Interstage Application Server V7.0 Single Sign-on Operator's Guide
Single Sign-on Operator's Guide: Table of Contents x Appendix A Samples of User Program Descriptions Registering a Role Configuration in the S
Chapter 2: Environment Setup (SSO Administrators) 2-24 <!-- (Arbitrary: Multiple values allowed: Same value not allowed) --> <
Repository Server Setup 2-25 Example For the administrator DN and Bind password, specify the administrator DN and administrator DN password that we
Chapter 2: Environment Setup (SSO Administrators) 2-26 UX:IREP: INFO: irep13570: adding new entry cn=Admin,ou=Role,ou=SSO ACI,ou=interstage,o=fuji
Repository Server Setup 2-27 cn=User005,ou=User,ou=interstage,o=fujitsu,dc=com IREP: INFO: irep13570: adding new entry cn=User006,ou=User,ou=inters
Chapter 2: Environment Setup (SSO Administrators) 2-28 Using an LDIF File This section explains how to register user information and role configura
Repository Server Setup 2-29 objectClass: organizationalUnit objectClass: top ou: Role dn: ou=Resource,ou=SSO ACI,ou=interstage,o=fujitsu,dc=com ob
Chapter 2: Environment Setup (SSO Administrators) 2-30 objectClass: top <- Mandatory object class cn: Leader
Repository Server Setup 2-31 # User definition # #****************************************************** # Entry: User: user001 dn: cn=user001,ou=Us
Chapter 2: Environment Setup (SSO Administrators) 2-32 ssoRoleName: Admin <- Role name ssoAuthType: basicAuthOrCertAuth
Repository Server Setup 2-33 objectClass: inetOrgPerson <- Mandatory object class objectClass: ssoUser <- Mandator
1-1 Chapter 1 Overview This chapter provides an outline and description of the functions in the Interstage Single Sign-on application.
Chapter 2: Environment Setup (SSO Administrators) 2-34 cn: user005 <- First and last name # Entry: User: user006 dn: cn=
Repository Server Setup 2-35 Example For the administrator DN and Bind password, specify the administrator DN and administrator DN password that we
Chapter 2: Environment Setup (SSO Administrators) 2-36 For the administrator DN and Bind password, specify the administrator DN and administrato
Repository Server Setup 2-37 Note Ensure that you take sufficient action to protect the administrator password. For details about securing your data
Chapter 2: Environment Setup (SSO Administrators) 2-38 Example of Specification Admin Notes • Specify this attribute only once. • Use only alphan
Repository Server Setup 2-39 Attributes Specify the name of a role set and role to be included in the role set as the attributes of the above object
Chapter 2: Environment Setup (SSO Administrators) 2-40 The following characters are valid: • Alphanumeric characters • Space ( ), exclamation mark
Repository Server Setup 2-41 Example of Role Set Whose Configuration Includes a Loop (Looped Portion is Assumed to be Invalid) Figure 2-8 A Role S
Chapter 2: Environment Setup (SSO Administrators) 2-42 • Attributes that must be set for executing certificate authentication (Note) − mail − empl
Repository Server Setup 2-43 Table 2-7 Attributes Used by Interstage Single Sign-on User information object class Attribute name Explanation cn N
Chapter 1: Overview 1-2 What Is Single Sign-on A business information system uses multiple Web Servers and Web Services together. Users usually need
Chapter 2: Environment Setup (SSO Administrators) 2-44 (1) cn Description Specify the first and last name to identify the user entry. Always specif
Repository Server Setup 2-45 The following characters are valid: • Alphanumeric characters • Space ( ), exclamation mark (!), question mark (?), at
Chapter 2: Environment Setup (SSO Administrators) 2-46 (5) employeeNumber Description Specify the number allocated for each user, e.g., employee nu
Repository Server Setup 2-47 The following characters are valid: • Alphanumeric characters • Space ( ), single quotation mark ('), left parent
Chapter 2: Environment Setup (SSO Administrators) 2-48 − basicAuthAndCertAuth: Password authentication and certificate authentication − basicAuth
Repository Server Setup 2-49 Note [Release user lock] of the Interstage Management Console is used to unlock the user account. Do not directly set o
Chapter 2: Environment Setup (SSO Administrators) 2-50 (13) ssoNotAfter Description Specify the date after which Single Sign-on is not available to
Repository Server Setup 2-51 (15) ssoLockTimeStamp Description This attribute specifies the date when the user was locked by the repository server i
Chapter 2: Environment Setup (SSO Administrators) 2-52 7. Activate the created repository server. Refer to 'Starting a Repository Server'
Repository Server Setup 2-53 1. Setting SSL Communication 1. Preparations for SSL communication (acquiring the SSL site certificate and registerin
What Is Single Sign-on 1-3 Figure 1-1 Problems in Conventional Systems Reduced User Convenience Since each system has an authentication function, a
Chapter 2: Environment Setup (SSO Administrators) 2-54 Adding a Repository Server (Reference System) This section explains how to set up a reposito
Repository Server Setup 2-55 After execution of the irepbacksys command, the backup folder is created under the C:\WINDOWS\temp folder. C:\>i
Chapter 2: Environment Setup (SSO Administrators) 2-56 − Protocol Version Select 'SSL 3.0' only. − Client Certificate Select 'Yes (A
Repository Server Setup 2-57 General Settings − Repository Name (*1) Enter the same name as that of the SSO repository (master) that was created fo
Chapter 2: Environment Setup (SSO Administrators) 2-58 − Retrieval Processing Timeout The default value is '3600' seconds. Change this v
Repository Server Setup 2-59 The SSO master repository data of the update system repository server is restored according to the following procedure:
