3 — Using the NetCrusader/CORBA Security Service




This chapter describes how to initialize and use the NetCrusader/CORBA Security Service to secure your CORBA application. This is done using command line arguments that you add to the CORBA application's startup script.

This chapter describes how to use command-line arguments for:

3.1 Initializing the Security Service
3.2 Specifying Principal Name/Password Authentication
3.3 Specifying Principal Name/Keytab Authentication
3.4 Specifying the Default Domain
3.5 Configuring the Audit Log
3.6 Setting the Policy Cache Lifetime

Applications are required to pass command-line arguments:

• To initialize the security service (Section 3.1).

• To authenticate a principal for secure servers (servers that will participate in secure communications with a client). You can use either Principal Name/Password authentication (Section 3.2) or Principal Name/Keytab authentication (Section 3.3).

In addition to the required initialization arguments, NetCrusader/CORBA supports additional, optional arguments that you can use to choose domains, configure the audit log, and set the policy cache lifetime.

All arguments are passed to the CORBA::ORB_init (ORB initialization) routine so that the security runtime can process them.

NOTE: Because Java options are passed as System properties, you can also use any other mechanism in Java that sets System properties to pass the arguments. However, the properties must be set before the call to ORB_init() is performed.

3.1 Initializing the Security Service

When the application starts up, it must initialize the security service for any security functionality to work. No changes to the application source itself are necessary.

NetCrusader/CORBA automatically registers its client- and server-side interceptors with the ORB at startup. Start the application with the following command-line argument:

Example:

java -DORBservices=com.gradient.NetCCorba 

As an option, you can set the properties in code, as follows:

System.getProperties().setProperty("ORBservices", "com.gradient.NetCCorba");

This statement must execute before the call to ORB_init(), which initializes the CORBA ORB and the NetCrusader Security Service.

3.2 Specifying Principal Name/Password Authentication

An application can specify the name of the principal to authenticate. Applications are not required to authenticate principals, but if you specify the principal name on the command line then the "own" credentials for the application will contain credentials for this principal.

NOTE: Servers that will be communicating securely with clients require some form of principal authentication (either Principal Name/Password authentication, as described in this section, or Principal Name/Keytab authentication, as described in the following section), even if delegation is not used.

Applications can modify their own credentials at runtime by using the PrincipalAuthenticator interface (see the NetCrusader/CORBA Application Developer's Guide for information).

Pass both of the following parameters:

• -GradPrincipal parameter — Allows the application to specify the name of the principal to authenticate.

• -GradPassword parameter — Specifies that an authentication attempt uses the username/password method, and supplies the password to be used. Do not use this parameter with the -GradKeytab parameter.

For example, the following command specifies that the principal to be authenticated is admin:

C:\> java -DORBservices=com.gradient.NetCCorba -DGradPrincipal=admin -DGradPassword=passwd02 FinanceManager

NetCrusader/CORBA also supports authentication using a keytab file (see Section 3.3).

3.3 Specifying Principal Name/Keytab Authentication

Using command-line options, you can use a keytab file rather than a username/password scheme to authenticate a CORBA server. NetCrusader/CORBA also provides a utility that you can use to generate the keytab file.

NOTE: Servers that will be communicating securely with clients require some form of principal authentication (either Principal Name/Keytab authentication, as described in this section, or Principal Name/Password authentication, as described in the preceding section, Section 3.2).

3.3.1 Using the Keytab Creation Utility

NetCrusader/CORBA includes a utility for creating keytab files called Createkt.exe. This utility creates a keytab file and configures the matching settings in the Security Server repository, allowing your CORBA server application to log in using the file.

The keytab file created is usable only on the machine on which it was created. If the same server identity will be used for running CORBA servers on another machine, run Createkt on that machine.

Parameters for Createkt are:

• Name and password of the server account

• Name and password of the admin account

• Create (-c) parameter (optional). If you specify the -c parameter, Createkt creates the server account. If you do not specify the -c parameter, Createkt assumes that the server account already exists.

NOTE: When you specify the -c parameter to create a new account, Createkt generates a new account with the specified name even if there was an existing account with the same name. The old account will no longer be available.

The syntax for the Createkt.exe utility is:

createkt server_name server_password admin_name admin_principal file_name [-c]

After you create the keytab file, configure the CORBA server application to use it by specifying the appropriate command line arguments, as described in Section 3.3.2.

3.3.2 Specifying Command Line Options

The parameter -GradKeytab <filename> specifies that the authentication attempt uses the username/keytab method, and supplies the name of the file in which the key table is stored. You must also pass the username using the -GradPrincipal parameter.

Do not use this parameter with the -GradPassword parameter.

Example:

C:\> java -DORBservices=com.gradient.NetCCorba -DGradPrincipal=fred -DGradKeytab=c:\NetCCorba\bin\keytable.tab FinanceManager

3.4 Specifying the Default Domain

The parameter -GradPolicy <domain> specifies the name of the capsule domain for the application. All runtime policies are retrieved from this domain, and all objects served by the application belong to this domain.

If this parameter is not specified, the default domain for the application is the root domain.

For example, the following command starts up the application FinanceManager, loads the NetCrusader/CORBA security runtime, and specifies the domain bank for all application objects:

C:\> java -DORBservices=com.gradient.NetCCorba -DGradPolicy=bank FinanceManager

3.5 Configuring the Audit Log

You can direct NetCrusader/CORBA to record all auditable events in a local log file.

Specify the log file, its name, and location using the parameter -GradLogFile <path-specifier>. You can specify a full path or only a filename.

• If you specify only a filename, the file is created in the working directory for the application.

• If you specify a full path, the file is created in the directory specified in the path, with the name specified in the full path.

• If you do not specify the -GradLogFile parameter, no log file is created.

For example, the following command sets the name of the log file as log8_99.log and places it in the directory C:\NetCCorba\Logs:

C:\> java -DORBservices=com.gradient.NetCCorba -DGradLogFile=c:\NetCCorba\Logs\log8_99.log FinanceManager

3.6 Setting the Policy Cache Lifetime

The parameter -GradCacheLifetime <seconds> allows the application to set the lifetime of the domain's policy cache. The cache lifetime value determines how soon an administrator's changes — made through the NetCrusader Commander management program — are applied.

Newly initialized applications and applications that make changes always have the most up-to-date policies.

By default, a domain's policy cache lifetime is 60 minutes. A cache lifetime of 0 turns off caching. The special constant infinite prevents the cache from ever being refreshed.

For example, the following command changes the cache lifetime to 30 minutes (1800 seconds):

Example:

C:\> java -DORBservices=com.gradient.NetCCorba -DGradCacheLifetime=1800 FinanceManager

The following command line prevents the cache from being refreshed:

Example:

C:\> java -DORBservices=com.gradient.NetCCorba -DGradCacheLifetime=infinite FinanceManager
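The following launcher is an added example and is not part of NetCrusader/CORBA or of this manual. It shows the rules from Sections 3.1 through 3.6 applied in code: ORBservices is always set, -GradPassword and -GradKeytab are rejected when given together, either one requires -GradPrincipal, -GradCacheLifetime must be a non-negative number of seconds or the constant infinite, and every property is placed in the System properties before ORB_init() runs, as Section 3.1 requires. The class name SecureLauncher, its Key=value argument syntax and its validation messages are the example's own; it assumes the org.omg.CORBA classes shipped with Java SE 8 through 10 and that the runtime reads the System properties, as this chapter states.

```java
import java.io.File;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import org.omg.CORBA.ORB;

/**
 * SecureLauncher: added example, not part of NetCrusader/CORBA.
 * Collects the security settings from Key=value arguments (for example
 * GradPrincipal=fred GradKeytab=c:\NetCCorba\bin\keytable.tab), checks the
 * constraints stated in Chapter 3, and sets them as System properties
 * before ORB.init() is called.
 */
public final class SecureLauncher {

    /** Validates the NetCrusader settings and returns them as Properties. */
    static Properties buildSecurityProperties(Map<String, String> opts) {
        Properties p = new Properties();
        // Required: loads the NetCrusader interceptors when the ORB starts (Section 3.1).
        p.setProperty("ORBservices", "com.gradient.NetCCorba");

        String principal = opts.get("GradPrincipal");
        String password = opts.get("GradPassword");
        String keytab = opts.get("GradKeytab");

        // Password and keytab are alternative methods; the chapter forbids using both.
        if (password != null && keytab != null) {
            throw new IllegalArgumentException(
                "GradPassword and GradKeytab must not be used together");
        }
        // Either method needs the principal name (Sections 3.2 and 3.3.2).
        if ((password != null || keytab != null) && principal == null) {
            throw new IllegalArgumentException(
                "GradPrincipal is required with GradPassword or GradKeytab");
        }
        if (principal != null) p.setProperty("GradPrincipal", principal);
        if (password != null) p.setProperty("GradPassword", password);
        if (keytab != null) {
            // Fail before ORB_init rather than at login if the keytab file is missing.
            if (!new File(keytab).isFile()) {
                throw new IllegalArgumentException("keytab file not found: " + keytab);
            }
            p.setProperty("GradKeytab", keytab);
        }

        // Optional capsule domain; omitted means the root domain (Section 3.4).
        String domain = opts.get("GradPolicy");
        if (domain != null) p.setProperty("GradPolicy", domain);

        // Optional audit log; a bare filename resolves to the working directory (Section 3.5).
        String logFile = opts.get("GradLogFile");
        if (logFile != null) p.setProperty("GradLogFile", new File(logFile).getAbsolutePath());

        // Optional policy cache lifetime (Section 3.6).
        String lifetime = opts.get("GradCacheLifetime");
        if (lifetime != null) p.setProperty("GradCacheLifetime", checkCacheLifetime(lifetime));
        return p;
    }

    /** Accepts a non-negative number of seconds or the constant "infinite". */
    static String checkCacheLifetime(String value) {
        if ("infinite".equals(value)) return value;    // cache is never refreshed
        int seconds = Integer.parseInt(value);         // NumberFormatException for anything else
        if (seconds < 0) throw new IllegalArgumentException("cache lifetime must be >= 0");
        return Integer.toString(seconds);              // 0 turns caching off
    }

    /** Picks the Grad*=value arguments out of the command line. */
    static Map<String, String> parseOptions(String[] args) {
        Map<String, String> opts = new HashMap<>();
        for (String a : args) {
            int eq = a.indexOf('=');
            if (a.startsWith("Grad") && eq > 0) {
                opts.put(a.substring(0, eq), a.substring(eq + 1));
            }
        }
        return opts;
    }

    public static void main(String[] args) {
        Properties p = buildSecurityProperties(parseOptions(args));
        // The security runtime reads System properties, so they must be in place
        // before ORB_init; setting them afterwards has no effect.
        System.getProperties().putAll(p);
        ORB orb = ORB.init(args, p);
        System.out.println("ORB initialized with settings: " + p.stringPropertyNames());
        orb.run();   // serve requests until shutdown; servants would be registered first
    }
}
```

Run it as, for example, java SecureLauncher GradPrincipal=fred GradKeytab=c:\NetCCorba\bin\keytable.tab GradPolicy=bank. Whether the runtime also reads the Properties object handed to ORB.init is not stated in this chapter, so the launcher relies on the System properties, which the chapter does document. Of the two authentication methods, the keytab method keeps the password out of the process's command line, where any local user able to list processes could read it; the password method puts it there in clear text.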



To make comments or ask for help, contact support@gradient.com.

Copyright © 1999 Gradient Technologies, Inc.