Interstage Application Server V7.
Single Sign-on Operator's Guide - Preface

Trademarks

Trademarks of other companies are used in this user guide only to identify particular products or systems:
• Microsoft, Visual Basic, Visual C++, Windows, Windows NT, Internet Information Server, and Internet Explorer: registered trademarks of Microsoft Corporation in the U.S.A. and other countries
• Sun, Solaris, Java, and other trademarks containing Java: trademarks of Sun Microsystems, Inc., in the U.S.A.
Purpose of this Document

This manual describes the environment setup and operation procedures required for Interstage Single Sign-on operation.

Note: Throughout this manual Interstage Application Server is referred to as Interstage.

Who Should Read this Document?

It is assumed that readers of this manual have a basic knowledge of the following:
• The Internet
• SSL
• Apache
• Web Server
• LDAP and X.
Organization of this Document

This document is organized as follows:
• Chapter 1 Overview: This chapter outlines the concepts (e.g., system configuration) and functions of Interstage Single Sign-on.
• Chapter 2 Environment Setup (SSO Administrators): This chapter explains how to set up the authentication infrastructure environment for Interstage Single Sign-on.
Table of Contents (excerpt)

Chapter 1 Overview
• What Is Single Sign-on
  • Problems in Conventional Systems
  • Effects of Single Sign-on
  • Implementation Method
• Business system public URL
• Host Name of the Repository Server

Chapter 2 Environment Setup (SSO Administrators)
• Environment Setup Flow
• Setting the Reference System Repository Server Information in the Authentication Server
• Setting up a Repository Server and Authentication Server on a Single Machine
• Registering a Business System
  • Registration Flow of Business System

Chapter 4
• Stopping an Authentication Server
• Stopping a Repository Server
  • Stopping a Repository Server
  • Stopping an SSO Repository

Chapter 5
• Setting the Service Dependency
• Canceling the Service Dependency

Chapter 6 Troubleshooting
• Error Handling

Appendix A Samples of User Program Descriptions
• Registering a Role Configuration in the SSO Repository
• Registering User Information in the SSO Repository
• Deleting User Information from the SSO Repository
• Adding a User Role
Chapter 1 Overview

This chapter provides an outline and description of the functions of Interstage Single Sign-on.
What Is Single Sign-on

A business information system uses multiple Web servers and Web services together. Users normally have to enter a separate ID and password for each Web server and Web service. The Single Sign-on function lets a user obtain access to multiple Web servers and Web services with a single sign-on (authentication) operation.
Figure 1-1

Problems in Conventional Systems

Reduced User Convenience: Since each system has its own authentication function, a user must be authenticated every time they use a system. User information (user ID and password) is also managed separately by each system, so the user must enter a user ID and password to authenticate to each one, and must memorize and manage a user ID and password for each system.
Low Level of Security: The overall security level of an information system that contains multiple subsystems is equal to the lowest security level among its subsystems. Even if one subsystem is equipped with an advanced security function based on the latest security architecture, that function only raises the security of the system as a whole when every other subsystem is brought up to the same level.
Figure 1-2 Comparison of a Conventional System and an Interstage Single Sign-on System

Implementation Method

Interstage Single Sign-on is implemented in the "agent style". In the agent style, an agent is placed on each business server, and that agent decides whether the user needs to be authenticated. When authentication is necessary, the agent asks the authentication server to perform it.
Basic System Configuration

The Interstage Single Sign-on system basically consists of an authentication infrastructure, a business system, and clients. The authentication infrastructure has an authentication server, a repository server, and an SSO repository. The business system has a business server.

Figure 1-4 Basic System Configuration

Users access the system from a Web browser on a client.
If a user accesses the business system without having been authenticated, the Web browser is automatically redirected to the Authentication infrastructure URL and the user is prompted to authenticate. When authentication succeeds, the Web browser is automatically redirected back to the URL that was requested first.

Note
• The authentication server and the business server cannot be set up on the same machine.
Note: The repository server is provided by the following products:
• Interstage Application Server Enterprise Edition
• Interstage Application Server Standard Edition
• Interstage Application Server Plus

SSO Repository

The SSO repository is a single directory that holds the information about all users of the Single Sign-on system and about the resources associated with each business server. Interstage Smart Repository is used as the SSO repository.
2. When Setting Up the Authentication Server on Multiple Machines and the Repository Server on a Machine (Middle-scale System: Balancing the Authentication Server Load)

This configuration is suitable when the number of users of the business system and the volume of simultaneous access to it are large. A load balancer is placed in front of multiple authentication servers to distribute the authentication load.
Figure 1-7 Setting Up the Repository Server and Authentication Server on Multiple Machines Individually (Large Scale System)

4. When Setting Up the Repository Server and the Authentication Server on a Single Machine (Small-scale System)

This system configuration sets up the authentication infrastructure (repository server and authentication server) on one machine.
Business System

The business system provides users with Web-based services. It basically consists of a business server and the Web systems and services operated on that business server.

Business Server

When a user requests access to the business system, the business server asks the authentication infrastructure to authenticate the user. At the same time, the business server authorizes the authenticated user to use the requested services.
Figure 1-9 Setting Up a Business Server on a Machine

2. When Setting Up Business Servers on Multiple Machines

This system configuration places a load balancer between the client and multiple business servers to balance the load of the business servers. Three or more business servers can be implemented.
Client

With Interstage Single Sign-on, a user uses the business system from a Web browser on a client.

Supported Web Browsers

The following table lists the Web browsers that can be used on the client.

Table 1-1 Supported Web Browsers

Web browser                        Version and level
Netscape Communicator              4.6, 4.7, 4.72, 4.73, 4.75, 4.78
Microsoft(R) Internet Explorer     5.01, 5.5, 6.0

Web Browser Setup
• Set up the browser to accept cookies.
• Enable JavaScript.
Administrators

To operate Interstage Single Sign-on, the SSO (Single Sign-on) administrator must manage the authentication infrastructure and also coordinate with the administrator of each business server linked to Single Sign-on.

SSO Administrator

The SSO administrator manages the authentication infrastructure.
Authentication

Authentication is the operation used to verify the identity of any person who attempts to use the system. This section explains the authentication functions provided with Interstage Single Sign-on.
A re-authentication interval can also be specified for authentication. When a re-authentication interval is specified, an authenticated user is asked to authenticate again once the specified time has elapsed since the first authentication. This limits the window in which a third party could misuse the Web system if a user leaves the client computer unattended for a long time after authenticating.
When form authentication is used, users can either access the business system, which redirects them for authentication, or access the Authentication infrastructure URL directly from a Web browser to authenticate. To access the authentication infrastructure directly, use the following URL:

Authentication infrastructure URL/ssoatcag (*1)(*2)

In the following explanation, the URL above is referred to as the "URL of Form authentication".

*1 Specify the port number explicitly, even when it is 443.
Figure 1-13 Form Authentication Page in Microsoft(R) Internet Explorer 6.0

Example: Basic authentication dialog for Microsoft(R) Internet Explorer 6.0
Figure 1-14 Authentication Window for Microsoft(R) Internet Explorer 6.0

Example: Basic authentication dialog for Netscape Communicator 4.75

Figure 1-15 Basic Authentication Window for Netscape Communicator 4.75

Certificate Authentication

This authentication method authenticates a user with a client certificate. It is convenient when the computer the user works from is fixed, because the certificate and its private key must be installed on that computer.
Certificate Information

For certificate authentication, Interstage Single Sign-on refers to the owner name (Subject), the owner alias (Subject Alternative Name) and the extension information contained in the presented certificate. One of the following items of information must therefore be stored in the certificate.
Figure 1-16 Certificate Selection Window for Microsoft(R) Internet Explorer 6.0

Example: Certificate selection window for Netscape Communicator 4.75
Figure 1-17 Certificate Selection Window for Netscape Communicator 4.75

On Netscape Communicator, the following window opens after the certificate selection window.

Figure 1-18 Password Entry Dialog Window

The "password" or "PIN" confirms that the person at the browser is entitled to use the selected certificate (it unlocks the private key that belongs to it). When a valid password or PIN is entered, the selected certificate is presented to the Web server.
Checking the Validity of a Certificate

The authentication server can check the validity of the certificate presented for certificate authentication. Validity is checked against the certificate revocation list (CRL) registered on the authentication server; the CRL lists the certificates that have been revoked. If a presented certificate appears in the CRL, authentication fails. Because the registered CRL is a snapshot, a certificate revoked after that CRL was issued is still accepted until an updated CRL is registered, so keep the registered CRL current.
Password Authentication and Certificate Authentication

This authentication method treats authentication as successful only when both certificate authentication and password authentication have completed successfully. The user is first asked to complete certificate authentication; when that succeeds, the user is then asked to complete password authentication.
Item                          Description
Role name/role set name       Name of the role or role set assigned to the user. Multiple roles or role sets can be set. The role and role set names set in user information must be those defined by the role configuration.
Re-authentication interval    Time from authentication until the user is next required to re-authenticate.
Validity period start time    Date and time from which the user can start using Single Sign-on.
Certificate Selection Windows

If no certificate (or only one certificate) is registered on the client computer, display of the certificate selection window can be suppressed during certificate authentication. The following explains how to suppress the certificate selection window in Microsoft(R) Internet Explorer and Netscape Communicator.
Figure 1-21 Security Settings

Example: Netscape Communicator 4.78

Select [Communicator] > [Tools] > [Security Info], and in the window displayed select [Navigator]. Then select "Select Automatically" for [Certificate to identify you to a web site].
Figure 1-22 Netscape Navigator Screen

Restrictions on Authentication

Interstage Single Sign-on provides several functions to prevent unauthorized access: requesting re-authentication after a specified time has elapsed, setting a validity period for each user, and a lockout function that refuses further password input after a number of consecutive invalid passwords.
When an authenticated user connects to the business system from a client computer with a different IP address, the user is asked to authenticate again regardless of the re-authentication interval setting.

Figure 1-23 Interstage Single Sign-on Authentication

Re-authentication intervals can be set using the following methods.
For details of the user information stored in the SSO repository, refer to "User Information Entry". For details of the settings on the Interstage Management Console, refer to the Operator's Guide.
User Validity Period

Validity periods can be set for users in Interstage Single Sign-on. For example, if information about new employees is stored in the SSO repository in advance, the validity period can be set so that authentication becomes possible on the first day of employment, with the projected last day of employment as the validity period end date.
Figure 1-25 Lockout in Single Sign-on Authentication

If a user fails password authentication a specified number of consecutive times, the lockout function locks the user and a message is sent to the user's client computer. The message shown in Figure 1-26 notifies the user that authentication has failed. Whether this message is displayed is configured in the environment setup of the authentication server.

Figure 1-26 Screen Displayed when User is Locked Out

When a locked user attempts to authenticate, the following window is displayed in the Web browser.

Figure 1-27 Screen Displayed when User has been Locked

Note: Locked users cannot use Interstage Single Sign-on (not even with certificate authentication) until they are unlocked.
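The restrictions described in this section (re-authentication interval, forced re-authentication on an IP address change, user validity period, and lockout after consecutive password failures, which also blocks certificate authentication) can be modelled in a few functions. The following is an added example, not Interstage code: the field names, the fixed lockout threshold and the sample dates are assumptions; the product reads these values from the SSO repository and from the authentication server's environment settings.

```python
"""The authentication restrictions described above (re-authentication
interval, forced re-authentication on an IP address change, user validity
period, lockout after consecutive password failures) modelled in plain Python.
Added example, not Interstage code: the field names, the fixed lockout
threshold and the sample dates are assumptions; the product reads these
values from the SSO repository and the authentication server's environment
settings."""

from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

LOCKOUT_THRESHOLD = 3   # assumed; the real value is an environment setting


@dataclass
class UserEntry:
    user_id: str
    reauth_interval: Optional[timedelta]   # None: no per-user re-authentication interval
    valid_from: Optional[datetime] = None
    valid_until: Optional[datetime] = None
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Session:
    user_id: str
    authenticated_at: datetime
    client_ip: str


def within_validity_period(user: UserEntry, now: datetime) -> bool:
    """Start and end are taken as inclusive bounds (an assumption)."""
    if user.valid_from is not None and now < user.valid_from:
        return False
    if user.valid_until is not None and now > user.valid_until:
        return False
    return True


def may_attempt_authentication(user: UserEntry, now: datetime) -> bool:
    """A locked user is refused whatever the method, certificate authentication
    included; so is a user outside the validity period."""
    return not user.locked and within_validity_period(user, now)


def record_password_result(user: UserEntry, success: bool) -> bool:
    """Maintain the consecutive-failure counter; returns True if the user is locked."""
    if success:
        user.failed_attempts = 0
    else:
        user.failed_attempts += 1
        if user.failed_attempts >= LOCKOUT_THRESHOLD:
            user.locked = True
    return user.locked


def unlock(user: UserEntry) -> None:
    """Administrative unlock; nothing else clears the locked state."""
    user.locked = False
    user.failed_attempts = 0


def must_reauthenticate(session: Session, user: UserEntry, now: datetime, client_ip: str) -> bool:
    """A request from a different IP address always forces re-authentication;
    otherwise re-authenticate once the interval has elapsed."""
    if client_ip != session.client_ip:
        return True
    if user.reauth_interval is None:
        return False
    return now - session.authenticated_at >= user.reauth_interval


def demo() -> Dict[str, bool]:
    """Walk through the scenarios in the text with constructed sample data."""
    t0 = datetime(2005, 4, 1, 9, 0)
    user = UserEntry("user001", reauth_interval=timedelta(minutes=30),
                     valid_from=datetime(2005, 4, 1), valid_until=datetime(2006, 3, 31))
    session = Session("user001", authenticated_at=t0, client_ip="192.0.2.10")
    results = {
        "same_ip_within_interval": must_reauthenticate(session, user, t0 + timedelta(minutes=10), "192.0.2.10"),
        "same_ip_after_interval": must_reauthenticate(session, user, t0 + timedelta(minutes=30), "192.0.2.10"),
        "different_ip": must_reauthenticate(session, user, t0 + timedelta(minutes=1), "192.0.2.11"),
        "before_validity_start": may_attempt_authentication(user, datetime(2005, 3, 31, 23, 0)),
    }
    for _ in range(LOCKOUT_THRESHOLD):
        record_password_result(user, success=False)
    results["locked_after_failures"] = user.locked
    results["locked_user_refused"] = not may_attempt_authentication(user, t0)
    unlock(user)
    results["unlocked_user_admitted"] = may_attempt_authentication(user, t0)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that `may_attempt_authentication` takes no authentication method argument: the lock is checked before the method is considered, which is what makes a locked user fail certificate authentication as well.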
Authorization

Authorization is the process that checks whether the user who requests access to a resource is allowed to access it. A user who requests a resource, for example an HTML document, image data or voice data published on a Web server, or a CGI application running on a Web server, is checked for permission to access that resource.
• Therefore, the accountant can access only the resources "employment regulations" and "settlement information."

Multiple roles can be grouped as a role set. In the above example:
• The role set "sales department" contains the two roles "overseas sales" and "domestic sales."
• Because the resource "sales information" permits access by both "overseas sales" and "domestic sales", the role set "sales department" can be set for the resource.
Figure 1-29 Information Required for Authorization Using Roles

Role Configuration

The role and role set names to be used are registered as a role configuration. Roles are used to authorize the users who access the business system, and must be designed on the basis of the departments and duties of those users. To define a post, e.g., "general employee" or "manager," or a department, e.g.
Examples of Roles

Table 1-5 Role

Post/department              Role name
General employee             employee
Executive officer            executives
Accounting department        finance department
Administration department    administration department

Example of Role Set

Table 1-6 Role Set

Post/department    Role set name    Contained roles
All employees      all              employee, executives

User Information

For details of user information, refer to "User information".
Note: If a role or role set name set in the path configuration is not defined by the role configuration, access control information cannot be updated on the business server. The role and role set names set in the path configuration must match those defined in the role configuration.
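The role, role set and path configuration described above can be reduced to a small authorization check. The following is an added example, not Interstage code: the dict layout of the two configurations, longest-prefix matching of protection paths, and the sample data (modelled on the sales department / accountant example in the text) are assumptions. It also enforces the note above: a path configuration that names an undefined role or role set is rejected up front rather than silently denying access.

```python
"""Role / role set authorization as described for Interstage Single Sign-on.
Added example, not Interstage code: the dict layout for the role and path
configurations, longest-prefix matching of protection paths and the sample
data (taken from the sales/accountant example in the text) are assumptions."""

from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class RoleConfiguration:
    """Role configuration: the defined role names and role sets (name -> member roles)."""
    roles: Set[str]
    role_sets: Dict[str, Set[str]] = field(default_factory=dict)

    def defined_names(self) -> Set[str]:
        return self.roles | set(self.role_sets)

    def expand(self, names: Set[str]) -> Set[str]:
        """Flatten a mix of role names and role set names into plain role names."""
        out: Set[str] = set()
        for name in names:
            out |= self.role_sets.get(name, {name})
        return out


class PathConfigurationError(ValueError):
    """A protection path names a role or role set the role configuration does not
    define; the business server refuses to update its access control information."""


class Authorizer:
    def __init__(self, config: RoleConfiguration, path_config: Dict[str, Set[str]]) -> None:
        defined = config.defined_names()
        for path, names in path_config.items():
            undefined = names - defined
            if undefined:
                raise PathConfigurationError(f"{path}: undefined role(s) {sorted(undefined)}")
        self.config = config
        self.path_config = path_config

    def permitted_roles(self, path: str) -> Optional[Set[str]]:
        """Roles (role sets expanded) allowed on the most specific matching
        protection path, or None when the path is not a protection resource."""
        match = None
        for prefix in self.path_config:
            if path.startswith(prefix) and (match is None or len(prefix) > len(match)):
                match = prefix
        return None if match is None else self.config.expand(self.path_config[match])

    def is_allowed(self, user_roles: Set[str], path: str) -> bool:
        permitted = self.permitted_roles(path)
        if permitted is None:
            return True  # not a protection resource: no role required
        # user information may name role sets as well as roles, so expand both sides
        return bool(self.config.expand(user_roles) & permitted)


# Constructed sample data modelled on the example in the text.
ROLE_CONFIG = RoleConfiguration(
    roles={"overseas sales", "domestic sales", "accountant"},
    role_sets={"sales department": {"overseas sales", "domestic sales"}},
)
PATH_CONFIG = {
    "/sales/": {"sales department"},                      # "sales information"
    "/regulations/": {"sales department", "accountant"},  # "employment regulations"
    "/settlement/": {"accountant"},                       # "settlement information"
}
AUTHORIZER = Authorizer(ROLE_CONFIG, PATH_CONFIG)

if __name__ == "__main__":
    for roles, path in [({"accountant"}, "/settlement/2005.html"),
                        ({"accountant"}, "/sales/q1.html"),
                        ({"domestic sales"}, "/sales/q1.html")]:
        print(sorted(roles), path, "->", "allow" if AUTHORIZER.is_allowed(roles, path) else "deny")
```

Expanding role sets on both the resource side and the user side is what lets a user whose entry carries the role set name "sales department" reach a resource configured with the plain role "domestic sales", and vice versa.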
Updating Access Control Information

The business server retains the access control information fetched from the SSO repository, to reduce the load on the repository server and to speed up its own processing. If the access control information (role configurations, protection resources) registered in the SSO repository is changed, the access control information retained in the business server must be updated.
• If the access control information is updated while the business server is active, access a protection resource after the update to confirm that authentication and authorization are performed normally. If they are not, the update may have failed. If the update of access control information fails, the business server responds to every user access with "500 Internal Server Error".
High-Performance and High-Reliability System

Interstage Single Sign-on supports high-performance and high-reliability configurations, including client certificate verification, high-speed SSL communication, load balancing, and increased availability.

Load Balancing

When authentication requests from users converge on a single authentication server, the load on that server rises. The load can be distributed by adding authentication servers.
Figure 1-31 Load Balancing among Authentication and Repository Servers

The figure above shows load balancing among authentication and repository servers. Authentication requests from clients are distributed across the authentication servers by a load balancer, e.g., Interstage Traffic Director.
For an example of a system configuration in which multiple authentication servers are arranged to distribute the authentication server load, see "When Setting Up the Authentication Server on Multiple Machines and the Repository Server on a Machine" under "Basic Configurations of Authentication Infrastructure" in "Authentication Infrastructure".
Figure 1-32 Increasing System Availability

After the authentication server has automatically switched its requests to another repository server (reference system), and the re-connection interval specified in the authentication server's environment settings has elapsed, it automatically attempts to reconnect to the repository server (reference system) that was the previous destination of its authentication requests.
Figure 1-33 Standby Repository Takes Over in the Event of a Failure

This means that the Interstage Single Sign-on service can continue operating without interruption when multiple repository servers (reference systems) are installed.
• If the repository server (update system) stops because of a problem, user authentication fails even when a repository server (reference system) is operating normally.
• The authentication server may attempt to reconnect to the repository server that failed first before the re-connection interval (specified as an environment setting on the authentication server) has elapsed.
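The failover behaviour described for the repository servers (reference system), switching to another server on failure and retrying the previous one once the re-connection interval has elapsed, is shown below as an added example. It is not Interstage code: the server list, the injected lookup callback and the exact way the interval is applied (retry the previous server first once it has elapsed, restart the interval if it is still down) are assumptions made for illustration.

```python
"""Failover between repository servers (reference system) with a re-connection
interval, as described above.  Added example, not Interstage code: the server
list, the injected lookup callback and the exact way the interval is applied
(retry the previous server first once it has elapsed) are assumptions."""

from __future__ import annotations

from typing import Callable, Optional, Sequence


class ReferenceRepositoryFailover:
    def __init__(self, servers: Sequence[str], reconnect_interval: float) -> None:
        self.servers = list(servers)          # reference repository servers, preferred first
        self.interval = reconnect_interval    # seconds; an authentication server environment setting
        self.current = 0                      # index currently receiving authentication requests
        self.previous: Optional[int] = None   # server switched away from, if any
        self.switched_at: Optional[float] = None

    def query(self, now: float, lookup: Callable[[str], dict]) -> dict:
        """Run `lookup` against a reference repository server.  On ConnectionError,
        fall over to the next server.  Once `interval` seconds have passed since a
        switch, the server previously in use is tried first again."""
        order = [self.current] + [i for i in range(len(self.servers)) if i != self.current]
        if self.previous is not None and now - self.switched_at >= self.interval:
            order.remove(self.previous)
            order.insert(0, self.previous)
        for idx in order:
            try:
                result = lookup(self.servers[idx])
            except ConnectionError:
                if idx == self.previous:
                    self.switched_at = now   # still down: wait a full interval before retrying
                continue
            if idx == self.previous:          # previous server is back: return to it
                self.current, self.previous, self.switched_at = idx, None, None
            elif idx != self.current:         # failover to another server
                self.previous, self.current, self.switched_at = self.current, idx, now
            return result
        raise ConnectionError("no repository server (reference system) is reachable")


def make_lookup(down: set) -> Callable[[str], dict]:
    """Constructed stand-in for an LDAP lookup: servers named in `down` fail."""
    def lookup(server: str) -> dict:
        if server in down:
            raise ConnectionError(server)
        return {"server": server, "user": "user001"}
    return lookup


if __name__ == "__main__":
    down: set = set()
    failover = ReferenceRepositoryFailover(["rep1", "rep2"], reconnect_interval=60)
    print(failover.query(0, make_lookup(down))["server"])    # rep1
    down.add("rep1")
    print(failover.query(1, make_lookup(down))["server"])    # rep2 (failover)
    down.clear()
    print(failover.query(30, make_lookup(down))["server"])   # rep2 (interval not elapsed)
    print(failover.query(61, make_lookup(down))["server"])   # rep1 (reconnected)
```

The model deliberately covers only the reference system; as the first bullet above says, a failure of the repository server (update system) fails authentication regardless of how many reference systems are reachable, so it cannot be hidden by this kind of switching.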
To use SSL Accelerator with Interstage Single Sign-on, set up SSL Accelerator as follows:

Client Authentication: When the authentication method is "certificate authentication" or "password authentication and certificate authentication," select "client authentication". For the configuration method, see the SSL Accelerator instruction manual.
Figure 1-36 Example of Screen Shown when Page Cannot be Displayed

Linkage with Application Gateway

The reverse function of Application Gateway can be used to give clients on the Internet access to the intranet more safely, since the gateway relays requests instead of exposing the intranet servers directly.
The settings for a system set up using the Application Gateway reverse function are explained below.

Remark
• In a system linked with Application Gateway, the following authentication method can be used for users accessing from the Internet:
  − Password authentication
• When SSL communication is used between Application Gateway and the authentication server, security can be further enhanced.
Examples of the reverse settings in the figure above are shown in the table below. In the request-source URL entered in the business server reverse settings, specify a separate directory level for each business server, for example /www1/, /www2/.

Table 1-7 Reverse Settings

Request-source URL                  Conversion control   Relay-destination URL      Remarks
https://sd.fujitsu.com:443/www1/    <---------->         http://www.fujitsu.
Figure 1-38 Using SSL Communication between Application Gateway and Authentication Server

To operate with this system configuration, use the following settings.

Setup of Application Gateway
• Reverse Settings: Examples of the reverse settings in the figure above are shown in the table below. In the request-source URL entered in the business server reverse settings, specify a separate directory level for each business server, for example /www1/, /www2/.
• Clients in the intranet cannot access the protection resources in the business system.
• Note the following points when designing business systems:
  − The first level of the URL path of each business system must be unique.
  − The root path ("/") of the business system cannot be accessed by clients.
Request-source URL                  Conversion control   Relay-destination URL                 Remarks
https://sd.fujitsu.com:443/dir2/    <----------          https://sd.fujitsu.com:443/dir2/
https://sd.fujitsu.com:443/dir3/    <---------->         http://www2.fujitsu.com:80/dir3/
https://sd.fujitsu.com:443/dir3/    <----------          https://sd.fujitsu.com:443/dir3/
https://sd.fujitsu.com:443/auth/    <---------->         http://auth.fujitsu.com:80/           Reverse settings of authentication server
https://sd.fujitsu.com:443/auth/    <----------          https://sd.fujitsu.
[Using SSL communication between Application Gateway and authentication server]

Figure 1-40 Using SSL Communication between Application Gateway and Authentication Server

Setup of Application Gateway
• Reverse Settings: Examples of the reverse settings in the figure above are shown in the table below.
When the HTTP response carries a Set-Cookie header whose path and domain match the directory and server name of a Relay-destination URL defined in Table 1-10, set the path and domain so that they are replaced by those of the corresponding Request-source URL; otherwise the browser scopes the cookie to the intranet host and never returns it through the gateway.

Setup of authentication server
• To create SSL configurations on the authentication server, select the [System] > [Security] > [SSL] > [Create a new SSL Configuration] tab.
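The URL mapping and Set-Cookie rewriting that the reverse settings require are shown below as an added example, not Application Gateway code. The mapping table uses the two complete rows quoted in the reverse-settings tables above; the parsing and rewriting rules, the SSOID cookie name used in the demonstration, and the extra step of adding the Secure attribute when the client-facing scheme is https are our assumptions (the text itself only requires Path and Domain to be rewritten). Redirect mapping goes beyond the text in the same spirit: a Location header issued by the intranet server has to be mapped back to the request-source URL or the browser would try to follow it directly.

```python
"""URL and Set-Cookie rewriting of the kind an Application Gateway reverse
setting has to perform, modelled on the complete rows of the reverse-settings
tables above.  Added example, not Application Gateway code: the parsing and
rewriting rules, the SSOID cookie name in the demo and the extra step of adding
Secure when the client-facing scheme is https are our assumptions (the text
itself only requires Path and Domain to be rewritten)."""

from __future__ import annotations

from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# (request-source URL seen by the client, relay-destination URL on the intranet)
REVERSE_SETTINGS: List[Tuple[str, str]] = [
    ("https://sd.fujitsu.com:443/dir3/", "http://www2.fujitsu.com:80/dir3/"),
    ("https://sd.fujitsu.com:443/auth/", "http://auth.fujitsu.com:80/"),
]


def _longest_match(url: str, side: int) -> Optional[Tuple[str, str]]:
    """Row whose column `side` (0 = request-source, 1 = relay-destination) is the
    longest prefix of `url`, or None if no reverse setting applies."""
    best = None
    for row in REVERSE_SETTINGS:
        if url.startswith(row[side]) and (best is None or len(row[side]) > len(best[side])):
            best = row
    return best


def to_relay_destination(client_url: str) -> Optional[str]:
    """Client-side URL -> intranet URL.  None means the gateway must refuse it
    (for instance the root path, which the text says clients cannot access)."""
    row = _longest_match(client_url, 0)
    return None if row is None else row[1] + client_url[len(row[0]):]


def to_request_source(intranet_url: str) -> Optional[str]:
    """Intranet URL -> client-side URL, e.g. for Location headers in redirects."""
    row = _longest_match(intranet_url, 1)
    return None if row is None else row[0] + intranet_url[len(row[1]):]


def rewrite_set_cookie(header: str, relay_destination: str) -> str:
    """Re-scope a Set-Cookie header issued by the relay destination to the
    request-source host and directory, so the browser sends the cookie back
    through the gateway.  Attributes that do not match are left unchanged."""
    row = _longest_match(relay_destination, 1)
    if row is None:
        return header
    src, dst = row
    src_parts, dst_parts = urlsplit(src), urlsplit(dst)
    src_path, dst_path = src_parts.path or "/", dst_parts.path or "/"

    parts = [p.strip() for p in header.split(";")]
    out = [parts[0]]                       # the name=value pair is never touched
    secure = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        k = key.lower()
        if k == "domain" and value.lstrip(".").lower() == dst_parts.hostname:
            out.append(f"Domain={src_parts.hostname}")
        elif k == "path" and value.startswith(dst_path):
            # keep the sub-path below the relay directory, re-rooted at the source directory
            out.append("Path=" + src_path.rstrip("/") + "/" + value[len(dst_path):].lstrip("/"))
        else:
            secure = secure or k == "secure"
            out.append(attr)
    if src_parts.scheme == "https" and not secure:
        out.append("Secure")               # client leg is TLS even though the relay leg is not
    return "; ".join(out)


if __name__ == "__main__":
    print(to_relay_destination("https://sd.fujitsu.com:443/auth/ssoatcag"))
    print(to_request_source("http://auth.fujitsu.com:80/login"))
    print(rewrite_set_cookie("SSOID=abc; Path=/; Domain=auth.fujitsu.com",
                             "http://auth.fujitsu.com:80/ssoatcag"))
```

The `/auth/` row is the one that matters most: the authentication server issues its cookie with Path=/ on its own host, and without the rewrite the browser would scope the cookie to auth.fujitsu.com and never present it on requests for https://sd.fujitsu.com:443/auth/.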
Choosing URLs

This section describes how to choose the Authentication infrastructure URL, the Business system public URL, and the host name of the repository server.

Authentication infrastructure URL

The Authentication infrastructure URL depends on the combination of load balancer, Application Gateway, and SSL Accelerator in use. The following describes example combinations with Interstage Traffic Director, Application Gateway, and SSL Accelerator.
Figure 1-42 Using Interstage Director to Balance the Load on the Authentication Server

Using SSL Accelerator

The FQDN of the Authentication infrastructure URL is the FQDN of the authentication server, and its port number is the port number of SSL Accelerator.
Figure 1-44 Using Both SSL Accelerator and Interstage Traffic Director

Linking with Application Gateway and Using SSL Communication between Application Gateway and Authentication Server

The FQDN and port number of the Authentication infrastructure URL are those of the authentication server (*1). The Authentication infrastructure URL therefore differs from the URL seen by the client.
Linking with Application Gateway and Using Non-SSL Communication between Application Gateway and Authentication Server

[To enable only clients on the Internet to access]

The FQDN and port number of the Authentication infrastructure URL are the FQDN and port number of Application Gateway, respectively. The scheme of the Authentication infrastructure URL is "https".
Figure 1-47 Non-SSL Communication between Application Gateway and Authentication Server Viewed from the Client

*2 When Interstage Traffic Director is installed between Application Gateway and the authentication server, treat Application Gateway as the client and derive the Authentication infrastructure URL from the explanation for Figure 1-45. Use the FQDN of the URL obtained in place of the FQDN of the authentication server.
Figure 1-48 Combining No Other Equipment or Product

Using Interstage Traffic Director for Balancing the Load on the Authentication Server

The FQDN and port number of the Business system public URL are those of the virtual IP address set for Interstage Traffic Director.
Figure 1-50 Using SSL Accelerator

Using both SSL Accelerator and Interstage Traffic Director

The FQDN of the Business system public URL is the FQDN of the virtual IP address set for Interstage Traffic Director, and its port number is the port number of SSL Accelerator.
Figure 1-52 Linking with Application Gateway and Enabling Clients on the Internet and Intranet to Access

*1 For further details, refer to "Linkage with Application Gateway".
*2 When Interstage Traffic Director or SSL Accelerator is installed between Application Gateway and the business server, treat Application Gateway as the client and derive the Business system public URL according to the explanation above.
Choosing URLs Figure 1-53 Linking with Application Gateway and Enabling only Internet Clients to Access *1 For further details, refer to "Linkage with Application Gateway". Note When using SSL Accelerator with the mechanism that uses the virtual IP address as transfer measure, the FQDN of the Business system public URL are the FQDN of the IP address set for SSL Accelerator.
Not Using a Cluster System

The host name of the repository server (update system) is the host name of the machine on which the repository server (update system) is set up.

Figure 1-54 Not Using a Cluster System

Using a Cluster System

The host name of the repository server (update system) is the name shared by the operational node and the standby node of the cluster system.
Chapter 2 Environment Setup (SSO Administrators)

This chapter explains the setup of the authentication infrastructure environment. Use the Interstage Management Console to set up the Interstage Single Sign-on environment. Refer to the Operator's Guide for details of starting the Interstage Management Console and of the items to be defined in it.
Environment Setup Flow

Authentication infrastructure environment setup consists of the following four operations:
• Preparation for Environment Setup (SSO repository design, preparation of a user program)
• Repository Server Setup
• Setup of Authentication Server
• Registering a Business System

Set up the environment according to the intended operation; the steps required depend on the system configuration.
Flow of Environment Setup by Systems

Figure 2-1 Flow of Environment Setup
Table 2-1 shows the steps required for the environment setup of the following types of system:
• Setting up the authentication server on a machine and the repository server on another machine
• Setting up the authentication server on multiple machines and the repository server on one machine
• Setting up the authentication server and the repository server on multiple machines individually
• Adding an authentication server to an authentication infrastructure that is already set up

Table 2-1 Environment Setup (steps, by system type)
• Preparation for Environment Setup
• Work for setting up repository server (reference system)
• Setup of authentication server
• Setting up of SSL co

Remark: Use of the authentication infrastructure configuration spreadsheet. The authentication infrastructure configuration spreadsheet (middle-scale system) is available.
Filenames and Location of the Authentication Infrastructure Configuration Spreadsheet
File name of the Authentication Infrastructure Configuration Spreadsheet:
• SSO_Auth_L.xls: Use this sheet to set up authentication servers and repository servers on multiple machines.
• SSO_Auth_M.
Preparation for Environment Setup
Prepare a user program and design an SSO repository before environment setup.
Designing an SSO Repository
In Interstage Single Sign-on, the SSO repository collectively manages the information required for authentication and authorization. This section explains the items to be designed before creation of an SSO repository.
Designing a Registration Destination Entry
Design the entry in which role configuration, user information, and protection resources are to be registered in the SSO repository. Define the registration destination entry when creating an SSO repository.
User Information Example
This example shows a design for registering information about two users in the following registration destination entry:
User information registration destination entry: ou=User,ou=interstage,o=fujitsu,dc=com
Table 2-3 Register User Information
Item: user001 / user002
User information: cn=user001 / cn=user002
Authentication method: Certificate authentication / Certificate authentication
User ID: user001 / user002
Password: 00123401 / 0
Figure 2-3 Role Configuration and User Information Registration Destinations
Preparation for a User Program
To install Interstage Single Sign-on, prepare a user program for operating the SSO repository in the following ways:
• Registering role configuration in the SSO repository
• Registering user information in the SSO repository
• Deleting user information from the SSO repository
• Adding a user role
• Deleting a user role
• Displaying user lock status
• Di
Repository Server Setup
This section describes the procedure for setting up a repository server as part of the authentication infrastructure. Use the Interstage Management Console on the machine where the repository server is set up. Refer to the Operator's Guide for details of starting the Interstage Management Console and of the items to be defined in it.
Setting up a Repository Server for Addition of a Repository Server (Reference System)
Perform the following procedure to add a repository server (reference system) during operation:
Set up an SSL communication environment of the repository server (update system)
This step is not required when an SSL communication environment has already been set up in the repository server (update system).
− Administrator DN password (re-enter): Re-enter the password for the SSO administrator.
− Public Directory (*1): 'ou=interstage,o=fujitsu,dc=com' has been specified. Change this directory as necessary.
− Create Default Tree? (*1): Click 'Yes.
Detailed settings
Database Configuration
− Maximum number of searchable entries: Maximum number of entries that can be searched. The default is '500 entries'. Change the value as necessary.
− Cache Size: The default is '1,000 pages'. One page consists of 4 kilobytes. Change the value as necessary.
− Search Timeout: The default is '3,600 seconds'. Change the value as necessary.
− User password encryption method (*1): Select 'SHA.
4. Check the checkbox of the created SSO repository and click the Start button to start the SSO repository.
Registering User Information and Role Configuration in the SSO Repository
Register user information and role configuration in the SSO repository with the user program. Refer to Preparation for a User Program for details about the user program. User information can be imported from the database (source data) to the SSO repository using a command.
Figure 2-4 Importing User Information from the Database to the SSO Repository
The procedure for importing user information from the database (source data) to the SSO repository is described below:
1. Set the CLASSPATH environment variable
2. Create the operation information file
3. Execute the ssoimportum command
(1) Set the CLASSPATH environment variable
Use JDBC to connect to the database. The JDBC driver for connection to the database must be prepared.
Conditions for connection and an example of the settings that should be made are shown below.
Database to be connected to: Oracle8i
JDBC driver storage directory: C:\temp\classes12.zip and C:\temp\nls_charset12.zip
C:\>set CLASSPATH=%CLASSPATH%;C:\temp\classes12.zip;C:\temp\nls_charset12.zip
An example of the settings that should be made if the Interstage JDBC driver is used is shown below.
Conditions for connection and an example of the settings that should be made are shown below.
Database to be connected to: Oracle9i
JDK/JRE to be used: 1.4
JDBC driver storage directory: /tmp/ojdbc14.jar and /tmp/nls_charset12.zip
# CLASSPATH=/tmp/ojdbc14.jar:/tmp/nls_charset12.zip:$CLASSPATH
# export CLASSPATH
(2) Create the operation information file
Create an operation information file in which the settings required for extracting the user information are described.
4. Execute the user information import command.
Figure 2-5 Add Entries using the CSV Data File
The sample files provided by Interstage Single Sign-on are as follows:
Sample File Names and Storage Directory
Sample CSV file for entry addition: sample_add.csv
Sample rule file: sample_rule.xml
Sample storage directory: C:\Interstage\F3FMsso\ssoatcsv\sample\csv (Windows), /opt/FJSVssosv/sample/csv (Solaris/Linux)
1.
The data in CSV format that corresponds to the above data is as follows:
user001,user001,user001,user001,user001,100001,user001@interstage.fujitsu.com,Admin
user002,user002,user002,user001,user001,100002,user002@interstage.fujitsu.com,Admin
user003,user003,user003,user003,user003,100003,user003@interstage.fujitsu.com,Leader
user004,user004,user004,user004,user004,100004,user004@interstage.fujitsu.com,Leader
user005,user005,user005,user005,user005,100005,user005@interstage.
.com,Leader
ADD,user004,user004,user004,user004,user004,100004,user004@interstage.fujitsu.com,Leader
ADD,user005,user005,user005,user005,user005,100005,user005@interstage.fujitsu.com,General
ADD,user006,user006,user006,user006,user006,100006,user006@interstage.fujitsu.com,General
Rule File
The rule file associates the above CSV data with the user information entry attributes as shown below.
]> sso rule ou=User,ou=interstage,o=fujitsu,dc=com uid
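As an added illustration (not Interstage's ssoimportum command or its rule-file format), the following Python maps rows of the ADD-prefixed CSV shown above to LDIF add records under the registration destination entry, using uid as the RDN attribute as the rule fragment indicates. The column names, the rejected DEL row and the quoted uid are constructed assumptions; the point of the check is that a CSV cell containing DN metacharacters cannot change which entry is written.

```python
import csv
import io

# Registration destination entry from the manual's example.
USER_BASE_DN = "ou=User,ou=interstage,o=fujitsu,dc=com"

# Assumed meaning of the eight CSV columns after the operation column.
# The manual does not name them; this is a hypothetical stand-in for the
# product's rule file, chosen only for this example.
COLUMNS = ["uid", "cn", "sn", "givenName", "displayName",
           "employeeNumber", "mail", "role"]

# RFC 4514 characters that must be escaped inside an RDN value so that a
# cell such as 'user001,ou=Admin' cannot alter the DN being written.
_DN_SPECIAL = ',+"\\<>;='


def escape_rdn_value(value):
    out = "".join("\\" + c if c in _DN_SPECIAL else c for c in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def csv_to_ldif(csv_text):
    """Turn 'ADD,...' rows into LDIF add records; returns (ldif, errors)."""
    records, errors = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), 1):
        if not row:
            continue
        # Only ADD is shown on the page; anything else is rejected here.
        if row[0] != "ADD" or len(row) != len(COLUMNS) + 1:
            errors.append("line %d: expected ADD plus %d fields" % (lineno, len(COLUMNS)))
            continue
        attrs = dict(zip(COLUMNS, row[1:]))
        lines = ["dn: uid=%s,%s" % (escape_rdn_value(attrs["uid"]), USER_BASE_DN),
                 "changetype: add", "objectClass: inetOrgPerson"]
        lines += ["%s: %s" % (n, attrs[n]) for n in COLUMNS if n != "role"]
        lines.append("# role %s is registered via the role configuration" % attrs["role"])
        records.append("\n".join(lines))
    return "\n\n".join(records), errors


# Constructed sample input modelled on the page's CSV; last two rows are deliberately bad.
SAMPLE_CSV = """ADD,user001,user001,user001,user001,user001,100001,user001@interstage.fujitsu.com,Admin
ADD,user003,user003,user003,user003,user003,100003,user003@interstage.fujitsu.com,Leader
ADD,"bad,uid",x,x,x,x,100099,bad@example.com,General
DEL,user006,user006,user006,user006,user006,100006,user006@interstage.fujitsu.com,General
"""
```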