Propagating security attributes among appservers

 

+

Search Tips   |   Advanced Search

 

Use the security attribute propagation feature of WebSphere Application Server to send security attribute information regarding the original login to other servers using a token. This topic will help to configure WebSphere Application Server to propagate security attributes to other servers.

 

Overview

To fully enable security attribute propagation, configure the console panels...

You can enable just the portions of security attribute propagation relevant to the configuration. For example, you can enable Web propagation, which is propagation amongst front-end appservers, using either the push technique (DynaCache) or the pull technique (remote method to originating server).

You also can choose whether to enable Remote Method Invocation (RMI) outbound and inbound propagation, which is commonly called downstream propagation. Typically both types of propagation are enabled for any given cell. In some cases, you might want to choose a different option for a specific appserver using the server security panel within the specific appserver settings.

To prevent propagating the same security attributes among appservers multiple times, WebSphere Application Server verifies that a LTPA token does not exist. Two cases can occur. Absence of the LTPA token tells the Application Server that propagation can proceed. Presence of the LTPA token indicates that propagation has occurred if the LTPA token has been generated within the cluster. However, in the second case, if the LTPA token is present, but has been generated by a server outside the cluster, such as by Tivoli Access Manager, Lotus Domino or a different Application Server cluster, security attributes are not propagated.

To access the server security panel in the administrative console, click...

Servers | Application Servers | server | Security | Server security

Complete the following steps to configure WAS for security attribute propagation:

 

Procedure

  1. Access the console...

    http://server:port_number/ibm/console

  2. Click...

    Security | Secure administration, applications, and infrastructure | Web security | Single sign-on (SSO)
  3. Optional: Select the Interoperability Mode option if interoperate with servers that do not support security attribute propagation.

    Servers that do not support security attribute propagation receive the LTPA token and the Propagation token, but ignore the security attribute information that they do not understand.

  4. Select the Web inbound security attribute propagation option.

    Enables horizontal propagation, which allows the receiving SSO token to retrieve the login information from the original login server. If you do not enable this option, downstream propagation can occur if you enable the Security Attribute Propagation option on both the CSIv2 Inbound authentication and CSIv2 outbound authentication panels.

    Typically, you enable the Web inbound security attribute propagation option if dynamic security attributes set at the original login server cannot be regenerated at the new front-end server. These attributes include any custom attributes that might be set in the PropagationToken token using the APIs...

    com.ibm.websphere.security.WSSecurityHelper

    You must determine whether enabling this option improves or degrades the performance of your system. While the option prevents some remote user registry calls, the deserialization and decryption of some tokens might impact performance. In some cases propagation is faster, especially if your user registry is the bottleneck of your topology. IBM recommends that you measure the performance of your environment both using and not using this option. When you test the performance, it is recommended that you test in the operating environment of the typical production environment with the typical number of unique users accessing the system simultaneously.

  5. Click...

    Security | Secure administration, applications, and infrastructure | RMI/IIOP security | CSIv2 inbound authentication

    The Login configuration field specifies RMI_INBOUND as the system login configuration that is used for inbound requests. To add custom JAAS login modules, complete the following steps:

    1. Click...

      Security | Secure administration, applications, and infrastructure | Java Authentication and Authorization Service | System logins

      A list of the system login configurations is displayed. WAS provides the following pre-configured system login configurations:

      Do not delete these predefined configurations.

      SWAM is deprecated in WAS V6.1 and will be removed in a future release.

    2. Click the name of the login configuration to modify.

    3. Under Additional Properties, click JAAS Login Modules.

      The JAAS Login Modules panel is displayed, which lists all of the login modules that are processed in the login configuration. Do not delete the required JAAS login modules. Instead, you can add custom login modules before or after the required login modules. If you add custom login modules, do not begin their names with com.ibm.ws.security.server.

      You can specify the order in which the login modules are processed by clicking Set Order.

