AIX: Enable step-up authentication, the Remember me cookie, or both
Overview
Step-up authentication provides different authentication levels for pages and portlets. The Remember me cookie is an encrypted HTTP cookie that supports authentication and lets you present personalized portlets and pages in a public area without the need for users to manually authenticate. Step-up authentication and the Remember me cookie let remembered users view anonymous pages and portlets with a standard or identified authentication level. By providing a valid Remember me cookie, a user can also access protected pages and portlets that require the identified authentication level. If the authentication level is set to authenticated, the user must provide a user ID and password to view the page or portlet.
We can use step-up authentication with IBM WSRP extensions. The authentication level defined for portlets on the Producer portal is automatically set on the Consumer portal when it consumes WSRP services. If you apply step-up authentication mechanisms on the Producer, users are also challenged for stronger authentication credentials on the Consumer portal as required.
To use step-up authentication with an IBM WSRP extension, ensure your environment meets the following requirements:
- The Producer and Consumer portals are WebSphere Portal v8.0 or later.
- You enable step-up authentication on both the Producer and Consumer portals.
- The authentication levels are the same on the Producer and Consumer portals.
Portal administrators can change authentication levels on both the Producer portal or Consumer portal at any time. If the authentication level on the Consumer portal is less than the authentication level on the Producer portal, the Producer portal gives the following error message and users cannot access the portlets:
AccessDeniedFault EJPWC1118E: User authentication not strong enough.
The Remember me cookie does not extend the Personalization feature to the public area because a user identified by the Remember me cookie in a public area is still considered anonymous from an access control point of view.
The authoring portlet and the web content viewer do not fully support step-up authentication or the Remember me cookie. However, the user name component is aware of the Remember me cookie. If the Remember me cookie is set on a request and a user not logged in, the user name component does not use the anonymous user design for the response but instead uses the user name design complete with the name or distinguished name of the user specified by the Remember me cookie.
Step-up authentication requires LtpaToken2 for single sign-on.
Enable step-up authentication and/or the Remember me cookie
- Log on to the WAS admin console and go to...
Security | Global security | Web and SIP security | Single sign-on (SSO)
Verify that both of the following are enabled...
- Interoperability Mode
- Web inbound security attribute propagation
- Choose one of the following configuration options:
- Enable both step-up authentication and the Remember me cookie
Edit...
WP_PROFILE/ConfigEngine/properties/wkplc.properties
...and set enable_rememberme to true in the 'StepUp Authentication' properties section.
Save changes then run...
./ConfigEngine.sh enable-stepup-authentication \ -DWasUserid=wasuser \ -DWasPassword=foo \ -Dsua_user=user_name \ -Dsua_serversecret_password=fooBy default, this task enables the following authentication levels:
- standard
- identified
- authenticated
We can define the sua_user and sua_serversecret_password parameters either in wkplc.properties or on the command line. If you enter the values in the properties file and on the command line, the values entered on the command line will overwrite the values in wkplc.properties.
- Enable only step-up authentication
Edit...
WP_PROFILE/ConfigEngine/properties/wkplc.properties
...and set enable_rememberme to false in the 'StepUp Authentication' properties section. Save changes then run..
./ConfigEngine.sh enable-stepup-authentication \ -DWasUserid=wasuser \ -DWasPassword=fooBy default, this task enables the following authentication levels:
- standard
- authenticated
- Enable only the Remember me cookie
./ConfigEngine.sh enable-rememberme \ -DWasUserid=wasuser \ -DWasPassword=foo \ -Dsua_user=user_name \ -Dsua_serversecret_password=fooWe can define the sua_user and sua_serversecret_password parameters either in wkplc.properties or on the command line. If you enter the values in the properties file and on the command line, the values entered on the command line will overwrite the values in wkplc.properties.
- Check the output for any error messages before proceeding with any additional tasks. If any of the configuration tasks fail, verify the values in wkplc.properties.
- Stop and restart servers, dmgrs, and node agents.
- To change the authentication level on a page or portlet, go to...
Administration | Access | Resource Permissions | [Pages|Portlets] | [page|portlet] | Authentication Level
...and choose one of the following Authentication Levels...
Standard Allow anonymous and identified users to view the page or portlet. If anonymous users have access to the page or portlet, no authentication is required. If only authenticated users have access to the page or portlet, authentication is required. Identified If enable_rememberme=true and during login the user selects... Remember me on this computer
...the following cookie is generated...
com.ibm.portal.RememberMe
If a user previously authenticated to WebSphere Portal and then returns with the com.ibm.portal.RememberMe cookie, the user is "identified" and the content displays without the user having to log in. Do not set the Access level to identified for the Login portlet. This action causes problems when logging into WebSphere Portal.
Authenticated Allow anonymous and identified users to login to view the page or portlet. If you customized the step-up authentication, you may have different levels.
Configure Remember me for J2EE authentication on AIX
WebSphere Portal allows us to configure Remember me for J2EE authentication, which works in conjunction with step-up authentication. When this feature is enabled, a user is logged in automatically when accessing a protected portal area by presenting a valid Remember me cookie. Unless the requested resource has a higher step-up authentication requirement, the user is not asked to provide any other proof of identity (for example, user name and password) to enter the protected portal area.
To enable J2EE authentication using a Remember me cookie, go to...
Resources | Resource Environment | Resource Environment Providers | WP RememberMeConfigService | Custom properties | New
...and enter the following values for the new property.
Name j2eeAuthenticate Value true Type java.lang.Boolean
Disable step-up authentication, the Remember me cookie, or both
- Disable both step-up authentication and the Remember me cookie, edit...
WP_PROFILE/ConfigEngine/properties/wkplc.properties
...and set disable_rememberme to true in the StepUp Authentication section. Add the disable_rememberme property to the StepUp Authentication section if it is not available in wkplc.properties.
Save changes then run...
./ConfigEngine.sh disable-stepup-authentication -DWasUserid=wasuser -DWasPassword=foo- Disable only step-up authentication
Edit...
WP_PROFILE/ConfigEngine/properties/wkplc.properties
...and set disable_rememberme to false in the StepUp Authentication section. Add the disable_rememberme property to the StepUp Authentication section if it is not available in wkplc.properties.
Save the changes to wkplc.properties then run...
./ConfigEngine.sh disable-stepup-authentication -DWasUserid=wasuser -DWasPassword=foo- Disable only the Remember me cookie
./ConfigEngine.sh disable-rememberme -DWasUserid=wasuser -DWasPassword=fooStop and restart servers, dmgrs, and node agents.
Parent: Enable step-up authentication, the Remember me cookie, or both