Sun Microsystems 820433510 Usingthe certutil Utility

Usingthe certutil Utility

Beforerunning certutil, make sure that LD_LIBRARY_PATH points to the location of the

librariesrequired for this utility to run. This location can be identied from the value of

AS_NSS_LIBin asenv.conf (product wide conguration le).

Thecerticate database tool, certutil, is an NSS command-line utility that can create and

modifythe Netscape Communicator cert8.db and key3.db database les. It can also list,

generate,modify, or delete certicates within the cert8.db le and create or change the

password,generate new public and private key pairs, display the contents of the key database, or

deletekey pairs within the key3.db le.

Thekey and certicate management process generally begins with creating keys in the key

database,then generating and managing certicates in the certicate database. The following

documentdiscusses certicate and key database management with NSS, including the syntax

forthe certutil utility:

http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.

Eachof the items in the list below gives an example using NSS and JSSE security tools to create

and/ormanage certicates.

■Generatea self-signed server and client certicate. In this example, the CN must be of the

formhostname.domain.[com|org|net|...].

Inthis example, domain-dir/config. The serverseed.txt and clientseed.txt les can

containany random text. This random text will be used for generating the key pair.

certutil -S -n $SERVER_CERT_NAME -x -t "u,u,u"

-s "CN=$HOSTNAME.$HOSTDOMAIN, OU=Java Software, O=Sun Microsystems Inc.,

L=Santa Clara, ST=CA, C=US"

-m 25001 -o $CERT_DB_DIR/Server.crt

-d $CERT_DB_DIR -f passfile <$CERT_UTIL_DIR/serverseed.txt

Generatethe client certicate. This certicate is also a self-signed certicate.

certutil -S -n $CLIENT_CERT_NAME -x -t "u,u,u"

-s "CN=MyClient, OU=Java Software, O=Sun Microsystems Inc.,

L=Santa Clara, ST=CA, C=US"

-m 25002 -o $CERT_DB_DIR/Client.crt

-d $CERT_DB_DIR -f passfile <$CERT_UTIL_DIR/clientseed.txt

■Verifythe certicates generated in the previous bullet.

certutil -V -u V -n $SERVER_CERT_NAME -d $CERT_DB_DIR

certutil -V -u C -n $CLIENT_CERT_NAME -d $CERT_DB_DIR

■Displayavailable certicates.

