
Enable step-up authentication, the Remember me cookie, or both on IBM i


We can enable step-up authentication or the Remember me cookie individually, or we can use the two features together.

Log on to the WAS admin console and go to...

Verify that both Interoperability Mode and Web inbound security attribute propagation are enabled.

We can use step-up authentication with IBM WSRP extensions. The authentication level defined for portlets on the Producer portal is automatically set on the Consumer portal when it consumes WSRP services. If you apply step-up authentication mechanisms on the Producer, users are also challenged for stronger authentication credentials on the Consumer portal as required.
To use step-up authentication with an IBM WSRP extension, ensure your environment meets the following requirements:

Important: The Remember me cookie does not extend the Portal Personalization feature to the public area because a user identified by the Remember me cookie in a public area is still considered anonymous from an access control point of view.

Web Content Manager note: The authoring portlet and the web content viewer do not fully support step-up authentication or the Remember me cookie. However, the user name component is aware of the Remember me cookie. If the Remember me cookie is set on a request and the user is not logged in, the user name component does not use the anonymous user design for the response but instead uses the user name design, complete with the name or distinguished name of the user specified by the Remember me cookie.

Restriction: Step-up authentication requires the LtpaToken2 for single sign-on; see Implementing single sign-on to minimize web user authentications for details.

To enable step-up authentication, the Remember me cookie, or both:

  1. Choose one of the following configuration options:

    Option: Enable both step-up authentication and the Remember me cookie

    By default, this task enables the following authentication levels:

    • standard

    • identified

    • authenticated

    To enable step-up authentication and the Remember me cookie:

    1. Edit wkplc.properties, located in...

        WP_PROFILE/ConfigEngine/properties

    2. Set enable_rememberme to true in the 'StepUp Authentication' properties section.

    3. Save the changes to wkplc.properties.

    4. Run the following ConfigEngine task:

        ConfigEngine.sh enable-stepup-authentication -DWasUserid=wasuser -DWasPassword=foo -Dsua_user=user_name -Dsua_serversecret_password=foo

    We can define the sua_user and sua_serversecret_password parameters either in wkplc.properties or on the command line. If you enter the values in the properties file and on the command line, the values entered on the command line overwrite the values in wkplc.properties.

    Option: Enable only step-up authentication

    By default, this task enables the following authentication levels:

    • standard

    • authenticated

    To enable only step-up authentication:

    1. Edit wkplc.properties, located in...

        WP_PROFILE/ConfigEngine/properties

    2. Set enable_rememberme to false in the 'StepUp Authentication' properties section.

    3. Save the changes to wkplc.properties.

    4. Run the following ConfigEngine task:

        ConfigEngine.sh enable-stepup-authentication -DWasUserid=wasuser -DWasPassword=foo

    Option: Enable only the Remember me cookie

    Run the following ConfigEngine task:

        ConfigEngine.sh enable-rememberme -DWasUserid=wasuser -DWasPassword=foo -Dsua_user=user_name -Dsua_serversecret_password=foo

    We can define the sua_user and sua_serversecret_password parameters either in wkplc.properties or on the command line. If you enter the values in the properties file and on the command line, the values entered on the command line overwrite the values in wkplc.properties.

  2. Check the output for any error messages before proceeding with any additional tasks. If any of the configuration tasks fail, verify the values in wkplc.properties.

  3. Stop and restart servers, dmgrs, and node agents.

  4. To change the authentication level on a page or portlet:

    1. Click Administration.

    2. Click Resource Permissions under Access.

    3. Click either the Pages link or the Portlets link.

    4. Locate the page or portlet to change and click the Authentication Level link.

    5. Choose one of the following levels:

      The following Authentication Levels are provided out-of-the-box. If you customized the step-up authentication, you may have different levels.

        Standard

        Set the Authentication Level to Standard if you want anonymous and identified users to view the page or portlet. The Standard level has the following two states based on the access control setting for the page or portlet:

        • If anonymous users have access to the page or portlet, no authentication is required.

        • If only authenticated users have access to the page or portlet, authentication is required.

        Identified (available if enable_rememberme=true)

        Set the Authentication Level to Identified to control whether or not content is displayed to an unauthenticated user based on the existence of a persistent HTTP cookie. This option is intended for pages and portlets that are visible to anonymous users. An example is the Remember me on this computer option during login. This option generates the com.ibm.portal.RememberMe cookie.

        If a user previously authenticated to WebSphere Portal and then returns with the com.ibm.portal.RememberMe cookie, the user is "identified" and the content displays without the user having to log in. If a user attempts to access WebSphere Portal without the com.ibm.portal.RememberMe cookie, the user is asked to authenticate before the content is displayed.

        CAUTION:

        Do not set the Authentication Level to Identified for the Login portlet. This action causes problems when logging in to WebSphere Portal.

        Authenticated

        Set the Authentication Level to Authenticated if you want anonymous and identified users to log in before they can view the page or portlet.
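The following Python model is an added illustration of the decision rules the three out-of-the-box levels describe; it is not code from the IBM documentation or from WebSphere Portal. The level names, the com.ibm.portal.RememberMe cookie name, the dependency of Identified on enable_rememberme, the Login portlet caution, and the rule that a cookie-identified user is still anonymous for access control all come from the page. The Resource and Request types, the render/challenge outcomes, and the validate() helper are assumptions introduced here to make the rules checkable.

```python
"""Model of WebSphere Portal step-up authentication levels (illustrative, not product code)."""
from dataclasses import dataclass, field
from enum import Enum

# Cookie name stated on the page; the Remember me feature issues it at login.
REMEMBER_ME_COOKIE = "com.ibm.portal.RememberMe"


class Level(str, Enum):
    STANDARD = "standard"
    IDENTIFIED = "identified"
    AUTHENTICATED = "authenticated"


@dataclass(frozen=True)
class Request:
    """Assumed request shape: a live portal session flag plus the cookie names sent."""
    authenticated: bool                     # user logged in (LtpaToken2 SSO session)
    cookies: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Resource:
    """Assumed page/portlet shape: its authentication level and access-control visibility."""
    name: str
    level: Level
    anonymous_allowed: bool                 # access control grants anonymous users view access


def enabled_levels(enable_rememberme: bool):
    """Levels installed by enable-stepup-authentication, depending on enable_rememberme."""
    levels = {Level.STANDARD, Level.AUTHENTICATED}
    if enable_rememberme:
        levels.add(Level.IDENTIFIED)
    return levels


def validate(resource: Resource, enable_rememberme: bool):
    """Return a list of configuration problems for a resource (empty list means OK)."""
    problems = []
    if resource.level not in enabled_levels(enable_rememberme):
        problems.append(
            f"{resource.name}: level '{resource.level.value}' is not enabled "
            f"(enable_rememberme={enable_rememberme})")
    # CAUTION on the page: Identified on the Login portlet breaks logging in.
    if resource.level is Level.IDENTIFIED and resource.name.lower() == "login":
        problems.append(f"{resource.name}: Identified level must not be used on the Login portlet")
    return problems


def resolve(resource: Resource, request: Request) -> str:
    """Decide whether the content renders or the user is challenged to authenticate.

    Standard: depends only on access control (anonymous allowed -> no challenge).
    Identified: a Remember me cookie is enough; without it the user must authenticate.
    Authenticated: identified or anonymous users must log in.
    """
    if request.authenticated:
        return "render"                     # a logged-in user satisfies every level
    has_cookie = REMEMBER_ME_COOKIE in request.cookies
    if resource.level is Level.STANDARD:
        return "render" if resource.anonymous_allowed else "challenge"
    if resource.level is Level.IDENTIFIED:
        return "render" if has_cookie else "challenge"
    return "challenge"                      # Level.AUTHENTICATED


def access_control_identity(request: Request) -> str:
    """Access-control view of the caller: the Remember me cookie never upgrades anonymous."""
    return "user" if request.authenticated else "anonymous"


if __name__ == "__main__":
    cookie_only = Request(authenticated=False, cookies=frozenset({REMEMBER_ME_COOKIE}))
    home = Resource("home", Level.IDENTIFIED, anonymous_allowed=True)
    print(resolve(home, cookie_only), access_control_identity(cookie_only))
```

The last two functions are the point for a security review: a returning visitor with only the cookie gets Identified content rendered, yet remains anonymous for access-control decisions, which is why the cookie must never be treated as an authentication credential for pages that hold protected data.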
