Configuring outbound CSIv2 authentication layer
You can configure a Liberty server to use specific authentication mechanisms for outbound CSIv2 requests.
About this task
The outbound CSIv2 authentication layer for a Liberty server is enabled with support for the LTPA and GSSUP authentication mechanisms by default. The establishTrustInClient association option of the authentication layer is set to Supported by default to indicate that the authentication mechanisms specified are supported and optional.
When the LTPA mechanism is used, ensure that the communicating Liberty servers and other servers share the same LTPA keys.
Procedure
- Add the appSecurity-2.0 and ejbRemote-3.2 features in the server.xml file.

  <featureManager>
      <feature>appSecurity-2.0</feature>
      <feature>ejbRemote-3.2</feature>
  </featureManager>
  The following example shows the default configuration, which applies without specifying it in the server.xml file.

  <orb id="defaultOrb">
      <serverPolicy.csiv2>
          <layers>
              <attributeLayer identityAssertionEnabled="false"/>
              <authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Required"/>
              <transportLayer/>
          </layers>
      </serverPolicy.csiv2>
      <clientPolicy.csiv2>
          <layers>
              <attributeLayer identityAssertionEnabled="false"/>
              <authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Supported"/>
              <transportLayer/>
          </layers>
      </clientPolicy.csiv2>
  </orb>
- Optional: If you need to change the default outbound authentication layer configuration, then add an <orb> element in the server.xml file as follows, or add the authenticationLayer element to an existing one. Replace the sample values in the example with your values.

  <orb id="defaultOrb">
      <clientPolicy.csiv2>
          <layers>
              <authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Supported"/>
          </layers>
      </clientPolicy.csiv2>
  </orb>
  Note: The ID value defaultOrb in the <orb> element is predefined and cannot be modified.
- Optional: Set the mechanisms attribute to LTPA or GSSUP to use either LTPA or GSSUP (user name and password) only as the authentication mechanism.

  <authenticationLayer mechanisms="LTPA" establishTrustInClient="Supported"/>

  or

  <authenticationLayer mechanisms="GSSUP" establishTrustInClient="Supported"/>
- Optional: Set the establishTrustInClient attribute to Required, Supported, or Never to indicate that the server that is acting as a client requires, supports (optional), or never performs authentication with the specified mechanisms.

Notes:
- For more information about the attributeLayer and transportLayer elements, see Configuring outbound CSIv2 attribute layer and Configuring outbound CSIv2 transport layer.
- For an example of a programmatic login when using GSSUP as the authentication mechanism, see Example: Using the WSLogin configuration to create a basic authentication subject.
- When the establishTrustInClient attribute is set to Required, the client is able to send an authentication token of one of the specified mechanisms only to servers that either require or support the same authentication mechanisms.
- When the establishTrustInClient attribute is set to Supported, the client might choose whether to send the authentication information in the authentication layer. If the downstream server is configured with Supported or Required, then the client sends a compatible authentication token.
- When the establishTrustInClient attribute is set to Never, the outbound CSIv2 authentication layer is disabled and at least one other CSIv2 layer must be enabled to authenticate to the downstream server.
- Omitting a layer uses the default values for that layer.
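The rules above (Required, Supported, Never, and the defaults that apply when a layer is omitted) are easy to get wrong when a server.xml is hand-edited, so the following script checks them statically. It is an added example and is not IBM's code or part of Liberty: it parses a server.xml, applies the documented defaults for an omitted <orb> or authenticationLayer, predicts whether a client and a downstream server can authenticate at the authentication layer, and reports settings worth a second look. Two assumptions are labelled in the code: a server-side establishTrustInClient="Required" is taken to mean the server insists on a token, and the transport layer is not inspected (it depends on the SSL configuration), so a Never setting is flagged unless identity assertion is enabled. The sample server.xml at the bottom is constructed for the demonstration.

```python
"""Lint the outbound CSIv2 authentication-layer settings of a Liberty server.xml.

Added example, not IBM's code. It encodes the Required/Supported/Never rules
described on this page and the documented defaults of the default <orb>.
"""
import xml.etree.ElementTree as ET

TRUST_VALUES = {"Required", "Supported", "Never"}
KNOWN_MECHANISMS = {"LTPA", "GSSUP"}
# Defaults from the documented default <orb id="defaultOrb"> configuration.
DEFAULT_TRUST = {"clientPolicy.csiv2": "Supported", "serverPolicy.csiv2": "Required"}


def _child(elem, tag):
    """First direct child with the given tag; tags such as clientPolicy.csiv2
    contain a dot, so a plain loop is used instead of an XPath expression."""
    if elem is None:
        return None
    for child in elem:
        if child.tag == tag:
            return child
    return None


def auth_layer(root, policy):
    """Return (mechanisms, establishTrustInClient) for a policy, applying the
    documented defaults when the <orb> or the authenticationLayer is omitted."""
    layers = _child(_child(_child(root, "orb"), policy), "layers")
    layer = _child(layers, "authenticationLayer")
    if layer is None:
        return set(KNOWN_MECHANISMS), DEFAULT_TRUST[policy]
    raw = layer.get("mechanisms", "LTPA,GSSUP")
    mechs = {m.strip().upper() for m in raw.split(",") if m.strip()}
    return mechs, layer.get("establishTrustInClient", DEFAULT_TRUST[policy])


def identity_assertion_enabled(root, policy):
    """True if the policy's attribute layer has identityAssertionEnabled="true"."""
    layers = _child(_child(_child(root, "orb"), policy), "layers")
    attr = _child(layers, "attributeLayer")
    return attr is not None and attr.get("identityAssertionEnabled", "false").lower() == "true"


def outbound_outcome(client_mechs, client_trust, server_mechs, server_trust):
    """Predict the authentication-layer result of a call from a client with
    the given settings to a server with the given settings:
      'token'        a compatible authentication token is sent
      'no-token'     the layer is skipped, another layer must authenticate
      'incompatible' one side requires the layer but the other cannot satisfy it
    Assumption: a server-side Required means the server insists on a token."""
    if client_trust == "Never" or server_trust == "Never":
        return "incompatible" if "Required" in (client_trust, server_trust) else "no-token"
    if client_mechs & server_mechs:
        return "token"
    # Both sides allow the layer but share no mechanism.
    return "incompatible" if "Required" in (client_trust, server_trust) else "no-token"


def lint_outbound(xml_text):
    """Return a list of findings for the outbound (clientPolicy.csiv2) settings."""
    root = ET.fromstring(xml_text)
    findings = []
    fm = _child(root, "featureManager")
    features = {f.text.strip() for f in (fm if fm is not None else []) if f.tag == "feature" and f.text}
    for needed in ("appSecurity-2.0", "ejbRemote-3.2"):
        if needed not in features:
            findings.append(f"missing feature {needed}")
    orb = _child(root, "orb")
    if orb is not None and orb.get("id") != "defaultOrb":
        findings.append(f"orb id must be defaultOrb, found {orb.get('id')!r}")
    mechs, trust = auth_layer(root, "clientPolicy.csiv2")
    if trust not in TRUST_VALUES:
        findings.append(f"invalid establishTrustInClient {trust!r}")
    unknown = mechs - KNOWN_MECHANISMS
    if unknown:
        findings.append(f"unknown mechanisms {sorted(unknown)}")
    if trust == "Never" and not identity_assertion_enabled(root, "clientPolicy.csiv2"):
        # Assumption: the transport layer is not inspected (it depends on the SSL config).
        findings.append("authentication layer disabled (Never) and identity assertion is off: "
                        "make sure the transport layer authenticates to downstream servers")
    if "LTPA" in mechs:
        findings.append("LTPA enabled: communicating servers must share the same LTPA keys")
    return findings


# Constructed sample: outbound authentication layer switched off, no identity assertion.
SAMPLE_SERVER_XML = """<server>
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>ejbRemote-3.2</feature>
  </featureManager>
  <orb id="defaultOrb">
    <clientPolicy.csiv2>
      <layers>
        <authenticationLayer mechanisms="GSSUP" establishTrustInClient="Never"/>
      </layers>
    </clientPolicy.csiv2>
  </orb>
</server>"""

if __name__ == "__main__":
    for finding in lint_outbound(SAMPLE_SERVER_XML):
        print(finding)
```

Run it against a real server.xml by replacing SAMPLE_SERVER_XML with the file contents; an empty `<server/>` exercises the default path and reports only the missing features and the LTPA key-sharing reminder, which matches the default configuration shown earlier in the procedure.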
Results
Parent topic: Configuring outbound CSIv2 in Liberty


http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=twlp_sec_outboundauth
File name: twlp_sec_outboundauth.html