Configuring certificate-based authentication

To configure certificate-based authentication for systems that include a Web server security plug-in and a redirector plug-in, perform the following tasks, stopping after each step to make sure that things are working properly before proceeding.

  1. Install and configure the Enterprise Security Web Server plug-in on your Web server. See Chapter 11, “Configuring the Web Server Plug-in.” You may want to use an insecure server that accepts client requests on port 80 before deploying this to your production environment.

    Note: To improve performance, Sybase strongly recommends that you install EAServer and the Web server on different machines. Typically, the portal generates numerous requests to the localhost HTTP listener, and if the Web server and EAServer are on the same machine, these requests are routed through the Web server, the security plug-in, and the redirector plug-in before EAServer receives them.

  2. To use an LDAP server, instead of the ACDB:

    1. Configure Enterprise Security to use the LDAP authentication delegate—see Chapter 10, “Configuring LDAP Authentication.”

    2. Configure a certificate mapper to tell Enterprise Security how to find the LDAP user based on the certificate provided by the client—see “Certificate mapping”.

    3. Map the PortalWebPlugin role to a user or set of users in the LDAP server.

  3. On the same server where the Enterprise Security Web Server plug-in is installed, install the EAServer redirector plug-in on Apache, iPlanet, or Netscape, and configure EAServer to accept Web server requests. For installation and configuration instructions, see Chapter 9, “Web Server Redirector Plug-In,” in the EAServer System Administration Guide. To access the HTML version, use a Web browser to open html/docs/index.html in your EAServer installation.

  4. Set up the Web server to demand client certificates. See your Web server documentation for more information.

  5. Edit global.properties.xml, located in the Repository/WebApplication/onepage/config subdirectory of your EAServer installation, and set the values of the secure and secure_login properties to on. See the Enterprise Portal Developer’s Guide for more information about these properties.

  6. Configure an EAServer HTTPS listener for accessing the portal—see “Configuring listeners” in Chapter 3, “Creating and Configuring Servers,” in the EAServer System Administration Guide. Set the listener’s security characteristic to a value that does not include the string “mutual_auth.”

  7. Configure the redirector to support HTTPS—see “Configuring the redirector to support HTTPS connections”.

  8. Configure the server’s HTTP configuration properties—see “Configuring EAServer HTTP properties”.

  9. Create one or more URL assets that represent protected Web pages to force the Web server security plug-in to create a PortalSession object when a user attempts to log in to the portal—see “Creating an asset”.
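As an added illustration of step 4 (not part of the Sybase documentation), the following Apache httpd mod_ssl virtual host demands a client certificate before the request reaches the security and redirector plug-ins. Apache is assumed as the Web server; the host name and file paths are placeholders.

```apache
# Added example: Apache httpd (mod_ssl) virtual host for the portal that
# demands a client certificate (step 4). Host name and paths are placeholders.
<VirtualHost *:443>
    ServerName portal.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/portal-server.crt
    SSLCertificateKeyFile /etc/ssl/private/portal-server.key

    # CA chain used to verify certificates presented by browsers. Only
    # certificates issued under a CA listed here are accepted.
    SSLCACertificateFile /etc/ssl/certs/portal-client-ca.pem

    # Weak settings (do not use): "none" never asks for a certificate and
    # "optional" lets a client through without one, so the security plug-in
    # would have no certificate to map to an ACDB or LDAP user.
    # SSLVerifyClient optional

    # Required setting: the TLS handshake fails unless the browser presents a
    # certificate that chains to a CA in SSLCACertificateFile.
    SSLVerifyClient require
    SSLVerifyDepth 2

    # Optional revocation checking; assumes a CRL file is kept up to date.
    # SSLCARevocationFile  /etc/ssl/crl/portal-client-ca.crl
    # SSLCARevocationCheck chain

    # Requests that pass this check are forwarded by the EAServer redirector
    # plug-in installed in step 3; its directives follow its own documentation.
</VirtualHost>
```

Because the Web server performs the client-certificate check, the EAServer HTTPS listener in step 6 does not need mutual authentication, which is why its security characteristic must not include mutual_auth.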

Steps: Configuring the redirector to support HTTPS connections

  1. Edit the conn_config file in your redirector plug-in installation, and set the following properties:

  2. Set up an HTTPS listener in EAServer for accessing the portal.

Steps: Configuring EAServer HTTP properties

If you have multiple HTTP or HTTPS listeners, you must tell EAServer where to redirect requests.

  1. In Jaguar Manager, expand the Servers folder, highlight the server you are using (typically, Jaguar), and select File | Server Properties.

  2. Select the HTTP Config tab, and enter:

  3. Click OK to save your changes.