Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Authenticate users
Authentication mechanisms
Overview
To configure authentication mechanisms...
Security | Global security | Authentication mechanisms and expiration | authentication_mechanism
The authentication mechanism applies security rules and creates credentials for end users, machines, and applications. WAS provides three authentication mechanisms: LTPA, Kerberos, and RSA.
Kerberos includes...
- authentication
- mutual authentication
- message integrity and confidentiality
- delegation
Kerberos is referenced as "KRB5" in sas.client.props, soap.client.props, ipc.client.props, and in the console.
RSA allows profiles managed by an admin agent to have different LTPA keys, user registries, and administrative users.
Authentication data can be...
- basic authentication (user ID and password)
- credential token
- client certificate
Web clients send authentication data using protocols...
- HTTP
- HTTPS
EJB clients send authentication data using protocols...
- CSIv2
- SAS
We configure web authentication using...
Security | Global security | Authentication | Web and SIP security | General settings
Options...
- Authenticate only when the URI is protected: The web client retrieves an authenticated identity only when accessing URIs protected by a J2EE role.
- Use available authentication data when an unprotected URI is accessed: Although authentication data is not used when accessing an unprotected URI, the data is retained for future use. The web client can call the methods getRemoteUser, isUserInRole, and getUserPrincipal. Available if "Authenticate only when the URI is protected" is selected.
- Authenticate when any URI is accessed: The web client provides authentication data regardless of whether the URI is protected.
- Default to basic authentication when certificate authentication for the HTTPS client fails: WAS challenges the web client for a user ID and password if HTTPS client certificate authentication fails.
Web and EJB authenticators pass data to the login module, which authenticates using...
- Kerberos
- LTPA
- RSA
...using any of these types of registries...
- Federated repositories
- Local operating system
- Standalone LDAP registry
- Stand-alone custom registry
- External registry
The login module...
- Creates a JAAS subject
- Stores the derived credential in the public credentials list of the subject
- Returns the credential to the web or EJB authenticator
The web and EJB authenticators store credentials in an ORB. If forwardable, they are sent to other application servers.
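The login-module steps above, shown with the standard JAAS API as an added example; this is not WAS code or the product's own login module. `DemoLoginModule`, `DemoToken`, the user `alice` and its password are constructed for the illustration, the hard-coded check stands in for a registry lookup, and Java 16 or later is assumed.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class PublicCredentialDemo {
    // Hypothetical credential type; the product derives its own credential objects.
    record DemoToken(String user, long expiresAtMillis) {}
    public static class DemoLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user");
            PasswordCallback pw = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { name, pw }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            // Constructed check standing in for the user registry lookup.
            boolean ok = "alice".equals(name.getName())
                    && Arrays.equals("example-pw".toCharArray(), pw.getPassword());
            pw.clearPassword();
            if (!ok) throw new FailedLoginException("bad user ID or password");
            user = name.getName();
            return true;
        }
        public boolean commit() {
            // Publish only a derived token in the public credentials, never the password.
            subject.getPublicCredentials().add(new DemoToken(user, System.currentTimeMillis() + 600_000));
            return true;
        }
        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPublicCredentials().removeIf(c -> c instanceof DemoToken); return true; }
    }
    public static void main(String[] args) throws Exception {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
        };
        CallbackHandler h = cbs -> {  // plays the authenticator handing over basic-auth data
            ((NameCallback) cbs[0]).setName("alice");
            ((PasswordCallback) cbs[1]).setPassword("example-pw".toCharArray());
        };
        LoginContext lc = new LoginContext("demo", null, h, cfg);  // the context creates the JAAS subject
        lc.login();
        System.out.println(lc.getSubject().getPublicCredentials(DemoToken.class));
    }
}
```

Anything placed in the public credentials set is readable by any code that holds the subject, so the token published there should carry no secret material.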
Related
LTPA
LTPA keys
LTPA mechanism
Kerberos (KRB5) authentication mechanism support for security
Set up Kerberos as authentication mechanism for WAS
RSA token authentication mechanism
Message layer authentication
Configure Kerberos as authentication mechanism
Configure a Java client for Kerberos authentication
Authenticate users
Web authentication settings