Integration Server 11.1 | Integration Server Administrator's Guide | Authenticating Clients | Basic Authentication
Basic Authentication
When Integration Server uses basic authentication, it prompts the client for a user name and password. If a user account is found for the supplied user name, Integration Server authenticates the user name by comparing the supplied password to the password in the user account. If the password is correct, Integration Server proceeds with the request. If the password is not correct, Integration Server rejects the request.
If the client does not supply a user name or password, Integration Server uses the Default user account for the client.
The following table summarizes how Integration Server proceeds with a client request when basic authentication is in use, depending on whether the client supplies a correct user name/password combination.
Client supplied a user name/password? | User Name found? | Password correct? | The request...
Yes | Yes | Yes | proceeds
Yes | Yes | No | is rejected
Yes | No | N/A | is rejected
No | N/A | N/A | proceeds using the Default user account
Integration Server stores user names and passwords in the authentication cache. The authentication cache is a caching layer in Integration Server that stores the user names and passwords in hash format. Integration Server uses the dedicated password hashing algorithm Password-Based Key Derivation Function 2 (PBKDF2) to hash all user passwords.
After the first successful authentication of a user name and password (whether for a local user or central user/LDAP), Integration Server stores the credentials in the authentication cache for future reference. On subsequent authentication requests, Integration Server checks to see if the credentials already exist in the authentication cache. If the credentials already exist in the authentication cache, Integration Server does not perform any additional validation of the credentials.
Once a user has changed the password and logged in successfully with the new password, Integration Server removes the old password from the authentication cache.
You control the authentication cache through the following server configuration parameters:
* watt.server.auth.cache.enabled. Enables and disables the authentication cache.
* watt.server.auth.cache.timeout. Specifies the number of milliseconds that each cache entry can remain unused before Integration Server removes it from the authentication cache.
* watt.server.auth.cache.capacity. Specifies the number of user name and password combinations Integration Server stores in the authentication cache.
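The caching behavior described above, as an added Python model that is not Integration Server code: the first successful login is validated by a backend and cached as a PBKDF2 hash, and later matching logins are answered from the cache until the entry times out or the user logs in with a new password. The class and function names, HMAC-SHA256, the salt, the iteration count, the per-user entry layout and the eviction order are assumptions made for the example.

```python
import hashlib, hmac, os, time

class AuthCache:
    """Toy model of the cache described above; not Integration Server code."""
    def __init__(self, backend, timeout_ms, capacity, clock=time.monotonic):
        self.backend = backend            # callable(user, pw) -> bool: local or LDAP check
        self.timeout = timeout_ms / 1000  # models watt.server.auth.cache.timeout
        self.capacity = capacity          # models watt.server.auth.cache.capacity
        self.clock = clock
        self.entries = {}                 # user -> [salt, digest, last_used] (assumed layout)
        self.backend_calls = 0

    @staticmethod
    def _hash(password, salt):
        # PBKDF2 is named on the page; HMAC-SHA256, salt and iterations are assumptions.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def authenticate(self, user, password):
        now = self.clock()
        # Drop entries that stayed unused for longer than the timeout.
        self.entries = {u: e for u, e in self.entries.items() if now - e[2] <= self.timeout}
        entry = self.entries.get(user)
        if entry and hmac.compare_digest(entry[1], self._hash(password, entry[0])):
            entry[2] = now                # cache hit: no additional validation
            return True
        self.backend_calls += 1
        if not self.backend(user, password):
            return False
        if user not in self.entries and len(self.entries) >= max(self.capacity, 1):
            # Evicting the least recently used entry is an assumption.
            del self.entries[min(self.entries, key=lambda u: self.entries[u][2])]
        salt = os.urandom(16)             # a new successful login replaces the old entry
        self.entries[user] = [salt, self._hash(password, salt), now]
        return True

def demo():
    directory = {"alice": "old-pw"}       # constructed sample account store
    now = [0.0]                           # fake clock, in seconds
    cache = AuthCache(lambda u, p: directory.get(u) == p, 1000, 2, clock=lambda: now[0])
    first = cache.authenticate("alice", "old-pw")       # validated by the backend, then cached
    directory["alice"] = "new-pw"                       # password changed at the source
    cached_old = cache.authenticate("alice", "old-pw")  # served from the cache
    calls = cache.backend_calls                         # still 1: the hit skipped the backend
    new = cache.authenticate("alice", "new-pw")         # backend check, replaces the entry
    old_after = cache.authenticate("alice", "old-pw")   # old entry gone, backend rejects
    now[0] += 2.0                                       # idle longer than the 1000 ms timeout
    cache.authenticate("alice", "new-pw")               # entry expired, backend asked again
    return first, cached_old, calls, new, old_after, cache.backend_calls
```

In this model the timeout value bounds how long a cached entry keeps answering logins without the backend being consulted.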
For more information about the server configuration parameters that control the authentication cache, see Server Configuration Parameters. For more information on setting up user accounts, see Defining a User Account. You can also use externally defined user accounts. For more information on how to use external directories and how basic authentication works when using external user accounts, see Configuring a Central User Directory or LDAP.