Configuring outbound CSIv2 transport layer

You can configure a Liberty server to perform client certificate authentication for outbound CSIv2 requests.

About this task

The client certificate authentication of the outbound CSIv2 transport layer for a Liberty server is disabled by default. You can configure the transportLayer to specify the SSL configuration to use.

You can configure the SSL element to support client certificate authentication or require it. The certificate sent to the downstream server is authenticated against the downstream server user registry and its identity is only used if no other form of authentication is sent in the CSIv2 request, like an identity assertion in the attribute layer or an authentication token in the authentication layer.

When the client certificate authentication is used, ensure that SSL is supported by this server.

Procedure

  1. Add the appSecurity-2.0 and ejbRemote-3.2 features in the server.xml file. 
    
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>ejbRemote-3.2</feature>
    </featureManager>

    The following example is the default configuration without having to specify it in the server.xml file.

    
    <orb id="defaultOrb">
        <serverPolicy.csiv2>
            <layers>
                <attributeLayer identityAssertionEnabled="false"/>
                <authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Required"/>
                <transportLayer/>
            </layers>
        </serverPolicy.csiv2>
        <clientPolicy.csiv2>
            <layers>
                <attributeLayer identityAssertionEnabled="false"/>
                <authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Supported"/>
                <transportLayer/>
            </layers>
        </clientPolicy.csiv2>
    </orb>
  2. Configure SSL support as described in Enabling SSL communication for Liberty.
  3. Optional: Configure the SSL element to use clientAuthentication or clientAuthenticationSupported.
    For example,
    
    <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" 
         trustStoreRef="defaultTrustStore" clientAuthentication="true" />
    or
    
    <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" 
        trustStoreRef="defaultTrustStore" clientAuthenticationSupported="true" />
  4. Optional: If you need to change the SSL configuration that is used by the outbound transport layer configuration, you can do this by adding an <orb> element in the server.xml file as follows or add the transportLayer element to an existing one. Replace the sample values in the example with your values. 
    
    <orb id="defaultOrb">
        <clientPolicy.csiv2>
            <layers>
                <transportLayer sslRef="defaultSSLConfig"/>
            </layers>
        </clientPolicy.csiv2>
    </orb>

    Outbound options can also be configured from the SSL configuration. CSIv2 uses the SSL configuration outbound default if sslRef is not set on the transport layer. For more information about the SSL outbound default, see Configuring outbound CSIv2 attribute layer.

    Outbound SSL filters can also be set on the SSL configuration. The outbound SSL filters use the host and/or port of the outbound connection to determine the SSL configuration to be used. For more information about outbound SSL filters, see Outbound filters for SSL configurations.

  5. Make sure the downstream server trusts any client certificates that are sent from this server.
  6. Make sure that any client certificates used for client authentication are mapped to a user identity in the downstream server user registry.
    • For the basic registry, the user identity is the common name (CN) from the distinguished name (DN) of the certificate.
    • For a Lightweight Directory Access Protocol (LDAP) registry, the DN from the client certificate must be in the LDAP registry.
    Notes:
    • When the clientAuthentication attribute is set to true in the <ssl> element, the client sends a client certificate only to servers that either require or support the client certificate authentication.
    • When the clientAuthenticationSupported attribute is set to true in the <ssl> element, the client might choose whether to send a client certificate based on the <ssl> element configuration that is used by the downstream server.
    • When the clientAuthentication and clientAuthenticationSupported attributes are not set in the <ssl> element, then the server that is acting as a client is not enabled with the client certificate authentication.
    Omitting a layer uses the default values for that layer. For more information about the attributeLayer and authenticationLayer elements, see Configuring outbound CSIv2 attribute layer and Configuring outbound CSIv2 authentication layer.

Results

Your outbound CSIv2 transport layer is now configured for client certificate authentication.