Name | Synopsis | Description | Options | Optional Attributes | Operands | Examples | Exit Status | See Also
create-message-security-provider [--terse={true|false}] [--echo={true|false}] [--interactive={true|false}] [--host host] [--port port] [--secure|-s] [--user admin_user] [--passwordfile filename] [--help] [--target target] --classname provider_class [--layer message_layer] [--providertype provider_type] [--requestauthsource request_auth_source] [--requestauthrecipient request_auth_recipient] [--responseauthsource response_auth_source] [--responseauthrecipient response_auth_recipient] [--isdefaultprovider] [--property name=value[:name=value]*] provider_name
Enables the administrator to create the message-security-config and provider-config sub-elements for the security service in domain.xml (the file that specifies parameters and properties of a domain to the Enterprise Server). The options specified in the list below apply to attributes within the message-security-config and provider-config sub-elements of the domain.xml file.
If no message-security-config element exists for the specified message layer, this command creates it, and then creates the provider-config element under it.
This command is supported in remote mode only.
If an option has a short option name, then the short option precedes the long option name. Short options have one dash whereas long options have two dashes.
--terse
    Indicates that any output data must be very concise, typically avoiding human-friendly sentences and favoring well-formatted data for consumption by a script. Default is false.
--echo
    If set to true, echoes the command line statement on the standard output. Default is false.
--interactive
    If set to true (default), only the required password options are prompted.
--host
    The machine name where the domain administration server is running. The default value is localhost.
--port
    The HTTP/S port for administration. This is the port to which you should point your browser in order to manage the domain, for example http://localhost:4848. The default port number is 4848.
--secure
    If set to true, uses SSL/TLS to communicate with the domain administration server.
--user
    The authorized domain administration server administrative username. If you have authenticated to a domain using the asadmin login command, you need not specify the --user option on subsequent operations to this particular domain.
--passwordfile
    Specifies the name, including the full path, of a file containing the password entries in a specific format. Each entry must have the AS_ADMIN_ prefix followed by the password name in uppercase letters. For example, to specify the domain administration server password, use an entry of the form AS_ADMIN_PASSWORD=password, where password is the actual administrator password. Other passwords that can be specified include AS_ADMIN_MAPPEDPASSWORD, AS_ADMIN_USERPASSWORD, and AS_ADMIN_ALIASPASSWORD.
    All remote commands must specify the admin password to authenticate to the domain administration server, either through --passwordfile, through asadmin login, or interactively at the command prompt. The asadmin login command can be used only to specify the admin password. Other passwords that a remote command requires must be supplied through --passwordfile or entered at the command prompt.
    If you have authenticated to a domain using the asadmin login command, you need not specify the admin password through the --passwordfile option on subsequent operations to this particular domain. This applies only to AS_ADMIN_PASSWORD; you must still provide the other passwords, for example AS_ADMIN_USERPASSWORD, as and when required by individual commands such as update-file-user.
    For security reasons, passwords specified as an environment variable will not be read by asadmin. The password file holds these credentials in cleartext, so it should be readable only by the user who runs asadmin.
    The default value for AS_ADMIN_MASTERPASSWORD is changeit.
--help
    Displays the help text for the command.
--target
    This option is valid only in domains that are configured to support clusters, such as domains created with the cluster profile or the enterprise profile. Specifies the target on which you are creating the message security provider. The following values are valid:
    server - Specifies the default server instance as the target. server is the name of the default server instance and is the default value.
    domain - Specifies a certain domain as the target.
    cluster_name - Specifies a certain cluster as the target.
    instance_name - Specifies a certain server instance as the target.
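The --passwordfile format described above, as an added example that is not part of the asadmin documentation: a POSIX shell helper that writes a password file with the AS_ADMIN_ entry format and owner-only permissions, and a check that rejects a file with malformed entries or with group/world read access before it is handed to asadmin. The function names (write_passwordfile, check_passwordfile, passwordfile_names) and the sample password values are constructed for this example; asadmin itself is not invoked.

```shell
#!/bin/sh
# Added example (not from the asadmin man page). Helpers for the --passwordfile
# mechanism: write the file with 0600 permissions and validate it before use.
# Function names and sample values are hypothetical.

# write_passwordfile FILE NAME VALUE [NAME VALUE]...
# NAME is the password name without the AS_ADMIN_ prefix (PASSWORD, USERPASSWORD,
# MAPPEDPASSWORD, ALIASPASSWORD, ...); it is upper-cased to match the documented format.
write_passwordfile() {
    file=$1; shift
    saved_umask=$(umask)
    umask 077                       # file is created readable/writable by the owner only
    : > "$file" || return 1
    while [ $# -ge 2 ]; do
        name=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
        printf 'AS_ADMIN_%s=%s\n' "$name" "$2" >> "$file"
        shift 2
    done
    umask "$saved_umask"
}

# check_passwordfile FILE
# Returns 0 only if every non-blank line is AS_ADMIN_<UPPERCASE>=<value> and the
# file is not readable by group or others (cleartext credentials live in it).
check_passwordfile() {
    file=$1
    [ -f "$file" ] || { printf 'no such file: %s\n' "$file" >&2; return 1; }
    if grep -v -E '^[[:space:]]*$' "$file" | grep -v -E '^AS_ADMIN_[A-Z]+=' >/dev/null; then
        printf 'malformed entry in %s (want AS_ADMIN_NAME=value)\n' "$file" >&2
        return 1
    fi
    if [ -n "$(find "$file" \( -perm -040 -o -perm -004 \) -print)" ]; then
        printf '%s is readable by group or others; chmod 600 it\n' "$file" >&2
        return 1
    fi
    return 0
}

# passwordfile_names FILE: prints the password names the file provides (one per line),
# handy to confirm that e.g. USERPASSWORD is present before running update-file-user.
passwordfile_names() {
    sed -n 's/^AS_ADMIN_\([A-Z]*\)=.*/\1/p' "$1"
}

# Typical use (asadmin is not run by this example):
#   write_passwordfile /tmp/pw PASSWORD 'adminadmin'
#   check_passwordfile /tmp/pw && asadmin --user admin --passwordfile /tmp/pw list-domains
```

The permission check matters because asadmin deliberately refuses passwords from the environment; the file is the sanctioned channel, so it must not be world-readable on a shared host.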
The following optional attribute name/value pairs are available:
--classname
    Defines the Java implementation class of the provider. Client authentication providers must implement the com.sun.enterprise.security.jauth.ClientAuthModule interface. Server-side providers must implement the com.sun.enterprise.security.jauth.ServerAuthModule interface. A provider may implement both interfaces, but it must implement the interface corresponding to its provider type.
--layer
    The message layer used as the value of the auth-layer attribute of the message-security-config element. The default is SOAP.
--providertype
    Establishes whether the provider is to be used as a client authentication provider, a server authentication provider, or both. Valid values are client, server, or client-server. The default value is client-server.
--requestauthsource
    Sets the auth-source attribute for request messages, which defines a requirement for message-layer sender authentication (e.g. username/password) or content authentication (e.g. digital signature). Possible values are sender or content. When this option is not specified, source authentication of the request is not required.
--requestauthrecipient
    Sets the auth-recipient attribute for request messages, which defines a requirement for message-layer authentication of the receiver of the request to its sender (e.g. by XML encryption). Possible values are before-content or after-content. The default value is after-content.
--responseauthsource
    Sets the auth-source attribute for response messages, which defines a requirement for message-layer sender authentication (e.g. username/password) or content authentication (e.g. digital signature). Possible values are sender or content. When this option is not specified, source authentication of the response is not required.
--responseauthrecipient
    Sets the auth-recipient attribute for response messages, which defines a requirement for message-layer authentication of the receiver of the response to its sender (e.g. by XML encryption). Possible values are before-content or after-content. The default value is after-content.
--isdefaultprovider
    Sets the default-provider attribute, designating the provider as the default provider (at the layer) of the type or types identified by the --providertype option. There is no default associated with this option.
--property
    Passes provider-specific property values, in the form name=value[:name=value]*, to the provider when it is initialized. Properties passed in this way might include key aliases to be used by the provider to get keys from keystores, and the signing, canonicalization and encryption algorithms to use.
provider_name
    The name of the message security provider to create.
The following example shows how to create a message security provider for a client.
asadmin> create-message-security-provider --user admin --passwordfile pwd_file --classname com.sun.enterprise.security.jauth.ClientAuthModule --providertype client mySecurityProvider
In practice, --classname names the concrete class that implements the ClientAuthModule interface for your provider; the interface name appears above only as a placeholder.
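As an added example, not from the asadmin documentation: a POSIX shell wrapper that validates the values handed to create-message-security-provider against the enumerations documented above (client/server/client-server, sender/content, before-content/after-content, the name=value[:name=value]* property syntax, and the required --classname) and prints the command line it would run, so a misspelt value is caught locally instead of by the domain administration server. The function names, the sample implementation class com.example.MyServerAuthModule and the key alias values are hypothetical.

```shell
#!/bin/sh
# Added example (not from the asadmin man page). Validates create-message-security-provider
# arguments against the documented value sets and prints the resulting command line.
# Pipe the output into asadmin, or replace the final printf with a real invocation.

# in_set VALUE ALLOWED...  -> 0 if VALUE is exactly one of ALLOWED
in_set() {
    v=$1; shift
    for a in "$@"; do
        [ "$v" = "$a" ] && return 0
    done
    printf "invalid value '%s' (expected one of: %s)\n" "$v" "$*" >&2
    return 1
}

# check_property_list "name=value[:name=value]*" -> 0 if every item is name=value
check_property_list() {
    rest=$1
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        case $rest in
            *:*) item=${rest%%:*}; rest=${rest#*:} ;;
            *)   item=$rest;       rest='' ;;
        esac
        case $item in
            ?*=?*) ;;
            *) printf "bad --property item '%s' (want name=value)\n" "$item" >&2; return 1 ;;
        esac
    done
    return 0
}

# build_create_provider_cmd [OPTION [VALUE]]... PROVIDER_NAME
# Prints the validated asadmin command line, or returns 1 with the reason on stderr.
build_create_provider_cmd() {
    classname=''
    out='create-message-security-provider'
    while [ $# -gt 1 ]; do
        case $1 in
            --isdefaultprovider|--secure|-s|--help|--terse=*|--echo=*|--interactive=*)
                out="$out $1"; shift; continue ;;          # options that take no separate value
            --classname)      classname=$2 ;;
            --providertype)   in_set "$2" client server client-server || return 1 ;;
            --requestauthsource|--responseauthsource)
                              in_set "$2" sender content || return 1 ;;
            --requestauthrecipient|--responseauthrecipient)
                              in_set "$2" before-content after-content || return 1 ;;
            --property)       check_property_list "$2" || return 1 ;;
            --layer|--target|--host|--port|--user|--passwordfile) ;;   # free-form, passed through
            *) printf "unknown option '%s'\n" "$1" >&2; return 1 ;;
        esac
        out="$out $1 $2"; shift 2
    done
    [ $# -eq 1 ] || { echo 'missing provider_name operand' >&2; return 1; }
    [ -n "$classname" ] || { echo '--classname is required' >&2; return 1; }
    printf '%s %s\n' "$out" "$1"
}

# Example (hypothetical class and alias values; nothing is sent to a server):
#   build_create_provider_cmd --classname com.example.MyServerAuthModule --providertype server \
#       --requestauthsource sender --property 'signature.key.alias=s1as' myProvider
```

The wrapper only checks what the man page specifies; it cannot tell whether the class named by --classname actually implements the ServerAuthModule or ClientAuthModule interface required for its provider type, which is only discovered when the provider is initialized.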