Chapter 2: Environment Setup (SSO Administrators) 2-60 Backup file name: /home/user1/backup.tar.Z SSO repository name: ssorep Database storage dir
Repository Server Setup 2-61 Changing the Settings of the SSO Repository of the Restored Repository Server (Reference System) Set replication slave
Chapter 2: Environment Setup (SSO Administrators) 2-62 Notes • When the Microsoft® Internet Explorer is used as the browser, an authentication inf
Setup of Authentication Server 2-63 Setup of Authentication Server This section explains the procedure for setting up of the authentication server t
Chapter 1: Overview 1-4 Low Level of Security The total security level of an information system that contains multiple subsystems is equivalent to th
Chapter 2: Environment Setup (SSO Administrators) 2-64 SSL Communication using Application Gateway For operation using non-SSL communication betwee
Setup of Authentication Server 2-65 Refer to 'SSL Commands' in Reference Manual (Command Edition) for details of the scsmakeenv command fo
Chapter 2: Environment Setup (SSO Administrators) 2-66 The following is an example in which the Interstage certificate environment with the access
Setup of Authentication Server 2-67 When the scsmakeenv command is terminated normally, the CSR is output to the file specified with the -f option o
Chapter 2: Environment Setup (SSO Administrators) 2-68 Is <CN=authenticate_server.fujitsu.com, OU=FUJITSU TOKYO, O=FUJITSU, L=Shinjuku, ST=Toky
Setup of Authentication Server 2-69 CA certificate: '/tmp/ca-cert.cer' CA Certificate Nickname: 'CACERT' Site certificate: '
Chapter 2: Environment Setup (SSO Administrators) 2-70 Protocol Version Select 'SSL 2.0' and 'SSL 3.0'. Verify Client Certifica
Setup of Authentication Server 2-71 Example The following shows an example in which the Interstage certificate environment is created for the first
Chapter 2: Environment Setup (SSO Administrators) 2-72 New Password: Retype: UX:SCS: INFO: scs0100: Interstage certificate environment was created
Setup of Authentication Server 2-73 # JAVA_HOME=/opt/FJSVawjbk/jdk14;export JAVA_HOME # scsenter -n CRLCACERT -f /tmp/crlca-cert.cer Password: Ce
What Is Single Sign-on 1-5 Figure 1-2 Comparison of a Conventional System and an Interstage Single Sign-on system Implementation Method Interstage S
Chapter 2: Environment Setup (SSO Administrators) 2-74 The following example uses the Bourne shell. When password input is requested, enter the pas
Setup of Authentication Server 2-75 6. To distribute load by setting multiple repository servers, specify [Host name and Port number of Repository
Chapter 2: Environment Setup (SSO Administrators) 2-76 Adding an Authentication Server for Load Distribution This section explains the process of a
Setup of Authentication Server 2-77 Setting Up Environment for Destination Machine for Copying 1. For SSL communication using the authentication se
Chapter 2: Environment Setup (SSO Administrators) 2-78 • The environment information file of the authentication server is important for security.
Setting up a Repository Server and Authentication Server on a Single Machine 2-79 Setting up a Repository Server and Authentication Server on a Sing
Chapter 2: Environment Setup (SSO Administrators) 2-80 Registering a Business System If a business server administrator requests an SSO administrat
Registering a Business System 2-81 Information to be Acquired from Business Server Administrator When a business server administrator requests you t
Chapter 2: Environment Setup (SSO Administrators) 2-82 Remarks When this system is linked with the Application Gateway and can be accessed only by
Registering a Business System 2-83 The file name and file path of the authentication server configuration file Configuration file name: ssoatcag.con
Chapter 1: Overview 1-6 Basic System Configuration The Interstage Single Sign-on system basically consists of an authentication infrastructure, a bus
Chapter 2: Environment Setup (SSO Administrators) 2-84 Item Configuration Name Setting Contents Omissible or Required [Host Name]: Set the host na
Registering a Business System 2-85 Item Configuration Name Setting Contents Omissible or Required Specifying the protection path "/protect/"
Chapter 2: Environment Setup (SSO Administrators) 2-86 Item Configuration Name Setting Contents Omissible or Required If the value set for the pro
Registering a Business System 2-87 Addition, modification or deletion of protection resource information If adding, modifying or deleting protection
Chapter 2: Environment Setup (SSO Administrators) 2-88 • The business system setup file is important for security. Be sure to delete this file aft
More Secure Use 2-89 More Secure Use Communication data and authentication information between servers are encrypted in the Interstage Single Sign-o
Chapter 2: Environment Setup (SSO Administrators) 2-90 Figure 2-10 Interstage Single Sign-on Using IPsec 1. The IPsec encryption communication i
More Secure Use 2-91 Using a Firewall When a firewall is set, a group of authentication servers and repository servers must be set up in an independ
Chapter 2: Environment Setup (SSO Administrators) 2-92 For an explanation of installing the firewall and setting filtering function, refer to the m
3-1 Chapter 3 Environment Setup (Business Server Administrators) This chapter explains the flow of, and method for, setting up the business system e
Basic System Configuration 1-7 If the user accesses the business system without being authenticated, the Web browser is automatically directed to the
Chapter 3: Environment Setup (Business Server Administrators) 3-2 Environment Setup Flow This section explains how to add a business system. Refer t
