Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Authenticate users > Configure CSIV2 inbound and outbound communication settings


Configure CSIv2 inbound communications

Inbound communications refers to the configuration that determines the type of accepted authentication for inbound requests. This authentication is advertised in the interoperable object reference (IOR) that the client retrieves from the name server.


Procedure

  1. Start the admin console.

  2. Click Security > Global security.

  3. Under RMI/IIOP security, click CSIv2 inbound communications.
  4. Consider the following layers of security:

    • Identity assertion (attribute layer).

      When selected, this server accepts identity tokens from upstream servers. If the server receives an identity token, the identity is taken from an originating client. For example, the identity is in the same form that the originating client presented to the first server. An upstream server sends the identity of the originating client. The format of the identity can be either a principal name, a distinguished name, or a certificate chain. In some cases, the identity is anonymous. It is important to trust the upstream server that sends the identity token because the identity authenticates on this server. Trust of the upstream server is established either using SSL client certificate authentication or basic authentication. We must select one of the two layers of authentication in both inbound and outbound authentication when you choose identity assertion.

      The server ID is sent in the client authentication token with the identity token. The server ID is checked against the trusted server ID list. If the server ID is on the trusted server list, the server ID is authenticated. If the server ID is valid, the identity token is put into a credential and used for authorization of the request. When identity assertion is enabled, message layer or transport layer should be enabled also. For server-to-server communication, besides enabling transport layer/client authentication, identity assertion or message layer should be enabled also.

      For more information, refer to Identity assertion.

    • Message layer:

      Basic authentication (GSSUP):

      This type of authentication is the most typical. The user ID and password or authenticated token is sent from a pure client or from an upstream server. When a user ID and password are received at the server, they are authenticated with the user registry of the downstream server.

      Lightweight Third Party Authentication (LTPA):

      In this case, an LTPA token is sent from the upstream server. Note that if you choose LTPA, then both servers must share the same LTPA keys

      Kerberos (KRB5):

      To select Kerberos, the active authentication mechanism must be Kerberos. In this case, a Kerberos token is sent from the upstream server.

      For more information, read about Message layer authentication.

    • SSL client certificate authentication (transport layer).

      The SSL client certificate is used to authenticate instead of using user ID and Password. If a server delegates an identity to a downstream server, the identity comes from either the message layer (a client authentication token) or the attribute layer (an identity token), and not from the transport layer through the client certificate authentication.

      A client has an SSL client certificate stored in the keystore file of the client configuration. When SSL client authentication is enabled on this server, the server requests that the client send the SSL client certificate when the connection is established. The certificate chain is available on the socket whenever a request is sent to the server. The server request interceptor gets the certificate chain from the socket and maps this certificate chain to a user in the user registry. This type of authentication is optimal for communicating directly from a client to a server. However, when we have to go downstream, the identity typically flows over the message layer or through identity assertion.

  5. Consider the following points when deciding what type of authentication to accept:

    • A server can receive multiple layers simultaneously, so an order of precedence rule decides which identity to use. The identity assertion layer has the highest priority, the message layer follows, and the transport layer has the lowest priority. The SSL client certificate authentication is used when it is the only layer provided. If the message layer and the transport layer are provided, the message layer is used to establish the identity for authorization. The identity assertion layer is used to establish precedence when provided.
    • Does this server usually receive requests from a client, from a server, or both? If the server always receives requests from a client, identity assertion is not needed. We can choose either the message layer, the transport layer, or both. You also can decide when authentication is required or just supported.

      To select a layer as required, the sending client must supply this layer, or the request is rejected. However, if the layer is only supported, the layer might not be supplied.

    • What kind of client identity is supplied? If the client identity is client certificates authentication and you want the certificate chain to flow downstream so that it maps to the downstream server user registries, identity assertion is the appropriate choice. Identity assertion preserves the format of the originating client. If the originating client authenticated with a user ID and password, a principal identity is sent. If authentication is done with a certificate, the certificate chain is sent.

      In some cases, if the client authenticated with a token and a LDAP server is the user registry, then a distinguished name (DN) is sent.

  6. Configure a trusted server list. When identity assertion is selected for inbound requests, insert a pipe-separated (|) list of server administrator IDs to which this server can support identity token submission. For backwards compatibility, you can still use a comma-delimited list. However, if the server ID is a distinguished name (DN), then use a pipe-delimited (|) list because a comma delimiter does not work. If you choose to support any server sending an identity token, you can enter an asterisk (*) in this field. This action is called presumed trust. In this case, use SSL client certificate authentication between servers to establish the trust.

  7. Configure session management. We can choose either stateful or stateless security. Performance is optimum when choosing stateful sessions. The first method request between a client and server is authenticated. All subsequent requests (or until the credential token expires) reuse the session information, including the credential. A client sends a context ID for subsequent requests. The context ID is scoped to the connection for uniqueness.


Results

When you finish configuring this panel, we have configured most of the information that a client gathers when determining what to send to this server. A client or server outbound configuration with this server inbound configuration, determines the security that is applied. When you know what clients send, the configuration is simple. However, if we have a diverse set of clients with differing security requirements, your server considers various layers of authentication.

For a J2EE application server, the authentication choice is usually either identity assertion or message layer because you want the identity of the originating client delegated downstream. We cannot easily delegate a client certificate using an SSL connection. It is acceptable to enable the transport layer because additional server security, as the additional client certificate portion of the SSL handshake, adds some overhead to the overall SSL connection establishment.


What to do next

After you determine which type of authentication data this server might receive, you can determine what to select for outbound security. See Configure CSIv2 outbound authentication.


Related


CSIv2 inbound communications settings
Configure CSIv2 outbound communications
Configure CSIV2 inbound and outbound communication settings


Related


Identity assertion to the downstream server
Message layer authentication

+

Search Tips   |   Advanced Search