Configure inbound transports



Overview

Inbound transports refer to the types of listener ports and their attributes that are opened to receive requests for this server. Both CSIv2 and SAS have the ability to configure the transport. However, the following differences between the two protocols exist:


Configure

  1. Click thru...

    Security | Authentication Protocol | CSIv2 Inbound Transport
    ...to select the type of transport and the SSL settings.

    By selecting the type of transport, as noted previously, you choose which listener ports you want to open. Choosing TCP/IP as the transport also disables SSL client certificate authentication, because without an SSL session there is no client certificate to validate.

  2. Go to Security | SSL and define the SSL settings that correspond to an SSL transport. Configuration options include keystore files, truststore files, ciphers, cryptographic token selections, and so on.

  3. Consider fixing (assigning static values to) the listener ports that you configured.

    You complete this action in a different panel, but this is the time to think about it. Most end points are managed at a single location, which is why they do not appear in the Inbound Transport panels. Managing end points at a single location helps you decrease the number of conflicts in your configuration when you are assigning the end points. The location for SSL end points is at each server. The following port names are defined in the End Points panel and are used for ORB security:

    End point name                           Port
    CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS    CSIv2 Client Authentication SSL Port
    CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS    CSIv2 SSL Port
    SAS_SSL_SERVERAUTH_LISTENER_ADDRESS      SAS SSL Port
    ORB_LISTENER_PORT                        TCP/IP Port

    For an appserver, click thru...

    Servers | Application Servers | server_name | Additional Properties | End Points

    The End Points panel displays for the specified server. For a node agent, go to...

    System Administration | Node Agents | node_name | Additional Properties | End Points

    The end points for the node agent and deployment manager already are fixed, but you might consider reassigning the ports.

    For the deployment manager, click thru...

    System Administration | Deployment Manager | Additional Properties | End Points

    WAS ORB uses a listener port for Remote Method Invocation over the Internet Inter-ORB Protocol (RMI/IIOP) communications; by default this port is not specified and is selected dynamically at run time. If you are working with a firewall, specify a static port for the ORB listener and open that port on the firewall so that communication can pass through the specified port. The endPoint property for setting the ORB listener port is ORB_LISTENER_ADDRESS.

    In the WAS Network Deployment environment, the ORB_LISTENER_ADDRESS endPoint is specified on the node agent. The Location Service Daemon (LSD) resides on the node agent and piggybacks onto the ORB listener port, which is why that port must be fixed. Also add ORB_LISTENER_ADDRESS to the other appservers to set their ORB listener ports. Each ORB needs its own distinct listener port, so in WebSphere Application Server Network Deployment give every node agent and appserver a different value. For example, you might specify the following ports:

    Node agent: ORB_LISTENER_ADDRESS=9000
    Server1: ORB_LISTENER_ADDRESS=9811
    Server2: ORB_LISTENER_ADDRESS=9812

    Complete the following steps using the Administrative Console to specify the ORB_LISTENER_ADDRESS port or ports. In the WebSphere Application Server Network Deployment environment, complete the following steps for the node agent and the deployment manager.

    1. Click thru...

      Servers | Application Servers | server_name | End Points | Additional Properties | New | End Point Name field | ORB_LISTENER_ADDRESS

    2. Enter the IP address, the fully qualified DNS host name, or the DNS host name by itself into the Host field. For example, if the host name is myhost, the fully qualified DNS name can be myhost.myco.com and the IP address can be 155.123.88.201.

    3. Enter the port number in the Port field. The port number specifies the port for which the service is configured to accept client requests. The port value is used in conjunction with the host name. Using the previous example, the port number might be 9000.

  4. Click thru...

    Security | Authentication Protocol | SAS Inbound

    ...to select the SSL settings used for inbound requests from SAS clients. Remember that the SAS protocol is used to interoperate with previous releases. When configuring the key store and trust store files in the SSL configuration, these files must contain the signer certificates needed to interoperate with previous releases of WebSphere Application Server. For example, a previous release has a different trust store file than the Version 5 release. If you use the Version 5 key store file, add its signer certificate to the trust store file of the previous release for those clients connecting to this server.
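As an added illustration (not IBM code and not a wsadmin script), the following Python checks an end-point plan of the kind built in step 3 for the two mistakes the text warns about, a port assigned to more than one listener on the same host and an ORB_LISTENER_ADDRESS left dynamic where a firewall needs a fixed port, and also applies the step 1 rule that a TCP/IP transport cannot enforce SSL client certificate authentication. The host name, port numbers and the `transport` / `client_cert_auth` fields of the sample plan are constructed for the example and are not WebSphere property names.

```python
from collections import defaultdict

# The four ORB security end points listed above (name -> panel label).
ORB_SECURITY_ENDPOINTS = {
    "CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS": "CSIv2 Client Authentication SSL Port",
    "CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS": "CSIv2 SSL Port",
    "SAS_SSL_SERVERAUTH_LISTENER_ADDRESS": "SAS SSL Port",
    "ORB_LISTENER_ADDRESS": "TCP/IP Port",
}

# Constructed sample plan: a node agent and two appservers on one host.
# Port 0 stands for "not fixed", i.e. the ORB picks a port at run time.
# It deliberately contains one port clash, one dynamic ORB port and one
# TCP/IP transport that still asks for client certificates.
SAMPLE_PLAN = {
    "nodeagent": {
        "host": "myhost.myco.com", "transport": "SSL", "client_cert_auth": False,
        "endpoints": {
            "ORB_LISTENER_ADDRESS": 9000,
            "CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS": 9101,
            "CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS": 9102,
            "SAS_SSL_SERVERAUTH_LISTENER_ADDRESS": 9103,
        },
    },
    "server1": {
        "host": "myhost.myco.com", "transport": "SSL", "client_cert_auth": True,
        "endpoints": {
            "ORB_LISTENER_ADDRESS": 9811,
            "CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS": 9403,
            "CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS": 9402,
            "SAS_SSL_SERVERAUTH_LISTENER_ADDRESS": 9401,
        },
    },
    "server2": {
        "host": "myhost.myco.com", "transport": "TCP/IP", "client_cert_auth": True,
        "endpoints": {
            "ORB_LISTENER_ADDRESS": 0,                      # left dynamic
            "CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS": 9403,  # same as server1
            "CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS": 9412,
            "SAS_SSL_SERVERAUTH_LISTENER_ADDRESS": 9411,
        },
    },
}


def find_port_conflicts(plan):
    """Every (host, port) claimed by more than one fixed listener, together
    with the (server, end point name) pairs that claim it."""
    claims = defaultdict(list)
    for server, cfg in plan.items():
        for name, port in cfg["endpoints"].items():
            if port:  # 0 / None means dynamic: no fixed port to collide with
                claims[(cfg["host"], port)].append((server, name))
    return [(host, port, owners)
            for (host, port), owners in sorted(claims.items()) if len(owners) > 1]


def find_dynamic_orb_ports(plan):
    """Servers whose ORB_LISTENER_ADDRESS is unset or 0. A dynamic ORB port
    cannot be opened on a firewall ahead of time, and on the node agent the
    Location Service Daemon shares it, so it has to be fixed there."""
    return sorted(server for server, cfg in plan.items()
                  if not cfg["endpoints"].get("ORB_LISTENER_ADDRESS"))


def find_transport_mismatches(plan):
    """Step 1 above: a TCP/IP inbound transport has no SSL session, so
    requiring client certificate authentication on it cannot work."""
    return sorted(server for server, cfg in plan.items()
                  if cfg["transport"] == "TCP/IP" and cfg["client_cert_auth"])


def audit(plan):
    """Human-readable findings; an empty list means every check passed."""
    findings = []
    for host, port, owners in find_port_conflicts(plan):
        who = ", ".join(f"{s}/{ORB_SECURITY_ENDPOINTS.get(e, e)}" for s, e in owners)
        findings.append(f"port {port} on {host} assigned more than once: {who}")
    for server in find_dynamic_orb_ports(plan):
        findings.append(f"{server}: ORB_LISTENER_ADDRESS is not fixed")
    for server in find_transport_mismatches(plan):
        findings.append(f"{server}: client certificate authentication needs an SSL transport")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_PLAN) or ["no findings"]:
        print(line)
```

Run against the constructed plan it reports the 9403 clash between server1 and server2, the unfixed ORB port on server2, and the TCP/IP transport on server2 that still requires client certificates. Feeding it a plan exported from your own cell (one entry per server, keyed by the end point names above) gives the same conflict check that the single End Points location is meant to make easy.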


Results

The inbound transport configuration is complete.


Usage scenario

With this configuration, you can configure a different transport for inbound security versus outbound security. For example, if the application server is the first server used by end users, its inbound security configuration might need to be stricter. When requests go outbound to back-end enterprise bean servers, you might lighten up on the security for performance reasons. This flexibility allows you to design the right transport infrastructure to meet your needs.


What to do next

When you finish configuring security, perform the following steps to save, synchronize, and restart the servers.

  1. Click Save in the administrative console to save any modifications to the configuration.

  2. Synchronize the configuration with all node agents.

  3. Stop and restart all servers, once synchronized.


Common Secure Interoperability transport inbound settings
Secure Association Service transport inbound settings


WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.


IBM is a trademark of the IBM Corporation in the United States, other countries, or both.