Sun Java System Application Server Platform Edition 9 Administration Guide

Configuring Listeners and JMX Connectors

Configuring Security for HTTP Listeners

Each virtual server in the HTTP service provides network connections through one or more HTTP listeners. To configure security for HTTP listeners using the Admin Console, go to Configuration > HTTP Service > HTTP Listeners. Select an HTTP listener to modify its settings. Follow the procedure in To set listener security properties to set security properties.

Equivalent asadmin command: create-http-listener.

Configuring Security for IIOP Listeners

The Application Server supports CORBA (Common Object Request Broker Architecture) objects, which use the Internet Inter-Orb Protocol (IIOP) to communicate across the network. An IIOP listener accepts incoming connections from remote clients of EJB components and from other CORBA-based clients. With the Admin Console, create new IIOP listeners and edit the settings of existing IIOP listeners.

To configure security for IIOP listeners, in the Admin Console, go to Configuration > ORB > IIOP Listeners. Follow the procedure in To set listener security properties to set security properties.

Equivalent asadmin command: create-iiop-listener.

Configuring Security For The Admin Service’s JMX Connector

In the Admin Console, go to Configuration > Admin Service. Select the admin service to modify. Follow the procedure in To set listener security properties to set security properties.

Procedure: To set listener security properties

This procedure applies to HTTP listener, IIOP listener, and JMX Connector security properties.

  1. In the Edit HTTP Listener, Edit IIOP Listener, or Edit JMX Connector page, go to the section labeled SSL.

  2. Check the Enabled box in the Security field to enable security for this listener. When this option is selected, you must select SSL3 or TLS to specify which type of security is enabled, and you must enter a certificate nickname.

  3. Check the Enabled box in the Client Authentication field if clients are to authenticate themselves to the Application Server when using this listener.

  4. Enter the keystore alias in the Certificate Nickname field if the Enabled box is checked. The keystore alias is a single value that identifies an existing server key pair and certificate. The certificate nickname for the default keystore is s1as.

    To find the certificate nickname, list the contents of the keystore with keytool, for example:

       keytool -list -v -keystore keystore.jks

    If the keystore file has a different name, use that name instead of keystore.jks. In the listing, the nickname is the alias of a key entry (a private key with its certificate chain); a trusted certificate entry cannot be used as the listener's certificate nickname.

  5. Select SSL3 and/or TLS if the Enabled box is checked. By default, both SSL3 and TLS are enabled. Enable only TLS unless a legacy client requires SSL3: SSL 3.0 is an obsolete protocol with known weaknesses.

  6. Enable individual cipher suites, if needed. By default, all supported cipher suites are enabled. Ciphers are discussed in About Ciphers.

  7. Select Save to save the changes or Load Defaults to cancel.
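The following Python script is an added example (not part of the Administration Guide or the product) that audits the result of this procedure from the configuration the Admin Console writes. It reads the ssl sub-element of each http-listener and iiop-listener from a constructed domain.xml excerpt that follows the attribute names of a Platform Edition 9 domain.xml (security-enabled, cert-nickname, ssl3-enabled, tls-enabled, client-auth-enabled), parses a constructed keytool -list -v listing, and flags listeners that are still plain, that still allow SSL3, or whose certificate nickname is not a key-pair entry in the keystore. The file layout and all sample data are assumptions, not copied from a real domain.

```python
"""Audit the SSL section of HTTP and IIOP listeners in an SJSAS 9 domain.xml.

Added example; not part of the Administration Guide or the product. The XML
attribute names follow a Platform Edition 9 domain.xml; the sample data below
is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a plain listener, an SSL listener that still allows SSL3
# and names an alias that is not in the keystore, and a mutual-auth IIOP
# listener that uses the default s1as key pair with TLS only.
SAMPLE_DOMAIN_XML = """<domain><configs><config name="server-config">
  <http-service>
    <http-listener id="http-listener-1" port="8080" security-enabled="false"/>
    <http-listener id="http-listener-2" port="8181" security-enabled="true">
      <ssl cert-nickname="oldcert" client-auth-enabled="false" ssl2-enabled="false"
           ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>
    </http-listener>
  </http-service>
  <iiop-service>
    <iiop-listener id="orb-listener-1" port="3700" security-enabled="false"/>
    <iiop-listener id="SSL_MUTUALAUTH" port="3920" security-enabled="true">
      <ssl cert-nickname="s1as" client-auth-enabled="true" ssl2-enabled="false"
           ssl3-enabled="false" tls-enabled="true"/>
    </iiop-listener>
  </iiop-service>
</config></configs></domain>"""

# Constructed excerpt in the shape of `keytool -list -v -keystore keystore.jks`
# output; only the lines this script reads are included.
SAMPLE_KEYTOOL_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: s1as
Creation date: Jan 1, 2006
Entry type: keyEntry
Certificate chain length: 1

Alias name: verisignclass3ca
Creation date: Jan 1, 2006
Entry type: trustedCertEntry
"""


def parse_keytool_listing(text):
    """Map each alias in a keytool -v listing to its entry type."""
    aliases = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Alias name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            aliases[current] = None
            continue
        m = re.match(r"Entry type:\s*(\S+)", line)
        if m and current:
            aliases[current] = m.group(1)
    return aliases


def audit_listeners(domain_xml, key_aliases):
    """Return {listener id: [findings]} for every HTTP and IIOP listener."""
    key_entries = {"keyEntry", "PrivateKeyEntry"}  # older and newer keytool names
    root = ET.fromstring(domain_xml)
    findings = {}
    for tag in ("http-listener", "iiop-listener"):
        for lst in root.iter(tag):
            notes = []
            if lst.get("security-enabled") != "true":
                notes.append("plain (non-SSL) listener")
            else:
                ssl = lst.find("ssl")
                if ssl is None:
                    notes.append("security-enabled but no ssl element")
                else:
                    nick = ssl.get("cert-nickname")
                    if key_aliases.get(nick) not in key_entries:
                        notes.append("cert-nickname %r is not a key pair in the keystore" % nick)
                    if ssl.get("ssl2-enabled") == "true":
                        notes.append("SSL2 enabled")
                    # Absent attributes follow the guide's defaults: SSL3 and TLS both on.
                    if ssl.get("ssl3-enabled", "true") == "true":
                        notes.append("SSL3 enabled; prefer TLS only")
                    if ssl.get("tls-enabled", "true") != "true":
                        notes.append("TLS disabled")
                    if ssl.get("client-auth-enabled") == "true":
                        notes.append("client certificate required (mutual auth)")
            findings[lst.get("id")] = notes
    return findings


if __name__ == "__main__":
    aliases = parse_keytool_listing(SAMPLE_KEYTOOL_LISTING)
    for lid, notes in audit_listeners(SAMPLE_DOMAIN_XML, aliases).items():
        print(lid, "->", "; ".join(notes) or "ok")
```

Run it against the real files by replacing the two constants with the contents of domain-dir/config/domain.xml and the output of keytool -list -v against the keystore the domain uses.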


Procedure: To secure CORBA objects

CORBA objects include Java RMI-IIOP and Java IDL or POA-based CORBA objects, excluding EJB modules. By default, authentication is not required for CORBA objects.

  1. Configure authentication, if desired.

    1. Expand the ORB node, and then the IIOP Listeners node.

    2. Click the SSL listener.

    3. Select the Security Enabled checkbox.

    4. Click Save.

    5. Restart the Application Server.

    Once authentication is turned on, all clients need to authenticate by supplying a user name and password (if using basic authentication) or a certificate (if using SSL mutual authentication).

  2. Configure authorization.

    To turn on authorization for CORBA objects, specify the appropriate security policy in the server’s security configuration file, domain-dir/config/server.policy.

    By default, all users are allowed to access all non-EJB CORBA objects in the server, as specified by the following default grant block:

    grant {
       permission com.sun.enterprise.security.CORBAObjectPermission "*", "*";
    }

    CORBAObjectPermission is a special Java Permission class that controls which users are allowed to access non-EJB CORBA objects in the server. CORBAObjectPermission takes two parameters:

    • A CORBA object name.

      In the Application Server, only the name “*” is supported, that is, it is not possible to specify a specific CORBA object name.

    • A comma-separated list of method names.

      In the Application Server, only “*” is supported, that is, it is not possible to specify a specific method name.

    To restrict access, replace the unconditional grant with grant blocks that name a principal. Grants in a policy file are cumulative, so an unconditional grant left in place authorizes every user regardless of any principal-qualified grants that follow it. The general form of a CORBAObjectPermission grant block is:

    grant principal principal-class-name "principal-name" { 
       permission com.sun.enterprise.security.CORBAObjectPermission "*", "*"; 
    }

    where the principal-class-name is either:

    • com.sun.enterprise.deployment.PrincipalImpl (for a single principal)

    • com.sun.enterprise.deployment.Group (for a named group of principals)

  3. Configure message protection:

    Integrity and confidentiality of IIOP messages used in requests and replies during CORBA invocations can be protected by using SSL. By default, the server supports both plain IIOP and IIOP-over-SSL invocations.

    1. To force clients to use only SSL for IIOP invocations, remove all non-SSL iiop-listener elements in the iiop-service element in domain.xml.

      This ensures that the server will not service plain IIOP invocations. By default, application clients use plain IIOP for making requests if the server supports plain IIOP.

    2. To force the client to use SSL, a change is needed in the application client configuration file sun-acc.xml (which is also located in the domain’s config directory).

      Specifically, the property ssl with value required should be added inside the <client-container> element, as follows:

      <client-container>
         <property name="ssl" value="required"/>
         <target-server .... />
      </client-container>
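The following Python script is an added example (not part of the Administration Guide or the product) that checks the three configuration changes of this procedure: it lists the CORBAObjectPermission grants in server.policy and reports whether an unconditional grant still authorizes every user, removes every non-SSL iiop-listener element from an iiop-service fragment, and adds the ssl=required property to a client-container element that lacks it. It handles only the policy grammar the guide shows (grant blocks with an optional principal clause); the three sample files are constructed, and the listener ids and attribute names are assumed to follow the default Platform Edition 9 domain.xml.

```python
"""Checks for securing CORBA objects: authorization in server.policy, SSL-only
IIOP listeners in domain.xml, and ssl=required in sun-acc.xml.

Added example; not part of the Administration Guide or the product. Only the
policy grammar the guide shows is handled, and the sample files are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed server.policy excerpt: the default open grant plus a grant an
# administrator added for group "corbausers". Policy grants are cumulative, so
# the open grant still authorizes every user and the group grant changes nothing.
SAMPLE_SERVER_POLICY = """
grant {
    permission com.sun.enterprise.security.CORBAObjectPermission "*", "*";
};

grant principal com.sun.enterprise.deployment.Group "corbausers" {
    permission com.sun.enterprise.security.CORBAObjectPermission "*", "*";
};
"""

# Constructed iiop-service excerpt using the default listener ids: one plain
# listener and two SSL listeners (the second requiring a client certificate).
SAMPLE_IIOP_SERVICE = """<iiop-service client-authentication-required="false">
  <iiop-listener id="orb-listener-1" port="3700" security-enabled="false"/>
  <iiop-listener id="SSL" port="3820" security-enabled="true">
    <ssl cert-nickname="s1as" client-auth-enabled="false" ssl3-enabled="false" tls-enabled="true"/>
  </iiop-listener>
  <iiop-listener id="SSL_MUTUALAUTH" port="3920" security-enabled="true">
    <ssl cert-nickname="s1as" client-auth-enabled="true" ssl3-enabled="false" tls-enabled="true"/>
  </iiop-listener>
</iiop-service>"""

# Constructed sun-acc.xml excerpt that does not yet require SSL.
SAMPLE_SUN_ACC = """<client-container>
  <target-server name="localhost" address="localhost" port="3700"/>
</client-container>"""

CORBA_PERM = "com.sun.enterprise.security.CORBAObjectPermission"
GRANT_RE = re.compile(r"grant\s*(?P<who>[^{]*)\{(?P<body>[^}]*)\}", re.S)
PRINCIPAL_RE = re.compile(r'principal\s+(?P<cls>\S+)\s+"(?P<name>[^"]*)"')


def corba_grants(policy_text):
    """List (principal class, principal name) for every grant block that hands
    out CORBAObjectPermission; (None, None) marks an unconditional grant."""
    found = []
    for m in GRANT_RE.finditer(policy_text):
        if CORBA_PERM not in m.group("body"):
            continue
        p = PRINCIPAL_RE.search(m.group("who"))
        found.append((p.group("cls"), p.group("name")) if p else (None, None))
    return found


def open_corba_grant_present(policy_text):
    """True if some CORBAObjectPermission grant names no principal, i.e. the
    server still lets every user reach non-EJB CORBA objects."""
    return any(cls is None for cls, _ in corba_grants(policy_text))


def drop_plain_iiop_listeners(iiop_service_xml):
    """Return (rewritten iiop-service XML, ids removed) with every listener
    whose security-enabled attribute is not "true" taken out."""
    root = ET.fromstring(iiop_service_xml)
    removed = []
    for lst in root.findall("iiop-listener"):  # findall returns a list; safe to remove
        if lst.get("security-enabled") != "true":
            root.remove(lst)
            removed.append(lst.get("id"))
    return ET.tostring(root, encoding="unicode"), removed


def acc_requires_ssl(sun_acc_xml):
    """True if client-container carries <property name="ssl" value="required"/>."""
    root = ET.fromstring(sun_acc_xml)
    return any(p.get("name") == "ssl" and p.get("value") == "required"
               for p in root.findall("property"))


def acc_require_ssl(sun_acc_xml):
    """Add the ssl=required property ahead of target-server, as the guide
    shows, unless it is already present."""
    root = ET.fromstring(sun_acc_xml)
    if not acc_requires_ssl(sun_acc_xml):
        root.insert(0, ET.Element("property", {"name": "ssl", "value": "required"}))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("open CORBA grant present:", open_corba_grant_present(SAMPLE_SERVER_POLICY))
    rewritten, gone = drop_plain_iiop_listeners(SAMPLE_IIOP_SERVICE)
    print("removed listeners:", gone)
    print(acc_require_ssl(SAMPLE_SUN_ACC))
```

The policy check is deliberately conservative: a grant with a codeBase clause but no principal is also reported as open, because it applies to every caller of that code source. After editing domain.xml or server.policy, restart the server for the change to take effect, as the authentication step above already requires.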