Sun Java System Application Server Platform Edition 8.1 2005Q2 Update 2 Administration Guide

Admin Console Tasks for Listeners and JMX Connectors

Procedure: To configure security for HTTP listeners

Each virtual server in the HTTP service provides network connections through one or more HTTP listeners. With the Admin Console, create new HTTP listeners and edit the security settings of existing HTTP listeners.

  1. In the Admin Console tree component, expand the Configuration node.

  2. Expand the HTTP Service node.

  3. Select the HTTP Listeners node.

  4. Select an HTTP listener to edit an existing listener or click New and follow the procedure in To create an HTTP listener to create a new listener.

  5. Follow the procedure in To set listener security properties to set security properties.

  6. Click Save to save the changes, or click the browser’s Back button to cancel without saving.

Equivalent asadmin command

create-http-listener

Procedure: To configure security for IIOP listeners

The Application Server supports CORBA (Common Object Request Broker Architecture) objects, which use the Internet Inter-Orb Protocol (IIOP) to communicate across the network. An IIOP listener accepts incoming connections from remote clients of EJB components and from other CORBA-based clients. With the Admin Console, create new IIOP listeners and edit the settings of existing IIOP listeners.

  1. In the Admin Console tree component, expand the Configuration node.

  2. Expand the ORB node.

  3. Select the IIOP Listeners node.

  4. Select an IIOP listener to edit that listener or click New and follow the procedure in To create an IIOP listener to create a new listener.

  5. Follow the procedure in To set listener security properties to set security properties.

  6. Click Save to save the changes, or click Load Defaults to restore the properties to their default values.

    If a new listener was created, it will now be listed in the Current Listeners table on the IIOP Listeners page.

Equivalent asadmin command

create-iiop-listener

Procedure: To configure security for the Admin Service’s JMX connector

  1. In the Admin Console tree component, expand the Configuration node.

  2. Expand the Admin Service node.

  3. Select the admin service to be modified.

  4. Follow the procedure in To set listener security properties to set security properties.

  5. Click Save to save the changes, or click Load Defaults to restore the properties to their default values.

Procedure: To set listener security properties

This procedure applies to HTTP listener, IIOP listener, and JMX Connector security properties.

  1. In the Edit HTTP Listener, Edit IIOP Listener, or Edit JMX Connector page, go to the section labeled SSL.

  2. Check the Enabled box in the Security field to enable security for this listener. When this option is selected, you must select SSL3 or TLS to specify which type of security is enabled, and you must enter a certificate nickname.

  3. Check the Enabled box in the Client Authentication field if clients are to authenticate themselves to the Application Server when using this listener.

  4. Enter the keystore alias in the Certificate Nickname field if the Enabled box is checked. The keystore alias is a single value that identifies an existing server key pair and certificate. The certificate nickname for the default keystore is s1as.

    To find the Certificate Nickname, list the keystore with keytool, as shown in the following example:

    keytool -list -v -keystore keystore.jks

    If the keystore file has been renamed, use that file name instead of keystore.jks.

  5. Select SSL3 and/or TLS if the Enabled box is checked. By default, both SSL3 and TLS are enabled.

  6. Enable individual cipher suites, if needed. By default, all supported cipher suites are enabled. Ciphers are discussed in About Ciphers.

  7. Select Save to save the changes or Load Defaults to cancel.

Procedure: To secure CORBA objects

CORBA objects include Java RMI-IIOP and Java IDL or POA based CORBA objects, excluding EJB modules. By default, authentication is not required for CORBA objects.

  1. Configure authentication, if desired.

    1. Expand the ORB node, and then the IIOP Listeners node.

    2. Click the SSL listener.

    3. Select the Security Enabled checkbox.

    4. Click Save.

    5. Restart the Application Server.

    Once authentication is turned on, all clients need to authenticate by supplying a user name and password (if using basic authentication) or a certificate (if using SSL mutual authentication).

  2. Configure authorization.

    To turn on authorization for CORBA objects, specify the appropriate security policy in the server’s security configuration file, domain-dir/config/server.policy.

    By default, all users are allowed to access all non-EJB CORBA objects in the server, as specified by the following default grant block:

    grant {
       permission com.sun.enterprise.security.CORBAObjectPermission "*", "*";
    }

    CORBAObjectPermission is a special Java Permission class that controls which users are allowed to access non-EJB CORBA objects in the server. CORBAObjectPermission takes two parameters:

    • A CORBA object name.

      In the Application Server, only the name “*” is supported, that is, it is not possible to specify a specific CORBA object name.

    • A comma-separated list of method names.

      In the Application Server, only “*” is supported, that is, it is not possible to specify a specific method name.

    The general form of a CORBAObjectPermission grant block is:

    grant principal principal-class-name "principal-name" { 
       permission com.sun.enterprise.security.CORBAObjectPermission "*", "*"; 
    }

    where the principal-class-name is either:

    • com.sun.enterprise.deployment.PrincipalImpl (for a single principal)

    • com.sun.enterprise.deployment.Group (for a named group of principals)

  3. Configure message protection:

    Integrity and confidentiality of IIOP messages used in requests and replies during CORBA invocations can be protected by using SSL. By default, the server supports both plain IIOP and IIOP-over-SSL invocations.

    1. To force clients to use only SSL for IIOP invocations, remove all non-SSL iiop-listener elements in the iiop-service element in domain.xml.

      This ensures that the server will not service plain IIOP invocations. By default, application clients use plain IIOP for making requests if the server supports plain IIOP.

    2. To force the client to use SSL, a change is needed in the application client configuration file sun-acc.xml (which is also located in the domain’s config directory).

      Specifically, the property ssl with value required should be added inside the <client-container> element, as follows:

      <client-container>
         <property name="ssl" value="required"/>
         <target-server .... />
      </client-container>
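The two message-protection steps above can be checked mechanically. The following audit script is an added example, not code from the Sun documentation or the product: it reports iiop-listener elements in domain.xml that still serve plain IIOP and verifies that sun-acc.xml carries the ssl=required property. The element names come from the procedure; the attribute names id, enabled and security-enabled, the sample values, and the target-server attributes are assumptions constructed for the example.

```python
# Added audit script; not part of the Application Server documentation or product.
# It checks an iiop-service fragment from domain.xml for listeners that still serve
# plain IIOP, and a sun-acc.xml fragment for the ssl=required client property.
# Element names (iiop-service, iiop-listener, client-container, property) come from
# the procedure above; the attributes id, enabled and security-enabled are assumed.
import xml.etree.ElementTree as ET

# Constructed sample domain.xml: one plain listener, one SSL listener, one disabled.
DOMAIN_XML = """<domain><configs><config name="server-config">
  <iiop-service>
    <iiop-listener id="orb-listener-1" port="3700" enabled="true" security-enabled="false"/>
    <iiop-listener id="SSL" port="3820" enabled="true" security-enabled="true"/>
    <iiop-listener id="old-plain" port="3701" enabled="false" security-enabled="false"/>
  </iiop-service>
</config></configs></domain>"""

# Constructed sample sun-acc.xml that has not yet been forced to SSL.
SUN_ACC_XML = """<client-container>
  <target-server name="localhost" address="127.0.0.1" port="3700"/>
</client-container>"""

def plain_iiop_listeners(domain_xml):
    """Ids of enabled iiop-listener elements with SSL off. The procedure removes
    every such listener so the server cannot service plain IIOP; empty means done."""
    root = ET.fromstring(domain_xml)
    offenders = []
    for listener in root.iter("iiop-listener"):
        enabled = listener.get("enabled", "true").lower() == "true"
        secure = listener.get("security-enabled", "false").lower() == "true"
        if enabled and not secure:
            offenders.append(listener.get("id", "<no id>"))
    return offenders

def client_ssl_required(sun_acc_xml):
    """True only if client-container carries <property name="ssl" value="required"/>."""
    root = ET.fromstring(sun_acc_xml)
    container = root if root.tag == "client-container" else root.find(".//client-container")
    if container is None:
        return False
    for prop in container.findall("property"):
        if prop.get("name") == "ssl":
            return prop.get("value") == "required"
    return False

if __name__ == "__main__":
    for lid in plain_iiop_listeners(DOMAIN_XML):
        print("plain IIOP still served by listener:", lid)
    print("application client forced to SSL:", client_ssl_required(SUN_ACC_XML))
```

Run it against the real domain-dir/config/domain.xml and sun-acc.xml after editing them; both checks should come back clean before treating IIOP traffic as protected.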