Using Authentication SPIs

Access Manager provides the following sample programs to demonstrate how you can use the Authentication service programming interfaces (SPIs) to extend authentication functionality:

• Implementing a Custom Authentication Module

• Implementing Authentication PostProcessing SPI

• Generating an Authentication User ID

• Implementing A Pure JAAS Module

Implementing a Custom Authentication Module

Access Manager contains a sample exercise for integrating a custom authentication module with files that have already been created. This sample illustrates the steps for integrating an authentication module into the Access Manager deployment. All the files needed to compile, deploy and run the sample authentication module can be found in the following directory:

AccessManager-base/SUNWam/samples/authentication/providers

The following sections will use files from this sample as example code:

• Writing a Sample Login Module

• Compiling and Deploying the LoginModule program

• To Deploy the Login Module Sample Program

• Loading the Login Module Sample into Access Manager

• Running the LoginModule Sample Program

About the Login Module Sample

<PRODUCT_DIR> setting on different Platforms:

Solaris Sparc/x86: <PRODUCT_DIR> = base-directory/SUNWam

Linux: <PRODUCT_DIR> = base-directory/sun/identity

Windows 2000: <PRODUCT_DIR> = base-directory

Writing a Sample Login Module

Use the AMLoginModule SPI to write your own sample login module.

To Write a Sample Login Module

1. Creating a Module Properties File.

2. Writing the Principal Class.

3. Implementing the LoginModule Interface.

   The following are the default directories used in the sample exercise for the various platforms:

   Solaris Sparc/x86: <PRODUCT_DIR> = base-directory/SUNWam

   Linux: <PRODUCT_DIR> = base-directory/sun/identity

   W2K: <PRODUCT_DIR> = base-directory

Creating a Module Properties File

Create a Module properties XML file with the same name of the class (no package name) and use the extension .xml. You must create an XML file with this naming convention even if no states required

Based on this configuration file, the Authentication user interface will dynamically generate a login page.

You can define page states in the module properties file as shown in Creating a Module Properties File. Each callback element corresponds to one login page state. When an authentication process is invoked, Callback[] values will be generated from the user’s Login Module for each state. All login state definitions start with 1. The module controls the login process, and then determines what the next state is.

Auth_Module_Properties.dtd defines the data structure that will be used by each authentication module to specify its properties. Auth_Module_Properties.dtd provides definitions to initiate, construct and send required callbacks information to the Authentication graphical user interface. Auth_Module_Properties.dtd is stored in the <PRODUCT_DIR>/dtd directory.

Example 2–5 Module Configuration Sample

<ModuleProperties moduleName="LoginModuleSample" version="1.0" >
         <Callbacks length="2" order="1" timeout="60" 
							header="This is a sample login page">
             <NameCallback>
             <Prompt> User Name </Prompt>
         </NameCallback>
         <NameCallback>
             <Prompt> Last Name </Prompt>
         </NameCallback>
         </Callbacks>
         <Callbacks length="1" order="2" timeout="60" 
							header="You made it to page 2" >
             <PasswordCallback echoPassword="false" >
             <Prompt> Just enter any password </Prompt>
             </PasswordCallback>
         </Callbacks>
    </ModuleProperties>
Module Configuration Sample
                  

In this module configuration sample, page state one has two callbacks. The first callback is for user ID, and second is for Last Name. When the user fills in the callbacks, the following events occur:

• The Callback[] values are sent to the module.

• The process() routine validates the callback values.

• The module writer sets the next page state to 2.

  Page state 2 has one callback to request the user to enter a password. The process() routine is again called after the user submits the Callback[] values. If the module writer throws a LoginException, then an Authentication Failed page will be sent to the user. If no exception is thrown, the user is redirected to his or her default page.

Writing the Principal Class

After creating module configuration XML file, the next step is to write a Sample Principal class which implements java.security.Principal. The constructor takes the user’s username as an argument. If authentication is successful, the module will return this principal to Authentication framework. The Authentication framework populates a Subject with a SamplePrincipal representing the user.

