- Identity assertion (attribute layer).
When selected, this server accepts
identity tokens from upstream servers. If the server receives an identity
token, the identity in it is that of the originating client, in the same form
that the originating client presented to the first server: a principal name,
a distinguished name, or a certificate chain. In some cases, the identity is
anonymous. The upstream server that sends the identity token must be trusted,
because this server uses the asserted identity for authorization without
re-authenticating it. Trust of the upstream server is established using either
Secure Sockets Layer (SSL) client certificate authentication or basic
authentication, so when you choose identity assertion you must also select one
of those two authentication layers in both inbound and outbound authentication.
The server ID of the upstream server is sent in the client authentication token
together with the identity token. The upstream server is authenticated and its
server ID is checked against the trusted server ID list. Only if the server ID
is authenticated and on the trusted server list is the identity token placed
into a credential and used for authorization of the request.
For more information, refer to Identity assertion.
- User ID and password (message layer).
This is the most typical type of authentication. A user ID and password, or
an authenticated token, is sent from a pure client or from an upstream server.
However, the upstream server cannot be a z/OS server, because z/OS does not
support sending a user ID and password from a server acting as a client. When
a user ID and password are received at the server, they are authenticated
against the user registry. Usually, a token is sent from an upstream server,
and a user ID and password are sent from a client (a servlet acting as a
client, for example). When a token is received at the server, it is validated
to determine whether it has been tampered with or has expired.
For more information, refer to User ID and password.
- Secure Sockets Layer client certificate authentication (transport
layer).
The SSL client certificate is used to authenticate instead of a user ID and
password. If a server delegates an identity to a downstream server, that
identity comes from either the message layer (a client authentication token)
or the attribute layer (an identity token), never from the transport layer
through client certificate authentication.
The client has an SSL client certificate that is stored in the keystore file
of the client configuration. When SSL client authentication is enabled on this
server, the server requests the client's SSL certificate when the connection
is established, and the certificate chain is then available on the socket for
every request sent over that connection. The server request interceptor takes
the certificate chain from the socket and maps it to a user in the user
registry. This type of authentication is best suited to direct client-to-server
communication; when a request must go further downstream, the identity
typically flows over the message layer or through identity assertion.
For more information, refer to Secure Sockets Layer client certificate authentication.
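The following Python model ties the three layers together and is an added
example, not code from WebSphere or its CSIv2 implementation. It assumes a
constructed trusted server ID list, user registry, DN-to-user mapping, and an
HMAC-based authenticated token; the real product formats differ. It shows the
decision a server must make on each inbound request: an identity token is
honoured only when the asserting server authenticates (message or transport
layer) and its ID is on the trusted list; a token is checked for tampering
before expiry; a certificate chain authenticates the direct caller but is never
the source of a delegated identity; and a failed credential rejects the request
rather than falling through to a weaker layer.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed configuration for this example (not a WebSphere registry format).
TRUSTED_SERVER_IDS = {"upstream1"}
USER_REGISTRY = {"alice": "alicepw", "upstream1": "upstreampw"}
CERT_DN_TO_USER = {"CN=bob,O=Example": "bob", "CN=upstream1,O=Example": "upstream1"}
TOKEN_KEY = b"constructed-demo-mac-key"  # shared by the servers that mint tokens


@dataclass
class ClientAuthToken:
    """Message-layer credential: basic (user ID/password) or an authenticated token."""
    kind: str         # "basic" or "token"
    subject: str
    secret: str       # the password for basic; the hex MAC for token
    expires: int = 0  # epoch seconds, token only


@dataclass
class Request:
    client_cert_dn: Optional[str] = None            # transport layer
    client_auth: Optional[ClientAuthToken] = None   # message layer
    identity_token: Optional[str] = None            # attribute layer


def _mac(subject: str, expires: int) -> str:
    return hmac.new(TOKEN_KEY, f"{subject}|{expires}".encode(), hashlib.sha256).hexdigest()


def mint_token(subject: str, expires: int) -> ClientAuthToken:
    """Build an authenticated token the way an upstream server would."""
    return ClientAuthToken("token", subject, _mac(subject, expires), expires)


def authenticate_message_layer(tok: ClientAuthToken, now: int) -> Optional[str]:
    """Return the authenticated subject, or None if the credential is bad."""
    if tok.kind == "basic":
        return tok.subject if USER_REGISTRY.get(tok.subject) == tok.secret else None
    if tok.kind == "token":
        # Tamper check first (constant-time compare), then expiry.
        if not hmac.compare_digest(tok.secret, _mac(tok.subject, tok.expires)):
            return None
        return tok.subject if now < tok.expires else None
    return None


def authenticate_transport_layer(dn: Optional[str]) -> Optional[str]:
    """Map the SSL client certificate's subject DN to a registry user."""
    return CERT_DN_TO_USER.get(dn) if dn else None


def resolve_identity(req: Request, identity_assertion: bool, now: int) -> Tuple[str, str]:
    """Return (identity, layer) to place in the credential for authorization.

    Raises PermissionError when a presented credential fails; a failed
    credential never falls through to a weaker layer.
    """
    if identity_assertion and req.identity_token is not None:
        # The asserting server must authenticate at the message layer (its
        # own client authentication token) or at the transport layer.
        if req.client_auth is not None:
            server_id = authenticate_message_layer(req.client_auth, now)
        else:
            server_id = authenticate_transport_layer(req.client_cert_dn)
        if server_id is None or server_id not in TRUSTED_SERVER_IDS:
            raise PermissionError("identity token from untrusted or unauthenticated server")
        asserted = req.identity_token
        if asserted == "anonymous":
            return "anonymous", "attribute"
        if asserted in USER_REGISTRY:            # principal name
            return asserted, "attribute"
        if asserted in CERT_DN_TO_USER:          # distinguished name / cert chain
            return CERT_DN_TO_USER[asserted], "attribute"
        raise PermissionError("asserted identity not found in user registry")

    if req.client_auth is not None:
        user = authenticate_message_layer(req.client_auth, now)
        if user is None:
            raise PermissionError("message-layer authentication failed")
        return user, "message"

    user = authenticate_transport_layer(req.client_cert_dn)
    return (user, "transport") if user is not None else ("unauthenticated", "none")


def is_rejected(req: Request, identity_assertion: bool, now: int) -> bool:
    """True when resolve_identity refuses the request."""
    try:
        resolve_identity(req, identity_assertion, now)
    except PermissionError:
        return True
    return False
```

Note that with identity assertion disabled the same request from `upstream1`
resolves to the upstream server's own identity at the message layer, not to the
originating client; enabling the attribute layer without also maintaining the
trusted server ID list would let any authenticated caller assert an arbitrary
user, which is why the trust check sits before the identity token is used.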