Configuring inbound CSIv2 authentication layer

You can configure a Liberty server to use a specific authentication mechanism for inbound CSIv2 requests.

About this task

The inbound CSIv2 authentication layer for a Liberty server is enabled with the support for the LTPA and GSSUP authentication mechanisms by default. The establishTrustInClient association option of the authentication layer is set to Required by default to indicate that the authentication mechanisms specified are required. When you are using the LTPA mechanism, ensure that the communicating Liberty servers and other servers share the same LTPA keys.

Procedure

  1. Add the appSecurity-2.0 and ejbRemote-3.2 features in the server.xml file.
        <featureManager>
            <feature>appSecurity-2.0</feature>
            <feature>ejbRemote-3.2</feature>
        </featureManager>

    The following example shows the default configuration, which applies without being specified in the server.xml file.

        <orb id="defaultOrb">
            <serverPolicy.csiv2>
                <layers>
                    <attributeLayer identityAssertionEnabled="false"/>
                    <authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Required"/>
                    <transportLayer/>
                </layers>
            </serverPolicy.csiv2>
            <clientPolicy.csiv2>
                <layers>
                    <attributeLayer identityAssertionEnabled="false"/>
                    <authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Supported"/>
                    <transportLayer/>
                </layers>
            </clientPolicy.csiv2>
        </orb>
  2. Optional: If you need to change the default inbound authentication layer configuration, then add an <orb> element in the server.xml file as follows or add the authenticationLayer element to an existing one. Replace the sample values in the example with your values.
        <orb id="defaultOrb">
            <serverPolicy.csiv2>
                <layers>
                    <authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Required"/>
                </layers>
            </serverPolicy.csiv2>
        </orb>
    Note: The ID value defaultOrb in the <orb> element is predefined and cannot be modified.
  3. Optional: Set the mechanisms attribute to LTPA or GSSUP to use only LTPA or only GSSUP (user name and password) as the authentication mechanism.
        <authenticationLayer mechanisms="LTPA" establishTrustInClient="Supported"/>
        or
        <authenticationLayer mechanisms="GSSUP" establishTrustInClient="Supported"/>
  4. Optional: Set the establishTrustInClient attribute to Required, Supported, or Never to indicate that the server requires, supports (optional), or never claims authentication with the specified mechanisms.
    Notes:
    • When the establishTrustInClient attribute is set to Required, only clients that require or support at least one compatible authentication mechanism are able to send a security context to the server.
    • When the establishTrustInClient attribute is set to Supported, a client might choose whether to send the authentication information in the authentication layer.
    • When the establishTrustInClient attribute is set to Never, the inbound CSIv2 authentication layer is disabled and at least one other CSIv2 layer must be enabled to authenticate.

      Omitting a layer uses the default values for that layer.

      For more information about the attributeLayer and transportLayer elements, see Configuring inbound CSIv2 attribute layer and Configuring inbound CSIv2 transport layer.
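    The following Python check is an added example, not part of this IBM page or of Liberty itself: it reads a server.xml, resolves the inbound authentication layer that is actually in force (applying the defaults above when the <orb>, <serverPolicy.csiv2>, <layers> or <authenticationLayer> element is omitted) and reports what a reviewer would want to know before the server goes live. It assumes the standard <server> root element; the sample server.xml fragments are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Defaults this page documents for the inbound (serverPolicy.csiv2) authentication layer.
DEFAULT_INBOUND_AUTH = {"mechanisms": "LTPA,GSSUP", "establishTrustInClient": "Required"}
REQUIRED_FEATURES = {"appSecurity-2.0", "ejbRemote-3.2"}


def effective_inbound_auth_layer(server_xml: str) -> dict:
    """Settings in force: an omitted orb/serverPolicy.csiv2/layers/authenticationLayer means the defaults apply."""
    settings = dict(DEFAULT_INBOUND_AUTH)
    # iter() matches the tag string directly, so clientPolicy.csiv2 (a sibling) is never visited.
    for policy in ET.fromstring(server_xml).iter("serverPolicy.csiv2"):
        for layer in policy.iter("authenticationLayer"):
            for key in settings:
                if key in layer.attrib:
                    settings[key] = layer.attrib[key]
    return settings


def audit_inbound_auth(server_xml: str) -> list:
    """Return review findings about the inbound CSIv2 authentication layer of a server.xml."""
    root = ET.fromstring(server_xml)
    findings = []
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    for name in sorted(REQUIRED_FEATURES - features):
        findings.append("feature %s is not enabled" % name)
    for orb in root.iter("orb"):
        if orb.get("id") != "defaultOrb":  # the id is predefined and cannot be changed
            findings.append("orb id must be defaultOrb, found %r" % orb.get("id"))
    eff = effective_inbound_auth_layer(server_xml)
    if eff["establishTrustInClient"] == "Never":
        findings.append("authentication layer disabled (Never): another CSIv2 layer must authenticate")
    elif eff["establishTrustInClient"] == "Supported":
        findings.append("establishTrustInClient=Supported: clients may skip this layer")
    if "GSSUP" in {m.strip() for m in eff["mechanisms"].split(",")}:
        findings.append("GSSUP accepted: user name and password authentication is allowed")
    return findings


# Constructed sample server.xml fragments (not from the page); <server> is the Liberty root element.
DEFAULT_SERVER_XML = """<server>
  <featureManager><feature>appSecurity-2.0</feature><feature>ejbRemote-3.2</feature></featureManager>
</server>"""

LTPA_ONLY_SERVER_XML = """<server>
  <featureManager><feature>appSecurity-2.0</feature><feature>ejbRemote-3.2</feature></featureManager>
  <orb id="defaultOrb"><serverPolicy.csiv2><layers>
    <authenticationLayer mechanisms="LTPA" establishTrustInClient="Required"/>
  </layers></serverPolicy.csiv2></orb>
</server>"""
```

Running audit_inbound_auth on the default fragment reports only that GSSUP is accepted; the LTPA-only fragment with Required produces no findings.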

Results

Your inbound CSIv2 authentication layer is now configured.




Last updated: Monday, 5 December 2016
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-libcore-mp&topic=twlp_sec_inboundauth
File name: twlp_sec_inboundauth.html