The following choices are available when configuring the
Common Secure Interoperability Version 2 (CSIv2) Outbound Authentication
panel.
Before you begin
Outbound authentication refers to the configuration
that determines the type of authentication that is performed for outbound
requests to downstream servers. Several layers or methods of
authentication can occur. The downstream server inbound authentication
configuration must support at least one choice made in this server
outbound authentication configuration. If nothing is supported, the
request might go outbound as unauthenticated. This situation does
not create a security problem because the authorization runtime is
responsible for preventing access to protected resources. However,
if you choose to prevent an unauthenticated credential from going
outbound, you might want to designate one of the authentication layers
as required, rather than supported. If a downstream server does not
support authentication, then when authentication is required, the
method request fails to go outbound.
About this task
The following choices are available in the Common Secure
Interoperability Version 2 (CSIv2) Outbound Authentication panel.
Remember that you are not required to complete these steps in the
displayed order. Rather, these steps are provided to help you understand
your choices for configuring outbound authentication.
Procedure
- Select Identity Assertion (attribute layer).
When selected, this server sends an identity token to a downstream
server if the downstream server supports identity assertion. When
an originating client authenticates to this server, the authentication
information supplied is preserved in the outbound identity token.
If the client authenticating to this server uses client certificate
authentication, then the identity token format is a certificate chain,
containing the exact client certificate chain from the inbound socket.
The same scenario is true for other mechanisms of authentication.
Read the Identity Assertion topic
for more information.
- Select User ID and Password (message layer).
This type of authentication is the most typical. The user ID
and password (if BasicAuth credential) or
authenticated token (if authenticated credential) are sent outbound
to the downstream server if the downstream server supports message
layer authentication in the inbound authentication panel. Refer to
the Message Layer
Authentication article for more information.
- Select SSL Client certificate authentication (transport
layer). The main reason to enable outbound Secure Sockets
Layer (SSL) client authentication from one server to a downstream
server is to create a trusted environment between those servers. For
delegating client credentials, use one of the two layers mentioned
previously. However, you might want to create SSL personal certificates
for all the servers in your domain, and only trust those servers in
your SSL truststore file. No other servers or clients can connect
to the servers in your domain, except at the tiers where you want
them. This process can protect your enterprise bean servers from access
by anything other than your servlet servers. Refer to the SSL Client Certificate Authentication topic
for more information.
A server can send multiple layers simultaneously; therefore,
an order-of-precedence rule decides which identity to use.
The identity assertion layer has the highest priority, the message
layer follows, and the transport layer has the lowest priority. SSL
client certificates are used as the identity for invoking method
requests only when the transport layer is the only layer provided. SSL client certificates
are useful for trust purposes, even if the identity is not used for
the request. If only the message layer and transport layer are provided,
the message layer is used to establish the identity for authorization.
If the identity assertion layer is provided (regardless of what is
provided), then the identity from the identity token is always used
by the authorization engine as the identity for that request.
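The following is an added example, not part of this documentation and not WebSphere code. It models, in plain Python, the two rules stated above and in the "Before you begin" section: a layer is sent only when the downstream inbound configuration supports it, a layer marked required that the downstream server does not support causes the outbound request to fail, no common layer means the request goes outbound unauthenticated, and when several layers are sent the identity is taken from the highest-priority layer (identity assertion, then message, then transport, the transport identity being used only when it is the only layer). The setting names `NEVER`, `SUPPORTED` and `REQUIRED`, the `LayerConfig`/`negotiate` API and the scenario values are assumptions made for illustration; the page does not describe how a downstream server treats a layer that it requires but the upstream server never sends, so that case is deliberately not modelled.

```python
"""Simplified model of CSIv2 outbound/inbound layer negotiation.

Added example: this is not WebSphere's implementation. It encodes only the
rules stated in the surrounding text. Setting names and the API are
assumptions made for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Setting(Enum):
    NEVER = "never"          # layer is not used / not accepted
    SUPPORTED = "supported"  # layer is used when the peer also supports it
    REQUIRED = "required"    # outbound: the request fails if the peer cannot take it


# Layers in order of precedence, highest priority first, as stated in the text.
LAYERS = ("identity_assertion", "message", "transport")


@dataclass(frozen=True)
class LayerConfig:
    """One server's per-layer settings (outbound for the caller, inbound for the callee)."""
    identity_assertion: Setting = Setting.NEVER  # attribute layer (identity token)
    message: Setting = Setting.NEVER             # message layer (user ID/password or token)
    transport: Setting = Setting.NEVER           # transport layer (SSL client certificate)

    def get(self, layer: str) -> Setting:
        return getattr(self, layer)


@dataclass(frozen=True)
class Outcome:
    sent: Tuple[str, ...]            # layers actually placed on the outbound request
    identity_layer: Optional[str]    # layer whose identity authorization uses, if any
    failed: bool                     # True when a REQUIRED layer is unsupported downstream
    reason: str


def choose_identity(sent: Tuple[str, ...]) -> str:
    """Precedence rule: identity assertion beats message beats transport.

    Because LAYERS is walked in priority order, a transport-only request is
    the only situation in which the SSL client certificate is the identity.
    """
    for layer in LAYERS:
        if layer in sent:
            return layer
    raise ValueError("choose_identity called with no layers")


def negotiate(outbound: LayerConfig, inbound: LayerConfig) -> Outcome:
    """Decide what the upstream server sends and which identity the downstream uses."""
    sent = []
    for layer in LAYERS:
        want = outbound.get(layer)
        if want is Setting.NEVER:
            continue
        downstream_supports = inbound.get(layer) is not Setting.NEVER
        if downstream_supports:
            sent.append(layer)
        elif want is Setting.REQUIRED:
            # Required outbound but not supported inbound: the method request
            # does not go outbound at all.
            return Outcome((), None, True,
                           f"{layer} layer is required outbound but not supported inbound")
    if not sent:
        # Nothing in common: the request goes outbound unauthenticated and the
        # downstream authorization runtime must reject protected resources.
        return Outcome((), None, False, "no common layer; request goes outbound unauthenticated")
    identity = choose_identity(tuple(sent))
    return Outcome(tuple(sent), identity, False, f"identity taken from the {identity} layer")


if __name__ == "__main__":
    # Constructed scenario: a servlet server that supports all three layers
    # talking to an EJB server whose inbound panel accepts message and transport only.
    upstream = LayerConfig(Setting.SUPPORTED, Setting.SUPPORTED, Setting.SUPPORTED)
    downstream = LayerConfig(message=Setting.SUPPORTED, transport=Setting.SUPPORTED)
    print(negotiate(upstream, downstream))
```

Running the module prints an `Outcome` whose `sent` is `('message', 'transport')` and whose `identity_layer` is `message`, which is the "message layer and transport layer only" case described in the text. Changing `message=Setting.SUPPORTED` to `message=Setting.REQUIRED` on the upstream side while removing it from the downstream side yields `failed=True`, the "required rather than supported" situation the "Before you begin" section warns about.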
Example
Typically, the outbound authentication configuration is for
an upstream server to communicate with a downstream server. Most
likely, the upstream server is a servlet server and the downstream
server is an Enterprise JavaBeans (EJB) server. On a servlet server,
the client authentication that is performed to access the servlet
can be one of many different types of authentication, including client
certificate and basic authentication. When receiving basic authentication
data, whether through a prompt login or a form-based login, the basic
authentication information is typically authenticated to form a credential
of the mechanism type that is supported by the server, such as the
Lightweight Third Party Authentication (LTPA). When LTPA is the mechanism,
a forwardable token exists in the credential. Choose the message layer
(BasicAuth) authentication to propagate the
client credentials. If the credential is created using a certificate
login and you want to preserve sending the certificate downstream,
you might decide to go outbound with identity assertion.