Common authentication protocol settings for a client configuration

Use the following settings in the install_dir/properties/sas.client.props file to configure Security Authentication Service (SAS) and Common Secure Interoperability V2 (CSIv2) clients.


com.ibm.CORBA.securityEnabled

Use to determine if security is enabled for the client process.

Setting        Value
Data type      Boolean
Default        True
Valid values   True, False

com.ibm.CSI.protocol

Use to determine which authentication protocols are active.

The client can activate the ibm protocol, the csiv2 protocol, or both. The only valid values for an authentication protocol are ibm, csiv2 and both; do not use sas as the value. This restriction applies to both client and server configurations. The following list describes each protocol option:

ibm

Use this authentication protocol option when you are communicating with WebSphere Application Server V4.x or earlier servers.

csiv2

Use this authentication protocol option when you are communicating with WebSphere Application Server V5 or later servers because the SAS interceptors are not loaded and running for each method request.

both

Use this authentication protocol option for interoperability between WebSphere Application Server V4.x or earlier servers and WebSphere Application Server V5 or later servers. Typically, specifying both provides the greatest interoperability with other servers.

Setting        Value
Data type      String
Default        Both
Valid values   ibm, csiv2, both

com.ibm.CORBA.authenticationTarget

Use to determine the type of authentication mechanism for sending security information from the client to the server.

If basic authentication is specified, the user ID and password are sent to the server. Use the SSL transport with this type of authentication; otherwise the password is sent unencrypted. The target server must support the specified authentication target.

If you specify LTPA, then LTPA must be the mechanism configured at the server for a method request to proceed securely.

Setting        Value
Data type      String
Default        BasicAuth
Valid values   BasicAuth, LTPA

com.ibm.CORBA.validateBasicAuth

Use to determine if the user ID and password get validated immediately after the login data is entered when the authenticationTarget property is set to BasicAuth.

In previous releases, BasicAuth logins were validated only with the initial method request: the user ID and password were sent to the server with that request, so the client could not notice an incorrect user ID or password until then. When validateBasicAuth is enabled, the user ID and password are validated immediately against the security server.

For performance reasons, you might want to disable this property if you do not need the user ID and password verified immediately. If the client program can wait, it is better to let the initial method request carry the user ID and password for validation. However, program logic might not be this simple because of error handling considerations.

Setting        Value
Data type      Boolean
Default        True
Valid values   True, False

com.ibm.CORBA.authenticationRetryEnabled

Use to specify whether a failed login attempt is retried. This property also determines whether a retry occurs for other errors, such as a stateful session that is not found on the server or a validation failure at the server because of an expiring credential.

The minor code in the exception that is returned to a client determines which errors are retried. The number of retry attempts is dependent upon the com.ibm.CORBA.authenticationRetryCount property.

Setting        Value
Data type      Boolean
Default        True
Valid values   True, False

com.ibm.CORBA.authenticationRetryCount

Use to specify the number of retries that occur until either a successful authentication occurs or the maximum retry value is reached.

When the maximum retry value is reached, the authentication exception is returned to the client.

Setting        Value
Data type      Integer
Default        3
Range          1 - 10

com.ibm.CORBA.loginSource

Use to specify how the request interceptor attempts to log in if it does not find an invocation credential already set.

This property applies only when message layer authentication occurs; if only transport layer authentication occurs, it is ignored. When the login source is properties, you must also define the following two properties:

  • com.ibm.CORBA.loginUserid

  • com.ibm.CORBA.loginPassword

When performing a programmatic login, it is not necessary to specify none as the login source. With a login source of none, the request fails unless a credential has already been set as the invocation credential for the method request.

Setting        Value
Data type      String
Default        Prompt
Valid values   Prompt, key file, stdin, none, properties

com.ibm.CORBA.loginUserid

Use to specify the user ID when a properties login is configured and message layer authentication occurs.

This property is valid only when com.ibm.CORBA.loginSource=properties. Also set the com.ibm.CORBA.loginPassword property.

Setting        Value
Data type      String
Range          Any string that is appropriate for a user ID in the configured user registry of the server.

com.ibm.CORBA.loginPassword

Use to specify the password when a properties login is configured and message layer authentication occurs.

This property is valid only when com.ibm.CORBA.loginSource=properties. Also set the com.ibm.CORBA.loginUserid property.

Setting        Value
Data type      String
Range          Any string that is appropriate for a password in the configured user registry of the server.

com.ibm.CORBA.keyFileName

Use to specify the key file that is used to log in.

A key file is a file that contains a list of realm, user ID, and password combinations that a client uses to log in to multiple realms. The realm that is used is the one found in the interoperable object reference (IOR) for the current method request. The value of this property is used when com.ibm.CORBA.loginSource=key file.

Setting        Value
Data type      String
Default        C:/WebSphere/AppServer/properties/wsserver.key
Range          Any fully qualified path and file name of a WebSphere Application Server key file.

com.ibm.CORBA.loginTimeout

Use to specify the length of time that the login prompt stays available before the login is considered failed.

Setting        Value
Data type      Integer
Units          Seconds
Default        300 (5 minutes)
Range          0 - 600 (10 minutes maximum)
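As an added example that is not part of the IBM documentation or any IBM tool, the following Python script checks a sas.client.props fragment against the valid values and ranges listed on this page and reports the settings the page ties to security consequences: BasicAuth without the SSL transport, deferred validation of BasicAuth credentials, and a password kept in the properties file. The two embedded fragments are constructed samples (the user ID and key file path are invented), the parser handles only simple key=value lines, and the severity labels and messages are my reading of the documented constraints.

```python
"""Lint a WebSphere sas.client.props fragment against the documented settings (added example)."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, property name, message)

BOOLEAN = {"true", "false"}
PROTOCOLS = {"ibm", "csiv2", "both"}  # sas is explicitly not allowed
AUTH_TARGETS = {"basicauth", "ltpa"}
LOGIN_SOURCES = {"prompt", "key file", "stdin", "none", "properties"}

# Constructed sample with several violations of the documented values.
WEAK_PROPS = """\
com.ibm.CORBA.securityEnabled=true
com.ibm.CSI.protocol=sas
com.ibm.CORBA.authenticationTarget=BasicAuth
com.ibm.CORBA.validateBasicAuth=false
com.ibm.CORBA.authenticationRetryCount=50
com.ibm.CORBA.loginSource=properties
com.ibm.CORBA.loginUserid=wsclient
com.ibm.CORBA.loginTimeout=900
"""

# Constructed sample of the same client configured within the documented values.
HARDENED_PROPS = """\
com.ibm.CORBA.securityEnabled=true
com.ibm.CSI.protocol=csiv2
com.ibm.CORBA.authenticationTarget=LTPA
com.ibm.CORBA.authenticationRetryCount=3
com.ibm.CORBA.loginSource=key file
com.ibm.CORBA.keyFileName=C:/WebSphere/AppServer/properties/wsserver.key
com.ibm.CORBA.loginTimeout=300
"""


def parse_props(text: str) -> Dict[str, str]:
    """Parse key=value lines; blanks and '#'/'!' comments are skipped, keys and values trimmed."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _int_in_range(value: str, low: int, high: int) -> bool:
    return value.isdigit() and low <= int(value) <= high


def check_props(props: Dict[str, str]) -> List[Finding]:
    """Report values outside the documented ranges (error), security switched off (warn)
    and settings the documentation says have security consequences (note)."""
    out: List[Finding] = []
    p = "com.ibm.CORBA."
    for name in (p + "securityEnabled", p + "validateBasicAuth", p + "authenticationRetryEnabled"):
        if props.get(name, "true").lower() not in BOOLEAN:  # documented default: True
            out.append(("error", name, "expected True or False"))
    if props.get(p + "securityEnabled", "true").lower() == "false":
        out.append(("warn", p + "securityEnabled", "security is disabled for the client process"))

    protocol = props.get("com.ibm.CSI.protocol", "both").lower()
    if protocol == "sas":
        out.append(("error", "com.ibm.CSI.protocol", "sas is not valid; use ibm, csiv2 or both"))
    elif protocol not in PROTOCOLS:
        out.append(("error", "com.ibm.CSI.protocol", f"unknown protocol {protocol!r}"))

    target = props.get(p + "authenticationTarget", "BasicAuth").lower()
    if target not in AUTH_TARGETS:
        out.append(("error", p + "authenticationTarget", "valid values are BasicAuth and LTPA"))
    elif target == "basicauth":
        out.append(("note", p + "authenticationTarget",
                    "user ID and password are sent to the server; use the SSL transport, "
                    "otherwise the password is not encrypted"))
        if props.get(p + "validateBasicAuth", "true").lower() == "false":
            out.append(("note", p + "validateBasicAuth",
                        "credentials are validated only on the first method request"))

    if not _int_in_range(props.get(p + "authenticationRetryCount", "3"), 1, 10):
        out.append(("error", p + "authenticationRetryCount", "must be an integer from 1 to 10"))
    if not _int_in_range(props.get(p + "loginTimeout", "300"), 0, 600):
        out.append(("error", p + "loginTimeout", "must be 0 to 600 seconds"))

    source = props.get(p + "loginSource", "prompt").lower()
    if source not in LOGIN_SOURCES:
        out.append(("error", p + "loginSource", "valid values are prompt, key file, stdin, none, properties"))
    elif source == "properties":
        for required in (p + "loginUserid", p + "loginPassword"):
            if not props.get(required, ""):
                out.append(("error", required, "required when loginSource=properties"))
        if props.get(p + "loginPassword", ""):
            out.append(("note", p + "loginPassword", "password is stored in clear text in sas.client.props"))
    return out


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPS), ("hardened", HARDENED_PROPS)):
        print(f"== {label} ==")
        for severity, name, message in check_props(parse_props(text)) or [("ok", "-", "no findings")]:
            print(f"{severity:5} {name}: {message}")
```

Missing properties are treated as their documented defaults, so a fragment that omits a setting is checked the same way the client would apply it. The weak sample produces four errors (the sas protocol value, a retry count above 10, a missing loginPassword for a properties login, and a timeout above 600 seconds) and two notes; the hardened sample produces no findings.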
