CSIv2 authentication protocol client settings

In addition to the properties that are valid for both Security Authentication Service (SAS) and Common Secure Interoperability Version 2 (CSIv2), this page documents the properties that are valid for the CSIv2 protocol only. Each pair of Supported and Required properties follows the same rule: when the Required property is true, the Supported property is ignored and the client refuses to connect unless the server can meet the requirement; when the Required property is false, the Supported property decides whether the feature is negotiated with the server or skipped.

com.ibm.CSI.performStateful

Use to determine if the CSIv2 protocol maintains stateful sessions between a client and server after the initial secure association (the authentication between a particular client and server).

For performance reasons, enabling this property is beneficial, because the client does not need to re-establish the secure association on every request. Disable it only for a specific reason, such as troubleshooting an authentication protocol session-related problem.

Data type: Boolean
Default: True
Range: True or False

com.ibm.CSI.performClientAuthenticationSupported

Use to determine if message layer client authentication is supported.

When supported, message layer client authentication is performed when communicating with any server that supports or requires it. Message layer client authentication involves transmitting either a user ID and password or a token from an already authenticated credential. If the authenticationTarget property is BasicAuth, the user ID and password are transmitted to the target server. If the authenticationTarget property is a token-based mechanism such as Lightweight Third Party Authentication (LTPA), the client first authenticates the user ID and password directly to the security server and then transmits the resulting credential token to the target server.

Data type: Boolean
Default: True
Range: True or False

com.ibm.CSI.performClientAuthenticationRequired

Use to determine if message layer client authentication is required.

When required, message layer client authentication must occur when communicating with any server; a server that does not support it cannot be used. If transport layer client authentication is also enabled, both authentications are performed, but message layer client authentication takes precedence at the server.

Data type: Boolean
Default: True
Range: True or False

com.ibm.CSI.performTransportAssocSSLTLSSupported

Use to determine if SSL is supported.

When SSL is supported, this client can use either SSL or plain TCP/IP to communicate with a server, depending on what the server offers. If SSL is not supported, the client communicates over TCP/IP only. Supporting SSL is recommended so that sensitive information is encrypted and digitally signed in transit. Note that a supported-only setting still lets a server that offers no SSL receive a plaintext connection; only the Required property prevents that fallback. When the associated com.ibm.CSI.performTransportAssocSSLTLSRequired property is enabled (set to true), this property is ignored; in that case SSL is always required.

Data type: Boolean
Default: True
Range: True or False

com.ibm.CSI.performTransportAssocSSLTLSRequired

Use to determine if SSL is required.

When SSL is required, this client must use SSL to communicate with a server. If a server does not support SSL, this client does not attempt a connection to that server. When this property is enabled, the associated com.ibm.CSI.performTransportAssocSSLTLSSupported property is ignored.

Data type: Boolean
Default: True
Range: True or False

com.ibm.CSI.performTLClientAuthenticationSupported

Use to determine if transport layer client authentication is supported.

When performing client authentication using SSL, the client key file must have a personal certificate configured. Without a personal certificate, the client cannot authenticate to the server over SSL. If the personal certificate is self-signed, the server trust file must contain the public key (certificate) of the client. If the personal certificate was issued by a certificate authority (CA), the server trust file must contain the root public key (certificate) of the CA. This property is valid only when SSL is supported or required. If the associated com.ibm.CSI.performTLClientAuthenticationRequired property is enabled, this property is ignored.

Data type: Boolean
Default: True
Range: True or False

com.ibm.CSI.performTLClientAuthenticationRequired

Use to determine if transport layer client authentication is required.

If required, every secure socket that is opened between a client and server authenticates using SSL mutual authentication; a server that does not request a client certificate cannot be used. When performing client authentication using SSL, the client key file must have a personal certificate configured. Without a personal certificate, the client cannot authenticate to the server over SSL.

If the personal certificate is self-signed, the server trust file must contain the public key (certificate) of the client. If the personal certificate was issued by a certificate authority (CA), the server trust file must contain the root public key (certificate) of the CA. When this property is enabled, the associated com.ibm.CSI.performTLClientAuthenticationSupported property is ignored.

Data type: Boolean
Default: True
Range: True or False

com.ibm.CSI.performMessageConfidentialitySupported

Use to determine if 128-bit ciphers are supported for SSL connections.

If a target server does not support 128-bit ciphers, the client can still make a connection at a lower encryption strength. Valid only when SSL is enabled. Because this setting permits a downgrade, use the associated com.ibm.CSI.performMessageConfidentialityRequired property where strong encryption must be guaranteed.

Data type: Boolean
Default: True
Range: True or False

com.ibm.CSI.performMessageConfidentialityRequired

Use to determine if 128-bit ciphers must be used for SSL connections.

If a target server does not support 128-bit ciphers, the connection to that server fails rather than falling back to a weaker cipher. Valid only when SSL is enabled. When this property is enabled, the associated com.ibm.CSI.performMessageConfidentialitySupported property is ignored.

Data type: Boolean
Default: True
Range: True or False

com.ibm.CSI.performMessageIntegritySupported

Use to determine if 40-bit ciphers are supported for SSL connections.

If a target server does not support 40-bit ciphers, the client can still make a connection using only digital-signing (integrity-only) ciphers. Valid only when SSL is enabled. This property is ignored if the associated com.ibm.CSI.performMessageIntegrityRequired property is enabled.

Data type: Boolean
Default: True
Range: True or False

com.ibm.CSI.performMessageIntegrityRequired

Use to determine if 40-bit ciphers must be used for SSL connections.

If a target server does not support 40-bit ciphers, the connection to that server fails. Valid only when SSL is enabled. When this property is enabled, the associated com.ibm.CSI.performMessageIntegritySupported property is ignored.

Data type: Boolean
Default: True
Range: True or False
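The Supported/Required pairs above interact in a way that is easy to misread when auditing a sas.client.props file: a Required property set to true makes its Supported partner irrelevant, while a Required property set to false leaves the Supported property to decide whether the client negotiates the feature or silently does without it. The following script, an added example that is not IBM code, reads property text in sas.client.props form, computes the effective client policy using only the precedence rules stated on this page (absent properties take the page's default of true), and flags combinations that allow a downgrade to plaintext, weak ciphers or an unauthenticated client. The two property samples are constructed for the example and the hardening baseline in audit() is an assumption, not an IBM recommendation.

```python
"""Effective CSIv2 client policy from sas.client.props-style properties.

Added example, not IBM's code. It encodes only the precedence rules this page
states: a *Required property set to true overrides (the page says "ignores")
its *Supported partner; with Required false, Supported decides whether the
feature is negotiated or skipped. Absent properties take the page's defaults.
The sample property text and the baseline in audit() are constructed
assumptions for this example.
"""

FEATURES = {
    # feature: (Supported property, Required property, valid only over SSL?)
    "ssl": ("com.ibm.CSI.performTransportAssocSSLTLSSupported",
            "com.ibm.CSI.performTransportAssocSSLTLSRequired", False),
    "tl_client_auth": ("com.ibm.CSI.performTLClientAuthenticationSupported",
                       "com.ibm.CSI.performTLClientAuthenticationRequired", True),
    "ml_client_auth": ("com.ibm.CSI.performClientAuthenticationSupported",
                       "com.ibm.CSI.performClientAuthenticationRequired", False),
    "confidentiality": ("com.ibm.CSI.performMessageConfidentialitySupported",
                        "com.ibm.CSI.performMessageConfidentialityRequired", True),
    "integrity": ("com.ibm.CSI.performMessageIntegritySupported",
                  "com.ibm.CSI.performMessageIntegrityRequired", True),
}

# Constructed sample: SSL, client authentication and strong ciphers are only
# "supported", so a server that offers none of them gets a plaintext connection.
WEAK_PROPS = """\
# sas.client.props (constructed sample, opportunistic settings)
com.ibm.CSI.performStateful=true
com.ibm.CSI.performTransportAssocSSLTLSSupported=true
com.ibm.CSI.performTransportAssocSSLTLSRequired=false
com.ibm.CSI.performTLClientAuthenticationSupported=true
com.ibm.CSI.performTLClientAuthenticationRequired=false
com.ibm.CSI.performClientAuthenticationSupported=true
com.ibm.CSI.performClientAuthenticationRequired=false
com.ibm.CSI.performMessageConfidentialitySupported=true
com.ibm.CSI.performMessageConfidentialityRequired=false
"""

# Constructed sample: every protection is required, so the client refuses
# the connection instead of downgrading when a server cannot meet it.
HARDENED_PROPS = """\
# sas.client.props (constructed sample, enforced settings)
com.ibm.CSI.performStateful=true
com.ibm.CSI.performTransportAssocSSLTLSRequired=true
com.ibm.CSI.performTLClientAuthenticationRequired=true
com.ibm.CSI.performClientAuthenticationRequired=true
com.ibm.CSI.performMessageConfidentialityRequired=true
com.ibm.CSI.performMessageIntegrityRequired=true
"""


def parse_props(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def prop_bool(props, key, default=True):
    """Every property on this page defaults to True when it is absent."""
    return props.get(key, str(default)).strip().lower() == "true"


def effective_policy(props):
    """Map each feature to 'required', 'supported' (negotiable) or 'off'."""
    policy = {}
    for feature, (sup_key, req_key, _) in FEATURES.items():
        if prop_bool(props, req_key):
            policy[feature] = "required"    # the Supported partner is ignored
        elif prop_bool(props, sup_key):
            policy[feature] = "supported"   # used only if the server agrees
        else:
            policy[feature] = "off"
    # Transport-layer client auth and cipher-strength settings are only valid
    # when SSL is enabled, so without SSL they have no effect.
    if policy["ssl"] == "off":
        for feature, (_, _, needs_ssl) in FEATURES.items():
            if needs_ssl:
                policy[feature] = "off"
    return policy


def audit(props):
    """Return finding codes for settings that permit a downgrade (assumed baseline)."""
    policy = effective_policy(props)
    findings = []
    if policy["ssl"] != "required":
        findings.append("SSL_NOT_REQUIRED")           # may fall back to plain TCP/IP
    if policy["confidentiality"] != "required":
        findings.append("WEAK_CIPHER_ALLOWED")        # may accept < 128-bit ciphers
    if policy["ml_client_auth"] != "required" and policy["tl_client_auth"] != "required":
        findings.append("CLIENT_AUTH_NOT_REQUIRED")   # no layer enforces the client identity
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROPS), ("hardened", HARDENED_PROPS)):
        props = parse_props(text)
        print(name, effective_policy(props), audit(props))
```

Run the file directly to print the effective policy and findings for both samples. Notice that the weak sample still reports message integrity as required, because neither integrity property is set and the page's default for both is true; an audit that only inspects properties present in the file would miss that the defaults, not the file, decide the outcome.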

com.ibm.CSI.rmiOutboundPropagationEnabled

Enables the propagation of custom objects that are added to the Subject. On a pure client, add this property to the sas.client.props file. For more information, see Security Attribute Propagation.