
Java Proxy process authentication

Java Proxy receives passwords from the Password Synchronizers and redirects them to the Password Store component. The Java Proxy manages the lifecycle of the Password Storage component and handles the inter-process communication with Security Directory Integrator plug-ins.

The proxy and the directory plug-in share a common binary command protocol. The communication happens over sockets. The proxy acts as a server, listening for commands. The directory plug-in connects to the proxy, transmits a command, and reads the response.

Depending on the configuration, the Java Proxy can also do a preliminary validation of the password strength. Only the password policies that are defined in a remote IBM Security Identity Manager server can be validated. The Java Proxy is responsible for storing the password changes that the plug-in receives in the configured Password Store.

The communication between the various plug-ins and the Java Proxy happens over sockets. It is restricted to the loopback network interface. A two-way authentication takes place each time a connection between the client plug-in and the Java Proxy is established. Authentication is based on file system permissions. The authentication procedure uses the Authentication Folder, the folder where the pwsync.props file is located. You must protect the Authentication Folder with file system permissions because the authentication process creates one-time passwords and stores them as files in that folder.

You must secure the Authentication Folder after the password synchronizer is set up. To secure the folder, make it readable and writable only by the user who runs the process that loads the plug-in. For example, for the Domino® HTTP Password Synchronizer, the Domino Server runs as the user notes. That user must have full control over the Authentication Folder for the Password Synchronizer to work.

Note: The Java Proxy process is started automatically from the plug-in side and therefore runs with the same privileges as the plug-in. If the Java Proxy is started manually by another user, you must grant that user read and write access to the Authentication Folder. For example, if one user has full control over the Authentication Folder, run the commands with the privileges of that user so that the authentication succeeds.
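As an added example (not IBM's code and not part of the product), a hypothetical audit helper that checks the permission posture described above: the Authentication Folder and everything in it, including the one-time-password files created at run time, must be owned by the plug-in user and carry no group or other permission bits. It assumes a POSIX host and Python 3; the folder path and user name are arguments supplied by the operator, and Windows ACLs are out of scope.

```python
"""Audit the Authentication Folder (the directory that holds pwsync.props)
for the posture described in the text: every entry owned by the user that
runs the plug-in process and readable/writable by that user only.
Hypothetical helper; POSIX mode bits only, Windows ACLs not covered."""
import os
import pwd
import stat
import sys

PROPS_FILE = "pwsync.props"  # its folder is the Authentication Folder


def check_entry(mode: int, uid: int, expected_uid: int, name: str) -> list:
    """Return findings for one entry, given its st_mode and st_uid."""
    findings = []
    if uid != expected_uid:
        findings.append(f"{name}: owned by uid {uid}, expected {expected_uid}")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{name}: group/other bits set ({stat.filemode(mode)})")
    if not (mode & stat.S_IRUSR and mode & stat.S_IWUSR):
        findings.append(f"{name}: owner lacks read+write ({stat.filemode(mode)})")
    return findings


def audit_authentication_folder(folder: str, expected_user: str) -> list:
    """Walk the folder without following symlinks and collect findings.
    A missing pwsync.props usually means the wrong folder was given."""
    expected_uid = pwd.getpwnam(expected_user).pw_uid
    top = os.lstat(folder)
    if stat.S_ISLNK(top.st_mode):
        return [f"{folder}: is a symbolic link; refusing to audit through it"]
    findings = []
    if not os.path.isfile(os.path.join(folder, PROPS_FILE)):
        findings.append(f"{folder}: {PROPS_FILE} not found; is this the Authentication Folder?")
    findings += check_entry(top.st_mode, top.st_uid, expected_uid, folder)
    for root, dirs, files in os.walk(folder):
        for name in dirs + files:
            path = os.path.join(root, name)
            st = os.lstat(path)  # one-time-password files appear here at run time
            findings += check_entry(st.st_mode, st.st_uid, expected_uid, path)
    return findings


if __name__ == "__main__":
    # usage: audit.py <authentication-folder> <plug-in-user>, e.g. ... notes
    results = audit_authentication_folder(sys.argv[1], sys.argv[2])
    for line in results:
        print(line)
    sys.exit(1 if results else 0)
```

A non-zero exit status means the folder is not locked down to the plug-in user; a finding on the folder itself matters most, because it gates access to every one-time-password file inside.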
