CSIv2 authentication protocol client settings

 

 

Overview

In addition to the properties that are valid for both SAS and CSIv2, this page documents the properties that are valid for the CSIv2 protocol only.

 

com.ibm.CSI.performStateful

Used to determine if the CSIv2 protocol maintains stateful sessions between a client and server after the initial secure association (authentication between a particular client and server).

For performance reasons, it is beneficial to enable this property. Considerations for disabling this property include troubleshooting an authentication protocol session-related problem.

Data type... Boolean
Default... True
Range... True or False

 

com.ibm.CSI.performClientAuthenticationSupported

Use to determine if message layer client authentication is supported.

When supported, message layer client authentication is performed when communicating with any server that supports or requires the authentication. Message layer client authentication involves transmitting either a user ID and password or a token from an already authenticated credential. If the authenticationTarget property is BasicAuth, the user ID and password are transmitted to the target server. If the authenticationTarget password is a token-based mechanism such as Lightweight Third Party Authentication (LTPA) or Kerberos, then the credential token is transmitted to the server after authenticating the user ID and password directly to the security server.

Data type... Boolean
Default... True
Range... True or False

 

com.ibm.CSI.performClientAuthenticationRequired

Use to determine if message layer client authentication is required.

When required, message layer client authentication must occur when communicating with any server. If transport layer client authentication is also enabled, both authentications are performed, but message layer client authentication takes precedence at the server.

Data type... Boolean
Default... True
Range... True or False

 

com.ibm.CSI.performTransportAssocSSLTLSSupported

Use to determine if SSL is supported.

When SSL is supported, this client causes either SSL or TCP/IP to communicate with a server. If SSL is not supported, then the client must communicate over TCP/IP to the server. Supporting SSL is recommended so that any sensitive information is encrypted and digitally signed. When the associated com.ibm.CSI.performTransportAssocSSLTLSRequired property is enabled (set to true), this property is ignored. In this case, SSL is always required.

Data type... Boolean
Default... True
Range... True or False

 

com.ibm.CSI.performTransportAssocSSLTLSRequired

Use to determine if SSL is required.

When SSL is required, this client must use SSL to communicate to a server. If SSL is not supported by a server, this client does not attempt a connection to that server. When this property is enabled, the associated com.ibm.CSI.performTransportAssocSSLTLSSupported property is ignored.

Data type... Boolean
Default... True
Range... True or False

 

com.ibm.CSI.performTLClientAuthenticationSupported

Use to determine if transport layer client authentication is supported.

When performing client authentication using SSL, the client key file must have a personal certificate configured. Without a personal certificate, the client cannot authenticate to the server over SSL. If the personal certificate is a self-signed certificate, the server must contain the public key of the client in the server trust file. If the personal certificate is a Certificate Authority (CA) granted certificate, the server must contain the root public key of the CA in the server trust file. This property is only valid when SSL is supported or required. If the associated com.ibm.CSI.performTLClientAuthenticationRequired property is enabled, this property is ignored.

Data type... Boolean
Default... True
Range... True or False

 

com.ibm.CSI.performTLClientAuthenticationRequired

Use to determine if transport layer client authentication is required.

If required, every secure socket opened between a client and server authenticates using SSL mutual authentication. When performing client authentication using SSL, the client key file must have a personal certificate configured. Without a personal certificate, the client cannot authenticate to the server over SSL.

If the personal certificate is a self-signed certificate, the server must contain the public key of the client in the server trust file. If the personal certificate is a certificate authentication (CA) granted certificate, the server must contain the root public key of the CA in the server trust file. When this property is specified, the associated com.ibm.CSI.performTLClientAuthenticationSupported property is ignored.

Data type... Boolean
Default... True
Range... True or False

 

com.ibm.CSI.performMessageConfidentialitySupported

 

Use to determine if 128-bit ciphers are supported to make SSL connections.

If a target server does not support 128-bit ciphers, you can make a connection at a lower encryption strength. This property is only valid when SSL is enabled.

Data type... Boolean
Default... True
Range... True or False

 

com.ibm.CSI.performMessageConfidentialityRequired

Use to determine if 128-bit ciphers must be used to make SSL connections.

If a target server does not support 128-bit ciphers, a connection to that server fails. This property is only valid when SSL is enabled. When this property is enabled, the associated com.ibm.CSI.performMessageConfidentialitySupported property is ignored.

Data type... Boolean
Default... True
Range... True or False

 

com.ibm.CSI.performMessageIntegritySupported

 

Use to determine if 40-bit ciphers are supported to make SSL connections.

If a target server does not support 40-bit ciphers, you can make a connection using only digital signing ciphers. This property is only valid when SSL is enabled. This property is ignored if the associated com.ibm.CSI.performMessageIntegrityRequired property is enabled.

Data type... Boolean
Default... True
Range... True or False

 

com.ibm.CSI.performMessageIntegrityRequired

 

Use to determine if 40-bit ciphers must be used to make SSL connections.

If a target server does not support 40-bit ciphers, a connection to that server fails. This property is only valid when SSL is enabled. When this property is enabled, the associated com.ibm.CSI.performMessageIntegritySupported property is ignored.

Data type... Boolean
Default... True
Range... True or False