Environment Setup Flow 3-3 For details regarding the set up of Web system and Web service environments, refer to the Web server manual. The configura
Chapter 3: Environment Setup (Business Server Administrators) 3-4 System configuration Setting up a business server on a server Setting up business s
Environment Setup Flow 3-5 Conditions for Using the Business System Configuration Spreadsheet The business system configuration spreadsheet supports M
Chapter 3: Environment Setup (Business Server Administrators) 3-6 Designing a Business System The business system administrator must clarify and repo
Setting up Business Servers 3-7 Setting up Business Servers This section explains the procedure for setting up business servers. The Interstage Manag
Chapter 3: Environment Setup (Business Server Administrators) 3-8 - Microsoft(R) Internet Information Service • If multiple types of Web servers a
Setting up Business Servers 3-9 8. To use linkage with Interstage Portalworks, select [System] > [Security] > [Single Sign-on] > [Business s
Chapter 3: Environment Setup (Business Server Administrators) 3-10 4. To update access control information automatically when the business server is
Setting up Business Servers 3-11 The following procedure describes how to use the ssocloneaz command to migrate the environment of the existing busine
Chapter 1: Overview 1-8 Note The repository server is provided by the following products: • Interstage Application Server Enterprise Edition • Inte
Chapter 3: Environment Setup (Business Server Administrators) 3-12 • Configure the following settings when the load balancer is Interstage Traffic D
Setting up Business Servers 3-13 /etc/opt/FSUNprovd(*1) *1 The configuration file name can be changed. Table 3-2 Environment configuration file for
Chapter 3: Environment Setup (Business Server Administrators) 3-14 Environment Configuration File Name and Storage Destination Environment configurat
Setting up Business Servers 3-15 For details about the environment configuration file for Sun ONE Web Server, refer to “NSAPI Programmer’s Guide for
Chapter 3: Environment Setup (Business Server Administrators) 3-16 Example Init fn="load-modules" shlib="/usr/lib/ssoatzipl.so"
Setting up Business Servers 3-17 Example Examples of magnus.conf and obj.conf that have been set immediately after installation of Sun ONE Web Server
Chapter 3: Environment Setup (Business Server Administrators) 3-18 Microsoft(R) Internet Information Services 5.0 and 6.0 This section explains the p
Setting up Business Servers 3-19 2. If Microsoft(R) Internet Information Services is running, stop it. To stop Microsoft(R) Internet Information Serv
Chapter 3: Environment Setup (Business Server Administrators) 3-20 3. Select the Web site into which a business server is to be integrated. In the f
Setting up Business Servers 3-21 4. Select Properties to open the property sheet. Select the [ISAPI Filters] tab, and then click the Add button. Fi
Basic System Configuration 1-9 2. When Setting Up the Authentication Server on Multiple Machines and the Repository Server on a Machine (Middle-scale
Chapter 3: Environment Setup (Business Server Administrators) 3-22 Figure 3-7 Specify Business Server 6. After the settings have been made, click
Setting up Business Servers 3-23 Setting the Access Permission for Operation Resources of a Web Server Used by a Business Server The Web server used b
Chapter 3: Environment Setup (Business Server Administrators) 3-24 Permit only the owner and group to access the access log output destination direc
4-1 Chapter 4 Operation and Maintenance This chapter explains the operation and maintenance of Interstage Single Sign-on, including starting and sto
Chapter 4: Operation and Maintenance 4-2 Starting Single Sign-on This section explains how to start the servers. • Starting a Repository Server • S
Starting Single Sign-on 4-3 Starting an Authentication Server To start an authentication server, use the Interstage Management Console on the server w
Chapter 4: Operation and Maintenance 4-4 • If Microsoft Internet Information Services 6.0 is used To start a business server, start Microsoft Intern
Stopping Single Sign-on 4-5 Stopping Single Sign-on This section explains how to stop the servers. • Stopping a Business Server • Stopping an Authen
Chapter 4: Operation and Maintenance 4-6 • If InfoProvider Pro is used Stopping InfoProvider Pro automatically stops a business server. To stop In
Changing Environment Settings 4-7 Changing Environment Settings This section explains how to change the operating environments of the repository serve
Single Sign-on Operator's Guide - Preface ii Trademarks Trademarks of other companies are used in this user guide only to identify particular pro
Chapter 1: Overview 1-10 Figure 1-7 Setting Up the Repository Server and Authentication Server on Multiple Machines Individually (Large Scale Syst
Chapter 4: Operation and Maintenance 4-8 − Protection resource registration entry For details on creating the repository server (reference system),
Changing Environment Settings 4-9 [Actions for Changing Effective User] • If Interstage HTTP Server is used After the effective user of the Web serve
Chapter 4: Operation and Maintenance 4-10 User Related Operation This section explains how to manage user-related operations. Single Sign-on users a
User Related Operation 4-11 Amending the Role of a User If the section or title of a user changes, the accessible resources can be amended by changing
Chapter 4: Operation and Maintenance 4-12 Notes • When resetting a password, pay careful attention to password security. For details on password sec
Authorization-related Operation 4-13 Authorization-related Operation This section explains changing role configurations and protection resources. • A
