About this task
To fully enable security attribute propagation, you must configure the single sign-on (SSO), Common Secure Interoperability Version 2 (CSIv2) inbound, and CSIv2 outbound panels in the WebSphere Application Server administrative console. You can enable just the portions of security attribute propagation relevant to your configuration. For example, you can enable Web propagation, which is propagation amongst front-end application servers, using either the push technique (DynaCache) or the pull technique (remote method to originating server).
You can also choose whether to enable Remote Method Invocation (RMI) outbound and inbound propagation, which is commonly called downstream propagation. Typically both types of propagation are enabled for any given cell. In some cases, you might want to choose a different option for a specific application server using the server security panel within the specific application server settings.
Restriction: To avoid propagating the same security attributes among application servers more than once, WebSphere Application Server checks whether a Lightweight Third Party Authentication (LTPA) token already exists. If no LTPA token is present, propagation can proceed. If an LTPA token is present and was generated within the cluster, propagation has already occurred. However, if the LTPA token is present but was generated by a server outside the cluster, such as Tivoli® Access Manager, Lotus® Domino®, or a different Application Server cluster, security attributes are not propagated.
To access the server security panel in the administrative console, click Servers > Application Servers > server_name. Under Security, click Server security.
Complete the following steps to configure WebSphere Application Server for security attribute propagation:
What to do next
If you need to disable security attribute propagation, determine whether you need to disable it for either the server level or the cell level.
Attention: Changes to the server-level settings override the cell settings.
To disable security attribute propagation on the server level, complete the following steps:
- Click Server > Application Servers > server_name.
- Under Security, click Server security.
- Select the RMI/IIOP security for this server overrides cell settings option.
- Disable security attribute propagation for inbound requests by clicking CSI inbound authentication under Additional Properties and clearing the Security attribute propagation option.
- Disable security attribute propagation for outbound requests by clicking CSI outbound authentication under Additional Properties and clearing the Security attribute propagation option.
To disable security attribute propagation on the cell level, undo each of the steps that you completed to enable security attribute propagation in this task.