DevPortal

How do I configure Security?

Pramati Server security is based on Java Authentication and Authorization Service (JAAS) specification.

JAAS is the Java API that provides standard authentication and authorization services to applications, so that a service can verify who a user is and enforce access controls on that user. It brings the pluggable access control architecture of the standard Pluggable Authentication Module (PAM) framework to the J2EE platform through a Java implementation of it.

Server Security can be configured for:

How do I configure Realms?

Authentication determines who is currently executing Java code. The JAAS framework defines a realm as the scope within which authentication and user management functions are valid. A realm is a logical grouping of users, groups (roles) and Access Control Lists (ACLs), and is implemented by a LoginModule (authentication) and a UserManager (user and group management). Server provides the following default implementations:

In a standalone node, the realm is implemented as an XML-based realm. In a cluster node, the realm is implemented as a DB-based realm.

For further details on realms, read Defining Security Realms.

How do I set up Password Protection?

Password can be stored for a realm based on the following algorithm types:

One of these types is selected when adding an XML-based or DB-based realm.

What are XML-Based Realms?

This type of a realm uses an XML file to store the user name, password and group information.

XML-based realm is typically used when there are limited users in the realm. This can occur when the applications deployed on the server do not use any security features or when the application is expected to have limited users.

Table 1: Initial options for the XML-based realm

Path to XML
  Value: To be specified. Mandatory.
  Description: The path to the XML file that contains the user/group definitions. The path can be given in one of three ways:
    1. A relative path using the $NODE_DIR variable, which refers to the <install_dir>\server\nodes\<node_name> directory. For example, a file in <install_dir>\server\nodes\<node_name>\config\app is specified as $NODE_DIR\config\app\<file_name>.
    2. A relative path from the Server config directory.
    3. An absolute path, or a path relative to the Server installation directory.

If no valid XML file exists at the given path, one is created; if the file exists, the user/group information is read from it. Because this file holds the realm's credentials, restrict its file-system permissions to the account the server runs as.

What is the Default DB-Based Realm?

You can use databases to store and retrieve user-related information such as user names, passwords and groups. Server provides a default implementation of a DB-based realm that can be configured to use this common repository to authenticate and authorize clients.

This implementation uses a database with the following tables for storing user names, passwords and groups:

The default implementation assumes that all the columns are of the SQL VARCHAR type.

What are the features of a DB-Based Realm?

Salient features of DB-based realm are:

How do I use LDAP Server for Authentication and Authorization?

Most organizations prefer a central repository of users that can be used across the LAN: all user details are kept in one place, they are easy to retrieve, and every user is authenticated centrally.

The most common such repository is an LDAP server. LDAP servers provide a common repository that can be used for both authentication and authorization.

Pramati Server can use any LDAP v2 or v3 compliant Server for authentication and authorization. The following LDAP directory servers have been tested on Pramati Server:

To enable Pramati Server to use LDAP Server for authentication and authorization, an LDAP based realm must be configured.

How do I Perform Authentication in LDAP-Based Realm?

In LDAP, authentication information is supplied in the "bind" operation: a client opens a connection to the LDAP server and sends a bind request that carries the credentials.

To authenticate a user, Pramati Server binds to the LDAP server with the user's name and password. If the bind succeeds, the user is treated as authenticated. Two checks a deployment should make: an empty password must be rejected before the bind is attempted, because LDAP servers may treat a bind with a DN and an empty password as an unauthenticated (anonymous) bind that succeeds without verifying anything; and a simple bind sends the password in clear text unless the connection uses SSL.

How do I perform Authorization in LDAP-Based Realm?

Besides user entries, an LDAP server also maintains group entries and the membership of users in groups. If this user-group mapping is present in the LDAP server, it can be used for authorization: an operation in a secured J2EE application is performed only if the user belongs to a group that is authorized for it.

User-Group Mapping is maintained by LDAP Servers in three ways.

Group has ‘user’ as attribute

This is the most common way of storing the user-group mapping: the group entry carries an attribute whose values identify its member users.

User has ‘group’ as attribute

In this case, user has group as attribute specifying the groups the user belongs to.

User DN contains the group mapping

In this case the user's DN itself carries the group information. For example, if the DN for a user is 'uid=Tom, ou=admin, ou=Employees, dc=xyz,dc=com' and 'ou' is taken as the group key, the DN implies that user 'Tom' belongs to two groups, 'admin' and 'Employees'.

Pramati Server supports all the three types of user-group mapping.
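How the third mapping type (group names taken from the user DN) can be evaluated, as an added example that is not Pramati code: it parses the DN with the JDK's javax.naming.ldap.LdapName, which handles RFC 2253 escaping, and collects the value of every RDN whose attribute type matches the configured group key. The class and method names are mine; the sample DN is the one from the text above.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Added example: derive group membership from a user's DN, given the attribute type used as the group key. */
public final class DnGroupMapping {

    /**
     * Returns the values of every RDN in dn whose attribute type equals groupKey
     * (attribute types are case-insensitive), ordered leftmost (most specific) first.
     */
    static List<String> groupsFromDn(String dn, String groupKey) throws InvalidNameException {
        LdapName name = new LdapName(dn);   // rejects a malformed DN with InvalidNameException
        List<String> groups = new ArrayList<>();
        // LdapName indexes RDNs right to left: index 0 is the rightmost RDN (dc=com),
        // so iterate downwards to report groups in the order they appear in the string.
        for (int i = name.size() - 1; i >= 0; i--) {
            Rdn rdn = name.getRdn(i);
            if (rdn.getType().equalsIgnoreCase(groupKey)) {
                groups.add(rdn.getValue().toString());   // getValue() returns the unescaped value
            }
        }
        return groups;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample DN, taken from the text above.
        String dn = "uid=Tom, ou=admin, ou=Employees, dc=xyz,dc=com";
        System.out.println("ou groups: " + groupsFromDn(dn, "ou"));
        System.out.println("dc groups: " + groupsFromDn(dn, "dc"));
        // An RDN value that contains a comma must be escaped in the DN. LdapName unescapes it,
        // so the single group "R,D" is returned rather than two groups "R" and "D".
        System.out.println("escaped:   " + groupsFromDn("uid=jo,ou=R\\,D,dc=xyz,dc=com", "ou"));
    }
}
```

Parsing with LdapName rather than splitting the string on commas matters for exactly the escaped case shown in main: a naive split would turn one group into two, and a user able to influence their own DN could otherwise make themselves a member of a group name of their choosing. Only apply this mapping to the DN returned by the realm's own user search, never to a DN built from client input.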

How do I use Certificate-Based Realm?

This type of realm validates the user by certificate. A certificate is a digitally signed statement that vouches for an identity and its public key; it contains the subject, the public key, the validity period, the issuer name and the issuer's signature.

To authenticate, the user presents the certificate to the server. For the server to trust and authenticate it, either the certificate of the signing certificate authority or the user certificate itself must be present in the trusted CA certificate store, located at <install_dir>\server\nodes\<node_name>\trustedcacert. Anyone who can write to that directory can add a CA the server trusts, so protect it as you would a key store.

The Certificate-based realm uses the KeyLoginModule.

The following table lists the classes that implement the Certificate-based realm:

Table 2: Classes that implement the Certificate-based realm

LoginModule
  Class name: com.pramati.security.loginmodules.certificate.KeyLoginModule
  Implements the interface: javax.security.auth.spi.LoginModule

UserManager
  Class name: com.pramati.security.loginmodules.certificate.KeyUserManager
  Implements the interface: com.pramati.services.security.spi.UserManager

What is LoginModule?

The class com.pramati.security.loginmodules.certificate.KeyLoginModule implements the Certificate-based user authentication.

What is KeyUserManager?

This class implements the com.pramati.security.spi.UserManager interface. User and group management functions are performed through it, and before any action is carried out it checks that the caller holds the relevant UserManagerPermission.

The initial options of the KeyLoginModule and the KeyUserManager are the same, except that the realm option is not available to the KeyUserManager class.

How do I add Realm using the Console?

Select Configure > Security in the Explore panel. On the displayed screen, click Add in the Realms section and select the realm type from the drop-down list. The next page varies with the realm type selected.

How do I create XML-Based Realms?

To create XML-based realms:
  1. On the Console, select Configure > Security.
  2. To add a new realm, under the section Realm select XML-based from the drop-down list and click Add.
  3. Provide the name for the realm and the path for the XML. The password can be set based on the available algorithm types discussed in the previous section.
  4. Click Save. A new XML-based realm is created, which will be listed in the realm page. For configuring the groups, click the settings link for the specified realm.

You can add the following for this realm:

How do I create DB-Based Realms?

Selecting the realm type as DB and clicking Add displays a screen for providing the following details:

Table 3: Step 2 of adding a DB-based realm

Driver: Name of the JDBC driver used to connect to the database. Mandatory.
URL: URL of the database. Mandatory.
Username: The user name used to log in to the database.
Password: The password used to log in to the database.
DB Operations:
  Create Tables: Creates the user and group tables according to the information provided below.
  Create Root User: Creates a user named root with the password pramati, creates an administrator group and adds root to it. Change this password before the server is reachable by anyone else.
User Information:
  Table Name: The table in which user details are stored. Mandatory.
  User Column: The column of that table that holds the user name. Mandatory.
  Password Column: The column of that table that holds the (hashed or encrypted) password. Mandatory.
Group Information:
  Table Name: The table in which group details are stored. Mandatory.
  Group Column: The column of that table that holds the group name. Mandatory.
User-Group Mapping:
  Table Name: The table that maps users to groups. Mandatory.
  User Column: The column of that table that holds the user name. Mandatory.
  Group Column: The column of that table that holds the group name. Mandatory.
DB Cache:
  Caching: Enables caching by instantiating the Cached PM.
  Max Entries: Size of the cache when caching is enabled. The default is 40.
  Expiry: How long user details stay cached in memory. The default is 60 seconds.
Password: Select the algorithm type, either Hash or Encrypted.
  Hash: A hash of the password is stored. Recommended. The password can only be compared, never recovered, so this type cannot be used for applications that rely on HTTP Digest Authentication, which needs the server to know the plaintext.
    Name: Select MD5 or SHA1 from the drop-down list. Both are fast, unsalted digests, so a stolen table can be attacked with precomputed tables or brute force; protect the realm database accordingly.
  Encrypted: The password is stored encrypted, that is, reversibly. Anyone who obtains the encryption key (and the salt parameters) recovers every password, so use this type only where a protocol needs the plaintext.
    Name: Select Blowfish or DES from the drop-down list. DES uses a 56-bit key and is considered broken; of the two, prefer Blowfish.
    Salt Start Index: Specify the salt start index here.
    Salt Length: Specify the salt length here.
    Padding: Set to true by default.
Password Details: Specify the following details regarding passwords:
  Expiry: Whether passwords expire or are permanent. If enabled, the user must change the password after the period given in the Expiry Time field.
  Expiry Time: The number of days for which a password remains valid. The default is 180 days. Applies only if Expiry is set to Enabled.
  Password Expiry Column: The column in which details related to password expiry are stored.
Weak Password Detection:
  Dictionary File: The dictionary file used by cracklib to detect weak passwords. Read 'How do I use Cracklib to detect weak passwords?' for details.
  Validation Class: A custom password verifier class can be supplied in place of the built-in cracklib check (see 'How do I detect Weak Passwords?').

To encrypt passwords for a DB-based realm, provide the algorithm type for the password field. The various algorithm types are described in the previous section. After providing the necessary details for the DB-based realm, click Save.
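What the Hash option implies for verification, as an added example (not the server's own storage code; the exact encoding the server writes to the password column is not stated on this page): the stored value is a digest, so a login is checked by recomputing the digest of the candidate and comparing, and the comparison is done with MessageDigest.isEqual so that its timing does not leak how many leading bytes matched. The last method shows why a Hash-type realm cannot serve HTTP Digest Authentication: the HA1 value of RFC 2617 is computed from the plaintext password. All class, method and sample values are mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

/** Added example: verifying a password against a stored digest, and why a digest cannot serve HTTP Digest auth. */
public final class HashedPasswordCheck {

    /** Lower-case hex digest of the UTF-8 bytes of password. JDK algorithm names are "MD5" and "SHA-1". */
    static String hexDigest(String algorithm, String password) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance(algorithm)
                .digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** Recompute the digest of the candidate and compare it in constant time (no early exit on the first mismatch). */
    static boolean matches(String algorithm, String storedHex, String candidate) throws NoSuchAlgorithmException {
        byte[] expected = storedHex.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = hexDigest(algorithm, candidate).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    /**
     * HA1 of RFC 2617 HTTP Digest Authentication. It needs the plaintext password, which a realm
     * that stores only a digest of the password no longer has.
     */
    static String digestHa1(String user, String realm, String plaintextPassword) throws NoSuchAlgorithmException {
        return hexDigest("MD5", user + ":" + realm + ":" + plaintextPassword);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample: what a SHA1-type realm would keep for this password.
        String stored = hexDigest("SHA-1", "correct horse battery");
        System.out.println("right password accepted: " + matches("SHA-1", stored, "correct horse battery"));
        System.out.println("wrong password accepted:  " + matches("SHA-1", stored, "correct horse batter"));
        // HA1 can only be computed while the server still holds the plaintext, e.g. at login or password change.
        System.out.println("HA1 for digest auth: " + digestHa1("root", "system", "correct horse battery"));
    }
}
```

Because the digest is unsalted, two users with the same password get the same stored value, and a leaked table can be attacked with precomputed tables; that is the trade-off behind the recommendation to prefer Hash over Encrypted, and the reason the realm database itself must be protected.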

You can add Groups to the realm by clicking the settings link. Provide here the names of the Groups you would like to add to the realm. The new DB-based realm is created. If the DB tables do not exist, they are created.

How do I detect Weak Passwords?

A simple way to break server security is to guess the server administrator's password. To force users to choose passwords that are hard to crack, implement the com.pramati.security.base.CheckPasswordSecurity interface. It declares a single method, isPasswordSecure(...), which rejects a weak password by throwing BadPasswordException. Once an implementation class has been written, the server administrator supplies its name in the UserManager option checkPasswordClass; the class must be on the Server's classpath.

Following is a sample implementation which throws an exception if the password is missing or shorter than 6 characters:

import java.util.Properties;
import com.pramati.security.base.CheckPasswordSecurity;
import com.pramati.services.security.BadPasswordException;

public class SampleCheckPasswordSecurity implements CheckPasswordSecurity
{
    // Called before a password is accepted; options carries the realm's init options.
    public void isPasswordSecure(Properties options, String password)
        throws BadPasswordException
    {
        // A null password would otherwise cause a NullPointerException instead of a clear rejection.
        if (password == null || password.length() < 6)
            throw new BadPasswordException("Password is too short");
    }
}
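A stricter implementation of the same interface, added here as an example rather than taken from the product: it reads a minimum length from the init options (the option key minPasswordLength is an assumption; the page names no option keys other than checkPasswordClass), requires three of four character classes, and rejects a small built-in list of common passwords. It depends only on the CheckPasswordSecurity interface and BadPasswordException shown in the sample above, and is wired in the same way, through the checkPasswordClass option.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import com.pramati.security.base.CheckPasswordSecurity;
import com.pramati.services.security.BadPasswordException;

/** Added example: a stricter CheckPasswordSecurity than the six-character sample. */
public class StrictCheckPasswordSecurity implements CheckPasswordSecurity {

    // Hypothetical option key, read from the realm's init options passed in the Properties argument.
    static final String MIN_LENGTH_OPTION = "minPasswordLength";
    static final int DEFAULT_MIN_LENGTH = 12;

    // Constructed denylist: entries that appear in every cracking word list, including this product's default.
    private static final Set<String> DENYLIST = new HashSet<>(Arrays.asList(
            "password", "pramati", "123456", "12345678", "qwerty", "letmein", "welcome", "admin"));

    @Override
    public void isPasswordSecure(Properties options, String password) throws BadPasswordException {
        if (password == null) {
            throw new BadPasswordException("Password is missing");
        }

        // Minimum length: configurable, but never below the default unless explicitly set.
        int minLength = DEFAULT_MIN_LENGTH;
        String configured = options == null ? null : options.getProperty(MIN_LENGTH_OPTION);
        if (configured != null) {
            try {
                minLength = Integer.parseInt(configured.trim());
            } catch (NumberFormatException e) {
                throw new BadPasswordException("Invalid " + MIN_LENGTH_OPTION + " option: " + configured);
            }
        }
        if (password.length() < minLength) {
            throw new BadPasswordException("Password must be at least " + minLength + " characters");
        }

        // Dictionary check: case-insensitive, so "Password" and "PRAMATI" are rejected too.
        if (DENYLIST.contains(password.toLowerCase(Locale.ROOT))) {
            throw new BadPasswordException("Password is too common");
        }

        // Character classes: require at least three of lower case, upper case, digit, other.
        boolean lower = false, upper = false, digit = false, other = false;
        for (char c : password.toCharArray()) {
            if (Character.isLowerCase(c)) lower = true;
            else if (Character.isUpperCase(c)) upper = true;
            else if (Character.isDigit(c)) digit = true;
            else other = true;
        }
        int classes = (lower ? 1 : 0) + (upper ? 1 : 0) + (digit ? 1 : 0) + (other ? 1 : 0);
        if (classes < 3) {
            throw new BadPasswordException(
                    "Password must mix at least three of: lower case, upper case, digits, symbols");
        }
    }
}
```

The method deliberately reports which rule failed, since the message reaches the user who is choosing the password, not an attacker; the rules themselves should be treated as a floor, with the cracklib dictionary check described next layered on top.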

How do I use Cracklib to detect weak passwords?

Cracklib was originally a Unix software library for detecting weak passwords. It uses a dictionary-based check to determine whether a password chosen by a user can easily be guessed. The Java version of cracklib can be used to stop users from choosing weak passwords in Server.

To enable this facility:

  1. Download the latest version of cracklib and extract it to the <install_dir>\cracklib.
  2. Setup your CLASSPATH to point to <install_dir>\cracklib.
  3. Run java org.solinger.cracklib.Packer make <install_dir>\config\cracklib.dict words. This creates a compressed dictionary file needed by cracklib under the <install_dir>\config directory.

How do I set up a Realm to use Cracklib?

To setup your realm to use cracklib for detecting weak passwords:
  1. Add <install_dir>\cracklib\classes to your server's CLASSPATH. If the server is already running, restart the server after changing the CLASSPATH.
  2. When you create a DB-based realm, set the init option checkPasswordClass to com.pramati.security.loginmodules.db.CracklibCheckPasswordSecurity, and set dictionaryWordsFileName in the LoginModules options to the dictionary file created above, while adding the realm.

Note: Set up your realm to use Cracklib when you create it. To set it up later, you need to edit security-config.xml, located at <install_dir>\server\nodes\<node_name>\config.

How do I create LDAP-Based Realms for Pramati Server?

Select the realm type as LDAP and click Next. Provide the following details in the new page:

Table 4: Step 2 of adding an LDAP-based realm

Context Factory: The JNDI context factory used for the LDAP connection. If not specified, com.sun.jndi.ldap.LdapCtxFactory is used. Mandatory.
Server IP, Port: IP address and port of the LDAP server.
UseSSL: Enables SSL for the realm's connection to the LDAP server. Without it, a simple bind sends passwords in clear text.
Authentication Type: Authentication type used for the connection to the LDAP server; this is the same as Context.SECURITY_AUTHENTICATION. Select "none", "simple" or "strong" from the drop-down list. The default is "simple". With "none" the connection is an anonymous bind and the super user credentials are not sent.
Super User DN: The DN (or name) of the super user account the server binds with to search for users and groups.
Super User Password: Password of the super user.
User Search Criteria:
  Base DN: The DN at which the search for a user starts. Mandatory.
  Search Filter: The filter used to find a user. An example is (CN=%U), where '%U' is replaced at runtime by the user name being searched. Any complex filter may be used, for example (&(cn=%U)(objectClass=account)). Because the user name is substituted into the filter, filter metacharacters in it (asterisk, parentheses, backslash, NUL) must be escaped or the user name can rewrite the filter. Mandatory.
  Search Scope: Where to look for the user. Possible values are "SubTree" and "OneLevel": use "OneLevel" if the user is immediately under the Base DN, "SubTree" if the whole subtree should be searched.
Group Configuration:
  XML-based: If selected, the XML file provided is used to fetch the user-group mapping, and therefore for authorization. Not selected by default.
    File: Path of the file that contains the group information and user-group mapping.
  LDAP-based: Group Search
    Base DN: The DN at which the search for a group starts. Mandatory.
    Search Filter: The filter used to find a group. An example is (OU=%G), where '%G' is replaced at runtime by the group name being searched. Mandatory.
    Search Scope: Whether to search only immediately under the group Base DN or the whole subtree. Possible values are "SubTree" and "OneLevel".
  User-Group Mapping:
    Group has User/Subgroup as its attributes: Provide the user and subgroup attribute keys, that is, the attributes through which users and subgroups are associated with the group.
    User/Subgroup has Group as its attribute: Provide the group attribute key through which the parent group is associated with the user or subgroup.
    User DN has Group: Provide the key name (attribute type) that identifies groups in the user DN.

If the LDAP server does not hold the user-group mapping, so that LDAP is used only for authentication and not for authorization, the mapping can be defined in an XML file instead.
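How the '%U' substitution in the user search filter should be done, and the empty-password guard for the bind step described under authentication, as one added example (not the server's code; whether Pramati Server escapes the user name before substitution is not stated on this page). The escaping follows RFC 4515 section 3, which is the rule any LDAP client must apply when it places untrusted text inside a filter. The class and method names are mine.

```java
/** Added example: building the user search filter safely from the configured template and the user name. */
public final class LdapUserFilter {

    /** Escape the characters that RFC 4515 gives special meaning inside a filter assertion value. */
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Replace every %U in the configured template with the escaped user name. */
    static String buildUserFilter(String template, String userName) {
        if (userName == null || userName.isEmpty()) {
            throw new IllegalArgumentException("user name must not be empty");
        }
        return template.replace("%U", escapeFilterValue(userName));
    }

    /**
     * Guard for the bind step. RFC 4513 allows a server to treat a bind with a DN and an empty
     * password as an unauthenticated (anonymous) bind, which succeeds without checking anything,
     * so the client must refuse to bind before that can happen.
     */
    static void requireNonEmptyPassword(char[] password) {
        if (password == null || password.length == 0) {
            throw new IllegalArgumentException("refusing to bind with an empty password");
        }
    }

    public static void main(String[] args) {
        String template = "(&(cn=%U)(objectClass=account))";   // the complex filter from the table above
        System.out.println(buildUserFilter(template, "tom"));
        // Constructed hostile user name: every metacharacter in it becomes a literal in the filter,
        // so the injected "(cn=*" clause cannot widen the search.
        System.out.println(buildUserFilter(template, "*)(cn=*"));
        requireNonEmptyPassword(new char[] {'s', '3', 'c', 'r', 'e', 't'});
    }
}
```

For the hostile name in main, the escaped substitution is \2a\29\28cn=\2a, which matches only an entry literally named that way; substituted raw, the same name turns the filter into (&(cn=*)(cn=*)(objectClass=account)), which matches every account under the Base DN, and the realm would then bind as whichever entry the search returned first.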

How do I create Users and Groups in LDAP-Based Realm?

Adding a user or a group, or assigning users to groups, is the LDAP administrator's responsibility and should not be done by any other system or user. For this reason, users and groups cannot be added to the LDAP server from Pramati Server's Console.

If the user-group mapping is not held in the LDAP server and an XML file is used for it instead, users and groups can be added to that XML file from the Console. A user must still exist in the LDAP server for authentication to succeed.

How do I add Groups?

To add a Group:
  1. On the Console, select Configure > Security in the Explore panel. This displays the Security screen. By default, the system realm is defined when you install Server.
  2. Click Settings for an existing realm. This leads you to the Security > Realm screen that displays the details of the selected realm. The existing Groups, Permissions, Login Module, and User Manager are listed in this page.
  3. Under the Groups section, click Add. This leads you to the Security > Realm > Add Group screen for adding a group.
  4. Provide the Name for the Group to be added, and select the available Groups and Users to be added to the new Group. The selected group will be added as a sub-group for this group.

If the realm is an LDAP realm, and the User-Group mapping is in LDAP, the Group cannot be added to that realm.

For a DB-based realm that uses existing User, Group and User-Group tables whose structure differs from the default structure used by the Server, it may not be possible to add a group or a user through the Console.

On the next screen, add Permissions for the new Group, and click Save. This adds the group to the realm. The details are provided on the main page.

How do I add Sub-groups?

To add a sub-group to a group, on the screen for adding a group:
  1. Click Settings for an existing realm. This leads you to the Security > Realm screen that displays the details of the selected realm.
  2. Under the Groups section, clicking on Add leads you to the Security > Realm > Add Group screen for adding a group.
  3. Provide the Name for the Group to be added.
  4. Select the available Groups to be added to the new Group and click the >> button.
  5. The selected group will be added as a sub-group for this group and click Save.

How do I remove Sub-groups?

To remove a sub-group from a parent group:
  1. Start and connect to Server.
  2. On the Console, select Configure > Security in the Explore panel.
  3. Click Settings for an existing realm.
  4. Click on the group name from which the sub-group has to be deleted. All sub-groups and users associated with this group are displayed.
  5. Select the required sub-group using the checkbox, and click Delete.
The sub-group is removed from the parent group.

Note: When you delete a sub-group from a parent group, you only remove the parent-child association. The sub-group and the other associations of the group (if any) are retained in the realm.

How do I add Permissions?

To add a permission:
  1. On the Console, select Configure > Security in the Explore panel.
  2. Click Settings for an existing realm.
  3. Under the Permissions section, click Add. This displays the Security > Realm > Add Permission screen for adding a group.
  4. Enter a name and select the permission type from the drop-down list. Read the section on Permission Types for more information.
  5. Click Add.
The new permission is added and listed in realm page. You can now modify the default values of the permission for desired actions and groups.

How do I associate Actions and Groups with Permissions?

After you create a permission, you need to specify the actions that are permitted. To associate actions and groups with a permission:
  1. Start and connect to Server.
  2. On the Console, select Configure > Security in the Explore panel.
  3. Click any existing realm. The realm appears and the existing permissions and groups are listed in this page.
  4. Click the required permission.
  5. A list of existing groups and the actions that are permitted for the selected permission appears in the Permissions page.
  6. Select the required actions against the required group.
  7. Click Save.

How do I delete Permissions?

To delete a permission:
  1. Start and connect to Server.
  2. On the Console, select Configure > Security in the Explore panel.
  3. Click any existing realm. By default, the system realm is defined when you install Server.
  4. The realm page appears. The existing permissions and groups are listed in this page.
  5. Select the permission that has to be deleted from the list of permissions and click Delete.

How do I add Users?

To add a user using the Console:
  1. Start and connect to Server.
  2. On the Console, select Configure > Security in the Explore panel.
  3. Click Settings for an existing realm.
  4. Under the Groups section, click Add User. This leads you to the Security > Realm > User screen for adding a user. Provide the following details for the new user:

    Table 5: Adding a User

    Name: Name of the new user
    Password: Password used to authenticate the new user
    Retype Password: Confirm the password
    Groups: Select the available groups to which the new user is to be added, using the '>>' button
  5. Click Save. This adds the user to the selected group, whose Users count increases by one. Clicking the group name link displays the user's details.

If no group is selected while adding the user, the user is placed in the 'Everybody' group and can be assigned to other groups later.

To make changes to the password and the group fields, click Edit against the selected user.

How do I delete Users?

A user can be deleted from a group, or can be completely removed from the Server.

To delete a user from a specific group:

  1. Click the required group. The list of existing users and permissions appears in the Group page.
  2. Select the user to be deleted from the list using the checkbox, and click Delete.
This deletes the selected user from just the selected group.

To remove a user from the server:

  1. Select Configure > Security > Edit > All Users. The list of existing users and permissions appears.
  2. Select the user to be deleted from the list using the checkbox, and click Delete.

How do I change Passwords?

To change the password for the Console:
  1. Select Start > Programs > Pramati <version_no.> > Server Administration.
  2. Enter the user name and password and press Enter to log in to the Console. The installation defaults are user root with password pramati; because this pair is published in the product documentation, change it immediately after installation.
  3. On the Console screen, select Configure. There are two ways for changing the password:

How do I use User Settings to change Passwords?

Select Configure > User Settings in the Explore panel. This takes you directly to a screen where you can modify the password settings. Enter the old and the desired password. Confirm the password and click Save. The password is changed and should be used the next time you log in.

How do I use Security Option to Change Passwords?

Select Configure > Security in the Explore panel. On this page, click Settings against the realm that holds the user whose password is to be changed. This leads you to the Security > Realm screen, which displays the details of the selected realm:

Changing Password for Users in Groups

Under Groups, click All Users. This takes you to the Security > Realm > Users screen. Click Settings for the user for which the password is to be changed. This takes you to a screen for editing the following details:

Table 6: Changing the password for the selected user

Old Password: The existing password for the user
New Password: The new password for the user
Retype New Password: Retype the new password
Group List: The groups to which the user belongs

The name of the user is displayed by default. Click Save to go back to the Security > Realm page.

How do I set URL Access Control?

Access to each application can be restricted to a list of IP addresses using the URL access control option on the Configure > Security page. For the application, choose Edit IP Access.

Select Enable Access Control, then click Allow IPs and provide the list of IPs that may access the application. A request for that application is honoured only when it comes from one of the listed IPs. The check is made on the source address of the connection, so if a reverse proxy or load balancer sits in front of the server every request appears to come from the proxy's address and the restriction must be applied at the proxy instead. An IP allow list is also no substitute for authentication, since several users may share one address behind NAT.

What is Server Authentication for Web Clients?

The Web client passes the login information, including the user name, password and realm name, to the Web container. The Web container service in Pramati Server hands this information to the security framework for client authentication. The LoginModule in the security framework verifies the user name and password and, on success, populates the Subject with its Principals. The Web container receives the populated Subject, associates it with the session context and uses it for all further operations.

For a user name/password realm, the Web client supplies the credentials through HTTP Basic or form-based authentication. For a Certificate-based realm over HTTPS, the SSL layer authenticates the client by its certificate.

What is Server Authentication for Standalone Java Clients?

Since Java clients run outside the server's VM, the server's configuration and LoginModules are not directly available to them. To let a Java client authenticate to the server, Pramati's JAAS framework provides client-side LoginModules.

For authentication against a user name/password realm, use com.pramati.security.client.ClientLoginModule.

For authentication against a Certificate-based realm, use com.pramati.security.client.ClientCertificateLoginModule. Once the client is authenticated, the Subject is populated with its Principals and returned to the client.

The client LoginModule hides the details of the authentication exchange with the server: the client creates a standard JAAS LoginContext that refers to it and calls login().

To perform server authentication:

  1. Define a login configuration file by specifying the port on which the server is listening and the realm into which the user wishes to log in.
  2. Write a client program that creates a LoginContext and invokes the login() method. Read Sample CertificateClientLoginModule for Server authentication.
  3. Invoke the client program and specify the path and name of the configuration file as a parameter.

What is a Configuration File?

The login config file conforms to JAAS configuration format.

Example of a configuration file:

Login {
    com.pramati.security.client.ClientLoginModule required
        com.pramati.realm="realm://127.0.0.1:9191/system";
};

The entry name, Login, is the name the client passes to the LoginContext constructor. The module option com.pramati.realm specifies the server host (127.0.0.1), port (9191) and realm (system) into which the user wishes to log in.

How do I invoke ClientLogin?

To invoke the ClientLogin module at the command prompt, enter:
java -Djava.security.auth.login.config=<pathtologin.cfg> <client’s class name>

In both Web and Java client authentication, the login information is stored in a log file by the security auditor.
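The client program from step 2 of the procedure above, as an added example rather than the product's sample: it creates a LoginContext for the "Login" entry of the configuration file, supplies the user name and password through a CallbackHandler, and prints the Principals of the populated Subject. That ClientLoginModule asks for the standard NameCallback and PasswordCallback is an assumption, since the page does not list the callbacks it uses; the Pramati client classes must be on the classpath for the login to run.

```java
import java.io.BufferedReader;
import java.io.Console;
import java.io.IOException;
import java.io.InputStreamReader;
import java.security.Principal;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Added example: a standalone client that logs in through the "Login" entry of the JAAS configuration file. */
public final class SampleClientLogin {

    /** Answers the name and password callbacks that a user name/password LoginModule issues (assumed callbacks). */
    static final class StaticCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        StaticCallbackHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "callback type not supported");
                }
            }
        }
    }

    /** Runs the login; the LoginContext is returned so the caller can logout() when finished. */
    static LoginContext login(String entryName, String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext(entryName, new StaticCallbackHandler(user, password));
        lc.login();   // drives the configured LoginModule; throws LoginException if authentication fails
        return lc;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java -Djava.security.auth.login.config=login.cfg SampleClientLogin <user>");
            System.exit(2);
        }
        // Read the password without echo where a console is available, never from the command line.
        Console console = System.console();
        char[] password = console != null
                ? console.readPassword("Password: ")
                : new BufferedReader(new InputStreamReader(System.in)).readLine().toCharArray();
        try {
            LoginContext lc = login("Login", args[0], password);
            Subject subject = lc.getSubject();
            for (Principal p : subject.getPrincipals()) {
                System.out.println(p.getClass().getName() + ": " + p.getName());
            }
            lc.logout();
        } finally {
            Arrays.fill(password, '\0');   // do not leave the password in the heap longer than needed
        }
    }
}
```

The password is taken from the console rather than from an argument so that it does not appear in process listings or shell history, and the char array is zeroed after use; the login configuration path is still supplied with -Djava.security.auth.login.config as shown above.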

Related Documents

To get information about JAAS, refer to:

© Pramati Technologies 2007