Hitachi

uCosminexus Application Server Security Management Guide


14.2.1 jaas.conf (JAAS configuration file)


(1) Format

This is a JAAS configuration file that is necessary in order to use the user authentication library and single sign-on library functionality.

Options can be specified as follows:

Application {
  login-module-name Flag ModuleOptions;
};

(2) File location

(3) Functionality

This file is used to configure settings that are necessary in order to use the user authentication library and single sign-on library functionality. Before using these features, a JAAS configuration file must be created and distributed to each host. Before distributing the file, take necessary precautions against possible eavesdropping.

(4) Options to be specified

The following table describes the options; each option name is followed by its description.

Application

Specify an application name. We recommend using a name that can uniquely identify the application. The specified name is used to instantiate the LoginContext class.

Names starting with the character strings shown below are used by Cosminexus. Therefore, do not specify an application name starting with any of the following character strings:

  • jp.co.hitachi.soft

  • com.hitachi.software

  • com.cosminexus

Login module name

Specify the authentication engine to be used.

Specify one of the following login modules:

  • WebPasswordLoginModule

    Specify this to use a password for user authentication.

  • WebCertificateLoginModule

    Specify this to use a client certificate for user authentication.

  • WebPasswordLDAPLoginModule

    Specify this to use the authentication functionality of an LDAP directory server for user authentication.

  • WebPasswordJDBCLoginModule

    Specify this to use a database as the user information repository.

  • DelegationLoginModule

    Specify this to call a custom login module.

  • WebSSOLoginModule

    Specify this to use the single sign-on functionality.

Flag

Specify the flag that controls how LoginContext proceeds depending on whether this login module succeeds or fails. For details about the flags that can be specified, see the appropriate JAAS documentation.

ModuleOptions

Specify the options necessary to run the login module. For details about the options to be specified, see (5) Options to be specified for WebPasswordLoginModule through (10) Options to be specified for WebPasswordLDAPLoginModule.

(5) Options to be specified for WebPasswordLoginModule

The table below lists the options to be specified for WebPasswordLoginModule; each option name is followed by its description and its default value.

com.cosminexus.admin.auth.ldap.r

Specify an LDAP configuration number defined in 14.2.2(3) Repository access-related parameters. The specified value must be a number that identifies a configuration that can reference the user information repository. The value must be enclosed by "". To specify more than one LDAP configuration number, separate the numbers by a comma (,). If more than one LDAP configuration number is specified and the first LDAP directory server specified goes down, the system automatically switches to a different LDAP directory server. The specified value is used by any functionality that needs to reference the repository, for example, when using WebPasswordLoginModule for login.

Default value: 0

com.cosminexus.admin.auth.ldap.w

Specify an LDAP configuration number defined in 14.2.2(3) Repository access-related parameters. The specified value must be a number that identifies a configuration that can update the user information repository. The value must be enclosed by "". To specify more than one LDAP configuration number, separate the numbers by a comma (,). If more than one LDAP configuration number is specified and the first LDAP directory server specified goes down, the system automatically switches to a different LDAP directory server. The specified value is used by any functionality that manages the contents of the repository, such as the password change functionality.

Default value: 0

com.cosminexus.admin.auth.sso.ldap.w

Specify an LDAP configuration number defined in 14.2.2(3) Repository access-related parameters. Specify this option when you are using the PasswordUtil class to change both the password and single sign-on authentication information, or when you are using the LDAP connection failover to change single sign-on authentication information. The specified value must be a number that identifies a configuration that can update the single sign-on information repository. The value must be enclosed by "". To specify more than one LDAP configuration number, separate the numbers by a comma (,). If more than one LDAP configuration number is specified and the first LDAP directory server specified goes down, the system automatically switches to a different LDAP directory server.

The specified value supersedes any value specified in com.cosminexus.admin.auth.sso.ldap.w within the integrated user management configuration file.

Default value: the value specified in the integrated user management configuration file

com.cosminexus.admin.auth.realm

Specify the realm to be authenticated as a character string.

Default value: None

com.cosminexus.admin.auth.keep_password

Specify true or false to control whether to hold the password of a user who has logged into the realm in an integrated user management session. The specification is not case-sensitive.

If you specify true, the password is to be held. If you specify false, the password is not to be held. If a user is already logged into the realm, the already-held password is not overwritten even if true is specified. If false is specified for this option and a user uses WebPasswordLDAPLoginModule to log into the same realm in the same session, he or she is required to enter his or her user ID and password for each subsequent login.

The specified value supersedes any value specified in com.cosminexus.admin.auth.keep_password within the integrated user management configuration file.

Default value: the value specified in the integrated user management configuration file

com.cosminexus.admin.auth.keep_password.encrypt

If true is specified in com.cosminexus.admin.auth.keep_password, specify true or false to control whether to encrypt a password that is held. The specification is not case-sensitive.

If you specify true, the password is to be encrypted.

If you specify false, the password is not to be encrypted.

The specified value supersedes any value specified in com.cosminexus.admin.auth.keep_password.encrypt within the integrated user management configuration file.

Default value: the value specified in the integrated user management configuration file

com.cosminexus.admin.auth.gsession.keep_password

If the session failover functionality of integrated user management is enabled and true is specified in com.cosminexus.admin.auth.keep_password, specify true or false in this option to control whether to manage a password held in an integrated user management session with the session failover functionality.

If true is specified:

The password is held in the global session.

If false is specified:

The password is not held in the global session.

If a session failover occurs and a user uses WebPasswordLDAPLoginModule to log into the same realm in the same session, he or she is required to enter his or her user ID and password for each subsequent login.

Specification example:

com.cosminexus.admin.auth.gsession.keep_password=true

Default value: the value specified in the integrated user management configuration file

(6) Options to be specified for WebSSOLoginModule

The table below lists the options to be specified for WebSSOLoginModule; each option name is followed by its description and its default value.

com.cosminexus.admin.auth.sso

Specify the identifier of the login module to be called from WebSSOLoginModule. The specified identifier is used to read necessary information from the JAAS-compatible user management configuration file.

If this is omitted, the Cosminexus standard login module (WebPasswordLoginModule) is assumed.

Default value: WebPasswordLoginModule

com.cosminexus.admin.auth.sso.ldap.r

Specify an LDAP configuration number defined in 14.2.2(3) Repository access-related parameters. The specified value must be a number that identifies a configuration that can reference the single sign-on information repository. The value must be enclosed by "". To specify more than one LDAP configuration number, separate the numbers by a comma (,). If more than one LDAP configuration number is specified and the first LDAP directory server specified goes down, the system automatically switches to a different LDAP directory server. The specified value is used by any functionality that needs to reference the repository, for example, when using WebSSOLoginModule to perform single sign-on.

The specified value supersedes any value specified in com.cosminexus.admin.auth.sso.ldap.r within the integrated user management configuration file.

Default value: the value specified in the integrated user management configuration file

com.cosminexus.admin.auth.sso.ldap.w

Specify an LDAP configuration number defined in 14.2.2(3) Repository access-related parameters. The specified value must be a number that identifies a configuration that can update the single sign-on information repository. The value must be enclosed by "". To specify more than one LDAP configuration number, separate the numbers by a comma (,). If more than one LDAP configuration number is specified and the first LDAP directory server specified goes down, the system automatically switches to a different LDAP directory server. The specified value is used by any functionality that needs to update the repository, such as the password change functionality.

The specified value supersedes any value specified in com.cosminexus.admin.auth.sso.ldap.w within the integrated user management configuration file.

Default value: the value specified in the integrated user management configuration file

com.cosminexus.admin.auth.realm

Specify the realm to be authenticated as a character string.

Default value: None

(7) Options to be specified for DelegationLoginModule

The table below lists the options to be specified for DelegationLoginModule; each option name is followed by its description and its default value.

com.cosminexus.admin.auth.custom.lm

Specify the name of a custom login module (or class name) to be called by DelegationLoginModule, as a character string. The specified name must be a fully qualified name.

Default value: None

com.cosminexus.admin.auth.realm

Specify the realm to be authenticated as a character string.

Default value: None

(8) Options to be specified for WebCertificateLoginModule

The table below lists the options to be specified for WebCertificateLoginModule; each option name is followed by its description and its default value.

com.cosminexus.admin.auth.ldap.r

Specify an LDAP configuration number defined in 14.2.2(3) Repository access-related parameters. The specified value must be a number that identifies a configuration that can reference the user information repository. The value must be enclosed by "". To specify more than one LDAP configuration number, separate the numbers by a comma (,). If more than one LDAP configuration number is specified and the first LDAP directory server specified goes down, the system automatically switches to a different LDAP directory server. The specified value is used by any functionality that needs to reference the repository, for example, when using WebCertificateLoginModule for login.

Default value: 0

com.cosminexus.admin.auth.realm

Specify the realm to be authenticated as a character string.

Default value: None

(9) Options to be specified for WebPasswordJDBCLoginModule

The table below lists the options to be specified for WebPasswordJDBCLoginModule; each option name is followed by its description and its default value.

com.cosminexus.admin.auth.jdbc.r

Specify a JDBC configuration number defined in 14.2.2(3) Repository access-related parameters. The specified value must be a number that identifies a configuration that can reference the user information repository. The value must be enclosed by "". The specified value is used by any functionality that needs to reference the repository, for example, when using WebPasswordJDBCLoginModule for login.

Default value: 0

com.cosminexus.admin.auth.realm

Specify the realm to be authenticated as a character string.

Default value: None

com.cosminexus.admin.auth.keep_password

Specify true or false to control whether to hold the password of a user who has logged into the realm in an integrated user management session. The specification is not case-sensitive.

If you specify true, the password is to be held. If you specify false, the password is not to be held. If a user is already logged into the realm, the already-held password is not overwritten even if true is specified. If false is specified for this option and a user uses WebPasswordLDAPLoginModule to log into the same realm in the same session, he or she is required to enter his or her user ID and password for each subsequent login.

The specified value supersedes any value specified in com.cosminexus.admin.auth.keep_password within the integrated user management configuration file.

Default value: the value specified in the integrated user management configuration file

com.cosminexus.admin.auth.keep_password.encrypt

If true is specified in com.cosminexus.admin.auth.keep_password, specify true or false to control whether to encrypt a password that is held. The specification is not case-sensitive.

If you specify true, the password is to be encrypted.

If you specify false, the password is not to be encrypted.

The specified value supersedes any value specified in com.cosminexus.admin.auth.keep_password.encrypt within the integrated user management configuration file.

Default value: the value specified in the integrated user management configuration file

com.cosminexus.admin.auth.gsession.keep_password

If the session failover functionality of integrated user management is enabled and true is specified in com.cosminexus.admin.auth.keep_password, specify true or false in this option to control whether to manage a password held in an integrated user management session with the session failover functionality.

If true is specified:

The password is held in the global session.

If false is specified:

The password is not held in the global session.

If a session failover occurs and a user uses WebPasswordLDAPLoginModule to log into the same realm in the same session, he or she is required to enter his or her user ID and password for each subsequent login.

Specification example:

com.cosminexus.admin.auth.gsession.keep_password=true

Default value: the value specified in the integrated user management configuration file

(10) Options to be specified for WebPasswordLDAPLoginModule

The table below lists the options to be specified for WebPasswordLDAPLoginModule; each option name is followed by its description and its default value.

com.cosminexus.admin.auth.ldap.r

Specify an LDAP configuration number defined in 14.2.2(3) Repository access-related parameters. The specified value must be a number that identifies a configuration that can reference the user information repository. The value must be enclosed by "". To specify more than one LDAP configuration number, separate the numbers by a comma (,). If more than one LDAP configuration number is specified and the first LDAP directory server specified goes down, the system automatically switches to a different LDAP directory server. The specified value is used by any functionality that needs to reference the repository, for example, when using WebPasswordLDAPLoginModule for login.

Default value: 0

com.cosminexus.admin.auth.ldap.w

Specify an LDAP configuration number defined in 14.2.2(3) Repository access-related parameters. The specified value must be a number that identifies a configuration that can update the user information repository. The value must be enclosed by "". To specify more than one LDAP configuration number, separate the numbers by a comma (,). If more than one LDAP configuration number is specified and the first LDAP directory server specified goes down, the system automatically switches to a different LDAP directory server. The specified value is used by any functionality that manages the contents of the repository, such as the password change functionality.

Default value: 0

com.cosminexus.admin.auth.sso.ldap.w

Specify an LDAP configuration number defined in 14.2.2(3) Repository access-related parameters. Specify this option when you are using the PasswordUtil class to change both the password and single sign-on authentication information, or when you are using the LDAP connection failover to change single sign-on authentication information. The specified value must be a number that identifies a configuration that can update the single sign-on information repository. The value must be enclosed by "". To specify more than one LDAP configuration number, separate the numbers by a comma (,). If more than one LDAP configuration number is specified and the first LDAP directory server specified goes down, the system automatically switches to a different LDAP directory server.

The specified value supersedes any value specified in com.cosminexus.admin.auth.sso.ldap.w within the integrated user management configuration file.

Default value: the value specified in the integrated user management configuration file

com.cosminexus.admin.auth.realm

Specify the realm to be authenticated as a character string.

Default value: None

com.cosminexus.admin.auth.keep_password

Specify true or false to control whether to hold the password of a user who has logged into the realm in an integrated user management session. The specification is not case-sensitive.

If you specify true, the password is to be held. If you specify false, the password is not to be held. If a user is already logged into the realm, the already-held password is not overwritten even if true is specified. If false is specified for this option and a user uses WebPasswordLDAPLoginModule to log into the same realm in the same session, he or she is required to enter his or her user ID and password for each subsequent login.

The specified value supersedes any value specified in com.cosminexus.admin.auth.keep_password within the integrated user management configuration file.

Default value: the value specified in the integrated user management configuration file

com.cosminexus.admin.auth.keep_password.encrypt

If true is specified in com.cosminexus.admin.auth.keep_password, specify true or false to control whether to encrypt a password that is held. The specification is not case-sensitive.

If you specify true, the password is to be encrypted.

If you specify false, the password is not to be encrypted.

The specified value supersedes any value specified in com.cosminexus.admin.auth.keep_password.encrypt within the integrated user management configuration file.

Default value: the value specified in the integrated user management configuration file

com.cosminexus.admin.auth.gsession.keep_password

If the session failover functionality of integrated user management is enabled and true is specified in com.cosminexus.admin.auth.keep_password, specify true or false in this option to control whether to manage a password held in an integrated user management session with the session failover functionality.

If true is specified:

The password is held in the global session.

If false is specified:

The password is not held in the global session.

If a session failover occurs and a user uses WebPasswordLDAPLoginModule to log into the same realm in the same session, he or she is required to enter his or her user ID and password for each subsequent login.

Specification example:

com.cosminexus.admin.auth.gsession.keep_password=true

Default value: the value specified in the integrated user management configuration file
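As an added check that is not part of this reference or of the product, the following Python script parses the Application { login-module Flag ModuleOptions; }; format from (1) and lints a jaas.conf against the rules stated in (4) to (10): reserved application-name prefixes, the listed login modules, the standard JAAS flags, quoted LDAP/JDBC configuration numbers, true/false options, and options that only take effect when com.cosminexus.admin.auth.keep_password is true. The sample entries are constructed, and PLACEHOLDER.PKG stands in for the login module package name, which this page does not give.

```python
import re
# Rules restated from this reference: reserved prefixes in (4), listed modules, options in (5) to (10).
RESERVED_PREFIXES = ("jp.co.hitachi.soft", "com.hitachi.software", "com.cosminexus")
KNOWN_MODULES = {"WebPasswordLoginModule", "WebCertificateLoginModule", "WebPasswordLDAPLoginModule",
                 "WebPasswordJDBCLoginModule", "DelegationLoginModule", "WebSSOLoginModule"}
JAAS_FLAGS = {"required", "requisite", "sufficient", "optional"}
P = "com.cosminexus.admin.auth."
NUMBER_OPTIONS = {P + n for n in ("ldap.r", "ldap.w", "sso.ldap.r", "sso.ldap.w", "jdbc.r")}
BOOL_OPTIONS = {P + n for n in ("keep_password", "keep_password.encrypt", "gsession.keep_password")}

ENTRY_RE = re.compile(r"([\w.]+)\s*\{(.*?)\};", re.S)    # Application { ... };
MODULE_RE = re.compile(r"([\w.]+)\s+(\w+)\s*([^;]*);")   # login-module Flag ModuleOptions;
OPTION_RE = re.compile(r'([\w.]+)\s*=\s*("[^"]*"|\S+)')  # name=value, value possibly quoted


def parse_jaas_conf(text):
    """Return {application: [(module_class, flag, {option: raw_value}), ...]}."""
    entries = {}
    for app, body in ENTRY_RE.findall(text):
        entries[app] = [(cls, flag, dict(OPTION_RE.findall(opts)))
                        for cls, flag, opts in MODULE_RE.findall(body)]
    return entries


def lint_jaas_conf(text):
    """Return findings for the rules the reference states; an empty list means clean."""
    findings = []
    for app, modules in parse_jaas_conf(text).items():
        if app.startswith(RESERVED_PREFIXES):
            findings.append(f"{app}: application name uses a prefix reserved by Cosminexus")
        for cls, flag, opts in modules:
            short = cls.rsplit(".", 1)[-1]
            if short not in KNOWN_MODULES:
                findings.append(f"{app}: unknown login module {short}")
            if flag.lower() not in JAAS_FLAGS:
                findings.append(f"{app}: {short} has an invalid JAAS flag {flag}")
            for name, raw in opts.items():
                if name in NUMBER_OPTIONS and not re.fullmatch(r'"\d+(,\d+)*"', raw):
                    findings.append(f"{app}: {name} must be quoted configuration numbers, got {raw}")
                if name in BOOL_OPTIONS and raw.strip('"').lower() not in ("true", "false"):
                    findings.append(f"{app}: {name} must be true or false, got {raw}")
            # keep_password.encrypt and gsession.keep_password only apply when keep_password is true
            if opts.get(P + "keep_password", "").strip('"').lower() != "true":
                for dep in (P + "keep_password.encrypt", P + "gsession.keep_password"):
                    if dep in opts:
                        findings.append(f"{app}: {dep} has no effect unless keep_password is true")
    return findings


# Constructed sample; PLACEHOLDER.PKG stands in for the module package this reference does not give.
SAMPLE_CONF = """PortalLogin {
  PLACEHOLDER.PKG.WebPasswordLoginModule required
    com.cosminexus.admin.auth.ldap.r="0,1"
    com.cosminexus.admin.auth.keep_password=true
    com.cosminexus.admin.auth.keep_password.encrypt=true;
};
com.cosminexus.BadExample {
  PLACEHOLDER.PKG.WebPasswordLoginModule mandatory
    com.cosminexus.admin.auth.ldap.r=0
    com.cosminexus.admin.auth.gsession.keep_password=yes;
};
"""
```

Running lint_jaas_conf(SAMPLE_CONF) reports nothing for PortalLogin and five findings for the second entry (reserved prefix, invalid flag, unquoted LDAP number, non-boolean value, and an option that has no effect without keep_password=true).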