Sun Microsystems 820433510 Managing Security of Passwords

Formore information on using certutil,pk12util, and other NSS security tools, see NSS

SecurityTools at http://www.mozilla.org/projects/security/pki/nss/tools.

Managing Security of Passwords

Inthe Enterprise Server, the le domain.xml, which contains the specications for a particular

domain,initially contains the password of the Message Queue broker in clear text. The element

inthe domain.xml le that contains this password is the admin-password attribute of the

jms-hostelement. Because this password is not changeable at installation time, it is not a

signicantsecurity impact.

However,use the Admin Console to add users and resources and assign passwords to these

usersand resources. Some of these passwords are written to the domain.xml le in clear text, for

example,passwords for accessing a database. Having these passwords in clear text in the

domain.xmlle can present a security hazard. You can encrypt any password in domain.xml,

includingthe admin-password attribute or a database password. Instructions for managing the

securitypasswords is included in the following topics:

■“Encryptinga Password in the domain.xml File” on page 99

■“ProtectingFiles with Encoded Passwords” on page 100

■“Changingthe Master Password” on page 100

■“Workingwith the Master Password and Keystores” on page 101

■“Changingthe Admin Password” on page 101

Encrypting a Passwordin the domain.xml File

Toencrypt a password in the domain.xml le. Follow these steps:

1. Fromthe directory where the domain.xml le resides (domain-dir/config by default), run

thefollowing asadmin command:

asadmin create-password-alias --user admin alias-name

Forexample,

asadmin create-password-alias --user admin jms-password

Apassword prompt appears (admin in this case). Refer to the man pages for the

create-password-alias,list-password-aliases,delete-password-aliascommands

formore information.

2. Removeand replace the password in domain.xml. This is accomplished using the asadmin

setcommand. An example of using the set command for this purpose is as follows:

asadmin set --user admin server.jms-service.jms-host.

default_JMS_host.admin-password=’${ALIAS=jms-password}’

