Sun Microsystems 820433510 guide

Configuring the Enterprise Server for Message Security

Actions of Request and Response Policy

Configurations

The following table shows message protection policy configurations and the resulting message security operations performed by the WS-Security SOAP message security providers for that configuration.

TABLE 10–1Message protection policy to WS-Security SOAP message security operation mapping

	Message Protection Policy	Resulting WS-Security SOAP message protection operations

	auth-source="sender"	The message contains a wsse:Security header that
		contains a wsse:UsernameToken (with password).

	auth-source="content"	The content of the SOAP message Body is signed. The
		message contains a wsse:Security header that contains
		the message Body signature represented as a
		ds:Signature.

	auth-source="sender"	The content of the SOAP message Body is encrypted and
	auth-recipient="before-content"	replaced with the resulting xend:EncryptedData. The
	auth-recipient="before-content"	message contains a wsse:Security header that contains
		message contains a wsse:Security header that contains
	OR	a wsse:UsernameToken (with password) and an
	auth-recipient="after-content"	xenc:EncryptedKey. The xenc:EncryptedKey contains
	auth-recipient="after-content"	the key used to encrypt the SOAP message body. The key
		is encrypted in the public key of the recipient.

	auth-source="content"	The content of the SOAP message Body is encrypted and
	auth-recipient="before-content"	replaced with the resulting xend:EncryptedData. The
	auth-recipient="before-content"	xenc:EncryptedData is signed. The message contains a
		xenc:EncryptedData is signed. The message contains a
		wsse:Security header that contains an
		xenc:EncryptedKey and a ds:Signature. The
		xenc:EncryptedKey contains the key used to encrypt the
		SOAP message body. The key is encrypted in the public
		key of the recipient.

	auth-source="content"	The content of the SOAP message Body is signed, then
	auth-recipient="after-content"	encrypted, and then replaced with the resulting
	auth-recipient="after-content"	xend:EncryptedData. The message contains a
		xend:EncryptedData. The message contains a
		wsse:Security header that contains an
		xenc:EncryptedKey and a ds:Signature. The
		xenc:EncryptedKey contains the key used to encrypt the
		SOAP message body. The key is encrypted in the public
		key of the recipient.

134	Sun GlassFish Enterprise Server 2.1 Administration Guide • December 2008

Image 134

Sun Microsystems 820433510 manual Actions of Request and Response Policy Configurations

