Table 7–1 summarizes the options that need to be configured for each of the security mechanisms. Each of the columns is briefly discussed after the table.
Table 7–1 Summary of Service-Side Configuration Requirements

| Mechanism | Keystore | Truststore | STS | SSL | User in GlassFish |
|---|---|---|---|---|---|
| Username Authentication with Symmetric Keys | X | X | | | |
| Mutual Certificates | X | X (no alias) | | | |
| Transport Security | | | | X | X |
| Message Authentication over SSL - Username Token | | | | X | X |
| Message Authentication over SSL - X.509 Token | | X (no alias) | | X | |
| SAML Authorization over SSL | X | X (no alias) | | X | |
| Endorsing Certificate | X | X | | | |
| SAML Sender Vouches with Certificate | X | X (no alias) | | | |
| SAML Holder of Key | X | X (no alias) | | | |
| STS Issued Token | X | X | X | | |
| STS Issued Token with Service Cert. | X | X | X | | |
| STS Issued Endorsing Token | X | X | X | | |
Keystore: If this column has an X, click the Keystore button and configure the keystore to specify the alias identifying the service certificate and private key. For the GlassFish keystores, the file is keystore.jks and the alias is xws-security-server, assuming that you’ve updated the GlassFish default certificate stores as described in To Update GlassFish Certificates.
Truststore: If this column has an X, click the Truststore button and configure the truststore to specify the alias that contains the certificate and trusted roots of the client. For the GlassFish keystores, the file is cacerts.jks and the alias is xws-security-client, assuming that you’ve updated the GlassFish default certificate stores as described in To Update GlassFish Certificates.
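Before pointing the service configuration at the keystore and truststore aliases described above, it is worth confirming that the stores actually contain them and that each alias holds the right kind of entry: the keystore alias must be a private-key entry (`PrivateKeyEntry`), and the truststore alias a trusted-certificate entry (`trustedCertEntry`). The script below is an added example, not part of the Metro/WSIT documentation or of GlassFish; it parses the output of `keytool -list` and, when `keytool` and the store files are present, runs the check against `keystore.jks` and `cacerts.jks`. The `GLASSFISH_DOMAIN_CONFIG` and `STOREPASS` variables, the fallback directory and the constructed sample listing are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the Metro/WSIT docs): verify that the GlassFish
# keystore and truststore hold the aliases the service configuration will
# reference, and that each alias is the expected entry type.

# Assumed locations; point GLASSFISH_DOMAIN_CONFIG at your domain's config dir.
STORE_DIR="${GLASSFISH_DOMAIN_CONFIG:-/tmp}"
KEYSTORE="$STORE_DIR/keystore.jks"
TRUSTSTORE="$STORE_DIR/cacerts.jks"
STOREPASS="${STOREPASS:-changeit}"   # assumed: GlassFish's default store password

# entry_type LISTING ALIAS
# Prints the entry type (PrivateKeyEntry, trustedCertEntry or SecretKeyEntry)
# of ALIAS in a `keytool -list` LISTING, or nothing when the alias is absent.
# keytool lowercases JKS aliases, so the comparison is case-insensitive, and the
# alias is matched only at the start of a line followed by a comma, so that
# "xws" does not match "xws-security-server".
entry_type() {
    printf '%s\n' "$1" | awk -v alias="$2" '
        index(tolower($0), tolower(alias) ",") == 1 {
            if ($0 ~ /PrivateKeyEntry/)      print "PrivateKeyEntry";
            else if ($0 ~ /trustedCertEntry/) print "trustedCertEntry";
            else if ($0 ~ /SecretKeyEntry/)   print "SecretKeyEntry";
            exit
        }'
}

# check_store FILE ALIAS EXPECTED_TYPE
# Returns 0 when keytool finds ALIAS in FILE with EXPECTED_TYPE, 1 when the
# alias is missing or of another type, 2 when the store cannot be opened.
check_store() {
    listing=$(keytool -list -keystore "$1" -storepass "$STOREPASS" 2>/dev/null) || return 2
    [ "$(entry_type "$listing" "$2")" = "$3" ]
}

# Constructed sample of `keytool -list` output, used to demonstrate the parser
# offline; the fingerprints are placeholders, not real values.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

xws-security-server, Jan 1, 2010, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77
xws-security-client, Jan 1, 2010, trustedCertEntry,
Certificate fingerprint (SHA-256): 88:99:AA:BB:CC:DD:EE:FF'

echo "sample keystore alias type:   $(entry_type "$SAMPLE_LISTING" xws-security-server)"
echo "sample truststore alias type: $(entry_type "$SAMPLE_LISTING" xws-security-client)"

# Run the real check only when keytool and both store files are available.
if command -v keytool >/dev/null 2>&1 && [ -f "$KEYSTORE" ] && [ -f "$TRUSTSTORE" ]; then
    if check_store "$KEYSTORE" xws-security-server PrivateKeyEntry; then
        echo "keystore.jks: alias xws-security-server is a PrivateKeyEntry (OK)"
    else
        echo "keystore.jks: alias xws-security-server missing or not a private-key entry"
    fi
    if check_store "$TRUSTSTORE" xws-security-client trustedCertEntry; then
        echo "cacerts.jks: alias xws-security-client is a trustedCertEntry (OK)"
    else
        echo "cacerts.jks: alias xws-security-client missing or not a trusted-cert entry"
    fi
else
    echo "keytool or store files not found under $STORE_DIR; skipping live check"
fi
```

For the rows marked "X (no alias)" the truststore is configured without a peer alias, so only the first half of the check (the store opens with the configured password) applies; the private-key check on the keystore alias is still the one that catches the common mistake of pointing the service at a store that holds only a certificate.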
STS: If this column has an X, you must have a Security Token Service that can be referenced by the service. An example of an STS can be found in the section To Create and Secure the STS (STS). The STS is secured using a separate (non-STS) security mechanism. The security configuration for the client-side of this application is dependent upon the security mechanism selected for the STS, and not on the security mechanism selected for the application.
SSL: To use a mechanism that uses secure transport (SSL), you must configure the system to point to the client and server keystore and truststore files. Steps for doing this are described in Configuring SSL For Your Applications.
User in GlassFish: To use a mechanism that requires a user database for authentication, you can add a user to the file realm of GlassFish. Instructions for doing this can be found at Adding Users to GlassFish.