345 lines
15 KiB
Plaintext
345 lines
15 KiB
Plaintext
/***********************************************************************
|
|
*
|
|
* Copyright (C) 2006 Novell, Inc. All Rights Reserved.
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; version 2.1
|
|
* of the License.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Library Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with this library; if not, Novell, Inc.
|
|
*
|
|
* To contact Novell about this file by physical or electronic mail,
|
|
* you may find current contact information at www.novell.com.
|
|
*
|
|
* Author: Juan Carlos Luciani <jluciani@novell.com>
|
|
*
|
|
***********************************************************************/
|
|
/***********************************************************************
|
|
*
|
|
* README for AuthTokenSvc
|
|
*
|
|
***********************************************************************/
|
|
|
|
INTRODUCTION
|
|
|
|
AuthTokenSvc is the CASA Authentication Token Service (ATS). It is implemented
|
|
as a Java servlet and supporting classes that execute in the Tomcat environment.
|
|
|
|
The ATS is responsible for providing clients with the necessary authentication
|
|
policy information, for authenticating client entities, and for providing
|
|
clients with Authentication Tokens that they can then use for authenticating
|
|
to CASA Authentication enabled services.
|
|
|
|
The ATS utilizes mechanism plug-ins for authenticating client entities as well
|
|
Identity Token Providers for the generation of Identity Tokens.
|
|
|
|
ENVIRONMENT SETTINGS
|
|
|
|
The following options must be set in the JAVA_OPTS environment variable before
|
|
starting Tomcat to allow the Kerberos authentication mechanism to work properly
|
|
with Sun's Java:
|
|
|
|
-Djava.security.auth.login.config={replace with the path for JAAS configuration
|
|
file for the service}
|
|
|
|
After setting the above values in the JAVA_OPTS variable you must export it for
|
|
Tomcat to be able to make use of it.
|
|
|
|
The following entry should be included in the JAAS configuration file specified
|
|
in the java.security.auth.login.config option above to enable the Krb5 authentication
|
|
mechanism to work correctly:
|
|
|
|
other {
|
|
com.sun.security.auth.module.Krb5LoginModule required
|
|
useTicketCache=true
|
|
ticketCache="/var/cache/tomcat5/base/temp/ticket.cache"
|
|
useKeyTab=true
|
|
principal="host/server.company.com"
|
|
doNotPrompt=true
|
|
storeKey=true
|
|
keyTab="/etc/krb5.keytab";
|
|
}
|
|
|
|
Please adjust the ticketCache and principal setting to match your installation.
|
|
|
|
By default, AuthTokenSvc reads its configuration from the "conf" folder under
|
|
the WEB-INF folder of the Tomcat Web Application ($CATALINA_HOME/webapps/CasaAuthTokenSvc/WEB-INF/conf).
|
|
This can be over-ridden by setting the following option in the JAVA_OPTS environment variable:
|
|
|
|
-Dcom.novell.casa.authtoksvc.config={replace with the path to the configuration
|
|
folder}
|
|
|
|
CONFIGURATION
|
|
|
|
AuthTokenSvc configuration consists of multiple entities. The authTokenSvc configuration
|
|
is contained within the "conf" folder under the WEB-INF folder of the application
|
|
($CATALINA_HOME/webapps/CasaAuthTokenSvc/WEB-INF/conf). For an example configuration setup
|
|
for the AuthTokenSvc see the sampleConf folder.
|
|
|
|
The location of the AuthTokenSvc configuration folder can be over-ridden by specifying
|
|
a different path via the com.novell.casa.authtoksvc.config system property.
|
|
|
|
CONFIGURING THE BASE SERVICE
|
|
|
|
The ATS base settings are configured in the svc.settings file under the conf folder.
