The Trust Association Interceptor (TAI) contains two interceptors to process the incoming requests: HttpInterceptor and SipInterceptor. Each interceptor has properties associated with it. Use the WebSphere Integrated Solutions Console to set the properties.
The HttpInterceptor for the Trust Association Interceptor security component contains the following properties:
Parameter | Type | Description |
---|---|---|
enableSenderVerification | Boolean | Default: true. When true, enables verification of the identity of the pre-hop sender of the incoming request. You may want to disable this verification when transport-level security or IPSec is enabled on the service platform. |
allowedSenderList | string | Default: null. Comma-delimited list of hosts that the interceptor considers trusted. When the enableSenderVerification property is false, this property is ignored. Acceptable input is a hostname or an IP address; wildcards and masking are allowed. Examples of acceptable entries: hostnames *@us.example.com, *.example.com, dyn94158159.example.com; IPv4 addresses 9.41.x.x, 9.41.57.154, 9.41.57.154/20, 9.41.57.154/255.255.240.0; IPv6 addresses 2002:092A:8F7A:0000:0000:0020:0000:0001, 2002:92A:8F7A:0:0:20:0:1, 2002:92A:8F7A:0:0:20::1, 2002:92A:8F7A::20:0:1 (four representations of the same address) and 2002:92A:8F7A::20:0:1/60. The entries * and x.x.x.x allow ALL pre-hop senders. |
assertedIdentityHeaderType | string | Default: X-XCAP-Asserted-Identity, X-3GPP-Asserted-Identity. Comma-delimited list of the asserted identity header types that this interceptor implementation accepts. For example, a different X-XCAP-Asserted-Identity header may be required in the IBM® XDMS implementation. Multiple values are allowed to accommodate ambiguous specification guidelines. A maximum of 2 entries is allowed. |
enableDefaultRoleMapping | Boolean | Default: true. Enables default role mapping, which maps all users to the All authenticated group. Enabling this property prevents WebSphere® Application Server from invoking the user registry to create a Subject. Applications that depend on WebSphere Application Server roles may want to disable this property. |
enableMultipleIDMapping | Boolean | Default: true. Enables stripping the protocol scheme from the SIP URI to obtain an ID that may match other IDs belonging to the same user. This applies where a single user has multiple public IDs. |
handleUnauthenticatedUser | Boolean | Default: false. Enables processing of messages from unauthenticated users. An unauthenticated user is mapped to the Principal with the value defined in the unauthenticatedPrincipal property. |
anonymousUserID | string | Default: anonymous. The user ID that identifies an anonymous user. |
anonymousPrincipal | string | Default: anonymous.invalid. The value that is mapped to the WebSphere Application Server Principal for an anonymous user. |
unauthenticatedPrincipal | string | Default: anonymous.invalid. The value that is mapped to the WebSphere Application Server Principal for an unauthenticated user. By default, unauthenticated users are handled the same as anonymous users. |
allowedAssertedProxyUsers | string | Default: null. Comma-delimited list of allowed asserted identity values that indicate the request originates from a proxy, not an end user. Accepted formats are hostname, email name, or URI. Wildcards are acceptable (for example: *@us.example.com, *.example.com). A maximum of 30 entries is allowed. |
enableLTPABypass | Boolean | Default: false. When set to true, the TAI includes a WSCredential in the TAIResult's Subject. This prevents a JAAS login and a user registry look-up downstream by WebSphere security, and it further prevents WebSphere Application Server from adding an LTPA token to the message header. Avoiding these expensive LTPA calls may improve IMS system performance. When this property is set to true, you must also disable security attribute propagation from the Integrated Solutions Console. |
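As an added illustration of the allowedSenderList syntax described in both tables (this is example code, not IBM's implementation), the following Python matcher accepts the documented entry forms and decides whether a given pre-hop sender is trusted. Treating a null list as trusting no sender while verification is enabled is an assumption.

```python
import fnmatch
import ipaddress

# Hypothetical matcher for the documented allowedSenderList syntax, not the
# product's own code. Entry forms: allow-all markers "*" / "x.x.x.x", IPv4 with
# x-wildcard octets (9.41.x.x), IPv4/IPv6 with optional CIDR or dotted netmask,
# and hostname globs (*.example.com).
ALLOW_ALL = {"*", "x.x.x.x"}


def _parse_entry(entry):
    """Classify one list entry as "all", "octets", "net" or "host"."""
    entry = entry.strip()
    if entry.lower() in ALLOW_ALL:
        return "all", None
    octets = entry.split(".")
    if len(octets) == 4 and all(o.isdigit() or o.lower() in ("x", "*") for o in octets):
        if not all(o.isdigit() for o in octets):
            return "octets", [int(o) if o.isdigit() else None for o in octets]
    try:
        # strict=False accepts host bits in 9.41.57.154/20 or /255.255.240.0
        return "net", ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "host", entry.lower()


def _entry_matches(kind, value, sender):
    """sender is the pre-hop sender as a hostname or IP address string."""
    if kind == "all":
        return True
    try:
        addr = ipaddress.ip_address(sender)
    except ValueError:
        addr = None  # not an IP literal, so treat it as a hostname
    if kind == "octets":
        if addr is None or addr.version != 4:
            return False
        return all(w is None or w == int(o) for w, o in zip(value, str(addr).split(".")))
    if kind == "net":
        return addr is not None and addr in value  # False across IP versions
    # Hostname glob: fnmatch's "*" also crosses label boundaries, so
    # "*.example.com" matches a.b.example.com as well as a.example.com.
    return addr is None and fnmatch.fnmatchcase(sender.lower(), value)


def is_sender_allowed(sender, allowed_sender_list, enable_sender_verification=True):
    """Documented semantics: the list is ignored when verification is off.
    Assumption: with verification on, a null/empty list trusts no sender."""
    if not enable_sender_verification:
        return True
    entries = [e for e in (allowed_sender_list or "").split(",") if e.strip()]
    return any(_entry_matches(*_parse_entry(e), sender) for e in entries)
```

Note that 9.41.57.154/255.255.240.0 and 9.41.57.154/20 both normalise to the 9.41.48.0/20 block, so a sender at 9.41.63.200 is trusted but 9.41.64.1 is not.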
The SipInterceptor for the Trust Association Interceptor security component contains the following properties:
Parameter | Type | Description |
---|---|---|
enableSenderVerification | Boolean | Default: true. When true, enables verification of the identity of the pre-hop sender of the incoming request. You may want to disable this verification when transport-level security or IPSec is enabled on the service platform. |
allowedSenderList | string | Default: null. Comma-delimited list of hosts that the interceptor considers trusted. When the enableSenderVerification property is false, this property is ignored. Acceptable input is a hostname or an IP address; wildcards and masking are allowed. Examples of acceptable entries: hostnames *@us.example.com, *.example.com, dyn94158159.example.com; IPv4 addresses 9.41.x.x, 9.41.57.154, 9.41.57.154/20, 9.41.57.154/255.255.240.0; IPv6 addresses 2002:092A:8F7A:0000:0000:0020:0000:0001, 2002:92A:8F7A:0:0:20:0:1, 2002:92A:8F7A:0:0:20::1, 2002:92A:8F7A::20:0:1 (four representations of the same address) and 2002:92A:8F7A::20:0:1/60. The entries * and x.x.x.x allow ALL pre-hop senders. |
assertedIdentityHeaderType | string | Default: P-Asserted-Identity. Comma-delimited list of the asserted identity header types that this interceptor implementation accepts. For example, a different X-XCAP-Asserted-Identity header may be required in the IBM XDMS implementation. Multiple values are allowed to accommodate ambiguous specification guidelines. A maximum of 2 entries is allowed. |
enableDefaultRoleMapping | Boolean | Default: true. Enables default role mapping, which maps all users to the All authenticated group. Enabling this property prevents WebSphere Application Server from invoking the user registry to create a Subject. Applications that depend on WebSphere Application Server roles may want to disable this property. |
pAssertedIdentityURIType | string | Default: sip. When two P-Asserted-Identity headers are present in the message, this property selects which SIP URI type is used for the asserted identity. Possible values: sip, sips, and tel. |
enableMultipleIDMapping | Boolean | Default: true. Enables stripping the protocol scheme from the SIP URI to obtain an ID that may match other IDs belonging to the same user. This applies where a single user has multiple public IDs. |
handleUnauthenticatedUser | Boolean | Default: false. Enables processing of messages from unauthenticated users. An unauthenticated user is mapped to the Principal with the value defined in the unauthenticatedPrincipal property. |
anonymousUserID | string | Default: anonymous. The user ID that identifies an anonymous user. |
anonymousPrincipal | string | Default: anonymous.invalid. The value that is mapped to the WebSphere Application Server Principal for an anonymous user. |
unauthenticatedPrincipal | string | Default: anonymous.invalid. The value that is mapped to the WebSphere Application Server Principal for an unauthenticated user. By default, unauthenticated users are handled the same as anonymous users. |
allowedAssertedProxyUsers | string | Default: null. Comma-delimited list of allowed asserted identity values that indicate the request originates from a proxy, not an end user. Accepted formats are hostname, email name, or URI. Wildcards are acceptable (for example: *@us.example.com, *.example.com). A maximum of 30 entries is allowed. |
enableErrorMessageReception | Boolean | Default: false. Enables processing of error messages that the SIP container sends to itself. For example, when a SIP message is sent to a SIP destination that is no longer attached and the message times out, the SIP container sends an error message to itself. These messages lack P-Asserted-Identity headers and, as a result, are not normally processed by the TAI. If true, error messages that lack P-Asserted-Identity headers and are generated by the localhost are processed. If false, any error messages the SIP container sends to itself are processed using the same rules as all other messages. Use errorMessageStatusCodeList to designate which SIP error messages are to be processed. |
errorMessageStatusCodeList | string | Default: 4xx. Comma-delimited list of status codes in the ranges 400-499 (Client Error) and 500-599 (Server Error) to be processed when enableErrorMessageReception is true. The wildcards "*", "x", and "X" each substitute for a single digit. For example, 4** represents all 4xx error status codes (400-499), and *** represents all 4xx and 5xx codes. A maximum of 20 entries is allowed. |
enableLTPABypass | Boolean | Default: false. When set to true, the TAI includes a WSCredential in the TAIResult's Subject. This prevents a JAAS login and a user registry look-up downstream by WebSphere security, and it further prevents WebSphere Application Server from adding an LTPA token to the message header. Avoiding these expensive LTPA calls may improve IMS system performance. When this property is set to true, you must also disable security attribute propagation from the Integrated Solutions Console. For details, refer to the section titled Disabling security attribute propagation, later in this topic. |
Follow these steps to disable security attribute propagation. This is required when enableLTPABypass is set to true.