Server-Side Authentication

Configuring Authentication and Client Negotiation

Authentication is disabled by default on the server for backward compatibility. While it is disabled, any credentials a client supplies are accepted without being verified.

To enable authentication on the server, you must set the Nirvana.auth.enabled system property in the Server_Common.conf file to Y.

Enabling authentication does not make it mandatory: authenticating clients can coexist with non-authenticating ones, and supplying user credentials remains optional. A client that supplies no credentials is not authenticated and is subject to authorization under the ACL model only.

To make authentication mandatory, you must set the Nirvana.auth.mandatory system property in the Server_Common.conf file to Y. Then clients that do not supply a username and password are rejected.

The following users are exempt from mandatory authentication:

  • The super-user connecting from localhost, so that you cannot be locked out of the server.
  • A set of users in a .txt file specified in the optional JVM property -DNirvana.auth.exempt=<path_to_file>. You list the users in the exempt file one per line in ACL-style notation, for example, username1@10.140.2.95.

    The exempt file supports wildcard-character entries using the * (asterisk) symbol, such as user@* and *@host. However, *@* is not supported because it will allow any user to bypass authentication.

    Note: * is a valid username, but an exempt-list entry for such a user is read as a wildcard, so there is no way to exempt only that user. IBM therefore recommends against using * as a username.
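The exempt-list rules above (one user@host entry per line, a * wildcard in either position, *@* rejected, a * username always read as a wildcard), worked through as an added example. This is illustrative Python written for this page, not Universal Messaging's own parser; it assumes exact, case-sensitive comparison of the user and host parts and that blank lines are ignored, neither of which the documentation states, and the sample file contents are constructed.

```python
"""Matching rules for a Nirvana.auth.exempt file, as described in the text.

Added example, not Universal Messaging code. Assumptions not stated on the
page: entries are compared as exact, case-sensitive strings; blank lines are
skipped; the host part is whatever the server resolved for the client (an IP
address in the page's own example).
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of an exempt file, one ACL-style entry per line.
EXEMPT_FILE = """\
username1@10.140.2.95
deploy@*
*@10.140.2.7
"""


@dataclass(frozen=True)
class ExemptEntry:
    user: str
    host: str

    @property
    def user_is_wildcard(self) -> bool:
        # A literal username of "*" cannot be expressed here: it is always a wildcard.
        return self.user == "*"

    @property
    def host_is_wildcard(self) -> bool:
        return self.host == "*"

    def matches(self, user: str, host: str) -> bool:
        """True if a client identified as user@host is exempt under this entry."""
        return (self.user_is_wildcard or self.user == user) and (
            self.host_is_wildcard or self.host == host
        )


def parse_exempt_file(text: str) -> list[ExemptEntry]:
    """Parse exempt-file text, rejecting malformed lines and the forbidden *@*."""
    entries: list[ExemptEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        user, sep, host = line.partition("@")
        if not sep or not user or not host:
            raise ValueError(f"line {lineno}: expected user@host, got {line!r}")
        entry = ExemptEntry(user, host)
        if entry.user_is_wildcard and entry.host_is_wildcard:
            # *@* would let every client bypass mandatory authentication.
            raise ValueError(f"line {lineno}: *@* is not allowed")
        entries.append(entry)
    return entries


def is_exempt(user: str, host: str, entries: list[ExemptEntry]) -> bool:
    """True if any entry exempts this client from mandatory authentication."""
    return any(e.matches(user, host) for e in entries)


def lint_exempt_file(text: str) -> list[str]:
    """Warnings a reviewer would want before deploying the file: each wildcard
    widens the set of clients that may connect without authenticating."""
    warnings = []
    for e in parse_exempt_file(text):
        if e.user_is_wildcard:
            warnings.append(f"{e.user}@{e.host}: every username on host {e.host} is exempt")
        if e.host_is_wildcard:
            warnings.append(f"{e.user}@{e.host}: user {e.user} is exempt from any host")
    return warnings


if __name__ == "__main__":
    entries = parse_exempt_file(EXEMPT_FILE)
    for user, host in [("username1", "10.140.2.95"), ("username1", "10.140.2.96"),
                       ("deploy", "192.0.2.1"), ("alice", "10.140.2.7")]:
        print(f"{user}@{host}: exempt={is_exempt(user, host, entries)}")
    for warning in lint_exempt_file(EXEMPT_FILE):
        print("warning:", warning)
    try:
        parse_exempt_file("*@*\n")
    except ValueError as err:
        print("rejected:", err)
```

The lint pass is the part worth running before a deployment: each wildcard entry is a class of clients that can reach the server without authenticating, and the *@10.140.2.7 case shows why the note above matters, since an entry meant for a user literally named * exempts every user on that host.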

When a client authenticates, it sends the supplied credentials to the server over a SASL mechanism, and the server verifies them using the configured authentication modules.

Reverse Hostname Resolution for localhost

You can use the Nirvana.sasl.server.localhostResolve property to control whether the reverse hostname resolution for localhost is enabled on the server instance. Configure this property in the Server_Common.conf file. Valid values are:

  • true (default) - enables reverse hostname resolution.
  • false - disables reverse hostname resolution. Set to false if you experience SASL-related client connection exceptions over the Universal Messaging Socket Protocol (nsp).

Important: If you set this property to false, you must also set the Nirvana.sasl.client.localhostResolve property to false.