Introduction

This manual describes how to setup authorization and authentication for different directory services.

Authentication

When a user logs into Comflow runtime environment he or she must be authenticated in a proper way. Hence, a proper authentication configuration must be set up for a user to be able to log into the Comflow runtime environment. 

Authorization

After a user has been authenticated to log into the system he or she must have the proper authorization settings so that she has access to the right functions. Function authorization is defined using the system administration part of the runtime GUI However, for the Comflow runtime engine to handle users and groups in a correct way, the proper authorization sitedef settings must be configured.

Authentication and authorization methods

It is the choice of authentication method that decides which authorization settings to use. When a specific authentication method has been chosen the corresponding authorization settings must be used!

There are three different implementations for handling how users are authenticated (with a corresponding authorization method):

Table 1 Authentication and authorization methods

All different implementations requires configuration in the sitedef.xml to work properly. Please see the Comflow sitedef server setup reference manual for more information about the sitedef.

Authentication and authorization handling in the sitedef.xml consists of two main parts:

• The “Authentication” tag: This tag describes which implementation is used. The tag consists of a set of parameters which are used to control how the implementation is loaded and executed.
• The “Authorization” tag: This tag describes how the implementation should handle users and groups.

Apart from the generic authentication- and authorization parts in the bullets above, some implementations might need additional sitedef.xml configuration.

Using CA embedded authentication/authorization

Comflow has an embedded authentication/authorization implementation that can easily be used.

The authentication related tables are all, when using embedded authentication, core functionality tables. The COMFLOW – Site Definition Manual explains how the runtime server can locate the core functionality database tables.

Sitedef alterations

Below we will see how the sitedef.xml should be defined to work with the embedded authentication/authorization system. There are two parts in the sitedef.xml that has to be configured; authentication and authorization.

Sitedef authentication part

In the example below, the sitedef.xml (authentication part) has been configured to function with the embedded Comflow authentication implementation:

<Authentication name=”CA” class=”net.comactivity.core.authentication.CAAuthentication”

<Parameters>

<parameter name="default.enterprise" value=""/>

<parameter name="default.company" value=""/>

<parameter name="soap.userid" value=""/>

<parameter name="soap.password" value=""/>

</Parameters>

</Authentication>

<Authentication name=”CA” class=”net.comactivity.core.authentication.CAAuthentication”

Sitedef authorization part

In the example below, the sitedef.xml (authorization part) has been configured to function with the embedded Comflow authentication implementation:

<Authorization>

<User>

<Properties>

<Property name="class" value="net.comactivity.core.authorization.localdb.CAUserManagement"/>

</Properties>

</User>

<Group>

<Properties>

<Property name="class" value="net.comactivity.core.authorization.localdb.CAGroupManagement"/>

<Property name="admin.group" value="P-ADMIN"/>

</Properties>

<Group>

</Authorization >

Using Microsoft Active Directory

Comflow can be used in conjunction with Microsoft Active Directory. To achieve an AD connection a number of different work steps must be performed. These steps will be described in this chapter.

Sitedef alterations

Below we will see how the sitedef.xml should be defined to function with MS Active Directory. There are three parts in the sitedef.xml that has to be configured; the two generic parts (authentication and authorization) and an additional JVM part.

Sitedef authentication part

In the example below, the sitedef.xml (authentication part) has been configured to function with MS Active Directory:

