Security considerations for WSRP services
When you use WSRP with your portal, you can configure security
and provide authentication by using different authentication mechanisms.
You can choose between using Web services security
(WS-Security) or Secure Socket Layer (SSL):
- Authentication of the end user by using WS-Security (Web services security).
  For example, you can use Lightweight Third-Party Authentication (LTPA)
  token forwarding. In this case the Consumer portal passes requests from individual
  users on to the Producer portal under separate user IDs.
  Note: With the portal you can use all security tokens that IBM® WebSphere®
  Application Server supports. For most tokens, for example LTPA, the Consumer
  and Producer portals need to share the same user registry.
- Authentication of the Consumer portal by using Secure Socket Layer Client
Certificate Authentication: In this case the Consumer portal channels all
requests by its users under the same preset shared user ID and passes them
on to the Producer portal. For this option the Consumer and Producer portal
can have shared or separate user registries.
Notes:
- For both Producer and Consumer portals:
  - You can use both security configurations independently on your portal,
    providing security by both WS-Security and SSL client certificate authentication.
    For more detailed information refer to the URL given under Related information
    below.
  - If you use your portal as both a Producer and a Consumer portal, the security
    configurations for both these roles are independent of each other.
- For Producer portals:
  - For a Producer portal, security for WSRP services is optional.
    You can configure it if required, but you do not have to provide security.
  - When you configure WSRP security for a Producer portal by one of these
    options, you also need to configure Portal Access Control for that Producer
    portal and give the users of the Consumer portal access permissions.
  - If you want to allow a Consumer portal that is configured for SSL client
    certificate authentication to be able to consume your WSRP services, you need
    to configure at least SSL for your Producer portal, but not necessarily client
    certificate authentication.
- For Consumer portals:
  - For a Consumer portal, you need to provide the same security setup for
    WSRP as the Producer portal from which you consume WSRP services.
  - On the Consumer portal, the WSRP services that are consumed as remote
    portlets behave like local portlets. Therefore you can configure Portal Access
    Control for the WSRP services on the Consumer portal the same way as for local
    portlets.
When you configure security between your WSRP portals by one of
these options, you also need to configure Portal Access Control and assign
access rights for the Consumer portal users on the Producer portal. If you
do not use either of these two authentication methods, the Producer portal
assumes the anonymous user.
Assigning access rights: The Producer
needs to assign access rights on the Producer portal based on the authentication
information as follows:
- If you use WS-Security, assign access rights on the Producer portal to
the actual Consumer portal users.
- If you use SSL client certificate authentication, assign access rights
to the shared user ID that the Consumer uses and that is specified in the
client certificate.
- If you use neither of these two authentication methods, assign access rights
to the anonymous user. This is necessary because the Producer portal assumes
the anonymous user if no authentication is performed.
For more details and considerations about Portal Access Control, refer
to the sections about Configuring security and Managing access, users, and
groups.
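The following added example, which is not IBM or WebSphere Portal code, models the identity rules above and checks a set of Producer-side grants against the configured authentication mode. The mode strings, the `anonymous` name, the shared ID `wsrp-consumer`, the portlet names, and the grant data structure are all assumptions made for illustration.

```python
# Added illustration: models the identity rules on this page; not WebSphere Portal code.
ANONYMOUS = "anonymous"  # stand-in for the Producer's anonymous user (name assumed)


def producer_principal(auth_mode, end_user, shared_id=None):
    """Return the identity the Producer evaluates Portal Access Control against."""
    if auth_mode == "ws-security":        # e.g. LTPA token forwarding
        return end_user                   # each Consumer user arrives under its own ID
    if auth_mode == "ssl-client-cert":
        if not shared_id:
            raise ValueError("SSL client certificate mode needs the shared user ID")
        return shared_id                  # every Consumer user arrives as one preset ID
    if auth_mode == "none":
        return ANONYMOUS                  # no authentication: anonymous is assumed
    raise ValueError(f"unknown auth mode: {auth_mode!r}")


def review_grants(auth_mode, grants, consumer_users, shared_id=None):
    """Flag Producer-side grants that do not fit the configured auth mode.

    grants maps a provided portlet name to the set of principals granted access.
    """
    effective = {producer_principal(auth_mode, u, shared_id) for u in consumer_users}
    findings = []
    for portlet, allowed in sorted(grants.items()):
        if not allowed & effective:
            # No Consumer user resolves to an identity that holds a grant.
            findings.append((portlet, "unreachable"))
        if allowed - effective - {ANONYMOUS}:
            # Grant names an identity this auth mode never presents.
            findings.append((portlet, "never-matched"))
        if ANONYMOUS in allowed and auth_mode != "none":
            # Requests that carry no authentication are evaluated as anonymous.
            findings.append((portlet, "anonymous-grant"))
    return findings


if __name__ == "__main__":
    # Constructed sample: two Consumer users, shared ID "wsrp-consumer" (hypothetical).
    users = ["alice", "bob"]
    grants = {"news": {"alice", "bob"}, "payroll": {"wsrp-consumer"},
              "weather": {ANONYMOUS}}
    for mode in ("ws-security", "ssl-client-cert", "none"):
        print(mode, review_grants(mode, grants, users, shared_id="wsrp-consumer"))
```

With SSL client certificate authentication the per-user grants on `news` are reported as never matched, because the Producer only ever sees the shared ID; per-user restrictions in that setup have to be applied on the Consumer portal.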
By default Portal Access Control is enabled for the Producer
portal. The section "Disabling and Enabling Portal Access Control for the
Producer portal" shows how
to disable and enable Portal Access Control on the Producer portal.
Parent topic: Planning for WSRP
Related concepts
How you work with WSRP in your portal
Communication between the Producer and Consumer portals
Cookie support
Preparing security for a WSRP Producer portal
Securing WSRP by WS-Security for a Producer portal
Securing WSRP by SSL for a Producer portal
Disabling and enabling Portal Access Control for a WSRP Producer portal
Preparing security for a WSRP Consumer portal
Securing WSRP by WS-Security for a Consumer portal
Securing WSRP by SSL for a Consumer portal
Enabling Portal Access Control for a WSRP Consumer portal