Sun Java™ System Application Server Platform Edition 8 Administration Guide |
Chapter 9
SecurityThis chapter describes some core application server security concepts, and describes how to configure security for the Sun Java System Application Server Platform Edition 8. This chapter contains the following topics:
About Application Server SecurityOverview of Security
Security is about protecting data: how to prevent unauthorized access or damage to it in storage or transit. The Application Server has a dynamic, extensible security architecture based on the J2EE standard. Built in security features include cryptography, authentication and authorization, and public key infrastructure. The Application Server is built on the Java security model, which uses a "sandbox" where applications can run safely, without potential risk to systems or users.
Application and System Security
Broadly, there are two kinds of application security:
- In programmatic security, application code written by the developer handles security chores. As a administrator, you don’t have any control over this mechanism. Generally, programmatic security is discouraged since it hard-codes security configuration in the application instead of managing it through the J2EE containers.
- In declarative security, the container (the Application Server) handles security through an application’s deployment descriptors. You can control declarative security by editing deployment descriptors directly or with a tool such as
deploytool
. Because deployment descriptors can change after an application is developed, declarative security allows for more flexibility.In addition to application security, there is also system security, which affects all the applications on an Application Server system.
Programmatic security is controlled by the applications developer, so this document will not discuss it; declarative security is somewhat less so, and this document will touch on it occasionally. This document is intended for system administrators, and so will focus on system security.
Tools for Managing Security
The Application Server provides two tools for managing security:
- Admin Console, a browser-based tool you use to configure security for the entire server, to manage users, groups, and realms, and perform other system-wide security tasks. For a general introduction to Admin Console, see Tools for Administration. For an overview of the security tasks you can perform with Admin Console, see Security Managment With the Admin Console.
asadmin
, a command-line tool that performs many of the same tasks as the Admin Console. You may be able to do some things withasadmin
that you cannot do with Admin Console. You performasadmin
commands either from a command prompt or from a scripts, to automate repetitive tasks. For a general introduction toasadmin
, see Tools for Administrationdeploytool
, a graphical packaging and deployment tool for editing application deployment descriptors to control individual applications’ security. Becausedeploytool
is intended for application developers, this document will not describe its use in detail. For instructions on usingdeploytool
, see the tool’s online help and The J2EE 1.4 Tutorial at http://java.sun.com/j2ee/1.4/docs/tutorial/doc/index.html.Additionally, Java 2 Platform, Standard Edition (J2SE) provides two tools for managing security:
For more information on using
keytool
,policytool
, and other Java security tools, see Java2 SDK Tools and Utilities at http://java.sun.com/j2se/1.4.2/docs/tooldocs/tools.html#security.Security Responsibilities
Security responsibilities are assigned to the following:
Application Developer
The application developer is responsible for the following:
An application developer may use tools such as
deploytool
to edit application deployment descriptors.Application Deployer
The application deployer is responsible for:
An application deployer may use tools such as
deploytool
to edit application deployment descriptors.System Administrator
The system administrator is responsible for:
- Configuring security realms.
- Managing user accounts and groups.
- Managing audit logs.
- Managing server certificates and configuring the server’s use of secure sockets layer (SSL).
- Handling other miscellaneous system-wide security features, such as security maps for connector connection pools, additional JACC Providers, and so on.
A system administrator may use the Admin Console to manage server security settings, and
keytool
to manage certificates.Authentication and Authorization
Authentication and authorization are central concepts of application server security.
Authentication
Authentication is the way an entity (a user, an application, or a component) determines that another entity is who it claims to be. An entity uses security credentials to authenticate itself. The credentials may be a user name and password, a digital certificate, or something else.
Typically, authentication means a user logging in to an application with a username and password; but it might also refer to an EJB providing security credentials when it requests a resource from the server. Usually, servers or applications require clients to authenticate; additionally, clients may require servers to authenticate themselves, too. When authentication is bidirectional, it is called mutual authentication.
When an entity tries to access a protected resource, the Application Server uses the authentication mechanism configured for that resource to determine whether to grant access. For example, a user may enter a user name and password in a web browser, and if the application verifies those credentials, the user is authenticated. The user is associated with this authenticated security identity for the remainder of the session.
The Application Server supports four types of authentication, as outlined in Table 9-1. An application specifies the type of authentication it uses in its deployment descriptors. Use
deploytool
to configure the authentication method for an application. For more information, see Tools for Managing Security.
Single Sign-On
Single sign-on enables multiple applications in one virtual server instance to share user authentication state. With single sign-on, a user who logs in to one application becomes implicitly logged in to other applications that require the same authentication information.
Single sign-on is based on groups. All web applications whose deployment descriptor defines the same group and use the same authentication method (basic, form, digest, certificate) share single sign-on.
Single sign-on is enabled by default for virtual servers defined for the Application Server. For information on disabling single sign-on, see Configuring Single Sign-On (SSO).
