This example is the same as example 1, except for the interaction from client C2 to server S2. Therefore, the configuration of example 1 is still valid, but you have to modify server S2 slightly and add a configuration for client C2. The configuration is not modified for C1 or S1.
Procedure

- Configure client C2 for transport layer authentication (Secure Sockets Layer (SSL) client certificates).
  - Point the client to the sas.client.props file. Use the com.ibm.CORBA.ConfigURL=file:/C:/was/properties/sas.client.props property. All further configuration involves setting properties within this file.
  - Enable SSL. In this case, SSL is supported but not required:
    com.ibm.CSI.performTransportAssocSSLTLSSupported=true,
    com.ibm.CSI.performTransportAssocSSLTLSRequired=false
  - Disable client authentication at the message layer:
    com.ibm.CSI.performClientAuthenticationRequired=false,
    com.ibm.CSI.performClientAuthenticationSupported=false
  - Enable client authentication at the transport layer, where it is supported but not required:
    com.ibm.CSI.performTLClientAuthenticationRequired=false,
    com.ibm.CSI.performTLClientAuthenticationSupported=true
- Configure the server, S2. In the administrative console, server S2 is configured for incoming requests to use SSL client authentication and identity assertion. Configuration for outgoing requests is not relevant for this example.
  You can mix and match these configuration options. However, a precedence exists as to which authentication feature becomes the identity in the received credential:
  - Identity assertion
  - Message-layer client authentication (basic authentication or token)
  - Transport-layer client authentication (SSL certificates)
  Configure S2 as follows:
  - Enable identity assertion.
  - Disable user ID and password authentication.
  - Enable SSL.
  - Enable SSL client authentication.
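The following script is an added example, not part of the WebSphere documentation or the product: it parses a sas.client.props fragment built from the C2 settings above, reports the resulting state of each CSIv2 feature, and flags property combinations that contradict each other. The consistency rules (a feature marked Required must also be Supported; transport-layer client certificates need an SSL/TLS transport) and the `received_identity` precedence helper are assumptions derived from this page, not a product API; the property names are the ones the page uses.

```python
# Added example (not IBM code): sanity-check the CSIv2 properties that the
# example sets in sas.client.props for client C2.

PREFIX = "com.ibm.CSI."

# Feature label -> property stem. The real properties on the page are
# "<stem>Supported" and "<stem>Required".
FEATURES = {
    "SSL/TLS transport": "performTransportAssocSSLTLS",
    "message-layer client authentication": "performClientAuthentication",
    "transport-layer client authentication": "performTLClientAuthentication",
}

# Constructed sample mirroring the C2 settings given in the procedure.
SAMPLE_PROPS = """\
# client C2 (constructed sample)
com.ibm.CSI.performTransportAssocSSLTLSSupported=true
com.ibm.CSI.performTransportAssocSSLTLSRequired=false
com.ibm.CSI.performClientAuthenticationRequired=false
com.ibm.CSI.performClientAuthenticationSupported=false
com.ibm.CSI.performTLClientAuthenticationRequired=false
com.ibm.CSI.performTLClientAuthenticationSupported=true
"""


def parse_props(text):
    """Minimal Java .properties parser: skips blank and comment lines and
    splits each entry on the first '=' or ':'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cuts = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not cuts:
            props[line] = ""
        else:
            sep = min(cuts)
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def _flag(props, stem, suffix):
    """True only when the property is literally 'true' (case-insensitive)."""
    return props.get(PREFIX + stem + suffix, "false").lower() == "true"


def feature_state(props, stem):
    """'required', 'supported' (optional) or 'disabled' for one feature."""
    if _flag(props, stem, "Required"):
        return "required"
    if _flag(props, stem, "Supported"):
        return "supported"
    return "disabled"


def check_csiv2(props):
    """Return a list of problems found; an empty list means consistent.
    The rules are this example's assumptions, not product validation."""
    findings = []
    for label, stem in FEATURES.items():
        if _flag(props, stem, "Required") and not _flag(props, stem, "Supported"):
            findings.append(f"{label}: Required=true but Supported=false")
    ssl = feature_state(props, FEATURES["SSL/TLS transport"])
    tl = feature_state(props, FEATURES["transport-layer client authentication"])
    # Client certificates are only presented over an SSL/TLS transport.
    if tl != "disabled" and ssl == "disabled":
        findings.append("transport-layer client authentication without SSL/TLS support")
    if tl == "required" and ssl != "required":
        findings.append("transport-layer client authentication required but SSL/TLS only optional")
    return findings


# Precedence from the page: the highest-ranked feature present on a received
# request supplies the identity in the received credential.
PRECEDENCE = ["identity assertion", "message-layer client authentication",
              "transport-layer client authentication"]


def received_identity(present):
    """Return the feature whose identity S2 ends up with, or None."""
    for feature in PRECEDENCE:
        if feature in present:
            return feature
    return None


if __name__ == "__main__":
    props = parse_props(SAMPLE_PROPS)
    for label, stem in FEATURES.items():
        print(f"{label}: {feature_state(props, stem)}")
    print("problems:", check_csiv2(props) or "none")
    print("S2 identity comes from:",
          received_identity({"identity assertion",
                             "transport-layer client authentication"}))
```

Run it against the real sas.client.props by replacing SAMPLE_PROPS with the file contents; a non-empty list from `check_csiv2` is worth resolving before testing the C2 to S2 interaction, because a Required flag without its Supported flag is the most common way this configuration ends up not doing what the precedence list suggests.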