Chapter 1 Introducing Jaguar CTS

Declarative security

Jaguar CTS provides built-in support for user authentication and authorization. Users are authenticated when a client application creates a proxy or stub object (a connection is made when the application creates the first proxy or stub; other proxies or stubs may use the same connections or allocate new connections as needed). Each component has access control lists that determine which users are allowed to invoke the component; if a user is not authorized to use a component, attempts to create stubs or proxies with that user name fail.

Authentication support

Options for user authentication include:

Native operating system authentication User names for a Jaguar connection map directly to a login name on the host operating system. You can enable native authentication with Jaguar Manager using the server's property sheet.
No authentication No user name/password authentication of session user names is performed. This is the default configuration for new servers.
SSL certificate-based authentication You can configure a secure IIOP port that requires mutual (client and server) authentication. Clients must have a valid SSL certificate in order to connect to this port, and the certificate must be issued by a certificate authority that is trusted by the Jaguar server.
When clients connect with an SSL client-side certificate, the client also supplies a Jaguar user name and password for the connection in addition to the certificate. Jaguar performs authorization checking based on the Jaguar user name. The SSL user name and certificate information are available to components through the built-in CtsSecurity/SessionInfo component.

Jaguar Server provides native SSL support without the use of proxies. On the client side, the Jaguar Java ORB supports SSL when run in Netscape 4.0. Java applets and Java applications, C++, PowerBuilder, and ActiveX components can use SSL natively. Other types of clients require the use of an SSL proxy.

C++ and PowerBuilder clients require that a public key infrastructure (PKI) system be available on the client to manage digital certificates. You can use Security Manager, which manages Jaguar's certificate database, or you can use Entrust/Entelligence, available separately from Entrust Technologies (http://www.entrust.com).
Quality of protection Jaguar Manager allows you to set the quality of protection (QOP) for Jaguar packages, components, and methods. QOP establishes a minimum level of encryption and authentication that a client must meet before it can access your business logic.
Custom authentication You can code a service component to be installed in Jaguar to perform your own authentication checks. For example, you can retrieve the client user name and password and check to see if they allow a login to a remote database server. See "User-Installed authentication services" for more information.

Jaguar provides a special user name, jagadmin, for the Jaguar Administrator login. Administrator authentication is performed independently of the authentication option you configure. By default, the "jagadmin" user name has no password.

See "Security Configuration" in the Jaguar CTS System Administration Guide for more information on configuring authentication options.

Set the administrator password for new servers Immediately after you create a new server, you must secure access to the server by defining the jagadmin password and configuring the authentication mechanism of your choice. See "Security Configuration" in the Jaguar CTS System Administration Guide for more information.

User-Installed authentication services You can install your own service component to authenticate clients for any Jaguar server. For example, if you require the client user name to match a remote database user name, you can code the component to retrieve the client user name and password and attempt to login to the remote database.

The component must implement the CtsSecurity::AuthService IDL interface as well as the CtsServices::GenericService interface, and you must set the com.sybase.jaguar.server.authservice server property to specify the name of your component (this property must be set using the All Properties tab in the Server Properties dialog box).

This interface contains one method, checkSession. Your code for this method can check the client's user name and password and the status of other authentication checks, that is, whether the client's credentials have passed OS authentication or SSL authentication checks. Your code can perform additional authentication checks and auditing. For more information, see the documentation for the CtsSecurity::AuthService IDL interface.

A sample Java implementation is provided in the Jaguar html/classes/Sample/AuthServiceDemo directory in your Jaguar installation. A sample C++ implementation is available in the sample/AuthServiceDemo subdirectory.

Authorization support

Jaguar's authorization model is based on roles. Roles are defined in Jaguar Manager. Each role can include and exclude specific user names and digital certificates. If you use native operating system authentication, you can also include and exclude operating system group names; all users in the specified group are affected.

Roles are attached to Jaguar packages and components. Attaching a role to a package controls access to all components in the package. In order to use a component, a user must be allowed by both the roles that are attached to the component and the roles that are attached to the package that contains the component.

See "Security Configuration" in the Jaguar CTS System Administration Guide for more information on defining roles.

Intercomponent call authorization using identities You can use identities to restrict intercomponent calls. Identities map logical identity names to a user name, password, and required SSL session characteristics. The identity names are used in the run-as mode settings for components and component methods.