Configure the authentication protocol
For special security requirements from Java clients, you might want to configure the authentication protocol. This entails choosing a protocol, either CSIv2 or SAS. The CSIv2 protocol is new to WebSphere Application Server Version 5 and has many new and improved features. The SAS protocol is still provided for backward compatibility with previous product releases but is being deprecated.
Follow these steps to configure an authentication protocol for WebSphere Application Server:
Decide which authentication protocol to use: CSIv2 or both CSIv2 and SAS.
CSIv2 is the recommended protocol because it provides more features than SAS. SAS is provided for backward compatibility with previous versions of WebSphere Application Server. If you are operating in a heterogeneous environment, you may want to configure both protocols for your server. For more information, see Authentication protocols. You select the authentication protocol on the Global Security page of the administrative console.
Decide if you need to define inbound or outbound transports or both.
For example, you might have a Java client that communicates with an application server, which in turn communicates with a second application server. The Java client uses the sas.client.props file to configure outbound security (pure clients only need to configure outbound security). The first application server configures inbound security to handle the right type of authentication from the Java client. The second application server uses its outbound security configuration when communicating with the first application server. The type of authentication might be different from what you would expect from the Java client into the application server. Security might be tighter between the pure client and the first application server, depending on your infrastructure. The first application server uses its inbound security configuration to accept requests from the second application server. These two have to have similar configuration options as well. If the first application server communicates with other application servers, then the outbound security might need to be configured a special way.
If you are using CSIv2, decide what type of authentication to use: BasicAuth (user ID and password) or client certificate.
By default, authentication that uses user IDs and passwords is performed. Both Java client certificate authentication and Identity Assertion are disabled by default. Therefore, if you want this type of Basic Authentication to be performed at every tier, then you probably do not need to modify the CSIv2 authentication protocol configuration. However, if you have any special requirements where some servers authenticate differently from other servers, then you want to configure CSIv2 to best take advantage of the features it offers. For more information, see CSIv2 features.
Configure the servers.
Use the administrative console. If you want some servers to authenticate differently from others, modify the server-level configurations. Any time you modify the server-level configurations, you are overriding the cell-level configurations. Start the administrative console, and expand Security --> Authentication Protocol. The authentication protocol inbound and outbound settings are listed in the navigation menu.
- Configure CSIv2 inbound authentication
- Configure CSIv2 outbound authentication
- Configure inbound transport
- Configure outbound transport
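As an added example that is not part of this page, the following sas.client.props fragment configures outbound security for the pure Java client in the scenario above: it selects CSIv2 only, authenticates with a user ID and password (BasicAuth) at the message layer, and requires SSL/TLS at the transport layer so the request fails rather than falling back to clear TCP/IP. The property names are assumed from the WebSphere Application Server Version 5 client properties file and should be checked against your installation's sas.client.props; the user ID and password values are constructed placeholders.

```properties
# sas.client.props fragment (added example; property names assumed, values constructed)

# Enable security on the client ORB; without this, no authentication is sent at all.
com.ibm.CORBA.securityEnabled=true

# Speak only CSIv2 to the first application server.
# Use "both" only when this client must also reach SAS-only (Version 4) servers,
# since SAS is deprecated and lacks the CSIv2 features.
com.ibm.CSI.protocol=csiv2

# Message-layer authentication: BasicAuth (user ID and password).
# "properties" reads the credentials below; "prompt" asks the user interactively.
com.ibm.CORBA.loginSource=properties
com.ibm.CORBA.loginUserid=appclient
com.ibm.CORBA.loginPassword=CHANGE_ME

# Require message-layer client authentication so an unauthenticated session
# is refused instead of silently accepted.
com.ibm.CSI.performClientAuthenticationRequired=true
com.ibm.CSI.performClientAuthenticationSupported=true

# Transport layer: require SSL/TLS so the password never crosses the wire in the clear.
# Only a link already protected by a VPN (Scenario 4) justifies Required=false.
com.ibm.CSI.performTransportAssocSSLTLSRequired=true
com.ibm.CSI.performTransportAssocSSLTLSSupported=true

# BasicAuth is the chosen method, so no client certificate is presented at the transport layer.
# Flip both to true (and configure the client key store) for the client certificate scenarios.
com.ibm.CSI.performTLClientAuthenticationRequired=false
com.ibm.CSI.performTLClientAuthenticationSupported=false
```

The first application server's CSIv2 inbound authentication and inbound transport settings must accept these choices (message-layer BasicAuth, SSL/TLS transport), or the client's Required settings cause the connection to be rejected.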
Common Secure Interoperability Version 2 scenarios
The following scenarios are intended to demonstrate how to configure specific Common Secure Interoperability Version 2 (CSIv2) configuration examples:
- Scenario 1: Basic authentication and identity assertion
- Scenario 2: Basic authentication, identity assertion, and client certificates
- Scenario 3: Client certificate authentication and RunAs system
- Scenario 4: TCP/IP transport using VPN
- Scenario 5: Interoperability with WebSphere Application Server Version 4