Set Common Secure Interoperability authentication using scripting
Use this topic to configure inbound and outbound communications using the Common Secure Interoperability protocol (CSIv2) with wsadmin. CSIv2 supports increased vendor interoperability and additional features. You must meet the following requirements before configuring local operating system user registries:
- You must have the administrator or new admin role.
- Enable global security in the environment.
- Set multiple realms using security domains in the environment.
- Set CSI inbound communication authentication.
Inbound authentication refers to the configuration that determines the type of accepted authentication for inbound requests. This authentication is advertised in the interoperable object reference (IOR) that the client retrieves from the name server.
- Launch the wsadmin scripting tool using the Jython scripting language.
- Determine the settings to specify for CSI inbound communication.
The configureCSIInbound command configures various settings for CSI inbound communication. Review the following list of optional parameters to determine the attributes to set in the configuration:
Table 1. Command parameters
-securityDomainName (String)
    Name of the security configuration. If you do not specify a security domain name, the command modifies the global security configuration.
-messageLevelAuth (String)
    Specifies whether clients connecting to this server must specify a user ID and password. Specify Never to disable the user ID and password requirement, Supported to accept a user ID and password, or Required to require a user ID and password.
-supportedAuthMechList (String)
    Authentication mechanism to use. Specify KRB5 for Kerberos authentication, LTPA for Lightweight Third-Party Authentication, BasicAuth for basic authentication, or custom to use your own authentication token implementation. You can specify more than one, separated by the pipe character (|).
-clientCertAuth (String)
    Specifies whether a client that connects to the server must connect using an SSL certificate. Specify Never to allow clients to connect without SSL certificates, Supported to accept clients connecting with and without SSL certificates, or Required to require clients to use an SSL certificate.
-transportLayer (String)
    Transport layer support level. Specify Never to disable transport layer support, Supported to enable transport layer support, or Required to require transport layer support.
-sslConfiguration (String)
    SSL configuration alias to use for inbound transport.
-enableIdentityAssertion (Boolean)
    Specifies whether to enable identity assertion. When using the identity assertion authentication method, the security token generated is a <wsse:UsernameToken> element that contains a <wsse:Username> element. Specify true to enable identity assertion.
-trustedIdentities (String)
    List of trusted server identities, separated by the pipe character (|). To specify a null value, set the value of the -trustedIdentities parameter to an empty string ("").
-statefulSession (Boolean)
    Specifies whether to enable a stateful session. Specify true to enable a stateful session.
-enableAttributePropagation (Boolean)
    Specifies whether to enable security attribute propagation. Security attribute propagation allows the application server to transport authenticated subject contents and security context information from one server to another in the configuration. Specify true to enable security attribute propagation.
- Set CSI inbound communication authentication.
The configureCSIInbound command configures the CSIv2 inbound authentication on a security domain or on the global security configuration. When configuring CSI inbound authentication in a security domain for the first time, the CSI objects are copied from global security. Then, the changes are applied to that configuration. Use the configureCSIInbound command to configure CSI inbound authentication for a security domain or the global security configuration, as the following Jython example demonstrates:
AdminTask.configureCSIInbound('-securityDomainName testDomain -messageLevelAuth Supported -supportedAuthMechList KRB5|LTPA -clientCertAuth Supported -statefulSession true')
- Save the configuration changes:
AdminConfig.save()
- Set CSI outbound communication authentication.
Outbound authentication refers to the configuration that determines the type of authentication that is performed for outbound requests to downstream servers.
- Launch the wsadmin scripting tool using the Jython scripting language.
- Determine the settings to specify for CSI outbound communication.
The configureCSIOutbound command configures various settings for CSI outbound communication. Review the following list of optional parameters to determine the attributes to set in the configuration:
Table 2. Command parameters
-securityDomainName (String)
    Name of the security configuration. If you do not specify a security domain name, the command modifies the global security configuration.
-enableAttributePropagation (Boolean)
    Specifies whether to enable security attribute propagation. Security attribute propagation allows the application server to transport authenticated subject contents and security context information from one server to another in the configuration. Specify true to enable security attribute propagation.
-enableIdentityAssertion (Boolean)
    Specifies whether to enable identity assertion. When using the identity assertion authentication method, the security token generated is a <wsse:UsernameToken> element that contains a <wsse:Username> element. Specify true to enable identity assertion.
-useServerIdentity (Boolean)
    Specifies whether to use the server identity to establish trust with the target server. Specify true to use the server identity.
-trustedId (String)
    Trusted identity that the application server uses to establish trust with the target server.
-trustedIdentityPassword (String)
    Password of the trusted server identity.
-messageLevelAuth (String)
    Specifies whether clients connecting to this server must specify a user ID and password. Specify Never to disable the user ID and password requirement, Supported to accept a user ID and password, or Required to require a user ID and password.
-supportedAuthMechList (String)
    Authentication mechanism to use. Specify KRB5 for Kerberos authentication, LTPA for Lightweight Third-Party Authentication, BasicAuth for basic authentication, or custom to use your own authentication token implementation. You can specify more than one, separated by the pipe character (|).
-clientCertAuth (String)
    Specifies whether a client that connects to the server must connect using an SSL certificate. Specify Never to allow clients to connect without SSL certificates, Supported to accept clients connecting with and without SSL certificates, or Required to require clients to use an SSL certificate.
-transportLayer (String)
    Transport layer support level. Specify Never to disable transport layer support, Supported to enable transport layer support, or Required to require transport layer support.
-sslConfiguration (String)
    SSL configuration alias to use for inbound transport.
-statefulSession (Boolean)
    Specifies whether to enable a stateful session. Specify true to enable a stateful session.
-enableOutboundMapping (Boolean)
    Specifies whether to enable custom outbound identity mapping. Specify true to enable custom outbound identity mapping.
-trustedTargetRealms (String)
    List of target realms to trust. Separate each realm name with the pipe character (|).
- Set CSI outbound communication authentication.
The configureCSIOutbound command configures the CSIv2 outbound authentication in a security domain or in the global security configuration. When configuring CSI outbound authentication in a security domain for the first time, the appserver copies the CSI objects from global security. Then, the appserver applies the changes to that configuration. Use the configureCSIOutbound command to configure CSI outbound authentication for a security domain or the global security configuration, as the following Jython example demonstrates:
AdminTask.configureCSIOutbound('-securityDomainName testDomain -enableIdentityAssertion true -trustedId myID -trustedIdentityPassword myPassword123 -messageLevelAuth Required -trustedTargetRealms realm1|realm2|realm3')
- Save the configuration changes:
AdminConfig.save()
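The two configureCSI* calls above take a single quoted string, so a mistyped level or mechanism name is only caught once wsadmin parses it. The following added example (not code from the WebSphere documentation or from the wsadmin toolkit) validates each parameter against the choices listed in the two tables, assembles the argument string for configureCSIInbound or configureCSIOutbound, and flags combinations that leave IIOP requests unauthenticated or unprotected. It is standard Python meant to run outside wsadmin before you paste the generated statement into a Jython session; the helper names (build_csi_args, weak_settings, csi_call) and the finding codes are this example's own, the -parameter names and values come from the tables, and testDomain, myID, realm1 and so on are the page's own sample values. AdminTask and AdminConfig exist only inside wsadmin, so the example prints the statements it would run rather than running them.

```python
"""Added example: validate and assemble CSIv2 settings for wsadmin.

The -parameter names and their permitted values are taken from the tables on
this page; everything else (function names, finding codes) is this example's
own and is not part of wsadmin. AdminTask/AdminConfig exist only inside a
wsadmin session, so the example prints the statements instead of running them.
"""

LEVELS = ("Never", "Supported", "Required")
AUTH_MECHS = ("KRB5", "LTPA", "BasicAuth", "custom")
LEVEL_PARAMS = ("messageLevelAuth", "clientCertAuth", "transportLayer")
LIST_PARAMS = ("supportedAuthMechList", "trustedIdentities", "trustedTargetRealms")
STRING_PARAMS = ("securityDomainName", "sslConfiguration", "trustedId",
                 "trustedIdentityPassword")
BOOL_PARAMS = {
    "inbound": ("enableIdentityAssertion", "statefulSession",
                "enableAttributePropagation"),
    "outbound": ("enableIdentityAssertion", "statefulSession",
                 "enableAttributePropagation", "useServerIdentity",
                 "enableOutboundMapping"),
}
COMMANDS = {"inbound": "configureCSIInbound", "outbound": "configureCSIOutbound"}


def build_csi_args(direction, **params):
    """Return the single '-name value ...' string one configureCSI* call takes.

    Each value is checked against the documented choices, so a typo such as
    'Supportd' fails here rather than inside wsadmin. Keyword order is kept,
    so the output reads like a hand-typed command.
    """
    if direction not in COMMANDS:
        raise ValueError("direction must be 'inbound' or 'outbound'")
    parts = []
    for name, value in params.items():
        if name in LEVEL_PARAMS:
            if value not in LEVELS:
                raise ValueError("%s must be one of %s" % (name, LEVELS))
            text = value
        elif name in BOOL_PARAMS[direction]:
            if not isinstance(value, bool):
                raise ValueError("%s must be True or False" % name)
            text = "true" if value else "false"
        elif name in LIST_PARAMS:
            items = [str(v) for v in value]
            if name == "supportedAuthMechList":
                unknown = [m for m in items if m not in AUTH_MECHS]
                if unknown:
                    raise ValueError("unknown auth mechanism(s): %s" % unknown)
            if items:
                text = "|".join(items)
            elif name == "trustedIdentities":
                text = '""'  # per the table: an empty string clears the list
            else:
                raise ValueError("%s must not be empty" % name)
        elif name in STRING_PARAMS:
            text = str(value)
        else:
            raise ValueError("%s is not a %s parameter" % (name, COMMANDS[direction]))
        parts.append("-%s %s" % (name, text))
    return " ".join(parts)


def weak_settings(direction, **params):
    """Return codes for combinations that weaken CSIv2 authentication.

    Only the values passed are judged: a parameter you leave out keeps the
    domain's current value, which this helper cannot see.
    """
    findings = []
    if params.get("transportLayer") == "Never":
        # No SSL on the IIOP connection: tokens and payloads cross in the clear.
        findings.append("PLAINTEXT_TRANSPORT")
    if params.get("messageLevelAuth") == "Never" and params.get("clientCertAuth") == "Never":
        # Neither a password nor a client certificate is ever requested.
        findings.append("NO_CLIENT_AUTH")
    if "BasicAuth" in params.get("supportedAuthMechList", ()) and \
            params.get("transportLayer") != "Required":
        # A reusable password may be accepted on a transport that need not be protected.
        findings.append("BASICAUTH_WITHOUT_REQUIRED_TLS")
    if direction == "inbound" and params.get("enableIdentityAssertion") and \
            not params.get("trustedIdentities"):
        # Identity assertion enabled with no allow-list of upstream server identities.
        findings.append("ASSERTION_WITHOUT_TRUSTED_IDENTITIES")
    return findings


def csi_call(direction, args):
    """Return the Jython statement to run inside wsadmin (follow it with AdminConfig.save())."""
    return "AdminTask.%s('%s')" % (COMMANDS[direction], args)


if __name__ == "__main__":
    # The two sample calls from this page, rebuilt from keyword arguments.
    examples = {
        "inbound": dict(securityDomainName="testDomain", messageLevelAuth="Supported",
                        supportedAuthMechList=["KRB5", "LTPA"],
                        clientCertAuth="Supported", statefulSession=True),
        "outbound": dict(securityDomainName="testDomain", enableIdentityAssertion=True,
                         trustedId="myID", trustedIdentityPassword="myPassword123",
                         messageLevelAuth="Required",
                         trustedTargetRealms=["realm1", "realm2", "realm3"]),
    }
    for direction, params in examples.items():
        print(csi_call(direction, build_csi_args(direction, **params)))
        print("  findings:", weak_settings(direction, **params) or "none")
    print("AdminConfig.save()")
```

Running the script prints the two statements shown on this page followed by any findings (none for the page's samples). Because a parameter you omit keeps whatever the domain already holds, pass weak_settings the full set of values you intend to apply, including transportLayer, rather than only the ones you are changing.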
Local operating system registries
Related tasks
Set security domains using scripting
Mapping resources to security domains using scripting
Remove resources from security domains using scripting
Remove security domains using scripting
Related
SecurityConfigurationCommands