You can configure a Liberty application client container to use specific authentication
mechanisms for outbound CSIv2 requests.
About this task
The outbound CSIv2 authentication layer for a Liberty application client container is enabled
with support for the GSSUP authentication mechanism by default. The
establishTrustInClient association option of the authentication layer is set to
Supported by default to indicate that the authentication mechanisms specified
are supported and optional.
Procedure
- Configure the orb element in the client.xml file
as follows or add the authenticationLayer element
to an existing one, replacing the sample values in the example with
your values:
<orb id="defaultOrb">
  <clientPolicy.clientContainerCsiv2>
    <layers>
      <authenticationLayer user="userId" password="{xor}PDc+MTg6Ejo="/>
    </layers>
  </clientPolicy.clientContainerCsiv2>
</orb>
Note: The id value defaultOrb in
the orb element is predefined and cannot be modified.
Note: Hash encoding cannot be used for the password because the client must
recover the original password to send it, and the original password cannot be
decoded from the hashed value.
The mechanisms and establishTrustInClient attributes
are optional. The only supported value, and the default value, for
the mechanisms attribute is GSSUP.
Without specifying an <orb> element, the following configuration is implicit.
<orb id="defaultOrb">
  <clientPolicy.clientContainerCsiv2>
    <layers>
      <authenticationLayer mechanisms="GSSUP" establishTrustInClient="Supported"/>
      <transportLayer/>
    </layers>
  </clientPolicy.clientContainerCsiv2>
</orb>
- Optional: Set the user and password attributes
with a valid user ID and password to access the server. By default,
a server requires the GSSUP mechanism for inbound
connections, meaning that the server must receive a user and password.
Because of this requirement, the user and password values are
required in the client.xml file, unless a programmatic
login is implemented by the application.
- Optional: Set the establishTrustInClient attribute
to Required, Supported (default),
or Never for performing authentication with
the specified mechanisms. For example,
<orb id="defaultOrb">
  <clientPolicy.clientContainerCsiv2>
    <layers>
      <authenticationLayer user="userId" password="{xor}PDc+MTg6Ejo=" establishTrustInClient="Required" />
    </layers>
  </clientPolicy.clientContainerCsiv2>
</orb>
Note:
  - When the establishTrustInClient attribute is
  set to Required, the client is able to send
  an authentication token of one of the specified mechanisms only to
  servers that either require or support the same authentication mechanisms.
  - When the establishTrustInClient attribute is
  set to Supported (default), the client can
  choose whether to send the authentication information in the authentication
  layer. If the server is configured with Supported or Required for
  the same authentication mechanisms, then the client sends a compatible
  authentication token.
  - When the establishTrustInClient attribute is
  set to Never, the outbound CSIv2 authentication
  layer is disabled and the CSIv2 transport layer must be enabled to
  authenticate to the server.
Results
Your outbound CSIv2 authentication layer is now configured.
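The following Python check is an added example, not code from the product or its documentation. It applies the rules from the procedure above to a client.xml: the predefined defaultOrb id, GSSUP as the only mechanism, the three establishTrustInClient values, and no hash-encoded password. The function name, the <client> root and sample values, the {hash} prefix test, and treating a present <transportLayer> element as "enabled" are assumptions.

```python
import xml.etree.ElementTree as ET

TRUST_VALUES = {"Required", "Supported", "Never"}

def lint_outbound_csiv2(client_xml):
    """Return findings for the outbound CSIv2 authentication layer of each <orb>."""
    findings = []
    for orb in ET.fromstring(client_xml).iter("orb"):
        if orb.get("id") != "defaultOrb":
            findings.append("orb id must be the predefined value defaultOrb")
        layers = next(orb.iter("layers"), None)
        auth = layers.find("authenticationLayer") if layers is not None else None
        if auth is None:
            continue  # implicit configuration applies: GSSUP, Supported
        if auth.get("mechanisms", "GSSUP") != "GSSUP":
            findings.append("mechanisms: GSSUP is the only supported value")
        trust = auth.get("establishTrustInClient", "Supported")
        if trust not in TRUST_VALUES:
            findings.append("establishTrustInClient: unsupported value " + trust)
        # Assumption: a <transportLayer> element means that layer is enabled.
        if trust == "Never" and layers.find("transportLayer") is None:
            findings.append("Never: the CSIv2 transport layer must be enabled")
        user, password = auth.get("user"), auth.get("password", "")
        if trust != "Never" and not (user and password):
            findings.append("no user/password: a programmatic login is needed")
        if password.startswith("{hash}"):
            findings.append("password: hash encoding cannot be decoded")
        elif password.startswith("{xor}"):
            findings.append("password: {xor} is reversible, protect client.xml")
        elif password and not password.startswith("{"):
            findings.append("password: stored in plain text")
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """<client>
  <orb id="defaultOrb">
    <clientPolicy.clientContainerCsiv2>
      <layers>
        <authenticationLayer user="userId" password="{hash}CONSTRUCTED"
                             establishTrustInClient="Never"/>
      </layers>
    </clientPolicy.clientContainerCsiv2>
  </orb>
</client>"""

if __name__ == "__main__":
    for finding in lint_outbound_csiv2(SAMPLE):
        print("FINDING:", finding)
```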