certutil -L -d $CERT_DB_DIR

UsingNetworkSecurit y Services (NSS)Tools

Chapter9 • Conguring Security 117

Contents

Main Page Contents Page Page Page Page Page Page Page Page Page Page Page Tables Page Examples Page Preface Sun GlassFishEnterprise S erver DocumentationS et Default Pathsand File Names Thefollowing table describes the default paths and le names that are used in this book. TypographicConventions Thefollowing table describes the typographic changes that are used in this book. SymbolConventions Thefollowing table explains symbols that might be used in this book. Documentation, Support, andTraining Third-PartyWeb Site References SunWelcomes Your Comments Enterprise Server Overview Enterprise Server Overview and Concepts EnterpriseS erver Overview Toolsfor Administration AdminConsole Command-lineInterface (asadmin Utility) JConsole Enterprise Server Concepts Domain Domain AdministrationSer ver(DAS) UsageProles Cluster Node Agent Server Instance Portsin the Enterprise Server Basic Enterprise Server Commands Creatinga Domain Deleting a Domain Listing Domains Starting the Domain Page Starting a Cluster Stoppinga Cluster Creatinga Node Agent Starting a Node Agent Stoppinga Node Agent Starting an Instance Stoppingan Instance Restarting an Instance Recreatingthe Domain Administration Server Tomigrate the DAS Page Page Java Business Integration JBI Environment JBI Components ServiceEngines BindingComponents JBIComponent Loggers Service Assemblies SharedLibraries JBI Descriptors JDBC Resources JDBC Resources JDBC Connection Pools How JDBC Resourcesand Connection Pools Work Together Setting Up Database Access Workingwith JDBC Connection Pools Creatinga JDBC Connection Pool Creatinga JDBC Connection Pool and JDBC Resource Using the Admin Console Creatinga JDBC Connection Pool and JDBC Resource Using the CLI Editing a JDBC Connection Pool Page Editing JDBC Connection PoolAdvanced Attributes Page Congurationsfor Specic JDBC Drivers JavaDB Type 4 Driver Sun GlassFishJDBC Driver for DB2 Databases Sun GlassFishJDBC Driver for Oracle 8.1.7 and 9.x Sun GlassFishJDBC Driver for Microsoft SQL Server Sun GlassFishJDBC Driver for Sybase Databases IBM DB2 8.1Type 2 Driver JConnectType 4 Driver for Sybase ASE 12.5 Databases MySQLType 4 Driver Inet OraxoJDBC Driver for Oracle 8.1.7 and 9.x Inet Merlia JDBC Driverfor Microsoft SQL Ser ver Inet SybeluxJDBC Driver for Sybase Databases OracleThin Type 4 Driver for Oracle 8.1.7 and 9.x OCI OracleType 2 Driver for Oracle 8.1.7 and 9.x IBM InformixType 4 Driver CloudScape 5.1Type 4 Driver Page Conguring Java Message Service Resources JMS Resources The RelationshipBetween JMS Resources and Connector Resources JMS Connection Factories JMS Destination Resources JMS PhysicalDestinations ConguringJMS Provider Properties AccessingRemote Servers ForeignJMS Providers Conguringthe Generic Resource Adapter for JMS Conguringthe Generic Resource Adapter ResourceAdapter Properties Page Page ManagedConnectionFactory Properties AdministeredObject Resource Properties ActivationSpec Properties Page Page Conguring JavaMail Resources Creatinga JavaMail Session Page JNDI Resources JavaEE Naming S ervices Naming Referencesand Binding Information UsingCustom Resources UsingEx ternal JNDI Repositoriesand Resources Page Connector Resources An Overview of Connectors Managing Connector Connection Pools ToCreate a Connector Connection Pool ToEdit a Connector Connection Pool ClickSave. ClickLoad Defaults if you want to restorethe default values of all the settings. Usingthe asadmin commands to change connection pool properties. ToEdit Connector Connection Pool Advanced Attributes Usingthe asadmin commands to change connection pool properties. ToEdit Connection Pool Properties Managing Security Maps Tocreate security maps for connector connection pools ToEdit Security Maps for Connector Connection Pools ToDelete a Connector Connection Pool ToSet Up EIS Access Managing Connector Resources ToCreate a Connector Resource ToEdit a Connector Resource ToDelete a Connector Resource ToCongure the Connector Service Managing AdministeredObjec t Resources ToCreate an Administered Object Resource ToEdit an Administered Object Resource ToDelete an Administered Object Resource Web and EJB Containers The SIP Servlet Container Editing the Properties of the SIP Container EditingSIP Container General Attributes EditingSIP Container Session Properties EditingSIP Container Session Manager Properties TheWeb Container The EJB Container Page Conguring Security Understanding Application and SystemSecurity Toolsfor Managing Security Managing Security of