Updated the file with new information.
This commit is contained in:
parent
c697b959f0
commit
64030d705d
@ -17,13 +17,209 @@ to CASA Authentication enabled services.
|
||||
The ATS utilizes mechanism plug-ins for authenticating client entities as well
|
||||
Identity Token Providers for the generation of Identity Tokens.
|
||||
|
||||
ENVIRONMENT SETTINGS
|
||||
|
||||
The following options must be set in the JAVA_OPTS setting before starting Tomcat
|
||||
to allow the Kerberos authentication mechanism to work properly:
|
||||
|
||||
-Djavax.security.auth.useSubjectCredsOnly=false
|
||||
-Djava.security.auth.login.config={replace with the path for JAAS configuration
|
||||
file for the service}
|
||||
|
||||
After setting the above values in the JAVA_OPTS variable you must export it for
|
||||
Tomcat to be able to make use of it.
|
||||
|
||||
The following entry should be included in the JAAS configuration file specified
|
||||
in the java.security.auth.login.config option above to enable the Krb5 authentication
|
||||
mechanism to work correctly:
|
||||
|
||||
other {
|
||||
com.sun.security.auth.module.Krb5LoginModule required
|
||||
useTicketCache=true
|
||||
ticketCache="/var/cache/tomcat5/base/temp/ticket.cache"
|
||||
useKeyTab=true
|
||||
principal="host/server.company.com"
|
||||
doNotPrompt=true
|
||||
storeKey=true
|
||||
keyTab="/etc/krb5.keytab";
|
||||
}
|
||||
|
||||
Please adjust the ticketCache and principal setting to match your installation.
|
||||
|
||||
CONFIGURATION
|
||||
|
||||
AuthTokenSvc configuration consists of multiple entities. Most of the AuthTokenSvc
|
||||
configuration is contained within the "conf" folder under the WEB-INF folder of the
|
||||
application. For an example configuration setup for the AuthTokenSvc see the
|
||||
sampleConf folder.
|
||||
sampleConf folder.
|
||||
|
||||
CONFIGURING THE BASE SERVICE
|
||||
|
||||
The ATS base settings are configured in the svc.settings file under the conf folder.
|
||||
|
||||
Thhe following is an example svc.settings file:
|
||||
|
||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<settings>
|
||||
<SessionTokenLifetime>720</SessionTokenLifetime>
|
||||
<LifetimeShorter>10</LifetimeShorter>
|
||||
<IAConfigFile>/home/jluciani/jakarta-tomcat-5.0.28/webapps/CasaAuthTokenSvc/WEB-INF/conf/iaRealms.xml</IAConfigFile>
|
||||
<startSearchContext>o=novell</startSearchContext>
|
||||
</settings>
|
||||
|
||||
Note the following about the sample svc.settings file:
|
||||
|
||||
- The settngs that you can specify in the svc.settings file are: SessionLifetime,
|
||||
LifetimeShorter, IAConfigFile, and startSearchContext.
|
||||
|
||||
- The SessionTokenLifetime setting specifies the number of seconds for which a
|
||||
session token is good for after being issued. The default value for this setting
|
||||
is 360 seconds. Note that a larger value reduces overhead.
|
||||
|
||||
- The LifetimeShorter setting specifies the number of seconds that should be substracted
|
||||
from the SessionTokenLifetime when calculating the number of seconds that clients are
|
||||
told that the session tokens are good for. The default value for this setting is 5
|
||||
seconds.
|
||||
|
||||
- The IAConfigFile settings specifies the path to the identity abstraction
|
||||
configuration file. The identity abstraction configuration file configures
|
||||
the different realms (contexts) that the ATS can utilize to authenticate
|
||||
entities and resolve identities. In the future the configuration of this
|
||||
settng will be optional.
|
||||
|
||||
- The startSearchContext setting specifies the begin location for initiating
|
||||
context searches. This setting or an equivalent setting will be moved to the
|
||||
identity abstraction configuration file where it belongs. Once this is done,
|
||||
the setting will no longer be recognized within the svc.settings file.
