Quick Reference |
Integrated Authentication Framework allows for flexible creation, configuration, and usage of different authentication scenarios (IAF services) using System Management Hub web interface or a console window. By default, the installation of IAF does not create default authentication scenarios (IAF services) that can be used directly after install. In general, the authentication scenarios are defined in separate directories (within the IAF service directory) that contain IAF attribute files. On the other hand, the IAF attribute files comprise sets of properties that control the specifics of a particular IAF service. You create IAF services by creating the separate directories and the corresponding attribute files manually on the file system or using SMH web interface.
For more information about the properties of the IAF attributes files, see the Integrated Authentication Framework Attributes section within this chapter. In addition, more information about some commonly used authentication scenarios and the corresponding attribute file settings is given in the Integrated Authentication Framework Samples section of the reference documentation.
This document covers the following topics that describe how you can create, configure and manage authentication scenarios:
See also Integrated Authentication Framework Tools.
If you did not install System Management Hub as an administration console of your Integrated Authentication Framework, you can create and configure an IAF service (authentication scenario) manually on the file system.
To create an IAF service manually
Open the IAF services directory on the file system.
Software AG_directory\iaf\service
Create a directory in the service directory and provide a name in capital letters.
For example: "IAFCUSTOM"
Copy the iafnnn.atr attribute file from the service directory into the new directory and change its name.
Note:
The attribute file name must be the same as the name of the
directory in which it resides.
For example: "IAFCUSTOM.atr"
Open the newly created file for editing and change the
BROKER-ID = IAFnnn
to BROKER-ID =
<IAF_Service_Directory_Name>
.
For example: "BROKER-ID = IAFCUSTOM"
Configure the other settings in the attribute file depending on the authentication you want to perform.
For more information about the IAF attributes, see Integrated Authentication Framework Attributes
Save your changes and close the file.
If you installed System Management Hub as an administration console of your Integrated Authentication Framework, you can create and configure an IAF service (authentication scenario) on the SMH web interface.
To create an IAF service in SMH
Open a web browser and start SMH web interface.
http://localhost:<port_number>/smh
Note:
The default SMH port number is 10010. If you specified an
alternative SMH port number during the installation, use the alternative port
number instead.
Log on using the account with which you installed IAF.
On the tree that opens on the left hand-side of the System Management panel, navigate to: > > > .
Right click Integrated Authentication Framework Service
From the context menu, choose
.On the Add Service window, enter the following information:
Service Name
Enter an IAF service name using capital letters only.
TCP Service Port Number
SSL Port Number
Specify the SSL port and the TCP port that is used for administrative purposes. Security-related communication is only available via the SSL port (with the exception of a local NET communication on z/OS)
As a result, System Management Hub creates a directory with the IAF service name in the Software AG_directory\iaf\service\ directory.
Right click the newly created IAF service in the tree view on the left pane.
From the context menu, choose
.Complete the configuration of IAF, mainly to point to the user repository of your choice, which will be used for the authentication requests.
Note:
You can modify the attributes of the newly created IAF service by
editing the corresponding attribute file on the local file system. You can find
the file in the following directory: Software
AG_directory\iaf\service\new_service_directory\new_service_directory.atr.
Before every manual start of Integrated Authentication Framework (without SMH) on UNIX based operating systems, you need to set some shell environment variables. The installation generates the Bourne shell script iaf_setenv.sh in the Software AG_directory/conf. Execute the shell script with the user with which you installed IAF.
The iaf_setenv.sh script defines the following mandatory product-specific global shell environment variables:
Variable | Description |
---|---|
Software AG_directory | Identifies the root directory in which Software AG products are installed. |
IAFDIR | Identifies the base installation directory for Integrated Authentication Framework (typically Software AG_directory/iaf) |
IAFVERS | Identifies the product version.
Note: |
In addition iaf_setenv.sh modifies the PATH environment variable.
directory $IAFDIR/$IAFVERS/bin is added to the list of directories in the PATH environment variable
See iaf_setenv.sh for a complete set of environment settings.