Passwords Encrypting a Passwordin the domain.xml File Protecting Fileswith Encoded Passwords Changing the MasterPassword Workingwith the Master Password and Keystores Changing the AdminPassword About Authentication and Authorization AuthenticatingEntities VerifyingSingle Sign-On AuthorizingUsers Specifying JACCProviders AuditingAuthentication and Authorization Decisions ConguringMessage Security Understanding Users,Groups, Roles, and Realms Users Groups Roles Realms ToCongure a JDBC Realm for aWeb, EJB Application Introduction to Certicates and SSL About Digital Certicates AboutCerticate Chains About Secure SocketsLayer AboutCiphers UsingName-based Virtual Hosts About Firewalls About Certicate Files Changing the Locationof Cer ticateFiles Using JavaSecure Socket Extension (JSSE) Tools Usingthe keytool Utility Page Generatinga Certicate Using the keytool Utility Signing a Digital Certicate Usingthe keytool Utility Deleting a Certicate Usingthe keytool Utility UsingNetwork Security Ser vices (NSS)Tools Usingthe certutil Utility Importing and Exporting Certicates Using the pk12util Utility Addingand Deleting PKCS11 Modules using modutil Using HardwareCrypto Accelerator With Enterprise Server About ConguringHardware Crypto Accelerators ConguringPKCS#11 Tokens Managing KeysAnd Certicates ListingKeys and Certicates WorkingWith PrivateKeys and Certicates ConguringJ2SE 5.0 PKCS#11 Providers Page Page Conguring Message Security Overview of Message Security Understanding Message Security in the Enterprise Server Assigning Message Security Responsibilities SystemAdministrator ApplicationDeployer ApplicationDeveloper About SecurityTokens and Security Mechanisms AboutUsername Tokens AboutDigital Signatures AboutEncryption AboutMessage Protection Policies Glossary of Message SecurityTerminology Securing aWeb Service ConguringApplication-Specic Web Services Security Securing the Sample Application Conguringthe Enterprise Ser ver forMessage Security Actions of Request and Response Policy Congurations ConguringO ther Security Facilities AfterYouFinish Conguringa JCE Provider Page Message Security Setup Enabling Providersfor Message Security Conguringthe Message Security Provider Creatinga Message Security Provider Enabling Message Security for Application Clients Setting the Request and Response Policy forthe Application Client Conguration Further Information Conguring the Diagnostic Service Whatis the Diagnostic Framework? Diagnostic Service Framework Generatinga Diagnostic Repor t Transactions AboutTransactions Whatis a Transaction? Transactionsin Java EE Technology Workaroundsfor Specic Databases AdminConsole Tasks for Transactions ConguringTransactions Tocongure how the Enterprise Server recoversfrom transactions Toset a transaction timeout value Toset the location of the transaction logs Toset the keypoint interval Conguring the HTTP Service Virtual Servers HTTP Listeners Page Page Managing Web Services Overview ofWeb Services WebServices Standards JavaEE Web Service Standards Deploying andTesting WebSer vices DeployingWeb Services ViewingDeployed Web Services TestingWeb Services WebServices Security UsingWeb Services Registries Addinga Registr y Publishinga Web Service to a Registry TransformingMessages with XSLT Filters MonitoringWeb Services ViewingWeb Service Statistics MonitoringWeb Service Messages Page Conguring the Object Request Broker An Overview of the Object Request Broker CORBA Whatis the ORB? IIOP Listeners Conguringthe ORB Managing IIOP Listeners Thread Pools Workingwith Thread Pools Conguring Logging About Logging LogRecords TheLogger Namespace Hierarchy Page ConguringLogging ConguringGeneral Logging Settings ConguringLog Levels ViewingSer verLogs Page Monitoring Components and Services About Monitoring Monitoringin the Enterprise Se rver Overview of Monitoring About theTree Structure of Monitorable Objects TheApplications Tree TheHTTP Service Tree TheResources Tree TheConnector Service Tree TheJMS Service Tree TheORB Tree TheThread Pool Tree About Statisticsfor Monitored Components and Services EJBContainer Statistics Thestatistics for EJB Session Stores are listed in the following table. Thestatistics available for EJB pools are listed in the following table. Thestatistics available for EJB caches are listed in the following table. Thestatistics available for Timers are listed in the following table. WebContainer Statistics Statisticsavailable for web modules are shown in Web Container Statistics on page 180. HTTPSer viceStatistics JDBCConnection Pools Statistics Thestatistics available for the JDBC connection pool are shown in