Implementing the LoginModule Interface

AMLoginModule is an abstract class which implements JAAS LoginModule. AMLoginModule provides methods for accessing Access Manager services and the module XML configuration. Login Module writers must subclass AMLoginModule class and implement the following methods:

• init()

• process()

• getPrincipal()

For detailed descriptions, syntax, and parameters, see the Sun Java System Access Manager 7.1 Java API Reference. The following sections provide some supporting information about these methods.

init() This is an abstract method, Module writer should implement to initialize this LoginModule with the relevant information. If this LoginModule does not understand any of the data stored in sharedState or options parameters, the data can be ignored. This method is called by a AMLoginModule after thisSampleLoginModule has been instantiated, and prior to any calls to its other public methods. The method implementation should store away the provided arguments for future use. The init method may additionally peruse the provided sharedState to determine what additional authentication state it was provided by other LoginModules, and may also traverse through the provided options to determine what configuration options were specified to affect the LoginModule’s behavior. It may save option values in variables for future use.

process() The process method is called to authenticate a Subject. This method implementation should perform the actual authentication. For example, it may cause prompting for a user name and password, and then attempt to verify the password against a password database. If your LoginModule requires some form of user interaction (retrieving a user name and password, for example), it should not do so directly. That is because there are various ways of communicating with a user, and it is desirable for LoginModules to remain independent of the different types of user interaction. Rather, the LoginModule’s process method should invoke the handle method of the CallbackHandler passed to this method to perform the user interaction and set appropriate results, such as the user name and password and the AMLoginModule internally passes the GUI an array of appropriate Callbacks, for example a NameCallback for the user name and a PasswordCallback for the password, and the GUI performs the requested user interaction and sets appropriate values in the Callbacks.

Consider the following points while writing the process() method:

• Perform the authentication. If Authentication succeeded, save the principal who has successfully authenticated.

• Return -1 if authentication succeeds, or throw a LoginException such as AuthLoginException if authentication fails or return relevant state specified in module configuration XML file

• If multiple states are available to the user, the Callback array from a previous state may be retrieved by using the getCallbak(int state) methods. The underlying login module keeps the Callback[] from the previous states until the login process is completed.

• If a module writer needs to substitute dynamic text in next state, the writer could use the getCallback() method to get the Callback[] for the next state, modify the output text or prompt, then call replaceCallback() to update the Callback array. This allows a module writer to dynamically generate challenges, passwords or user IDs. Each authentication session will create a new instance of your Login Module Java class. The reference to the class will be released once the authentication session has either succeeded or failed. It is important to note that any static data or reference to any static data in your Login module must be thread-safe.

getPrincipal() This method should be called once at the end of a successful authentication session. A login session is deemed successful when all pages in the Module properties XML file have been sent and the module has not thrown an exception. The method retrieves the authenticated token string that the authenticated user will be known by in the Access Manager environment.

If the custom authentication module requires or already uses a service configuration XML file:

• The XML file should contain attribute schema for one of the following attributes: iplanet-am-auth-authModuleName-auth-level or lsunAMAuthauthModuleNameAuthLevel

• The module Java file should invoke the following method in the init method implementation: public boolean setAuthLevel(int auth_level)

Compiling and Deploying the LoginModule program

If you are writing your own Custom Authentication module based on the AMLoginModule SPI or a pure JAAS module, then you can skip this step. Otherwise, after writing the sample Login Module, compile and deploy the sample found under AccessManager-base/samples/authentication/spi/providers.

To compile the Login Module

1. Set the following environment variables.

   These variables will be used to run the gmake command. You can also set these variables in the Makefile. This Makefile is in the following directory: AccessManager-base /samples/authentication/spi/providers.

   JAVA_HOME: Set this variable to your installation of JDK. The JDK should be version 1.3.1_06 or higher.

