The extensible authentication feature uses the Java virtual machine (JVM) and the Java Authentication and Authorization Service (JAAS) to allow you to run your own Java-based authentication module in the EMS server. Your authentication module, or LoginModule, runs in the JVM within the EMS server, and is accessed by tibemsd using the JAAS interface. This is a flexible way to extend the security of your EMS application. The LoginModule can be used to augment existing authentication processes, or can be the sole method of authentication used by the EMS server. The user_auth parameter in the main configuration file determines when the LoginModule is used.
Each time an EMS client attempts to create a connection to the server, the server will authenticate the client before accepting the connection. When extensible authentication is enabled, tibemsd passes the username and password to the LoginModule, which returns an allow or deny response.
If more than one authentication mechanism is enabled, it is important to note the order in which the authentication sources are tried, which is determined by their order in the user_auth parameter. The server searches each authentication source in order, and if the user does not exist there, tibemsd passes the username and password to the next source.
For example, if local authentication appears before JAAS authentication, the server will search for the provided username and password first in the users.conf file. If the user does not exist there, tibemsd passes the username and password to the LoginModule, which allows or denies the connection attempt.
Consider a connection request from a client with the username avogus. If avogus exists in the users.conf file, the EMS server will either authenticate or deny access to avogus based on the username and password located there. Only if avogus does not exist in the users.conf file does the server pass the username and password to the LoginModule.
The LoginModule is a custom module that runs inside the EMS server within a JVM. The LoginModule is written using JAAS, a set of APIs provided by Sun Microsystems and used to create pluggable Java applications. JAAS provides the interface between your code and the EMS server. JAAS is a standard part of the JRE, and is installed with EMS.
In order to implement extensible authentication, you must write a LoginModule implementing the JAAS interface. There are some requirements for a LoginModule that will run in the EMS server:
The EMS server locates and loads the LoginModule based on the contents of the configuration file specified by the jaas_config_file parameter in the tibemsd.conf file. Usually, the JAAS configuration file is named jaas.conf. This file contains the configuration information used to invoke the LoginModule.
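The following is an added example of the kind of LoginModule described above; it is not TIBCO code. It assumes that tibemsd hands the client's username and password to the module through the standard JAAS NameCallback and PasswordCallback, and it uses a constructed in-memory user store (the user avogus with a constructed password) in place of a real directory.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Added example (not TIBCO code); assumes tibemsd supplies Name/PasswordCallback.
public class ExampleLoginModule implements LoginModule {
    // Constructed sample store: user -> SHA-256(user + ":" + password). A real
    // module would use a per-user random salt and a slow hash such as PBKDF2.
    private static final Map<String, byte[]> USERS =
        Map.of("avogus", digest("avogus", "s3cret"));
    private CallbackHandler handler;
    private boolean succeeded;

    @Override public void initialize(Subject subj, CallbackHandler h,
            Map<String, ?> shared, Map<String, ?> opts) { handler = h; }

    // Returning true means allow; throwing FailedLoginException means deny.
    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user");
        PasswordCallback pc = new PasswordCallback("password", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("credentials unavailable: " + e); }
        char[] pw = pc.getPassword();
        succeeded = verify(nc.getName(), pw == null ? "" : new String(pw));
        pc.clearPassword();                    // do not keep the secret in memory
        if (!succeeded) throw new FailedLoginException("invalid user or password");
        return true;
    }

    static boolean verify(String user, String password) {
        byte[] want = user == null ? null : USERS.get(user);
        if (want == null) return false;        // unknown user: plain deny
        return MessageDigest.isEqual(want, digest(user, password)); // constant time
    }

    static byte[] digest(String user, String password) {
        try {
            return MessageDigest.getInstance("SHA-256")
                .digest((user + ":" + password).getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    @Override public boolean commit() { return succeeded; }
    @Override public boolean abort()  { succeeded = false; return true; }
    @Override public boolean logout() { succeeded = false; return true; }
}
```

The matching jaas.conf entry would name this class with the `required` flag, for example `<ENTRY_NAME> { ExampleLoginModule required; };`, where the entry name is whatever your tibemsd configuration expects (placeholder shown, not a value from this page).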
The contents of the jaas.conf file should follow the JAAS configuration syntax, as documented at: