Sun GlassFish Enterprise Server v2.1.1 Administration Guide

Chapter 10 Configuring Message Security

Some of the material in this chapter assumes a basic understanding of security and web services concepts. This chapter describes the configuration of message layer security for web services in the Enterprise Server. This chapter contains the following topics:

Overview of Message Security

In message security, security information is inserted into messages so that it travels through the networking layers and arrives with the message at the message destination(s). Message security differs from transport layer security (which is discussed in the Security chapter of the Java EE 5.0 Tutorial) in that message security can be used to decouple message protection from message transport so that messages remain protected after transmission.

Web Services Security: SOAP Message Security (WS-Security) is an international standard for interoperable Web Services Security that was developed in OASIS by a collaboration of all the major providers of web services technology (including Sun Microsystems). WS-Security is a message security mechanism that uses XML Encryption and XML Digital Signature to secure web services messages sent over SOAP. The WS-Security specification defines the use of various security tokens including X.509 certificates, SAML assertions, and username/password tokens to authenticate and encrypt SOAP web services messages.

The WS-Security specification can be viewed at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf.

Understanding Message Security in the Enterprise Server

The Enterprise Server offers integrated support for the WS-Security standard in its web services client and server-side containers. This functionality is integrated such that web services security is enforced by the containers of the Enterprise Server on behalf of applications, and such that it can be applied to protect any web service application without requiring changes to the implementation of the application. The Enterprise Server achieves this effect by providing facilities to bind SOAP layer message security providers and message protection policies to containers and to applications deployed in containers.

Assigning Message Security Responsibilities

In the Enterprise Server, the System Administrator and Application Deployer roles are expected to take primary responsibility for configuring message security. In some situations, the Application Developer may also contribute, although in the typical case either of the other roles may secure an existing application without changing its implementation without involving the developer. The responsibilities of the various roles are defined in the following sections:

System Administrator

The system administrator is responsible for:

A system administrator uses the Admin Console to manage server security settings and uses a command line tool to manage certificate databases. In Platform Edition, certificates and private keys are stored in key stores and are managed with keytool. Standard Edition and Enterprise Edition store certificates and private keys in an NSS database, where they are managed using certutil. This document is intended primarily for system administrators. For an overview of message security tasks, see Configuring the Enterprise Server for Message Security.

Application Deployer

The application deployer is responsible for:

Application Developer

The application developer can turn on message security, but is not responsible for doing so. Message security can be set up by the System Administrator so that all web services are secured, or by the Application Deployer when the provider or protection policy bound to the application must be different from that bound to the container.

The application developer or assembler is responsible for the following:

About Security Tokens and Security Mechanisms

The WS-Security specification provides an extensible mechanism for using security tokens to authenticate and encrypt SOAP web services messages. The SOAP layer message security providers installed with the Enterprise Server may be used to employ username/password and X.509 certificate security tokens to authenticate and encrypt SOAP web services messages. Additional providers that employ other security tokens including SAML assertions will be installed with subsequent releases of the Enterprise Server.

About Username Tokens

The Enterprise Server uses Username tokens in SOAP messages to establish the authentication identity of the message sender. The recipient of a message containing a Username token (within embedded password) validates that the message sender is authorized to act as the user (identified in the token) by confirming that the sender knows the secret (the password) of the user.

When using a Username token, a valid user database must be configured on the Enterprise Server

About Digital Signatures

The Enterprise Server uses XML Digital signatures to bind an authentication identity to message content. Clients use digital signatures to establish their caller identity, analogous to the way basic authentication or SSL client certificate authentication have been used to do the same thing when transport layer security is being used. Digital signatures are verified by the message receiver to authenticate the source of the message content (which may be different from the sender of the message.)

When using digital signatures, valid keystore and truststore files must be configured on the Enterprise Server. For more information on this topic, read About Certificate Files.

About Encryption

The purpose of encryption is to modify the data such that it can only be understood by its intended audience. This is accomplished by substituting an encrypted element for the original content. When predicated on public key cryptography, encryption can be used to establish the identity of the parties that can read a message.

When using Encryption, you must have an installed JCE provider that supports encryption. For more information on this topic, read Configuring a JCE Provider.