You can start (or stop) an IAF service using any of the instructions sets below:
Note:
On UNIX based operating systems, you must start the
iaf_setenv.sh shell script before you start the IAF
service. For more information, see UNIX
Environment Prerequisites and Settings.
To start (or stop) an IAF service from within the services directory
Start a console window and open the following directory:
Software AG_directory\iaf\service\service_directory
Start the IAF service using the following commands depending on the operating system:
Windows
..\..\bin\iafnuc.exe -a
<attribute_file_name>.atr
For example: ..\..\bin\iafnuc.exe -a
IAFCUSTOM.atr
UNIX
../../bin/iafnuc -a
<attribute_file_name>.atr
For example: ../../bin/iafnuc -a
IAFCUSTOM.atr
To stop an IAF service, execute the following commands depending on the operating system:
Windows
Close the console window or press CTRL+C.
UNIX
kill -2
procID
To start (or stop) an IAF service from within the bin directory
Start a console window and open the following directory:
Software AG_directory\iaf\bin
Start the IAF service using the following commands depending on the operating system:
Windows
iafstart.bat
<service_directory_name>
For example: iafstart.bat IAFCUSTOM
UNIX
sh iafstart
<service_directory_name>
For example: sh iafstart IAFCUSTOM
To stop an IAF service, execute the following commands depending on the operating system:
Windows
iafstop.bat
<service_directory_name>
For example: iafstop.bat IAFCUSTOM
UNIX
sh iafstop
<service_directory_name>
For example: sh iafstop IAFCUSTOM
To start (or stop) the IAF service using SMH
Open a web browser and start SMH web interface.
http://localhost:<port_number>/smh
Note:
The default SMH port number is 10010. If you specified an
alternative SMH port number during the installation, use the alternative port
number instead.
Log on using the account with which you installed IAF.
On the tree that opens on the left hand-side of the System Management panel, navigate to: > > > > .
Right click the <IAF_Service_Entry>.
From the context menu, choose
(or ).Note:
To enable automatic start of a configured IAF service when the
Software AG Integrated Authentication Framework service is
started, right click the
<IAF_Service_Entry> and
then choose . That option is available
on Windows operating systems only.
View the log file in the IAF install directory under the subdirectory of the name of the IAF server.
To open the IAF service log file on the local file system
Open the following directory:
Software AG_directory\iaf\service\IAF_service_directory
Open the log file:
IAF_service.log
To inspect the IAF service log file using SMH
Open a web browser and start SMH web interface.
http://localhost:<port_number>/smh
Note:
The default SMH port number is 10010. If you specified an
alternative SMH port number during the installation, use the alternative port
number instead.
Log on using the account with which you installed IAF.
On the tree that opens on the left hand-side of the System Management panel, navigate to: > > > > .
Right click the <IAF_Service_Entry>.
From the context menu, choose
.The section DEFAULTS=IAF
within the
iafnnn.atr file contains the IAF related attributes to
configure the specific behavior of the Authentication Service.
