IBM WebSphere Telecom Web Services Server, Version 7.1

Configuring the Trust Association Interceptor

The Trust Association Interceptor (TAI) contains two interceptors to process the incoming requests: HttpInterceptor and SipInterceptor. Each interceptor has properties associated with it. Use the WebSphere Integrated Solutions Console to set the properties.

The interceptor properties are created and configured from the Integrated Solutions Console during the installation process by entering the interceptor Name, Value, and Description.
Note:
  • The allowedSenderList property is required at a minimum.
  • For information about the installation process, refer to the Installing section for each component.
This topic provides the description of the properties and their default values.

HTTP Properties

The HttpInterceptor for the Trust Association Interceptor security component contains the following properties:

Table 1. HttpInterceptor properties
Parameter Type Description
enableSenderVerification Boolean Default: true. When true, enables the verification of the identity of the pre-hop sender of the incoming request. The user may want to disable this verification when transport-level security or IPSec is enabled on the service platform.
allowedSenderList string Default: null. Comma-delimited list of hosts that the interceptor considers trusted. When the enableSenderVerification property is false, this property is ignored. Acceptable input is a hostname or an IP address.

Wildcards and masking are allowed. The following is a list of acceptable examples:

Hostnames:

*@us.example.com, *.example.com, dyn94158159.example.com

IPv4 addresses:

9.41.x.x, 9.41.57.154, 9.41.57.154/20, 9.41.57.154/255.255.240.0

IPv6 addresses:

2002:092A:8F7A:0000:0000:0020:0000:0001, 2002:92A:8F7A:0:0:20:0:1, 2002:92A:8F7A:0:0:20::1, 2002:92A:8F7A::20:0:1 (these four addresses are different representations of the same address), 2002:92A:8F7A::20:0:1/60

Either of the following entries indicates that ALL pre-hop senders are allowed: *, x.x.x.x

assertedIdentityHeaderType string Default: X-XCAP-Asserted-Identity, X-3GPP-Asserted-Identity. Comma-delimited list of allowed types of asserted identity headers supported in this interceptor implementation. For example, a different X-XCAP-Asserted-Identity header may be required in the IBM® XDMS implementation. Multiple values are allowed to accommodate ambiguous specification guidelines.

A maximum of 2 entries is allowed.

enableDefaultRoleMapping Boolean Default: true. Enables default role mapping, which maps all users to the All authenticated group. Enabling this property prevents WebSphere® Application Server from invoking the user registry to create a Subject. Applications that depend on WebSphere Application Server roles may want to disable this property.
enableMultipleIDMapping Boolean Default: true. Enables stripping the protocol scheme from the SIP URI to obtain an ID that may match other IDs belonging to the same user. This applies to situations where there are multiple public IDs for a single user.
handleUnauthenticatedUser Boolean Default: false. Enables processing of messages from unauthenticated users. The unauthenticated user will be mapped to the Principal with the value defined in the unauthenticatedPrincipal property.
anonymousUserID string Default: anonymous. The user ID that identifies an anonymous user.
anonymousPrincipal string Default: anonymous.invalid. The value that is mapped to the WebSphere Application Server Principal for an anonymous user.
unauthenticatedPrincipal string Default: anonymous.invalid. The value that is mapped to the WebSphere Application Server Principal for an unauthenticated user. The default is to handle unauthenticated users the same as anonymous users.
allowedAssertedProxyUsers string Default: null. Comma-delimited list of allowed asserted identity values that indicate the request originates with a proxy, not an end user. Accepted formats are hostname, email name, or URI.

Wildcards are acceptable (for example: *@us.example.com, *.example.com).

A maximum of 30 entries is allowed.

enableLTPABypass Boolean Default: false. When set to true, the TAI includes a WSCredential in the TAIResult's Subject. This prevents a JAAS login and a look-up in a user registry downstream by WebSphere security. It further prevents WebSphere Application Server from adding an LTPA token to the message header. Avoiding these expensive LTPA calls by WebSphere might improve IMS system performance.
When this is set to true, you must also disable security attribute propagation from the Integrated Solutions Console. The following steps apply to WebSphere Application Server version 6.1.0.29; for version 7.0.0.7, refer to the section titled Disabling security attribute propagation, later in this topic:
  1. Click Security > Secure Administration > Web security > single sign-on (SSO), and clear the Web inbound security attribute propagation check box.
  2. Click Security > Secure Administration > RMI/IOP security > CSIv2 inbound authentication, and clear the security attribute propagation check box.
  3. Click Security > Secure Administration > RMI/IOP security > CSIv2 outbound authentication, and clear the security attribute propagation check box.

SIP Properties

The SipInterceptor for the Trust Association Interceptor security component contains the following properties:

Table 2. SipInterceptor properties
Parameter Type Description
enableSenderVerification Boolean Default: true. When true, enables the verification of the identity of the pre-hop sender of the incoming request. The user may want to disable this verification when transport-level security or IPSec is enabled on the service platform.
allowedSenderList string Default: null. Comma-delimited list of hosts that the interceptor considers trusted. When the enableSenderVerification property is false, this property is ignored. Acceptable input is a hostname or an IP address.

Wildcards and masking are allowed. The following is a list of acceptable examples:

Hostnames:

*@us.example.com, *.example.com, dyn94158159.example.com

IPv4 addresses:

9.41.x.x, 9.41.57.154, 9.41.57.154/20, 9.41.57.154/255.255.240.0

IPv6 addresses:

2002:092A:8F7A:0000:0000:0020:0000:0001, 2002:92A:8F7A:0:0:20:0:1, 2002:92A:8F7A:0:0:20::1, 2002:92A:8F7A::20:0:1 (these four addresses are different representations of the same address), 2002:92A:8F7A::20:0:1/60

Either of the following entries indicates that ALL pre-hop senders are allowed: *, x.x.x.x

assertedIdentityHeaderType string Default: P-Asserted-Identity. Comma-delimited list of allowed types of asserted identity headers supported in this interceptor implementation. For example, a different X-XCAP-Asserted-Identity header may be required in the IBM XDMS implementation. Multiple values are allowed to accommodate ambiguous specification guidelines.

A maximum of 2 entries is allowed.

enableDefaultRoleMapping Boolean Default: true. Enables default role mapping, which maps all users to the All authenticated group. Enabling this property prevents WebSphere Application Server from invoking the user registry to create a Subject. Applications that depend on WebSphere Application Server roles may want to disable this property.
pAssertedIdentityURIType string Default: sip. When two P-Asserted-Identity headers are present in the message, the user has the option of choosing which SIP URI type is used for the asserted identity. Possible values: sip, sips, and tel.
enableMultipleIDMapping Boolean Default: true. Enables stripping the protocol scheme from the SIP URI to obtain an ID that may match other IDs belonging to the same user. This applies to situations where there are multiple public IDs for a single user.
handleUnauthenticatedUser Boolean Default: false. Enables processing of messages from unauthenticated users. The unauthenticated user will be mapped to the Principal with the value defined in the unauthenticatedPrincipal property.
anonymousUserID string Default: anonymous. The user ID that identifies an anonymous user.
anonymousPrincipal string Default: anonymous.invalid. The value that is mapped to the WebSphere Application Server Principal for an anonymous user.
unauthenticatedPrincipal string Default: anonymous.invalid. The value that is mapped to the WebSphere Application Server Principal for an unauthenticated user. The default is to handle unauthenticated users the same as anonymous users.
allowedAssertedProxyUsers string Default: null. Comma-delimited list of allowed asserted identity values that indicate the request originates with a proxy, not an end user. Accepted formats are hostname, email name, or URI.

Wildcards are acceptable (for example: *@us.example.com, *.example.com).

A maximum of 30 entries is allowed.

enableErrorMessageReception Boolean Default: false. Enables processing of error messages that the SIP container sends to itself. An example is where a SIP message is sent to a SIP destination that is no longer attached. When the message times out, the SIP container sends an error message to itself. These messages lack P-Asserted-Identity headers and, as a result, are not normally processed by the TAI.

If true, enables the processing of error messages that lack P-Asserted-Identity headers and are generated by the localhost. If false, any error messages sent by the SIP container to itself are processed using the same rules as all other messages.

Use errorMessageStatusCodeList to designate which SIP error messages are to be processed.

errorMessageStatusCodeList string Default: 4xx. Comma-delimited list of SIP response status codes within the ranges 400-499 (Client Error) and 500-599 (Server Error) to be processed when enableErrorMessageReception is true.

You can use "*", "x", or "X" as a wildcard for a single digit. For example, 4** represents all 4xx error status codes (400-499), and *** represents all 4xx and 5xx codes.

A maximum of 20 entries is allowed.

enableLTPABypass Boolean Default: false. When set to true, the TAI includes a WSCredential in the TAIResult's Subject. This prevents a JAAS login and a look-up in a user registry downstream by WebSphere security. It further prevents WebSphere Application Server from adding an LTPA token to the message header. Avoiding these expensive LTPA calls by WebSphere might improve IMS system performance.

When this is set to true, you must also disable security attribute propagation from the Integrated Solutions Console. For details, refer to the section titled Disabling security attribute propagation, later in this topic.
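
The following Python matcher is an added illustration, not product code, of how an allowedSenderList value in the forms accepted by Table 1 and Table 2 (hostname and user@host wildcards, trailing IPv4 octet wildcards, prefix-length and dotted-netmask masks, and IPv6 in any of its representations) is checked against a pre-hop sender; the function names are assumed, and the "x" octet wildcard is assumed to apply only to trailing octets, as in the examples above.

```python
"""Checks a pre-hop sender against allowedSenderList entries (illustrative, assumed names)."""
import ipaddress
import re

def _compile_entry(entry: str):
    """Turn one allowedSenderList entry into a (kind, matcher) pair."""
    e = entry.strip()
    if e in ("*", "x.x.x.x"):                      # every sender is trusted
        return ("any", None)
    octets = e.split(".")
    if len(octets) == 4 and octets[-1].lower() == "x":
        # IPv4 with trailing octet wildcards, e.g. 9.41.x.x (leading octets fixed)
        fixed = [o for o in octets if o.lower() != "x"]
        if all(o.isdigit() for o in fixed) and all(o.lower() == "x" for o in octets[len(fixed):]):
            return ("prefix4", ".".join(fixed) + ".")
    try:
        # plain IPv4/IPv6 address, or masked by /prefix-length or /dotted-netmask;
        # strict=False lets host bits be set, as in 9.41.57.154/20
        return ("net", ipaddress.ip_network(e, strict=False))
    except ValueError:
        pass
    # hostname or user@host pattern: '*' stands for any run of characters
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in e)
    return ("host", re.compile(f"^{regex}$", re.IGNORECASE))

def _matches(kind, matcher, sender: str) -> bool:
    if kind == "any":
        return True
    if kind == "prefix4":
        try:
            ipaddress.IPv4Address(sender)          # octet wildcards apply to IPv4 literals only
        except ValueError:
            return False
        return sender.startswith(matcher)
    if kind == "net":
        try:
            return ipaddress.ip_address(sender) in matcher   # normalises IPv6 spellings
        except ValueError:
            return False
    return matcher.match(sender) is not None

def sender_is_trusted(allowed_sender_list: str, sender: str) -> bool:
    """True if the sender (hostname, user@host or IP literal) matches any list entry.
    An empty (null) list trusts nobody, so with enableSenderVerification=true nothing passes."""
    entries = [e for e in allowed_sender_list.split(",") if e.strip()]
    return any(_matches(*_compile_entry(e), sender) for e in entries)
```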

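An added Python illustration, not product code and with assumed function names, of how an errorMessageStatusCodeList value is validated and matched: the "*", "x" and "X" single-digit wildcards, the restriction to 400-599, and the 20-entry limit described in Table 2.

```python
"""Validates an errorMessageStatusCodeList value and selects SIP error codes (illustrative, assumed names)."""
import re

def compile_status_code_list(spec: str):
    """Return the normalised patterns, enforcing the format rules of the property."""
    entries = [e.strip() for e in spec.split(",") if e.strip()]
    if len(entries) > 20:
        raise ValueError("errorMessageStatusCodeList allows at most 20 entries")
    patterns = []
    for e in entries:
        # exactly three characters: digits, or '*', 'x', 'X' standing for one digit each
        if not re.fullmatch(r"[0-9*xX]{3}", e):
            raise ValueError(f"malformed entry {e!r}")
        if e[0] not in "45*xX":
            raise ValueError(f"only 4xx and 5xx codes can be listed: {e!r}")
        patterns.append(e.lower().replace("*", "x"))   # 4** and 4XX both become 4xx
    return patterns

def status_code_selected(patterns, code: int) -> bool:
    """True if the response code matches a pattern; codes outside 400-599 are never
    selected, so '***' means all 4xx and 5xx codes rather than every response."""
    if not 400 <= code <= 599:
        return False
    digits = str(code)
    return any(all(p in ("x", d) for p, d in zip(pat, digits)) for pat in patterns)
```
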
Disabling security attribute propagation

Follow these steps to disable security attribute propagation. This is required when enableLTPABypass is set to true.

If you are using WebSphere Application Server version 7.0.0.7:
  1. Click Security > Global Security > Web and SIP security > single sign-on (SSO), and clear the Web inbound security attribute propagation check box.
  2. Click Security > Global Security > RMI/IOP security > CSIv2 inbound communications, and clear the propagate security attributes check box.
  3. Click Security > Global Security > RMI/IOP security > CSIv2 outbound communications, and clear the propagate security attributes check box.
If you are using WebSphere Application Server version 6.1.0.29:
  1. Click Security > Secure Administration > Web security > single sign-on (SSO), and clear the Web inbound security attribute propagation check box.
  2. Click Security > Secure Administration > RMI/IOP security > CSIv2 inbound authentication, and clear the security attribute propagation check box.
  3. Click Security > Secure Administration > RMI/IOP security > CSIv2 outbound authentication, and clear the security attribute propagation check box.

(C) Copyright IBM Corporation 2009. All Rights Reserved.