About Message Protection Policies

Message protection policies are defined for request message processing and response message processing and are expressed in terms of requirements for source and/or recipient authentication. A source authentication policy represents a requirement that the identity of the entity that sent a message or that defined the content of a message be established in the message such that it can be authenticated by the message receiver. A recipient authentication policy represents a requirement that the message be sent such that the identity of the entities that can receive the message can be established by the message sender. The providers apply specific message security mechanisms to cause the message protection policies to be realized in the context of SOAP web services messages.

Request and response message protection policies are defined when a provider is configured into a container. Application-specific message protection policies (at the granularity of the web service port or operation) may also be configured within the Sun-specific deployment descriptors of the application or application client. In any case, where message protection policies are defined, the request and response message protection policies of the client must match (be equivalent to) the request and response message protection policies of the server. For more information on defining application-specific message protection policies, refer to the Securing Applications chapter of the Developers Guide.

Glossary of Message Security Terminology

The terminology used in this document is described below. The concepts are also discussed in Configuring the Enterprise Server for Message Security.

Securing a Web Service

Web services deployed on the Enterprise Server are secured by binding SOAP layer message security providers and message protection policies to the containers in which the applications are deployed or to web service endpoints served by the applications. SOAP layer message security functionality is configured in the client-side containers of the Enterprise Server by binding SOAP layer message security providers and message protection policies to the client containers or to the portable service references declared by client applications.

When the Enterprise Server is installed, SOAP layer message security providers are configured in the client and server-side containers of the Enterprise Server, where they are available for binding for use by the containers, or by individual applications or clients deployed in the containers. During installation, the providers are configured with a simple message protection policy that, if bound to a container, or to an application or client in a container, would cause the source of the content in all request and response messages to be authenticated by XML digital signature.

The administrative interfaces of the Enterprise Server can be employed to bind the existing providers for use by the server-side containers of the Enterprise Server, to modify the message protection policies enforced by the providers, or to create new provider configurations with alternative message protection policies. Analogous administrative operations can be performed on the SOAP message layer security configuration of the application client container as defined in Enabling Message Security for Application Clients.

By default, message layer security is disabled on the Enterprise Server. To configure message layer security for the Enterprise Server follow the steps outlined in Configuring the Enterprise Server for Message Security. If you want to cause web services security to be used to protect all web services applications deployed on the Enterprise Server, follow the steps in Enabling Providers for Message Security.

Once you have completed the above steps (which may include restarting the Enterprise Server), web services security will be applied to all web services applications deployed on the Enterprise Server.

Configuring Application-Specific Web Services Security

Application-specific web services security functionality is configured (at application assembly) by defining message-security-binding elements in the Sun-specific deployment descriptors of the application. These message-security-binding elements are used to associate a specific provider or message protection policy with a web services endpoint or service reference, and may be qualified so that they apply to a specific port or method of the corresponding endpoint or referenced service.

For more information on defining application specific message protection policies, refer to Chapter 5, Securing Applications, in Sun GlassFish Enterprise Server v2.1.1 Developer’s Guide.

Securing the Sample Application

The Enterprise Server ships with a sample application named xms. The xms application features a simple web service that is implemented by both a J2EE EJB endpoint and a Java Servlet endpoint. Both endpoints share the same service endpoint interface. The service endpoint interface defines a single operation, sayHello, which takes a string argument, and returns a String composed by pre-pending Hello to the invocation argument.

The xms sample application is provided to demonstrate the use of the Enterprise Server’s WS-Security functionality to secure an existing web services application. The instructions which accompany the sample describe how to enable the WS-Security functionality of the Enterprise Server such that it is used to secure the xms application. The sample also demonstrates the binding of WS-Security functionality directly to the application (as described in Configuring Application-Specific Web Services Security application.

The xms sample application is installed in the directory: as-install/samples/webservices/security/ejb/apps/xms/.

For information on compiling, packaging, and running the xms sample application, refer to the Securing Applications chapter of the Developers’ Guide.

Configuring the Enterprise Server for Message Security

Actions of Request and Response Policy Configurations

The following table shows message protection policy configurations and the resulting message security operations performed by the WS-Security SOAP message security providers for that configuration.

