Sun Microsystems 820433510 manual

Using Hardware Crypto Accelerator With Enterprise Server

To create a custom configuration file:

1.Create a configuration file calledas-install/mypkcs11.cfg with the following code and save the file.

name=HW1000

library=/opt/SUNWconn/crypto/lib/libpkcs11.so

slotListIndex=0 disabledMechanisms = { CKM_RSA_PKCS CKM_RSA_PKCS_KEY_PAIR_GEN

}

omitInitialize=true

2.Update the NSS database, if necessary. In this case, update the NSS database so that it will disable RSA.

Run the following command :

modutil -undefault "Sun Crypto Accelerator" -dbdir AS_NSS_DB -mechanisms RSA

The name of the algorithm on the mechanisms list differs from the one in the default configuration. For a list of valid mechanisms in NSS, see the modutil documentation on the NSS Security Tools site at http://www.mozilla.org/projects/security/pki/nss/tools.

3.Update the server with this change by adding a property in the appropriate location, as follows:

<property name="mytoken" value="&InstallDir;/mypkcs11.cfg"/>

The location for the property could be one of the following:

■If the provider is for a DAS or server instance, add the property under the associated <security-service>.

■If the provider is for a node agent, add the property under the associated <node-agent> element in the domain.xml file.

4.Restart the Enterprise Server.

The customized configurations will be in effect after the restart.

Chapter 9 • Configuring Security

125

Image 125

Sun Microsystems 820433510 manual Name=HW1000 Library=/opt/SUNWconn/crypto/lib/libpkcs11.so