   CLASSPATH: Set this variable to refer to am_services.jar which can be found in the Idetnity_base/lib directory. Include jaas.jar in your classpath if you are using JDK version less than JDK1.4

   BASE_DIR: Set this variable to the directory where the Access Manager is installed.

   BASE_CLASS_DIR: Set this variable to the directory where all the Sample compiled classes are located.

   JAR_DIR: Set this variable to the directory where the JAR files of the Sample compiled classes will be created.

2. In the AccessManager-base/samples/authentication/spi/providers directory, run gmake.

To Deploy the Login Module Sample Program

1. Copy LoginModuleSample.jar from JAR_DIR to AccessManager-base/web-src/services/WEB-INF/lib .

2. Copy LoginModuleSample.xml from AccessManager-base /samples/authentication/spi/providers to AccessManager-base /web-src/services/config/auth/default .

3. Redeploy the amserver.war file.

To Redeploy the amserver.war File

1. In AccessManager-base/bin/amsamplesilent, set Deploy Level variable as follows:

   DEPLOY_LEVEL=21

2. In AccessManager-base/bin/amsamplesilent, set container-related environment variables.

   • On Sun Java System Web Server 6.1, where /amserver is the default DEPLOY_URI:

     SERVER_HOST=WebServer-hostName
     SERVER_PORT=WebServer-portNumber
     SERVER_PROTOCOL=[http | https]
     SERVER_DEPLOY_URI=/amserver
     WEB_CONTAINER=WS6
     WS61_INSTANCE=https-$SERVER_HOST
     WS61_HOME= WebServer-base-directory
     WS61_PROTOCOL=$SERVER_PROTOCOL
     WS61_HOST=$SERVER_HOST
     WS61_PORT=$SERVER_PORT
     WS61_ADMINPORT=WebServer-adminPortWS61_ADMIN=WebServer-adminUserName
     

   • On Sun Java System Application Server 7.0, where /amserver is the default DEPLOY_URI:

     SERVER_HOST=ApplicationServer-hostName
     SERVER_PORT=ApplicationServer-portNumber
     SERVER_PROTOCOL=[http | https]
     SERVER_DEPLOY_URI=/amserver
     WEB_CONTAINER=AS7
     AS70_HOME=/opt/SUNWappserver7
     AS70_PROTOCOL=$SERVER_PROTOCOL
     AS70_HOST=$SERVER_HOST
     AS70_PORT=$SERVER_PORT
     AS70_ADMINPORT=4848
     AS70_ADMIN=admin
     AS70_ADMINPASSWD=ApplicationServer-adminPassword
     AS70_INSTANCE=server1
     AS70_DOMAIN=domain1
     AS70_INSTANCE_DIR=/var/opt/SUNWappserver7/domains/
       ${AS70_DOMAIN:-domain1}/${AS70_INSTANCE:-server1}
     AS70_DOCS_DIR=/var/opt/SUNWappserver7/domains/${AS70_DOMAIN:-domain1}/
       ${AS70_INSTANCE:-server1}/docroot
     #If Application Server is SSL Enabled then set the following:
     #AS70_IS_SECURE=true
     #SSL_PASSWORD=SSLpassword
     

   • On other supported platforms:

     Set platform-specific variables as is appropriate for the container.

3. Redeploy the services web application by running the following command:

   AccessManager-base/bin/amconfig -s
     AccessManager-base/bin/amsamplesilent
   

4. Restart the container instance.

   • Web Server example:

     /WebServer-base-directory/
       https-WebServer-instanceName/restart
     

   • Application Server example:

     /var/opt/SUNWappserver7/domains/${AS70_DOMAIN:-domain1}/
       ${AS70_INSTANCE:-server1}/bin/restartserv
     

Loading the Login Module Sample into Access Manager

Once you’ve compiled and deployed the login module, you must load the login module into Access Manager. You can load the login module by using either the Access Manager administration console, or by using the amadmin command.