Authorization
Once a user is authenticated, his or her level of authorization determines what operations he can perform. A user’s authorization is based on his role. For example, a human resources application may authorize managers to view personal employee information for all employees, but allow employees to only view their own personal information. For more on roles, see Users, Groups, Roles, and Realms.
JACC Providers
JACC (Java Authorization Contract for Containers) is part of the J2EE 1.4 specification that defines an interface for pluggable authorization providers. This enables you to set up third-party “plug in” modules to perform authorization.
By default, the Application Server provides a simple, file-based authorization engine that complies with the JAAC specification. In addition, you may specify additional third-party JAAC providers.
JACC providers use the Java Authentication and Authorization Service (JAAS) APIs. JAAS enables services to authenticate and enforce access controls upon users. It implements a Java technology version of the standard Pluggable Authentication Module (PAM) framework.
Audit Logging
The Application Server can provide an audit trail of all authentication and authorization decisions through audit modules. The Application Server provides a default audit module, and you can also configure your own custom audit modules. For information on developing custom audit modules, see the J2EE 1.4 Application Server Developer's Guide.
Users, Groups, Roles, and Realms
The Application Server enforces its authentication and authorization policies upon the following entities:
- User: An individual identity defined in the Application Server. In general, a user may be a person or a software component such as an EJB, or even a service. A user who has been authenticated is sometimes called a Principal. Users are sometimes referred to as subjects.
- Group: A set of users defined in the Application Server, classified by common traits.
- Role: A named authorization level defined by an application. A role can be compared to a key that opens a lock. Many people might have a copy of the key. The lock doesn't care who you are, only that you have the right key.
Note: Users and groups are designated for the entire Application Server, whereas each application defines its own roles. Then, the applications specify mappings between users/groups and roles, as illustrated in Figure 9-1.
A realm is a repository containing user and group information and their security credentials. A realm is also called a security policy domain.
Figure 9-1 Role Mapping
Groups
A J2EE group (or simply group) is a category of users classified by common traits, such as job title or customer profile. For example, users of an e-commerce application might belong to the “customer” group, but the big spenders would belong to the “preferred” group. Categorizing users into groups makes it easier to control the access of large numbers of users.
Roles
A role defines which applications and what parts of each application users can access and what they can do. In other words, roles determine users’ and authorization levels.
For example, in a personnel application all employees might have access to phone numbers and email addresses, but only managers would have access to salary information. The application could define at least two roles: employee and manager; only users in the manager role could view salary information.
A role is different from a user group in that a role defines a function in an application, while a group is a set of users who are related in some way. For example, in the personnel application there might be groups such as “full-time,” “part-time,” and “on-leave,” but users in all these groups would still be in the employee role.
Roles are defined in application deployment descriptors. In contrast, groups are defined for an entire server and realm. The application developer or deployer maps roles to one or more groups for each application in its deployment descriptor.
Realms
A realm, also called a security policy domain or security domain, is a scope over which the server defines and enforces a common security policy. In practical terms, a realm is a repository where the server stores user and group information.
The Application Server comes pre-configured with two realms: file (the initial default realm) and certificate. You can set up two other realms: ldap and solaris, in addition to custom realms. Applications can specify the realm to use in their deployment descriptor. If they do not specify a realm, the Application Server will use its default realm.
In the file realm, the server stores user credentials locally in a file. You can use the Admin Console to manage users in the file realm. For more information, see Managing file Realm Users
In the certificate realm, the server stores user credentials in a certificate database. When using the certificate realm, the server uses certificates with the HTTPS protocol to authenticate web clients. For more information about certificates, see Introduction to Certificates and SSL.
In the ldap realm the server gets user credentials from a Lightweight Directory Access Protocol (LDAP) server such as the Sun Java System Directory Server. LDAP is a protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. Consult your LDAP server documentation for information on managing users and groups in the ldap realm.
In the solaris realm the server gets user credentials from the Solaris operating system. This realm is supported on the Solaris 9 OS and later versions. Consult your Solaris documentation for information on managing users and groups in the solaris realm.
A custom realm is any other repository of user credentials, such as a relational database or third-party component. For more information, see Creating a Custom Realm.
Introduction to Certificates and SSL
Digital Certificates
Digital certificates (or simply certificates) are electronic files that uniquely identify people and resources on the Internet. Certificates also enable secure, confidential communication between two entities.
There are different kinds of certificates, such as personal certificates, used by individuals, and server certificates, used to establish secure sessions between the server and clients through secure sockets layer (SSL). For more information on SSL, see Secure Sockets Layer.
Certificates are based on public key cryptography, which uses pairs of digital keys (very long numbers) to encrypt, or encode, information so it can be read only by its intended recipient. The recipient then decrypts (decodes) the information to read it.
