Access control information must be set for Web content that is to be opened on the business server. In addition to the access control information, set the access control path and the access permission role. Perform the following procedure on the Interstage Management Console of the machine on which the repository server (update system) was created. Refer to the Operator's Guide for details of the items to be defined on the Interstage Management Console.
1. Select [System] > [Security] > [Single Sign-on] > [Authentication infrastructure] > [Repository server] >[Protection resource]. A list of defined sites is displayed in the [Protection resource] tree. Select the site for which a protection path is to be set.
2. Click [Protection path] in the tree. A list of path configurations is displayed. Click the [Create a New Path configuration] tab.
3. In [Path], set the path that is to be access-controlled. To control access to a directory, always write "/" at the end of the path. To control access to a file, do not write "/" at the end of the path.
4. After the path to be access-controlled is set, select the name of the role or role set that can access the path. To permit access by all users that are registered in the SSO repository, specify nothing as the role name or role set name.
5. Click [Create] to display a list of the specified paths and role information, and check them.
6. Request the business server administrator to update the access control information.
Refer to 'Information Required for Authorization Using Roles' in 'Overview' for an explanation of permission by a role. Refer to 'Setting User Information Report with Environment Variables' in 'Developing Applications' for an explanation of the user attributes to be posted at authorization setting.
Note
When this system is linked with the Application Gateway and can be accessed only by clients on the Internet, multiple business systems may have the same public URL. To avoid such duplication, these business systems must be designed to have different protection paths.
If the business server administrator reports a protection path that is already registered, request the business server administrator to review the business system design so that the protection paths do not duplicate.
Registering a Business System
The file name and file path of the authentication server configuration file:
Configuration file name: ssoatcag.conf
Configuration file path (directory):
C:\Interstage\F3FMsso\ssoatcag\conf
/etc/opt/FJSVssoac/conf
Configuration items to add
Table 2-8 Configuration Items to Add

Item: Restraint of authentication requests (except from the protection resource)
Configuration name: reject-incorrect-protection-resource-url
Setting contents: Set whether authentication requests (except those from the business system protection resource) are restrained.
  YES: restrained
  NO: unrestrained
  Omitting this setting is the same as specifying "NO". If a value other than those above is set, sso02040 is output to the system log and "NO" is considered to have been set. If users operate form authentication and directly access the authentication infrastructure for authentication, the restraint of authentication requests is invalid.
Omissible or required: Omissible.

Item: The protection resource URL which accepts authentication requests
Configuration name: protection-resource-url
Setting contents: If authentication requests except those from the business system protection resource are restrained, set the protection resource URL which accepts authentication requests. This configuration is valid only when "YES" is set for "reject-incorrect-protection-resource-url". In the protection resource URL, set the site configuration and path configuration registered in the SSO repository using the following URL form.
  <URL form>
  [Protocol Scheme][Host Name][: Port number][Path]
  [Protocol Scheme]: Set "http://" or "https://".
  [Host Name]: Set the host name defined in the protection resource site configuration, using the FQDN. In the host name, "@", "?" and "&" are invalid.
  [: Port number]: Set the port number defined in the protection resource site configuration. The port number can be omitted. If it is omitted, the port number is considered to have been set as follows:
    - If the protocol scheme is "https://": port number ":443"
    - If the protocol scheme is "http://": port number ":80"
  [Path]: Set the path configuration of the protection resource. The path cannot be omitted. Set it carefully, observing the following:
    - The path must start with "/".
    - Relative paths ("/./", "/../"), consecutive "/" ("//") and ";" are invalid.
    - The path cannot end with the characters "/." or "/..".
  Set the above URL form carefully, observing the following:
    - Only alphanumeric characters and symbols can be used. However, the following symbols cannot be used: "<", ">", """, "{", "}", "|", "\", "^", "[", "]", "`", " ", "%".
  Specifying the protection path "/protect/" of the protection site "bus.example.com" operated on port number 443 over https:
  protection-resource-url=https://bus.example.com:443/protect/
  If the set protection resource URL ends with "/", it is handled as a directory. For the protection resource to be authenticated, when authentication is requested, the characters of the set value and the URL must match from the first character forward.
  If the URL ends with a character other than "/", it is handled as a file. For the protection resource to be authenticated, when authentication is requested, the characters of the set value and the URL must match completely from the first character forward.
  If setting more than one protection resource URL, set the first protection resource URL on one line and subsequent URLs on separate lines.
  If multiple URLs are set, whether a URL corresponds to a protection resource URL which accepts the authentication request is decided from the head in order.
  Setting example: setting two protection resource URLs.
  protection-resource-url=https://bus.example.com:443/protect/
  protection-resource-url=https://bus.example.com:443/bussystem/
  If this item is omitted when "reject-incorrect-protection-resource-url" is set to "YES", the sso02008 error message is output to the system log when the authentication server starts and stops.
  If the value set for the protection resource URL is incorrect, the sso02007 error message is output to the system log when the authentication server starts and stops.
Omissible or required: Omissible. If "YES" is specified for "reject-incorrect-protection-resource-url", this setting is required.
Note
• If the configuration file is not correct (for example, a required item is not set, or an item is set with an invalid value), Interstage HTTP Server cannot be started.
• The error messages output when invalid settings are configured are registered in the system log. When Interstage HTTP Server starts up, errors can be registered in this log more than once.
• If a configuration item does not allow multiple lines and multiple lines are entered, only the top line is valid; the other lines are ignored.
• Set the configuration file items using the "<configuration name>=<set value>" form from the head of the line. Do not include blanks in front of or behind "=".
• Set the items of the configuration file without unnecessary blanks. For example, "<configuration name>=123 " (with a blank behind 123) and "<configuration name>= NO" (with a blank in front of NO) are incorrect. Such entries are ignored.
• If an invalid configuration name is set, it is ignored.
• Lines starting with "#" are regarded as comment lines.
The following example shows how to set a configuration file.
Example
The following is an example of a protection resource URL which accepts the authentication request and restrains all authentication requests except those from the protection resource:
Protection resource URL:
https://bus.example.com:443/protect/
https://bus.example.com:443/bussystem/

reject-incorrect-protection-resource-url=YES
protection-resource-url=https://bus.example.com:443/protect/
protection-resource-url=https://bus.example.com:443/bussystem/
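As an added illustration that is not part of this manual and not Interstage's own code, the following Python models the rules stated above: the parsing notes for ssoatcag.conf (comments, blanks around "=", single-line items), the URL-form checks of Table 2-8, and the directory/file matching of protection-resource-url tried in order from the head. The SAMPLE_CONF text is a constructed sample based on the Example above; function names are the author's own.

```python
import re
FORBIDDEN = set('<>"{}|\\^[]` %')  # symbols the manual forbids in a resource URL
SAMPLE_CONF = (  # constructed sample, based on the manual's Example above
    "reject-incorrect-protection-resource-url=YES\n"
    "protection-resource-url=https://bus.example.com:443/protect/\n"
    "protection-resource-url=https://bus.example.com/bussystem/\n"
    "protection-resource-url= https://bad.example.com/\n")  # blank after '=': ignored

def parse_ssoatcag(text):
    """Read '<name>=<value>' lines the way the manual's notes describe."""
    conf = {"protection-resource-url": []}  # multi-line item: every line is kept
    for line in text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue  # comment line, or nothing to set
        name, value = line.split("=", 1)
        if name != name.strip() or value != value.strip() or not value:
            continue  # blanks around '=' (e.g. "name= NO") make the entry invalid
        if name == "reject-incorrect-protection-resource-url" and name not in conf:
            conf[name] = value if value in ("YES", "NO") else "NO"  # first line wins
        elif name == "protection-resource-url":
            conf[name].append(value)  # unknown names fall through and are ignored
    conf.setdefault("reject-incorrect-protection-resource-url", "NO")  # omitted = NO
    return conf

def split_url(url):
    m = re.fullmatch(r"(https?://)([^/:]+)(:\d+)?(/.*)", url)  # scheme, host, port, path
    if not m:
        raise ValueError("bad URL form: " + url)
    s, h, p, path = m.groups()
    return s, h, p or (":443" if s == "https://" else ":80"), path  # default port

def validate_resource_url(url):  # URL-form rules of Table 2-8; returns explicit-port URL
    if any(not c.isascii() or c in FORBIDDEN for c in url):
        raise ValueError("forbidden character in: " + url)
    scheme, host, port, path = split_url(url)
    if any(c in host for c in "@?&"):
        raise ValueError("invalid host name: " + host)
    if any(s in path for s in ("/./", "/../", "//", ";")) or path.endswith(("/.", "/..")):
        raise ValueError("invalid path: " + path)
    return scheme + host + port + path

def accepts(conf, request_url):  # '/'-terminated = directory (prefix), else file (exact)
    if conf["reject-incorrect-protection-resource-url"] != "YES":
        return True  # restraint disabled: every request is accepted
    req = "".join(split_url(request_url))  # give the request its explicit port too
    for raw in conf["protection-resource-url"]:
        res = validate_resource_url(raw)
        if (res.endswith("/") and req.startswith(res)) or req == res:
            return True
    return False
```

Note that the third sample line carries a blank after "=" and is therefore dropped by the parser, exactly as the notes above say such an entry is ignored.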
Addition, modification or deletion of protection resource information
If adding, modifying or deleting protection resource information of the SSO repository, modify the configuration item “protection-resource-url” of the authentication server, and then restart the authentication server.
Moreover, ask the business server administrator to access the real protection resources, or otherwise confirm, that the authentication server is functioning correctly with the configuration.