How to configure JAAS for EMSCA using a property file.


Article ID: KB0093820


Products Versions
TIBCO Enterprise Message Service -
Not Applicable -

Description

This article describes how to use Jetty's sample LoginModule, PropertyFileLoginModule, to configure JAAS authentication for EMSCA.


Symptoms:
N/A
Cause:
N/A

Issue/Introduction

How to configure JAAS for EMSCA using a property file.

Environment

ALL

Resolution

When JAAS is configured for EMSCA, each time a user attempts to add or refresh an EMS server or deploy configuration changes, the Central Administration server uses the JAAS user ID and password presented by the user to authenticate with the EMS server. If the user does not have sufficient privileges, the action fails. You therefore need to add each JAAS user ID and password configured in EMSCA to the EMS servers, with the corresponding admin privileges.

For example, you can configure EMSCA JAAS users in a plain text file:

1). Create a file, emsca.jaas, that defines the LoginModule configuration using PropertyFileLoginModule.

#####
tibemsca {
       org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
       debug="true"
       file="users.txt";
};
#####

2). The users.txt file defines the username, password and role of each user (emsca-admin or emsca-guest). Passwords can be stored in clear text, obfuscated, checksummed or encrypted, in order of increasing security. The class org.mortbay.jetty.security.Password can be used to generate all varieties of passwords.


java -cp ./jetty-all.jar  org.eclipse.jetty.util.security.Password
Usage - java org.eclipse.jetty.security.Password [<user>] <password>
If the password is ?, the user will be prompted for the password

For example, to replace the clear-text password adminpassword for the user admin, run the following:


java -cp ./jetty-all.jar  org.eclipse.jetty.util.security.Password  admin adminpassword
adminpassword
OBF:1s3g1vg11wn11xf51xmi1y0s1ri71y0y1xms1xfx1wn51vgt1s3m
MD5:e3274be5c857fb42ab72d786e281b4b8

CRYPT:adDu2y7orMx7Y


Then copy whichever secure version you choose, including its OBF:, MD5: or CRYPT: prefix, over the clear-text password in users.txt. The format of users.txt is: <username>: <password>[,<rolename> ...]

Example
#####
admin:OBF:1s3g1vg11wn11xf51xmi1y0s1ri71y0y1xms1xfx1wn51vgt1s3m, emsca-admin
guest:MD5:81011aa42a2a32887835a090dec3d7fb, emsca-guest
#####
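As an added example (not part of the original article, and not TIBCO or Jetty code), the following Python check parses users.txt in the format above and flags entries that deserve attention before EMSCA is started. It assumes that only the two roles named here are expected and that every user should carry one; OBF: entries are flagged because Jetty's obfuscation is reversible.

```python
import re

KNOWN_ROLES = {"emsca-admin", "emsca-guest"}   # the two roles this article names
PREFIXES = ("OBF:", "MD5:", "CRYPT:")          # prefixes written by Jetty's Password tool

def audit_users(text):
    """Classify each users.txt entry; return (user, scheme, roles, issues) tuples."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":        # blank or properties-style comment
            continue
        user, sep, rest = line.partition(":")  # assumes the ':' separator shown above
        user, rest = user.strip(), rest.strip()
        if not sep or not user or not rest:
            findings.append((user or line, None, [], ["malformed entry"]))
            continue
        cred, *roles = [part.strip() for part in rest.split(",")]
        roles = [r for r in roles if r]
        scheme = next((p[:-1] for p in PREFIXES if cred.startswith(p)), "CLEAR")
        issues = []
        if scheme == "CLEAR":
            issues.append("password stored in clear text")
        elif scheme == "OBF":
            issues.append("OBF is reversible obfuscation, not a hash")
        elif scheme == "MD5" and not re.fullmatch(r"[0-9a-fA-F]{32}", cred[4:]):
            issues.append("MD5 value is not 32 hex digits")
        if not roles:
            issues.append("no role assigned")
        issues += [f"unknown role: {r}" for r in roles if r not in KNOWN_ROLES]
        findings.append((user, scheme, roles, issues))
    return findings

# Constructed sample: the first two entries are the article's examples, the rest are invented.
SAMPLE = """\
# users.txt
admin:OBF:1s3g1vg11wn11xf51xmi1y0s1ri71y0y1xms1xfx1wn51vgt1s3m, emsca-admin
guest:MD5:81011aa42a2a32887835a090dec3d7fb, emsca-guest
ops: changeme, emsca-operator
audit:MD5:1234
"""

if __name__ == "__main__":
    for user, scheme, roles, issues in audit_users(SAMPLE):
        print(f"{user:6} {str(scheme):6} {','.join(roles) or '-':15} {'; '.join(issues) or 'ok'}")
```

Because users.txt holds credentials that also exist on the EMS servers, restrict read access to the account that runs EMSCA, whichever storage form is chosen.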

Make sure the users admin and guest have the same passwords defined in the EMS server(s), with privileges corresponding to their roles. Then start EMSCA with JAAS enabled. There are two ways to do this.


a). Start the EMSCA server with `-j` or `--jaas` followed by the path to the JAAS configuration file, for example:

tibemsca.bat -j emsca.jaas

b). Set the property `com.tibco.emsca.jaas` in the EMSCA configuration file to the JAAS configuration file, emsca.jaas. For example, the EMSCA configuration file emsca.property contains the following to point to emsca.jaas:

#####
com.tibco.emsca.data.dir=./emsca_data
com.tibco.emsca.http.hostport=*:8080
com.tibco.emsca.jaas=emsca.jaas
#####

Then start EMSCA with the EMSCA configuration file emsca.property:


tibemsca.bat -c emsca.property

Additional Information

Refer to KB: 44550 for EMSCA JAAS in general and enabling LDAP JAAS authentication in EMSCA.