Using the External JAAS Authentication Service

The FTL JAAS authentication service is a containerized service that provides JAAS functionality for the FTL server. The service connects to your enterprise LDAP server.

If you use an authentication service that is external to the FTL server, you must start it before starting the FTL server.

These steps start the sample external JAAS authentication service in a Jetty container. To modify the sample service, see the file TIBCO_HOME/ftl/version/samples/jaas/FTL-JAAS.readme.md.

Procedure

  1. Configure the JAAS file.
    The JAAS file specifies Java classes that implement authentication. (You can reuse the same JAAS file as you used in Release 5.x and earlier.)

    For details, see "JAAS Login Configuration File" in Oracle Java documentation.

  2. Deploy the service in a Jetty application container.
    The WAR file FTL-JAAS.war implements the service. Copy the example WAR file from TIBCO_HOME/ftl/version/samples/jaas/FTL-JAAS.war into Jetty's demo-base/webapps directory.
  3. Configure the JAAS realm within Jetty.

    Edit demo-base/etc/login.conf and add a tibftlserver section. See the sample file TIBCO_HOME/ftl/version/samples/jaas/ldap.jaas for an example.

    Note: The term "realm" has different meanings in JAAS and in FTL; the JAAS realm configured in this step is not an FTL realm.
  4. Optional. Configure TLS within Jetty.
    It is good practice to use TLS for communication with the authentication service, since login credentials pass over this connection.
  5. Start the authentication service in a Jetty container.
    Clients can reach the authentication service at protocol://host:port/FTL-JAAS/login. (Supply this URL to the FTL server in the next step.)
  6. Configure the FTL server to use the authentication service.
    The FTL server is a client of the authentication service.
    Supply the command line parameter auth.url to specify the URL of the authentication service. For example:
    globals:
      # ...
      auth.url: protocol://host:port/FTL-JAAS/login
    If the authentication service enables TLS, then its URL uses the https:// scheme, and you must also supply these parameters to the FTL server:
      auth.trust: auth_service_public_cert_location
      auth.user: ftl_server_user_name
      auth.password: ftl_server_password
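The following script is an added example (not TIBCO code) that applies the rules from step 6 to a globals section before the FTL server is started: auth.url must be present and end in /FTL-JAAS/login, a plain http:// URL is flagged because credentials would cross the connection unprotected, and an https:// URL must be accompanied by auth.trust, auth.user and auth.password, with the auth.trust file actually present on disk. The parser assumes the simple indented key: value layout shown above rather than full YAML, and the host names, ports and file paths in the embedded samples are constructed.

```python
"""Check the auth.* settings an FTL server is given for an external JAAS
authentication service. Added example, not part of TIBCO FTL; it assumes the
globals block uses the simple `key: value` layout shown in the documentation."""
import os
from urllib.parse import urlparse

# Parameters the documentation requires alongside an https:// auth.url.
REQUIRED_WITH_TLS = ("auth.trust", "auth.user", "auth.password")

# Constructed sample configurations (host names, ports and paths are made up).
SAMPLE_TLS = """\
globals:
  # constructed example, not a real deployment
  auth.url: https://auth.example.com:8443/FTL-JAAS/login
  auth.trust: /etc/ftl/auth-service-cert.pem
  auth.user: ftlserver
  auth.password: CHANGE-ME
"""

SAMPLE_PLAIN = """\
globals:
  auth.url: http://auth.example.com:8080/FTL-JAAS/login
"""


def parse_globals(text):
    """Minimal reader for the indented `globals:` block: collects `key: value`
    lines and drops `#` comments. It is not a YAML parser, so a value that
    itself contains `#` would be truncated."""
    settings = {}
    in_globals = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.strip() == "globals:":
            in_globals = True
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            in_globals = False  # some other top-level section begins
            continue
        if in_globals and ":" in line:
            # Keys never contain ':', so splitting on the first one keeps
            # the scheme separator of a URL value intact.
            key, _, value = line.strip().partition(":")
            settings[key.strip()] = value.strip()
    return settings


def check_auth_settings(settings, trust_exists=os.path.isfile):
    """Return a list of problems; an empty list means the settings are
    consistent with the documented requirements."""
    problems = []
    url = settings.get("auth.url")
    if not url:
        return ["auth.url is missing: the FTL server cannot reach the authentication service"]
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        problems.append(f"auth.url has unexpected scheme {parsed.scheme!r}")
    if not parsed.path.endswith("/FTL-JAAS/login"):
        problems.append("auth.url does not end in /FTL-JAAS/login")
    if parsed.scheme == "http":
        problems.append("auth.url uses plain http: credentials sent to the "
                        "authentication service are not protected by TLS")
    if parsed.scheme == "https":
        for key in REQUIRED_WITH_TLS:
            if not settings.get(key):
                problems.append(f"{key} is required when auth.url uses https")
        trust = settings.get("auth.trust")
        if trust and not trust_exists(trust):
            problems.append(f"auth.trust points at {trust!r}, which does not exist")
    return problems


if __name__ == "__main__":
    for name, sample in (("tls", SAMPLE_TLS), ("plain", SAMPLE_PLAIN)):
        for problem in check_auth_settings(parse_globals(sample)) or ["ok"]:
            print(f"{name}: {problem}")
```

Run it against the server's own configuration file by passing its text to parse_globals; the trust_exists parameter is injectable so the check can be exercised on a machine that does not hold the certificate file.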