Scenario 2: Basic authentication, identity assertion, and client certificates
This scenario is the same as Scenario 1 (see Scenario 1: Basic authentication and identity assertion), except for the interaction from client C2 to server S2. The configuration of Scenario 1 is therefore still valid, but you have to modify server S2 slightly and add a configuration for client C2. The configuration of C1 and S1 does not change.
Step 1: Configure client C2
Client C2 requires transport layer authentication (Secure Sockets Layer (SSL) client certificates). To configure transport layer authentication:
Point the client at its sas.client.props file by specifying the property com.ibm.CORBA.ConfigURL=file:/QIBM/UserData/WebAS5/product/instance/properties/sas.client.props, where product is Base or ND and instance is the name of your instance. All further configuration involves setting properties within this file.
Enable SSL. In this case, SSL is supported but not required:
com.ibm.CSI.performTransportAssocSSLTLSSupported=true
com.ibm.CSI.performTransportAssocSSLTLSRequired=false
Disable client authentication at the message layer (no user ID and password or token is sent in the CSIv2 message):
com.ibm.CSI.performClientAuthenticationRequired=false
com.ibm.CSI.performClientAuthenticationSupported=false
Enable client authentication at the transport layer (SSL client certificate). Here it is supported, but not required:
com.ibm.CSI.performTLClientAuthenticationRequired=false
com.ibm.CSI.performTLClientAuthenticationSupported=true
Note that a feature marked Required=true must also be marked Supported=true; a setting of Required=true with Supported=false is contradictory.
Step 2: Configure server S2
In the administrative console, server S2 is configured to accept incoming requests that use SSL client authentication and identity assertion. The configuration for outgoing requests is not relevant to this scenario.
Configure server S2 for incoming connections:
- Enable identity assertion.
- Disable user ID and password authentication.
- Enable SSL.
- Enable SSL client authentication.
Note: You can mix and match these configuration options. However, when a request carries more than one form of authentication, the following precedence (highest first) determines which authentication feature becomes the identity in the received credential:
- Identity assertion
- Message layer client authentication (basic authentication or token)
- Transport layer client authentication (SSL certificates)
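The following Python script is an added example, not part of this documentation or of the WebSphere product. It checks a sas.client.props file against the Scenario 2 client settings from Step 1 (the three supported/required pairs, and the rule that Required=true without Supported=true is contradictory) and models the precedence note above for the received credential. The properties excerpt is constructed for the example; the helper names, the FEATURES and SCENARIO2_CLIENT tables, and the layer labels used by effective_identity are this example's own assumptions, not product identifiers.

```python
"""Check a CSIv2 sas.client.props excerpt against the Scenario 2 client settings."""
import re

# Constructed sas.client.props excerpt for client C2 (example input, not a
# file shipped with the product). Java .properties syntax: '=' or ':'
# separators, '#' or '!' comment lines.
SAMPLE_SAS_CLIENT_PROPS = """\
# constructed excerpt of sas.client.props for client C2
com.ibm.CORBA.securityEnabled=true
com.ibm.CSI.performTransportAssocSSLTLSSupported=true
com.ibm.CSI.performTransportAssocSSLTLSRequired=false
com.ibm.CSI.performClientAuthenticationRequired=false
com.ibm.CSI.performClientAuthenticationSupported=false
com.ibm.CSI.performTLClientAuthenticationRequired=false
com.ibm.CSI.performTLClientAuthenticationSupported=true
"""

# Each CSIv2 feature is controlled by a <prefix>Supported / <prefix>Required pair.
# The short names on the left are this example's labels (assumption).
FEATURES = {
    "ssl": "com.ibm.CSI.performTransportAssocSSLTLS",
    "message_client_auth": "com.ibm.CSI.performClientAuthentication",
    "transport_client_auth": "com.ibm.CSI.performTLClientAuthentication",
}

# Scenario 2 expectations for client C2 as (supported, required).
SCENARIO2_CLIENT = {
    "ssl": (True, False),
    "message_client_auth": (False, False),
    "transport_client_auth": (True, False),
}


def parse_properties(text):
    """Parse Java .properties text into a dict; comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def as_bool(value):
    return value.strip().lower() == "true"


def feature_flags(props, prefix):
    """Return (supported, required) for one feature; a missing key reads as false."""
    supported = as_bool(props.get(prefix + "Supported", "false"))
    required = as_bool(props.get(prefix + "Required", "false"))
    return supported, required


def check_client_props(text, expected=SCENARIO2_CLIENT):
    """Return a list of problems; an empty list means the file matches the scenario."""
    props = parse_properties(text)
    problems = []
    for name, prefix in FEATURES.items():
        supported, required = feature_flags(props, prefix)
        if required and not supported:
            problems.append(f"{name}: Required=true but Supported=false (contradictory)")
        if (supported, required) != expected[name]:
            problems.append(
                f"{name}: got supported={supported}, required={required}; "
                f"expected supported={expected[name][0]}, required={expected[name][1]}"
            )
    return problems


# Precedence of authentication features in the received credential, highest first,
# as stated in the note above.
PRECEDENCE = ["identity_assertion", "message_layer", "transport_layer"]


def effective_identity(present):
    """Given the set of authentication layers present in a request, return the one
    whose identity ends up in the received credential, or None if none is present."""
    for layer in PRECEDENCE:
        if layer in present:
            return layer
    return None


if __name__ == "__main__":
    for problem in check_client_props(SAMPLE_SAS_CLIENT_PROPS):
        print("problem:", problem)
    print("effective identity:",
          effective_identity({"transport_layer", "identity_assertion"}))
```

Run it against your real sas.client.props by reading the file into check_client_props; any line of output is a setting that differs from the Scenario 2 client configuration or a Required/Supported pair that contradicts itself.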