Enable step-up authentication, the Remember me cookie, or both on Linux

You can choose to enable either step-up authentication or the Remember me cookie individually or you can choose to use these features together.

Log on to the IBM WebSphere Application Server Administrative Console and navigate to Security -> Global security -> Web and SIP security -> Single sign-on (SSO). Verify that both Interoperability Mode and Web inbound security attribute propagation are enabled.

You can use step-up authentication with IBM Web Services for Remote Portlets (WSRP) extensions. The authentication level defined for portlets on the Producer portal is automatically set on the Consumer portal when it consumes WSRP services. If you apply step-up authentication mechanisms on the Producer, users are also challenged for stronger authentication credentials on the Consumer portal as required. To use step-up authentication with an IBM WSRP extension, ensure that your environment meets the following requirements:

The Remember me cookie does not extend the Portal Personalization feature to the public area because a user identified by the Remember me cookie in a public area is still considered anonymous from an access control point of view.
Web Content Management note: The authoring portlet and the web content viewer do not fully support step-up authentication or the Remember me cookie. However, the user name component is aware of the Remember me cookie. If the Remember me cookie is set on a request and a user is not logged in, the user name component does not use the anonymous user design for the response but instead uses the user name design, complete with the name or distinguished name of the user specified by the Remember me cookie.
Restriction: Step-up authentication requires the LtpaToken2 for single sign-on; see Implementing single sign-on to minimize web user authentications for details.

To enable step-up authentication and/or the Remember me cookie:

  1. Choose one of the following configuration options:

    Enable step-up authentication and the Remember me cookie configuration options

    Option: Enable both step-up authentication and the Remember me cookie

      By default, this task enables the following authentication levels:

        standard

        identified

        authenticated

      Complete the following steps to enable step-up authentication and the Remember me cookie:

      1. Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties

      2. Set enable_rememberme to true in the 'StepUp Authentication' properties section.

      3. Save changes to wkplc.properties.

      4. Run the ./ConfigEngine.sh enable-stepup-authentication -DWasUserid=wasuser -DWasPassword=foo -Dsua_user=user_name -Dsua_serversecret_password=foo task from the WP_PROFILE/ConfigEngine directory.

      You can define the sua_user and sua_serversecret_password parameters either in wkplc.properties or on the command line. If you enter the values in the properties file and on the command line, the values entered on the command line will overwrite the values in wkplc.properties.

    Option: Enable only step-up authentication

      By default, this task enables the following authentication levels:

        standard

        authenticated

      Complete the following steps to enable only step-up authentication:

      1. Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties

      2. Set enable_rememberme to false in the 'StepUp Authentication' properties section.

      3. Save changes to wkplc.properties.

      4. Run the ./ConfigEngine.sh enable-stepup-authentication -DWasUserid=wasuser -DWasPassword=foo task from the WP_PROFILE/ConfigEngine directory.

    Option: Enable only the Remember me cookie

      Run the ./ConfigEngine.sh enable-rememberme -DWasUserid=wasuser -DWasPassword=foo -Dsua_user=user_name -Dsua_serversecret_password=foo task from the WP_PROFILE/ConfigEngine directory.

      You can define the sua_user and sua_serversecret_password parameters either in wkplc.properties or on the command line. If you enter the values in the properties file and on the command line, the values entered on the command line will overwrite the values in wkplc.properties.

  2. Check the output for any error messages before proceeding with any additional tasks. If any of the configuration tasks fail, verify the values in wkplc.properties.

  3. Stop and restart the appropriate servers to propagate the changes.

  4. Complete the following steps to change the authentication level on a page or portlet:

    1. Click Administration.

    2. Click Resource Permissions under Access.

    3. Click either the Pages link or the Portlets link.

    4. Locate the page or portlet you want to change and click the Authentication Level link.

    5. Choose one of the following levels:

        The following Authentication Levels are provided out-of-the-box. If you customized step-up authentication, you may have different levels.
        Standard

          Set the Authentication Level to Standard if you want anonymous and identified users to view the page or portlet. The Standard level has the following two states based on the access control setting for the page or portlet:

          • If anonymous users have access to the page or portlet, no authentication is required.

          • If only authenticated users have access to the page or portlet, authentication is required.


        Identified (if enabled)

          Set the Authentication Level to Identified if you want anonymous users to log in and identified users to view the page or portlet.


        Authenticated

          Set the Authentication Level to Authenticated if you want anonymous and identified users to log in to view the page or portlet.
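
A pre-flight check for step 1 of the procedure above, as an added example that is not part of the original IBM documentation: it reads enable_rememberme from wkplc.properties, reports the authentication levels the task will enable, and rejects a file that stores sua_serversecret_password while group or others have any permission on it. The function names, the sample file and the file-mode rule are assumptions of this example; stat -c is the GNU form found on Linux.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check of wkplc.properties before running the
# ConfigEngine tasks. Property names are the ones the page mentions; the
# function names and the file-mode rule are assumptions of this example.

# Print the last value assigned to KEY in a Java-style properties file.
prop_get() {  # usage: prop_get FILE KEY
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '\r'
}

# Report the authentication levels that enable_rememberme selects.
# Returns 1 for an invalid value, 2 when the file stores
# sua_serversecret_password and group or others have any permission on it.
stepup_preflight() {  # usage: stepup_preflight FILE
  pf_remember=$(prop_get "$1" enable_rememberme)
  case "$pf_remember" in
    true)  echo "levels=standard,identified,authenticated" ;;
    false) echo "levels=standard,authenticated" ;;
    *) echo "error: enable_rememberme must be true or false" >&2; return 1 ;;
  esac
  if [ "$pf_remember" = true ] && [ -z "$(prop_get "$1" sua_user)" ]; then
    echo "note: sua_user is empty, so -Dsua_user must be given on the command line"
  fi
  pf_mode=$(stat -c '%a' "$1")   # GNU stat, octal mode such as 600 or 644
  if [ -n "$(prop_get "$1" sua_serversecret_password)" ]; then
    case "$pf_mode" in
      *00) ;;                    # owner-only access, accepted
      *) echo "error: $1 stores a secret with mode $pf_mode" >&2; return 2 ;;
    esac
  fi
  return 0
}

# Constructed sample file, not a real deployment's wkplc.properties.
demo=$(mktemp)
printf '%s\n' '# StepUp Authentication' 'enable_rememberme=true' \
  'sua_user=user_name' 'sua_serversecret_password=' > "$demo"
stepup_preflight "$demo"
rm -f "$demo"
```

Passing -DWasPassword or -Dsua_serversecret_password on the command line instead leaves the value in shell history and in the process list while the task runs, so whichever location you choose needs the same care.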

