Message Security Setup

Most of the steps for setting up the Enterprise Server for using message security can be accomplished using the Admin Console, the asadmin command-line tool, or by manually editing system files. In general, editing system files is discouraged due to the possibility of making unintended changes that prevent the Enterprise Server from running properly, therefore, where possible, steps for configuring the Enterprise Server using the Admin Console are shown first, with the asadmin tool command shown after. Steps for manually editing system files are shown only when there is no Admin Console or asadmin equivalent.

Support for message layer security is integrated into the Enterprise Server and its client containers in the form of (pluggable) authentication modules. By default, message layer security is disabled on the Enterprise Server. The following sections provide the details for enabling, creating, editing, and deleting message security configurations and providers.

• Enabling Providers for Message Security

• Configuring the Message Security Provider

• Creating a Message Security Provider

• Enabling Message Security for Application Clients

• Setting the Request and Response Policy for the Application Client Configuration

• Further Information

In most cases, it will be necessary to restart the Enterprise Server after performing the administrative operations listed above. This is especially the case if you want the effects of the administrative change to be applied to applications that were already deployed on the Enterprise Server at the time the operation was performed.

Enabling Providers for Message Security

To enable message security for web services endpoints deployed in the Enterprise Server, you must specify a provider to be used by default on the server side. If you enable a default provider for message security, you also need to enable providers to be used by clients of the web services deployed in the Enterprise Server. Information for enabling the providers used by clients is discussed in Enabling Message Security for Application Clients.

To enable message security for web service invocations originating from deployed endpoints, you must specify a default client provider. If you enabled a default client provider for the Enterprise Server, you must ensure that any services invoked from endpoints deployed in the Enterprise Server are compatibly configured for message layer security.

Use the command-line utility:

• To specify the default server provider:

  asadmin set --user admin-user --port admin-port server-config.security-service.message-security-config.SOAP. default_provider=ServerProvider

• To specify the default client provider:

  asadmin set --user admin-user --port admin-port server-config.security-service.message-security-config.SOAP. default_client_provider=ClientProvider

Configuring the Message Security Provider

Typically, a provider would be re-configured to modify its message protection policies, although the provider type, implementation class, and provider-specific configuration properties may also be modified.

Use the command-line utility to set the response policy, replace the word request in the following commands with response.

• Add a request policy to the client and set the authentication source:

  asadmin set --user admin-user --port admin-port server-config.security-service.message-security-config.SOAP. provider-config.ClientProvider.request-policy.auth_source= sender | content

• Add a request policy to the server and set the authentication source:

  asadmin set --user admin-user --port admin-port server-config.security-service.message-security-config.SOAP. provider-config.ServerProvider.request-policy.auth_source= sender | content

• Add a request policy to the client and set the authentication recipient:

  asadmin set --user admin-user --port admin-port server-config.security-service.message-security-config.SOAP. provider-config.ClientProvider.request-policy.auth_recipient= before-content | after-content

• Add a request policy to the server and set the authentication recipient:

  asadmin set --user admin-user --port admin-port server-config.security-service.message-security-config.SOAP. provider-config.ServerProvider.request-policy.auth_recipient= before-content | after-content

Creating a Message Security Provider

To configure an existing provider using the Admin Console, select Configuration node > the instance to Configure> Security node > Message Security node > SOAP node > Providers tab.

For more detailed instructions on creating a message security provider, see the Admin Console online help.

Enabling Message Security for Application Clients

The message protection policies of client providers must be configured such that they are equivalent to the message protection policies of the server-side providers they will be interacting with. This is already the case for the providers configured (but not enabled) when the Enterprise Server is installed.

To enable message security for client applications, modify the Enterprise Server specific configuration for the application client container.

Setting the Request and Response Policy for the Application Client Configuration

The request and response policies define the authentication policy requirements associated with request and response processing performed by the authentication provider. Policies are expressed in message sender order such that a requirement that encryption occur after content would mean that the message receiver would expect to decrypt the message before validating the signature.

To achieve message security, the request and response policies must be enabled on both the server and client. When configuring the policies on the client and server, make sure that the client policy matches the server policy for request/response protection at application-level message binding.

To set the request policy for the application client configuration, modify the Enterprise Server specific configuration for the application client container as described in Enabling Message Security for Application Clients. In the application client configuration file, add the request-policy and response-policy elements as shown to set the request policy.

The other code is provided for reference. The other code may differ slightly in your installation. Do not change it.

<client-container>
  <target-server name="your-host" address="your-host"
      port="your-port"/>
  <log-service file="" level="WARNING"/>
  <message-security-config auth-layer="SOAP"
      default-client-provider="ClientProvider">
    <provider-config
        class-name="com.sun.enterprise.security.jauth.ClientAuthModule"
        provider-id="ClientProvider" provider-type="client">
      <request-policy auth-source="sender | content"
        auth-recipient="after-content | before-content"/>
      <response-policy auth-source="sender | content"
        auth-recipient="after-content | before-content"/>
       <property name="security.config"
           value="as-install/lib/appclient/wss-client-config.xml"/>
    </provider-config>
  </message-security-config>
</client-container>

Valid values for auth-source include sender and content. Valid values for auth-recipient include before-content and after-content. A table describing the results of various combinations of these values can be found in Actions of Request and Response Policy Configurations.

To not specify a request or response policy, leave the element blank, for example:

<response-policy/>

Further Information

• The Java 2 Standard Edition discussion of security can be viewed from http://java.sun.com/j2se/1.4.2/docs/guide/security/index.html.

• The Java EE 5.0 Tutorial chapter titled Security can be viewed from http://java.sun.com/javaee/5/docs/tutorial/doc/index.html.

• The Administration Guide chapter titled .

• The Developer’s Guide chapter titled Securing Applications.

• The XML-Signature Syntax and Processing document can be viewed at http://www.w3.org/TR/xmldsig-core/.

• The XML Encryption Syntax and Processing document can be viewed at http://www.w3.org/TR/xmlenc-core/.