|
||||
|
||||
CONFIGURING SERVICES TO CONSUME CASA AUTHENTICATION TOKENS
|
||||
|
||||
Services are configured to consume CASA authentication tokens by creating folders
|
||||
under the conf/enabled_services folders. Since CASA distinguishes between services
|
||||
of the same name existing in different hosts, the first folder that must be created
|
||||
is one for the host where the service resides. The host folder name must match the
|
||||
DNS name of the host where the service resides. Services are configured by creating
|
||||
a folder under the appropriate host folder with a name matching the service name.
|
||||
|
||||
Note when configuring services that the service name and the host names must match
|
||||
the service and host names specified by the client applications when requesting
|
||||
tokens to authenticate to them.
|
||||
|
||||
The services folder must contain an auth.policy file, an authtoken.settings file,
|
||||
and an identoken.settings file. In the absence of any one of those files, the ATS
|
||||
will default to utilizing the files present under its conf folder.
|
||||
|
||||
The auth.policy file specifies the authentication realms (or contexts) to which
|
||||
entities can authenticate to gain access to the service. The auth.policy file also
|
||||
specifies the authentication mechanisms that can be utilized to authenticate to the
|
||||
realms.
|
||||
|
||||
The following is an example auth.policy file:
|
||||
|
||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<auth_policy>
|
||||
<auth_source>
|
||||
<realm>CorpTree</realm>
|
||||
<mechanism>Krb5Authenticate</mechanism>
|
||||
<mechanism_info>host@tokenserver.company.novell.com</mechanism_info>
|
||||
</auth_source>
|
||||
<auth_source>
|
||||
<realm>CorpTree</realm>
|
||||
<mechanism>PwdAuthenticate</mechanism>
|
||||
<mechanism_info></mechanism_info>
|
||||
</auth_source>
|
||||
</auth_policy>
|
||||
|
||||
Note the following about the sample auth.policy file:
|
||||
|
||||
- An authentication realm is specified in the auth.policy file by creating an
|
||||
auth_policy entry for it. An auth_policy entry must contain the realm name along
|
||||
with the entries for the authentication mechanisms.
|
||||
|
||||
- When a realm supports more than one authentication mechanism, you must create
|
||||
an auth_source entry for each supported mechanism.
|
||||
|
||||
- The realm names correspond to the realmIDs configured in the Identity Abstraction
|
||||
configuration file for the desired context entry.
|
||||
|
||||
- The authentication mechanism entries are: mechanism and mechanism_info. The mechanism
|
||||
entry specifies the name of the authentication mechanism. The mechanism_info specifies
|
||||
some mechanism specific information. Both authentication mechanism entries must be
|
||||
specified for an auth_source entry.
|
||||
|
||||
- The name of the Krb5 Authentication mechanism is "Krb5Authenticate". This mechanism
|
||||
requires that you specify the service's kerberos principal name under the mechanism_info
|
||||
key.
|
||||
|
||||
- The name of the username/password authentication mechanism is "PwdAuthenticate" and
|
||||
it does not require any information to be included under the mechanism_info key.
|
||||
|
||||
The authtoken.settings file contains settings that should be applied to authentication
|
||||
tokens issued to authenticate to the service.
|
||||
|
||||
The following is an example authtoken.settings file:
|
||||
|
||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<settings>
|
||||
<TokenLifetime>720</TokenLifetime>
|
||||
<LifetimeShorter>10</LifetimeShorter>
|
||||
<IdentityTokenType>CasaIdentityToken</IdentityTokenType>
|
||||
</settings>
|
||||
|
||||
Note the following about the sample authtoken.settings file:
|
||||
|
||||
- The settings that you can specify in the authtoken.settings file are: TokenLifetime,
|
||||
LifetimeShorter, and IdentityTokenType. If one of this tokens is not specified then
|
||||
its default value is utilized.
|
||||
|
||||
- The TokenLifetime setting specifies the number of seconds for which a token is good
|
||||
for after being issued. The default value for this setting is 360 seconds. Note that
|
||||
a larger value reduces overhead, but it also gives more time for an intruder to
|
||||
utilize the token if it becomes compromized.
