Sun ONE Application Server 7 Administrator's Guide to Security
816-7158-10
Updated: October 15, 2002
Contents
Who Should Use This Book
Using the Documentation
How This Guide Is Organized
Documentation Conventions
General Conventions
Product Support
Conventions Referring to Directories
Introducing Sun ONE Application Server Security
Application Server Security
Certificate Administration
HTTP Server Security Features
SSL/TLS Encryption
Authentication
Auditing
HTTP Server User-Group Authentication
J2EE Application Security Features
HTTP Server Host-IP Authentication
HTTP Server SSL Client Authentication
HTTP Server Access Control
Netscape API (NSAPI)
Declarative Security
Good Practices
Programmatic Security
User Authentication
Realm Administration
Single Sign-On
Resource Authentication
Pluggable Authentication
Files Associated With Server Security
The init.conf File
The dbswitch.conf File
The server.xml File
The obj.conf File
The password.conf File
The certmap.conf File
ACL Files
The htaccess Files
Keyfile
The server.policy File
About General Security
Limiting Physical Access
Using Firewalls
Single Firewall
Limiting Administration Access
Double Firewall - DMZ Configuration
Triple Firewall - DMZ With Database Protection
Managing Passwords
Creating Hard-to-Crack Passwords
Limiting Other Applications on the Server
Managing the Superuser Password
Changing Passwords or PINs
Using the password.conf File
Securing Against an Unprotected Server
About Certificates and Authentication
Implementing the Trust Database
Creating a Trust Database
Implementing a Certificate
Changing a Trust Database Password
Required CA Information
Using the Built-in Root Certificate Module
Requesting a Certificate
Installing a Certificate
Managing Certificates
Managing CRLs and CKLs
Installing a CRL or CKL
Deleting a CRL or CKL
Administering SSL/TLS Encryption
About Encryption
SSL and TLS Protocols
Enabling SSL Communication with LDAP
Public and Private Keys
Task Sequence
Turning Security On
Turning Security On When Creating an HTTP Listener
Enabling SSL and TLS
Turning Security On When Editing an HTTP Listener
Configuring Security Globally
SSL Configuration File Directives
Using External Encryption Modules
SSLCacheEntries
Setting Values for SSL Directives
SSLClientAuthDataLimit
SSLClientAuthTimeout
SSLSessionTimeout
SSL3SessionTimeout
Installing the PKCS11 Module
Setting Strong Ciphers
Starting the Server with an External Certificate
Enabling FIPS-140 Standard
Preventing Clients from Caching SSL Files
Administering HTTP Server Access Control
About HTTP Server Access Control
HTTP Server User-Group Authentication
Implementing Digest Authentication
Basic Authentication
Host-IP Authentication
SSL Authentication
Digest Authentication
Access Control List (ACL) Files
Client Authentication
Installing the Digest Authentication Plug-in
Implementing Host-IP Authentication
Digest Authentication on UNIX
Setting the Sun ONE Directory Server to Use the DES Algorithm
Digest Authentication on Windows
Working With ACL Files
ACL File Syntax
Setting Up Client Authentication
Type Statement
Authentication Statement
Authorization Statement
Hierarchy of Authorization Statements
Sample ACL File
Attribute Expressions
Operators
Writing Customized ACL Expressions
Setting Client Authentication for the Admin Server
ACL/ACE Settings
Setting Client Authentication for a Server Instance
Working with the certmap.conf File
Default Properties
Creating Custom Properties
Sample Mappings
Setting to Allow or Deny
Referencing ACL Files in the obj.conf File
Setting for User-Group Authentication
Specifying the From Host
Setting Access Rights
Configuring the ACL User Cache
Setting Access Control for a Server Instance
ACLCacheLifetime
ACLUserCacheSize
ACLGroupCacheSize
Restricting Access to Areas of Your Server
Restricting Access to the Entire Server
Turning Off Access Control
Restricting Access to a Directory (Path)
Restricting Access to a URI (Path)
Restricting Access to a File Type
Restricting Access Based on Time of Day
Restricting Access Based on Security
Responding When Access is Denied
Controlling Access for Virtual Servers
Accessing Databases from Virtual Servers
Using htaccess Files
Using the dbswitch.conf File
Editing Access Control Lists for Virtual Servers
Creating a New Authentication Database
Specifying Databases in the User Interface
Enabling htaccess from the User Interface
Enabling htaccess from init.conf
Using htaccess-register
Supported htaccess Directives