ManagingSecurity of Passwords

Chapter9 •Conguring Security 99

Contents

Main Page Contents Page Page Page Page Page Page Page Page Page Page Page Tables Page Examples Page Preface Sun GlassFishEnterprise S erver DocumentationS et Default Pathsand File Names Thefollowing table describes the default paths and le names that are used in this book. TypographicConventions Thefollowing table describes the typographic changes that are used in this book. SymbolConventions Thefollowing table explains symbols that might be used in this book. Documentation, Support, andTraining Third-PartyWeb Site References SunWelcomes Your Comments Enterprise Server Overview Enterprise Server Overview and Concepts EnterpriseS erver Overview Toolsfor Administration AdminConsole Command-lineInterface (asadmin Utility) JConsole Enterprise Server Concepts Domain Domain AdministrationSer ver(DAS) UsageProles Cluster Node Agent Server Instance Portsin the Enterprise Server Basic Enterprise Server Commands Creatinga Domain Deleting a Domain Listing Domains Starting the Domain Page Starting a Cluster Stoppinga Cluster Creatinga Node Agent Starting a Node Agent Stoppinga Node Agent Starting an Instance Stoppingan Instance Restarting an Instance Recreatingthe Domain Administration Server Tomigrate the DAS Page Page Java Business Integration JBI Environment JBI Components ServiceEngines BindingComponents JBIComponent Loggers Service Assemblies SharedLibraries JBI Descriptors JDBC Resources JDBC Resources JDBC Connection Pools How JDBC Resourcesand Connection Pools Work Together Setting Up Database Access Workingwith JDBC Connection Pools Creatinga JDBC Connection Pool Creatinga JDBC Connection Pool and JDBC Resource Using the Admin Console Creatinga JDBC Connection Pool and JDBC Resource Using the CLI Editing a JDBC Connection Pool Page Editing JDBC Connection PoolAdvanced Attributes Page Congurationsfor Specic JDBC Drivers JavaDB Type 4 Driver Sun GlassFishJDBC Driver for DB2 Databases Sun GlassFishJDBC Driver for Oracle 8.1.7 and 9.x Sun GlassFishJDBC Driver for Microsoft SQL Server Sun GlassFishJDBC Driver for Sybase Databases IBM DB2 8.1Type 2 Driver JConnectType 4 Driver for Sybase ASE 12.5 Databases MySQLType 4 Driver Inet OraxoJDBC Driver for Oracle 8.1.7 and 9.x Inet Merlia JDBC Driverfor Microsoft SQL Ser ver Inet SybeluxJDBC Driver for Sybase Databases OracleThin Type 4 Driver for Oracle 8.1.7 and 9.x OCI OracleType 2 Driver for Oracle 8.1.7 and 9.x IBM InformixType 4 Driver CloudScape 5.1Type 4 Driver Page Conguring Java Message Service Resources JMS Resources The RelationshipBetween JMS Resources and Connector Resources JMS Connection Factories JMS Destination Resources JMS PhysicalDestinations ConguringJMS Provider Properties AccessingRemote Servers ForeignJMS Providers Conguringthe Generic Resource Adapter for JMS Conguringthe Generic Resource Adapter ResourceAdapter Properties Page Page ManagedConnectionFactory Properties AdministeredObject Resource Properties ActivationSpec Properties Page Page Conguring JavaMail Resources Creatinga JavaMail Session Page JNDI Resources JavaEE Naming S ervices Naming Referencesand Binding Information UsingCustom Resources UsingEx ternal JNDI Repositoriesand Resources Page Connector Resources An Overview of Connectors Managing Connector Connection Pools ToCreate a Connector Connection Pool ToEdit a Connector Connection Pool ClickSave. ClickLoad Defaults if you want to restorethe default values of all the settings. Usingthe asadmin commands to change connection pool properties. ToEdit Connector Connection Pool Advanced Attributes Usingthe asadmin commands to change connection pool properties. ToEdit Connection Pool Properties Managing Security Maps Tocreate security maps for connector connection pools ToEdit Security Maps for Connector Connection Pools ToDelete a Connector Connection Pool ToSet Up EIS Access Managing Connector Resources ToCreate a Connector Resource ToEdit a Connector Resource ToDelete a Connector Resource ToCongure the Connector Service Managing AdministeredObjec t Resources ToCreate an Administered Object Resource ToEdit an Administered Object Resource ToDelete an Administered Object Resource Web and EJB Containers The SIP Servlet Container Editing the Properties of the SIP Container EditingSIP Container General Attributes EditingSIP Container Session Properties EditingSIP Container Session Manager Properties TheWeb Container The EJB Container Page Conguring Security Understanding Application and SystemSecurity Toolsfor Managing Security Managing Security of Passwords Encrypting a Passwordin the domain.xml File Protecting Fileswith Encoded Passwords Changing the MasterPassword Workingwith the Master Password and Keystores Changing the AdminPassword About Authentication and Authorization AuthenticatingEntities VerifyingSingle Sign-On AuthorizingUsers Specifying JACCProviders AuditingAuthentication and Authorization Decisions ConguringMessage Security Understanding Users,Groups, Roles, and Realms Users Groups Roles Realms ToCongure a JDBC Realm for aWeb, EJB Application Introduction to Certicates and SSL About Digital Certicates AboutCerticate Chains About Secure SocketsLayer AboutCiphers UsingName-based Virtual Hosts About Firewalls About Certicate Files Changing the Locationof Cer ticateFiles Using JavaSecure Socket Extension (JSSE) Tools Usingthe keytool Utility Page Generatinga Certicate Using the keytool Utility Signing a Digital Certicate Usingthe keytool Utility Deleting a Certicate Usingthe keytool Utility UsingNetwork Security Ser vices (NSS)Tools Usingthe certutil Utility Importing and Exporting Certicates Using the pk12util Utility Addingand Deleting PKCS11 Modules using modutil Using HardwareCrypto Accelerator With Enterprise Server About ConguringHardware Crypto Accelerators ConguringPKCS#11 Tokens Managing KeysAnd Certicates ListingKeys and Certicates WorkingWith PrivateKeys and Certicates ConguringJ2SE 5.0 PKCS#11 Providers Page Page Conguring Message Security Overview of Message Security Understanding Message Security in the Enterprise Server Assigning Message Security Responsibilities SystemAdministrator ApplicationDeployer ApplicationDeveloper About SecurityTokens and Security Mechanisms AboutUsername Tokens AboutDigital Signatures AboutEncryption AboutMessage Protection Policies Glossary of Message SecurityTerminology Securing aWeb Service ConguringApplication-Specic Web Services Security Securing the Sample Application Conguringthe Enterprise Ser ver forMessage Security Actions of Request and Response Policy Congurations ConguringO ther Security Facilities AfterYouFinish Conguringa JCE Provider Page Message Security Setup Enabling Providersfor Message Security Conguringthe Message Security Provider Creatinga Message Security Provider Enabling Message Security for Application Clients Setting the Request and Response Policy forthe