|
|
|
|
The following is an example svc.settings file:
|
|
|
|
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
<settings>
|
|
<SessionTokenLifetime>43200</SessionTokenLifetime>
|
|
<LifetimeShorter>10</LifetimeShorter>
|
|
<IAConfigFile>/home/jluciani/jakarta-tomcat-5.0.28/webapps/CasaAuthTokenSvc/WEB-INF/conf/iaRealms.xml</IAConfigFile>
|
|
<ReconfigureInterval>60</ReconfigureInterval>
|
|
<startSearchContext>o=novell</startSearchContext>
|
|
<KeyStoreUser>privKey<KeyStoreUser>
|
|
<KeyStorePwd>foobar<KeyStorePwd>
|
|
</settings>
|
|
|
|
Note the following about the sample svc.settings file:
|
|
|
|
- The settngs that you can specify in the svc.settings file are: SessionLifetime,
|
|
LifetimeShorter, IAConfigFile, and startSearchContext.
|
|
|
|
- The SessionTokenLifetime setting specifies the number of seconds for which a
|
|
session token is good for after being issued. The default value for this setting
|
|
is 43200 seconds. Note that a larger value reduces overhead.
|
|
|
|
- The LifetimeShorter setting specifies the number of seconds that should be substracted
|
|
from the SessionTokenLifetime when calculating the number of seconds that clients are
|
|
told that the session tokens are good for. The default value for this setting is 5
|
|
seconds.
|
|
|
|
- The IAConfigFile settings specifies the path to the identity abstraction
|
|
configuration file. The identity abstraction configuration file configures
|
|
the different realms (contexts) that the ATS can utilize to authenticate
|
|
entities and resolve identities. In the future the configuration of this
|
|
settng will be optional.
|
|
|
|
- The ReconfigureInterval setting specifies how often the ATS should refresh its
|
|
configuration. The default value for this setting is 60 seconds. A ReconfigureInterval
|
|
value of 0 means that the ATS will not refresh its configuration once it has been
|
|
initialized, thus requiring that the servlet be re-initialized to make configuration
|
|
changes take effect.
|
|
|
|
- The startSearchContext setting specifies the begin location for initiating
|
|
context searches. The absence of this setting will result in searches ocurring
|
|
from the root of the tree. This setting or an equivalent setting will be moved
|
|
to the identity abstraction configuration file where it belongs. Once this is done,
|
|
the setting will no longer be recognized within the svc.settings file.
|
|
|
|
- The KeyStoreUses setting specifies the user's alias name in the keystore that identifies
|
|
the private key that is to be used to sign tokens.
|
|
|
|
- The KeyStorePwd setting specifies the password of the user specified by KeyStoreUser to get
|
|
the private signing key from the keystore.
|
|
|
|
ATSs digitally sign tokens, for this purpose it is necessary that keys be generated and installed
|
|
in a keystore whose location and properties are configured in the crypto.properties file present in
|
|
the "classes" folder under the WEB-INF folder of the AuthTokenSvc application
|
|
($CATALINA_HOME/webapps/CasaAuthTokenSvc/WEB-INF/classes). Please note that you must edit the
|
|
crypto.properties file with the appropriate information once the AuthTokenSvc is deployed to
|
|
a Tomcat server.
|
|
|
|
CONFIGURING SERVICES TO CONSUME CASA AUTHENTICATION TOKENS
|
|
|
|
By default, an ATS will issue CASA authentication tokens to be consumed by any service
|
|
not explicitedly configured as a consumer in the ATS's configuration. This default
|
|
behavior can be turned off by setting the following system property in the JAVA_OPTS
|
|
environment variable:
|
|
|
|
-Dcom.novell.casa.authtoksvc.enabled_svcs_only=true
|
|
|
|
Services explicitedly configured as consumers of CASA authentication tokens by creating
|
|
folders under the conf/anabled_services folder. Since CASA distinguishes between services
|
|
of the same name existing in different hosts, the first folder that must be created
|
|
is one for the host where the service resides. The host folder name must match the
|
|
DNS name of the host where the service resides unless the service resides in the same
|
|
host as the ATS in which case the host folder name must be "localhost". Services are
|
|
configured by creating a folder under the appropriate host folder with a name matching
|
|
the service name.
