Security Infrastructure (SIN) provides default login modules.
You can use the default modules to do the following:
Authentication, role, user, and group management
Support additional backend authentication systems
Exchange credentials through the SharedStateMap
for internal SSO
The default modules are as follows:
For more information about deprecated login modules in Security Infrastructure, see Deprecated Login Modules
SagAbstractLoginModule is the basic login
module in SIN. It provides you with a commit() method
that uses the global configuration parameters. See
Configuration
Parameters for details.
Use this login module for the following:
Extend it to create your own login modules.
Create the SagUserPrincipals with the
information stored in the shared map through the authentication process.
When setting up the JAAS configuration, keep in mind the following basics:
The SIN-based login contexts return zero or only one
SagUserPrincipal if the authentication succeeds. When
setting up the JAAS configuration, keep in mind that some applications expect
only one SagUserPrincipal as the result of a successful
authentication. If your application expects more than one user principal, you
must configure the login context accordingly.
Keeping the password in clear text in the
Subject.privateCredentials may constitute a security
risk, depending on how the Subject is handled. However, there are use cases
where the password needs to be accessible through the Subject, so you must
store the password only if needed.
You use the InternalLoginModule to authenticate
against a user repository defined as a file on the file system. This is the
default authentication mechanism for all webMethods suite products.
In case of successful authentication, the
InternalLoginModule provides a user repository manager.
It also creates a SagUserPrincipal object, and,
optionally, a set of SagGroupPrincipal objects.
The following table outlines the configuration parameters for the
InternalLoginModule.
| Parameter | Description |
|---|---|
domain |
Optional. String. Specifies the domain name to be used for authentication.
Applicable if the domain usage is activated for the
|
internalRepository |
Specifies the path to the internal user repository file. |
groupRepositoryPath |
Optional. Specifies the path to the internal group repository file. |
The user-defined repository files must comply with the following format:
* * Default test repository for INTERNAL based authentication * * Copyright (c) 2001 - 2013 Software AG, Darmstadt, Germany and/or Software AG USA, * Inc., Reston, VA, United States of America, and/or their licensors. All rights reserved. version:3.0 * * user:username:$6a$kMpE+PvDv83zjcQe6fk7rWEiK80V73qoy9OZzr0J4p4W3K1g9x1w2zEadkEjL2OLm1cozDfKJD7ZJckE3AysKw== group repository: *
* * Default test repository for INTERNAL based authentication * * Copyright (c) 2001 - 2013 Software AG, Darmstadt, Germany and/or Software AG USA, * Inc., Reston, VA, United States of America, and/or their licensors. All rights reserved. version:3.0 * * admin:1:administrator,user2 testadmin:2:user2 *
The following sample excerpt outlines the INTERNAL mode of the
InternalLoginModule and the corresponding configuration
included in a login context of a JAAS configuration file.
LoginINTERNAL {
com.softwareag.security.jaas.login.internal.InternalLoginModule required
domain=
logCallback=true
create_group_principal=true
internalRepository="/tmp/myrepo/internalUserRepo"
groupRepositoryPath="/tmp/myrepo/internalGroupRepo";
};
The LDAPLoginModule enables you to use an
external directory to authenticate users. For more information about using
internally defined users and groups, see InternalLoginModule.
You can configure LDAP through:
LDAPLoginModule
an LDAP service using the Integration Server Administrator user interface
For more information about configuring the LDAP services using Integration Server, see the Administering webMethods Integration Server guide.
You can define your JAAS configuration to access information from an external directory if your site uses one of the following external directories for user and group information:
Lightweight Directory Access Protocol (LDAP)
Active Directory acting as an LDAP server
The following table outlines the JAAS configuration properties for all LDAP connections.
| Parameter | Description |
|---|---|
alias |
Optional. Specifies the alias of the LDAP configuration entry. If not
specified, it is set to match the A valid value is any string of characters. No default value. |
url |
Optional. Specifies the URL to the LDAP server. If you want to use an SSL connection to the LDAP server, the URL should start with "ldaps", and you should provide truststore and/or keystore parameters. The expected format is: "ldap://<host>:<port>" or "ldaps://<host>:<port>". No default value. |
domain |
Optional. String. Specifies the domain name to be used for authentication.
Applicable if the domain concept is activated for the
|
noPrinIsAnonymous |
Required. Specifies whether the technical user that connects to the LDAP server must also be used for LDAP authentication. Valid values are:
|
prin |
Required only if Specifies the distinguished name (DN) of the technical user that connects to the LDAP server if an anonymous access to the LDAP server is not allowed. No default value. |
cred |
Required only if Specifies the password of the technical user that connects to
the LDAP server. You use it together with the A valid value is any string of characters. No default value. |
useaf |
Optional. Boolean. Specifies whether to use affixes (dnprefix and dnsuffix) or not. Use the affixes for an easier construction of user DNs with less errors. Valid values are:
|
dnprefix |
Optional. String. Specifies the prefix to attach in front of the username when
performing operations on the LDAP server. To use this parameter, you should
have A valid value is any string of characters. No default value. |
dnsuffix |
Optional. String. Specifies the suffix to attach after the username when performing operations on the LDAP server. A valid value is any string of characters. No default value. |
usecaching |
Optional. Boolean. Specifies if the LDAP framework caches users and/or groups. Valid values are:
|
mattr |
Optional. The login module uses this parameter when performing
member-search operations. The meaning of this parameter depends on the value of
A valid value is any string of characters. No default value. |
memberinfoingroups |
Optional. Boolean. Specifies whether the login module searches users in a group or
groups in a user. You can use it only if the Valid values are:
|
creategroups |
Optional. Boolean. Specifies whether to extract the groups of the logged-in user from the LDAP server. Valid values are:
|
gidprop |
Optional. Specifies the LDAP group attribute. A valid value is any string of characters. No default value. |
grouprootdn |
Optional. Specifies from where to start searches for groups. A valid value is any string of characters. No default value. |
groupobjclass |
Optional. Specifies that the found object is a group. The login module uses this parameter when searching for groups. The default value is "group". |
personobjclass |
Optional. Specifies that the found object is a person. The login module uses this parameter when searching for users. The default value is "person". |
The following sample excerpt outlines and the
corresponding configuration included in a login context of a JAAS configuration
file.
