This example presents a pure Java client, C, accessing a secure enterprise bean on S1.
About this task
C authenticates to S1 using Secure Sockets Layer (SSL) client certificates. S1 maps the common name of the distinguished name (DN) in the certificate to a user in the local registry. The user in this case is bob. The enterprise bean code on S1 accesses another enterprise bean on S2. Because the RunAs mode is system, the invocation credential is set as server1 for any outbound requests.
Procedure
- Configure client C for transport layer authentication (SSL client certificates).
  - Point the client to the sas.client.props file.
    Use the com.ibm.CORBA.ConfigURL=file:/C:/was/properties/sas.client.props property. All further configuration involves setting properties within this file.
  - Enable SSL.
    In this case, SSL is supported but not required: com.ibm.CSI.performTransportAssocSSLTLSSupported=true, com.ibm.CSI.performTransportAssocSSLTLSRequired=false
  - Disable client authentication at the message layer.
    com.ibm.CSI.performClientAuthenticationRequired=false, com.ibm.CSI.performClientAuthenticationSupported=false
  - Enable client authentication at the transport layer. It is supported, but not required.
    com.ibm.CSI.performTLClientAuthenticationRequired=false, com.ibm.CSI.performTLClientAuthenticationSupported=true
- Configure the S1 server.
  In the administrative console, S1 is configured for incoming connections to support SSL with client certificate authentication. The S1 server is configured for outgoing requests to support message layer client authentication.
  - Configure S1 for incoming connections.
    - Disable identity assertion.
    - Disable user ID and password authentication.
    - Enable SSL.
    - Enable SSL client certificate authentication.
  - Configure S1 for outgoing connections.
    - Disable identity assertion.
    - Disable user ID and password authentication.
    - Enable SSL.
    - Enable SSL client certificate authentication.
- Configure the S2 server.
  In the administrative console, the S2 server is configured for incoming requests to support message layer authentication over SSL. Configuration for outgoing requests is not relevant for this scenario.
  - Disable identity assertion.
  - Enable user ID and password authentication.
  - Enable SSL.
  - Disable SSL client authentication.
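The client step of this procedure depends on six properties in sas.client.props having exactly the stated values, so the following added example (not part of the original documentation or of the product) audits a properties file against them. The names `EXPECTED`, `parse_props`, `audit` and `SAMPLE` are made up here, the parser assumes simple `key=value` lines, and treating a `Required=true` setting whose `Supported` partner is not true as inconsistent is this example's own check.

```python
EXPECTED = {  # values the procedure gives for client C
    "com.ibm.CSI.performTransportAssocSSLTLSSupported": "true",
    "com.ibm.CSI.performTransportAssocSSLTLSRequired": "false",
    "com.ibm.CSI.performClientAuthenticationRequired": "false",
    "com.ibm.CSI.performClientAuthenticationSupported": "false",
    "com.ibm.CSI.performTLClientAuthenticationRequired": "false",
    "com.ibm.CSI.performTLClientAuthenticationSupported": "true",
}

def parse_props(text):
    """Parse simple key=value property lines; the last definition wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return sorted findings; an empty list means the file matches."""
    props = parse_props(text)
    findings = []
    for key, want in EXPECTED.items():
        got = props.get(key)
        if got is None:
            findings.append(f"{key}: missing (expected {want})")
        elif got.lower() != want:
            findings.append(f"{key}: {got} (expected {want})")
    # Added consistency check: a required mechanism should also be supported.
    for key, value in props.items():
        if key.endswith("Required") and value.lower() == "true":
            partner = key[: -len("Required")] + "Supported"
            if props.get(partner, "").lower() != "true":
                findings.append(f"{key}: required but {partner} is not true")
    return sorted(findings)

# Constructed sample: message layer auth left enabled, TL client auth unset.
SAMPLE = """\
com.ibm.CSI.performTransportAssocSSLTLSSupported=true
com.ibm.CSI.performTransportAssocSSLTLSRequired=false
com.ibm.CSI.performClientAuthenticationRequired=false
com.ibm.CSI.performClientAuthenticationSupported=true
com.ibm.CSI.performTLClientAuthenticationRequired=false
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "sas.client.props matches the procedure")
```

Running it on the constructed sample reports the message layer setting that deviates and the transport layer setting that is missing.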