Java client authentication protocol

 


Accessing secure EJB resources in a secure WebSphere Application Server environment requires an authentication protocol to determine the level of security and the type of authentication between the client and the server. The authentication protocol merges the authentication requirements of the server and the client into an authentication policy specific to that pair. This authentication policy determines, among other things, the following:

  1. The kind of connection used: SSL or TCP/IP.
  2. If SSL is used, the strength of the encryption.
  3. The way the client is authenticated: user ID and password combination, client certificate, and so on.
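A simplified model of the merge described above, as an added example that is not IBM's code and not WebSphere's actual algorithm: each side rates a feature as never, supported or required, and the merge either yields the transport, encryption strength and client authentication methods or fails. The `Level` values, dictionary keys, strength labels and the rule that a mutually supported feature is switched on are assumptions made for illustration.

```python
from enum import IntEnum

class Level(IntEnum):            # how strongly one side wants a feature (model assumption)
    NEVER = 0
    SUPPORTED = 1
    REQUIRED = 2

STRENGTHS = ["low", "medium", "high"]    # constructed labels, weakest first

def use_feature(name, client, server):
    """Decide whether a feature is used; raise if the two sides cannot agree."""
    if max(client, server) == Level.REQUIRED and min(client, server) == Level.NEVER:
        raise ValueError(f"{name}: required by one side but refused by the other")
    # Assumption: a feature that both sides at least support is switched on.
    return min(client, server) >= Level.SUPPORTED

def merge_policy(client, server):
    """Merge two requirement dicts into the effective policy for one connection."""
    ssl = use_feature("ssl", client["ssl"], server["ssl"])
    policy = {"transport": "SSL" if ssl else "TCP/IP", "strength": None}
    if ssl:
        common = set(client["strengths"]) & set(server["strengths"])
        if not common:
            raise ValueError("ssl: no encryption strength in common")
        policy["strength"] = max(common, key=STRENGTHS.index)  # strongest shared
    cert = use_feature("client_cert", client["client_cert"], server["client_cert"])
    if cert and not ssl:
        # A client certificate is presented in the SSL handshake, so it needs SSL.
        raise ValueError("client_cert: agreed on, but the connection is not SSL")
    basic = use_feature("basic_auth", client["basic_auth"], server["basic_auth"])
    policy["client_auth"] = (["client certificate"] if cert else []) + \
                            (["user ID and password"] if basic else [])
    return policy

# Constructed sample requirements, not taken from a real configuration.
CLIENT = {"ssl": Level.SUPPORTED, "strengths": ["medium", "high"],
          "client_cert": Level.NEVER, "basic_auth": Level.SUPPORTED}
SERVER = {"ssl": Level.REQUIRED, "strengths": ["high"],
          "client_cert": Level.SUPPORTED, "basic_auth": Level.REQUIRED}

if __name__ == "__main__":
    print(merge_policy(CLIENT, SERVER))
```
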

In WebSphere Application Server version 6, there are two authentication protocols available: IBM's Secure Authentication Service (IBM's SAS) and the Common Secure Interoperability version 2 (CSIV2).

IBM's SAS is the only authentication protocol used by all WebSphere Application Server releases prior to version 5.

CSIV2, defined by the Object Management Group (OMG), is a standard protocol that lets vendors interoperate securely. It is considered the strategic protocol and is implemented with more features than IBM's SAS in WebSphere Application Server version 6.

Before a request can flow from client to server, the client-side and server-side Object Request Brokers (ORBs) must establish a connection over the TCP/IP (or SSL) transport layer. Internet Inter-ORB Protocol (IIOP) is the protocol that handles the communication between these two ORBs. The authentication protocols IBM's SAS and CSIV2, explained above, are add-on services for IIOP.

Note: The IBM's SAS and CSIV2 authentication protocols used in WebSphere Application Server are add-on services to the standard IIOP protocol, which handles communication between two ORBs. Within WebSphere Application Server version 6, the IBM's SAS authentication protocol is deprecated but is still included for backward compatibility.