Chapter 4: Operation and Maintenance 4-14 Notes • If the repository server (update system) and repository server (reference system) are allocated fo
Authorization-related Operation 4-15 Notes • If the repository server (update system) and repository server (reference system) are allocated for load
Chapter 4: Operation and Maintenance 4-16 Maintenance Using Access Logs Interstage Single Sign-on records authentication and authorization processing
Maintenance Using Access Logs 4-17 User Identification Information User identification information (dn or uid) identifies the user who has requested a
Basic System Configuration 1-11 Business System The business system provides users with Web-based services. The business system basically consists of
Chapter 4: Operation and Maintenance 4-18 Supplementary Information The cause of authentication failure is recorded in the access log. For details ab
Maintenance Using Access Logs 4-19 Date/Time Access date/time is recorded in the “YYYY/MM/DD HH:MM:SS+XXXX” format. "+XXXX" refers to the ti
Chapter 4: Operation and Maintenance 4-20 Example 10.131.201.199 - 10.131.201.34 - 10.131.201.88 [2002/09/11 20:28:22 +0900] - "cn=User001,
Maintenance Using Access Logs 4-21 Example 10.131.201.199 [2002/09/11 20:28:22 +0900] - "cn=User001,ou=User,ou=interstage,o=fujitsu,dc=com"
Chapter 4: Operation and Maintenance 4-22 Operating Notes for Large Systems For operation using large systems, note the following points: • To updat
5-1 Chapter 5 Single Sign-on Customization This chapter explains Interstage Single Sign-on Customization and includes the following sections: • Cus
Chapter 5: Single Sign-on Customization 5-2 Customizing Messages Displayed on a Web Browser Interstage Single Sign-on provides a function that custom
Customizing Messages Displayed on a Web Browser 5-3 If an authentication server has already been added for load balancing, also customize the messages
Chapter 5: Single Sign-on Customization 5-4 Cause of the message to be displayed Message Contents Message File Name The specified certificate is dam
Customizing Messages Displayed on a Web Browser 5-5 Notes • Message files are available in Japanese and English versions. Select the appropriate mes
Chapter 1: Overview 1-12 Figure 1-9 Setting Up a Business Server on a Machine 2. When Setting Up Business Servers on Multiple Machines This system
Chapter 5: Single Sign-on Customization 5-6 Cause of Error Message Contents Message File Name The user was locked out because the password was re-e
Customizing Messages Displayed on a Web Browser 5-7 • If [No] is specified for [Notify Cause of Authentication Failure to user?] when the authenticat
Chapter 5: Single Sign-on Customization 5-8 Cause of Error Message Contents Message File Name The system does not support generation of an 8.3-for
Customizing Messages Displayed on a Web Browser 5-9 Example An example of editing message file “403roleerr_en.template” is shown below. Unedited Messa
Chapter 5: Single Sign-on Customization 5-10 - Ask the System Administrator to check whether the required access authority has been assigned<BR>
Customizing Messages Displayed on a Web Browser 5-11 • If a message file is deleted or there is no authority to access a message file, the system log
Chapter 5: Single Sign-on Customization 5-12 Access Authorization for the Message File Output at Form Authentication Table 5-4 Windows Access Author
Customizing Messages Displayed on a Web Browser 5-13 Table 5-8 [Microsoft Internet Information Services 6.0] Resource Setting Authority to Access Co
Chapter 5: Single Sign-on Customization 5-14 − To use InfoProvider Pro and other Web servers, set the effective user to other Web servers. − Set th
Customizing Messages Displayed on a Web Browser 5-15 Form definition <form action="/ssoatcag" method="post"> • Set &
Basic System Configuration 1-13 Client With Interstage Single Sign-on, a user uses the business system from a Web browser on a client. Supported Web B
Chapter 5: Single Sign-on Customization 5-16 Service Linkage with SSO Repository Before the repository server of the Interstage Single Sign-on is st
Service Linkage with SSO Repository 5-17 Canceling the Service Dependency Use the ssounsetsvc command to cancel the service dependency. For details on
Chapter 5: Single Sign-on Customization 5-18
6-1 Chapter 6 Troubleshooting This chapter explains the action to be taken if an error occurs during operation of the Interstage Single Sign-on syst
Chapter 6: Troubleshooting 6-2 Error Handling This section explains how to respond to abnormalities that may occur during operation. Error Investigat
Error Handling 6-3 SSO Administrator The SSO administrator must perform the following steps as necessary: • Change the SSO repository settings • In
Chapter 6: Troubleshooting 6-4 /var/adm/messages /var/log/messages • Output destination of access log of business server The access log is output
Examples of Errors 6-5 Examples of Errors Errors are generally classified into the following items: • Errors that can be encountered while using the
Chapter 6: Troubleshooting 6-6 Although a business system protected resource is accessed, no response is returned. Confirm the following: • The bus
Examples of Errors 6-7 *4 Refer to “Linkage with SSL Accelerator” for details of the SSL accelerator settings. Refer to “Load Balancing” for details
Chapter 1: Overview 1-14 Administrators To operate Interstage Single Sign-on, the SSO (Single Sign-on) administrator must not only manage the authent
Chapter 6: Troubleshooting 6-8 Message "ihs81215: The error occurred in start processing of Interstage HTTP Server. " is displayed on the I
7-1 Chapter 7 Developing Applications Interstage SSO (single sign-on) supports authentication to Interstage single sign-on authentication servers an
