Sun Java System Identity Server 2004Q2 
Sample
 


JCDI Auth Module

This document explains how to compile, deploy and run the JCDI Auth Module sample program.

About JCDI Auth Module

This module authenticates a Java Card (by its certificate and serial number) against an LDAP directory, which it reaches through the JNDI LDAP provider "com.sun.jndi.ldap.LdapCtxFactory".

Steps to compile the JCDI Auth Module program on Solaris

  • Set the following variables in the Makefile. This Makefile is in the same directory (<install-root>/SUNWam/samples/authentication/spi/jcdi) as the JCDI Auth Module program files.
    • JAVA_HOME: Set this variable to your installation of the JDK. The JDK should be newer than JDK 1.3.1.
    • CLASSPATH: Set this variable to refer to the following jars found in the <install-root>/SUNWam/lib directory:
      am_sdk.jar, am_services.jar, acmecrypt.jar, servlets.jar, am_logging.jar
      (Note: include jaas.jar in your classpath if you are using a JDK version older than JDK 1.4.)
    • BASE_CLASS_DIR: Set this variable to the directory where all the Sample compiled classes are located.
    • JAR_DIR: Set this variable to the directory where the JAR files of the Sample compiled classes will be created.
  • Go to the <install-root>/SUNWam/samples/authentication/spi/jcdi directory and run gmake.

Steps to deploy the JCDI Auth Module program

  • Copy JCDI.jar from JAR_DIR to <install-root>/SUNWam/web-src/services/WEB-INF/lib.
  • Add JCDI.jar to the classpath of the Web Container from which this sample has to run. For Sun ONE Web Server, go to the server instance's config directory /<WS-home-dir>/https-<WS-instance-name>/config/. For Sun ONE App Server, go to <AS-home-dir>/domain/domain1/server1/config/ and update server.xml with the new classpath. For all other containers, consult their documentation.
  • Copy JCDI.xml from <install-root>/SUNWam/samples/authentication/spi/jcdi to <install-root>/SUNWam/web-src/services/config/auth/default.
  • Import amAuthJCDI.xml (available in <install-root>/SUNWam/samples/authentication/spi/jcdi) using amadmin to load iPlanetAMAuthJCDIService:
    • cd <install-root>/SUNWam/bin
    • ./amadmin --runasdn uid=amAdmin,ou=People,<default_org>,<root_suffix> --password <password> --schema amAuthJCDI.xml
  • Place amAuthJCDI.properties in <install-root>/SUNWam/locale/.
  • Redeploy the services war file by running the corresponding install script for the web container on which these samples are deployed. For example, if the samples are deployed on Sun(tm) ONE App Server 7.0, run amas70config; for Sun(tm) ONE Web Server, run the amws61config script found under <install-root>/SUNWam/bin.
  • Restart the web container (e.g. /<WS-home-dir>/https-<WS-instance-name>/start or /<AS-home-dir>/domains/domain1/server1/bin/start for Sun ONE Web Server and Sun ONE App Server respectively).

Steps to load JCDI Auth module into Identity Server

  • Using the IS Admin Console:
    • Login to the Identity Server Console as amadmin, using the URL: http://<host>.<domain>:<port>/<Console-Deploy-URL>
    • In the "Service Configuration" frame, select "Core" within "Authentication".
    • Add the class file name com.iplanet.am.samples.authentication.spi.jcdi.JCDI to "Pluggable Auth Modules Classes".
    • Click on the save button to save the changes in the console.
  • Using the command line (amadmin):
    • Write a sample.xml file as shown below, which adds the JCDI auth module entry to the allowed modules and authenticators lists.
      <!--
          Copyright (c) 2003 Sun Microsystems, Inc. All rights reserved
          Use is subject to license terms.
      -->
      <!DOCTYPE Requests
          PUBLIC "-//iPlanet//iDSAME 5.0 Admin CLI DTD//EN"
          "jar://com/iplanet/am/admin/cli/amAdmin.dtd"
      >
      <Requests>
          <SchemaRequests serviceName="iPlanetAMAuthService" SchemaType="Organization">
              <AddChoiceValues>
                  <AttributeValuePair>
                      <Attribute name="iplanet-am-auth-allowed-modules"/>
                      <Value>JCDI</Value>
                  </AttributeValuePair>
              </AddChoiceValues>
          </SchemaRequests>
          <SchemaRequests serviceName="iPlanetAMAuthService" SchemaType="Global">
              <AddDefaultValues>
                  <AttributeValuePair>
                      <Attribute name="iplanet-am-auth-authenticators"/>
                      <Value>com.iplanet.am.samples.authentication.spi.jcdi.JCDI</Value>
                  </AttributeValuePair>
              </AddDefaultValues>
          </SchemaRequests>
      </Requests>
    • Load sample.xml via amadmin:
      • cd <install-root>/SUNWam/bin
      • ./amadmin --runasdn uid=amAdmin,ou=People,<default_org>,<root_suffix> --password <password> --data sample.xml

Setting up the Schema and the User

1) Update the LDAP schema with <install-root>/SUNWam/samples/authentication/spi/jcdi/schema.ldif using the 'ldapmodify' command against the LDAP Server (the -D option takes the bind DN and -w its password), e.g.:
<install-root>/SUNWam/bin/ldapmodify -h <dshostname> -p <dsport> -D "<ldapbinddn>" -w <ldapbindpassword> -v -f <install-root>/SUNWam/samples/authentication/spi/jcdi/schema.ldif

2) Create the 'user' in LDAP using the LDAP Console or the IS Admin Console under the required LDAP Search Root (e.g. the "ou=people,dc=iplanet,dc=com" subtree).

3) Then add the 'authentication-service' object class to the object-class list of that 'user'.
Three LDAP attributes will be created:
- 'authentication-cuid'
- 'authentication-cert-validity'
- 'usercertificate'

4) Fill those attributes with:
- authentication-cuid = 0123456789
- authentication-cert-validity = TRUE
- usercertificate = (using the browsing window, load the certificate.txt file from <install-root>/SUNWam/samples/authentication/api/jcdi)

5) Restart the Directory Server (e.g. /<DS-home-dir>/slapd-<host>/start-slapd) and the web container (e.g. /<WS-home-dir>/https-<WS-instance-name>/start or /<AS-home-dir>/domains/domain1/server1/bin/start for Sun ONE Web Server and Sun ONE App Server respectively).

Steps to run the JCDI Auth Module 

1) Login to the Identity Server as amAdmin

2) Verify that the JCDI service is available under the Service Management tab. If not, go back and follow the loading steps listed above.

3) Under the Identity Management tab, select the Org for which you'd like to configure JCDI AuthN. Select the Services View for that Org

4) Register the JCDI service

5) Create a new template for the JCDI service by clicking on the arrow next to the newly registered service.

6) Modify the parameters as follows (according to your own settings)

  • LDAP Server Name: Name of the LDAP Server, e.g. 'bosky'
  • LDAP Server Domain: The name of the LDAP server domain, e.g. 'red.iplanet.com'
  • LDAP Server: Fully qualified LDAP server name, e.g. 'bosky.red.iplanet.com'
  • LDAP Port: The LDAP Server Port, e.g. '389'
  • LDAP Search Root: The start search DN for the LDAP Server, e.g. 'ou=people,dc=iplanet,dc=com'
  • LDAP Result Attribute: LDAP return attribute, e.g. 'uid'
  • LDAP Filter Attribute: Filter attribute for the LDAP Search, e.g. 'authentication-cuid'
  • LDAP Bind DN: DN used to connect to the LDAP database
  • LDAP Bind Password: Password used to connect to the LDAP database
  • LDAP Bind Password (confirm): Re-enter the password
  • Authentication Level: Set this to the appropriate level

7) Save the service and click on the core service

8) Select JCDI as an AuthN module for that service in the "Organization Authentication Modules" list (holding Control allows you to select multiple modules).
Note: Do not de-select the LDAP auth module.

9) Save the core service and Logout.

10) You should be all set - login with Authentication Remote API sample 'JCDILogin' under
<install-root>/SUNWam/samples/authentication/api/jcdi by following 
<install-root>/SUNWam/samples/authentication/api/jcdi/Readme.html
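The following Python example is added here to illustrate two parts of this document together: the user entry created in "Setting up the Schema and the User" (steps 2 to 4, rendered as LDIF) and the lookup the module performs with the template parameters of step 6 (LDAP Search Root, LDAP Filter Attribute, LDAP Result Attribute). It is not code from the Identity Server sample. The directory is simulated in memory so the example runs offline; that the module compares the card's certificate with the stored usercertificate and honours authentication-cert-validity is an assumption drawn from the attribute names, and the base object classes of the entry (person, inetOrgPerson) and the ';binary' attribute option are assumptions too.

```python
"""Added illustration (not the Identity Server sample's own code) of a
JCDI-style lookup: serial number (CUID) -> LDAP entry -> certificate check.
The directory is simulated in memory; the comparison/validity steps are
assumptions, not behaviour this README documents."""
import base64
import hmac
import re

# Template parameter values taken from the README's step 6 examples.
SEARCH_ROOT = "ou=people,dc=iplanet,dc=com"
FILTER_ATTRIBUTE = "authentication-cuid"
RESULT_ATTRIBUTE = "uid"


def escape_filter_value(value):
    """RFC 4515 escaping: a CUID read from the card must not be able to change
    the shape of the search filter ('*', '(', ')', '\\' and NUL become \\xx)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_search_filter(cuid):
    """Equality filter sent to the directory, e.g. (authentication-cuid=0123456789)."""
    return "(%s=%s)" % (FILTER_ATTRIBUTE, escape_filter_value(cuid))


def user_entry_ldif(uid, cuid, cert_der, search_root=SEARCH_ROOT):
    """LDIF equivalent of steps 2-4 of the user setup. person/inetOrgPerson and
    ';binary' are assumptions; LDIF needs the DER certificate base64-encoded ('::')."""
    cert_b64 = base64.b64encode(cert_der).decode("ascii")
    return "\n".join([
        "dn: uid=%s,%s" % (uid, search_root),
        "objectClass: top",
        "objectClass: person",
        "objectClass: inetOrgPerson",
        "objectClass: authentication-service",
        "uid: %s" % uid, "cn: %s" % uid, "sn: %s" % uid,
        "%s: %s" % (FILTER_ATTRIBUTE, cuid),
        "authentication-cert-validity: TRUE",
        "usercertificate;binary:: %s" % cert_b64,
        "",
    ])


def _filter_pattern_to_regex(pattern):
    """Minimal LDAP filter semantics for the simulation: an unescaped '*' is a
    wildcard, '\\xx' sequences are literal characters."""
    def unescape(s):
        return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    return ".*".join(re.escape(unescape(piece)) for piece in pattern.split("*"))


def search(directory, search_root, search_filter):
    """Stand-in for the JNDI search: entries under search_root whose attribute
    matches a single equality filter."""
    m = re.fullmatch(r"\(([\w-]+)=(.*)\)", search_filter)
    if m is None:
        raise ValueError("unsupported filter: %r" % search_filter)
    attr, pattern = m.groups()
    rx = re.compile(_filter_pattern_to_regex(pattern))
    return [e for e in directory
            if e["dn"].endswith(search_root) and attr in e and rx.fullmatch(e[attr])]


def authenticate(directory, cuid, presented_cert_der):
    """Return the result attribute (uid) on success, None on any failure."""
    matches = search(directory, SEARCH_ROOT, build_search_filter(cuid))
    if len(matches) != 1:          # no entry, or an ambiguous match: reject
        return None
    entry = matches[0]
    if entry.get("authentication-cert-validity") != "TRUE":
        return None                # certificate administratively disabled
    stored = entry.get("usercertificate")
    if stored is None or not hmac.compare_digest(stored, presented_cert_der):
        return None                # the serial number alone is not enough
    return entry.get(RESULT_ATTRIBUTE)


# Constructed sample data; the certificate bytes are a placeholder, not real DER.
SAMPLE_CERT = b"\x30\x82\x01\x00placeholder-certificate-bytes"
SAMPLE_DIRECTORY = [{
    "dn": "uid=jcdiuser," + SEARCH_ROOT,
    "uid": "jcdiuser",
    "authentication-cuid": "0123456789",
    "authentication-cert-validity": "TRUE",
    "usercertificate": SAMPLE_CERT,
}]

if __name__ == "__main__":
    print(user_entry_ldif("jcdiuser", "0123456789", SAMPLE_CERT))
    print(authenticate(SAMPLE_DIRECTORY, "0123456789", SAMPLE_CERT))  # jcdiuser
    print(authenticate(SAMPLE_DIRECTORY, "*", SAMPLE_CERT))           # None
```

The search function deliberately understands the '*' wildcard, so the test can show why escape_filter_value matters: a raw "(authentication-cuid=*)" filter would match every user under the search root, whereas the escaped filter built from a CUID of "*" matches nothing. The validity flag and the certificate comparison are what make a stolen or guessed serial number insufficient on its own.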