Complete the following steps to configure Common Secure Interoperability
Version 2 (CSIv2) and Security Authentication Service (SAS).
- Determine how to configure security inbound and outbound at each
point in your infrastructure.
For example, you might have a
Java client communicating with an Enterprise JavaBeans (EJB) application server,
which in turn communicates with a downstream EJB application server.
A CSIv2 Java client
utilizes a configuration file that is specified by the com.ibm.CORBA.ConfigURL
Java property to configure outbound security.
The upstream EJB
application server configures inbound security to handle the correct type
of authentication from the Java client. The upstream EJB application server
utilizes the outbound security configuration when going to the downstream
EJB application server.
This type of authentication might be different
from what you expect from the Java client into the upstream EJB application
server. Security might be tighter between the pure client and the first EJB
server, depending on your infrastructure. The downstream EJB server utilizes
the inbound security configuration to accept requests from the upstream EJB
server. These two servers require similar configuration options as well. If
the downstream EJB application server communicates with other downstream servers,
the outbound security might require a special configuration.
- Specify the type of authentication.
By default, the server supports authentication
with a user ID and password.
Both Java client certificate authentication
and identity assertion are disabled by default. If you want the default user ID and password authentication
performed at every tier, use the CSIv2 authentication protocol configuration
as is. However, if you have any special requirements where some servers authenticate
differently from other servers, consider how to configure CSIv2 to its best
advantage.
- Configure clients and servers.
Configuring
a pure Java client is done through a properties file that is specified by
the com.ibm.CORBA.ConfigURL Java property.
Configuring servers is always
done from the administrative console or scripting, either from the security
navigation for cell-level configurations or from the server security of the
application server for server-level configurations. If you want some servers
to authenticate differently from others, modify some of the server-level configurations.
When you modify the server-level configurations, you are overriding the cell-level
configurations.
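
The following added example (not IBM's code and not part of the original page) reads a client properties file of the kind named by com.ibm.CORBA.ConfigURL and reports which authentication types the client allows outbound. The com.ibm.CSI.* and com.ibm.CORBA.securityEnabled property names are those used in WebSphere's sas.client.props and do not appear on this page; the sample values, the treatment of absent keys as false, and the precedence of Required over Supported are assumptions of the example.

```python
# Added example: summarize the outbound CSIv2 posture of a pure Java client
# from the properties file named by the com.ibm.CORBA.ConfigURL Java property.

SAMPLE_PROPS = """\
# constructed sample, not from a real installation
com.ibm.CORBA.securityEnabled=true
com.ibm.CSI.performClientAuthenticationRequired=false
com.ibm.CSI.performClientAuthenticationSupported=true
com.ibm.CSI.performTLClientAuthenticationRequired=false
com.ibm.CSI.performTLClientAuthenticationSupported=false
com.ibm.CSI.performTransportAssocSSLTLSRequired=false
com.ibm.CSI.performTransportAssocSSLTLSSupported=true
"""

FEATURES = {"userid_password": "ClientAuthentication",  # short name -> property infix
            "client_certificate": "TLClientAuthentication",
            "ssl_tls": "TransportAssocSSLTLS"}

def parse_props(text):
    """Parse key=value lines, skipping blanks and '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def is_true(props, name):
    # Assumption of this example: an absent key counts as false.
    return props.get(name, "").lower() == "true"

def posture(props):
    """Map each feature to 'required', 'supported' or 'never' (assumes Required wins)."""
    result = {}
    for short, infix in FEATURES.items():
        base = "com.ibm.CSI.perform" + infix
        req = is_true(props, base + "Required")
        sup = is_true(props, base + "Supported")
        result[short] = "required" if req else "supported" if sup else "never"
    return result

def findings(props):
    p, found = posture(props), []
    if not is_true(props, "com.ibm.CORBA.securityEnabled"):
        found.append("client security is disabled")
    if p["userid_password"] != "never" and p["ssl_tls"] != "required":
        found.append("user ID/password allowed while SSL/TLS is not required")
    return found
```

On the constructed sample, findings(parse_props(SAMPLE_PROPS)) reports that user ID and password authentication is allowed while SSL/TLS is not required; setting the SSL/TLS Required property to true clears the finding.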