Configuring the SiteMinder Policy Server

The following configuration can be performed in the Netegrity Policy Server User Interface Console. For detailed instructions, see the Netegrity documentation. These settings are required for all scenarios.

Steps: Policy Server setup

  1. Create a Web agent named easagent, configured with the Policy Server host name and password.

  2. Create a user directory with all the user names to be authenticated. Also, add a user “Anonymous” with password “Anonymous”. The anonymous user is required to allow IIOP login without user credentials, such as for a client accessing a message-driven bean.

  3. If you use client certificates in your application, enter the common name of each certificate in the user directory.

  4. Configure an authentication scheme to match your Netegrity configuration scenario, as described in “Authentication methods for EAServer and SiteMinder”.

  5. Configure a domain named Sybase that uses the user directory. Create a realm named “EAS” with these properties:

    1. Agent is “easagent”.

    2. Resource Filter is “/EAS”.

    3. Default Resource Protection is “Unprotected”.

    4. Authentication Scheme matches the scheme you configured previously.

  6. For the EAS realm, create a rule named “DummyResource” with resource “/DummyResource”. This rule must be enabled with the “Allow Access” option selected. This rule is the default resource for authentication.

  7. For the EAS realm, create additional rules for each EAServer role with the following properties:

    1. Set the resource to:

      /ROLE/role-name

      Where role-name is the EAServer role name, as displayed in EAServer Manager. For example, “Admin Role” in EAServer requires the resource /Role/Admin Role.

    2. Set Web Agent Actions to “Get, Post, Put.”

    3. Enable the rule and select the “Allow Access” option.

  8. Create a new policy, for example, Policy01. For each role used in your application, create mappings for the client user names and certificate common names that belong to the role. These mappings are used for role-based authorization of resource access.

  9. If you use client certificates in your application, configure the certificate mapping properties. Create a mapping for each issuing certificate, that is, the distinguished name of each root certificate that corresponds to a certificate authority used by your application. Map this distinguished name to the user directory type that matches the user directory that you created earlier. For each mapping, select the Single Attribute mapping option, and select the Common Name (CN) as the attribute to map.

  10. To ensure the changes you have made take effect, flush the Policy Server cache.
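Once the realm and rules are in place, it is worth checking the result against the settings above rather than trusting the console session. The following is an added example, not code from the EAServer or SiteMinder documentation: it lints a realm definition modelled as a plain Python dict (the field names are assumptions for illustration) against the realm properties of step 5, the DummyResource rule of step 6 and the per-role rules of step 7, and reports any drift.

```python
# Added example, not from the EAServer/SiteMinder docs: lint a SiteMinder realm
# definition (modelled as a plain dict; field names are illustrative) against
# the settings the procedure above requires, and report any drift.
from typing import Dict, List

REQUIRED_ACTIONS = {"Get", "Post", "Put"}   # step 7: Web Agent Actions


def check_eas_realm(realm: Dict, eas_roles: List[str]) -> List[str]:
    """Return findings for a realm; an empty list means it matches the procedure."""
    findings: List[str] = []
    if realm.get("agent") != "easagent":
        findings.append("realm: agent must be 'easagent'")
    if realm.get("resource_filter") != "/EAS":
        findings.append("realm: Resource Filter must be '/EAS'")
    if realm.get("default_protection") != "Unprotected":
        findings.append("realm: Default Resource Protection must be 'Unprotected'")
    # Index rules by resource, case-insensitively (the docs show /ROLE/ and /Role/).
    by_resource = {r["resource"].lower(): r for r in realm.get("rules", [])}
    dummy = by_resource.get("/dummyresource")
    if dummy is None:
        findings.append("DummyResource: rule missing (default authentication resource)")
    elif not (dummy.get("enabled") and dummy.get("access") == "Allow"):
        findings.append("DummyResource: must be enabled with Allow Access")
    for role in eas_roles:
        expected = f"/ROLE/{role}"
        rule = by_resource.get(expected.lower())
        if rule is None:
            findings.append(f"role '{role}': no rule with resource {expected}")
            continue
        if not (rule.get("enabled") and rule.get("access") == "Allow"):
            findings.append(f"role '{role}': rule must be enabled with Allow Access")
        missing = REQUIRED_ACTIONS - set(rule.get("actions", []))
        if missing:
            findings.append(f"role '{role}': missing Web Agent actions {sorted(missing)}")
    return findings


# Constructed sample export with two deliberate deviations: the Admin Role rule
# lacks the Put action, and the Operator role has no rule at all.
SAMPLE_REALM = {
    "agent": "easagent", "resource_filter": "/EAS", "default_protection": "Unprotected",
    "rules": [
        {"resource": "/DummyResource", "enabled": True, "access": "Allow",
         "actions": ["Get", "Post", "Put"]},
        {"resource": "/ROLE/Admin Role", "enabled": True, "access": "Allow",
         "actions": ["Get", "Post"]},
    ],
}
```

Running `check_eas_realm(SAMPLE_REALM, ["Admin Role", "Operator"])` reports the missing Put action and the absent Operator rule; feed it the role list from EAServer Manager and a dump of the real realm to catch the same kind of omission before flushing the cache.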