Liberty Repository [8.5.5.6 or later]
This topic applies to WebSphere Application Server Liberty V8.5.5.9 and earlier. For the latest Liberty topics, see the WebSphere Application Server Liberty documentation.

Configuring the outbound CSIv2 transport layer in the Liberty application client container

You can configure the Liberty application client container to perform client certificate authentication for outbound CSIv2 requests.

About this task

The client certificate authentication of the outbound CSIv2 transport layer for a Liberty application client container is not used by default. You can configure the transportLayer to specify the SSL configuration to use.

You can configure the SSL element to support client certificate authentication or require it. The certificate sent to the server is authenticated against the server user registry and its identity is only used if no other form of authentication is sent in the CSIv2 request, like an identity assertion in the attribute layer or an authentication token in the authentication layer.

Procedure

  1. Configure SSL support as described in Enabling SSL communication for the Liberty application client container.
  2. Optional: Configure the SSL element to use clientAuthentication or clientAuthenticationSupported. For example,
        <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" 
             trustStoreRef="defaultTrustStore" clientAuthentication="true" />
    or
        <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" 
            trustStoreRef="defaultTrustStore" clientAuthenticationSupported="true" />
  3. Configure the <orb> element in the client.xml file as shown below, or add the transportLayer element to an existing <orb> element, replacing the sample values with your own:
    <orb id="defaultOrb">
        <clientPolicy.clientContainerCsiv2>
            <layers>
                <transportLayer sslRef="defaultSSLConfig"/>
            </layers>
        </clientPolicy.clientContainerCsiv2>
    </orb>
    Without specifying an <orb> element, the following configuration is implicit.
    <orb id="defaultOrb">
        <clientPolicy.clientContainerCsiv2>
            <layers>
                <authenticationLayer mechanisms="GSSUP" establishTrustInClient="Supported"/>
                <transportLayer/>
            </layers>
        </clientPolicy.clientContainerCsiv2>
    </orb>
  4. Make sure the server trusts any client certificates that are sent from this client container.
    • When the clientAuthentication attribute is set to true in the ssl element, the client sends a client certificate only to servers that either require or support the client certificate authentication.
    • When the clientAuthenticationSupported attribute is set to true in the ssl element, the client might choose whether to send a client certificate based on the ssl element configuration used by the server.
    • When neither the clientAuthentication nor the clientAuthenticationSupported attribute is set in the ssl element, the client container is not enabled for client certificate authentication.
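The following is a complete client.xml that puts steps 2 through 4 together in one file. It is an added example, not a sample from the original topic or from the Liberty product documentation. The feature name, the key store and trust store file names, and the passwords are assumptions and placeholders; the ssl and orb elements repeat the values used in the steps above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original page): client.xml for client certificate
     authentication on the outbound CSIv2 transport layer. Feature name, key store
     locations and passwords are assumptions or placeholders; replace them. -->
<client>
    <featureManager>
        <!-- Assumed: the client container security feature that provides CSIv2 support -->
        <feature>appSecurityClient-1.0</feature>
    </featureManager>

    <!-- Key store holding the client's personal certificate (the one sent to the server).
         Trust store holding the signer of the server's certificate.
         Locations are relative to the client's resources/security directory;
         the passwords are placeholders. -->
    <keyStore id="defaultKeyStore" location="key.jks" password="CHANGE_ME" />
    <keyStore id="defaultTrustStore" location="trust.jks" password="CHANGE_ME" />

    <!-- Step 2, option A: the client sends its certificate to servers that require
         or support client certificate authentication. -->
    <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"
         trustStoreRef="defaultTrustStore" clientAuthentication="true" />

    <!-- Step 2, option B (use instead of option A for the same id): the client decides
         whether to send its certificate based on the server's ssl configuration.
    <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"
         trustStoreRef="defaultTrustStore" clientAuthenticationSupported="true" />
    -->

    <!-- Step 3: point the outbound CSIv2 transport layer at that SSL configuration.
         The authenticationLayer line is the implicit default spelled out: a GSSUP
         token sent in that layer is used instead of the certificate identity. -->
    <orb id="defaultOrb">
        <clientPolicy.clientContainerCsiv2>
            <layers>
                <authenticationLayer mechanisms="GSSUP" establishTrustInClient="Supported"/>
                <transportLayer sslRef="defaultSSLConfig"/>
            </layers>
        </clientPolicy.clientContainerCsiv2>
    </orb>
</client>
```

For step 4, the signer of the personal certificate in the client's defaultKeyStore must be present in the server's trust store; otherwise the server rejects the handshake when it requires client certificate authentication. Because the certificate identity is used only when no authentication token or identity assertion is sent, check that the request carries no GSSUP token if you expect the server to map the caller from the certificate.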

Results

Your outbound CSIv2 transport layer is now configured for client certificate authentication.

Last updated: Tuesday, 12 December 2017
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-libcore-mp&topic=twlp_sec_csiv2outtransport_client
File name: twlp_sec_csiv2outtransport_client.html