By using this configuration, you can configure a different transport
for inbound security versus outbound security.
Before you begin
The outbound transport is the transport that is used to
connect to a downstream server. When you configure the outbound transport,
consider the transports that the downstream servers support. If you are considering
Secure Sockets Layer (SSL), also include the signers of the downstream
servers in this server's truststore file so that the handshake succeeds.
When you select an SSL configuration, that configuration points to the keystore and
truststore files or keyrings that contain the necessary signers.
If you configured client certificate authentication for this server
by completing the following steps, make sure that the downstream servers contain the
signer certificate that belongs to the server personal certificate:
- Click Security > Global security.
- Under Authentication, click Authentication protocols > CSIv2 outbound
authentication.
About this task
Complete the following steps to configure the outbound transport
panels.
Procedure
- Select the type of transport and the SSL settings
by clicking Security > Global security. Under Authentication, click Authentication
Protocol > CSIv2 Outbound Transport. By selecting the type of transport,
you choose the transport to use when connecting to downstream servers; the
downstream servers must support the transport that you choose. If you choose SSL-Supported,
the transport that is used is negotiated during the connection. If both the
client and server support SSL, always select the SSL-Supported option
unless the request is a special request that does not require SSL,
such as an object request broker (ORB) request.
- Click Security > SSL to specify the SSL settings that correspond to the SSL transport.
This panel includes the SSL configuration of keystore files, truststore files,
file formats, security levels, ciphers, cryptographic token selections, and
so on. Verify that the truststore keyring file in the selected SSL configuration
contains the signers for any downstream servers. Also, verify that the downstream
servers contain the server signer certificates when outbound client certificate
authentication is used.
- Select the SSL settings that are used for outbound requests to downstream
Secure Authentication Service (SAS) servers. Click Security > Global security.
Under Authentication, click Authentication Protocol > SAS Outbound transport. Remember
that the SAS protocol allows interoperability with previous releases. When
configuring the keystore and truststore files in the SSL configuration, make sure that these
files have the correct information for interoperating with previous
releases of WebSphere Application Server. For example, a previous release
has a different personal certificate than the Version 6 release. If you use
the keystore file from the Version 6 release, you must add the signer to the
truststore file of the previous release: extract the signer
for the Version 6 release and import that signer into the truststore file
of the previous release.
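The signer exchange in the last step, shown as an added example that is not part of this topic or of the product's own tooling: it uses the JDK keytool instead of the administrative console, builds a constructed Version 6 personal certificate in a temporary directory, extracts its signer, imports the signer into the previous release's truststore, and then checks by SHA-256 fingerprint that the truststore really holds that signer (the precondition for the handshake). All file names, aliases and the password are assumptions.

```shell
#!/bin/sh
# Added example (not the product's own tooling): signer exchange with the JDK keytool.
# File names, aliases and the store password below are constructed for the demo.
set -eu

WORK=${WORK:-$(mktemp -d)}
V6_KEYSTORE="$WORK/v6-key.jks"        # Version 6 server keystore (personal certificate)
OLD_TRUSTSTORE="$WORK/old-trust.jks"  # truststore of the previous release
SIGNER_CER="$WORK/v6-signer.cer"      # exported signer certificate
STOREPASS=changeit                    # constructed password, demo only

# Create a constructed Version 6 personal certificate. It is self-signed, so its
# signer is the certificate itself; with a CA-issued certificate you export the CA cert.
make_v6_keystore() {
    [ -f "$V6_KEYSTORE" ] || keytool -genkeypair -alias v6server -keyalg RSA -keysize 2048 \
        -dname "CN=v6server.example.test, O=Constructed" -validity 30 \
        -keystore "$V6_KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1
}

# Extract the signer for the Version 6 release ...
extract_signer() {
    keytool -exportcert -alias v6server -keystore "$V6_KEYSTORE" \
        -storepass "$STOREPASS" -file "$SIGNER_CER" >/dev/null 2>&1
}

# ... and import it into the truststore of the previous release (skip if already there).
import_signer() {
    keytool -list -alias v6signer -keystore "$OLD_TRUSTSTORE" -storepass "$STOREPASS" >/dev/null 2>&1 \
    || keytool -importcert -noprompt -alias v6signer -file "$SIGNER_CER" \
        -keystore "$OLD_TRUSTSTORE" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Handshake precondition: the truststore must hold a certificate whose SHA-256
# fingerprint equals that of the exported signer. Returns 0 when it does.
truststore_has_signer() {
    want=$(keytool -printcert -file "$SIGNER_CER" | grep 'SHA256:' | head -n 1 | sed 's/.*SHA256: *//')
    keytool -list -v -keystore "$OLD_TRUSTSTORE" -storepass "$STOREPASS" \
        | grep 'SHA256:' | sed 's/.*SHA256: *//' | grep -qx "$want"
}

# Full exchange; usage: . ./signer-exchange.sh && run_signer_exchange && echo "signer present"
run_signer_exchange() {
    make_v6_keystore && extract_signer && import_signer && truststore_has_signer
}
```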
Results
The outbound transport configuration is complete. With this configuration,
you can configure a different transport for inbound security versus outbound
security. For example, if the application server is the first server that
end users contact, you might want a more secure inbound configuration. When requests
go to back-end enterprise beans servers, you might accept less security on the
outbound connection for performance reasons. With this flexibility you can
design a transport infrastructure that meets your needs.
What to do next
When you finish configuring security, perform the following steps
to save, synchronize, and restart the servers.
- Click Save in the administrative console to save any modifications
to the configuration.
- Synchronize the configuration with all node agents.
- Stop and restart all servers after synchronization.