You can configure a Liberty server to perform identity assertions for outbound CSIv2 requests.
About this task
Identity assertion is disabled by default in the outbound CSIv2 attribute layer for a Liberty server. After identity assertion is enabled through the identityAssertionEnabled attribute, the server that is acting as a client supports sending the Principal Name and Anonymous identity assertions to a downstream server. You can use the identityAssertionTypes attribute to specify more or different identity token types that the server supports for outbound requests. The trustedIdentity and trustedPassword attributes can be used to specify the identity of the client to be verified for trust by the downstream server when the authentication layer mechanism is GSSUP. The trustedIdentity attribute can be set without a trustedPassword if the authentication mechanism in the authentication layer is LTPA. You must also configure the upstream server along with enabling the identity assertion so that the client can assert an identity.
Procedure
- Add the appSecurity-2.0 and ejbRemote-3.2 features in the server.xml file.

<featureManager>
  <feature>appSecurity-2.0</feature>
  <feature>ejbRemote-3.2</feature>
</featureManager>

The following example is the default configuration, which applies without having to specify it in the server.xml file.

<orb id="defaultOrb">
  <serverPolicy.csiv2>
    <layers>
      <attributeLayer identityAssertionEnabled="false"/>
      <authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Required"/>
      <transportLayer/>
    </layers>
  </serverPolicy.csiv2>
  <clientPolicy.csiv2>
    <layers>
      <attributeLayer identityAssertionEnabled="false"/>
      <authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Supported"/>
      <transportLayer/>
    </layers>
  </clientPolicy.csiv2>
</orb>
- Optional: If you need to change the default outbound attribute layer configuration, then add an <orb> element in the server.xml file as follows, or add the attributeLayer element to an existing one. Replace the sample values in the example with your values.

<orb id="defaultOrb">
  <clientPolicy.csiv2>
    <layers>
      <attributeLayer identityAssertionEnabled="true"/>
    </layers>
  </clientPolicy.csiv2>
</orb>

Note: The ID value defaultOrb in the <orb> element is predefined and cannot be modified.
- Specify the upstream server identity for trust validation by the downstream server. The trustedIdentity specified must exist in the user registry of the target server.
  - When you are using the GSSUP mechanism in the authentication layer, you must set the trustedIdentity and trustedPassword attributes by changing the example values to the identity and password of the upstream server that is acting as a client.

<attributeLayer identityAssertionEnabled="true" trustedIdentity="yourTrustedId" trustedPassword="yourTrustedIdPwd"/>

  Encode the password within the configuration. You can get the encoded value by using the securityUtility encode command.
  - When you are using the LTPA mechanism in the authentication layer, you must set the trustedIdentity attribute by changing the example value to the identity of the upstream server that is acting as a client.

<attributeLayer identityAssertionEnabled="true" trustedIdentity="yourTrustedId"/>
- Optional: If you need to change the default identity assertion token types that are supported by the server, then add the identityAssertionTypes attribute to the attributeLayer element in the server.xml file and specify a comma-separated list of values. The valid values are ITTAnonymous, ITTPrincipalName, ITTX509CertChain, and ITTDistinguishedName. For example, you can configure the server to support identity assertions with X509 Certificate Chains or Distinguished Names. Replace the sample values in the example with your values.

<orb id="defaultOrb">
  <clientPolicy.csiv2>
    <layers>
      <attributeLayer identityAssertionEnabled="true" identityAssertionTypes="ITTX509CertChain, ITTDistinguishedName"/>
    </layers>
  </clientPolicy.csiv2>
</orb>
Notes:
- If both LTPA and GSSUP are configured in the authentication layer and the downstream server supports LTPA, then LTPA takes precedence over GSSUP.
- If both LTPA and GSSUP are configured in the authentication layer and the downstream server supports only GSSUP, then GSSUP is used and the trustedIdentity and trustedPassword attributes must be specified.
- The trustedIdentity attribute is not required if you are using the transport certificate chain to identify the server to the downstream server (the identityAssertionEnabled attribute is set to true and establishTrustInClient is set to Never in the authenticationLayer).
- Omitting a layer uses the default values for that layer.

For more information about the authenticationLayer and transportLayer elements, see Configuring outbound CSIv2 authentication layer and Configuring outbound CSIv2 transport layer.
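The rules above (required features, the fixed defaultOrb ID, when trustedIdentity and trustedPassword are mandatory, the establishTrustInClient="Never" exception, the valid identityAssertionTypes values, and the requirement to encode the password) can be checked mechanically before a server.xml is deployed. The following Python script is an added example written for this page; it is not Liberty's own code or tooling. It parses a server.xml with the standard library and reports deviations from the documented rules. Its assumptions are marked in the comments: the defaults used when a layer is omitted are taken from the default configuration shown in step 1, the prefixes "{xor}" and "{aes}" are assumed to be what securityUtility encode produces, and the two embedded server.xml fragments are constructed for the example (the encoded password value in the corrected fragment is a placeholder, not a real encoding).

```python
"""Check the outbound CSIv2 attribute layer of a Liberty server.xml against the documented rules.

Added example for this page, not IBM/Liberty code. Assumptions are marked below.
"""
import xml.etree.ElementTree as ET

REQUIRED_FEATURES = {"appSecurity-2.0", "ejbRemote-3.2"}
VALID_ASSERTION_TYPES = {"ITTAnonymous", "ITTPrincipalName",
                         "ITTX509CertChain", "ITTDistinguishedName"}
# Defaults that apply when the client authentication layer is omitted (from the default <orb>).
DEFAULT_MECHANISMS = "LTPA,GSSUP"
DEFAULT_TRUST_IN_CLIENT = "Supported"
# Assumption: values produced by securityUtility encode start with one of these prefixes;
# anything else is treated as a plaintext password.
ENCODED_PREFIXES = ("{xor}", "{aes}")


def _child(element, tag):
    """Direct child lookup by exact tag (avoids ElementPath parsing of tags that contain dots)."""
    if element is None:
        return None
    return next((c for c in element if c.tag == tag), None)


def check_outbound_identity_assertion(server_xml: str) -> list:
    """Return a list of findings; an empty list means the configuration follows the documented rules."""
    root = ET.fromstring(server_xml)
    findings = []

    features = {f.text.strip() for f in root.iter("feature") if f.text}
    for missing in sorted(REQUIRED_FEATURES - features):
        findings.append(f"missing feature: {missing}")

    orb = _child(root, "orb")
    if orb is None:
        findings.append("no <orb> element: outbound identity assertion is disabled by default")
        return findings
    if orb.get("id") != "defaultOrb":
        findings.append(f"orb id must be defaultOrb, found {orb.get('id')!r}")

    layers = _child(_child(orb, "clientPolicy.csiv2"), "layers")
    attr = _child(layers, "attributeLayer")
    auth = _child(layers, "authenticationLayer")

    if attr is None or attr.get("identityAssertionEnabled", "false").lower() != "true":
        findings.append("outbound identityAssertionEnabled is not true (the default is false)")
        return findings

    # An omitted authentication layer means the default mechanisms and trust setting apply.
    mechanisms_text = auth.get("mechanisms", DEFAULT_MECHANISMS) if auth is not None else DEFAULT_MECHANISMS
    mechanisms = {m.strip() for m in mechanisms_text.split(",")}
    trust_in_client = (auth.get("establishTrustInClient", DEFAULT_TRUST_IN_CLIENT)
                       if auth is not None else DEFAULT_TRUST_IN_CLIENT)

    trusted_id = attr.get("trustedIdentity")
    trusted_pwd = attr.get("trustedPassword")

    # With establishTrustInClient="Never" the transport certificate chain identifies the server,
    # so trustedIdentity is not required. Otherwise trustedIdentity is always required, and
    # trustedPassword is required whenever GSSUP can be selected by the downstream server.
    if trust_in_client != "Never":
        if not trusted_id:
            findings.append("trustedIdentity is required (must exist in the downstream user registry)")
        if "GSSUP" in mechanisms and not trusted_pwd:
            findings.append("trustedPassword is required because GSSUP is configured in the authentication layer")
    if trusted_pwd and not trusted_pwd.startswith(ENCODED_PREFIXES):
        findings.append("trustedPassword looks like plaintext; encode it with securityUtility encode")

    types = attr.get("identityAssertionTypes")
    if types:
        for t in (x.strip() for x in types.split(",")):
            if t not in VALID_ASSERTION_TYPES:
                findings.append(f"invalid identityAssertionTypes value: {t}")
    return findings


# Constructed sample: password left in plaintext and a misspelled token type.
WEAK_CONFIG = """<server>
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>ejbRemote-3.2</feature>
  </featureManager>
  <orb id="defaultOrb">
    <clientPolicy.csiv2>
      <layers>
        <attributeLayer identityAssertionEnabled="true" trustedIdentity="upstreamServer"
                        trustedPassword="secret" identityAssertionTypes="ITTX509CertChain, ITTPrincipal"/>
      </layers>
    </clientPolicy.csiv2>
  </orb>
</server>"""

# Constructed sample: same configuration corrected ("{xor}PLACEHOLDER" stands in for an encoded value).
FIXED_CONFIG = WEAK_CONFIG.replace('trustedPassword="secret"', 'trustedPassword="{xor}PLACEHOLDER"') \
                          .replace("ITTPrincipal", "ITTPrincipalName")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_outbound_identity_assertion(cfg) or "OK")
```

Run it against an exported server.xml to get a list of findings; an empty list means the configuration satisfies every rule on this page. Because the script applies the step 1 defaults when a layer is omitted, a clientPolicy.csiv2 with only an attributeLayer is treated as LTPA,GSSUP with establishTrustInClient="Supported", which is exactly the case in which both trustedIdentity and trustedPassword must be present.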
Results
Your outbound CSIv2 attribute layer is now configured for identity assertion.