		<Authentication class="net.comactivity.core.authentication.ActiveDirectoryAuthentication" name="CorziaAuthentication">
			<Parameters>
				<parameter name="use.conection.pool" value="true"/>
				<parameter name="provider.url" value="ldaps://CN-STO-DC1.comact.comactivity.net:686"/>
				<parameter name="require.group" value="cat"/>
				<parameter name="check.envusers" value="false"/>
				<parameter name="check.companypersons" value="false"/>
				<parameter name="autocreate.companypersons" value="true"/>
				<parameter name="default.enterprise" value="001"/>
				<parameter name="default.company" value="1"/>
				<parameter name="admin.role" value="cat_admins"/>
				<parameter name="use.ad.groups.as.roles" value="true"/>
				<parameter name="adjust.ad.username" value="true"/>
				<parameter name="search.base.all.groups" value="OU=Groups,OU=ComActivity,DC=comact,DC=comactivity,DC=net"/>
				<parameter name="search.base.user.groups" value="OU=cat_SecurityGroups,OU=Services,OU=ComActivity,DC=comact,DC=comactivity,DC=net"/>
				<parameter name="search.base.user.info" value="OU=Users,OU=ComActivity,DC=comact,DC=comactivity,DC=net"/>
				<parameter name="search.base.printers" value=""/>
				<parameter name="jaas.context.name" value="net.comactivity.core.authentication.Kerberos"/>
				<parameter name="soap.userid" value="userid"/>
				<parameter name="soap.password" value="password"/>
			</Parameters>
		</Authentication>

Sitedef authorization part

In the example below, the sitedef.xml (authorization part) has been configured to function with MS Active Directory:

<Authorization>
    <User>
        <Properties>
            <Property name="class" value="net.comactivity.core.authorization.ldap.LdapUserManagement"/>
            <Property name="user.id" value="acmeuser@acme.com"/>
            <Property name="password" value="acmeuserPassword"/>
            <Property name="provider.url" value="ldap://ldap.acme.com:389"/>
            <Property name="provider.url.ssl" value="ldap://ldap.acme.com:636"/>
            <Property name="provider.search.base" value="OU=acme,OU=com"/>
            <Property name="user.search.base" value=""/>
            <Property name="jaas.context.name" value="net.comactivity.core.authentication.Kerberos"/>
            <Property name="admin.user.id" value="acmeadmin"/>
            <Property name="admin.user.password" value="acmeadminPassword"/>
            <Property name="admin.jaas.context.name" value=""/>
            <Property name="java.keystore.path" value=""/>
            <Property name="java.keystore.password" value=""/>
            <Property name="password.policy.expire.days" value="30"/>
        </Properties            >
    </User>
    <Group>
        <Properties>
            <Property name="class" value="net.comactivity.core.authorization.ldap.LdapGroupManagement"/>
            <Property name="user.id" value="acmeuser@acme.com"/>
            <Property name="password" value="acmeuserPassword"/>
            <Property name="provider.url" value="ldap://ldap.acme.com:389"/>
            <Property name="provider.url.ssl" value="ldap://ldap.acme.com:636"/>
            <Property name="admin.group" value="PortalAdmin"/>
            <Property name="provider.search.base"value="OU=acme,OU=com"/>
            <Property name="all.groups.search.base" value="OU=Groups"/>
            <Property name="global.group.filter" value="P-%"/>
            <Property name="global.group.filter.include" value="true"/>
            <Property name="admin.user.id" value="acmeadmin@acme.com"/>
            <Property name="admin.user.password" value="acmeadminPassword"/>
            <Property name="admin.jaas.context.name" value="net.comactivity.core.authentication.Kerberos"/>
            <Property name="java.keystore.path" value=""/>
            <Property name="java.keystore.password" value=""/>
        </Properties>
    <Group>
</Authorization >

Sitedef JVM part

Apart from the authentication- and authorization part settings described above there are some additional parameters (that should be passed to the JVM) required for the MS Active Directory to work properly.

These settings are passed to the JVM during initialization.

<JVMProperties>
    <Property name="javax.net.ssl.trustStore" value="${approot}/WEB-INF/conf/jssecacerts" />
    <Property name="javax.net.ssl.trustStorePassword" value="default" />
    <Property name="java.security.krb5.conf" value="${approot}/WEB-INF/conf/krb5.conf"/>
    <Property name="java.security.auth.login.config" value="${approot}/WEB-INF/conf/jaas.conf" />
</JVMProperties>

Configuration files

To communicate successfully with the Microsoft Active Directory, some configuration files are required.

Trust Store configuration file (SSL certificate).

Please read  How to configure Comflow for accessing Active Directory with SSL 1_9 for updating the trust store for the current Java version.

Thejavax.net.ssl.trustStore property should point to the generated trust store.

