This section describes how to configure the Enterprise Security global properties, which define the features that affect your entire security system.
To configure global security properties, use any standard ASCII text editor to edit the security.properties file located in the java/classes/com/sybase/ep/security subdirectory of your EAServer installation. If a property does not exist in security.properties and it has a default value specified in a configuration properties table, the default value is in effect. To modify the value of a property that is not specified in security.properties, edit the file and add it. Property names are case-sensitive. The order of the properties in the file does not matter.
If you make any changes to security.properties, you must restart EAServer for the changes to take effect.
The tables below describe all the properties in the security.properties file that you may need to edit to enable Enterprise Security features. Where applicable, the tables also show the default value and a description of each property.
Table 15-1 lists the system-wide auditing properties that determine where auditing information is written. For more information about auditing, see Chapter 6, “Auditing.”
| Property name | Default value | Description |
|---|---|---|
| auditAuthenticationManagementOperations | | Specifies whether to audit authentication-delegate calls to com.sybase.ep.security.management beans. This is used only for the LDAP authentication delegate and any custom authentication delegates that use the Management APIs to replicate data into the ACDB. |
| auditDatabaseConnCache | | Connection cache created in EAServer to obtain a connection to the audit database server. |
| auditDatabaseInsertSql | | The SQL statement used to insert a record into the Audit table. |
| auditDatabaseJdbcDrive | | JDBC driver used to connect to the audit database server. Used only when auditSPI is set to database. |
| auditDatabaseJdbcUrl | | The JDBC URL used to connect to the audit database. Used only when auditSPI is set to database. |
| auditDatabasePassword | | The password that is used to connect to the audit database. Used only when auditSPI is set to database. |
| auditDatabaseUsername | | The user name that is used to connect to the audit database. Used only when auditSPI is set to database. |
| auditKey | sybase_ep | Key value used internally both to generate and verify audit requests. It ensures that outside clients cannot add audit information to the audit trail. You can change the value. |
| auditLog | audit.log (currently created in the $JAGUAR/bin directory) | The name of the file in which auditing information is written. This is the backup destination when auditSPI is set to either dbconncache or database. |
| auditOverflowLog | auditOverflow.log (typically created in the SYBASE directory; for example, on Windows: c:\sybase\auditOverflow.log) | The name of the file in which auditing information is written if an error occurs while writing to the primary audit destination. This is the secondary backup destination when auditSPI is set to either dbconncache or database. |
| auditSPI | file | |
Table 15-2 lists the authentication delegate properties.
| Property name | Default value | Description |
|---|---|---|
| adminRoleDN | | The DN for the admin role. |
| defaultDSORoleDN | | The DN for the default domain’s security officer. |
| guestRoleDN | | The DN for the guest role. |
| pluginRoleDN | | The distinguished name (DN) for the plug-in role. |
Table 15-3 describes properties used to manage the asset cache.
| Property name | Default value | Description |
|---|---|---|
| assetCacheSize | 1000 | Specifies the asset cache size. |
| assetCacheFlushPercentage | 10 | Specifies the percentage of the asset cache size at which the cache should be flushed. |
| cachemgrLog | | Specifies the path to the log file. This file is for logging plug-in cache and ACDB synchronization problems. |
Table 15-4 lists the properties that you must set to enable LDAP. For information about LDAP, see Chapter 10, “Configuring LDAP Authentication.”
| Property name | Default value | Description |
|---|---|---|
| attributeList | | User attributes that can be mapped to LDAP attributes. |
| ldap.AttributeMapper.certificateAttributes | | A comma-delimited list of attribute names that can be searched for in the supplied certificate. The attributes are extracted from the certificate DN. |
| ldap.AttributeMapper.directoryAttributes | | A comma-delimited list of the LDAP attributes that correspond to the ldap.AttributeMapper.certificateAttributes. |
| ldap.attributeMappingNames | | The subject attributes that are populated when authenticating an LDAP user. The currently supported attributes are: |
| ldap.attributeMappingValues | | The LDAP attributes that correspond to the subject attributes specified in ldap.attributeMappingNames: |
| ldap.connection.bindname | | The user name that should be used to initially establish the LDAP connection. Leaving this field blank means anonymous binding to the LDAP server. |
| ldap.connection.password | | The password for the name specified in ldap.connection.bindname. |
| ldap.certificateMapper | | Certificate mapper. |
| ldap.connection.host | none | The host name of the LDAP server. You can include multiple host names, delimited by a space character. You can also include the port number; for example: tsandee-pc:389. Port numbers within this property override the port number specified in the ldap.connection.port property. |
| ldap.connection.port | 389 | The port number at which the LDAP delegate connects. |
| ldap.followReferrals | true | Determines whether or not referrals are followed automatically when encountered by the delegate. |
| ldap.groups | | The properties that reside under this package define mappings from LDAP groups to Enterprise Security groups. The LDAP entry must be of the object class groupOfUniqueNames (static) or groupOfURLs (dynamic). [mapid] is a user-defined string that binds the two parameters together into one mapping. |
| ldap.connection.minpooled | | The minimum number of LDAP connections in the pool. |
| ldap.connection.maxpooled | | The maximum number of LDAP connections in the pool. |
| ldap.organizationMapper | none | The class name of a class that meets the qualifications specified in the Organization Mapping section. If this is not specified, any subjects who authenticate are placed in the root organization. |
| ldap.rebuildSubjects | | Specifies whether to copy subject information from LDAP into the ACDB every time a user authenticates. |
| ldap.roles | | The properties that reside under this package define mappings from LDAP groups to Enterprise Security roles. The LDAP entry must be of the object class groupOfUniqueNames (static) or groupOfURLs (dynamic). [mapid] is a user-defined string that binds the three parameters together into one mapping. |
| ldap.searchBase | | This allows retrieval of authenticated users. |
| ldap.searchFilter | &({UID_ATTR}={UID})(objectClass=inetOrgPerson) | The LDAP query used to retrieve a user’s LDAP record. Normally, this value is dynamically calculated using the attributes.uid property and a user-supplied credential. The user credentials are dynamically substituted for instances of the string {UID} before executing the query. The value of the uid_attr property is substituted for the {UID_ATTR} string. |
Table 15-5 lists the properties that configure the enhanced password security features. For more information, see Chapter 8, “Securing Accounts and Assets.”
| Property name | Allowed values | Default value | Description |
|---|---|---|---|
| passwordAllowedEncodings | Any valid encoding type. You can enter multiple values in a comma-delimited string. | SHA | Defines password encoding types. This affects validation for passwords already stored in the database. For example, to allow users whose passwords are stored using the MD5 encoding, the value must include “MD5”. |
| passwordAllowUnsaltedAuthentications | true or false | false | Specifies whether to allow users who have unsalted passwords defined in the database to be authenticated. This security check can be disabled when importing unsalted passwords from other sources; for example, from the iPlanet Directory Server, which stores unsalted passwords by default. |
| passwordDefaultEncoding | Any valid encoding type. Only a single type is allowed: either “TXT” or the name of a message digest algorithm defined by the java.security.MessageDigest class. | SHA | Defines the default encoding of the passwords that are stored by a SMAPI or other internal routine, such as a PasswordUtils class routine. |
| passwordRandomSaltLength | An integer. | 8 | The number of bytes of random salt data to generate whenever passwords are generated. In general, higher values provide more secure storage of the password. This formula determines the total size in bytes of the encoded password, which must be less than 64: round4(salt_bytes * 1.34) + round4(encoding_bytes * 1.34) + 3 + length_of_algorithm_name. The round4 operator rounds up to the nearest multiple of 4. Assuming the algorithm name is “SHA” (20 encoding bytes) and the number of salt bytes is 8, the size of the encoded password is round4(8 * 1.34) + round4(20 * 1.34) + 3 + 3 = 12 + 28 + 3 + 3 = 46 bytes. |
| passwordRandomSaltsEnabled | true or false | true | Allows the administrator to define whether to generate random salt data to encode with the user’s passwords when encoding new passwords. This data is included in the encoded password string immediately after the encoding, within the same curly brackets; for example: {SHA:base64encodedsalt}encodedPasswordData. If the value is false, unsalted passwords are always allowed to authenticate, and allowUnsaltedAuthentications is always true. |
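The size formula from the passwordRandomSaltLength row and the {SHA:base64encodedsalt}encodedPasswordData layout from the passwordRandomSaltsEnabled row, worked through in Python as an added example that is not part of the Sybase documentation or product code. The 1.34 factor is the base64 expansion and the +3 is the three delimiter characters, which the code confirms by building a real string of that shape; the assumption that the digest is taken over the salt followed by the password is mine (the page does not state the hashing order), and the verify function is an illustration of the allowed-encodings and unsalted checks, not the product's own routine.

```python
import base64
import hashlib
import hmac
import math
import os

# Java MessageDigest names used on the page mapped to hashlib names ("SHA" is SHA-1, 20 bytes).
JAVA_TO_HASHLIB = {"SHA": "sha1", "MD5": "md5"}

def round4(x):
    """The round4 operator from the table: round up to the nearest multiple of 4."""
    return int(math.ceil(x / 4.0) * 4)

def encoded_password_size(salt_bytes, algorithm):
    """Size in bytes of the encoded password string, per the table's formula.
    1.34 is the base64 expansion factor; +3 covers the '{', ':' and '}' delimiters."""
    encoding_bytes = hashlib.new(JAVA_TO_HASHLIB[algorithm]).digest_size
    return round4(salt_bytes * 1.34) + round4(encoding_bytes * 1.34) + 3 + len(algorithm)

def max_salt_length(algorithm, limit=64):
    """Largest passwordRandomSaltLength that keeps the encoded size under the 64-byte limit."""
    n = 0
    while encoded_password_size(n + 1, algorithm) < limit:
        n += 1
    return n

def _digest(algorithm, salt, password):
    # ASSUMPTION (not stated on the page): the digest is computed over salt || password.
    return hashlib.new(JAVA_TO_HASHLIB[algorithm], salt + password.encode("utf-8")).digest()

def encode_salted_password(password, algorithm="SHA", salt_bytes=8):
    """Produce the {ALG:base64salt}base64digest layout from the passwordRandomSaltsEnabled row."""
    salt = os.urandom(salt_bytes)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "{%s:%s}%s" % (algorithm, b64(salt), b64(_digest(algorithm, salt, password)))

def verify_salted_password(password, stored, allowed=("SHA",)):
    """Check a password against a stored string. Encodings outside `allowed` are refused
    (the passwordAllowedEncodings check) and unsalted strings such as {SHA}digest are
    refused, matching passwordAllowUnsaltedAuthentications=false."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    header, b64_digest = stored[1:].split("}", 1)
    algorithm, _, b64_salt = header.partition(":")
    if algorithm not in allowed or algorithm not in JAVA_TO_HASHLIB or not b64_salt:
        return False
    expected = base64.b64encode(_digest(algorithm, base64.b64decode(b64_salt), password))
    return hmac.compare_digest(expected.decode("ascii"), b64_digest)
```

With the defaults (SHA, 8 salt bytes) the generated string is exactly the 46 bytes the table computes, and max_salt_length shows the largest salt that still fits under the 64-byte limit for each algorithm.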
Table 15-6 defines the PortalSession properties.
| Property name | Default value | Description |
|---|---|---|
| keyFile | | The path to the encryption key file. |
| oldKeyFile | | The path to the old encryption key file. |
| sessionDuration | 3600 (seconds) | The duration of a portal session. This value must be the same as the value of the EAServer com.sybase.jaguar.server.authtimeout property, which is defined in the $JAGUAR/bin/Jaguar.props file. If you update either property, you must update both properties. |
| sessionPurgeInterval | 900 (seconds) | How often the service that removes expired sessions from the database runs. |
Table 15-8 defines the role mapping properties.
| Property name | Default value | Description |
|---|---|---|
| defaultRolemappingEnabled | true | If true, EAServer attempts to perform role mapping implicitly between J2EE roles and Enterprise Security roles, which eliminates the need to add role mappings to the security.properties file. For more information, see “Implicit role mapping”. |
| easerverRolemap.epdefault_0.epdn | PortalWebPlugin | The DN of the Enterprise Security PortalWebPlugin role. |
| easerverRolemap.epdefault_0.jagrole | PortalWebPlugin | The name of the EAServer role that maps to the Enterprise Security PortalWebPlugin role. |
| easerverRolemap.epdefault_1.epdn | PortalSecOfficer | The DN of the Enterprise Security PortalSecOfficer role. |
| easerverRolemap.epdefault_1.jagrole | PortalSecurityOfficer | The name of the EAServer role that maps to the Enterprise Security PortalSecOfficer role. |
| easerverRolemap.epdefault_2.epdn | PortalAdmin | The DN of the Enterprise Security PortalAdmin role. |
| easerverRolemap.epdefault_2.jagrole | PortalAdmin | The name of the EAServer role that maps to the Enterprise Security PortalAdmin role. |
| easerverRolemap.epdefault_3.epdn | PortalGuest | The DN of the Enterprise Security PortalGuest role. |
| easerverRolemap.epdefault_3.jagrole | PortalGuest | The name of the EAServer role that maps to the Enterprise Security PortalGuest role. |
Table 15-8 defines the distinguished name (DN) of the self-registration group.
| Property name | Default value | Description |
|---|---|---|
| selfRegistrationGroupName | SelfRegGroup | The DN of the self-registration group. |