This appendix describes NetCrusader groups created during configuration. It contains the following sections:
A.1 Overview of Groups Created
A.2 Identity Mapping Group
A.3 Delegation Group
A.4 ACL Control Group
A.5 Servers Group
A.1 Overview of Groups Created
When you configure NetCrusader/Web, it creates three groups necessary for NetCrusader security. A group is a collection of users in the NetCrusader environment that have similar security requirements. Associating users into groups simplifies overall NetCrusader administration. For more information on NetCrusader groups, see the NetCrusader Commander online help.
The following sections briefly describe each of these groups.
A.2 Identity Mapping Group
The Identity Mapping group supports the identity mapping function. NetCrusader/Web must perform identity mapping in applications that use public key certificates (for example, SSL with Client Certificates).
When you add a new user, NetCrusader Commander lets you associate an X.500 name with the NetCrusader identity of this user. The X.500 name is obtained from the client certificate. Commander creates a security registry entry for the user that contains both the NetCrusader identity and the X.500 name.
In some applications, a user authenticates to the Security Adapter with an X.500 name. However, the Security Adapter also needs the user's NetCrusader identity to perform any authorization that may be required, so it obtains that identity by submitting the X.500 name to the NetCrusader security service, which returns the associated NetCrusader identity. This operation is referred to as identity mapping.
Identity mapping is a protected operation. An entity can map a user's identity only if that user's ACL grants impersonate permission to the entity. So, for a Security Adapter to map a user's identity, the user's ACL must grant impersonate permission to that Security Adapter.
A.2.1 Using the Identity Mapping Group to Allow Identity Mapping
When Commander creates a user, it adds an entry to the user's ACL that grants impersonate permission to a specified group or user. Commander lets you select this group or user through the user's Properties dialog. Typically, you select the group wc-filters, which by default contains all of the Security Adapters you have configured in the security domain.
NOTE: By default, the name of the Identity Mapping group is wc-filters. You can change the name of the Identity Mapping group using the NetCrusader property page of the Security Adapter configuration wizard.
For some users, you may not wish to grant impersonate permission to every Security Adapter in the security domain. If so, you must modify the ACLs for the individual users to restrict impersonate permission to the approved Security Adapters. In this case, it's probably simplest to create another group that contains the approved Security Adapters. Use Commander to modify user properties to grant impersonate permission to this group rather than wc-filters.
The Security Adapter configuration program creates the wc-filters group when you first configure a Security Adapter. Whenever you add a Security Adapter to a security domain, the configuration program adds the new Security Adapter to the wc-filters group.
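The impersonate check that gates identity mapping (sections A.2 and A.2.1), as an added example that is not Entegrity's code: a Security Adapter may resolve an X.500 name to a NetCrusader identity only if the user's ACL grants impersonate permission to the adapter directly or to a group it belongs to. The registry layout, the `impersonate` permission name, the sample principals and the restricted group `wc-filters-hr` are constructed assumptions.

```python
# Added example, not Entegrity's code. Models the identity-mapping
# authorization described in A.2: registry layout, permission name and all
# sample principals are constructed assumptions.

# Group -> member principals. wc-filters is the default Identity Mapping
# group; wc-filters-hr is a hypothetical restricted group for some users.
GROUPS = {
    "wc-filters": {"wcsecad/web1", "wcsecad/web2", "wcsecad/web3"},
    "wc-filters-hr": {"wcsecad/web1"},
}

# Security registry: NetCrusader identity -> X.500 name plus the user's ACL.
# Each ACL entry grants a set of permissions to a principal or to a group.
REGISTRY = {
    "alice": {
        "x500": "CN=Alice,OU=Sales,O=Example",
        "acl": [("group:wc-filters", {"impersonate"})],
    },
    "bob": {
        "x500": "CN=Bob,OU=HR,O=Example",
        "acl": [("group:wc-filters-hr", {"impersonate"})],
    },
}


class IdentityMappingDenied(Exception):
    """Raised when the user's ACL does not let this adapter impersonate."""


def acl_grants(acl, principal, permission):
    """True if an ACL entry grants `permission` to `principal` itself or to
    a group that `principal` is a member of."""
    for subject, perms in acl:
        if permission not in perms:
            continue
        if subject == principal:
            return True
        if subject.startswith("group:") and principal in GROUPS.get(subject[6:], ()):
            return True
    return False


def map_identity(adapter, x500_name):
    """Resolve the X.500 name from a client certificate to a NetCrusader
    identity, but only if the user's ACL lets `adapter` impersonate."""
    for identity, rec in REGISTRY.items():
        if rec["x500"] == x500_name:
            if acl_grants(rec["acl"], adapter, "impersonate"):
                return identity
            raise IdentityMappingDenied(f"{adapter} may not impersonate {identity}")
    raise KeyError(f"no registry entry for {x500_name}")
```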
A.3 Delegation Group
The Delegation group supports delegation functionality. Delegation allows entities such as web servers to make requests to other entities on behalf of a user. For example, a user may have access to Entity A, but wish to request a service from Entity B. Delegation allows Entity A to submit the request to Entity B on behalf of the user. In this scenario, Entity A is said to act as a delegate.
The delegation functionality allows a user to restrict which entities may act as its delegates. The list of allowed delegates is encoded in the request. The target of the request rejects any request that has been handled by an unapproved delegate. In a NetCrusader application, the Security Adapter that originally handles the request must appear in the list of approved delegates.
A.3.1 How NetCrusader/Web Uses the Delegation Group
When the Security Adapter receives a user request that requires delegation, it creates a delegatable credential on behalf of the user. The Security Adapter inserts its list of approved delegates into the credential. The web server includes this list in any request it makes on behalf of the user. By default, the Security Adapter uses the wc-delegates group as the list of approved delegates.
NOTE: By default, the name of the Delegation group is wc-delegates. You can change the name of the Delegation group using the NetCrusader property page of the Security Adapter configuration wizard.
By default, the Security Adapter configuration program creates the wc-delegates group when you first configure a Security Adapter. Whenever you add a Security Adapter to a security domain, the configuration program adds the new Security Adapter to the wc-delegates group by default. You can specify a different group name for the Security Adapter if you prefer. The Security Adapter configuration program adds the Security Adapter to the group you specify, and that Security Adapter will use that group when creating delegated login contexts.
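The delegation flow of sections A.3 and A.3.1, as an added example that is not Entegrity's code: the originating Security Adapter freezes the members of the Delegation group into a delegatable credential, each forwarding entity is recorded in the request, and the target rejects the request if any delegate in that chain is not on the approved list. The credential fields, the principal names and the rogue host are constructed assumptions.

```python
# Added example, not Entegrity's code. Models the delegation check in A.3;
# the credential layout and the delegate-chain field are constructed
# assumptions. wc-delegates is the default Delegation group from the text.

GROUPS = {
    "wc-delegates": {"wcsecad/web1", "wcsecad/web2"},
}


def make_delegatable_credential(adapter, user, delegation_group="wc-delegates"):
    """The Security Adapter mints a credential for `user` and encodes the
    current members of the Delegation group as the approved delegates.
    The adapter itself must be in that list (A.3), otherwise every request
    it forwards would be rejected by the target."""
    approved = frozenset(GROUPS[delegation_group])
    if adapter not in approved:
        raise ValueError(f"{adapter} is not in {delegation_group}")
    return {"user": user, "approved_delegates": approved, "delegates": (adapter,)}


def forward(credential, delegate):
    """Entity A passes the request to the next hop; the chain records it."""
    return {**credential, "delegates": credential["delegates"] + (delegate,)}


def target_accepts(credential):
    """Entity B accepts only if every delegate that handled the request
    appears in the approved list carried by the credential."""
    return all(d in credential["approved_delegates"] for d in credential["delegates"])
```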
A.4 ACL Control Group
You need control access to change ACLs. The Security Adapter configuration program creates the wccs-admin group by default when you first configure a Security Adapter, and members of this group have control access by default to the document root ACL on every web server on which the Security Adapter has been installed. (For descriptions of the different access types, see the NetCrusader/Web Overview Guide.)
When a Security Adapter starts for the first time, the ACL database is initialized with wccs-admin having control privileges to the root. After the ACL database is initialized, you can create a new group with these privileges or assign a different group or principal to each server. If you create a different group for each server, the principals in that group can set access controls only on that web server; otherwise, by default, all principals in the wccs-admin group can set access controls on all web servers.
Initially, there are no members of the wccs-admin group. Using Commander, you can:
By not limiting control access to a specific group, NetCrusader gives you the flexibility to assign different groups and users the rights to set access controls on any part of the document tree, on any web server, with any granularity.
A.5 Servers Group
The wc-servers group contains entries for every NetCrusader ACL Manager (one per machine on which the Security Adapter runs). This group provides the means for Commander to find the ACL managers.
A.5.1 Principal Name for the Web Server
Each web server has its own principal name. By default, the principal name for an instance of the web server takes the form wcsecad/hostname, but you can specify a different name. When you configure a web server, the principal name that you specify is automatically added to the wc-filters group in the registry.
If this is the first instance of the Security Adapter to be configured into your security domain, the configuration wizard will first create the wc-filters group and then create the principal and add it to the group.
To make comments or ask for help, contact support@entegrity.com.
Copyright © 2000-2003 Entegrity Solutions Corporation & its subsidiaries