How to enable authentication in EMSCA 7.0.

Article ID: KB0091146

Products: TIBCO Enterprise Message Service
Versions: Not Applicable

Description:
=============
How to enable authentication in EMSCA 7.0.

Resolution:
=============
EMSCA 7.0 authenticates users through Java Authentication and Authorization Service (JAAS) LoginModules (see the JAAS LoginModule Developer's Guide):

http://docs.oracle.com/javase/1.4.2/docs/guide/security/jaas/JAASLMDevGuide.html

If JAAS is not enabled, EMSCA connects to every EMS server as the user `admin` with no password. This mode exists only for quickly prototyping an out-of-the-box EMSCA and EMS server setup; never use it in production.

EMSCA integrates with JAAS through property files, JDBC (directly through a JDBC driver, or through a DataSource obtained by JNDI lookup) and LDAP. Without any custom code, EMSCA can be configured to use Jetty's four sample LoginModule implementations:

    • org.mortbay.jetty.plus.jaas.spi.JDBCLoginModule
    • org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule
    • org.mortbay.jetty.plus.jaas.spi.DataSourceLoginModule
    • org.mortbay.jetty.plus.jaas.ldap.LdapLoginModule

When JAAS is enabled, EMSCA requires users to log in with credentials. The username and password the user enters are also the credentials EMSCA uses to connect to the EMS servers, and the same user is used for every EMS server being managed. If that user lacks the required privileges on an EMS server, the action fails on that server.

Every EMSCA JAAS user must belong to one of two JAAS roles, emsca-admin or emsca-guest:

=============
emsca-admin

Grants administrative privileges to members. Administrators may lock and edit an EMS server in Central Administration and deploy an updated server configuration. Note that the user must also hold administrative privileges on the EMS server itself for the deployment to succeed.
    
emsca-guest

Grants read-only privileges to members. Guest users are not able to make changes or deploy configurations through Central Administration.
=============

If the EMSCA JAAS users do not already exist in the user configuration of the EMS servers you want to manage, add them to each EMS server, with privileges matching their EMSCA role, before adding that server to EMSCA.

For example, the following steps configure EMSCA JAAS users in a plain text file:

1) Create a file, emsca.jaas, that defines the LoginModule configuration using PropertyFileLoginModule:

#####
tibemsca {
       org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule required
       debug="true"
       file="users.txt";
};
#####

2) Create users.txt, which defines each user's name, password and role (emsca-admin or emsca-guest).

Passwords can be stored in clear text, obfuscated (OBF:), checksummed (MD5:) or encrypted (CRYPT:), in order of increasing security. The class org.mortbay.jetty.security.Password generates all of these forms from a clear-text password. Note that obfuscation is reversible and protects the password from casual viewing only, and that the MD5 form is an unsalted digest; whichever form you choose, restrict read access to users.txt.

java -cp jetty-all.jar org.mortbay.jetty.security.Password
Usage - java org.mortbay.jetty.security.Password [<user>] <password>

For example, to replace the clear text password adminpassword of the user admin, run the tool; it echoes the password followed by its three encoded forms:

C:\tibco\ems\7.0\bin>java -cp jetty-all.jar org.mortbay.jetty.security.Password admin adminpassword
adminpassword
OBF:1s3g1vg11wn11xf51xmi1y0s1ri71y0y1xms1xfx1wn51vgt1s3m
MD5:e3274be5c857fb42ab72d786e281b4b8
CRYPT:adDu2y7orMx7Y

Copy whichever form you choose, including its OBF:, MD5: or CRYPT: prefix, into users.txt in place of the clear text password.

Each line of users.txt has the format: <username>: <password>[,<rolename> ...]

for example:
#####
admin:OBF:1s3g1vg11wn11xf51xmi1y0s1ri71y0y1xms1xfx1wn51vgt1s3m, emsca-admin
guest:MD5:81011aa42a2a32887835a090dec3d7fb, emsca-guest
#####

Make sure that the users admin and guest are defined on the EMS server(s) with the same passwords and with privileges corresponding to their roles.

3) Start EMSCA with JAAS enabled. There are two ways to do this:

a) Start the EMSCA server with `-j` or `--jaas` followed by the path to the JAAS configuration file, for example:

tibemsca.bat -j emsca.jaas

b) Set the property `com.tibco.emsca.jaas` in the EMSCA configuration file to the path of emsca.jaas.
For example, an EMSCA configuration file emsca.property that points to emsca.jaas:

#####
com.tibco.emsca.data.dir=./emsca_data
com.tibco.emsca.http.hostport=*:8080
com.tibco.emsca.jaas=emsca.jaas
#####

Then start EMSCA with that configuration file:
tibemsca.bat -c emsca.property
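As an added example (not TIBCO's or Jetty's code), the following Python script reads a users.txt in the format used in step 2, reimplements the OBF: encoding of Jetty's Password class so that an auditor can confirm it is reversible, verifies a candidate password against clear-text, OBF: and MD5: entries, and flags storage forms and roles a reviewer would question before the file goes into production. The sample file is constructed from the admin and guest lines above plus an invented operator line; the 'U' escape for non-ASCII bytes follows later Jetty releases and is an assumption for the Jetty 6 class bundled here.

```python
# Added example (not TIBCO's or Jetty's code): audit a Jetty-style users.txt.
import hashlib

EMSCA_ROLES = {"emsca-admin", "emsca-guest"}

def _base36(n):
    """Lower-case base 36, as Java's Integer.toString(n, 36) produces."""
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append("0123456789abcdefghijklmnopqrstuvwxyz"[r])
    return "".join(reversed(digits)) or "0"

def obfuscate(password):
    """Jetty OBF: form. Byte i is mixed with byte len-1-i by an exactly
    invertible mapping, so OBF only hides the password from casual viewing."""
    b = password.encode("utf-8")
    groups = []
    for i, b1 in enumerate(b):
        b2 = b[len(b) - 1 - i]
        if b1 >= 0x80 or b2 >= 0x80:
            # 'U' escape for non-ASCII bytes (assumption: later Jetty versions)
            groups.append("U" + _base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i0 = (127 + b1 + b2) * 256 + (127 + b1 - b2)
            groups.append(_base36(i0).rjust(4, "0"))
    return "OBF:" + "".join(groups)

def deobfuscate(credential):
    """Recover the clear text from an OBF: value (prefix optional)."""
    s = credential[4:] if credential.startswith("OBF:") else credential
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "U":
            out.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)  # (127+b1+b2)+(127+b1-b2)-254 = 2*b1
            i += 4
    return out.decode("utf-8")

def md5_credential(password):
    """Jetty MD5: form: hex MD5 of the password bytes, no salt."""
    return "MD5:" + hashlib.md5(password.encode("utf-8")).hexdigest()

def verify(credential, candidate):
    """True/False for clear-text, OBF: and MD5:; None for CRYPT: (traditional
    crypt(3) is not checked here)."""
    if credential.startswith("OBF:"):
        return deobfuscate(credential) == candidate
    if credential.startswith("MD5:"):
        return credential[4:].lower() == md5_credential(candidate)[4:]
    if credential.startswith("CRYPT:"):
        return None
    return credential == candidate

def parse_users(text):
    """'<username>: <password>[,<rolename> ...]' -> {name: (credential, roles)}.
    Only the first ':' separates the name; OBF:/MD5:/CRYPT: contain a colon."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError("users.txt line %d: no ':' separator" % lineno)
        name, rest = line.split(":", 1)
        fields = [f.strip() for f in rest.split(",")]
        users[name.strip()] = (fields[0], [r for r in fields[1:] if r])
    return users

def audit(users):
    """(username, finding) pairs: how each password is stored, plus roles
    that are not emsca-admin or emsca-guest."""
    forms = [("OBF:", "OBF is reversible: clear text recoverable from the file"),
             ("MD5:", "unsalted MD5 digest"),
             ("CRYPT:", "traditional crypt(3): only the first 8 characters count")]
    findings = []
    for name, (cred, roles) in users.items():
        form = next((msg for p, msg in forms if cred.startswith(p)), "clear-text password")
        findings.append((name, form))
        if not roles:
            findings.append((name, "no role (needs emsca-admin or emsca-guest)"))
        findings += [(name, "unknown role %r" % r) for r in roles if r not in EMSCA_ROLES]
    return findings

# Constructed sample: admin and guest are the article's lines; operator is invented.
SAMPLE_USERS_TXT = """\
# EMSCA users
admin: OBF:1s3g1vg11wn11xf51xmi1y0s1ri71y0y1xms1xfx1wn51vgt1s3m,emsca-admin
guest: MD5:81011aa42a2a32887835a090dec3d7fb,emsca-guest
operator: changeme,emsca-operator
"""

if __name__ == "__main__":
    users = parse_users(SAMPLE_USERS_TXT)
    print("admin verifies with 'adminpassword':", verify(users["admin"][0], "adminpassword"))
    print(*audit(users), sep="\n")
```

Run it directly to print the findings; pointing `parse_users()` at a real users.txt is a quick pre-deployment check. To anyone who can read the file, an OBF: entry is as good as clear text, so the file permissions on users.txt matter as much as the storage form chosen.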
