You can configure a Liberty
server to use a specific authentication mechanism for inbound CSIv2 requests.
About this task
By default, the inbound CSIv2 authentication layer of a Liberty server is enabled with support for the
LTPA and GSSUP authentication mechanisms, and the establishTrustInClient
association option of the layer is set to Required, which means that a client must
authenticate with one of the listed mechanisms. When you use the LTPA mechanism, ensure that all
communicating Liberty servers and other servers share the same LTPA keys: a server can validate only
LTPA tokens that were issued with keys it holds.
Procedure
- Add the appSecurity-2.0 and ejbRemote-3.2 features to
the server.xml file.
<featureManager>
<feature>appSecurity-2.0</feature>
<feature>ejbRemote-3.2</feature>
</featureManager>
The following example shows the default configuration, which is in effect even when it is not
specified in the server.xml file.
<orb id="defaultOrb">
<serverPolicy.csiv2>
<layers>
<attributeLayer identityAssertionEnabled="false"/>
<authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Required"/>
<transportLayer/>
</layers>
</serverPolicy.csiv2>
<clientPolicy.csiv2>
<layers>
<attributeLayer identityAssertionEnabled="false"/>
<authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Supported"/>
<transportLayer/>
</layers>
</clientPolicy.csiv2>
</orb>
- Optional: If you need to change the default inbound authentication layer configuration,
add an <orb> element to the server.xml file as follows, or add
the authenticationLayer element to an existing <orb> element. Replace the sample
values in the example with your values.
<orb id="defaultOrb">
<serverPolicy.csiv2>
<layers>
<authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Required"/>
</layers>
</serverPolicy.csiv2>
</orb>
Note: The ID value defaultOrb in the <orb> element is predefined and
cannot be modified.
- Optional: Set the mechanisms attribute to LTPA or
GSSUP to accept only that mechanism: LTPA for LTPA tokens, or
GSSUP for user name and password authentication.
<authenticationLayer mechanisms="LTPA" establishTrustInClient="Supported"/>
or
<authenticationLayer mechanisms="GSSUP" establishTrustInClient="Supported"/>
- Optional: Set the establishTrustInClient attribute to
Required, Supported, or Never to
indicate that the server requires, supports (accepts but does not require), or never claims
client authentication with the specified mechanisms.
Notes:
- When the establishTrustInClient attribute is set to
Required, only clients that require or support at least one
compatible authentication mechanism are able to send a security context to the
server; a client that sends no authentication information is not accepted.
- When the establishTrustInClient attribute is set to
Supported, the client chooses whether to send
authentication information in the authentication layer.
- When the establishTrustInClient attribute is set to
Never, the inbound CSIv2 authentication layer is disabled, so at
least one other CSIv2 layer (the attribute layer or the transport layer) must be enabled to
authenticate the caller. Do not set Never unless that other layer is
configured, because the server otherwise has no way to authenticate inbound requests.
If you omit a layer element, the default values for that layer are used.
For more information about the
attributeLayer and transportLayer elements,
see Configuring inbound CSIv2 attribute layer and Configuring inbound
CSIv2 transport layer.
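The complete server.xml that the steps above produce, as an added example that is not taken from the original page or from Liberty's own samples. It requires either LTPA or GSSUP on every inbound CSIv2 request, keeps identity assertion off, and adds the two supporting pieces the procedure relies on but does not show: shared LTPA keys for the LTPA mechanism and a user registry so that GSSUP user names and passwords can be validated. The basicRegistry and ltpa elements, the key file location, the key password, the user name and the user password are assumptions chosen for illustration; replace them with your own values.

```xml
<!-- Added example: a Liberty server.xml that requires authentication on the
     inbound CSIv2 authentication layer. Not from the original page or from
     Liberty's documentation samples; values marked as assumptions are
     placeholders for illustration only. -->
<server description="Liberty server that requires LTPA or GSSUP on inbound CSIv2 requests">

    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>ejbRemote-3.2</feature>
    </featureManager>

    <!-- Assumption: a basic user registry so that GSSUP (user name and
         password) credentials can be validated. Any registry supported by
         appSecurity-2.0 will do. Encode the password with
         "securityUtility encode" rather than storing it in clear text. -->
    <basicRegistry id="basic" realm="BasicRealm">
        <user name="ejbclient" password="changeit-client-password" />
    </basicRegistry>

    <!-- Assumption: every server that exchanges LTPA tokens with this one
         must point at a copy of the same keys file and use the same
         keysPassword; a token issued with other keys cannot be validated. -->
    <ltpa keysFileName="${server.config.dir}/resources/security/ltpa.keys"
          keysPassword="changeit-keys-password"
          expiration="120" />

    <!-- The ID defaultOrb is predefined and cannot be changed. -->
    <orb id="defaultOrb">
        <serverPolicy.csiv2>
            <layers>
                <!-- Identity assertion stays off: an inbound caller cannot
                     assert an identity without authenticating first. -->
                <attributeLayer identityAssertionEnabled="false" />

                <!-- Required: a client that supplies neither an LTPA token
                     nor a GSSUP user name and password is not accepted.
                     Change mechanisms to "GSSUP" to accept only user name
                     and password, or to "LTPA" to accept only tokens. -->
                <authenticationLayer mechanisms="LTPA,GSSUP"
                                     establishTrustInClient="Required" />

                <!-- Weak setting to avoid: Never disables this layer, so
                     callers are authenticated only if the attribute or
                     transport layer is configured to do it.
                <authenticationLayer mechanisms="LTPA,GSSUP"
                                     establishTrustInClient="Never" />
                -->

                <!-- Omitted attributes keep the transport layer defaults. -->
                <transportLayer />
            </layers>
        </serverPolicy.csiv2>
    </orb>

</server>
```

Keep the Required setting unless the attribute layer or transport layer is configured to authenticate callers on its own; with Supported, a remote client is free to connect without sending any authentication information in this layer.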
Results
Your inbound CSIv2 authentication layer is now configured.