A key pair contains a public key and a private key. The owner distributes the public key and makes it available to anyone. But the owner never distributes the private key; it is always kept secret. Because the keys are mathematically related, data encrypted with a key can be decrypted only with the other key in the pair.
A certificate is like a passport: it identifies the holder and provides other important information. Certificates are issued by a trusted third party called a Certification Authority (CA). The CA is analogous to passport office: it validates the certificate holder’s identity and “signs” the certificate so that it cannot be forged or tampered with. Once a CA has signed a certificate, the holder can present it to prove their identity and establish encrypted, confidential communications.
Most importantly, a certificate binds the owner’s public key to the owner’s identity. Like a passport binds a photograph to personal information about its holder, a certificate binds a public key to information about its owner.
In addition to the public key, a certificate typically includes information such as:
Digital Certificates are governed by the technical specifications of the x.509 format. To verify the identity of a user in the certificate realm, the authentication service verifies an X.509 certificate, using the common name field of the X.509 certificate as the principal name.
Certificate Chains
Web browsers are pre-configured with a set of “root” CA certificates that the browser automatically trusts. Any certificates from elsewhere must come with a certificate chain to verify their validity. A certificate chain is series of certificates issued by successive CAs, eventually ending in a root CA certificate.
When a certificate is first generated, it is a self-signed certificate. A self-signed certificate is one for which the issuer (signer) is the same as the subject (the entity whose public key is being authenticated by the certificate). When the owner sends a certificate signing request (CSR) to a CA then and imports the response, the self-signed certificate is replaced by a chain of certificates. At the bottom of the chain is the certificate (reply) issued by the CA authenticating the subject's public key. The next certificate in the chain is one that authenticates the CA's public key. Usually, this is a self-signed certificate (that is, a certificate from the CA authenticating its own public key) and the last certificate in the chain.
In other cases, the CA may return a certificate chain of certificates. In this case, the bottom certificate in the chain is the same (a certificate signed by the CA, authenticating the public key of the key entry), but the second certificate in the chain is a certificate signed by a different CA, authenticating the public key of the CA you sent the CSR to. Then, the next certificate in the chain will be a certificate authenticating the second CA's key, and so on, until a self-signed "root" certificate is reached. Each certificate in the chain (after the first) thus authenticates the public key of the signer of the previous certificate in the chain.
Secure Sockets Layer
Secure Sockets Layer (SSL) is the most popular standard for securing Internet communications and transactions. Web applications use HTTPS (HTTP over SSL). HTTPS uses digital certificates to ensure secure, confidential communications between server and clients. In an SSL connection, both the client and the server encrypt data before sending it, then decrypt it upon receipt
When a web browser (client) wants to connect to a secure site, an “SSL handshake” happens:
- The browser sends a message over the network requesting a secure session (typically, by requesting a URL that begins with
https
instead ofhttp
).- The server responds by sending its certificate (including its public key).
- The browser verifies that the server’s certificate is valid and has been signed by a CA whose certificate is in the browser’s database (and who is trusted). It also verifies that the CA certificate has not expired.
- If the certificate is valid, the browser generates a one-time, unique “session” key and encrypts it with the server’s public key. The browser then sends the encrypted session key to the server so that they both have a copy.
- The server decrypts the message using its private key and recovers the session key.
After the “handshake,” the client has verified the identity of the Web site, and only the client and the web server have a copy of the session key. From then, on the client and the server use the session key to encrypt all their communications with each other. Thus, their communications is ensured to be secure.
The newest version of the SSL standard is called TLS (Transport Layer Security). The Application Server supports the Secure Sockets Layer (SSL) 3.0 and the Transport Layer Security (TLS) 1.0 encryption protocols.
To use SSL, the Application Server must have a certificate for each external interface, or IP address, that accepts secure connections. The HTTPS service of most web servers will not run unless a digital certificate has been installed. Use the procedure in Generating a Server Certificate to set up a digital certificate that your web server can use for SSL.
Ciphers
A cipher is a cryptographic algorithm used for encryption or decryption. SSL and TLS protocols support a variety of ciphers used to authenticate the server and client to each other, transmit certificates, and establish session keys.
Some ciphers are stronger and more secure than others. Clients and servers may support different cipher suites. You can choose ciphers from the SSL3 and TLS protocols. During a secure connection, the client and the server agree to use the strongest cipher they both have enabled for communication, so it is usually sufficient to enable all ciphers.
Using Name-based Virtual Hosts
Using name-based virtual hosts for a secure application can be problematic. This is a design limitation of the SSL protocol itself. The SSL handshake, where the client browser accepts the server certificate, must occur before the HTTP request is accessed. As a result, the request information containing the virtual host name cannot be determined prior to authentication, and it is therefore not possible to assign multiple certificates to a single IP address.
If all virtual hosts on a single IP address need to authenticate against the same certificate, the addition of multiple virtual hosts should not interfere with normal SSL operations on the server. Be aware, however, that most browsers will compare the server’s domain name against the domain name listed in the certificate, if any (applicable primarily to official, CA-signed certificates). If the domain names do not match, these browsers will display a warning. In general, only address-based virtual hosts are commonly used with SSL in a production environment.
