Sun Java System Access Manager 2005Q4
Sample



JCDI Auth Module


This document explains how to compile, deploy and run the JCDI Auth Module sample program.

About JCDI Auth Module

This module authenticates a Java Card (by its certificate and serial number) against an LDAP directory, using "com.sun.jndi.ldap.LdapCtxFactory".

PRODUCT_DIR setting on different Platforms:

  • Solaris sparc/x86 : PRODUCT_DIR = <install_root>/SUNWam

  • Linux             : PRODUCT_DIR = <install_root>/sun/identity

Steps to compile the JCDI Auth Module program

  • Set the following variables in the Makefile. This Makefile is in <PRODUCT_DIR>/samples/authentication/spi/jcdi

    • JAVA_HOME
      Set this variable to your installation of JDK. The JDK should be newer than JDK 1.3.1.

    • CLASSPATH
      Set this variable to refer to the following JARs found in the PRODUCT_DIR/lib directory:
      am_sdk.jar, am_services.jar, acmecrypt.jar, servlets.jar, am_logging.jar
      (Note: also include jaas.jar in your classpath if you are using a JDK version older than JDK 1.4.)

    • BASE_CLASS_DIR
      Set this variable to the directory where all the Sample compiled classes are located.

    • JAR_DIR
      Set this variable to the directory where the JAR files of the Sample compiled classes will be created.

  • Go to the <PRODUCT_DIR>/samples/authentication/spi/jcdi directory and run gmake.

Steps to deploy the JCDI Auth Module program

  • Copy JCDI.jar from JAR_DIR to <PRODUCT_DIR>/web-src/services/WEB-INF/lib. 

  • Copy JCDI.xml from <PRODUCT_DIR>/samples/authentication/spi/jcdi to <PRODUCT_DIR>/web-src/services/config/auth/default.

  • Import amAuthJCDI.xml (available in <PRODUCT_DIR>/samples/authentication/spi/jcdi) using amadmin to load iPlanetAMAuthJCDIService:

    <PRODUCT_DIR>/bin/amadmin --runasdn uid=amAdmin,ou=People,<default_org>,<root_suffix> --password <password> --schema amAuthJCDI.xml

  • Place amAuthJCDI.properties in <PRODUCT_DIR>/locale/ 

  • Redeploy amserver.war file.

Steps to load JCDI Auth module into Access Manager

  • Using Access Manager Admin Console.

    • Login to Access Manager Console as amadmin, using the URL: http://<host>.<domain>:<port>/<Service-Deploy-URI>/UI/Login 

    • Select "Configuration" tab

    • Select "Core" within "Authentication".

    • Add class file name com.iplanet.am.samples.authentication.spi.jcdi.JCDI to "Pluggable Auth Modules Classes"

    • Click on save button to save the changes in console.

  • Using commandline (amadmin)

    • Write a sample.xml file as shown below; it adds the JCDI auth module to the list of allowed modules (authenticators).

        <!--
            Copyright (c) 2003 Sun Microsystems, Inc. All rights reserved
            Use is subject to license terms.
        -->
        <!DOCTYPE Requests
            PUBLIC "-//iPlanet//iDSAME 5.0 Admin CLI DTD//EN"
            "jar://com/iplanet/am/admin/cli/amAdmin.dtd"
        >
        <Requests>
            <SchemaRequests serviceName="iPlanetAMAuthService" SchemaType="Global">
                <AddDefaultValues>
                    <AttributeValuePair>
                        <Attribute name="iplanet-am-auth-authenticators"/>
                        <Value>com.iplanet.am.samples.authentication.spi.jcdi.JCDI</Value>
                    </AttributeValuePair>
                </AddDefaultValues>
            </SchemaRequests>
        </Requests>

    • Load sample.xml via amadmin:

      <PRODUCT_DIR>/bin/amadmin --runasdn uid=amAdmin,ou=People,<root_suffix> --password <password> --data sample.xml

Setting up the Schema and the User

1) Update the LDAP schema with <PRODUCT_DIR>/samples/authentication/spi/jcdi/schema.ldif using the 'ldapmodify' command against the LDAP server.
e.g. <PRODUCT_DIR>/bin/ldapmodify -h <dshostname> -p <dsport> -D "<ldapbinddn>" -w <ldapbindpassword> -v -f <PRODUCT_DIR>/samples/authentication/spi/jcdi/schema.ldif

2) Create the 'user' in LDAP using the LDAP Console or the Access Manager Administration Console under the required LDAP Search Root (e.g. the "ou=people, dc=iplanet, dc=com" subtree).

3) Then add the 'authentication-service' object class to the object-class list of that 'user'.
Three LDAP attributes will be created:
- 'authentication-cuid'
- 'authentication-cert-validity'
- 'usercertificate'

4) Fill those attributes with:
- authentication-cuid = 0123456789
- authentication-cert-validity = TRUE
- usercertificate = (with the browsing window, load the certificate.txt file from <PRODUCT_DIR>/samples/authentication/api/jcdi )

5) Restart the Directory Server (e.g. /<DS-home-dir>/slapd-<host>/start-slapd) and the web container (e.g. /<WS-home-dir>/https-<WS-instance-name>/start for Sun ONE Web Server, /<AS-home-dir>/domains/domain1/server1/bin/start for Sun ONE App Server).

Steps to run the JCDI Auth Module 

1) Login to the Access Manager as amAdmin using http://<host>.<domain>:<port>/<Service-Deploy-URI>/UI/Login

2) Verify that the JCDI module instance is available. If not, go back and follow the loading steps listed above.

3) Select "Access Control" tab.

4) Select the realm. Select "New" Under "Instances".

5) Click on "Authentication" tab.

6) Create a new JCDI auth module instance named JCDI with type JCDI.

7) Configure the module service attributes as follows (according to your own settings):

  • LDAP Server Name : Name of the LDAP Server.  e.g. 'bosky'

  • LDAP Server Domain : The name of the LDAP server domain.  e.g. 'red.iplanet.com'

  • LDAP Server : Fully qualified LDAP server name. e.g. 'bosky.red.iplanet.com'

  • LDAP Port : The LDAP Server Port. e.g. '389'

  • LDAP Search Root : The start search DN for the LDAP Server. e.g. 'ou=people,dc=iplanet,dc=com'

  • LDAP Result Attribute : LDAP return attribute. e.g. 'uid'

  • LDAP Filter Attribute : Filter attribute for the LDAP Search. e.g. 'authentication-cuid'

  • LDAP Bind DN :  DN to connect to LDAP database

  • LDAP Bind Password : Password to connect to LDAP database 

  • LDAP Bind Password (confirm): Re-enter the password 

  • Authentication Level: Set this to the appropriate level

8) Save the Instance.

9) Logout.

10) You should now be able to log in with the Authentication Remote API sample 'JCDILogin' by following <PRODUCT_DIR>/samples/authentication/api/jcdi/Readme.html.
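As an added illustration (not the sample module's own source), the following Java shows how the settings from step 7 and the attributes created in the schema setup combine into a single JNDI lookup through com.sun.jndi.ldap.LdapCtxFactory; the host, port, DNs and the class name are assumed example values taken from this Readme.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

// Illustrative JNDI lookup mirroring the JCDI module's configured attributes (not the module's code).
public class JcdiLookupExample {
    // Example values from the configuration step of this Readme; adjust to your deployment.
    static final String LDAP_URL    = "ldap://bosky.red.iplanet.com:389";  // LDAP Server + LDAP Port
    static final String SEARCH_ROOT = "ou=people,dc=iplanet,dc=com";       // LDAP Search Root
    static final String FILTER_ATTR = "authentication-cuid";               // LDAP Filter Attribute
    static final String RESULT_ATTR = "uid";                               // LDAP Result Attribute

    // Returns RESULT_ATTR of the single entry whose FILTER_ATTR equals the card serial (cuid) and whose
    // authentication-cert-validity is TRUE and usercertificate equals presentedCert (DER); else null.
    public static String lookupUser(String bindDn, String bindPassword,
                                    String cuid, byte[] presentedCert) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);          // LDAP Bind DN
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);  // LDAP Bind Password
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { RESULT_ATTR, "authentication-cert-validity", "usercertificate" });
            // {0} is a filter argument, so JNDI escapes the serial read from the card instead of
            // letting it be spliced into the filter string.
            NamingEnumeration<SearchResult> hits =
                ctx.search(SEARCH_ROOT, "(" + FILTER_ATTR + "={0})", new Object[] { cuid }, sc);
            if (!hits.hasMore()) return null;
            Attributes attrs = hits.next().getAttributes();
            if (hits.hasMore()) return null;                   // serial must map to exactly one entry
            Attribute validity = find(attrs, "authentication-cert-validity");
            if (validity == null || !"TRUE".equalsIgnoreCase((String) validity.get())) return null;
            Attribute cert = find(attrs, "usercertificate");   // JNDI hands userCertificate back as byte[]
            if (cert == null || !Arrays.equals((byte[]) cert.get(), presentedCert)) return null;
            Attribute result = find(attrs, RESULT_ATTR);
            return result == null ? null : (String) result.get();
        } finally { ctx.close(); }
    }

    // Case-insensitive attribute lookup that also accepts the "name;binary" form some servers return.
    static Attribute find(Attributes attrs, String name) throws NamingException {
        for (NamingEnumeration<String> ids = attrs.getIDs(); ids.hasMore(); ) {
            String id = ids.next();
            if (id.equalsIgnoreCase(name) || id.toLowerCase().startsWith(name.toLowerCase() + ";")) return attrs.get(id);
        }
        return null;
    }
}
```

The filter-argument form and the exactly-one-entry check are the two points to review in any LDAP-backed module; this lookup identifies the directory entry for a card but does not by itself prove possession of the card.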