
Trusted Sites

Use this authentication variant if you are using a single sign-on protocol (for example, Central Authentication Service [CAS]) for user authentication on the client site.

When using the trusted sites feature, Rochade Server does not receive logon passwords and, therefore, only accepts clients that fulfil these requirements:

  • The clients must run on a computer that is registered as a trusted client in the server initialization file. For more information, see <trusted_sites> Section.
  • Java API-based clients must use the method getUserTrusted() for logging on to the server.
  • RPL clients must use the $LOGON command for logging on to the server and must contain the corresponding settings in the client initialization file.

The server follows this process to validate the identity of the client site:

1. When a client logs on to the server, the server trusts that the user has already been authenticated at the client site. The server validates the client's IP address against the settings in the <trusted_sites> section.
2. If a valid setting exists in the <trusted_sites> section, the server generates random text and sends it to the client.
3. The client signs the text with a private RSA key, and sends it back to the server.
4. The server uses a public RSA key to validate the signature corresponding to the random text.
5. If the signature is correct, the server allows the client to log on.

Java API provides the class de.rochade.security.GenKeyPair that you can use to create an RSA key pair (one public key and one private key). The generated keys are written to files that the server and the Java API-based clients can read.

Make sure that the keys, especially the private key, are kept secret so that only trusted clients can access the server. Protect the public key files on the server side against modification as well: anyone who can replace a key referenced from the <trusted_sites> section can log on as that trusted client.

To create an RSA key pair

1. Open the Windows command prompt by selecting Start > All Programs > Accessories > Command Prompt.
2. Enter this command:

java -cp <rochade>\bin\rochade.jar de.rochade.security.GenKeyPair -private <privdir>\<privkey> -public <pubdir>\<pubkey>

where:

<privdir> is the target directory for the private key (for example, the directory of the application server).

<privkey> is the name of the file that contains the private key.

<pubdir> is the target directory for the public key (for example, the target directory of your server installation).

<pubkey> is the name of the file that contains the public key.

To activate authentication via Trusted Sites

1. Create an RSA key pair for each client that you want to enable to access the server via Trusted Sites. For more information, see To create an RSA key pair.
2. Copy the public key files into a directory to which the Rochade Server has access rights.
3. Activate trusted sites on the Rochade Server side.
a. Open the server initialization file in the editor.
b. Add this setting in the server start section:

TRUSTED_SITES=<trusted_sites>

where <trusted_sites> is the name of the section that contains the settings for the trusted clients and their corresponding public keys.

For example:

[SERV]

; Server start section

TRUSTED_SITES=T_SITES

c. Add the <trusted_sites> section, containing all public key settings in this format, to the server initialization file:

<client_address>=@<public_keyfile>

where:

<client_address> is an IP address (IPv4 or IPv6) or the host name of a client computer, or the asterisk character (*). Using the asterisk, you specify a default RSA key that is used for all clients that are not listed explicitly.

<public_keyfile> is the name of the file that contains the public RSA key. For example:

[T_SITES]

; section with public keys for trusted hosts

10.10.20.7=@c:\rochade\appl\cli1.data

host.company.com=@c:\rochade\appl\.publickey

For information on how to specify the clients and keys under different operating systems, see <trusted_sites> Section.

d. Close the editor, and save your changes.

The setting takes effect after the next server startup.

4. Copy the private key file into a directory to which the Rochade Client has access rights.
5. Activate trusted sites on the client side:

For a Java API-based client:

Use the login method getUserTrusted() to log on to Rochade Server. Provide an implementation of the interface SignatureData, which signs the random text with the private key and sends it back to the server.

Or

For an RPL client:

a. Add this setting to the start section of the client initialization file:

TRUSTED=<t_settings>

where <t_settings> is the name of the section that contains the settings for trusted sites.

b. Add this setting to the <t_settings> section:

KEYFILE=<priv_keyfile>

where <priv_keyfile> is the name and path of the private key file.

For example:

[CLIENT]

...

TRUSTED=T_SECTION

...

[T_SECTION]

KEYFILE=../appl/privateRSAKey.data

c. Close the editor, and save your changes.
6. Use the command $logon * to log on at the Rochade Server.
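The following program models the complete trusted logon described above, from the server-side view: it reads a constructed [T_SITES]-style section, picks the public key for the connecting client address (falling back to the asterisk default entry when one exists), issues the random challenge, lets the client sign it with its private key, and verifies the signature before granting the logon. It is an added illustration of the mechanism and not Rochade code: the signature scheme (RSA PKCS#1 v1.5 over a SHA-256 digest), the in-memory key lookup standing in for the key files written by GenKeyPair, and all function names are assumptions made here.

```go
package main

import (
	"bufio"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// trustedSites maps a client address (or the "*" default) to its public key.
type trustedSites map[string]*rsa.PublicKey

// parseTrustedSection reads entries of the form <client_address>=@<public_keyfile>
// from a constructed INI-style section. Instead of opening the key file, it
// resolves the file name through keyFiles, a stand-in for the files on disk.
func parseTrustedSection(section string, keyFiles map[string]*rsa.PublicKey) (trustedSites, error) {
	sites := trustedSites{}
	sc := bufio.NewScanner(strings.NewReader(section))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, ";") || strings.HasPrefix(line, "[") {
			continue // blank lines, comments and the [section] header carry no entries
		}
		addr, val, ok := strings.Cut(line, "=")
		if !ok || !strings.HasPrefix(val, "@") {
			return nil, fmt.Errorf("malformed trusted sites entry: %q", line)
		}
		file := strings.TrimPrefix(val, "@")
		pub, found := keyFiles[file]
		if !found {
			return nil, fmt.Errorf("public key file %q not available", file)
		}
		sites[strings.TrimSpace(addr)] = pub
	}
	return sites, sc.Err()
}

// keyFor returns the key registered for addr, or the "*" default key if one exists.
func (t trustedSites) keyFor(addr string) (*rsa.PublicKey, bool) {
	if k, ok := t[addr]; ok {
		return k, true
	}
	k, ok := t["*"]
	return k, ok
}

// newChallenge is the server's random text (step 2): 32 bytes from a CSPRNG.
func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// clientSign plays the SignatureData role (step 3). The scheme, RSA PKCS#1 v1.5
// over a SHA-256 digest, is an assumption of this example.
func clientSign(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// serverVerify performs steps 1, 4 and 5: the address must be registered (or
// covered by "*") and the signature must verify against the issued challenge.
func serverVerify(sites trustedSites, addr string, challenge, sig []byte) error {
	pub, ok := sites.keyFor(addr)
	if !ok {
		return errors.New("client address not listed in the trusted sites section")
	}
	h := sha256.Sum256(challenge)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return errors.New("signature does not match the challenge: logon refused")
	}
	return nil
}

// runLogon drives one complete trusted logon for a client at addr holding priv.
func runLogon(sites trustedSites, addr string, priv *rsa.PrivateKey) error {
	challenge, err := newChallenge()
	if err != nil {
		return err
	}
	sig, err := clientSign(priv, challenge)
	if err != nil {
		return err
	}
	return serverVerify(sites, addr, challenge, sig)
}

func main() {
	cli1, _ := rsa.GenerateKey(rand.Reader, 2048)  // the pair GenKeyPair would have written for cli1
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // a key the server has never registered
	keyFiles := map[string]*rsa.PublicKey{`c:\rochade\appl\cli1.data`: &cli1.PublicKey}
	section := "[T_SITES]\n; constructed example section\n10.10.20.7=@c:\\rochade\\appl\\cli1.data\n"
	sites, err := parseTrustedSection(section, keyFiles)
	if err != nil {
		panic(err)
	}
	fmt.Println("registered client, right key:", runLogon(sites, "10.10.20.7", cli1))
	fmt.Println("registered client, wrong key:", runLogon(sites, "10.10.20.7", other))
	fmt.Println("unregistered client:", runLogon(sites, "10.10.99.1", cli1))
}
```

The two failure paths are the ones a server operator should expect to see: a client whose address is not in the section (and no asterisk default exists) never receives a usable logon, and a client at a registered address that holds a different private key fails at signature verification. Because the challenge is fresh random text for every logon, a captured signature from an earlier session cannot be replayed.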