Kerberos configuration files

The krb5.conf file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of host names onto Kerberos realms.

This file is mandatory for the Active Directory implementation!

You need to create a “krb5.conf” file in your project under “Configuration” folder and make sure it's deployed. The example below can be used as template.

To read more about the syntax, please see:

http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5/doc/krb5-admin/krb5.conf.html

NOTE! With Comflow version 2.24, combined with Java17,  default_tkt_enctypes and default_tgs_enctypes should NOT be present. Either remove them or comment them with '#' as in example below.

Example:

[libdefaults]

        default_realm = ACME.COM

        ticket_lifetime = 24000

#default_tkt_enctypes = rc4-hmac  

#default_tgs_enctypes = rc4-hmac 

#default_tkt_enctypes = des-cbc-md5

#default_tgs_enctypes = des-cbc-md5

#default_tkt_enctypes = des-cbc-crc

#default_tgs_enctypes = des-cbc-crc

#udp_preference_limit=1

#dns_lookup_kdc = true        

noaddresses = false

        

default_checksum = rc4-hmac 

#default_checksum = des-cbc-crc

#default_checksum = rsa-md5

#default_checksum = crc32

 

[realms]

        ACME.COM = {

                kdc = ldap.acme.com:88

                default_domain = acme.com

        }

 

[domain_realm]

        .acme = ACME.COM

        acme.com = ACME.COM

        .acme.com = ACME.COM

 

[logging]

default = FILE:c:/temp/kdc.log

kdc = FILE:c:/temp/kdc.log

kdc_rotate = {

 

  # How often to rotate kdc.log. Logs will get rotated no more

  # often than the period, and less often if the KDC is not used

  # frequently.

 

  period = 1d

 

  # how many versions of kdc.log to keep around 

 

  versions = 10

}

 

[appdefaults]

gkadmin = {

  help_url = http://localhost:8888/ab2/coll.384.2/SEAM

}

kinit = {

  renewable = true

  forwardable= true

}

rlogin = {

  forwardable= true

}

rsh = {

  forwardable= true

}

telnet = {

  autologin = true 

  forwardable= true

}

JAAS bundle

Understanding LDAP URLs

An LDAP URL is a URL that begins with the ldap:// protocol prefix (or ldaps://, if the server is communicating over an SSL connection) and specifies a search request sent to an LDAP server.

LDAP URLs have the following syntax:

ldap[s]://hostname:port/base_dn?attributes?scope?filter 

The ldap:// protocol is used to connect to LDAP servers over unsecured connections, and the ldaps:// protocol is used to connect to LDAP servers over SSL connections.

Table 2 Components of an LDAP URL

Any "unsafe" characters in the URL need to be represented by a special sequence of characters (this is often called escaping unsafe characters). For example, a space must be represented as %20. Thus, the distinguished name "ou=Product Development" must be encoded as "ou=Product%20Development".

Note that attributes, scope, and filter are identified by their positions in the URL. If you do not want to specify any attributes, you still need to include the question marks delimiting that field.

For example, to specify a sub tree search starting from "dc=example,dc=com" that returns all attributes for entries matching "(sn=Jensen)", use the following URL:

ldap://ldap.example.com/dc=example,dc=com??sub?(sn=Jensen) 

Note that the two consecutive question marks ("??") indicates that no attributes have been specified. Since no specific attributes are identified in the URL, all attributes are returned in the search.

Useful tools

This tool can be useful when configuring the LDAP settings

• Softterra LDAP browser:https://www.ldapadministrator.com/download.htm
   + Easy to use
   - Can only read
  - Only works on Windows platform

  Troubleshooting

KDC has no support for encryption type(14) for Windows.
If you are using Windows 2003 or Windows 2000 SP4, you will need to add
registry key "allowtgtsessionkey" to enable Kerberos session key.
 
For details refer to following docs:
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html
Look for "KDC has no support for encryption type" Solution 2.

