Use the security attribute propagation feature of WebSphere Application
Server to send security attribute information about the original login
to other servers in a token. This topic explains how to configure WebSphere
Application Server to propagate security attributes to other servers.
About this task
To fully enable security attribute propagation, you must configure
the single sign-on (SSO), Common Secure Interoperability Version 2 (CSIv2)
inbound, and CSIv2 outbound panels in the WebSphere Application Server administrative
console. You can enable just the portions of security attribute propagation
relevant to your configuration. For example, you can enable Web propagation,
which is propagation among front-end application servers, using either the
push technique (DynaCache) or the pull technique (a remote method call back to
the originating server).
You can also choose whether to enable Remote Method Invocation
(RMI) outbound and inbound propagation, which is commonly called downstream
propagation. Typically both types of propagation are enabled for a given
cell. In some cases, you might want to choose a different option for a specific
application server; do this on the server security panel within that application
server's settings.
Restriction: To avoid propagating the same
security attributes among application servers more than once, WebSphere Application
Server first checks whether a Lightweight Third Party Authentication (LTPA) token
is already present on the request. If no LTPA token is present, propagation proceeds.
If an LTPA token is present and was generated within the cluster, the attributes have
already been propagated and are not sent again. If an LTPA token is present but
was generated by a server outside the cluster, such as Tivoli Access
Manager, Lotus Domino, or a different Application Server cluster, security
attributes are not propagated either, because the token carries no propagated attributes for this cluster.
To access the server security panel in the administrative console, click Servers
> Application Servers > server_name. Under Security, click Server
security.
Complete the following steps to configure WebSphere Application
Server for security attribute propagation:
What to do next
If you need to disable security attribute propagation, first decide
whether to disable it at the server level or at the cell level.
Attention: Changes to the server-level settings override the cell settings.
To disable security attribute propagation on
the server level, complete the following steps:
- Click Servers > Application Servers > server_name.
- Under Security, click Server security.
- Select the RMI/IIOP security for this server overrides cell settings option.
- Disable security attribute propagation for inbound
requests by clicking CSI inbound authentication under Additional Properties
and clearing the Security attribute propagation option.
- Disable security attribute propagation for outbound
requests by clicking CSI outbound authentication under Additional Properties
and clearing the Security attribute propagation option.
To disable security attribute propagation on the cell level, undo
each of the steps that you completed to enable security attribute propagation
in this task.