| Back | Next | Contents | Cams Administrator's Guide |
This document quickly moves you through Cams integration learning steps and provides hints that might jot down for consideration or follow-up later. You should be familiar with the terminology and concepts addressed in the Introduction and have installed and tested the Cams policy server. The integration steps you'll take in this document include:
These instructions use the symbol CAMS_HOME to represent the directory in which you've installed the Cams policy server. Make sure that you follow the instructions closely to ensure that your first Cams integration is successful. Once you've come through the initial integration learning curve, it will be much easier to branch out, make changes specific to your environment and try more advanced options!
NOTE: Most sites use only the required Cams system security domain. This is the default Cams configuration and requires no additional attention unless you want to relocate the security domain files (not recommended) or use multiple Cams security domains to delegate management of resources and user communities. For more information, see Security Domain Registry Configuration. Otherwise, we'll assume you're configuring the system security domains and proceed to the first step.
Most sites like to configure authentication first and it is advisable to do so before making to many changes like integrating Cams web agents. By default, the Cams XML user directory is configured for HTTP user authentication in the system security domain. In a text editor, open:
CAMS_HOME/conf/domains/system/login-conf.xml
NOTE: Using a text or XML editor that supports XML syntax highlighting will greatly enhance your ability to configure Cams. The free vim editor is an excellent alternative. For those who don't know vi keyboard commands, vim features a Windows notepad editing mode.
The login-config.xml file is divided into three separate <login-config-entry> blocks. Usually, only the top block named http, used for HTTP user authentication, needs configuration (as show in Example 1). The <login-config-entry> block named cams-agent is unique to the system security domain and should be left as is for authentication of Cams web agents.
<login-config-entry name="http"> <login-module-entry |
Example 1 - The Cams XML user registry defined in login-config.xml for HTTP user authentication
For now, change the XML login module flag value from REQUIRED to OPTIONAL. This will enable login module stacking when you integrate your user directory, where you can authenticate users with both the Cams XML login module and the one that you'll configure next.
NOTE: It is helpful to leave the Cams XML login module enabled at this point for use with examples below and for Cams web agent integration testing. Once you have completed the exercises in this document and your initial Cams web agent integration, you'll want to disable the XML login module for HTTP user authentication by commenting it out (move the preceding comment end marker ("-->") below the XML tag elements).
Most sites use either Active Directory, an LDAP server or an SQL database for authentication. If you are using something else, please see Login Configuration. The test Jetty web server has login configuration tools to assist with integration using these standard user directories. To configure authentication, start the Cams policy server and the test Jetty web server.
To run the Jetty web server in a Windows console:
cd %CAMS_HOME%\jetty\
camstest.bat
Enter control-C in the console window to stop the Jetty HTTP server.
To start the Jetty test web server on Linux/UNIX:
CD $CAMS_HOME/jetty/
./camstest.sh
Enter http://localhost:8080/ if your web browser is on the same system as the Cams policy server and Jetty web server and http://hostname:8080/ (where hostname is the DNS name or IP address of the system) if your web browser is on a remote system. Then:
For additional information on configuration of these and other login modules, please see Login Configuration.
NOTE: Sites using SQL databases for user authentication should configure the Cams JDBC connection pooling service to maximize performance.
When the Cams policy server requires a user to be authenticated, a login page must be served that prompts for user credentials to be sent to the configured login module(s). The Cams policy server requests the Cams web agent to redirect the user's browser to the page specified by the camsLoginURL value.
WARNING: If the configured camsLoginURL is not available on the target web server, a HTTP 404 page not found error will be displayed by your web server instead.
<login-parameters> <login-parameter name="camsLoginUrl" value="/cams/login.jsp"/> </login-parameters> |
Example 2 - The Cams login URL is defined in login-config.xml
While you have the system security domain's login-config.xml open, locate the camsLoginUrl value at the bottom of the <login-config-entry> block named http (shown in Example 2). Make sure you review the preceding comment. You don't need to change this now to test with Jetty, which servers the Cams JSP login page. Supplying the camsLoginUrl with the relative path /cams/login.jsp enables the Cams web agent in the Jetty test web server to redirect your browser to that login page.
If you change your Cams integration to use non-Java IIS or Apache web servers, you'll need to reference an ASP or Perl login page. We strongly recommend use of a fully-qualified URL using the secure HTTPS protocol. By specifying use of HTTPS for this URL and for the subsequent POST to the Cams login URI (which is set to /cams/login by default in cams-webagent.conf), you ensure that users see that the login page is secure and that the user's credentials are encrypted when transported to the web server. For example:
NOTE: As an alternative strategy to use ASP and Perl pages, you can configure IIS and Apache with a Java web server like Tomcat using mod_jk to serve JSP pages. Other Java application servers like BEA WebLogic and IBM WebSphere usually use the JSP login page.