To Load the Login Module Using the Administration Console

1. Login to Access Manager Console as amadmin, using the URL:

   http://host.domain:port/Console-Deploy-URL

2. Click Configuration.

3. In the Configuration tab, under Authentication, click Core.

4. Add class file name com.iplanet.am.samples.authentication.spi.providers. LoginModuleSample to the Pluggable Authentication Modules Classes list.

5. Click Save.

To Load the Login Module Using the Command Line

1. Write a sample XML file as shown in To Load the Login Module Using the Command Line, which will add the LoginModuleSample authentication module entry into the allowed modules and an authenticators list.

   <!-- Copyright (c) 2003 Sun Microsystems, Inc. All rights reserved Use is subject to license terms. --> <!DOCTYPE Requests PUBLIC "-//iPlanet//iDSAME 5.0 Admin CLI DTD//EN" "jar://com/iplanet/am/admin/cli/amAdmin.dtd" > <Requests> <SchemaRequests serviceName="iPlanetAMAuthService" SchemaType="Global"> <AddDefaultValues> <AttributeValuePair> <Attribute name="iplanet-am-auth-authenticators"/> <Value>com.iplanet.am.samples.authentication.spi.providers. LoginModuleSample</Value> </AttributeValuePair> </AddDefaultValues> </SchemaRequests> </Requests>

2. Use amadmin to load sample.xml:

   <AMADMIN> --runasdn uid=amAdmin,ou=People,<root_suffix> --password <password> --data sample.xml

   Solaris Sparc/x86: AMADMIN = <PRODUCT_DIR>/bin/amadmin

   On W2K: AMADMIN = <PRODUCT_DIR>\\bin\\amadmin

Running the LoginModule Sample Program

This sections provides instructions for running the login module on Solaris and on Windows platforms.

To Run the LoginModule on Solaris

1. Use the following URL to log in to Access Manager console as amAdmin:

   http://host.domain:port/Console-Deploy-URI

2. Click Identity Management, and in the Identity Management view select your organization.

3. From the View menu, select Services.

4. In the navigation frame, under Authentication, click Core.

5. SelectLoginModuleSample to add it to the list of highlighted modules in Organization Authentication Modules.

   Make sure LDAP module is also selected. If not selected, you will not be able to login to Access Manager Console. You can use Control + mouse click to add additional modules.

6. Click Save.

7. Log out.

8. Enter the following URL:

   http://host.domain:port/Service-Deploy-URI/UI/Login?module=LoginModuleSample

   If you choose to use an organization other than the default, be sure to specify that in the URL using the org parameter.

To Run the Login Module on Windows 2000

1. Set the following environment variables. These variables will be used to run the make command. You can also set these variables in the Makefile.

   This Makefile is in the same directory as the Login Module Sample program files: AccessManager-base\samples\authentication\spi\providers

   JAVA_HOME: Set this variable to your installation of JDK. The JDK should be version 1.3.1_06 or higher.

   BASE: Set this variable to base-directory

   CLASSPATH: Set this variable to refer to am_services.jar which can be found in the base-directory\lib directory. Include jaas.jar in your classpath if you are using JDK version less than JDK1.4

   BASE_CLASS_DIR: Set this variable to the directory where all the Sample compiled classes are located.

   JAR_DIR: Set this variable to the directory where the JAR files of the Sample compiled classes will be created.

2. In the base-directory\samples\authentication\spi\providers directory, run the make command.

To Deploy the Login Module

1. Copy LoginModuleSample.jar from JAR_DIR to AccessManager-base\web-src\services\WEB-INF\lib

2. In the Web Container from which this sample has to run, update the classpath with LoginModuleSample.jar.

3. Update server.xml with the new classpath and server.xml locations:

   • Sun Java System Web Server : <WS-install-dir>\https-<WS-instance-name>\config\server.xml

   • Sun Java System Application Server: <AS-install-dir>\domain<appserver domain><appserver_instance>\config\server.xml

     Example:<AS-install-dir>\domain\domain1\server1\config\server.xml

4. Copy LoginModuleSample.xml from base-directory \samples\authentication\spi\providers to base-directory\web-src\services\config\auth\default.

