Configuring EAServer to use SiteMinder security
Install the Netegrity JAAS configuration file into your server. The file is netegrity_jaas.cfg, located in the EAServer ini subdirectory on Windows platforms and config subdirectory on UNIX platforms. Install the JAAS module as follows:
Using EAServer Manager, display the Server Properties dialog box. On the Security tab, set the JAAS Configuration File to the full path to the netegrity_jaas.cfg file.
If you are running a server other than the preconfigured Jaguar server, display the Advanced tab. Set the com.sybase.jaguar.server.jaas.section property to Jaguar. If this property is not present, add it.
Follow the instructions for your platform below to copy necessary files from the Netegrity SDK installation to the JDK installation that you use to run EAServer.
On UNIX platforms, verify the JDK location by checking the values of the JAGUAR_JDK13 or JAGUAR_JDK14 variables in the EAServer bin/setenv.sh file. Copy these files from the Netegrity SDK installation to the JDK jre/lib/sparc subdirectory:
libsmagentapi.so
libsmjavaagentapi.so
On Windows platforms, verify the JDK location by checking the values of the JAGUAR_JDK13 or JAGUAR_JDK14 variables in the EAServer bin\setenv.bat file. Copy these files from the Netegrity SDK installation to the JDK jre\bin subdirectory:
smAgentAPI.dll
smJavaagentapi.dll
Copy the following JAR files from the Netegrity SDK to the java/lib subdirectory of your EAServer installation:
smjavaagentapi.jar
smjavaskd2.jar
On the Advanced tab in the Server Properties dialog box, set the property com.sybase.jaguar.server.callerprincipalservice to:
pseudo://java/com.sybase.jaguar.security.netegrity/CtsSecurity/NetegrityCallerPrincipal
On the Advanced tab in the Server Properties dialog box, set the property com.sybase.jaguar.server.roleservice to:
pseudo://java/com.sybase.jaguar.security.netegrity/CtsSecurity/NetegrityRoleService
Also on the Advanced tab, set the properties listed in the table below:
Property | Value |
---|---|
com.sybase.jaguar.server.http.sso | If you have configured single sign-on support using a reverse-proxy server, set to |
com.sybase.jaguar.server.smAgentName | The agent name used in the SiteMinder Policy Server, for example, “easagent”. |
com.sybase.jaguar.server.smAgentPassword.e | The agent password used to connect to the SiteMinder Policy Server. The password is stored in encrypted form in the EAServer repository. |
com.sybase.jaguar.server.smServerAddress | The host name of the SiteMinder Policy Server. |
com.sybase.jaguar.server.smAgentDebug (optional) | Optionally set to |
com.sybase.jaguar.server.smAuthorizationPort (optional) | Authorization port for the SiteMinder Policy Server. If not set, the default is 44443. |
com.sybase.jaguar.server.smAuthenticationPort (optional) | Authentication port for the SiteMinder Policy Server. If not set, the default is 44442. |
com.sybase.jaguar.server.smAccountingPort (optional) | Accounting port for the SiteMinder Policy Server. If not set, the default is 44441. |
com.sybase.jaguar.server.server.smTimeout (optional) | The SiteMinder cache lifetime limit, in seconds. If not set, the default is twice the EAServer authorization cache timeout, specified by the server property com.sybase.jaguar.server.authorization.permcachetimeout. |
com.sybase.jaguar.server.smSize (optional) | The SiteMinder cache size. If not set, the default is 600. |
For each EAServer Web application, display the Web Application Properties in EAServer Manager. Configure the authentication method as described in “Authentication methods for EAServer and SiteMinder”.
You must configure the Netegrity and EAServer authentication methods differently depending on whether you allow direct login to EAServer. If you allow direct login to EAServer, configure the EAServer and SiteMinder authentication methods to match according to Table 10-1. If you use FORM authentication, the login and error pages must be set and deployed in EAServer. Do not mix certificate-based authentication with user name/password-based authentication. In other words, all EAServer Web applications must use FORM or BASIC, or all must use CLIENT-CERT.
EAServer authentication method | SiteMinder authentication scheme type |
---|---|
FORM | BASIC |
BASIC | BASIC |
CLIENT-CERT | X.509 |
If you use a reverse-proxy server to support Netegrity single sign-on, use BASIC in EAServer. In SiteMinder, use BASIC, FORM, or X.509 as required by the application. In this case, authentication is performed within the reverse-proxy server and the Netegrity setting supersedes the EAServer setting.
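The rules in this section, written as a check over an inventory of Web applications. This is an added example, not Sybase or Netegrity code; the field names (`eas_method`, `sm_scheme`, `login_page`, `error_page`), the function name, and the sample inventory are assumptions constructed for illustration.

```python
# Added example: audits web application authentication settings against the
# rules on this page. Field and function names are assumptions for
# illustration, not an EAServer or SiteMinder API.

# Direct-login mapping from the table: EAServer method -> SiteMinder scheme type.
DIRECT_LOGIN_SCHEME = {"FORM": "BASIC", "BASIC": "BASIC", "CLIENT-CERT": "X.509"}
PASSWORD_METHODS = {"FORM", "BASIC"}
PROXY_SCHEMES = {"BASIC", "FORM", "X.509"}


def audit_auth_config(apps, reverse_proxy_sso=False):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    for app in apps:
        name, method, scheme = app["name"], app["eas_method"], app["sm_scheme"]
        if reverse_proxy_sso:
            # The proxy authenticates: EAServer stays on BASIC, SiteMinder picks the scheme.
            if method != "BASIC":
                findings.append(f"{name}: EAServer must use BASIC behind the proxy, found {method}")
            if scheme not in PROXY_SCHEMES:
                findings.append(f"{name}: unsupported SiteMinder scheme {scheme}")
            continue
        expected = DIRECT_LOGIN_SCHEME.get(method)
        if expected is None:
            findings.append(f"{name}: unsupported EAServer method {method}")
        elif scheme != expected:
            findings.append(f"{name}: {method} requires SiteMinder scheme {expected}, found {scheme}")
        if method == "FORM" and not (app.get("login_page") and app.get("error_page")):
            findings.append(f"{name}: FORM needs login and error pages deployed in EAServer")
    methods = {app["eas_method"] for app in apps}
    if not reverse_proxy_sso and methods & PASSWORD_METHODS and "CLIENT-CERT" in methods:
        findings.append("server: CLIENT-CERT is mixed with user name/password methods")
    return findings


# Constructed sample inventory (not taken from a real server).
SAMPLE_APPS = [
    {"name": "shop", "eas_method": "FORM", "sm_scheme": "BASIC",
     "login_page": "/login.jsp", "error_page": "/error.jsp"},
    {"name": "reports", "eas_method": "BASIC", "sm_scheme": "FORM"},
    {"name": "admin", "eas_method": "CLIENT-CERT", "sm_scheme": "X.509"},
]

if __name__ == "__main__":
    for finding in audit_auth_config(SAMPLE_APPS):
        print(finding)
```

With the sample inventory in direct-login mode, the check reports the scheme mismatch on `reports` and the server-wide mix of CLIENT-CERT with password-based methods.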
Copyright © 2005. Sybase Inc. All rights reserved.