This topic applies only on the z/OS operating system.

Common Secure Interoperability version 2 (CSIv2) authentication protocol client settings

In addition to the properties that are valid for both Security Authentication Service (SAS) and Common Secure Interoperability Version 2 (CSIv2), this page documents the properties that are valid for the CSIv2 protocol only.

com.ibm.CSI.performClientAuthenticationSupported

Use this property to determine if message layer client authentication is supported. When message layer client authentication is supported, it is performed when communicating with any server that supports or requires the authentication. Message layer client authentication involves transmitting either a user ID and password or a token from an already authenticated credential. If the authenticationTarget property is BasicAuth, the user ID and password are transmitted to the target server. If the authenticationTarget property is a token-based mechanism such as Lightweight Third Party Authentication (LTPA), then the credential token is transmitted to the server after the user ID and password have been authenticated directly with the security server.

Data type: Boolean
Default: True
Range: True or False

com.ibm.CSI.performClientAuthenticationRequired

Use this property to determine if message layer client authentication is required. When required, message layer client authentication must occur when communicating with any server. If transport layer client authentication is also enabled, both authentications are performed, but message layer client authentication takes precedence at the server.

Data type: Boolean
Default: True
Range: True or False

com.ibm.CSI.performTransportAssocSSLTLSSupported

Use this property to determine if Secure Sockets Layer (SSL) is supported. When SSL is supported, this client uses either SSL or TCP/IP to communicate with a server. If SSL is not supported, then the client must communicate over TCP/IP to the server. Supporting SSL is recommended so that any sensitive information is encrypted and digitally signed. When the associated com.ibm.CSI.performTransportAssocSSLTLSRequired property is enabled (set to true), this property is ignored. In this case, SSL is always required.

Data type: Boolean
Default: True
Range: True or False

com.ibm.CSI.performTransportAssocSSLTLSRequired

Use this property to determine if SSL is required. When SSL is required, this client must use SSL to communicate to a server. If SSL is not supported by a server, this client does not attempt a connection to that server. When this property is enabled, the associated com.ibm.CSI.performTransportAssocSSLTLSSupported property is ignored.

Data type: Boolean
Default: True
Range: True or False

com.ibm.CSI.performTLClientAuthenticationSupported

Use this property to determine if transport layer client authentication is supported. When performing client authentication using SSL, the client key file must have a personal certificate configured. Without a personal certificate, the client cannot authenticate to the server over SSL. If the personal certificate is a self-signed certificate, the server must contain the public key of the client in the server trust file. If the personal certificate is granted from a certificate authority (CA), the server must contain the root public key of the CA in the server trust file. This property is only valid when SSL is supported or required. If the associated com.ibm.CSI.performTLClientAuthenticationRequired property is enabled, this property is ignored.

Data type: Boolean
Default: True
Range: True or False

com.ibm.CSI.performTLClientAuthenticationRequired

Use this property to determine if transport layer client authentication is required. If transport layer client authentication is required, every secure socket that is opened between a client and server authenticates using SSL mutual authentication. When performing client authentication using SSL, the client key file must have a personal certificate configured.

Without a personal certificate, the client cannot authenticate to the server over SSL. If the personal certificate is a self-signed certificate, the server must contain the public key of the client in the server trust file. If the personal certificate is granted by a certificate authority (CA), the server must contain the root public key of the CA in the server trust file. When this property is specified, the associated com.ibm.CSI.performTLClientAuthenticationSupported property is ignored.

Data type: Boolean
Default: True
Range: True or False

com.ibm.CSI.performMessageConfidentialityRequired

Use this property to determine if 128-bit ciphers must be used to make SSL connections. If a target server does not support 128-bit ciphers, a connection to that server fails. This property is only valid when SSL is enabled. When this property is enabled, the associated com.ibm.CSI.performMessageConfidentialitySupported property is ignored.

Data type: Boolean
Default: True
Range: True or False

com.ibm.CSI.performClientAuthenticationtype

Use this property to define the type of client authentication. The only value that is supported is BasicAuth.

Data type: String constant
Default: None
Range: None

com.ibm.CSI.performSSL.Keyring

Use this property to provide the name of the Resource Access Control Facility (RACF) keyring that is used for SSL connections. Changes to this System Authorization Facility (SAF) keyring require corresponding changes to the sas.client.props file. For example, you might have to change the following properties:
  • com.ibm.ssl.keyStore=safkeyring:///WASKeyring
  • com.ibm.ssl.trustStore=safkeyring:///WASKeyring

Data type: String
Default: None
Range: None

com.ibm.CORBA.loginUserid

Use this property to specify the user ID when a properties login is configured and message layer authentication occurs. This property is only valid when com.ibm.CORBA.loginSource=properties. Also, set the com.ibm.CORBA.loginPassword property.

Data type: String
Range: Any string that is appropriate for a user ID in the configured user registry of the server.

com.ibm.CORBA.loginPassword

Use this property to specify the password when a properties login is configured and message layer authentication occurs. This property is only valid when com.ibm.CORBA.loginSource=properties. Also, set the com.ibm.CORBA.loginUserid property.

Data type: String
Range: Any string that is appropriate for a password in the configured user registry of the server.

com.ibm.CSI.rmiOutboundPropagationEnabled

Enables the propagation of custom objects that are added to the Subject. On a pure client, add this property to the sas.client.props file. For more information, see Security attribute propagation.
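The properties above depend on each other: the transport layer and confidentiality settings only take effect when SSL is supported or required, a properties login needs both loginUserid and loginPassword, and the SAF keyring must match the keyStore and trustStore entries. The following is an added example, not IBM code, that reads a sas.client.props fragment and reports settings that are ineffective or incomplete under those rules; the sample fragment and the keyring name OtherRing are constructed for illustration.

```python
# Constructed sample (not from any real system): SSL switched off while the
# SSL-dependent settings keep their page defaults, and the keyring names disagree.
SAMPLE_PROPS = """\
# constructed sas.client.props fragment
com.ibm.CSI.performTransportAssocSSLTLSRequired=false
com.ibm.CSI.performTransportAssocSSLTLSSupported=false
com.ibm.CORBA.loginSource=properties
com.ibm.CORBA.loginUserid=wasclient
com.ibm.CSI.performSSL.Keyring=WASKeyring
com.ibm.ssl.keyStore=safkeyring:///OtherRing
com.ibm.ssl.trustStore=safkeyring:///WASKeyring
"""

def parse_props(text: str) -> dict:
    # Minimal Java .properties reader: key=value lines, '#' or '!' comments.
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def is_true(props: dict, key: str) -> bool:
    """Every com.ibm.CSI Boolean listed above defaults to true when absent."""
    return props.get(key, "true").lower() == "true"

def lint_csiv2(props: dict) -> list:
    """Return one finding per setting that is ineffective or leaves a gap."""
    findings = []
    ssl_on = (is_true(props, "com.ibm.CSI.performTransportAssocSSLTLSRequired")
              or is_true(props, "com.ibm.CSI.performTransportAssocSSLTLSSupported"))
    if not ssl_on:
        findings.append("SSL neither supported nor required: credentials travel over plain TCP/IP")
        # The transport layer and confidentiality settings are only valid with SSL.
        for key in ("com.ibm.CSI.performTLClientAuthenticationRequired",
                    "com.ibm.CSI.performTLClientAuthenticationSupported",
                    "com.ibm.CSI.performMessageConfidentialityRequired"):
            if is_true(props, key):
                findings.append(f"{key}=true has no effect without SSL")
    if props.get("com.ibm.CORBA.loginSource") == "properties":
        for key in ("com.ibm.CORBA.loginUserid", "com.ibm.CORBA.loginPassword"):
            if key not in props:
                findings.append(f"loginSource=properties but {key} is not set")
    ring = props.get("com.ibm.CSI.performSSL.Keyring")
    if ring:  # keyStore and trustStore must name the same SAF keyring
        for key in ("com.ibm.ssl.keyStore", "com.ibm.ssl.trustStore"):
            if props.get(key) != f"safkeyring:///{ring}":
                findings.append(f"{key} does not reference keyring {ring}")
    return findings
```

Running lint_csiv2(parse_props(SAMPLE_PROPS)) on the constructed fragment yields six findings; a fragment with SSL required and matching keyring entries yields none.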

Related concepts
Security attribute propagation
Related tasks
Configuring Common Secure Interoperability Version 2 (CSIV2) and Security Authentication Service (SAS)

Last updated: Aug 29, 2010 9:31:45 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-mp&topic=rseccsiv2init
File name: rsec_csiv2initzos.html