Content Platform Engine retrieves
security data from directory servers for the purpose of authenticating
security principals and authorizing users and groups. Both authentication
and authorization rely on a directory service repository.
- Introduction
Content Platform Engine does
not implement its own authentication module. Instead, it uses the
Java™ 2 Enterprise Edition (Java EE) application server's authentication
mechanism. Before clients can log in to a Content Platform Engine server, the application
server's authentication providers must be configured to point to specified
directory servers.
Content Platform Engine security
objects, such as realms, groups and users, are stored in directory
servers. Content Platform Engine retrieves
those objects through a Directory Service Provider layer. There are
different provider implementations for different types of directory
servers.
A directory server is divided into partitions, each
of which is called a naming context (or namespace). There are different
types of naming contexts, such as the configuration naming context
which holds configuration information, and data naming contexts, which
contain all directory data. Each data naming context is defined as
a Content Platform Engine realm. Each
realm contains groups and users.
FileNet® P8 has been designed, extensively tested, and optimized for directory servers with very large
numbers of users. Optimization has focused in particular on how FileNet P8 queries for accounts:
the pattern matching used (starts with, exact match) and whether the
search is performed on the short name or on the display name.
- Terminology and basic concepts
- Distinguished Name
- A name that uniquely defines a directory entry within an LDAP
server. The DN contains one component for each level of the directory
hierarchy from the root down to the level where the entry resides.
A typical distinguished name might be: CN=StephenHawking,CN=Users,DC=Filenet,DC=Com.
This distinguished name identifies the Stephen Hawking user object
in the Filenet.com domain.
- User Principal Name
- A user principal name (UPN) is a friendly name that is short and
easy to remember. The user principal name consists of a shorthand
name that represents the user and typically the DNS name of the domain
where the user object resides, or any other designated name.
- The user principal name format consists of the user name, the at sign
(@), and a user principal name suffix. For example, the user James
Smith, who has a user account in the reskit.com domain, might have
the user principal name JSmith@reskit.com. The user principal name
is independent of the distinguished name of the user object, so a
user object can be moved or renamed without affecting the user principal
name.
- Among the types of directory servers that Content Platform Engine supports, only Active
Directory has a UPN attribute. The attribute name is userPrincipalName.
- Short Name
- Short name is a property in both Content Platform Engine User and Group classes:
- User.ShortName
- Group.ShortName
User short names and group short names must be unique across
all configured directory servers.
User short name is also persisted
to a Content Platform Engine object
store as a property such as Document.Creator. User.ShortName and Group.ShortName
are configurable through the Configuration Manager, the Content Platform Engine API, and Administration Console for Content Platform Engine.
Values for user
and group short names have the following restrictions:
- The short name cannot be a null value.
- The short name cannot contain any of the following special characters:
= \.
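The three identifier formats defined above (the distinguished name, the user principal name, and the Content Platform Engine short name) are easier to reason about with a small parser in hand. The following Python is an added example, not IBM's code and not part of the product API: it splits a DN into its components, shows that moving an entry changes its DN while its UPN is unaffected, splits a UPN into name and suffix, and checks a proposed short name against the restrictions listed above. It assumes the forbidden short-name characters are the equals sign and the backslash, and it handles only backslash escapes in DN values (not hex escapes or multi-valued RDNs).

```python
# Added example, not IBM's code: helpers for the three identifier formats
# the terminology section defines (DN, UPN, short name).
from typing import List, Tuple

Rdn = Tuple[str, str]


def parse_dn(dn: str) -> List[Rdn]:
    """Split a distinguished name into (attribute, value) pairs, leaf first.

    Backslash escapes are honoured, so an escaped comma stays inside its
    value. Hex escapes and '+'-joined multi-valued RDNs are not handled.
    """
    if not dn.strip():
        raise ValueError("empty DN")
    components, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # unescaped comma separates components
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling escape character")
    components.append("".join(buf))
    rdns = []
    for comp in components:
        attr, sep, value = comp.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {comp!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def format_dn(rdns: List[Rdn]) -> str:
    """Inverse of parse_dn: re-escape backslashes and commas inside values."""
    def esc(v: str) -> str:
        return v.replace("\\", "\\\\").replace(",", "\\,")
    return ",".join(f"{a}={esc(v)}" for a, v in rdns)


def move_entry(dn: str, new_parent: str) -> str:
    """DN the entry would have after being moved under new_parent.
    Only the leaf RDN survives; every level above it comes from the new parent."""
    leaf = parse_dn(dn)[0]
    return format_dn([leaf] + parse_dn(new_parent))


def split_upn(upn: str) -> Tuple[str, str]:
    """Split 'JSmith@reskit.com' into ('JSmith', 'reskit.com')."""
    if upn.count("@") != 1:
        raise ValueError(f"a UPN has exactly one '@': {upn!r}")
    name, _, suffix = upn.partition("@")
    if not name or not suffix:
        raise ValueError(f"UPN is missing its name or suffix: {upn!r}")
    return name, suffix


# Assumption: the page's list of forbidden characters is '=' and '\'.
SHORT_NAME_FORBIDDEN = "=\\"


def short_name_problems(name) -> List[str]:
    """Return the short-name rules a proposed value violates (empty list = OK)."""
    problems: List[str] = []
    if name is None or name == "":
        problems.append("short name must not be null or empty")
        return problems
    bad = sorted({c for c in name if c in SHORT_NAME_FORBIDDEN})
    if bad:
        problems.append("short name contains forbidden character(s): " + " ".join(bad))
    return problems


if __name__ == "__main__":
    dn = "CN=StephenHawking,CN=Users,DC=Filenet,DC=Com"   # the DN quoted on the page
    print(parse_dn(dn))
    # Moving the object changes its DN; the UPN is independent of it.
    print(move_entry(dn, "OU=Physics,DC=Filenet,DC=Com"))   # hypothetical new container
    print(split_upn("JSmith@reskit.com"))
    print(short_name_problems("J=Smith"))
```

`move_entry` is the point of the exercise: after a move, `parse_dn` of the result still yields the same leaf `CN=StephenHawking`, but every component above it has changed, which is exactly why a DN is the wrong thing to persist as a user's identity and why the page's UPN and short name are defined to be independent of it.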
- Realm
- In this document the term realm describes a base object
for searching the directory. When Content Platform Engine interacts with a directory
service, most operations are done in the context of a realm.
- FileNet P8 domain
- When you install and configure Content Platform Engine, you create a new FileNet P8 domain which provides
the security context for authenticating applications.
- Authentication Provider
- All interaction with the directory server that has been configured
during installation as the FileNet P8 authentication
provider is read-only and is initiated only from Content Platform Engine servers.
- Login
- FileNet P8 lets you
configure a login that supports a number of different parameters. Because
authentication and login attributes are persisted in databases, workflow
definitions, and stored searches, you cannot change the attribute at
a later time, including during an upgrade. See the sections describing
logging on in the topic that describes your directory server.
- Find
- Documentation refers frequently to finding users and groups. This
refers to the activities of the Administration Console for Content Platform Engine Select Users and Groups
dialog box, which Administration Console for Content Platform Engine uses
to search for accounts to add to the ACL of an object. On the Content Platform Engine API level, finding refers
to the FindUsers and FindGroups methods.
- SSL
- You should configure SSL to avoid passing credentials in clear
text between the FileNet P8 servers
and the directory server.
- Group support
- FileNet P8 supports
groups that can include any number of users and other nested groups.
It also honors any account states and restrictions (such as whether
an account is disabled, and its permitted login hours) defined by the directory server.
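The behaviours described above for finding accounts (starts-with or exact matching on short name or display name, the FindUsers-style operation) and for groups (nested membership, honouring disabled accounts and login hours) can be pictured with a toy in-memory directory. The following Python is an added example written for this page; it is not IBM's code and does not call the Content Platform Engine API. Users, groups and the membership cycle in it are constructed sample data.

```python
# Added example, not IBM's code: a toy in-memory directory modelling
# account search and nested-group behaviour as the page describes them.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class User:
    short_name: str
    display_name: str
    enabled: bool = True
    # Hours of the day (0-23) during which the account may log in;
    # None means the directory places no restriction.
    login_hours: Optional[Set[int]] = None


@dataclass
class Group:
    short_name: str
    # Members are short names of users or of other (nested) groups.
    members: List[str] = field(default_factory=list)


class Directory:
    def __init__(self, users: List[User], groups: List[Group]):
        self.users: Dict[str, User] = {}
        self.groups: Dict[str, Group] = {}
        for u in users:                       # short names must be unique
            if u.short_name in self.users:
                raise ValueError(f"duplicate user short name: {u.short_name}")
            self.users[u.short_name] = u
        for g in groups:
            if g.short_name in self.groups:
                raise ValueError(f"duplicate group short name: {g.short_name}")
            self.groups[g.short_name] = g

    def find_users(self, pattern: str, mode: str = "starts_with",
                   attribute: str = "short_name") -> List[str]:
        """Case-insensitive FindUsers-style search; returns sorted short names."""
        if mode not in ("starts_with", "exact"):
            raise ValueError(f"unknown match mode: {mode}")
        if attribute not in ("short_name", "display_name"):
            raise ValueError(f"unsupported search attribute: {attribute}")
        needle = pattern.lower()
        hits = []
        for u in self.users.values():
            candidate = getattr(u, attribute).lower()
            matched = (candidate.startswith(needle) if mode == "starts_with"
                       else candidate == needle)
            if matched:
                hits.append(u.short_name)
        return sorted(hits)

    def expand_group(self, group_name: str) -> Set[str]:
        """All user short names reachable through nested groups.
        A visited set guards against membership cycles (A contains B, B contains A)."""
        if group_name not in self.groups:
            raise KeyError(f"unknown group: {group_name}")
        users: Set[str] = set()
        seen_groups: Set[str] = set()
        stack = [group_name]
        while stack:
            g = stack.pop()
            if g in seen_groups:
                continue
            seen_groups.add(g)
            for member in self.groups[g].members:
                if member in self.groups:
                    stack.append(member)
                elif member in self.users:
                    users.add(member)
                else:
                    raise KeyError(f"group {g} references unknown member {member}")
        return users

    def can_log_in(self, short_name: str, hour: int) -> bool:
        """Honour the account state and login-hour restriction held in the directory."""
        u = self.users[short_name]
        if not u.enabled:
            return False
        return u.login_hours is None or hour in u.login_hours

    def effective_members(self, group_name: str, hour: int) -> Set[str]:
        """Nested members who could actually log in at the given hour."""
        return {n for n in self.expand_group(group_name) if self.can_log_in(n, hour)}


def sample_directory() -> Directory:
    """Constructed sample data, not taken from any real directory."""
    users = [
        User("jsmith", "James Smith"),
        User("shawking", "Stephen Hawking", enabled=False),
        User("ajones", "Alice Jones", login_hours=set(range(8, 18))),
    ]
    groups = [
        Group("engineering", ["jsmith", "shawking", "research"]),
        Group("research", ["ajones", "engineering"]),   # deliberate cycle
    ]
    return Directory(users, groups)


if __name__ == "__main__":
    d = sample_directory()
    print(d.find_users("j"))
    print(d.find_users("Stephen Hawking", mode="exact", attribute="display_name"))
    print(sorted(d.expand_group("engineering")))
    print(sorted(d.effective_members("engineering", hour=20)))
```

Two details matter for a production directory as much as for the toy: `expand_group` must terminate on cyclic nesting, which real directories do permit, and membership alone says nothing about whether a principal may log in, so access decisions combine the expanded membership with the account state the directory server reports.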
- Configuration Overview
Directory configuration for Content Platform Engine is conducted in the
following two areas: authentication and authorization. Content Platform Engine does not support different
types of directory servers in the same Content Platform Engine domain.
- Directory Configuration for Authentication
Directory configuration for authentication, including configuring
login formats, occurs in the application server's authentication providers
and is done using FileNet P8 Configuration
Manager.
Content Platform Engine server
does not implement its own authentication module. Instead, it uses
a Java EE application server's authentication mechanism.
- Directory Configuration for Authorization
A GCD administrator (gcd_admin) can log
in to Administration Console for Content Platform Engine and configure
the direct connection between Content Platform Engine and the directory service.
Third-party
developers can also directly call the Content Platform Engine APIs to automatically
configure it.