Using AS400

Comflow can be used in conjunction with AS400. To achieve an AS400 authentication/authorization connection a number of different work steps must be performed. These steps will be described in this chapter

Sitedef alterations

Below we will see how the sitedef.xml should be defined to function with AS400 authentication/authorization. There are two parts in the sitedef.xml that has to be configured; authentication and authorization.

Sitedef authentication part

In the example below, the sitedef.xml (authentication part) has been configured to function with AS400:

<Authentication name=”AS400” class=”net.comactivity.core.authentication.AS400Authentication”>
    <Parameters>
        <parameter name="system" value=""/>
        <parameter name="check.movex" value=""/>
        <parameter name="movex.user" value=""/>
        <parameter name="check.envusers" value=""/>
        <parameter name="default.enterprise" value=""/>
        <parameter name="default.company" value=""/>
        <parameter name="check.companypersons" value=""/>
        <parameter name="soap.userid" value=""/>
        <parameter name="soap.password" value=""/>
        <parameter name="user.id.caseing" value=""/>
        <parameter name="require.group" value=""/>
    </Parameters>
</Authentication>

Sitedef authorization part

In the example below, the sitedef.xml (authorization part) has been configured to function with AS400:

<Authorization>
    <Properties>
        <Property name="system" value="MyAS400.stockholm.com"/>
        <Property name="user.id" value=""/>
        <Property name="password""/>
        <Property name="group.filter" value=""/>
        <Property name="group.filter.include" value=""/>
        <Property name="user.filter" value=""/>
        <Property name="user.filter.include" value=""/>
        <Property name="admin.group" value=""/>
    </Properties>
    <User>
        <Properties>
            <Property name="class" value="net.comactivity.core.authorization.as400.AS400UserManagement"/>
        </Properties>
    </User>
    <Group>
        <Properties>
            <Property name="class" value="net.comactivity.core.authorization.as400.AS400GroupManagement"/>
        </Properties>
    <Group>
</Authorization >

URL Login

This chapter describes how you set up and use URL login, which means that you can access a specific task for a specific user directly, bypassing login screen in Comflow. 

What is URL login?

URL login is a method to sign in to Comflow from external applications or just via an URL and get directly to a function with possibly filter data set. An example would be when you want to access data when in another application.

How?

There are two different methods:

• Send sign on information online
• Use Single Sign-on (SSO)

Use Single Sign-on is a better method as the login data is not sent and is not accessible.

Sitedef Configuration

The behavior of the URL login function can be controlled from parameters in the sitedef.

All parameters should be entered under the Authentication section. 

The following parameters can be used:

• url.login : true | false, turn URL function on or off
• url.login.sso.mode : true | false, use single sign mechanism for authentication
  1. Note: Single Sign On need to be configured and activated. 
• session.values.in.url : true | false, accept session values in URL
• start.task.in.url : true | false, accept start of task from URL
• start.task.in.url.hide.navigator : true | false, Hide navigator if start task exist
• mapdata.in.url : true | false, accept map data in URL
• url.login.single.session : true | false, closes other sessions for the user if true 

Example:

<Authentication name="CA" class="net.comactivity.core.authentication.CAAuthentication"> 
         <Parameters> 
                   <parameter name="url.login" value="true" /> 
         </Parameters> 
</Authentication>

URL Syntax

The behavior is controlled by setting parameters in url.

The following parameters can be used

Example:

http://anyhost:8080/comflow?userid=mike&_sessCONO=1&_sessDIVi=OF&_startTask=WorkWithABCClass&_startEntryPoint=child4&_mapdataCAAPPS_ABCClass_ABCClass=B&_dataModelEvent=_model_update

Explanation of the example:

This URL would sign in for the Comflow installation on anyshost via port 8080 for the user mike. Company (CONO) and division (DIVI) would be set to 1 and OF respectively. The function (task) WorkWithABCClass would be started with the entry point (starting portlet/view) child4. Filter data would be ABCClass=B and the function would be set into update mode.

Detect URL login in rules

To detect if a certain session is made via URL login, you can use the code below in a rule:

if (StringUtil.getBooleanParameter((String) sessionWorkspace.getTemp("_urllogin"), false)) {

        // URL login for this session

        }