15 Common Secure Interoperability Protocol

OC4J supports the Common Secure Interoperability Version 2 protocol (CSIv2). CSIv2 specifies different conformance levels; OC4J complies with the EJB specification, which requires conformance level 0.

This chapter covers the following topics:

• EJB Server Security Properties in internal-settings.xml

• EJB Client Security Properties in ejb_sec.properties

• Introduction to CSIv2 Security Properties

• CSIv2 Security Properties in internal-settings.xml

• CSIv2 Security Properties in ejb_sec.properties

• CSIv2 Security Properties in orion-ejb-jar.xml

Note: If your application uses JAAS, you must configure the OracleAS JAAS Provider to use CSIv2. See information about the supportCSIv2 option in "Configuring RealmLoginModule".

EJB Server Security Properties in internal-settings.xml

Specify server security properties in internal-settings.xml.

Note: You cannot update internal-settings.xml with the Application Server Control.

This file specifies certain properties as values within <sep-property> entities. Table 15-1 contains a list of properties.

The table refers to keystore and truststore files, which use the Java Key Store (JKS), a JDK-specified format, to store keys and certificates. A keystore stores a map of private keys and certificates. A truststore stores trusted certificates for the certificate authorities (CAs, such as VeriSign and Thawte).

Table 15-1 EJB Server Security Properties

Property	Meaning
port	IIOP port number (defaults to 5555).
ssl	A true setting indicates IIOP/SSL is supported.
ssl-port	IIOP/SSL port number (defaults to 5556). This port is used for server-side authentication only. If your application uses client and server authentication, you also need to set ssl-client-server-auth-port.
ssl-client-server-auth-port	Port used for client and server authentication (defaults to 5557). This is the port on which OC4J listens for SSL connections that require both client and server authentication. If not set, OC4J will listen on ssl-port + 1 for client-side authentication.
keystore	Name and path of the keystore (used only if ssl is true). An absolute path is recommended.
keystore-password	Keystore password (used only if ssl is true).
trusted-clients	Comma-delimited list of hosts whose identity assertions can be trusted. Each entry in the list can be an IP address, a host name, a host name pattern (for example, *.example.com), or * (where "*" alone means that all clients are trusted). The default is to trust no clients.
truststore	Name and path of the truststore. An absolute path is recommended. If you do not specify a truststore for a server, OC4J uses the keystore as the truststore (used only if ssl is true).
truststore-password	Truststore password (used only if ssl is true).

• If OC4J is started by the Oracle Process Manager and Notification Server (OPMN) in an Oracle Application Server environment, then ports specified in internal-settings.xml are overridden. Note that IIOP SSL ports may fail to start if the keystore or truststore location or password is missing or incorrect. In such a case, you are advised to look at the appropriate OPMN log file to see the exact nature of the failure.

• If OPMN is configured to disable IIOP for a particular OC4J instance, then, even though IIOP may be enabled through internal-settings.xml (as pointed to by server.xml), IIOP is not enabled.

• Keystore and truststore settings are supported in internal-settings.xml for both standalone OC4J and a full Oracle Application Server environment. In Oracle Application Server, there are no OPMN options to set these values, so they must be configured manually.

The following example shows a typical internal-settings.xml file:

<server-extension-provider name="IIOP"
        class="com.oracle.iiop.server.IIOPServerExtensionProvider">
    <sep-property name="port" value="5555" />
    <sep-property name="host" value="localhost" />
    <sep-property name="ssl" value="true" />
    <sep-property name="ssl-port" value="5556" />
    <sep-property name="ssl-client-server-auth-port" value="5557" />
    <sep-property name="keystore" value="keystore.jks" />
    <sep-property name="keystore-password" value="123456" />
    <sep-property name="truststore" value="truststore.jks" />
    <sep-property name="truststore-password" value="123456" />
    <sep-property name="trusted-clients" value="*" />
</server-extension-provider>

Note: Although here the default value of port is one less than the default value for ssl-port, this relationship is not required.

Here is the DTD for internal-settings.xml:

<!-- A server extension provider that is to be plugged in to the server. --> 
<!ELEMENT server-extension-provider (sep-property*) (#PCDATA)> 
<!ATTLIST server-extension-provider name class CDATA #IMPLIED>
<!ELEMENT sep-property (#PCDATA)> 
<!ATTLIST sep-property name value CDATA #IMPLIED>
<!-- This file contains internal server configuration settings. --> 
<!ELEMENT internal-settings (server-extension-provider*)>

See Also: "CSIv2 Security Properties in internal-settings.xml"

EJB Client Security Properties in ejb_sec.properties

Any client, whether running inside a server or not, has EJB security properties. Table 15-2 lists the EJB client security properties controlled by the ejb_sec.properties file. By default, OC4J searches for this file in the current directory when running as a client, or in ORACLE_HOME/j2ee/home/config when running in the server. You can specify the location of this file explicitly with the system property setting -Dejb_sec_properties_location=pathname.

