Use the security attribute propagation feature of WebSphere® Application Server to send security attribute information regarding the original
login to other servers by using a token. This topic helps to configure WebSphere Application Server to propagate security attributes to other
servers.
About this task
To fully enable security attribute propagation, you must configure the single sign-on
(SSO), Common Secure Interoperability Version 2 (CSIv2) inbound, and CSIv2 outbound panels in the
WebSphere Application Server administrative console. You
can enable just the portions of security attribute propagation relevant to your configuration. For
example, you can enable web propagation, which is propagation amongst front-end application servers,
using either the push technique (DynaCache) or the pull technique (remote method to originating
server). You also can choose whether to enable Remote Method Invocation (RMI) outbound and
inbound propagation, which is commonly called downstream propagation. Typically both types of
propagation are enabled for any given cell.
Restriction: To prevent propagating the
same security attributes among application servers multiple times, WebSphere Application Server verifies that a Lightweight Third Party
Authentication (LTPA) token does not exist. Two cases can occur. Absence of the LTPA token tells the
Application Server that propagation can proceed. Presence of the LTPA token indicates that
propagation has occurred if the LTPA token has been generated within the cluster. However, in the
second case, if the LTPA token is present, but has been generated by a server outside the cluster,
such as by Tivoli® Access Manager, Lotus
Domino, or a different Application Server cluster, security
attributes are not propagated.
Complete the following steps to configure WebSphere Application Server for security attribute
propagation:
- Access the WebSphere Application Server
administrative console by typing
http://server_name:port_number/ibm/console.
The administrative console address might differ if you have previously changed the port
number.
- Click Security > Global security.
- Under Web and SIP security, click Single sign-on (SSO).
- Optional: Select the Interoperability Mode option if
you must interoperate with servers that do not support security attribute
propagation.
Servers that do not support security attribute propagation receive the
Lightweight Third Party Authentication (LTPA) token and the Propagation token, but ignore the
security attribute information that they do not understand.
- Select the Web inbound security attribute propagation
option.
The Web inbound security attribute propagation option enables horizontal propagation, which
allows the receiving SSO token to retrieve the login information from the original login server. If
you do not enable this option, downstream propagation can occur if you enable the Security Attribute
Propagation option on both the CSIv2 Inbound authentication and CSIv2 outbound authentication
panels.
Typically, you enable the web inbound security attribute propagation option if you need to
gather dynamic security attributes set at the original login server that cannot be regenerated at
the new front-end server. These attributes include any custom attributes that might be set in the
PropagationToken token using the com.ibm.websphere.security.WSSecurityHelper application programming
interfaces (APIs). You must determine whether enabling this option improves or degrades the
performance of your system. While the option prevents some remote user registry calls, the
deserialization and decryption of some tokens might impact performance. In some cases propagation is
faster, especially if your user registry is the bottleneck of your topology. It is recommended that
you measure the performance of your environment both by using and not using this option. When you
test the performance, it is recommended that you test in the operating environment of the typical
production environment with the typical number of unique users accessing the system
simultaneously.
When the Web inbound security attribute propagation
option is enabled, security attributes are propagated to front-end application servers. When this
option is disabled, the SSO token is used to log in and recreate the Subject from the user
registry.
- Click Security > Global security. Under RMI/IIOP security, click CSIv2 inbound authentication.
The Login configuration field specifies RMI_INBOUND as the system login configuration that is used for inbound requests. To add custom Java™ Authentication and Authorization Service (JAAS) login modules, complete the following substeps:
  - Click Security > Global security. Under Java Authentication and Authorization Service, click System logins.
    A list of the system login configurations is displayed. WebSphere Application Server provides the following pre-configured system login configurations: DEFAULT, LTPA, LTPA_WEB, RMI_INBOUND, RMI_OUTBOUND, SWAM, WEB_INBOUND, wssecurity.IDAssertion, and wssecurity.Signature. Do not delete these predefined configurations.
    Note: SWAM is deprecated in WebSphere Application Server Version 9.0 and will be removed in a future release.
  - Click the name of the login configuration that you want to modify.
  - Under Additional Properties, click JAAS Login Modules.
    The JAAS Login Modules panel is displayed, which lists all of the login modules that are processed in the login configuration. Do not delete the required JAAS login modules. Instead, you can add custom login modules before or after the required login modules. If you add custom login modules, do not begin their names with com.ibm.ws.security.server. You can specify the order in which the login modules are processed by clicking Set Order.
- Select the Security attribute propagation option on the CSIv2
inbound authentication panel.
When you select Security Attribute
Propagation, the server advertises to other application servers that it can receive
propagated security attributes from another server in the same realm over the Common Secure
Interoperability version 2 (CSIv2) protocol.
- Click Security > Global security. Under RMI/IIOP security, click
CSIv2 Outbound authentication.
The CSIv2 outbound authentication
panel is displayed. The Login configuration field specifies
RMI_OUTBOUND as the JAAS login configuration that is used for outbound configuration. You
cannot change this login configuration. Instead, you can customize this login configuration by
completing the substeps that are listed previously for CSIv2 Inbound authentication.
- Optional: Verify that the Security Attribute
Propagation option is selected if you want to enable outbound Subject and security
context token propagation for the Remote Method Invocation (RMI) protocol.
When you
select this option, WebSphere Application Server
serializes the Subject contents and the PropagationToken contents. After the contents are
serialized, the server uses the CSIv2 protocol to send the Subject and PropagationToken token to the
target servers that support security attribute propagation. If the receiving server does not support
security attribute tokens, WebSphere Application Server
sends the Lightweight Third Party Authentication (LTPA) token only.
Important: WebSphere Application Server propagates only the objects
within the Subject that it can serialize. The server propagates custom objects on a best-effort
basis.
When
Security Attribute Propagation is enabled, WebSphere Application Server adds marker tokens to the
Subject to enable the target server to add additional attributes during the inbound login. During
the commit phase of the login, the marker tokens and the Subject are marked as read-only and cannot
be modified thereafter.
Important: When using security attribute propagation, use the same LTPA keys in all cell configurations.
When the Security Attribute Propagation option is enabled, complete the following steps so that the JAAS DESERIALIZE_ASYNCH_CONTEXT configuration can refresh expired LTPA tokens:
  - Log in to the WebSphere Integrated Solution Console.
  - Select .
  - Create a custom property, com.ibm.ws.security.context.renewToken, and set the value to true.
  - Save your changes and synchronize the nodes.
  - Restart the server or servers.
Setting the com.ibm.ws.security.context.renewToken property this way ensures that asynchronous beans succeed in deserializing expired security contexts when Security Attribute Propagation is disabled.
- Optional: Select the Custom Outbound Mapping option if
you clear the Security Attribute Propagation option and you want to use the
RMI_OUTBOUND login configuration.
If neither the Custom Outbound
Mapping option nor the Security Attribute Propagation option is
selected, WebSphere Application Server does not call the
RMI_OUTBOUND login configuration. If you need to plug in a credential mapping login module, you must
select the Custom Outbound Mapping option.
- Optional: Specify trusted target realm names in the Trusted Target
Realms field.
By specifying these realm names, information can be sent to
servers that reside outside the realm of the sending server to support inbound mapping that is at
these downstream servers. To perform outbound mapping to a realm different from the current realm,
you must specify the realm in this field so that you can get to this point without having the
request rejected because of a realm mismatch. If you need WebSphere Application Server to propagate security attributes to another realm when a request
is sent, you must specify the realm name in the Trusted Target Realms field.
Otherwise, the security attributes are not propagated to the unspecified realm. You can add multiple
target realms by adding a pipe (|) delimiter between each entry.
- Optional: Enable propagation for a pure client.
For a pure client to propagate attributes added to the invocation Subject, you must add the following property to the sas.client.props file:
com.ibm.CSI.rmiOutboundPropagationEnabled=true
Note: The sas.client.props file is located at <WAS-HOME>/profiles/<ProfileName>/properties.
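As an added illustration (not code from the IBM documentation), the following Java shows the two ends of the custom-attribute flow that the Web inbound security attribute propagation step and the JAAS login module substeps describe: a servlet filter on the original login server records the entry host in the PropagationToken through com.ibm.websphere.security.WSSecurityHelper, and a custom login module, named outside the reserved com.ibm.ws.security.server prefix and added after the required modules of RMI_INBOUND, reads the attribute back during the inbound login and places a serializable credential in the Subject before the commit phase makes the Subject read-only. The package com.example.propagation, the attribute key, the class names, and the assumption that WSSecurityHelper exposes static addAttribute(String, String) and getAttributes(String) methods are assumptions of this example, not taken from the page.

```java
// File: EntryPointFilter.java (hypothetical package; must NOT start with com.ibm.ws.security.server)
package com.example.propagation;

import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import com.ibm.websphere.security.WSSecurityHelper;   // assumed API: addAttribute / getAttributes

/** Runs on the original login server; stamps the PropagationToken once per authenticated request. */
public class EntryPointFilter implements Filter {
    public static final String ENTRY_HOST_KEY = "example.entryHost";   // hypothetical attribute key

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest
                && ((HttpServletRequest) req).getUserPrincipal() != null) {
            // Add the attribute only if no earlier hop already set it: the PropagationToken
            // travels with the request on every hop while propagation is enabled.
            String[] existing = WSSecurityHelper.getAttributes(ENTRY_HOST_KEY);
            if (existing == null || existing.length == 0) {
                WSSecurityHelper.addAttribute(ENTRY_HOST_KEY, req.getServerName());
            }
        }
        chain.doFilter(req, resp);
    }
}

// File: PropagatedAttributeLoginModule.java (same hypothetical package)
/** Placed after the required modules in RMI_INBOUND; reads the propagated attribute downstream. */
class PropagatedAttributeLoginModule implements LoginModule {
    private Subject subject;
    private String entryHost;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
    }

    @Override
    public boolean login() throws LoginException {
        // The PropagationToken for this inbound request is already on the thread. It is only
        // populated when the sending server has CSIv2 outbound Security Attribute Propagation
        // enabled and is in the same realm (or this realm is in its Trusted Target Realms);
        // otherwise only the LTPA token arrives and getAttributes yields nothing.
        String[] hosts = WSSecurityHelper.getAttributes(EntryPointFilter.ENTRY_HOST_KEY);
        entryHost = (hosts != null && hosts.length > 0) ? hosts[0] : null;
        return true;   // never vetoes the login; the required modules already authenticated
    }

    @Override
    public boolean commit() throws LoginException {
        // The value was set by the sending server, so treat it as informational context,
        // not as an authorization decision on its own. Skip if the Subject is already read-only.
        if (entryHost != null && !subject.isReadOnly()) {
            subject.getPublicCredentials().add(new EntryHostCredential(entryHost));
        }
        return true;
    }

    @Override public boolean abort() { entryHost = null; return true; }
    @Override public boolean logout() { return true; }
}

/** Serializable so the server can carry it further downstream on a best-effort basis. */
final class EntryHostCredential implements java.io.Serializable {
    private static final long serialVersionUID = 1L;
    private final String host;
    EntryHostCredential(String host) { this.host = host; }
    public String getHost() { return host; }
}
```

Register the filter in the front-end application's web.xml and add the login module to the RMI_INBOUND configuration after the required modules, using Set Order to place it. The module tolerates a missing attribute on purpose: when the caller is an interoperability-mode server or a server in an unlisted realm, only the LTPA token is received and the attribute is absent.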