How to configure JAAS for EMSCA.

Article ID: KB0093542

Products: TIBCO Enterprise Message Service
Versions: Not Applicable

Description

How to configure JAAS for EMSCA.

Resolution

The security mechanism of EMSCA 7.x and 8.x relies on Java Authentication and Authorization Service (JAAS) LoginModules; see the JAAS Reference Guide:

https://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/JAASRefGuide.html

If JAAS is not enabled, EMSCA interacts with EMS servers as the user `admin` with no password, and the EMSCA web interface itself requires no login. EMSCA without JAAS is intended only for quickly prototyping an out-of-the-box EMSCA and EMS server setup; it must never be used in production, because any client that can reach the EMSCA HTTP port can then administer every EMS server that EMSCA manages. When JAAS is configured for EMSCA, each time a user adds or refreshes an EMS server or deploys configuration changes, the Central Administration server uses the JAAS user ID and password presented by that user to authenticate with the EMS server. If that user does not have sufficient admin privileges on the EMS server, the action fails. Each JAAS user ID and password configured for EMSCA must therefore also be defined in the EMS servers, with the corresponding admin privileges.

For example, if the external LDAP users emsca_administrator and emsca_viewer are used for EMSCA JAAS authorization, add emsca_administrator to the $admin group in groups.conf, and add emsca_viewer to an EMS group that holds only the view-all admin permission. Note that the EMS server, not EMSCA, enforces these permissions: the EMSCA JAAS roles decide what the EMSCA GUI lets a user attempt, and the EMS server's admin permissions decide what actually succeeds.

EMSCA integrates with JAAS through property files, JDBC (either via a JDBC driver or via a DataSource obtained by JNDI lookup), and LDAP. EMSCA can be configured to use Jetty's sample LoginModule implementations without writing any custom code.
   
The Jetty version bundled with EMSCA has changed across EMS releases since 7.0:
   EMSCA 7.x uses Jetty 6.x.
   EMSCA 8.0 uses Jetty 8.x.
   EMSCA 8.1 uses Jetty 9.x.
   
Beginning with EMSCA 8.0, replace the old Jetty 6 LoginModule class names in the JAAS configuration file:
   
   org.mortbay.jetty.plus.jaas.spi.JDBCLoginModule
   org.mortbay.jetty.plus.jaas.ldap.LdapLoginModule
   org.mortbay.jetty.plus.jaas.spi.DataSourceLoginModule
   org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule
   
    with the new class names (note that LdapLoginModule moves from the ldap package to spi, while the other three keep the spi package):
   
   org.eclipse.jetty.jaas.spi.JDBCLoginModule
   org.eclipse.jetty.jaas.spi.LdapLoginModule
   org.eclipse.jetty.jaas.spi.DataSourceLoginModule
   org.eclipse.jetty.jaas.spi.PropertyFileLoginModule
   
Note: The LoginModule classes (a JAR file) are installed under the EMS bin directory and are referenced from the EMSCA start-up script.

When JAAS is enabled, EMSCA requires user credentials to log in to EMSCA. The user name and password entered at login are the credentials EMSCA then uses to interact with the EMS servers, and it uses that same user for every EMS server it manages, so an account with the admin role in EMSCA effectively needs, and exercises, admin rights on all of them. If the user does not have sufficient privileges defined in an EMS server, the action against that server fails.

In EMSCA 7.x and 8.0, EMSCA JAAS users must belong to one of two JAAS groups, emsca-admin or emsca-guest. These names are hard-coded and cannot be changed. Since EMS 8.1, EMSCA accepts two new flags, --jaas-admins and --jaas-guests, each taking a comma-separated list of admin role names or guest role names. Use them to replace the default JAAS group names emsca-admin and emsca-guest with names that follow your own standard. For example, with LDAP JAAS authentication you do not need to create LDAP groups named emsca-admin and emsca-guest on the LDAP server; you can map existing groups, or two new LDAP groups with your own names, to the admin role and the guest role.

For example, you can start EMSCA with the following:

tibemsca.bat -c emsca_ldap.properties --jaas-admins {EMSCA LDAP group name for admin role}

These settings can also be provided in the configuration file through the following properties:

com.tibco.emsca.jaas.admin.roles
com.tibco.emsca.jaas.guest.roles

Refer to KB 37380 for how to enable LDAP JAAS authentication for EMSCA 7.x.

Here are the steps to enable LDAP JAAS authentication in EMSCA 8.1 and higher:

1). Create EMSCA LDAP users within the LDAP server, for example: emsca_administrator, emsca_viewer.

2). Add two LDAP groups to the LDAP server, one for the admin role and one for the guest role.

3). Assign the user emsca_administrator to the LDAP admin role group and the user emsca_viewer to the LDAP guest role group.

4). Add the following two properties to the EMSCA configuration file (for example, emsca_ldap.properties):

com.tibco.emsca.jaas.admin.roles=<LDAP Admin role group names>
com.tibco.emsca.jaas.guest.roles=<LDAP guest role group names>


5). The EMS servers can be configured to use LDAP JAAS authentication against the same LDAP server.


Note: The EMSCA JAAS functionality is provided by Jetty's LoginModules. The EMS server's JAAS plug-in is not integrated with Jetty, so EMSCA and the EMS server each need their own JAAS module and configuration, even when both point at the same LDAP server. For EMS server LDAP JAAS authentication you can use com.tibco.example.LDAPSearchLoginModule from the {EMS_install_dir}/samples/security directory. Since EMS 8.1, EMS also ships compiled, fully functional pre-built JAAS modules that enable LDAP and host-based authentication in the EMS server; see the EMS User's Guide for details.

6). Create a file emsca_ldap.jaas that defines the LoginModule configuration using org.eclipse.jetty.jaas.spi.LdapLoginModule. In this example the LDAP server is a Windows Active Directory server (the host, bind DN and password shown are example values):

tibemsca {
 org.eclipse.jetty.jaas.spi.LdapLoginModule required
  debug="true"
  contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
  hostname="10.108.114.60"
  port="389"
  bindDn="CN=Administrator,CN=Users,DC=test,DC=na,DC=tibco,DC=com"
  bindPassword="Tibco123"
  authenticationMethod="simple"
  forceBindingLogin="true"
  userBaseDn="CN=Users,DC=test,DC=na,DC=tibco,DC=com"
  userRdnAttribute="cn"
  userIdAttribute="cn"
  userPasswordAttribute="userPassword"
  userObjectClass="person"
  roleBaseDn="CN=Users,DC=test,DC=na,DC=tibco,DC=com"
  roleNameAttribute="cn"
  roleMemberAttribute="member"
  roleObjectClass="group";
  };

Before using this file in production, review four of these settings. bindPassword is stored in cleartext, so restrict the file's permissions to the account that runs EMSCA and bind with a least-privilege directory account rather than the domain Administrator. authenticationMethod="simple" on port 389 sends both the bind password and every user's login password unencrypted; Jetty's LdapLoginModule accepts a useLdaps="true" option for an LDAPS connection (normally port 636), so check the option list for the Jetty version shipped with your EMS release and enable it. forceBindingLogin="true" makes the module authenticate by binding to the directory as the user instead of comparing the userPasswordAttribute, which is what makes this work against Active Directory, where userPassword is not readable; leave it set. debug="true" is useful while setting this up but logs every login attempt, so turn it off afterwards.

7). Reference the file emsca_ldap.jaas from the property com.tibco.emsca.jaas in the EMSCA configuration file.

Example: In the EMSCA 8.1 (and higher) configuration file emsca_ldap.properties, the following lines point to emsca_ldap.jaas:

com.tibco.emsca.data.dir=./emsca_data
com.tibco.emsca.http.hostport=*:9090
com.tibco.emsca.jaas=emsca_ldap.jaas
com.tibco.emsca.jaas.admin.roles=<LDAP Admin role group names>
com.tibco.emsca.jaas.guest.roles=<LDAP guest role group names>

8). Start EMSCA 8.1 (or higher) with that configuration file to enable LDAP JAAS:

tibemsca.bat -c emsca_ldap.properties

9). Test the LDAP users emsca_administrator and emsca_viewer by logging in to the EMSCA GUI. Note: EMSCA can only manage EMS servers that were started with a JSON configuration file.
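As an added example (not TIBCO or Jetty code), the following Python script parses a JAAS file in the syntax shown in step 6, rewrites the pre-8.0 org.mortbay LoginModule class names listed earlier to their org.eclipse.jetty.jaas.spi equivalents, and flags the settings discussed after step 6 that should not reach production: no useLdaps, a cleartext bindPassword, debug left on, and forceBindingLogin turned off. The option names are those of Jetty's LdapLoginModule; the sample configuration embedded in the script is constructed, and its second application, "legacy", is hypothetical.

```python
"""Offline lint for an EMSCA JAAS file such as emsca_ldap.jaas (added example, not TIBCO or Jetty
code). Parses the JAAS syntax, rewrites pre-8.0 org.mortbay LoginModule class names to their
org.eclipse.jetty.jaas.spi equivalents, and flags settings to fix before production."""
import re

# Jetty 6 (EMSCA 7.x) -> Jetty 8/9 (EMSCA 8.x) class names; LdapLoginModule also moves from .ldap to .spi.
LEGACY_MODULES = {
    "org.mortbay.jetty.plus.jaas.spi.JDBCLoginModule": "org.eclipse.jetty.jaas.spi.JDBCLoginModule",
    "org.mortbay.jetty.plus.jaas.ldap.LdapLoginModule": "org.eclipse.jetty.jaas.spi.LdapLoginModule",
    "org.mortbay.jetty.plus.jaas.spi.DataSourceLoginModule": "org.eclipse.jetty.jaas.spi.DataSourceLoginModule",
    "org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule": "org.eclipse.jetty.jaas.spi.PropertyFileLoginModule",
}
FLAGS = ("required", "requisite", "sufficient", "optional")
# Tokens: quoted value, // comment (dropped), structural symbol, or bare word.
_TOKEN = re.compile(r'"(?P<str>[^"]*)"|(?P<comment>//[^\n]*)|(?P<sym>[{};=])|(?P<word>[^\s{};="]+)')


def tokenize(text):
    return [(m.lastgroup, m.group(m.lastgroup)) for m in _TOKEN.finditer(text) if m.lastgroup != "comment"]


def parse_jaas(text):
    """Return {app: [{"module": cls, "flag": flag, "options": {k: v}}, ...]}; ValueError on bad syntax."""
    toks, pos, apps = tokenize(text), 0, {}
    try:
        while pos < len(toks):
            kind, app = toks[pos]
            if kind != "word" or toks[pos + 1] != ("sym", "{"):
                raise ValueError(f"expected 'name {{' at token {pos}")
            pos, entries = pos + 2, []
            while toks[pos] != ("sym", "}"):
                module, flag = toks[pos][1], toks[pos + 1][1].lower()
                if flag not in FLAGS:
                    raise ValueError(f"bad control flag {flag!r} for {module}")
                pos, options = pos + 2, {}
                while toks[pos] != ("sym", ";"):        # option list of one module ends at ';'
                    (_, key), eq, (_, val) = toks[pos], toks[pos + 1], toks[pos + 2]
                    if eq != ("sym", "="):
                        raise ValueError(f"expected '=' after option {key!r}")
                    options[key], pos = val, pos + 3
                entries.append({"module": module, "flag": flag, "options": options})
                pos += 1
            if toks[pos + 1] != ("sym", ";"):
                raise ValueError(f"missing ';' after closing '}}' of {app}")
            apps[app], pos = entries, pos + 2
    except IndexError:
        raise ValueError("unexpected end of configuration") from None
    return apps


def lint(apps):
    """Migrate legacy class names in place; return findings about Jetty LdapLoginModule options."""
    out = []
    for app, entries in apps.items():
        for e in entries:
            mod, o = e["module"], e["options"]
            if mod in LEGACY_MODULES:
                e["module"] = LEGACY_MODULES[mod]
                out.append(f"{app}: {mod} is a Jetty 6 class; EMSCA 8.x needs {e['module']}")
            if not e["module"].endswith("LdapLoginModule"):
                continue
            if o.get("useLdaps", "false").lower() != "true":
                out.append(f"{app}: useLdaps is not true; bind and user passwords cross port {o.get('port', '?')} in cleartext")
            if "bindPassword" in o:
                out.append(f"{app}: cleartext bindPassword for {o.get('bindDn')}; restrict file permissions and use a least-privilege bind account")
            if o.get("debug", "false").lower() == "true":
                out.append(f"{app}: debug=true logs every login attempt; disable in production")
            if o.get("forceBindingLogin", "false").lower() != "true":
                out.append(f"{app}: forceBindingLogin is off, so the module compares {o.get('userPasswordAttribute', 'userPassword')} instead of binding as the user; that needs a readable password attribute and fails against Active Directory")
    return out


def render(apps):
    """Write the (migrated) configuration back out in JAAS syntax."""
    out = []
    for app, entries in apps.items():
        out.append(f"{app} {{")
        for e in entries:
            out.append(f"  {e['module']} {e['flag']}")
            out.extend(f'    {k}="{v}"' for k, v in e["options"].items())
            out[-1] += ";"
        out.append("};")
    return "\n".join(out) + "\n"


# Constructed sample: the article's Active Directory entry (abridged) plus a hypothetical
# "legacy" application that still names the Jetty 6 class.
SAMPLE = """
tibemsca {
  org.eclipse.jetty.jaas.spi.LdapLoginModule required
    debug="true" contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    hostname="10.108.114.60" port="389"   // values copied from the article's example
    bindDn="CN=Administrator,CN=Users,DC=test,DC=na,DC=tibco,DC=com" bindPassword="Tibco123"
    authenticationMethod="simple" forceBindingLogin="true"
    userBaseDn="CN=Users,DC=test,DC=na,DC=tibco,DC=com" userIdAttribute="cn"
    roleBaseDn="CN=Users,DC=test,DC=na,DC=tibco,DC=com" roleObjectClass="group";
};
legacy {
  org.mortbay.jetty.plus.jaas.ldap.LdapLoginModule required
    hostname="ldap.example.test" port="636" useLdaps="true" forceBindingLogin="true";
};
"""


def lint_text(text):
    """Parse, lint and re-render a JAAS file; returns (findings, migrated_text)."""
    apps = parse_jaas(text)
    return lint(apps), render(apps)
```

Run it as `python lint_jaas.py` after adding a `print(lint_text(open("emsca_ldap.jaas").read()))` line, or import it. On the embedded sample it reports the three production issues in the tibemsca entry (no LDAPS, cleartext bind password, debug on) and the class-name migration for the legacy entry, and the rendered output is the migrated file; anything it cannot parse (for example an unknown control flag) raises ValueError rather than being silently skipped, because a JAAS file that Java cannot parse would leave EMSCA with no working login configuration.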