Overview of Security

Security is about protecting data: how to prevent unauthorized access or damage to it in storage or transit. The Application Server has a dynamic, extensible security architecture based on the J2EE standard. Built in security features include cryptography, authentication and authorization, and public key infrastructure. The Application Server is built on the Java security model, which uses a sandbox where applications can run safely, without potential risk to systems or users. The following topics are discussed:

• Understanding Application and System Security

• Tools for Managing Security

• Managing Security of Passwords

• Assigning Security Responsibilities

Understanding Application and System Security

Broadly, there are two kinds of application security:

• In programmatic security, application code written by the developer handles security chores. As an administrator, you don’t have any control over this mechanism. Generally, programmatic security is discouraged since it hard-codes security configurations in the application instead of managing it through the J2EE containers.

• In declarative security, the container (the Application Server) handles security through an application’s deployment descriptors. You can control declarative security by editing deployment descriptors directly or with a tool such as deploytool. Because deployment descriptors can change after an application is developed, declarative security allows for more flexibility.

In addition to application security, there is also system security, which affects all the applications on an Application Server system.

Programmatic security is controlled by the application developer, so this document does not discuss it; declarative security is somewhat less so, and this document touches on it occasionally. This document is intended primarily for system administrators, and so focuses on system security.

Tools for Managing Security

The Application Server provides the following tools for managing security:

• Admin Console, a browser-based tool used to configure security for the entire server, to manage users, groups, and realms, and to perform other system-wide security tasks. For a general introduction to the Admin Console, see Tools for Administration. For an overview of the security tasks you can perform with the Admin Console, see Managing Security With the Admin Console.

• asadmin, a command-line tool that performs many of the same tasks as the Admin Console. You may be able to do some things with asadmin that you cannot do with Admin Console. You perform asadmin commands from either a command prompt or through a script, to automate repetitive tasks. For a general introduction to asadmin, see Tools for Administration.

The Java Enterprise Edition 5 platform (Java EE 5), provides two tools for managing security:

• keytool, a command-line utility for managing digital certificates and key pairs. Use keytool to manage users in the certificate realm.

• policytool, a graphical utility for managing system-wide Java security policies. As an administrator, you will rarely need to use policytool.

For more information on using keytool, policytool, and other Java security tools, see Java 2 SDK Tools and Utilities at http://java.sun.com/j2se/1.5.0/docs/tooldocs/index.html#security.

Managing Security of Passwords

In this release of the Application Server, the file domain.xml, which contains the specifications for a particular domain, initially contains the password of the Sun Java System Message Queue broker in clear text. The element in the domain.xml file that contains this password is the admin-password attribute of the jms-host element. Because this password is not changeable at installation time, it is not a significant security impact.

However, use the Admin Console to add users and resources and assign passwords to these users and resources. Some of these passwords are written to the domain.xml file in clear text, for example, passwords for accessing a database. Having these passwords in clear text in the domain.xml file can present a security hazard. You can encrypt any password in domain.xml, including the admin-password attribute or a database password using the following procedure.

To encrypt a password in domain.xml

1. From the directory where the domain.xml file resides (domain-dir/config by default), run the following asadmin command:

   asadmin create-password-alias --user admin alias-name

   For example,

   asadmin create-password-alias --user admin jms-password

   A password prompt appears (admin in this case). Refer to the man pages for the create-password-alias, list-password-aliases, delete-password-alias commands for more information.

2. Remove and replace the password in domain.xml using the asadmin set command. For example:

   asadmin set --user admin server.jms-service.jms-host.default_JMS_host.admin-password='${ALIAS=jms-password}'

3. Restart the Application Server for the relevant domain.

Protecting files with encoded passwords

Some files contain encoded passwords that need protecting using file system permissions. These files include the following:

• domain-dir/master-password

  This file contains the encoded master password and should be protected with file system permission, 600.

• Any password file created to pass as an argument using the --passwordfile argument to asadmin should be protected with file system permission, 600.

To change the master password

The master password (MP) is an overall shared password. It is never used for authentication and is never transmitted over the network. This password is the choke point for overall security; the user can choose to enter it manually when required, or obscure it in a file. It is the most sensitive piece of data in the system. The user can force prompting for the MP by removing this file. When the master password is changed, it is saved again in the master-password keystore.

1. Stop the Application Server for the domain. Use the asadmin change-master-password command, which prompts for the old and new passwords, then re-encrypts all dependent items. For example,

   asadmin change-master-password> Please enter the new master password> Please enter the the new master password again>

2. Restart the Application Server.

To change the admin password

Encrypting the admin password was discussed in Managing Security of Passwords. Encrypting the admin password is strongly encouraged. If you want to change the admin password before encrypting it, use the asadmin set command. The following example shows the use of set command for changing the password:

asadmin set --user admin 
server.jms-service.jms-host.default_JMS_host.admin-password=new_pwd

It is also possible to change the admin password using the Admin Console as in the following procedure.

1. In the Admin Console tree component, expand the Configuration node.

2. Expand the Security node.

3. Expand the Realms node.

4. Select the admin-realm node.

5. Click the Manage Users button from the Edit Realm page.

6. Select the user named admin.

7. Enter the new password and confirm the password.

8. Click Save to save or click Close to close without saving.

Assigning Security Responsibilities

Security responsibilities are assigned to the following:

• Application Developer

• Application Deployer

• System Administrator

Application Developer

The application developer is responsible for the following:

• Specifying roles and role-based access restrictions for application components.

• Defining an application’s authentication method and specifying the parts of the application that are secured.

An application developer can use tools such as NetBeans to edit application deployment descriptors. These security tasks are discussed in more detail in the Security chapter of The Java EE 5 Tutorial, which can be viewed at Java EE 5 Tutorial.

Application Deployer

The application deployer is responsible for:

• Mapping users or groups (or both) to security roles.

• Refining the privileges required to access component methods to suit the requirements of the specific deployment scenario.

System Administrator

The system administrator is responsible for:

• Configuring security realms.

• Managing user accounts and groups.

• Managing audit logs.

• Managing server certificates and configuring the server’s use of secure sockets layer (SSL).

• Handling other miscellaneous system-wide security features, such as security maps for connector connection pools, additional JACC Providers, and so on.

A system administrator uses the Admin Console to manage server security settings and keytool to manage certificates. This document is intended primarily for system administrators.