WAS v8.5 > Reference > SetsAuthentication protocol settings for a client configuration
We can use settings in the sas.client.props file to configure SAS and Common Secure Interoperability v2 (CSIv2) clients.
Use the following settings in the app_server_root/properties/sas.client.props file to configure SAS and CSIv2 clients.
SAS is supported only between v6.0.x and previous version servers that have been federated in a v6.1 cell.
The sas.client.props file for WAS v8.5 contains some new properties that support BasicAuth and Kerberos, such as:
com.ibm.IPC.authenticationTarget=BasicAuthcom.ibm.IPC.loginUserid=
com.ibm.IPC.loginPassword=com.ibm.IPC.loginSource=promptcom.ibm.IPC.krb5Service=WAScom.ibm.IPC.krb5CcacheFile=com.ibm.IPC.krb5ConfigFile=
com.ibm.CORBA.securityEnabled
Use to determine if security is enabled for the client process.
com.ibm.CORBA.securityEnabled. This table describes the com.ibm.CORBA.securityEnabled setting.
Set Value Data Type Boolean Default True Valid values True or false
com.ibm.CSI.protocol
Use to determine which authentication protocols are active.
The client can configure protocols of ibm, csiv2 or both as active. The only possible values for an authentication protocol are ibm, csiv2 and both. Do not use sas for the value of an authentication protocol. This restriction applies to both client and server configurations. The following list provides information about using each of these protocol options:
- ibm
- Use this authentication protocol option when we are communicating with WAS Version 4.x or earlier servers.
- csiv2
- Use this authentication protocol option when we are communicating with WAS v5 or later servers because the SAS interceptors are not loaded and running for each method request.
- both
- Use this authentication protocol option for interoperability between WAS Version 4.x or earlier servers and WAS v5 or later servers.
Typically, specifying both provides greater interoperability with other servers.
com.ibm.CSI.protocol. This table describes the com.ibm.CSI.protocol setting.
Set Value Data type String Default Both Valid values ibm, csiv2, both
com.ibm.CORBA.authenticationTarget
Use to determine the type of authentication mechanism for sending security information from the client to the server.
If basic authentication is specified, the user ID and password are sent to the server. Using the SSL transport with this type of authentication is recommended; otherwise, the password is not encrypted. The target server must support the specified authentication target.
com.ibm.CORBA.authenticationTarget. This table describes the com.ibm.CORBA.authenticationTarget setting.
Set Value Data type String Default BasicAuth Valid values BasicAuth, KRB5
com.ibm.CORBA.validateBasicAuth
Use to determine if the user ID and password get validated immediately after the login data is entered when the authenticationTarget property is set to BasicAuth.
In previous releases, BasicAuth logins validated only with the initial method request. During the first request, the user ID and password are sent to the server. This request is the first time the client can notice an error, if the user ID or password is incorrect. The validateBasicAuth method is specified and the validation of the user ID and password occurs immediately to the security server.
For performance reasons, you might want to disable this property if we do not want to verify the user ID and password immediately. If the client program can wait, it is better to have the initial method request flow to the user ID and password. However, program logic might not be this simple because of error handling considerations.
com.ibm.CORBA.validateBasicAuth. This table describes the com.ibm.CORBA.validateBasicAuth setting.
Set Value Data type Boolean Default True Valid values True, False
com.ibm.CORBA.authenticationRetryEnabled
Use to specify that a failed login attempt is retried. This property determines if a retry occurs for other errors, such as stateful sessions that are not found on a server or validation failures at the server because of an expiring credential.
The minor code in the exception that is returned to a client determines which errors are retried. The number of retry attempts is dependent upon the com.ibm.CORBA.authenticationRetryCount property.
com.ibm.CORBA.authenticationRetryEnabled. This table describes the com.ibm.CORBA.authenticationRetryEnabled setting.
Set Value Data type Boolean Default True Valid values True, False
com.ibm.CORBA.authenticationRetryCount
Use to specify the number of retries that occur until either a successful authentication occurs or the maximum retry value is reached.
When the maximum retry value is reached, the authentication exception is returned to the client.
com.ibm.CORBA.authenticationRetryCount. This table describes the com.ibm.CORBA.authenticationRetryCount setting.
Set Value Data type Integer Default 3 Range 1-10
com.ibm.CORBA.loginSource
Use to specify how the request interceptor attempts to log in if it does not find an invocation credential already set.
This property is valid only if message layer authentication occurs. If only transport layer authentication occurs, this property is ignored. When specifying properties, the following two additional properties must be defined:
- com.ibm.CORBA.loginUserid
- com.ibm.CORBA.loginPassword
When performing a programmatic login, it is not necessary to specify none as the login source. The request fails if a credential is set as the invocation credential during a method request.
For the distributed platform, we can choose to NOT edit the properties file, sas.client.props, but set the loginSource property as follows: com.ibm.CORBA.loginSource=none
When you set com.ibm.CORBA.loginSource=none for a remote method invocation (RMI) connection, whether using scripting with wsadmin or from other clients, we have to perform a programmatic logon because the logged-in user's credentials are not inherited. Specify user and/or password at the command line.
com.ibm.CORBA.loginSource. This table describes the com.ibm.CORBA.loginSource setting.
Set Value Data type String Default Prompt Valid values Prompt, key file, stdin, none, properties
com.ibm.CORBA.loginUserid
Use to specify the user ID when a properties login is configured and message layer authentication occurs.
This property is valid only when com.ibm.CORBA.loginSource=properties. Also set the com.ibm.CORBA.loginPassword property.
com.ibm.CORBA.loginUserid. This table describes the com.ibm.CORBA.loginUserid setting.
Set Value Data type String Range Any string that is appropriate for a user ID in the configured user registry of the server.
com.ibm.CORBA.loginPassword
Use to specify the password when a properties login is configured and message layer authentication occurs.
This property is valid only when com.ibm.CORBA.loginSource=properties. Also set the com.ibm.CORBA.loginUserid property.
com.ibm.CORBA.loginPassword. This table describes the com.ibm.CORBA.loginPassword setting.
Set Value Data type String Range Any string that is appropriate for a password in the configured user registry of the server.
com.ibm.CORBA.keyFileName
Use to specify the key file used to log in.
A key file is a file containing a list of realm, user ID, and password combinations that a client uses to log into multiple realms.
The realm used is the one found in the interoperable object reference (IOR) for the current method request. The value of this property is used when the com.ibm.CORBA.loginSource=key file is used.
com.ibm.CORBA.keyFileName. This table describes the com.ibm.CORBA.keyFileName setting.
Set Value Data type String Default C;/WebSphere/AppServer/properties/wsserver.key Range Any fully qualified path and file name of a WAS key file.
com.ibm.CORBA.loginTimeout
Use to specify the length of time the login prompt stays available before it is considered a failed login.
com.ibm.CORBA.loginTimeout. This table describes the com.ibm.CORBA.loginTimeout setting.
Set Value Data type Integer Units Seconds Default 300 (5 minute intervals) Range 0 - 600 (10 minute intervals)
com.ibm.CORBA.securityEnabled
Use to determine if security is enabled for the client process.
com.ibm.CORBA.securityEnabled. This table describes the com.ibm.CORBA.securityEnabled setting.
Set Value Data type Boolean Default True Range True, False
Related
Configure CSIV2 inbound and outbound communication settings
Reference:
Common Secure Interoperability v2 and SAS client configuration