ExampleRealm {
com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule sufficient
alias="name1";
com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule sufficient
alias="name2";
com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule sufficient;
com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule required
alias="name3"
url="ldap://localhost:389"
prin="CN=sectest,OU=user,dc=example,dc=org"
cred="******"
useaf="true"
dnprefix="CN="
dnsuffix=",OU=user,dc=example,dc=org"
usecaching="false"
mattr="roleoccupant"
memberinfoingroups=false
creategroups=true
gidprop="CN"
grouprootdn="OU=Groups,dc=example,dc=org"
groupobjclass="organizationalRole"
personobjclass="organizationalPerson";
};
You use SAMLAssertValidatorLoginModule to
validate the delegation ticket issued from
SAMLAssertIssuerLoginModule. You can use it for both
SAML 1.1 and SAML 2 assertion validation.
None.
The following sample excerpt outlines
SAMLAssertValidatorLoginModule and the corresponding
configuration included in a login context of a JAAS configuration file.
The following login context is installed by default with Common Platform.
/** Login context used in Common Platform for a default authentication **/
Default {
// SSOS login module for SAML signed assertion validation
com.softwareag.security.idp.saml.lm.SAMLAssertValidatorLoginModule sufficient;
// Internal repository login module (java based)
com.softwareag.security.jaas.login.internal.InternalLoginModule required
template_section=INTERNAL
logCallback=true
internalRepository="C:/softwareag/common/conf/users.txt"
create_group_principal=true
groupRepositoryPath="C:/softwareag/common/conf/groups.txt";
};
You use SAMLAssertIssuerLoginModule to issue a
SAML1.1 or SAML 2 assertion as a delegation ticket between Software AG
products.
You can only use the SAMLAssertIssuerLoginModule in a
chain of login modules. Using this login module on its own, in a separate login
context, is not possible, because it is the other modules in a given login
context that perform the actual authentication of the user. When the
authentication is successful, SAMLAssertIssuerLoginModule issues a
SAML assertion where the fully qualified name of the authenticated user is part
of the Subject of the
AuthenticationStatement attribute of the SAML 1.1
assertion and the SubjectConfirmation attribute of
the SAML 2 assertion. Optionally, the assertion contains a list of groups
(where such are available) as part of the
AttributeStatement attribute of the SAML
assertion.
The SAMLAssertIssuerLoginModule has a single
parameter that you set in the JAAS configuration.
| Parameter | Description |
|---|---|
forceSamlVersion |
Optional. Defines which SAML assertion version to use to issue the delegation token. Valid values are:
|
The following sample excerpt outlines
SAMLAssertIssuerLoginModule and the corresponding
configuration included in a login context of a JAAS configuration file.
First, InternalLoginModule authenticates the
user. If the authentication is successful,
SAMLAssertIssuerLoginModule issues a SAML 1.1 assertion
to be used as a delegation ticket.
/** Login Configuration for the SAMLAssertIssuerLoginModule. **/
SAMLIssuerRealm {
// Internal repository login module (java based)
com.softwareag.security.jaas.login.internal.InternalLoginModule required
template_section=INTERNAL
logCallback=true
internalRepository="C:/softwareag/common/conf/users.txt"
create_group_principal=true
groupRepositoryPath="C:/softwareag/common/conf/groups.txt";
// SSOS login module for SAML 1.1 signed assertion issuance
com.softwareag.security.idp.saml.lm.SAMLAssertIssuerLoginModule sufficient
forceSamlVersion="1.1";
};
You use JMXDelegatedAuthLoginModule to validate
the delegation ticket issued from
SAML1AssertIssuerLoginModule or directly from the SSO
service. You can use it for both SAML 1.1 and SAML 2 assertion validation. The
purpose of this login module is to support the JMX delegation mechanism. The
login module gets a delegation ticket from the password field of the supplied
credentials.
None.
The following sample excerpt outlines
JMXDelegatedAuthLoginModule and the corresponding
configuration included in a login context of a JAAS configuration file.
The following login context is installed by default with Common Platform.
/*
* Login context, used in common Platform for management channel.
*/
PlatformManagement {
// SSOS login module for SAML signed assertion validation
// used for delegated authentication only for JMX
com.softwareag.security.idp.saml.lm.JMXDelegatedAuthLoginModule sufficient;
// Internal repository login module (java based)
com.softwareag.security.jaas.login.internal.InternalLoginModule required
template_section=INTERNAL
logCallback=true
internalRepository="C:/softwareag/conf/users.txt";
};
You use ServletHeaderLoginModule to extract
information from an HttpServletRequest which is sent
to the login module as part of the SagCredentials. The
login module extracts the X.509 certificate chain or SAML artifacts, which are
received as a result of an HTTPS with
ClientAuthentication against a web server. The login
module enters this information into the SagCredentials
and makes it available to other login modules used in the login context of a
JAAS configuration file. Optionally, the login module can extract more
information, such as user names and passwords.
