Select an authentication mechanism

WAS v8.5 > Secure applications > Authenticate users
Select an authentication mechanism

An authentication mechanism defines rules about security information, such as whether a credential is forwardable to another Java process, and the format of how security information is stored in both credentials and tokens. The authentication mechanism creates a internal credential for a successfully authenticated client user.
WAS provides three authentication mechanisms:

LTPA
Kerberos (KRB5)
RSA token

KRB5 is used for Kerberos in the dmgr console and in the files: sas.client.props, soap.client.props and ipc.client.props. The RSA token preserves the base profiles configurations, allowing profiles managed by an administrative agent to have different LTPA keys, different user registries, and different administrative users.
Authentication is required for enterprise bean clients and web clients when they access protected resources. Enterprise bean clients, like a servlet or other enterprise beans or a pure client, send the authentication information to a web application server using one of the following protocols:

CSIv2
Secure Authentication Service (SAS)

SAS is supported only between v6.0.x and previous version servers that have been federated in a v6.1 cell. Web clients use the HTTP or HTTPS protocol to send the authentication information.
The authentication information can be...

Basic authentication (user ID and password)
credential token
client certificate

To configure web authentication for a web client, from the dmgr console...
Security | Global security | Authentication | Web and SIP security | General settings

The following options exist for Web authentication:

Authenticate only when the URI is protected The web client can retrieve an authenticated identity only when it accesses a protected URI. WAS challenges the web client to provide authentication data when the web client accesses a URI that is protected by a J2EE role. This default option is also available in previous versions of WAS.
Use available authentication data when an unprotected URI is accessed The web client is authorized to call the getRemoteUser, isUserInRole, and getUserPrincipal methods; retrieves an authenticated identity from either a protected or an unprotected URI. Although the authentication data is not used when we access an unprotected URI, the authentication data is retained for future use. This option is available when we select the Authentication only when the URI is protected check box.
Authenticate when any URI is accessed The web client must provide authentication data regardless of whether the URI is protected.
Default to basic authentication when certificate authentication for the HTTPS client fails. WAS challenges the web client for a user ID and password when the required HTTPS client certificate authentication fails.

The enterprise bean authentication is performed by the EJB authentication module. The EJB authentication module resides in the CSIv2 and SAS layer. The authentication module is implemented using the JAAS login module. The web authenticator and the EJB authenticator pass the authentication data to the login module, which can use the following mechanisms to authenticate the data:

Kerberos
LTPA
RSA token
SWAM

The authentication module uses the registry that is configured on the system to perform the authentication. Four types of registries are supported:

Federated repositories
Local operating system
Standalone LDAP registry
Stand-alone custom registry

External registry implementation following the registry interface specified by IBM can replace either the local operating system or the LDAP registry.
The login module creates a JAAS subject after authentication and stores the credential that is derived from the authentication data in the public credentials list of the subject. The credential is returned to the web authenticator or to the enterprise beans authenticator.
The web authenticator and the enterprise beans authenticator store the received credentials in the ORB current for the authorization service to use in performing further access control checks. If the credentials are forwardable, they are sent to other application servers.
To configure authentication mechanisms in the dmgr console...

Security | Global security | Authentication mechanisms and expiration | authentication mechanism

Subtopics

LTPA
Configure LTPA and work with keys
Configure the LTPA mechanism
Kerberos (KRB5) authentication mechanism support for security
Set up Kerberos as the authentication mechanism for WAS
RSA token authentication mechanism
Configure the RSA token authentication mechanism
Simple WebSphere authentication mechanism (deprecated)
Message layer authentication

Related
Configure Kerberos as the authentication mechanism
Configure a Java client for Kerberos authentication
Authenticate users

Reference:

Web authentication settings

+
Search Tips | Advanced Search

Authenticate only when the URI is protected	The web client can retrieve an authenticated identity only when it accesses a protected URI. WAS challenges the web client to provide authentication data when the web client accesses a URI that is protected by a J2EE role. This default option is also available in previous versions of WAS.
Use available authentication data when an unprotected URI is accessed	The web client is authorized to call the getRemoteUser, isUserInRole, and getUserPrincipal methods; retrieves an authenticated identity from either a protected or an unprotected URI. Although the authentication data is not used when we access an unprotected URI, the authentication data is retained for future use. This option is available when we select the Authentication only when the URI is protected check box.
Authenticate when any URI is accessed	The web client must provide authentication data regardless of whether the URI is protected.
Default to basic authentication when certificate authentication for the HTTPS client fails.	WAS challenges the web client for a user ID and password when the required HTTPS client certificate authentication fails.