Problem: The servlet authenticates the user, but no delegated credentials are available (or the deleg example displays the message "Expected delegated credential but didn't get any").
Cause 1: The service account is probably not trusted for delegation. See Create a User Account on page 17.
Cause 2: The user's account may be configured so that delegation is not allowed (in Active Directory, the "Account is sensitive and cannot be delegated" option). Check the user's account properties in Active Directory.
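The distinction this entry turns on (the user authenticated, but nothing was delegated) is visible in the standard JGSS API. The following servlet filter is an added example, not VSJ code: it accepts a SPNEGO token and records whether a delegated credential arrived with it, instead of assuming one did. It assumes the JVM already holds the service's Kerberos credentials (a JAAS keytab login at startup, not shown), that the client completes the exchange in one round trip, and a Java 8 or later runtime; the class, the request attribute names and the Outcome holder are hypothetical.

```java
import java.io.IOException;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/** Added example (not VSJ code): accept a SPNEGO token and report delegation separately from authentication. */
public class DelegationCheckFilter implements Filter {
    private static final String NEGOTIATE = "Negotiate ";
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";              // SPNEGO mechanism OID, RFC 4178
    public static final String PRINCIPAL_ATTR = "authenticatedPrincipal";  // hypothetical attribute names
    public static final String DELEGATED_CRED_ATTR = "delegatedCredential";
    private FilterConfig config;

    /** What one accepted token tells us. */
    public static final class Outcome {
        public final String principal;        // authenticated client, e.g. alice@EXAMPLE.COM
        public final GSSCredential delegated; // null when the client forwarded no credential
        public final byte[] replyToken;       // returned to the client for mutual authentication (may be null)
        Outcome(String principal, GSSCredential delegated, byte[] replyToken) {
            this.principal = principal; this.delegated = delegated; this.replyToken = replyToken;
        }
    }

    /** Accepts one SPNEGO token with the service's own (acceptor) credential. */
    public static Outcome accept(byte[] token) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSCredential serverCred = manager.createCredential(
                null, GSSCredential.INDEFINITE_LIFETIME, new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = manager.createContext(serverCred);
        byte[] reply = ctx.acceptSecContext(token, 0, token.length);
        if (!ctx.isEstablished()) {
            // A multi-leg exchange (e.g. NTLM fallback) is out of scope for this example.
            throw new GSSException(GSSException.DEFECTIVE_TOKEN, 0, "context not established after one token");
        }
        // getCredDelegState() is true only when the client actually forwarded a credential. A Windows
        // client does that only if the service account is trusted for delegation (the service ticket
        // carries OK-AS-DELEGATE) and the user's account is not marked "sensitive".
        GSSCredential delegated = ctx.getCredDelegState() ? ctx.getDelegCred() : null;
        return new Outcome(ctx.getSrcName().toString(), delegated, reply);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String auth = req.getHeader("Authorization");
        if (auth == null || !auth.startsWith(NEGOTIATE)) {
            resp.setHeader("WWW-Authenticate", "Negotiate");          // challenge the browser
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Outcome outcome;
        try {
            outcome = accept(Base64.getDecoder().decode(auth.substring(NEGOTIATE.length())));
        } catch (IllegalArgumentException | GSSException e) {      // malformed base64 or rejected token
            config.getServletContext().log("SPNEGO authentication failed: " + e.getMessage());
            resp.setHeader("WWW-Authenticate", "Negotiate");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (outcome.replyToken != null) {
            resp.setHeader("WWW-Authenticate",
                    NEGOTIATE + Base64.getEncoder().encodeToString(outcome.replyToken));
        }
        req.setAttribute(PRINCIPAL_ATTR, outcome.principal);
        if (outcome.delegated == null) {
            // The case this troubleshooting entry describes: authentication succeeded, delegation did not.
            // Log it explicitly so the cause (service account not trusted for delegation, or the user
            // account marked "sensitive and cannot be delegated") can be diagnosed rather than guessed.
            config.getServletContext().log("authenticated " + outcome.principal + " but received no delegated credential");
        } else {
            req.setAttribute(DELEGATED_CRED_ATTR, outcome.delegated);
        }
        chain.doFilter(req, resp);
    }

    @Override public void init(FilterConfig filterConfig) { this.config = filterConfig; }
    @Override public void destroy() {}
}
```

Downstream code that needs to act as the user (for example, to open a second GSS context to a back-end service) should read the delegated credential from the request attribute and treat its absence as a configuration problem to report, not as a condition to work around by using the service's own credential.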
Problem: Delegation to IIS fails with a MIC check problem.
Cause: IIS appears to send back a copy of the mechToken in the MIC field, which causes MIC checking to fail.
Setting the system property idm.spnego.noMICcheck to true disables MIC checking. Note that the MIC is what protects the negotiated mechanism list from tampering, so disable the check only for the deployments that need it.
Debugging
Problem: How do I get more debug information out of VSJ?
At the lowest level, setting the Java system properties jcsi.kerberos.debug and idm.spnego.debug to true produces logging on the standard error stream.
The VSJ Servlet Filter is configured on a per-web-application basis. Its logging is based on log4j and is defined in the web application's web.xml deployment descriptor.
VSJ WebLogic Edition logging is configured through the BEA WebLogic administration console by creating and adding the Default Audit Provider under the Realms -> Providers -> Auditing menu.
VSJ WebSphere Edition logging is configured through the IBM WebSphere administration console under the Troubleshooting -> Logs and Trace -> servername -> Modify menu.
Glossary
Active Directory
A hierarchical directory service introduced with Windows 2000. It is LDAP compliant and built on the Internet's Domain Name System (DNS). Active Directory can function in a heterogeneous enterprise network and encompass other directories, including NDS and NIS+.
access control
A set of procedures performed by hardware, software and administrators to monitor access, identify users requesting access, record access attempts, and grant or deny access. Compare with authorization.
authentication
Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. In private and public computer networks (including the Internet), authentication is commonly done through the use of logon passwords.
Knowledge of the password is assumed to guarantee that the user is authentic. Each user registers initially (or is registered by someone else), using an assigned or self-declared password. On each subsequent use, the user must know and use the previously declared password. The weakness in this system for transactions that are significant (such as the exchange of money) is that passwords can often be stolen, accidentally revealed, or forgotten.
Logically, authentication precedes authorization (although they may often seem to be combined).
authorization
Authorization is the process of giving someone permission to do or have something. In multi-user computer systems, a system administrator defines which users are allowed access to the system and what privileges they have (such as which file directories they may access, the hours during which they may log in, the amount of storage space allocated to them, and so forth). Once someone has logged in to an operating system or application, the system or application may need to determine what resources the user can be given during the session. Thus, authorization is sometimes seen as both the preliminary setting up of permissions by a system administrator and the actual checking of those permissions when a user requests access.
Logically, authorization is preceded by authentication.
DeMilitarized Zone (DMZ)
A middle ground between an organization's trusted internal network and an untrusted, external network such as the Internet.
Enterprise JavaBeans (EJB)
A software component model in Sun's J2EE platform, which provides a pure Java environment for developing and running distributed applications. EJBs separate business logic from presentation, so an application can scale and can be given multiple user interfaces.
Generic Security Service API (GSS-API)
A language-independent API for distributed security services, described in IETF RFC 2743. The C bindings are defined in RFC 2744 and the Java bindings (used by JGSS) in RFC 2853.
Java Authentication and Authorization Service (JAAS)
A package that enables services to authenticate and enforce access controls upon users.
It implements a Java version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization.
Java Cryptography Architecture (JCA)
An umbrella term from Sun for implementing security functions for the Java platform.
It includes Sun's Java Security API as well as the Java Cryptography Extension (JCE), which adds more programming interfaces for encryption and key exchange. It also provides a mechanism for adding third-party security packages such as algorithms and digital signatures into Java applications.
Java DataBase Connectivity (JDBC)
A programming interface that lets Java applications access a database via the SQL language. Since Java interpreters (Java Virtual Machines) are available for all major client platforms, this allows a platform-independent database application to be written.
Kerberized application
A software application that requires or performs Kerberos authentication.
Kerberos
Kerberos is a secure method for authenticating a request for a service in a computer network. Kerberos was developed in the Athena Project at the Massachusetts Institute of Technology (MIT). The name is taken from Greek mythology; Kerberos was a three-headed dog who guarded the gates of Hades. Kerberos lets a user request an encrypted “ticket” from an authentication service that can then be used to request a particular service from a server. The user's password does not have to pass through the network.
Lightweight Directory Access Protocol (LDAP)
A software protocol for locating organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a “lightweight” version of the Directory Access Protocol (DAP), which is part of X.500, a standard for directory services in a network. Netscape includes it in its Communicator suite of products, and Microsoft includes it as part of Active Directory and in products such as Outlook Express. Novell's NetWare Directory Services interoperates with LDAP, and Cisco also supports it in its networking products.
Secure Sockets Layer (SSL)
The Secure Sockets Layer (SSL) is a commonly used protocol for securing message transmission on the Internet. SSL is a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) layers. SSL is included in both the Microsoft and Netscape browsers and in most Web server products. Developed by Netscape, SSL also gained the support of Microsoft and other Internet client/server developers, becoming the de facto standard until it evolved into Transport Layer Security (TLS). The “sockets” part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network, or between program layers in the same computer. SSL uses public/private key cryptography (originally RSA) together with digital certificates to authenticate the server and establish session keys.
Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
A GSS-API mechanism (IETF RFC 4178) that allows two GSS-API implementations to negotiate securely which underlying mechanism to use. In essence, SPNEGO defines a universal but separate mechanism solely for the purpose of negotiating the use of other security mechanisms. SPNEGO itself does not provide authentication or data protection, although once a mechanism is established it allows the negotiators to detect whether the negotiation was tampered with (this is the purpose of the MIC exchanged at the end of the negotiation).
Single Sign-On (SSO)
An authentication process in a client/server relationship where the user, or client, can enter one name and password and have access to more than one application or access to a number of resources within an enterprise. Single sign-on removes the need for the user to enter further authentications when switching between applications.