Use this topic to configure inbound and outbound Common Secure Interoperability Version 2 (CSIv2) communications with the wsadmin tool. CSIv2 is the OMG protocol for authentication and secure transport over IIOP; it supports increased vendor interoperability and additional features such as identity assertion and stateful sessions.
Inbound authentication refers to the configuration that determines the type of accepted authentication for inbound requests. This authentication is advertised in the interoperable object reference (IOR) that the client retrieves from the name server.
Parameter | Description |
---|---|
-securityDomainName | Specifies the name of the security configuration. If you do not specify a security domain name, the command modifies the global security configuration. (String) |
-messageLevelAuth | Specifies whether clients connecting to this server must authenticate at the message layer with a user ID and password or an authentication token. Specify Never to neither require nor accept message-layer authentication. Specify Supported to accept it when the client sends it. Specify Required to reject requests that do not carry it. (String) |
-supportedAuthMechList | Specifies the authentication mechanism to use. Specify KRB5 for Kerberos authentication, LTPA for Lightweight Third-Party Authentication, BasicAuth for basic authentication, and custom to use your own authentication token implementation. You can specify more than one, separated by the pipe character (|). (String) |
-clientCertAuth | Specifies whether a client that connects to the server must present an SSL client certificate. Specify Never to accept clients without SSL client certificates. Specify Supported to accept clients with or without SSL client certificates. Specify Required to reject clients that do not present an SSL client certificate. (String) |
-transportLayer | Specifies whether SSL is used for the transport layer. Specify Never to disable SSL for inbound connections. Specify Supported to accept both SSL and unprotected connections. Specify Required to accept only SSL connections. (String) |
-sslConfiguration | Specifies the SSL configuration alias to use for inbound transport. (String) |
-enableIdentityAssertion | Specifies whether to enable identity assertion. With identity assertion, an upstream server that has itself authenticated to this server asserts the identity of the original caller instead of presenting that caller's credentials again; this server accepts the asserted identity only because it trusts the asserting server (see -trustedIdentities). Specify true for the -enableIdentityAssertion parameter to enable identity assertion. (Boolean) |
-trustedIdentities | Specifies a list of trusted server identities, separated by the pipe character (|). To specify a null value, set the value of the -trustedIdentities parameter as an empty string (""). (String) |
-statefulSession | Specifies whether to enable a stateful session. Specify true to enable a stateful session. (Boolean) |
-enableAttributePropagation | Specifies whether to enable security attribute propagation. Security attribute propagation allows the application server to transport authenticated subject contents and security context information from one server to another in your configuration. Specify true to enable security attribute propagation. (Boolean) |
The configureCSIInbound command configures the CSIv2 inbound authentication on a security domain or on the global security configuration. When you configure CSI inbound authentication in a security domain for the first time, the CSI objects are copied from global security and the changes are then applied to that copy, so any parameter you do not specify keeps the value it had in global security.
AdminTask.configureCSIInbound('-securityDomainName testDomain -messageLevelAuth Supported -supportedAuthMechList KRB5|LTPA -clientCertAuth Supported -statefulSession true')
AdminConfig.save()
Outbound authentication refers to the configuration that determines the type of authentication that is performed for outbound requests to downstream servers.
Parameter | Description |
---|---|
-securityDomainName | Specifies the name of the security configuration. If you do not specify a security domain name, the command modifies the global security configuration. (String) |
-enableAttributePropagation | Specifies whether to enable security attribute propagation. Security attribute propagation allows the application server to transport authenticated subject contents and security context information from one server to another in your configuration. Specify true to enable security attribute propagation. (Boolean) |
-enableIdentityAssertion | Specifies whether to enable identity assertion. With identity assertion, this server authenticates to the downstream target with its own identity (the server identity, or the identity given by -trustedId) and asserts the identity of the original caller rather than forwarding the caller's credentials. Specify true for the -enableIdentityAssertion parameter to enable identity assertion. (Boolean) |
-useServerIdentity | Specifies whether to use the server identity to establish trust with the target server. Specify true to use the server identity. (Boolean) |
-trustedId | Specifies the trusted identity that the application server uses to establish trust with the target server. (String) |
-trustedIdentityPassword | Specifies the password of the trusted server identity. (String) |
-messageLevelAuth | Specifies whether this server sends message-layer authentication (a user ID and password or an authentication token) on outbound requests. Specify Never to send none. Specify Supported to send it when the target server accepts it. Specify Required to send it and to fail requests to target servers that do not accept it. (String) |
-supportedAuthMechList | Specifies the authentication mechanism to use. Specify KRB5 for Kerberos authentication, LTPA for Lightweight Third-Party Authentication, BasicAuth for basic authentication, and custom to use your own authentication token implementation. You can specify more than one, separated by the pipe character (|). (String) |
-clientCertAuth | Specifies whether this server presents an SSL client certificate to the target server. Specify Never to present none. Specify Supported to present one when the target server accepts client certificates. Specify Required to fail requests to target servers that do not accept one. (String) |
-transportLayer | Specifies whether SSL is used for the transport layer on outbound requests. Specify Never to disable SSL for outbound connections. Specify Supported to use SSL when the target server supports it. Specify Required to fail requests to target servers that do not accept SSL. (String) |
-sslConfiguration | Specifies the SSL configuration alias to use for outbound transport. (String) |
-statefulSession | Specifies whether to enable a stateful session. Specify true to enable a stateful session. (Boolean) |
-enableCacheLimit | Specifies whether to limit the size of the CSIv2 session cache. If you specify a true value, a limit is added to the cache size. The value of the limit is determined by the values that you set with the -maxCacheSize and -idleSessionTimeout parameters. A false value, which is the default, does not limit the cache size. Consider adding a true value for this parameter if your environment uses Kerberos authentication and the clock skew for the configured key distribution center (KDC) is small. A small clock skew is defined as less than 20 minutes. This parameter applies when you set the -statefulSession parameter to true. (Boolean) |
-maxCacheSize | Specifies the maximum size of the session cache after which expired sessions are deleted from the cache. Expired sessions are sessions that are idle longer than the time that you specify for the -idleSessionTimeout parameter. Consider specifying a value for this parameter if your environment uses Kerberos authentication and the clock skew for the configured key distribution center (KDC) is small. A small clock skew is defined as less than 20 minutes. Consider increasing the value of this parameter if the small cache size causes the garbage collection to run so frequently that it impacts the performance of the application server. This parameter applies when you set the -statefulSession and -enableCacheLimit parameters to true and set a value for the -idleSessionTimeout parameter. The valid range of values for this parameter is 100 to 1000. (Integer) |
-idleSessionTimeout | Specifies the time, in milliseconds, that a CSIv2 session can remain idle before being deleted. The session is deleted if you set the -enableCacheLimit parameter to true and the value of the -maxCacheSize parameter is exceeded. Consider decreasing the value for this parameter if your environment uses Kerberos authentication and the clock skew for the KDC is small. A small clock skew can result in a greater number of rejected CSIv2 sessions. However, with a smaller value for this parameter, the application server can clean out the rejected sessions more often and reduce the possibility of a resource shortage. The valid range of values for this parameter is 60,000 to 86,400,000 milliseconds. (Integer) |
-enableOutboundMapping | Specifies whether to enable custom outbound identity mapping. Specify true to enable custom outbound identity mapping. (Boolean) |
-trustedTargetRealms | Specifies a list of target realms to trust. Separate each realm name with the pipe character (|). (String) |
The configureCSIOutbound command configures the CSIv2 outbound authentication in a security domain or in the global security configuration. When you configure CSI outbound authentication in a security domain for the first time, the application server copies the CSI objects from global security and then applies the changes to that copy. In the following example the trusted identity password is passed in clear text on the command line; any script, shell history, or wsadmin trace that captures the command will contain it, so prefer reading the password from a protected file or prompting for it interactively.
AdminTask.configureCSIOutbound('-securityDomainName testDomain -enableIdentityAssertion true -trustedId myID -trustedIdentityPassword myPassword123 -messageLevelAuth Required -trustedTargetRealms realm1|realm2|realm3')
AdminConfig.save()
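Both commands above take the same kind of argument string, and both silently accept weak combinations (SSL Never, BasicAuth over an unprotected transport, identity assertion with no trusted identities). The following added example, which is not part of the product documentation, validates the parameters for configureCSIInbound and configureCSIOutbound against the ranges given in the tables, builds the list form of the arguments that wsadmin accepts, and flags weak combinations before anything is saved. The settings dictionaries, the server identities appsrv01 and appsrv02, and the realm names are constructed for the example. It is written in the Jython 2.x subset wsadmin accepts (string 'true'/'false' rather than True/False, no "except X as e"), so it runs as a dry run under CPython, where AdminTask is not defined, and applies the settings when run with wsadmin -f.

```python
# Added example (not from the product documentation): validates CSIv2 inbound and
# outbound settings, builds the argument list for AdminTask.configureCSIInbound /
# AdminTask.configureCSIOutbound, and flags weak combinations before anything is
# saved. Written in the Jython 2.x subset wsadmin accepts (string 'true'/'false'
# rather than True/False, no "except X as e"), so it also runs as a dry run under
# CPython, where AdminTask is not defined.

LEVELS = ('Never', 'Supported', 'Required')
AUTH_MECHS = ('KRB5', 'LTPA', 'BasicAuth', 'custom')
LEVEL_PARAMS = ('messageLevelAuth', 'clientCertAuth', 'transportLayer')
BOOL_PARAMS = ('enableIdentityAssertion', 'statefulSession', 'enableAttributePropagation',
               'useServerIdentity', 'enableCacheLimit', 'enableOutboundMapping')
INT_RANGES = {'maxCacheSize': (100, 1000), 'idleSessionTimeout': (60000, 86400000)}
COMMON = ('securityDomainName', 'messageLevelAuth', 'supportedAuthMechList', 'clientCertAuth',
          'transportLayer', 'sslConfiguration', 'enableIdentityAssertion', 'statefulSession',
          'enableAttributePropagation')
PARAMS = {'inbound': COMMON + ('trustedIdentities',),
          'outbound': COMMON + ('useServerIdentity', 'trustedId', 'trustedIdentityPassword',
                                'enableCacheLimit', 'maxCacheSize', 'idleSessionTimeout',
                                'enableOutboundMapping', 'trustedTargetRealms')}


def validate(direction, settings):
    """Raise ValueError for a parameter name or value the command does not accept."""
    for name in settings.keys():
        value = settings[name]
        if name not in PARAMS[direction]:
            raise ValueError('%s is not a configureCSI%s parameter' % (name, direction))
        if name in LEVEL_PARAMS and value not in LEVELS:
            raise ValueError('%s must be one of %s, got %r' % (name, LEVELS, value))
        if name in BOOL_PARAMS and value not in ('true', 'false'):
            raise ValueError('%s must be "true" or "false", got %r' % (name, value))
        if name == 'supportedAuthMechList':
            for mech in value.split('|'):
                if mech not in AUTH_MECHS:
                    raise ValueError('unknown authentication mechanism %r' % mech)
        if name in INT_RANGES.keys():
            low, high = INT_RANGES[name]
            if int(value) < low or int(value) > high:
                raise ValueError('%s must be between %d and %d' % (name, low, high))


def build_args(direction, settings):
    """Return the ['-name', 'value', ...] list form that wsadmin accepts for the command.

    The list form sidesteps the quoting rules of the single-string form when a value
    (an SSL alias containing a space, a password) contains spaces or quotes."""
    validate(direction, settings)
    names = list(settings.keys())
    names.sort()
    args = []
    for name in names:
        args.append('-' + name)
        args.append(str(settings[name]))
    return args


def weak_settings(direction, settings):
    """Return review findings for combinations that leave CSIv2 traffic weakly protected."""
    findings = []
    transport = settings.get('transportLayer')
    if transport == 'Never':
        findings.append('transportLayer Never: IIOP traffic, including authentication tokens, is not protected by SSL')
    if 'BasicAuth' in settings.get('supportedAuthMechList', '').split('|') and transport in ('Never', 'Supported'):
        findings.append('BasicAuth without transportLayer Required: user ID and password may cross the wire in clear')
    if direction == 'inbound':
        if (settings.get('messageLevelAuth') == 'Never' and settings.get('clientCertAuth') == 'Never'
                and settings.get('enableIdentityAssertion') != 'true'):
            findings.append('no inbound authentication accepted: every caller arrives unauthenticated')
        if settings.get('enableIdentityAssertion') == 'true' and not settings.get('trustedIdentities'):
            findings.append('identity assertion enabled with no trustedIdentities: review which servers may assert identities')
    elif settings.get('trustedIdentityPassword'):
        findings.append('trustedIdentityPassword passed inline: scripts, shell history and wsadmin traces may record it')
    return findings


def run_configure(direction, settings):
    """Inside wsadmin, apply and save the settings; elsewhere, print the call (dry run)."""
    args = build_args(direction, settings)
    for finding in weak_settings(direction, settings):
        print('WARNING: ' + finding)
    command = 'configureCSI' + direction.capitalize()
    try:
        task = AdminTask
    except NameError:
        print('dry run: AdminTask.%s(%r)' % (command, args))
        return args
    getattr(task, command)(args)
    AdminConfig.save()
    return args


# Constructed settings for the testDomain examples above, tightened: SSL required on
# the transport, LTPA or Kerberos required at the message layer, client certificates
# accepted, and identity assertion pinned to two hypothetical server identities.
INBOUND = {'securityDomainName': 'testDomain', 'transportLayer': 'Required',
           'messageLevelAuth': 'Required', 'supportedAuthMechList': 'KRB5|LTPA',
           'clientCertAuth': 'Supported', 'statefulSession': 'true',
           'enableIdentityAssertion': 'true', 'trustedIdentities': 'appsrv01|appsrv02'}
OUTBOUND = {'securityDomainName': 'testDomain', 'transportLayer': 'Required',
            'messageLevelAuth': 'Required', 'supportedAuthMechList': 'KRB5|LTPA',
            'clientCertAuth': 'Supported', 'statefulSession': 'true',
            'enableIdentityAssertion': 'true', 'useServerIdentity': 'true',
            'enableCacheLimit': 'true', 'maxCacheSize': '500', 'idleSessionTimeout': '300000',
            'trustedTargetRealms': 'realm1|realm2'}

run_configure('inbound', INBOUND)
run_configure('outbound', OUTBOUND)
```

Run it with `wsadmin -lang jython -f csiv2_config.py` to apply, or with plain `python csiv2_config.py` to see the exact AdminTask calls and warnings without touching a cell. The outbound settings use the server identity (useServerIdentity true) rather than -trustedId and -trustedIdentityPassword, which is why no password has to appear in the script.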