Chapter 7: Developing Applications 7-2 Developing Java Applications This section explains how to develop Java applications using the Java application
Developing Java Applications 7-3 Program Development Flow Servlet Application that Receives Authentication Information from a Client Figure 7-1 Servl
Chapter 7: Developing Applications 7-4 Processing Flow Table 7-2 provides processing flow information. Table 7-2 Process Flow Information Processing
Developing Java Applications 7-5 Setup Item Required? Explanation protection resources Executing application Required Set the JavaVM options. Obta
Chapter 7: Developing Applications 7-6 When an Application Runs as a Stand-alone Application When an application is run as a stand-alone application
Developing Java Applications 7-7 Setup Items Required? Explanation Creating login configuration file Required Create a login configuration file corr
Chapter 7: Developing Applications 7-8 Example import java.io.BufferedReader; import java.io.InputStreamReader; import java.io.IOException; import
Developing Java Applications 7-9 continue; } finally { Arrays.fill(password,' '); Arrays.fill(tmp,'
Authentication 1-15 Authentication Authentication is the operation used to check the validity of any person who attempts to use the system. This secti
Chapter 7: Developing Applications 7-10 public static void main(String args[]) { ISSsoJaas sample = new ISSsoJaas(); try{ if (sample
Developing Java Applications 7-11 Converting LoginContext to an Instance Convert the LoginContext to an instance. The code is shown below. LoginCo
Chapter 7: Developing Applications 7-12 Obtaining User Information When JAAS authentication is executed successfully, the objects listed below are as
Developing Java Applications 7-13 Table 7-7 Object Classes Associated with the Subject Object Class Name Explanation com.fujitsu.interstage.sso.auth.
Chapter 7: Developing Applications 7-14 • Client IP address • Authentication time • Re-authentication time • Scope of authentication information. O
Developing Java Applications 7-15 } try{ System.out.println("user.home=" + System.getProperty("user.home")); }ca
Chapter 7: Developing Applications 7-16 Setting the Application Execution Environment This section explains how the administrator for the operating a
Developing Java Applications 7-17 Table 7-9 Setting Environment Variables for Solaris OE and Linux (JDK1.3) Environment Variable Values CLASSPATH
Chapter 7: Developing Applications 7-18 Example Interstage install directory: C:\Interstage JDK install directory: "C:\Interstage\JDK14"
Developing Java Applications 7-19 Obtaining Service ID File If an authentication server of the authentication destination is specified with a Java app
Chapter 1: Overview 1-16 Also, a re-authentication interval can be specified for authentication. When a re-authentication interval is specified, an
Chapter 7: Developing Applications 7-20 • Java application that receives a user ID/password from a client for authentication com.fujitsu.interstage.
Developing Java Applications 7-21 Option Explanation authservertrusted Specify whether the site certificate of an authentication server presented fro
Chapter 7: Developing Applications 7-22 Execution of a Java Application that Receives a User ID/Password from a Client for Authentication Business s
Developing Java Applications 7-23 To Grant Permission for Each Code Base grant codeBase <URL>{ permission <access-permission-class-name>
Chapter 7: Developing Applications 7-24 File Encoding for Security Policy File When a character other than alphanumeric characters and symbols is use
Developing Java Applications 7-25 Table 7-14 Jar File Descriptions Jar File Explanation Jar file used by the single sign-on JavaAPI (*1) Specify perm
Chapter 7: Developing Applications 7-26 "com.fujitsu.interstage.sso.auth.ISAuthorizationCredential com.fujitsu.interstage.sso.auth.ISUserP
Developing Java Applications 7-27 permission javax.security.auth.AuthPermission "createLoginContext.com.fujitsu.interstage.sso"; per
Chapter 7: Developing Applications 7-28 /etc/opt/FJSVisscs/security/env/keystore/.keystore Using the Keytool Command Obtain the site certificate
Developing Java Applications 7-29 Setting Access Permission for Operation Resources Resources (such as the configuration file and service ID file) are
Authentication 1-17 If the form authentication is used, users can access the Authentication infrastructure URL directly through a Web browser for auth
Chapter 7: Developing Applications 7-30 Table 7-15 Setting Access Permissions for Files (Windows) Resource Explanation Service ID file Set access pe
Developing Java Applications 7-31 Registering Protection Resources For a servlet application that receives authentication information from a client, t
Chapter 7: Developing Applications 7-32 An OutOfMemoryError error typically occurs in this situation. The memory used in Java can be broadly divided
Developing Java Applications 7-33 Objects in an Old generation area that are no longer required are recovered using FullGC processing. The total memor
Chapter 7: Developing Applications 7-34 Executing Applications This section explains how to execute a Java application that uses the single sign-on J
Developing Java Applications 7-35 If the Java application to be executed uses a trust store file other than the JDK or JSSE default, a system property
Chapter 7: Developing Applications 7-36 /opt/FJSVj2ee/lib The copy destination directories are shown below. C:\Interstage\J2EE\var\deployment\ijs
Developing Java Applications 7-37 JDK1.4 java -Djava.security.auth.login.config=login-configuration-file-absolute-pathname -Djava.security.manager
Chapter 7: Developing Applications 7-38 /opt/FJSVj2ee/var/deployment/ijserver/IJServer name/ext For details on servlet application operation, refe