Firewalls
A firewall controls the flow of data between two or more networks, and manages the links between the networks. A firewall may consist of both hardware and software elements. This section describes some common firewall architectures and their configuration. The information here pertains primarily to the Application Server. For details about a specific firewall technology refer to the documentation from your firewall vendor.
In general, you must configure you firewalls so that clients can access the necessary TCP/IP ports. For example, if the HTTP listener is operating on port 8080, you must, you must configure the firewall to allow HTTP requests on port 8080. Likewise, if HTTPS requests are setup for port 1043, you must configure your firewalls to allow HTTPS requests on port 1043.
If you want to allow direct RMI/IIOP access from the Internet to EJB modules, you must open the RMI/IIOP listener port as well, but this is strongly discouraged since it creates security risks.
In the double firewall architecture, you must configure the outer firewall to allow for HTTP and HTTPS transactions. You must configure the inner firewall to allow the HTTP server plug in to communicate with the Application Server behind the firewall.
Security Managment With the Admin Console
The Admin Console enables you to manage:
Server Security Settings
On the Security Settings page, you can set properties for the server as a whole, such as the default realm, the anonymous role, the default principal user name and password. For more information, see Configuring Security Settings.
Realms and file Realm Users
The concept of realms was introduced in Users, Groups, Roles, and Realms. With the Admin Console, you can:
See Admin Console Tasks for Realms for details on these tasks.
JACC Providers
JACC providers were introduced in JACC Providers. With the Admin Console, you can:
See Admin Console Tasks for JACC Providers for details on these tasks.
Audit Modules
Auditing is the method by which significant events, such as errors or security breaches, are recorded for subsequent examination. All authentication events are logged to the Application Server logs. A complete access log provides a sequential trail of Application Server access events.
With the Admin Console, you can:
See Admin Console Tasks for Audit Modules for details on these tasks.
HTTP and IIOP Listener Security
Each virtual server in the HTTP service provides network connections through one or more HTTP listeners. For general information about the HTTP service and HTTP listeners, see What Is the HTTP Service?
The Application Server supports CORBA (Common Object Request Broker Architecture) objects, which use the Internet Inter-Orb Protocol (IIOP) to communicate across the network. An IIOP listener accepts incoming connections from remote clients of EJBs and from other CORBA-based clients. For general information on IIOP listeners, see IIOP Listeners.
With the Admin Console you can:
See Admin Console Tasks for Listeners for details on these tasks.
Admin Console Tasks for SecurityConfiguring Security Settings
The Security page in the Admin Console enables you to set a variety of system-wide security settings. To edit these settings:
- In the tree component, select the Security node in the Admin Console tree.
The Security page displays.
- Modify the values as desired. Table 9-2 describes the settings on this page.
- Enter additional properties to pass to the Java Virtual Machine (JVM) in the Additional Properties section.
- Valid properties are dependent upon the type of realm being configured.
Select Save to save the changes or Load Defaults to restore the default values.
Table 9-2 General Security Settings
Setting
Description
Audit Logging
Whether audit logging is enabled. If enabled, the server will load and run all the audit modules specified in the Audit Modules setting. Otherwise, the server does not access audit modules. Disabled by default.
Default Realm
The active (default) realm the server uses for authentication. Applications will use this realm unless they specify a different realm in their deployment descriptor. All configured realms appear in the list. The initial default realm is the file realm.
Anonymous Role
The name for the default or anonymous role. The anonymous role is assigned to all users. Applications can use this role in their deployment descriptors to grant authorization to anyone.
Default Principal
Specifies the default user name. The server uses this when no principal is provided. If you enter a value in this field, you must enter a corresponding value in the Default Principal Password field.
You do not need to set this attribute for normal server operation.
Default Principal Password
Password of the default principal specified in the Default Principal field.
You do not need to set this attribute for normal server operation.
JACC
Class name of a configured JACC provider. See Creating a JACC Provider for Information on adding JACC providers.
Audit Modules
List of audit module provider classes, delimited by commas. A module listed here must be already configured. If Audit Logging is enabled, this setting must list audit modules. By default, the server uses an audit module named
default
. For information on creating new audit modules, see Creating an Audit Module.Controlling Access to Administration Tools
Only users in the
asadmin
group are able to access Admin Console andasadmin
command line utility. To give a user access to these administration tools, add them to theasadmin
group, as follows:
- Expand the Security node in the Admin Console tree.
- Expand the Realms node.
- Select the file node.
- Click the Manage Users button from the Edit Realm page.
Initially after installation, only the administrator user name and password entered during installation will be listed. By default, this user belongs to the group
asadmin
, which gives rights to modify the Application Server. Assign users to this group only if you want to grant them administrator privileges for the Application Server.- Click New to add a new user to the file realm.