  6. Select the Security attribute propagation option on the CSIv2 inbound authentication panel. When you select Security Attribute Propagation, the server advertises to other appservers that it can receive propagated security attributes from another server in the same realm over the Common Secure Interoperability version 2 (CSIv2) protocol.

  7. Click...

    Security | Secure administration, applications, and infrastructure | RMI/IIOP security | CSIv2 Outbound authentication

    The CSIv2 outbound authentication panel is displayed. The Login configuration field specifies RMI_OUTBOUND as the JAAS login configuration that is used for outbound configuration. You cannot change this login configuration. Instead, you can customize this login configuration by completing the substeps that are listed previously for CSIv2 Inbound authentication.

     

  8. Optional: Verify that the Security Attribute Propagation option is selected if you want to enable outbound Subject and security context token propagation for the RMI protocol. When you select this option, WAS serializes the Subject contents and the PropagationToken contents. After the contents are serialized, the server uses the CSIv2 protocol to send the Subject and PropagationToken token to the target servers that support security attribute propagation. If the receiving server does not support security attribute tokens, WebSphere Application Server sends the LTPA token only.

    WAS propagates only the objects within the Subject that it can serialize. The server propagates custom objects on a best-effort basis.

    When Security Attribute Propagation is enabled, WAS adds marker tokens to the Subject to enable the target server to add additional attributes during the inbound login. During the commit phase of the login, the marker tokens and the Subject are marked as read-only and cannot be modified thereafter.

     

  9. Optional: Select the Custom Outbound Mapping option if you clear the Security Attribute Propagation option and you want to use the RMI_OUTBOUND login configuration. If neither the Custom Outbound Mapping option nor the Security Attribute Propagation option is selected, WAS does not call the RMI_OUTBOUND login configuration. If plug in a credential mapping login module, select the Custom Outbound Mapping option.

     

  10. Optional: Specify trusted target realm names in the Trusted Target Realms field. By specifying these realm names, information can be sent to servers that reside outside the realm of the sending server to support inbound mapping that is at these downstream servers. To perform outbound mapping to a realm different from the current realm, specify the realm in this field so that you can get to this point without having the request rejected because of a realm mismatch. If we need WebSphere Application Server to propagate security attributes to another realm when a request is sent, specify the realm name in the Trusted Target Realms field. Otherwise, the security attributes are not propagated to the unspecified realm. You can add multiple target realms by adding a pipe (|) delimiter between each entry.

     

  11. Optional: Enable propagation for a pure client.

    For a pure client to propagate attributes added to the invocation Subject, add the following property to the sas.client.props file: 

    com.ibm.CSI.rmiOutboundPropagationEnabled=true

    The sas.client.props file is located at <WAS-HOME>/profiles/<ProfileName>/properties>.

 

Results

After completing these steps, you have configured WebSphere Application Server to propagate security attributes to other servers.

 

What to do next

If disable security attribute propagation, determine whether disable it for either the server level or the cell level.

Changes to the server-level settings override the cell settings.

To disable security attribute propagation on the server level...

  1. Click...

    Server | Application Servers | server | Security | Server security
  2. Select the RMI/IIOP security for this server overrides cell settings option.

  3. Disable security attribute propagation for inbound requests by clicking CSI inbound authentication under Additional Properties and clearing the Security attribute propagation option.

  4. Disable security attribute propagation for outbound requests by clicking CSI outbound authentication under Additional Properties and clearing the Security attribute propagation option.

To disable security attribute propagation on the cell level, undo each of the steps that you completed to enable security attribute propagation in this task.

 

Related concepts

Security attribute propagation

 

Related tasks

Implementing a custom propagation token
Implementing a custom authorization token
Implementing a custom single sign-on token
Implementing a custom authentication token
Propagating a custom Java serializable object
Authenticating users

 

Related Reference

Example: Using the default propagation token
Example: Using the default authorization token
Example: Using the default single sign-on token
Default authentication token