Configuring outbound CSIv2 attribute layer

You can configure a Liberty server to perform identity assertions for outbound CSIv2 requests.

About this task

Identity assertion is disabled by default in the outbound CSIv2 attribute layer for a Liberty server. The server that is acting as a client supports sending the Principal Name and Anonymous identity assertions to a downstream server after the identity assertion is enabled through the identityAssertionEnabled attribute. You can use the identityAssertionTypes attribute to specify more or different identity token types that the server supports for outbound requests. The trustedIdentity and trustedPassword attributes can be used to specify the identity of the client to be verified for trust by the downstream server when the authentication layer mechanism is GSSUP. The trustedIdentity attribute can be set without a trustedPassword if the authentication mechanism in the authentication layer is LTPA. You must also configure the upstream server along with enabling the identity assertion so that the client can assert an identity.

Procedure

  1. Add the appSecurity-2.0 and ejbRemote-3.2 features in the server.xml file.
    
        <featureManager>
            <feature>appSecurity-2.0</feature>
            <feature>ejbRemote-3.2</feature>
        </featureManager>
    The following example shows the default configuration; it applies even when you do not specify it in the server.xml file.
    
        <orb id="defaultOrb">
            <serverPolicy.csiv2>
                <layers>
                    <attributeLayer identityAssertionEnabled="false"/>
                    <authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Required"/>
                    <transportLayer/>
                </layers>
            </serverPolicy.csiv2>
            <clientPolicy.csiv2>
                <layers>
                    <attributeLayer identityAssertionEnabled="false"/>
                    <authenticationLayer mechanisms="LTPA,GSSUP" establishTrustInClient="Supported"/>
                    <transportLayer/>
                </layers>
            </clientPolicy.csiv2>
        </orb>
    
  2. Optional: If you need to change the default outbound attribute layer configuration, add an <orb> element to the server.xml file as follows, or add the attributeLayer element to an existing <orb> element. Replace the sample values in the example with your values.
    
        <orb id="defaultOrb">
            <clientPolicy.csiv2>
                <layers>
                    <attributeLayer identityAssertionEnabled="true"/>
                </layers>
            </clientPolicy.csiv2>
        </orb>
    
    Note: The ID value defaultOrb in the <orb> element is predefined and cannot be modified.
  3. Specify the upstream server identity for trust validation by the downstream server. The trustedIdentity specified must exist in the user registry of the target server.
    • When you are using the GSSUP mechanism in the authentication layer, you must set the trustedIdentity and trustedPassword attributes by changing the example values to the identity and password of the upstream server that is acting as a client.
      
      <attributeLayer identityAssertionEnabled="true" trustedIdentity="yourTrustedId" trustedPassword="yourTrustedIdPwd"/>

      Encode the password within the configuration. You can get the encoded value by using the securityUtility encode command.

    • When you are using the LTPA mechanism in the authentication layer, you must set the trustedIdentity attribute by changing the example value to the identity of the upstream server that is acting as a client.
      
      <attributeLayer identityAssertionEnabled="true" trustedIdentity="yourTrustedId"/>
  4. Optional: If you need to change the default identity assertion token types that are supported by the server, then add the identityAssertionTypes attribute to the attributeLayer element in the server.xml file and specify a comma-separated list of values. The valid values are ITTAnonymous, ITTPrincipalName, ITTX509CertChain, and ITTDistinguishedName. For example, you can configure the server to support identity assertions with X509 Certificate Chains or Distinguished Names. Replace the sample values in the example with your values.
    
        <orb id="defaultOrb">
            <clientPolicy.csiv2>
                <layers>
                    <attributeLayer identityAssertionEnabled="true" identityAssertionTypes="ITTX509CertChain, ITTDistinguishedName"/>
                </layers>
            </clientPolicy.csiv2>
        </orb>
    Notes:
    • If both LTPA and GSSUP are configured in the authentication layer and the downstream server supports LTPA, then LTPA takes precedence over GSSUP.
    • If both LTPA and GSSUP are configured in the authentication layer and the downstream server supports only GSSUP, then GSSUP is used and the trustedIdentity and trustedPassword attributes must be specified.
    • The trustedIdentity attribute is not required if you are using the transport certificate chain to identify the server to the downstream server (the identityAssertionEnabled attribute is set to true and establishTrustInClient is set to Never in the authenticationLayer).
    • Omitting a layer uses the default values for that layer.
    For more information about authenticationLayer and transportLayer elements, see Configuring outbound CSIv2 authentication layer and Configuring outbound CSIv2 transport layer.
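
As an added example (not part of the Liberty documentation or product), the following Python check parses a server.xml string and applies the rules from steps 2 to 4 and the notes above to the outbound attribute layer: it flags unknown identityAssertionTypes values, a missing trustedIdentity, and a missing or unencoded trustedPassword while GSSUP is a configured mechanism. The {xor}/{aes} prefix test for encoded passwords and the two sample configurations are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Token types the page lists as valid for identityAssertionTypes.
VALID_TYPES = {"ITTAnonymous", "ITTPrincipalName", "ITTX509CertChain", "ITTDistinguishedName"}
# Assumption: passwords produced by securityUtility encode carry one of these prefixes.
ENCODED_PREFIXES = ("{xor}", "{aes}")

def _child(elem, tag):
    """First direct child with this tag, or None (tags such as clientPolicy.csiv2 contain dots)."""
    return next((c for c in elem if c.tag == tag), None) if elem is not None else None

def check_outbound_attribute_layer(server_xml):
    """Return a list of findings for the clientPolicy.csiv2 attribute layer in a server.xml string."""
    root = ET.fromstring(server_xml)
    orb = next((o for o in root.iter("orb") if o.get("id") == "defaultOrb"), None)
    layers = _child(_child(orb, "clientPolicy.csiv2"), "layers")
    # An omitted element keeps Liberty's default for that layer (see the default configuration above).
    attr_a = getattr(_child(layers, "attributeLayer"), "attrib", {})
    auth_a = getattr(_child(layers, "authenticationLayer"), "attrib", {})

    if attr_a.get("identityAssertionEnabled", "false").lower() != "true":
        return ["identity assertion is disabled (the default); no identity is asserted downstream"]

    findings = []
    types = [t.strip() for t in attr_a.get("identityAssertionTypes", "").split(",") if t.strip()]
    findings += [f"unknown identityAssertionTypes value: {t}" for t in types if t not in VALID_TYPES]

    if auth_a.get("establishTrustInClient", "Supported") == "Never":
        return findings  # the transport certificate chain identifies this server; no trustedIdentity needed
    if not attr_a.get("trustedIdentity"):
        findings.append("trustedIdentity is required when LTPA or GSSUP identifies this server")
    if "GSSUP" in {m.strip() for m in auth_a.get("mechanisms", "LTPA,GSSUP").split(",")}:
        # GSSUP is used when the downstream server lacks LTPA, so the password must be present and encoded.
        pwd = attr_a.get("trustedPassword", "")
        if not pwd:
            findings.append("trustedPassword is required while GSSUP is a configured mechanism")
        elif not pwd.startswith(ENCODED_PREFIXES):
            findings.append("trustedPassword looks like plaintext; encode it with securityUtility encode")
    return findings

# Constructed sample: identity assertion enabled, but the identity is missing and the password is not encoded.
SAMPLE_WEAK = """<server><orb id="defaultOrb"><clientPolicy.csiv2><layers>
<attributeLayer identityAssertionEnabled="true" trustedPassword="yourTrustedIdPwd" identityAssertionTypes="ITTX509CertChain, ITTBogus"/>
</layers></clientPolicy.csiv2></orb></server>"""

# Constructed sample: the corrected configuration (the encoded value is a placeholder).
SAMPLE_FIXED = """<server><orb id="defaultOrb"><clientPolicy.csiv2><layers>
<attributeLayer identityAssertionEnabled="true" trustedIdentity="yourTrustedId" trustedPassword="{xor}ENCODED-VALUE-PLACEHOLDER" identityAssertionTypes="ITTX509CertChain"/>
</layers></clientPolicy.csiv2></orb></server>"""
```

Running the check over SAMPLE_WEAK reports three findings and over SAMPLE_FIXED reports none; a server.xml without a clientPolicy.csiv2 element is reported as using the disabled default.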

Results

Your outbound CSIv2 attribute layer is now configured for identity assertion.