UM authentication with JAAS

We are configuring JAAS authentication for UM which is on 9.10

Steps we followed for JAAS is :

  1. Creating Jaas.config file - file attached
  2. Copied below jars from common/runtime/bundles/platform/eclipse/plugins to UniversalMessaging/lib/ldap
    com.softwareag.security.sin.common_9.10.0.0000-0263.jar
    com.softwareag.security.sin.jaas_9.10.0.0000-0263.jar
    com.softwareag.security.sin.misc_9.10.0.0000-0263.jar
    com.softwareag.security.sin.utils_9.10.0.0000-0263.jar
    com.softwareag.security.sin.is.ldap_9.10.0.0000-0263.jar
    org.eclipse.osgi_3.10.100.0000-0023.jar
  3. Edit Server_Common.conf - file attached
  4. Add users to the local user store by running the below command
    /…/UniversalMessaging/server/profiles/users.txt -c -p manage Administrator
  5. Restart the UM realm

when we tried connecting from Enterprise manager to the realm by giving the credentials mentioned in JAAS file we got below error. It is trying to use SASL authentication, but we are forcing it to use JAAS.

[Mon Jul 18 12:12:42 GMT 2016],SECURITY: Mandatory credentials not supplied - administrator@172.29.223.236 on nsp://172.29.223.236:63778
[Mon Jul 18 12:12:42 GMT 2016],SASL-ServerLoginContext/6: [debug] New session with mechanism=PLAIN/enabled=true/true, remote=172.29.223.238, srvname=dselilx6188 - driver=com.pcbsys.foundation.drivers.nio.fChannelDriver
[Mon Jul 18 12:12:42 GMT 2016],SASL-ServerLoginContext/6: [debug] Received PLAIN response=16
[Mon Jul 18 12:12:42 GMT 2016],SASL-ServerLoginContext/6: [debug] Authenticating PLAIN username=testpub - authorisation-ID=null/allowed=false
[Mon Jul 18 12:12:42 GMT 2016],SASL-ServerLoginContext/6: [debug] SASL negotiation failed - java.lang.SecurityException: java.io.IOException: jaas.conf (No such file or directory)

Are we missing any configuration. Please suggest.
Server_Commaon.txt (7.62 KB)
jaas.txt (781 Bytes)

Monica,
if you want to use local users in users.txt, then you don’t need to configure jaas at all and you don’t need to copy those jar files.
You only need these lines (I have commented out the ones you DON’T need):

wrapper.java.additional.18=-DNirvana.auth.sagrepo.path=…/users.txt
wrapper.java.additional.19=-DNirvana.auth.enabled=Y
wrapper.java.additional.20=-DNirvana.auth.mandatory=Y
#wrapper.java.additional.21=-DNirvana.auth.server.jaaskey=UM
#wrapper.java.additional.22=-Djava.security.auth.login.config=jaas.conf

You do not need jaas.conf and the other settings unless you want to use LDAP for authentication and the standard LDAP module for UM is too limiting for you.

Hope this helps.

Thanks Jonathan.

Our intention is to use LDAP authentication using Jaas.

Do I need to do any other settings to achieve this.

Please suggest.

Regards,
Monica

Hi Jonathan,

When we try to connect to realm from Enterprise Manager with URL nsp://ip:9090 along with credentials which is in jaas.conf, it failed to connect.
Attaching the latest log file. It says Invalid protocol handshake detected.

Please suggest.

Thanks,
Monica
nirvana.log (17.9 KB)

Monica,
the attached document describes how to set this up using the Software AG Common platform LDAP module, which is more flexible than the basic UM LDAP module and will soon replace it.
This is along the lines of what you were originally trying. But note that this does not use users.txt at all. Users are authenticated against your external LDAP server, which I assume is what you want.

The error message you are seeing doesn’t seem to point to an issue with authentication, but you never know. If you are running Enterprise Manager from a different machine from the UM server, then please make sure that your EM machine has exactly the same UM version and patch level as the server.

Hope this helps.
Configuring Platform LDAP with UM.pdf (270 KB)

Monica,

Below Configuration works for me.

-DNirvana.auth.mandatory=Y
-DNirvana.auth.enabled=Y
#-DNirvana.auth.sagrepo.path=…/users.txt
-Djava.security.auth.login.config=./jaas.cnf
-DNirvana.auth.server.jaaskey=Jldap
-DNirvana.ldap.url=ldap://{hostname:port}/{baseDN}
-DNirvana.ldap.rootcreds={username:password}
-DNirvana.directory.provider=com.pcbsys.foundation.security.auth.fLDAPAdapter

Jldap {
com.softwareag.security.jaas.login.ldap.LdapLoginModule required
template_section=LDAP
authType=“ldap”
serverType=“ApacheDS”
serverHost=“{hostname}”
serverPort=“{portNumber}”
personBindDn=“{user Base}”
groupBindDn=“{group Base}”
userIdField=“uid”
personObjClass=“top,person,organizationalPerson,inetOrgPerson”
personPropAttr=“userPassword,uid”
CreateGroups=false
useLog=“true”
logLevel=“debug”
logFile=“umldap.log”
};
Share me the umldap.log after activating this configuration. Also I can see java.io.IOException: jaas.conf (No such file or directory), is the jaas.conf file placed in the right location?