- Enter the correct information into the User Id, Password, and Group List fields. To authorize a user to make modifications to the Application Server, include the asadmin group in the Group List.
- Click OK to add this user to the file realm or click Cancel to quit without saving.
Configuring Mutual Authentication
In mutual authentication, both server and client-side authentication are enabled. To test mutual authentication, you must have a client with a valid certificate. For information on creating a client certificate, see The J2EE 1.4 Tutorial.
Enabling Mutual Authentication for the Certificate Realm
The Application Server uses the certificate realm for HTTPS authentication. To specify mutual authentication for all the applications that use this realm, follow this procedure:
Enabling Mutual SSL Authentication an Application
If you to enable mutual authentication for a specific application, use
deploytool
to set the method of authentication toClient-Certificate
. For more information about usingdeploytool
, refer to the Security chapter of the J2EE Tutorial.Configuring Single Sign-On (SSO)
Single sign-on enables multiple applications to share user sign-on information, rather than requiring each application to have separate user sign-on. Applications using single sign-on authenticate the user one time, and the authentication information is propagated to all other involved applications.
Single sign-on applies to web applications configured for the same realm and virtual server.
Note: Single sign-on uses an HTTP cookie to transmit a token that associates each request with the saved user identity, so it can only be used when the browser client supports cookies.
Single sign-on operates according to the following rules:
- When a user accesses a protected resource in a web application, the server requires the user to authenticate himself or herself, using the method defined for that web application.
- Once authenticated, the Application Server will use the roles associated with the user for authorization decisions across all web applications on the virtual server, without challenging the user to authenticate to each application individually.
- When the user logs out of one web application (explicitly, or because of session expiration), the user’s sessions in all web applications become invalid. Thereafter, the user is required to login to access a protected resource in any application.
Single sign-on is enabled by default for the Application Server. To disable it or configure other properties, follow this procedure:
- In the tree component, expand the HTTP service node.
- Open the Virtual Servers node, and select the virtual server for which you want to disable single sign-on support.
- Click Add Property.
A blank property entry is added to the bottom of the list.
- Enter
sso-enable
in the new Name field.- Enter
false
in the new Property field.- Add or change any other single sign-on properties:
- Click Save.
- Restart the Application Server.
Admin Console Tasks for RealmsCreating a Realm
The Application Server comes preconfigured with two realms: file and certificate. You can create two other realms: ldap and solaris, in addition to custom realms. Generally, you will have one realm of each type on a server. However, you can have a different certificate database for each virtual server on your system.
To create a security realm, follow these steps:
Specify the class name for the realm you want to create, as shown in the following table:
- Add the required properties and any desired optional properties for the realm.
- For a description of ldap realm properties, see Creating the ldap Realm.
- For a description of solaris realm properties, see Creating the solaris Realm.
- For a description of custom realm properties, see Creating a Custom Realm.
To add a property:
- Click Add Property.
- In the Name field, enter the name of the property.
- In the Value field, enter the value of the property.
- Click OK.
Equivalent
asadmin
command:create-auth-realm
Creating the ldap Realm
The ldap realm performs authentication using information from an LDAP server. User information may include user name, password, and the groups to which the user belongs. You must create the desired users and groups in your LDAP directory, or the information must already exist.
You must add the three properties shown in Table 9-3.
Additionally, you may add any of the optional properties listed in Table 9-4.
Example
For example, suppose an LDAP user, Joe Java, is defined in your LDAP directory as follows:
uid=jjava,ou=People,dc=acme,dc=com
uid=jjava
givenName=joe
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=inetorgperson
sn=java
cn=Joe JavaThe required properties in the ldap realm would be:
Creating the solaris Realm
The solaris realm gets user and group information from the underlying Solaris user database, as determined by the system’s configuration. The Solaris realm invokes the underlying PAM infrastructure for authenticating. If the configured PAM modules require root privileges, the domain must run as root to use this realm. For details, see your Solaris documentation for security services.
The solaris realm has one required property,
jaas-context
that specifies the type of login module to use. The property value must besolarisRealm
.Note: The solaris realm is supported only for Solaris 9 or later.
Creating a Custom Realm
In addition to the four built-in realms, you can also create custom realms that store user data in some other way, such as in a relational database. Development of a custom realm is outside the scope of this document; for more information, see the Sun Java System Application Server Platform Edition 8 Developer's Guide. See http://developers.sun.com/prodtech/appserver/reference/techart/as8_authentication/index.html for an example implementation of a custom realm
As an administrator, the main thing you need to know is that a custom realm is implemented by a class derived from the Java Authentication and Authorization Service (JAAS) package: this class is called the LoginModule.
To configure the Application Server to use a custom realm:
- Follow the procedure outline in Creating a Realm, entering the name of your custom realm and the name of the LoginModule class. You can use any unique name for your custom realm, for example
myCustomRealm
.- Add the following properties:
- Click OK.
