WAS v8.5 > Secure applications > Authenticate users > Configure CSIV2 inbound and outbound communication settingsConfigure outbound messages
We can use the dmgr console to configure outbound messages for CSIv2.
- In the dmgr console, click Security > Global security.
- Under Authentication, expand RMI/HOP security.
- Click CSIv2 outbound communication.
- Optional: Click Propagate security attributes or Use identity assertion. The Propagate security attributes option enables support for security attribute propagation during login requests. When you select this option, the application server retains additional information about the login request, such as the authentication strength used, and retains the identity and location of the request originator.
The Use identity assertion option specifies that identity assertion is a way to assert identities from one server to another during a downstream EJB invocation.
The Use server trusted identity option specifies the server identity the application server uses to establish trust with the target server.
The Specify an alternative trusted identity option enables you to specify an alternative user as the trusted identity sent to the target servers instead of sending the server identity. If selected you must provide the name of the trusted identity and the password associated with the trusted identity.
Select Basic Authentication under the Message Layer authentication section to send an alternative trusted identity. If we do not select Basic Authentication, then choose the Server Identity instead.
- Under CSIv2 Message layer authentication, select Supported, Never or Required.
- Never
- Specifies that this server cannot accept an authentication mechanism that you select under Allow client to server authentication with:.
- Supported
- Clients communicating with this server can specify an authentication mechanism that you select under Allow client to server authentication with:. However, a method might be invoked without this type of authentication. For example, an anonymous or client certificate might be used instead.
- Required
- Clients communicating with this server must specify an authentication mechanism that you select under Allow client to server authentication with:.
Upon enabling Location Service Daemon (LSD), CSIv2 inbound and CSIv2 outbound message layer authentication in global security needs to be set as either Required or Supported.
- Under Allow client to server authentication with:, select Kerberos, LTPA and or Basic authentication. We can optionally select:.
- Kerberos
- Enable authentication using the Kerberos token.
- LTPA
- Enable authentication using the Lightweight Third-Party Authentication (LTPA) token.
- Basic authentication
- This type of authentication typically involves sending a user ID and a password from the client to the server for authentication. This is also know as Generic Security Services Username Password (GSSUP).
This authentication also involves delegating a credential token from an already authenticated credential, provided the credential type is forwardable; for example, LTPA.
If we select supported under CSIv2 Message layer authentication, and check KRB5 and LTPA under Allow client to server authentication with:, then the server does not accept the user name and password.
- Optional: Select Custom outbound mapping. This option enables the use of custom Remote Method Invocation (RMI) outbound login modules.
Results
You have now configured messages for CSIv2 outbound.
Related
Configure CSIV2 inbound and outbound communication settings
Configure inbound messages
Configure inbound transports
Configure outbound transports
Reference:
Kerberos authentication settings
Common Secure Interoperability v2 inbound communications settings
Common Secure Interoperability v2 outbound communications settings