Securing applications and data
Added by IBM on October 4, 2010 | Version 1 (Original)
The Lotus® Expeditor platform is a secure platform that protects your application data. Single sign-on with the operating system is built into the platform by default.
It secures the applications and application data running on the client by doing the following:
- Limiting access to Target Features to only users with valid authentication credentials.
- Protecting user credentials by storing authentication information, such as user names and passwords, in an encrypted key store.
By default, the client uses the key store provided by IBM's JCE provider on JavaSE. This implementation of the Java Cryptography Extension (JCE) uses password-based encryption with Triple DES (Data Encryption Standard) to protect the store's contents. The key store also provides storage for database and account-related passwords created using the PBEKey (Password Based Encryption Key) interface. The location of the platform key store is specified as the value of the keystore.url security property set in the java.security file. If no value is specified for keystore.url, the location defaults to the following directory:
is the absolute path to the user's workspace.
If no key store exists, a key store is created when an application calls the login method. The SecurePlatform class provides methods that you can use to access and log into the platform key store.
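As an added illustration (not IBM's SecurePlatform or Accounts API, whose signatures this page does not show), the following JavaSE code shows the pattern described above: the store location resolved from the keystore.url security property, an empty password-protected store created when none exists, and an account password kept as a PBEKey secret entry. It assumes the JDK's JCEKS store type and the standard PBEWithHmacSHA256AndAES_128 factory rather than the platform's own Triple DES implementation, and the fallback file name is hypothetical.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.Security;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Illustration: account passwords kept as PBE keys in a password-protected JCE key store. */
public class AccountKeyStoreExample {
    // Resolves the store location from the keystore.url security property set in java.security.
    static File resolveKeyStoreFile(File workspaceDir) {
        String url = Security.getProperty("keystore.url");
        if (url == null || url.isEmpty()) return new File(workspaceDir, "platform.keystore"); // hypothetical name
        return new File(url.startsWith("file:") ? url.substring("file:".length()) : url);
    }

    // Loads the store; an absent file yields an empty store, as the platform does on first login.
    static KeyStore load(File file, char[] storePass) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JCEKS"); // assumed JDK store type; it accepts secret-key entries
        try (FileInputStream in = file.exists() ? new FileInputStream(file) : null) { ks.load(in, storePass); }
        return ks;
    }

    // Wraps the password in a PBEKey and stores it under alias, protected by entryPass.
    static void storeAccountPassword(KeyStore ks, String alias, char[] password, char[] entryPass) throws GeneralSecurityException {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBEWithHmacSHA256AndAES_128");
        SecretKey key = f.generateSecret(new PBEKeySpec(password)); // a javax.crypto.interfaces.PBEKey
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(entryPass));
    }

    // Returns the stored password, or null if alias is unknown; a wrong entryPass throws UnrecoverableKeyException.
    static char[] readAccountPassword(KeyStore ks, String alias, char[] entryPass) throws GeneralSecurityException {
        Key key = ks.getKey(alias, entryPass);
        if (key == null) return null;
        byte[] raw = key.getEncoded(); // PBE keys encode the password itself; only 7-bit characters are kept
        char[] pw = new char[raw.length];
        for (int i = 0; i < raw.length; i++) pw[i] = (char) raw[i];
        return pw;
    }

    static void save(KeyStore ks, File file, char[] storePass) throws GeneralSecurityException, IOException {
        try (FileOutputStream out = new FileOutputStream(file)) { ks.store(out, storePass); }
    }
}
```

Callers should zero the returned char[] once the password has been used, since it holds the cleartext credential.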
The JVM changed from DesktopEE to JavaSE in Lotus Expeditor 6.2.1. Therefore, if you are upgrading from 6.2 or a prior release, you will not be able to read any data stored in the keystore (account passwords and so on), because the keystore file formats are different. Lotus Expeditor 6.2.1 creates a new, empty keystore and prompts you for a new platform login password and account passwords. If you were already using JavaSE on a prior Lotus Expeditor release, your keystore data is preserved.
You can implement authentication mechanisms in client applications using the following APIs:
- Accounts API -- Recommended. Enables you to store, access, and use properties that are required to make a connection to, and communicate with, local and remote services, including user passwords, which it directly accesses using the AccountsLoginContextService. Use the Accounts API to access the key store and make password changes outside of the login process. The Accounts API also simplifies HTTP, J2EE-FORM, Siteminder and TAM logins to a remote WebSphere® Portal server.
- Java Authentication and Authorization Service (JAAS) APIs -- Not recommended. Connects to servers and manages user information, including validated passwords, which it handles using a Subject object. Uses login modules to access the key store and retrieve or store passwords as part of the login process. You can use the existing LoginConfigurations (HTTP, J2EE-FORM, TAM-FORM, SM-FORM, and TAM-SPNEGO) to authenticate with remote servers that use those login types. The challenge of using the JAAS APIs directly with the provided login configurations is that the Subject object must contain specific classes for the login modules to work. If you use the Accounts API, it handles the Subject object interaction for you, while still letting you access the Subject and its contents directly if necessary.
Accounts framework: XPD621
The Accounts framework enables you to store, access, and use properties that are required to make a connection to, and communicate with, a local or remote service.
Login configurations: XPD621
A login configuration provider tells the application which LoginModule to use to authenticate users.
Using TrustManager and KeyManager: XPD621
The Java security system is, at its core, a fully pluggable system of interfaces and classes that allows security providers to plug in concrete implementations of security algorithms for the system's use.
Signing custom or third-party features and plug-ins for install and update: XPD621
Eclipse plug-ins can be created and used to extend Lotus Expeditor functionality. Plug-ins are provisioned with the client software. They are ordinarily signed with a certificate that is trusted by Notes® clients and which verifies that they contain secure data.
Configuring the proxy settings for Lotus Expeditor: XPD621
The proxy setting is global; that is, the whole runtime shares the same proxy settings. The HTTP/HTTPS connection is stateless and picks up whatever proxy settings are in effect at the time the application opens the connection.