The access-control-policy.xml file configures a Cams access control policy, which consists of a default bias, permissions and rules. Rules define how an access control policy protects resources. Some of the rules you'll use are supplied with Cams (called intrinsic rules). You can reference and combine existing rules to create new ones or create entirely new, custom rules. A permission is the binding of a rule to a specific resource pattern (e.g. a URL pattern). The default bias specifies if access to resources without matching permissions will be granted or denied.
Open the system security domain's access control policy in a text editor:
CAMS_HOME/conf/domains/system/access-control-policy.xml
At the top of the file you see the access control policy declaration, the default bias and the last modified time:
<access-control-policy defaultBias="granted" lastModifiedTime="200701011200">
The default bias grants access to all resources unless you specify permissions that grant access to requests that meet the associated rule evaluation criteria. You can conversely set the default bias to denied, which denies all resource access unless specifically granted by permissions. As you make changes to access-control-policy.xml while the Cams policy server is running, you can increment the lastModifiedTime and save the file to attempt a reload. If you make edits and save without incrementing, a running Cams policy server will display an error message and the access control policy changes will not reload. The access control policy never loads if there are XML syntax errors.
A Cams access control policy is divided into XML blocks of one or more <permission-collection> and one <acr-lib> (access control rule library). The permissions you'll work with are in the top <permission-collection> of type http. The <permission-collection> blocks for type cams is for Cams web agents and should not be altered unless instructed to do so by Cafésoft support.
When a Cams policy server receives an access check request, the system security domain always does the initial evaluation. The permission that matches a given access check request is determined by:
If no permission has a matching resource pattern and action, then the default bias determines whether access to the resource is granted or denied. Hard values can be specified as well as a wild card (*) to match in any of the four HTTP resource pattern components (scheme, host, port or URI). For example, the following are all valid permission resource patterns:
Generally, wild cards are recommended for the scheme, host and port values to maximize access control policy portability between development, staging and production systems. See the Configuring Cams Access Control Policy for more information on resource pattern matching.
A permission always has either an <acr-ref> or <owner> tag. The <acr-ref> tag references an access control rule that will be evaluated when the permission's resource is matched. The <owner> tag references a valid security domain to which the resource request will be forwarded. Example 3 shows examples (similar to those in the file you have open but uncommented) of a permission that references the intrinsic Cams granted rule (to always grant access), delegation of a resource to another security domain and a reference to a role-based access control rule defined in <acr-lib>.
NOTE: You activate and deactivate permissions and rules by commenting or uncommenting them using the XML start comment "<!--" and end comment "-->" markers.
<permission-collection type="http" desc="HTTP/HTTPS permissions">
<!-- Example: Grant access to the Cams login/logout URIs and login
page. Should you change the defaultBias to "denied", you MUST
grant access to Cams login/logout resources. -->
<!-- Example: Grant access to the Cams test page to authenticated
users with the "administrator" role. -->
<Permission desc="allow administrators to access Cams test page" actions="">
<resource-pattern id="*://*:*/cams/camstest*"/>
<acr-ref id="cams administrator rule"/>
</permission>
</permission-collection>
|
Example 3 - Sample Cams access control policy permissions
Example 4 shows the default system security domain's access control rule library, which is enclosed by the <acr-lib> tags. You see two defined rules:
<!-- Library of access control rules --> <!-- Cams administrators must have the "administrator" role. --> <auth-acr id="cams administrator rule"> <role-constraint> <role-name>administrator</role-name> </role-constraint> </auth-acr> <!-- Cams web agents must have the "cams-agent" role. WARNING: Do not remove unless replaced by equivalent or Cams web |
Example 4 - Rules from the default system security domain
As you start to work with the Cams access control policy, remember that you can dynamically reload the access-control-policy.xml file by incrementing the lastModifiedTime and saving the file. Make sure you check in the console where you started the Cams policy server to determine if any XML syntax errors occur. If they do, the Cams policy server will not reload the access-control-policy.xml file.
