Copyright © Cloud Software Group, Inc. All Rights Reserved
Copyright © Cloud Software Group, Inc. All Rights Reserved


Chapter 11 Security Policies : Shared Resources Properties
Shared Resources Properties
This section explains the properties of supported shared resources.
Configuring LDAP Authentication Shared Resource
Description
The LDAP authentication shared resource is used to authenticate the user name and password against the LDAP server. The user name is specified as the usernameToken in the incoming request from the client.
Use Case
Verifying usernameToken in the incoming request.
Properties
Table Properties for LDAP Authentication Shared Resource describes the properties for LDAP Authentication Shared Resource.
Table 107 Properties for LDAP Authentication Shared Resource
Property
Description
com.tibco.asg.intent.usernameToken
 
Boolean intent property indicates if the LDAP authentication method can be enforced on the request message or not. Possible values are true or false.
If the value of this property set to true, the request message must contain a valid username token.
com.tibco.trinity.runtime.core.provider.authn.ldap.initialCtxFactory
 
Specifies the name of the JNDI Factory to use.
The default value is com.sun.jndi.ldap.LdapCtxFactory (Sun's LdapCtxFactory).
Optional.
com.tibco.trinity.runtime.core.provider.authn.ldap.serverURL
 
Specifies the URL to connect to the LDAP directory server. The LDAP URL is defined as: ldap://hostname:port. The LDAP SSL URL is defined as: ldaps://hostname:port
Required.
com.tibco.trinity.runtime.core.provider.authn.ldap.searchTimeOut
 
The time (in milliseconds) to wait for a response from the LDAP directory server. A value of 0 causes it to wait indefinitely. If a negative number is specified, it uses the provider's default setting.
Optional.
com.tibco.trinity.runtime.core.provider.authn.ldap.userAttributeUsersName
 
The name of the attribute in the user object that represents the user's name. The value depends on what LDAP server is used. If you are use ActiveDirectory LDAP Server, set this value as CN. If SunOne or OpenLDAP LDAP Server is used, set this value as uid.
Optional.
com.tibco.trinity.runtime.core.provider.authn.ldap.userAttributesExtra
 
Specifies the optional list of user attributes to retrieve from the LDAP directory during authentication. Separation characters for the list of user attributes are comma, any ASCII whitespace or semicolon.
For example, mail givenname
Optional.
com.tibco.trinity.runtime.core.provider.authn.ldap.userSearchBaseDN
 
Specifies the base distinguished name (DN) where the searches for the users begin. You must supply the base DN that narrows the search to the smallest set of objects that includes all valid users. This is relevant only when used with administrator's credentials in search mode.
For example, ou=people,ou=na,dc=example,dc=org
Required in admin (search) mode.
com.tibco.trinity.runtime.core.provider.authn.ldap.userSearchExpression
 
Specifies the expression to be used for searching in admin mode against potential user objects. For example, search expression is specified as: (&(uid={0})(objectClass=person)).
In this string, the variable {0} represents the name of the user. The code substitutes the user name for this variable, and passes the resulting boolean expression to the LDAP server. The LDAP server matches that search expression against user objects to find a match. The search result must contain exactly one match.
This property is relevant only when credentialProvider property is set and the binding is done as administrator; otherwise userDNTemplate is used.
Required in admin (search) mode.
com.tibco.trinity.runtime.core.provider.authn.ldap.userDNTemplate
 
Specifies a template to be used when formatting user's DN before binding. It is used as an alternative to admin (search) mode.
For example, uid={0},ou=employee,ou=tsi,o=tibco
Required for bind mode (not in admin (search) mode).
com.tibco.trinity.runtime.core.provider.authn.ldap.userAttributeGroupsName
 
If you specified "LDAP user indicates groups" (as either userHasGroups or userDNHasGroups) then you must supply the name of the attribute in each user object that lists the groups to which the user belongs. Otherwise, this parameter is not relevant. Mandatory when relevant.
com.tibco.trinity.runtime.core.provider.authn.ldap.userAttributesExtraList
 
Same as userAttributesExtra property but this is specified in list form.
Optional.
com.tibco.trinity.runtime.core.provider.authn.ldap.userSearchScopeSubtree
 
A boolean property which determines if the entire sub-tree is searched or not. If true value is specified, the entire sub-tree starting at the base DN is searched. Otherwise, the nodes one level below the base DN is searched.
Optional.
com.tibco.trinity.runtime.core.provider.authn.ldap.groupSearchBaseDN
 
