Replacing Existing Sybase Control Center Login Modules with Delegate Login Module

If you have manually configured a login provider to work with Sybase Control Center for authentication, Sybase strongly recommends that you update csi.properties and roles-map.xml to use the newly added Delegate Login module. The runtime upgrade script automatically replaces PreConfigured User Login module entries when it finds them.

1. Open SCC_HOME\conf\csi.properties and add the Delegate Login module to it, shown in bold in the example below:

   
   ## This file defines the default CSI configuration
   
   ###########################################
   ## login modules ##
   ###########################################
   ## Anonymous Login Module
   CSI.loginModule.1.provider=com.sybase.ua.services.security.anonymous.AnonymousLoginModule
   CSI.loginModule.1.controlFlag=sufficient
   CSI.loginModule.1.options.moduleName=Anonymous Login Module
   CSI.loginModule.1.options.roles=uaAnonymous
   
   ###########################################
   ## authorizers ##
   ###########################################
   ## XML Authorizer
   CSI.authorizer.1.provider=com.sybase.ua.services.security.xml.XMLAuthorizer
   
   ###########################################
   ## attributers ##
   ###########################################
   ## XML Attributer
   CSI.attributer.1.provider=com.sybase.ua.services.security.xml.XMLAttributer
   
   
   ## SUP PreConfiguredUser and Delegation Login Modules
   ## The number "2" is file content dependent and must be derived 
   ## by the user based on the quantity of other modules configured
   ## in the same file. The "modulename" must be unique.
   ## A controlFlag is defined through Sybase Control Center 
   ## properties for each stacked security provider.
   CSI.loginModule.2.options.moduleName=SUP Delegation Login Module
   CSI.loginModule.2.provider=com.sybase.ua.services.security.sup.SUPDelegateLoginModule
   CSI.loginModule.2.controlFlag=sufficient

2. Open SCC_HOME\conf\roles-map.xml, then insert the entries in bold to use only the Delegation Login module:

   <?xml version="1.0" encoding="UTF-8"?>
   <roles-map>
    <uaf-roles>
      <role name="uaAgentAdmin" description="Agent administrator role" />
      <role name="uaPluginAdmin" description="Plugin administrator role" />
      <role name="uaOSAdmin" description="Operation system administrator role" />
      <role name="uaASEAdmin" description="ASE administrator role" />
      <role name="uaUser" description="User role" />
      <role name="uaGuest" description="Guest role" />
      <role name="uaAnonymous" description="Anonymous role" />
      <role name="sccAdminRole" description="SCC Administrator Role" />
      <role name="sccOperRole" description="SCC Operator Role" />
      <role name="sccUserRole" description="SCC User Role" />
      <role name="sccGuestRole" description="SCC Guest Role" />
      <role name="jmxDirectAccess" description="JMX Direct Access Role" />    
    </uaf-roles>
    <security-modules>
   
      ## The "name" attribute value must match the name specified in the csi.properties file.
   <module name="SUP Delegation Login Module">
        <role-mapping modRole="SUP Administrator" uafRole="uaAnonymous,uaAgentAdmin,uaPluginAdmin,sccAdminRole,sccUserRole,sccOperRole,sccGuestRole,jmxDirectAccess"/>
        <role-mapping modRole="SUP Domain Administrator" uafRole="uaAnonymous,uaAgentAdmin,uaPluginAdmin,sccUserRole,sccOperRole,sccGuestRole,jmxDirectAccess"/>
      </module>
      <module name="Anonymous Login Module">
        <role-mapping modRole="uaAnonymous" uafRole="uaAnonymous" />
      </module>
    </security-modules>
   </roles-map>