Operating Systems: i5/OS
Configure Common Secure Interoperability V2 outbound authentication
The following choices are available when configuring the Common
Secure Interoperability V2 (CSIv2) Outbound Authentication panel.
Outbound authentication refers to the configuration that determines
the type of authentication that is performed for outbound requests to downstream
servers. Several layers or methods of authentication can occur.
The downstream server inbound authentication configuration must support at
least one choice made in this server outbound authentication configuration.
If nothing is supported, the request might go outbound as unauthenticated.
This situation does not create a security problem because the authorization
runtime is responsible for preventing access to protected resources. However,
if you choose to prevent an unauthenticated credential from going outbound,
you might want to designate one of the authentication layers as required,
rather than supported. If authentication is required and the downstream server
does not support it, the method request fails rather than going outbound.
Overview
The following choices are available in the Common Secure Interoperability
V2 (CSIv2) Outbound Authentication panel. Remember that you are not
required to complete these steps in the displayed order. Rather, these steps
are provided to help you understand your choices for configuring outbound
authentication.
Procedure
- Select Identity Assertion (attribute layer). When
selected, this server sends an identity token to a downstream server if the
downstream server supports identity assertion. When an originating client
authenticates to this server, the authentication information supplied is preserved
in the outbound identity token. If the client authenticating to this server
uses client certificate authentication, then the identity token format is
a certificate chain, containing the exact client certificate chain from the
inbound socket. The same scenario is true for other mechanisms of authentication.
Read the Identity Assertion topic for more information.
- Select User
ID and Password (message layer). This type of authentication
is the most typical. The user ID and password (if BasicAuth credential)
or authenticated token (if authenticated credential) are sent outbound to
the downstream server if the downstream server supports message layer authentication
in the inbound authentication panel. Refer to the Message Layer Authentication article for more information.
- Select SSL Client certificate authentication (transport
layer). The main reason to enable outbound Secure Sockets Layer
(SSL) client authentication from one server to a downstream server is to create
a trusted environment between those servers. For delegating client credentials,
use one of the two layers mentioned previously. However, you might want to
create SSL personal certificates for all the servers in your domain, and only
trust those servers in your SSL truststore file. No other servers or clients
can connect to the servers in your domain, except at the tiers where you want
them. This process can protect your enterprise bean servers from access by
anything other than your servlet servers.
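The supported/required negotiation described above, as an added Python model that is not part of the original page or of the product; the layer names, the Setting values and the Outcome structure are assumed labels for illustration, and only the outbound side's "required" rule stated in the text is modeled.

```python
from dataclasses import dataclass
from enum import Enum


class Setting(Enum):
    NEVER = "never"          # layer not configured
    SUPPORTED = "supported"  # use the layer if the other side also supports it
    REQUIRED = "required"    # refuse to go outbound without this layer


# Assumed labels for the three CSIv2 layers discussed on the page:
# identity assertion (attribute layer), user ID/password or token (message
# layer) and SSL client certificate (transport layer).
LAYERS = ("identity_assertion", "message", "transport")


@dataclass(frozen=True)
class Outcome:
    sent: bool           # False: the method request fails before going outbound
    layers: tuple        # layers carried on the request; () means unauthenticated
    reason: str


def negotiate(outbound: dict, inbound: dict) -> Outcome:
    """Decide what this server sends to a downstream server.

    outbound maps layer -> Setting for this server's outbound panel, inbound
    maps layer -> Setting for the downstream inbound panel; a missing layer
    counts as NEVER. Several layers can be used on the same request.
    """
    usable = []
    for layer in LAYERS:
        out = outbound.get(layer, Setting.NEVER)
        inb = inbound.get(layer, Setting.NEVER)
        if out is Setting.NEVER:
            continue
        if inb is Setting.NEVER:
            # Required here but unsupported downstream: the request fails.
            if out is Setting.REQUIRED:
                return Outcome(False, (), f"{layer} required but not supported downstream")
            continue
        usable.append(layer)
    if not usable:
        # No common layer: the request still goes out, but unauthenticated,
        # and the downstream authorization runtime must deny protected resources.
        return Outcome(True, (), "no common layer; request goes outbound unauthenticated")
    return Outcome(True, tuple(usable), "authenticated on " + ", ".join(usable))
```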
Common Secure Interoperability V2 outbound authentication settings
Related tasks
Configuring Common Secure Interoperability V2 inbound authentication
Configuring IIOP authentication
Related Reference
Identity assertion to the downstream server
Message layer authentication
Configuring session management
Overview
You can choose either stateful or stateless security.
Performance is optimum when choosing stateful sessions. The first method request
between this server and the downstream server is authenticated. All subsequent
requests reuse the session information, including the credential. A unique
session entry is defined as the combination of a unique client authentication
token and an identity token, scoped to the connection.
Example
Typically, the outbound authentication configuration is for an upstream
server to communicate with a downstream server. Most likely, the upstream
server is a servlet server and the downstream server is an Enterprise JavaBeans
(EJB) server. On a servlet server, the client authentication that is performed
to access the servlet can be one of many different types of authentication,
including client certificate and basic authentication. When receiving basic
authentication data, whether through a prompt login or a form-based login,
the basic authentication information is typically authenticated to form a
credential of the mechanism type that is supported by the server, such as
the Lightweight Third Party Authentication (LTPA). When LTPA is the mechanism,
a forwardable token exists in the credential. Choose the message layer (BasicAuth) authentication to propagate the client credentials.
If the credential is created using a certificate login and you want to preserve
sending the certificate downstream, you might decide to go outbound with identity
assertion.
What to do next
Save the configuration and restart the server for the changes to
take effect.
Related tasks
Configuring IIOP authentication