- Edit the domain's login configuration file install_dir
/domains/
domain_name/config/login.conf
, and add the fully-qualified class name of the JAAS LoginModule at the end of the file, as follows:realmName {
fully-qualified-LoginModule-classname required;
};For example,
nyCustomRealm {
com.foo.bar.security.customrealm.SimpleCustomRealm required;
};- Copy the LoginModule class and all dependent classes into the directory install_dir
/domains/
domain_name/lib/classes
.- Restart the Server.
- Make sure that the realm is properly loaded.
Check install_dir
/domains/
domain_name/logs/server.log
to make sure the server loaded the realm: The server should invoke the realm’sinit()
method.Editing a Realm
- In the tree component, expand the Security node.
- Expand the Realms node.
- Select the name of an existing realm.
The Edit Realm page displays.
- Edit existing properties and their values as desired.
For information on file realm properties, see Editing the file Realm. To manage users in the file realm, click the Manager Users button; see Managing file Realm Users for more information.
For information on certificate realm properties, see Editing the certificate Realm.
- To add additional properties, click the Add Properties button. The page displays a new row. Enter a valid property name and property value. Table 9-6 describes optional properties for the certificate realm. Table 9-3 and Table 9-4 describe optional properties for the ldap realm.
- Click Save to save the changes or Reload Defaults to discard your changes and restore the Application Server default values.
Editing the file Realm
The server maintains all user, group, and password information in a file called a keyfile. The file property specifies the location of the keyfile.
Except for a single admin user in the asadmin group, the keyfile is initially empty, so you must add users before you can use the file realm. For instructions, see Managing file Realm Users.
Note: Users in the group asadmin are authorized to use the Admin Console and asadmin tools. Add only users to this group that you want to have server administrative privileges.
Managing file Realm Users
You can manage file realm users with the Admin Console. Users and groups in the file realm are listed in the key file, whose location is specified by the file property.
A user in the file realm can belong to a J2EE group, a category of users classified by common traits. For example, customers of an e-commerce application might belong to the CUSTOMER group, but the big spenders would belong to the PREFERRED group. Categorizing users into groups makes it easier to control the access of large numbers of users.
Initially after installation of the Application Server, the only user is the administrator entered during installation. By default, this user belongs to the group asadmin, which gives rights to modify the Application Server. Any users you assign to this group will have administrator privileges, that is, they will have access to
asadmin
and Admin Console.To manage file realm users, follow this procedure:
Adding a User
In the File Users page, to add a new user:
Equivalent
asadmin
command:create-file-user
Editing a User
In the File Users page, to change a user’s information:
- In the User Id column, click the name of the user you want to modify.
- Change the user’s password by entering a new password in the Password and Confirm Password fields.
- Change the groups to which the user belongs by adding or deleting groups in the Group List field. Separate group names with commas. Groups need not be previously defined.
- Click Save to save this user to the list of users in the
file
realm. Click Cancel to quit without saving.Deleting a User
In the File Users page, to delete a user:
Equivalent
asadmin
command:delete-file-user
Editing the certificate Realm
The certificate realm supports SSL authentication. This realm sets up the user identity in the Application Server’s security context, and populates it with user data obtained from cryptographically verified client certificates in the trust-store and keystore files (see Certificate Files.) You an add users to these files using
keytool
; for more information see the J2EE 1.4 Tutorial chapter titled Security.With the certificate realm, J2EE containers handle authorization processing based on each user’s Distinguished Name (DN) from his or her certificate. The DN is the name of the entity whose public key the certificate identifies. This name uses the X.500 standard, so it is intended to be unique across the Internet. For more information on keystores and trust-stores, refer to the keytool documentation at:
http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html
Table 9-6 lists the optional properties for the certificate realm.
Deleting a Realm
Equivalent
asadmin
command:delete-auth-realm
Setting the Default Realm
The default realm is the realm that the Application Server will use for authentication and authorization if an application’s deployment descriptor does not specify a realm. To set the default realm:
Admin Console Tasks for JACC ProvidersCreating a JACC Provider
JACC (Java Authorization Contract for Containers) is part of the J2EE 1.4 specification that defines an interface for pluggable authorization providers. This enables you to set up third-party “plug in” modules to perform authorization. By default, the Application Server provides a simple, JACC-compliant file-based authorization engine. For more information, see JACC Providers.
To create a JACC provider:
- In the tree component, expand the Security node.
- Select the JACC Providers node.
- On the JACC Providers page, click New.
- On the Create JACC Provider page, enter the following:
- Add additional properties to the provider by clicking the Add Property button. Valid properties include:
- Click OK to save this configuration, or click Cancel to quit without saving.
Editing a JACC Provider
- In the tree component, expand the Security node.
- Expand the JACC Providers node.
- Select the node of the JACC provider that you want to edit.
