User Authentication
TIBCO ActiveSpaces security allows you to authenticate the users of security domain requestors.
If the security domain for a metaspace has been configured to perform user authentication, then user authentication occurs when a security domain requestor tries to connect to the metaspace. If authentication fails, the connection to the metaspace fails.
The authentication setting in the security policy file used by the security domain controller for a metaspace controls how users are authenticated. You can specify two types of user authentication: user name and password (userpwd) or X.509 certificate-based (x509).
Username and password authentication can be performed using the operating system's authentication services or an LDAP server. Certificate-based authentication can only be done using an LDAP server.
The basic format of the authentication setting in the security policy file is:
authentication=<none(default)|userpwd|x509>;[source=<system|ldap>;<source property>;...;hint=<string>]
If you specify userpwd or x509 for the authentication setting, you must specify source settings to enable the security domain controller to connect to the system that performs the authentication:
- source=system specifies that the security domain controller should use operating system services to authenticate users.
- source=ldap indicates that the security domain controller should connect to and use an LDAP server for authentication.
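The following is an added example (not TIBCO's code) that parses the authentication setting line in the format shown above and checks it against the rules stated here: userpwd and x509 require a source, the source must be system or ldap, and certificate (x509) authentication is only possible with source=ldap. Anything after the source entry is treated as a source property, and hint is kept separately. The property key ldap_url and the sample values are constructed placeholders, not the product's actual property names.

```python
"""Validate the `authentication=` setting of an ActiveSpaces security policy file.

Added example, not TIBCO's code. It encodes only the rules stated in the text:
  - authentication is none (default), userpwd or x509
  - userpwd and x509 require a source setting (system or ldap)
  - x509 (certificate) authentication can only use source=ldap
  - further `key=value` entries are source properties; `hint=<string>` is optional
Property keys used in the samples (e.g. ldap_url) are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_METHODS = {"none", "userpwd", "x509"}
VALID_SOURCES = {"system", "ldap"}


@dataclass
class AuthSetting:
    method: str = "none"
    source: Optional[str] = None
    properties: Dict[str, str] = field(default_factory=dict)
    hint: Optional[str] = None
    errors: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def parse_auth_setting(line: str) -> AuthSetting:
    """Parse `authentication=...;source=...;prop=val;...;hint=...` and validate it."""
    setting = AuthSetting()
    parts = [p.strip() for p in line.strip().rstrip(";").split(";") if p.strip()]
    if not parts or not parts[0].startswith("authentication="):
        setting.errors.append("setting must start with authentication=")
        return setting
    # An empty value falls back to the documented default, none.
    setting.method = parts[0].split("=", 1)[1].strip() or "none"
    if setting.method not in VALID_METHODS:
        setting.errors.append(f"unknown authentication method {setting.method!r}")
    for part in parts[1:]:
        if "=" not in part:
            setting.errors.append(f"malformed entry {part!r}")
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        if key == "source":
            setting.source = value
        elif key == "hint":
            setting.hint = value
        else:
            setting.properties[key] = value  # source-specific property
    _check_rules(setting)
    return setting


def _check_rules(s: AuthSetting) -> None:
    """Apply the source rules that the documentation states for each method."""
    if s.method == "none":
        return
    if s.source is None:
        s.errors.append(f"authentication={s.method} requires a source setting")
        return
    if s.source not in VALID_SOURCES:
        s.errors.append(f"unknown source {s.source!r}")
        return
    if s.method == "x509" and s.source != "ldap":
        s.errors.append("certificate (x509) authentication requires source=ldap")


if __name__ == "__main__":
    # Constructed sample lines; ldap_url and the hint text are placeholders.
    for sample in (
        "authentication=none",
        "authentication=userpwd;source=system;hint=Enter your OS credentials",
        "authentication=x509;source=system",
        "authentication=x509;source=ldap;ldap_url=ldap://example.invalid:389;hint=Insert smart card",
        "authentication=userpwd",
    ):
        result = parse_auth_setting(sample)
        print(("OK   " if result.ok else "FAIL ") + sample, result.errors)
```

Running the block reports the third and fifth samples as failures: x509 with source=system, and userpwd with no source at all, which are exactly the two misconfigurations the rules above rule out.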
See the following sections for more detailed information on how to configure the authentication settings for operating system or LDAP authentication:
For each type of authentication, TIBCO ActiveSpaces prompts the user of the security domain requestor to enter the appropriate information needed for authentication (for example, user name and password, location of PKCS#12 file, and the password of the private key in the file).
You can override the default behavior for retrieving authentication information by using a callback mechanism. If a callback function is available, then when a security domain requestor tries to connect to a metaspace, ActiveSpaces uses the callback function to retrieve the user's authentication information instead of using the default behavior provided by TIBCO ActiveSpaces. See Authentication Callback for more detailed information.
- Operating System User Authentication
User name and password authentication can be done using the operating system to authenticate the user. When operating system authentication is used and a security domain requestor first tries to connect to a metaspace, TIBCO ActiveSpaces prompts the user to enter their:
- LDAP User Authentication
You can configure user authentication to use an LDAP server to perform user name and password authentication. When user name and password authentication is used with LDAP and a security domain requestor first tries to connect to a metaspace, TIBCO ActiveSpaces prompts the user to enter their:
- LDAP Certificate Authentication
Security domain controllers can be configured to perform certificate authentication using an LDAP server. When certificate authentication is used and a security domain requestor attempts to connect to a metaspace, the user is prompted to enter the following:
- Authentication Callback
Sometimes you might not want to use ActiveSpaces' default behavior for retrieving user authentication information. For example, if you want your users to use a smart card or USB drive to hold their authentication information and to authenticate security domain users automatically without their being aware that the authentication has taken place, you can override the default behavior.