Developing Java Applications 7-39 Sample Code Storage Location Sample codes are stored in the following directories (hereafter referred to as sample d
Chapter 1: Overview 1-18 Figure 1-13 Form Authentication Page in Microsoft(R) Internet Explorer 6.0 Example Basic authentication dialog for Microso
Chapter 7: Developing Applications 7-40 (2) Deploying Servlet Application Use the Interstage Management Console to deploy the servlet application in
Developing Java Applications 7-41 (3) Setting IJServer WorkUnit Use the Interstage Management Console to select the [System] > [WorkUnit] > [IJ
Chapter 7: Developing Applications 7-42 JavaVM option -Djava.security.auth.login.config=C:\Interstage\J2EE\var\deployment\ijserver \IJServer\webap
Developing Java Applications 7-43 /** * sample login config file */ com.fujitsu.interstage.sso{ com.fujitsu.interstage.sso.auth.module.ISCrede
Chapter 7: Developing Applications 7-44 Note Use JDK1.4 if the UTF-8 type is used for the site certificate or CA certificate. (7) Defining Servlet A
Developing Java Applications 7-45 Use the Interstage Management Console to select [System] > [Security] > [Single Sign-on] > [Business system
Chapter 7: Developing Applications 7-46 Example AuthorizationCredential ・・・ Dn cn=user002,ou=User,ou=interstage,o=fujitsu,dc=c
Developing Java Applications 7-47 Execution Procedure (1) Preparation Perform the following steps: 1. Obtain the authentication infrastructure URL t
Chapter 7: Developing Applications 7-48 C:\>set CLASSPATH=C:\Interstage\F3FMsso\ssoatzag\lib\isssomod14.jar C:\>set JAVA_HOME=C:\Interstage\
Developing Java Applications 7-49 (4) Obtaining Service ID File Request that the SSO administrator creates a service ID file for the business server
Authentication 1-19 Figure 1-14 Authentication Window for Microsoft ® Internet Explorer 6.0 Example Basic authentication dialog for Netscape Communi
Chapter 7: Developing Applications 7-50 com.fujitsu.interstage.sso{ com.fujitsu.interstage.sso.auth.module.ISLoginModule Required authserver="
Developing Java Applications 7-51 Change the role name in the sample file. permission java.util.PropertyPermission "user.home","rea
Chapter 7: Developing Applications 7-52 (8) Activating Sample Application Activation examples are shown below. Example JDK1.3 Trust store file name
Developing Java Applications 7-53 JDK1.4 Trust store file name: "C:\Interstage\etc\security\env\keystore\.keystore" C:\>cd C:\Interst
Chapter 7: Developing Applications 7-54 psy6 zsl2A6d6FBzIsw7NeTkhBdjhq1Z506GaprHQ2zfqhWIzItto3x9dzSo2wQev/v4wn3Vc53lpWA/v Mqkj oMeVjQssloKIJfcF6gWBEH
Developing Java Applications 7-55 When user “user001” does not belong to role “Admin” UserName=user001 Password=user001 *** Credential Information
Chapter 7: Developing Applications 7-56 Setting User Information Report with Environment Variables Information on an authenticated user can be used i
Setting User Information Report with Environment Variables 7-57 User Information Explanation Example Valid range for authentication information The
Chapter 7: Developing Applications 7-58 Notes • Information reported to a Web application must be within the size specified below. If it exceeds th
A-1 Appendix A Samples of User Program Descriptions This appendix provides examples of user programs developed with Java that are used to operate th
Single Sign-on Operator's Guide - Preface iii Preface Purpose of this Document This manual describes the environment setup and operation procedur
Chapter 1: Overview 1-20 Certificate Information For certificate authentication by Interstage Single Sign-on, the owner name (Subject), owner alias (
Appendix A: Samples of User Program Descriptions A-2 DirContext ctx = new InitialDirContext(env); Note Carefully handle the administrator DN and
Registering a Role Configuration in the SSO Repository A-3 Registering a Role Configuration in the SSO Repository This sample program assumes the envi
Appendix A: Samples of User Program Descriptions A-4 Registering User Information in the SSO Repository This sample program assumes the environment s
Registering User Information in the SSO Repository A-5 Description of User Program Example // Associating the values in CSV file with attributes pr
Appendix A: Samples of User Program Descriptions A-6 al.add(index, null); } else { al.se
Deleting User Information from the SSO Repository A-7 Deleting User Information from the SSO Repository This sample program assumes the environment se
Appendix A: Samples of User Program Descriptions A-8 Adding a User Role This sample program assumes the environment setup below. Change the setup ac
Adding a User Role A-9 for(int i = 0; i < roleAttr.size(); i++) { if(role.compareToIgnoreCase((String)roleAttr.get(i)
Appendix A: Samples of User Program Descriptions A-10 Deleting a User Role This sample program assumes the environment setup below. Change the setup
Deleting a User Role A-11 ModificationItem( DirContext.REPLACE_ATTRIBUTE, roleAttr ); ctx.modifyAttributes(dn, mods); }
Authentication 1-21 Figure 1-16 Certificate Selection Window for Microsoft ® Internet Explorer 6.0 Example Certificate selection window for Netscape
Appendix A: Samples of User Program Descriptions A-12 Displaying the User Lock Status This sample program assumes the environment setup below. Chang
Displaying the User Lock Status A-13 } } } : Postprocessing
Appendix A: Samples of User Program Descriptions A-14 Displaying the User Validity Period This sample program assumes the environment setup below. C
Displaying the User Validity Period A-15 } if(ret[0] != null) { System.out.println("Validity period start time = " + ret[0]); } el
Appendix A: Samples of User Program Descriptions A-16 Changing the User Validity Period This sample program assumes the environment setup below. Cha