If not already open, open CAMS_HOME/conf/domains/system/access-control-policy.xml in a text editor. By default, access is granted to all HTTP/HTTPS requests. To tighten security for a system HTTP resource request, first, define an access control rule that requires a user to have the myrole role. Between the <acr-lib> and </acr-lib> tags, create the new rule by inserting:
<!-- Requires authenticated users with "myrole" --> <auth-acr id="require myrole"> <role-constraint> <role-name>myrole</role-name> </role-constraint> </auth-acr>
Now, add a permission to protect the secure directory by inserting it in the type http <permission-collection> block. For example, to only allow users with myrole to access the content of secure (and its subdirectories), add the following permission:
<!-- Requires authenticated users with "myrole" -->
<permission desc="Requires user to have myrole for access">
<resource-pattern id="*://*:*/secure/*"/>
<acr-ref id="require myrole"/>
</permission>
Update the lastModifiedDate and save the file. Your Cams security policy will now require that users authenticate and have the role myrole to access the contents in secure and look like this. Next, you need a user with myrole role in the cams-user.xml file in the system security domain (or in the user directory you configured in Step 1). Using a text editor, open:
CAMS_HOME/conf/domains/mydomain/cams-user.xml
and add myrole to the guest user:
<user name="guest" password="password" roles="myrole"/>
Save the file. The Jetty web server includes a secure directory for your convenience. You can try testing by browsing to http://localhost:8080/secure/ and entering when prompted:
User name: guest
Password: password
WARNING: When working with access control policies, caching by both your browser and the Cams web agent can adversely effect the expected results. It is best to disable browser page caching and to disable Cams web agent access control check caching (set cams.access.check.cache=false in cams-webagent.conf and restart your web server).
You should create a security policy document before starting work on a Cams access control policy. This is typically a short document that includes definition of the resources in your environment and what access rights are required to access them. You can then use the Cams access control policy to define the permissions and rules that will enforce your security policy. As you implement the security policy, the Access Control Policy Tag Reference is extremely helpful to learn more about Cams permissions and rules you can use and to clone examples.
By default the Cams policy server listens for network connections on the loopback IP address (127.0.0.1). However, only Cams web agents running on the same system as the Cams policy server can connect using this address. Because you'll probably use one or more Cams web agents installed on different network systems, you'll need to set the Cams policy server bind address to an IP address that is network accessible.
The Cams policy server bind address is specified as a command-line parameter when Cams is started. For example, if the system on which the Cams policy server is installed is 192.168.1.101, then:
-Dcams.server.bindaddr="192.168.1.101"
will tell the Cams policy server to bind to that IP address. If the value of this parameter is not a valid IP address or not an IP address assigned to the local system, then a fatal configuration error will be reported and the Cams policy server will fail to startup. If this parameter is not specified, the Cams policy server will bind to the first IP address returned from the list of IP addresses assigned to the local system.
To set the Cams policy server bind address:
Windows
Edit CAMS_HOME\conf\runcams.conf and set -Dcams.server.bindaddr to your server's IP address:
wrapper.java.additional.4=-Dcams.server.bindaddr=192.168.1.101Linux/UNIX
Edit CAMS_HOME/bin/runcams.sh and set -Dcams.server.bindaddr to your server's IP address:
P="${P} -Dcams.server.bindaddr=192.168.1.101"
NOTE: Though you may use a DNS host name for the bind address, it is recommended that you use an IP address for best performance.
WARNING: The Cams web agent in your test Jetty web server will no longer connect after you change the Cams policy server bind address. If you make this change and desire to use the test Jetty web server, see Step 4 for instructions on how to change the Cams web agent server URL value found in CAMS_HOME/jetty/etc/cams-webagent.conf.
Download the Cams web agent(s) and documentation you will need and follow the installation instructions in the Cams web agent guide. Cams web agent guides are also available online in the Cafésoft Documentation Center.
Many configuration values are similar across all Cams web agents and found in each web agent's configuration file: cams-webagent.conf. Most default values work as is and only need to be changed to enable specific features or as part of a hardening exercise. However, the following cams-webagent.conf value must be changed if you changed the bind address in step 3:
cams.server.url.MyCamsServer - set to the IP address or host name and port of the Cams policy server to connect to (the substring MyCamsServer must match the cams.server.name value specified in CAMS_HOME/conf/cams-reg-default.conf). For example:
cams.server.url.MyCamsServer=cams://192.168.1.101:9191
You should review the Cams web agent guide Configuration Properties appendix to see a full list of all properties and features. Each Cams web agent also includes a sample login page and Cams web agent test page written in the scripting language most appropriate for the target web server. After you install a Cams web agent, use the Cams web agent test page to test correct installation. Also, see the Scripts appendix in each Cams web agent guide for documentation on the structure and use of the login page.
WARNING: Your Cams access control policy must grant unconditional access to the Cams login/logout URIs and login page for correct operation. You must also ensure that the Cams login URL, which is configured in login-config.xml, references a page that is available on your web server (see Cams Login URL in Step 1).
NOTE: You can start and stop the Cams policy server and web agents in any order and connections will be established and cleaned up automatically. However, there is a benefit to using the following order:
You now understand the various integration components that need to be configured for Cams to secure your web resources. To continue to learn more about and customize Cams to meet your integration requirements, see:
© Copyright 1996-2008 Cafésoft LLC. All rights reserved.