i-Planet Administration Guide

Chapter 7 Authentication

This chapter describes:

Authentication

Overview

When end users first access the i-Planet URL, they are presented with an HTML authentication page. If the i-Planet server is configured with multiple authentication modules, end users are presented with a menu of authentication types. If only one is configured, they are sent directly to that authentication page.

If end users fail authentication, they are directed to an authentication-failed page. This page does not tell the end user the specific reason that authentication failed (for example, whether the user ID or the password was wrong), so someone probing the login page learns nothing about which user IDs exist. The reason is recorded in the authentication log, which the i-Planet administrator (or the system administrator, if they are the same person) can view through the Administration Console.

After a successful authentication, end users are redirected to the i-Planet Desktop.

Authentication Modules

Several authentication modules are provided with i-Planet. These are UNIX/NIS, RADIUS, S/Key, SafeWord, and SecurID.

UNIX

The UNIX/NIS authentication module validates userid-password pairs. The system administrator can administer userids locally (through, for example, admintool) or through NIS.

If you are using UNIX user names and passwords (local file, NIS, or both) for authentication, then you, the system administrator, must make sure that the passwd: entry in the /etc/nsswitch.conf file is set up correctly, for example passwd: files nis to consult the local file first and then NIS.

RADIUS

The RADIUS module is a client implementation of Remote Authentication Dial In User Service (RFC 2138). The i-Planet administrator sets the RADIUS server or servers on the Authentication Parameters page of the Administration Console. You get to this page by clicking the Authentication link under the Servers section of the navigation frame of the Administration Console. Fill in the fields labelled Radius Server and Radius Server Alternate.

The RADIUS shared secret is always read from the file /etc/opt/SUNWstnr/platform.conf, which you edit manually; it cannot be set through the Administration Console. Because the secret is stored in clear text, restrict the file's permissions so that only the account that runs the i-Planet server can read it.

To Set the RADIUS shared secret
  1. Edit the file /etc/opt/SUNWstnr/platform.conf to set the line radius.secret= equal to the shared secret.
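
The following script is an added example, not part of i-Planet: it sets radius.secret= in a platform.conf without duplicating the key or disturbing other lines, then restricts the file to its owner because the secret is stored in clear. It assumes platform.conf is one key=value per line with # comments (the guide shows only the radius.secret= line); the sample file content is constructed and written to a temporary file so the example runs offline.

```python
"""Set radius.secret= in platform.conf and keep the file private.

Added example, not part of i-Planet. Assumptions: platform.conf is one key=value
per line with '#' comments, and the file may be rewritten in place and chmod'ed.
"""
import os
import stat
import tempfile

SECRET_KEY = "radius.secret"


def set_key(text, key, value):
    """Return text with key=value present exactly once; other lines unchanged."""
    if "\n" in value or "\r" in value:
        raise ValueError("value must be a single line")
    out, seen = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped.startswith("#") and stripped.split("=", 1)[0].strip() == key:
            if not seen:
                out.append("%s=%s" % (key, value))
                seen = True
            continue  # drop any duplicate definition of the key
        out.append(line)
    if not seen:
        out.append("%s=%s" % (key, value))
    return "\n".join(out) + "\n"


def get_key(text, key):
    """Value of key, or None if unset or empty (an empty radius.secret= is a misconfiguration)."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#") or "=" not in stripped:
            continue
        k, v = stripped.split("=", 1)
        if k.strip() == key:
            return v.strip() or None
    return None


def write_secret(path, secret):
    """Rewrite path with the secret set and make it owner-only; returns the value read back."""
    if not secret:
        raise ValueError("empty RADIUS shared secret")
    with open(path) as f:
        text = f.read()
    with open(path, "w") as f:
        f.write(set_key(text, SECRET_KEY, secret))
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # 0600: the secret is in clear text
    with open(path) as f:
        return get_key(f.read(), SECRET_KEY)


def is_private(path):
    """True when group and other have no permission bits on the file."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


# Constructed sample platform.conf; the real file has more settings than this.
SAMPLE_CONF = "# platform.conf (constructed sample)\nsomething.else=1\nradius.secret=\n"


def demo():
    """Write the sample to a temp file, set the secret, report (value, owner-only?)."""
    fd, path = tempfile.mkstemp(prefix="platform.conf.")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_CONF)
    try:
        value = write_secret(path, "S3cr3t-shared-with-radius")
        return value, is_private(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Run it against the real file as root only after backing the file up; get_key returning None is the case to look for when RADIUS authentication fails silently after an edit.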

If you want the end users to type in the RADIUS server along with user name and password, use the following procedure to modify the /etc/opt/SUNWstnr/Radius.properties file on the i-Planet server to add another field on the RADIUS Authentication Page for the i-Planet Desktop.

To Modify the Radius.properties File
  1. Add an additional input field for the RADIUS server on the RADIUS Authentication Page for the i-Planet Desktop by adding the following line to the end of the /etc/opt/SUNWstnr/Radius.properties file:


    TOKEN Radius Server:

    The resulting file looks like this:


    SCREEN
    
    TIMEOUT 60
    
    TEXT RADIUS Authentication
    
    TOKEN User Name:
    
    PASSWORD Password:
    
    TOKEN Radius Server:

  2. If you want end users to be able to type in the alternate RADIUS server, then just add another TOKEN.

    The i-Planet server must be able to resolve the RADIUS server host name or names specified.

S/Key

S/Key is the one-time password system developed by Bellcore. S/Key users must be valid UNIX/NIS users on the i-Planet server. The initial S/Key authentication screen prompts for the user's Unique UserID (UUID) and Personal Identification Number (PIN). If these are validated, then the user is prompted for the next expected one-time password. (This password is actually a six-word passphrase).

Before an end user attempts remote access for the first time, a list of S/Key one-time passwords must be generated for that end user.

For the System Administrator to Generate Passwords for Remote Users

You can generate passwords for end users with the following procedure.

To Generate Passwords for a Remote User
  1. Start the web browser that you want to use.

  2. Start the Administration Console

  3. Click the Generate S/KEY Passwords link in the Misc section in the navigation frame of the Administration Console.

  4. Follow the instructions in the administration frame of the Administration Console.

    When you generate the passwords on behalf of end users, give them the UUID and list of passwords and, separately, give them the PIN that you used. For security, the end users should keep this PIN separate from the UUID and the list of passwords.

For Users to Generate Their Own Passwords

End users can generate their own set of passwords over the intranet before they become remote so that they can use S/Key authentication. They can only use the following procedure over the intranet.

For Users to Generate Passwords

End users use this procedure to generate their own S/Key passwords over the intranet before they become remote.

  1. They start the web browser that they want to use.

  2. They type the following as the URL in the browser:

    http://i-Planet_server:default-port/cgi-bin/skey/skeylogin.cgi

    8080 is the default port for the i-Planet server.

Once they have remotely logged into the i-Planet system, end users can generate more one-time passwords by clicking the Generate S/KEY Passwords link on the i-Planet Desktop.


Note -

When end users generate more S/Key passwords, the new list of passwords supersedes the previously generated list, and the end users' UUID changes.


Removing the i-Planet software will delete all S/Key password information for the end users.


Note -

If an end user uses the last password and logs out before generating a new list of passwords, then a new list for that user can only be generated by one of the other two methods: by the administrator through the Administration Console, or by the end user over the intranet through skeylogin.cgi.
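
The hash chain behind the S/Key behaviour described above (a list that is consumed in order, a new list replacing the old one, and the last password leaving nothing to verify) is shown by the following added example. It is not i-Planet's or Bellcore's code: S/Key proper uses MD4 and prints each password as six words, whereas this uses the RFC 2289 MD5 form and hex output so that it runs with only hashlib. The seed, passphrase and list length are constructed sample values.

```python
"""Hash chain of the kind behind S/Key one-time passwords (RFC 2289 'otp-md5' form).

Added example, not i-Planet's or Bellcore's code. S/Key itself uses MD4 and six-word
encoding; MD5 and hex are used here so only hashlib is needed. The mechanics that
matter for the guide are unchanged: the server stores one hash, checks a password
by hashing it once, and has nothing left to check once the last password is used.
"""
import hashlib


def chain_step(block):
    """One link of the chain: MD5 the input, fold the 16-byte digest to 8 bytes by XOR."""
    d = hashlib.md5(block).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(seed, passphrase, n):
    """Password number n: the chain start hashed n more times, as hex."""
    block = chain_step(seed.lower().encode() + passphrase.encode())
    for _ in range(n):
        block = chain_step(block)
    return block.hex()


def password_list(seed, passphrase, count):
    """What a 'Generate S/KEY Passwords' page hands the user, indexed by sequence number.
    Entry k is the password the server asks for when its counter is k + 1."""
    return [otp(seed, passphrase, k) for k in range(count)]


class SkeyServer:
    """Server side: keeps only (seed, counter, last accepted hash), never the passphrase."""

    def __init__(self, seed, passphrase, count):
        self.reinit(seed, passphrase, count)

    def reinit(self, seed, passphrase, count):
        """Enrol or regenerate: the new list replaces the old one and the seed changes with it."""
        self.seed, self.seq = seed, count
        self.last = otp(seed, passphrase, count)  # computed once; the passphrase is then dropped

    def challenge(self):
        """(sequence number, seed) the login page prompts with, or None if the list is used up."""
        return None if self.seq == 0 else (self.seq - 1, self.seed)

    def verify(self, candidate):
        """Accept candidate only if hashing it once gives the last accepted value."""
        if self.seq == 0:
            return False  # last password already used: a new list must come from elsewhere
        try:
            block = bytes.fromhex(candidate)
        except ValueError:
            return False
        if len(block) != 8 or chain_step(block).hex() != self.last:
            return False
        self.last, self.seq = block.hex(), self.seq - 1  # move the chain one link back
        return True


if __name__ == "__main__":
    # Constructed sample values.
    seed, passphrase = "ip80010", "correct horse battery"
    user_list = password_list(seed, passphrase, 5)
    server = SkeyServer(seed, passphrase, 5)
    while server.challenge() is not None:
        seq, _ = server.challenge()
        print("seq %d accepted: %s" % (seq, server.verify(user_list[seq])))
    print("list exhausted, challenge:", server.challenge())
```

A replayed password fails because the stored hash has already moved one link back, and after sequence number 0 is consumed the server cannot accept anything, which is why the guide says a fresh list must then be generated by another method.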


SafeWord

This module is a client implementation for authenticating using the SafeWord system from Secure Computing. The module is written for a SafeWord configuration that uses X9.9, asynchronous device mode for X9.9, a challenge length of four decimal digits, and a password length of eight digits. The SafeWord server must be installed locally on the i-Planet server.

SecurID

The SecurID module is a client implementation for authenticating against the ACE/Server from Security Dynamics Technologies, Inc. The module's interface only provides for authentication. It does not provide for any other functions, such as "new PIN mode." The ACE/Server does not have to be installed locally to the i-Planet server, although the i-Planet software checks at installation for evidence that the ACE/Client has previously been installed. (In particular, it checks for the existence of the file /etc/sdace.txt.) If you install the ACE/Client after installing the i-Planet server, you can add SecurID to the list of authenticators through the Authentication Parameters page in the Administration Console.

To Add SecurID to the List of Authenticators Through the Administration Console
  1. Log into the Administration Console.

  2. Click the Authentication link under the Server section.

  3. In the Authentication Modules field at the top of the Authentication Parameters frame, add the following line:

    com.sun.login.securid.Securid

  4. Click the Enter button at the bottom of the frame.

  5. As root, on the i-Planet server, restart the web server by typing:


    # /opt/SUNWjeev/bin/iplanet_serv stop
    # /opt/SUNWjeev/bin/iplanet_serv start
    

General

Each authentication module has a properties file that can be used to customize the HTML pages that are displayed to the end user. The properties file for each module is located in /etc/opt/SUNWstnr on the i-Planet server. For example, the UNIX authentication module's properties file is /etc/opt/SUNWstnr/Unix.properties.

Each authentication module has a TIMEOUT parameter that can be modified in the corresponding /etc/opt/SUNWstnr/authentication_module.properties file. This time-out specifies the number of seconds that the end users have to submit the screen before the time-out page displays. The default for each module is 60 seconds.

For example, if you want to make sure that end users using UNIX login have two minutes (120 seconds) to log in, change the TIMEOUT parameter in /etc/opt/SUNWstnr/Unix.properties from 60 to 120.

For each HTML page that is sent for the authentication module, there is a keyword SCREEN followed by the keyword TEXT, followed by any number of the keywords TOKEN and PASSWORD. Each screen may also contain an optional TIMEOUT keyword. For example, the Unix.properties file contains the following entries:


SCREEN

TIMEOUT 60

TEXT Unix User Password Login

TOKEN Enter Your UserId

PASSWORD Enter Your Password


Note -

You cannot change the ordering of any of the tokens.


TIMEOUT--specifies the number of seconds the authentication module will wait before sending the user a login session time-out page.

TEXT--Each screen has one TEXT keyword. This is the text that is displayed at the top of the authentication page. It is typically used to describe the authentication module or as an informational message to the end user.

TOKEN--Each TOKEN keyword causes an input box to be displayed. The text after the keyword is displayed above the input box. You cannot change the ordering of the tokens.

PASSWORD--Each PASSWORD keyword causes an input box to be displayed. The text after the keyword is displayed above the input box. The only difference between TOKEN and PASSWORD is that the PASSWORD text is not echoed but shown as asterisks. You cannot change the ordering of the tokens.

IMAGE--This keyword instructs the authentication module to replace the standard i-Planet image with the image following the keyword. The image should be placed in /opt/SUNWjeev/public_html/images. This image should be a gif file.

HTML--This keyword tells the authentication module that you want to override the dynamic HTML generation and supply your own HTML page. The authentication modules expect to receive URL parameters specific to each type of authentication. If you override the HTML for a module, your HTML page must supply the correct number and names of the parameters. The following section of HTML code shows the input fields of the UNIX page:


<P><STRONG>Enter Your UserId</STRONG><BR>

<INPUT TYPE="TEXT" NAME=TOKEN0 SIZE="22"></P>

<P><STRONG>Enter Your Password</STRONG><BR>

<INPUT TYPE="PASSWORD" NAME=TOKEN1 SIZE="22"></P>

The UNIX module expects the user ID and password in the parameters TOKEN0 and TOKEN1. To ensure you have the correct HTML, go to that authentication page and view the HTML source before writing your own.
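
To make the relationship between a properties file and the form parameters concrete, here is an added example (not i-Planet code) that parses the SCREEN/TIMEOUT/TEXT/TOKEN/PASSWORD/IMAGE/HTML keywords described above and renders the input boxes in the shape shown for the UNIX page. It assumes, because the guide does not say so explicitly, that input boxes are named TOKEN0, TOKEN1, ... in file order counting TOKEN and PASSWORD lines together (which is what TOKEN0 = user ID, TOKEN1 = password implies), that every SCREEN has exactly one TEXT, and that any other keyword is an error. The two properties files embedded in it are constructed from the examples in this chapter.

```python
"""Parse an i-Planet authentication .properties screen and render the form it produces.

Added example, not i-Planet code. Assumptions (not stated in the guide): input boxes
are named TOKEN0, TOKEN1, ... in file order counting TOKEN and PASSWORD together;
every SCREEN has exactly one TEXT; a keyword the guide does not list is an error.
"""
import html

DEFAULT_TIMEOUT = 60  # seconds; the guide's default for every module
KEYWORDS = ("SCREEN", "TIMEOUT", "TEXT", "TOKEN", "PASSWORD", "IMAGE", "HTML")


def parse_properties(text):
    """Return a list of screens, one per SCREEN keyword, in file order."""
    screens, cur = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        keyword, _, arg = line.partition(" ")
        arg = arg.strip()
        if keyword not in KEYWORDS:
            raise ValueError("line %d: unknown keyword %r" % (lineno, keyword))
        if keyword == "SCREEN":
            cur = {"timeout": DEFAULT_TIMEOUT, "text": None, "fields": [],
                   "image": None, "html": None}
            screens.append(cur)
        elif cur is None:
            raise ValueError("line %d: %s before the first SCREEN" % (lineno, keyword))
        elif keyword == "TIMEOUT":
            cur["timeout"] = int(arg)
        elif keyword == "TEXT":
            if cur["text"] is not None:
                raise ValueError("line %d: second TEXT in one screen" % lineno)
            cur["text"] = arg
        elif keyword in ("TOKEN", "PASSWORD"):
            cur["fields"].append((keyword, arg))  # order fixes the TOKENn numbering
        elif keyword == "IMAGE":
            cur["image"] = arg
        else:  # HTML
            cur["html"] = arg
    for i, s in enumerate(screens):
        if s["text"] is None:
            raise ValueError("screen %d has no TEXT" % (i + 1))
    return screens


def field_names(screen):
    """Parameter names the module will read back for this screen."""
    return ["TOKEN%d" % n for n in range(len(screen["fields"]))]


def render_fields(screen):
    """HTML for the input boxes, in the shape the guide shows for the UNIX page.
    Labels are escaped so a customised properties file cannot inject markup."""
    parts = []
    for n, (kind, label) in enumerate(screen["fields"]):
        itype = "PASSWORD" if kind == "PASSWORD" else "TEXT"  # PASSWORD is not echoed
        parts.append('<P><STRONG>%s</STRONG><BR>\n<INPUT TYPE="%s" NAME=TOKEN%d SIZE="22"></P>'
                     % (html.escape(label), itype, n))
    return "\n".join(parts)


# Constructed samples: the guide's Unix.properties, and a Radius.properties with the
# extra "Radius Server:" TOKEN appended as the RADIUS section describes.
UNIX_PROPERTIES = """SCREEN
TIMEOUT 60
TEXT Unix User Password Login
TOKEN Enter Your UserId
PASSWORD Enter Your Password
"""
RADIUS_PROPERTIES = """SCREEN
TIMEOUT 60
TEXT RADIUS Authentication
TOKEN User Name:
PASSWORD Password:
TOKEN Radius Server:
"""

if __name__ == "__main__":
    for name, text in (("Unix", UNIX_PROPERTIES), ("Radius", RADIUS_PROPERTIES)):
        screen = parse_properties(text)[0]
        print(name, screen["text"], screen["timeout"], field_names(screen))
        print(render_fields(screen))
```

The rendered output for the UNIX sample is the fragment shown above; for the RADIUS sample the appended TOKEN becomes TOKEN2, which is the parameter name an overriding HTML page for that module would have to use.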

Adding or Removing Modules

By default only the UNIX module is enabled. When multiple modules are enabled, the end users see a menu of all the possible authentication modules. When end users click the link for a specific module, the authentication server loads that module and the end users receive the HTML pages for that module. If only one module is enabled, then no menu is sent and the user is sent directly to the enabled authentication module.

Follow these steps to add or remove login modules from i-Planet. (In this example, a RADIUS authentication module is being added, but you use the same steps to add or remove any of the modules.)

To Add (Remove) a Module to (from) the List of Authentication Modules
  1. On the i-Planet gateway in the file named reverseproxy.policy in the directory /opt/SUNWsnrp/policy, add the line:

    * http://i-Planet_server.eng.sun.com:8080/login/Radius

    This line tells the i-Planet gateway to allow a URL to reach the RADIUS authentication module to start the authentication process. You can add it anywhere in the file. The i-Planet gateway uses this file to decide which URLs will be forwarded to the i-Planet server.

    If you were removing the RADIUS module, you would delete that line.

  2. As root, type the following to stop and restart the reverse proxy on the i-Planet gateway for it to recognize the changes:


    # /opt/SUNWsnrp/bin/iplanet_gw stop
    # /opt/SUNWsnrp/bin/iplanet_gw start
    

  3. On the i-Planet server, start the web browser that you are going to use.

  4. Type the URL for the Administration Console:

    http://fully_qualified_name_of_i-Planet_server_host:8080/console

  5. Click the Authentication link.

  6. Add the following information to the Authentication Modules list:

    com.sun.login.radius.Radius

    If you were removing a module, you would delete the line.

  7. Click the Enter button at the bottom of the page when you have added or removed a module to save your changes.

  8. As root, on the i-Planet server, type the following to stop and restart the web server:


    # /opt/SUNWjeev/bin/iplanet_serv stop
    # /opt/SUNWjeev/bin/iplanet_serv start
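
The procedure above touches two places that must agree: the gateway's reverseproxy.policy and the console's Authentication Modules list. A module listed in the console but missing from the policy is unreachable through the gateway, and a policy line left behind after a module is removed is a forwarding rule nobody needs. The following added example (not i-Planet code) toggles the policy line idempotently and reports such drift. It assumes the policy file holds one rule per line of the form `* <URL>` (the guide shows only the RADIUS rule) and that a module's login path is /login/ followed by the last component of its class name, generalising the pair com.sun.login.radius.Radius and /login/Radius shown above; the host name and policy contents are constructed samples.

```python
"""Keep reverseproxy.policy and the console's Authentication Modules list in step.

Added example, not part of i-Planet. Assumptions: policy rules are lines of the
form '* <URL>'; the login path of a module is /login/<last component of its class
name>, generalising the guide's com.sun.login.radius.Radius <-> /login/Radius.
"""

PORT = 8080  # default i-Planet server port


def login_url(server, module_class, port=PORT):
    """URL the gateway must forward for this module's authentication page."""
    return "http://%s:%d/login/%s" % (server, port, module_class.rsplit(".", 1)[-1])


def set_rule(policy_text, url, enable):
    """Add or remove the '* <url>' rule; a no-op when already in the wanted state."""
    rule = "* " + url
    lines = policy_text.splitlines()
    present = any(l.strip() == rule for l in lines)
    if enable and not present:
        lines.append(rule)  # the guide says the line may go anywhere in the file
    elif not enable and present:
        lines = [l for l in lines if l.strip() != rule]
    return "\n".join(lines) + "\n"


def forwarded_urls(policy_text):
    """URLs the gateway forwards, from '* <URL>' rules; comments and blanks ignored."""
    urls = set()
    for line in policy_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "*":
            urls.add(parts[1])
    return urls


def audit(policy_text, modules, server):
    """Compare the console's module list with the gateway's /login/ rules.

    Returns (blocked, stale): modules enabled in the console whose login URL the
    gateway does not forward, and /login/ URLs forwarded for no enabled module.
    """
    forwarded = {u for u in forwarded_urls(policy_text) if "/login/" in u}
    wanted = {m: login_url(server, m) for m in modules}
    blocked = sorted(m for m, u in wanted.items() if u not in forwarded)
    stale = sorted(forwarded - set(wanted.values()))
    return blocked, stale


# Constructed sample: the console lists RADIUS, but the gateway still forwards only
# a SecurID rule from an earlier configuration.
SERVER = "iplanet.example.com"
SAMPLE_POLICY = """\
# reverseproxy.policy (constructed sample)
* http://iplanet.example.com:8080/login/Securid
"""
SAMPLE_MODULES = ["com.sun.login.radius.Radius"]


def reconcile(policy_text, modules, server):
    """Return the policy text with every enabled module forwarded and stale rules dropped."""
    blocked, stale = audit(policy_text, modules, server)
    for module in blocked:
        policy_text = set_rule(policy_text, login_url(server, module), True)
    for url in stale:
        policy_text = set_rule(policy_text, url, False)
    return policy_text


if __name__ == "__main__":
    print("drift:", audit(SAMPLE_POLICY, SAMPLE_MODULES, SERVER))
    print(reconcile(SAMPLE_POLICY, SAMPLE_MODULES, SERVER))
```

After editing the real file, the gateway and the web server still have to be restarted as in steps 2 and 8; the script only makes the two configurations consistent, it does not apply them.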
    

Troubleshooting

The following are some of the areas in which problems often occur:

The Default URL

When end users successfully authenticate, they are redirected to the default i-Planet Desktop. If they want (or you want them to have) redirection to a page other than the i-Planet Desktop, you must modify the file /opt/SUNWjeev/profiles/.default.

To Modify the /opt/SUNWjeev/profiles/.default File
  1. Set the user.url to the URL to which you want all your users redirected after authentication. For example, if you want all your users to go to www.sun.com after authentication, type:

    user.url=http://www.sun.com


    Note -

    There is only one default for all users.


If you want a different URL for individual end users, you must add the desired URL for each user in the file that corresponds to the authenticated name for that user.

For example, if a user authenticates as user123, the file should be called /opt/SUNWjeev/profiles/user123 and should contain the following information:


role=web

user.url=http://user_default_url

session.uid=user123