Table 10–1 Message protection policy to WS-Security SOAP message security operation mapping

Message Protection Policy 

Resulting WS-Security SOAP message protection operations 

auth-source="sender" 

The message contains a wsse:Security header that contains a wsse:UsernameToken (with password).

auth-source="content" 

The content of the SOAP message Body is signed. The message contains a wsse:Security header that contains the message Body signature represented as a ds:Signature.

auth-source="sender" 

auth-recipient="before-content" 

OR 

auth-recipient="after-content" 

The content of the SOAP message Body is encrypted and replaced with the resulting xend:EncryptedData. The message contains a wsse:Security header that contains a wsse:UsernameToken (with password) and an xenc:EncryptedKey. The xenc:EncryptedKey contains the key used to encrypt the SOAP message body. The key is encrypted in the public key of the recipient.

auth-source="content" 

auth-recipient="before-content" 

The content of the SOAP message Body is encrypted and replaced with the resulting xend:EncryptedData. The xenc:EncryptedData is signed. The message contains a wsse:Security header that contains an xenc:EncryptedKey and a ds:Signature. The xenc:EncryptedKey contains the key used to encrypt the SOAP message body. The key is encrypted in the public key of the recipient.

auth-source="content" 

auth-recipient="after-content" 

The content of the SOAP message Body is signed, then encrypted, and then replaced with the resulting xend:EncryptedData. The message contains a wsse:Security header that contains an xenc:EncryptedKey and a ds:Signature. The xenc:EncryptedKey contains the key used to encrypt the SOAP message body. The key is encrypted in the public key of the recipient.

auth-recipient="before-content" 

OR 

auth-recipient="after-content" 

The content of the SOAP message Body is encrypted and replaced with the resulting xend:EncryptedData. The message contains a wsse:Security header that contains an xenc:EncryptedKey. The xenc:EncryptedKey contains the key used to encrypt the SOAP message body. The key is encrypted in the public key of the recipient.

No policy specified. 

No security operations are performed by the modules. 

Configuring Other Security Facilities

The Enterprise Server implements message security using message security providers integrated in its SOAP processing layer. The message security providers depend on other security facilities of Enterprise Server.

  1. If using a version of the Java SDK prior to version 1.5.0, and using encryption technology, configure a JCE provider.

  2. Configuring a JCE provider is discussed in Configuring a JCE Provider.

  3. If using a username token, configure a user database, if necessary. When using a username/password token, an appropriate realm must be configured and an appropriate user database must be configured for the realm.

  4. Manage certificates and private keys, if necessary.

After You Finish

Once the facilities of the Enterprise Server are configured for use by message security providers, then the providers installed with the Enterprise Server may be enabled as described in Enabling Providers for Message Security.

Configuring a JCE Provider

The Java Cryptography Extension (JCE) provider included with J2SE 1.4.x does not support RSA encryption. Because the XML Encryption defined by WS-Security is typically based on RSA encryption, in order to use WS-Security to encrypt SOAP messages you must download and install a JCE provider that supports RSA encryption.


Note –

RSA is public-key encryption technology developed by RSA Data Security, Inc. The acronym stands for Rivest, Shamir, and Adelman, the inventors of the technology.


If you are running the Enterprise Server on version 1.5 of the Java SDK, the JCE provider is already configured properly. If you are running the Enterprise Server on version 1.4.x of the Java SDK, you can add a JCE provider statically as part of your JDK environment, as follows.

  1. Download and install a JCE provider JAR (Java ARchive) file.

    The following URL provides a list of JCE providers that support RSA encryption: http://java.sun.com/products/jce/javase_providers.html.

  2. Copy the JCE provider JAR file to java-home/jre/lib/ext/.

  3. Stop the Enterprise Server.

    If the Enterprise Server is not stopped and then restarted later in this process, the JCE provider will not be recognized by the Enterprise Server.

  4. Edit the java-home/jre/lib/security/java.security properties file in any text editor. Add the JCE provider you’ve just downloaded to this file.

    The java.security file contains detailed instructions for adding this provider. Basically, you need to add a line of the following format in a location with similar properties:


    security.provider.n=provider-class-name
    

    In this example, n is the order of preference to be used by the Enterprise Server when evaluating security providers. Set n to 2 for the JCE provider you’ve just added.

    For example, if you’ve downloaded The Legion of the Bouncy Castle JCE provider, you would add this line.


    security.provider.2=org.bouncycastle.jce.provider.
       BouncyCastleProvider

    Make sure that the Sun security provider remains at the highest preference, with a value of 1.


    security.provider.1=sun.security.provider.Sun

    Adjust the levels of the other security providers downward so that there is only one security provider at each level.

