JCDI Auth Module
This document explains how to compile, deploy and run the JCDI Auth Module program.
About JCDI Auth Module
This module authenticates a Java Card by its certificate and serial number,
looking the card up in LDAP through "com.sun.jndi.ldap.LdapCtxFactory".
Steps to compile the JCDI Auth Module program on Solaris
- Set the following variables in the Makefile. This Makefile is in the
  same directory (<install-root>/SUNWam/samples/authentication/spi/jcdi)
  as the JCDI Auth Module program files.
  - JAVA_HOME: set this variable to your installation of the JDK. The JDK
    should be newer than JDK 1.3.1.
  - CLASSPATH: set this variable to refer to the following jars found in
    the <install-root>/SUNWam/lib directory:
    am_sdk.jar, am_services.jar, acmecrypt.jar, servlets.jar, am_logging.jar
    (Note: include jaas.jar in your classpath if you are using a JDK
    version older than JDK 1.4.)
  - BASE_CLASS_DIR: set this variable to the directory where all the
    compiled Sample classes are located.
  - JAR_DIR: set this variable to the directory where the JAR files of the
    compiled Sample classes will be created.
- Go to the <install-root>/SUNWam/samples/authentication/spi/jcdi
  directory and run gmake.
Steps to deploy the JCDI Auth Module program
- Copy JCDI.jar from JAR_DIR to <install-root>/SUNWam/web-src/services/WEB-INF/lib.
- Update the classpath with JCDI.jar in the Web Container from which
  this sample has to run. For use with Sun ONE Web Server, go to the server
  instance's config directory /<WS-home-dir>/https-<WS-instance-name>/config/.
  For Sun ONE App Server, go to <AS-home-dir>/domain/domain1/server1/config/
  and update server.xml with the new classpath. For all other containers,
  consult their documentation.
- Copy JCDI.xml from <install-root>/SUNWam/samples/authentication/spi/jcdi
  to <install-root>/SUNWam/web-src/services/config/auth/default.
- Import amAuthJCDI.xml (available in <install-root>/SUNWam/samples/authentication/spi/jcdi)
  using amadmin to load iPlanetAMAuthJCDIService:
    cd <install-root>/SUNWam/bin
    ./amadmin --runasdn uid=amAdmin,ou=People,<default_org>,<root_suffix>
      --password <password> --schema amAuthJCDI.xml
- Place amAuthJCDI.properties in <install-root>/SUNWam/locale/
- Redeploy the services war file by running the corresponding install script
  for the web container on which these samples are deployed. For
  example, if the samples are deployed on Sun(tm) ONE App Server 7.0, run amas70config;
  for Sun(tm) ONE Web Server, run the amws61config script found under <install-root>/SUNWam/bin.
- Restart the web container (e.g. /<WS-home-dir>/https-<WS-instance-name>/start
  for Sun ONE Web Server, /<AS-home-dir>/domains/domain1/server1/bin/start
  for Sun ONE App Server).
Steps to load JCDI Auth module into Identity Server
- Using the IS Admin Console:
  - Log in to the Identity Server Console as amadmin, using the URL:
    http://<host>.<domain>:<port>/<Console-Deploy-URL>
  - In the "Service Configuration" frame, select "Core" within "Authentication".
  - Add the class file name com.iplanet.am.samples.authentication.spi.jcdi.JCDI
    to "Pluggable Auth Modules Classes".
  - Click the Save button to save the changes in the console.
- Using the command line (amadmin):
  - Write a sample.xml file as shown below, which adds the JCDI auth module
    entry to the allowed modules and authenticators lists.
<!--
  Copyright (c) 2003 Sun Microsystems, Inc. All rights reserved
  Use is subject to license terms.
-->
<!DOCTYPE Requests
  PUBLIC "-//iPlanet//iDSAME 5.0 Admin CLI DTD//EN"
  "jar://com/iplanet/am/admin/cli/amAdmin.dtd">
<Requests>
  <SchemaRequests serviceName="iPlanetAMAuthService" SchemaType="Organization">
    <AddChoiceValues>
      <AttributeValuePair>
        <Attribute name="iplanet-am-auth-allowed-modules"/>
        <Value>JCDI</Value>
      </AttributeValuePair>
    </AddChoiceValues>
  </SchemaRequests>
  <SchemaRequests serviceName="iPlanetAMAuthService" SchemaType="Global">
    <AddDefaultValues>
      <AttributeValuePair>
        <Attribute name="iplanet-am-auth-authenticators"/>
        <Value>com.iplanet.am.samples.authentication.spi.jcdi.JCDI</Value>
      </AttributeValuePair>
    </AddDefaultValues>
  </SchemaRequests>
</Requests>
  - Load sample.xml via amadmin:
      cd <install-root>/SUNWam/bin
      ./amadmin --runasdn uid=amAdmin,ou=People,<default_org>,<root_suffix>
        --password <password> --data sample.xml
Setting up the Schema and the User
1) Update the LDAP schema with <install-root>/SUNWam/samples/authentication/spi/jcdi/schema.ldif
using the 'ldapmodify' command against the LDAP Server, e.g.:
  <install-root>/SUNWam/bin/ldapmodify -h <dshostname> -p <dsport> -D "<ldapbinddn>"
    -w <ldapbindpassword> -v -f <install-root>/SUNWam/samples/authentication/spi/jcdi/schema.ldif
2) Create the 'user' in LDAP using the LDAP Console or the
IS Admin Console under the required LDAP Search Root (e.g. the
"ou=people, dc=iplanet, dc=com" subtree).
3) Then add the 'authentication-service' object class to the object-classes
list of that 'user'.
Three LDAP attributes will be created:
- 'authentication-cuid'
- 'authentication-cert-validity'
- 'usercertificate'
4) Fill those attributes with:
- authentication-cuid = 0123456789
- authentication-cert-validity = TRUE
- usercertificate = (with the browsing window, load the certificate.txt
file from <install-root>/SUNWam/samples/authentication/api/jcdi)
5) Restart the Directory Server (e.g. /<DS-home-dir>/slapd-<host>/start-slapd)
and the web container (e.g. /<WS-home-dir>/https-<WS-instance-name>/start
for Sun ONE Web Server, /<AS-home-dir>/domains/domain1/server1/bin/start
for Sun ONE App Server).
Steps to run the JCDI Auth Module
1) Log in to the Identity Server as amAdmin.
2) Verify that the JCDI service is available under the Service Management
tab. If not, go back and follow the loading steps listed above.
3) Under the Identity Management tab, select the Org for which you'd
like to configure JCDI AuthN. Select the Services view for that Org.
4) Register the JCDI service.
5) Create a new template for the JCDI service by clicking on the
arrow next to the newly registered service.
6) Modify the parameters as follows (according to your own settings):
- LDAP Server Name: name of the LDAP Server, e.g. 'bosky'
- LDAP Server Domain: the name of the LDAP server domain, e.g. 'red.iplanet.com'
- LDAP Server: fully qualified LDAP server name, e.g. 'bosky.red.iplanet.com'
- LDAP Port: the LDAP Server port, e.g. '389'
- LDAP Search Root: the start search DN for the LDAP Server, e.g. 'ou=people,dc=iplanet,dc=com'
- LDAP Result Attribute: LDAP return attribute, e.g. 'uid'
- LDAP Filter Attribute: filter attribute for the LDAP search, e.g. 'authentication-cuid'
- LDAP Bind DN: DN used to connect to the LDAP database
- LDAP Bind Password: password used to connect to the LDAP database
- LDAP Bind Password (confirm): re-enter the password
- Authentication Level: set this to the appropriate level
7) Save the service and click on the Core service.
8) Select JCDI as an AuthN module for that service in the "Organization Authentication
Modules" list (holding Control will allow you to select multiple).
Note: do not de-select the LDAP auth module.
9) Save the Core service and log out.
10) You should be all set: log in with the Authentication Remote API
sample 'JCDILogin' under
<install-root>/SUNWam/samples/authentication/api/jcdi by following
<install-root>/SUNWam/samples/authentication/api/jcdi/Readme.html
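A worked illustration of the lookup that the user attributes and template parameters above describe, added here and not part of the sample's own code: the card serial is escaped into an equality filter on the configured filter attribute, the single entry found under the search root is checked for authentication-cert-validity and a matching usercertificate, and the result attribute is returned. The in-memory directory, DNs, uid values and certificate bytes are constructed; the actual module performs the search through JNDI with the configured bind DN rather than against a dictionary.

```python
import hmac
import re

# Constructed in-memory directory standing in for the LDAP server. Each entry
# carries the three attributes the 'authentication-service' object class adds;
# the certificate bytes are a placeholder, not a real certificate.
SEARCH_ROOT = "ou=people,dc=iplanet,dc=com"
CARD_CERT = b"\x30\x82\x01\x00CONSTRUCTED-CERT-BYTES"
DIRECTORY = {
    "uid=jdoe,ou=people,dc=iplanet,dc=com": {
        "uid": "jdoe",
        "authentication-cuid": "0123456789",
        "authentication-cert-validity": "TRUE",
        "usercertificate": CARD_CERT,
    },
    "uid=old,ou=people,dc=iplanet,dc=com": {
        "uid": "old",
        "authentication-cuid": "9999999999",
        "authentication-cert-validity": "FALSE",  # card withdrawn
        "usercertificate": CARD_CERT,
    },
}

def escape_filter_value(value):
    """RFC 4515 escaping, so a card serial can never alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(filter_attr, serial):
    """Equality filter implied by the 'LDAP Filter Attribute' setting."""
    return "(%s=%s)" % (filter_attr, escape_filter_value(serial))

def search(search_root, ldap_filter):
    """Toy equality-filter match over entries under the search root."""
    attr, _, val = ldap_filter[1:-1].partition("=")
    val = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), val)
    return [e for dn, e in DIRECTORY.items()
            if dn.endswith("," + search_root) and e.get(attr) == val]

def authenticate(serial, presented_cert,
                 filter_attr="authentication-cuid", result_attr="uid"):
    """Return the result attribute on success, None on any failure."""
    matches = search(SEARCH_ROOT, build_filter(filter_attr, serial))
    if len(matches) != 1:                       # unknown or ambiguous serial
        return None
    entry = matches[0]
    if entry.get("authentication-cert-validity") != "TRUE":
        return None                             # card flagged invalid
    if not hmac.compare_digest(entry["usercertificate"], presented_cert):
        return None                             # certificate mismatch
    return entry.get(result_attr)
```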