Security Service

This service provides user and group management in SAP J2EE Engine 6.20, as well as management of user authorization for access to system resources. Each user or resource is associated with a unique ID – a PID for the resources and SID for the users. Security Service provides a variety of SID processing methods, and flexible usage of PIDs and SIDs. It also manages the login procedures to the system.

Visual Administrator

Runtime Control

Security Service can be configured at runtime using the “Runtime” tab of Visual Administrator. The function is available using six subtabs.

Resources

This subtab maps access rights from users to resources. A user with administrative privileges can grant access to a particular resource from the list of available resources.

System resource tree includes telnet and security resource instances. The security resources are identified by unique names: user.management , resource.management (which includes JNDI resources, admin resources, and keystore resources), permission.management , login.sessions , jaas.configuration , and connector.management . The only available option for access permissions to the telnet and to the security resources is ALL .

JNDI resources are the contexts in the Naming tree. They are identified by unique names. Users can be granted the following access permissions to JNDI operation resources:

All – grants all types of permissions
Jndi_change_security – assigned by default to the system administrator. It enables you to allow or deny user access to a specific operation.
Jndi_lookup – Jndi_lookup – given to all users by default. It enables search, lookup and lookupLink operations. With Bind and Unbind permissions, it enables the rename operation.
Jndi_modify_attributes – enables replace, modify and remove attributes operations
Jndi_bind – enables bind and rebind operations
Jndi_create_subcontext – allows subcontext creation operation
Jndi_get_attributes – enables getAttributes operation
Jndi_unbind – enables unbind operation
Jndi_destroy_suncontext – enables destroySubContext operation
Jndi_list – lists permissions
Jndi_list_bindings – enables listBindings operation

Note: For detailed description of the permissions listed above, refer to the Naming Service section in this document.

The permission mappings for the com.inqmy.services.admin.server.Admin FrameworkImpl resource specify users and groups that have access to information about manager modules in the cluster, and are allowed to perform particular administrative tasks on them. The following action options are provided:

All – access to all actions that are listed below
getAllManagers(int) – access to the getAllManagers(int) method, which returns a String array with the names of all manager modules running either on the current cluster node, or on a cluster node with specified ID
getAllManagersInCluster() – access to the getAllManagersInCluster() method, which returns bi-dimensional array with the names of the manager modules, running on all cluster nodes
getClusterElementInfo(int) – access to the getClusterElement Info(int) method, which provides information about either current cluster node, or cluster node with specified ID. Information includes cluster element name, ID, host, join port, and type (server or dispatcher).
getClusterName() – access to the getClusterName() method, which returns the name of SAP J2EE Engine 6.20 cluster
getManagerStatus(int,java.lang.String) – access to the getManager Status(int,java.lang.String) method, which returns the load level of specified manager module, running on a particular cluster element
getManagerDiagramCount(int,java.lang.String) – access to the getManagerDiagramCount(int,java.lang.String) method. For a specified manager module, running on a particular cluster element, this method returns a number of diagrams that are visualized in Visual Administrator. These diagrams represent statistics about a manager’s performance.
getManagerStatisticName(int,java.lang.String,byte) – access to the getManagerStatisticName(int,java.lang.String,byte) method. For a specified-by-name manager module, running on a particular cluster element, this method provides the names of the statistics items that are represented in a diagram with a given index.
getManagerMaxStatisticValues(int,java.lang.String,byte) – access to the getManagerMaxStatisticValues(int,java.lang.String,byte) method. For a specified-by-name manager module, running on a particular cluster element, this method provides the maximum values of properties that are included in statistics items, which are represented in a diagram with a given index.
getManagerStatisticValues(int,java.lang.String,byte) – access to the getManagerStatisticValues(int,java.lang.String,byte) method. For a specified-by-name manager module, running on a particular cluster element, this method provides the current values of properties that are included in statistics items, which are represented in a diagram with a given index.
getManagerProps(int,java.lang.String) – access to the getManagerProps (int,java.lang.String) method, which returns current properties of a specified manager module running on particular cluster element
changeManagerProps(int,java.lang.String,java.Util.Properties) – access to the changeManagerProps(int,java.lang.String, java.util.Properties) method, which allows for runtime modifications of the properties of a specified manager module running on particular cluster element
reboot(int) – access to the reboot(int) method, which enables rebooting of either a single cluster element with specified ID, or the whole cluster if no ID is provided
shutDown(int) – access to the shutDown(int) method, which shuts down either a single cluster element with specified ID, or the whole cluster if no ID is provided
dropdown(boolean) – access to the dropDown(boolean) method. If set to true , this method reboots the whole system; if set to false , it shuts down the whole system.
getClusterInfo() – access to the getClusterInfo(int) method, which returns a bi-dimensional String array with information about all elements in the cluster. Information includes cluster elements names, IDs, connection ports, hosts, and types (server or dispatcher).

