Chapter 2: Securing Component Access
This section describes various security features available to components, including:
Retrieving SSL information
Restricting access to EJBs
Authenticating non-EJB components within a server and for standalone clients
Issuing intercomponent calls using SSL
Clients can connect to a secure IIOP port using an SSL client certificate. You can issue intercomponent calls to the built-in CtsSecurity/SessionInfo component to retrieve the client certificate data, including:
The distinguished SSL user name
The client certificate fingerprint (MD5 message digest)
The client certificate data
The chain of issuing certificates
This component implements the CtsSecurity::SessionInfo IDL interface. HTML documentation for the interface is available in the html/ir subdirectory of your EAServer installation. To view it, load the main EAServer HTML page, then click the “Interface Repository” link.
The CtsSecurity::UserCredentials interface is deprecated
The CtsSecurity::UserCredentials interface, which is implemented by the CtsSecurity/UserCredentials component, has been replaced by the CtsSecurity::SessionInfo interface, which provides additional functionality such as certificate parsing. EAServer supports the CtsSecurity::UserCredentials interface for backward compatibility. Use the CtsSecurity::SessionInfo interface if you are developing new components.
For non-EJB CORBA components, the following mechanisms are used for authentication within a server and for standalone clients:
Embed the user name and password in the URL when creating a component instance. For example:
Module::Interface_var compInstance = Module::Interface::narrow( "iiop[s]://user:password:host:port/EAServerPackage/EAServerComponent");
Use the lookup method on SessionManager::Factory. You cannot embed a user name/password in the URL.
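The first mechanism above places the password inside the component URL, so it ends up wherever that string is written (source, configuration, logs). The following is an added example, not code from EAServer or from this guide: a small C++ audit helper that finds such URLs in text, masks the password for logging, and flags URLs that use iiop rather than iiops. The names auditComponentUrls, UrlFinding and the sample lines are assumptions made for illustration.

```cpp
#include <iostream>
#include <regex>
#include <string>
#include <vector>

// One finding per component URL that carries an embedded user name and password.
struct UrlFinding {
    std::string user;      // user name found in the URL
    std::string redacted;  // same URL with the password masked, safe to log
    bool cleartext;        // true for iiop:// (password sent without SSL)
};

// iiop[s]://user:password<sep>host:port/Package/Component
// <sep> is ':' as printed on the page; '@' is also accepted (assumption).
// Assumes user, password and host contain no ':', '/', '@', '"' or whitespace.
static const std::regex kCredUrl(
    R"re((iiops?)://([^:/\s"@]+):([^:/\s"@]+)([:@])([^:/\s"@]+):(\d+)(/[^\s"]*))re");

std::vector<UrlFinding> auditComponentUrls(const std::string& text) {
    std::vector<UrlFinding> findings;
    for (std::sregex_iterator it(text.begin(), text.end(), kCredUrl), end;
         it != end; ++it) {
        const std::smatch& m = *it;
        UrlFinding f;
        f.user = m[2].str();
        f.cleartext = (m[1].str() == "iiop");
        // Rebuild the URL without group 3 (the password).
        f.redacted = m[1].str() + "://" + m[2].str() + ":****" + m[4].str() +
                     m[5].str() + ":" + m[6].str() + m[7].str();
        findings.push_back(f);
    }
    return findings;
}

// Constructed sample input: source and config lines, not taken from a real system.
static const std::string kConstructedSample =
    "narrow(\"iiop://jdoe:s3cret:apphost:9000/Pkg/Comp\");\n"
    "url=iiops://svc:Pa55@secure.example.com:9001/Pkg/Comp\n"
    "url=iiops://secure.example.com:9001/Pkg/Comp\n";

int main() {
    for (const UrlFinding& f : auditComponentUrls(kConstructedSample)) {
        std::cout << (f.cleartext ? "[no SSL] " : "[SSL]    ")
                  << f.redacted << " (user " << f.user << ")\n";
    }
    return 0;
}
```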
See the SessionManager IDL documentation for more information and these chapters:
C++ components (and PowerBuilder NVOs) can make intercomponent calls across different servers using SSL in much the same way as any other C++ client. However, be aware of these considerations:
The SSLServiceProvider interface is not available to components. Instead, set ORB-level SSL properties to initiate server-to-server intercomponent calls using SSL.
Components use the $JAGUAR/Repository/Security path to locate certificates and key database files if not using Entrust IDs. That is, components making intercomponent calls use EAServer’s certificate and key database, which is managed by EAServer Manager.
For information about developing C++ components and clients, see these chapters in the EAServer Programmer’s Guide:
Your EAServer installation includes a sample C++ component that demonstrates how to call the CtsSecurity/SessionInfo component methods. See the following file in your EAServer installation for more information:
Copyright © 2005. Sybase Inc. All rights reserved.