Universal Messaging can use the Software AG Security Infrastructure component (SIN) to provide server JAAS authentication capabilities. The SIN component provides a variety of options for using different authentication back-ends and implementing flexible authentication scenarios.

Full details of the Software AG Security Infrastructure component are available in the Software AG documentation web site in the document Software AG Infrastructure Administrator's Guide . See the description of the predefined login modules in that guide for details of setting up authentication using JAAS login modules and a description of the parameters available for configuring the login modules.

The SIN modules are delivered with the Universal Messaging distribution and are available on the Universal Messaging server classpath. By default the server is configured to use a JAAS context named UM-Default which is defined in a file jaas.conf, that resides under the server bin directory. The server configuration file Server_Common.conf (again under the server bin directory) defines the path to the JAAS configuration file as the value of the system property java.security.auth.login.config. The name of the JAAS context to be used for authentication is configured through the system property Nirvana.auth.server.jaaskey. Note that when this property is present, the server will use JAAS authentication, overriding any configured legacy directory-based authenticators. Finally, in order to enable the server authentication one needs to switch the flag Nirvana.auth.enabled to Y as well as modify the flag Nirvana.auth.mandatory to Y in order to make authentication mandatory.

The default values that come with a Universal Messaging server instance are:

The UM-Default JAAS context is pre-configured to use the Software AG default internal user repository as an authentication back-end.

Universal Messaging installation delivers a JAAS configuration file that comes with a pre-configured UM-Default JAAS context and templates for a few other authentication scenarios.

Besides using the Software AG internal user repository, SIN offers a variety of options for LDAP authentication:

The LDAP look up method involves logging on to the LDAP server either anonymously (if allowed) or by using a predefined principal, and performing a lookup for a user entry matching a certain attribute. Finally the SIN-specific LDAP login module will attempt to bind with the retrieved user's distinguished name and the supplied password. The following template configuration is provided where you should fill in the required properties:

With active directory the SIN-specific LDAP login module offers the possibility for a direct bind with the supplied username and password, using the following configuration template where the user should fill in the active directory URL.

It is also possible to attempt a direct bind against an LDAP server where the bind DN will be constructed by the SIN-specific JAAS login module using a prefix and a suffix, with the supplied username in-between. In this case the user is required to configure the URL of the LDAP server, as well as the prefix and the suffix to be used for the construction of the bind DN:

JAAS is extremely flexible and allows for using a combination of different back-ends, such as, several LDAP servers and/or repositories. For example it is possible to configure LDAP authentication with an internal user repository as a fallback mechanism:

To use any custom JAAS context, or any of the predefined templates, you would need to modify the value of the Nirvana.auth.server.jaaskey system property inside the Server_Common.conf file in the server bin directory, pointing it to the context to be used. At the moment the context name is globally defined for the entire server.