Gateway Security and Authentication
Whenever an external application uses the PROIV Gateway, the access must be authenticated. The details supplied by the external application (usually a name and a password) are checked to verify that the external application has permission to access the PROIV application. The gateway allows the administrator to specify the authentication mechanism that will be used.
The authentication mechanism to be used is specified in the User Authenticator configuration property. The gateway is supplied with two authentication implementations and these are explained below. It is possible to add your own authentication mechanism (see Bus Security).
The Authentication Cache
Because the overhead of authenticating a given user name/password combination can be high, and the frequency of gateway connections can also be high, the gateway can 'remember' successful authentications to reduce the number of actual authentications taking place. Successful authentications are stored in a cache, and the Login Cache Lifetime configuration property specifies how long a cache entry remains valid. To prevent the cache growing too large, the Login Cache Size configuration property limits the number of entries in the cache. Only successful authentications are cached, and a cached entry is accepted without consulting the authentication mechanism again, so a changed password or a disabled account continues to be accepted for that caller until its entry expires or is evicted.
If you wish to have every gateway connection fully authenticated, set both the Login Cache Lifetime and the Login Cache Size configuration properties to 0.
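The following Java class is an added illustration of the cache behaviour described above. It is example code, not the gateway's own implementation: the LoginCache name, its lifetimeMillis and maxEntries parameters, and the constructed single-user backend are assumptions standing in for the Login Cache Lifetime and Login Cache Size properties and for the real authentication mechanism.

```java
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.BiPredicate;
import java.util.function.LongSupplier;

/**
 * Illustrative login cache with the two controls the gateway exposes: a per-entry
 * lifetime and a maximum number of entries. Example code, not PROIV's implementation.
 */
public final class LoginCache {
    private final BiPredicate<String, char[]> backend; // the real, slow check (e.g. a JAAS login)
    private final long lifetimeMillis;                 // stands in for Login Cache Lifetime; 0 disables the cache
    private final int maxEntries;                      // stands in for Login Cache Size; 0 disables the cache
    private final LongSupplier clock;                  // epoch millis; injectable so the demo can fast-forward
    private final byte[] salt = new byte[16];          // per-process salt: cache keys are useless outside this process
    private final Map<String, Long> expiry;            // cache key -> expiry time, oldest entry first

    public LoginCache(BiPredicate<String, char[]> backend, long lifetimeMillis, int maxEntries, LongSupplier clock) {
        this.backend = backend;
        this.lifetimeMillis = lifetimeMillis;
        this.maxEntries = maxEntries;
        this.clock = clock;
        new SecureRandom().nextBytes(salt);
        this.expiry = new LinkedHashMap<String, Long>() {
            @Override protected boolean removeEldestEntry(Map.Entry<String, Long> eldest) {
                return size() > LoginCache.this.maxEntries; // evict the oldest entry once the size limit is exceeded
            }
        };
    }

    public synchronized boolean authenticate(String user, char[] password) {
        boolean caching = lifetimeMillis > 0 && maxEntries > 0; // both properties 0: every call is a real authentication
        String key = caching ? key(user, password) : null;
        long now = clock.getAsLong();
        if (caching) {
            Long expires = expiry.get(key);
            if (expires != null && expires > now) {
                return true;        // hit: the backend is not consulted until this entry expires or is evicted
            }
            expiry.remove(key);     // stale or absent: fall through to a real authentication
        }
        boolean ok = backend.test(user, password);
        if (ok && caching) {
            expiry.put(key, now + lifetimeMillis); // only successes are cached; failures always reach the backend
        }
        return ok;
    }

    /** Key on the name AND the password (hashed); otherwise a wrong password would ride on an earlier success. */
    private String key(String user, char[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(user.getBytes(StandardCharsets.UTF_8));
            md.update((byte) 0);                                                  // separator so "ab"/"c" != "a"/"bc"
            md.update(StandardCharsets.UTF_8.encode(CharBuffer.wrap(password))); // avoids a String copy of the password
            return Base64.getEncoder().encodeToString(md.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);                                  // SHA-256 is mandatory in every JRE
        }
    }

    public static void main(String[] args) {
        long[] t = {1_000_000L};   // controllable clock for the demo
        int[] backendCalls = {0};
        // Constructed stand-in for the real authenticator: accepts exactly one name/password pair.
        BiPredicate<String, char[]> backend = (u, p) -> {
            backendCalls[0]++;
            return "alice".equals(u) && "s3cret".equals(new String(p));
        };
        char[] good = "s3cret".toCharArray();
        char[] bad = "wrong".toCharArray();

        LoginCache cached = new LoginCache(backend, 60_000, 100, () -> t[0]);
        report("first login", cached.authenticate("alice", good), backendCalls);
        report("repeat within lifetime", cached.authenticate("alice", good), backendCalls);
        report("wrong password", cached.authenticate("alice", bad), backendCalls);
        t[0] += 60_001;
        report("repeat after lifetime", cached.authenticate("alice", good), backendCalls);

        LoginCache uncached = new LoginCache(backend, 0, 0, () -> t[0]);
        report("no cache, login", uncached.authenticate("alice", good), backendCalls);
        report("no cache, repeat", uncached.authenticate("alice", good), backendCalls);
    }

    private static void report(String step, boolean result, int[] calls) {
        System.out.printf("%-24s result=%-5s backend calls so far=%d%n", step, result, calls[0]);
    }
}
```

Running the demo shows the repeat login within the lifetime returning without a backend call, the wrong password always reaching the backend (its hashed key differs from the cached success), the repeat after the lifetime authenticating again, and the 0/0 instance calling the backend on every attempt. The cache key is derived from the password, so the cache necessarily holds password-derived material in memory for the lifetime; that is inherent to a login cache and is one reason to keep the lifetime short.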
Default User Authentication
The Default user authentication mechanism always successfully authenticates any user name/password combination. No user name/password checking is carried out, so every caller that can reach the gateway is allowed in, whatever credentials it presents.
JAAS User Authentication
The JAAS user authentication mechanism integrates with the Java Authentication and Authorization Service (JAAS) API. An overview of JAAS is available at http://java.sun.com/products/jaas/overview.html.
JAAS is a pluggable authentication framework: any JAAS LoginModule can be used for authentication, and the module is selected by configuration rather than by code.
JAAS LoginModules are available for authentication against many sources, including:
- Kerberos (the standard authentication protocol on Windows domains, and available for most Unix platforms)
- Unix
- JNDI
- Database
- Simple text file
Sample files are included with the gateway that configure the supplied JAAS user authentication to use the Kerberos JAAS LoginModule shipped with the JRE (com.sun.security.auth.module.Krb5LoginModule). This allows the user name and password to be authenticated against any Kerberos Key Distribution Centre (KDC) reachable on your network.
Note that Windows Server (2012 R2, 2016) runs a KDC on every Active Directory domain controller, so an existing domain can serve as the authentication source. Several Unix platforms also ship Kerberos, and it is available for most of those that do not.
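The following Java class is an added example of what a JAAS-based name/password check against a KDC looks like when built on the JRE's Krb5LoginModule. It is not the gateway's own authenticator and not one of its sample files: the entry name ProivGateway, the class name KerberosPasswordCheck, and the realm and KDC names in the comments are placeholders.

```java
import java.io.Console;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Illustrative JAAS authenticator: proves a name/password pair against a Kerberos KDC with the
 * Krb5LoginModule shipped in the JRE. Example code, not PROIV's; "ProivGateway" is a made-up entry name.
 */
public final class KerberosPasswordCheck {
    private static final String ENTRY = "ProivGateway";

    static {
        // Programmatic equivalent of this jaas.conf entry (normally selected with
        // -Djava.security.auth.login.config=/path/to/jaas.conf):
        //   ProivGateway {
        //       com.sun.security.auth.module.Krb5LoginModule required useTicketCache=false;
        //   };
        Configuration.setConfiguration(new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!ENTRY.equals(name)) {
                    return null;
                }
                Map<String, String> options = new HashMap<>();
                // Never accept a ticket already sitting in a credential cache: the supplied password itself must be proven.
                options.put("useTicketCache", "false");
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                                              LoginModuleControlFlag.REQUIRED, options)
                };
            }
        });
    }

    /** Returns true only if the KDC issued a TGT for this name and password, i.e. the password is correct. */
    public static boolean authenticate(String user, char[] password) {
        // Feeds the name and password into the module's callbacks; anything else is refused.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "callback not supported");
                }
            }
        };
        try {
            LoginContext lc = new LoginContext(ENTRY, new Subject(), handler);
            lc.login();   // AS exchange with the KDC; throws on wrong password, unknown principal or unreachable KDC
            lc.logout();  // discard the ticket: only the yes/no answer is wanted here
            return true;
        } catch (LoginException e) {
            // Same answer for every failure so callers cannot distinguish "no such user" from "bad password".
            System.err.println("login failed for " + user + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Example run; realm and KDC are placeholders for your own (or configure them in krb5.conf):
        //   java -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=kdc.example.com KerberosPasswordCheck alice
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage: KerberosPasswordCheck <user>   (run from an interactive terminal)");
            System.exit(2);
        }
        char[] password = console.readPassword("Password for %s: ", args[0]);
        boolean ok = authenticate(args[0], password);
        Arrays.fill(password, '\0'); // wipe the password once it has been used
        System.out.println(ok ? "authenticated" : "rejected");
        System.exit(ok ? 0 : 1);
    }
}
```

The JRE's Kerberos client needs to know the realm and the KDC, either from the java.security.krb5.realm and java.security.krb5.kdc system properties shown in the comment or from a krb5.conf on the host. One general Kerberos caveat applies to any password check that stops at obtaining a TGT, this example and a plain Krb5LoginModule login included: it trusts whichever host answers as the KDC for the realm. A deployment that must resist a spoofed KDC additionally requests a service ticket for a principal whose key it holds in a keytab and verifies that ticket.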
Topic ID: 250022