5. Restart the web container

   Web Server: <WS-home-dir>\https-<WS-instance-name>\restart

   Application Server: AppServer-home-dir>\domains\<domain name><server_instance>\bin\restartserv

Implementing Authentication PostProcessing SPI

The Authentication SPI includes the AMPostAuthProcessInterface which can be implemented for post-processing tasks. The AMPostProcessInterface Javadoc are available at:

AccessManager-base/SUNWam/docs/com/sun/identity/authentication/spi/ AMPostAuthProcessInterface.html

The SPI is configurable at the organization, service and role levels. The Authentication Service invokes the post processing SPI methods on successful or failed authentication and on logout.

About the PostProcessing SPI Sample

<PRODUCT_DIR> or AccessManager-base directory on different Platforms:

• Solaris Sparc/x86: AccessManager-base/SUNWam

• Linux: AccessManager-base/sun/identity

To Compile the ISAuthPostProcessSample Program on Solaris Sparc/x86 or Linux

Follow these steps given below to compile the sample found under AccessManager-base/samples/authentication/spi/postprocess.

1. Set the following environment variables.

   JAVA_HOME: Set this variable to your installation of JDK. The JDK should be version 1.3.1_06 or higher.

   CLASSPATH: Set this variable to refer to am_services.jar which can be found in the AccessManager-base/lib directory. Include jaas.jar in your classpath if you are using JDK version lower than JDK1.4

   BASE_DIR: Set this variable to the directory where Access Manager is installed.

   BASE_CLASS_DIR: Set this variable to the directory where all the Sample compiled classes are located.

   JAR_DIR: Set this variable to the directory where the JAR files of the Sample compiled classes will be created.

   These variables will be used to run the gmake command. You can also set these variables in the Makefile. This Makefile is in the following directory: AccessManager-base/samples/authentication/spi/postprocess.

2. In the directory AccessManager-base /samples/authentication/spi/postprocess, run the gmake command.

To Deploy the ISAuthPostProcess Sample Program

1. Copy ISAuthPostProcess.jar from JAR_DIR to AccessManager-base/lib.

2. Update the Web Container configuration file server.xml.

   Add ISAuthPostProcessSample.jar to the classpath. The server.xml file for different web containers can be found at the following locations:

   Web Server: <WS-home-dir>/https-<WS-instance-name>/config/

   Application Server:<AS-home-dir>/domain/domain1/server1/config/

   For all other web containers consult, the manufacturer’s documentation.

3. Restart the web container.

   Web Server: <WS-home-dir>/https-<WS-instance-name>/restart

   Application Server: <AS-install-dir>/<domains>/<domain name>/<server instance>/bin/restartserv Example: /<AS-home-dir>/domains/domain1/server1/bin/restartserv

   For all other web containers consult their documentation.

Configuring the Authentication Post Processing SPI

The Authentication PostProcessing Sample can be configured at the Organization, Service or Role level.

To Configure ISAuthPostProcess Sample for an Organization

1. Log in to Access Manager console as amAdmin. Use the following URL:

   http://host.domain:port/Console-Deploy-URI

2. Click Identity Management, and select your organization.

3. From the View menu, click Services.

4. In the navigation frame, under Authentication, click Core.

5. Add the following to the Authentication PostProcessing Class attribute:

   com.iplanet.am.samples.authentication.spi.postprocess

6. Add the following to the Authentication PostProcessing Class attribute:

   ISAuthPostProcessSample

7. Click Save.

8. Log out.

9. Go to the following URL

   If you choose to use an organization other than the default, be sure to specify that in the URL using the org parameter.

   The postprocessing SPI will be executed on successful authentication, on failed authentication, and on Logout.

