Creating Authentication Databases in Sun Java System Web Server 7.0

I tried out creating different authentication databases (keyfile, digestfile, LDAP, PAM) via the Administration CLIs in Sun Java System Web Server 7.0 and am writing it down in this blog. I went to the server installation root, started the Administration server and then started wadm.
./admin-server/bin/startserv
./bin/wadm --user=admin
Please enter admin-user-password>***
wadm>

I created a file authentication database of type "keyfile" in config "test" and in virtual server "test".
wadm> create-file-authdb --vs=test --config=test --path=/space/mykeyfile mykeyfile
CLI201 Command 'create-file-authdb' ran successfully


Then I created a file authentication database of type "digest" by adding "--syntax=digestfile" to the above command.
wadm> create-file-authdb --vs=test --config=test --syntax=digestfile --path=/space/mydigestfile mydigestfile
CLI201 Command 'create-file-authdb' ran successfully


To create an authentication database of type PAM, I used the "create-pam-authdb" CLI:
wadm> create-pam-authdb --vs=test --config=test mypamauthdb
CLI201 Command 'create-pam-authdb' ran successfully

Note that the PAM realm and PAM auth-dbs are only supported on Solaris 9 and 10, and the server instance must be running as root: in server.xml, change <user>webservd</user> to <user>root</user>.

To add an authentication database of type LDAP, I used the "create-ldap-authdb" CLI. This CLI does not create the LDAP database; it only configures the Web Server to use it. I used an already existing Directory (LDAP) server on host "test.sun.com", port 389, with root suffix "o=TestCentral" and bind DN "cn=Directory Manager":
wadm> create-ldap-authdb --vs=test --config=test --bind-dn="cn=Directory Manager" --ldap-url=ldap://test.sun.com:389/o=TestCentral myldapauthdb
Please enter bind-password> ***
CLI201 Command 'create-ldap-authdb' ran successfully


Note that if I had to add an LDAP server with SSL, all I would have to do is change the URL prefix from ldap:// to ldaps://, i.e. use the LDAP URL ldaps://test.sun.com:443/o=TestCentral instead. If the LDAP server's CA is not a trusted CA (such as Verisign), then I would also have to import the LDAP server's CA certificate into the Web Server instance's NSS database as well as into the Web Server admin-server's NSS database.

I listed the authentication databases to check whether they were created successfully.
wadm> list-authdbs --vs=test --config=test --all
mykeyfile      keyfile
mydigestfile   digestfile
mypamauthdb    pam
myldapauthdb   ldap

Added a user "user1" in "mykeyfile" authentication database.
wadm> create-user --authdb=mykeyfile --user-password=*** --vs=test --config=test user1
CLI201 Command 'create-user' ran successfully
Similarly, we can add users to the other databases, but I am skipping that part in this blog.
I listed the users to make sure everything was all right.
wadm> list-users --config=test --vs=test --authdb=mykeyfile --all
user1   -

After I was done with all my changes, I deployed the configuration:
wadm> deploy-config
CLI201 Command 'deploy-config' ran successfully

I double-checked that "user1" exists in "mykeyfile":
>cat /space/mykeyfile
user1;{SSHA}***;
I also made sure that server.xml had all of these auth-db entries:
>cat server.xml
    <virtual-server>
    <name>test</name>
...
    <auth-db>
      <name>mykeyfile</name>
      <url>file</url>
      <property>
        <name>keyfile</name>
        <value>/space/mykeyfile</value>
      </property>
      <property>
        <name>syntax</name>
        <value>keyfile</value>
      </property>
    </auth-db>

    <auth-db>
      <name>mydigestfile</name>
      <url>file</url>
      <property>
        <name>digestfile</name>
        <value>/space/mydigestfile</value>
      </property>
      <property>
        <name>syntax</name>
        <value>digest</value>
      </property>
    </auth-db>

    <auth-db>
      <name>mypamauthdb</name>
      <url>pam</url>
    </auth-db>

    <auth-db>
      <name>myldapauthdb</name>
      <url>ldap://test.sun.com:389/o%3dTestCentral</url>
      <property>
        <name>bindpw</name>
        <value>***</value>
        <encoded>true</encoded>
      </property>
      <property>
        <name>binddn</name>
        <value>cn=Directory Manager</value>
      </property>
    </auth-db>
...

I went to the "https-test/config" directory and manually added an ACL at the end of the virtual server's ACL file (in this case default.acl) which allows access only to "user1". I could have done this from wadm as well, but I forgot to do so at the time.
> tail -7 default.acl
acl "uri=/";
authenticate (user,group) {
        prompt = "Sun Java System Web Server";
        database = "mykeyfile";
};
deny (all) user = "anyone";
allow (all) user = "user1";
Note that the database I referenced here is "mykeyfile"; it must be the same name we specified when creating the authentication database.

I started the instance and sent a request as "user1"; the access log showed that "user1" was authenticated successfully.
$tail -f https-test/logs/access
123.456.78.90 - user1 [19/Jan/2007:15:00:44 +0530] "GET /a.txt HTTP/1.1" 200 14

NOTE THAT SERVER RESTART IS REQUIRED WHEN YOU ADD A NEW DIGESTFILE/KEYFILE AUTHENTICATION DATABASE.
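Because the database name in an ACL's authenticate block must match an auth-db name in server.xml, and because a plain ldap:// URL sends the bind DN and password in cleartext, a small consistency check over the two files is useful before deploying. The following is an added example, not code from the post or from Web Server itself; the server.xml and default.acl samples are constructed from the entries shown above, with a deliberately mistyped database name in a second ACL so the check has something to report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the post's virtual-server auth-db entries (closing
# tag added so the excerpt parses stand-alone; bindpw omitted).
SERVER_XML = """<virtual-server>
  <name>test</name>
  <auth-db><name>mykeyfile</name><url>file</url>
    <property><name>keyfile</name><value>/space/mykeyfile</value></property>
    <property><name>syntax</name><value>keyfile</value></property></auth-db>
  <auth-db><name>mydigestfile</name><url>file</url>
    <property><name>digestfile</name><value>/space/mydigestfile</value></property>
    <property><name>syntax</name><value>digest</value></property></auth-db>
  <auth-db><name>mypamauthdb</name><url>pam</url></auth-db>
  <auth-db><name>myldapauthdb</name>
    <url>ldap://test.sun.com:389/o%3dTestCentral</url>
    <property><name>binddn</name><value>cn=Directory Manager</value></property></auth-db>
</virtual-server>"""

# Constructed sample ACL file: the post's ACL, plus a second ACL whose
# database name has a typo ("mykeyfil") so that the audit flags it.
DEFAULT_ACL = """acl "uri=/";
authenticate (user,group) {
        prompt = "Sun Java System Web Server";
        database = "mykeyfile";
};
deny (all) user = "anyone";
allow (all) user = "user1";
acl "uri=/admin";
authenticate (user,group) {
        database = "mykeyfil";
};
deny (all) user = "anyone";
"""

def authdbs(server_xml):
    """Map each auth-db name in the virtual server to its <url>."""
    root = ET.fromstring(server_xml)
    return {db.findtext("name"): db.findtext("url") for db in root.iter("auth-db")}

def acl_databases(acl_text):
    """List (acl name, database) for every authenticate block in an ACL file."""
    pairs = []
    for m in re.finditer(r'acl\s+"([^"]+)";\s*authenticate[^{]*\{(.*?)\}', acl_text, re.S):
        db = re.search(r'database\s*=\s*"([^"]+)"', m.group(2))
        pairs.append((m.group(1), db.group(1) if db else None))
    return pairs

def audit(server_xml, acl_text):
    """Findings: ACLs naming an undefined auth-db, and LDAP auth-dbs without ldaps://."""
    dbs = authdbs(server_xml)
    findings = [f"acl {acl!r} references undefined auth-db {db!r}"
                for acl, db in acl_databases(acl_text) if db not in dbs]
    findings += [f"auth-db {name!r} uses cleartext LDAP: {url}"
                 for name, url in dbs.items() if url and url.startswith("ldap://")]
    return findings
```

Run `audit` against the real https-test/config/server.xml and default.acl contents; an empty list means every ACL database resolves and no LDAP auth-db binds over cleartext.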

Comments:

How do we get it to support SAML and/or WS-Federation?

Posted by James on January 20, 2007 at 11:44 AM IST #

SAML support and Federated Identity for Web Server is available through Access Manager: http://docs.sun.com/app/docs/doc/819-4674/6n6qelg8a?a=view http://developers.sun.com/prodtech/javatools/jsenterprise/reference/presentations/sso.html https://opensso.dev.java.net/public/use/docs/pdf/fedsamlgde.pdf

As for WS-Federation support, I'd imagine it would be through OpenSSO: http://blogs.sun.com/superpat/tags/opensso (will post more details later)

Posted by guest on January 21, 2007 at 04:28 PM IST #

How about LDAP and digest? I am struggling to get it to work. I've installed the LDAP digest plugin in DS and set the auth type as digest in the auth database, the webdav entry and its corresponding ACL. I'm getting HTTP error 500 in the client, and the server logs say invalid authentication method. Any suggestions?

Posted by Euan Thoms on January 07, 2009 at 03:16 PM IST #

Euan,
Please write to http://forums.sun.com/forum.jspa?forumID=759 so others can also see it and reply.

Posted by meena on January 08, 2009 at 01:25 AM IST #

Refer to the README of digest plugin located under <webserv_install_dir>/plugins/digest.

Posted by amit on January 08, 2009 at 09:47 AM IST #

About

Meena Vyas