Contents

Sun Microsystems, Inc Network Circle Santa Clara, CA Sun GlassFish Enterprise Server 2.1 Administration Guide 090122@21808 Contents Jdbc Resources Java Business Integration Configuring JMS Provider Properties Accessing Remote ServersIBM Informix Type 4 Driver CloudScape 5.1 Type 4 Driver Foreign JMS Providers Web and EJB Containers Configuring Security 127 149 141Virtual Servers 149 Http Listeners 150 153 158 What is the ORB? 162 Iiop Listeners161 163 Tuning the JVM Settings 219 About Management Rules 215 Configuring Management Rules 216215 219 Profiler and SSL Commands Asadmin Utility231 244Page Figures Page JVM Statistics for Java SE Runtime 189 Tables Server Lifecycle Commands 237 Remote Commands Required Options 234List and Status Commands 238 Deployment Commands 239 Examples Page Table P-1Books in the Enterprise Server Documentation Set PrefaceSun GlassFish Enterprise Server Documentation Set Table P-2Default Paths and File Names Default Paths and File Names Symbol Conventions Symbol ConventionsTypographic Conventions Table P-3Typographic Conventions Sun Welcomes Your Comments Documentation, Support, and TrainingThird-Party Web Site References Enterprise Server Overview and Concepts Enterprise Server OverviewEnterprise Server Overview This section contains the following topics Admin Console Tools for AdministrationFor example Http//hostnameport JConsole Command-line Interface asadmin UtilityTo list the commands available within asadmin Domain Domain Administration Server DASEnterprise Server Concepts Usage Profiles 1Features Available for Each Profile Node Agent Features Available for Each ProfileCluster 1Enterprise Server Instance Server Instance 2Enterprise Server Listeners that Use Ports Ports in the Enterprise Server Http//hostname5000 Basic Enterprise Server CommandsCreating a Domain Starting the Domain Deleting a DomainListing Domains Stopping the Default Domain on Windows Starting the Default Domain on WindowsStopping the Domain Restarting the Domain Stopping a Cluster Starting a ClusterCreating a Node Agent Starting a Node Agent Starting an Instance Stopping a Node AgentStopping an Instance Restarting an Instance To migrate the DAS Recreating the Domain Administration Server Change Page Java Business Integration Service EnginesJBI Environment JBI Components JBI Component Loggers Binding Components Service Assemblies JBI Descriptors Shared Libraries Jdbc Resources Jdbc Resources How Jdbc Resources and Connection Pools Work Together Jdbc Connection Pools Setting Up Database Access Creating a Jdbc Connection Pool Working with Jdbc Connection Pools Click OK Editing a Jdbc Connection Pool Change connection validation settings By calling the con.getAutoCommit and con.getMetaData methods Editing Jdbc Connection Pool Advanced Attributes Creation Retry Attempts is greater than Configurations for Specific Jdbc Drivers Configurations for Specific Jdbc Drivers DataSource Classname Specify one of the following Java DB Type 4 Driver DataSource Classname com.sun.sql.jdbcx.db2.DB2DataSource Sun GlassFish Jdbc Driver for DB2 Databases Sun GlassFish Jdbc Driver for Microsoft SQL Server Databases DataSource Classname com.ibm.db2.jcc.DB2SimpleDataSource IBM DB2 8.1 Type 2 DriverDeferPrepares Set to false DataSource ClassnameSpecify one of the following Com.mysql.jdbc.jdbc2.optional.MysqlDataSource MySQL Type 4 DriverInet Oraxo Jdbc Driver for Oracle 8.1.7 and 9.x Databases DataSource Classname com.inet.ora.OraDataSource Inet Merlia Jdbc Driver for Microsoft SQL Server DatabasesDataSource Classname com.inet.tds.TdsDataSource Jdbcinetoralocalhost1521payrolldb DataSource Classname com.inet.syb.SybDataSource Inet Sybelux Jdbc Driver for Sybase Databases Jdbcoracleoci@localhost1521customerdb OCI Oracle Type 2 Driver for Oracle 8.1.7 DatabasesJdbcoraclethin@localhost1521customerdb DataSource Classname com.ibm.db2.jcc.DB2DataSource IBM Informix Type 4 DriverCloudScape 5.1 Type 4 Driver Page JMS Resources Configuring Java Message Service Resources Relationship Between JMS Resources and Connector Resources JMS Physical Destinations JMS Connection FactoriesJMS Destination Resources Configuring JMS Provider Properties Foreign JMS Providers Accessing Remote Servers Resource Adapter Properties Configuring the Generic Resource Adapter False Foreign JMS Providers ManagedConnectionFactory Properties Activation Spec Properties Administered Object Resource Properties Configuring Java Message Service Resources Message causes a runtime exception Creating a JavaMail Session Configuring JavaMail Resources Creating a JavaMail Session Jndi Resources Java EE Naming Services Naming References and Binding Information 1JNDI Lookups and Their Associated References Using Custom ResourcesUsing External Jndi Repositories and Resources Using External Jndi Repositories and Resources An Overview of Connectors Connector Resources Specify this name when creating a connector resource Managing Connector Connection PoolsTo Create a Connector Connection Pool Create-connector-connection-pool To Edit a Connector Connection Pool Same transaction level as that specified in resource To Edit Connector Connection Pool Advanced Attributes Pool. Default value is false To create security maps for connector connection pools To Delete a Connector Connection PoolTo Edit Security Maps for Connector Connection Pools To Edit Connection Pool Properties To Set Up EIS Access Managing Connector ResourcesTo Create a Connector Resource Delete-connector-connection-pool Create-connector-resource To Edit a Connector ResourceTo Delete a Connector Resource Delete-connector-resource Managing Administered Object ResourcesTo Configure the Connector Service To Create an