The following table outlines the parameters of
ServletHeaderLoginModule.
| Parameter | Description |
|---|---|
saml_artifact_prop_name |
Optional. Defines the name of the SAML artifact property. The default
value is |
netegrity_siteminder_prop_name |
Optional. Defines the name of the Netegrity SiteMinder property. The
default value is |
The following sample excerpt outlines
ServletHeaderLoginModule and the corresponding
configuration which is included in a login context of a JAAS configuration
file.
/** Login Configuration for the ServletHeaderLoginModule. **/
ServletHeaderLogin {
com.softwareag.security.jaas.login.modules.ServletHeaderLoginModule optional;
};
You use SimpleNameMappingLoginModule to map a
user name that is in the sharedState or
CallbackHandler to another user name, which is for
example in a different user repository. The login module sends the result in
the sharedState map. Depending on the parameters you
include in the JAAS configuration file, you can provide different mapping modes
with the login module. The properties mapping mode is based on a Java
properties file. The regular expression mapping mode is based on the
java.util.regex package. To enable a mapping mode you must
use the corresponding configuration parameter in the JAAS configuration. Note
that you cannot use both mapping modes at the same time.
For more sophisticated mapping method, you can sub-class
SimpleNameMappingLoginModule. Using the following sample
excerpt, you can rework the method as explained. You can use the context
parameter to define the target context for which the mapping is performed. The
SagCredentials are sent by the application which calls
the login module and therefore, must not be modified. You set the values of the
super class variables using the mapName method and
mapPassword method, if applicable.
protected mapName(String context, SagCredentials credentials, Map options) throws SagGeneralSecurityException
The following table outlines the parameters of
SimpleNameMappingLoginModule.
| Parameter | Description |
|---|---|
user_mapping_url |
Mandatory only if you use properties file mapping. It defines the URL of the Java properties file that contains the mapping information. |
user_mapping_regex |
Required only if you use regular expression mapping. It defines what regular expression to use to collect the user name from the input name. |
user_mapping_matchgroup |
Optional. Defines the regular expression group which is used for the
results of the regular expression. The default value is
|
The following sample excerpt outlines
SimpleNameMappingLoginModule and the corresponding
configuration which is included in a login context of a JAAS configuration
file.
/** Login Configuration for the SimpleNameMappingLoginModule.**/
PropertyNameMappingLogin {
com.softwareag.security.jaas.login.modules.SimpleNameMappingLoginModule required
user_mapping_url="file:/D:/java/jaas_usermapping.properties";
};
RegexNameMappingLogin {
com.softwareag.security.jaas.login.modules.SimpleNameMappingLoginModule required
user_mapping_regex=".*CN=([^,/]+).*";
};
You use X509CertificateLoginModule to verify
one or more than one X.509 certificate. The login module builds all chains of
trust and at least one chain must end at the Trust Anchor. All certificates in
the chain are verified according to the Public Key Infrastructure extensions
(PKIX). The module checks the statuses of the certificates against Certificate
Revocation Lists (CRLs). It can import missing certificates from PKCS#7 files.
To get the CRL, the validation of the login module supports CRL distribution
point (CRL DP). To enable CRL DP, you can set the value of the Java system
property com.sun.security.enableCRLDP to
"true". The login module also
provides direct trust. This means that the module checks whether the end entity
certificate is part of the truststore. If it is, direct trust is created and
further CRL checks are disabled.
Software AG recommends that you use a PassMan
component in the TODO section of your application to
protect the keystore passwords.
The following table outlines the parameters of the
X509CertificateLoginModule. The parameters allow you to
extend the login module functionality and plug in other certificate validation
methods in it.
| Parameter | Description |
|---|---|
truststore_url |
Defines the URL of the keystore which contains the Trust Anchors. This is the RootCA or certificate authority (CA) certificates that are trusted. |
truststore_password |
Defines the password of the trust keystore. |
truststore_type |
Optional. Defines the type of the trust keystore. Valid values are:
|
check_crl_status |
Boolean. The following list outlines the possible options:
|
crl_url |
Mandatory if the Defines the URLs of the CRL for the end entity certificate. The URLs are separated by a space. |
overwrite_username |
Optional. Boolean. Valid values are:
|
additional_certificates_container_url |
Optional. Defines the URL of the container of additional certificates. |
additional_certificates_container_type |
Optional. Defines the type of the container of additional certificates. Valid values are:
|
additional_certificates_container_password |
Mandatory only if the
Defines the password of the certificate container. |
The following sample excerpt outlines
X509CertificateLoginModule and the corresponding
configuration that is included in a login context of a JAAS configuration file.
The example also shows how the login context reads
crl_url, truststore_url, and
truststore_password from the Java system parameters.
Note that every Java system parameter that is included in the JAAS
configuration file must have a value that differs from
NULL or the empty string. Failure to do so may
cause an exception on the system.