Contents

Sun GlassFish Enterprise Server 2.1 Administration Guide Sun Microsystems, Inc Network Circle Santa Clara, CA 090122@21808 Contents Java Business Integration Jdbc Resources IBM Informix Type 4 Driver CloudScape 5.1 Type 4 Driver Accessing Remote ServersConfiguring JMS Provider Properties Foreign JMS Providers Configuring Security Web and EJB Containers 127 Virtual Servers 149 Http Listeners 150 141149 153 161 What is the ORB? 162 Iiop Listeners158 163 215 About Management Rules 215 Configuring Management Rules 216Tuning the JVM Settings 219 219 231 Asadmin UtilityProfiler and SSL Commands 244Page Figures Page Tables JVM Statistics for Java SE Runtime 189 List and Status Commands 238 Remote Commands Required Options 234Server Lifecycle Commands 237 Deployment Commands 239 Examples Page Table P-1Books in the Enterprise Server Documentation Set PrefaceSun GlassFish Enterprise Server Documentation Set Default Paths and File Names Table P-2Default Paths and File Names Typographic Conventions Symbol ConventionsSymbol Conventions Table P-3Typographic Conventions Sun Welcomes Your Comments Documentation, Support, and TrainingThird-Party Web Site References Enterprise Server Overview Enterprise Server OverviewEnterprise Server Overview and Concepts This section contains the following topics For example Tools for AdministrationAdmin Console Http//hostnameport JConsole Command-line Interface asadmin UtilityTo list the commands available within asadmin Domain Domain Administration Server DASEnterprise Server Concepts 1Features Available for Each Profile Usage Profiles Node Agent Features Available for Each ProfileCluster Server Instance 1Enterprise Server Instance Ports in the Enterprise Server 2Enterprise Server Listeners that Use Ports Http//hostname5000 Basic Enterprise Server CommandsCreating a Domain Starting the Domain Deleting a DomainListing Domains Stopping the Domain Starting the Default Domain on WindowsStopping the Default Domain on Windows Restarting the Domain Creating a Node Agent Starting a ClusterStopping a Cluster Starting a Node Agent Stopping an Instance Stopping a Node AgentStarting an Instance Restarting an Instance Recreating the Domain Administration Server To migrate the DAS Change Page JBI Environment Service EnginesJava Business Integration JBI Components Binding Components JBI Component Loggers Service Assemblies Shared Libraries JBI Descriptors Jdbc Resources Jdbc Resources Jdbc Connection Pools How Jdbc Resources and Connection Pools Work Together Setting Up Database Access Working with Jdbc Connection Pools Creating a Jdbc Connection Pool Click OK Change connection validation settings Editing a Jdbc Connection Pool By calling the con.getAutoCommit and con.getMetaData methods Editing Jdbc Connection Pool Advanced Attributes Creation Retry Attempts is greater than Configurations for Specific Jdbc Drivers Configurations for Specific Jdbc Drivers Java DB Type 4 Driver DataSource Classname Specify one of the following Sun GlassFish Jdbc Driver for DB2 Databases DataSource Classname com.sun.sql.jdbcx.db2.DB2DataSource Sun GlassFish Jdbc Driver for Microsoft SQL Server Databases DeferPrepares Set to false IBM DB2 8.1 Type 2 DriverDataSource Classname com.ibm.db2.jcc.DB2SimpleDataSource DataSource ClassnameSpecify one of the following Com.mysql.jdbc.jdbc2.optional.MysqlDataSource MySQL Type 4 DriverInet Oraxo Jdbc Driver for Oracle 8.1.7 and 9.x Databases DataSource Classname com.inet.tds.TdsDataSource Inet Merlia Jdbc Driver for Microsoft SQL Server DatabasesDataSource Classname com.inet.ora.OraDataSource Jdbcinetoralocalhost1521payrolldb Inet Sybelux Jdbc Driver for Sybase Databases DataSource Classname com.inet.syb.SybDataSource Jdbcoracleoci@localhost1521customerdb OCI Oracle Type 2 Driver for Oracle 8.1.7 DatabasesJdbcoraclethin@localhost1521customerdb DataSource Classname com.ibm.db2.jcc.DB2DataSource IBM Informix Type 4 DriverCloudScape 5.1 Type 4 Driver Page Configuring Java Message Service Resources JMS Resources Relationship Between JMS Resources and Connector Resources JMS Physical Destinations JMS Connection FactoriesJMS Destination Resources Configuring JMS Provider Properties Accessing Remote Servers Foreign JMS Providers Configuring the Generic Resource Adapter Resource Adapter Properties False Foreign JMS Providers ManagedConnectionFactory Properties Administered Object Resource Properties Activation Spec Properties Configuring Java Message Service Resources Message causes a runtime exception Configuring JavaMail Resources Creating a JavaMail Session Creating a JavaMail Session Java EE Naming Services Jndi Resources Naming References and Binding Information 1JNDI Lookups and Their Associated References Using Custom ResourcesUsing External Jndi Repositories and Resources Using External Jndi Repositories and Resources Connector Resources An Overview of Connectors Specify this name when creating a connector resource Managing Connector Connection PoolsTo Create a Connector Connection Pool To Edit a Connector Connection Pool Create-connector-connection-pool Same transaction level as that specified in resource To Edit Connector Connection Pool Advanced Attributes Pool. Default value is false To Edit Security Maps for Connector Connection Pools To Delete a Connector Connection PoolTo create security maps for connector connection pools To Edit Connection Pool Properties To Create a Connector Resource Managing Connector ResourcesTo Set Up EIS Access Delete-connector-connection-pool Create-connector-resource To Edit a Connector ResourceTo Delete a Connector Resource Delete-connector-resource Managing Administered Object ResourcesTo Configure the Connector Service To Create an