the following table. JMS/ConnectorService Statistics Statisticsavailable for Connector Work Management are listed in the following table. Statisticsfor Connection Managers in an ORB Thestatistics available for the connection manager in an ORB are listed in the following table. ThreadPools Statistics Thestatistics available for the thread pool are shown in the following table. TransactionService Statistics JavaVirtual Machine (JVM) Statistics JVMStatistics in Java SE Thestatistics available for compilation in the JVM in Java SE are shown in the following table. Thestatistics available for memory in the JVM in Java SE are shown in the following table. Thestatistics available for the runtime in the JVM in Java SE are shown in the following table. Thestatistics available for ThreadInfo in the JVM in Java SE are shown in the following table. Thestatistics available for threads in the JVM in Java SE are shown in the following table. Enabling and Disabling Monitoring Thissection contains the following topics: ConguringMonitoring Levels Using the Admin Console ToCongure Monitoring Levels Using asadmin ViewingMonitoring Data ViewingMonitoring Data in the Admin Console ViewingMonitoring Data With the asadmin Tool ToUse the asadmin monitor Command toView Monitoring Data ToUse the asadmin get and list Commands toView Monitoring Data Understandingand Specifying Dotted Names Examplesof the list and get Commands Examplesfor the list --user admin-user --monitor Command Example1 Example2 Examplesfor the get --user admin-user --monitor Command Example1 Example2 Example3 Example4 ToUse the PetStoreExample Page Page Toalsoget a specic statistic, such as execution time, use a command such as the following: ExpectedOutput for list and get Commands at All Levels applicationslevel. Page Page HTTPService level. threadpools level. resourceslevel. transactionservice level. Thefollowing table shows the command, dotted name, and corresponding output for the ORB level. UsingJConsole Securing JConsoleto Application Ser verConnec tion Prerequisitesfor Connecting JConsole to Application Server Connecting JConsoleto Application Ser ver Connecting JConsoleSecurely to Application Ser ver Page Page Conguring Management Rules About Management Rules ConguringManagement Rules Page Page JavaVirtual Machine and Advanced Settings Tuningthe JVM Settings ConguringAdvanced Settings A Automatically Restarting a Domain or Node Agent Restarting Automatically on Solaris 10 Page Restarting Automatically Using inittab on Solaris 9 and Linux Platforms Restarting Automatically on the MicrosoftWindows Platform Creatinga Windows Service Page Preventingthe Service From Shutting Down When a UserLogs Out Security for AutomaticRestar ts Page B Dotted Name Attributes for domain.xml TopLevel Elements Page Elements Not Aliased Page C The asadmin Utility The asadmin Utility Page CommonOptions for Remote Commands The Multimode Command The Get,S et,and List Commands Server Lifecycle Commands List and Status Commands Thelist and status commands display the status of a deployed component. Deployment Commands Thedeployment commands deploy an application or get the client stubs. VersionCommands Message Queue AdministrationCommands TheMessage Queue administration commands allow you to manage the JMS destinations. ResourceManagement Commands Theresource commands allow you to manage the various resources used in your application. Page CongurationCommands HTTP and IIOP Listener Commands Lifecycleand Audit Module Commands Prolerand SSL Commands JVM Options andVirtual Server Commands TheJVM options and Virtual Server commands allow you to control these elements. These Threadpooland Auth-Realm Commands Thethreadpool and auth-realm commands allow you to control these elements. These Transactionand Timer Commands Registry Commands Theregistry commands allow you to publish or unpublish webservice artifacts. User Management Commands Rules and Monitoring Commands Rulesand monitoring commands allow you to manage rules and monitor the server. These Database Commands Diagnostic and Logging Commands WebSer viceCommands Theweb service commands allow you to monitor a deployed web service and manage transformationrules. Security Service Commands PasswordCommands Thepassword commands allow you to manage passwords and ensure security for the applicationserver. VerifyCommand TheXML verier command veries the content of the domain.xml le. CustomMBean Commands Service Command Theservice command allows you to congure the starting of the Domain Administration Server(DAS). Property Command Index A B C D F G H I J M N O P Q T V