WebSphere Application Server Network Deployment, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Interoperating with a C++ common object request broker architecture client

Why and when to perform this task

You can achieve interoperability of the Security Authentication Service between a C++ Common Object Request Broker Architecture (CORBA) client and WebSphere Application Server by using the Common Secure Interoperability Version 2 (CSIv2) authentication protocol over Remote Method Invocation over the Internet Inter-ORB Protocol (RMI-IIOP). The CSIv2 security service protocol has three layers: authentication, attribute, and transport. Of the three, transport-layer authentication is conceptually the simplest, yet cryptographically based transport authentication is also the strongest. WebSphere Application Server implements the transport authentication layer so that secure C++ CORBA clients can use it to work with protected enterprise bean resources.

Security authentication from a non-Java C++ client to enterprise beans: WebSphere Application Server supports security for a CORBA C++ client that accesses protected enterprise beans. If configured, C++ CORBA clients can access protected enterprise bean methods by presenting a client certificate, achieving mutual authentication with WebSphere Application Server applications.

To support the C++ CORBA client in accessing protected enterprise beans:
  • Create an environment file for the client, such as current.env. Set the variables presented in the following list in the file:
    C++ security setting       Description
    client_protocol_password   Specifies the password for the user ID.
    client_protocol_user       Specifies the user ID to authenticate at the target server.
    security_sslKeyring        Specifies the name of the RACF keyring for the client to use. The keyring must be defined under the user ID that is issuing the command to run the client.
  • Point to the environment file using its fully qualified path name in the WAS_CONFIG_FILE environment variable. For example, in the test.sh test shell script, export:
    /WebSphere/V6R0M0/DeploymentManager/profiles/default/config/cells/PLEX1Network/nodes/PLEX1Manager/servers/dmgr
    Some of the terms in this path are explained below:
    default        profile name
    PLEX1Network   cell name
    PLEX1Manager   node name
    dmgr           server name

To support the C++ CORBA client in accessing protected enterprise beans:

Steps for this task

  1. Obtain a valid certificate to represent the client and export its public key to the target enterprise bean server.

    A valid certificate is needed to represent the C++ client. Request a certificate from the certificate authority (CA) or create a self-signed certificate for testing purposes.

    Use the Key Management Utility from the Global Security Kit (GSKit) to extract the public key from the personal certificate and save it in the .arm format. For details, see the related information about how to extract the personal certificate of the public key.

  2. Prepare a truststore file for WebSphere Application Server.
    Add the extracted client public key in the .arm file from the client to the server key truststore file. The server can now authenticate the client.
    Note: This is done by invoking the Key Management Utility through ikeyman.bat or ikeyman.sh from the WebSphere Application Server installation.
    For details, see the article on Adding truststore files.
  3. Configure WebSphere Application Server to support SSL as the authentication mechanism.
    1. Start the administrative console.
    2. Locate the application server that has the target enterprise bean deployed and configure it to use SSL client certificate authentication.
      If it is a base installation, complete the following steps:
      1. Click Security > Global security. Under Authentication, click Authentication protocol > CSIv2 inbound authentication. Select Supported for the Basic authentication and Client certificate authentication options. Leave the rest of the options as defaults.
      2. Click Security > Global security. Under Authentication, click Authentication protocol > CSIv2 inbound transport and verify that the SSL-supported option is selected.
      If it is a Network Deployment setting, complete the following steps:
      1. Click Server > Application Server > server_name_where_the_EJB_resides. Under security, click Server security. Under Additional properties, click CSI inbound authentication. Select Supported for the Basic authentication and Client certificate authentication options. Leave the rest of the options as defaults.
      2. Click Server > Application Server > server_name_where_the_EJB_resides. Under security, click Server security. Under Additional properties, click CSI inbound transport. Verify that the SSL-Supported option is selected.

      For details, see the security articles Configuring CSIv2 inbound authentication and Configuring CSIv2 inbound transport.

    3. Restart the application server.

      WebSphere Application Server is now ready to accept a C++ CORBA security client; server and client authenticate each other mutually by using SSL in the transport layer.

  4. Configure the C++ CORBA client to use a certificate in performing the mutual authentication.
    Client users are accustomed to using property files in their applications because they are helpful in specifying configuration settings. The following list presents important C++ security settings:
    C++ security setting                                        Description
    com.ibm.CORBA.bootstrapHostName=ricebella.austin.ibm.com    Specifies the target host name.
    com.ibm.CORBA.securityEnabled=yes                           Enables security.
    com.ibm.CSI.performTLClientAuthenticationSupported=yes      Ensures that the client supports mutual authentication by certificate.
    com.ibm.CSI.performTransportAssocSSLTLSSupported=yes        Ensures that SSL is used, not plain TCP/IP.
    com.ibm.ssl.keyFile=C:/ricebella/etc/DummyKeyRingFile.KDB   Specifies which key database file to use.
    com.ibm.ssl.keyPassword=WebAS                               Specifies the password for opening the key database file. WebSphere Application Server supports a utility called PasswordEncode4cpp to encode the plain password.
    com.ibm.CORBA.translationEnabled=1                          Enables the valueType conversion.
    To use property files when running a C++ client, the WASPROPS environment variable indicates where a property file, or a list of property files, exists.

    For the complete set of C++ client properties, see the sample property file scclient.props, which is shipped with the product located in the install_root\profiles\profile_name\etc directory.
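    The following is an added example, not IBM code and not part of this task topic: a small checker that reads a C++ client property file of the kind WASPROPS points to and reports any setting that would quietly weaken the certificate-based mutual authentication configured in the steps above. It assumes the file uses Java-style key=value lines with # comments, and the sample file embedded in it is constructed from the settings table above (the hostname, key file path and password are the documentation's sample values, not real ones).

```python
"""Hypothetical checker for a WebSphere C++ CORBA client property file.

Added example, not IBM's code. It parses the key=value property file that the
client locates through WASPROPS and reports settings that would weaken the
mutual SSL authentication described in the task. Assumption: the file uses
Java-style 'key=value' lines, with '#' introducing a comment line.
"""
from typing import Dict, List

# Settings the task requires to be 'yes' for certificate-based mutual
# authentication over SSL (names taken from the settings table above).
REQUIRED_YES = (
    "com.ibm.CORBA.securityEnabled",
    "com.ibm.CSI.performTLClientAuthenticationSupported",
    "com.ibm.CSI.performTransportAssocSSLTLSSupported",
)

# Constructed sample property file mirroring the documentation's table.
SAMPLE_PROPS = """\
# constructed sample client property file (values copied from the docs table)
com.ibm.CORBA.bootstrapHostName=ricebella.austin.ibm.com
com.ibm.CORBA.securityEnabled=yes
com.ibm.CSI.performTLClientAuthenticationSupported=yes
com.ibm.CSI.performTransportAssocSSLTLSSupported=yes
com.ibm.ssl.keyFile=C:/ricebella/etc/DummyKeyRingFile.KDB
com.ibm.ssl.keyPassword=WebAS
com.ibm.CORBA.translationEnabled=1
"""


def parse_props(text: str) -> Dict[str, str]:
    """Parse 'key=value' lines; blank lines, comments and malformed lines are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # no '=' on the line: not a property, ignore it
        props[key.strip()] = value.strip()
    return props


def check_client_props(text: str) -> List[str]:
    """Return a list of findings; an empty list means the file passes every check."""
    props = parse_props(text)
    findings: List[str] = []

    # Each required setting must be exactly 'yes' (case-insensitive); a missing
    # key or any other value means SSL or client-certificate auth is not assured.
    for key in REQUIRED_YES:
        if props.get(key, "").lower() != "yes":
            findings.append(f"{key} must be 'yes' (found {props.get(key)!r})")

    # Without a key database the client has no certificate to present.
    if not props.get("com.ibm.ssl.keyFile"):
        findings.append("com.ibm.ssl.keyFile is missing: no client certificate can be presented")

    # The key database password must be present; flag the documentation's
    # sample value so it is not carried into a real deployment unchanged.
    password = props.get("com.ibm.ssl.keyPassword")
    if password is None:
        findings.append("com.ibm.ssl.keyPassword is missing: the key database cannot be opened")
    elif password == "WebAS":
        findings.append("com.ibm.ssl.keyPassword still holds the documentation sample value 'WebAS'; "
                        "replace it with a PasswordEncode4cpp-encoded password")
    return findings


if __name__ == "__main__":
    for finding in check_client_props(SAMPLE_PROPS) or ["no findings"]:
        print(finding)
```

    Running the checker against the constructed sample reports only the sample password; changing com.ibm.CSI.performTransportAssocSSLTLSSupported to no, or deleting it, produces a finding for that key, which is the misconfiguration most likely to leave the client talking plain TCP/IP without anyone noticing.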




Related tasks
Extracting public certificates for truststore files
Configuring Common Secure Interoperability Version 2 inbound authentication
Configuring inbound transports



Last updated: Mar 17, 2005 4:28:29 AM CST
http://publib.boulder.ibm.com/infocenter/ws60help/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tsec_interoperatec.html

© Copyright IBM Corporation 2002, 2005. All Rights Reserved.