Create a new security configuration, assign the CertificateAuthenticationLoginModule authentication provider to it, and assign the security configuration to an Unwired Server domain or package.
The CertificateAuthenticationLoginModule authentication provider supports X.509 certificate logins to SAP systems through JCo, DOE-C, Online Data Proxy, and Web service connections. You can assign security configurations to domains, packages, or applications.
- Create the new security configuration:
  - From Sybase Control Center, select Security.
  - Select the General tab, click New, and enter a name for the new security configuration, for example, X509SECADMINCERT. Click OK.
- Configure the new security configuration:
  - Expand the Security folder.
  - Select the X509SECADMINCERT security configuration.
  - Select Authentication.
  - Select New.
  - Select com.sybase.security.core.CertificateAuthenticationLoginModule as the Authentication provider.
  - Click OK to accept the default settings, or modify any of these settings as required:
    - Click <Add New Property>, select Validate Certificate Path and set the value to true.
    - If more than one truststore is defined in Unwired Server, click <Add New Property>, select Trusted Certificate Store and set the value to the location of the Java truststore that contains the Unwired Server trusted CA certificates. Otherwise, the default Unwired Server truststore is used.
    - If you change the default password for the truststore, click <Add New Property>, select Trusted Certificate Store Password and set the value of the truststore password.
    - Click OK.
  - Select the General tab, select Validate, then Apply.
- Assign the X509SECADMINCERT security configuration to an Unwired Server domain. This example uses the default domain, but you can specify any domain to which the package is deployed:
  - Click .
  - Click Assign.
  - Select X509SECADMINCERT and click OK.
- If any other security configurations have been assigned to this SSO domain,
Sybase suggests that you unassign them.
However, many deployments of Unwired Platform do mix
SSO and non-SSO MBOs or operations in the same package. There are certain
operations that are not sensitive and do not require the overhead of setting up
the SSO connection to the backend. Some packages may even perform DCNs, and the
DCN user would not be part of the SSO-enabled login module. If you do
authenticate a user against a non-SSO login module and then attempt to perform
an SSO-enabled operation, then the credentials are sent to the backend, which
may not be desired.
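Before pointing Trusted Certificate Store at a truststore and enabling Validate Certificate Path, it helps to confirm that a user's certificate actually chains to a CA in that file. The following is an added example, not Unwired Platform code: it uses the standard JDK PKIX validator, and the class name TruststorePathCheck, the TRUSTSTORE_PASSWORD environment variable, the JKS store type and the disabled revocation check are assumptions of this sketch.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

// Hypothetical pre-flight helper (not part of Unwired Platform).
// Usage: java TruststorePathCheck <truststore.jks> <client.pem> [intermediate.pem ...]
// Certificates are given leaf first; the truststore password is read from the
// TRUSTSTORE_PASSWORD environment variable so it stays out of the process list.
public class TruststorePathCheck {
    public static void main(String[] args) throws Exception {
        String pw = System.getenv("TRUSTSTORE_PASSWORD");
        if (args.length < 2 || pw == null) {
            System.err.println("usage: TRUSTSTORE_PASSWORD=... java TruststorePathCheck "
                    + "<truststore.jks> <client.pem> [intermediate.pem ...]");
            System.exit(2);
        }
        // Load the truststore; a wrong password or corrupt file fails here.
        KeyStore trust = KeyStore.getInstance("JKS"); // assumed store type
        try (InputStream in = new FileInputStream(args[0])) {
            trust.load(in, pw.toCharArray());
        }
        // Build the certificate path from the supplied files, leaf first.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain = new ArrayList<>();
        for (int i = 1; i < args.length; i++) {
            try (InputStream in = new FileInputStream(args[i])) {
                chain.add(cf.generateCertificate(in));
            }
        }
        CertPath path = cf.generateCertPath(chain);
        // Every trusted-certificate entry in the store becomes a trust anchor.
        // This constructor throws if the store holds no trusted entries at all.
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // sketch only: no CRL/OCSP lookup
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("OK: chains to "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getIndex() is the position in the path that failed, or -1.
            System.out.println("REJECTED at index " + e.getIndex() + ": " + e.getMessage());
            System.exit(1);
        }
    }
}
```

A rejection here (expired certificate, missing intermediate, or no matching CA in the store) indicates a certificate or truststore problem to resolve before testing logins against the new security configuration.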