EAServer supports integration with Netegrity SiteMinder security software. Netegrity SiteMinder provides single sign-on and centralized management of Web, database, and software resources in enterprise applications. For more information, see the Netegrity Web site.
The following configurations are supported:
Web access to EAServer through a secure reverse-proxy server. This configuration provides global single sign-on support for all applications and servers that are protected by the proxy server, as well as centralized user and user rights management. In this configuration, no direct user connections are allowed to EAServer. Instead, users access EAServer via the proxy server. Users log in to the secure proxy server using basic (user name plus password) authentication or by presenting an SSL certificate. This configuration requires a reverse-proxy server that supports Netegrity single sign-on, such as Apache with the Netegrity Web Agent installed or the Netegrity Secure Proxy Server.
Direct client access to EAServer with Netegrity authentication. In this configuration, users present their login credentials (user name and password or SSL certificate) to EAServer. The Netegrity agent installed in EAServer forwards the credentials to the Netegrity Policy Server for validation. While this configuration does not support global single sign-on, it does allow you to take advantage of centralized user and user-rights management provided by the Netegrity Policy Server.
Mixed access, which is a combination of these two approaches. For example, you can enable access through a proxy server to provide global single sign-on support to Web client users, while still supporting direct IIOP or IIOPS connections to EAServer from other client applications.
EAServer integration with SiteMinder is provided by Java Authentication and Authorization Service (JAAS) modules installed in EAServer, along with custom role service and caller principal service components. These components use the Netegrity Agent API to connect to the Netegrity Policy Server to verify user credentials, login status, and role membership.
When using Netegrity, EAServer authorization is based on the EAServer roles that are associated with components and Web resources, with role membership evaluated by the Netegrity Policy Server. The required roles for resource access are determined based on the component or Web application properties, as set in EAServer Manager or jagtool. When a resource requires role membership for access, EAServer calls the Netegrity role service, which determines whether the user is a member of the required role based on settings maintained in the Netegrity Policy Server.
These JAAS login modules are provided for Netegrity/EAServer integration:
An HTTP login module, which allows EAServer Web applications to support Netegrity single sign-on in reverse-proxy configurations.
An X.509 certificate login module, which validates client SSL certificates presented to EAServer by forwarding them to the Netegrity Policy Server.
A basic login module, which validates client user names and passwords presented to EAServer by forwarding them to the Netegrity Policy Server.
The Netegrity integration login modules are defined in the Netegrity JAAS configuration file, netegrity_jaas.cfg. On Windows, this file is installed in the ini subdirectory of your EAServer installation. On UNIX platforms, the file is installed in the config directory. You must configure the security scenario that you want to use by modifying the attributes of each login module in this file. The attributes for each scenario are listed below:
For Web-only access via the Netegrity Secure Proxy Server, use these settings in netegrity_jaas.cfg:

| Login module | Attribute |
|---|---|
| HTTP LoginModule | Requisite |
| X.509 LoginModule | Optional |
| Basic LoginModule | Optional |
For direct client access using basic authentication without support for single sign-on, use these settings in netegrity_jaas.cfg:

| Login module | Attribute |
|---|---|
| HTTP LoginModule | Optional |
| X.509 LoginModule | Optional |
| Basic LoginModule | Requisite |
For mixed access, use these settings in netegrity_jaas.cfg:

| Login module | Attribute |
|---|---|
| HTTP LoginModule | Sufficient |
| X.509 LoginModule | Sufficient |
| Basic LoginModule | Sufficient |
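The effect of these three flag tables is easiest to see by running the standard JAAS LoginContext rules over them. The following Python is an added example, not code from EAServer or the Netegrity SDK: the three login modules are replaced by stand-ins that check a constructed user directory, certificate CN list and proxy session table (the credential field names sso_session, cert_cn, username and password are assumptions), while jaas_login implements the documented JAAS semantics of the Required, Requisite, Sufficient and Optional flags.

```python
from typing import Callable, Dict, List, Tuple

# Constructed stand-ins for data the Netegrity Policy Server would hold.
USER_DIRECTORY: Dict[str, str] = {"alice": "s3cret", "Anonymous": "Anonymous"}
CERT_CNS = {"alice"}                            # certificate CNs entered in the directory
PROXY_SESSIONS = {"sm-session-7f3a": "alice"}   # sessions minted by the proxy's Web Agent

Credentials = Dict[str, str]
LoginModule = Callable[[Credentials], bool]


def http_login_module(creds: Credentials) -> bool:
    """Single sign-on path: the reverse proxy already authenticated the user
    and forwards a session identifier (field name is an assumption)."""
    return creds.get("sso_session") in PROXY_SESSIONS


def x509_login_module(creds: Credentials) -> bool:
    """Client certificate path: the certificate CN must be in the directory."""
    return creds.get("cert_cn") in CERT_CNS


def basic_login_module(creds: Credentials) -> bool:
    """User name plus password path, checked against the directory."""
    user = creds.get("username")
    return user is not None and USER_DIRECTORY.get(user) == creds.get("password")


MODULES: Dict[str, LoginModule] = {
    "HTTP": http_login_module,
    "X.509": x509_login_module,
    "Basic": basic_login_module,
}

# The flag settings from the three netegrity_jaas.cfg tables, in module order.
SCENARIOS: Dict[str, List[Tuple[str, str]]] = {
    "web_only":     [("HTTP", "requisite"),  ("X.509", "optional"),   ("Basic", "optional")],
    "direct_basic": [("HTTP", "optional"),   ("X.509", "optional"),   ("Basic", "requisite")],
    "mixed":        [("HTTP", "sufficient"), ("X.509", "sufficient"), ("Basic", "sufficient")],
}


def jaas_login(stack: List[Tuple[str, str]], creds: Credentials) -> bool:
    """JAAS LoginContext control-flag rules:
    required   - must succeed; evaluation continues either way
    requisite  - must succeed; a failure ends the login immediately
    sufficient - a success ends the login immediately unless an earlier
                 required/requisite module failed; a failure is ignored
    optional   - never decisive on its own
    Overall: if any required/requisite module is present, all of them must
    succeed; otherwise at least one sufficient/optional module must succeed."""
    has_required = False
    required_failed = False
    non_required_ok = False
    for name, flag in stack:
        ok = MODULES[name](creds)
        if flag in ("required", "requisite"):
            has_required = True
            if not ok:
                required_failed = True
                if flag == "requisite":
                    return False
        elif ok:
            non_required_ok = True
            if flag == "sufficient" and not required_failed:
                return True
    return (not required_failed) if has_required else non_required_ok


def outcomes(creds: Credentials) -> Dict[str, bool]:
    """Which of the three configurations accepts this credential set."""
    return {name: jaas_login(stack, creds) for name, stack in SCENARIOS.items()}


if __name__ == "__main__":
    samples = {
        "proxy SSO session": {"sso_session": "sm-session-7f3a"},
        "direct basic":      {"username": "alice", "password": "s3cret"},
        "direct cert":       {"cert_cn": "alice"},
        "forged SSO token":  {"sso_session": "sm-session-0000"},
    }
    for label, creds in samples.items():
        print(f"{label:18} {outcomes(creds)}")
```

Running it shows the point of the tables: with the Web-only settings a user name and password or a certificate presented directly to EAServer is rejected because the Requisite HTTP module fails first, while the mixed settings accept any one path. The HTTP module trusts what the proxy forwards, so the Web-only configuration only holds if direct connections to EAServer are blocked at the network layer, as the page requires; the flag alone does not enforce that.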
The following configuration can be performed in the Netegrity Policy Server User Interface Console. For detailed instructions, see the Netegrity documentation. These settings are required for all scenarios.
Policy Server setup
Create a Web agent named easagent, configured with the Policy Server host name and password.
Create a user directory with all the user names to be authenticated. Also, add a user “Anonymous” with password “Anonymous”. The anonymous user is required to allow IIOP login without user credentials, such as for a client accessing a message-driven bean. Because this account's password is fixed and well known, do not include it in the policy mappings for any /ROLE rule; it should be able to authenticate but hold no role memberships.
If you use client certificates in your application, enter the common name of each certificate in the user directory.
Configure an authentication scheme to match your Netegrity configuration scenario, as described in “Authentication methods for EAServer and SiteMinder”.
Configure a domain named Sybase that uses the user directory. Create a realm named “EAS” with these properties:
Agent is “easagent”.
Resource Filter is “/EAS”.
Default Resource Protection is “Unprotected”.
Authentication Scheme matches the scheme you configured previously.
For the EAS realm, create a rule named “DummyResource” with resource “/DummyResource”. This rule must be enabled with the “Allow Access” option selected. This rule is the default resource for authentication.
For the EAS realm, create additional rules for each EAServer role with the following properties:
Set the resource to /ROLE/role-name, where role-name is the EAServer role name as displayed in EAServer Manager. For example, “Admin Role” in EAServer requires the resource /Role/Admin Role.
Set Web Agent Actions to “Get, Post, Put.”
Enable the rule and select the “Allow Access” option.
Create a new policy, for example, Policy01. For each role used in your application, create mappings for the client user names and certificate common names that belong to the role. These mappings are used for role-based authorization of resource access.
If you use client certificates in your application, configure the certificate mapping properties. Create a mapping for each issuing certificate, that is, the distinguished name of each root certificate that corresponds to a certificate authority used by your application. Map this distinguished name to the user directory type that matches the user directory that you created earlier. For each mapping, select the Single Attribute mapping option, and select the Common Name (CN) as the attribute to map.
To ensure the changes you have made take effect, flush the Policy Server cache.
To support Netegrity single sign-on in your application, you must configure a compatible reverse-proxy server. EAServer has been tested with the Apache Web server running as a reverse-proxy with the Netegrity Web Agent installed. See the Netegrity SiteMinder Web Agent Installation Guide and Web Agent Guide for instructions on configuring Apache to run with the Netegrity Web Agent installed.
Reverse-proxy access requires the additional Policy Server settings described below.
Policy Server configuration for reverse-proxy server access
Use the Netegrity Policy Server User Interface Console to perform this configuration. For detailed instructions on each step, see the Netegrity documentation:
Create a new Web agent to represent the proxy server, for example, ApacheAgent.
Create an Agent Conf object for the proxy server agent. Highlight the ApacheDefaultSettings object, then create a new object from it. Set the DefaultAgentName parameter to match the name of the Web agent created in step 1, for example, “ApacheAgent.”
Create a Host Conf object for the proxy server. Highlight the DefaultHostSettings object, then create a new object from it. Configure the Policy Server IP address and listener ports to match your installation.
Configure authentication schemes to match your Netegrity configuration scenario. For user name/password access, configure a scheme that uses BASIC or FORM authentication. For client certificate authentication, configure a scheme that uses X.509 template authentication. For FORM and X.509 schemes, configure the proxy server itself as the Server name setting.
Create a new realm for the Web agent that represents the proxy server with these settings:
For Agent, select the name of the Web agent, for example, “ApacheAgent”.
Add “/” to the resource filter.
For Default Resource Protection, select Unprotected.
Select an appropriate authentication scheme.
Create a rule named “All” in the realm with these settings:
Set the resource to “*”.
Select “Get, Post, Put” for the Web agent actions.
Select Allow Access.
Select Enabled.
In the policy configuration, set up mappings for the All rule to include the client user names and certificate common names that are used in your application.
To ensure the changes you have made take effect, flush the Policy Server cache.
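The Policy Server objects described in the two procedures above (the EAS realm with its DummyResource and /ROLE rules for the easagent agent, and the proxy realm with its catch-all All rule) determine every authorization answer EAServer's role service receives. The Python below is an added example, not the Netegrity Agent API or any Sybase code: it models those objects in memory and shows how a role check becomes an authorization query against a /ROLE/role-name resource. It assumes that a rule's resource is appended to its realm's resource filter to form the full resource string, that rule resources are matched as shell-style patterns so that the All rule's “*” is a wildcard, and that the proxy realm is named ProxyRealm; the users, passwords and role names are constructed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, FrozenSet, List, Set

WEB_ACTIONS: FrozenSet[str] = frozenset({"Get", "Post", "Put"})   # the Web Agent actions the page selects


@dataclass(frozen=True)
class Rule:
    name: str
    resource: str              # relative to the realm's resource filter (assumption)
    actions: FrozenSet[str]
    allow: bool = True         # the "Allow Access" option
    enabled: bool = True


@dataclass
class Realm:
    name: str
    agent: str
    resource_filter: str
    rules: List[Rule] = field(default_factory=list)


@dataclass
class PolicyServer:
    realms: List[Realm]
    policies: Dict[str, Set[str]]     # rule name -> user names and certificate CNs bound by the policy
    user_directory: Dict[str, str]    # user name -> password (constructed)

    def is_authorized(self, agent: str, resource: str, action: str, identity: str) -> bool:
        """True only if an enabled, allowing rule in a realm owned by `agent`
        covers `resource` and `action` and a policy binds `identity` to that
        rule.  No matching rule means no access (fail closed)."""
        for realm in self.realms:
            if realm.agent != agent or not resource.startswith(realm.resource_filter):
                continue
            relative = resource[len(realm.resource_filter):]
            for rule in realm.rules:
                if not rule.enabled or action not in rule.actions:
                    continue
                if fnmatchcase(relative, rule.resource):
                    return rule.allow and identity in self.policies.get(rule.name, set())
        return False


def build_policy_server() -> PolicyServer:
    """The objects the page has you create: realm EAS for agent easagent with
    the DummyResource rule and one /ROLE/role-name rule per EAServer role, and
    a realm for the proxy agent ApacheAgent with the catch-all rule All."""
    eas = Realm("EAS", "easagent", "/EAS", [
        Rule("DummyResource", "/DummyResource", WEB_ACTIONS),
        Rule("Admin Role", "/ROLE/Admin Role", WEB_ACTIONS),
        Rule("Payroll", "/ROLE/Payroll", WEB_ACTIONS),
    ])
    proxy = Realm("ProxyRealm", "ApacheAgent", "/", [Rule("All", "*", WEB_ACTIONS)])
    return PolicyServer(
        realms=[eas, proxy],
        policies={
            "DummyResource": {"alice", "bob", "Anonymous"},   # everyone may authenticate
            "Admin Role": {"alice"},
            "Payroll": {"alice", "bob"},                      # "bob" is also a certificate CN
            "All": {"alice", "bob"},                          # Anonymous deliberately not bound
        },
        user_directory={"alice": "s3cret", "bob": "hunter2", "Anonymous": "Anonymous"},
    )


def role_resource(realm_filter: str, role_name: str) -> str:
    """Full resource string for an EAServer role: realm filter + /ROLE/role-name."""
    return f"{realm_filter}/ROLE/{role_name}"


def authenticate(ps: PolicyServer, username: str, password: str) -> bool:
    """Direct login: password against the directory, then access to the
    default authentication resource /EAS/DummyResource."""
    if ps.user_directory.get(username) != password:
        return False
    return ps.is_authorized("easagent", "/EAS/DummyResource", "Get", username)


def is_member(ps: PolicyServer, identity: str, role_name: str) -> bool:
    """The question the Netegrity role service asks on EAServer's behalf."""
    return ps.is_authorized("easagent", role_resource("/EAS", role_name), "Get", identity)


if __name__ == "__main__":
    ps = build_policy_server()
    print("alice in Admin Role:", is_member(ps, "alice", "Admin Role"))
    print("bob in Admin Role:  ", is_member(ps, "bob", "Admin Role"))
    print("alice in Auditor:   ", is_member(ps, "alice", "Auditor"))   # no rule -> denied
    print("Anonymous login:    ", authenticate(ps, "Anonymous", "Anonymous"))
```

Two behaviours are worth checking against a real Policy Server after you configure it: a role that has no /ROLE rule yields a denial rather than an error, and the Anonymous user can authenticate through DummyResource while still being denied every role and every proxy resource, because no policy binds it there.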
To troubleshoot problems, enable debug logging in the Policy Server Management Console. Select the “Log to File” and “Append” options. Do not select “Log to Console”.
Configuring EAServer to use SiteMinder security
Install the Netegrity JAAS configuration file into your server. The file is netegrity_jaas.cfg, located in the EAServer ini subdirectory on Windows platforms and config subdirectory on UNIX platforms. Install the JAAS module as follows:
Using EAServer Manager, display the Server Properties dialog box. On the Security tab, set the JAAS Configuration File to the full path to the netegrity_jaas.cfg file.
If you are running a server other than the preconfigured Jaguar server, display the Advanced tab. Set the com.sybase.jaguar.server.jaas.section property to Jaguar. If this property is not present, add it.
Follow the instructions for your platform below to copy necessary files from the Netegrity SDK installation to the JDK installation that you use to run EAServer.
On UNIX platforms, verify the JDK location by checking the values of the JAGUAR_JDK13 or JAGUAR_JDK14 variables in the EAServer bin/setenv.sh file. Copy these files from the Netegrity SDK installation to the JDK jre/lib/sparc subdirectory:
libsmagentapi.so
libsmjavaagentapi.so
On Windows platforms, verify the JDK location by checking the values of the JAGUAR_JDK13 or JAGUAR_JDK14 variables in the EAServer bin\setenv.bat file. Copy these files from the Netegrity SDK installation to the JDK jre\bin subdirectory:
smAgentAPI.dll
smJavaagentapi.dll
Copy the following JAR files from the Netegrity SDK to the java/lib subdirectory of your EAServer installation:
smjavaagentapi.jar
smjavasdk2.jar
On the Advanced tab in the Server Properties dialog box, set the property com.sybase.jaguar.server.callerprincipalservice to:
pseudo://java/com.sybase.jaguar.security.netegrity/CtsSecurity/NetegrityCallerPrincipal
On the Advanced tab in the Server Properties dialog box, set the property com.sybase.jaguar.server.roleservice to:
pseudo://java/com.sybase.jaguar.security.netegrity/CtsSecurity/NetegrityRoleService
Also on the Advanced tab, set the properties listed in the table below:

| Property | Value |
|---|---|
| com.sybase.jaguar.server.http.sso | If you have configured single sign-on support using a reverse-proxy server, set to |
| com.sybase.jaguar.server.smAgentName | The agent name used in the SiteMinder Policy Server, for example, “easagent”. |
| com.sybase.jaguar.server.smAgentPassword.e | The agent password used to connect to the SiteMinder Policy Server. The password is stored in encrypted form in the EAServer repository. |
| com.sybase.jaguar.server.smServerAddress | The host name of the SiteMinder Policy Server. |
| com.sybase.jaguar.server.smAgentDebug (optional) | Optionally set to |
| com.sybase.jaguar.server.smAuthorizationPort (optional) | Authorization port for the SiteMinder Policy Server. If not set, the default is 44443. |
| com.sybase.jaguar.server.smAuthenticationPort (optional) | Authentication port for the SiteMinder Policy Server. If not set, the default is 44442. |
| com.sybase.jaguar.server.smAccountingPort (optional) | Accounting port for the SiteMinder Policy Server. If not set, the default is 44441. |
| com.sybase.jaguar.server.server.smTimeout (optional) | The SiteMinder cache lifetime limit in seconds. If not set, the default is twice the EAServer authorization cache timeout, which is specified by the server property com.sybase.jaguar.server.authorization.permcachetimeout. |
| com.sybase.jaguar.server.smSize (optional) | The SiteMinder cache size. If not set, the default is 600. |
For each EAServer Web application, display the Web Application Properties in EAServer Manager. Configure the authentication method as described in “Authentication methods for EAServer and SiteMinder”.
You must configure the Netegrity and EAServer authentication methods differently depending on whether you allow direct log in to EAServer. If you allow direct login to EAServer, configure the EAServer and SiteMinder authentication methods to match according to Table 10-1. If you use FORM authentication, the login and error page must be set and deployed in EAServer. Do not mix certificate based authentication with user name/password based authentication. In other words, all EAServer Web applications must use FORM or BASIC, or all must use CLIENT-CERT.
| EAServer authentication method | SiteMinder authentication scheme type |
|---|---|
| FORM | BASIC |
| BASIC | BASIC |
| CLIENT-CERT | X.509 |
If you use a reverse-proxy server to support Netegrity single sign-on, use BASIC in EAServer. In SiteMinder, use BASIC, FORM, or X.509 as required by the application. In this case, authentication is performed within the reverse-proxy server and the Netegrity setting supersedes the EAServer setting.
Copyright © 2005. Sybase Inc. All rights reserved. |