— Integrated Authentication Framework (IAF) —
Configuring the Integrated Authentication Framework
This document covers the following topics:
- Configuring Broker
- Configuring the IAF Server
Configuring Broker
Here is an example of how to configure a Broker to work with IAF:
DEFAULTS=BROKER
...
SECURITY=YES
...
DEFAULTS=SECURITY
AUTHENTICATION-TYPE="iaf://<machine>:<port>?TRUST_STORE=c:/temp/cert.pem"
SECURITY-LEVEL=AUTHENTICATION
where parameters such as TRUST_STORE reflect the definition of an SSL
connection to the IAF server. See SSL Parameters in section Broker Attribute File.
Note:
Make sure the CommonName inside the certificate is correct and that
the SSL connection on the IAF side has the appropriate certificates.
Configuring the IAF Server
IAF Server
The IAF server
- does not require a license file,
- needs a special attribute file,
- uses JCL or Argus Agents for maintenance.
Argus Agents
The top level agent is called "Integrated Authentication Framework 2.2"
and contains one sub-node: "Integrated Authentication Framework Service".
Select this second agent and right-click it to add a new local IAF server. On the
input mask, specify the SSL port and the transport mechanisms that should be
supported (SSL and/or NET).
When the new IAF server shows up in the tree view on the left pane, set
the focus on this new entry and use the right mouse click to modify the
attribute file. Complete the configuration of the IAF, mainly to point to the
user repository of your choice, which will be used for the authentication
requests.
Then use the right-click functions Start and Stop.
The log file can be inspected via a right mouse click function or can
alternatively be viewed in the IAF install directory under the subdirectory of
the name of the IAF server.
The underlying SSX authentication access module is defined in the IAF
section of the attribute file (DEFAULTS=IAF).
Attributes
| Attribute | Values (default first) | Opt/Req | Operating System (z = z/OS, u = UNIX, w = Windows) | Description |
|---|---|---|---|---|
| IAFVALIDTIME | 300, n | O | z, u, w | Default time the tokens are valid (in seconds). |
| MAXCACHEDUSERS | 100, n | O | z, u, w | User cache: maximum number of successfully authenticated users stored in the cache. |
| VALIDTIME | 0, n | O | z, u, w | User cache: length of time (in seconds) a user should remain in the cache. |
| DENYTIME | 60, n | O | z, u, w | Negative cache: deny access for n seconds for a specific user ID after DENYCOUNT failed authentications. |
| DENYCOUNT | 0, n | O | z, u, w | 0: deactivate. n: number of invalid authentications before each client request is rejected for the next DENYTIME seconds. |
| LOGLEVEL | 0, 1-6 | O | z, u, w | Log level for tracing. 0: off. 6: maximum trace level. |
| AUTHTYPE | OS, LDAP, ADSI, SAF | O | z, u, w | Native authentication types supported. OS: UNIX, Windows, z/OS. LDAP: UNIX, Windows, z/OS. ADSI: Windows only (Active Directory). SAF: z/OS only. |
| SERVERHOST | localhost | O | z, u, w | Name of the server for authentication. Note: can be omitted for AUTHTYPE=OS, is ignored for AUTHTYPE=SAF and is mandatory for AUTHTYPE=LDAP. |
| SERVERPORT | 389, n | O | z, u, w | See SERVERHOST. The port of the server. For LDAP, a default port of 389 is assumed. |
| WINUSELOGONUSERON2000 | 0, 1 | O | z, u, w | For AUTHTYPE=OS only. 0: by default, authentication on Windows 2000 is performed by the SSPI method, since LogonUser() is a privileged method on this Windows version. 1: use the Windows API LogonUser() even if running on Windows 2000. Note: if the account this process runs under holds enough privileges, you can use the LogonUser() function. This has certain advantages and is the default for all other supported Windows versions. |
| WINAUTHUSEREXIST | 1, 0 | O | w | For AUTHTYPE=OS only. Windows 2000 only. When the Guest account is enabled, any undefined user is automatically accepted and mapped to the Guest account. If set to true, the default SSPI-based authentication on Windows 2000 issues a second call to make sure that the user really exists. Note: if the Guest account is not enabled on the authentication server, WINAUTHUSEREXIST can be turned off for performance reasons. |
| LDAPPERSONBINDDN | "dc=People,dc=myorg,dc=com" | O | z, u, w | For AUTHTYPE=LDAP only. DN where the users can be found in the LDAP server. |
| LDAPUSERIDFIELD | cn | O | z, u, w | For AUTHTYPE=LDAP only. Name of the user ID field, as this varies between LDAP implementations. |
| LDAPCONNECTIONPEROPERATION | 0, n | O | z, u, w | For AUTHTYPE=LDAP only. 1: keep connections up until the IAF service is shut down. 0: reconnect with each authentication call. |
| LDAPSASLAUTH | 0, 1 | O | z, u, w | 1: use SASL authentication (type DIGEST-MD5). |
| LDAPSTARTTLS | 0, 1 | O | z, u, w | 1: use StartTLS, i.e. secure the LDAP communication with TLS before authenticating. |
| ADSIFORESTDN | "dc=myorg,dc=com" | O | w | For AUTHTYPE=ADSI only. Name of the forest DN. |
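The user cache and negative cache attributes above (MAXCACHEDUSERS, VALIDTIME, DENYCOUNT, DENYTIME) interact in ways worth seeing end to end; the following is an added Python model, not IAF code, and it assumes things the page does not specify: the backend is a callable `(user, password) -> bool`, a cache hit requires the same password (compared against a salted hash), eviction is least-recently-used, and a user's failure count restarts once DENYTIME has elapsed. `check()` returns `denied`, `cached`, `authenticated` or `rejected`.

```python
import hashlib
import hmac
import os
import time
from collections import OrderedDict

DEMO_USERS = {"alice": "s3cret", "bob": "hunter2"}  # constructed stand-in for the AUTHTYPE backend

def _digest(salt, password):
    return hashlib.sha256(salt + password.encode()).digest()

class IafAuthCache:
    """Model of the user cache (MAXCACHEDUSERS, VALIDTIME) and negative cache (DENYCOUNT,
    DENYTIME). Assumed: cache hit needs the same password, LRU eviction, count resets after DENYTIME."""

    def __init__(self, backend, maxcachedusers=100, validtime=120,
                 denycount=3, denytime=60, clock=time.monotonic):
        self.backend, self.clock = backend, clock      # backend: (user, password) -> bool
        self.maxcachedusers, self.validtime = maxcachedusers, validtime
        self.denycount, self.denytime = denycount, denytime
        self.cache = OrderedDict()   # user -> (salt, digest, expires_at)
        self.failures = {}           # user -> (count, denied_until)

    def check(self, user, password):
        now = self.clock()
        count, denied_until = self.failures.get(user, (0, 0.0))
        if denied_until:
            if now < denied_until:
                return "denied"       # negative cache: backend not consulted
            count = 0                 # DENYTIME elapsed: start a fresh count
        entry = self.cache.get(user)
        if entry and now < entry[2] and hmac.compare_digest(
                entry[1], _digest(entry[0], password)):
            self.cache.move_to_end(user)
            return "cached"           # served from the user cache
        if self.backend(user, password):
            salt = os.urandom(16)
            self.cache[user] = (salt, _digest(salt, password), now + self.validtime)
            self.cache.move_to_end(user)
            while len(self.cache) > self.maxcachedusers:
                self.cache.popitem(last=False)   # evict the least recently used user
            self.failures.pop(user, None)
            return "authenticated"
        count += 1
        if self.denycount and count >= self.denycount:
            self.failures[user] = (count, now + self.denytime)
            return "denied"
        self.failures[user] = (count, 0.0)
        return "rejected"
```

While a user ID is in the negative cache, even the correct password is refused without a backend call, so a low DENYCOUNT with a long DENYTIME is also a lockout lever against legitimate users.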