Updated the file with new information.

2006-05-23 15:04:18 +00:00 · 2006-05-23 15:04:18 +00:00 · 64030d705d
commit 64030d705d
parent c697b959f0
1 changed files with 224 additions and 4 deletions
--- a/auth_token/server/AuthTokenSvc/README
+++ b/auth_token/server/AuthTokenSvc/README
@ -17,13 +17,209 @@ to CASA Authentication enabled services.
 The ATS utilizes mechanism plug-ins for authenticating client entities as well
 Identity Token Providers for the generation of Identity Tokens.

+ENVIRONMENT SETTINGS
+
+The following options must be set in the JAVA_OPTS setting before starting Tomcat
+to allow the Kerberos authentication mechanism to work properly:
+
+-Djavax.security.auth.useSubjectCredsOnly=false
+-Djava.security.auth.login.config={replace with the path for JAAS configuration
+                                   file for the service}
+                                   
+After setting the above values in the JAVA_OPTS variable you must export it for
+Tomcat to be able to make use of it.
+
+The following entry should be included in the JAAS configuration file specified
+in the java.security.auth.login.config option above to enable the Krb5 authentication
+mechanism to work correctly:
+
+other {
+com.sun.security.auth.module.Krb5LoginModule required
+      useTicketCache=true
+      ticketCache="/var/cache/tomcat5/base/temp/ticket.cache"
+      useKeyTab=true
+      principal="host/server.company.com"
+      doNotPrompt=true
+      storeKey=true
+      keyTab="/etc/krb5.keytab";
+}
+
+Please adjust the ticketCache and principal setting to match your installation. 
+
 CONFIGURATION

 AuthTokenSvc configuration consists of multiple entities. Most of the AuthTokenSvc
 configuration is contained within the "conf" folder under the WEB-INF folder of the
 application. For an example configuration setup for the AuthTokenSvc see the
-sampleConf folder. 
+sampleConf folder.

