Sun ONE Application Server 7 Administrator's Guide to Security
816-7158-10
Updated: October 15, 2002



Contents

About This Guide

Who Should Use This Book
Using the Documentation
How This Guide Is Organized
Documentation Conventions
General Conventions
Conventions Referring to Directories
Product Support

Introducing Sun ONE Application Server Security

Application Server Security
Certificate Administration
SSL/TLS Encryption
Authentication
Auditing
HTTP Server Security Features
HTTP Server User-Group Authentication
HTTP Server Host-IP Authentication
HTTP Server SSL Client Authentication
HTTP Server Access Control
Netscape API (NSAPI)
J2EE Application Security Features
Declarative Security
Programmatic Security
User Authentication
Realm Administration
Single Sign-On
Resource Authentication
Pluggable Authentication
Good Practices
Files Associated With Server Security
The init.conf File
The dbswitch.conf File
The server.xml File
The obj.conf File
The password.conf File
The certmap.conf File
ACL Files
The htaccess Files
Keyfile
The server.policy File

General Security Measures

About General Security
Limiting Physical Access
Using Firewalls
Single Firewall
Double Firewall - DMZ Configuration
Triple Firewall - DMZ With Database Protection
Limiting Administration Access
Managing Passwords
Creating Hard-to-Crack Passwords
Managing the Superuser Password
Changing Passwords or PINs
Using the password.conf File
Limiting Other Applications on the Server
Securing Against an Unprotected Server

Administering Certificates

About Certificates and Authentication
Implementing the Trust Database
Creating a Trust Database
Changing a Trust Database Password
Implementing a Certificate
Required CA Information
Requesting a Certificate
Installing a Certificate
Using the Built-in Root Certificate Module
Managing Certificates
Managing CRLs and CKLs
Installing a CRL or CKL
Deleting a CRL or CKL

Administering SSL/TLS Encryption

About Encryption
SSL and TLS Protocols
Public and Private Keys
Task Sequence
Enabling SSL Communication with LDAP
Turning Security On
Turning Security On When Creating an HTTP Listener
Turning Security On When Editing an HTTP Listener
Enabling SSL and TLS
Configuring Security Globally
SSL Configuration File Directives
SSLCacheEntries
SSLClientAuthDataLimit
SSLClientAuthTimeout
SSLSessionTimeout
SSL3SessionTimeout
Setting Values for SSL Directives
Using External Encryption Modules
Installing the PKCS11Module
Starting the Server with an External Certificate
Enabling FIPS-140 Standard
Setting Strong Ciphers
Preventing Clients from Caching SSL Files

Administering HTTP Server Access Control

About HTTP Server Access Control
HTTP Server User-Group Authentication
Basic Authentication
SSL Authentication
Digest Authentication
Host-IP Authentication
Access Control List (ACL) Files
Client Authentication
Implementing Digest Authentication
Installing the Digest Authentication Plug-in
Digest Authentication on UNIX
Digest Authentication on Windows
Setting the Sun ONE Directory Server to Use the DES Algorithm
Implementing Host-IP Authentication
Working With ACL Files
ACL File Syntax
Type Statement
Authentication Statement
Authorization Statement
Hierarchy of Authorization Statements
Attribute Expressions
Operators
Sample ACL File
Writing Customized ACL Expressions
Setting Up Client Authentication
Setting Client Authentication for the Admin Server
Setting Client Authentication for a Server Instance
Working with the certmap.conf File
Default Properties
Creating Custom Properties
Sample Mappings
ACL/ACE Settings
Setting to Allow or Deny
Setting for User-Group Authentication
Specifying the From Host
Setting Access Rights
Referencing ACL Files in the obj.conf File
Configuring the ACL User Cache
ACLCacheLifetime
ACLUserCacheSize
ACLGroupCacheSize
Setting Access Control for a Server Instance
Restricting Access to Areas of Your Server
Restricting Access to the Entire Server
Restricting Access to a Directory (Path)
Restricting Access to a URI (Path)
Restricting Access to a File Type
Restricting Access Based on Time of Day
Restricting Access Based on Security
Turning Off Access Control
Responding When Access is Denied
Controlling Access for Virtual Servers
Accessing Databases from Virtual Servers
Using the dbswitch.conf File
Creating a New Authentication Database
Specifying Databases in the User Interface
Editing Access Control Lists for Virtual Servers
Using htaccess Files
Enabling htaccess from the User Interface
Enabling htaccess from init.conf
Using htaccess-register
Supported htaccess Directives

Index


Copyright 2002 Sun Microsystems, Inc. All rights reserved.