Table 15-2 EJB Client Security Properties

Property	Meaning
# oc4j.iiop.keyStoreLoc	The path and name of the keystore. An absolute path is recommended.
# oc4j.iiop.keyStorePass	The password for the keystore.
# oc4j.iiop.trustStoreLoc	The path name and name of the truststore. An absolute path is recommended.
# oc4j.iiop.trustStorePass	The password for the truststore.
# oc4j.iiop.enable.clientauth	Whether the client supports client-side authentication. If this property is set to true, you must specify a keystore location and password.
# oc4j.iiop.ciphersuites	Which cipher suites are to be enabled. The valid cipher suites are: TLS_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_MD5 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 SSL_RSA_EXPORT_WITH_RC4_40_MD5 TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
nameservice.useSSL	Whether to use SSL when making the initial connection to the server.
client.sendpassword	Whether to send user name and password in clear form (unencrypted) in the service context when not using SSL. If this property is set to true, the user name and password are sent only to servers listed in the trustedServer list.
oc4j.iiop.trustedServers	A list of servers that can be trusted to receive passwords sent in clear form. This has no effect if client.sendpassword is set to false. The list is comma-delimited. Each entry in the list can be an IP address, a host name, a host name pattern (for example, *.example.com), or * (where "*" alone means that all servers are trusted.

Notes: The ejb_sec.properties file is used for client-side operations, where internal-settings.xml would not be present. The properties marked with # can be set either in ejb_sec.properties or as system properties. The settings in ejb_sec.properties override settings specified as system properties.

See Also: "CSIv2 Security Properties in ejb_sec.properties"

Introduction to CSIv2 Security Properties

CSIv2 is an Object Management Group (OMG) standard for a secure interoperable wire protocol that supports authorization and identity delegation. Configure CSIv2 properties in three different locations:

• internal-settings.xml (server side)

• ejb_sec.properties (client side)

• orion-ejb-jar.xml

These configuration files are discussed in "CSIv2 Security Properties in internal-settings.xml" (the next section), "CSIv2 Security Properties in ejb_sec.properties", and "CSIv2 Security Properties in orion-ejb-jar.xml".

CSIv2 Security Properties in internal-settings.xml

This section discusses the semantics of the values you set within the <sep-property> element in internal-settings.xml. For details of the syntax, see "EJB Server Security Properties in internal-settings.xml" .

To use the CSIv2 protocol with OC4J, you must both set ssl to true and specify an IIOP/SSL port (ssl-port).

• If you do not set ssl to true, then CSIv2 is not enabled. Setting ssl to true permits clients and servers to use CSIv2, but does not require them to communicate using SSL.

• If you do not specify ssl-port, then no CSIv2 component tag is created, even if you configure an <ior-security-config> entity in orion-ejb-jar.xml.

When IIOP/SSL is enabled on the server, OC4J listens on two different sockets—one for server authentication alone and one for server and client authentication. Specify the server authentication port number within the <sep-property> element. OC4J adds 1 to this for the server and client authentication port number.

For SSL clients using server authentication alone, you can specify:

• Truststore only

• Both keystore and truststore

• Neither

If you specify neither keystore nor truststore, the handshake may fail if there are no default truststores established by the security provider.

SSL clients using client-side authentication must specify both a keystore and a truststore. The certificate from the keystore is used for client authentication.

CSIv2 Security Properties in ejb_sec.properties

This section discusses usage of the ejb_sec.properties file for CSIv2 security settings. See "EJB Client Security Properties in ejb_sec.properties" for general information about this file and its syntax.

If the client does not use client-side SSL authentication, you must set client.sendpassword in the ejb_sec.properties file in order for the client runtime to insert a security context and send the user name and password. You must also set server.trustedhosts to include your server.

Note: Server-side authentication takes precedence over a user name and password.

If the client does use client-side SSL authentication, the server extracts the DN from the client's certificate and then looks it up in the corresponding security provider; it does not perform password authentication.