Keystore entries are displayed in the “Runtime” tab of Keystore Service. The following permissions can be granted for available keystore entries:

All – enables all operations on keystore entries
Read – enables only read operations on keystore entries
Change – enables changes on keystore entries

The “Users on Server” pane presents the tree of users registered with SAP J2EE Engine 6.20. The “Granted Users” pane displays users who are granted access to a selected resource. The “Denied Users” pane displays a list of users explicitly denied access to a specified resource. The administrator can add or remove users from the lists of granted or denied users.

User Management

This subtab provides options to manage login rights of SAP J2EE Engine 6.20 users and user groups. When installing SAP J2EE Engine 6.20, four default groups are created – “Root,” “guests” (default user – Guest, default password – “guest”), “administrators” (default users – Administrator, default password – empty string, System, (default password – empty string), and “external,” which is a child of the “guests” group. “Root” is the parent group for “administrators” and “guests” groups. The “Runtime” tab provides the following options for managing groups and users:

Create User – the system administrator can add a new user to an existing group. A password can be set for the user. An option for setting random password is also available.
Create Group – register a new group. The system administrator can select parent group and child group, and subscribe users to the new group. If no parent group is selected, the new group is added to the “Root” group.
Remove – remove a registered user or group
Group – add a user or group to an existing group, thus assigning it all permissions that the selected parent group has been given
Ungroup – a user or group is removed from an existing parent group
Properties –the system administrator can activate the “force to change user’s password” option and set time in days, after which the selected user’s password must be changed. User can be set to “enable” or “disable.” When user is set to “disable,” the selected user has no login rights to SAP J2EE Engine 6.20.
Set Filter – set user password filter. System administrator can define minimum and maximum number of characters used, and allow or forbid the use of space and digits in the password.
Change User Password – the system administrator can change a user password. Specifying the old password is not required.
Refresh – updates Security Service “Runtime” tab

Crypt Providers

This tab has two boxes that display the name of the security providers and information about them.

When a particular provider from the “Providers” box is highlighted, the relevant information about it appears in the “Info” box below. After restarting the server the order, in which the crypt providers have been last used, remains the same.

At server startup the default provider settings are obtained from a file named java.security , located in the JAVA_HOME/jre/lib/security directory and are inserted in the database. IAIK provider is added when the Keystore Service is started (if the additional IAIK jars have been added). Then the IAIK provider for the current cluster element is added to the database. At server startup, if the database is not empty, the providers are read from the database.

The different providers for the current cluster element are displayed in the “Providers” tab in the order they are used. For each cluster element might be available different providers. All providers for all cluster elements are kept in DBMS Service.

