Function documentation: Resource Adapter Security

Use

This function enables you to define:

- The authentication mechanism of the resource adapter

- The mechanism for authenticating a resource principal to the Enterprise Information System (EIS)

These mechanisms are defined at deployment time and cannot be changed at runtime. Once you have defined a mechanism for signing on to the EIS, this security information applies to all connections that the resource adapter provides.

The security information in the deployment descriptors of the resource adapter is encrypted.

Activities

ra.xml

In the standard deployment descriptor of the resource adapter (ra.xml) you must configure the following parameters:

- Authentication mechanism

You can choose between BasicPassword (basic password-based authentication) and Kerbv5 (Kerberos version 5 authentication), the two values that the J2EE Connector Architecture specification defines as the most common. Any other authentication mechanism is outside the scope of the specification.

Example

<authentication-mechanism-type>BasicPassword</authentication-mechanism-type>

<authentication-mechanism-type>Kerbv5</authentication-mechanism-type>

- Credential interface

You can choose either javax.resource.spi.security.PasswordCredential or javax.resource.spi.security.GenericCredential. The PasswordCredential class holds a user name and password. The GenericCredential interface defines a mechanism-independent interface for accessing the security credentials of a resource principal.

Example

<credential-interface>javax.resource.spi.security.PasswordCredential</credential-interface>

<credential-interface>javax.resource.spi.security.GenericCredential</credential-interface>

- Reauthentication support

You must also specify whether the resource adapter supports re-authentication. If it does, the adapter can sign on to the EIS again after the security context of a ManagedConnection instance that it provides has changed.

Example

<reauthentication-support>true</reauthentication-support>

<reauthentication-support>false</reauthentication-support>

connector-j2ee-engine.xml

In the additional deployment descriptor of the resource adapter (connector-j2ee-engine.xml) you must set the security parameters for the authentication of the resource principal:

- Authentication type

You can choose one of the following options:

  - Caller Impersonation: the credentials of the caller principal are passed directly to the EIS and used to authenticate the resource principal.

  - Credentials Mapping: use this mechanism when the application server and the EIS support different authentication domains. The credentials of the caller principal are transformed (where possible) into the resource principal credential type that the authentication mechanism of the EIS expects, and are passed to the EIS in a javax.security.auth.Subject object. You must specify the user store in which the application server can find the transformed credentials that correspond to the caller credentials. For more information about user stores, see Managing User Stores.

  - Configured Identity: all caller principals obtain a connection from the EIS using the same identity. You can specify either the user store in which the identity is stored, or a user name and password for the configured identity (which is the resource principal in this case).

  - Principal Mapping: this authentication type defines a strict mapping between caller principals and a resource principal; only authorized caller principals can obtain a connection using a specific identity. You must specify the user store in which this identity is stored and enter the name of the identity.

If you do not specify a user store in the cases above, the system creates an internal user store, which is destroyed when the application containing the resource adapter is removed from the server. Do not use these internal user stores for other applications.

Example

<authentication-type>principal mapping</authentication-type>

<user-store>DBMS User Store</user-store>

- Identity subject

You must set the mapping between a caller principal (the principal that requests a connection to the EIS) and a resource principal (the principal that is authorized to access the resources in the EIS). This mapping forms an identity subject.

Example

<identity-subject>
  <caller-principal>
    <user-name>Administrator</user-name>
  </caller-principal>
  <resource-principal>
    <user-name>System</user-name>
  </resource-principal>
</identity-subject>
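As an added example that is not part of this documentation or of the SAP server, the following Python check reads fragments of the two descriptors and reports settings that contradict the rules above (unsupported mechanism, missing user store for a mapping type, incomplete identity subject). The wrapping root element and the nesting of the elements are assumptions; only the element names shown in this document are relied on.

```python
# Added deployment-time lint for the JCA security settings described above.
# Assumptions: elements may sit anywhere below an arbitrary root element, and
# values are compared case-insensitively. Sample fragments are constructed.
import xml.etree.ElementTree as ET

MECHANISMS = {"basicpassword", "kerbv5"}
CREDENTIALS = {"javax.resource.spi.security.PasswordCredential",
               "javax.resource.spi.security.GenericCredential"}
AUTH_TYPES = {"caller impersonation", "credentials mapping",
              "configured identity", "principal mapping"}

def _text(elem, path):
    """Stripped text of the first element matching path below elem, or None."""
    found = elem.find(f".//{path}")
    return found.text.strip() if found is not None and found.text else None

def check_ra_xml(xml_text):
    """Findings for the ra.xml security parameters (empty list means clean)."""
    root, findings = ET.fromstring(xml_text), []
    mech = _text(root, "authentication-mechanism-type")
    if mech is None or mech.lower() not in MECHANISMS:
        findings.append(f"authentication-mechanism-type {mech!r}: not BasicPassword or Kerbv5")
    cred = _text(root, "credential-interface")
    if cred not in CREDENTIALS:
        findings.append(f"credential-interface {cred!r}: not a JCA credential interface")
    reauth = _text(root, "reauthentication-support")
    if reauth is None or reauth.lower() not in {"true", "false"}:
        findings.append(f"reauthentication-support {reauth!r}: must be true or false")
    return findings

def check_engine_xml(xml_text):
    """Findings for the connector-j2ee-engine.xml authentication settings."""
    root, findings = ET.fromstring(xml_text), []
    auth = (_text(root, "authentication-type") or "").lower()
    if auth not in AUTH_TYPES:
        findings.append(f"authentication-type {auth!r}: unknown value")
    # Both mapping types need a user store; otherwise the server falls back to
    # an internal store that is destroyed together with the application.
    if auth in {"credentials mapping", "principal mapping"} and _text(root, "user-store") is None:
        findings.append("user-store missing: an internal user store would be created")
    if auth == "principal mapping":
        subjects = root.findall(".//identity-subject")
        if not subjects:
            findings.append("principal mapping without any identity-subject")
        for subj in subjects:  # every mapping needs both ends of the identity
            if None in (_text(subj, "caller-principal/user-name"),
                        _text(subj, "resource-principal/user-name")):
                findings.append("identity-subject lacks a caller or resource user-name")
    return findings
```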

See also:

Implementing Security Functions
