Chapter 2 Securing Component Access
Jaguar Manager allows you to set the quality of protection (QOP) for EAServer packages, components, and methods. QOP establishes a minimum level of encryption and authentication that a client must meet before it can access your business logic. For example, if you do not set a QOP at the package level, all clients can access the package. You can then set a QOP that restricts access to components within that package, and a different QOP that further restricts access to methods within those components.
This chapter discusses setting server-side QOP. For information about configuring client-side QOP, see:
The component's QOP setting is ignored if the user is the system user; that is, if the user is jagadmin, or if the component is called by a service or by another component that runs with the system identity.
The client's QOP, EAServer listener's security profile, and the package, component, and method QOP work together to establish end-to-end security. To accommodate naming services and reduce connection time, a special CORBA component tag is set in the interoperable object reference (IOR). The naming service sends only profiles with QOPs that match a client's QOP so that the client tries to access only listeners and packages, components, and methods for which the client has a compatible QOP.
Figure 2-1 illustrates two clients trying to access component A. A QOP of sybpks_strong is set for the component. To access the component, the client must use a QOP that meets the minimum requirements of the component's QOP, and communicate with a listener that also meets the minimum requirements of the component's QOP.
Figure 2-1: QOP usage
In Figure 2-1:
Figure 2-2: QOP-compatible listener
Assuming that a compatible listener is configured on the server, Figure 2-3 illustrates a situation in which the client:
Setting a weaker QOP at the method than the component serves no purpose since the client will already be blocked at the component.
Figure 2-3: Using QOP to limit access to methods
In addition to setting a QOP that establishes minimum encryption requirements, Jaguar provides another QOP, syb_osauth, for operating system authentication. You can set two QOP settings at the package, component, or method level, as long as one of them is syb_osauth:
For syb_osauth to work properly, you must enable operating-system-based authentication server-wide (not at the listener level). If you do not, you cannot load packages, components, or methods that have the syb_osauth QOP set. See "Configuring OS authentication" for information about enabling authentication for your operating system.
In Figure 2-4:
Configuring QOP from Jaguar Manager
Highlight the package, component, or method for which you want to establish a QOP.
com.sybase.package.qop property for a package.
com.sybase.component.qop property for a component.
com.sybase.method.qop property for a method.
After configuring QOP, you must either refresh or restart the server for your changes to take effect.
Table 2-1 provides a hierarchy of QOP settings. For a given client to access your business logic:
Order | QOP hierarchy from weaker to stronger
---|---
1 | syb_osauth
2 | sybpks_domestic_anon
3 | sybpks_simple
4 | sybpks_simple_mutual_auth
5 | sybpks_intl
6 | sybpks_intl_mutual_auth
7 | sybpks_domestic
8 | sybpks_domestic_mutual_auth
9 | sybpks_strong
10 | sybpks_strong_mutual_auth

Comments: Some QOP profiles overlap. For example, sybpks_domestic supports both 128-bit encryption and 40-bit encryption. If you use sybpks_domestic as a package QOP, a client QOP of sybpks_intl meets the minimum requirement of 40-bit encryption. sybpks_strong supports only 128-bit encryption and is compatible with only one of the domestic or strong profiles.

For a list of CipherSuites supported by each QOP profile, see Table 11-2.
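To make the rules in this chapter concrete, here is an added Python model of the QOP check; it is example code written for this page, not EAServer's own implementation. It orders the sybpks_* profiles as in Table 2-1, treats syb_osauth as a separate operating-system-authentication requirement that can sit beside an encryption QOP, checks both the client's QOP and the listener's profile against the package, component, and method settings in turn, lets the system identity (jagadmin) through as the chapter states, and honours the one overlap the chapter names (sybpks_intl meeting a sybpks_domestic requirement). The `Level` and `Client` types, the `satisfies`, `check_access`, and `lint_hierarchy` functions, the constructed scenarios, and the choice to apply the system-identity bypass to the whole chain are this example's assumptions; real cipher-suite compatibility must be checked against Table 11-2. `lint_hierarchy` also flags the configuration noted earlier that serves no purpose: a method QOP weaker than its component's.

```python
"""Model of EAServer QOP evaluation (added example, not Sybase code)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Encryption profiles in Table 2-1 order, weakest first. syb_osauth is an
# OS-authentication requirement rather than an encryption level, so it is
# modelled as a separate flag on each level instead of a rank.
QOP_ORDER = [
    "sybpks_domestic_anon",
    "sybpks_simple",
    "sybpks_simple_mutual_auth",
    "sybpks_intl",
    "sybpks_intl_mutual_auth",
    "sybpks_domestic",
    "sybpks_domestic_mutual_auth",
    "sybpks_strong",
    "sybpks_strong_mutual_auth",
]
RANK = {name: i for i, name in enumerate(QOP_ORDER)}

# Overlap the chapter states explicitly: a client offering sybpks_intl meets
# sybpks_domestic's 40-bit minimum. Only this case is modelled (assumption:
# any other pairing must be checked against the cipher suites in Table 11-2).
OVERLAPS = {"sybpks_domestic": {"sybpks_intl"}}


def satisfies(offered: Optional[str], required: Optional[str]) -> bool:
    """True if an offered encryption QOP meets a required minimum.
    No requirement at a level means every client passes that level."""
    if required is None:
        return True
    if offered is None:
        return False
    if RANK[offered] >= RANK[required]:
        return True
    return offered in OVERLAPS.get(required, set())


@dataclass
class Level:
    """QOP settings on one package, component or method (hypothetical type).
    enc is a sybpks_* profile or None; osauth mirrors a syb_osauth setting."""
    name: str
    enc: Optional[str] = None
    osauth: bool = False


@dataclass
class Client:
    """What a connecting client presents (hypothetical type)."""
    user: str
    qop: Optional[str]               # negotiated sybpks_* profile, or None
    os_authenticated: bool = False   # passed server-wide OS authentication


def check_access(client: Client, listener_qop: Optional[str],
                 chain: Sequence[Level],
                 system_users: Sequence[str] = ("jagadmin",)) -> Tuple[bool, str]:
    """Walk package -> component -> method and report the first level that
    blocks the client. Both the client's QOP and the listener's security
    profile must meet each level's minimum."""
    # The chapter: QOP is ignored for the system identity (jagadmin or a
    # caller running as system). Applying that to the whole chain is an
    # assumption of this model.
    if client.user in system_users:
        return True, "system identity: QOP ignored"
    for lvl in chain:
        if lvl.osauth and not client.os_authenticated:
            return False, f"{lvl.name}: syb_osauth requires OS authentication"
        if not satisfies(client.qop, lvl.enc):
            return False, f"{lvl.name}: client QOP {client.qop} is below {lvl.enc}"
        if not satisfies(listener_qop, lvl.enc):
            return False, f"{lvl.name}: listener QOP {listener_qop} is below {lvl.enc}"
    return True, "allowed"


def lint_hierarchy(chain: Sequence[Level]) -> List[str]:
    """Flag an inner level whose encryption QOP is weaker than an enclosing
    level's: the chapter notes such a setting serves no purpose because the
    client is already blocked at the stronger outer level."""
    warnings: List[str] = []
    strongest: Optional[Level] = None
    for lvl in chain:
        if lvl.enc is None:
            continue
        if strongest is not None and RANK[lvl.enc] < RANK[strongest.enc]:
            warnings.append(f"{lvl.name} QOP {lvl.enc} is weaker than "
                            f"{strongest.name} QOP {strongest.enc}: no effect")
        else:
            strongest = lvl
    return warnings


if __name__ == "__main__":
    # Constructed scenario after Figure 2-1: component A requires sybpks_strong.
    chain = [Level("package"), Level("component A", enc="sybpks_strong")]
    for c in (Client("client1", "sybpks_strong"), Client("client2", "sybpks_simple")):
        print(c.user, check_access(c, "sybpks_strong", chain))
    print(lint_hierarchy(chain + [Level("method m1", enc="sybpks_simple")]))
```

Run as a script, the Figure 2-1 scenario shows client1 allowed and client2 refused at component A, and the lint reports that the sybpks_simple method QOP under a sybpks_strong component has no effect. The model deliberately refuses when the listener is weaker than the component's minimum even though the client is strong enough, which is the listener condition the chapter describes.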
Copyright © 2002 Sybase, Inc. All rights reserved.