Select an authentication mechanism
An authentication mechanism defines...
- Whether a credential is forwardable to another Java process
- Format of how security information is stored in credentials and tokens
Authentication establishes whether a client is who or what it claims to be in a particular context. A client can be...
- end user
- machine
- application
The authentication mechanism is responsible for creating a credential, which is an internal product representation of a successfully authenticated client. Not all credentials are created equal: the capabilities of a credential, such as whether it is forwardable to another process, are determined by the configured authentication mechanism.
WAS provides three authentication mechanisms:
- LTPA
- Kerberos
- RSA token authentication mechanism
Kerberos includes...
- authentication
- mutual authentication
- message integrity
- confidentiality
- delegation
KRB5 is the identifier used for the Kerberos mechanism in...
- admin console
- sas.client.props
- soap.client.props
- ipc.client.props
The RSA token authentication mechanism allows base profiles managed by an administrative agent to have different...
- LTPA keys
- user registries
- administrative users
Simple WebSphere Authentication Mechanism (SWAM) is deprecated in this release. SWAM does not provide authenticated communication between different servers.
Authentication is required for enterprise bean clients and Web clients when they access protected resources. Enterprise bean clients, such as a servlet, another enterprise bean, or a pure Java client, send the authentication information to a WebSphere appserver using one of the following protocols:
- CSIv2
- Secure Authentication Service (SAS)
SAS is supported only for V6.0.x and earlier servers that have been federated into a V6.1 cell.
Web clients use the HTTP or HTTPS protocol to send the authentication information.
The authentication information can be...
- basic authentication (user ID and password)
- a credential token
- client certificate
The Web authentication is performed by the Web Authentication module. To configure authentication for a Web client, go to...
Security | Global security | Authentication | Web and SIP security | General settings
The following options exist for Web authentication:
- Authenticate only when the URI is protected
  WAS challenges the Web client to provide authentication data when the Web client accesses a URI that is protected by a J2EE role. The Web client can retrieve an authenticated identity only when it accesses a protected URI.
- Use available authentication data when an unprotected URI is accessed
  Retrieves an authenticated identity from either a protected or an unprotected URI. The Web client is authorized to call the methods... Although the authentication data is not used when you access an unprotected URI, the authentication data is retained for future use. This option is available only when you select the check box Authenticate only when the URI is protected.
- Authenticate when any URI is accessed
  The Web client must provide authentication data regardless of whether the URI is protected.
- Default to basic authentication when certificate authentication for the HTTPS client fails
  WAS challenges the Web client for a user ID and password when the required HTTPS client certificate authentication fails.
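The interaction between these settings is easier to see in code. The following is an added Python model of the decision the Web authenticator makes for one request; it is example code written for this page, not WebSphere's own implementation. The names Request, WebAuthSettings, Outcome and web_authenticate are this example's own, the registry password check is replaced by a constructed basic_valid flag, and the sample requests at the bottom are constructed.

```python
"""Model of the Web authentication options: when a client is challenged,
when presented data is used, and when it is only retained (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    uri: str
    protected: bool                     # True when a J2EE role constrains the URI
    https: bool = False
    cert_subject: Optional[str] = None  # subject of a validated client certificate
    cert_required: bool = False         # HTTPS client-certificate auth is configured
    basic_user: Optional[str] = None    # user ID from an Authorization: Basic header
    basic_valid: bool = False           # constructed stand-in for the registry check


@dataclass
class WebAuthSettings:
    # "Authenticate when any URI is accessed" (otherwise: only when protected)
    authenticate_any_uri: bool = False
    # sub-option of "Authenticate only when the URI is protected"
    use_available_on_unprotected: bool = False
    # "Default to basic authentication when certificate authentication ... fails"
    fallback_to_basic: bool = False


@dataclass
class Outcome:
    status: str                      # "authenticated", "anonymous", "challenge", "rejected"
    identity: Optional[str] = None   # the authenticated user, if any
    retained: Optional[str] = None   # data kept for later use but not applied now


def web_authenticate(req: Request, cfg: WebAuthSettings) -> Outcome:
    """Decide how the Web authenticator treats one request (example logic)."""
    cert_failed = req.https and req.cert_required and req.cert_subject is None

    # Which identity does the presented data establish?
    if cert_failed and not cfg.fallback_to_basic:
        # Required certificate auth failed and no fallback: a basic header does not help.
        presented = None
    elif req.cert_subject:
        presented = req.cert_subject
    elif req.basic_user and req.basic_valid:
        presented = req.basic_user
    else:
        presented = None

    # Protected URIs, or every URI under "Authenticate when any URI is accessed",
    # require an identity: use it, or challenge the client for one.
    if cfg.authenticate_any_uri or req.protected:
        if presented:
            return Outcome("authenticated", identity=presented)
        if cert_failed and not cfg.fallback_to_basic:
            return Outcome("rejected")
        return Outcome("challenge")   # ask for user ID and password (or a certificate)

    # Unprotected URI under "Authenticate only when the URI is protected":
    # no challenge is ever issued; presented data is used only with the sub-option.
    if cfg.use_available_on_unprotected and presented:
        return Outcome("authenticated", identity=presented)
    return Outcome("anonymous", retained=presented)


if __name__ == "__main__":
    # Constructed requests: one to a protected URI, one to an unprotected URI,
    # and one where the required client certificate is missing.
    admin = Request("/app/admin", protected=True, basic_user="alice", basic_valid=True)
    public = Request("/app/public", protected=False, basic_user="alice", basic_valid=True)
    no_cert = Request("/app/admin", protected=True, https=True, cert_required=True,
                      basic_user="bob", basic_valid=True)
    for label, cfg in [("protected only", WebAuthSettings()),
                       ("use available", WebAuthSettings(use_available_on_unprotected=True)),
                       ("any URI", WebAuthSettings(authenticate_any_uri=True)),
                       ("basic fallback", WebAuthSettings(fallback_to_basic=True))]:
        for r in (admin, public, no_cert):
            print(f"{label:15} {r.uri:12} -> {web_authenticate(r, cfg)}")
```

Running the script prints one line per setting and request. The two lines worth comparing are the unprotected URI under "protected only" (anonymous, with the basic credentials retained but unused) versus "use available" (authenticated as alice), and the missing-certificate request, which is rejected outright unless the basic-authentication fallback is enabled.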
Enterprise bean authentication is performed by the EJB authentication module, which resides in the CSIv2 and SAS layer.
The authentication module is implemented using the JAAS login module. The Web authenticator and the EJB authenticator pass the authentication data to the login module, which can use the following mechanisms to authenticate the data:
- Kerberos
- LTPA
- RSA token
The authentication module uses the registry configured on the system to perform the authentication. Four types of registries are supported:
- Federated repositories
- Local operating system
- Standalone LDAP registry
- Standalone custom registry
An external registry implementation that follows the registry interface specified by IBM can replace either the local operating system registry or the LDAP registry.
The login module creates a JAAS subject after authentication and stores the credential that is derived from the authentication data in the public credentials list of the subject. The credential is returned to the Web authenticator or to the enterprise beans authenticator.
The Web authenticator and the enterprise beans authenticator store the received credentials in the Object Request Broker (ORB) current, where the authorization service uses them to perform further access control checks. If the credentials are forwardable, they are also sent to other appservers.
To configure authentication mechanisms...
- Go to...
Security | Global security | Authentication mechanisms and expiration
...and select an authentication mechanism to configure.
Related tasks
Lightweight Third Party Authentication
Set the LTPA mechanism
Kerberos (KRB5) authentication mechanism support for security
Set Kerberos as the authentication mechanism
Set a Java client for Kerberos authentication
RSA token authentication mechanism
Set the RSA token authentication mechanism
Message layer authentication
Authenticate users
Related
Web authentication settings