
Resource Adapter Security

Use

This function enables you to define:

·        The authentication mechanism of the resource adapter

·        The mechanism for authentication of a resource principal to the Enterprise Information System (EIS).

These mechanisms are defined at deployment time; you cannot change them at runtime. After you define a mechanism for signing on to the EIS, this security information applies to all connections that the resource adapter provides.

The security information in the deployment descriptors of the resource adapter is encrypted.

Activities

ra.xml

In the standard deployment descriptor of the resource adapter (ra.xml) you must configure the following parameters:

·        Authentication mechanism

You can choose between BasicPassword (basic password-based authentication) and Single Sign-On with SAP authentication assertion tickets, SAPAssertionTicket (or the corresponding object identifier 1.3.6.1.4.1.694.2.1.3.1). The J2EE Engine does not support Kerberos version 5-based authentication (the Kerbv5 mechanism defined by the J2EE Connector Architecture).

Example

<authentication-mechanism-type>BasicPassword</authentication-mechanism-type>

<authentication-mechanism-type>SAPAssertionTicket</authentication-mechanism-type>

·        Credential interface

You can choose either javax.resource.spi.security.PasswordCredential or javax.resource.spi.security.GenericCredential. The PasswordCredential class provides a holder for user name and password. The GenericCredential interface defines a security mechanism-independent interface for accessing the security credentials of a resource principal.

Example

<credential-interface>javax.resource.spi.security.PasswordCredential</credential-interface>

<credential-interface>javax.resource.spi.security.GenericCredential</credential-interface>

·        Reauthentication support

You must also specify whether the resource adapter supports re-authentication. If it does, the application server can reuse an existing ManagedConnection instance under a different security context: the adapter signs on to the EIS again with the new resource principal instead of creating a new physical connection. If it does not, a connection that was signed on for one resource principal must not be handed to a caller that maps to a different one.

Example

<reauthentication-support>true</reauthentication-support>

<reauthentication-support>false</reauthentication-support>

connector-j2ee-engine.xml

In the additional deployment descriptor of the resource adapter you must set the security parameters for the resource principal authentication:

·        Authentication type

You can choose one of the following options:

○        Caller Impersonation – the credentials of the caller principal are passed directly to the EIS and used to authenticate the resource principal. This requires that the EIS knows the same user accounts as the application server.

○        Credentials Mapping – use this mechanism when the application server and the EIS have different authentication domains. The credentials of the caller principal are transformed into resource principal credentials of the type required by the authentication mechanism of the EIS (where this is possible) and passed to the EIS in a javax.security.auth.Subject object. You must specify the user store in which the application server finds the transformed credentials that correspond to the caller credentials.

More information about user stores: Managing User Stores

○        Configured Identity – all caller principals obtain connections to the EIS using the same identity. You can specify either the user store in which the identity is stored, or a user name and a password for the configured identity (which is the resource principal in this case). Because the EIS then sees every caller as the same user, it cannot authorize individual callers; access control for the EIS resources must be enforced by the application itself.

○        Principal Mapping – this authentication type defines a strict mapping between caller principals and the resource principal; only authorized caller principals can obtain a connection using a specific identity. You must specify the user store in which this identity is stored and enter the name of the identity.

Recommendation

We recommend that you use either Caller Impersonation or Configured Identity authentication type.

If you choose not to specify a user store in the above cases, the system creates an internal user store, which is destroyed when the application containing the resource adapter is removed from the server. It is recommended that you do not use the internal user stores for other applications.

Example

<authentication-type>principal mapping</authentication-type>

<user-store>DBMS User Store</user-store>

·        Identity subject

You must set the mapping between a caller principal (which requests a connection to the EIS) and a resource principal (which is authorized to access the resources in the EIS). This mapping forms an identity subject. In the example below, requests made by the caller principal Administrator are signed on to the EIS as the resource principal System.

Example

<identity-subject>

  <caller-principal>

    <user-name>Administrator</user-name>

  </caller-principal>

  <resource-principal>

    <user-name>System</user-name>

  </resource-principal>

</identity-subject>
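The descriptors above configure the container; the resource adapter itself sees the result as a javax.security.auth.Subject. The following helper is an added example, not code from the SAP documentation or from any SAP resource adapter. It assumes an adapter that declared BasicPassword and javax.resource.spi.security.PasswordCredential in ra.xml, and it shows how such an adapter selects the credential that belongs to it (the resource principal chosen by the authentication type in connector-j2ee-engine.xml), how application-managed sign-on without a Subject is handled, and how the reauthentication-support setting decides whether an existing ManagedConnection may be reused for a different resource principal. The class names EisSignOnHelper and EisRequestInfo are hypothetical; the SAPAssertionTicket and GenericCredential case is not covered.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Set;

import javax.resource.ResourceException;
import javax.resource.spi.ConnectionRequestInfo;
import javax.resource.spi.ManagedConnectionFactory;
import javax.resource.spi.SecurityException;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;

/** Hypothetical helper for an adapter using BasicPassword / PasswordCredential. */
public final class EisSignOnHelper {

    /** Assumed adapter-specific request info for application-managed sign-on. */
    public static final class EisRequestInfo implements ConnectionRequestInfo {
        private final String userName;
        private final char[] password;

        public EisRequestInfo(String userName, char[] password) {
            this.userName = userName;
            this.password = password.clone();
        }

        PasswordCredential toCredential(ManagedConnectionFactory mcf) {
            PasswordCredential pc = new PasswordCredential(userName, password);
            pc.setManagedConnectionFactory(mcf);
            return pc;
        }

        @Override public boolean equals(Object o) {
            return o instanceof EisRequestInfo
                && userName.equals(((EisRequestInfo) o).userName)
                && Arrays.equals(password, ((EisRequestInfo) o).password);
        }

        @Override public int hashCode() {
            return userName.hashCode() ^ Arrays.hashCode(password);
        }
    }

    private EisSignOnHelper() {}

    /**
     * Selects the PasswordCredential for this adapter. With container-managed
     * sign-on the J2EE Engine fills the Subject according to the configured
     * authentication type; with application-managed sign-on the Subject is
     * null and the component passes credentials through ConnectionRequestInfo.
     */
    public static PasswordCredential resolveCredential(final Subject subject,
                                                       final ManagedConnectionFactory mcf,
                                                       ConnectionRequestInfo info)
            throws ResourceException {
        if (subject == null) {
            if (info instanceof EisRequestInfo) {
                return ((EisRequestInfo) info).toCredential(mcf);
            }
            throw new SecurityException("No credentials supplied for EIS sign-on");
        }
        // Private credentials are read under doPrivileged so the adapter works
        // even when the calling component lacks permission to see them.
        PasswordCredential match = AccessController.doPrivileged(
            new PrivilegedAction<PasswordCredential>() {
                public PasswordCredential run() {
                    Set<PasswordCredential> creds =
                        subject.getPrivateCredentials(PasswordCredential.class);
                    for (PasswordCredential c : creds) {
                        // Only the credential bound to this adapter's factory is ours;
                        // a Subject may carry credentials for several adapters.
                        if (mcf.equals(c.getManagedConnectionFactory())) {
                            return c;
                        }
                    }
                    return null;
                }
            });
        if (match == null) {
            throw new SecurityException("Subject carries no PasswordCredential for this adapter");
        }
        return match;
    }

    /**
     * Called when the container hands an existing ManagedConnection to a new
     * caller. Returns true when the adapter must sign on to the EIS again.
     */
    public static boolean needsReauthentication(PasswordCredential current,
                                                PasswordCredential requested,
                                                boolean reauthenticationSupport)
            throws ResourceException {
        boolean same = current.getUserName().equals(requested.getUserName())
            && Arrays.equals(current.getPassword(), requested.getPassword());
        if (same) {
            return false;   // same resource principal: reuse the connection as is
        }
        if (!reauthenticationSupport) {
            // ra.xml declared <reauthentication-support>false</reauthentication-support>:
            // the connection must stay bound to its original resource principal.
            throw new SecurityException("Connection is bound to another resource principal");
        }
        return true;        // adapter performs an EIS re-login with the new credential
    }
}
```

With Configured Identity every Subject contains the same PasswordCredential, so needsReauthentication always returns false and pooled connections are freely shared; with Caller Impersonation or Principal Mapping, callers that map to different resource principals only share a physical connection when ra.xml declares re-authentication support.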

More Information

Implementing Security Functions
