RSA Security SILVERSTREAM 3.75 User Manual

RSA ClearTrust Ready Implementation Guide
For Application Servers
Last Modified 2/19/02
1. Partner Information
Partner Name: SilverStream
Web Site: www.silverstream.com
Product Name: eXtend Application Server
Version & Platform: 3.75
Product Description: SilverStream eXtend Application Server provides the most complete foundation for building and deploying cross-platform, high performance, standards-based applications. eXtend Workbench, jBroker Web, jBroker MQ, and jBroker ORB are included with the application server to provide you with the tools and infrastructure you need to build enterprise applications. SilverStream's commitment to J2EE and Web Services starts with our involvement in the development of standards and results in your flexible, portable, future-proof applications.
Product Category: Application Server
2. Contact Information
Sales Contact: Email noramsales@silverstream.com; Phone 888.823.9700; Web www.silverstream.com
Support Contact: Email support@silverstream.com; Phone 888.823.9700; Web www.silverstream.com
3. Product Requirements
Component Description
Operating system: One of the following:
§ Windows NT Workstation or Windows NT Server 4.0 or higher with Service Pack 3 or higher. Service Pack 6a or later is recommended for Y2K compliance. You must have Service Pack 5 or later to run the server on a machine not connected to a network.
§ Windows 2000 with Service Pack 1 or higher
§ Solaris 2.6, 7, or 8
§ HP-UX 11.0
§ IBM AIX 4.3.3.10
§ Red Hat Linux 6.2 or 7.1
Minimum RAM (memory): 128 MB for the server only; 256 MB for the server and the Designer on the same machine
Minimum disk space: 130 MB
Display mode: 256 colors or higher for machines also running the SilverStream Designer

Integration Modules

File Name: WSI Module (agisapi.dll)
Destination: User definable
4. Product Configuration
The goal of this Implementation Guide is to explain how ClearTrust and SilverStream eXtend Application Server 3.75 can be integrated. It explains how to use ClearTrust as a single sign-on product and to secure pages and other objects on a SilverStream Application Server. It is assumed that the reader has both products up and running and has a working knowledge of them. This document is not intended to suggest optimum installations or configurations.
Integration Overview
The SilverStream Web Server Integration (WSI) module and ClearTrust can be used together on a Web server (IIS or iPlanet). When integrated, ClearTrust will provide authentication and authorization services at the Web server, and the WSI module will provide the access to the SilverStream Application Server.
Because authentication and authorization take place at the Web server with the ClearTrust service, the SilverStream application does not need to know about and check the authorization of every user. Instead, it only needs to authenticate and authorize a single user (the user that the WSI module is configured to use). The WSI module intercepts the authentication headers that will be forwarded to the SilverStream Application Server, and replaces the ClearTrust credentials with credentials of a single known SilverStream user.
The WSI then returns the response. You specify which URLs the WSI module will forward using a configuration file that the WSI reads when the Web server starts. To improve response time, the WSI module will reuse socket connections between itself and the SilverStream server. The WSI maintains a connection pool to the SilverStream server that reuses these connections as needed. With the WSI module, there is no direct communication between the browser and the SilverStream server: all calls pass through the WSI module.
Resource Authorization Process:
1. The user sends in a URL request to access a secure application.
2. The ClearTrust Web Server Plug-in configured on this Web Server checks with the Authorization Server to see if this resource is protected.
3. The ClearTrust Web Server Plug-in then prompts the user to enter his credentials.
4. The ClearTrust Web Server Plug-in sends this to the Authorization Server to authenticate and authorize this user.
5. If this is a user authorized to access SilverStream resources, the request is then processed by the SilverStream WSI module.
6. The SilverStream WSI module forwards the request to the application server host specified in the AgWSI.conf file. It also checks the request for an authentication header and then substitutes the credentials set as defaults in the AgWSI.conf file.
7. The SilverStream server then returns the requested URL to ClearTrust and the user is redirected to the appropriate page.
This integration supports the use of either Microsoft’s IIS web server or Sun’s iPlanet web server (formerly Netscape’s). Microsoft’s Web server (IIS 4.0) was used for testing and certification purposes.
A. Configure the WSI module:
There are numerous references within this document to the ‘WSI’ or ‘WSI module’. This item consists of the 3 files below. For a detailed explanation of each file, please reference the SilverStream documentation.
a. agisapif.dll
b. AgWSIUser.exe
The agWSIuser utility will add the appropriate WSI.auth.user setting with the username and password encrypted into the agWSI.conf file. At startup, the WSI module will decrypt the user name and password and generate an HTTP authentication header that it will add to every request it forwards to SilverStream server.
Note: You can either use the default SilverStream Administrator username/password or create a new SilverStream user, which is the recommended method.
Example: AgWSIUser <Silverstream user> [<password>]
c. AgWSI.conf
You will need to open this file and edit it to match your configuration.
Example:
    # ------------------------------------------
    # SilverStream WSI Configuration
    # ------------------------------------------
    #
    SilverServer.host=ps061.securitydynamics.com
    SilverServer.http.port=80
    SilverServer.https.port=443
    WSI.root.dir=/WSI
    SilverServer.urls=/SilverBooksCS
    #
    # Optional: Additional URLS
    #
    #
    # Optional Settings:
    #
    WSI.debug=1
    WSI.error.url=D:/myerror.html
    WSI.auth.NTLM.remove=false
    WSI.auth.echo=true
    Connection.http.max=100
    Connection.https.max=100
    Connection.idle.time=60
    WSI.auth.user=85BD2A821B28ACBBD3E5928D97093D29645AFA4C
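The credential substitution described in step 6 and in the AgWSIUser note, modelled as an added example (this is not SilverStream or RSA code). It assumes prefix matching on SilverServer.urls and HTTP Basic for the generated header; the host name, the wsi_svc account and its password are constructed placeholders.

```python
import base64

# Constructed sample in the AgWSI.conf key=value format shown above.
SAMPLE_CONF = """\
# SilverStream WSI Configuration
SilverServer.host=appserver.example.internal
SilverServer.http.port=80
SilverServer.urls=/SilverBooksCS
"""

def parse_conf(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def forward(conf, path, headers, user, password):
    """Return (target_url, headers) for a forwarded request, or None.

    Assumptions: SilverServer.urls is matched as a path prefix, and the
    generated header is HTTP Basic. user/password stand in for the values
    the WSI decrypts from WSI.auth.user at startup.
    """
    prefix = conf.get("SilverServer.urls", "").rstrip("/")
    if not prefix or not (path == prefix or path.startswith(prefix + "/")):
        return None
    # Drop whatever credentials arrived with the request ...
    out = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    # ... and substitute the single known application-server user.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    out["Authorization"] = "Basic " + token
    target = f"http://{conf['SilverServer.host']}:{conf['SilverServer.http.port']}{path}"
    return target, out

def demo():
    """Forward one request with credentials, one without, one off-list."""
    conf = parse_conf(SAMPLE_CONF)
    creds = ("wsi_svc", "example-only")  # hypothetical service account
    alice = forward(conf, "/SilverBooksCS/cart", {"Authorization": "Basic YWxpY2U6cHc="}, *creds)
    anon = forward(conf, "/SilverBooksCS/cart", {}, *creds)
    other = forward(conf, "/OtherApp/page", {}, *creds)
    return alice, anon, other
```

The first two results carry the same Authorization header, so the application server cannot tell a ClearTrust-authenticated user from any other request that reaches the forwarder; the privileges of the configured SilverStream user bound what every forwarded request can do.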