Specifies the base distinguished name (DN) where the searches for the groups begin. You must supply the base DN that narrows the search to the smallest set of objects that includes all valid groups.
For example, ou=groups,ou=na,dc=example,dc=org
The default value is empty.
Optional.
com.tibco.trinity.runtime.core.provider.authn.ldap.enableNestedGroupSearch
 
Indicates the flag to determine if nested groups should be searched for. If the value is not set to true, the groups are only returned in which the user is the direct member.
The default value is false
Optional.
com.tibco.trinity.runtime.core.provider.authn.ldap.groupSearchExpression
 
Specifies the expression to be used for searching against potential groups. For example, search expression is specified as: (&(uid={0})(objectClass=person)).
In this string, the variable {0} represents the name of the user though. The code substitutes the user name for this variable, and passes the resulting boolean expression to the LDAP server. The LDAP server matches that search expression against groups to find all groups containing the username.
The values might be different for different LDAP server.
For example, its defined as uniquemember={0} for SunOne, cn={0} for OpenLDAP, member={0} for Active Directory.
Required.
com.tibco.trinity.runtime.core.provider.authn.ldap.groupSearchScopeSubtree
 
A boolean property which determines if the entire sub-tree is searched or not. If true value is specified, the entire sub-tree starting at the base DN for groups is searched. Otherwise, the nodes one level below the base DN is searched.
Optional.
com.tibco.trinity.runtime.core.provider.authn.ldap.groupIndication
 
Specifies how the group memberships for users are found.
The default value is noGroupInfo
Optional.
Possible values are as follows:
userHasGroups
userDNHasGroups
groupHasUsers
noGroupInfo
If the value has userHasGroups,you must specify the attribute name which points the groups the user belongs to in the userAttributeGroupsName property.
If the value has userDNHasGroups,the userAttributeGroupsName property has the attribute name which hold the DNs of groups to which the user belongs. You must specify groupAttributeGroupsName property to get a specific part of the DN name.
If the value has groupHasUsers,each group object includes a list of users that belong to the group.
If the value has noGroupInfo, group memberships aren't handled.
com.tibco.trinity.runtime.core.provider.authn.ldap.groupAttributeGroupsName
 
Depending on groupIndication's value:
groupHasUsers: group attribute holding the group's name. Example value for OpenLDAP: cn, for Active Directory: sAMAccountName. Mandatory
userHasGroups: group's name part holding group's name. If not specified the group's whole DN will be used. Example cn
otherwise ignored
com.tibco.trinity.runtime.core.provider.authn.ldap.groupAttributeSubgroupsName
 
Specifies the name of the attribute in each group object denoting subgroups.
For example, the value is defined as uniqueMember for OpenLDAP server, member for ActiveDirectory LDAP server.
Optional
com.tibco.trinity.runtime.core.provider.authn.ldap.groupAttributeUsersName
 
Specifies the attribute name if the groupIndication property has groupHasUsers value. It specifies the name of the attribute in each group object denoting its users.
For example, the value is uniqueMember for OpenLDAP, member for ActiveDirectory Server.
Required if the groupIndication property has groupHasUsers value.
followReferrals
 
Determines if the client follow referrals returned by the LDAP server.
The default value is false
Optional.
LDAP SSL
com.tibco.trinity.runtime.core.provider.identity.trust.trustStoreServiceProvider
 
Specifies the Identity trust provider configuration to provide SSL support for LDAP
com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStoreLocation
 
Specifies the location of the keystore for the credentials.
com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStorePassword
 
Specifies the location of the keystore for the credentials.
com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStoreRefreshInterval
 
Specifies the refresh interval (milliseconds).
com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStoreType
 
Specifies the keystore type. Supported formats are JKS,PKCS12.
Sample File
The properties and example configuration for LDAP authentication shared resource is provided in the following sample file:
See ASG_CONFIG_HOME/default/security/resource/LdapAsp.properties, as follows:
LdapAsp.properties
Configuring SiteMinder Service Provider
Description
The Siteminder Service Provider is used to authenticate SiteMinder session cookie or username/password retrieved from the HTTP header.
Use Case
Authenticate username/password from the incoming request.
Authenticate SiteMinder session cookie from the incoming request.
Properties
Table Properties for SiteMinder Service Provider describes the properties for SiteMinder Service Provider.
Table 108 Properties for SiteMinder Service Provider
Property
Description
com.tibco.trinity.runtime.core.provider.authn.siteminder.agentName
 
Specifies the name of SiteMinder agent.
For example, sm-agent
com.tibco.trinity.runtime.core.provider.authn.siteminder.clientIPAddress
 
