iPlanet Web Server: Plug-in for Trustbase services 1.0 Installation, Configuration and Developer's Guide



Chapter 3   Configuration


The following must be configured:

  • Database logging

  • Authservlet.properties

  • configservlet.properties

  • dsmsservlet.properties


Enable Raw Logging



Logging can be done either to Oracle or directly to a file. You specify where your logging should take place in

/build/config/authservlet.properties

If you are using Oracle, the generation of users and the tablespaces defined may differ for individual sites; contact the site DBA for advice. The following parameters must be defined: Oracle login name, Oracle login password, PBEPassword (set to the same value as the Oracle login password), Oracle hostname, Oracle port number and Oracle SID.


Installation Pre-requisite

You should download from

JDBC(TM) Thin / 100% Java API for JDK(TM) 1.1.x
http://technet.oracle.com/software/download.htm

The filename may be oracle-jdbc-815.zip or classes12_01.zip depending on the version of Oracle you are using. Copy this file into the <iws_servlet_directory>, then make sure the location of this file is appended to the classpath within jvm12.conf.


Running the iPlanet Web Server: Plug-in for Trustbase services SQL Scripts

  • Switch to the Oracle user and run server manager:

    myhost> su - oracle
    Password:
    myhost> cd <iwsplugin_install_directory>/Build/Config
    myhost> svrmgrl

    Oracle Server Manager Release 3.1.5.0.0 - Production

    (c) Copyright 1997, Oracle Corporation. All Rights Reserved.

    Oracle8i Enterprise Edition Release 8.1.5.0.0 - Production
    With the Partitioning and Java options
    PL/SQL Release 8.1.5.0.0 - Production

    SVRMGR> connect internal
    Connected.

  • The database must be enabled to support the UTF8 character set. The following script is an example of how to achieve this.

    SVRMGR> SHUTDOWN;
    SVRMGR> STARTUP MOUNT;
    SVRMGR> ALTER SYSTEM ENABLE RESTRICTED SESSION;
    SVRMGR> ALTER SYSTEM SET JOB_QUEUE_PROCESSES=0;
    SVRMGR> ALTER DATABASE OPEN;
    SVRMGR> ALTER DATABASE CHARACTER SET UTF8;
    SVRMGR> SHUTDOWN;
    SVRMGR> STARTUP;

  • Create an iPlanet Web Server: Plug-in for Trustbase services user. You may need to change the username, password and default tablespaces depending on site policy:

    SVRMGR> CREATE USER tbase IDENTIFIED BY tbase DEFAULT TABLESPACE USERS
    TEMPORARY
    TABLESPACE TEMP;
    Statement processed.
    SVRMGR> GRANT CONNECT TO tbase;
    Statement processed.
    SVRMGR> GRANT RESOURCE TO tbase;
    Statement processed.
    SVRMGR> ALTER USER tbase QUOTA UNLIMITED ON USERS;
    Statement processed.
    SVRMGR> quit
    Server Manager complete.

  • Connect as the iPlanet Web Server: Plug-in for Trustbase services user and run the scripts:

    sunstorm% su - oracle
    sunstorm% cd <install_directory>/build/config
    sunstorm% sqlplus
    SQL*Plus: Release 8.1.5.0.0 - Production on Fri Sep 22 12:07:11 2000
    (c) Copyright 1999 Oracle Corporation. All rights reserved.
    Enter user-name: tbase
    Enter password:
    Error accessing PRODUCT_USER_PROFILE
    Warning: Product user profile information not loaded!
    You may need to run PUPBLD.SQL as SYSTEM

    Connected to:
    Oracle8i Enterprise Edition Release 8.1.5.0.0 - Production
    With the Partitioning and Java options
    PL/SQL Release 8.1.5.0.0 - Production

    SQL> @iwsraw.sql

  • The following changes need to be made to authservlet.properties

    ;log.dsms.store = com.iplanet.trustbase.identrus.iws.log.raw.PluginFileRawLogStore

    log.dsms.store = com.iplanet.trustbase.identrus.iws.log.raw.PluginJDBCRawLogStore

    connection = jdbc:oracle:thin:<username>/<password>@<oracle_instance>:1521:orcl



iWSPTS Configuration

The properties files, with iWS 4.1, can be found in:

<iws4.1_Install_directory>/https-<instance_name>/config/Authservlet.properties

<iws4.1_Install_directory>/https-<instance_name>/config/configservlet.properties

<iws4.1_Install_directory>/https-<instance_name>/config/dsmsservlet.properties

The properties files, with iWS 6.0, can be found in:

<iwspts_Install_Directory>/config/Authservlet.properties

<iwspts_Install_Directory>/config/configservlet.properties

<iwspts_Install_Directory>/config/dsmsservlet.properties

and should be configured dynamically from the Web Server as follows:

Figure 3-1    Logon Main Menu



Configuring Authservlet.properties

Most of the configuration you can perform is centered around:

<iws_install_directory>/https-<iws-server-instance>/config/authservlet.properties

Figure 3-2    Authentication Servlet


This file controls the behaviour of both the authentication servlet and the cookie authorisation modules. The file is divided into sections and each section controls a different element. The Authservlet section controls the authentication servlet as a whole entity: it controls which signing certificates are used and whether or not to log any data at all. The cengine section controls the cookie authorisation: it controls which certificate to consider the server certificate. The LogManager section controls the authentication servlet's logging behaviour; its configuration will be familiar to Trustbase transaction manager installers as it is exactly the same. It is used to configure the behaviour of the error, access and raw logs used by the servlet. The CookieGenerator section controls which cookie generators are available to the authentication servlet and how they are configured.


Database Provider

This is a module of the Authentication Servlet and it controls how a username entered by the user is associated with an LDAP database entry. Inside the LDAP database you must add the Base64 encoded certificate for a user to that user's LDAP entry. The field you need to add it to is by default "usersmimecertificate", but this can be changed with the "LdapDatabase.Property=CertificateElement=" property inside the DatabaseProvider section. You can control which Database Provider is chosen by using the setting in the AuthServlet section (see below).


CookieGenerator


This is a module of the Authentication Servlet and it controls what the contents of the cookie will be that is generated in response to a successful Certificate Status Check.


LogManager

Activate Logging : Controls whether or not these logs are written to




Authservlet


This section is also expected to contain any settings you wish to make to control the DSMS.



Each entry below gives the property name, its type and default value, then remarks:

  • ActivateErrorLogging (Boolean, default True) - Determines whether or not the authentication servlet will log any errors at all. Disabling error logging would be unwise.

  • ActivateAccessLogging (Boolean, default True) - Determines whether the authentication servlet logs accesses; an access is a request to perform a certificate status check.

  • ActivateRawLogging (Boolean, default True) - Determines whether the authentication servlet logs the raw certificate status check data. This log can consume a lot of disk space quickly.

  • InsistOnProof (Boolean, default True) - Determines whether the authentication servlet trusts the End Entity it is asking to perform an Identrus CSC, i.e. whether it will accept the absence of the end entity freshness proof.

  • KeyStoreType (String, default Null) - Determines what type of keystore is being used; for the moment this should always be set to JSS. This setting should be left alone after deployment.

  • KeyStoreLocation (String, default Null) - Determines where the keystore can be found. This setting should be left alone after deployment.

  • KeyStorePassword (String, default Null) - Determines the password used to open the keystore. It should be left alone after deployment.

  • ReturnPage (String, default errors/certificate_return.html) - Controls what page is sent back after the initial challenge. This setting should never be altered.

  • SubstString (String, default REPLACETHISSTRING) - Controls which string is replaced in returned pages. This setting should never be altered.

  • ErrorReturnPage (String, default Errors/login-error.html) - Controls what page is sent back when a login error occurs. This setting should never be changed.

  • DatabaseProvider (String, default LdapDatabase) - Controls which database provider is chosen from the available database providers.

  • CookieGenerator (String, default CertificateCookie) - Controls which cookie generator is chosen from the available cookie generators.

  • SigningCertificate (String, default None) - Controls which certificate will be used to sign requests. Use the alias of your chosen certificate.

  • SSLSigningCertificate (String, default None) - Controls which certificate is used for SSL client communications.
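As an added check that is not part of the plug-in or this guide, the following Python script parses an authservlet.properties file and flags settings that the raw-logging section and the Authservlet table above say must hold: an unfilled connection string, ActivateErrorLogging or InsistOnProof switched off, a keystore type other than JSS, or a changed ReturnPage or SubstString. It assumes "key = value" lines with ';' comments as in the raw-logging snippet, that Authservlet properties are matched by the last dotted part of their key, and a constructed sample file.

```python
import re
# Added example, not the plug-in's own code. Assumptions: lines are "key = value",
# a leading ';' or '#' comments a line out (as in the raw-logging snippet), and the
# Authservlet settings are matched by the last dotted part of their key, so that
# "Authservlet.KeyStoreType" is found under the table's name "KeyStoreType".
def parse_properties(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in ";#" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lookup(props, name):
    return next((v for k, v in props.items() if k.split(".")[-1] == name), None)

# jdbc:oracle:thin:<user>/<password>@<host>:<port>:<sid>. The password sits in
# cleartext in this URL, so the properties file itself needs restrictive permissions.
JDBC_RE = re.compile(r"^jdbc:oracle:thin:([^/]+)/([^@]+)@([^:]+):(\d+):(\w+)$")

def parse_jdbc_url(url):
    m = JDBC_RE.match(url or "")
    if not m:
        return None
    user, pw, host, port, sid = m.groups()
    return {"user": user, "password": pw, "host": host, "port": int(port), "sid": sid}

def check_config(text):
    props, problems = parse_properties(text), []
    if (props.get("log.dsms.store") or "").endswith("PluginJDBCRawLogStore"):
        conn = parse_jdbc_url(props.get("connection"))
        if conn is None:
            problems.append("connection: not a jdbc:oracle:thin URL")
        elif any("<" in str(v) for v in conn.values()):
            problems.append("connection: <placeholder> values not filled in")
    for name in ("ActivateErrorLogging", "InsistOnProof"):  # both default to True
        if (lookup(props, name) or "True").lower() != "true":
            problems.append(f"{name}: set to False")
    if lookup(props, "KeyStoreType") != "JSS":
        problems.append("KeyStoreType: must be JSS")
    for name, fixed in (("ReturnPage", "errors/certificate_return.html"),
                        ("SubstString", "REPLACETHISSTRING")):
        if lookup(props, name) not in (None, fixed):
            problems.append(f"{name}: must stay {fixed}")
    return problems
# Constructed sample: store switched to Oracle, but placeholders and defaults left wrong.
SAMPLE = """;log.dsms.store = com.iplanet.trustbase.identrus.iws.log.raw.PluginFileRawLogStore
log.dsms.store = com.iplanet.trustbase.identrus.iws.log.raw.PluginJDBCRawLogStore
connection = jdbc:oracle:thin:<username>/<password>@<oracle_instance>:1521:orcl
Authservlet.KeyStoreType = JKS
Authservlet.InsistOnProof = False"""
```

Running check_config on the real file after the raw-logging edits gives an empty list when every setting the guide fixes is in place.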
 




Cengine


This section controls the cookie checking software. The properties available are:



Each entry below gives the property name, its type and default value, then remarks:

  • ServerCertNickName (String, default None) - The nickname of the server certificate that is being used to sign the cookies.
 



Configuring configurationservlet.properties

Configuration Level : Controls how many configuration options are presented; it effectively provides beginner, medium and advanced settings. Valid values: 1, 2, 3. Default: 1.

Require Authentication : Controls whether the configuration servlet demands the keystore password when attempting to change the configuration. Valid values: ticked/not ticked. Default: ticked.

Require SSL Secure Connections : Controls whether the configuration servlet accepts connections only through secure connections or through both secure and insecure connections. Valid values: ticked/not ticked. Default: ticked.

Figure 3-3    Configuration Servlet



Configuring dsmsdemoservlet.properties

This file can be configured as follows:

Figure 3-4    Demonstration Servlet


  • Signing Certificate Nick Name : The nickname of the certificate you are using to sign your messages between the authoritative entities and the web server.

  • SSL Signing Certificate Nick Name : The nickname of the certificate you are using for SSL transactions between the authoritative entities and the web server.

  • Verification Certificate Nick Name : The nicknames of the certificates you are using as trust anchors, to verify the signed messages you receive from authoritative entities.

  • Insist On Freshness Proof Presence : Controls whether we insist on the presence of a freshness proof; if one is not provided we will attempt to get one.

  • Generate Nonce : Controls whether nonces are generated or not.

  • Preferred Protocol : Controls which protocol is used to perform certificate status checks. Valid values: "identrus" or "ocsp". Default value: "identrus".

  • Protocol Version : Controls which version of the protocol we use. Valid values: 0, 1, 2. Default: 0.

  • Force Default Location : Controls whether we ignore the AIA of a certificate and send our check to the location specified in Default Location.

  • Maximum Time Proof : Controls how long a freshness proof is considered valid after its generation. This value is specified in seconds.

  • Create Signed OCSP : Controls whether we sign the OCSP requests that we generate. This setting is overridden under the identrus protocol, where requests are never signed.

  • Verify Signed OCSP : Controls whether we verify the signed OCSP responses that we receive. This setting is overridden under the identrus protocol, where they are not checked.

  • Clip Base64 Lines : Controls whether the Base64 generated is clipped to a line length.

  • Default Location : The location to send transactions to when Force Default Location is set to "Yes".


Copyright © 2001 Sun Microsystems, Inc.

Last Updated September 24, 2001