14.2.2 ua.conf (integrated user management configuration file)
(1) Format
This is a configuration file for using the JAAS-compatible user management and single sign-on functionality.
(2) File location
- In Windows
  Cosminexus-installation-directory\manager\config\
- In UNIX
  /opt/Cosminexus/manager/config/
(3) Repository access-related parameters
Repository access-related parameters define information related to access to the JAAS-compatible user management repository (LDAP directory server or database). These definitions are used to access the repository from relevant login modules or various commands.
You can define an item more than once by appending a different configuration number (an LDAP configuration number or a JDBC configuration number). Configuration numbers must start with 0 and increase by 1. If a number is skipped, the set of definitions ends at the skipped number. In the following example, only 0 and 1 are defined; number 3 is ignored because 2 is skipped.
- Example
java.naming.provider.url.0=ldap://localhost:389
java.naming.provider.url.1=ldap://localhost:389
java.naming.provider.url.3=ldap://localhost:389
#java.naming.provider.url.3 is ignored because java.naming.provider.url.2 is not defined.
JNDI and JDBC each have their own set of configuration numbers, and each set starts with 0.
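The numbering rule above, applied by a small checker. This is an added example, not part of the manual or the product: it reads a constructed ua.conf fragment, groups numbered options, keeps the contiguous run that starts at 0, and reports the entries the product would ignore.

```python
"""Check the numbered repository entries of a ua.conf file.

Added example, not Cosminexus code. Rule applied: per option, configuration
numbers start at 0 and increase by 1; the first skipped number ends the set,
and every later number for that option is ignored.
"""
import re
from collections import defaultdict

# Constructed sample in ua.conf style (LDAP set 0-1 is valid, .3 is ignored).
SAMPLE_UA_CONF = """\
# constructed sample, not a real deployment
java.naming.provider.url.0=ldap://localhost:389
java.naming.provider.url.1=ldap://localhost:389
java.naming.provider.url.3=ldap://localhost:389
com.cosminexus.admin.auth.ldap.pool.max.0=100
com.cosminexus.admin.auth.ldap.pool.max.1=100
"""

# key.N  ->  key and its configuration number N
NUMBERED = re.compile(r"^(?P<key>[\w.]+?)\.(?P<num>\d+)$")


def parse_properties(text):
    """Return a list of (key, value) pairs, skipping blanks and # comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs


def effective_and_ignored(pairs):
    """Split numbered entries into those used and those the product ignores.

    Returns ({key: {num: value}}, [(key, num), ...]); the list holds entries
    that fall after the first gap in their key's numbering.
    """
    by_key = defaultdict(dict)
    for key, value in pairs:
        m = NUMBERED.match(key)
        if m:
            by_key[m.group("key")][int(m.group("num"))] = value
    effective, ignored = {}, []
    for key, nums in by_key.items():
        kept, n = {}, 0
        while n in nums:          # contiguous run starting at 0
            kept[n] = nums[n]
            n += 1
        effective[key] = kept
        ignored.extend((key, k) for k in sorted(nums) if k not in kept)
    return effective, ignored


if __name__ == "__main__":
    eff, ign = effective_and_ignored(parse_properties(SAMPLE_UA_CONF))
    for key, num in ign:
        print(f"ignored: {key}.{num} (gap before it)")
```

Run it against a real ua.conf by replacing SAMPLE_UA_CONF with the file contents; any line reported as ignored is configuration the login modules never see.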
(a) JNDI parameters
JNDI parameters define information that is necessary in order to use JNDI to access the LDAP directory server. You can specify a parameter for accessing the LDAP directory server more than once by incrementing the LDAP configuration number from 0.
| Option | Description | Default value |
|---|---|---|
|  | Specify the URL of the repository (LDAP directory server) as a character string. For details, see the appropriate Java JNDI description. | None |
|  | Specify the identifier of the authenticator to be used to access the repository (LDAP directory server), as a character string. For details, see the appropriate Java JNDI description. | None |
|  | Specify the password corresponding to java.naming.security.principal.n, as a character string. For details, see the appropriate Java JNDI description. | None |
|  | Specify the base DN of the repository under JAAS-compatible user management, as a character string. | None |
|  | Specify the attribute name of a user login ID, as a character string. | uid |
|  | Specify true or false to control whether to search the repository for a user entry (RDN) under JAAS-compatible user management. If the attribute name of a user login ID differs from the user entry (RDN), specify true. The specification is not case-sensitive. | false |
|  | If the repository is to be searched for a user entry (RDN) under JAAS-compatible user management, specify a search level of onelevel (search one level below only) or subtree (search all levels below). The specification is not case-sensitive. | onelevel |
|  | Specify the attribute name of a user password, as a character string. | userPassword |
|  | Specify true or false to control whether to use LDAP connection pools. The specification is not case-sensitive. | false |
|  | Specify the maximum number of LDAP connection pools. If an incoming request would cause the maximum number to be exceeded, the system waits for a pool to become empty. Specify an integer from 0 to 2147483647. If the specified value is equal to or less than 0, 100 is assumed. | 100 |
|  | Specify the maximum number of empty LDAP connection pools. The specified maximum might be exceeded temporarily, but is adjusted at the interval specified by com.cosminexus.admin.auth.ldap.pool.gc_interval. Specify an integer from 0 to 2147483647. If the specified value exceeds the value specified for com.cosminexus.admin.auth.ldap.pool.max, the value of com.cosminexus.admin.auth.ldap.pool.max is assumed. If the specified value is equal to or less than 0, half of the value of com.cosminexus.admin.auth.ldap.pool.max is assumed (rounded down if that value is odd). If the specified value is 1, 1 is assumed. | 50 |
|  | Specify the number of new pools to be established when the number of empty LDAP connection pools becomes 0 (including at initialization). Specify an integer from 0 to 2147483647. If the specified value exceeds the value specified for com.cosminexus.admin.auth.ldap.pool.max_spare, the value of com.cosminexus.admin.auth.ldap.pool.max_spare is assumed. If the specified value is equal to or less than 0, half of the value of com.cosminexus.admin.auth.ldap.pool.max_spare is assumed (rounded down if that value is odd). If the specified value is 1, 1 is assumed. | 10 |
|  | Specify the interval for adjusting the number of empty LDAP connection pools, as an integer from 0 to 2147483647 (in seconds). See the description for com.cosminexus.admin.auth.ldap.pool.max_spare. If the specified value is equal to or less than 0, this functionality is disabled: the number of pools increases to the value specified for com.cosminexus.admin.auth.ldap.pool.max and no pool is deleted. | 60 |
|  | Specify the number of retries to be made if an LDAP connection fails, as an integer from 0 to 2147483647. | 1 |
|  | Specify the interval (in ms) between retries if an LDAP connection fails, as an integer from 0 to 2147483647. | 0 |
|  | Specify a character string indicating the attribute name to be used as the user ID after decomposition of a DN stored in a certificate. The specification is not case-sensitive. If the same attribute name occurs two or more times when the user ID is extracted, the first value found is used. | cn |
|  | Specify the format of passwords stored in the repository. WebPasswordLoginModule uses the specified format to compare passwords. The specified character string is not case-sensitive. If a string other than those listed above is specified, sha1 is assumed. If com.cosminexus.admin.auth.ldap.password.encrypt.ex is specified, this parameter is ignored. | sha1 |
|  | If the password format used is not one of those provided as standard, specify the fully qualified name of the class for password conversion. If this parameter is omitted or the specified class cannot be found, the format specified in com.cosminexus.admin.auth.ldap.password.encrypt is used to compare passwords. | None |
|  | Specify the type of LDAP directory server to be connected. If a value other than those listed above is specified, ETC is assumed. | ETC |
|  | Specify the read timeout for the LDAP directory server as an integer from 0 to 3600 (in seconds). If 0 is specified, no timeout occurs. | 3 |
|  | Specify the connection timeout (in ms) for the LDAP directory server, as an integer equal to or greater than 0. If the specified value is equal to or less than 0, the timeout of the underlying network protocol, such as TCP, is used. | LDAP provider specification |
(b) JDBC parameters
JDBC parameters define information that is necessary in order to use JDBC to access the database. You can specify a parameter for accessing the database more than once by incrementing the JDBC configuration number from 0.
| Option | Description | Default value |
|---|---|---|
|  | Specify the class name of the JDBC driver corresponding to the database to be used. The location of the JDBC driver must be in the class path of the J2EE server. | JP.co.Hitachi.soft.DBPSV_Driver.JdbcDbpsvDriver |
|  | Specify the URL for connecting to the database, as a character string. The URL must have the form jdbc:<subprotocol>:<subname>. | None |
|  | Specify a character string indicating the database user used to connect as a proxy. If this is omitted, it is assumed that no proxy database user is used. | No proxy |
|  | Specify the password of the database user used to connect as a proxy, as a character string. If com.cosminexus.admin.auth.jdbc.conn.user is omitted, this parameter is ignored. If com.cosminexus.admin.auth.jdbc.conn.user is specified and this parameter is omitted, a null character is assumed. | Null character |
|  | Specify true or false to control whether to use JDBC connection pools. The specification is not case-sensitive. | false |
|  | Specify the maximum number of JDBC connection pools. If an incoming request would cause the maximum number to be exceeded, the system waits for a pool to become empty. Specify an integer from 0 to 2147483647. If the specified value is equal to or less than 0, 100 is assumed. | 100 |
|  | Specify the maximum number of empty JDBC connection pools. The specified maximum might be exceeded temporarily, but is adjusted at the interval specified by com.cosminexus.admin.auth.jdbc.pool.gc_interval. Specify an integer from 0 to 2147483647. If the specified value exceeds the value specified for com.cosminexus.admin.auth.jdbc.pool.max, the value of com.cosminexus.admin.auth.jdbc.pool.max is assumed. If the specified value is equal to or less than 0, half of the value of com.cosminexus.admin.auth.jdbc.pool.max is assumed (rounded down if that value is odd). If the specified value is 1, 1 is assumed. | 50 |
|  | Specify the number of new pools to be established when the number of empty JDBC connection pools becomes 0 (including at initialization). Specify an integer from 0 to 2147483647. If the specified value exceeds the value specified for com.cosminexus.admin.auth.jdbc.pool.max_spare, the value of com.cosminexus.admin.auth.jdbc.pool.max_spare is assumed. If the specified value is equal to or less than 0, half of the value of com.cosminexus.admin.auth.jdbc.pool.max_spare is assumed (rounded down if that value is odd). If the specified value is 1, 1 is assumed. | 10 |
|  | Specify the interval for adjusting the number of empty JDBC connection pools, as an integer from 0 to 2147483647 (in seconds). See the description for com.cosminexus.admin.auth.jdbc.pool.max_spare. If the specified value is equal to or less than 0, this functionality is disabled: the number of pools increases to the value specified for com.cosminexus.admin.auth.jdbc.pool.max and no pool is deleted. | 60 |
|  | Specify the number of retries to be made if a JDBC connection fails, as an integer from 0 to 2147483647. | 1 |
|  | Specify the interval (in ms) between retries if a JDBC connection fails, as an integer from 0 to 2147483647. | 0 |
|  | Specify the SQL SELECT statement used to search for a password. The statement must have the form SELECT column-name FROM table-name WHERE search-condition. The only IN parameter placeholder permitted in the search condition is a single "?", which is replaced with the user ID specified during authentication. | None |
|  | Specify the value type of the column containing the password. Specify one of the following values, indicating the type as supported in the Java language. The specified keyword is not case-sensitive. If a string other than the keywords above is specified, string is assumed. | string |
|  | Specify the format of passwords stored in the repository. WebPasswordLoginModule uses the specified format to compare passwords. The specified keyword is not case-sensitive. If a value other than the keywords above is specified, none is assumed. If com.cosminexus.admin.auth.jdbc.password.encrypt.ex is specified, this parameter is ignored. If sha1 or md5 is specified in this parameter, specify byte in the com.cosminexus.admin.auth.jdbc.password.type parameter. | none |
|  | If the password format used is not one of those provided as standard, specify the fully qualified name of the class for password conversion. If this parameter is omitted or the specified class cannot be found, the encryption format specified in com.cosminexus.admin.auth.ldap.password.encrypt is used to compare passwords. | None |
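The password search statement format in the table above, exercised as a parameterized query. This is an added example, not Cosminexus code: Python's sqlite3 stands in for the product's JDBC driver (an assumption for this demonstration), the table and rows are constructed, and the user ID is bound to the single "?" placeholder as a parameter rather than spliced into the SQL text.

```python
"""Password lookup using the ua.conf JDBC SELECT format.

Added example, not Cosminexus code. The product runs the configured statement
through its JDBC driver; sqlite3 (assumption) stands in here. The user ID
given at authentication is bound to the one "?" IN parameter.
"""
import re
import sqlite3

# Shape required by the manual: SELECT column-name FROM table-name WHERE ...
SELECT_FORMAT = re.compile(
    r"^\s*SELECT\s+\w+\s+FROM\s+\w+\s+WHERE\s+.+$",
    re.IGNORECASE | re.DOTALL)


def validate_password_select(stmt):
    """Return the statement if it has the required shape, else raise."""
    if not SELECT_FORMAT.match(stmt):
        raise ValueError("expected: SELECT column-name FROM table-name WHERE ...")
    if stmt.count("?") != 1:
        raise ValueError("the search condition must contain exactly one '?'")
    return stmt.strip()


def lookup_password(conn, stmt, user_id):
    """Run the configured SELECT with user_id bound to '?'; None if no row.

    Because user_id is a bound parameter, quote characters in it are compared
    literally and never change the statement's structure.
    """
    cur = conn.execute(validate_password_select(stmt), (user_id,))
    row = cur.fetchone()
    return row[0] if row else None


def demo_connection():
    """Constructed in-memory table standing in for the user repository."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT PRIMARY KEY, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "stored-hash-1"), ("bob", "stored-hash-2")])
    return conn


# Value a ua.conf entry for the password search statement would carry.
PASSWORD_SELECT = "SELECT pw FROM users WHERE uid = ?"

if __name__ == "__main__":
    conn = demo_connection()
    print(lookup_password(conn, PASSWORD_SELECT, "alice"))   # stored-hash-1
    print(lookup_password(conn, PASSWORD_SELECT, "o'brien"))  # None
```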
(c) API parameters
API parameters define information used by APIs when referencing or updating the user information repository on the LDAP directory server.
Append .<name> to each item. The .<name> element is an identifier indicating the use of an API to reference or update the user information repository; the same name is passed to the LdapUserDataManager constructor.
- Name format
Application's-Java-package-name.internal-name
Internal name: a character string consisting of alphanumeric characters (A-Z, a-z, and 0-9) and periods (.).
- Example
com.cosminexus.admin.auth.api.repository.ldap.config.<com.cosminexus.admin.auth.Example>=1
The name element can be defined more than once by changing its value, but each instance must be unique within the configuration file. Specify the name element as a character string consisting of alphanumeric characters (A-Z, a-z, and 0-9) and periods (.). If any other character is used, the name element might not be recognized correctly.
| Option | Description | Default value |
|---|---|---|
|  | Specify the identifier (an LDAP configuration number specified in the corresponding JNDI parameter) indicating the LDAP directory server used by the API. | None |
(d) Single sign-on parameters
Single sign-on parameters are required in order to use the single sign-on functionality. Two kinds of information must be specified: information used by WebSSOLoginModule, and definition information used for calling a custom login module. Append .name to definitions of the latter kind (the options starting with com.cosminexus.admin.auth.sso.lm in the following table). The .name element is the identifier of a login module called from WebSSOLoginModule.
The .name element can be defined more than once by changing its value. The specified .name is also used in the JAAS configuration.
- Format
item-used-by-WebSSOLoginModule=value
definition-for-calling-the-custom-login-module.name=value
- Example
com.cosminexus.admin.auth.sso.keyfile=d:/tmp/DES3key.key
com.cosminexus.admin.auth.sso.lm.krb5=com.sun.security.module.Krb5LoginModule
com.cosminexus.admin.auth.sso.param.userid.Krb5=javax.security.auth.login.name
...
| Option | Description | Default value |
|---|---|---|
|  | Specify the absolute path and name of the file containing the key used for encryption when registering single sign-on information. If this file is not specified, a LoginException occurs when the single sign-on functionality is used for login or when the password change functionality (the PasswordUtil class) is used. If com.cosminexus.admin.auth.sso.encrypt=none, the value specified in this parameter is ignored. | None |
|  | Specify the product used to encrypt single sign-on authentication information (SecretData). JCE: JCE is used. NONE: No encryption functionality is used. The specified keyword is not case-sensitive. | NONE |
|  | Specify an LDAP configuration number defined at the beginning of this section. The specified value must identify a configuration that can reference the single sign-on information repository. The value is used by any functionality that needs to reference the repository, for example when WebSSOLoginModule performs a single sign-on. | 0 |
|  | Specify an LDAP configuration number defined at the beginning of this section. The specified value must identify a configuration that can update the single sign-on information repository. The value is used by any functionality that manages the repository, such as the password change functionality or the SSOExport and SSOImport commands. | 0 |
|  | Specify the login module name (class name) of each application called by WebSSOLoginModule. Specify the full package name. | None |
|  | Specify the name of the parameter used to pass a user ID registered in the single sign-on information repository. The value is set by WebSSOLoginModule before the login() method is called, and only if the user has been authenticated. | com.cosminexus.admin.auth.sso.userid |
|  | Specify the name of the parameter used to pass encrypted information registered in the single sign-on information repository. A key with the specified parameter name and its value are set by WebSSOLoginModule before the login() method is called, and only if the user has been authenticated. The value that is set is the decrypted data. | com.cosminexus.admin.auth.sso.secdat |
|  | Specify the name of the parameter used to pass non-encrypted information registered in the single sign-on information repository. The value is set by WebSSOLoginModule before the login() method is called, and only if the user has been authenticated. Do not use the same parameter name for more than one of com.cosminexus.admin.auth.sso.param.userid, com.cosminexus.admin.auth.sso.param.secdat, and com.cosminexus.admin.auth.sso.param.pubdat; if a parameter name is duplicated, the contents are not guaranteed. | com.cosminexus.admin.auth.sso.pubdat |
(e) Custom login module parameters
Custom login module parameters are necessary in order to call a custom login module from DelegationLoginModule or WebSSOLoginModule.
| Option | Description | Default value |
|---|---|---|
|  | Specify the absolute path of the directory containing a custom login module and its related classes (such as Principal and Credential classes). | None |
(f) Cosminexus standard login module parameters
Cosminexus standard login module parameters define general information for the Cosminexus standard login modules.
| Option | Description | Default value |
|---|---|---|
|  | Specify true or false to control whether the password of a user who has logged into the realm is held in the integrated user management session. The specification is not case-sensitive. If you specify true, the password is held; if you specify false, it is not. If a user is already logged into the realm, the password already held is not overwritten even if true is specified. If false is specified and a user logs into the same realm in the same session with WebPasswordLDAPLoginModule, the user must enter a user ID and password at each subsequent login. | false |
|  | If true is specified for com.cosminexus.admin.auth.keep_password, specify true or false to control whether the held password is encrypted. The specification is not case-sensitive. If you specify true, the password is encrypted; if you specify false, it is not. | true |
|  | If true is specified for com.cosminexus.admin.auth.param_check.enable and one of the following Cosminexus standard login modules is used to log in with a login user name that starts or ends with a space, an exception occurs: | true |
|  | If the session failover functionality of integrated user management is enabled and true is specified for com.cosminexus.admin.auth.keep_password, specify true or false to control whether a password held in the integrated user management session is managed by the session failover functionality. If a session failover occurs and a user logs into the same realm in the same session with WebPasswordLDAPLoginModule, the user must enter a user ID and password at each subsequent login. Specification example: com.cosminexus.admin.auth.gsession.keep_password=true | false |
(g) Other parameters
These parameters define trace file information that applies to user management as a whole when the Cosminexus standard login modules are used.
| Option | Description | Default value |
|---|---|---|
|  | Specify the full path and name of the trace file, without an extension. On output, the extension .n.log is appended to the specified value, where n is the file number from 1 to the maximum number of files (up to 16). If this specification is omitted, no trace log is output. | None |
|  | Specify the trace level as a number. Trace information is output for levels equal to or below the specified level. | 0 |
|  | Specify the number of trace files as a number from 1 to 16. | 4 |
|  | Specify the maximum size of a trace file as a number from 4096 to 2147483647. If a log file exceeds the specified size, subsequent logs are written to a new file with the next file number. If the final log file (the file whose number equals the maximum number of files) reaches the maximum size, log file 1 is overwritten. | 65536 |
|  | If a session failover filter is set, disables the session failover support of integrated user management. | false |