- On the Edit JACC Provider page, modify the provider information as desired:
- To add additional properties, click the Add button. Enter the name and value for the property. Valid entries include:
- To delete an existing property, click in the checkbox to the left of the property, then click Delete Properties.
- Click Save.
Deleting a JACC Provider
Setting the Active JACC Provider
To specify the JACC provider that the server uses:
Admin Console Tasks for Audit ModulesCreating an Audit Module
The Application Server provides a simple default audit module; for more information, see Using the Default Audit Module.
To create a new audit module:
- In the tree component, expand the Security node.
- Select the Audit Modules node.
- On the Audit Modules page, click New.
- On the Create Audit Module page, enter the following information:
- To add additional JVM properties to this module, click Add Property. Specify a name and value for each property.
- Click OK to save your entries, or click Cancel to quit without saving.
Editing an Audit Module
To edit an audit module:
- In the tree component, expand the Security node.
- Expand the Audit Modules node.
- Click the node of the audit module that you want to edit.
- On the Edit Audit Module page, modify the class name if desired.
- Enter any additional properties for the module by selecting the Add button and entering the name and value of the property. Valid values include:
- Modify any existing properties by selecting the name or value to be modified, and entering the changes directly into the text field.
- Delete a property by selecting the checkbox to the left of the property and clicking Delete Properties.
- Click Save.
Deleting an Audit Module
To delete an audit module:
Setting the Active Audit Module
To specify the audit module that the server uses:
Using the Default Audit Module
The default audit module logs authentication and authorization requests to the server log file. For information on changing the location of the log file, see Configuring General Logging Settings.
Authentication log entries include the following information:
Regardless of whether audit logging is enabled, the Application Server logs all denied authentication events.
Authorization log entries include the following information:
Enabling and Disabling Audit Logging
To specify the audit module that the server uses:
Enabling and Disabling the Default Audit Module
In addition to enabling logging, you must set any properties required by the specific audit module you want to use. In the case of the default audit module, follow this procedure:
Admin Console Tasks for ListenersConfiguring Security for HTTP Listeners
Each virtual server in the HTTP service provides network connections through one or more HTTP listeners. With the Admin Console, you can create new HTTP listeners and edit the settings of existing HTTP listeners.
To edit security settings for an existing HTTP listener:
- Expand the HTTP Service node.
- Select the HTTP Listeners node.
- Click the name of the HTTP listener for which you want to enable security.
Alternatively, if you want to create a new listener, click New and follow the procedure in Creating an HTTP Listener.
- Follow the procedure in Setting Listener Security Properties to set security properties.
- Click Save to save the changes, or click Load Defaults to restore the listener to its default values.
Equivalent
asadmin
command:create-http-listener
Configuring Security for IIOP Listeners
The Application Server supports CORBA (Common Object Request Broker Architecture) objects, which use the Internet Inter-Orb Protocol (IIOP) to communicate across the network. An IIOP listener accepts incoming connections from remote clients of EJBs and from other CORBA-based clients. With the Admin Console, you can create new IIOP listeners and edit the settings of existing IIOP listeners.
To edit security properties for an IIOP listener:
- Expand the ORB node.
- Select the IIOP Listeners node.
- Click the name of the IIOP listener for which you want to enable security.
Alternatively, if you want to create a new listener, click New and follow the procedure in Creating an IIOP Listener.
- Follow the procedure in Setting Listener Security Properties to set security properties.
- When you are done setting all properties, click Save to save the changes, or click Load Defaults to restore the properties to their default values.
If you created a new listener, it will now be listed in the Current Listeners table on the IIOP Listeners page.
Equivalent
asadmin
command:create-iiop-listener
Setting Listener Security Properties
Follow this common procedure for setting both HTTP listener and IIOP listener security properties:
- In the Edit HTTP Listener or Edit IIOP Listener page, go to the section labeled Security.
- Check the Enabled box in the Security field. When this option is selected, you must select SSL3/TLS to specify which type of security is enabled.
- If you want clients to authenticate themselves to the Application Server when using this listener, check the Enabled box in the Client Authentication field.
- Enter the name of an existing server keypair and certificate in the Certificate Nickname field.
You can find the Certificate Nickname with the
keytool
commandkeytool -list -v -keystore keystore.jks.
Security Tasks for Connector Connection PoolsAbout Connector Connection Pools
A connector module (also called a resource adapter) enables J2EE applications to interact with enterprise information systems (EISs). A connector resource provides an application with a connection to an EIS. A connector connection pool is a group of reusable connections for a particular EIS.
Security maps enable you to create a mapping between J2EE users and groups and EIS users and groups. Use the
asadmin
command line utility to create, update, list, and delete security maps for connector connection pools.Note: In this context, users are referred to as principals.
Creating a Security Map
A security map for a connector connection pool maps application users and groups (principals) to EIS principals. Use a security map when an application user needs to execute EIS operations that require a specific identity in the EIS.