+CONFIGURING THE BASE SERVICE
+
+The ATS base settings are configured in the svc.settings file under the conf folder.
+
+Thhe following is an example svc.settings file:
+
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<settings>
+<SessionTokenLifetime>720</SessionTokenLifetime>
+<LifetimeShorter>10</LifetimeShorter>
+<IAConfigFile>/home/jluciani/jakarta-tomcat-5.0.28/webapps/CasaAuthTokenSvc/WEB-INF/conf/iaRealms.xml</IAConfigFile>
+<startSearchContext>o=novell</startSearchContext>
+</settings>
+
+Note the following about the sample svc.settings file:
+
+- The settngs that you can specify in the svc.settings file are: SessionLifetime,
+  LifetimeShorter, IAConfigFile, and startSearchContext.
+  
+- The SessionTokenLifetime setting specifies the number of seconds for which a
+  session token is good for after being issued. The default value for this setting
+  is 360 seconds. Note that a larger value reduces overhead.
+  
+- The LifetimeShorter setting specifies the number of seconds that should be substracted
+  from the SessionTokenLifetime when calculating the number of seconds that clients are
+  told that the session tokens are good for.  The default value for this setting is 5
+  seconds.
+  
+- The IAConfigFile settings specifies the path to the identity abstraction
+  configuration file. The identity abstraction configuration file configures
+  the different realms (contexts) that the ATS can utilize to authenticate
+  entities and resolve identities. In the future the configuration of this
+  settng will be optional.
+  
+- The startSearchContext setting specifies the begin location for initiating
+  context searches. This setting or an equivalent setting will be moved to the
+  identity abstraction configuration file where it belongs. Once this is done,
+  the setting will no longer be recognized within the svc.settings file. 
+ 
+CONFIGURING SERVICES TO CONSUME CASA AUTHENTICATION TOKENS
+
+Services are configured to consume CASA authentication tokens by creating folders
+under the conf/enabled_services folders. Since CASA distinguishes between services
+of the same name existing in different hosts, the first folder that must be created
+is one for the host where the service resides. The host folder name must match the
+DNS name of the host where the service resides. Services are configured by creating
+a folder under the appropriate host folder with a name matching the service name.
+
+Note when configuring services that the service name and the host names must match
+the service and host names specified by the client applications when requesting
+tokens to authenticate to them.
+
+The services folder must contain an auth.policy file, an authtoken.settings file,
+and an identoken.settings file. In the absence of any one of those files, the ATS
+will default to utilizing the files present under its conf folder.
+
+The auth.policy file specifies the authentication realms (or contexts) to which
+entities can authenticate to gain access to the service. The auth.policy file also
+specifies the authentication mechanisms that can be utilized to authenticate to the
+realms.
+
+The following is an example auth.policy file: 
+
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<auth_policy>
+<auth_source>
+<realm>CorpTree</realm>
+<mechanism>Krb5Authenticate</mechanism>
+<mechanism_info>host@tokenserver.company.novell.com</mechanism_info>
+</auth_source>
+<auth_source>
+<realm>CorpTree</realm>
+<mechanism>PwdAuthenticate</mechanism>
+<mechanism_info></mechanism_info>
+</auth_source>
+</auth_policy>
+
+Note the following about the sample auth.policy file:
+
+- An authentication realm is specified in the auth.policy file by creating an
+  auth_policy entry for it. An auth_policy entry must contain the realm name along
+  with the entries for the authentication mechanisms.
+  
+- When a realm supports more than one authentication mechanism, you must create
+  an auth_source entry for each supported mechanism.
+  
+- The realm names correspond to the realmIDs configured in the Identity Abstraction
+  configuration file for the desired context entry.
+  
+- The authentication mechanism entries are: mechanism and mechanism_info. The mechanism
+  entry specifies the name of the authentication mechanism. The mechanism_info specifies
+  some mechanism specific information. Both authentication mechanism entries must be
+  specified for an auth_source entry.
+  
+- The name of the Krb5 Authentication mechanism is "Krb5Authenticate". This mechanism
+  requires that you specify the service's kerberos principal name under the mechanism_info
+  key.
+  
+- The name of the username/password authentication mechanism is "PwdAuthenticate" and
+  it does not require any information to be included under the mechanism_info key.
+  
+The authtoken.settings file contains settings that should be applied to authentication
+tokens issued to authenticate to the service.
+
+The following is an example authtoken.settings file:
+
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<settings>
+<TokenLifetime>720</TokenLifetime>
+<LifetimeShorter>10</LifetimeShorter>
+<IdentityTokenType>CasaIdentityToken</IdentityTokenType>
+</settings>
+
+Note the following about the sample authtoken.settings file: 
+
+- The settings that you can specify in the authtoken.settings file are: TokenLifetime,
+  LifetimeShorter, and IdentityTokenType. If one of this tokens is not specified then
+  its default value is utilized.
+  
+- The TokenLifetime setting specifies the number of seconds for which a token is good
+  for after being issued. The default value for this setting is 360 seconds. Note that
+  a larger value reduces overhead, but it also gives more time for an intruder to
+  utilize the token if it becomes compromized.
+  
+- The LifetimeShorter setting specifies the number of seconds that should be substracted
+  from the TokenLifetime when calculating the number of seconds that clients are told
+  that the tokens are good for.  The default value for this setting is 5 seconds.
+  
+- The IdentityTokenType specifies the type of identity tokens that must be embedded in
+  the authentication tokens with identity information. The default value for this
+  setting is CasaIdentityToken.
+  
+The identoken.settings file contains settings that should be applied to identity tokens
+embedded in authentication tokens.
+
+The following is an example identoken.settings file:
+
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<settings>
+<Attributes>sn,groupMembership,guid</Attributes>
+<EncryptAttributes>false</EncryptAttributes>
+<Certificate>Base64 encoded certificate</Certificate>
+</settings>
+
+Note the following about the sample identoken.settings file:
+
+- The settings that you can specify in the identoken.settings file are: Attributes.
+  EncryptAttributes, and Certificate.
+  
+- The Attributes setting specifies the identity attributes that must be included
+  as part of the identity token, The attributes are specified in the form of a coma
+  delimited list. The default velue for this setting is "sn".
+  
+- The EncryptAtributes setting specifies whether or not the identity information
+  contained in the identity token should be emcrypted with the services's Public
+  Certificate. The default value for this setting is "false". Please note that
+  to enable identity attribute encryption you must not allow the ATS to default to
+  the file present in its conf folder (Attribute encryption is not yet supported
+  by the Casa identity token provider).
+  
+- The Certificate setting specifies the certificate that must be utilized to encrypt
+  identity attribute data. The certificate contains the public key of the targeted
+  service. The certificate data is Base64 encoded.
+  
+- The identoken.settings file can also contain additional identity token provider
+  specific settings.
+  
 CONFIGURING AUTHENTICATION MECHANISMS

 Authentication mechanisms available to the AuthTokenSvc are configured by creating
@ -34,13 +230,37 @@ name of the class implementing the mechanism along with path information which
 can be utilized by the ATS to load the class. The mechanism.settings file can
 also contain mechanism specific settings.

-The following setting is mandatory: 
+The following setting is mandatory:

-One of the following settngs must be included:
+ClassName - This is the name of the class implementing the authentication mechanism.

-For example mechanism.settings files look at sampleConf/auth_mechanisms/ 
+One of the following settings must be included:

+RelativeClassPath - This is a relative path from the web application's root folder
+to the folder containing the class implementing the mechanism.

+ClassPath - This is an absolute path to the folder containing the path to the class
+implementing the mechanism.
+
+The following is an example mechanism.settings file for the Krb5Authentication
+mechanism:
+
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<settings>
+<ClassName>com.novell.casa.authtoksvc.Krb5Authenticate</ClassName>
+<RelativeClassPath>WEB-INF/classes</RelativeClassPath>
+<ServicePrincipalName>host@tokenserver.company.novell.com</ServicePrincipalName>
+</settings>
+
+The base AuthTokenSvc package contains two authentication mechanisms, these are
+Krb5Authenticate and PwdAuthenticate. The configuration under sampleConf is set up
+to allow an AuthTokenSvc to leverage both mechanisms.
+
+The Krb5Authenticate mechanism requires that the following setting also be included
+in its mechanism.settings file:
+
+ServicePrincipalName - This is the name of the Kerberos Service Principal that the
+Authentication Token Service runs as when authenticating other entities.

 CONFIGURING ADDITIONAL IDENTITY TOKEN PROVIDERS