Specifies the IP address of the machine where agent is installed.
For example, 10.97.107.22
com.tibco.trinity.runtime.core.provider.authn.siteminder.resource
 
Specifies the resource to protect.
com.tibco.trinity.runtime.core.provider.authn.siteminder.smHostConfFileLocationOption
 
Specifies how to identify the SmHost.conf file location.
For example, this value can be specified as specifyCustomLocation
com.tibco.trinity.runtime.core.provider.authn.siteminder.smHostConfFileLocation
 
Specifies the path to the agent configuration file.
For example, this value can be specified as /security/resource/SmHost.conf
Sample File
See ASG_CONFIG_HOME/default/security/resource/SiteMinderAsp.properties, as follows:
SiteMinderAsp.properties
Configuring Trust Identity Provider
Description
The Trust Identity Provider is used to retrieve public certificates from a credential store required to perform trust operations. You must store the public certificate and provide its location. The certificates are used by the Core Engine to verify the signatures when the payload in the incoming request is signed. The Core Engine uses the public certificate to encrypt the response payload before it sends the response back to the client.
Use Case
Verify signatures for the signed request payload.
Encrypt the request payload to forward to the external target operation.
Encrypt the response payload.
Properties
Table Properties for Trust Identify Provider (TIP) describes the properties for Trust Identify Provider.
Table 109 Properties for Trust Identify Provider (TIP)
Property
Description
com.tibco.asg.intent.signature
 
Boolean intent property indicates if the incoming request message is signed or not. If signed, then the signatures are verified using the trust identity provider properties (public credentials). Possible values are true or false.
If the value of this property set to true, the request message must have valid signatures.
com.tibco.trinity.runtime.core.provider.identity.trust.trustStoreServiceProvider
 
Specifies the name of the credential service provider containing the credentials for establishing trust.
com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStoreType
 
Specifies the keystore type. Supported formats are JKS,PKCS12.
com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStoreLocation
 
Specifies the location(s) of the keystore.
com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStorePassword
 
Specifies the password to unlock the keystore.
com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStoreRefreshInterval
 
Specifies the refresh interval (milliseconds).
Sample File
See ASG_CONFIG_HOME/default/security/resource/TrustIsp.properties, as follows:
TrustIsp.properties
Configuring Subject Identity Provider
Description
The Subject Identity Provider is used to retrieve private keys (credentials) from a credential store. You must store the private keys and provide its location. The private keys are used by the Core Engine to decrypt the message when the payload in the incoming request is encrypted. The gateway uses the private keys to sign the response message before sending it back to the client.
Use Case
Decrypt the request payload.
Sign the request message to forward to any external target operation.
Sign the response payload.
Properties
Table Properties for Subject Identify Provider (SIP) describes the properties for Subject Identify Provider.
Table 110 Properties for Subject Identify Provider (SIP)
Property
Description
com.tibco.asg.intent.decrypt
 
Boolean intent property indicates if the incoming request message is encrypted or not. If encrypted, then the request message payload is decrypted using the subject identity provider properties (private credentials). Possible values are true or false.
If the value of this property set to true, the request message must be encrypted.
com.tibco.trinity.runtime.core.provider.identity.subject.identityStoreServiceProvider
 
Specifies the name of the credential service provider containing the private credentials for establishing the subject's identity.
com.tibco.trinity.runtime.core.provider.identity.subject.keyAlias
 
Specifies an alias name for the key corresponding to the private credentials in the credential store for establishing the subject's identity.
com.tibco.trinity.runtime.core.provider.identity.subject.keyPassword
 
Specifies the protection parameter of the private credentials in the credential store for establishing the subject's identity.
com.tibco.trinity.runtime.core.provider.credential.keystore.keyStoreType
 
Specifies the keystore type of the private credentials.
com.tibco.trinity.runtime.core.provider.credential.keystore.keyStoreLocation
 
Specifies the location(s) of the keystore of the private credentials.
com.tibco.trinity.runtime.core.provider.credential.keystore.keyStorePassword
 
Specifies the password to unlock the keystore.
com.tibco.trinity.runtime.core.provider.credential.keystore.keyStoreRefreshInterval
 
Specifies the refresh interval in milliseconds.
Sample File
See ASG_CONFIG_HOME/default/security/resource/SubjectIsp.properties, as follows:
SubjectIsp.properties
Copyright © Cloud Software Group, Inc. All Rights Reserved
Copyright © Cloud Software Group, Inc. All Rights Reserved