Attribute | Values | Opt/ Req |
Operating System | ||||
---|---|---|---|---|---|---|---|
IAF Service Parameters | |||||||
IAF_LISTENADDRESS | string | R | u | w | |||
Name of the IAF service. All IAF tokens will contain this field as an identifier. Currently this field is for documentation purposes only. If in doubt, specify "localhost". |
|||||||
IAFVALIDTIME | 300 | n seconds | O | u | w | |||
Default length of time the tokens are valid. |
|||||||
LOCALCODEPAGE | IBM-037 (z/OS)| ISO-8859-1 (other) | O | u | w | |||
The internal codepage that is used to communicate with the underlying user repositories | |||||||
IAF Delegation Parameters | |||||||
IAFVERIFYDELEGATEDUSER | YES | NO | O | u | w | |||
Determines whether a check should be performed to verify that the delegated user ID really exists. |
|||||||
IAFDELEGATEDAUTHUSER | string | O | u | w | |||
ID of the technical user that will access the user repository. |
|||||||
IAFDELEGATEDAUTHDOMAIN | string | O | u | w | |||
Domain name of the technical user. |
|||||||
IAFDELEGATEDAUTHPASS | string | O | u | w | |||
Encrypted password of the technical user. Use the program IAFCryptDelegatedPwd to create the correct value. |
|||||||
IAFDELEGATEDCERTPATH | string | O | u | w | |||
Alternate path (directory) where the certificates for the delegated authentication can be found. Default: look in the etc directory of the installation path. To create these files, use the tool CertNameGenerator.jar. | |||||||
IAFDELEGATEDAUTHTIMEJITTER | n seconds | O | u | w | |||
The delegated authentication call not only requires a signature, it must also be performed within a certain time interval. Allow for a time lag of n seconds between the requesting machine and the one where the IAF service is running. | |||||||
SSX Common Configuration Parameters | |||||||
AUTHTYPE | OS | LDAP | ADSI | INTERNAL | R | u | w | |||
Native authentication type.
For |
|||||||
VALIDTIME | 0 | n seconds | O | u | w | |||
User cache: Length of time (in seconds) a user should remain in the cache. 0=Deactivate this cache. | |||||||
DENYTIME | 60 | n seconds | O | u | w | |||
Negative cache: Deny access for
n seconds for a specific user ID after the
DENYCOUNT number of false authentications.
|
|||||||
DENYCOUNT | 0 | n | O | u | w | |||
Number of invalid authentications
before each client request will be rejected for the next
DENYTIME seconds.
|
|||||||
MAXCACHEDUSERS | 100 | n | O | u | w | |||
User cache: Maximum number of successfully authenticated users stored in the cache. | |||||||
LOGFILE | string | O | u | w | |||
Full file path to the log file. | |||||||
LOGLEVEL | 6 | n | O | u | w | |||
Defines log level. Valid values are integers from 0 to 6. | |||||||
DEFAULTDOMAIN | string | O | u | w | |||
The default domain name. | |||||||
SSX OS Configuration Parameters | |||||||
AUTHDPATH | Format: string | O | u | ||||
Explicit path of the privileged daemon process. | |||||||
UNIXADDMACHINENAME | false | true | O | u | ||||
Return the UNIX hostname in front of all user and group names returned. Example: "UNIXWRK1\UserName". | |||||||
DEFAULTGROUP | string | O | u | w | |||
For
AUTHTYPE=OS and
AUTHTYPE=LDAP only: always show this group to
contain all users.
|
|||||||
WINNOIMPERSONISATION | false | true | O | w | ||||
Windows only. When performing repository queries, normally the authenticated user is impersonated when the call has been made. However, when the authenticated user does not have enough access rights, the impersonation can be switched off and access is performed under the ID of the user that started the IAF service. | |||||||
SSX INTERNAL Parameter | |||||||
INTERNALREPOSITORY | file | O | u | w | |||
Only for
AUTHTYPE=INTERNAL . Name of the file that
contains the user repository.
|
|||||||
SSX LDAP Configuration Parameters | |||||||
SERVERHOST | host_name | O | u | w | |||
Name of the server for
authentication. Mandatory for AUTHTYPE=LDAP ;Can be omitted for AUTHTYPE=OS ;ignored for AUTHTYPE=INTERNAL .
|
|||||||
SERVERPORT | 389 | n | O | u | w | |||
See
SERVERHOST . The port of the server. For LDAP, a
default port of 389 is assumed.
