Remote Patron Authentication

Welcome to LexisNexis Remote Patron Authentication!

Remote Patron Authentication (RPA) for the LexisNexis Academic product suite and nexis.com is a process for authenticating users of these web products who may be attempting to access them from an IP address (such as one provided by their own ISP) that is not recognized by the usual IP address authentication process. It is particularly useful in those cases, such as when the user is a patron of a library that subscribes to the product, where it would be undesirable to disclose an ID and password for the product to the user, who could potentially pass this information along to unauthorized users. RPA essentially provides a way for a subscribing customer to securely authenticate users to LexisNexis by proxy, once the users have been authenticated by the customer. The user simply clicks on a link to the product from the customer's own web site, and is immediately granted access to the product.

Does Your Institution Need RPA?

Probably not. Only institutions that have off-campus users but do not provide them with a proxy server or VPN (virtual private network) connection will need to use RPA for authentication.

How To Get Started with RPA

To use RPA, your institution must:

  • Have its own secure patron authentication system
  • Sign the license addendum that governs the use of the RPA script
  • Receive your unique RPA ID and Password from LexisNexis
  • Install the RPA script on your secure server

The first steps are to review the technical requirements below with your network administrator to make sure RPA will work in your environment, and then to request the license addendum from LexisNexis Academic & Library Solutions Customer Service by calling 1-800-638-8380 or 301-654-1550 or by sending an email to academicinfo@lexisnexis.com

Technical Support

If you have any problems with this installation process, please contact LexisNexis Customer Service in Dayton at 1-800-897-3419. You will need your bill group number in order for Customer Service to assist you. If you do not know your bill group number, please call LexisNexis Academic & Library Solutions Customer Service in Bethesda at 1-800-638-8380. LexisNexis Customer Service in Dayton cannot help you without this number.

RPA Technical Description

RPA is implemented as a CGI script or ASP page that executes on the customer's web server to make a secure connection to the LexisNexis authentication server. The following diagram illustrates how a request from a user's web browser is authenticated and ultimately directed to the LexisNexis product:



The arrows in the diagram indicate the following steps in the process:

  1. The user's web browser invokes the RPA proxy script, typically when the user clicks on a link from a page on the customer's Intranet. It is assumed that the script is located in a place that is only accessible by authorized users of the product and that appropriate authentication has already taken place between the user and the customer.

  2. The RPA proxy script opens a secure SSL connection (indicated by the red arrows) to a LexisNexis Authentication Server, sending the customer's authentication information (e.g. ID and password). An SSL connection is used so that this information cannot be easily intercepted by a "sniffer" program as it is transmitted to LexisNexis over the Internet.

  3. LexisNexis responds to the RPA proxy script with an authentication "key" that can be used by the user's web browser to request access to the customer's subscriptions to LexisNexis products. This key is encrypted and time-sensitive, and must be used within a short period of time or it will expire.

  4. The RPA proxy script, responding to the initial request from the user's web browser (step 1), instructs the browser to redirect to the LexisNexis authentication server, including the authentication key in the URL.

  5. The user's web browser redirects to the LexisNexis authentication server, passing it the authentication key.

If the authentication key is good and has not expired, the LexisNexis authentication server responds by setting an authentication cookie on the web browser for the product and redirecting the browser to the product.

The user's web browser connects to the LexisNexis product and is automatically authenticated by the cookie that it obtained from the authentication server. Subsequent requests from the user go directly to the LexisNexis product and will be accepted as long as the cookie remains valid. When the cookie expires (typically at the end of the day), the user will have to go through the RPA process again to get to the product.

All of this is accomplished within a few seconds and is completely transparent to the user. From the user's perspective, he or she has simply clicked on a link and gone directly to the LexisNexis product.

Security Considerations

As suggested above, it is very important that the RPA proxy script be installed in such a way that only authorized users of the product can invoke it. Any user who executes the RPA script will be granted immediate access to the product. You would not want to install the script where it could be reached by anyone on the Internet, for example. We suggest that you install it on a private Intranet web server, which can only be reached by authorized users. In addition, since the script contains your private customer ID and password, it is important to restrict read access to the script on the server only to authorized administrators. This is implicit if access to the web server is limited to administrators, but if other users have even read-only access to it as well, then it may be necessary to restrict read access to the script in order to secure the ID and password information contained in it. Finally, the security of the transmission of this information to LexisNexis (step 2 in the process description above) is only as strong as the implementation of the underlying SSL protocol, so it is important to carefully follow all security precautions when setting up your web server (and the OpenSSL library if applicable).
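The two controls described above can be sketched as follows. This is an added example, not part of the LexisNexis RPA distribution: it audits the script file's permissions and refuses to issue a redirect unless the web server has already authenticated the user. AUTH_URL, the "key" parameter name and the key-fetching command are placeholders; allowing read access to the web server's group and treating the key as already URL-safe are assumptions.

```shell
#!/bin/sh
# Added example (not LexisNexis code). Placeholder endpoint and parameter name.
AUTH_URL="https://auth.example.invalid/rpa"

# Return 0 only if FILE grants nothing to "other" and is not group-writable.
# Assumption: the web server reads the script through its group.
rpa_perms_ok() {
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 1          # missing or unreadable path
    case "$mode" in
        ?????w????) return 1 ;;         # group-writable
        ???????---) return 0 ;;         # no access at all for other
        *)          return 1 ;;
    esac
}

# CGI handler. $1 is a command that prints the authentication key; it stands
# in for whatever makes the SSL request in steps 2 and 3.
# Prints a CGI response; returns 0 only when a redirect was issued.
rpa_handle() {
    # Step 1 precondition: REMOTE_USER (RFC 3875) is set by the web server
    # only after it has authenticated the caller.
    if [ -z "${REMOTE_USER:-}" ]; then
        printf 'Status: 403 Forbidden\r\n\r\n'
        return 1
    fi
    key=$("$1") || key=""
    # Reject an empty key or one carrying whitespace/control characters,
    # which would otherwise be copied into the Location header.
    clean=$(printf %s "$key" | tr -d '[:space:][:cntrl:]')
    if [ -z "$key" ] || [ "$clean" != "$key" ]; then
        printf 'Status: 502 Bad Gateway\r\n\r\n'
        return 1
    fi
    # Step 4: redirect the browser; the key is short-lived, so forbid caching.
    printf 'Status: 302 Found\r\nCache-Control: no-store\r\n'
    printf 'Location: %s?key=%s\r\n\r\n' "$AUTH_URL" "$key"
}
```

A deployment would call rpa_perms_ok "$0" at startup and exit if it fails, then call rpa_handle with the real key-fetching command.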

Installation Instructions

The LexisNexis RPA process is designed to be implemented entirely in software without any extra hardware or special Internet configuration requirements for our customers. You will need to install some additional software, which is provided at no cost by LexisNexis and other organizations, on your Intranet web server, however. There are many different web servers running on various different machine types and operating systems, but we have provided a number of different options, one of which should work for your server's environment. If you have difficulty installing this software or can't determine which option is best for you, contact LexisNexis Customer Service at 1-800-897-3419 for assistance.

If you have a Unix-based web server:

Unix systems vary widely (even systems from the same vendor may be very differently configured), so it may be necessary for you to install and build portions of the RPA proxy program from source code if they are not already available on your system. The following options for the RPA proxy script are provided for Unix systems:

  • Perl CGI script: This option uses the Net::SSLeay Perl module to make a secure connection to LexisNexis. This module requires at least Perl version 5.005 and the OpenSSL library.
  • Perl CGI script and external program: This option will work with older versions of Perl but it uses an external program (gethttps.exe) to make the secure connection to the LexisNexis authentication server. It also includes the C/C++ source code (gethttps.c) of this program, which uses the OpenSSL library and which you will have to compile to create the executable program.
  • Shell CGI script and external program: This option also depends on an external program such as gethttps to connect to LexisNexis, but it is usable even if Perl is not available on your system because it uses only standard UNIX shell commands.
  • C/C++ CGI program: This option consists of a stand-alone C/C++ program which will have your remote access ID and password compiled in. It requires the OpenSSL library to compile.

The software needed for any of these options is available from these locations:

See the readme file contained in the lnrpaproxy_2007-01.tar file for more information.

If you have a Windows-based web server:

Because Windows systems have a common hardware architecture, you may find it easiest to use the pre-compiled components of this software, but source code is provided if you want to see it or compile it yourself for possible performance benefits. Some of these options will probably work with other i86-based servers (such as Novell NetWare), but such configurations have not been tested at this time. The following options for the RPA proxy script are provided for Windows systems:

  • ASP page for IIS servers: This option uses an ASP page for Microsoft IIS servers. It depends on the Microsoft WinHttp object to make a secure connection to LexisNexis.
  • Perl CGI script: This option uses the Net::SSLeay Perl module to make a secure connection to LexisNexis. This module requires at least Perl version 5.005 and the OpenSSL library.
  • Perl CGI script and external program: This option will work with older versions of Perl but it uses an external program to make the secure connection to the LexisNexis authentication server. It includes the gethttps.exe program (and its C/C++ source code, gethttps.c) for this purpose.
  • C/C++ CGI program: This option consists of a stand-alone C/C++ program which will have your remote access ID and password compiled in. It requires the OpenSSL library to compile.
  • Ready-to-run CGI executable: This option uses a stand-alone binary executable program (the C/C++ source code is included). The remote access ID and password are obtained from the Windows registry. It includes a registry settings file (lnrpa.reg) for setting the remote access ID and password in the Windows registry.

The software needed for any of these options is available from these locations:

See the readme file within the lnrpaproxy_2007-01.zip file for more information.

Again, if you have any problems with this installation process, please contact LexisNexis Customer Service at 1-800-897-3419.

Acknowledgements (pursuant to OpenSSL license):

  • This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)
  • This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)

Copyright ©2009 LexisNexis, a division of Reed Elsevier Inc. All rights reserved.