Application Client Conguration Further Information Conguring the Diagnostic Service Whatis the Diagnostic Framework? Diagnostic Service Framework Generatinga Diagnostic Repor t Transactions AboutTransactions Whatis a Transaction? Transactionsin Java EE Technology Workaroundsfor Specic Databases AdminConsole Tasks for Transactions ConguringTransactions Tocongure how the Enterprise Server recoversfrom transactions Toset a transaction timeout value Toset the location of the transaction logs Toset the keypoint interval Conguring the HTTP Service Virtual Servers HTTP Listeners Page Page Managing Web Services Overview ofWeb Services WebServices Standards JavaEE Web Service Standards Deploying andTesting WebSer vices DeployingWeb Services ViewingDeployed Web Services TestingWeb Services WebServices Security UsingWeb Services Registries Addinga Registr y Publishinga Web Service to a Registry TransformingMessages with XSLT Filters MonitoringWeb Services ViewingWeb Service Statistics MonitoringWeb Service Messages Page Conguring the Object Request Broker An Overview of the Object Request Broker CORBA Whatis the ORB? IIOP Listeners Conguringthe ORB Managing IIOP Listeners Thread Pools Workingwith Thread Pools Conguring Logging About Logging LogRecords TheLogger Namespace Hierarchy Page ConguringLogging ConguringGeneral Logging Settings ConguringLog Levels ViewingSer verLogs Page Monitoring Components and Services About Monitoring Monitoringin the Enterprise Se rver Overview of Monitoring About theTree Structure of Monitorable Objects TheApplications Tree TheHTTP Service Tree TheResources Tree TheConnector Service Tree TheJMS Service Tree TheORB Tree TheThread Pool Tree About Statisticsfor Monitored Components and Services EJBContainer Statistics Thestatistics for EJB Session Stores are listed in the following table. Thestatistics available for EJB pools are listed in the following table. Thestatistics available for EJB caches are listed in the following table. Thestatistics available for Timers are listed in the following table. WebContainer Statistics Statisticsavailable for web modules are shown in Web Container Statistics on page 180. HTTPSer viceStatistics JDBCConnection Pools Statistics Thestatistics available for the JDBC connection pool are shown in the following table. JMS/ConnectorService Statistics Statisticsavailable for Connector Work Management are listed in the following table. Statisticsfor Connection Managers in an ORB Thestatistics available for the connection manager in an ORB are listed in the following table. ThreadPools Statistics Thestatistics available for the thread pool are shown in the following table. TransactionService Statistics JavaVirtual Machine (JVM) Statistics JVMStatistics in Java SE Thestatistics available for compilation in the JVM in Java SE are shown in the following table. Thestatistics available for memory in the JVM in Java SE are shown in the following table. Thestatistics available for the runtime in the JVM in Java SE are shown in the following table. Thestatistics available for ThreadInfo in the JVM in Java SE are shown in the following table. Thestatistics available for threads in the JVM in Java SE are shown in the following table. Enabling and Disabling Monitoring Thissection contains the following topics: ConguringMonitoring Levels Using the Admin Console ToCongure Monitoring Levels Using asadmin ViewingMonitoring Data ViewingMonitoring Data in the Admin Console ViewingMonitoring Data With the asadmin Tool ToUse the asadmin monitor Command toView Monitoring Data ToUse the asadmin get and list Commands toView Monitoring Data Understandingand Specifying Dotted Names Examplesof the list and get Commands Examplesfor the list --user admin-user --monitor Command Example1 Example2 Examplesfor the get --user admin-user --monitor Command Example1 Example2 Example3 Example4 ToUse the PetStoreExample Page Page Toalsoget a specic statistic, such as execution time, use a command such as the following: ExpectedOutput for list and get Commands at All Levels applicationslevel. Page Page HTTPService level. threadpools level. resourceslevel. transactionservice level. Thefollowing table shows the command, dotted name, and corresponding output for the ORB level. UsingJConsole Securing JConsoleto Application Ser verConnec tion Prerequisitesfor Connecting JConsole to Application Server Connecting JConsoleto Application Ser ver Connecting JConsoleSecurely to Application Ser ver Page Page Conguring Management Rules About Management Rules ConguringManagement Rules Page Page JavaVirtual Machine and Advanced Settings Tuningthe JVM Settings ConguringAdvanced Settings A Automatically Restarting a Domain or Node Agent Restarting Automatically on Solaris 10 Page Restarting Automatically Using inittab on Solaris 9 and Linux Platforms Restarting Automatically on the MicrosoftWindows Platform Creatinga Windows Service Page Preventingthe Service From Shutting Down When a UserLogs Out Security for AutomaticRestar ts Page B Dotted Name Attributes for domain.xml TopLevel Elements Page Elements Not Aliased Page C The asadmin Utility The asadmin Utility Page CommonOptions for Remote Commands The Multimode Command The Get,S et,and List Commands Server Lifecycle Commands List and Status Commands Thelist and status commands display the status of a deployed component. Deployment Commands Thedeployment commands deploy an application or get the client stubs. VersionCommands Message Queue AdministrationCommands TheMessage Queue administration commands allow you to manage the JMS destinations. ResourceManagement Commands Theresource commands allow you to manage the various resources used in your application. Page CongurationCommands HTTP and IIOP Listener Commands Lifecycleand Audit Module Commands Prolerand SSL Commands JVM Options andVirtual Server Commands TheJVM options and Virtual Server commands allow you to control these elements. These Threadpooland Auth-Realm Commands Thethreadpool and auth-realm commands allow you to control these elements. These Transactionand Timer Commands Registry Commands Theregistry commands allow you to publish or unpublish webservice artifacts. User Management Commands Rules and Monitoring Commands Rulesand monitoring commands allow you to manage rules and monitor the server. These Database Commands Diagnostic and Logging Commands WebSer viceCommands Theweb service commands allow you to monitor a deployed web service and manage transformationrules. Security Service Commands PasswordCommands Thepassword commands allow you to manage passwords and ensure security for the applicationserver. VerifyCommand TheXML verier command veries the content of the domain.xml le. CustomMBean Commands Service Command Theservice command allows you to congure the starting of the Domain Administration Server(DAS). Property Command Index A B C D F G H I J M N O P Q T V