/** Login Configuration for the X509CertificateLoginModule **/
X509Login {
com.softwareag.security.jaas.login.modules.X509CertificateLoginModule required
check_crl_status=true
crl_url="${com.softwareag.security.crl.url}"
truststore_url="${com.softwareag.security.truststore.url}"
truststore_password="${com.softwareag.security.truststore.password}"
truststore_type=jks
overwrite_username=false
additional_certificates_container_url="${com.softwareag.security.certificate.container.url}"
additional_certificates_container_type="jks"
additional_certificates_container_password="="${com.softwareag.security.certificate.container.password}";
};
You use SAMLArtifactLoginModule to verify
credentials received as SAML artifacts. The module uses the
opensaml library and supports SAML version 1.1. It sends
a request and validates the SAML artifact against a SAML endpoint, which is the
authority issuer of the artifact. The authentication is successful only if the
endpoint validates the SAML artifact successfully. The result of the validation
is a SAML response that contains information about the owner of the artifact. A
part of this response is the user name. If configured in the JAAS configuration
file, the login module can overwrite the user name in the
SagUserPrincipal with the one that is received in the
SAML response.
The following table outlines the parameters of
SAMLArtifactLoginModule.
| Parameter | Description |
|---|---|
saml_identity_provider_url |
Defines the URL of the SAML authority that validates the artifact. |
overwrite_username |
Optional. Boolean. Valid values are:
|
The following sample excerpt outlines
SAMLArtifactLoginModule and the corresponding
configuration that is included in a login context of a JAAS configuration file.
In this example, the login context reads the
saml_identity_provider_url parameter from the Java
system parameters. Note that every Java system parameter that is included in
the JAAS configuration file must have a value that differs from
NULL or empty string. Failure to do so may cause
an exception on the system.
/** Login Configuration for the SAMLArtifactLoginModule **/
SAMLArtifactLogin {
com.softwareag.security.jaas.login.modules.SAMLArtifactLoginModule required
saml_identity_provider_url="${com.sample.security.saml.samlendpoint}"
overwrite_username=true;
};
With this login module, you can authenticate users and retrieve groups through the native SSX library.
SSXLoginModule is distributed as a template
property file within the sin-ssx.jar file. It performs
authentication using one of the following combination of credentials:
User name and password
User name, password and an IAF token (or IAF artifact)
IAF token (or IAF artifact) only
See SSXLoginModule
Configuration Template for the content of the template
file.
Note:
The template file holds the properties that will be changed rarely,
while the configuration file holds the properties that will be changed
frequently.
Authentication is done against LDAP, Active Directory, IAF server, or operating system.
In the case of authentication against an IAF server, you may receive an IAF token or artifact during delegated authentication that is added as a SecurityToken to the SharedMap. This IAF token authenticates you. Authentication is done in the following way:
The module verifies the token against the IAF server.
After verification, the module confirms the token's validity and your user identity.
To use SSXLoginModule
Set sin-common.jar and sin-ssx.jar in the classpath.
Set the <dlls> in
java.library.path.
To configure SSXLoginModule
Configure SSXLoginModule to use RMI
Configure and start the RMI server.
There is a set of default parameters for the configuration of
SSXLoginModule. These parameters are used by default and
you can overwrite all of them within the JAAS configuration file.
The information about the SSXLoginModule custom
parameters is organized under the following
headings:
SSXLoginModule has several custom parameters
for the module options.
Specify your own options, including the mandatory ones that are not included in the template. Your parameters overwrite the ones from the template file.
Security Infrastructure supports a mechanism for overwriting SSX properties which complies with the following pattern:
Initially, Security Infrastructure verifies all locally configured settings.
If the OPTIONS_URL parameter is configured,
the functionality attempts to obtain the properties remotely.
If the URL address is configured but the respective properties
cannot be read and verified, the result is null and the login
module is disregarded.
If the remote properties are verified successfully, the functionality overwrites the respective locally set properties.
If the remote file provides properties that are not available in the local settings, then the remote properties are taken into account. However, if the remote file does not provide information about any locally set properties, then the functionality preserves the local settings.
The following table outlines the SSXLoginModule
parameters for common configuration.
| Parameter | Description |
|---|---|
options_url |
Optional. Defines the URL that specifies the location of the properties file. It may contain any of the listed SSX login module parameters. It allows you to manage all SSX properties centrally. No default value. Note: |
UseDomainForOptionsURL |
This parameter appends the domain to the value of the
Valid values are:
|
template_section |
The value is a section from the template authentication properties file. Note: Valid values are:
No default value. |
create_user_principal |
Optional. Creates Valid values are:
|
defaultDomainName |
Optional. Specifies the default domain name. If the
No default value. |
CreateGroups |
Optional. Specifies whether the login module creates user groups. Valid values are:
|
CreateGroupProperties |
Optional. Specifies whether the login module creates user group properties. Valid values are:
|
CreateUserProperties |
Optional. Specifies whether the login module creates user properties. Valid values are:
|
propertyMapping.number |
Optional. Specifies the number of mapped properties. Use this property if you want to have property mapping. A valid value is any positive integer value. No default value. |
propertyMapping.X.key /
propertyMapping.X.value |
Required only if
Specifies key/value pairs for the property mapping. Valid values: X (key and value) runs through all values from "0"
to "( No default value. |
nativeLogFile |
Optional. Specifies the output file for logging. No default value. |
nativeLogLevel |
Optional. Specifies the value of the logging level. Valid values are the Integer values from 1 to 6. No default value. |
cacheTime |
Optional. Specifies for how long the authenticated user stays in cache. The value is in seconds. A valid value is any Integer value. The default value is 180. |
denyTime |
Optional. Specifies for how long the authenticated requests of a particular user (userID) are ignored. The value is in seconds. A valid value is any Integer value. The default value is 100. |
denyCount |
Optional. Specifies the number of invalid login attempts. A valid value is any Integer value. The default value is 3. |
cacheSize |
Optional. Specifies the maximum number of successfully authenticated users that are stored in the cache. When the cache overflows, the oldest entry is removed. A valid value is any Integer value. The default value is 300. |
This section describes the INTERNAL repository type which is based on a text file. The current default repository type, OS, requires specific root privileges on UNIX. To avoid the necessity of specific privileges, it is recommended that you use the internal repository as the default user repository for new installations that use SSX on UNIX.
