Thursday Dec 18, 2008

Configuring NonceManager for Digest and Identity authentication modules

Identity authentication and Digest authentication modules need NonceManager to cache call-id and nonce values respectively.
One can configure the max nonce age for these modules using NonceManager property under Security-Service element in domain.xml. maxNonceAge value is in milliseconds.
eg:
"property name="NonceManager" value="id=identity-nonce-config,maxNonceAge=350000;id=sip-nonce-config,maxNonceAge=3000"

NonceManager for Digest authentication module is sip-nonce-config whose default value is 600000 milliseconds.
NonceManager for identity authentication module is identity-nonce-config whose default value is 3600000 milliseconds.

Snapshot of configuring NonceManager using Admin UI is here

Thursday Nov 27, 2008

Configuration elements for Identity authentication(RFC 4474)

IdentityValidatorConfiguration :

property enables users to configure Identity (RFC 4474) authentication module in Sailfin, the property has name value pairs seperated by a comma as configuration parameters.This property can be configured under security element in domain.xml, use the Administration UI as shown here.


eg: maxClockSkew=30000, timestampFreshnessLimit=360000

  • maxClockSkew

This sets the maximum difference allowed between the system clocks of the sender and recipient. The value is specified in milliseconds.

  • timestampFreshnessLimit

Sets the maximum duration of time after which the timestamp becomes stale, the value MUST be specified in milliseconds and the default value is 600 seconds.

  • enableRevocationCheck

if this flag is set to true, the default revocation checking mechanism of the underlying PKIX service provider will be used, by default value is false.


  • certificateValidator

specifies the class name of custom certificate validator implemented by the user, this class must implement org.glassfish.comms.api.security.auth.CertificateValidator interface.

PrincipalMapper

is used by Identity and P-Asserted authentication modules of sailfin. PrincipalMapper is used convert user names to format understood by the Sailfin container, This property is optional and a default implementation is provided by Sailfin. This property points to a class name which implements com.sun.enterprise.security.auth.PrincipalMapper interface. This property can be configured under security element in domain.xml, use the Administration UI as shown here. Each application using P-Asserted / Identity authentication creates its own instance of PrincipalMapper implementation class.

Properties in sun-sip.xml

  • trust-auth-realm-ref

property is used by Identity and P-Asserted authentication modules and should point to any security realm with “assertedRealm” as jaas-context value.

  • trust-id-ref

property is used only by P-Asserted authentication module and should point to identity-assertion-trust configuration element in domain.xml. Trust-id-ref will have id value of “ identity-assertion-trust” element.



About

venu

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today