To Configure the ISAuthPostProcess Sample for a Service

1. Log in to Access Manager console as amAdmin. Use the following URL:

   http://<host>.<domain>:<port>/<Console-Deploy-URI>

2. Click Identity Management, and select your organization.

3. From the View menu, select Services.

4. Select Authentication Configuration

5. From the Service Instance frame, select New Instance.

6. Enter a name for the service.

7. Add the following to the Authentication PostProcessing Class attribute: com.iplanet.am.samples.authentication.spi.postprocess. ISAuthPostProcessSampl

8. Click Submit to save the changes.

9. Click Service Name and define the Authentication Configuration for the new service.

10. Log out.

11. Go to the following URL: http://host.domain:port/Service-Deploy-URI/UI/Login?service=servicename

    If you choose to use an organization other than the default, be sure to specify that in the URL using the org parameter.

    The postprocessing SPI will get executed on successful authentication, failed authentication and on Logout for the service accessed.

To Configure ISAuthPostProcess Sample for a Role

1. Log in to Access Manager console as amAdmin. Use the following URL:

   http://host.domain:port/Console-Deploy-URI

2. Click the Identity Management tab, and select your organization.

3. From the View menu, select Roles to view the role properties.

4. From the View menu, select Services.

5. Click Edit to edit the authentication configuration.

6. Add the following to the Authentication post Processing Class attribute:

   com.iplanet.am.samples.authentication.spi.postprocess. ISAuthPostProcessSample

7. Click Submit to save the changes.

8. Log out.

9. Go to the following URL:

   http://host.domain:port/Service-Deploy-URI/UI/Login?role=roleName

   If you choose to use an organization other than the default, be sure to specify that in the URL using the org parameter. Example: org=orgName

   The postprocessing SPI will be executed for the service accessed on successful authentication, on failed authentication, and on Logout.

Compiling On Windows 2000

Go to the base-directory\samples\authentication\spi\postprocess directory and run the make command.

To Deploy the ISAuthPostProcessSample Program

1. Copy ISAuthPostProcess.jar from JAR_DIR to base-directory\lib

2. In the Web Container from which this sample has to run, update the classpath with ISAuthPostProcess.jar.

3. Restart Access Manager.

   base-directory\bin\amserver start

To Configure Authentication Post Processing SPI

This sample can be can be set in the Core Authentication Service for Organization and Authentication Configuration Service for Role OR Service.

See the section Configuring the Authentication Post Processing SPI.

Generating an Authentication User ID

This file explains how to compile, deploy and configure the Authentication User ID Generation SPI Sample.

• To Compile the UserIDGeneratorSample on Solaris Sparc/x86, Linux

• To Deploy the UserIDGeneratorSample Program

• Configuring the UserIDGeneratorSample Program

• Compiling the UserIDGeneratorSample Program on Windows 2000

In the following sections, the PRODUCT_DIR setting depends on which platform you’re using:

Solaris Sparc/x86: PRODUCT_DIR = <install_root>/SUNWam

Linux: PRODUCT_DIR = <install_root>/sun/identity

To Compile the UserIDGeneratorSample on Solaris Sparc/x86, Linux

The sample is located in the following directory:

AccessManager-base/samples/authentication/spi/genuid

1. Set the following environment variables.

   These variables will be used to run the gmake command. You can also set these variables in the Makefile which is located in the following directory:

   AccessManager-base/samples/authentication/spi/genuid

   JAVA_HOME: Set this variable to your installation of JDK. The JDK should be version 1.3.1_06 or higher.

   CLASSPATH: Set this variable to refer to am_services.jar which can be found in the <PRODUCT_DIR>/lib directory. Include jaas.jar in your classpath if you are using JDK version less than JDK1.4.

   BASE_DIR: Set this variable to the directory where the Access Manager is installed.

   BASE_CLASS_DIR: Set this variable to the directory where all the Sample compiled classes are located.

   JAR_DIR: Set this variable to the directory where the JAR files of the Sample compiled classes will be created.

2. In the directory AccessManager-base /samples/authentication/spi/genuid, run the gmake command:

To Deploy the UserIDGeneratorSample Program

1. Copy UserIDGeneratorSample.jar from JAR_DIR to AccessManager-base/lib.

2. in the Web Container from which this sample has to run, update the classpath with UserIDGeneratorSample.jar.