|
||||
|
||||
- The LifetimeShorter setting specifies the number of seconds that should be substracted
|
||||
from the TokenLifetime when calculating the number of seconds that clients are told
|
||||
that the tokens are good for. The default value for this setting is 5 seconds.
|
||||
|
||||
- The IdentityTokenType specifies the type of identity tokens that must be embedded in
|
||||
the authentication tokens with identity information. The default value for this
|
||||
setting is CasaIdentityToken.
|
||||
|
||||
The identoken.settings file contains settings that should be applied to identity tokens
|
||||
embedded in authentication tokens.
|
||||
|
||||
The following is an example identoken.settings file:
|
||||
|
||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<settings>
|
||||
<Attributes>sn,groupMembership,guid</Attributes>
|
||||
<EncryptAttributes>false</EncryptAttributes>
|
||||
<Certificate>Base64 encoded certificate</Certificate>
|
||||
</settings>
|
||||
|
||||
Note the following about the sample identoken.settings file:
|
||||
|
||||
- The settings that you can specify in the identoken.settings file are: Attributes.
|
||||
EncryptAttributes, and Certificate.
|
||||
|
||||
- The Attributes setting specifies the identity attributes that must be included
|
||||
as part of the identity token, The attributes are specified in the form of a coma
|
||||
delimited list. The default velue for this setting is "sn".
|
||||
|
||||
- The EncryptAtributes setting specifies whether or not the identity information
|
||||
contained in the identity token should be emcrypted with the services's Public
|
||||
Certificate. The default value for this setting is "false". Please note that
|
||||
to enable identity attribute encryption you must not allow the ATS to default to
|
||||
the file present in its conf folder (Attribute encryption is not yet supported
|
||||
by the Casa identity token provider).
|
||||
|
||||
- The Certificate setting specifies the certificate that must be utilized to encrypt
|
||||
identity attribute data. The certificate contains the public key of the targeted
|
||||
service. The certificate data is Base64 encoded.
|
||||
|
||||
- The identoken.settings file can also contain additional identity token provider
|
||||
specific settings.
|
||||
|
||||
CONFIGURING AUTHENTICATION MECHANISMS
|
||||
|
||||
Authentication mechanisms available to the AuthTokenSvc are configured by creating
|
||||
@ -34,13 +230,37 @@ name of the class implementing the mechanism along with path information which
|
||||
can be utilized by the ATS to load the class. The mechanism.settings file can
|
||||
also contain mechanism specific settings.
|
||||
|
||||
The following setting is mandatory:
|
||||
The following setting is mandatory:
|
||||
|
||||
One of the following settngs must be included:
|
||||
ClassName - This is the name of the class implementing the authentication mechanism.
|
||||
|
||||
For example mechanism.settings files look at sampleConf/auth_mechanisms/
|
||||
One of the following settings must be included:
|
||||
|
||||
RelativeClassPath - This is a relative path from the web application's root folder
|
||||
to the folder containing the class implementing the mechanism.
|
||||
|
||||
ClassPath - This is an absolute path to the folder containing the path to the class
|
||||
implementing the mechanism.
|
||||
|
||||
The following is an example mechanism.settings file for the Krb5Authentication
|
||||
mechanism:
|
||||
|
||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<settings>
|
||||
<ClassName>com.novell.casa.authtoksvc.Krb5Authenticate</ClassName>
|
||||
<RelativeClassPath>WEB-INF/classes</RelativeClassPath>
|
||||
<ServicePrincipalName>host@tokenserver.company.novell.com</ServicePrincipalName>
|
||||
</settings>
|
||||
|
||||
The base AuthTokenSvc package contains two authentication mechanisms, these are
|
||||
Krb5Authenticate and PwdAuthenticate. The configuration under sampleConf is set up
|
||||
to allow an AuthTokenSvc to leverage both mechanisms.
|
||||
|
||||
The Krb5Authenticate mechanism requires that the following setting also be included
|
||||
in its mechanism.settings file:
|
||||
|
||||
ServicePrincipalName - This is the name of the Kerberos Service Principal that the
|
||||
Authentication Token Service runs as when authenticating other entities.
|
||||
|
||||
CONFIGURING ADDITIONAL IDENTITY TOKEN PROVIDERS
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user