|
|
|
|
Note when configuring services that the service folder and the host folder names must match
|
|
the service and host names specified by the client applications when requesting tokens to
|
|
authenticate to them with the exception of when the service resides in the same host as the
|
|
ATS in which case the host folder name is "localhost" and the host name specified by the
|
|
application is the host's DNS name.
|
|
|
|
The services folder must contain an auth.policy file, an authtoken.settings file,
|
|
and an identoken.settings file. In the absence of any one of those files or if the service
|
|
is not explicitedly configured, the ATS will default to utilizing the files present under
|
|
its conf folder.
|
|
|
|
The auth.policy file specifies the authentication realms (or contexts) to which
|
|
entities can authenticate to gain access to the service. The auth.policy file also
|
|
specifies the authentication mechanisms that can be utilized to authenticate to the
|
|
realms.
|
|
|
|
The following is an example auth.policy file:
|
|
|
|
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
<auth_policy>
|
|
<auth_source>
|
|
<realm>CorpTree</realm>
|
|
<mechanism>Krb5Authenticate</mechanism>
|
|
<mechanism_info>host/tokenserver.company.novell.com@KRB_REALM</mechanism_info>
|
|
</auth_source>
|
|
<auth_source>
|
|
<realm>CorpTree</realm>
|
|
<mechanism>PwdAuthenticate</mechanism>
|
|
<mechanism_info></mechanism_info>
|
|
</auth_source>
|
|
</auth_policy>
|
|
|
|
Note the following about the sample auth.policy file:
|
|
|
|
- An authentication realm is specified in the auth.policy file by creating an
|
|
auth_policy entry for it. An auth_policy entry must contain the realm name along
|
|
with the entries for the authentication mechanisms.
|
|
|
|
- When a realm supports more than one authentication mechanism, you must create
|
|
an auth_source entry for each supported mechanism.
|
|
|
|
- The realm names correspond to the realmIDs configured in the Identity Abstraction
|
|
configuration file for the desired context entry.
|
|
|
|
- The authentication mechanism entries are: mechanism and mechanism_info. The mechanism
|
|
entry specifies the name of the authentication mechanism. The mechanism_info specifies
|
|
some mechanism specific information. Both authentication mechanism entries must be
|
|
specified for an auth_source entry.
|
|
|
|
- The name of the Krb5 Authentication mechanism is "Krb5Authenticate". This mechanism
|
|
defaults the service principal name to host/hostname@KERBEROS_REALM. You can use a
|
|
different service principal name under the mechanism_info key.
|
|
|
|
- The name of the username/password authentication mechanism is "PwdAuthenticate" and
|
|
it does not require any information to be included under the mechanism_info key.
|
|
|
|
The authtoken.settings file contains settings that should be applied to authentication
|
|
tokens issued to authenticate to the service.
|
|
|
|
The following is an example authtoken.settings file:
|
|
|
|
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
<settings>
|
|
<TokenLifetime>3600</TokenLifetime>
|
|
<LifetimeShorter>10</LifetimeShorter>
|
|
<IdentityTokenType>CasaIdentityToken</IdentityTokenType>
|
|
</settings>
|
|
|
|
Note the following about the sample authtoken.settings file:
|
|
|
|
- The settings that you can specify in the authtoken.settings file are: TokenLifetime,
|
|
LifetimeShorter, and IdentityTokenType. If one of this tokens is not specified then
|
|
its default value is utilized.
|
|
|
|
- The TokenLifetime setting specifies the number of seconds for which a token is good
|
|
for after being issued. The default value for this setting is 3600 seconds. Note that
|
|
a larger value reduces overhead, but it also gives more time for an intruder to
|
|
utilize the token if it becomes compromized.