|
|||||||
LDAPSERVERTYPE | OpenLDAP | ActiveDirectory | SunOneDirectory | Tivoli | Novell | ApacheDS | O | u | w | |||
LDAP server type. | |||||||
LDAPSSLCONNECTION | true | false | O | u | w | |||
Set this to "true" if the LDAP connection is being made over an SSL-secured port (normally 636). | |||||||
LDAPPERSONBINDDN | distinguishedName | O | u | w | |||
Distinguished name of a node where
the user entries are located. Example:ou=Germany,dc=mycorp,dc=com |
|||||||
LDAPGROUPBINDDN | distinguishedName | O | u | w | |||
Root node as base for all group searches. | |||||||
LDAPUSERIDFIELD | cn | string | O | u | w | |||
Attribute name that contains the user ID. | |||||||
LDAPGROUPIDFIELD | cn | string | O | u | w | |||
Attribute keyword for groups. | |||||||
LDAPPERSONOBJECTCLASS | string | O | u | w | |||
objectClass
that denotes (most uniquely) a user.
|
|||||||
LDAPGROUPOBJECTCLASS | string | O | u | w | |||
objectClass
that denotes (most uniquely) a group.
|
|||||||
LDAPALLOWDOMAINASBASBINDDN | false | true | O | u | w | |||
Allows you to specify a full DN as
the domain ID (example: ou=users,dc=mycomp,dc=com ). This can be
used especially together with the Delegated Authentication feature and the
Technical User feature.
|
|||||||
LDAPPERSONPROPERTYATTR | string | ||||||
Specify the list of attributes to be returned when reading user attributes. | |||||||
LDAPGROUPPROPERTYATTR | string | O | u | w | |||
Specify the list of attributes to be returned when reading group attributes. | |||||||
RESOLVEGROUPS | RU | RD | CP | O | u | w | |||
LDAP group resolution, i.e. how do we find all groups that a user is a member of?
|
|||||||
LDAPPERSONGRPATTR | string | O | u | w | |||
Group resolution. If "RU" is specified: user attribute that points to the list of groups. | |||||||
LDAPGROUPUSRATTR | string | O | u | w | |||
Group resolution. If "RD" is specified: group attribute that points to the list of members. | |||||||
RESOLVEGROUPSPROPERTY | string | O | u | w | |||
LDAP group resolution: if
"CP" is specified in
RESOLVEGROUPS , use this user property.
|
|||||||
FOLLOWREFERRALS | false | true | O | u | w | |||
Specify whether the SSX must follow referrals or not. | |||||||
REFSERVERBINDINGTYPE | same_creds | no_creds | O | u | w | |||
Specify the binding during
referral following. same_creds - use same credential for authentication to the next LDAP server; no_creds - use anonymous binding for the next server. |
|||||||
REFERRALHOPSCNT | 1 | n | O | u | w | |||
Count of the referral hops. If this parameter is not specified the count is unlimited. | |||||||
TECHLDAPUSERCREDFILE | filename | O | u | w | |||
LDAP technical user support. Specify the complete path of the file name where the userId and the encrypted password can be found. See also Creating Technical User Credential Files. | |||||||
TECHLDAPUSERKEYFILE | keyfile | O | u | w | |||
LDAP technical user support. Specify the complete path of the file name, where keyvalue can be found to decrypt the technical user's password. See also Creating Technical User Credential Files. | |||||||
USELDAPTECHUSER | false | true | O | u | w | |||
LDAP technical user support. Specify true to activate this feature. See also Creating Technical User Credential Files. | |||||||
ADSI Parameters | |||||||
SERVERHOST | string | O | u | w | |||
Name of the server for
authentication. Can be omitted for AUTHTYPE=OS ;ignored for AUTHTYPE=INTERNAL ;mandatory for AUTHTYPE=LDAP .
|
|||||||
SERVERPORT | 389 | n | O | u | w | |||
See
SERVERHOST . The port of the server. For LDAP, a
default port of 389 is assumed.
|
|||||||
ADSIFORESTDN | distinguishedName | O | u | w | |||
For
AUTHTYPE=ADSI only. Name of the ActiveDirectory
forest.
Caution: |
|||||||
ADSIPERSONBASEBINDDN | distinguishedName | O | u | w | |||
ADSI: root node as base for all user searches | |||||||
ADSIGROUPBASEBINDDN | distinguishedName | O | u | w | |||
ADSI: root node as base for all group searches |