Changing the User Password A-17 Changing the User Password This sample program assumes the environment setup below. Change the setup according to the
B-1 Appendix B Entry Attributes To Be Registered in SSO Repository This appendix describes the user information, role configurations and protection
Appendix B: Entry Attributes To Be Registered in SSO Repository B-2 User Information This section describes the user information managed by Interstag
User Information B-3 Attribute name Explanation Description Example of registration ssoAuthType Authentication method Specifies the user authentica
Chapter 1: Overview 1-22 Figure 1-17 Certificate Selection Window for Netscape Communicator 4.75 On Netscape Communicator, the following window is
Appendix B: Entry Attributes To Be Registered in SSO Repository B-4 Attribute name Explanation Description Example of registration ssoNotBefore Va
User Information B-5 Attribute name Explanation Description Example of registration ssoLockTimeStamp Lockout time Specifies the date and time the
Appendix B: Entry Attributes To Be Registered in SSO Repository B-6 Role Configuration This section describes the role information required by Inters
Role Configuration B-7 The role configuration can also be a role set that contains multiple roles. An example of role set configuration is shown belo
Appendix B: Entry Attributes To Be Registered in SSO Repository B-8 Protection Resources This section describes the target domain information require
Protection Resources B-9 Path Configuration This section describes the target path information required by Interstage Single Sign-on for access contro
Authentication 1-23 Checking the Effectiveness of Certificate The effectiveness of the certificate used for certificate authentication can be checked by the
Chapter 1: Overview 1-24 Password Authentication and Certificate Authentication This authentication method only assumes authentication has been succe
Authentication 1-25 Item Description Role name/role set name Name of the role or role set assigned to the user. Multiple roles or role sets can be se
Chapter 1: Overview 1-26 Certificate Selection Windows If no certificate (or only one certificate) has been registered in the client computer, the di
Authentication 1-27 Figure 1-21 Security Settings Example Netscape Communicator 4.78 Select [Communicator] > [Tools] > [Security Info], and fr
Chapter 1: Overview 1-28 Figure 1-22 Netscape Navigator Screen Restrictions on Authentication Interstage Single Sign-on provides some functions to
Authentication 1-29 When the authenticated user connects to the business system from a client computer that has a different IP address, the user is re
Single Sign-on Operator's Guide - Preface iv Organization of this Document This document is organized as follows: • Chapter 1 Overview This chap
Chapter 1: Overview 1-30 For details of the user information stored in the SSO repository, refer to "User Information Entry". For details o
Authentication 1-31 User Validity Period Validity periods can be set for users in Interstage Single Sign-on. For example, if the information on new em
Chapter 1: Overview 1-32 Figure 1-25 Lockout in Single Sign-on Authentication If a user has failed password authentication for a specified consecu
Authentication 1-33 Figure 1-26 Screen Displayed when User is Locked Out
Chapter 1: Overview 1-34 When a locked user performs authentication, the following window is displayed on the Web browser. Figure 1-27 Screen Displ
Authorization 1-35 Authorization Authorization is the process that is used to make sure that the user who requests access to a resource is allowed to
Chapter 1: Overview 1-36 • Therefore, the accountant can access only the resources "employment regulations" and "settlement informati
Authorization 1-37 Figure 1-29 Information Required for Authorization Using Roles Role Configuration The role or role set name to be used is regist
Chapter 1: Overview 1-38 Examples of Roles Table 1-5 Role Post/department Role name General employee employee Executive officer executives Account
Authorization 1-39 Note If a role or role set name set in the path configuration is not defined by role configuration, access control information cann
Chapter 1: Overview 1-40 Updating Access Control Information The business server retains the access control information fetched from the SSO reposito
Authorization 1-41 • If the access control information is updated while the business server is active, make sure that you access a protection resourc
Chapter 1: Overview 1-42 High-Performance and High-Reliability System Interstage Single Sign-on supports high-performance and high-reliability system
High-Performance and High-Reliability System 1-43 Figure 1-31 Load Balancing among Authentication and Repository Servers The figure above shows the
Chapter 1: Overview 1-44 For an example of setting a system configuration in which multiple authentication servers are arranged to distribute the aut
High-Performance and High-Reliability System 1-45 Figure 1-32 Increasing System Availability When the re-connection interval specified as an environ
Chapter 1: Overview 1-46 Figure 1-33 Standby Repository takes over in the Event of a Failure This means that the Interstage Single Sign-on service
High-Performance and High-Reliability System 1-47 • If the repository server (update system) stops operation as the result of some problem, user auth
Chapter 1: Overview 1-48 To use SSL Accelerator during Interstage Single Sign-on operations, SSL Accelerator must be set up as follows: Client Authen
High-Performance and High-Reliability System 1-49 Figure 1-36 Example of Screen Shown when Page Cannot be Displayed Linkage with Application Gateway
