1. Administering System Security
2. Administering User Security
Administering Authentication Realms
Overview of Authentication Realms
To Create an Authentication Realm
To Update an Authentication Realm
To Delete an Authentication Realm
To Configure a JDBC or Digest Authentication Realm
To Configure LDAP Authentication with OID
3. Administering Message Security
4. Administering Security in Cluster Mode
5. Managing Administrative Security
6. Running in a Secure Environment
The following topics are addressed here:
An authentication realm, also called a security policy domain or security domain, is a scope over which the GlassFish Server defines and enforces a common security policy. GlassFish Server is preconfigured with the file, certificate, and administration realms. In addition, you can set up LDAP, JDBC, digest, Oracle Solaris, or custom realms. An application can specify which realm to use in its deployment descriptor. If the application does not specify a realm, GlassFish Server uses its default realm (file).
GlassFish Server stores user credentials locally in a file named keyfile. The file realm is the initial default realm.
The administration realm is also a file realm and stores administrator user credentials locally in a file named admin-keyfile.
GlassFish Server stores user credentials in a certificate database. When using the certificate realm, the server uses certificates with the HTTPS protocol to authenticate web clients.
GlassFish Server can get user credentials from a Lightweight Directory Access Protocol (LDAP) server such as Oracle Virtual Directory (OVD), Oracle Internet Directory (OID), and Oracle Directory Server Enterprise Edition. LDAP is a protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet.
See To Configure LDAP Authentication with OID for instructions on configuring GlassFish Server to work with an OVD/OID LDAP provider.
GlassFish Server gets user credentials from a database. The server uses the database information and the enabled JDBC realm option in the configuration file.
Digest Authentication authenticates a user based on a user name and a password. However, the authentication is performed by transmitting the password in an encrypted form.
GlassFish Server gets user credentials from the Oracle Solaris operating system. This realm is supported on the Oracle Solaris 9 and Oracle Solaris 10 operating systems. Consult your Oracle Solaris documentation for information about managing users and groups in the Oracle Solaris realm.
A Pluggable Authentication Module (PAM) realm allows applications deployed on GlassFish Server to authenticate users against a native Unix (Solaris/Linux/Mac OS) users list. PAM realms use the class name com.sun.enterprise.security.auth.realm.pam.PamRealm and the JAAS Context pamRealm.
This realm is supported on all Unix Operating Systems, including the Oracle Solaris 9 and Oracle Solaris 10 operating systems
You can create other repositories for user credentials, such as a relational database or third-party components. For more information about custom realms, see the Administration Console online help. For instructions on creating a custom realm, see Creating a Custom Realm in Oracle GlassFish Server 3.1 Application Development Guide.
The GlassFish Server authentication service can govern users in multiple realms.
Use the create-auth-realm subcommand in remote mode to create an authentication realm.
Remote subcommands require a running server.
Information about properties for this subcommand is included in this help page.
Example 2-1 Creating a Realm
This example creates a realm named db.
asadmin> create-auth-realm --classname com.iplanet.ias.security. auth.realm.DB.Database --property defaultuser=admin:Password=admin db Command create-auth-realm executed successfully.
See Also
You can also view the full syntax and options of the subcommand by typing asadmin help create-auth-realm at the command line.
For information on creating a custom realm, see Creating a Custom Realm in Oracle GlassFish Server 3.1 Application Development Guide.
Use the list-auth-realms subcommand in remote mode to list the existing authentication realms.
Remote subcommands require a running server.
Example 2-2 Listing Realms
This example lists the authentication realms on localhost.
asadmin> list-auth-realms db certificate file admin-realm Command list-auth-realms executed successfully.
See Also
You can also view the full syntax and options of the subcommand by typing asadmin help list-auth-realms at the command line.
Use the set subcommand to modify an existing authentication realm.
Note - A custom realm does not require server restart.
The thread pool is identified by its dotted name.
See To Restart a Domain in Oracle GlassFish Server 3.1 Administration Guide.
Use the delete-auth-realm subcommand in remote mode to delete an existing authentication realm.
Remote subcommands require a running server.
Example 2-3 Deleting a Realm
This example deletes an authentication realm named db.
asadmin> delete-auth-realm db Command delete-auth-realm executed successfully.
See Also
You can also view the full syntax and options of the subcommand by typing asadmin help delete-auth-realm at the command line.
GlassFish Server enables you to specify a user's credentials (user name and password) in the JDBC realm instead of in the connection pool. Using the jdbc type realm instead of the connection pool prevents other applications from browsing the database tables for user credentials.
Note - By default, storage of passwords as clear text is not supported in the JDBC realm. Under normal circumstances, passwords should not be stored as clear text.
How you create the database tables depends on the database that you are using.
How you add user credentials to the database tables depends on the database that you are using.
See To Create a JDBC Connection Pool in Oracle GlassFish Server 3.1 Administration Guide.