   • On Sun ONE Web Server, go to server instance configurationdirectory:

     <WS-home-dir>/https-<WS-instance-name>/config/

   • On Sun ONE Application Server, in the directory <AS-home-dir>/domain/domain1/server1/config/ update server.xml with the new classpath.

   • For all other containers, consult the documentation that came with the product.

3. Restart web container.<WS-home-dir>/https-<WS-instance-name>/start

   <AS-home-dir>/domains/domain1/server1/bin/start

Configuring the UserIDGeneratorSample Program

The Authentication User ID Generation Sample can be configured at the Organization level, and then used or invoked by the out-of-box Membership/Self- registration authentication module.

To Configure UserIDGeneratorSample for an Organization

1. Log in to Access Manager console as amAdmin. Use the following URL:

   http://host.domain:port/Console-Deploy-URI

2. Click the Identity Management tab, and select your organization.

3. From the View menu, select Services.

4. In the navigation frame, under Authentication, click Core.

5. Add the following to the Pluggable User Name Generator Class attribute: com.iplanet.am.samples.authentication.spi.genuid. UserIDGeneratorSample

6. Click Save to save the changes.

7. Log out.

To Access an Authentication Module for an Organization

This module is the one which invokes the UserIDGenerator SPI implementation class. By default, only the Membership/Self-registration authentication module calls this SPI implementation.

1. Make sure that you have registered and enabled the Membership authentication module, and that you have created a template for the organization.

2. Enter the following URL:

   http://host.domain:port/Service-Deploy-URI/UI/Login?module=Membership

   If you choose to use an organization other than the default, be sure to specify that in the URL using the org parameter. Example: org=orgName

3. Click New User.

   You should be able to register any existing username or user ID.

   The UserIDGeneratorSample will be executed. You will be presented with the generated User IDs choice menu to choose any one username or user ID.

Compiling the UserIDGeneratorSample Program on Windows 2000

In the <install-root>\samples\authentication\spi\genuid directory, run the make command.

To deploy the UserIDGeneratorSample Program

1. Copy UserIDGeneratorSample.jar from JAR_DIR to <install-root>\\lib

2. In the Web Container from which this sample has to run, update the classpath with UserIDGeneratorSample.jar.

3. Restart Access Manager.

   <install-root>\bin\amserver start

To Configure the UserIDGeneratorSample Program

Configuring the program on Windows 2000 is similar to configuring the program on Solaris. See Configuring the Authentication Post Processing SPI.

Implementing A Pure JAAS Module

A sample program demonstrates how to write pure a JAAS module to replay callbacks by authenticating using Access Manager Authentication Client API. It will authenticate a user by replaying the callbacks required by Access Manager the Authentication Module. You can modify this program to use other existing or customized Access Manager Authentication modules. This sample module can be plugged in into any standard JAAS framework using the JAAS API.

For detailed information on JAAS, see the Sun Developer Documentation at the following URL:http://java.sun.com/products/jaas/. For detailed information on how to write a JAAS module, see the JAAS LoginModule Developer’s Guide at the following URL:

http://java.sun.com/j2se/1.4.2/docs/guide/security/
				jaas/JAASLMDevGuide.html

Conventions Used in the Samples

To Run the Sample on Solaris Sparc x86 or Linux:

1. In the Makefile, set the following variables:

   BASE: Enter the path to the directory where Access manager is installed.

   JAVA_HOME: Enter the path to the directory where Java compiler is installed

   CONFIG: Enter the entry specified in the login configuration file. This entry will be used to do the user authentication

2. Copy AMConfig.properties from Access Manager server installation machine location <CONFIG_DIR> to the client machine where the sample will be run.

