Common Secure Interoperability Version 2 outbound authentication settings

Use this page to specify the features that a server supports when acting as a client to another downstream server.

To view this administrative console page, complete the following steps:
  1. Click Security > Global security.
  2. Under Authentication, click Authentication protocols > CSIv2 outbound authentication.
You can also view this administrative console page by completing the following steps:
  1. Click Servers > Application Servers > .
  2. Under Security, click Server security.
  3. Under Additional properties, click CSIv2 outbound authentication.
Authentication features include the following layers of authentication that you can use simultaneously:
Transport layer
The transport layer, the lowest layer, might contain a Secure Sockets Layer (SSL) client certificate as the identity.
Attribute layer
The attribute layer might contain an identity token, which is an identity from an upstream server that is already authenticated. The attribute layer has the highest priority, followed by the message layer and then the transport layer. If this server sends all three - the attribute layer, the message layer, and the transport layer - only the attribute layer is used by the downstream server. The only way to use the SSL client certificate as the identity is if it is the only information presented during the outbound request.

Configuration tab

Client certificate authentication

Specifies whether a client certificate from the configured keystore is used to authenticate to the server when the SSL connection is made between this server and a downstream server, provided that the downstream server supports client certificate authentication.

Typically, client certificate authentication performs better than message layer authentication, but it requires some additional setup: verify that this server has a personal certificate and that the downstream server has the signer certificate of this server.

If you select client certificate authentication, the following options are available:
Never
This option indicates that this server does not attempt Secure Sockets Layer (SSL) client certificate authentication with downstream servers.
Supported
This option indicates that this server can use SSL client certificates to authenticate to downstream servers. However, a method can be invoked without this type of authentication. For example, the server can use anonymous or basic authentication instead.
Required
This option indicates that this server must use SSL client certificates to authenticate to downstream servers.

Identity assertion

Specifies whether to assert identities from one server to another during a downstream enterprise bean invocation.

The identity asserted is the client identity. If there are multiple identity types to assert, the identity is asserted in the following order: client certificate, distinguished name (DN), System Authorization Facility (SAF) user ID. The receiving server receives the identity in an identity token with an empty client authentication token. The Secure Sockets Layer (SSL) certificate of the server acts as the identity of the server to the receiving server.
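The layer precedence described under "Attribute layer" above, and the identity assertion order in the preceding paragraph, are easier to see as a small model. The following is an added illustration written for this page, not WebSphere code or its API: `OutboundRequest`, `select_identity` and `build_identity_assertion` are assumed names, and the request is a plain data object rather than a real CSIv2 message.

```python
# Added illustration (not WebSphere code): a toy model of the CSIv2 layer
# precedence the downstream server applies, and of the order in which the
# sending server picks the identity type to assert.
from dataclasses import dataclass
from typing import Optional

# Precedence stated on the page: attribute layer first, then message layer,
# then transport layer.
LAYER_PRECEDENCE = ("attribute", "message", "transport")

# Order stated on the page for choosing which identity type to assert.
ASSERTION_ORDER = ("client_certificate", "distinguished_name", "saf_user_id")


@dataclass
class OutboundRequest:
    # Attribute layer: identity token asserted by an already-authenticated upstream server.
    identity_token: Optional[str] = None
    # Message layer: client authentication token; None models an empty token.
    client_auth_token: Optional[str] = None
    # Transport layer: subject of the SSL client certificate, if one was presented.
    ssl_client_cert: Optional[str] = None

    def layers(self):
        """Map each layer name to the identity it carries (None when absent)."""
        return {
            "attribute": self.identity_token,
            "message": self.client_auth_token,
            "transport": self.ssl_client_cert,
        }


def select_identity(req: OutboundRequest):
    """Return (layer, identity) that the downstream server uses.

    The highest-priority layer that is present wins, so the SSL client
    certificate only becomes the identity when it is the sole layer sent.
    Returns None when no layer carries an identity.
    """
    present = req.layers()
    for layer in LAYER_PRECEDENCE:
        if present[layer] is not None:
            return layer, present[layer]
    return None


def build_identity_assertion(client_identities: dict, server_ssl_cert: str):
    """Model the sending server asserting a client identity downstream.

    client_identities is a constructed dict keyed by identity type
    (client_certificate, distinguished_name, saf_user_id). The first type
    available in ASSERTION_ORDER is placed in the identity token, the client
    authentication token is left empty, and the server's own SSL certificate
    identifies the server at the transport layer.
    """
    for kind in ASSERTION_ORDER:
        if client_identities.get(kind):
            return OutboundRequest(
                identity_token=client_identities[kind],
                client_auth_token=None,
                ssl_client_cert=server_ssl_cert,
            )
    raise ValueError("no identity available to assert")


if __name__ == "__main__":
    # Constructed sample: the upstream server asserts a DN because no client certificate exists.
    asserted = build_identity_assertion(
        {"distinguished_name": "cn=alice,o=example"}, server_ssl_cert="cn=server1,o=example"
    )
    print(select_identity(asserted))  # attribute layer wins; server cert is not the identity
```

Run it as a script to see that a request carrying both an identity token and a server certificate resolves to the attribute layer; pass an `OutboundRequest` with only `ssl_client_cert` set to see the transport layer used.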

Stateful sessions

Specifies whether to reuse security information during authentication. This option is usually used to increase performance.

On z/OS systems, this option is ignored. The sending server prefers stateful sessions and uses them if the receiving server supports them.

Login configuration

Specifies the type of system login configuration that is used for outbound authentication.

You can add custom login modules before or after this login module by completing the following steps:
  1. Click Security > Global security.
  2. Under Authentication, click JAAS configuration > System logins > New.

Custom outbound mapping

Enables the use of custom Remote Method Invocation (RMI) outbound login modules.

The custom login module maps or performs other functions before the predefined RMI outbound call.

To declare a custom outbound mapping, complete the following steps:
  1. Click Security > Global security.
  2. Under Authentication, click JAAS configuration > System logins > New.

Security attribute propagation

Enables the application server to propagate the Subject and the security content token to other application servers using the Remote Method Invocation (RMI) protocol.

Verify that you are using Lightweight Third Party Authentication (LTPA) as your authentication mechanism. LTPA is the only authentication mechanism that is supported when you enable the security attribute propagation feature. To configure LTPA, complete the following steps:
  1. Click Security > Global security.
  2. Under Authentication, click Authentication mechanisms > LTPA.

By default, the Security attribute propagation option is enabled and the outbound login configuration is invoked. If you clear this option, the application server does not propagate any additional login information to downstream servers.

Trusted target realms

Specifies a list of trusted target realms, separated by a pipe character (|), that differ from the current realm.

Prior to WebSphere Application Server, Version 5.1.1, if the current realm does not match the target realm, the authentication request is not sent outbound to other application servers.
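The setting above is a single pipe-separated string, and the paragraph describes the realm check it relaxes. The following is an added illustration written for this page, not WebSphere code: `parse_trusted_target_realms` and `may_send_outbound` are assumed names, stripping of surrounding whitespace around each realm name is an assumption, and the realm names are constructed sample values.

```python
# Added illustration (not WebSphere code): parse the pipe-separated
# "Trusted target realms" value and apply the realm check described on the page.


def parse_trusted_target_realms(setting: str) -> set:
    """Split the setting on '|' into a set of realm names.

    Assumption (not stated on the page): surrounding whitespace is trimmed and
    empty entries, such as a trailing '|', are ignored.
    """
    return {realm.strip() for realm in setting.split("|") if realm.strip()}


def may_send_outbound(current_realm: str, target_realm: str, trusted_setting: str = "") -> bool:
    """Decide whether the authentication request is sent to the target realm.

    A matching realm is always allowed. A differing realm is allowed only when
    it appears in the trusted target realms list; with an empty list this
    reproduces the pre-5.1.1 behaviour in which mismatched realms are refused.
    """
    if target_realm == current_realm:
        return True
    return target_realm in parse_trusted_target_realms(trusted_setting)


def explain_outbound(current_realm: str, target_realm: str, trusted_setting: str = "") -> str:
    """Return a short reason string for the decision, useful when diagnosing refused calls."""
    if target_realm == current_realm:
        return "sent: target realm matches current realm"
    trusted = parse_trusted_target_realms(trusted_setting)
    if target_realm in trusted:
        return "sent: target realm is in trusted target realms"
    return "not sent: target realm differs from current realm and is not trusted"


if __name__ == "__main__":
    # Constructed sample values; realm names are illustrative only.
    setting = "partnerRealm | legacyRealm"
    for target in ("defaultWIMFileBasedRealm", "partnerRealm", "otherRealm"):
        print(target, "->", explain_outbound("defaultWIMFileBasedRealm", target, setting))
```

With the trusted list left empty every cross-realm call is refused, which is the behaviour the paragraph attributes to versions before 5.1.1; listing the target realm is what makes the cross-realm call go out.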


Last updated: Aug 29, 2010 8:25:23 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-zos&topic=usecoutbound
File name: usec_outbound.html