Use the security attribute propagation feature of WebSphere® Application Server
to send security attribute information regarding the original login
to other servers by using a token. This topic describes how to configure WebSphere Application Server
to propagate security attributes to other servers.
About this task
To fully enable security attribute propagation, you must
configure the single sign-on (SSO), Common Secure Interoperability
Version 2 (CSIv2) inbound, and CSIv2 outbound panels in the WebSphere Application Server
administrative console. You can enable just the portions of security
attribute propagation relevant to your configuration. For example,
you can enable web propagation, which is propagation amongst front-end
application servers, using either the push technique (DynaCache) or
the pull technique (remote method to originating server).
You also can choose whether to enable Remote Method Invocation (RMI) outbound
and inbound propagation, which is commonly called downstream propagation.
Typically both types of propagation are enabled for any given cell. In
some cases, you might want to choose a different option for a specific
application server using the server security panel within the specific
application server settings.
Restriction: To prevent propagating the same security attributes
among application servers multiple times, WebSphere Application
Server checks whether a Lightweight Third Party Authentication (LTPA)
token already exists. Two cases can occur. If no LTPA token is present,
the Application Server can proceed with propagation. If an LTPA token
is present and was generated within the cluster, propagation has
already occurred. However, in the second case, if the LTPA token is
present but was generated by a server outside the cluster, such as
by Tivoli® Access Manager, Lotus® Domino®, or a different Application
Server cluster, security attributes are not propagated.
To access the server security panel in the administrative console, click Servers > Application Servers > server_name.
Under Security, click Server security.
Complete the following steps to configure WebSphere Application
Server for security attribute propagation:
What to do next
If you need to disable security attribute propagation,
determine whether you need to disable it at the server level
or at the cell level.
Attention: Changes to the server-level settings override the cell settings.
To disable security attribute propagation on the server level, complete
the following steps:
- Click Server > Application Servers > server_name.
- Under Security, click Server security.
- Select the RMI/IIOP security for this server overrides cell settings option.
- Disable security attribute propagation for inbound requests by clicking CSI inbound authentication under Additional Properties and clearing the Security attribute propagation option.
- Disable security attribute propagation for outbound requests by clicking CSI outbound authentication under Additional Properties and clearing the Security attribute propagation option.
To disable security attribute propagation on the cell level, undo each
of the steps that you completed to enable security attribute propagation
in this task.