Configure CSIv2 outbound communications
The following choices are available when configuring the CSIv2 (CSIv2) outbound communications panel.
Outbound communications refers to the configuration that determines the type of authentication performed for outbound requests to downstream servers. Several layers or methods of authentication can occur. The downstream server inbound authentication configuration must support at least one choice that is made in this server outbound authentication configuration. If nothing is supported, the request might go outbound as unauthenticated. This situation does not create a security problem because the authorization runtime is responsible for preventing access to protected resources. However, if you choose to prevent an unauthenticated credential from going outbound, you might want to designate one of the authentication layers as required, rather than supported. If a downstream server does not support authentication, then when authentication is required, the method request fails to go outbound.
The following choices are available in the CSIv2 (CSIv2) outbound communications panel. We are not required to complete these steps in the displayed order. Rather, these steps are provided to help understand the choices for configuring outbound communications.
- Select Identity Assertion (attribute layer). When selected, this server sends an identity token to a downstream server if the downstream server supports identity assertion. When an originating client authenticates to this server, the authentication information supplied is preserved in the outbound identity token. If the client authenticating to this server uses client certificate authentication, then the identity token format is a certificate chain, containing the exact client certificate chain from the inbound socket. The same scenario is true for other mechanisms of authentication. Read the Identity Assertion topic for more information.
- Select User ID and Password (message layer). This type of authentication is the most typical. The user ID and password (if BasicAuth credential) or authenticated token (if authenticated credential) are sent outbound to the downstream server if the downstream server supports message layer authentication in the inbound authentication panel. Refer to the Message Layer Authentication article for more information.
- Select SSL Client certificate authentication (transport layer). The main reason to enable outbound Secure Sockets Layer (SSL) client authentication from one server to a downstream server is to create a trusted environment between those servers. For delegating client credentials, use one of the two layers that are mentioned previously. However, you might want to create SSL personal certificates for all the servers in the domain, and only trust those servers in the SSL truststore file. No other servers or clients can connect to the servers in the domain, except at the tiers where we want them. This process can protect the enterprise bean servers from access by anything other than the servlet servers.
Example
Typically, the outbound authentication configuration is for an upstream server to communicate with a downstream server. Most likely, the upstream server is a servlet server and the downstream server is an EJB server. On a servlet server, the client authentication performed to access the servlet can be one of many different types of authentication, including client certificate and basic authentication. When receiving basic authentication data, whether through a prompt login or a form-based login, the basic authentication information is typically authenticated to from a credential of the mechanism type that is supported by the server, such as the LTPA. When LTPA is the mechanism, a forwardable token exists in the credential. Choose the message layer (BasicAuth) authentication to propagate the client credentials. If the credential is created using a certificate login and to preserve sending the certificate downstream, you might decide to go with outbound identity assertion.
Subtopics
- CSIv2 outbound communications settings
Use this page to specify the features that a server supports when acting as a client to another downstream server.
- (zos) Additional Common Secure Interoperability outbound authentication settings
Use this page to configure additional authentication settings for requests that are received by this server using the Object Management Group (OMG) Common Secure Interoperability authentication protocol.
Related tasks
Configure CSIv2 (CSIV2) inbound and outbound communication settings Configure CSIv2 inbound communications
Identity assertion to the downstream server