Authenticating Connections to the Universal Messaging Server
When Software AG Universal Messaging serves as the messaging provider, Integration Server acts as the client, and the Universal Messaging realm server acts as the server. Communication between Integration Server and the Universal Messaging server is secured by way of ACL management on the Universal Messaging server. You can add an extra layer of security for a connection between Integration Server and Universal Messaging, before the Universal Messaging server applies the ACLs, by authenticating the connection with a user name and password. You specify this authentication method when you create the Universal Messaging connection alias.
Note:
This feature applies to Integration Server 9.8 or later and Universal Messaging 9.6 or later.
When you configure a Universal Messaging connection alias to authenticate connections between Integration Server and Universal Messaging in this way, user credentials are exchanged using either the Simple Authentication and Security Layer (SASL) framework or the Java Authentication and Authorization Service (JAAS) framework. Universal Messaging uses the JAAS framework by default.
The Universal Messaging administrator determines which framework to use. Work with the Universal Messaging administrator to have the following items in place before you test the connection:
SASL framework: With this framework, the Universal Messaging server verifies user credentials based on a specified Directory instance, and credentials are stored in an internal directory or in an external directory such as LDAP. Work with the Universal Messaging administrator to have the following items in place:
Internal user repository. If you want to store user credentials in an internal user repository, the Universal Messaging administrator should create the repository using the Software AG Security Infrastructure command line tool. The Universal Messaging administrator should also set the Nirvana.directory.provider system property as indicated in the server property configuration table that follows.
External user repository configuration. If you want to store user credentials in an external repository such as LDAP, the Universal Messaging administrator should set the Nirvana.directory.provider system property as indicated in the server property configuration table that follows.
Server property configuration. The Universal Messaging administrator should set properties in the nserver.conf file, located in Universal Messaging_directory\server\umserver\bin\ on the Universal Messaging server, as follows:
Set this property | To |
Nirvana.auth.sagrepo.path | The relative or absolute path of the user credentials text file that the Security Infrastructure command line tool created |
Nirvana.directory.provider | One of the following: com.pcbsys.foundation.security.auth.fSAGInternalUserRepositoryAdapter (if user credentials are stored in an internal user repository) or com.pcbsys.foundation.security.auth.fLDAPAdapter (if user credentials are stored in an external user repository) |
Nirvana.auth.enabled | Y (If this parameter is set to N and credentials are passed with the connection request, the Universal Messaging server ignores the credentials and connects without authentication.) |
Nirvana.auth.server.mandatory | Y |
For more information about internal and external user repositories, the Security Infrastructure command line tool, and the nserver.conf system properties, see the Software AG Infrastructure Administrator's Guide and the Universal Messaging documentation.
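A configuration check for the SASL properties in the table above, added here as an example and not part of the Software AG documentation or product. It assumes each setting appears in nserver.conf either as a bare name=value line or as a -D system property on a wrapper.java.additional.N line; the function names and the sample text are constructed for illustration.

```python
import re

INTERNAL = "com.pcbsys.foundation.security.auth.fSAGInternalUserRepositoryAdapter"
LDAP = "com.pcbsys.foundation.security.auth.fLDAPAdapter"
# Accepts "Nirvana.x=v" bare or as "-DNirvana.x=v" (assumed wrapper layout).
PROP = re.compile(r"(Nirvana\.[A-Za-z.]+)\s*=\s*(.*)$")

def parse_nirvana_props(text):
    """Collect Nirvana.* settings from nserver.conf text, skipping # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        m = None if line.startswith("#") else PROP.search(line)
        if m:
            props[m.group(1)] = m.group(2).strip().strip('"')
    return props

def audit_sasl(props):
    """Return findings where props deviate from the SASL table on this page."""
    findings = []
    enabled = props.get("Nirvana.auth.enabled")
    if enabled == "N":
        findings.append("Nirvana.auth.enabled=N: client credentials are "
                        "ignored and connections are not authenticated")
    elif enabled != "Y":
        findings.append("Nirvana.auth.enabled is not set to Y")
    if props.get("Nirvana.auth.server.mandatory") != "Y":
        findings.append("Nirvana.auth.server.mandatory is not set to Y")
    provider = props.get("Nirvana.directory.provider")
    if provider not in (INTERNAL, LDAP):
        findings.append("Nirvana.directory.provider is not one of the two adapters")
    elif provider == INTERNAL and not props.get("Nirvana.auth.sagrepo.path"):
        # Reading of the table: the credentials file backs the internal repository.
        findings.append("Nirvana.auth.sagrepo.path is missing for the internal repository")
    return findings

# Constructed sample, not a real nserver.conf.
SAMPLE = """\
# authentication settings
wrapper.java.additional.20=-DNirvana.auth.enabled=N
wrapper.java.additional.21=-DNirvana.auth.server.mandatory=Y
wrapper.java.additional.22=-DNirvana.directory.provider=com.pcbsys.foundation.security.auth.fSAGInternalUserRepositoryAdapter
"""

if __name__ == "__main__":
    for finding in audit_sasl(parse_nirvana_props(SAMPLE)):
        print("FINDING:", finding)
```

The comparison with Y is exact, so a lowercase or misspelled value is reported rather than silently accepted.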
JAAS framework: With this framework, the Universal Messaging server invokes a JAAS login module to verify user credentials. Organizations might choose this method over SASL when they require custom logic for authenticating users (for example, when a custom service is needed to extract user credentials from an external database). Work with the Universal Messaging administrator to have the following items in place:
Login module. The login module contains the code that retrieves and validates passwords. If the user name/password combination supplied in the connection alias differs from what is specified in the login module, Integration Server displays an error message indicating that the connection failed.
JAAS configuration file. The Universal Messaging administrator should create a JAAS configuration file, which defines the JAAS key and calls the login module, on the Universal Messaging server.
Server property configuration. The Universal Messaging administrator should set properties in the nserver.conf file, located in Universal Messaging_directory\server\umserver\bin\ on the Universal Messaging server, as follows:
Set this property | To |
Nirvana.auth.server.jaaskey | noauth |
wrapper.java.classpath | The login module location |
For more information about login modules, JAAS configuration files, and the nserver.conf system properties, see the Software AG Infrastructure Administrator's Guide and the Universal Messaging documentation.