Configuring inbound CSIv2 attribute layer

You can configure a Liberty server to claim support for identity assertion for inbound CSIv2 requests.

About this task

The inbound CSIv2 attribute layer for a Liberty server has identity assertion disabled by default. After identity assertion is enabled through the identityAssertionEnabled attribute, the server supports Anonymous, Principal Name, X509 Certificate Chain, and Distinguished Name identity assertions from an upstream server that is acting as a client. You can use the identityAssertionTypes attribute to specify the identity token types that the server supports. The trustedIdentities attribute can be used to specify the identities of the trusted upstream servers that are allowed to assert an identity to this server.
CAUTION:
Ensure that only trusted entities communicate with the server if presumed trust is set.

Procedure

  1. Add the appSecurity-2.0 and ejbRemote-3.2 features in the server.xml file.
        <featureManager>
            <feature>appSecurity-2.0</feature>
            <feature>ejbRemote-3.2</feature>
        </featureManager>
    The following is the default configuration without having to specify it in the server.xml file.
        <orb id="defaultOrb">
            <serverPolicy.csiv2>
                <layers>
                    <attributeLayer identityAssertionEnabled="false"/>
                    <authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Required"/>
                    <transportLayer/>
                </layers>
            </serverPolicy.csiv2>
            <clientPolicy.csiv2>
                <layers>
                    <attributeLayer identityAssertionEnabled="false"/>
                    <authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Supported"/>
                    <transportLayer/>
                </layers>
            </clientPolicy.csiv2>
        </orb>
  2. Optional: If you need to change the default inbound attribute layer configuration, then add an <orb> element in the server.xml file as follows or add the attributeLayer element to an existing one. Replace the sample values in the example with your values.
        <orb id="defaultOrb">
            <serverPolicy.csiv2>
                <layers>
                    <attributeLayer identityAssertionEnabled="true"/>
                </layers>
            </serverPolicy.csiv2>
        </orb>
    Note: The ID value defaultOrb in the <orb> element is predefined and cannot be modified.
  3. Set the trustedIdentities attribute by changing the example values to the trustedIdentity of each of the upstream servers. The pipe character (|) must be used to separate the values when there is more than one asserting client.
    <attributeLayer identityAssertionEnabled="true" trustedIdentities="yourAssertingUpstreamServer|anotherAssertingUpstreamServer"/>
  4. Alternative: Instead of setting a named value for the trustedIdentities in step 2, you can set the trustedIdentities attribute to the character (*) to indicate that the server supports presumed trust. With presumed trust, any upstream server is able to assert an identity, so this value must be used only when the upstream servers can be limited to a set of trusted servers. Therefore, use this value with caution.
    <attributeLayer identityAssertionEnabled="true" trustedIdentities="*"/>
  5. When an upstream server that sends a certificate chain is trusted, add the issuer distinguished name of the certificate chain to the trustedIdentities attribute. For example,
        <attributeLayer identityAssertionEnabled="true" trustedIdentities="CN=localhost,O=ibm,C=us"/>
  6. Optional: If you need to change the default identity assertion token types that are supported by the server, then add the identityAssertionTypes attribute to the attributeLayer element in the server.xml file and specify a comma-separated list of values. The valid values are ITTAnonymous, ITTPrincipalName, ITTX509CertChain, and ITTDistinguishedName. For example, you can configure the server to support identity assertions with X509 Certificate Chains or Distinguished Names. Replace the sample values in the example with your values.
    <orb id="defaultOrb">
        <serverPolicy.csiv2>
            <layers>
                <attributeLayer identityAssertionEnabled="true" identityAssertionTypes="ITTX509CertChain, ITTDistinguishedName"/>
            </layers>
        </serverPolicy.csiv2>
    </orb>
    Note: The upstream server identity is obtained from the security information that the server sent in either the authentication layer or the transport layer. The authentication layer identity takes precedence over the transport identity, and the transport identity is used if no security information is sent at the authentication layer. For sample syntax and more information about authenticationLayer and transportLayer elements, see Configuring inbound CSIv2 authentication layer and Configuring inbound CSIv2 transport layer.
    Omitting a layer uses the default values for that layer.
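The following script is an added example, not part of the IBM documentation or of the Liberty product. It reads a server.xml fragment, locates the inbound (serverPolicy.csiv2) attributeLayer element described in steps 2 through 6, and reports how identity assertion is configured: whether it is enabled, which trustedIdentities values are listed (split on the pipe character), whether presumed trust (*) is in effect, and whether every identityAssertionTypes value is one of the four valid token types. The sample server.xml fragments embedded in the script are constructed for the example; the function and variable names are the example's own.

```python
"""Audit the inbound CSIv2 attribute layer of a Liberty server.xml.

Added example; not IBM documentation or Liberty product code. It only
inspects elements the page describes: orb / serverPolicy.csiv2 / layers /
attributeLayer and the identityAssertionEnabled, trustedIdentities and
identityAssertionTypes attributes. The clientPolicy.csiv2 attribute layer
is ignored because it governs outbound requests, not inbound ones.
"""
import xml.etree.ElementTree as ET

# The four identity token types the page lists as valid.
VALID_TYPES = {"ITTAnonymous", "ITTPrincipalName",
               "ITTX509CertChain", "ITTDistinguishedName"}


def find_inbound_attribute_layer(server_xml):
    """Return the attributes of the first serverPolicy.csiv2 attributeLayer, or None."""
    root = ET.fromstring(server_xml)
    for orb in root.iter("orb"):
        for policy in orb.iter("serverPolicy.csiv2"):
            for layer in policy.iter("attributeLayer"):
                return dict(layer.attrib)
    return None


def audit_attribute_layer(server_xml):
    """Summarise the inbound identity-assertion settings and list findings."""
    attrs = find_inbound_attribute_layer(server_xml)
    findings = []
    if attrs is None:
        # No element present: Liberty's default applies, identity assertion disabled.
        return {"identity_assertion_enabled": False, "trusted_identities": [],
                "presumed_trust": False, "identity_assertion_types": [],
                "findings": findings}

    enabled = attrs.get("identityAssertionEnabled", "false").strip().lower() == "true"
    # trustedIdentities is pipe-separated; "*" means presumed trust.
    trusted = [t.strip() for t in attrs.get("trustedIdentities", "").split("|") if t.strip()]
    presumed = "*" in trusted
    # identityAssertionTypes is comma-separated; tolerate spaces after commas.
    types = [t.strip() for t in attrs.get("identityAssertionTypes", "").split(",") if t.strip()]

    if enabled and presumed:
        findings.append("presumed trust: any upstream server may assert an identity")
    if enabled and not trusted:
        findings.append("identity assertion enabled but trustedIdentities is empty")
    for t in types:
        if t not in VALID_TYPES:
            findings.append("unknown identityAssertionTypes value: " + t)

    return {"identity_assertion_enabled": enabled, "trusted_identities": trusted,
            "presumed_trust": presumed, "identity_assertion_types": types,
            "findings": findings}


# Constructed sample: the page's default configuration (no identity assertion).
SAMPLE_DEFAULT = """<server>
  <orb id="defaultOrb">
    <serverPolicy.csiv2><layers>
      <attributeLayer identityAssertionEnabled="false"/>
    </layers></serverPolicy.csiv2>
    <clientPolicy.csiv2><layers>
      <attributeLayer identityAssertionEnabled="false"/>
    </layers></clientPolicy.csiv2>
  </orb>
</server>"""

# Constructed sample: named trusted identities and restricted token types.
SAMPLE_NAMED = """<server>
  <orb id="defaultOrb">
    <serverPolicy.csiv2><layers>
      <attributeLayer identityAssertionEnabled="true"
                      trustedIdentities="yourAssertingUpstreamServer|anotherAssertingUpstreamServer"
                      identityAssertionTypes="ITTX509CertChain, ITTDistinguishedName"/>
    </layers></serverPolicy.csiv2>
  </orb>
</server>"""

# Constructed sample: presumed trust plus a misspelt token type.
SAMPLE_PRESUMED = """<server>
  <orb id="defaultOrb">
    <serverPolicy.csiv2><layers>
      <attributeLayer identityAssertionEnabled="true" trustedIdentities="*"
                      identityAssertionTypes="ITTPrincipalName,ITTBogus"/>
    </layers></serverPolicy.csiv2>
  </orb>
</server>"""

if __name__ == "__main__":
    for name, xml in (("default", SAMPLE_DEFAULT), ("named", SAMPLE_NAMED),
                      ("presumed", SAMPLE_PRESUMED)):
        print(name, audit_attribute_layer(xml))
```

Run against a real server.xml by passing the file contents to audit_attribute_layer; a non-empty findings list is the signal to review the configuration before enabling identity assertion in production.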

Results

Your inbound CSIv2 attribute layer is now configured for identity assertion.

Last updated: Saturday, 3 December 2016
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=twlp_sec_inboundattributes
File name: twlp_sec_inboundattributes.html