
TEMENOS T24

Browser Security

User Guide

Information in this document is subject to change without notice.

No part of this document may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of TEMENOS Holdings NV.

Copyright 2007 TEMENOS Holdings NV. All rights reserved.


Browser Security

Table of Contents
Overview ..................................................................................................................................................4 
Setup ........................................................................................................................................................5 
Security Configuration............................................................................................................................. 5 
Default Security Configuration ............................................................................................................ 5 
Version & Enquiries Filter .................................................................................................................... 6 
T24 XML Filter ..................................................................................................................................... 8 
Form field filter..................................................................................................................................... 8 
Obfuscation ......................................................................................................................................... 9 
User Name Stripping ........................................................................................................................... 9 
Configuring Single-Sign-On (SSO) for T24 Browser ............................................................................ 10 
Single Sign-On Filter ......................................................................................................................... 10 
HTTP Request................................................................................................................................... 10 
Configuring HTTP BASIC Authentication for T24 Browser................................................................... 11 
Secure the BrowserWeb application ................................................................................................. 11 
Specify the JAAS Realm for BrowserWeb ........................................................................................ 12 
Deploy the JAAS Login Module ........................................................................................................ 12 
Create & Deploy the JAAS Configuration File .................................................................................. 12 
Login to T24 ...................................................................................................................................... 13 
BASIC Authentication as a Single Sign-On Mechanism ................................................................... 13 
Single Sign-On with Siteminder ........................................................................................................ 14 
Configuring the ARC-IB Authentication Environment for 4TRESS ....................................................... 16 
Java Security Configuration (both Web Server and T24 Server) ...................................................... 16 
Creating a JCE Keystore ................................................................................................................... 18 
Tomcat Server Java Environment ..................................................................................................... 18 
Websphere server java environment ................................................................................................ 19 
T24 Server Environment ................................................................................................................... 20 
4TRESS Authentication Server Configuration .................................................................................. 21 
4TRESS Configuration for Challenge-Response .............................................................................. 24 
Configuring the ARC-IB Authentication Environment for RSA ............................................................. 25 
Java Security Configuration (both Web Server and T24 Server) ...................................................... 25 
Creating a JCE Keystore ................................................................................................................... 26 
Tomcat server java environment ....................................................................................................... 27 
Websphere server java environment ................................................................................................ 28 
T24 Server Environment ................................................................................................................... 28 
RSA sdconf.rec File........................................................................................................................... 28 
RSA Properties File ........................................................................................................................... 28 

TEMENOS T24 User Guide Page 2 of 35



RSA Port Configuration ..................................................................................................................... 29 


Appendix ................................................................................................................................................30 
Appendix A - arc_jaas.config for token based authentication in ARC-IB with 4TRESS ....................... 30 
Appendix B - arc_jaas.config for generic authentication in ARC-IB with 4TRESS ............................... 31 
Appendix C - Example server.config file for ARC-IB ............................................................................ 32 
Appendix D - arc_jaas.config for token based authentication in ARC-IB with RSA ............................. 33 
Appendix E - rsa-server.config for token based authentication in ARC-IB with RSA .......................... 34 
Appendix F - sample.properties for token based authentication in ARC-IB with RSA ......................... 35 

Overview
The T24 Browser product is primarily a user interface to the T24 banking product used by the bank’s
own staff via their internal intranet. However, T24 Browser can be used over the internet, in particular,
the ARC Internet Banking (ARC-IB) product is aimed at the bank’s customers.
With this in mind, this user guide details how to configure T24 Browser to take advantage of the additional
security features required for internet use.

Setup
Security Configuration
A number of security features have been implemented in the T24 Browser application.

These include:
• Integration with a third party authentication server
• Single Sign-On (SSO)
• HTTP BASIC Authentication
• Version / enquiries filter
• T24 XML filter
• Form field filter
• Obfuscation (internal and external)
• Strip user name

This section discusses the security features implemented within the Browser application.
Integration with a third party authentication server is covered in the ARC-IB authentication sections later in this guide.

Default Security Configuration


The table below shows the default security settings for the main T24 Browser product and the ARC
Internet Banking product:

Item                         T24 Browser   ARC-IB
Version & Enquiries Filter   Disabled      Enabled
T24 XML Filter               Disabled      Enabled
Form field filter            Disabled      Enabled
Obfuscation                  Disabled      Enabled
User name stripping          Disabled      Enabled

Version & Enquiries Filter


The version & enquiries filter is a crude means of controlling which versions and enquiries may be run
by customers using the Internet Banking capability of Browser.
It is enabled by default in the ARC-IB configuration and disabled in the others.
It protects against internet users deliberately running versions and enquiries that should not be made
available over the internet (e.g. by tampering with the HTTP request), and ensures that a conscious
decision is made to enable each version and enquiry for internet use.
Note that this is not intended to replace SMS (the T24 Security Management System), which must still
be set up correctly; it is simply another layer of protection.

Configuration for the filter is in the file versionsEnquiriesFilterConfig.xml, in the WEB-INF/conf directory.
This contains a top level <arcIbServletFilter> element, which has zero or more <filterItem> child elements.

Each <filterItem> describes a version or enquiry that is allowed to pass into T24. The filter is an allow
list: any request made to the BrowserServlet that does not satisfy at least one <filterItem> is rejected
with an HTTP 403 error. Every request type the application needs, including session creation, must
therefore be allowed explicitly.

Within the <filterItem> tag, the following tags specify details of the allowed requests:
• <requestType>
• <routineName>
• <application>
• <version>
• <enqname>
Each of these contains a <match> tag, with an operator attribute of "equal" or "startsWith"; the content
of the tag is the value the request is compared against. Where a <filterItem> contains more than one of
these tags, a request must match all of them.

For example, the following filter will let through any request with a request type of CREATE.SESSION:

<filterItem>
    <requestType>
        <match operator="equal">CREATE.SESSION</match>
    </requestType>
</filterItem>

The following filter will let through the ARC.IB.ACCOUNT.SUMMARY enquiry:

<filterItem>
    <requestType>
        <match operator="equal">OFS.ENQUIRY</match>
    </requestType>
    <enqname>
        <match operator="equal">ARC.IB.ACCOUNT.SUMMARY</match>
    </enqname>
</filterItem>

The following filter will let through any enquiry whose name begins with ARC.IB:

<filterItem>
    <requestType>
        <match operator="equal">OFS.ENQUIRY</match>
    </requestType>
    <enqname>
        <match operator="startsWith">ARC.IB</match>
    </enqname>
</filterItem>
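As an added example that is not part of this guide or of the T24 Browser code, the following Python script models the filter's allow-list logic against a copy of the three <filterItem> examples above. A request is represented as a dict of the parameter names the configuration constrains; that representation, the treatment of an empty <filterItem> as a configuration error, and the function names are assumptions of this example, not Temenos behaviour.

```python
# Added example (not Temenos code): an offline model of the version & enquiries
# filter, driven by a versionsEnquiriesFilterConfig.xml document.
# Assumptions not stated in the guide: a request is a dict of the parameter
# names used in the config (requestType, enqname, ...), an empty <filterItem>
# is treated as an error, and only the operators the guide lists are accepted.
import xml.etree.ElementTree as ET

# Constructed sample configuration: the three <filterItem> examples from the guide.
SAMPLE_CONFIG = """<arcIbServletFilter>
  <filterItem>
    <requestType><match operator="equal">CREATE.SESSION</match></requestType>
  </filterItem>
  <filterItem>
    <requestType><match operator="equal">OFS.ENQUIRY</match></requestType>
    <enqname><match operator="equal">ARC.IB.ACCOUNT.SUMMARY</match></enqname>
  </filterItem>
  <filterItem>
    <requestType><match operator="equal">OFS.ENQUIRY</match></requestType>
    <enqname><match operator="startsWith">ARC.IB</match></enqname>
  </filterItem>
</arcIbServletFilter>
"""

# The request attributes a <filterItem> may constrain, per the guide.
FILTER_FIELDS = ("requestType", "routineName", "application", "version", "enqname")


def load_filter_items(config_xml):
    """Parse the config into a list of items, each a list of (field, operator, value)."""
    root = ET.fromstring(config_xml)
    if root.tag != "arcIbServletFilter":
        raise ValueError("expected <arcIbServletFilter> as the top level element")
    items = []
    for item in root.findall("filterItem"):
        conditions = []
        for field in FILTER_FIELDS:
            for field_el in item.findall(field):
                match_el = field_el.find("match")
                if match_el is None:
                    raise ValueError(f"<{field}> has no <match> child")
                operator = match_el.get("operator")
                if operator not in ("equal", "startsWith"):
                    raise ValueError(f"unsupported match operator {operator!r}")
                conditions.append((field, operator, (match_el.text or "").strip()))
        if not conditions:
            # Assumption: an item with no conditions would allow everything, so refuse it.
            raise ValueError("<filterItem> with no conditions")
        items.append(conditions)
    return items


def _condition_holds(operator, expected, actual):
    if actual is None:          # the request does not carry this parameter at all
        return False
    if operator == "equal":
        return actual == expected
    return actual.startswith(expected)  # "startsWith"


def is_allowed(filter_items, request):
    """Allow-list semantics: pass if ANY item has ALL of its conditions satisfied."""
    return any(
        all(_condition_holds(op, expected, request.get(field)) for field, op, expected in conditions)
        for conditions in filter_items
    )


def http_status(filter_items, request):
    """The status the BrowserServlet filter would produce: 403 for anything not allowed."""
    return 200 if is_allowed(filter_items, request) else 403


if __name__ == "__main__":
    items = load_filter_items(SAMPLE_CONFIG)
    for req in ({"requestType": "CREATE.SESSION"},
                {"requestType": "OFS.ENQUIRY", "enqname": "ARC.IB.ACCOUNT.SUMMARY"},
                {"requestType": "OFS.ENQUIRY", "enqname": "CUSTOMER.LIST"}):
        print(req, "->", http_status(items, req))
```

Note that the first item constrains only the request type, so it admits a CREATE.SESSION request whatever other parameters it carries; this is the "crude" nature the guide refers to, and the reason SMS must still be configured.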

T24 XML Filter


The T24 XML filter validates the XML that is returned from T24 to the Browser web application.

This is a defence against cross-site scripting: although the ARC-IB configuration stops such input from
reaching T24 in the first place (via the Form Field Filter, see below), the data may already be in T24, or
may have been entered by a Browser deployment in a different configuration.

The T24XmlFilterRegEx property defines a regular expression.

All of the XML received by the Browser from T24 is matched against this expression, and every match is
removed before the data is sent to the client.

By default, in the ARC-IB configuration the property is set to:


• < */? *((?i)script|img|form|object|applet|embed|frameset|iframe) *>
Thus it strips the following tags, which are commonly used in cross-site scripting attacks:
• <script>
• <img>
• <form>
• <object>
• <applet>
• <embed>
• <frameset>
• <iframe>

In the internal (T24 Browser) configuration this property is empty, which means that no checks take place.

Form field filter


The form field filter is enabled in the ARC-IB configurations.
It checks the input entered into any form field in the application for the tags commonly used in
cross-site scripting attacks.

If such a tag is detected in the user's input, the input is rejected and the request blocked.
This filter is used for the HelpServlet and the BrowserServlet.

For the BrowserServlet filter, the default for the ARC-IB configuration is:
• < */? *((?i)script|img|form|object|applet|embed|frameset|iframe) *>
Thus it blocks the tags commonly used for cross-site scripting attacks outlined above.

For the HelpServlet, it simply stops a user from breaking out of the help directory with '..':
• \.\.

The regular expressions used are specified in web.xml (see the valid_input_regex parameter).
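The following Python script is an added example, not Temenos code or a copy of the Browser filters. It applies the default regular expression above the way each filter uses it (removal for the T24 XML filter, rejection for the form field filter), together with the HelpServlet '..' check, to constructed inputs. Python's re module does not accept the Java inline (?i) group mid-pattern, so re.IGNORECASE is used instead, which yields the same matches. The function names are this example's own. One constructed input is a tag carrying attributes, which the pattern does not match: it recognises a bare tag name surrounded by optional spaces and nothing else, which is the scope a practitioner should expect from it.

```python
# Added example (not Temenos code): the default ARC-IB regular expression from
# the T24 XML filter and form field filter sections, applied the way each filter
# applies it, plus the HelpServlet '..' check. The Java pattern in the guide is
#     < */? *((?i)script|img|form|object|applet|embed|frameset|iframe) *>
# Python's re module rejects a mid-pattern (?i), so re.IGNORECASE is used
# instead; the set of matches is the same. Function names are this example's own.
import re

TAG_PATTERN = re.compile(
    r"< */? *(script|img|form|object|applet|embed|frameset|iframe) *>",
    re.IGNORECASE,
)
DOT_DOT_PATTERN = re.compile(r"\.\.")  # the HelpServlet valid_input_regex


def filter_t24_xml(xml_text):
    """T24 XML filter behaviour: every match is removed, the rest is passed to the client."""
    return TAG_PATTERN.sub("", xml_text)


def form_field_ok(value):
    """BrowserServlet form field filter behaviour: any match rejects the whole request."""
    return TAG_PATTERN.search(value) is None


def help_path_ok(path):
    """HelpServlet behaviour: any '..' in the requested path rejects the request."""
    return DOT_DOT_PATTERN.search(path) is None


if __name__ == "__main__":
    # Constructed inputs. The pattern matches a bare tag name with optional spaces
    # only, so a tag carrying attributes is left untouched by both filters.
    for sample in ("<script>alert(1)</script>", "< IMG >", '<img src=x onerror="alert(1)">'):
        print(repr(sample), "filtered ->", repr(filter_t24_xml(sample)),
              "| form field accepted:", form_field_ok(sample))
    for path in ("account.html", "../../WEB-INF/web.xml"):
        print(repr(path), "help path accepted:", help_path_ok(path))
```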

Obfuscation
The internal obfuscation functionality 'mixes up' the names of versions and enquiries on the client, so
that an end user cannot determine the exact versions and enquiries that are being run.
The external obfuscation functionality 'mixes up' the JavaScript code that reaches the client. This is a
first line of defence against attackers trying to understand how the application works by decoding the
client-side JavaScript; it does not replace the server-side controls described in this guide.

User Name Stripping


In T24 Browser, the T24 user name (which is used to log in) is sent to the client, for use in window titles
and so on.
In the ARC-IB product, however, the user should not learn their T24 log-on name (it is not the same as
their login name when an authentication server is in use). The capability therefore exists to strip this
name out of any XML or HTML that reaches the client.

Configuring Single-Sign-On (SSO) for T24 Browser


T24 Browser implements a Single Sign-On (SSO) mechanism. This allows users who have already been
authenticated to carry their credentials in the login request, so that the standard T24 Browser login page
is suppressed.
To configure the SSO mechanism the following must be done:

Single Sign-On Filter


In the 'web.xml' file ensure the following entries exist and are active (un-commented):

<filter>
    <filter-name>SingleSignOnFilter</filter-name>
    <description>
        This filter handles Single Sign On requests
    </description>
    <filter-class>
        com.temenos.t24browser.security.SingleSignOnFilter
    </filter-class>
</filter>
...
<filter-mapping>
    <filter-name>SingleSignOnFilter</filter-name>
    <url-pattern>/servlet/BrowserServlet</url-pattern>
</filter-mapping>

HTTP Request
To ensure that the Single Sign-On filter is invoked, every HTTP request must carry a Principal, i.e. an
object that implements the java.security.Principal interface.

The Single Sign-On filter extracts the principal from the HTTP request using the 'getUserPrincipal()'
method. The principal is routed to the TC-Client, where it invokes an impersonate service to look up the
corresponding T24 user name and password.
For further information on SSO configuration, including LDAP, certificates and identities, refer to the
'Security Service – Installation & Configuration Guide – Release 1.5'.

If the sign-on attempt fails the Browser servlet returns an HTTP 403 Forbidden error; if it succeeds, the
user is presented with the appropriate T24 home page.

Configuring HTTP BASIC Authentication for T24 Browser


The T24 Browser servlet can be protected by the standard HTTP BASIC Authentication mechanism.
Refer to http://www.w3.org/Protocols/HTTP/1.0/spec.html#AA for information on this protocol.
The implementation of this access authentication mechanism in T24 Browser relies on the Java
Authentication and Authorization Service (JAAS). Refer to http://java.sun.com/products/jaas/ for further
information.
A prerequisite to configuring BASIC Authentication in T24 Browser is that the web server on which T24
Browser is published must support JAAS, which has been integrated into the Java 2 SDK from version
1.4 onwards.
The following configuration procedure uses the Tomcat 5.5 Servlet/JSP Container as its web server. If
an alternative web server is used, refer to its accompanying documentation for details of how these
steps can be completed.

Secure the BrowserWeb application


In the 'web.xml' ensure the following entries exist and are active (un-commented):

<filter>
    <filter-name>BasicAuthenticationFilter</filter-name>
    <description>
        This filter handles BASIC Authentication requests
    </description>
    <filter-class>
        com.temenos.t24browser.security.BasicAuthFilter
    </filter-class>
</filter>
<filter-mapping>
    <filter-name>BasicAuthenticationFilter</filter-name>
    <url-pattern>/servlet/BrowserServlet</url-pattern>
</filter-mapping>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>BrowserWeb</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>t24user</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>T24</realm-name>
</login-config>

Specify the JAAS Realm for BrowserWeb


This will be specific to the web server that the BrowserWeb is deployed on.
• In Tomcat 5.5 locate the Context configuration file:
  <TOMCAT-DIR>\conf\Catalina\localhost\<WebAppName>.xml
  In a typical installation the path would be:
  <TOMCAT-DIR>\conf\Catalina\localhost\BrowserWeb.xml
• Ensure that the following entries exist. The appName must match the entry name ('T24') used in
  the JAAS configuration file created below:

<Context reloadable="true">
    <Realm appName="T24"
           className="org.apache.catalina.realm.JAASRealm"
           roleClassNames="com.temenos.t24browser.security.authentication.T24RolePrincipal"
           userClassNames="com.temenos.t24browser.security.authentication.T24UserPrincipal,
                           com.temenos.t24browser.security.authentication.T24Principal"/>
</Context>

Deploy the JAAS Login Module


The ‘t24BasicAuth.jar’ must be copied to the <TOMCAT_DIR>/common/lib directory.
The ‘t24BasicAuth.jar’ can be found within the Browser release package.

Create & Deploy the JAAS Configuration File

• Create a file and call it 't24BasicAuth.config'

• Enter the following text:

T24 {
    com.temenos.t24browser.security.authentication.BasicAuthLoginModule Requisite debug="true";
};

• Save this file to a location of your choice, e.g. C:\JAASConfig\T24Browser\

• Tell the Tomcat server JVM to use this login configuration file via a command line parameter:
-Djava.security.auth.login.config="C:\JAASConfig\T24Browser\t24BasicAuth.config"

NOTE: Ensure that this path does NOT contain spaces, otherwise Tomcat may report the following
exception:
java.io.IOException: "C:\JAAS Config\t24BasicAuth.config" (No such file or directory)
Note the space between 'JAAS' and 'Config'.

Login to T24
Once the above has been configured correctly and the web server fully restarted, it is possible to test
this functionality by attempting to log in to T24.
As soon as the user navigates to the T24 Browser URL e.g.
http://localhost:8080/BrowserWeb/servlet/BrowserServlet
A dialog will appear to prompt for a User name & Password. The T24 user name and password should
be supplied and ‘OK’ pressed.

If the credentials supplied are valid then the user will be presented with the appropriate T24 home page.
If the credentials are not valid and result in a ‘SECURITY VIOLATION’ then the servlet will respond with
a HTTP error 401 unauthorised.

NOTE: Due to web browsers such as IE & Firefox caching the user credentials and automatically re-
submitting them when required, it is necessary to close the browser window before an alternative set of
credentials can be supplied. This is standard behaviour of web browsers and BASIC authentication.

BASIC Authentication as a Single Sign-On Mechanism


It is possible to bypass the authentication dialog by supplying the user credentials in a specified format
in the HTTP headers of the request.
To receive authorisation, the client sends the user name and password, separated by a single colon
(":") character, as a base64-encoded string in the credentials of the Authorization header.
If the user agent wishes to send the user name "Aladdin" and password "open sesame", it would use the
following header field:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Base64 is an encoding, not encryption, so this header must only ever be sent over HTTPS.

Users can thus be authorised and logged on to T24 in one step. If the credentials are not valid and result
in a 'SECURITY VIOLATION' then the servlet will respond with an HTTP 401 Unauthorized error.
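As an added example (not Temenos code), the following Python script builds the header shown above and parses it the way a server-side filter would have to, covering the cases the guide's description implies: the colon separator, a password that itself contains a colon, and malformed or non-BASIC values. The function names are this example's own.

```python
# Added example (not Temenos code): building and parsing the HTTP BASIC
# Authorization header. It reproduces the guide's "Aladdin" / "open sesame"
# header and shows the parsing rules a server-side filter needs: the scheme is
# matched case-insensitively, the token must be valid base64, and the decoded
# text is split on the FIRST colon only, since a user name may not contain a
# colon but a password may. Function names are this example's own.
import base64
import binascii


def build_basic_header(username, password):
    """Return the Authorization header value for the given credentials."""
    if ":" in username:
        raise ValueError("a BASIC user name must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header):
    """Return (username, password), or None if the header is not a usable BASIC credential."""
    if header is None:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)   # reject non-alphabet characters
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):                 # UnicodeDecodeError is a ValueError
        return None
    username, sep, password = text.partition(":")        # split on the first colon only
    if not sep or not username:
        return None
    return username, password


if __name__ == "__main__":
    header = build_basic_header("Aladdin", "open sesame")
    print(header)
    print(parse_basic_header(header))
    print(parse_basic_header("Bearer abc"))
```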

Single Sign-On with Siteminder


T24 Browser normally uses an interactive screen to allow users to log into the T24 system. With this
enhancement no login screen is displayed: users click a hyperlink from a third party web application to
access T24 Browser.
The T24 Browser request is intercepted by a filter called CookieFilter, which extracts the user name from
the cookie and passes the sign-on name to T24. No password is stored in the request and no password
is passed to T24. The user has already been authenticated by the external system, so password
validation is bypassed in T24; T24 users are authenticated entirely by the third party system. Because
the cookie alone is trusted, the BrowserServlet must not be reachable except through that system.
The cookie name is configurable in the serv.config property file; the location of the property file should
be given in the system properties of the server.
Perform the following changes in <Web-Server-Home>/BrowserWeb/WEB-INF/web.xml.
To have requests processed by CookieFilter, remove the comments from the tags below. With this, your
request and response will be processed by CookieFilter.
<filter>
    <filter-name>CookieFilter</filter-name>
    <description>This filter handles authentication for user based on Cookie</description>
    <filter-class>com.temenos.t24browser.security.CookieFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CookieFilter</filter-name>
    <url-pattern>/servlet/BrowserServlet</url-pattern>
</filter-mapping>

A generic customisable page is provided for sign-out from T24 and for other error scenarios:

<error-page>
    <exception-type>
        com.temenos.t24browser.exceptions.GenericAuthenticationException
    </exception-type>
    <location>/jsps/customMessage.jsp</location>
</error-page>

To allow the user to log into T24 Browser, the following changes need to be made to the OFS.SOURCE
record used by Browser.

[Figure: OFS.SOURCE record updated]

If the field ATTRIBUTES is set to "PREAUTHENTICATED" and the field SOURCE.TYPE is set to SESSION,
the T24 Browser user is treated as a pre-authenticated user: only the sign-on name is authenticated.

Configuring the ARC-IB Authentication Environment for 4TRESS


The ARC-IB product is set up to delegate authentication of the internet banking solution to an instance
of the ActivIdentity 4TRESS authentication server.
This section discusses how the integration is configured. See the security white paper for
implementation details.
By default, integration with an authentication server is not enabled.
To enable it, the web.xml file deployed to the application's WEB-INF directory must be replaced with the
appropriate file from the table below. On both Websphere and Tomcat, deploy ARC-IB first and then
rename the correct file to web.xml. Other settings, such as channels, should be set up as they are in
T24 Browser.

Authentication server configuration                                     File to rename to web.xml
4TRESS with tokens                                                      web_4TRESS_TOKEN_INTEGRATION.xml
4TRESS with username and password                                       web_4TRESS_PASSWORD_INTEGRATION.xml
4TRESS with multiple login methods on one page                          web_4TRESS_Generic.xml
4TRESS with multiple login methods on one page, deployed on Websphere   web_4TRESS_Generic_Websphere.xml

Java Security Configuration (both Web Server and T24 Server)


ARC-IB authentication uses Advanced Encryption Standard (AES) 256-bit encryption to encrypt the T24
user id and password held in the 4TRESS server. This key length is not enabled by default in Java
installations, which ship with the restricted jurisdiction policy files.
On a Sun Java installation on any platform, on an HP-UX Java installation, or on an AIX platform with an
HSM (Hardware Security Module) for key storage:
• Download the unrestricted (unlimited strength) jurisdiction policy files from the Sun Java website
  appropriate for the version of Java installed (1.5 or above).
• Extract the policy jar files and copy them to the <JRE_DIR>/lib/security directory.
• Download a provider jar for AES 256-bit encryption. Two possibilities are Bouncy Castle (a free
  implementation, http://www.bouncycastle.org/latest_releases.html) or, if available, the IBM JCE
  provider jars shipped with IBM Java implementations (ibmjceprovider.jar and ibmpkcs.jar).
  Alternatively, other commercial providers are available.
  If you are using an HSM for key storage, the HSM should be supplied with a security provider jar
  (see the HSM vendor documentation for details).
• Copy the relevant jars into the <JRE_DIR>/lib/ext directory
• Modify the <JRE_DIR>/lib/security/java.security file. The provider list as shipped reads:
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider

You must change it to:
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider

If using the IBM provider instead of the BouncyCastleProvider, the line to add at position 2 is:
security.provider.2=com.ibm.crypto.provider.IBMJCE

If using an HSM, add the appropriate provider class for the HSM you are using at the same position;
see the documentation from your HSM vendor for details.
Also in the java.security file, you must change the line:
#
# Default keystore type.
#
keystore.type=jks

to
#
# Default keystore type.
#
keystore.type=JCEKS
On an AIX or any other platform using an IBM java implementation without an HSM for key storage:
• Download the unrestricted security policy files from the IBM website appropriate for the
version of Java installed (1.5 or above).
• Extract the policy jar files and copy them to <JRE_DIR>/lib/security directory
• In the <JRE_DIR>/lib/security/java.security file, change the line:
#
# Default keystore type.
#
keystore.type=jks

to 
#
# Default keystore type.
#
keystore.type=JCEKS

Creating a JCE Keystore


The ARC-IB system requires that the AES 256-bit encryption keys are stored in a format accessible
through the Java Cryptography Extension (JCE) API. At the simplest level this can be a keystore file.
Alternatively, for a more secure approach, an HSM (Hardware Security Module) can be used. For
information on creating keys and on the JCE interface to your HSM, please see the user documentation
supplied by your HSM vendor.
The keystore must be present on both the Tomcat server and the T24 server. The details of the key must
be in the relevant config fields of the arc_jaas.config file (see Appendices A or B):
temenos.arc.security.crypto.keystore.password="<JCE_KEYSTORE_PASSWORD>"
temenos.arc.security.crypto.keystore="<JCE_KEYSTORE_FILE_PATH>"
temenos.arc.security.crypto.key.password="<ENCRYPTION_KEY_PASSWORD>"
temenos.arc.security.crypto.key.alias="<KEY_ALIAS>"
temenos.arc.security.crypto.class="com.temenos.arc.security.authenticationserver.common.AESCryptographyService"

Because the keystore and key passwords are held in clear text in arc_jaas.config, restrict read access
to that file (and to the keystore file) to the accounts that run the web server and the T24 server.

If you wish to create your own JCE keystore file, several commercial key manager tools are available to
do so (e.g. IBM's Encryption Key Manager). Alternatively, a free tool such as JSTK (Java Security Tool
Kit) can be used.
For JSTK, the appropriate commands are:
• Extract all files from jstk-1_0_1.zip.
• Open a command window and go to the expanded directory, \jstk-1.0.1.
• Run:
  o bin\crypttool.bat genk -action store -keystore test.jceks -storepass foo -alias testKey -keypass bar -keysize 256 -algorithm AES -kstype JCEKS
    (the passwords 'foo' and 'bar' are placeholders; use strong passwords in a real deployment)
  o Copy the test.jceks file to the appropriate location, as specified in the
    temenos.arc.security.crypto.keystore property of the ARC-IB configuration files.
See the appropriate vendor documentation on how to download and use IBM Encryption Key Manager.

Tomcat Server Java Environment


If 4TRESS is deployed on JBoss, add the following options to the Tomcat JVM:
-Dcom.temenos.t24.commons.logging.LoggerFactory="com.temenos.t24.commons.logging.impl.Log4jLoggerFactory"
-Djava.naming.factory.initial=org.jnp.interfaces.NamingContextFactory
-Djava.naming.provider.url=jnp://<4TRESS_SERVER_IP>:1099
-Djava.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces
-Djava.security.auth.login.config=<CONFIG_DIR>\arc_jaas.config
-DARC_CONFIG_APP_NAME=ARC
-DARC_CONFIG_PATH=<CONFIG_DIR>\bind.config

If 4TRESS is deployed on Websphere:

-Dcom.temenos.t24.commons.logging.LoggerFactory="com.temenos.t24.commons.logging.impl.Log4jLoggerFactory"
-Djava.naming.factory.initial=com.ibm.websphere.naming.WsnInitialContextFactory
-Djava.naming.provider.url=iiop://<4TRESS_SERVER_IP>:2809
-Djava.naming.factory.url.pkgs=com.ibm.websphere.naming
-DARC_CONFIG_APP_NAME=ARC
-DARC_CONFIG_PATH=<CONFIG_DIR>\bind.config

Configuration Property                          Description
java.naming.factory.initial                     Naming service factory class for accessing 4TRESS
java.naming.provider.url                        URL of the 4TRESS server
java.naming.factory.url.pkgs                    Naming packages for 4TRESS
java.security.auth.login.config                 The arc_jaas.config file for ARC-IB
ARC_CONFIG_APP_NAME                             Application name in use for the application
ARC_CONFIG_PATH                                 Configuration file for token binding (not required if hardware
                                                tokens are not used to generate one-time passwords)
com.temenos.t24.commons.logging.LoggerFactory   Logger class to use. If set to
                                                "com.temenos.t24.commons.logging.impl.Log4jLoggerFactory",
                                                log4j logging is used; supply an appropriate log4j.properties
                                                file on the classpath.

The following jars must be copied to the <TOMCAT_DIR>/common/lib directory (<TOMCAT_DIR>/lib
directory in Tomcat v6):
authentication-webcommon.jar (from this archive)
temenos-commons-logging.jar (from this archive, can also be found inside the ARC-IB war file)
log4j-1.2.9.jar (can be found inside the ARC-IB war file)
authapi.jar (can be found in the authentication library jar files)

Also the following jars must be taken from the 4TRESS deployment:
jbossall-client.jar (if 4TRESS is deployed on JBoss)
or
ws_runtime.jar (if 4TRESS is deployed on Websphere; not necessary if ARC-IB is on Websphere)
SS_4TRESS_PUBLIC_Client.jar (the 4TRESS client jar, available from the 4TRESS installation)

Examples of the arc_jaas.config for token based authentication and password based authentication can
be found in Appendices A and B respectively.

Websphere server java environment


Note: The 4TRESS installation MUST be on Websphere if deploying ARC-IB on Websphere.
Note: Websphere must not have global security enabled; authentication is handled in the application
filters.
The properties below must be set in the Websphere GUI so that they are available to the authentication
part of the ARC-IB application.
Configuration Property                          Description
java.naming.factory.initial                     Naming service factory class for accessing 4TRESS
java.naming.provider.url                        URL of the 4TRESS server
java.naming.factory.url.pkgs                    Naming packages for 4TRESS
java.security.auth.login.config                 The arc_jaas.config file for ARC-IB. Websphere sets this
                                                automatically to
                                                <Websphere Server Instance>/properties/wsjaas.conf
                                                and overwrites any value of this system property, so it is
                                                important that wsjaas.conf is updated with the correct
                                                JAAS config.
ARC_CONFIG_APP_NAME                             Application name in use for the application (ARC)
ARC_CONFIG_PATH                                 Configuration file for token binding (not required if hardware
                                                tokens are not used to generate one-time passwords)
com.temenos.t24.commons.logging.LoggerFactory   Logger class to use. If set to
                                                "com.temenos.t24.commons.logging.impl.Log4jLoggerFactory",
                                                log4j logging is used; supply an appropriate log4j.properties
                                                file on the classpath.

The following jars must be copied to the <WEBSPHERE_HOME>/lib/ext directory:
authentication-webcommon.jar (from this archive)
temenos-commons-logging.jar (from this archive, can also be found inside the ARC-IB war file)
log4j-1.2.9.jar (can be found inside the ARC-IB war file)
authapi.jar (can be found in the authentication library jar files)

Also the following jars must be taken from the 4TRESS deployment:
SS_4TRESS_PUBLIC_Client.jar (The 4TRESS client jar, available from the 4TRESS installation)

Examples of the arc_jaas.config for token based authentication and password based authentication can
be found in Appendices A and B respectively. The contents of the appropriate example JAAS config file
must be added to the beginning of the Websphere wsjaas.conf file.

T24 Server Environment


When running the TCServer, the following environment variables should be set (usually in .profile):
4TRESS on JBoss
export JBCJVMOPT1=-DARC_CONFIG_PATH=<CONFIG_DIR>/server.config
export JBCJVMOPT2=-DARC_CONFIG_APP_NAME=ARC
export JBCJVMOPT3=-Djava.naming.factory.initial=org.jnp.interfaces.NamingContextFactory
export JBCJVMOPT4=-Djava.naming.provider.url=jnp://<4TRESS_SERVER_IP>:1099
export JBCJVMOPT5=-Djava.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces

4TRESS on Websphere
export JBCJVMOPT1=-DARC_CONFIG_PATH=<CONFIG_DIR>/server.config
export JBCJVMOPT2=-DARC_CONFIG_APP_NAME=ARC
export JBCJVMOPT3=-Djava.naming.factory.initial=com.ibm.websphere.naming.WsnInitialContextFactory
export JBCJVMOPT4=-Djava.naming.provider.url=iiop://<4TRESS_SERVER_IP>:2809
export JBCJVMOPT5=-Djava.naming.factory.url.pkgs=com.ibm.websphere.naming

The following jars must be copied to <T24RUNDIR>/jars:
authentication-t24server.jar (from this archive)
temenos-commons-logging.jar (from this archive, can also be found inside the ARC-IB war file)
commons-codec-1.3.jar (apache)

Also the following jars must be taken from the 4TRESS deployment:
jbossall-client.jar (if 4TRESS is deployed on JBoss)
or
ws_runtime.jar (if 4TRESS is deployed on Websphere)
SS_4TRESS_PUBLIC_Client.jar (The 4TRESS client jar, available from the 4TRESS installation)

A server configuration file must also be set up which contains the cryptography and 4TRESS system user
information. The system user properties to set are:
Configuration Property                        Description
temenos.arc.security.ftress.upauth.user       <ENCRYPTED_4TRESS_SYSTEM_USERID>
temenos.arc.security.ftress.upauth.password   <ENCRYPTED_4TRESS_SYSTEM_PASSWORD>

An example file can be seen in appendix C.

4TRESS Authentication Server Configuration


Note that integration with other authentication servers, or other types of authentication (such as
memorable data instead of one time passwords) is possible, with a little additional work.
Deployment of this functionality requires:
• A running and configured ActivIdentity 4TRESS server
o Please refer to the ActivIdentity documentation for further details.
o Token devices must have been loaded onto the server.
The next part of this section assumes that a 4TRESS configurer user has been set up, as well as a user
administrator operator user who has permissions to create function sets and assign them to user
subgroups.

Setup Under Configurer User

Authentication Types

All settings when creating the authentication types should be default except the following:
One Time Password Authentication Types

Authentication Name   Authentication Type   Authenticator Adapter   Manager Adapter   Token/Password/Both
AT_AIOTP              One Time Password     FTRESS_TOK              FTRESS_DAM        Token

Authentication Name   Authentication Type       Seeding Type                   Authenticator Adapter   Manager Adapter   Token/Password/Both
AT_CUSTMW             Customer Memorable Word   SEEDED (2 seeds) for           FTRESS_UP               FTRESS_UPM        Both
                                                Password, UNSEEDED for Token
AT_CUSTPW             Customer Password         UNSEEDED                       FTRESS_UP               FTRESS_UPM        Password
AT_CUSTPIN            Customer PIN              UNSEEDED                       FTRESS_UP               FTRESS_UPM        Token

Fields such as “Valid days on creation”, “Valid days on update”, “Disable Threshold” and “Session
Inactivity Timeout” should be configured according to the bank's policies.

Attribute Types

Attribute Type   Name                  Description
ATR_T24UID       T24 User ID           The impersonation ID for login to T24
ATR_T24PW        T24 User's Password   The encrypted, string-encoded T24 user's password
ATR_CUSTPW       Customer Password     The encrypted, string-encoded ARC password

User Groups

The following fields should be added to the user groups so that they are visible when editing users. If
customers do not wish 4TRESS administrators to see the encrypted user ids and passwords then this
step can be ignored.
User Group   Attribute           Description
UG_EXTN      Customer Password   The customer password attribute
             T24 Password        The T24 password attribute
             T24 User Id         The T24 User Id attribute

Setup Under Operator Admin User

Function Sets

Function Set   Permissions                          Token/Password/Both
FS_CUST        Create device authenticator          Token
               Create login authenticator           Both
               Delete login authenticator           Both
               Read user details                    Password
               Update user attributes               Password
               Change password user not present     Password
               Read reference data                  Password
               Reset password user not present      Password
               Read audit log                       Password
               Search users                         Password
               Update device authenticator status   Password
               Update login authenticator status    Password
               Update user external reference id    Password
FS_T24FS       Create login authenticator           Both
               Create user                          Both
               Delete device authenticator          Both
               Delete user                          Both
               Read user details                    Both
               Search users                         Both
               Update user attributes               Both
FS_BIND        Create device authenticator          Token
               Create login authenticator           Token
               Delete login authenticator           Token
               Search devices                       Token
               Change password user not present     Token
               Read reference data                  Token
               Read audit log                       Token
               Read user details                    Token
               Search users                         Token
               Update device authenticator status   Token
               Update login authenticator status    Token
               Update user attributes               Token
               Update user external reference id    Token

User Subgroups and Permissions

Subgroup     Parent Group   Function Set   Authentication Type   Token/Password/Both
USG_T24SYS   UG_SYSTEMS     FS_T24FS       System Login          Both
USG_CUST     UG_EXTN        FS_CUST        Customer PIN          Token
                            FS_BIND        Memorable Word        Token
                            FS_CUST        Customer Password     Password

4TRESS Configuration for Challenge-Response


Ensure that the Device Authenticator Type, AT_AIOTP has the challenge handling field set as “User
Defined Challenge” and has the channel “Direct” in the selected Channels.


Configuring the ARC-IB Authentication Environment for RSA


The ARC-IB product is set up to delegate authentication of the internet banking solution to an instance
of the RSA ACE authentication server.
This section discusses how the integration is configured. See the security white paper for
implementation details.
By default, integration with an authentication server is not enabled.
To enable it, the web.xml file which is deployed to the application's WEB-INF directory must be updated.
To do so, replace the existing web.xml with the appropriate file, as shown in the table below. On both
Websphere and Tomcat, the ARC-IB should first be deployed and then the correct web.xml can be
renamed as the web.xml file. The other settings such as channels should be set up as they are in T24
Browser.
Authentication server configuration           File to rename to web.xml
RSA with tokens                               web_RSA_TOKEN_INTEGRATION.xml
RSA with tokens for deployment on Websphere   Web_RSA_TOKEN_INTEGRATION_Websphere.xml

Java Security Configuration (both Web Server and T24 Server)


ARC-IB authentication uses Advanced Encryption Standard (AES) 256-bit encryption in order to encrypt
the T24 user id and password in the 4TRESS server. This is strong encryption that is not enabled by
default in Java installations.
On a Sun Java installation on any platform, or an HP-UX Java installation, or an AIX platform with an
HSM (Hardware Security Module) for key storage:
• Download the unrestricted security policy files from the Sun Java website appropriate for
the version of Java installed (1.5 or above).
• Extract the policy jar files and copy them to the <JRE_DIR>/lib/security directory.
• Download a provider jar for AES 256-bit encryption. Two possibilities for this are from
Bouncy Castle (a free implementation, http://www.bouncycastle.org/latest_releases.html) or,
if available, the IBM JCE provider jars available in IBM Java implementations
(ibmjceprovider.jar and ibmpkcs.jar). Alternatively, other commercial providers are
available.
If you are using an HSM for key storage, the HSM should be supplied with a security
provider jar (see HSM vendor documentation for details).
• Copy the relevant jars into the <JRE_DIR>/lib/ext directory.
• Modify the <JRE_DIR>/lib/security/java.security file as follows:
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
 
You must change it to:


#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider

If using the IBM provider instead of the BouncyCastleProvider, you must add
security.provider.2=com.ibm.crypto.provider.IBMJCE

If using an HSM, you must add the appropriate class for the HSM you are using. Please
see the documentation from your HSM vendor for details.
Also in the java.security file, you must change the line:
#
# Default keystore type.
#
keystore.type=jks

to 
#
# Default keystore type.
#
keystore.type=JCEKS

On an AIX or any other platform using an IBM Java implementation without an HSM for key storage:
• Download the unrestricted security policy files from the IBM website appropriate for the
version of Java installed (1.5 or above).
• Extract the policy jar files and copy them to the <JRE_DIR>/lib/security directory.
• Modify the <JRE_DIR>/lib/security/java.security file as follows:
In the java.security file, you must change the line:
#
# Default keystore type.
#
keystore.type=jks

to 
#
# Default keystore type.
#
keystore.type=JCEKS

Creating a JCE Keystore


The ARC-IB system requires that AES 256bit encryption keys are stored in a format accessible through
the Java Cryptography Extension (JCE) API. At the simplest level this can be in the form of a keystore
file. Alternatively for a more secure approach, an HSM (Hardware Security Module) can be used. For
information on creating keys and JCE interface to your HSM, please see the user documentation
supplied by your HSM vendor.


The keystore must be on the Tomcat server. The same keystore must be copied to the T24 server if
using RSA managed PIN instead of the T24 managed external user password. The details of the key
must be in the relevant config fields of the arc_jaas.config file (see Appendices A or B):
temenos.arc.security.crypto.keystore.password="<JCE_KEYSTORE_PASSWORD>"
temenos.arc.security.crypto.keystore="<JCE_KEYSTORE_FILE_PATH>"
temenos.arc.security.crypto.key.password="<ENCRYPTION_KEY_PASSWORD>"
temenos.arc.security.crypto.key.alias="<KEY_ALIAS>"
temenos.arc.security.crypto.class="com.temenos.arc.security.authenticationserver.common.AESCryptographyService"

If you wish to create your own JCE keystore file, several commercial key manager tools are available to
do so (e.g. IBM's Encryption Key Manager). Alternatively, a free tool such as JSTK (JavaSpaces
Technology Kit) can be used.
For JSTK, the appropriate commands are:
• Extract all files from jstk-1_0_1.zip.
• Open a command window and go to the expanded directory, \jstk-1.0.1.
• Run:
o bin\crypttool.bat genk -action store -keystore test.jceks -storepass foo -alias testKey -keypass bar -keysize 256 -algorithm AES -kstype JCEKS
o Copy the test.jceks file to the appropriate location, as specified in the
temenos.arc.security.crypto.keystore property of the ARC-IB configuration files.
See the appropriate vendor documentation on how to download and use IBM Encryption Key Manager.
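The following Java program is an added example, not part of this guide and not Temenos code. It performs the checks implied by the Java Security Configuration section and by the keystore steps above: it verifies that the installed policy permits 256-bit AES, lists the provider order read from java.security, creates a JCEKS keystore holding an AES-256 key under an alias if none exists (the equivalent of the crypttool genk step), loads the key back using the separate store and key passwords, and round-trips a value through it. The file name, passwords and alias are assumed sample values mirroring the arc_jaas.config placeholders; the cipher mode (AES/GCM) is this example's choice and says nothing about what AESCryptographyService does internally. It assumes Java 8 or later.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/*
 * Added example (not Temenos code). The four values below mirror the
 * placeholders of arc_jaas.config (temenos.arc.security.crypto.keystore,
 * .keystore.password, .key.alias, .key.password) and are assumed sample
 * values, not those of a real deployment.
 */
public class JceksKeyCheck {
    static final String KEYSTORE_PATH = "test.jceks";
    static final char[] STORE_PASS = "keystorepass".toCharArray();
    static final String KEY_ALIAS = "testKey";
    static final char[] KEY_PASS = "keypass".toCharArray();

    public static void main(String[] args) throws Exception {
        // 1. Policy check: without the unrestricted policy files an old JRE caps AES at
        //    128 bits and rejects a 256-bit key at Cipher.init with an InvalidKeyException.
        int maxBits = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("AES key length permitted by policy: " + maxBits);
        if (maxBits < 256) {
            throw new IllegalStateException("Install the unrestricted security policy files first");
        }

        // 2. Provider preference order as read from the security.provider.N lines of java.security.
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName());
        }

        // 3. Create the keystore if missing. JKS cannot hold secret-key entries, which is
        //    why the guide switches keystore.type to JCEKS.
        File file = new File(KEYSTORE_PATH);
        if (!file.exists()) {
            createKeystore(file);
        }

        // 4. Load the key by alias, exactly as a service configured with the crypto.* properties must.
        SecretKey key = loadKey(file);
        System.out.println("Loaded " + key.getAlgorithm() + " key of "
                + key.getEncoded().length * 8 + " bits under alias " + KEY_ALIAS);

        // 5. Round-trip a constructed sample value.
        byte[] plain = "T24USER1".getBytes(StandardCharsets.UTF_8);
        byte[] sealed = encrypt(key, plain);
        System.out.println("Encrypted (Base64): " + Base64.getEncoder().encodeToString(sealed));
        if (!Arrays.equals(plain, decrypt(key, sealed))) {
            throw new IllegalStateException("round trip failed");
        }
        System.out.println("Round trip OK");
    }

    // Equivalent of "crypttool genk -action store ... -keysize 256 -algorithm AES -kstype JCEKS".
    static void createKeystore(File file) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);                             // start from an empty store
        ks.setKeyEntry(KEY_ALIAS, key, KEY_PASS, null);  // key password is independent of the store password
        try (FileOutputStream out = new FileOutputStream(file)) {
            ks.store(out, STORE_PASS);
        }
    }

    static SecretKey loadKey(File file) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, STORE_PASS);                     // wrong store password: IOException
        }
        SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, KEY_PASS); // wrong key password: UnrecoverableKeyException
        if (key == null) {
            throw new IllegalStateException("no key stored under alias " + KEY_ALIAS);
        }
        return key;
    }

    // AES-GCM with a fresh 96-bit IV prefixed to the ciphertext (this example's choice of mode).
    static byte[] encrypt(SecretKey key, byte[] plain) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] sealed) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, Arrays.copyOfRange(sealed, 0, 12)));
        return c.doFinal(sealed, 12, sealed.length - 12);
    }
}
```

Compile and run it with javac and java on the JRE that Tomcat or the TCServer will use, since the policy and provider checks are per-installation. A wrong keystore password surfaces as an IOException at load time and a wrong key password as an UnrecoverableKeyException, which is the symptom to expect when the four crypto.* properties and the keystore file disagree.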

Tomcat server java environment


Most of these are standard except the final two entries:
-Dcatalina.home=<TOMCAT_DIR>
-Dcatalina.base=<TOMCAT_DIR>
-Djava.endorsed.dirs=<TOMCAT_DIR>\common\endorsed
-Djava.io.tmpdir=<TOMCAT_DIR>\temp
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=<TOMCAT_DIR>\conf\logging.properties
-Djava.security.auth.login.config=<CONFIG_DIR>\arc_jaas.config
-DARC_CONFIG_APP_NAME=ARC

Configuration Property            Description
java.security.auth.login.config   Specifies the arc_jaas.config file for ARC-IB
ARC_CONFIG_APP_NAME               Specifies the application name in use for the application

The following jars must be copied to the <TOMCAT_DIR>/common/lib directory:
authapi.jar (from this archive)
authentication-webcommon.jar (from this archive)
temenos-commons-logging.jar (from this archive, can also be found inside the ARC-IB war file)
commons-codec-1.3.jar (from this archive, can also be obtained from apache)
log4j-1.2.9.jar (from this archive, can also be obtained from apache)

Examples of the arc_jaas.config for token based authentication can be found in Appendix D.


Websphere server java environment

Configuration Property            Description
java.security.auth.login.config   This is set automatically by Websphere to the value
                                  <Websphere Server Instance>/properties/wsjaas.conf
                                  Websphere will overwrite any value of this system
                                  property, so it is important that this file is updated with
                                  the correct JAAS config.
ARC_CONFIG_APP_NAME               Specifies the application name in use for the application

The following jars must be copied to the <WEBSPHERE_HOME>/lib/ext directory:
authapi.jar (from this archive)
authentication-webcommon.jar (from this archive)
temenos-commons-logging.jar (from this archive, can also be found inside the ARC-IB war file)
commons-codec-1.3.jar (from this archive, can also be obtained from apache)
log4j-1.2.9.jar (from this archive, can also be obtained from apache)

Examples of the arc_jaas.config for token based authentication can be found in Appendix D. The
contents of the appropriate example JAAS config file must be added to the beginning of the Websphere
wsjaas.conf file.

T24 Server Environment


When running the TCServer, the following environment variables should be set (usually in .profile):
export JBCJVMOPT1=-DARC_CONFIG_PATH=<CONFIG_DIR>/rsa-server.config
export JBCJVMOPT2=-DARC_CONFIG_APP_NAME=ARC

The following jars must be copied to <T24RUNDIR>/jars:
authentication-t24server.jar (from this archive)
temenos-commons-logging.jar (from this archive, can also be found inside the ARC-IB war file)
commons-codec-1.3.jar (apache)

RSA sdconf.rec File


The sdconf.rec file, once created from the RSA Authentication server, must be placed in the
<CONFIG_DIR>. This file ensures that only servers that have the sdconf.rec file explicitly copied to
them are able to communicate with RSA Authentication Manager.

RSA Properties File


There is an RSA properties file (specified in the jaas config file on the web server). This contains
information telling the RSA API jar how to connect to the RSA Server. Some of the important
parameters in the file are as follows:


Parameter        Value/Description
RSA_AGENT_HOST   This parameter overrides the IP address of the RSA agent host. In this case it
                 should be set to the IP address of the ARC-IB Web Server machine.
SDCONF_LOC       This gives the full path and name of the sdconf.rec file generated in the RSA
                 Authentication Manager server. E.g. C:\RSA-config\sdconf.rec
RSA_LOG_FILE     The path and name of the RSA log file. This will contain log information for all
                 RSA AM requests through the API jar.
RSA_LOG_LEVEL    This dictates the log level of which log messages will be reported in the above
                 log file.

RSA Port Configuration


It is essential that a port is configured in the /etc/services file
(C:\WINDOWS\System32\drivers\etc\services on Windows) through which the RSA AM API jar can
communicate to the RSA AM Server. The port must be named “securid”.
Note that the API will use a default port if none is set as long as the default is not allocated for a
different purpose.


Appendix

Appendix A - arc_jaas.config for token based authentication in ARC-IB with 4TRESS
ARC {
  com.temenos.arc.security.jaas.ArcLoginModule
  Requisite
    debug="true"
    temenos.arc.security.ftress.userid.length="9"
    temenos.arc.security.ftress.password.length="6"
    temenos.arc.security.t24.password.length="12"
    temenos.arc.security.ftress.isseeded="false"
    temenos.arc.jaas.delegate="com.temenos.arc.security.jaas.DeviceAuthenticator"
    temenos.arc.jaas.committer="com.temenos.arc.security.jaas.JaasCommitter"
    temenos.arc.jaas.callback.override=""
    temenos.arc.security.charset="UTF-8"
    temenos.arc.security.ftress.user.attribute.t24user=""
    temenos.arc.security.ftress.user.attribute.t24pass=""
    temenos.arc.security.ftress.channel="CH_WEB"
    temenos.arc.security.ftress.domain="DOMAIN1"
    temenos.arc.security.ftress.authtype="AT_AIOTP"
    temenos.arc.security.ftress.device.mode="SYNC"
    temenos.arc.security.ftress.delimiter="|"
    temenos.arc.security.crypto.keystore.password="keystorepass"
    temenos.arc.security.crypto.keystore="C:/T24/config/test.jceks"
    temenos.arc.security.crypto.key.password="keypass"
    temenos.arc.security.crypto.key.alias="testKey"
    temenos.arc.security.crypto.class="com.temenos.arc.security.authenticationserver.common.AESCryptographyService"
  ;
  com.temenos.arc.security.jaas.ArcLoginModule
  Required
    debug="true"
    temenos.arc.jaas.delegate="com.temenos.arc.security.jaas.JaasUsernamePasswordAuthenticator"
    temenos.arc.jaas.committer="com.temenos.arc.security.jaas.T24AttributeCommitter"
    temenos.arc.jaas.callback.override=""
    temenos.arc.security.charset="UTF-8"
    temenos.arc.security.ftress.user.attribute.t24user="ATR_T24UID"
    temenos.arc.security.ftress.user.attribute.t24pass="ATR_T24PW"
    temenos.arc.security.ftress.channel="CH_WEB"
    temenos.arc.security.ftress.domain="DOMAIN1"
    temenos.arc.security.ftress.authtype="AT_CUSTPIN"
    temenos.arc.security.ftress.create.session="false"
  ;
};

For R9 and above, use
com.temenos.arc.security.authenticationserver.ftress.FtressLoginModule
instead of
com.temenos.arc.security.jaas.ArcLoginModule
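The following Java program is an added example, not part of this guide and not Temenos code. It shows what the JVM does with the two settings the web-server sections require, -Djava.security.auth.login.config=<CONFIG_DIR>/arc_jaas.config and -DARC_CONFIG_APP_NAME=ARC: the file is parsed by the default JAAS Configuration and the entry named ARC is looked up, yielding the login modules, their control flags (Requisite first, then Required, as in Appendix A) and their options. The embedded config is a constructed, cut-down file in the shape of Appendix A with placeholder values; the password-redaction rule is this example's own check, since the keystore and key passwords in this file are stored in clear and the file's permissions must be restricted accordingly.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

/*
 * Added example (not Temenos code). Loads a JAAS config file the way the JVM
 * does for -Djava.security.auth.login.config and inspects the "ARC" entry.
 * SAMPLE is a constructed cut-down file in the shape of Appendix A; its
 * values are placeholders, not a real deployment's.
 */
public class JaasConfigCheck {
    static final String SAMPLE =
          "ARC {\n"
        + "  com.temenos.arc.security.jaas.ArcLoginModule Requisite\n"
        + "    debug=\"true\"\n"
        + "    temenos.arc.jaas.delegate=\"com.temenos.arc.security.jaas.DeviceAuthenticator\"\n"
        + "    temenos.arc.security.ftress.authtype=\"AT_AIOTP\"\n"
        + "    temenos.arc.security.crypto.keystore=\"C:/T24/config/test.jceks\"\n"
        + "    temenos.arc.security.crypto.keystore.password=\"keystorepass\"\n"
        + "    temenos.arc.security.crypto.key.alias=\"testKey\"\n"
        + "    temenos.arc.security.crypto.key.password=\"keypass\";\n"
        + "  com.temenos.arc.security.jaas.ArcLoginModule Required\n"
        + "    debug=\"true\"\n"
        + "    temenos.arc.jaas.delegate=\"com.temenos.arc.security.jaas.JaasUsernamePasswordAuthenticator\"\n"
        + "    temenos.arc.security.ftress.authtype=\"AT_CUSTPIN\";\n"
        + "};\n";

    public static void main(String[] args) throws IOException {
        Path cfg = Files.createTempFile("arc_jaas", ".config");
        Files.write(cfg, SAMPLE.getBytes(StandardCharsets.UTF_8));

        // Equivalent of -Djava.security.auth.login.config=<CONFIG_DIR>/arc_jaas.config
        System.setProperty("java.security.auth.login.config", cfg.toString());
        // Equivalent of -DARC_CONFIG_APP_NAME=ARC: the application name selects the entry.
        String appName = "ARC";

        AppConfigurationEntry[] entries =
                Configuration.getConfiguration().getAppConfigurationEntry(appName);
        if (entries == null) {
            throw new IllegalStateException("no JAAS entry named " + appName + " in " + cfg);
        }

        for (AppConfigurationEntry e : entries) {
            LoginModuleControlFlag flag = e.getControlFlag();
            System.out.println(e.getLoginModuleName() + "  [" + flag + "]");
            for (Map.Entry<String, ?> opt : e.getOptions().entrySet()) {
                // Keystore and key passwords sit in clear in this file; never echo them.
                boolean secret = opt.getKey().endsWith(".password");
                System.out.println("    " + opt.getKey() + " = " + (secret ? "<redacted>" : opt.getValue()));
            }
            if (flag == LoginModuleControlFlag.REQUISITE) {
                System.out.println("    (Requisite: if this module fails, no later module runs)");
            } else if (flag == LoginModuleControlFlag.REQUIRED) {
                System.out.println("    (Required: a failure fails the login, but later modules still run)");
            }
        }
        Files.delete(cfg);
    }
}
```

Pointing the property at the real <CONFIG_DIR>/arc_jaas.config instead of the temporary file gives a quick syntax check of a deployed configuration: a malformed file raises an exception from Configuration.getConfiguration(), and a misspelt application name returns null from getAppConfigurationEntry, which are the two failure modes behind a web server that starts but cannot authenticate.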


Appendix B - arc_jaas.config for generic authentication in ARC-IB with 4TRESS

ARC {
  com.temenos.arc.security.authenticationserver.ftress.FtressLoginModule
  Requisite
    debug="true"
    temenos.arc.security.ftress.user.attribute.arcpass="ATR_CUSTPW"
    temenos.arc.security.ftress.user.attribute.t24pass="ATR_T24PW"
    temenos.arc.security.ftress.user.attribute.t24user="ATR_T24UID"
    temenos.arc.security.ftress.authtype.password="AT_CUSTPW"
    temenos.arc.security.ftress.authtype.pin="AT_CUSTPIN"
    temenos.arc.security.ftress.authtype.device="AT_AIOTP"
    temenos.arc.security.ftress.device.mode="SYNC"
    temenos.arc.security.ftress.authtype.memword="AT_CUSTMW"
    temenos.arc.security.channel.otppin="INTERNET.OTPPIN"
    temenos.arc.security.channel.otp="INTERNET.OTP"
    temenos.arc.security.channel.pwmw="INTERNET.PWMW"
    temenos.arc.security.channel.pw="INTERNET.PW"
    temenos.arc.security.ftress.channel="CH_WEB"
    temenos.arc.security.charset="UTF-8"
    temenos.arc.security.ftress.domain="DOMAIN1"
    temenos.arc.jaas.delegate="com.temenos.arc.security.authenticationserver.ftress.GenericAuthenticator"
    temenos.arc.jaas.committer="com.temenos.arc.security.authenticationserver.ftress.FtressCommitter"
    temenos.arc.jaas.callback.override=""
    temenos.arc.security.ftress.delimiter="|"
    temenos.arc.homepage="/modelbank/unprotected/Ftressformlogin.jsp"
    temenos.arc.security.crypto.keystore.password="foo"
    temenos.arc.security.crypto.keystore="C:/ARCIB-CONFIG/key/test.jceks"
    temenos.arc.security.crypto.key.password="bar"
    temenos.arc.security.crypto.key.alias="testKey"
    temenos.arc.security.crypto.class="com.temenos.arc.security.authenticationserver.common.AESCryptographyService"
  ;
};


Appendix C - Example server.config file for ARC-IB


ARC {
  temenos.arc.security.ftress.user.attribute.t24user="ATR_T24UID"
  temenos.arc.security.ftress.user.attribute.t24pass="ATR_T24PW"
  temenos.arc.security.ftress.user.attribute.arcpass="ATR_CUSTPW"
  temenos.arc.security.ftress.upauth.user="5/J9EfAi86tKW7TyuIClaQ=="
  temenos.arc.security.ftress.upauth.password="u+I6Icw7kFSjVGzea31o3g=="
  temenos.arc.security.authserver="4TRESS"
  temenos.arc.security.ftress.authtype="AT_SYSLOG"
  temenos.arc.security.channel.otppin="INTERNET.OTPPIN"
  temenos.arc.security.channel.otp="INTERNET.OTP"
  temenos.arc.security.channel.pwmw="INTERNET.PWMW"
  temenos.arc.security.channel.pw="INTERNET.PW"
  temenos.arc.security.ftress.authtype.password="AT_CUSTPW"
  temenos.arc.security.ftress.authtype.pin="AT_CUSTPIN"
  temenos.arc.security.ftress.authtype.device="AT_AIOTP"
  temenos.arc.security.ftress.authtype.memword="AT_CUSTMW"
  temenos.arc.security.ftress.channel="CH_DIRECT"
  temenos.arc.security.charset="UTF-8"
  temenos.arc.security.ftress.domain="DOMAIN1"
  temenos.arc.security.ftress.device.mode="SYNC"
  temenos.arc.security.ftress.userid.length="9"
  temenos.arc.security.ftress.userid.shared="true"
  temenos.arc.security.ftress.password.length="6"
  temenos.arc.security.t24.password.length="12"
  temenos.arc.security.crypto.keystore.password="keypass"
  temenos.arc.security.crypto.keystore="/infra1/TestBase/TestBase.run/key/test.jceks"
  temenos.arc.security.crypto.key.password="password"
  temenos.arc.security.crypto.key.alias="testKey"
  temenos.arc.security.crypto.class="com.temenos.arc.security.authenticationserver.common.AESCryptographyService"
  ;
};

Note: The encrypted 4TRESS system user id and password values in the configuration file can be
produced using the encryption tool supplied in the ARC-IB package.


Appendix D - arc_jaas.config for token based authentication in ARC-IB with RSA

ARC {
  com.temenos.arc.security.jaas.ArcLoginModule
  Requisite
    debug="true"
    temenos.arc.jaas.delegate="com.temenos.arc.security.rsa.DeviceAuthenticator"
    temenos.arc.jaas.committer="com.temenos.arc.security.rsa.T24AttributeCommitter"
    temenos.arc.jaas.callback.override=""
    temenos.arc.security.charset="UTF-8"
    temenos.arc.security.crypto.keystore.password="foo"
    temenos.arc.security.crypto.keystore="C:/T24/Browser/test.jceks"
    temenos.arc.security.crypto.key.password="bar"
    temenos.arc.security.crypto.key.alias="testKey"
    temenos.arc.security.crypto.class="com.temenos.arc.security.authenticationserver.common.AESCryptographyService"
    temenos.arc.security.rsa.configpath="C:/T24/Browser/sample.properties"
    temenos.arc.security.ftress.delimiter="|"
  ;
};


Appendix E – rsa-server.config for token based authentication in ARC-IB with RSA

ARC {
  temenos.arc.security.authserver="RSA"
  temenos.arc.security.rsa.user.file="c:/T24/Browser/rsa_users.txt"
  temenos.arc.security.charset="UTF-8"
  temenos.arc.security.t24.password.length="8"
  temenos.arc.security.t24.userid.minlength="6"
  temenos.arc.security.crypto.keystore.password="foo"
  temenos.arc.security.crypto.keystore="C:/T24/Browser/test.jceks"
  temenos.arc.security.crypto.key.password="bar"
  temenos.arc.security.crypto.key.alias="testKey"
  temenos.arc.security.crypto.class="com.temenos.arc.security.authenticationserver.common.AESCryptographyService"
  ;
};


Appendix F - sample.properties for token based authentication in ARC-IB with RSA

# RSA Authentication API Properties

# Override Host IP Address
RSA_AGENT_HOST=10.50.1.89

# Interval in seconds between which configuration is refreshed.
RSA_CONFIG_READ_INTERVAL=600

# [This section is for Data Repository configuration.]
# Type of the Server configuration.
SDCONF_TYPE=FILE
# Path of the Server configuration.
#SDCONF_LOC=sdconf.rec
SDCONF_LOC=C:/T24/Browser/sdconf.rec
# Type of the Server statuses.
SDSTATUS_TYPE=FILE
# Path of the Server statuses.
#SDSTATUS_LOC=JAStatus.1
SDSTATUS_LOC=C:/T24/Browser/JAStatus.1
# Type of the Server options.
SDOPTS_TYPE=FILE
# Path of the Server options.
#SDOPTS_LOC=sdopts.rec
SDOPTS_LOC=sdopts.rec
# Type of the Node Secret.
SDNDSCRT_TYPE=FILE
# Path of the Node Secret.
SDNDSCRT_LOC=C:/T24/Browser/securid

# [This section is for event logger.]
# Logs event messages to the console.
RSA_LOG_TO_CONSOLE=YES
# Logs event messages to a file.
RSA_LOG_TO_FILE=YES
# Name of the log file.
RSA_LOG_FILE=C:/T24/Browser/rsa_api.log
# Minimum severity level allowed to log.
RSA_LOG_LEVEL=INFO

# [This section is for debugger.]
# Enables debug tracing.
RSA_ENABLE_DEBUG=YES
# Sends tracing to the console.
RSA_DEBUG_TO_CONSOLE=YES
# Sends tracing to a file.
RSA_DEBUG_TO_FILE=YES
# Name of the trace file.
RSA_DEBUG_FILE=rsa_api_debug.log
# Allows function entry tracing.
RSA_DEBUG_ENTRY=YES
# Allows function exit tracing.
RSA_DEBUG_EXIT=YES
# Allows control flow tracing.
RSA_DEBUG_FLOW=YES
# Allows regular tracing.
RSA_DEBUG_NORMAL=YES
# Traces the location.
RSA_DEBUG_LOCATION=NO