The internal repository text file is an alternative to the OS and LDAP repositories. It is recommended to use an internal repository only during the initial setup of all required components or until you configure a real repository.
The following table outlines the internal repository mode parameters
of the SSXLoginModule.
| Parameter | Description |
|---|---|
authType |
Specifies the user repository type. The required value is "INTERNAL". No default value. |
internalRepository |
Specifies the path of the internal text repository file. For more information, see Creating Internal User Repository Files. |
defaultDomain |
Optional. Specifies a default domain name. When calling the
|
The following sample excerpt outlines the INTERNAL mode of the
SSXLoginModule and the corresponding configuration which
is included in a login context of a JAAS configuration file.
/** Example Login Configurations for the SSXLoginModule **/
/* This context is for logging in to the internal repository. */
SSXLoginINTERNAL {
com.softwareag.security.jaas.login.ssx.SSXLoginModule required
template_section=INTERNAL
logCallback=true
internalRepository="/tmp/myrepo/internalRepo";
};
The following table outlines the SSXLoginModule
parameters for operating system configuration:
| Parameter | Description |
|---|---|
authType |
Specifies the user database type. The valid value is
No default value. |
authDaemonPath |
Specifies the explicit path of the privileged daemon process. Specify this parameter if the sagssxauthd2 executable file is not in the current directory. Valid value is the valid path to the sagssxauthd2 module. No default value. Note: |
defaultGroup |
Optional. Specify a default group name here to be returned with any of the group results that are returned by the repository manager. A valid value is any valid group name. No default value. |
defaultDomain |
Optional. If this parameter is specified, its value is used at authentication time when domain name is not specified by the user. If a domain name is specified, the value of this parameter is not used. A valid value is any valid domain name. No default value. |
noImpersonation |
Optional. Boolean. Specifies how to access data. Valid values are:
Note: |
unixAddMachineName |
Optional. Boolean. Specifies the local machine name (on which the user is authenticated). The machine name is added before users and groups; for example, machine_name\user. Valid values are:
|
The following table outlines the SSXLoginModule
custom parameters for ADSI configuration.
| Parameter | Description |
|---|---|
authType |
Specifies the user database type. The valid value is
No default value. |
defaultGroup |
Optional. Specify a default group name here to be returned with any of the group results that are returned by the repository manager. A valid value is any valid group of users. No default value. |
defaultDomain |
Optional. If this parameter is specified, its value is used at authentication time when domain name is not specified by the user. If a domain name is specified, the value of this parameter is not used. A valid value is any valid domain name. No default value. |
serverHost |
Optional. Specifies the name of the server. A valid value is any valid server name and any valid IP address. No default value. |
adsiPersonBindDn |
Optional. Specifies the Personal Bind Distinguished Name (DN) for LDAP required for accessing a user. Use it only when all the users that are accessed are under the same node. Do not use it in cases of normal authentication. Valid values: for example, "ou=users, ou=germany, dc=eur, dc=sa, dc=com". No default value. |
adsiGroupBindDn |
Optional. Specifies the Personal Bind Distinguished Name (DN) for LDAP required for accessing a group. Use it only when all the groups that are accessed are under the same node. Do not use it in cases of normal authentication. Valid values: for example, "ou=groups, ou=germany, dc=eur, dc=sa, dc=com". No default value. |
adsiForestDn |
Optional. Specifies the name of the forest. You use this value when accessing ActiveDirectory. Valid values: for example, "dc=myorg,dc=com". No default value. |
The following table outlines the SSXLoginModule
custom parameters for LDAP configuration.
| Parameter | Description |
|---|---|
authType |
Specifies the user database type. The valid value is No default value. |
serverHost |
Specifies the name of the server. A valid value is any valid server name and any valid IP address. No default value. |
serverPort |
Optional. Specifies the port of the server. A valid value is any valid port number. The default value is 389. |
serverType |
Optional. Specifies the type of the server. Valid values are:
No default value. |
personBindDn |
Specifies the Personal Bind Distinguished Name (DN) for LDAP where the authentication information is stored. This value is prefixed with “userIdField=” when running the LDAP authentication. Valid values: for example, "ou=users, ou=germany, dc=eur, dc=sa, dc=com". No default value. |
groupBindDn |
Specifies the Group Root Distinguished Name (DN) for LDAP where the search for group names starts. This value is prefixed with “groupIdField=” when running the LDAP authentication. Valid values: for example, "ou=groups, ou=germany, dc=eur, dc=sa, dc=com". No default value. |
personObjClass |
Optional. Specifies the object classes that are contained in the user entries. Valid values: <String_Value1>, <String_Value2>, ..., <String_ValueN>. The default value depends on the
|
groupObjClass |
Optional. Specifies the object classes that the group entries contain. Valid values: <String_Value1>, <String_Value2>, ..., <String_ValueN>. The default value is dependent on the
|
personGrpAttr |
Optional. Specifies the property name of a user entry. It points from a user entry to the group that the user is a member of. Valid values: <String_Value>. The default value depends on the
|
groupPrsAttr |
Optional. Specifies the property name of a user entry that points from the group to the users. Valid values: <String_Value>. The default value is dependent on the
|
userIdField |
Optional. Specifies the property name that denotes a user entry. Valid values: <String_Value>. The default value is dependent on the
|
groupIdField |
Optional. Specifies the property name that denotes a group entry. Valid values: <String_Value>. The default value is |
allowDomainAsBaseBindDn |
Optional. Boolean. If the domain name is not specified explicitly and the
Valid values are:
|
personPropAttr |
Optional. Specifies the property names that can be accessed for a user entry. A valid value is a comma-separated list that contains the property names (<String_Value1>, <String_Value2>, ..., <String_ValueN>). The list with property names for a user entry is empty in the following cases:
The default value is dependent on the
|
groupPropAttr |
Optional. Specifies the property names that can be accessed for a group entry. The value is a comma-separated list that contains the property names (<String_Value1>, <String_Value2>, ..., <String_ValueN>). The list with property names for a group entry is empty in the following cases:
The default value depends on the
|
ldapStartTls |
Optional. Boolean. Enforces the usage of secure communication (TLS/ SSL). Valid values are:
|
resolveGroups |
Optional. Specifies the method for finding the groups of a user using the LDAP authentication type. Valid values are:
|
computedGroupProp |
Optional. Denotes the name of the LDAP property. It is activated if
Valid values: <String_Value>. No default value. |
ldapSSLConnection |
Optional. Boolean. This parameter denotes the secure communication (with set
Valid values are:
|
followReferrals |
Optional. Boolean. Specifies whether the Valid values are:
|
refServerBindingType |
Optional. Specifies the kind of binding during "referral following". Valid values are:
|
referralHopsCnt |
Optional. Specifies the count of the referral hops. If this parameter is not specified, the count is unlimited. A valid value is any positive integer. The default value is unlimited. |
useLdapTechUser |
Optional. Boolean. Allows you to enable the usage of a technical user. Valid values are:
|
techLdapUserCredFile |
Mandatory only if you enable the usage of a technical user. Specifies the path of the technical user credentials file. A valid value is any valid directory and file name on the file system. No default value. For more information, see Creating Technical User Credential Files. |
techLdapUserKeyFile |
Optional. Specifies the path of the alternative key file. A valid value is any valid directory and file name on the file system. No default value. |
The following table outlines the SSXLoginModule
custom parameters for IAF configuration.
| Parameter | Description |
|---|---|
IAFserverHost |
Specifies the host name (plus SSL port) of the IAF server. You can either use No default value. |
IAFCertLocation |
Optional. Specifies the location of the IAF certificate. For example,
No default value. |
serverHost |
Specifies the host of the server. You can use the combination of
Specify the No default value. Note: |
homeDir |
Optional. Locates the broker stub module and the crypto library. SSX looks for specific libraries. The homeDir parameter specifies the path to those libraries and loads them dynamically. Following is a list of the libraries for the different operating systems:
For example (Windows): homeDir="C:\SoftwareAG\webMethods8\<DIR_DLL_Libraries>" Default value: On Windows, try to load from the directory that is specified in the registry key “HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ CommonFilesDir". If SSX cannot load, it tries a standard Windows search strategy to find the file. On UNIX, it depends on dlopen specifications. If it does not succeed, it tries the "ETBLNK" environment variable value. |
The following table outlines the SSXLoginModule
custom parameters for RMI configuration.
| Parameter | Description |
|---|---|
rmiEnabled |
Optional. Boolean. Specifies whether the Valid values are:
|
rmiServerAddress |
Optional. Specifies the host server for RMI. Use it only if
A valid value is any valid server address. The default value is |
rmiServerPort |
Optional. Specifies the port that the remote server listens. Use it only
if A valid value is any valid server port. No default value. Note: |
throw_exc_missing_remote |
Optional. Boolean. Valid values are:
|
You use this login module to issue IAF tokens based on a previously performed authentication outside the SIN infrastructure.
You need this login module in order to use custom authentication in the application. Based on the established trust, you retrieve an IAF token for authentication.
This module establishes trust between the application using this login module and the IAF server (client SSL certificates validation).
The trust relationship is based on digital signatures. For each
delegated authentication request, a signed message (SHA1/RSA) is sent from
DelegatedAuthenticationModule to the IAF server. The IAF
server verifies the message and searches for the signer certificate in a white
list.
The required custom parameters are passed to an SSX function call and to a corresponding Java method.
To use this module via RMI, extend the
Authenticator classes.
This login module requires the same configuration parameters as
SSXLoginModule when using IAF authentication.
The following table outlines the parameters of
DelegatedAuthenticationLoginModule
| Parameter | Description |
|---|---|
keystore_url |
Specifies the URL pointing to the Java keystore to be used for signing. A valid value is any valid URL. No default value. |
keystore_password |
Specifies the password for the keystore to be used for signing. |
keystore_type |
Optional. Specifies the type of the keystore. Valid values are:
|
signkey_alias |
Optional. Specifies the key alias to use for signing. |
signkey_password |
Mandatory only if it is not the same as
Specifies the password for the signing key, if it is not the same as the keystore password. |
canonical_username_prefix |
Optional. String that is to be prefixed to the user name. If not present, nothing is prefixed, and just the domain and user name are passed. |
create_user_principal |
Optional. Boolean. Valid values are:
|
rmiEnabled |
Optional. Boolean. Specifies whether Valid values are:
|
rmiServerAddress |
Mandatory only if the Specifies the hostname/IP address of the remote server - “user.sam.ple.com” or “10.3.137.20”. |
rmiServerPort |
Required only if the Specifies the port that the remote server listens to - “12345”. Note: |
rmiSSLEnable |
Mandatory only if the Specifies whether the RMI connection uses SSL or not. |
rmiKeyStore |
Mandatory only if the Specifies the keystore that must be used during the secure RMI communication. |
rmiKeyStorePass |
Mandatory only if the Specifies the keystore password. |
rmiKeyStoreType |
Mandatory only if the Specifies the keystore type. |
rmiTrustStore |
Mandatory only if the Specifies the truststore that must be used during the secure RMI communication. |
rmiTrustStorePass |
Mandatory only if the Specifies the truststore password. |
rmiTrustStoreType |
Mandatory only if the Specifies the truststore type. |
throw_exc_missing_remote |
Optional. Boolean. Valid values are:
|
The IAF server provides the function for delegated authentication. It requires a technical user for the access to the underlying user repository. When the delegated user tries to get data from the repository, the server uses this technical user internally to connect to the user repository. In fact, when we try to get groups, users, properties, etc. from the repository, we use the credentials of this technical user. The parameters for this technical user must be set in the IAF configuration file.
