Configuring the outbound CSIv2 authentication layer in the Liberty application client container

You can configure a Liberty application client container to use specific authentication mechanisms for outbound CSIv2 requests.

About this task

The outbound CSIv2 authentication layer for a Liberty application client container is enabled with support for the GSSUP authentication mechanism by default. The establishTrustInClient association option of the authentication layer is set to Supported by default to indicate that the authentication mechanisms specified are supported and optional.

Procedure

  1. Configure the <orb> element in the client.xml file as follows or add the authenticationLayer element to an existing one, replacing the sample values in the example with your values:
    <orb id="defaultOrb">
       <clientPolicy.clientContainerCsiv2>
         <layers>
          <authenticationLayer user="userId" password="{xor}PDc+MTg6Ejo="/>
         </layers>
       </clientPolicy.clientContainerCsiv2>
    </orb>
    Note: The id value defaultOrb in the <orb> element is predefined and cannot be modified.
    Note: Hash encoding cannot be used for the password because the original password cannot be recovered from the hashed value.

    The mechanisms and establishTrustInClient attributes are optional. The only supported value, and the default value, for the mechanisms attribute is GSSUP.

    Without specifying an <orb> element, the following configuration is implicit.
    <orb id="defaultOrb">
        <clientPolicy.clientContainerCsiv2>
            <layers>
                <authenticationLayer mechanisms="GSSUP" establishTrustInClient="Supported"/>
                <transportLayer/>
            </layers>
        </clientPolicy.clientContainerCsiv2>
    </orb>
  2. Optional: Set the user and password attributes to a valid user ID and password for accessing the server. By default, a server requires the GSSUP mechanism for inbound connections, which means that the server must receive a user and password. Because of this requirement, the user and password values are required in the client.xml file unless the application implements a programmatic login.
  3. Optional: Set the establishTrustInClient attribute to Required, Supported (default), or Never for performing authentication with the specified mechanisms. For example:
    <orb id="defaultOrb">
       <clientPolicy.clientContainerCsiv2>
         <layers>
          <authenticationLayer user="userId" password="{xor}PDc+MTg6Ejo=" establishTrustInClient="Required" />
         </layers>
       </clientPolicy.clientContainerCsiv2>
    </orb>
    Note:
    • When the establishTrustInClient attribute is set to Required, the client is able to send an authentication token of one of the specified mechanisms only to servers that either require or support the same authentication mechanisms.
    • When the establishTrustInClient attribute is set to Supported (default), the client can choose whether to send the authentication information in the authentication layer. If the server is configured with Supported or Required for the same authentication mechanisms, then the client sends a compatible authentication token.
    • When the establishTrustInClient attribute is set to Never, the outbound CSIv2 authentication layer is disabled and the CSIv2 transport layer must be enabled to authenticate to the server.
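
An added example, not part of the original documentation or the product's own code: a Python check that reads a client.xml and reports the settings this procedure warns about (a hash-encoded or plain-text password, an unsupported mechanisms or establishTrustInClient value, missing credentials, and Never without a transport layer). The function name, the finding strings, the <client> root element, and treating "transport layer enabled" as the presence of a <transportLayer> element are assumptions; the check also reports {xor} values, because that encoding is reversible.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample client.xml, modeled on the step 3 example.
SAMPLE = """<client>
  <orb id="defaultOrb">
    <clientPolicy.clientContainerCsiv2>
      <layers>
        <authenticationLayer user="userId" password="{xor}PDc+MTg6Ejo=" establishTrustInClient="Required"/>
      </layers>
    </clientPolicy.clientContainerCsiv2>
  </orb>
</client>"""

def audit_client_xml(xml_text):
    """Return a list of findings for each outbound CSIv2 authenticationLayer."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("clientPolicy.clientContainerCsiv2"):
        layers = policy.find("layers")
        auth = layers.find("authenticationLayer") if layers is not None else None
        if auth is None:
            continue  # implicit defaults from the page apply
        trust = auth.get("establishTrustInClient", "Supported")  # page default
        mechs = auth.get("mechanisms", "GSSUP")                   # page default
        password = auth.get("password")
        if trust not in ("Required", "Supported", "Never"):
            findings.append(f"invalid establishTrustInClient value: {trust}")
        if mechs != "GSSUP":
            findings.append(f"unsupported mechanisms value: {mechs}")
        if trust == "Never":
            # Assumption: an "enabled" transport layer means the element is present.
            if layers.find("transportLayer") is None:
                findings.append("authentication layer disabled (Never) and no transportLayer element")
        elif not (auth.get("user") and password):
            findings.append("no user/password: a programmatic login is required")
        if password:
            match = re.match(r"\{(\w+)\}", password)
            tag = match.group(1).lower() if match else None
            if tag is None:
                findings.append("password stored in plain text")
            elif tag == "hash":
                findings.append("hash-encoded password cannot be decoded for outbound use")
            elif tag == "xor":
                findings.append("xor-encoded password is reversible obfuscation, not encryption")
    return findings

if __name__ == "__main__":
    for finding in audit_client_xml(SAMPLE):
        print(finding)
```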

Results

Your outbound CSIv2 authentication layer is now configured.