Administered Object Resource To Delete an Administered Object Resource To Edit an Administered Object ResourceCreate-admin-object Delete-admin-object SIP Servlet Container Web and EJB Containers Editing SIP Container Session Properties Editing the Properties of the SIP ContainerEditing SIP Container General Attributes Editing SIP Container Session Manager Properties Web ContainerEJB Container Page Understanding Application and System Security Configuring Security Tools for Managing Security Encrypting a Password in the domain.xml File Managing Security of PasswordsAsadmin create-password-alias --user admin alias-name Asadmin create-password-alias --user admin jms-password Changing the Master Password Protecting Files with Encoded PasswordsRestart the Enterprise Server for the relevant domain Restart the Enterprise Server Working with the Master Password and Keystores Changing the Admin Password 1Enterprise Server Authentication Methods About Authentication and AuthorizationAuthenticating Entities Verifying Single Sign-On Authorizing UsersSpecifying Jacc Providers Understanding Users, Groups, Roles, and Realms Configuring Message Security Groups Users Realms Roles Create a Jdbc realm To Configure a Jdbc Realm for a Web, EJB Application Following topics are discussed in this section Introduction to Certificates and SSLAbout Digital Certificates About Certificate Chains About Secure Sockets Layer About Ciphers Using Name-based Virtual Hosts About Certificate Files About Firewalls Changing the Location of Certificate Files Using Java Secure Socket Extension Jsse ToolsUsing the keytool Utility Delete a certificate from a keystore of type JKS Display certificate information from a keystore of type JKS Generating a Certificate Using thekeytool Utility Certificate was added to keystore Saving cacerts.jks Deleting a Certificate Using thekeytool Utility Keytool -delete Using Network Security Services NSS ToolsStorepass password Verify the certificates generated in the previous bullet Using the certutil UtilityDisplay available certificates Certutil -L -d $CERTDBDIR Move a certificate from an NSS database to JKS format Delete a certificate from an NSS certificate database Add a new PKCS11 module or token Modutil -list -dbdir $admin.domain.dir/$admin.domain/configDelete a PKCS11 module from an NSS store List available token modules in an NSS store About Configuring Hardware Crypto Accelerators Using Hardware Crypto Accelerator With Enterprise Server Modutil -list -dbdir Asnssdb Configuring PKCS#11 TokensStandard output will look similar to the following This section describes the following topics Managing Keys And Certificates Standard output will be similar to the following Listing Keys and Certificates Working With Private Keys and Certificates Configuring J2SE 5.0 PKCS#11 ProvidersConfiguration for the SCA 1000 hardware accelerator Name=HW1000 Library=/opt/SUNWconn/crypto/lib/libpkcs11.so Property name=mytoken value=&InstallDir/mypkcs11.cfg 126 Overview of Message Security Configuring Message Security Assigning Message Security Responsibilities System AdministratorUnderstanding Message Security in the Enterprise Server About Username Tokens Application DeployerApplication Developer About Message Protection Policies About Digital SignaturesAbout Encryption Response Policy Glossary of Message Security Terminology Securing a Web Service Securing the Sample Application Configuring the Enterprise Server for Message SecurityConfiguring Application-Specific Web Services Security Actions of Request and Response Policy Configurations After You Finish Configuring Other Security FacilitiesConfiguring a JCE Provider Security.provider.1=sun.security.provider.Sun Save and close the file Enabling Providers for Message Security Message Security Setup To specify the default client provider Configuring the Message Security ProviderTo specify the default server provider Enabling Message Security for Application Clients Creating a Message Security Provider Response-policy Further Information Diagnostic Service Framework Configuring the Diagnostic ServiceWhat is the Diagnostic Framework? Generating a Diagnostic Report About Transactions What is a Transaction?Transactions Transactions in Java EE Technology What is a Transaction? on Configuring Transactions on Configuring Transactions Admin Console Tasks for TransactionsThis section explains how to configure transaction settings Workarounds for Specific Databases Set any needed properties To set a transaction timeout value To set the location of the transaction logs To set the keypoint interval Default value is Virtual Servers Configuring the Http Service Http Listeners Configuring the Http Service 151 152 Overview of Web Services Managing Web Services Java EE Web Service Standards Web Services Standards Deploying Web Services Deploying and Testing Web Services Viewing Deployed Web Services Using Web Services RegistriesTesting Web Services Web Services Security Adding a Registry Publishing a Web Service to a Registry Transforming Messages with Xslt Filters Monitoring Web Services Monitoring Web Service Messages Viewing Web Service Statistics 160 An Overview of the Object Request Broker Configuring the Object Request Broker What is the ORB? Configuring the ORBManaging Iiop Listeners Iiop Listeners Thread Pools Working with Thread Pools Log Records Configuring LoggingAbout Logging 1Enterprise Server Logger Namespaces Logger Namespace Hierarchy JTS Enterprise Server Logger Namespaces Configuring Log Levels Configuring LoggingConfiguring General Logging Settings Details Viewing Server Logs171000.000 ThreadID=13 Monitoring in the Enterprise Server Monitoring Components and ServicesAbout