Cams Administrator's Guide

Security Domain Registry Configuration

Cams uses security domains to logically partition the management of access control, authentication, and logging. Each Cams policy server will usually have multiple security domains, each of which must be declared in the security domain registry. Each security domain includes at least the following configuration files:

access-control-policy.xml
login-config.xml
security-domain.xml

The Cams security domain registry maintains basic information about each security domain, including the name and location of configuration metadata. The security domain registry also enables you to define substitution values that are passed to all security domains and can be referenced within their configuration files.

This document describes the values you will use to edit the Cams security domain registry. See also the Security Domain Registry Tag Reference for a complete listing of and reference information on all the XML tags used in the security-domain-registry.xml file.

Configuring the Security Domain Registry Factory

A Cams security domain registry factory is a Java class that loads information about the security domains known to Cams from the security-domain-registry.xml file. This factory is configured in the Cams CAMS_HOME/conf/cams.conf file with the values shown in Example 1.

#
#---	The factory class used to create the SecurityDomainRegistry
#---	and it's configuration parameter(s)
#
security.domain.registry.factory=\
	com.cafesoft.security.engine.domain.XmlSecurityDomainRegistryFactory
security.domain.registry.factory.params=\
	${cams.home}/conf/domains/security-domain-registry.xml

Example 1 - The default Cams policy server security domain registry factory configuration

The default Cams security domain registry factory (XmlSecurityDomainRegistryFactory), loads an XML registry file located in the directory specified by the parameter. The parameter's ${cams.home} substitution value is specified by the CAMS_HOME environment variable to the Cams policy server via the startup script.

Normally, you will only need to change this configuration if you move the security-domain-registry.xml file to another directory. The use of a factory provides the flexibility to store the Cams security domain registry in other document formats or databases should it be required.

Configuring the Cams XML Security Domain Registry

Example 2 shows a Cams XML security domain registry file. This file defines two security domains, system and mydomain, which you'll see at the bottom of the file. To add a new security domain, copy and paste an existing security domain and change the values to reflect the name and location of the new security domain configuration files.

NOTE: Only the system security domain is required, but most installations should delegate resource permissions from the system security domain to one or more custom security domains for adminstrative purposes.

<?xml version="1.0"?>
<!DOCTYPE security-domain-registry SYSTEM 
 "http://cafesoft.com/security-domain-registry_1_0.dtd">

<security-domain-registry>

  <!-- Global variables (you can define your own as required)
      cams.logs.base.dir - the directory for the Cams Policy Server log files
  -->
  <var-list>
    <var name="cams.logs.base.dir" value="${cams.home}/logs"/>
  </var-list>

  <!-- System security domain -->
  <security-domain enable="true">
    <name>system</name>
    <home>${cams.home}/conf/domains/system</home>
  </security-domain>

  <!-- Mydomain security domain -->
 	<security-domain enable="false">
    <name>mydomain</name>
    <home>${cams.home}/conf/domains/mydomain</home>
  </security-domain>

</security-domain-registry>

Example 2 - A Cams security domain registry configuration

As you can see in Example 2, var-list/var elements can be used to define substitution values for use throughout the Cams security domains. These values make it easier for you to work with resource permissions and other values found throughout the security domain configuration files. You can define as many substitution values as you require.

Substitution values defined in the security domain registry are inherited for use within XML configuration files in all security domains. You can also define values that are specific to a security domain configuration file (or that overrides a variable set in security-domain-registry.xml).

In addition to values you define, the following are provided by the Cams policy server and are available in every security domain:

cams.server.name - The name assigned to the Cams policy server via its registration file: ${cams.home}/conf/cams-reg-default.conf or cams-reg-<IP address>.
cams.cluster.name - The name of the Cams cluster to which a given Cams policy server is assigned. Every Cams policy server runs in a cluster, even if it's just a cluster of one server. The default Cams cluster name is: MyCamsCluster.
cams.home - The fully qualified path to the Cams installation directory (set based on an environment variable defined within runcams.bat or runcams.sh).
cams.cluster.home - The path to the Cams cluster configuration home directory. By default this is the same as cams.home.
cams.server.home - The path to the Cams policy server configuration directory. This may or may not be the same as cams.home depending on whether or not a cluster-specific and server-specific configuration directory has been created. By default, cams.server.home will be the same as cams.home.
cams.server.port - The TCP/IP port number on which the Cams policy server listens for connection by agents as configured in ${cams.home}/conf/cams.conf.
cams.security-domain.name - The name of a given security domain (set based on the <name> element of a <security-domain> registration).
cams.security-domain.home - The home directory for a security domain (set based on the <home> element of a <security-domain> registration).

The substitution value cams.logs.base.dir is defined within security-domain-registry.xml and used throughout the default security domain configuration files. This value is used to centralize the location where each security domain writes its log files. If you want security domain log files to be written to security domain-specific directories, you can override the value of this variable within the desired security-domain.xml file, or you can hard-code the log file path within security-domain.xml. See Security Domain Configuration for more information.

Back | Next | Contents