Administered Object Resource Create-admin-object To Edit an Administered Object ResourceTo Delete an Administered Object Resource Delete-admin-object Web and EJB Containers SIP Servlet Container Editing SIP Container Session Properties Editing the Properties of the SIP ContainerEditing SIP Container General Attributes Editing SIP Container Session Manager Properties Web ContainerEJB Container Page Configuring Security Understanding Application and System Security Tools for Managing Security Asadmin create-password-alias --user admin alias-name Managing Security of PasswordsEncrypting a Password in the domain.xml File Asadmin create-password-alias --user admin jms-password Restart the Enterprise Server for the relevant domain Protecting Files with Encoded PasswordsChanging the Master Password Restart the Enterprise Server Changing the Admin Password Working with the Master Password and Keystores 1Enterprise Server Authentication Methods About Authentication and AuthorizationAuthenticating Entities Verifying Single Sign-On Authorizing UsersSpecifying Jacc Providers Configuring Message Security Understanding Users, Groups, Roles, and Realms Users Groups Roles Realms To Configure a Jdbc Realm for a Web, EJB Application Create a Jdbc realm Following topics are discussed in this section Introduction to Certificates and SSLAbout Digital Certificates About Secure Sockets Layer About Certificate Chains Using Name-based Virtual Hosts About Ciphers About Firewalls About Certificate Files Changing the Location of Certificate Files Using Java Secure Socket Extension Jsse ToolsUsing the keytool Utility Display certificate information from a keystore of type JKS Delete a certificate from a keystore of type JKS Generating a Certificate Using thekeytool Utility Deleting a Certificate Using thekeytool Utility Certificate was added to keystore Saving cacerts.jks Keytool -delete Using Network Security Services NSS ToolsStorepass password Display available certificates Using the certutil UtilityVerify the certificates generated in the previous bullet Certutil -L -d $CERTDBDIR Delete a certificate from an NSS certificate database Move a certificate from an NSS database to JKS format Delete a PKCS11 module from an NSS store Modutil -list -dbdir $admin.domain.dir/$admin.domain/configAdd a new PKCS11 module or token List available token modules in an NSS store Using Hardware Crypto Accelerator With Enterprise Server About Configuring Hardware Crypto Accelerators Modutil -list -dbdir Asnssdb Configuring PKCS#11 TokensStandard output will look similar to the following Managing Keys And Certificates This section describes the following topics Listing Keys and Certificates Standard output will be similar to the following Working With Private Keys and Certificates Configuring J2SE 5.0 PKCS#11 ProvidersConfiguration for the SCA 1000 hardware accelerator Property name=mytoken value=&InstallDir/mypkcs11.cfg Name=HW1000 Library=/opt/SUNWconn/crypto/lib/libpkcs11.so 126 Configuring Message Security Overview of Message Security Assigning Message Security Responsibilities System AdministratorUnderstanding Message Security in the Enterprise Server About Username Tokens Application DeployerApplication Developer About Message Protection Policies About Digital SignaturesAbout Encryption Glossary of Message Security Terminology Response Policy Securing a Web Service Securing the Sample Application Configuring the Enterprise Server for Message SecurityConfiguring Application-Specific Web Services Security Actions of Request and Response Policy Configurations After You Finish Configuring Other Security FacilitiesConfiguring a JCE Provider Save and close the file Security.provider.1=sun.security.provider.Sun Message Security Setup Enabling Providers for Message Security To specify the default client provider Configuring the Message Security ProviderTo specify the default server provider Creating a Message Security Provider Enabling Message Security for Application Clients Further Information Response-policy Diagnostic Service Framework Configuring the Diagnostic ServiceWhat is the Diagnostic Framework? Generating a Diagnostic Report About Transactions What is a Transaction?Transactions What is a Transaction? on Configuring Transactions on Transactions in Java EE Technology This section explains how to configure transaction settings Admin Console Tasks for TransactionsConfiguring Transactions Workarounds for Specific Databases To set a transaction timeout value Set any needed properties To set the location of the transaction logs Default value is To set the keypoint interval Configuring the Http Service Virtual Servers Http Listeners Configuring the Http Service 151 152 Managing Web Services Overview of Web Services Web Services Standards Java EE Web Service Standards Deploying and Testing Web Services Deploying Web Services Testing Web Services Using Web Services RegistriesViewing Deployed Web Services Web Services Security Publishing a Web Service to a Registry Adding a Registry Monitoring Web Services Transforming Messages with Xslt Filters Viewing Web Service Statistics Monitoring Web Service Messages 160 Configuring the Object Request Broker An Overview of the Object Request Broker Managing Iiop Listeners Configuring the ORBWhat is the ORB? Iiop Listeners Thread Pools Working with Thread Pools Log Records Configuring LoggingAbout Logging Logger Namespace Hierarchy 1Enterprise Server Logger Namespaces Enterprise Server Logger Namespaces JTS Configuring Log Levels Configuring LoggingConfiguring General Logging Settings Details Viewing Server Logs171000.000 ThreadID=13 Monitoring in the Enterprise Server Monitoring Components and ServicesAbout