Common Secure Interoperability outbound authentication settings
Use this page to specify the features that a server supports when acting as a client to another downstream server.
To view this administrative console page, click Security > Authentication Protocol > CSI Outbound Authentication.
Authentication features include three layers of authentication that you can use simultaneously:
- Transport layer: The transport layer, the lowest layer, might contain a Secure Sockets Layer (SSL) client certificate as the identity.
- Message layer: The message layer might contain a user ID and password or an authenticated token.
- Attribute layer: The attribute layer might contain an identity token, which carries an identity from an upstream server that is already authenticated.
The attribute layer (identity token) has the highest priority, followed by the message layer and then the transport layer. If this server sends all three, the downstream server uses only the identity from the attribute layer. The only way for the SSL client certificate to be used as the identity is for it to be the only identity information presented during the outbound request.
Configuration tab
- Basic Authentication
- Specifies whether to send a user ID and a password from the client to the server for authentication.
This type of authentication occurs over the message layer. Basic authentication also includes delegating a credential token from an already authenticated credential, provided that the credential type is forwardable (for example, a Lightweight Third Party Authentication (LTPA) token). On this page, basic authentication refers to any authentication over the message layer: user ID and password as well as token-based authentication.
If you select Basic Authentication, specify whether it is Required or Supported. Selecting Required indicates that when this server goes outbound to downstream servers, the downstream server must support basic authentication for this server to connect. Selecting Supported indicates that this server might or might not perform basic authentication to a downstream server; other configured authentication methods can be used instead. Selecting Never indicates that this server never sends a message layer token outbound to a downstream server. If the downstream server requires basic authentication, the connection is not attempted.
Data type: String
- Client Certificate Authentication
- Specifies whether a client certificate from the configured keystore file is used to authenticate to the server when the SSL connection is made between this server and a downstream server (provided that the downstream server supports client certificate authentication).
Typically, client certificate authentication performs better than message layer authentication, but it requires additional setup: this server must have a personal certificate, and the downstream server must trust the signer certificate of that personal certificate.
If you select client certificate authentication, specify whether it is Required or Supported. Selecting Required indicates that this server can connect only to downstream servers that also have client certificate authentication configured. Selecting Supported indicates that this server performs client certificate authentication with a downstream server when that server supports it, and falls back to other configured methods when it does not. Selecting Never indicates that this server does not perform client certificate authentication to any downstream server, which prevents access to any downstream server that requires it.
Data type: String
- Identity Assertion
- Specifies whether to assert identities from one server to another during a downstream enterprise bean invocation.
The identity asserted is the invocation credential that is determined by the RunAs mode for the enterprise bean. If the RunAs mode is Client, the identity is the client identity. If the RunAs mode is System, the identity is the server identity. If the RunAs mode is Specified, the identity is the identity specified. The receiving server receives the identity in an identity token and also receives the sending server identity in a client authentication token. The receiving server validates the identity of the sending server to ensure a trusted identity.
When you enable identity assertion on this panel, also set Basic Authentication to Supported or Required here. This allows the server identity to be sent in the message layer along with the identity token, so that the receiving server can authenticate the sending server and decide whether to trust it. If Basic Authentication is set to Never, trust is not established and the identity assertion fails.
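The layer priority, the Required/Supported/Never matching for each layer, the RunAs selection of the invocation identity, and the basic-authentication precondition for identity assertion, as an added Python model. This is not WebSphere code and not a CSIv2 implementation; the class and function names, the sample identities, and two modelling choices (a layer set to Supported on both sides is used, and an asserted identity is accepted only when this server's own identity was actually sent in the message layer) are assumptions made here that are consistent with the text above.

```python
"""Added illustration: a model of CSIv2 outbound policy negotiation.

Not WebSphere code. Policy values and layer priority follow the page; the
classes, function names and the sample identities are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional

REQUIRED, SUPPORTED, NEVER = "Required", "Supported", "Never"

# Layers in the order the downstream server prefers them (highest first).
LAYER_PRIORITY = ("attribute", "message", "transport")


@dataclass
class OutboundPolicy:
    """Settings from the CSI Outbound Authentication panel (assumed names)."""
    basic_auth: str = SUPPORTED        # message layer: user ID/password or token
    client_cert: str = SUPPORTED       # transport layer: SSL client certificate
    identity_assertion: bool = False   # attribute layer: identity token


@dataclass
class InboundPolicy:
    """What the downstream server accepts (assumed names)."""
    basic_auth: str = SUPPORTED
    client_cert: str = SUPPORTED
    identity_assertion: bool = False


def run_as_identity(mode: str, client_identity: str, server_identity: str,
                    specified: Optional[str] = None) -> str:
    """Invocation credential chosen by the enterprise bean's RunAs mode."""
    if mode == "Client":
        return client_identity
    if mode == "System":
        return server_identity
    if mode == "Specified" and specified:
        return specified
    raise ValueError(f"unsupported RunAs mode {mode!r}")


def layer_agreed(outbound: str, inbound: str, name: str) -> bool:
    """Whether one layer is used, given both sides' Required/Supported/Never."""
    if (outbound == NEVER and inbound == REQUIRED) or \
       (outbound == REQUIRED and inbound == NEVER):
        raise ValueError(f"{name}: outbound {outbound} vs downstream {inbound}; "
                         "connection not attempted")
    if outbound == NEVER or inbound == NEVER:
        return False
    # Required on either side, or Supported on both: the layer is used.
    # (Treating Supported/Supported as "used" is this model's assumption.)
    return True


def negotiate(out: OutboundPolicy, inbound: InboundPolicy,
              invocation_identity: str, server_identity: str,
              server_cert_dn: str) -> Dict[str, str]:
    """Layers this server presents outbound, with the identity each carries."""
    presented: Dict[str, str] = {}
    if layer_agreed(out.client_cert, inbound.client_cert, "client certificate authentication"):
        presented["transport"] = server_cert_dn       # SSL client certificate of this server
    if layer_agreed(out.basic_auth, inbound.basic_auth, "basic authentication"):
        presented["message"] = server_identity        # this server's own credential/token
    if out.identity_assertion:
        # Page rule: basic authentication must be Supported or Required so the
        # sending server identity travels with the identity token. Requiring the
        # message layer to actually be present is this model's assumption.
        if out.basic_auth == NEVER or "message" not in presented:
            raise ValueError("identity assertion fails: no message layer token to establish trust")
        if inbound.identity_assertion:
            presented["attribute"] = invocation_identity
    return presented


def downstream_identity(presented: Dict[str, str]) -> Optional[str]:
    """Identity the downstream server uses: the highest-priority layer present."""
    for layer in LAYER_PRIORITY:
        if layer in presented:
            return presented[layer]
    return None


if __name__ == "__main__":
    ident = run_as_identity("Client", "alice", "server1")
    req = negotiate(OutboundPolicy(identity_assertion=True),
                    InboundPolicy(identity_assertion=True), ident, "server1", "CN=server1")
    print(req, "->", downstream_identity(req))   # all three layers sent; attribute wins: alice
```

Note that with the default Supported/Supported settings the SSL client certificate is sent but never becomes the identity, because the message layer token outranks it; only an outbound policy of basic authentication Never and client certificate Required or Supported leaves the certificate as the sole identity.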
Data type: String
- Stateful Sessions
- Specifies whether to reuse security information during authentication. This option is usually used to increase performance.
The first contact between a client and server must fully authenticate. All subsequent contacts with valid sessions reuse the security information: the client passes a context ID to the server, and the server uses that ID to look up the session. The context ID is scoped to the connection, which guarantees uniqueness. Whenever the security session is invalid and authentication retry is enabled (it is enabled by default), the client-side security interceptor invalidates the client-side session and resubmits the request transparently with full authentication. For example, if the session no longer exists on the server because the server failed and resumed operation, the retried request re-authenticates and establishes a new session.
When this value is disabled, every method invocation must re-authenticate.
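The session reuse and transparent retry described above, as an added Python model; this is not WebSphere code. The client and server classes, the "no such session" status used to signal a lost session, and the sample credential are constructed for this example.

```python
"""Added illustration: a model of CSIv2 stateful session reuse and retry.

Not WebSphere code. The client/server classes, the "no_such_session" status
and the sample credential are assumptions made for this example.
"""
import itertools
from typing import Dict, Optional, Tuple

# Constructed sample credential accepted by the toy server.
VALID_CREDENTIALS = {"alice": "s3cret"}


class Server:
    """Downstream server holding security sessions keyed by context ID."""

    def __init__(self, stateful: bool = True) -> None:
        self.stateful = stateful
        self.sessions: Dict[int, str] = {}
        self.full_auths = 0                 # how many full authentications happened
        self._next_id = itertools.count(1)

    def _authenticate(self, credential: Tuple[str, str]) -> str:
        user, secret = credential
        if VALID_CREDENTIALS.get(user) != secret:
            raise PermissionError(f"authentication failed for {user}")
        self.full_auths += 1
        return user

    def invoke(self, request: dict) -> Tuple[str, Optional[str], Optional[int]]:
        """Return (status, identity, context_id) for one method invocation."""
        ctx = request.get("context_id")
        if ctx is not None:
            identity = self.sessions.get(ctx)
            if identity is None:            # e.g. server restarted and lost the session
                return ("no_such_session", None, None)
            return ("ok", identity, ctx)
        identity = self._authenticate(request["credential"])
        if not self.stateful:
            return ("ok", identity, None)   # stateless: nothing to reuse next time
        ctx = next(self._next_id)
        self.sessions[ctx] = identity
        return ("ok", identity, ctx)

    def restart(self) -> None:
        """Simulate the server failing and resuming: all sessions are gone."""
        self.sessions.clear()


class Client:
    """Upstream server acting as a client over one connection to `server`."""

    def __init__(self, server: Server, credential: Tuple[str, str], retry: bool = True) -> None:
        self.server = server
        self.credential = credential
        self.retry = retry                       # authentication retry (default on)
        self.context_id: Optional[int] = None    # session ID scoped to this connection

    def call(self, method: str) -> str:
        request: dict = {"method": method}
        if self.context_id is not None:
            request["context_id"] = self.context_id      # reuse the security session
        else:
            request["credential"] = self.credential      # full authentication
        status, identity, ctx = self.server.invoke(request)
        if status == "no_such_session":
            self.context_id = None                       # invalidate client-side session
            if not self.retry:
                raise RuntimeError("security session invalid and retry disabled")
            return self.call(method)                     # resubmit transparently
        self.context_id = ctx
        return identity


def full_auths_for(stateful: bool, calls: int, restart_after: Optional[int] = None) -> int:
    """Run `calls` invocations on a fresh server; return how many fully authenticated."""
    server = Server(stateful=stateful)
    client = Client(server, ("alice", "s3cret"))
    for i in range(1, calls + 1):
        client.call(f"method{i}")
        if restart_after == i:
            server.restart()
    return server.full_auths
```

Three invocations on a stateful server cost one full authentication; a restart after the first call adds exactly one more, because the retry re-authenticates once and the new context ID is reused afterwards; with stateful sessions disabled every invocation authenticates.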
Data type: String