
Credential Vault


The Credential Vault is a service that stores credentials that allow portlets to log in to applications outside the realm on behalf of the user. It manages multiple identities for portlets and users.

Using Credential Vault, a portlet can retrieve a user's authentication identity and then pass the information to a backend application. The Credential Vault features the following two levels of sign-on:

Credential objects can also pass IBM Tivoli Access Manager single sign-on tokens to backend applications.

IBM WebSphere Portal provides a database vault implementation for mappings to secrets for other enterprise applications. By default, the Credential Vault contains an administrator-managed vault segment and a user-managed vault segment. Administrator-managed vaults allow users to update mappings; however, users cannot add new applications to this vault. The user-managed vault segment allows users to add application definitions, such as a POP3 mail account, under the user vault and store a mapping there. By default, the vault uses an encryption plug-in that encodes the passwords in Base64.
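Base64 is a reversible encoding that uses no key, so a password stored by the default plug-in is readable by anyone who can read the stored value. The audit sketch below is an added example, not IBM code: the `(slot, stored value)` row layout, the slot names and the sample values are constructed for illustration and do not reflect the actual vault schema.

```python
import base64
import binascii


def decode_if_base64_text(stored):
    """Return the plaintext if `stored` is Base64 of printable text, else None."""
    try:
        # validate=True rejects characters outside the Base64 alphabet
        raw = base64.b64decode(stored, validate=True)
    except (binascii.Error, ValueError):
        return None  # not Base64 at all
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None  # decodes to binary, consistent with real ciphertext
    # An empty or non-printable result is not treated as a recovered password
    return text if text and text.isprintable() else None


def audit(rows):
    """Return the slot names whose stored secret is recoverable without a key."""
    return [slot for slot, stored in rows
            if decode_if_base64_text(stored) is not None]


# Constructed sample rows: (hypothetical slot name, stored value)
SAMPLE_ROWS = [
    # Password stored under a Base64-only encoder
    ("pop3-mail", base64.b64encode(b"S3cret!pw").decode()),
    # Stand-in for ciphertext: Base64-wrapped bytes that are not valid text
    ("hr-backend", base64.b64encode(
        bytes([0x8F, 0x02, 0xC1, 0xFE, 0x9A, 0x00, 0x7D, 0xE3])).decode()),
    # Value that is not Base64 at all
    ("legacy-app", "not base64 at all!"),
]

if __name__ == "__main__":
    for slot in audit(SAMPLE_ROWS):
        print(f"{slot}: stored value is Base64-encoded plaintext, not encrypted")
```

The check is a heuristic: a flagged slot is a strong sign of encoding-only storage, while an unflagged one only means the value did not decode to printable text.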

WebSphere Portal initially provides two vault adapter configurations that write to the database:

default-release: Default vault for administrator-managed vault segments. Stores credentials in the release domain.
default-customization: Default vault for user-managed vault segments. Stores credentials in the customization domain.

WebSphere Portal also supports the storage and retrieval of credentials from other vault services, such as Tivoli Access Manager. WebSphere Portal ships a Credential Vault adapter for Tivoli Access Manager.




Last update: April 30, 2014