Configuration of JAAS Authentication
You can configure the Central Administration server to use Java Authentication and Authorization Service (JAAS) authentication. JAAS authentication has two purposes:
- Authenticate users logging into the Central Administration server.
When JAAS is configured, users must enter credentials when logging into the Central Administration web interface. Central Administration users must be in one of these JAAS groups:
- emsca-admin — Grants administrative privileges to members. Administrators may lock and edit an EMS server in Central Administration, and deploy an updated server configuration. However, note that the user must
also have administrative privileges for the EMS server before deploying.
You can change the group names with administrative privileges using the --jaas-admin option.
- emsca-guest — Grants read-only privileges to members. Guest users are not able to make changes or deploy configurations through Central Administration.
You can change the group names with guest privileges using the --jaas-guests option.
- emsca-admin — Grants administrative privileges to members. Administrators may lock and edit an EMS server in Central Administration, and deploy an updated server configuration. However, note that the user must
also have administrative privileges for the EMS server before deploying.
- Authenticate the Central Administration server to EMS servers.
When JAAS is configured, each time a user attempts to add or refresh an EMS server or deploy configuration changes, the Central Administration server uses the JAAS user ID and password presented by the user to authenticate with the EMS server. If the user does not have sufficient privileges, the action fails.
Additionally, assigning conflicting JAAS roles (such as guest and admin) to the same user grants admin privileges.
To enable JAAS authentication, set the --jaas option at the command line, or through the related setting in the Central Administration configuration file.
JAAS can be configured to fetch user credentials from a property file or from an LDAP server. With LDAP, changes made to Central Administration user credentials are taken into account dynamically. With a property file, it is required to restart the Central Administration server upon altering user credentials.
For more information on JAAS security, see the sample configuration files in EMS_HOME\samples\emsca\jaas.