Use the
asadmin
commandcreate-connector-security-map
to create or update security maps for a connector connection pool. If a security map already exists for a connector connection pool, this command appends the existing security map to the map provided bycreate-connector-security-map
. This command supports supports the use of the wild-card asterisk (*) to indicate all users or all user groups.Mapping Principals
When an application principal initiates a request to an EIS, the application server first checks for an exact principal using the security map defined for the connector connection pool to determine the mapped backend EIS principal. If there is no exact match, then the application server uses the wild card character specification, if any, to determine the mapped backend EIS principal.
For example, to map
app_principal1
andapp_principal2
in the application todbuser1
in the EIS, use the followingasadmin
command:asadmin> create-connector-security-map --connectionpoolid TESTPOOL --principal app_principal1, app_principal2 --mappedusername dbuser1
Other Tasks for Security Maps
The
asadmin
utility also provides the following commands for working with security maps:
Working with Certificates and SSLCertificate Files
Installation of the Application Server generates a digital certificate suitable for internal testing. By default, the Application Server stores its certificate information in two files in the install_dir
/domains/
domain_name/config
directory:
- Trust-store file, by default named
cacerts.jks
, containing the Application Server’s "trusted certificates," including public keys for other entities. For a “trusted certificate”, the server has confirmed that the public key in the certificate belongs to the certificate’s owner. Trusted certificates generally include those of certification authorities (CAs).Changing the Location of Certificate Files
By default, the keystore and trust-store files are stored in the install_dir
/domains/
domain_name/config
directory. To change this default location:
- In the Admin Console tree component, select the Application Server node.
- Click the JVM Settings tab.
- Click the JVM Options sub-tab.
- On the JVM Options page, edit the Debug Options field as follows:
-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/path/ks_name
-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/path/ts_namewhere ks_name is the keystore file name and ts_name is the trust-store file name.
- Click Save.
- Restart the Application Server.
Using Keytool
You can use
keytool t
o set up and work with digital certificates.keytool
ships with the J2SE software and enables you to administer public/private key pairs and associated certificates. It also enables users to cache the public keys (in the form of certificates) of their communicating peers.To run keytool, you must have configured your shell environment properly such that the path refers to the J2SE
/bin
directory. For more information on keytool, see the keytool documentation at:http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html
Generating a Server Certificate
You can use
keytool
to generate, import, and export certificates. By default,keytool
creates a keystore file in the directory where you run it.To generate a server certificate:
- Change to the directory in which you want to generate the server certificate.
Always generate the certificate in the directory containing the server’s keystore and trust-store files, by default install_dir
/domains/
domain_name/config
. For information on changing the location of these files, see Changing the Location of Certificate Files.- Enter the following
keytool
command to generate the server certificate in the keystore file,keystore.jks
:keytool -genkey -alias keyAlias
-keyalg RSA
-keypass changeit
-storepass changeit
-keystore keystore.jks
Use any unique name as your keyAlias. If you have changed the keystore or private key password from their default, then substitute the new password for “changeit” in the above command.
You will be prompted for your name, organization, and other information that
keytool
uses to generate the certificate.
- Enter the following
keytool
command to export the generated server certificate to the fileserver.cer
:keytool -export -alias keyAlias
-storepass changeit
-file server.cer
-keystore keystore.jks- If you want to have the certificate signed by a certificate authority, see Signing a Digital Certificate for more information.
- To create the trust-store file
cacerts.jks
and add the server certificate to the trust-store, enter the followingkeytool
command:keytool -import -v -trustcacerts
-alias server-alias
-file server.cer
-keystore cacerts.jks
-keypass changeitFor complete information about using
keytool
, see thekeytool
documentation at:http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html
Signing a Digital Certificate
After creating a digital certificate, the owner must be sign it to prevent forgery. E-commerce sites, or those for which authentication of identity is important can purchase a certificate from a well-known Certificate Authority (CA). If authentication is not a concern, for example if you simply want to ensure private secure communications, you can save the time and expense involved in obtaining a CA certificate and use a self-signed certificate.
Using a Certificate From a CA
To use a digital certificate signed by a CA:
- Follow the instructions on the CA’s website for generating certificate keypairs.
- Download the generated certificate keypair.
Save the certificate in the directory containing the server keystore and trust-store files, by default install_dir
/domains/domain1/config
directory. See Changing the Location of Certificate Files for instructions on changing this location.- In your shell, change to the directory where you have saved the certificate.
- Use
keytool
to import the certificate into your local keystore and, if necessary, your local trust-store.keytool -import -v -trustcacerts
-alias server-alias
-file server.cer
-keystore cacerts.jks
-keypass changeit
-storepass changeitFor complete information about using keytool, see the keytool documentation at:
http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html
Deleting a Certificate
You can delete a certificate with
keytool
. Follow this procedure: