Use the security attribute propagation feature of WebSphere® Application Server
to send security attribute information regarding the original login
to other servers by using a token. This topic helps to configure WebSphere Application Server
to propagate security attributes to other servers.
About this task
To fully enable security attribute propagation, you must
configure the single sign-on (SSO), Common Secure Interoperability
Version 2 (CSIv2) inbound, and CSIv2 outbound panels in the WebSphere Application Server
administrative console. You can enable just the portions of security
attribute propagation relevant to your configuration. For example,
you can enable web propagation, which is propagation amongst front-end
application servers, using either the push technique (DynaCache) or
the pull technique (remote method to originating server). You also
can choose whether to enable Remote Method Invocation (RMI) outbound
and inbound propagation, which is commonly called downstream propagation.
Typically both types of propagation are enabled for any given cell.
In some cases, you might want to choose a different option for a specific
application server using the server security panel within the specific
application server settings.
Restriction: To prevent
propagating the same security attributes among application servers
multiple times, WebSphere Application
Server verifies that a Lightweight Third Party Authentication (LTPA)
token does not exist. Two cases can occur. Absence of the LTPA token
tells the Application Server that propagation can proceed. Presence
of the LTPA token indicates that propagation has occurred if the LTPA
token has been generated within the cluster. However, in the second
case, if the LTPA token is present, but has been generated by a server
outside the cluster, such as by Tivoli® Access
Manager, Lotus® Domino®, or a different Application Server
cluster, security attributes are not propagated.
To
access the server security panel in the administrative console, click Servers >
Application Servers > server_name. Under Security, click Server
security.
Complete the following steps to
configure WebSphere Application
Server for security attribute propagation:
- Access the WebSphere Application
Server administrative console by typing http://server_name:port_number/ibm/console.
The administrative console address might differ if you have
previously changed the port number.
- Click Security > Global security.
- Under Web security, click Single sign-on (SSO).
- Optional: Select the Interoperability Mode option
if you must interoperate with servers that do not support security
attribute propagation.
Servers that do not support security
attribute propagation receive the Lightweight Third Party Authentication
(LTPA) token and the Propagation token, but ignore the security attribute
information that they do not understand.
- Select the Web inbound security attribute propagation option.
The Web inbound security attribute propagation option enables
horizontal propagation, which allows the receiving SSO token to retrieve
the login information from the original login server. If you do not
enable this option, downstream propagation can occur if you enable
the Security Attribute Propagation option on both the CSIv2 Inbound
authentication and CSIv2 outbound authentication panels.
Typically,
you enable the web inbound security attribute propagation option if
you need to gather dynamic security attributes set at the original
login server that cannot be regenerated at the new front-end server.
These attributes include any custom attributes that might be set in
the PropagationToken token using the com.ibm.websphere.security.WSSecurityHelper
application programming interfaces (APIs). You must determine whether
enabling this option improves or degrades the performance of your
system. While the option prevents some remote user registry calls,
the deserialization and decryption of some tokens might impact performance.
In some cases propagation is faster, especially if your user registry
is the bottleneck of your topology. It is recommended that you measure
the performance of your environment both by using and not using this
option. When you test the performance, it is recommended that you
test in the operating environment of the typical production environment
with the typical number of unique users accessing the system simultaneously.
When the Web inbound security attribute propagation option
is enabled, security attributes are propagated to front-end application
servers. When this option is disabled, the SSO token is used to log
in and recreate the Subject from the user registry.
- Click Security > Global security. Under RMI/IIOP
security, click CSIv2 inbound authentication.
The Login
configuration field specifies RMI_INBOUND as
the system login configuration that is used for inbound requests.
To add custom Java™ Authentication
and Authorization Service (JAAS) login modules, complete the following
steps:
- Click Security > Global security. Under Java Authentication and Authorization
Service, click System logins.
A list of the system
login configurations is displayed. WebSphere Application
Server provides the following pre-configured system login configurations:
DEFAULT, LTPA, LTPA_WEB, RMI_INBOUND, RMI_OUTBOUND, SWAM, WEB_INBOUND,
wssecurity.IDAssertion, and wssecurity.Signature. Do not delete these
predefined configurations.
Note: SWAM is deprecated
in WebSphere Application
Server Version 8.5 and will
be removed in a future release.
- Click the name of the login configuration that you want
to modify.
- Under Additional Properties, click JAAS Login Modules.
The JAAS Login Modules panel is displayed, which lists all of
the login modules that are processed in the login configuration. Do
not delete the required JAAS login modules. Instead, you can add custom
login modules before or after the required login modules. If you add
custom login modules, do not begin their names with com.ibm.ws.security.server.
You
can specify the order in which the login modules are processed by
clicking Set Order.
- Select the Security attribute propagation option
on the CSIv2 inbound authentication panel.
When you select Security
Attribute Propagation, the server advertises to other application
servers that it can receive propagated security attributes from another
server in the same realm over the Common Secure Interoperability version
2 (CSIv2) protocol.
- Click Security > Global security. Under RMI/IIOP
security, click CSIv2 Outbound authentication.
The
CSIv2 outbound authentication panel is displayed. The Login configuration field
specifies RMI_OUTBOUND as the JAAS login configuration that
is used for outbound configuration. You cannot change this login configuration.
Instead, you can customize this login configuration by completing
the substeps that are listed previously for CSIv2 Inbound authentication.
- Optional: Verify that the Security Attribute
Propagation option is selected if you want to enable outbound
Subject and security context token propagation for the Remote Method
Invocation (RMI) protocol.
When you select this option, WebSphere Application
Server serializes the Subject contents and the PropagationToken contents. After the contents are
serialized, the server uses the CSIv2 protocol to send the Subject and PropagationToken token to the
target servers that support security attribute propagation. If the receiving server does not support
security attribute tokens, WebSphere Application Server
sends the Lightweight Third Party Authentication (LTPA) token only.
Important: WebSphere Application Server propagates only the objects
within the Subject that it can serialize. The server propagates custom objects on a best-effort
basis.
When
Security Attribute Propagation is enabled, WebSphere Application Server adds marker tokens to the Subject to enable
the target server to add additional attributes during the inbound login. During the commit phase of
the login, the marker tokens and the Subject are marked as read-only and cannot be modified
thereafter.
Important: When using security
attribute propagation, use the same LTPA keys in all cell configurations.
When the
Security Attribute Propagation
option is enabled, allow the JAAS DESERIALIZE_ASYNCH_CONTEXT configuration to successfully refresh
expired LTPA Tokens:
- Log in to the WebSphere Integrated Solution Console
- Select .
- Create a custom property, com.ibm.ws.security.context.renewToken, and set the value to
true.
- Save your changes and synchronize the nodes.
- Restart the server or servers.
Setting the com.ibm.ws.security.context.renewToken property this way ensures that asynchronous
beans succeed in deserializing expired security contexts when
Security Attribute Propagation
is disabled.
- Optional: Select the Custom Outbound Mapping option
if you clear the Security Attribute Propagation option and
you want to use the RMI_OUTBOUND login configuration.
If
neither the Custom Outbound Mapping option nor the Security
Attribute Propagation option is selected, WebSphere Application Server does not call
the RMI_OUTBOUND login configuration. If you need to plug in a credential
mapping login module, you must select the Custom Outbound Mapping option.
- Optional: Specify trusted target realm names
in the Trusted Target Realms field.
By specifying
these realm names, information can be sent to servers that reside
outside the realm of the sending server to support inbound mapping
that is at these downstream servers. To perform outbound mapping to
a realm different from the current realm, you must specify the realm
in this field so that you can get to this point without having the
request rejected because of a realm mismatch. If you need WebSphere Application Server
to propagate security attributes to another realm when a request is
sent, you must specify the realm name in the Trusted Target Realms field.
Otherwise, the security attributes are not propagated to the unspecified
realm. You can add multiple target realms by adding a pipe (|)
delimiter between each entry.
- Optional: Enable propagation for a pure client.
For a pure client to propagate attributes added to the invocation
Subject, you must add the following property to the
sas.client.props file:
com.ibm.CSI.rmiOutboundPropagationEnabled=true
Note: The sas.client.props file
is located at <WAS-HOME>/profiles/<ProfileName>/properties>.
What to do next
If you need to disable security attribute propagation,
determine whether you need to disable it for either the server level
or the cell level.
Attention: Changes to the server-level
settings override the cell settings.
Attention: Note that the settings might be overridden in a security
domain.
To disable security attribute
propagation on the server level, complete the following steps:
- Click Server > Application Servers > server_name.
- Under Security, click Server security.
- Select the RMI/IIOP security for this server overrides cell
settings option.
- Disable security attribute propagation for
inbound requests by clicking CSI inbound authentication under
Additional Properties and clearing the Security attribute propagation option.
- Disable security attribute propagation for
outbound requests by clicking CSI outbound authentication under
Additional Properties and clearing the Security attribute propagation option.
To disable security attribute propagation
on the cell level, undo each of the steps that you completed to enable
security attribute propagation in this task.