This tab has the following options for manipulating providers:

Create – create new provider. The class name of the new provider should be entered.
Delete – delete a provider
Move up – assign a higher priority to a particular provider
Move down – assign a lower priority to a particular provider
Set – set changes made as permanent
Restore – restore settings of the service established with the last Set option

JAAS

This tab refers to the JAAS (Java Authentication and Authorization Service) functions implemented within SAP J2EE Engine 6.20 Security Service. A list of applications that are configured to use JAAS login mechanisms is displayed in the “Available Applications” pane. Users can add applications to the list using “Add.” A name for the application should be specified. To remove an application, users must select it and choose “Remove.” Two applications are provided by default: InQMyLoginSystem and other .

When an application is selected, the Login Modules configured for this application are displayed in the right-hand pane of the “JAAS” tab. The authentication proceeds in the order the Login Modules are listed. Additional Login Modules may be specified for a selected application. Users must provide name identifier for the Login Module in the “LoginModule” text box of the right-hand pane. Control flag must be selected from the “Flag” drop-down menu. The flag defines the overall behavior as authentication proceeds down the stack. The following options are provided:

REQUIRED – Login Module is required to succeed. Authentication proceeds down the list either if the module has succeeded or has failed.
REQUISITE – Login Module is required to succeed. If successful, the authentication proceeds down the list, otherwise control returns to the application – that is, the authentication does not proceed.
SUFFICIENT – Login Module is not required to succeed. If the authentication is successful, control returns to application; otherwise, authentication proceeds.
OPTIONAL – Login Module is not required to succeed. Authentication proceeds down the list either if the module has succeeded or has failed.
INVALID – used for visualization in cases when an incorrect flag has been specified in the configuration file.

Overall authorization is successful when all REQUIRED and REQUISITE Login Modules succeed. If no REQUIRED and REQUISITE modules are included in the configuration, then at least one SUFFICIENT or OPTIONAL module must succeed for the authorization process to succeed.

In the “Options” dialog box, you can specify Login Module-specific options that control the behavior within the module. They are specified in key=value format. For example, if the module must support debugging, the following option is specified:

debug=true

Options are separated by a space, when there are more than one.

R3 Properties Manager

The R3Security.properties file is located in ../server/services/work . The com.sap.security.Security class uses it to initialise the connection to a SAP Web Application Server. The R3Security.properties file is used for logging on to SAP Web Application Server and getting the SAP R/3 System users.

All the servers in the cluster have the same R3Security.properties file. The “R3 Properties Manager” tab enables you to manipulate the file. You can access R3PropertiesFileManagerImpl remotely by using the getRemoteR3PropertiesFileManager() method of the RemoteSecurity interface. For more information about this interface, refer to Development Manual ®Security Service ®RemoteSecurity Interface .

You can use the following options to manage this file:

Load - loads the R3Security.properties file to be reviewed or modified
Save - modifies the files for the whole cluster and then saves their value to DBMS. If any of the files cannot be modified (for example, it is read-only), the changes made on the other servers are rolled back and an exception is thrown.

Note: If the property file has been changed using the Visual Administrator, the changes take effect after restarting the cluster. If the file has been changed manually, and it differs from the file stored in DBMS, the value from the file in DBMS will replace the files on the servers.

Connector

You can grant rights to users to manage connectors using Resource tab ® root ®system ®security ®connector.management .

“Connector” enables management of connectors and the available identities for them. The left-hand pane in the tab contains the following options for manipulating connectors:

Add - adds a new connector resource with a specified name
Remove - removes the selected connector resource

The right-hand pane contains the following options:

Add - adds a new identity. The name and the password for the identity must be specified.
Remove - removes the selected identity
Change - changes the password of the selected identity

Protection Domains

This tab provides options to grant particular permissions for available protection domains. All protection domains within SAP J2EE Engine 6.20 are displayed in the “Available Domains” pane. Each service running on the server is a separate protection domain. In addition, there is a protection domain for Sevlets and JSPs – @comp@webContainer/applications/default: default . Thus, for example, users can run a JSP that has not been deployed on the server; the JSP uses the default application in this protection domain.

