You can use the administrative console to configure outbound
messages for CSIv2.
Procedure
- In the administrative console, click Security > Global
security.
- Under Authentication, expand RMI/IIOP security.
- Click CSIv2 outbound communication.
- Optional: Click Propagate security attributes or Use identity assertion.
The Propagate security attributes option enables support for security attribute propagation during login requests. When you select this option, the application server retains additional information about the login request, such as the authentication strength used, and retains the identity and location of the request originator.
The Use identity assertion option specifies identity assertion, which is a way to assert identities from one server to another during a downstream Enterprise JavaBeans (EJB) invocation.
The Use server trusted identity option specifies the server identity that the application server uses to establish trust with the target server.
The Specify an alternative trusted identity option enables you to specify an alternative user as the trusted identity that is sent to the target servers instead of sending the server identity. If you select this option, you must provide the name of the trusted identity and the password that is associated with the trusted identity.
Note: You must select Basic Authentication under the Message Layer authentication section to send an alternative trusted identity. If you do not select Basic Authentication, then choose the Server Identity instead.
- Under CSIv2 Message layer authentication, select Supported, Never or Required.
- Never
- Specifies that this server cannot accept an authentication mechanism
that you select under Allow client to server authentication with:.
- Supported
- Specifies that clients communicating with this server can specify
an authentication mechanism that you select under Allow client
to server authentication with:. However, a method might be invoked
without this type of authentication. For example, an anonymous or
client certificate might be used instead.
- Required
- Specifies that clients communicating with this server must specify
an authentication mechanism that you select under Allow client
to server authentication with:.
Avoid trouble: When you enable the Location Service Daemon (LSD), CSIv2 inbound and CSIv2 outbound message layer authentication in global security must be set to either Required or Supported.
- Under Allow client to server authentication with:, select Kerberos, LTPA, and/or Basic authentication. You can optionally select:
- Kerberos
- Select to enable authentication using the Kerberos token.
- LTPA
- Select to enable authentication using the Lightweight Third-Party
Authentication (LTPA) token.
- Basic authentication
- This type of authentication typically involves sending a user ID and a password from the client to the server for authentication. This is also known as Generic Security Services Username Password (GSSUP).
This authentication also involves delegating a credential token from an already authenticated credential, provided the credential type is forwardable; for example, LTPA.
If you select Supported under CSIv2 Message layer authentication, and check KRB5 and LTPA under Allow client to server authentication with:, then the server does not accept the user name and password.
- Optional: Select Custom outbound mapping. This option enables the use of custom Remote Method Invocation
(RMI) outbound login modules.
Results
You have now configured messages for CSIv2 outbound.
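The dependencies between the options in this procedure can be checked before the settings are applied in the console. The following is an added example, not product code: the function name, parameter names and the mechanism labels KRB5, LTPA and BASIC are assumptions chosen for illustration, not WebSphere configuration keys.

```python
# Added example: names are hypothetical, not WebSphere configuration keys.
LEVELS = ("Never", "Supported", "Required")
MECHANISMS = {"KRB5", "LTPA", "BASIC"}


def check_csiv2_outbound(message_layer_auth, mechanisms,
                         alternative_trusted_identity=False,
                         trusted_identity_name="",
                         trusted_identity_password="",
                         lsd_enabled=False):
    """Return (severity, message) findings for the dependencies in the procedure."""
    mechanisms = set(mechanisms)
    out = []
    if message_layer_auth not in LEVELS:
        out.append(("error", "message layer authentication must be one of: "
                    + ", ".join(LEVELS)))
    unknown = mechanisms - MECHANISMS
    if unknown:
        out.append(("error", "unknown mechanism(s): " + ", ".join(sorted(unknown))))
    # "Avoid trouble" note: with LSD enabled, Never is not a valid choice.
    if lsd_enabled and message_layer_auth == "Never":
        out.append(("error", "LSD is enabled: set message layer authentication "
                    "to Required or Supported"))
    if alternative_trusted_identity:
        # Note in the identity step: Basic Authentication must be selected.
        if "BASIC" not in mechanisms:
            out.append(("error", "an alternative trusted identity needs Basic "
                        "authentication; otherwise use the server identity"))
        if not (trusted_identity_name and trusted_identity_password):
            out.append(("error", "an alternative trusted identity needs a name "
                        "and a password"))
    # Supported with KRB5 and LTPA checked: user name and password are not accepted.
    if (message_layer_auth == "Supported"
            and {"KRB5", "LTPA"} <= mechanisms and "BASIC" not in mechanisms):
        out.append(("info", "user name and password are not accepted "
                    "with this selection"))
    return out


if __name__ == "__main__":
    # Constructed sample settings, not taken from a real cell.
    for severity, message in check_csiv2_outbound(
            "Never", {"LTPA"}, alternative_trusted_identity=True,
            trusted_identity_name="svc-trust", lsd_enabled=True):
        print(severity + ": " + message)
```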