Identity authentication is based on RFC 4475 and JSR 289. Using identity authentication in a SIP or converged web/SIP application involves the following tasks:
Identity authentication uses a realm of class jdbcRealm, with one difference: the JAAS context value is set to assertedRealm. See How to Configure a Realm.
To configure a SIP or converged web/SIP application for identity authentication, specify the security-role, security-constraint, and login-config elements in the sip.xml file.
Part of specifying a security-constraint element is specifying one or more resource-collection subelements. In turn, resource-collection elements have optional sip-method subelements, which specify the SIP methods on those resources within a servlet application to which a security-constraint applies. If no SIP methods are specified, then the security constraint applies to all SIP methods.
The login-config element is the only one that has values unique to identity authentication. As specified in JSR 289, identity authentication is available in two modes: REQUIRED or SUPPORTED. In the REQUIRED mode, the identity header must be present in the request. In the SUPPORTED mode, incoming SIP messages are processed as follows:
If the identity header is present, it is processed.
If the identity header is not present, the authentication method configured in the auth-method element is applied.
Here is an example login-config with no auth-method or realm-name defined:
<login-config>
  <identity-assertion>
    <identity-assertion-scheme>Identity</identity-assertion-scheme>
    <identity-assertion-support>REQUIRED</identity-assertion-support>
  </identity-assertion>
</login-config>
Here is an example login-config with the auth-method and realm-name defined:
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>MyAssertedAppRealm</realm-name>
  <identity-assertion>
    <identity-assertion-scheme>Identity</identity-assertion-scheme>
    <identity-assertion-support>SUPPORTED</identity-assertion-support>
  </identity-assertion>
</login-config>
For more information, see JSR 116, the SIP Servlet API Specification.
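The following added example (not part of the original documentation) models the descriptor rules above in Python: which SIP methods a security-constraint covers, and what the login-config implies for a request with or without an identity header. The sample sip.xml is constructed, its servlet, resource and role names are hypothetical, the returned labels are this sketch's own rather than container output, and servlet-name matching is ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor; servlet, resource and role names are hypothetical.
SIP_XML = """
<sip-app>
  <security-constraint>
    <resource-collection>
      <resource-name>Registration</resource-name>
      <servlet-name>RegistrarServlet</servlet-name>
      <sip-method>REGISTER</sip-method>
    </resource-collection>
    <auth-constraint><role-name>subscriber</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>subscriber</role-name></security-role>
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>MyAssertedAppRealm</realm-name>
    <identity-assertion>
      <identity-assertion-scheme>Identity</identity-assertion-scheme>
      <identity-assertion-support>SUPPORTED</identity-assertion-support>
    </identity-assertion>
  </login-config>
</sip-app>
"""

def decide(sip_xml, method, has_identity_header):
    """Model how a request is handled under the rules described above."""
    root = ET.fromstring(sip_xml)
    for el in root.iter():                      # tolerate a namespaced descriptor
        el.tag = el.tag.rsplit("}", 1)[-1]
    constrained = False
    for rc in root.iter("resource-collection"):
        methods = [(m.text or "").strip() for m in rc.findall("sip-method")]
        # No sip-method listed: the constraint applies to all SIP methods.
        if not methods or method in methods:
            constrained = True
    if not constrained:
        return "no-constraint"
    base = "login-config/identity-assertion/"
    mode = root.findtext(base + "identity-assertion-support", "").strip()
    fallback = root.findtext("login-config/auth-method", "").strip()
    if has_identity_header and mode in ("REQUIRED", "SUPPORTED"):
        return "verify-identity-header"
    if mode == "REQUIRED":
        return "missing-required-identity"
    return "fallback:" + fallback if fallback else "no-fallback-configured"
```

A result of no-fallback-configured marks a SUPPORTED descriptor that names no auth-method for requests arriving without the identity header, which is worth reviewing before deployment.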
Set the trust-auth-realm-ref property in the sun-sip.xml file. This property refers to the jdbcRealm that has assertedRealm as its JAAS context value. See Configuring a Realm for Identity Authentication.
For example:
<sun-sip-app>
  ...
  <property name="trust-auth-realm-ref" value="MyAssertedAppRealm" />
</sun-sip-app>
To complete the configuration of identity authentication, add the root certificate (Certificate Authority) of the public key used in the identity message to the cacerts.jks file. For more information, see the keytool command description at http://java.sun.com/javase/6/docs/technotes/tools/solaris/keytool.html.