Security
You can use the methods and options described here to secure the Server API.
Authentication is performed in the process of obtaining the Session object. Once obtained, all methods called on the Session object or on other Server API objects retrieved directly or indirectly through this Session object are executed under the identity of the user that obtained the Session object.
Authorization is performed on each method call. Before executing the requested call, the Server will determine whether the identity associated with the current session is authorized to execute that call.
The following authentication options are available:
- SSL-based authentication (the mechanism available in V6.0)
  This option functions only when api.remote.ssl.client.auth.on=true (you will also need api.on=true, api.remote.on=true and api.remote.ssl.on=true). The user is authorized as per the rights assigned to the SSL certificate user ID in the Server API User Registry.
  Note: When SSL is used and the remote client application uses Server API listener objects, the client application must have its own certificate that is trusted by the IBM Security Directory Integrator Server (this is analogous to the setup for SSL client authentication). If there is no client certificate trusted by the IBM Security Directory Integrator Server, the listener objects will not work and the remote client application will not be able to receive notifications from the IBM Security Directory Integrator Server.
- Username/password based authentication
  This option functions only when api.custom.authentication is set to a JavaScript authentication hook file. This authentication method works regardless of whether SSL is used and whether SSL client authentication is used. The user is authorized as per the rights assigned to the supplied username in the Server API User Registry.
  An example authentication hook JavaScript file is provided to demonstrate what the JavaScript of an authentication hook looks like. This example can also be used as the basis of real-world IBM Security Directory Integrator authentication hooks.
  A JavaScript example that demonstrates how an authentication hook can use an LDAP server (IBM Security Directory Server, Active Directory, etc.) to authenticate client requests is available in the examples/auth_ldap folder of the IBM Security Directory Integrator Server installation. The example file is called ldap_auth.js.
- LDAP authentication
  The IBM Security Directory Integrator Server API provides support for LDAP authentication. This allows customers to use their existing LDAP infrastructure, which already holds their user IDs and passwords. In order to use LDAP authentication, the appropriate properties must be configured in global.properties/solution.properties. These properties are described in the Installing and Administering section of the product documentation.
- Host-based authentication
  This option functions only when api.remote.ssl.on=false. In that case, Server API sessions opened without a username/password from any host listed in the api.remote.nonssl.hosts property are successfully authenticated and granted admin authority. The api.remote.nonssl.hosts property can be specified in the global.properties/solution.properties files.
  Note: It is strongly recommended that you use this authentication only for demo purposes, quick prototyping and in closed, trusted environments.
- JAAS authentication
  The Server API provides support for JAAS authentication. If you already have JAAS authentication modules, this allows you to use them with IBM Security Directory Integrator. In order to use JAAS authentication, the appropriate properties must be configured in global.properties or solution.properties and the JAAS Logon must be installed.
  Note: IBM Security Directory Integrator does not configure any JAAS authentication modules. It relies on you having implemented and properly configured such modules; IBM Security Directory Integrator can then simply use them.