Chapter 1: Overview 1-50 The settings for a system that can be set up using the Application Gateway reverse function are explained below. Remark • I
High-Performance and High-Reliability System 1-51 Examples of the reverse settings in the figure above are shown in the table below. In the URL for th
Chapter 1: Overview 1-52 Figure 1-38 Using SSL Communication between Application Gateway and Authentication Server To operate using this system con
High-Performance and High-Reliability System 1-53 • The clients in the intranet cannot access the protection resources in the business system. • No
Chapter 1: Overview 1-54 https://sd.fujitsu.com:443/dir2/ <---------- https://sd.fujitsu.com:443/dir2/ https://sd.fujitsu.com:443/dir3/ <-----
High-Performance and High-Reliability System 1-55 [Using SSL communication between Application Gateway and authentication server] Figure 1-40 Using
Chapter 1: Overview 1-56 When “Set-Cookies Header” is specified in the HTTP response header, and the path and domain that are specified to “Set-Cooki
Choosing URLs 1-57 Choosing URLs This section describes how to choose the Authentication infrastructure URL, the Business system public URL, and the h
Chapter 1: Overview 1-58 Figure 1-42 Using Interstage Director to Balance the Load on the Authentication Server Using SSL Accelerator The FQDN and
Choosing URLs 1-59 Figure 1-44 Using Both SSL Accelerator and Interstage Traffic Director Linking with Application Gateway and using SSL Communicati
Chapter 1: Overview 1-60 Linking with Application Gateway and Using Non-SSL Communication between Application Gateway and Authentication Server [To e
Choosing URLs 1-61 Figure 1-47 Non-SSL Communication between Application Gateway and Authentication Server viewed from the Client *2 When Interstage
Chapter 1: Overview 1-62 Figure 1-48 Combining No Other Equipment or Product Using Interstage Traffic Director for Balancing the Load on the Authen
Choosing URLs 1-63 Figure 1-50 Using SSL Accelerator Using both SSL Accelerator and Interstage Traffic Director The FQDN and port number of the Busi
Chapter 1: Overview 1-64 Figure 1-52 Linking with Application Gateway and Enabling Clients on the Internet and Intranet to Access *1 For further d
Choosing URLs 1-65 Figure 1-53 Linking with Application Gateway and Enabling only Internet Clients to Access *1 For further details, refer to &quo
Chapter 1: Overview 1-66 Not Using a Cluster System The host name of the repository server (update system) is the same as the machine on which the re
2-1 Chapter 2 Environment Setup (SSO Administrators) This chapter explains the setup for the authentication infrastructure environment. Use the Int
Chapter 2: Environment Setup (SSO Administrators) 2-2 Environment Setup Flow Authentication infrastructure environment setup includes the following
Environment Setup Flow 2-3 Flow of Environment Setup by Systems Figure 2-1 Flow of Environment Setup
Chapter 2: Environment Setup (SSO Administrators) 2-4 Table 2-1 shows the steps required for the environment setup of various types of systems: Tab
Environment Setup Flow 2-5 Setting up the authentication server on a machine and the repository server on another machine Setting up the authentic
Chapter 2: Environment Setup (SSO Administrators) 2-6 Setting up the authentication server on a machine and the repository server on another mach
Environment Setup Flow 2-7 Filenames and Location of the Authentication Infrastructure Configuration Spreadsheet File name of the Authentication Inf
Chapter 2: Environment Setup (SSO Administrators) 2-8 Preparation for Environment Setup Prepare a user program and design an SSO repository before
Preparation for Environment Setup 2-9 Designing a Registration Destination Entry Design an entry in which role configuration, user information, and
Chapter 2: Environment Setup (SSO Administrators) 2-10 User Information Example This example shows a design of registering information about two us
Preparation for Environment Setup 2-11 Figure 2-3 Role Configuration and User Information Registration Destinations Preparation for a User Progra
Chapter 2: Environment Setup (SSO Administrators) 2-12 Repository Server Setup This section describes the procedure for setting up a repository ser
Repository Server Setup 2-13 Setting up a Repository Server for Addition of a Repository Server (Reference System) Perform the following procedure t
Chapter 2: Environment Setup (SSO Administrators) 2-14 − Administrator DN password (re-enter) Re-enter the password for the SSO administrator. −
Repository Server Setup 2-15 Detailed settings Database Configuration − Maximum number of searchable entries Maximum number of entries that can be
Chapter 2: Environment Setup (SSO Administrators) 2-16 4. Check the checkbox of the created SSO repository and click the Start button to start the
Repository Server Setup 2-17 Figure 2-4 Importing User Information from the Database to the SSO Repository The procedure for importing user inform
Chapter 2: Environment Setup (SSO Administrators) 2-18 Conditions for connection and an example of the settings that should be made are shown below
Repository Server Setup 2-19 Conditions for connection and an example of the settings that should be made are shown below. Database to be connected
Chapter 2: Environment Setup (SSO Administrators) 2-20 4. Execute the user information import command. Figure 2-5 Add Entries using the CSV Data
Repository Server Setup 2-21 The data in CSV format that corresponds to the above data is as follows: user001,user001,user001,user001,user001,100
Chapter 2: Environment Setup (SSO Administrators) 2-22 .com,Leader ADD,user004,user004,user004,user004,user004,100004,[email protected]
Repository Server Setup 2-23 <!ELEMENT ldapdelete (#PCDATA)> <!ELEMENT ldapmodify (#PCDATA)> ]> <!-- Cannot be modified -->