Configuring CSIv2 to secure IIOP communication

The following information covers some of the general cases for configuring both inbound and outbound CSIv2 security for IIOP communication.

Inbound calls allow CICS® Liberty to listen as an object request broker (ORB) on a TCP/IP port for IIOP-RMI requests and call the target EJB method.

Outbound calls are requests that CICS Liberty makes to an ORB to invoke an EJB method. The target can be the same JVM server that issues the call, or any other Java™ virtual machine (JVM) that can act as an ORB.

In the following example, the client is the JVM making the outbound request and the server is the JVM receiving the inbound request. Either one, or both of these, can be the CICS Liberty JVM server. For more information, see Configuring Common Secure Interoperability version 2 (CSIv2) in Liberty.

Configuring CSIv2 to use TLS

Inbound
  • Create a keystore that contains the certificate for the server.
    <keyStore id="iiopKeyStore" ... />
  • Create an SSL repertoire (the SSL element) that references the keystore.
    <ssl id="iiopSSL" keyStoreRef="iiopKeyStore" />
  • Create an IIOP endpoint with an IIOPS port.
    <iiopEndpoint id="defaultIiopEndpoint" host="host.example.com" iiopPort="2809">
        <iiopsOptions iiopsPort="9402" sslRef="iiopSSL" />
    </iiopEndpoint>
Important: By default, the sslRef attribute of iiopsOptions references the defaultSSLConfig SSL repertoire.
Outbound
  • Create a keystore to act as the truststore. You can include a root certificate in it, so that every certificate signed by that root is trusted.
    <keyStore id="iiopTrustStore" ... />
  • Create an SSL repertoire (the SSL element) that references the keystore.
    <ssl id="iiopSSL" trustStoreRef="iiopTrustStore" ... />
  • Create an ORB with the CSIv2 client policy.
    <orb id="defaultOrb" nameService="corbaname::host.example.com">
        <clientPolicy.csiv2>
            <layers>
                <transportLayer sslRef="iiopSSL" />
            </layers>
        </clientPolicy.csiv2>
    </orb>

Configuring CSIv2 to allow propagation of the user ID from the client to the server

Inbound

  • Create an ORB with the CSIv2 server policy.
    <orb id="defaultOrb">
        <serverPolicy.csiv2>
            <layers>
                <attributeLayer identityAssertionEnabled="true" />
            </layers>
        </serverPolicy.csiv2>
    </orb>
  • Optionally, you can specify one or more identities to be trusted by the server.
    <attributeLayer identityAssertionEnabled="true" trustedIdentities="MYUSER" />
Outbound
  • Create an ORB with the CSIv2 client policy.
    <orb id="defaultOrb" nameService="corbaname::host.example.com:2809">
        <clientPolicy.csiv2>
            <layers>
                <attributeLayer identityAssertionEnabled="true" />
            </layers>
        </clientPolicy.csiv2>
    </orb>
  • Optionally, you can provide a trusted identity to be authorized by the server.
    <attributeLayer identityAssertionEnabled="true" trustedIdentity="MYUSER" trustedPassword="MYPASSWD" />
Important: The trusted user must exist in a user registry on the server. The trustedPassword can be encoded by using the Liberty securityUtility tool.

Configuring CSIv2 to use TLS Client Authentication

Inbound

  • Create a keystore to act as the truststore. You can include a root certificate in it, so that every client certificate signed by that root is trusted.
    <keyStore id="iiopTrustStore" ... />
  • Create an SSL repertoire (the SSL element) that references the keystore.
    <ssl id="iiopSSL" trustStoreRef="iiopTrustStore" ... />
  • Create an IIOP endpoint with an IIOPS port.
    <iiopEndpoint id="defaultIiopEndpoint" host="host.example.com" iiopPort="2809">
        <iiopsOptions iiopsPort="9402" sslRef="iiopSSL" />
    </iiopEndpoint>
  • Create an ORB with the CSIv2 server policy.
    <orb id="defaultOrb">
        <serverPolicy.csiv2>
            <layers>
                <attributeLayer identityAssertionEnabled="true" ... />
                <transportLayer sslRef="iiopSSL" />
            </layers>
        </serverPolicy.csiv2>
    </orb>
Outbound
  • Create a keystore that contains the client's certificate.
    <keyStore id="iiopKeyStore" ... />
  • Create an SSL repertoire (the SSL element) that references the keystore.
    <ssl id="iiopSSL" keyStoreRef="iiopKeyStore" />
  • Create an ORB with the CSIv2 client policy.
    <orb id="defaultOrb">
        <clientPolicy.csiv2>
            <layers>
                <attributeLayer identityAssertionEnabled="true" />
                <transportLayer sslRef="iiopSSL" />
            </layers>
        </clientPolicy.csiv2>
    </orb>
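The three configurations above share a few things worth checking before a server is started: every sslRef (on iiopsOptions or a transportLayer) must name an ssl element whose keystores exist, a server policy that enables identity assertion should carry a trustedIdentities list, and a client-side trustedPassword should be securityUtility-encoded rather than stored in clear. The following linter is an example added for this page, not IBM's code; the server.xml it scans is a constructed sample with deliberate mistakes, and the `{xor}`/`{aes}` prefixes are the forms securityUtility encode produces.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real server): contains one mistake of each kind.
SAMPLE_SERVER_XML = """<server>
  <keyStore id="iiopKeyStore" location="key.p12" password="{xor}Lz4sLCgwLTs=" />
  <ssl id="iiopSSL" keyStoreRef="iiopKeyStore" />
  <iiopEndpoint id="defaultIiopEndpoint" host="host.example.com" iiopPort="2809">
    <iiopsOptions iiopsPort="9402" sslRef="iiopSSLTypo" />
  </iiopEndpoint>
  <orb id="defaultOrb">
    <serverPolicy.csiv2><layers>
      <attributeLayer identityAssertionEnabled="true" />
      <transportLayer sslRef="iiopSSL" />
    </layers></serverPolicy.csiv2>
    <clientPolicy.csiv2><layers>
      <attributeLayer identityAssertionEnabled="true" trustedIdentity="MYUSER" trustedPassword="MYPASSWD" />
    </layers></clientPolicy.csiv2>
  </orb>
</server>"""

ENCODED_PREFIXES = ("{xor}", "{aes}")  # securityUtility encode output forms


def check_csiv2_config(xml_text):
    """Return a list of (severity, message) findings for the IIOP/CSIv2 parts of a server.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    ssl_ids = {e.get("id") for e in root.iter("ssl")}
    keystore_ids = {e.get("id") for e in root.iter("keyStore")}
    # Every sslRef on iiopsOptions or transportLayer must resolve to an <ssl id="...">.
    for tag in ("iiopsOptions", "transportLayer"):
        for e in root.iter(tag):
            ref = e.get("sslRef")
            if ref is None:
                findings.append(("INFO", f"{tag}: no sslRef, defaultSSLConfig will be used"))
            elif ref not in ssl_ids:
                findings.append(("ERROR", f"{tag}: sslRef '{ref}' does not match any <ssl id>"))
    # Each <ssl> must reference keystores that are actually defined.
    for ssl in root.iter("ssl"):
        for attr in ("keyStoreRef", "trustStoreRef"):
            ref = ssl.get(attr)
            if ref is not None and ref not in keystore_ids:
                findings.append(("ERROR", f"ssl '{ssl.get('id')}': {attr} '{ref}' not defined"))
    # Server side: identity assertion enabled without a trustedIdentities list deserves review.
    for policy in root.iter("serverPolicy.csiv2"):
        for a in policy.iter("attributeLayer"):
            if a.get("identityAssertionEnabled") == "true" and not a.get("trustedIdentities"):
                findings.append(("WARN", "serverPolicy.csiv2: identity assertion enabled with no trustedIdentities"))
    # Client side: trustedPassword should be encoded with securityUtility, not stored in clear.
    for policy in root.iter("clientPolicy.csiv2"):
        for a in policy.iter("attributeLayer"):
            pw = a.get("trustedPassword")
            if pw and not pw.startswith(ENCODED_PREFIXES):
                findings.append(("WARN", "clientPolicy.csiv2: trustedPassword is not securityUtility-encoded"))
    return findings
```

Run it against a real server.xml by passing the file contents to check_csiv2_config; an empty list means the CSIv2 references resolve and no clear-text trusted password was found.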