Using the External JAAS Authentication Service

The FTL JAAS authentication service is a containerized service that provides JAAS functionality for the realm server. The service connects to your enterprise LDAP server.

If you use an authentication service that is external to the realm server, you must start it before starting the realm server.

These steps start the sample external JAAS authentication service in a Jetty container. To modify the sample service, see the file TIBCO_HOME/ftl/version/samples/jaas/FTL-JAAS.readme.md.

Procedure

  1. Configure the JAAS file.
    The JAAS file specifies Java classes that implement authentication. (You can reuse the same JAAS file as you used in Release 5.1 and earlier.)

    For details, see "JAAS Login Configuration File" in the Oracle Java documentation.

  2. Deploy the service in a Jetty application container.
    The WAR file FTL-JAAS.war implements the service. Copy the example WAR file from TIBCO_HOME/ftl/version/samples/jaas/FTL-JAAS.war into Jetty's demo-base/webapps directory.
  3. Configure the JAAS realm within Jetty.

    Edit demo-base/etc/login.conf and add a tibrealmserver section. See the sample file TIBCO_HOME/ftl/version/samples/jaas/ldap.jaas for an example.

  4. Optional. Configure TLS within Jetty.
    It is good practice to protect authentication service communications with TLS, because the realm server forwards user credentials to this service over that connection.
  5. Start the authentication service in a Jetty container.
    Clients can reach the authentication service at protocol://host:port/FTL-JAAS/login. (Supply this URL to the realm server in the next step.)
  6. Start the realm server.
    The realm server is a client of the authentication service.

    Supply the command-line parameter --auth.url to specify the URL of the authentication service, protocol://host:port/FTL-JAAS/login.

    If the authentication service enables TLS, then its URL specifies the https:// protocol, and you must supply these additional parameters to the realm server:
    • --auth.trust auth_svc_public_cert_location
    • --auth.user realm_svr_user_name
    • --auth.password realm_svr_password
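
As an added example (not part of the FTL documentation or samples), the following POSIX shell helpers assemble the --auth.* parameters from step 6, reject an https URL that lacks the trust, user and password values, flag a plaintext http URL, and check the live service's certificate against the --auth.trust file with openssl before the realm server is launched. The executable name tibrealmserver and the PEM format of the trust file are assumptions.

```shell
#!/bin/sh
# Added example: validate and assemble the realm server's external JAAS
# authentication flags. Assumes the realm server binary is tibrealmserver
# and that --auth.trust points at a PEM certificate (both assumptions).

# auth_args URL [TRUST USER PASSWORD]
# Prints the --auth.* flags for URL. Return codes:
#   0 ok   1 URL is not an FTL-JAAS login endpoint
#   2 https URL but trust/user/password missing   3 plaintext http
auth_args() {
  url=$1 trust=$2 user=$3 pass=$4
  case "$url" in
    https://*/FTL-JAAS/login)
      [ -n "$trust" ] && [ -n "$user" ] && [ -n "$pass" ] || return 2
      printf '%s\n' "--auth.url $url --auth.trust $trust --auth.user $user --auth.password $pass"
      ;;
    http://*/FTL-JAAS/login)
      # Accepted by the realm server, but credentials cross the network in clear.
      printf '%s\n' "--auth.url $url"
      return 3
      ;;
    *) return 1 ;;
  esac
}

# auth_host_port URL -> host:port for openssl (defaults to :443 when no port)
auth_host_port() {
  hp=${1#*://}
  hp=${hp%%/*}
  case "$hp" in
    *:*) printf '%s\n' "$hp" ;;
    *)   printf '%s:443\n' "$hp" ;;
  esac
}

# verify_auth_tls URL TRUST: confirm the running service presents a chain
# that validates against the file given to --auth.trust (needs network).
verify_auth_tls() {
  openssl s_client -connect "$(auth_host_port "$1")" -CAfile "$2" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

# Typical use (commented out so the functions can be sourced on their own):
# args=$(auth_args "$AUTH_URL" "$AUTH_TRUST" "$AUTH_USER" "$AUTH_PASS") || exit 1
# verify_auth_tls "$AUTH_URL" "$AUTH_TRUST" || exit 1
# exec tibrealmserver $args
```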