Following are the parameters needed for the configuration of IAF server to handle delegated authentication requests.
| Parameter | Description |
|---|---|
iafdelegatedCertPath |
Specifies the directory that contains the white list certificates, that is, fingerprint: 01-23-45-67-78-89.der. |
iafdelegatedAuthTimeJitter |
Specifies the time jitter for time stamp. The value designates
seconds. A valid value is any positive integer. The default value is
|
iafdelegatedAuthUser |
Optional. Specifies the ID of the user who authenticates against the user repository. |
iafdelegatedAuthPass |
Obfuscated password of a user who authenticates against the user repository. This obfuscation must be done using CryptTechuserPassTool.exe |
iafdelegatedAuthDomain |
Specifies the domain name of the auth user. A valid value is any valid domain name. No default value. Note: |
You use SSXStopLoginModule as a dummy
replacement of the XmlServerLoginModule. If a preceding
SSXLoginModule authenticates the subject, then the
SSXStopLoginModule terminates the module chain if it is
"sufficient".
The following LoginModule methods act as
follows:
login() method - always returns
"false".
commit() method - if a previous
SSXLoginModule authenticates the subject, returns
"true". Otherwise, returns "false".
The following table contains some user cases:
| User case | login() returns... | commit() returns... | Whole authentication |
|---|---|---|---|
| Unauthenticated subject | false | false | LoginModule ignored |
| Authenticated subject | false | true | pass |
None. Any provided parameters are ignored.
The following sample excerpt outlines
SSXStopLoginModule.
/* Internal repository login module (SSX) */
com.softwareag.security.jaas.login.ssx.SSXLoginModule requisite
template_section="INTERNAL"
logCallback="true"
internalRepository="C:/SoftwareAG/common/conf/users.txt"
/*SSXStopLoginModule*/
com.centrasite.resourceaccess.junit.SSXStopLoginModule sufficient;
You use SimpleSSXLoginModule to authenticate
against the local operating system only. The module invokes a simple command
line utility that sends encrypted user name and password, and returns an
encrypted answer that indicates whether the authentication is successful. The
module does not control any other information, such as users, groups, or user
properties. Also, it does not implement
IUserRepositoryManager. The module encrypts the message
using a TripleDES algorithm. The command line utility authenticates the user
against the local operating system using an SSX library.
Note:
If you use the SimpleSSXLoginModule on
UNIX-based operating systems, you must set the
authDaemonPath property in the JAAS configuration
file.
The following table outlines the parameters of
SimpleSSXLoginModule.
| Parameter | Description |
|---|---|
LoginUtilityPath |
Defines the full location path to the command line utility that performs the login. |
authDaemonPath |
This parameter is mandatory only for UNIX operating systems. It defines the full location path of the privileged daemon process. You must specify a value for the property if the executable sagssxauthd2 module is not available in the current work directory. |
The following sample excerpt outlines the
SimpleSSXLoginModule and the corresponding configuration
included in a login context of a JAAS configuration file.
/** Login Configuration for the SimpleSSXLoginModule **/
SimpleSSXLogin {
com.softwareag.security.jaas.login.ssx.SimpleSSXLoginModule required
LoginUtilityPath=<command_line_utility>;
}
The implementation of LDAP support in Security Infrastructure allows
you to access an LDAP server and browse for fully qualified users anonymously
or using technical user credentials. To access a protected LDAP server that
does not accept anonymous queries, you can use
SSXLoginModule directly, or configure and use
RemoteLoginModule to access the remote authentication
service (and then SSXLoginModule) in the login context
of your JAAS configuration. RemoteLoginModule allows you
to enforce queries that are executed by the technical user and facilitates the
discovery of fully qualified users on the LDAP server. This login module is
used on the client side and allows you to protect key information about the
technical user from the end user. RemoteLoginModule is
explicitly part of Security Infrastructure and does not interact with the LDAP
server directly.
RemoteLoginModule extends
SagAbstractLoginModule and is part of the
sin-common.jar package. In its initialize phase, the
login module follows a standard way to obtain the available
SagCredentials objects from
CallbackHandler and all properties from the JAAS
configuration. During the login phase, the login module prepares the
communication channel with the remote service and uses the host name and port
number that are specified in the properties of the login module. Additional
properties ensure the communication over a secure SSL or TLS protocol. When the
connection is established, the transmitted message contains the name of the
system (IP address or a DNS name), all available credentials
(SagCredentials), and optionally JAAS configuration
properties.
