Securing Login Information of a Technical User
In the above Jaas configuration, the technical user password is stored in clear text.
To secure the password, you must first reconfigure the Jaas configuration to reference the necessary LDAP configuration properties file, for example, in the following way:
CentraSite {
    com.softwareag.security.jaas.login.internal.InternalLoginModule sufficient
        domain="INTERNAL"
        alias="INTERNAL"
        applyDomain="true"
        create_group_principal="false"
        internalRepository="C:/SoftwareAG/common/conf/users.txt";
    com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule required
        alias="EUR";
};
The LDAPLoginModule entry in the Jaas configuration file will no longer contain the LDAP configuration properties. Instead, the entry contains an alias parameter used to point to an EUR configuration. For defining the EUR configuration, the file com.softwareag.security.ldap.server.pid-EUR.properties must be stored in the folder com.softwareag.platform.config.propsloader under <RuntimeDir>/configuration. (The location of the <RuntimeDir> folder is described in the document Overview of Basic Operations.)
The LDAP configuration properties file looks as follows:
alias=EUR
url=ldap\://ldap-server\:389
prin=CN\=tech-user,ou\=user,OU\=Germany,DC\=EUR,DC\=example,DC\=com
@secure.cred=password
useaf=false
userrootdn=DC\=EUR,DC\=example,DC\=com
personobjclass=inetOrgPerson
uidprop=samAccountName
noPrinIsAnonymous=false
groupobjclass=group
usecaching=false
applyDomain=true
createGroupProperties=true
memberinfoingroups=false
creategroups=true
createUserProperties=true
grouprootdn=DC\=EUR,DC\=example,DC\=com
domain=EUR
The property @secure.cred contains the password in clear text.
Software AG Runtime scans for new files and replaces the clear text password with a handle after securely storing the password in another location.
The dynamically loaded LDAP configuration properties file looks as follows:
##
#Fri Dec 19 14:02:42 CET 2014
useaf=false
userrootdn=DC\=EUR,DC\=example,DC\=com
personobjclass=inetOrgPerson
prin=CN\=tech-user,ou\=user,OU\=Germany,DC\=EUR,DC\=example,DC\=com
uidprop=samAccountName
url=ldap\://ldap-server\:389
noPrinIsAnonymous=false
groupobjclass=group
usecaching=false
applyDomain=true
@secure.cred=@secure\:com.softwareag.security.ldap.server.pid-EUR.properties-cred
createGroupProperties=true
alias=EUR
memberinfoingroups=false
creategroups=true
createUserProperties=true
grouprootdn=DC\=EUR,DC\=example,DC\=com
domain=EUR
Here, the property @secure.cred no longer contains the password in clear text. Instead, it contains a handle that points to the internal secure password store. Thus, as long as Software AG Runtime is running, the dynamically loaded LDAP configuration takes the place of the file that contained the clear text password.
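The following Python script is an added example, not code from Software AG or from this document. It parses properties files in the Java format shown above (including the backslash escapes for ':' and '='), audits them for an @secure.cred value that is still in clear text, and models the rewrite the runtime performs: the credential is moved into a store and replaced by a handle of the same shape as the one in the dynamically loaded file above. The in-memory dictionary standing in for the secure store, the sample file text and the helper names are assumptions for the example; how Software AG Runtime actually stores the password is not described on this page.

```python
"""Audit Java .properties files for clear-text credentials and model the
handle rewrite shown in the page.  Added example; not Software AG code."""
import re

SECURE_PREFIX = "@secure:"  # handle prefix seen in the page's rewritten file


def unescape(value: str) -> str:
    """Drop Java-properties backslash escapes (\\: \\= \\\\ ...)."""
    return re.sub(r"\\(.)", r"\1", value)


def escape(value: str) -> str:
    """Escape the characters a properties writer escapes inside values."""
    return re.sub(r"([\\:=])", r"\\\1", value)


def parse_properties(text: str) -> dict:
    """Parse key=value lines; blank lines and '#'/'!' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        # key runs up to the first unescaped '=' or ':'
        m = re.match(r"((?:\\.|[^\\=:])+)\s*[=:]\s*(.*)", line)
        if m:
            props[unescape(m.group(1)).strip()] = unescape(m.group(2))
    return props


def cleartext_credentials(props: dict) -> list:
    """Keys of the @secure.* family whose value is not yet a store handle."""
    return sorted(k for k, v in props.items()
                  if k.startswith("@secure.") and not v.startswith(SECURE_PREFIX))


def secure_file(text: str, filename: str, store: dict) -> str:
    """Model of the runtime's rewrite (assumption, not the real mechanism):
    each clear-text @secure.<suffix> value is moved into `store` and the file
    line is replaced with the handle @secure:<filename>-<suffix>."""
    out = []
    for line in text.splitlines():
        m = re.match(r"(@secure\.(\w+))\s*=\s*(.*)$", line.strip())
        if m and not m.group(3).startswith(SECURE_PREFIX):
            handle = f"{SECURE_PREFIX}{filename}-{m.group(2)}"
            store[handle] = unescape(m.group(3))
            line = f"{m.group(1)}={escape(handle)}"
        out.append(line)
    return "\n".join(out) + "\n"


def resolve(value: str, store: dict) -> str:
    """What a consumer does at runtime: turn a handle back into the secret."""
    return store[value] if value.startswith(SECURE_PREFIX) else value


# Constructed sample mirroring the page's file before the runtime processed it.
FILENAME = "com.softwareag.security.ldap.server.pid-EUR.properties"
SAMPLE = r"""alias=EUR
url=ldap\://ldap-server\:389
prin=CN\=tech-user,ou\=user,OU\=Germany,DC\=EUR,DC\=example,DC\=com
@secure.cred=password
useaf=false
domain=EUR
"""


def demo() -> tuple:
    """Audit before, rewrite, audit after; return the interesting values."""
    store = {}
    before = cleartext_credentials(parse_properties(SAMPLE))
    secured = secure_file(SAMPLE, FILENAME, store)
    props = parse_properties(secured)
    after = cleartext_credentials(props)
    return before, after, props["@secure.cred"], resolve(props["@secure.cred"], store)


if __name__ == "__main__":
    before, after, handle, secret = demo()
    print("clear-text credentials before:", before)
    print("clear-text credentials after: ", after)
    print("handle written to file:       ", handle)
    print("resolved through store:       ", secret)
```

Run the audit part alone against every *.properties file in the propsloader folder to confirm that no @secure.cred value is still clear text after the runtime has processed the folder; a file where the audit still reports a key has not been picked up.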