IBM FileNet Security P8 Authentication and Single Sign-On

The document discusses authentication options for IBM FileNet P8 4.0 including support for single sign-on. It describes the JAAS and WS-Security frameworks for authentication as well as limitations of JAAS. Specific configurations supported include CA/Netegrity with WebLogic and IBM/TAM with WebSphere.


IBM FILENET SECURITY – P8 4.0 Authentication and Single Sign-On

© 2007 IBM Corporation


Information Management software | Enterprise Content Management

Agenda
• Single Sign-On Support (SSO)
• Authentication for
  – Content Engine
  – Process Engine
  – Application Engine


History of Content Engine Authentication Options
• Prior to 3.5.1: Username / Password only option
• In 3.5.1:
  – Extensible authentication framework
  – Kerberos credentials


Two Standards of Content Engine Authentication Options in 4.0
• JAAS Framework
  – Security interoperability in the J2EE world
• WS-Security Framework
  – Security interoperability through web services interfaces
• P8 4.0 enables a wide range of authentication integrations


Content Engine 4.0 APIs

[Diagram: client APIs and the transports they use to reach the Content Engine]
• Clients: CE 3.x COM API (3.5 client), CE 3.5 Java API (3.5 client), CE Web Service 4.0 client, CE 4.0 .NET API, CE 4.0 Java API
• Transports shown: SOAP into the Web Service Listener Layer, and IIOP/T3 into the EJB Layer; the CE 4.0 Java API can use either
• J2EE App Server – CE Application: Web Container (Web Service Listener Layer), EJB Container (EJB Layer), Resource Adapter, Content Engine Core


EJB Protocol Authentication
• The JAAS standard is a key architecture benefit of J2EE
  – Policy based framework
  – Pluggable framework
  – Stackable framework
  – J2EE Container performs the authentication
  – No IBM FileNet P8 code involved in authentication


Key JAAS Concepts: LoginContext and Configuration


Key JAAS Concepts: LoginModule and Subject
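The four concepts named on these two slides in one round trip, as an added example that is not from the IBM deck: a custom LoginModule, a Configuration supplied in code rather than from a login.conf file, and a LoginContext that yields a Subject. The stanza name P8Demo and the alice/s3cret credentials are constructed for the demo; in a real deployment the application server supplies its own LoginModule and configuration.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Added example (not from the deck): one JAAS round trip through the four concepts on the
// slides. The Configuration is built in code instead of a login.conf file; the "P8Demo"
// stanza and the alice/s3cret credentials are constructed for the demo.
public class JaasDemo {
    // LoginModule: the container drives login()/commit(); no FileNet code is involved.
    public static class DemoLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> o) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] {nc, pc}); }
            catch (Exception e) { throw new LoginException("callback failed: " + e); }
            // Constructed check; a real module verifies against the enterprise directory.
            boolean ok = "alice".equals(nc.getName())
                    && Arrays.equals("s3cret".toCharArray(), pc.getPassword());
            pc.clearPassword();                       // drop the secret from memory early
            if (!ok) throw new FailedLoginException("bad credentials");
            user = nc.getName(); return true;
        }
        // The Subject is populated only in commit(): a stacked module may still veto the login.
        public boolean commit() { if (user != null) subject.getPrincipals().add((Principal) () -> user); return user != null; }
        public boolean abort()  { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }
    // Configuration: the policy mapping a stanza name to its stack of LoginModules.
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"P8Demo".equals(name)) return null;  // unknown stanza: login is impossible
            return new AppConfigurationEntry[] {new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap())};
        }
    };
    // LoginContext: the caller's entry point; on success it yields the authenticated Subject.
    public static Subject login(String user, char[] password) throws LoginException {
        CallbackHandler handler = cbs -> { for (Callback c : cbs) {
            if (c instanceof NameCallback) ((NameCallback) c).setName(user);
            else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password);
            else throw new UnsupportedCallbackException(c); } };
        LoginContext lc = new LoginContext("P8Demo", new Subject(), handler, CONFIG);
        lc.login(); return lc.getSubject();           // login() throws LoginException on failure
    }
}
```

Calling login("alice", "s3cret".toCharArray()) returns a Subject carrying one Principal named alice, while any other password raises FailedLoginException and leaves the Subject empty; this is the Subject the later slides hand to the Content Engine EJBs.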


Limitations of JAAS
• Requires a trust mechanism between client and server.
  – Mechanics of this trust mechanism are non-standard or are proprietary
• No interoperability between J2EE application server vendors
• Support for stand-alone Java client applications is lacking


Browser-based J2EE Clients
• Talk to servlets / JSP pages
  – Managed by the Servlet Container
• Application Managed Authentication
  – Servlet issues JAAS calls to login programmatically
• Container Managed Authentication
  – The J2EE Servlet container performs the authentication, based on configuration options


Container Managed Authentication Options
• HTTP Basic Authentication
• HTTP Digest Authentication
• Forms Based Authentication
• HTTPS Client Authentication
  – This option is chosen for perimeter authentication schemes


Perimeter Authentication
• Real authentication occurs at a “network perimeter”
• Authentication credentials are passed to the J2EE container
• Servlet container intercepts credentials and verifies

[Diagram: Browser-based Client → Authentication Perimeter → J2EE Servlet Container; unauthenticated users sit on the client side of the fence, only authenticated requests reach the container side]


Reverse Proxy Servers
• Intermediary between browser and server
• Single sign-on agent may reside on the reverse proxy, enforcing security
• Reverse proxy forms the perimeter at which authentication occurs
• Examples: Apache, IIS, IBM WebSeal

[Diagram: Browser-based Client → Reverse Proxy Server (Perimeter) → J2EE Servlet Container]


Supported JAAS Configurations
• Content Engine and Process Engine Programmatic Access
  – Any valid JAAS LoginModule supported by the J2EE application server vendor
• Application Engine Access: SSO support in 4.0 limited to a few configurations
  – CA/Netegrity with WebLogic 8.1, Apache is the reverse proxy server
  – IBM/TAM with WebSphere 6.0, WebSeal is the reverse proxy server


Sample CA/Netegrity Config

[Diagram; components and the numbered steps are recovered from the slide]
Components: Client; Proxy Server running the Netegrity SiteMinder Web Agent; SiteMinder Policy Server; Enterprise Directory; AE/Web Server (Web Container with JSP/servlet, JAAS, SiteMinder ASA Identity Asserter and Authn Providers); Content Engine Server (EJB Container with CE EJB(s) and Content Engine Core).

Steps:
(1) Request Proxy Server
(2) Prompt for credentials
(3) Credentials
(4) Validate credentials
(5) Validate user exists
(6) SMSession token
(7) Session cookie
(8) Request with session
(9) Request with session
(10) Login
(11) Authenticate
(12) Validate session
(13) Credentials
(14) Subject
(15) Subject
(16) EJB call
(17) Group membership
(18) EJB return
(19) Response
(20) Response


Sample IBM/Tivoli Access Manager Configuration

[Diagram; components and the numbered steps are recovered from the slide]
Components: Client; WebSeal Proxy Server; Active Directory (KDC); Tivoli Access Manager Policy Server; Customer Web Container (JSP App); Customer EJB Container (Customer EJB); Content Engine (Web Container with CE WS Listener, EJB Container with CE EJB(s)).

Steps:
(1) Logon to Windows Domain
(2) Request for JSP page
(3) Reply: Denied – Use SPNEGO
(4) Obtain Kerberos Ticket For Server1
(5) Request for JSP page, with SPNEGO credentials
(6) Validate Ticket
(6a) Validate Ticket
(7) Return TAM Credential
(8) Request for JSP page (forwarded w/TAM cookie)
(9) Perform JAAS Logon Against TAM
(10) Call to custom EJB
(11) Call to CE EJB


Web Service Protocol Authentication
• Available to all Content Engine 4.0 APIs
• Also available to the Process Engine Web Service API
• Relevant Standard is WS-Security
  – Security Token Propagation
  – Message Integrity
  – Message Confidentiality


WS-Security Profiles
• Supported Out-Of-The-Box in P8 4.0
  – Username Profile
  – Kerberos Profile
• Support for other WS-Security profiles is available through custom development


Kerberos Support for Web Service Clients
• Only for pure Content Engine web service clients, or clients of Content Engine 4.0 .NET API
• Only for clients using Windows Integrated Logon in an Active Directory environment
• Used in IBM FileNet Enterprise Manager to support integrated logon


Kerberos Network Diagram

[Diagram; components and the numbered steps are recovered from the slide]
Components: Client; Directory Service / Kerberos KDC; Content Engine Server1 (Web Container with CE WS Listener and Kerberos JAAS LoginModule, EJB Container with Content Engine EJB(s), Content Engine Core).

Steps:
(1) Logon to Windows Domain
(2) Return Ticket Granting Ticket (TGT)
(3) Request Service Ticket For Server1
(4) Return Service Ticket For Server1
(5) Send Content Engine Web Service Request
(6) Perform JAAS Logon w/Kerberos LoginModule
(7) Return JAAS Subject
(8) Call EJB w/ JAAS Subject


4.0.0 Extensible Authentication Framework Clients
• EJB transport
  – JAAS is the framework
  – App server specific JAAS logon modules for client and server
• Web Service transport
  – Create WS-Security compliant credentials on client side
  – Implement IBM FileNet Web Service Authentication SPI provider on server side


Username / Password Case
• All existing API clients continue to work unchanged
• CE 4.0 .NET API clients
  – Supported via Microsoft UsernameToken class
• CE 4.0 Java API clients
  – Perform a JAAS Logon using an app server specific UsernamePassword Logon module
  – Or pass username & password into UserContext.createSubject()
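The createSubject() option for a CE 4.0 Java API client, as an added example that is not IBM's own sample code. It assumes the CE 4.0 Java API classes Factory, Connection, UserContext and Domain; the endpoint URI, the JAAS stanza name FileNetP8 and the credentials are placeholders, and the stanza must exist in the application server's JAAS configuration because that configuration, not FileNet code, performs the authentication.

```java
import javax.security.auth.Subject;
import com.filenet.api.core.Connection;
import com.filenet.api.core.Domain;
import com.filenet.api.core.Factory;
import com.filenet.api.util.UserContext;

// Added example (not from the deck): the "pass username & password into
// UserContext.createSubject()" option of the CE 4.0 Java API. The URI and the
// JAAS stanza name are placeholders; the stanza must exist in the application
// server's JAAS configuration, which is what actually checks the password.
public class CeUsernameLogin {
    public static String fetchDomainName(String uri, String user, String password, String stanza) {
        Connection conn = Factory.Connection.getConnection(uri);
        // The API forwards the credentials to the named JAAS stanza and returns the Subject.
        Subject subject = UserContext.createSubject(conn, user, password, stanza);
        UserContext uc = UserContext.get();
        uc.pushSubject(subject);   // the Subject is bound to the current thread only
        try {
            // null = the default domain; this call runs under the pushed Subject
            Domain domain = Factory.Domain.fetchInstance(conn, null, null);
            return domain.get_Name();
        } finally {
            uc.popSubject();       // always restore the thread's previous identity
        }
    }
    public static void main(String[] args) {
        // placeholder endpoint, stanza and credentials; replace with real server values
        System.out.println(fetchDomainName("http://ce-host:9080/wsi/FNCEWS40DIME/",
                "alice", "s3cret", "FileNetP8"));
    }
}
```

Because the pushed Subject is attached to the calling thread, a servlet that serves many users must pair every pushSubject() with popSubject() in a finally block, otherwise a later request handled by the same pooled thread would run under the earlier user's identity.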


Upgrading 3.5.1 Extensible Authentication Framework Clients
• New server side components required
  – For EJB case, commodity JAAS Authentication Providers may be available
    • Requires client side changes as well
  – For web service case, new code must be written to new SPI
    • Can be implemented without changing client


Process Engine Authentication
• PE Java API will provide same SSO options as CE
• Caller of PE API performs a JAAS logon
• Caller is authenticated on Content Engine
• Caller receives a “P8 Identity Token” which establishes identity to the PE server


Process Engine Client Diagram


Directory Service Integration
• Used for authorization and user/group enumeration in Content and Process
• Supported Directory Services
  – Microsoft Active Directory
    • Limited support for multi-forest configurations
  – Sun ONE Directory Server 5.1 SP2
  – Sun Java System Directory Server 5.2
  – Novell eDirectory
  – IBM Tivoli Directory Server


Application Engine Authentication
• SSO support in 4.0 limited to a few configurations
  – CA/Netegrity with WebLogic 8.1 (Apache as reverse proxy server)
  – IBM/TAM with WebSphere 6.0 (WebSeal is reverse proxy server)


Application Engine Authentication
• SSO support not available for certain apps
  – Application Integration clients
  – WebDAV clients
  – BPM Process Orchestration

[Diagram: the WorkPlace Client reaches the Application Engine through the Reverse Proxy Server & SSO Agent; the WebDAV Client, Application Integration Client and BPM Process Orchestration Client, the clients for which SSO is not available, also connect to the Application Engine]


Knowledge Checkpoint


You are now ready to take IBM FileNet Security: P8 Authentication and Single Sign On Exam, #201916T

All IBM ECM course materials, whether delivered as printed or electronic files, are protected by copyright. No part of this publication
may be reproduced in any form by any means without prior written authorization of IBM. This publication is provided for educational
purposes only. Any product specifications are subject to change without notice. ©Copyright 2007 IBM. All Rights Reserved.
