Why and when to perform this task
The security attribute propagation feature of WebSphere Application Server enables you to send security attribute information regarding the original login to other servers using a token. To fully enable security attribute propagation, you must configure the single sign-on (SSO), CSIv2 inbound, and CSIv2 outbound panels in the WebSphere Application Server Administrative Console. You can enable just the portions of security attribute propagation relevant to your configuration. For example, you can enable Web propagation, which is propagation amongst front-end application servers, using either the push technique (DynaCache) or the pull technique (remote method to originating server). You also can choose whether to enable Remote Method Invocation (RMI) outbound and inbound propagation, which is commonly called downstream propagation. Typically both types of propagation are enabled for any given cell. In some cases, you might want to choose a different option for a specific application server using the server security panel within the specific application server settings. To access the server security panel in the administrative console, click Servers > Application Servers > server_name. Under Security, click Server security. Under Additional properties, click Server-level security.
Complete the following steps to configure WebSphere Application Server for security attribute propagation:
Steps for this task
Typically, you enable the Web inbound security attribute propagation option if you need to gather dynamic security attributes set at the original login server that cannot be regenerated at the new front-end server. These attributes include any custom attributes that might be set in the PropagationToken using the com.ibm.websphere.security.WSSecurityHelper application programming interfaces (APIs). You must determine whether enabling this option improves or degrades the performance of your system. While the option avoids some remote user registry calls, the deserialization and decryption of some tokens might affect performance. In some cases, propagation is faster, especially if your user registry is the bottleneck of your topology. It is recommended that you measure the performance of your environment both with and without this option. When you test the performance, it is recommended that you test in the operating environment of the typical production environment with the typical number of unique users accessing the system simultaneously.
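The following is an added example, not code from the WebSphere documentation, showing the kind of custom attribute the paragraph above refers to: one server writes an application-defined value into the PropagationToken through WSSecurityHelper, and a downstream server reads it back once propagation has carried the token along. It assumes the static methods addPropagationAttribute(String key, String value) and getPropagationAttributes(String key) on com.ibm.websphere.security.WSSecurityHelper; the attribute key and class name are the example's own choices.

```java
// Added example; not part of the WebSphere documentation page.
// Assumes the WSSecurityHelper static methods addPropagationAttribute(String, String)
// and getPropagationAttributes(String), and that the calling thread already carries
// an authenticated WebSphere security context (a Subject with a PropagationToken).
import com.ibm.websphere.security.WSSecurityHelper;

public class PropagationAttributeDemo {

    // Hypothetical attribute key chosen for this example; any application-defined name works.
    private static final String LOGIN_SOURCE_KEY = "example.loginSource";

    /**
     * Call on the originating (front-end) server, inside a request that has already
     * been authenticated. The attribute is stored in the PropagationToken, so it is only
     * visible downstream when Web inbound / RMI outbound propagation is enabled; otherwise
     * the receiving server regenerates its Subject from the user registry and the value is lost.
     */
    public static void recordLoginSource(String source) {
        if (source == null || source.isEmpty()) {
            throw new IllegalArgumentException("source must be a non-empty string");
        }
        WSSecurityHelper.addPropagationAttribute(LOGIN_SOURCE_KEY, source);
    }

    /**
     * Call on a downstream server that received the propagated token.
     * Returns null when no value is available, which happens if propagation is disabled,
     * if the originating server never set the attribute, or if there is no security
     * context on the current thread.
     */
    public static String firstLoginSource() {
        String[] values = WSSecurityHelper.getPropagationAttributes(LOGIN_SOURCE_KEY);
        if (values == null || values.length == 0) {
            return null;
        }
        return values[0];
    }
}
```

Treat a null result on the downstream side as a configuration signal rather than a coding error: it is the observable difference between a cell where the SSO, CSIv2 inbound and CSIv2 outbound panels have all been configured for propagation and one where only part of the feature is enabled. Because the Subject and its marker tokens become read-only at the commit phase of the login, attributes must be added during request processing on the originating server, not by a login module after commit.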
You can specify the order in which the login modules are processed by clicking Set Order.
When Security Attribute Propagation is enabled, WebSphere Application Server adds marker tokens to the Subject to enable the target server to add additional attributes during the inbound login. During the commit phase of the login, the marker tokens and the Subject are marked as read-only and cannot be modified thereafter.
com.ibm.CSI.rmiOutboundPropagationEnabled=true
Result
After completing these steps, you have configured WebSphere Application Server to propagate security attributes to other servers. After you have configured WebSphere Application Server for security attribute propagation and need to disable this functionality, you can disable propagation for either the server level or the cell level. To disable security attribute propagation on the server level, click Server > Application Servers > server_name. Under Security, click Server security. You can disable security attribute propagation for inbound requests by clicking CSI inbound authentication under Additional Properties and deselecting Security attribute propagation. You can disable security attribute propagation for outbound requests by clicking CSI outbound authentication under Additional Properties and deselecting Security attribute propagation. To disable security attribute propagation on the cell level, undo each of the steps that you completed to enable security attribute propagation in this task.
Related concepts
Security attribute propagation