The information is organized under the following headings:
Configuring LDAP Authentication with Technical User Credentials
Configuring SSX Authentication with Internal User Repository
Software AG Security eXtensions (SSX) is a user database interface that contains functions for user authentication and for the retrieval of repository objects. The main benefit of the interface is that it gives a client a uniform view to all the different user databases that implement it. The interface is written in C and Java and consists of a set of libraries that allow authentication against different systems (for example, LDAP, AD, and OS).
SSX authenticates a user on the basis of provided credentials. Its native functions retrieve repository data and provide administration functions for users and groups.
The SSX module for authentication is used in the Client/Server Layer of System Management Hub. Starting from version 10.1, the web UI part of System Management Hub that is managed by the Pluggable UI no longer supports SSX authentication modules. The main implication of not supporting SSX in the Pluggable UI is that the web UI part of System Management Hub no longer accepts operating system credentials. The server parts of System Management Hub (Client/Server Layer) still accept operating system credentials for batch commands. The default authentication for the Pluggable UI is changed to authenticate against the internal user repository, with default credentials set to Administrator:manage, like many other webMethods products.
SSX is disabled by default in System Management Hub 9.0. For guidelines on how to enable SSX in System Management Hub 8.0, see SSX in System Management Hub.
Following is an overview of the basic functionality of Software AG Security eXtensions:
Authentication of a user with a given password and, optionally, a domain name
Handling users from all domains
Distinguishing users from all domains when multiple user repositories are involved in a large scale application
Enumerating all local groups that the user belongs to
Enumerating groups and users of the specified user database
Manipulation of entries of the specified user database
Filtering support in the repository
Specifying an output file for logging
Specifying the user database that you want to work with:
"OS" for the native operating system
"LDAP" for an LDAP server
(LDAP only) Specifying an LDAP server type; this sets internally appropriate defaults. Available server types are:
ActiveDirectory
SunOneDirectory
OpenLDAP
Graphical user interface to select the desired LDAP server type:
Specifying how long an authenticated user entry must remain in the cache (the time in seconds)
Specifying the number of invalid logon attempts before any further authentication attempts are blocked
Specifying the maximum number of cached users authenticated successfully. When the cache overflows, the oldest entry is removed
System Management Hub 9.0 comes with SSX disabled by default. It can be enabled via the web interface, the batch interface, or the registry.
Note:
You must have a valid admin user to use the web interface or run batch commands.
For more details on how to set up the SSX configurations in System Management Hub via the web interface, see the SSX Configuration of the Client/Server Layer under Web Interface.
For more details on how to set up the SSX configurations in System Management Hub via the batch interface, see Configuring SSX under Batch Commands of the Batch Interface.
To enable SSX via the registry
Open the Registry Editor.
Switch the registry key SSX_Enabled from "0" to "1":
HKEY_LOCAL_MACHINE\SOFTWARE\Software AG\System Management Hub\CSLayerServer\SSX_Enabled
Restart CSLayer service.
If you experience logon problems after enabling SSX authentication, change the SSX authentication mode of the target machine, or of the application from which you are trying to access System Management Hub, or both. For more information about the different settings and their effects, see SSX Authentication Scenarios.
SSX has a separate log file that gives additional information. If you still cannot solve the problem, change the SSX logging level and send the logging file to Software AG Support.
To change the SSX logging level via the registry
Open the Registry Editor.
Switch the registry key SSX_Log_Level from "1" to "6":
HKEY_LOCAL_MACHINE\SOFTWARE\Software AG\System Management Hub\CSLayerServer\SSX_Log_Level
Restart CSLayer service.
Note:
The log file is located at <SAGROOT>/common/arg/log/SSX.log
SSX modules for authentication can be used in the Client/Server Layer of System Management Hub.
The Pluggable UI is installed with the installation of System Management Hub, but its authentication is different from System Management Hub's. Authentication of users can be of different types (LDAP, Active Directory, or internal user repository). By default, the authentication module in the Pluggable UI is set to authenticate against the internal user repository, while the one in System Management Hub 9.0 is disabled.
Important:
If you change the authentication mode on the target machine (for example, from "default" to "LDAP"), you affect the authentication for accessing other products (for example, CentraSite Registry/Repository, the Application Server Tier components, CentraSite Control).
To change the authentication mode on the target machine, you must have administrator's rights. Following are some of the possible authentication scenarios to illustrate the fact that System Management Hub and the Pluggable UI have different SSX authentication modules:
Pluggable UI SSX Authentication set to... | Target Machine SSX Authentication set to... | Provides this logon scenario... |
---|---|---|
Internal user repository | LDAP | You can log on to the Pluggable UI on the target machine using local file defined user name and password. To use System Management Hub, you must authenticate again with your domain credentials. |
Internal user repository | OS | You can log on to the Pluggable UI on the target machine using local file defined user name and password. To use System Management Hub, you must authenticate again using the operating system's user name and password. |
Internal user repository | Internal user repository | You can log on to the Pluggable UI on the target machine using local file defined user name and password. To use System Management Hub, you do not have to authenticate again. |
LDAP | OS | You can log on to the Pluggable UI on the target machine with your domain credentials. To use System Management Hub, you must authenticate again using the operating system's user name and password. |
LDAP | Internal user repository | You can log on to the Pluggable UI on the target machine with your domain credentials. To use System Management Hub, you must authenticate again using local file defined user name and password. |
LDAP | LDAP | You can log on to the Pluggable UI on the target machine with your domain credentials. To use System Management Hub, you do not have to authenticate again. |
Important:
With System Management Hub and the Pluggable UI using different authentication types, you must be careful what you select for authentication. Using a central user repository (such as LDAP or Active Directory) for both the Pluggable UI and System Management Hub can greatly reduce authentication problems. On UNIX systems, only default encryption of user passwords is possible for System Management Hub authentication when authenticating against the operating system.
You configure authentication via technical user to access and search for users on LDAP servers that do not support anonymous queries. The following task allows you to provide and configure technical user settings in your System Management Hub.
To authenticate against an LDAP server using technical user credentials and SSX
Create a technical user credential file.
For more information about creating technical user credential files, see the Software AG Security Infrastructure documentation.
Start System Management Hub web interface in a web browser.
Click
On the dropdown menu, select one of the login contexts that are available in the jaas.config file. The following list outlines the default login contexts that are available in the jaas.config file. However, depending on the use case, the file can contain other login contexts.
Use this default login context to define the default login modules that you want to use for authentication on the platform.
Use this login context to define the login modules that you want to use to authenticate against the Pluggable UI of System Management Hub.
On the Authentication Login Module options area, select radio button.
On the dropdown menu, select .
Click .
On the Effective Login Modules area, select option.
Click .
On the Options for LDAP configuration of SSXLoginModule dialog, configure the following properties:
useLdapTechUser
A Boolean parameter whose default value is false. The parameter is optional and allows you to enable the usage of a technical user.
techLdapUserCredFile
The parameter is mandatory if you enable the usage of a technical user. It specifies the path of the technical user credentials file.
techLdapUserKeyFile
The parameter is optional and specifies the path of the alternative key file.
For more information about configuring SSXLoginModule settings, see the Software AG Security Infrastructure documentation.
Click .
Click
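An added example, not part of the Software AG documentation or product code: a small Python linter that parses text in standard JAAS login-configuration syntax and checks each SSXLoginModule entry against the option rules above (useLdapTechUser defaults to false; techLdapUserCredFile is mandatory once it is true). The context names, the package prefix and the file paths in the sample are constructed placeholders, and writing these options as key/value pairs of the module entry in jaas.config is an assumption.

```python
import re

# Constructed sample in standard JAAS syntax; names and paths are placeholders.
SAMPLE_JAAS = '''
ExampleContextA {
    example.placeholder.SSXLoginModule required
        useLdapTechUser="true"
        techLdapUserCredFile="/opt/example/conf/techuser.cred";
};
ExampleContextB {   // technical user enabled, credential file forgotten
    example.placeholder.SSXLoginModule required useLdapTechUser="true";
};
ExampleContextC {   /* file configured, but the switch keeps its default */
    example.placeholder.SSXLoginModule sufficient
        techLdapUserCredFile="/opt/example/conf/techuser.cred";
};
'''
# Quoted strings are tried before comments, so "//" inside a value survives.
TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|//[^\n]*|/\*.*?\*/|([{};=])|([^\s{};="]+)', re.S)

def parse_jaas(text):
    """Return (context, module_class, control_flag, options) per login module."""
    toks = [(m.lastindex, m.group(m.lastindex)) for m in TOKEN_RE.finditer(text) if m.lastindex]
    modules, context, stmt = [], None, []
    for kind, val in toks:
        if kind == 2 and val == "{":      # the word before "{" names the context
            context, stmt = (stmt[-1][1] if stmt else None), []
        elif kind == 2 and val == "}":
            context, stmt = None, []
        elif kind == 2 and val == ";":    # end of one login-module statement
            if context and len(stmt) >= 2:
                opts = {stmt[j][1]: stmt[j + 2][1] for j in range(2, len(stmt) - 2, 3)}
                modules.append((context, stmt[0][1], stmt[1][1].lower(), opts))
            stmt = []
        else:
            stmt.append((kind, val))
    return modules

def lint_tech_user(text):
    """Check every SSXLoginModule entry against the option rules listed above."""
    findings = []
    ssx = [m for m in parse_jaas(text) if m[1].endswith("SSXLoginModule")]
    for context, _module, _flag, opts in ssx:
        enabled = opts.get("useLdapTechUser", "false").lower() == "true"  # default false
        if enabled and not opts.get("techLdapUserCredFile"):
            findings.append((context, "useLdapTechUser is true, techLdapUserCredFile missing"))
        elif not enabled and {"techLdapUserCredFile", "techLdapUserKeyFile"} & opts.keys():
            findings.append((context, "technical user files set, useLdapTechUser not true"))
    return findings
```

Calling `lint_tech_user()` on the text of a configuration file returns one `(context, message)` pair per entry that breaks a rule; an empty list means every SSXLoginModule entry is consistent.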
You can configure SSX authentication via an internal user repository. The following task allows you to provide and configure an internal user repository for a login context that is used in System Management Hub. The internal repository text file is an alternative to the OS and LDAP repositories. It is recommended to use an internal repository only during the initial setup of all required components or until you configure a real repository.
To authenticate using internal user repository in SSX
Create an internal user credential file.
For more information about creating an internal user repository, see the Software AG Security Infrastructure documentation.
Start System Management Hub web interface in a web browser.
Click
On the dropdown menu, select one of the login contexts that are available in the jaas.config file. The following list outlines the default login contexts that are available in the jaas.config file. However, depending on the use case, the file can contain other login contexts.
Use this default login context to define the default login modules that you want to use for authentication on the platform.
Use this login context to define the login modules that you want to use to authenticate against the Pluggable UI of System Management Hub.
On the Authentication Login Module options area, select radio button.
On the dropdown menu, select .
Click .
On the Effective Login Modules area, select option.
Click .
On the Control flag dropdown menu, set the flag of the login module. Valid values are:
For more information about the control flag of login modules, see the Software AG Security Infrastructure documentation.
On the Internal Repository dialog, click .
On the Manage Local Repository area, proceed as follows.
To add a user, click .
On the dialog that opens, provide a new user name and password, and click .
Note:
When you enter a user name or a password, you can use only digits, Latin letters, and the following characters: ! ( ) - . ? [ ] _ ~.
To edit existing user credentials, select a user entry and click .
On the dialog that opens, provide a new password and click .
To delete a user entry, select the entry and click .
For more information about configuring SSXLoginModule settings, see the Software AG Security Infrastructure documentation.
Important:
Once you confirm the changes and click the button, the changes are saved in an external file on the file system. At a later stage, you cannot revert the changes that are stored to the file by choosing the button.
Click .
Click .
When you configure a login context, you can verify that login context by executing it using real user credentials against a real Pluggable UI or SSXLoginOS.
To verify the configuration you provide
On the dropdown menu, select one of the login contexts that are available in the jaas.config file. The following list outlines the default login contexts that are available in the jaas.config file. However, depending on the use case, the file can contain other login contexts.
Use this default login context to define the default login modules that you want to use for authentication on the platform.
Use this login context to define the login modules that you want to use to authenticate against the Pluggable UI of System Management Hub.
Enter user credentials that you want to use with the configured login context.
Click