Two types of trust relationships exist:

• Clients trusting servers to transmit user names and passwords using non-SSL connections

• Servers trusting clients to send identity assertions, which delegate an originating client's identity

Clients list trusted servers in the EJB property oc4j.iiop.trustedServers. See Table 15-2, "EJB Client Security Properties" for details. Servers list trusted clients in the trusted-client property of the <sep-property> element in internal-settings.xml. See "EJB Server Security Properties in internal-settings.xml" for details.

Conformance level 0 of the EJB standard defines two ways of handling trust relationships:

• Presumed trust, in which the server presumes that the logical client is trustworthy, even if the logical client has not authenticated itself to the server, and even if the connection is not secure

• Authenticated trust, in which the target trusts the intermediate server based on authentication, either at the transport level or in the trusted-client list or both

  
  

  Note: You can also configure the server to both require SSL client-side authentication and specify a list of trusted client (or intermediate) hosts that are allowed to insert identity assertions.

  
  

OC4J supports both kinds of trust. Configure trust using the bean <ior-security-config> element in orion-ejb-jar.xml. See the next section, "CSIv2 Security Properties in orion-ejb-jar.xml", for details.

CSIv2 Security Properties in orion-ejb-jar.xml

This section discusses the CSIv2 security properties for an EJB. Configure the CSIv2 security policies of each individual bean in its orion-ejb-jar.xml file. The CSIv2 security properties are specified within <ior-security-config> elements. Each element contains a <transport-config> subelement, an <as-context> subelement, and a <sas-context> subelement.

The DTD for the <ior-security-config> element is as follows:

<!ELEMENT ior-security-config (transport-config?, as-context? sas-context?) >
<!ELEMENT transport-config (integrity, confidentiality, 
establish-trust-in-target, establish-trust-in-client) >
<!ELEMENT as-context (auth-method, realm, required) >
<!ELEMENT sas-context (caller-propagation) >
<!ELEMENT integrity (#PCDATA) > 
<!ELEMENT confidentiality (#PCDATA)> 
<!ELEMENT establish-trust-in-target (#PCDATA) > 
<!ELEMENT establish-trust-in-client (#PCDATA) >
<!ELEMENT auth-method (#PCDATA) > 
<!ELEMENT realm (#PCDATA) > 
<!ELEMENT required (#PCDATA)> <!-- Must be true or false --> 
<!ELEMENT caller-propagation (#PCDATA) >

The rest of this section covers the following elements:

• The <transport-config> element

• The <as-context> element

• The <sas-context> element

The <transport-config> element

This element specifies the transport security level. Each subelement under <transport-config> must be set to supported, required, or none. The setting none means that the bean neither supports nor uses that feature; supported means that the bean permits the client to use the feature; required means that the bean insists that the client use the feature. The subelements are:

• <integrity>: Is there a guarantee that all transmissions are received exactly as they were transmitted?

• <confidentiality>: Is there a guarantee that no third party was able to read transmissions?

• <establish-trust-in-target>: Does the server authenticate itself to the client? This element may be set to either supported or none; it cannot be set to required.

• <establish-trust-in-client>: Does the client authenticate itself to the server?

  
  

  Notes: If you set <establish-trust-in-client> to required, this overrides setting <auth-method> to username_password under <as-context>. If you do this, you must also set the <required> element in the <as-context> section to false; otherwise access permission issues will arise. Setting any of the <transport-config> properties to required means that the bean will use RMI/IIOP/SSL to communicate.

  
  

The <as-context> element

This element specifies the message-level authentication properties. Its subelements are:

• <auth-method>: Must be set to either username_password or none. If it is set to username_password, beans use user names and passwords to authenticate the caller.

• <realm>: Must be set to default in the current implementation.

• <required>: If this is set to true, the bean requires the caller to specify a user name and password.

The <sas-context> element

This element specifies the identity delegation properties. It has one subelement, <caller-propagation>, which can be set to supported, required, or none, as follows:

• If it is set to supported, the bean accepts delegated identities from intermediate servers.

• If it is set to required, the bean requires all other beans to transmit delegated identities.

• If it is set to none, the bean does not support identity delegation.

Example: <ior-security-config>

The following example uses the <ior-security-config> element and its subelements:

<ior-security-config> 
  <transport-config> 
    <integrity>supported</integrity> 
    <confidentiality>supported</confidentiality> 
    <establish-trust-in-target>supported</establish-trust-in-target> 
    <establish-trust-in-client>supported</establish-trust-in-client> 
  </transport-config> 
  <as-context> 
    <auth-method>username_password</auth-method> 
    <realm>default</realm> 
    <required>true</required> 
  </as-context> 
  <sas-context> 
    <caller-propagation>supported</caller-propagation> 
  </sas-context> 
</ior-security-config>