    The following is an example of a java.security file that provides the necessary JCE provider and keeps the existing providers in the correct locations.


    security.provider.1=sun.security.provider.Sun
    security.provider.2=org.bouncycastle.jce.provider.
       BouncyCastleProvider
    security.provider.3=com.sun.net.ssl.internal.ssl.Provider
    security.provider.4=com.sun.rsajca.Provider
    security.provider.5=com.sun.crypto.provider.SunJCE
    security.provider.6=sun.security.jgss.SunProvider
  5. Save and close the file.

  6. Restart the Enterprise Server.

Message Security Setup

Most of the steps for setting up the Enterprise Server for using message security can be accomplished using the Admin Console, the asadmin command-line tool, or by manually editing system files. In general, editing system files is discouraged due to the possibility of making unintended changes that prevent the Enterprise Server from running properly, therefore, where possible, steps for configuring the Enterprise Server using the Admin Console are shown first, with the asadmin tool command shown after. Steps for manually editing system files are shown only when there is no Admin Console or asadmin equivalent.

Support for message layer security is integrated into the Enterprise Server and its client containers in the form of (pluggable) authentication modules. By default, message layer security is disabled on the Enterprise Server. The following sections provide the details for enabling, creating, editing, and deleting message security configurations and providers.

In most cases, it will be necessary to restart the Enterprise Server after performing the administrative operations listed above. This is especially the case if you want the effects of the administrative change to be applied to applications that were already deployed on the Enterprise Server at the time the operation was performed.

Enabling Providers for Message Security

To enable message security for web services endpoints deployed in the Enterprise Server, you must specify a provider to be used by default on the server side. If you enable a default provider for message security, you also need to enable providers to be used by clients of the web services deployed in the Enterprise Server. Information for enabling the providers used by clients is discussed in Enabling Message Security for Application Clients.

To enable message security for web service invocations originating from deployed endpoints, you must specify a default client provider. If you enabled a default client provider for the Enterprise Server, you must ensure that any services invoked from endpoints deployed in the Enterprise Server are compatibly configured for message layer security.

Use the command-line utility:

Configuring the Message Security Provider

Typically, a provider would be re-configured to modify its message protection policies, although the provider type, implementation class, and provider-specific configuration properties may also be modified.

Use the command-line utility to set the response policy, replace the word request in the following commands with response.

Creating a Message Security Provider

To configure an existing provider using the Admin Console, select Configuration node > the instance to Configure> Security node > Message Security node > SOAP node > Providers tab.

For more detailed instructions on creating a message security provider, see the Admin Console online help.

Enabling Message Security for Application Clients

The message protection policies of client providers must be configured such that they are equivalent to the message protection policies of the server-side providers they will be interacting with. This is already the case for the providers configured (but not enabled) when the Enterprise Server is installed.

To enable message security for client applications, modify the Enterprise Server specific configuration for the application client container.

Setting the Request and Response Policy for the Application Client Configuration

The request and response policies define the authentication policy requirements associated with request and response processing performed by the authentication provider. Policies are expressed in message sender order such that a requirement that encryption occur after content would mean that the message receiver would expect to decrypt the message before validating the signature.

To achieve message security, the request and response policies must be enabled on both the server and client. When configuring the policies on the client and server, make sure that the client policy matches the server policy for request/response protection at application-level message binding.

To set the request policy for the application client configuration, modify the Enterprise Server specific configuration for the application client container as described in Enabling Message Security for Application Clients. In the application client configuration file, add the request-policy and response-policy elements as shown to set the request policy.

The other code is provided for reference. The other code may differ slightly in your installation. Do not change it.


<client-container>
  <target-server name="your-host" address="your-host"
      port="your-port"/>
  <log-service file="" level="WARNING"/>
  <message-security-config auth-layer="SOAP"
      default-client-provider="ClientProvider">
    <provider-config
        class-name="com.sun.enterprise.security.jauth.ClientAuthModule"
        provider-id="ClientProvider" provider-type="client">
      <request-policy auth-source="sender | content"
        auth-recipient="after-content | before-content"/>
      <response-policy auth-source="sender | content"
        auth-recipient="after-content | before-content"/>
       <property name="security.config"
           value="as-install/lib/appclient/wss-client-config.xml"/>
    </provider-config>
  </message-security-config>
</client-container>

Valid values for auth-source include sender and content. Valid values for auth-recipient include before-content and after-content. A table describing the results of various combinations of these values can be found in Actions of Request and Response Policy Configurations.

To not specify a request or response policy, leave the element blank, for example:


<response-policy/>

Further Information