After a successful authentication, the login module receives from the
remote service a Subject (which has attached
UserRepositoryManager) as it is created on the remote
side. The subject is stored locally in the login module. If the authentication
fails on the remote side, SagGeneralSecurityException is
received in the login module, which on the other hand is converted to a
LoginException on the client side. In the commit phase,
RemoteLoginModule parses the local Subject and extracts
from it information about all entries, such as principals, public and private
credentials, properties and so on. At a later stage, the login module assigns
these entries to the Subject on the client side that is connected with the
authentication. An important stage is to attach
IUserRepositoryManager instance which comes from the
remote service. As part of Security Infrastructure, you can combine and use
this login module with all available login modules to fulfill any custom
authentication scenarios.
The following table outlines the parameters of
RemoteLoginModule.
| Parameter | Description |
|---|---|
rmiServerAddress |
Defines the host name of the remote server. A valid value is any valid server name or IP address. |
rmiServerPort |
Defines the port number on which the remote server is running. |
The following sample excerpt outlines
RemoteLoginModule and the corresponding configuration
included in a login context of a JAAS configuration.
/** Login Configuration for the RemoteLoginModule **/
RemoteLoginModuleSSL {
com.softwareag.security.jaas.remote.login.RemoteLoginModule required
rmiServerAddress="server"
rmiServerPort="32415";
};
The implementation of the remote service remains in the existing RMI
implementation and additionally comprises two classes that are connected to the
remote authentication and repository manager
RemoteLoginServer and
RemoteRepositoryManagerServer respectively.
The RemoteLoginServer class facilitates the
second authentication that is based on the credentials that come from the
client side. The entire process includes the following stages:
The remote service listens on a specified port and supports SSL/TLS server authentication. The port is configured in the RemoteSSXServer.config file. When it receives a communication request, if needed, it validates the SSL/TLS certificates.
When the certificates are successfully validated, and the
communication channel is enabled, the remote service receives a message which
contains the name of the client system (an IP address or a remote system name)
all available credentials (SagCredentials) and optional
JAAS configuration entities. The service extracts the name of the client system
and checks whether it is received from a secure client.
If the client is secure, the service prepares a follow up authentication. The configuration name for technical user is set in the RemoteSSXServer.config file and the JAAS configuration file is set as a system property java.security.auth.login.config when the RMI server is running.
In case of successful authentication, the service returns to the
client a generated Subject. The server subject is saved in a cache with the
contexts of the currently authenticated clients. In case of failure,
SagGeneralSecurityException which contains the root
cause is returned.
When the RMI server is running, one more object is created for the
remote repository manager. This object is an instance of
RemoteRepositoryManagerServer. The process includes the
following stages:
The remote repository manager listens on a specified RemoteSSXServer.configport and supports SSL/TLS server authentication.
The manager extracts the subject from the cached context and then it retrieves repository manager from the principal in the Subject.
The server repository manager is used for each remote repository operation and data transfer to the client.
To configure the remote service to handle technical user requests, you must configure the following properties in the server configuration file (RemoteSSXServer.config).
| Parameter | Description |
|---|---|
authPortTech |
Optional. Defines the remote technical user authentication port. |
repoPortTech |
Optional. Defines the remote technical repository manager authenticator. |
jaasConfigName |
Optional. Defines the JAAS configuration name for technical use. Note: |
accessListFile |
Optional. Defines the path to the file that contains the IP addresses or DNS names of the trusted clients. |
The following sample excerpt outlines the configuration settings of the remote service, which are included in the RemoteSSXServer.config file.
port = 31415 authPort = 31416 repoPort = 31417 authPortTech = 31418 repoPortTech = 31419 keyStore = Y:/java/cvs/SIN/SIN_SSX/test/com/softwareag/security/jaas/remote/ssx/localhost.p12 keyStorePass = 123456 keyStoreType = PKCS12 rmiHostName = my_server jaasConfigName = SSXLoginOpenLDAPTechUserSSL
The Single Sign-On (SSO) service issues and parses a signed SAML assertion that can be used as a single sign-on and delegation token. The default implementation uses the SAML 2 assertion issuance, however SAML 1.1 version is supported as well.
The bundles required for the SSO service are available within all Software AG Shared Platform profiles. The SSO service requires a dynamic configuration properties file in order to work correctly. By default, your installation contains a com.softwareag.sso.pid.properties file located under <Software AG_install_directory>/profiles/<profile_name>/configuration/com.softwareag.platform.config.propsloader.
The following table outlines the parameters of the SSO service dynamic configuration.
| Parameter | Description |
|---|---|
com.softwareag.security.idp.keystore.keyalias |
Specifies the key alias to use for signing. Default value is "ssos". |
com.softwareag.security.idp.keystore.type |
Optional. Specifies the type of the keystore. Valid values are:
|
com.softwareag.security.idp.truststore.location |
Optional. Specifies the truststore to be used. |
com.softwareag.security.idp.truststore.password |
Mandatory only if the
Specifies the truststore password. |
com.softwareag.security.idp.keystore.location |
Specifies the location of the keystore to be used. Default value is "/common/conf/keystore.jks". |
com.softwareag.security.idp.truststore.keyalias |
Specifies the truststore key alias. Default value is "ssos". |
com.softwareag.security.idp.keystore.password |
Optional. Specifies the password for the keystore to be used. |
com.softwareag.security.idp.assertion.lifeperiod |
Specifies the time to live for the issued assertion (in milliseconds). Default value is "300". |
com.softwareag.security.idp.ehcache.location |
|
com.softwareag.security.idp.truststore.type |
Mandatory only if the
Specifies the truststore type. Valid values are:
|