Configure outbound identity mapping to a different target realm
By default, when WebSphere Application Server makes an outbound request from one server to another server in a different security realm, the request is rejected. This topic details alternatives for enabling one server to send outbound requests to a target server in a different realm.
This outbound request is rejected to protect against a rogue server reading potentially sensitive information if successfully impersonating the home of the object. Select one of the following alternative procedures so that one server can send outbound requests to a target server in a different realm. When we are finished with a procedure on the administrative console, click Apply.
Tasks
- Do not perform mapping. Instead, allow the existing security information to flow to a trusted target server, even if the target server resides in a different realm. Complete the following steps in the administrative console:
  - Click Security > Global security.
  - Under RMI/IIOP security, click CSIv2 outbound authentication.
  - Specify the target realms in the Trusted target realms field. Separate multiple trusted target realms with a pipe (|) character. For example, specify server.domain:port_number for an LDAP server or the machine name for the local operating system registry. To propagate security attributes to a different target realm, that target realm must be listed in the Trusted target realms field.
- Use the JAAS WSLogin application login configuration to create a basic authentication Subject containing the credentials of the new target realm. This configuration enables us to log in with a realm, user ID, and password specific to the user registry of the target realm. We can provide the login information from within the Java EE application that is making the outbound request or from within the RMI_OUTBOUND system login configuration. These two login options are described in the following information:
  - Use the WSLogin application login configuration from within the Java EE application to log in and get a Subject containing the user ID and the password of the target realm. The application can wrap the remote call with a WSSubject.doAs call. For an example, see Example: Using the WSLogin configuration to create a basic authentication subject.
  - Use the code sample in Example: Using the WSLogin configuration to create a basic authentication subject from this plug point within the RMI_OUTBOUND login configuration. Every outbound RMI request passes through this login configuration when it is enabled. Complete the following steps to enable and plug in this login configuration:
    - Click Security > Global security.
    - Under RMI/IIOP security, click CSIv2 outbound authentication.
    - Select the Custom outbound mapping option. If the Security Attribute Propagation option is selected, then WAS is already using this login configuration and we do not need to enable custom outbound mapping.
    - Write a custom login module. See Developing custom login modules for a system login configuration for JAAS.
      The Example: Sample login configuration for RMI_OUTBOUND shows a custom login module that determines whether the realm names match. In this example, the realm names do not match, so the WSLogin module is used to create a basic authentication Subject based on custom mapping rules. The custom mapping rules are specific to the customer environment and must be implemented using a realm to user ID and password mapping utility.
    - Configure the RMI_OUTBOUND login configuration so that the new custom login module is first in the list.
      - Click Security > Global security.
      - Under Java Authentication and Authorization Service, click System logins > RMI_OUTBOUND.
      - Under Additional Properties, click JAAS login modules > New to add your login module to the RMI_OUTBOUND configuration.
      - Return to the JAAS login modules panel for RMI_OUTBOUND.
      - Click Set order to change the order in which the login modules are loaded so that our custom login module is loaded first.
    - Add the use_realm_callback and use_appcontext_callback options to the outbound mapping module for WSLogin. To add these options:
      - Click Security > Global security.
      - Under Java Authentication and Authorization Service, click Application logins > WSLogin.
      - Under Additional properties, click JAAS login modules > com.ibm.ws.security.common.auth.module.WSLoginModuleImpl.
      - Under Additional properties, click Custom Properties > New.
      - On the Custom properties panel, enter use_realm_callback in the Name field and true in the Value field.
      - Click OK.
      - Click New to enter the second custom property.
      - On the Custom properties panel, enter use_appcontext_callback in the Name field and true in the Value field.
The following changes are made to the security.xml file:

    <entries xmi:id="JAASConfigurationEntry_2" alias="WSLogin">
      <loginModules xmi:id="JAASLoginModule_2"
                    moduleClassName="com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy"
                    authenticationStrategy="REQUIRED">
        <options xmi:id="Property_2" name="delegate" value="com.ibm.ws.security.common.auth.module.WSLoginModuleImpl"/>
        <options xmi:id="Property_3" name="use_realm_callback" value="true"/>
        <options xmi:id="Property_4" name="use_appcontext_callback" value="true"/>
      </loginModules>
    </entries>
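Both WSLogin options above (calling WSLogin from the application and wrapping the remote call in WSSubject.doAs, or calling it from a custom RMI_OUTBOUND login module) reduce to the same step: compare the caller's realm with the target realm and log in to the target realm only when they differ. The following Java is an added example, not code from this page or from the WebSphere product; CrossRealmInvoker and RealmCredentialMapper are hypothetical names, and the realm to user ID and password mapping utility is assumed to be supplied by the deployment.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;
import com.ibm.websphere.security.cred.WSCredential;

/**
 * Runs an outbound call under a Subject authenticated to the target realm when
 * that realm differs from the caller's realm. Added example, not product code.
 */
public final class CrossRealmInvoker {

    /** Hypothetical realm-to-credential mapping utility supplied by the deployment. */
    public interface RealmCredentialMapper {
        /** Returns {userId, password} for targetRealm, or throws when no mapping exists. */
        String[] lookup(String targetRealm) throws LoginException;
    }

    /** Realm of the Subject on the current thread, or null when there is none. */
    static String currentRealm() throws Exception {
        Subject caller = WSSubject.getCallerSubject();
        if (caller == null) {
            return null;
        }
        Iterator<WSCredential> creds =
            caller.getPublicCredentials(WSCredential.class).iterator();
        return creds.hasNext() ? creds.next().getRealmName() : null;
    }

    /** Builds a basic authentication Subject for targetRealm through WSLogin. */
    static Subject loginToRealm(String targetRealm, String userId, String password)
            throws LoginException {
        LoginContext ctx = new LoginContext("WSLogin",
            new WSCallbackHandlerImpl(userId, targetRealm, password));
        ctx.login();
        return ctx.getSubject();
    }

    /** Runs remoteCall as-is when the realms match, otherwise under the mapped Subject. */
    public static Object callInRealm(String targetRealm, RealmCredentialMapper mapper,
            PrivilegedExceptionAction<Object> remoteCall) throws Exception {
        String here = currentRealm();
        if (here != null && here.equals(targetRealm)) {
            return remoteCall.run();                 // same realm: existing identity flows unchanged
        }
        String[] cred = mapper.lookup(targetRealm);  // mapped user ID and password; never log cred[1]
        Subject mapped = loginToRealm(targetRealm, cred[0], cred[1]);
        return WSSubject.doAs(mapped, remoteCall);   // remote call now carries the target-realm identity
    }
}
```

Inside a custom RMI_OUTBOUND login module the same loginToRealm step runs in login(), and the returned Subject's principals and credentials are copied into the module's Subject so the outbound request is sent with the mapped identity.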
Subtopics
- Example: Using the WSLogin configuration to create a basic authentication subject
  This example shows how to use the WSLogin application login configuration from within a J2EE application to log in and get a Subject containing the user ID and the password of the target realm.
- Example: Sample login configuration for RMI_OUTBOUND
  This example shows a sample login configuration for RMI_OUTBOUND that determines whether the realm names match between two servers.
- Perform identity mapping for authorization across servers in different realms
- Implement a custom authentication token for security attribute propagation
- Developing custom login modules for a system login configuration for JAAS