Common Secure Interoperability Version 2 outbound authentication settings

Use this page to specify the features that a server supports when acting as a client to another downstream server.

To view this administrative console page, complete the following steps:
  1. Click Security > Secure administration, applications, and infrastructure.
  2. Under Authentication, click RMI/IIOP security > CSIv2 outbound authentication.
You also can view this administrative console page by completing the following steps:
  1. Click Servers > Application Servers > server_name.
  2. Under Security, click Server security.
  3. Click CSIv2 outbound authentication.
Authentication features include the following layers of authentication that you can use simultaneously:
Transport layer
The transport layer, the lowest layer, might contain a Secure Sockets Layer (SSL) client certificate as the identity.
Message layer
The message layer might contain a user ID and password or authenticated token.
Attribute layer
The attribute layer might contain an identity token, which is an identity from an upstream server that is already authenticated. The attribute layer has the highest priority, followed by the message layer and then the transport layer. If this server sends all three (the attribute layer, the message layer, and the transport layer), the downstream server uses only the attribute layer. The only way to use the SSL client certificate as the identity is to present it as the only information in the outbound request.

Configuration tab

Basic authentication

Specifies whether to send a user ID and a password from the client to the server for authentication.

This type of authentication occurs over the message layer. Basic authentication also covers delegating a credential token from an already authenticated credential, provided the credential type is forwardable (for example, Lightweight Third Party Authentication (LTPA)). In this context, basic authentication refers to any authentication over the message layer, including both user ID and password authentication and token-based authentication.

The following options are available:
Never
This option indicates that this server does not send user ID and password authentication information to downstream servers. If you select Never, requests to downstream servers that require basic authentication fail.
Supported
This option indicates that this server can specify a user ID and password to authenticate with downstream servers. However, a method might be invoked without this type of authentication. For example, the server can use anonymous or client certificate instead.
Required
This option indicates that this server must specify a user ID and password to authenticate with downstream servers for any method request. This server cannot initiate requests with servers that do not support or require basic authentication for inbound requests.

Client certificate authentication

Specifies whether a client certificate from the configured keystore is used to authenticate to the server when the SSL connection is made between this server and a downstream server, provided that the downstream server supports client certificate authentication.

Typically, client certificate authentication performs better than message layer authentication, but it requires some additional setup. These additional steps include verifying that this server has a personal certificate and that the downstream server has the signer certificate of this server.

If you select client certificate authentication, the following options are available:
Never
This option indicates that this server does not attempt Secure Sockets Layer (SSL) client certificate authentication with downstream servers.
Supported
This option indicates that this server can use SSL client certificates to authenticate to downstream servers. However, a method can be invoked without this type of authentication. For example, the server can use anonymous or basic authentication instead.
Required
This option indicates that this server must use SSL client certificates to authenticate to downstream servers.

Identity assertion

Specifies whether to assert identities from one server to another during a downstream enterprise bean invocation.

The identity asserted is the invocation credential that is determined by the RunAs mode for the enterprise bean. If the RunAs mode is Client, the identity is the client identity. If the RunAs mode is System, the identity is the server identity. If the RunAs mode is Specified, the identity is the identity specified. The receiving server receives the identity in an identity token and also receives the sending server identity in a client authentication token. The receiving server validates the identity of the sending server to ensure a trusted identity.

When specifying identity assertion on the CSIv2 authentication outbound panel, you must also select basic authentication as supported or required on the CSIv2 authentication inbound panel. The server identity can then be submitted with the identity token, so that the receiving server can trust the sending server. Without specifying basic authentication as supported or required, trust is not established and the identity assertion fails.

Use server trusted identity
Specifies the server identity that the application server uses to establish trust with the target server. The server identity can be sent using one of the following methods:
  • A server ID and password when the server password is specified in the registry configuration.
  • A server ID in a Lightweight Third Party Authentication (LTPA) token when the internal server ID is used.
For interoperability with application servers other than WebSphere Application Server, use one of the following methods:
  • Configure the server ID and password in the registry.
  • Select the Specify an alternative trusted identity option and specify the trusted identity and password so that an interoperable Generic Security Services Username Password (GSSUP) token is sent instead of an LTPA token.
Specify an alternative trusted identity

Specifies an alternative user as the trusted identity that is sent to the target servers instead of sending the server identity. This option is recommended for identity assertion. The identity is automatically trusted when it is sent within the same cell and does not need to be in the trusted identities list within the same cell. However, this identity must be in the registry of the target servers in an external cell and the user ID must be on the trusted identities list or the identity is rejected during trust evaluation.

Trusted identity
Specifies the trusted identity that is sent from the sending server to the receiving server.

If you specify an identity in this field, it can be selected on the panel for your configured user account repository. If you do not specify an identity, a Lightweight Third Party Authentication (LTPA) token is sent between the servers.

Password
Specifies the password that is associated with the trusted identity.
Confirm password
Confirms the password that is associated with the trusted identity.
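The layer precedence described above (attribute, then message, then transport) and the trust evaluation that a receiving server performs for identity assertion, modelled as an added example. This is illustrative code written for this page, not WebSphere's own implementation; the class and field names, the cell names and the registry contents are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed model (names are illustrative, not WebSphere APIs) of a receiving server
# choosing the identity from a CSIv2 request and evaluating trust for an asserted identity.
@dataclass
class CsiRequest:
    identity_token: Optional[str] = None      # attribute layer: asserted identity
    client_auth_id: Optional[str] = None      # message layer: sending server or user ID
    client_auth_password: Optional[str] = None
    ssl_client_cert_dn: Optional[str] = None  # transport layer: SSL client certificate
    sender_cell: str = "cellA"                # constructed cell name

@dataclass
class ReceivingServer:
    cell: str
    registry: Dict[str, str]                  # user ID -> password (constructed)
    trusted_identities: Set[str]              # trusted identities list

    def effective_layer(self, req: CsiRequest) -> str:
        # Highest-priority layer present wins; the certificate is used only when alone.
        if req.identity_token:
            return "attribute"
        if req.client_auth_id:
            return "message"
        if req.ssl_client_cert_dn:
            return "transport"
        return "none"

    def _basic_auth_ok(self, req: CsiRequest) -> bool:
        return req.client_auth_id is not None and self.registry.get(req.client_auth_id) == req.client_auth_password

    def resolve_identity(self, req: CsiRequest) -> str:
        layer = self.effective_layer(req)
        if layer == "attribute":
            # Identity assertion: the sender must authenticate on the message layer,
            # and a sender from another cell must also be on the trusted identities list.
            if not self._basic_auth_ok(req):
                raise PermissionError("identity assertion failed: sender not authenticated")
            if req.sender_cell != self.cell and req.client_auth_id not in self.trusted_identities:
                raise PermissionError("identity assertion failed: sender not trusted")
            return req.identity_token
        if layer == "message":
            if not self._basic_auth_ok(req):
                raise PermissionError("basic authentication failed")
            return req.client_auth_id
        if layer == "transport":
            return req.ssl_client_cert_dn
        return "UNAUTHENTICATED"
```

The model shows why a client certificate sent alongside basic authentication is never the identity used, and why an identity token without an authenticated sending server is rejected.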

Stateful sessions

Specifies whether to reuse security information during authentication. This option is usually used to increase performance.

The first contact between a client and server must fully authenticate. However, all subsequent contacts with valid sessions reuse the security information. The client passes a context ID to the server, and that ID is used to look up the session. The context ID is scoped to the connection, which guarantees uniqueness. When the security session is not valid, for example because the session no longer exists on the server after the server failed and resumed operation, and authentication retry is enabled, which is the default, the client-side security interceptor invalidates the client-side session and resubmits the request transparently.

When this value is disabled, every method invocation must authenticate again.

Login configuration

Specifies the type of system login configuration that is used for outbound authentication.

You can add custom login modules before or after this login module by completing the following steps:
  1. Click Security > Secure administration, applications, and infrastructure.
  2. Under Authentication, click Java Authentication and Authorization Service > System logins > New.

Custom outbound mapping

Enables the use of custom Remote Method Invocation (RMI) outbound login modules.

The custom login module maps or performs other functions before the predefined RMI outbound call.

To declare a custom outbound mapping, complete the following steps:
  1. Click Security > Secure administration, applications, and infrastructure.
  2. Under Authentication, click Java Authentication and Authorization Service > System logins > New.

Security attribute propagation

Enables the application server to propagate the Subject and the security content token to other application servers using the Remote Method Invocation (RMI) protocol.

Verify that you are using Lightweight Third Party Authentication (LTPA) as your authentication mechanism. LTPA is the only authentication mechanism that is supported when you enable the security attribute propagation feature. To configure LTPA, complete the following steps:
  1. Click Security > Secure administration, applications, and infrastructure.
  2. Under Authentication, click Authentication mechanisms and expiration.

Trusted target realms

Specifies a list of trusted target realms, separated by a pipe character (|), that differ from the current realm.

Prior to WebSphere Application Server, Version 5.1.1, if the current realm does not match the target realm, the authentication request is not sent outbound to other application servers.

Related tasks
Configuring Common Secure Interoperability Version 2 outbound authentication

Last updated: Aug 30, 2013 6:03:36 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-base-iseries&topic=usecoutbound
File name: usec_outbound.html