Blogs about Deep Learning, Machine Learning, AI, NLP, Security, Oracle Traffic Director,Oracle iPlanet WebServer

  • January 20, 2007

Creating Authentication Databases in Sun Java System Web Server 7.0

I tried out creating the different kinds of authentication databases (keyfile, digestfile, LDAP, PAM) through the administration CLI (wadm) in Sun Java System Web Server 7.0, and am writing it down here. From the server installation root I started the Administration Server and then wadm:
./admin-server/bin/startserv
./bin/wadm --user=admin
Please enter admin-user-password> ***
wadm>


I created a file authentication database of type "keyfile" in config "test" and virtual server "test":
wadm> create-file-authdb --vs=test --config=test --path=/space/mykeyfile mykeyfile
CLI201 Command 'create-file-authdb' ran successfully



Then I created a file authentication database of type "digest" by adding "--syntax=digestfile" to the same command:
wadm> create-file-authdb --vs=test --config=test --syntax=digestfile --path=/space/mydigestfile mydigestfile
CLI201 Command 'create-file-authdb' ran successfully



To create an authentication database of type PAM, I used the "create-pam-authdb" CLI:
wadm> create-pam-authdb --vs=test --config=test mypamauthdb
CLI201 Command 'create-pam-authdb' ran successfully

Note that the PAM realm and PAM auth-dbs are only supported on Solaris 9 and 10, and the server instance must run as root, because the PAM modules need privileges to consult the system password database. To do that, change in server.xml

<user>webservd</user>

to

<user>root</user>

Keep in mind what this buys you: with the instance running as root, every request is handled with full privileges, so a flaw in the server or in any plugin is exploitable as root. Use the PAM auth-db only where that trade-off is acceptable.



To add an authentication database of type LDAP, I used the "create-ldap-authdb" CLI. This CLI does not create an LDAP database; it only configures the server to use an existing one. I used an existing Directory Server (LDAP) on host "test.sun.com", port 389, with root suffix "o=TestCentral" and bind DN "cn=Directory Manager":
wadm> create-ldap-authdb --vs=test --config=test --bind-dn="cn=Directory Manager" --ldap-url=ldap://test.sun.com:389/o=TestCentral myldapauthdb
Please enter bind-password> ***
CLI201 Command 'create-ldap-authdb' ran successfully



Note that if I had to add an LDAP server over SSL, all I had to do was change the URL prefix from ldap:// to ldaps:// and use the directory server's SSL port (636 by default), i.e. make the LDAP URL ldaps://test.sun.com:636/o=TestCentral instead. If the LDAP server's certificate was issued by a CA that is not already trusted (Verisign etc.), I would have to import the LDAP server's CA certificate into the Web Server instance's NSS database as well as into the admin server's NSS database; without that the TLS handshake fails and the auth-db is unusable. Two more things worth knowing: over plain ldap:// the bind DN and password cross the network in cleartext, and "cn=Directory Manager" is the directory's superuser, so a dedicated bind identity with read-only access to the user entries is the better choice for a web server.


I listed the authentication databases to check that they had been created successfully:
wadm> list-authdbs --vs=test --config=test --all
mykeyfile      keyfile
mydigestfile   digestfile
mypamauthdb    pam
myldapauthdb   ldap


I added a user "user1" to the "mykeyfile" authentication database:
wadm> create-user --authdb=mykeyfile --user-password=*** --vs=test --config=test user1
CLI201 Command 'create-user' ran successfully


Similarly, users can be added to the other databases, but I am skipping that part in this blog.


I listed the users to make sure everything was all right:
wadm> list-users --config=test --vs=test --authdb=mykeyfile --all
user1

After I was done with all my changes, I deployed the configuration:
wadm> deploy-config
CLI201 Command 'deploy-config' ran successfully



I double-checked that "user1" exists in "mykeyfile". The {SSHA} prefix marks a salted SHA-1 password hash, so the file holds no cleartext password:
>cat /space/mykeyfile
user1;{SSHA}***;
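To make the keyfile entry above concrete, here is an added example (my code, not the Web Server's or the original post's) that parses keyfile lines of the shape user;{SSHA}hash; and verifies a password against them, which is what the ACL's authenticate step ends up doing. It assumes the {SSHA} value follows the LDAP convention, base64(sha1(password || salt) || salt), and that any fields after the hash are a group list; the sample keyfile line, user name and password are constructed for the example.

```python
"""Parse a Web Server 7 keyfile and verify a password against its {SSHA} entry.

Added example, not code from the original post. It assumes the {SSHA} value
in the keyfile follows the LDAP convention: base64(sha1(password || salt) || salt).
The sample keyfile line below is constructed for the example; the original post
shows only the shape 'user1;{SSHA}...;'.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

SHA1_LEN = 20  # bytes; everything after the digest in the decoded blob is the salt


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} string; uses a fresh random 8-byte salt unless one is given."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Recompute the salted digest and compare it in constant time."""
    if not stored.startswith("{SSHA}"):
        return False  # unknown scheme: refuse, never fall back to a cleartext compare
    try:
        blob = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(blob) <= SHA1_LEN:
        return False  # no salt present: malformed entry
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def parse_keyfile(text: str) -> Dict[str, str]:
    """Map user name -> stored hash from 'user;{SSHA}hash;...' lines.

    Fields after the hash (assumed to be the group list) are ignored here.
    """
    users: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";")
        if len(fields) < 2 or not fields[0]:
            raise ValueError(f"malformed keyfile line: {line!r}")
        users[fields[0]] = fields[1]
    return users


def authenticate(keyfile_text: str, user: str, password: str) -> bool:
    """What the ACL's authenticate (user,group) { database = "mykeyfile"; } step boils down to."""
    stored = parse_keyfile(keyfile_text).get(user)
    return stored is not None and verify_ssha(password, stored)


# Constructed sample: one user with a fixed salt so the output is reproducible.
SAMPLE_KEYFILE = "user1;" + make_ssha("s3cret", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08") + ";\n"

if __name__ == "__main__":
    print(SAMPLE_KEYFILE.strip())
    for user, pw in (("user1", "s3cret"), ("user1", "wrong"), ("user2", "s3cret")):
        print(f"{user}/{pw}: {'authenticated' if authenticate(SAMPLE_KEYFILE, user, pw) else 'denied'}")
```

The comparison uses hmac.compare_digest rather than == so that a wrong password costs the same time whatever the first differing byte is, and an entry with an unrecognised scheme is rejected rather than compared as cleartext.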

I also made sure that server.xml had all these auth-db entries (note that the LDAP bind password is stored there in encoded form, so the file's permissions matter):
>cat server.xml
...
<virtual-server>
  <name>test</name>
  ...
  <auth-db>
    <name>mykeyfile</name>
    <url>file</url>
    <property>
      <name>keyfile</name>
      <value>/space/mykeyfile</value>
    </property>
    <property>
      <name>syntax</name>
      <value>keyfile</value>
    </property>
  </auth-db>
  <auth-db>
    <name>mydigestfile</name>
    <url>file</url>
    <property>
      <name>digestfile</name>
      <value>/space/mydigestfile</value>
    </property>
    <property>
      <name>syntax</name>
      <value>digest</value>
    </property>
  </auth-db>
  <auth-db>
    <name>mypamauthdb</name>
    <url>pam</url>
  </auth-db>
  <auth-db>
    <name>myldapauthdb</name>
    <url>ldap://test.sun.com:389/o%3dTestCentral</url>
    <property>
      <name>bindpw</name>
      <value>***</value>
      <encoded>true</encoded>
    </property>
    <property>
      <name>binddn</name>
      <value>cn=Directory Manager</value>
    </property>
  </auth-db>
  ...
</virtual-server>
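Since the auth-db settings live in server.xml, the security-relevant ones (which user the instance runs as, whether LDAP binds go over ldap:// or ldaps://, whether the bind password is stored encoded, and which bind DN is used) can be checked mechanically. The following is an added example of my own, not code from the original post or from Web Server 7. It builds two server.xml documents from the excerpt above: a weak one mirroring the post's settings and a hardened counterpart. Placing <user> directly under <server>, the hypothetical service-account DN uid=websvc,ou=service,o=TestCentral, and the bindpw values are assumptions made for the example.

```python
"""Audit auth-db settings in a Web Server 7 server.xml.

Added example, not code from the original post. The two documents below are
constructed from the server.xml excerpts the post shows; placing <user>
directly under <server>, the service-account DN and the bindpw values are
assumptions made for the example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Weak configuration: runs as root, binds to LDAP in cleartext as Directory Manager,
# bind password not stored in encoded form (constructed sample).
WEAK_SERVER_XML = """<server>
  <user>root</user>
  <virtual-server>
    <name>test</name>
    <auth-db>
      <name>mykeyfile</name>
      <url>file</url>
      <property><name>keyfile</name><value>/space/mykeyfile</value></property>
      <property><name>syntax</name><value>keyfile</value></property>
    </auth-db>
    <auth-db>
      <name>mypamauthdb</name>
      <url>pam</url>
    </auth-db>
    <auth-db>
      <name>myldapauthdb</name>
      <url>ldap://test.sun.com:389/o%3dTestCentral</url>
      <property><name>bindpw</name><value>hunter2</value></property>
      <property><name>binddn</name><value>cn=Directory Manager</value></property>
    </auth-db>
  </virtual-server>
</server>"""

# Hardened counterpart: unprivileged user, ldaps:// on 636, encoded bind password,
# a dedicated read-only bind identity (hypothetical DN).
HARDENED_SERVER_XML = """<server>
  <user>webservd</user>
  <virtual-server>
    <name>test</name>
    <auth-db>
      <name>myldapauthdb</name>
      <url>ldaps://test.sun.com:636/o%3dTestCentral</url>
      <property><name>bindpw</name><value>***</value><encoded>true</encoded></property>
      <property><name>binddn</name><value>uid=websvc,ou=service,o=TestCentral</value></property>
    </auth-db>
  </virtual-server>
</server>"""


def _properties(authdb: ET.Element) -> Dict[str, Dict[str, object]]:
    """Map each <property> under an <auth-db> to its value and <encoded> flag."""
    props: Dict[str, Dict[str, object]] = {}
    for p in authdb.findall("property"):
        props[p.findtext("name", default="")] = {
            "value": p.findtext("value", default=""),
            "encoded": p.findtext("encoded", default="false").strip().lower() == "true",
        }
    return props


def audit_server_xml(xml_text: str) -> List[str]:
    """Return one finding string per weak setting; an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    needs_root = False
    for vs in root.findall("virtual-server"):
        vs_name = vs.findtext("name", default="?")
        for db in vs.findall("auth-db"):
            tag = f"{vs_name}/{db.findtext('name', default='?')}"
            url = db.findtext("url", default="")
            props = _properties(db)
            if url == "pam":
                needs_root = True  # a PAM auth-db requires the instance to run as root
            if url.startswith("ldap://"):
                findings.append(f"{tag}: bind DN and password travel in cleartext (ldap://); use ldaps://")
            if url.startswith(("ldap://", "ldaps://")):
                bindpw = props.get("bindpw")
                if bindpw is not None and not bindpw["encoded"]:
                    findings.append(f"{tag}: bindpw is not stored in encoded form")
                if str(props.get("binddn", {}).get("value", "")).lower() == "cn=directory manager":
                    findings.append(f"{tag}: binds as Directory Manager; use a read-only service account")
    run_as = (root.findtext("user") or "").strip()
    if run_as == "root":
        why = "required by a PAM auth-db" if needs_root else "no auth-db here needs it"
        findings.append(f"instance runs as root ({why}); every request is handled with full privileges")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"{label}: {audit_server_xml(doc) or ['no findings']}")
```

Run against a real server.xml, the check is only as good as the assumptions noted above; in particular, adjust the path to <user> if your file nests it differently, and treat the "encoded" check as a reminder that server.xml still needs tight file permissions, since encoding is not a substitute for them.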


I went to the "https-test/config" directory and manually appended an ACL to the end of the virtual server's ACL file (default.acl in this case) that allows only "user1" access. I could have done this from wadm too, but forgot to at the time.
> tail -7 default.acl
acl "uri=/";
authenticate (user,group) {
    prompt = "Sun Java System Web Server";
    database = "mykeyfile";
};
deny (all) user = "anyone";
allow (all) user = "user1";


Note that the database referenced here is "mykeyfile"; it must be exactly the name given when the auth-db was created. The deny rule comes first and the allow for "user1" follows it, so every other identity, authenticated or not, is refused.


I started the instance and sent a request as "user1"; the access log showed that "user1" was authenticated successfully:
$tail -f https-test/logs/access
123.456.78.90 - user1 [19/Jan/2007:15:00:44 +0530] "GET /a.txt HTTP/1.1" 200 14

NOTE THAT A SERVER RESTART IS REQUIRED WHEN YOU ADD A NEW DIGESTFILE/KEYFILE AUTHENTICATION DATABASE.

Comments (5)
  • James Saturday, January 20, 2007
    How do we get it to support SAML and/or WS-Federation?
  • guest Sunday, January 21, 2007
    SAML support and Federated Identity for Web Server is available through Access Manager:
    http://docs.sun.com/app/docs/doc/819-4674/6n6qelg8a?a=view
    http://developers.sun.com/prodtech/javatools/jsenterprise/reference/presentations/sso.html
    https://opensso.dev.java.net/public/use/docs/pdf/fedsamlgde.pdf

    As for WS-Federation support, I'd imagine it would be through OpenSSO: http://blogs.sun.com/superpat/tags/opensso
    (will post more details later)

  • Euan Thoms Wednesday, January 7, 2009

    How about LDAP and digest. I am struggling to get it to work. I've installed ldap digest plugin in DS and set auth type as digest in auth database, webdav entry and it's corresponding ACL. I'm getting http error 500 in client and server logs say invalid authentication method. Any suggestions?


  • meena Wednesday, January 7, 2009

    Euan,

    Please write to http://forums.sun.com/forum.jspa?forumID=759 so others can also see it and reply.


  • amit Thursday, January 8, 2009

    Refer to the README of digest plugin located under <webserv_install_dir>/plugins/digest.