Monitoring About the Tree Structure of Monitorable Objects Overview of MonitoringApplications Tree Following sections describe these sub-trees Http Service Tree Resources Tree Connector Service TreeJMS Service Tree ORB Tree About Statistics for Monitored Components and ServicesThread Pool Tree Orb Connection-managers Connection-manager-1 1EJB Statistics EJB Container Statistics 3EJB Session Store Statistics 2EJB Method Statistics EJB Session Store Statistics 5EJB Cache Statistics 4EJB Pool Statistics 7Web Container Servlet Statistics 6Timer StatisticsWeb Container Statistics 8Web Container Web Module Statistics Http Service Statistics Jdbc Connection Pools Statistics 9HTTP Service Statistics Developer Profile 10JDBC Connection Pool Statistics 11Connector Connection Pool Statistics JMS/Connector Service Statistics 13Connection Manager in an ORB Statistics 12Connector Work Management StatisticsStatistics for Connection Managers in an ORB 15Transaction Service Statistics Transaction Service StatisticsThread Pools Statistics 14Thread Pool Statistics Java Virtual Machine JVM Statistics 15 Transaction Service StatisticsJVM Statistics 17JVM Statistics for Java SE- Class Loading 20JVM Statistics for Java SE- Memory 18JVM Statistics for Java SE- Compilation19JVM Statistics for Java SE- Garbage Collection 22JVM Statistics for Java SE Runtime Following table21JVM Statistics for Java SE Operating System 23JVM Statistics for Java SE Thread Info 24JVM Statistics for Java SE Threads Enabling and Disabling Monitoring Returns Configuring Monitoring Levels Using the Admin ConsoleTo Configure Monitoring Levels Using asadmin Viewing Monitoring Data With the asadmin Tool Viewing Monitoring Data in the Admin ConsoleTo Use the asadmin monitor Command to View Monitoring Data Viewing Monitoring Data 531628032 45940736 Asadmin get --user adminuser --monitor server.jvm Command returns the following attributes and dataServer.http-service Understanding and Specifying Dotted Names Server.applications.petstore Examples of the list and get Commands Examples for the get --user admin-user --monitor Command Examples for the list --user admin-user --monitor CommandAsadmin list --user admin-user--monitor server Asadmin list --user admin-user--monitor server.applications Attempt to get all attributes from a Java EE application Asadmin get --user admin-user--monitor server.jvm To Use the PetStore Example Asadmin get --user admin-user--monitor server.jvm.badnameAttempt to get a specific attribute from a subsystem Returns output will be similar to Returns with dotted name removed for space considerations Server.http-service Server.resources Server.thread-poolsAsadmin list -m server.applications.petstore.signon-ejbjar Monitoring Components and Services 201 Expected Output for list and get Commands at All Levels Applications Level Top Level Application has been deployed. It is not applicable if a Monitoring Components and Services 205 List -m Server.applications.app1 29Thread-Pools Level 28HTTP-Service Level ORB Level 31Transaction-Service LevelResources Level JVM Level Using JConsoleLevel Securing JConsole to Application Server Connection Connecting JConsole to Application Server Prerequisites for Connecting JConsole to Application Server Connecting JConsole Securely to Application Server Monitoring Components and Services 213 214 About Management Rules Configuring Management Rules Configuring Management Rules Configuring Management Rules 217 218 Tuning the JVM Settings Java Virtual Machine and Advanced Settings Configuring Advanced Settings This Appendix contains the following topics Automatically Restarting a Domain or Node AgentRestarting Automatically on Solaris Restarting Automatically on Solaris Restarting Automatically on the Microsoft Windows Platform Creating a Windows Service Start= auto DisplayName= display-name Jvm-options-Xrs/jvm-options Process name=as-service-name Sysproperty key=-XrsSecurity for Automatic Restarts 226 Top Level Elements Dotted Name Attributes for domain.xml Top Level Elements Elements Not Aliased Elements Not Aliased 230 Asadmin Utility Asadmin Utility Appendix C The asadmin Utility 233 Table C-1Remote Commands Required Options Common Options for Remote Commands Prefix followed by the password name in uppercase letters Multimode Command Get, Set, and List Commands Table C-2Server Lifecycle Commands Server Lifecycle Commands Table C-3List and Status Commands List and Status CommandsTable C-2 Server Lifecycle Commands Table C-4Deployment Commands Deployment Commands Message Queue Administration Commands Version CommandsTable C-5Version Commands Table C-6Message Queue Commands Table C-7Resource Management Commands Resource Management Commands Table C-7 Resource Management Commands Http and Iiop Listener Commands Configuration CommandsLifecycle and Audit Module Commands Table C-8IIOP Listener Commands JVM Options and Virtual Server Commands Profiler and SSL CommandsTable C-9Lifecycle Module Commands Table C-10Profiler and SSL Commands Transaction and Timer Commands Threadpool and Auth-Realm CommandsTable C-11JVM Options and Virtual Server Commands Table C-12Threadpool and Auth-Realm Commands Registry Commands User Management CommandsTable C-13Transaction Commands Table C-14Transaction Commands Table C-16Rules and Monitoring Commands Rules and Monitoring CommandsDatabase Commands Web Service Commands Diagnostic and Logging CommandsTable C-17Database Commands Table C-18Diagnostic and Logging Commands Table C-20Security Commands Security Service Commands Table C-21Password Commands Password Commands Service Command Verify CommandCustom MBean Commands Table C-25Property Command Property Command ACC Index JMS Logging ORB 256