
Saturday January 20, 2007
Creating Authentication Databases in Sun Java System Web Server 7.0
I tried out creating different authentication databases (keyfile, digestfile, LDAP, PAM) via the Administration CLIs in Sun Java System Web Server 7.0, and am writing it down in a blog. I went to the server installation root, started the Administration server and then started wadm.
./admin-server/bin/startserv
./bin/wadm --user=admin
Please enter admin-user-password>***
wadm>
I created a file authentication database of type "keyfile" in config "test" and virtual server "test":
wadm> create-file-authdb --vs=test --config=test --path=/space/mykeyfile mykeyfile
CLI201 Command 'create-file-authdb' ran successfully
Then I created a file authentication database of type "digest" by adding "--syntax=digestfile" to the above command:
wadm> create-file-authdb --vs=test --config=test --syntax=digestfile --path=/space/mydigestfile mydigestfile
CLI201 Command 'create-file-authdb' ran successfully
To create an authentication database of type PAM, I used the "create-pam-authdb" CLI:
wadm> create-pam-authdb --vs=test --config=test mypamauthdb
CLI201 Command 'create-pam-authdb' ran successfully
Note that PAM realms and PAM auth-dbs are only supported on Solaris 9 and 10, and the server instance must be running as root. Change in server.xml
<user>webservd</user>
to
<user>root</user>
To add an authentication database of type LDAP, I used the "create-ldap-authdb" CLI. This CLI does not create the LDAP database; it only configures it. I used an already existing Directory (LDAP) server on host "test.sun.com", port 389, with root suffix "o=TestCentral" and bind DN "cn=Directory Manager":
wadm> create-ldap-authdb --vs=test --config=test --bind-dn="cn=Directory Manager" --ldap-url=ldap://test.sun.com:389/o=TestCentral --config=test myldapauthdb
Please enter bind-password>***
CLI201 Command 'create-ldap-authdb' ran successfully
Note that if I had to add an LDAP server with SSL, all I would have to do is change the URL prefix from ldap:// to ldaps://, i.e. make the LDAP URL ldaps://test.sun.com:443/o=TestCentral instead. If the LDAP server's CA is not a trusted CA (like VeriSign etc.), then I would also have to import the LDAP server's CA certificate into the Web Server instance's NSS database as well as into the Web Server admin server's NSS database.
I listed the authentication databases to check whether they were created successfully:
wadm> list-authdbs --vs=test --config=test --all
mykeyfile keyfile
mydigestfile digestfile
mypamauthdb pam
myldapauthdb ldap
I added a user "user1" to the "mykeyfile" authentication database:
wadm> create-user --authdb=mykeyfile --user-password=*** --vs=test --config=test user1
CLI201 Command 'create-user' ran successfully
Similarly we can add users to the other databases too, but I am skipping that part in this blog.
I listed the users to make sure everything was all right:
wadm> list-users --config=test --vs=test --authdb=mykeyfile --all
user1
After I was done with all my changes, I deployed the configuration:
wadm> deploy-config
CLI201 Command 'deploy-config' ran successfully
I double checked that "user1" exists in "mykeyfile":
> cat /space/mykeyfile
user1;{SSHA}***;
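The keyfile line above stores a salted SHA-1 digest rather than the password. The following added example (not code from the original post or from Sun Web Server) parses lines in that "user;{SSHA}...;groups" layout and verifies a password against the stored value; it assumes the {SSHA} value is base64(sha1(password + salt) + salt), the salted-SHA-1 layout also used by Sun Directory Server, and the sample keyfile content is constructed.

```python
import base64
import hashlib
import hmac

# Assumption: a "{SSHA}" keyfile entry is base64(sha1(password + salt) + salt),
# the salted-SHA-1 layout also used by Sun Directory Server.
SHA1_LEN = 20


def make_ssha(password: str, salt: bytes) -> str:
    """Build a {SSHA} value the way the keyfile stores it (used here only to construct sample data)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_keyfile_line(line: str):
    """Split 'user;{SSHA}...;group1,group2' into (user, hash, [groups])."""
    parts = line.rstrip("\n").split(";")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("malformed keyfile line: %r" % line)
    groups = [g for g in parts[2].split(",") if g] if len(parts) > 2 else []
    return parts[0], parts[1], groups


def verify_ssha(stored: str, password: str) -> bool:
    """Recompute the salted digest from the stored salt and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def check_login(keyfile_text: str, user: str, password: str) -> bool:
    """Return True only if `user` is in the keyfile and `password` matches its hash."""
    for line in keyfile_text.splitlines():
        if not line.strip():
            continue
        name, stored, _groups = parse_keyfile_line(line)
        if name == user:
            return verify_ssha(stored, password)
    return False


# Constructed sample keyfile in the same layout as the 'cat /space/mykeyfile' output,
# with a fixed salt so the file content is reproducible.
SAMPLE_KEYFILE = "user1;" + make_ssha("s3cret", bytes.fromhex("0a1b2c3d")) + ";\n"
```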
Also I made sure that server.xml had all these auth-db entries:
> cat server.xml
<virtual-server>
  <name>test</name>
  ...
  <auth-db>
    <name>mykeyfile</name>
    <url>file</url>
    <property>
      <name>keyfile</name>
      <value>/space/mykeyfile</value>
    </property>
    <property>
      <name>syntax</name>
      <value>keyfile</value>
    </property>
  </auth-db>
  <auth-db>
    <name>mydigestfile</name>
    <url>file</url>
    <property>
      <name>digestfile</name>
      <value>/space/mydigestfile</value>
    </property>
    <property>
      <name>syntax</name>
      <value>digest</value>
    </property>
  </auth-db>
  <auth-db>
    <name>mypamauthdb</name>
    <url>pam</url>
  </auth-db>
  <auth-db>
    <name>myldapauthdb</name>
    <url>ldap://test.sun.com:389/o%3dTestCentral</url>
    <property>
      <name>bindpw</name>
      <value>***</value>
      <encoded>true</encoded>
    </property>
    <property>
      <name>binddn</name>
      <value>cn=Directory Manager</value>
    </property>
  </auth-db>
  ...
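A small review of the auth-db entries in server.xml, as an added example that is not part of the original post or the product: it parses the layout shown above and reports the settings the post itself calls out (an LDAP URL still on ldap:// rather than ldaps://, a bindpw not marked encoded, a pam auth-db that needs the instance to run as root). The server.xml content is a constructed sample modelled on the fragment above.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the server.xml fragment above (not a real config).
SAMPLE_SERVER_XML = """<server>
  <virtual-server>
    <name>test</name>
    <auth-db>
      <name>mykeyfile</name><url>file</url>
      <property><name>keyfile</name><value>/space/mykeyfile</value></property>
      <property><name>syntax</name><value>keyfile</value></property>
    </auth-db>
    <auth-db><name>mypamauthdb</name><url>pam</url></auth-db>
    <auth-db>
      <name>myldapauthdb</name>
      <url>ldap://test.sun.com:389/o%3dTestCentral</url>
      <property><name>bindpw</name><value>***</value><encoded>true</encoded></property>
      <property><name>binddn</name><value>cn=Directory Manager</value></property>
    </auth-db>
  </virtual-server>
</server>"""


def audit_auth_dbs(xml_text: str):
    """Return (virtual-server, auth-db, finding) tuples for each reviewable setting."""
    findings = []
    for vs in ET.fromstring(xml_text).iter("virtual-server"):
        vs_name = vs.findtext("name")
        for db in vs.findall("auth-db"):
            name = db.findtext("name")
            url = (db.findtext("url") or "").strip()
            props = {p.findtext("name"): p for p in db.findall("property")}
            if url.startswith("ldap://"):
                # Bind DN and password travel in the clear; the post notes that
                # switching the prefix to ldaps:// turns on SSL.
                findings.append((vs_name, name, "plain ldap:// URL; prefer ldaps://"))
            if "bindpw" in props and props["bindpw"].findtext("encoded") != "true":
                findings.append((vs_name, name, "bindpw stored without <encoded>true</encoded>"))
            if url == "pam":
                # The post notes PAM auth-dbs require the instance to run as root.
                findings.append((vs_name, name, "pam auth-db: instance must run as root"))
            if url == "file" and "syntax" not in props:
                findings.append((vs_name, name, "file auth-db without a syntax property"))
    return findings
```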
I went to the "https-test/config" directory and manually added an ACL at the end of the virtual server's ACL file (in this case default.acl) which allows only "user1" access. I could have done this from wadm also, but I forgot to do so at the time.
> tail -7 default.acl
acl "uri=/";
authenticate (user,group) {
prompt = "Sun Java System Web Server";
database = "mykeyfile";
};
deny (all) user = "anyone";
allow (all) user = "user1";
Note that the database I have used here is "mykeyfile", which must be the same name we specified during database creation.
I started the instance and sent a request as "user1"; the access log showed that "user1" was authenticated successfully.
$ tail -f https-test/logs/access
123.456.78.90 - user1 [19/Jan/2007:15:00:44 +0530] "GET /a.txt HTTP/1.1" 200 14
Posted by James on January 20, 2007 at 07:44 PM IST #
As for WS-Federation support, I'd imagine it would be through OpenSSO: http://blogs.sun.com/superpat/tags/opensso (will post more details later)
Posted by 192.18.43.225 on January 22, 2007 at 12:28 AM IST #