For each protection domain, users can set permissions that are listed in the “Permissions” drop-down menu. When a particular permission is selected, the list of available actions is displayed in the “Action” drop-down menu. Each permission has a number of names associated with it. For example, the “property” permission is associated with ManagersCommandsProperties , java.runtime.name , inqmyxml , and so on. These names are displayed in the “All Names” pane. The “Granted Names” pane displays permission names that have been granted for the selected protection domain. Users can either add permissions from the list of available ones to the “Granted Names” list, or remove permissions from the list of granted ones.

Login Sessions

This tab displays a list of current login sessions on the selected server node. The following information is provided for each session:

Session ID – unique identifier of login session
UserName – the name of the user that is associated with the login session
Login Date – date and time of session creation
Expiration Date – expiry date and time

The system administrator can terminate a particular session using “Kill Session.”

Properties

	Server
Property Key	Description	Default Value

UserAdmins.*	This group of properties includes userAdmins.name, userAdmins.password, userAdmins.parentGroups, userAdmins.isUser. They refer to the “administrators” default user group.
UserGuests.*	This group of properties includes userGuests.name, userGuests.password, userGuests.parentGroups, userGuests.isUser. They refer to the “guests” default user group.
userN.*	This group of properties includes userN.name, userN.password, userN.parentGroups, userN.isUser.
MaxUsersCount	Specifies the maximum number of users that can log on to the system simultaneously.	1000
SessionExpirationPeriod	Specifies expiration period for user session in milliseconds.	100000000
ForceCreateAllUserEntries	This property is boolean value that specifies if default users and groups are recreated after server restart.	false
CaseSensitive	Specifies if the username and password are case-sensitive.	true
ZipDirectory	Specifies the directory in which the log files are archived.	logBackup
UnicodeLog	This is a boolean flag specifying whether to write log records in UNICODE.	false
MaxFileLength	Specifies the maximum size of the log file (in bytes). If it is exceeded, the file is added to the archive.	1048576

Console Administrator

Security Service can be administered using the Shell commands from LOGIN , POLICY, RESOURCE and USERS command groups.

Note: For information on Security Service Shell commands, refer to the Shell Commands Reference section.

Property Files

../cluster/server/services/security/properties
Security Service properties specified in the Visual Administrator section can be set from this property file as well.

Critical Information and Troubleshooting Tips

Security Service arranges SAP J2EE Engine 6.20 users into groups and creates a hierarchical structure of these groups. A default group root that is the parent group of all others is provided. This default group cannot be removed and groups that are its parents cannot be created. Other default groups – Administrators and Guests – are provided as well. The system administrator can add new groups and remove old ones. The newly added groups can be parent or child groups of other ones. The Administrators’ group cannot be removed.

Security Service allows the system administrator(s) to add and remove users and groups, to change user passwords (including those of other administrators), to enable and disable users, to set password filters, and to add and remove users from groups. The system administrator has the authority to do everything concerning SAP J2EE Engine 6.20 users.

The main reason for arranging users into groups is to assign specific permissions. Of course, permissions can be granted for each user individually, but it is more convenient to arrange users with the same permissions into groups and work with several entities only. In general, from the “Security” tab in the Visual Administrator tool of each service, the system administrator can specify security roles that can then be associated with real server users and groups. Security roles can grant access of the assigned users or groups to the entire service, or only to some of its methods. This is also true for application deployment. When an application is deployed on SAP J2EE Engine 6.20, security roles are specified to grant access to this application for users. Again, server users can have access to the entire application, or only to some of its methods.

Another point of consideration in this section is setting the SidMemorySizes and PidMemorySizes properties. When setting them, the system administrator must consider that these are percentage values and can be assigned a number in [0, 100]. The default values provided are recommended for optimal performance.

Typically, when setting the MaxUsersCount property, the system administrator must take into consideration the system resources available. If they are scarce, the value of the property must not be a great number.