Configuring outbound identity mapping to a different target realm

By default, when WebSphere® Application Server makes an outbound request from one server to another server in a different security realm, the request is rejected. This topic details alternatives for enabling one server to send outbound requests to a target server in a different realm.

About this task

The request is rejected by default so that a rogue server that successfully impersonates the home of the object cannot read the potentially sensitive security information that would otherwise flow with the request. Select one of the following alternative procedures so that one server can send outbound requests to a target server in a different realm. When you are finished with a procedure on the administrative console, click Apply.

Procedure

  • Do not perform mapping. Instead, allow the existing security information to flow to a trusted target server, even if the target server resides in a different realm.
    Complete the following steps in the administrative console:
    1. Click Security > Global security.
    2. Under RMI/IIOP security, click CSIv2 outbound authentication.
    3. Specify the target realms in the Trusted target realms field. Separate multiple trusted target realms with a pipe (|) character.
      The realm name is server_name.domain:port_number for a Lightweight Directory Access Protocol (LDAP) user registry, or the machine name for a local operating system registry. Security attributes are propagated only to realms that are listed in this field, so list a realm only if you control the servers in it: the existing security information flows to that realm without any mapping.
  • Use the Java™ Authentication and Authorization Service (JAAS) WSLogin application login configuration to create a basic authentication Subject that contains the credentials of the new target realm.
    This configuration enables you to log in with a realm, user ID, and password that are specific to the user registry of the target realm. You can provide the login information from within the Java Platform, Enterprise Edition (Java EE) application that is making the outbound request, or from within the RMI_OUTBOUND system login configuration. The two options are:
    1. Use the WSLogin application login configuration from within the Java EE application to log in and get a Subject that contains the user ID and the password of the target realm.
      The application can wrap the remote call with a WSSubject.doAs call. For an example, see Example: Using the WSLogin configuration to create a basic authentication subject.
    2. Use the code sample in Example: Using the WSLogin configuration to create a basic authentication subject from this plug point within the RMI_OUTBOUND login configuration.
      Every outbound Remote Method Invocation (RMI) request passes through this login configuration when it is enabled. Complete the following steps to enable and plug in this login configuration:
      1. Click Security > Global security.
      2. Under RMI/IIOP security, click CSIv2 outbound authentication.
      3. Select the Custom outbound mapping option. If the Security Attribute Propagation option is selected, then WebSphere Application Server is already using this login configuration and you do not need to enable custom outbound mapping.
      4. Write a custom login module. For more information, see Developing custom login modules for a system login configuration for JAAS.

        The Example: Sample login configuration for RMI_OUTBOUND shows a custom login module that determines whether the realm names match. In this example, the realm names do not match, so the WSLogin module is used to create a basic authentication Subject based on custom mapping rules. The custom mapping rules are specific to your environment and must be implemented with a utility that maps a target realm to a user ID and password for that realm.

      5. Configure the RMI_OUTBOUND login configuration so that your new custom login module is first in the list.
        1. Click Security > Global security.
        2. Under Java Authentication and Authorization Service, click System logins > RMI_OUTBOUND.
        3. Under Additional Properties, click JAAS login modules > New to add your login module to the RMI_OUTBOUND configuration.
        4. Return to the JAAS login modules panel for RMI_OUTBOUND.
        5. Click Set order to change the order that the login modules are loaded so that your custom login is loaded first.
  • Add the use_realm_callback and use_appcontext_callback options to the outbound mapping module for WSLogin.
    To add these options, complete the following steps:
    1. Click Security > Global security.
    2. Under Java Authentication and Authorization Service, click Application logins > WSLogin.
    3. Under Additional properties, click JAAS login modules > com.ibm.ws.security.common.auth.module.WSLoginModuleImpl.
    4. Under Additional properties, click Custom Properties > New.
    5. On the Custom properties panel, enter use_realm_callback in the Name field and true in the Value field.
    6. Click OK.
    7. Click New to enter the second custom property.
    8. On the Custom properties panel, enter use_appcontext_callback in the Name field and true in the Value field.
    The following changes are made to the security.xml file:
    <entries xmi:id="JAASConfigurationEntry_2" alias="WSLogin">
     <loginModules xmi:id="JAASLoginModule_2" 
      moduleClassName="com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy" 
      authenticationStrategy="REQUIRED">
      <options xmi:id="Property_2" name="delegate" 
       value="com.ibm.ws.security.common.auth.module.WSLoginModuleImpl"/>
      <options xmi:id="Property_3" name="use_realm_callback" value="true"/>
      <options xmi:id="Property_4" name="use_appcontext_callback" value="true"/>
     </loginModules>
    </entries>
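The following is an added example, not code from the WebSphere documentation or the Example topics it refers to. It shows the first WSLogin option above: a Java EE application that logs in to the WSLogin application login configuration with a user ID, realm, and password of the target realm, and then wraps the outbound RMI/IIOP call in WSSubject.doAs so that the call is made under that Subject rather than under the caller's original realm. The realm name, user ID, JNDI name, and the remote interface com.example.inventory.Inventory are assumed values for illustration; the WebSphere classes used (WSCallbackHandlerImpl, WSSubject) are real, and the three-argument WSCallbackHandlerImpl constructor supplies the realm that the use_realm_callback option makes WSLoginModuleImpl ask for.

```java
// Added example (not from the WebSphere documentation): call a remote EJB in a
// different security realm under a WSLogin basic authentication Subject.
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;

public class TargetRealmCaller {

    /**
     * Run remoteCall under a Subject obtained from the WSLogin application login
     * configuration for the given target realm. The Subject is logged out again
     * in a finally block so that the target-realm credential does not outlive the
     * call on this thread.
     */
    @SuppressWarnings("unchecked")
    public static <T> T callInTargetRealm(String targetRealm, String userId, char[] password,
                                          PrivilegedExceptionAction<T> remoteCall)
            throws LoginException, PrivilegedActionException {
        // WSCallbackHandlerImpl(userName, realm, password) answers the name, realm,
        // and password callbacks that WSLoginModuleImpl issues (the realm callback
        // is issued when use_realm_callback=true is set on the module).
        LoginContext lc = new LoginContext("WSLogin",
                new WSCallbackHandlerImpl(userId, targetRealm, new String(password)));
        lc.login();
        Subject targetSubject = lc.getSubject();
        try {
            // Everything inside run() executes with targetSubject as the invocation
            // Subject, so CSIv2 outbound authentication sends the target-realm
            // basic authentication credential instead of the caller's own.
            return (T) WSSubject.doAs(targetSubject, remoteCall);
        } finally {
            lc.logout();
            java.util.Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed values: the realm string must match the target server's
        // registry (host:port for LDAP, machine name for local OS). Read the
        // password from a protected source; it is taken from args here only for
        // the sake of a runnable illustration.
        String targetRealm = "ldap.example.com:389";
        String userId = "svc-inventory";
        char[] password = args.length > 0 ? args[0].toCharArray() : new char[0];

        String result = callInTargetRealm(targetRealm, userId, password,
                new PrivilegedExceptionAction<String>() {
                    public String run() throws Exception {
                        // Hypothetical remote interface and JNDI name.
                        Object ref = new InitialContext()
                                .lookup("corbaname:iiop:target.example.com:2809#ejb/Inventory");
                        com.example.inventory.Inventory inv = (com.example.inventory.Inventory)
                                PortableRemoteObject.narrow(ref, com.example.inventory.Inventory.class);
                        return inv.describeStock("widget-42");
                    }
                });
        System.out.println(result);
    }
}
```

Because the Subject created by WSLogin carries the target realm's user ID and password as a basic authentication credential, protect the outbound CSIv2 transport with SSL before relying on this mapping; otherwise the target-realm password crosses the network in the IIOP security context. The same login-and-doAs pattern, with the realm and credentials looked up by the mapping utility, is what a custom RMI_OUTBOUND login module performs when it detects that the target realm differs from the current one.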