EAServer 6.0 uses the “user@domain” style for user security. This improves the ability for administrators to separate different user security settings into different domains. For example, you can separate users into different domains, and use a different access control policy for each domain.
As a result, every user is a member of a domain. For example, admin@system represents the admin user in the system domain. If you provide only the user name, the server assigns it to the ‘default’ domain, so a bare user becomes user@default. Any user, in any domain, can have “admin-role” assigned to it; “admin@system” is the default. EAServer includes two preinstalled domains: system and default.
In addition, there is no default password set for the user 'admin@system'. When you install EAServer, you are asked to provide an admin password. Otherwise, use the set-admin-password command to set it. You must set this password before you can start EAServer.
To add a security domain:

1. From the Web Management Console, expand the Security folder.
2. Right-click the Domains folder and select Add.

The New Domain wizard guides you through adding a new security domain. You can then set domain properties.
To set domain properties:

1. From the Web Management Console, expand the Security folder.
2. Select Domains | domain_name, where domain_name is the domain for which you are setting properties. The right pane displays the domain properties.
3. Select the General, Password Settings, or Login Properties tab to access the properties. See Table 10-1 (General) and Table 10-2 (Password Settings) for a description of the properties. The Login Properties tab contains one property, Certificate Digest Algorithm, which defines the Secure Hash Algorithm (SHA) used for logins to this domain. SHA-512 is the default.
4. Select Apply to apply your changes, or Reset to restore them to their previous values.
Table 10-1: General properties

| Property name | Description |
|---|---|
| Login Method | Select the method used for login from the drop-down list. See “Login methods” for a description of each. |
| Login Cache Timeout | Specifies how long, in seconds, to cache login information before it times out. Once a user is logged in, the login information (user name and password) is maintained in the system. The next time the same user logs in, the system checks the cached information and compares it with the supplied password. This way, normal authentication is bypassed and performance is enhanced. |
| Login Failure Lock Threshold | Specifies the number of times the client can retry with wrong credentials before being locked out. |
| Login Failure Lock Timeout | Specifies the amount of time a user is locked out when the login failure lock threshold is reached. |
| Access Control Policy | The access control policy for the selected login method. The Access Control Policy should be set to the name of the policy class for all security domains that might be associated with JACC-enabled modules. The policy class selected for this purpose is expected to perform JACC policy checks only. See “JACC (JSR-115) support”. JRE-related policy can be separately enabled (if required) using standard JRE security policy mechanisms. |
| Audit Access Denied | When set to true, every denied attempt by a user to access a server resource is logged to the server’s log file ($EAServer/logs/server_name.log). |
| Audit Access Permitted | When set to true, every permitted access by a user to a server resource is logged to the server’s log file ($EAServer/logs/server_name.log). |
| Permission Cache Timeout | The number of seconds that the result of an authorization (access control) check is cached. This applies to both denied access and permitted access. Caching of authorization results improves performance. |
| Authentication Service | The name and path of your custom authentication service component (if any). This allows you to customize EAServer security and to integrate with third-party enterprise security software. See Chapter 7, “Creating and Using Custom Security Components.” |
| FTP Host Name(s) | The host name of the FTP server to which the security domain delegates authentication requests. A comma-separated list can be used to specify multiple servers (for high availability, not load balancing). |
| FTP Port Number | The port number of the FTP server to which the security domain delegates authentication requests. |
| Http Resource URL(s) | The URL of an HTTP resource that the security domain attempts to access when delegating authentication requests to an HTTP server. A comma-separated list can be used to specify multiple URLs (for high availability, not load balancing). |
| JAAS Login Context | The name of a JAAS (Java Authentication and Authorization Service) login context that has been configured in jaas.conf. Refer to the JDK documentation for details on jaas.conf. |
| JDBC Driver Class | The JDBC driver class to be used for database authentication. |
| JDBC Database URL(s) | The URL of a JDBC database that the security domain attempts to access when delegating authentication requests to a database server. A comma-separated list can be used to specify multiple URLs (for high availability, not load balancing). |
| JNDI Initial Context Factory | The name of an initial context factory class to be used for JNDI authentication. |
| JNDI Provider URL | The provider URL that the security domain attempts to access when delegating authentication requests to a JNDI server. |
| JNDI Lookup Name | The name of a JNDI-bound object that the security domain attempts to look up when delegating authentication requests to a JNDI server. |
| Role Service Component | The name and path of your custom role service component (if any). This allows you to customize EAServer security and to integrate with third-party enterprise security software. See Chapter 7, “Creating and Using Custom Security Components.” |
| Web Realm Names | EAServer contains a default security realm. The security realm is a container used to store the roles used to allow and limit access to your Web services. When you connect to EAServer from the Web Management Console, you see the security realm. |
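The interaction between Login Cache Timeout, Login Failure Lock Threshold and Login Failure Lock Timeout is easiest to see in a small model. The following is an added example, not EAServer code: the in-memory credential store and the caller-supplied clock (`now`, in seconds) are assumptions that make the behaviour deterministic.

```python
"""Model of the Login Cache Timeout, Login Failure Lock Threshold and Login
Failure Lock Timeout properties described above.  Added illustration, not
EAServer code: the in-memory credential store and the caller-supplied clock
(`now`, in seconds) are assumptions that make the behaviour deterministic."""
from dataclasses import dataclass, field
import hmac

def _same(a, b):
    """Constant-time string comparison so timing does not leak the password."""
    return hmac.compare_digest(a.encode(), b.encode())

@dataclass
class DomainLoginPolicy:
    login_cache_timeout: int   # seconds a successful login stays cached
    lock_threshold: int        # wrong-credential attempts before lockout
    lock_timeout: int          # seconds the lockout lasts
    credentials: dict = field(default_factory=dict)   # "user@domain" -> password
    _failures: dict = field(default_factory=dict, init=False)      # user -> count
    _locked_until: dict = field(default_factory=dict, init=False)  # user -> timestamp
    _cache: dict = field(default_factory=dict, init=False)         # user -> (pw, expiry)

    def login(self, user, password, now):
        """Return 'ok', 'ok-cached', 'denied' or 'locked' for one login attempt."""
        if "@" not in user:                      # bare name belongs to the "default" domain
            user = f"{user}@default"
        if self._locked_until.get(user, 0) > now:
            return "locked"
        cached = self._cache.get(user)
        if cached and cached[1] > now and _same(cached[0], password):
            return "ok-cached"                   # normal (backend) authentication bypassed
        stored = self.credentials.get(user)
        if stored is not None and _same(stored, password):
            self._failures.pop(user, None)
            self._cache[user] = (password, now + self.login_cache_timeout)
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.lock_threshold:
            self._locked_until[user] = now + self.lock_timeout
            self._failures.pop(user, None)
            return "locked"
        return "denied"
```

The model also shows the operational consequence of the cache: a password changed at the backend is not enforced for that user until the cached entry expires, so a short Login Cache Timeout is the lever that bounds that window.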
Table 10-2: Password Settings properties

| Property name | Description |
|---|---|
| Password Hash Algorithm | The algorithm used to hash the password. The strongest supported algorithm is used (currently SHA-512). |
| Minimum Password Length | The minimum total number of characters. |
| Maximum Password Length | Defines the maximum password length. Used only if the Login Method is Local-hash. The default value is 14. |
| Minimum Password Letters | The minimum number of letters the password must contain. |
| Require Mixed Case Passwords | When true, the password must contain both uppercase and lowercase letters. |
| Password Start Characters | When set, the password must start with one of the characters in the string you enter here. For example: a, B, r, t, 3. |
| Minimum Password Digits | The minimum number of digits (0 – 9) the password must contain. |
| Minimum Password Special Characters | The minimum number of special characters (*, &, #, and so on) the password must contain. |
| Password Special Characters | A comma-separated list of the special characters the password can contain. |
| Password End Characters | A comma-separated list of characters the password must end with. If left blank, any character can end the password. |
| Retain Old Passwords | The number of historical passwords saved for this user. |
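Taken together, the Password Settings above define a checkable policy. The following validator is an added example, not EAServer code: the field names mirror the property names on the page, the comma-separated form is the one shown for Password Start Characters, and two rules are assumptions, that special characters outside the allowed list are rejected and that a password matching one of the retained historical passwords is rejected.

```python
"""Validator for the per-domain Password Settings in Table 10-2 above.  Added
illustration, not EAServer code; names mirror the page, the allowed-list and reuse rules are assumptions."""
from dataclasses import dataclass

def parse_char_list(spec):
    """Parse the page's comma-separated form, e.g. 'a, B, r, t, 3', into a set."""
    return {item.strip() for item in spec.split(",") if item.strip()}

@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 14                 # page default for the Local-hash method
    min_letters: int = 1
    require_mixed_case: bool = True
    start_chars: str = ""                # blank: any character may start it
    min_digits: int = 1
    min_special: int = 1
    special_chars: str = "*, &, #, !, $" # constructed allowed list
    end_chars: str = ""                  # blank: any character may end it
    retain_old: int = 3                  # historical passwords kept per user

def check_password(pw, policy, history=()):
    """Return the names of the violated rules; an empty list means accepted."""
    allowed = parse_char_list(policy.special_chars)
    starts, ends = parse_char_list(policy.start_chars), parse_char_list(policy.end_chars)
    specials = [c for c in pw if not c.isalnum()]
    violations = []
    if len(pw) < policy.min_length:
        violations.append("min_length")
    if len(pw) > policy.max_length:
        violations.append("max_length")
    if sum(c.isalpha() for c in pw) < policy.min_letters:
        violations.append("min_letters")
    if policy.require_mixed_case and not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        violations.append("mixed_case")
    if starts and (not pw or pw[0] not in starts):
        violations.append("start_chars")
    if sum(c.isdigit() for c in pw) < policy.min_digits:
        violations.append("min_digits")
    if len(specials) < policy.min_special:
        violations.append("min_special")
    if any(c not in allowed for c in specials):   # assumption: the list is exhaustive
        violations.append("disallowed_special")
    if ends and (not pw or pw[-1] not in ends):
        violations.append("end_chars")
    if policy.retain_old and pw in tuple(history)[-policy.retain_old:]:
        violations.append("reused")               # assumption: history blocks reuse
    return violations
```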