3. On the client machine, be sure the following are in your classpath:

   • am_services.jar

   • jaas.jar

   • jss3.jar

   • AMConfig.properties

     Include jaas.jar in your classpath if you are using a JDK version less than JDK1.4

4. A sample configuration file purejaassample.config is provided for testing this sample.

   The file contains only one entry named Sample. Sample is the name to be entered for CONFIG in the Makefile:

   Sample { PureJAASSampleLoginModule required ORG_NAME="dc=iplanet,dc=com" INDEX_NAME="LDAP" debug=true; };

   The entry specifies that the LoginModule to be used to do the user authentication is the PureJAASSampleLoginModule and that this SampleLoginModule must succeed in order for authentication to be considered successful. It passes options with ORG_NAME as the organization name and INDEX_NAME as the Access Manager authentication module to which this sample must authenticate.

   If you must use a different login configuration, modify the Makefile. For example, change the following:

   -Djava.security.auth.login.config=purejaassample.config

   to this:

   -Djava.security.auth.login.config=your_jaas_config_file.config
   

5. To compile, run the gmake command.

6. To run the sample program run the gmake run command.

To Enable SSL

1. In the sample client program, add this JVM property:

   -D "java.protocol.handler.pkgs=com.iplanet.services.comm"

2. In the AMConfig.properties file, edit the following properties:

   com.iplanet.am.admin.cli.certdb.dir: <PRODUCT_DIR>/servers/alias

   com.iplanet.am.admin.cli.certdb.prefix: https-machine1.com-machine1-

   com.iplanet.am.server.protocol: https

   com.iplanet.am.server.port: Enter the appropriate port on the server machine where machine1 is the host name of the server

To Run the Sample on Windows 2000

1. In make.bat, set the following properties:

   BASE: Enter the path to the directory where Access manager is installed

   JAVA_HOME: Enter the path to the directory where the Java compiler is installed.

   CONFIG: Enter the entry which will be used for user authentication. This entry is specified in the login configuration file.

2. Copy AMConfig.properties from Access Manager server installation machine location <CONFIG_DIR> to the client machine where this sample will be run.

3. On the client machine, make sure the following are in your classpath:

   • am_services.jar

   • jaas.jar

   • jss3.jar

   • AMConfig.properties

     Include jaas.jar in your classpath if you are using JDK version less than JDK1.4.

4. A sample configuration file purejaassample.config is provided for testing this sample.

   The file contains only one entry named.Sample. Sample is the name to be entered for CONFIG in the Makefile.

   Sample { PureJAASSampleLoginModule required ORG_NAME="dc=iplanet,dc=com" INDEX_NAME="LDAP" debug=true; };

   The entry specifies that the LoginModule to be used to do the user authentication is the PureJAASSampleLoginModule. SampleLoginModule is must succeed in order for authentication to be considered successful. It passes options with ORG_NAME as the organization name and INDEX_NAME as the Access Manager authentication module to which this sample has to authenticate.

   If you must use a different login configuration, modify the Makefile. For example, change the following:

   -Djava.security.auth.login.config=purejaassample.config

   to this:

   -Djava.security.auth.login.config=your_jaas_config_file.config
   

5. To compile, run the make command.

6. To run the sample program, run the make run command.

To Enable SSL

1. In the sample client program, add this JVM property:

   -D "java.protocol.handler.pkgs=com.iplanet.services.comm"

2. Edit the following properties in the AMConfig.properties file:

   com.iplanet.am.admin.cli.certdb.dir: <install-dir>\SUN\IdentityServer6\Servers\alias

   com.iplanet.am.admin.cli.certdb.prefix:https-machine1.red.iplanet.com-machine1-

   com.iplanet.am.server.protocol: https

   com.iplanet.am.server.port: Enter the appropriate port on the server machine where machine1 is the host name of the server

   For the detailed information, see the Javadoc for Remote Client APIs. By default, Access Manager Javadoc is installed in the following directory:

   AccessManager-base/SUNWam/docs

   For the detailed information on how to plug the Login Module into the standard JAAS Context, see the JAAS Reference Guide at the following URL:

   http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html