EAServer supports integration with Netegrity SiteMinder security software. Netegrity SiteMinder provides single sign-on and centralized management of Web, database, and software resources in enterprise applications. For more information, see the Netegrity Web site.
The following configurations are supported:
Web access to EAServer through a secure reverse-proxy server. This configuration provides global single sign-on support for all applications and servers that are protected by the proxy server, as well as centralized user and user rights management. In this configuration, no direct user connections are allowed to EAServer. Instead, users access EAServer via the proxy server. Users log in to the secure proxy server using basic (user name plus password) authentication or by presenting an SSL certificate. This configuration requires a reverse-proxy server that supports Netegrity single sign-on, such as Apache with the Netegrity Web Agent installed or the Netegrity Secure Proxy Server.
Direct client access to EAServer with Netegrity authentication. In this configuration, users present their login credentials (user name and password or SSL certificate) to EAServer. The Netegrity agent installed in EAServer forwards the credentials to the Netegrity Policy Server for validation. While this configuration does not support global single sign-on, it does allow you to take advantage of centralized user and user-rights management provided by the Netegrity Policy Server.
Mixed access, which is a combination of these two approaches. For example, you can enable access through a proxy server to provide global single sign-on support to Web client users, while still supporting direct IIOP or IIOPS connections to EAServer from other client applications.
EAServer integration with SiteMinder is provided by Java Authentication and Authorization Service (JAAS) modules installed in EAServer, along with custom role service and caller principal service components. These components use the Netegrity Agent API to connect to the Netegrity Policy Server to verify user credentials, login status, and role membership.
When using Netegrity, EAServer authorization is based on the EAServer roles that are associated with components and Web resources, with role membership evaluated by the Netegrity Policy Server. The required roles for resource access are determined based on the component or Web application properties, as set in EAServer Manager or jagtool. When a resource requires role membership for access, EAServer calls the Netegrity role service, which determines whether the user is a member of the required role based on settings maintained in the Netegrity Policy Server.
These JAAS login modules are provided for Netegrity/EAServer integration:
An HTTP login module, which allows EAServer Web applications to support Netegrity single sign-on in reverse-proxy configurations.
A X.509 certificate login module, which validates client SSL certificates presented to EAServer by forwarding them to the Netegrity Policy Server.
A basic login module, which validates client user names and passwords presented to EAServer by forwarding them to the Netegrity Policy Server.