To Create a JDBC Resource in Oracle GlassFish Server 3.1 Administration Guide.
For instructions, see To Create an Authentication Realm.
Note - The JAAS context should be jdbcDigestRealm for digest authentication or jdbcRealm for other authentication types.
Modify the deployment descriptor that is associated with your application.
For more information about how to specify a realm, see How to Configure a Realm in Oracle GlassFish Server 3.1 Application Development Guide.
To assign a security role to a user, add a security-role-mapping element to the deployment descriptor that you modified.
If needed, see To Start the Database in Oracle GlassFish Server 3.1 Administration Guide.
See To Restart a Domain in Oracle GlassFish Server 3.1 Administration Guide.
Example 2-4 Assigning a Security Role
This example shows a security-role-mapping element that assigns the security role Employee to user Calvin
<security-role-mapping> <role-name>Employee</role-name> <principal-name>Calvin</principal-name> </security-role-mapping>
This procedure explains how to configure GlassFish Server to use LDAP authentication with Oracle Internet Directory.
Instructions for installing Oracle Enterprise Manager are provided in the Oracle Enterprise Manager documentation set.
Instructions for installing the Oracle Identity Management suite are provided in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
Instructions for configuring SSL for OID are provided in the SSL chapter of the Oracle Internet Directory Administrator's Guide.
Instructions for using Oracle Wallet Manager to create and export SSL certificates are provided in the Configure Oracle Internet Directory for SSL section of the SSL chapter in the Oracle Internet Directory Administrator's Guide.
The keytool command is available in the $JAVA_HOME/bin directory. Use the following syntax:
keytool -importcert -alias "alias-name" -keystore domain-dir/config/cacerts.jks -file cert-name
where the variables are defined as follows:
Name of an alias to use for the certificate
Name of the domain for which the certificate is used
Path to the certificate that you exported with Oracle Wallet Manager.
For example, to import a certificate named oi.cer for a GlassFish Server domain in /glassfishv3/glassfish/domains/domain1, using an alias called “OID self-signed certificate,” you would use the following command:
keytool -importcert -alias "OID self signed certificate" -keystore \ /glassfishv3/glassfish/domains/domain1/config/cacerts.jks -file oid.cer
See To Restart a Domain in Oracle GlassFish Server 3.1 Administration Guide.
For example:
ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFile
In this example, the LDIF file might contain the following:
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry changetype: modify replace: orclAnonymousBindsFlag orclAnonymousBindsFlag: 1
To disable all anonymous binds, you would use a similar LDIF file with the last line changed to:
orclAnonymousBindsFlag: 0
See Managing Anonymous Binds in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for complete instructions on the ldapmodify command.
This procedure explains how to configure GlassFish Server to use LDAP authentication with Oracle Virtual Directory.
Also, configure the SSL for the OVD listener in server authentication mode.
The keytool command is available in the $JAVA_HOME/bin directory. Use the following syntax:
keytool -importcert -alias "alias-name" -keystore domain-dir/config/cacerts.jks -file cert-name
where the variables are defined as follows:
Name of an alias to use for the certificate
Name of the domain for which the certificate is used
Path to the certificate that you exported from the keystore.
For example, to import a certificate named ovd.cer for a GlassFish Server domain in /glassfishv3/glassfish/domains/domain1, using an alias called “OVD self-signed certificate,” you would use the following command:
keytool -importcert -alias "OVD self signed certificate" -keystore \ /glassfishv3/glassfish/domains/domain1/config/cacerts.jks -file ovd.cer
See To Restart a Domain in Oracle GlassFish Server 3.1 Administration Guide.
This procedure explains how to enable LDAP authentication for logins to the GlassFish Server Domain Administration Server (DAS). Logging in to the DAS is typically only performed by GlassFish Server administrators who want to use the GlassFish Server Administration Console or asadmin command. See To Configure LDAP Authentication with OID for instructions on enabling general LDAP authentication for GlassFish Server.
Before You Begin
Ensure that you have followed the configuration instructions in To Configure LDAP Authentication with OID
Use the following syntax:
asadmin configure-ldap-for-admin --basedn "dn-list" --url [ldap|ldaps]://ldap-url --ldap-group group-name
where the variables are defined as follows:
basedn parameters
URL and port number for the LDAP server; can use standard (ldap) or secure (ldaps) protocol
LDAP group name for allowed users, as defined on the LDAP server.
For example:
asadmin configure-ldap-for-admin --basedn "dc=red,dc=iplanet,dc=com" \ --url ldap://interopoel54-1:3060 --ldap-group sqestaticgroup
asadmin configure-ldap-for-admin --basedn "dc=red,dc=iplanet,dc=com" \ --url ldaps://interopoel54-1:7501 --ldap-group sqestaticgroup
See Also
See configure-ldap-for-admin(1) for more information about the configure-ldap-for-admin subcommand.