Configuring Web Services Transaction support in a secure environment

If you use Web Services Atomic Transaction (WS-AT) or Web Services Business Activity (WS-BA) support when administrative security is enabled, you might have to change the default transaction service configuration. You can disable the transaction coordination authorization setting, create a new web container transport chain, or do both.

About this task

[AIX Solaris HP-UX Linux Windows][z/OS]You might disable transaction coordination authorization if you want to interoperate with other servers, but you do not want to use the transaction manager in the Common Criteria EAL4 evaluated configuration (the default when administrative security is set). When transaction coordination authorization is disabled, WebSphere® Application Server does not automatically reject secure WS-Transactions protocol messages.

[IBM i]You might disable transaction coordination authorization if you want to interoperate with other servers and you do not want to set up security for the transaction manager to support the Common Criteria EAL4 evaluated configuration. When transaction coordination authorization is disabled, WebSphere Application Server does not automatically reject secure WS-Transactions protocol messages.

You might configure a new web container transport chain for use by WS-Transactions in the following situations:
  • You want to use an alternative port number for WS-AT or WS-BA protocol messages.
  • You want to interoperate with a non-WebSphere Application Server that requires client certificate authentication on the Secure Sockets Layer (SSL) connection that is used for protocol messages.
The transaction service, by default, selects a suitable web container transport chain from the list of those configured and uses it for protocol messages. You can configure a new transport chain and specify your own settings. For example, you can specify an alternative SSL configuration that requires client certificate authentication, which is then used specifically for WS-Transactions protocol messages.

Procedure

  1. Optionally, use the following steps to disable transaction coordination authorization.
    1. In the administrative console, click Servers > Server Types > WebSphere application servers > server_name > [Container Settings] Container Services > Transaction Service.
    2. Clear the Enable transaction coordination authorization check box.
    3. Click Apply or OK.
    4. Save your changes to the master configuration.
  2. Optionally, use the following steps to create a new web container transport chain.
    1. In the administrative console, click Servers > Application servers > server_name > [Container Settings] Web Container Settings > Web container transport chains.
    2. Click New to create a new transport chain.
    3. Type a name for the transport chain.
    4. From the Transport chain template list, select an appropriate template.
    5. Click Next to select a new port for the chain.
    6. Type a name, host, and port number for the port.
      For a secure chain, the host must match the common name in the certificate that is used.
    7. Click Next, confirm the settings, then click Finish.
    8. Save your changes to the master configuration.
    9. If necessary, create a new SSL configuration and associate it with the SSL channel associated with your new chain.
      For more information, see Creating a Secure Sockets Layer configuration.
      You are now ready to configure the transaction service to use the new transport chain.
    10. Click Servers > Application servers > server_name > [Container Settings] Container Services > Transaction Service.
    11. In the External WS-Transaction HTTP(S) URL prefix section, click Select prefix, then select the web container transport chain that you have just created from the list.

      If you are using an intermediary, such an HTTP proxy, in front of the application server, click Specify custom prefix, then type the external endpoint URL information for the intermediary node in the field. For more information, see Enabling WebSphere Application Server to use an intermediary node for web services transactions.

    12. Click Apply or OK, then save your changes to the master configuration.
  3. After you save all the configuration changes, restart the server for the changes to take effect.

Results

You configured your system to use WS-AT or WS-BA in a secure environment.