|
|
|
|
- The LifetimeShorter setting specifies the number of seconds that should be substracted
|
|
from the TokenLifetime when calculating the number of seconds that clients are told
|
|
that the tokens are good for. The default value for this setting is 5 seconds.
|
|
|
|
- The IdentityTokenType specifies the type of identity tokens that must be embedded in
|
|
the authentication tokens with identity information. The default value for this
|
|
setting is CasaIdentityToken.
|
|
|
|
The identoken.settings file contains settings that should be applied to identity tokens
|
|
embedded in authentication tokens.
|
|
|
|
The following is an example identoken.settings file:
|
|
|
|
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
<settings>
|
|
<Attributes>sn,groupMembership,guid</Attributes>
|
|
<EncryptAttributes>false</EncryptAttributes>
|
|
</settings>
|
|
|
|
Note the following about the sample identoken.settings file:
|
|
|
|
- The settings that you can specify in the identoken.settings file are: Attributes.
|
|
EncryptAttributes, and Certificate.
|
|
|
|
- The Attributes setting specifies the identity attributes that must be included
|
|
as part of the identity token, The attributes are specified in the form of a coma
|
|
delimited list. The default velue for this setting is "sn".
|
|
|
|
- The EncryptAtributes setting specifies whether or not the identity information
|
|
contained in the identity token should be emcrypted with the services's Public
|
|
Certificate. The default value for this setting is "false". Please note that
|
|
to enable identity attribute encryption you must not allow the ATS to default to
|
|
the file present in its conf folder (Attribute encryption is not yet supported
|
|
by the Casa identity token provider).
|
|
|
|
- The identoken.settings file can also contain additional identity token provider
|
|
specific settings.
|
|
|
|
CONFIGURING AUTHENTICATION MECHANISMS
|
|
|
|
Authentication mechanisms available to the AuthTokenSvc are configured by creating
|
|
a sub-folder named after the authentication mechanism type under the
|
|
conf/auth_mechanisms folder. The authentication mechanism folders must contain a
|
|
settings file named mechanism.settings. The mechanism.settings file must contain the
|
|
name of the class implementing the mechanism along with path information which
|
|
can be utilized by the ATS to load the class. The mechanism.settings file can
|
|
also contain mechanism specific settings.
|
|
|
|
The following setting is mandatory:
|
|
|
|
ClassName - This is the name of the class implementing the authentication mechanism.
|
|
|
|
One of the following settings must be included:
|
|
|
|
RelativeClassPath - This is a relative path from the web application's root folder
|
|
to the folder containing the class implementing the mechanism.
|
|
|
|
ClassPath - This is an absolute path to the folder containing the path to the class
|
|
implementing the mechanism.
|
|
|
|
The following is an example mechanism.settings file for the Krb5Authentication
|
|
mechanism:
|
|
|
|
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
<settings>
|
|
<ClassName>com.novell.casa.authtoksvc.Krb5Authenticate</ClassName>
|
|
<RelativeClassPath>WEB-INF/classes</RelativeClassPath>
|
|
<ServicePrincipalName>host</ServicePrincipalName>
|
|
</settings>
|
|
|
|
The base AuthTokenSvc package contains two authentication mechanisms, these are
|
|
Krb5Authenticate and PwdAuthenticate. The configuration under sampleConf is set up
|
|
to allow an AuthTokenSvc to leverage both mechanisms.
|
|
|
|
The Krb5Authenticate mechanism defaults the service principal name to "host/hostname",
|
|
you can over-ride this parameter by adding the following entry to its mechanism.settings file:
|
|
|
|
ServicePrincipalName - This is the name of the Kerberos Service Principal that the
|
|
Authentication Token Service runs as when authenticating other entities.
|
|
|
|
CONFIGURING ADDITIONAL IDENTITY TOKEN PROVIDERS
|
|
|
|
<This feature is not currently supported>
|
|
|
|
SECURITY CONSIDERATIONS
|
|
|
|
- TBD -
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|