Monitoring Applications Tree Overview of MonitoringAbout the Tree Structure of Monitorable Objects Following sections describe these sub-trees Http Service Tree Resources Tree Connector Service TreeJMS Service Tree Thread Pool Tree About Statistics for Monitored Components and ServicesORB Tree Orb Connection-managers Connection-manager-1 EJB Container Statistics 1EJB Statistics 2EJB Method Statistics 3EJB Session Store Statistics EJB Session Store Statistics 4EJB Pool Statistics 5EJB Cache Statistics 7Web Container Servlet Statistics 6Timer StatisticsWeb Container Statistics Http Service Statistics 8Web Container Web Module Statistics 9HTTP Service Statistics Developer Profile Jdbc Connection Pools Statistics 10JDBC Connection Pool Statistics JMS/Connector Service Statistics 11Connector Connection Pool Statistics 13Connection Manager in an ORB Statistics 12Connector Work Management StatisticsStatistics for Connection Managers in an ORB Thread Pools Statistics Transaction Service Statistics15Transaction Service Statistics 14Thread Pool Statistics JVM Statistics 15 Transaction Service StatisticsJava Virtual Machine JVM Statistics 17JVM Statistics for Java SE- Class Loading 20JVM Statistics for Java SE- Memory 18JVM Statistics for Java SE- Compilation19JVM Statistics for Java SE- Garbage Collection 22JVM Statistics for Java SE Runtime Following table21JVM Statistics for Java SE Operating System 23JVM Statistics for Java SE Thread Info Enabling and Disabling Monitoring 24JVM Statistics for Java SE Threads Returns Configuring Monitoring Levels Using the Admin ConsoleTo Configure Monitoring Levels Using asadmin To Use the asadmin monitor Command to View Monitoring Data Viewing Monitoring Data in the Admin ConsoleViewing Monitoring Data With the asadmin Tool Viewing Monitoring Data 531628032 45940736 Server.http-service Command returns the following attributes and dataAsadmin get --user adminuser --monitor server.jvm Understanding and Specifying Dotted Names Examples of the list and get Commands Server.applications.petstore Asadmin list --user admin-user--monitor server Examples for the list --user admin-user --monitor CommandExamples for the get --user admin-user --monitor Command Asadmin list --user admin-user--monitor server.applications Asadmin get --user admin-user--monitor server.jvm Attempt to get all attributes from a Java EE application Attempt to get a specific attribute from a subsystem Asadmin get --user admin-user--monitor server.jvm.badnameTo Use the PetStore Example Returns output will be similar to Returns with dotted name removed for space considerations Server.http-service Server.resources Server.thread-poolsAsadmin list -m server.applications.petstore.signon-ejbjar Monitoring Components and Services 201 Expected Output for list and get Commands at All Levels Top Level Applications Level Application has been deployed. It is not applicable if a Monitoring Components and Services 205 List -m Server.applications.app1 28HTTP-Service Level 29Thread-Pools Level ORB Level 31Transaction-Service LevelResources Level JVM Level Using JConsoleLevel Securing JConsole to Application Server Connection Prerequisites for Connecting JConsole to Application Server Connecting JConsole to Application Server Connecting JConsole Securely to Application Server Monitoring Components and Services 213 214 Configuring Management Rules About Management Rules Configuring Management Rules Configuring Management Rules 217 218 Java Virtual Machine and Advanced Settings Tuning the JVM Settings Configuring Advanced Settings This Appendix contains the following topics Automatically Restarting a Domain or Node AgentRestarting Automatically on Solaris Restarting Automatically on Solaris Creating a Windows Service Restarting Automatically on the Microsoft Windows Platform Start= auto DisplayName= display-name Jvm-options-Xrs/jvm-options Process name=as-service-name Sysproperty key=-XrsSecurity for Automatic Restarts 226 Dotted Name Attributes for domain.xml Top Level Elements Top Level Elements Elements Not Aliased Elements Not Aliased 230 Asadmin Utility Asadmin Utility Appendix C The asadmin Utility 233 Common Options for Remote Commands Table C-1Remote Commands Required Options Multimode Command Prefix followed by the password name in uppercase letters Get, Set, and List Commands Server Lifecycle Commands Table C-2Server Lifecycle Commands Table C-3List and Status Commands List and Status CommandsTable C-2 Server Lifecycle Commands Deployment Commands Table C-4Deployment Commands Table C-5Version Commands Version CommandsMessage Queue Administration Commands Table C-6Message Queue Commands Resource Management Commands Table C-7Resource Management Commands Table C-7 Resource Management Commands Lifecycle and Audit Module Commands Configuration CommandsHttp and Iiop Listener Commands Table C-8IIOP Listener Commands Table C-9Lifecycle Module Commands Profiler and SSL CommandsJVM Options and Virtual Server Commands Table C-10Profiler and SSL Commands Table C-11JVM Options and Virtual Server Commands Threadpool and Auth-Realm CommandsTransaction and Timer Commands Table C-12Threadpool and Auth-Realm Commands Table C-13Transaction Commands User Management CommandsRegistry Commands Table C-14Transaction Commands Table C-16Rules and Monitoring Commands Rules and Monitoring CommandsDatabase Commands Table C-17Database Commands Diagnostic and Logging CommandsWeb Service Commands Table C-18Diagnostic and Logging Commands Security Service Commands Table C-20Security Commands Password Commands Table C-21Password Commands Service Command Verify CommandCustom MBean Commands Property Command Table C-25Property Command Index ACC JMS Logging ORB 256