This section describes tasks you must perform after installing the Web Server SSM. This SSM supports Microsoft IIS and Apache Web Server.
The following tasks are described:
The Web Server SSM uses the Web Service SSM. Before performing the tasks described in this chapter, you must configure the Web Service SSM as described in Configuring SSMs Using ConfigTool.
To create a Web Server SSM instance:
- Select <Type of Security Service Module> > Create New Instance, or change to the BEA_HOME/ales30-ssm/<ssm-type>/adm directory and enter: instancewizard.sh
- If you are not using X-windows, use a console based installer.
Notes:
- Make sure the Apache Web Server SSM instance belongs to the asiusers group. This gives the Administration Server the permissions required to access the Apache Web Server SSM instance and deploy the security policy and the security configuration.
- The IIS Web Server SSM registry key is HKEY_LOCAL_MACHINE\SOFTWARE\BEA Systems\ALES\IIS Module\3.0.
Enrollment is the process by which an ALES component such as an SCM or SSM registers with an Administration Server.
As part of this process, the SSM system exchanges security certificates with the associated ALES Administration Server.
You must have the Administration Server running prior to enrolling the Security Service Module.
Note: While you can use the demonstration digital certificate in a development environment, you should never use it in a production environment.
To enroll the Security Service Module:
- Change to the /adm directory: BEA_HOME/ales30-ssm/<ssm-type>/instance/instancename/adm, where instancename is the name you assigned to the instance when you created it.
- Enter the admin username and password. This is the username and password of the Security Administrator doing the enrollment (if you used the default values and have not yet changed them, the default username is system and the password is weblogic).
- The enrollment uses the following keystores:
  - ssl\identity.jks keystore. This keystore contains the identities for all the components you are enrolling.
  - ssl\peer.jks keystore. This keystore contains the certificates of components with which this Security Service Module can communicate.
  - ssl\trust.jks keystore. This keystore contains the AquaLogic Enterprise Security CA certificate used for enrollment.
For more information on enrolltool utility options, see Administrative Utilities in the ALES Administration Reference.
To start an instance of the Web Service SSM on Windows:
To start an instance of the Web Service SSM on UNIX:
This section describes how to:
The Web Service SSM and the Web Server SSM are installed as a combo. The Web Service SSM instance you created on the remote system has a Configuration ID that will correspond to the SSM you create in the Administration Console. (The Web Server SSM does not have a Configuration ID.)
That is, in your ALES environment you will have two SSMs with the same Configuration ID: one (the instance) on the system where the SSM is installed, and a corresponding one on the Administration Server system.
In the Administration Console, create an SSM of type Java SSM 3.0, WS SSM 3.0. After you create the SSM, the Providers tab becomes active. The tab for a given provider type provides additional information. At a minimum you must have one authorization provider for each SSM.
Click the Providers tab and configure the desired providers.
The Web Server Environmental Binding configuration procedures vary depending on the type of Web Server SSM you are configuring. AquaLogic Enterprise Security supports two Web server SSMs that require configuration of the Web Server Environmental Binding: the Microsoft IIS Web Server SSM and the Apache Web Server SSM.
To configure the environmental binding for Microsoft IIS Web Server, perform the following tasks:
Note: This task assumes you have created an instance of the IIS Web Server SSM.
The IIS Web Server Binding plug-in file is named wles_isapi.dll. This file is located in the BEA_HOME\ales30-ssm\iis-ssm\lib directory.
To configure the Microsoft IIS Web Binding plug-in, perform the following steps:
- Select the wles_isapi.dll file (which is located in the BEA_HOME\ales30-ssm\iis-ssm\lib directory), and click OK.
- Grant Read and Read/Execute permissions on the following directories:
  BEA_HOME\ales30-ssm\iis-ssm\lib
  BEA_HOME\ales30-ssm\iis-ssm\instance\iisssmdemo\ssl
  BEA_HOME\ales30-ssm\iis-ssm\instance\iisssmdemo\config
- If you place the NamePasswordForm.acc file in a virtual directory, repeat the previous step for the virtual directory as well.
- Add the wles_isapi.dll file to the Executable field, fill in the other fields as shown in Figure 5-5, and click OK.
- Select the wles_isapi.dll file again and start the IIS Web Server.
Note: Be sure to start the IIS Web server with IIS SSM after you have started the Web Service SSM and ARME.
Configure the NamePasswordForm.acc file for the IIS Web Server as follows:
<FORM METHOD=POST ACTION="test/NamePasswordForm.acc">
To set up the sample web application, perform the following steps:
Note: The Web Service SSM must be started before you perform this task because the filter and extension attempt to connect to the Web Service SSM when they are loaded by the Web server.
- Create the IIS Server/wwwroot/test directory as shown in Figure 5-6 and copy the following files to the test directory: NamePasswordForm.acc, foo.html, atnfailure.html, atzfailure.html
Note: The NamePasswordForm.acc file is provided in the BEA_HOME\ales30-ssm\iis-ssm\instance\<instancename>\templates directory. The foo.html, atnfailure.html and atzfailure.html files are not provided in the product installation kit. You should use your own versions of these files.
- Access http://<machine_name_with DNS_suffix>:80/test/foo.html. The NamePasswordForm.acc login form is displayed; after successful authentication and authorization, foo.html is displayed.
To configure the Apache Web Server, perform the following tasks:
To download and install the Apache Web Server software, perform the following steps:
- Make sure the following two modules are present:
  ServerRoot/modules/mod_include.so
  ServerRoot/modules/mod_ssl.so
  where ServerRoot is the Apache installation directory.
Note: The Apache Web Server Security Service Module (SSM) requires that the above two modules be included in the Apache installation; otherwise the Secure Sockets Layer (SSL) and the Security Assertion Markup Language (SAML) server-side include (SSI) related functions will not work.
Note: You may build your own 2.0.x version of the Apache Web Server with the above mentioned modules. If the modules are built into Apache, there may be no such files.
The ALES module contains only one file. For Windows, the file name is mod_wles.dll. For Sun Solaris and Linux, the file name is mod_wles.so.
To install and configure the ALES module:
- Open the ServerRoot/conf/httpd.conf file and add a LoadModule directive. There are several LoadModule directives in the LoadModule section of the httpd.conf file. Add the following line to the end of the LoadModule section:
  LoadModule wles_module <APACHE_SSM_HOME>/lib/mod_wles.so
  where <APACHE_SSM_HOME> is the Apache Web Server SSM installation directory. For example:
  LoadModule wles_module c:\bea\ales30-ssm\apache-ssm\lib\mod_wles.dll
  LoadModule wles_module /home/tiger/bea/ales30-ssm/apache-ssm/lib/mod_wles.so
- Add a WLESConfigDir directive right after the above LoadModule directive as follows:
  <IfModule mod_wles.cpp>
  WLESConfigDir <APACHE_SSM_HOME>/instance/<instance_name>/config
  </IfModule>
  where the config directory is the directory that contains the default.properties file.
Note: In the IfModule condition, be sure to specify mod_wles.cpp, not mod_wles.c.
- Set the ServerName. For example: ServerName www.yourservername.com:8080
- Set the Group directive so that the Apache Web Server runs as the asiusers group and can read the mod_wles file and other required files: Group asiusers
- Edit the envvars file in the ServerRoot/bin directory, appending the directory where mod_wles.so resides to the default LD_LIBRARY_PATH, so that the file looks like this: LD_LIBRARY_PATH="/www/apache/lib:$LD_LIBRARY_PATH:<APACHE_SSM_HOME>/lib"
Note: This step ensures that the Apache Web Server can load the dependency libraries for the mod_wles file.
- Use the apachectl script in the ServerRoot/bin directory to start or restart the Apache Web Server.
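As an added check (example code written for this page, not part of the ALES product), the following Python function scans an httpd.conf text for the directives the procedure above requires and reports what is missing or wrong, including the mod_wles.c versus mod_wles.cpp mistake the note warns about. The configuration it scans is a constructed sample, not a file shipped with the product.

```python
import re

# Constructed sample of the httpd.conf section the procedure edits (not the
# product's file). It deliberately uses the wrong IfModule name and group.
SAMPLE_HTTPD_CONF = """\
LoadModule include_module modules/mod_include.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule wles_module /home/tiger/bea/ales30-ssm/apache-ssm/lib/mod_wles.so
<IfModule mod_wles.c>
WLESConfigDir /home/tiger/bea/ales30-ssm/apache-ssm/instance/apachessm/config
</IfModule>
ServerName www.yourservername.com:8080
Group apache
"""

def check_wles_config(conf_text):
    """Return a list of findings for the ALES directives in an httpd.conf text."""
    findings = []
    lines = [l.strip() for l in conf_text.splitlines()
             if l.strip() and not l.strip().startswith("#")]
    # The SSM needs mod_include and mod_ssl present as well as mod_wles itself.
    for mod in ("mod_include", "mod_ssl", "mod_wles"):
        if not any(l.startswith("LoadModule") and mod in l for l in lines):
            findings.append(f"missing LoadModule for {mod}")
    # WLESConfigDir must sit inside <IfModule mod_wles.cpp>, not mod_wles.c.
    blocks = re.findall(r"<IfModule\s+(\S+)>(.*?)</IfModule>", conf_text, re.S)
    wles_blocks = [(name, body) for name, body in blocks if "WLESConfigDir" in body]
    if not wles_blocks:
        findings.append("WLESConfigDir must be set inside an <IfModule mod_wles.cpp> block")
    for name, _ in wles_blocks:
        if name != "mod_wles.cpp":
            findings.append(f"IfModule condition uses {name}; must be mod_wles.cpp")
    if not any(l.startswith("ServerName ") for l in lines):
        findings.append("ServerName not set")
    # Apache must run as the asiusers group to read mod_wles and the instance files.
    groups = [l.split()[1] for l in lines if l.startswith("Group ")]
    if groups != ["asiusers"]:
        findings.append("Group must be asiusers so Apache can read mod_wles")
    return findings

if __name__ == "__main__":
    for finding in check_wles_config(SAMPLE_HTTPD_CONF):
        print("FINDING:", finding)
```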
Configure the NamePasswordForm.html file for the Apache Web Server as follows:
<FORM METHOD=POST ACTION="/test/NamePasswordForm.html">
To set up the sample web application, perform the following steps:
- Create the Apache Server/wwwroot/test directory as shown in Figure 5-7 and copy the following files to the test directory: NamePasswordForm.html, foo.html, atnfailure.html, atzfailure.html
Note: The NamePasswordForm.html file is provided in the BEA_HOME\ales30-ssm\apache-ssm\instance\<instancename>\templates directory. The foo.html, atnfailure.html and atzfailure.html files are not provided in the product installation kit. You should use your own versions of these files.
- Access http://<hostmachine.cookiedomain>:8088/test/foo.html. The NamePasswordForm.html login form is displayed; after successful authentication and authorization, foo.html is displayed.
The Web Server SSM has a configuration file named default.properties. All configuration settings for the Web Server SSM instance are defined in this file. This file is pre-configured and placed in the proper location for you.
If you want to edit the default.properties file for your particular environment, refer to the parameter descriptions in the following sections:
The AquaLogic Enterprise Security services are stateless services; it is the calling Web Service client that is responsible for determining session related information. In addition, in a web environment, a session does not necessarily end with an explicit logout, so session termination must be inferred from a lack of activity.
Table 5-3 describes the settings used to manage session behavior. You use these settings to configure the Web server session related behavior for the security configuration to which it applies.
Table 5-4 describes the settings that you use to configure the Web server authentication behavior for the security configuration to which it applies. Also, for information on mapping JAAS Callbacks, see Mapping JAAS Callback Type to Form and Form Fields.
Table 5-5 describes the different types of authentication callbacks that are supported by the Web Server SSM.
There are two required and one optional configuration settings that specify what form and what field contain the information required to satisfy the authentication callbacks. The credential gathering form must use an HTTP POST
method to specify this information. Listing 5-1 shows an example of how to use the POST
method in the credential gathering form.
<FORM METHOD=POST ACTION="LoginNamePwdTextIn.html">
<!--#AUTHSTATE -->
<TABLE BGCOLOR="#C0C0C0"><TR><TD>
<TABLE BGCOLOR="#FFFFFF">
<TR><TD COLSPAN="2" BGCOLOR="#C0C0C0">Please Login</TD></TR>
<TR><TD COLSPAN="2">User Name </TD></TR>
<TR><TD><!--#PROMPT --></TD><TD><INPUT NAME="username"></TD></TR>
<TR><TD COLSPAN="2">Password </TD></TR>
<TR><TD><!--#PROMPT.1--></TD><TD><INPUT TYPE="PASSWORD" NAME="password"></TD></TR>
<TR><TD COLSPAN="2">Input Text </TD></TR>
<TR><TD><!--#PROMPT --></TD><TD><INPUT NAME="textinput"></TD></TR>
<TR><TD COLSPAN="2"> </TD></TR>
<TR><TD COLSPAN="2" ALIGN="CENTER"><INPUT TYPE="SUBMIT" VALUE="OK"></TD></TR>
</TABLE>
</TD></TR></TABLE>
</FORM>
The form field defines the HTTP POST
data name that results from a submitted form.
The settings have the following format:
authentication.<callback type>[<prompt>] = <field>:<form URL>
Given a question, this setting specifies what field on what form will answer that question. Notice that the <prompt>
is shown as optional. However, if there are multiple callbacks of the same type, the <prompt>
is required because there is no other way for the Web Server SSM to distinguish identical callback types. The <prompt>
is obtained from the callback by calling the getPrompt()
method, but it is not used in the display of the form. If the <prompt>
setting is missing, then the Web Server SSM attempts to answer the callbacks in the order of the settings. If the order does not match the order of the authentication providers, then authentication fails.
The supported callback types are: nameCallback, passwordCallback, textInputCallback, textOutputCallback.
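The following Python parser, added here as an example and not part of the product, reads authentication.<callback type>[<prompt>] = <field>:<form URL> lines from a default.properties text, rejects unsupported callback types, and flags the ambiguous case described above: more than one callback of the same type without a prompt. The properties fragment it parses is constructed.

```python
import re

SUPPORTED_CALLBACKS = {"nameCallback", "passwordCallback",
                       "textInputCallback", "textOutputCallback"}

# Constructed default.properties fragment (not the product's file): two
# nameCallback entries, one of them without the prompt that is then required.
SAMPLE_PROPERTIES = """\
authentication.nameCallback[User Name] = username:/test/NamePasswordForm.html
authentication.passwordCallback = password:/test/NamePasswordForm.html
authentication.textInputCallback = textinput:/test/LoginNamePwdTextIn.html
authentication.nameCallback = username2:/test/NamePasswordForm.html
authentication.bogusCallback = x:/test/NamePasswordForm.html
"""

# authentication.<callback type>[<prompt>] = <field>:<form URL>
SETTING_RE = re.compile(
    r"^authentication\.(?P<type>\w+)(?:\[(?P<prompt>[^\]]*)\])?\s*=\s*"
    r"(?P<field>[^:\s]+):(?P<form>\S+)\s*$")

def parse_authentication_settings(text):
    """Return (settings, problems) for the authentication.* lines in text.

    settings is a list of dicts (type, prompt, field, form) in file order;
    problems lists lines the Web Server SSM could not use unambiguously.
    """
    settings, problems = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("authentication."):
            continue  # comments, blank lines and other settings are ignored
        m = SETTING_RE.match(line)
        if m is None:
            problems.append(f"unparseable setting: {line}")
            continue
        s = m.groupdict()
        if s["type"] not in SUPPORTED_CALLBACKS:
            problems.append(f"unsupported callback type: {s['type']}")
            continue
        settings.append(s)
    # Without a prompt, two callbacks of the same type cannot be told apart; the
    # SSM then answers them in setting order, which fails if the provider order differs.
    by_type = {}
    for s in settings:
        by_type.setdefault(s["type"], []).append(s["prompt"])
    for ctype, prompts in by_type.items():
        if len(prompts) > 1 and any(p is None for p in prompts):
            problems.append(f"{ctype} appears {len(prompts)} times; every entry needs a [<prompt>]")
    return settings, problems
```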
Table 5-6 provides examples of callback usage and more information on each supported callback type.
Table 5-7 describes the settings that you use to configure the Web server role mapping behavior for the policy domain to which it applies.
Table 5-8 describes the settings that you use to configure the Web server credential mapping behavior for the policy domain to which it applies.
List of credential types to ask for in this policy domain. Only credentials that are mapped and that are supported by configured Credential Mapping provider are returned for a specific request. Therefore, asking for a credential does not guarantee that it is there. For example, to configure credential mapping to support the password for the database server, perform the following steps:
Table 5-9 describes the settings that you use to configure the Web Server SSM naming authority.
- Specifies the naming authority for the resource. The naming authority is configured in the Web Service SSM.
- Specifies the URL of the Web Services Registry Service.
Table 5-10 describes the settings that you use to configure the Web Server SSM naming authority.
The Web Server Security Service Module (SSM) tool kit enables you to access user environment variables using Common Gateway Interface (CGI).
Although security is embedded within the web server itself, requiring no special programming (if the user does not have access, your code will never run), a security administrator may want to use CGI to access and modify environment variables passed in by the Web Server Security Service Module. In order to customize the application according to the details of the security being enforced, a web application may access several environmental values in order to provide a more integrated user experience.
You can use CGI to access the following environment variables:
- ALES_IDENTITY — An authentication environment variable. It is available to a CGI programmer after a user successfully authenticates. This variable contains the username of the user, if available. It specifies the name of the HTTP header that will be added. The value of the variable is a list of the identity principals, including username and groups.
- ALES_DECISIONTIME — An authorization environment variable. It is available to a CGI programmer after a user is authorized to access a secure resource. It contains the date and time this authorization decision was rendered and has this format: "Monday June 23 15:14:21 EDT 2003"
- ALES_ROLES — A role environment variable that stores a list of roles calculated for the user.
- CRED — The default prefix for credential environment variables. Different credential types are handled differently, but the general format of the variable is: CRED_{NAME}={VALUE}
Password credentials conform to the format javax.resource.spi.security.PasswordCredential. The ManagedConnectionFactory element of this class is ignored. This credential type is rendered in the CGI environment as: