IBM WebSphere V5.0 Security - CGISecurity

More documents

Recommendations

Info

Available functionsActiveXclientAppletclientJ2EEclientPluggable clientThinclientEnables initialization ofclient app’s runtimeenvironmentSupportsauthentication to localresourcesRequires app isdistributed to clientmachineNo No Yes No NoNo No Yes No NoNo No Yes Yes YesThis chapter will concentrate on securing the J2EE application client and thinapplication client.6.2 CSIv2 and SASThe Common Secure Interoperability (CSI) security specification is defined bythe OMG (see http://www.omg.org). Currently in its second version, thespecification defines the Security Attribute Service (SAS) protocol to address therequirements of CORBA security for interoperable authentication, delegation andprivileges. The SAS protocol is designed to exchange its protocol elements in theservice context of GIOP request and reply messages that are communicatedover a connection-based transport. The protocol is intended to be used inenvironments where transport layer security, such as that available via SecureSockets Layer (SSL)/ Transport Layer Security (TLS) or Secure InterORBProtocol (SECIOP), is used to provide message protection (that is, integrity andor confidentiality) and server-to-client authentication. The protocol provides clientauthentication, delegation, and privilege functionality that may be applied toovercome corresponding deficiencies in an underlying transport. The SASprotocol facilitates interoperability by serving as the higher-level protocol underwhich secure transports may be unified.The SAS protocol is divided into two layers:► The authentication layer is used to perform client authentication wheresufficient authentication could not be accomplished in the transport.► The attribute layer may be used by a client to deliver security attributes, suchas identity and privilege, to a target where they may be applied in accesscontrol decisions.100 IBM WebSphere V5.0 Security Handbook
The attribute layer also provides the means for a client to assert identityattributes that differ from the client’s authentication identity (as established in thetransport or SAS authentication layers). This identity assertion capability is thebasis of a general-purpose impersonation mechanism that makes it possible foran intermediate to act on behalf of some identity other than itself. This canimprove the performance of a system since the authentication of a client isrelatively expensive. The server can validate the request by checking its trustrules.In order to invoke an EJB method that has been secured, a protocol is requiredto determine the level of security and type of authentication to be agreed upon bythe client and server. During the method invocation, the protocol must coalescethe server’s authentication requirements, which is determined by the object’sIOR, with the client’s authentication requirements, which is determined by theclient’s configuration and select the appropriate policy.The Application Server can be configured to support both CSIv2 and IBM’sSecure Association Service (SAS). In fact, both protocols can be supportedsimultaneously; that is to say the Application Server may receive a request usingone protocol and then receive another request using the other protocol. IBM’sSAS is the protocol used in previous versions of the Application Server andalthough deprecated, is provided in version five for interoperability with olderclients and servers. CSIv2, which is the focus of this chapter, allows vendors tosecurely interoperate and provides a greater number of features over SAS.CSIv2 and SAS are add-on IIOP services, where IIOP is the communicationsprotocol used to send messages between two ORBs. In preparation for a requestto flow from client to server, a connection between the two ORBs must beestablished over TCP/IP. The client ORB will invoke the authentication protocol’sclient connection interceptor which is used to read the tagged components in theIOR of the server-based object being requested. This is how the authenticationpolicy is established. Once the policy has been established, the ORB will makethe connection, with the optional addition of the SSL cipher.The client ORB invokes the client request interceptor once the connection hasbeen established and sends security information other than what wasestablished by the transport. This may include a user ID and password token,which is authenticated by the server, an authentication mechanism-specifictoken, which is validated by the server or an identity assertion token, whichallows an intermediate to act on behalf of some identity other than itself. Thisadditional security information is sent with the message in a GIOP servicecontext.Chapter 6. Securing Java clients 101
Page 1:
Front coverIBM WebSphere V5.0Securi
Page 4 and 5:
Take Note! Before using this inform
Page 6 and 7:
4.2.1 Configuring Web module securi
Page 8 and 9:
10.6 LTPA . . . . . . . . . . . . .
Page 10 and 11:
Lotus Domino . . . . . . . . . . .
Page 12 and 13:
TrademarksThe following terms are t
Page 14 and 15:
The team that wrote this redbookThi
Page 16 and 17:
Stephen Pipes is a WebSphere consul
Page 18 and 19:
xviIBM WebSphere V5.0 Security Hand
Page 20 and 21:
1.1 How to read this bookThere are
Page 22 and 23:
4 IBM WebSphere V5.0 Security Handb
Page 24 and 25:
2.1 SecurityAs new business practic
Page 26 and 27:
2.2 Security fundamentals2.2.1 Auth
Page 28 and 29:
For example, in a distributed objec
Page 30 and 31:
►►►Users are mapped directly
Page 32 and 33:
If Bob wants to answer, he should u
Page 34 and 35:
identifies the client before issuin
Page 36 and 37:
2.3 Security in useSince security i
Page 38 and 39:
20 IBM WebSphere V5.0 Security Hand
Page 40 and 41:
3.1 J2EE applicationThe Java 2 Ente
Page 42 and 43:
Principals and GroupsSecurity Roles
Page 44 and 45:
3.4 Application deployment descript
Page 46 and 47:
3.5 J2EE application security confi
Page 48 and 49:
Figure 3-4 Application-level Securi
Page 50 and 51:
Security role mapping in the Admini
Page 52 and 53:
Figure 3-7 Searching for the manage
Page 54 and 55:
36 IBM WebSphere V5.0 Security Hand
Page 56 and 57:
4.1 Static componentsWebSphere Appl
Page 58 and 59:
1. ldap.prop is an LDAP configurati
Page 60 and 61:
Figure 4-2 Defining authentication
Page 62 and 63:
A .htaccess file placed in one dire
Page 64 and 65:
4.2 Web module securityIn a J2EE ap
Page 66 and 67:
Figure 4-4 Login Method Configurati
Page 68 and 69: higher level of protection. User Da
Page 70 and 71: 8. Next to HTTP Methods click Add.
Page 72 and 73: 8. Add the GET and POST HTTP method
Page 74 and 75: 4.4 Security role referenceDuring t
Page 76 and 77: 7. Save and close the web.xml file.
Page 78 and 79: Form login configurationThe followi
Page 80 and 81: 4.5.2 Custom loginThere are situati
Page 82 and 83: employeeType will be stored as a se
Page 84 and 85: 3. From the Filter Type Selection w
Page 86 and 87: As a next step, you have to make su
Page 88 and 89: If the user in role 'A' accesses /h
Page 90 and 91: As a universal solution for the pro
Page 92 and 93: 5.1 Securing EJBsEJBs, or Enterpris
Page 94 and 95: 5.3 Assigning EJB method permission
Page 96 and 97: defined in the EJB module. For info
Page 98 and 99: These unprotected methods can have
Page 100 and 101: Figure 5-6 New Security Role Refere
Page 102 and 103: Important: Although this feature is
Page 104 and 105: 4. The Role Name option menu will c
Page 106 and 107: 5.5.2 Method level delegationIn add
Page 108 and 109: Figure 5-11 Method-level Run-as rol
Page 110 and 111: Figure 5-13 Selecting methods for t
Page 112 and 113: If one or more method-level delegat
Page 114 and 115: 96 IBM WebSphere V5.0 Security Hand
Page 116 and 117: 6.1 Java clientsA client is a gener
Page 120 and 121: Upon receiving the message, the ser
Page 122 and 123: The sas.client.props fileThe CORBA
Page 124 and 125: The CSIv2 configuration properties
Page 126 and 127: server. For example, if the client
Page 128 and 129: Client01Java clientJServer01EJB ser
Page 130 and 131: 2. Configure Server01 for outgoing
Page 132 and 133: Configuring Client02Client02 requir
Page 134 and 135: 3. Enable SSL for the connection, i
Page 136 and 137: Configuring Client01Client01 requir
Page 138 and 139: WebSphere V4SAS onlyWebSphere V5SAS
Page 140 and 141: The ITSOBank application provided w
Page 142 and 143: ►►►sas.jarecutils.jardirector
Page 144 and 145: 7.1 Web Services securityWeb Servic
Page 146 and 147: Figure 7-2 Creating a new Web Servi
Page 148 and 149: Figure 7-4 Web Service Deployment S
Page 150 and 151: Figure 7-7 Web Service Java Bean Me
Page 152 and 153: 12.As shown in Figure 7-10 on page
Page 154 and 155: Follow the steps below to use the g
Page 156 and 157: Using the ITSOBank Web Service clie
Page 158 and 159: Example 7-1 SOAP request with certi
Page 160 and 161: oVD/QxRYXFg02v6rK53DZKntqlI=/vhLHTE
Page 162 and 163: 3. In that window, under Security -
Page 164 and 165: Example 7-4 Secured and non-secured
Page 166 and 167: WS-Policy will be fully extensible
Page 168 and 169:
PolicyRequesterSecurityTokenService
Page 170 and 171:
Direct Trust using Security TokensT
Page 172 and 173:
6. The service fetches the certific
Page 174 and 175:
Security can be applied at two leve
Page 176 and 177:
ii. Browse to select the file /scri
Page 178 and 179:
►Messages sent and received can p
Page 180 and 181:
Important: Message Driven Bean is a
Page 182 and 183:
quser01readwrite
Page 184 and 185:
- Container-managed Authentication
Page 186 and 187:
The authority service component pro
Page 188 and 189:
J2EE Connector architecture establi
Page 190 and 191:
As a next step, the following list
Page 192 and 193:
CMP EJB 2.0Persistence ManagerDatas
Page 194 and 195:
J2EE 1.3 ApplicationEJB ContainerBe
Page 196 and 197:
2. Configure each resource adapter
Page 198 and 199:
8.1 Programmatic securityJ2EE secur
Page 200 and 201:
8.2.2 Servlet security methodsThe S
Page 202 and 203:
There is one point worth noting in
Page 204 and 205:
Figure 8-3 Custom Registry properti
Page 206 and 207:
Method signatureString getUserSecur
Page 208 and 209:
also ask for a X.509 certificate fi
Page 210 and 211:
Required libraries from WebSphere f
Page 212 and 213:
Testing the custom Trust Associatio
Page 214 and 215:
local or remote code (signed or not
Page 216 and 217:
To call a piece of trusted code to
Page 218 and 219:
►►►►►java.net.NetPermissi
Page 220 and 221:
►It is also possible to specify a
Page 222 and 223:
Java 2 security can be enabled on t
Page 224 and 225:
►The following callbacks are prov
Page 226 and 227:
applicationLoginContext LoginModule
Page 228 and 229:
lc=new LoginContext("ClientContaine
Page 230 and 231:
Note: Without initializing the ORB,
Page 232 and 233:
8.8 Where to find more informationF
Page 234 and 235:
9.1 WebSphere security modelThe IBM
Page 236 and 237:
DeploymentManagerCell-wideconfigura
Page 238 and 239:
From a security point of view, each
Page 240 and 241:
►Application Security determines
Page 242 and 243:
9.2.2 WebSphere Application Server
Page 244 and 245:
LTPA requires that the configured U
Page 246 and 247:
HTTP / HTTPSHTTP ServerWebSphere pl
Page 248 and 249:
9.3 Performance considerationsFrom
Page 250 and 251:
232 IBM WebSphere V5.0 Security Han
Page 252 and 253:
10.1 Administration toolsWebSphere
Page 254 and 255:
A Web browser, for instance, must b
Page 256 and 257:
the two types of registry provided
Page 258 and 259:
Roleconfiguratoroperatoradministrat
Page 260 and 261:
Figure 10-4 Mapping a group to an A
Page 262 and 263:
Mapping a group to a CosNaming role
Page 264 and 265:
1. In the Admin Console, select Sec
Page 266 and 267:
6. In the Configuration tab provide
Page 268 and 269:
8. The changes will need to be save
Page 270 and 271:
In a scenario presented in this cha
Page 272 and 273:
2. Save the configuration for WebSp
Page 274 and 275:
Figure 10-16 Application Login Conf
Page 276 and 277:
Figure 10-18 J2C Authentication ent
Page 278 and 279:
Figure 10-19 An SSL configuration w
Page 280 and 281:
WebSphere supports the concept of t
Page 282 and 283:
The file used by a Java client to r
Page 284 and 285:
Figure 10-22 Saving the new key sto
Page 286 and 287:
Figure 10-25 Provide details for th
Page 288 and 289:
24.From the menu bar, select Key Da
Page 290 and 291:
10.Enter a Key Label which will ide
Page 292 and 293:
Figure 10-30 A personal certificate
Page 294 and 295:
10.9.3 Using the Java keytoolAnothe
Page 296 and 297:
SSL connection #1 SSL connection #2
Page 298 and 299:
Figure 10-33 The IBM HTTP Server ik
Page 300 and 301:
The IBM HTTP Server Administration
Page 302 and 303:
15.Select Basic Settings -> Module
Page 304 and 305:
In the case of a self-signed certif
Page 306 and 307:
Note: If the Cipher Specification l
Page 308 and 309:
Make sure that the certificate is i
Page 310 and 311:
Figure 10-41 Certificate detailsThi
Page 312 and 313:
Configuring WebSphere to use certif
Page 314 and 315:
3. If you decide the use the IBM HT
Page 316 and 317:
Example 10-5 trace.log...[10/14/02
Page 318 and 319:
Configuring WebSphere to use exact
Page 320 and 321:
[10/14/02 19:39:38:358 EDT] 7a37602
Page 322 and 323:
publicly circulating root certifica
Page 324 and 325:
Exchanging public certificatesThe f
Page 326 and 327:
Modifying the Web Container to supp
Page 328 and 329:
The new certificate should appear u
Page 330 and 331:
3. Client Certificate Authenticatio
Page 332 and 333:
Figure 10-47 CSIv2 transport config
Page 334 and 335:
Table 10-5 sas.client.props configu
Page 336 and 337:
10.13.1 IBM SecureWay Directory Ser
Page 338 and 339:
2. Click the Add Server button. The
Page 340 and 341:
8. Click OK; a new window appears f
Page 342 and 343:
Figure 10-56 LDAP directory with us
Page 344 and 345:
Figure 10-57 WebSphere LDAP Configu
Page 346 and 347:
Configuring the secure LDAP (LDAPS)
Page 348 and 349:
Figure 10-59 Configuring SSL for Se
Page 350 and 351:
Figure 10-60 SSL encryption setting
Page 352 and 353:
choose not to differentiate between
Page 354 and 355:
- Port: specify 636 which correspon
Page 356 and 357:
A sample scenario is depicted next.
Page 358 and 359:
Item Cell Node Server Appl.CosNamin
Page 360 and 361:
JAAS configurationThe JAAS configur
Page 362 and 363:
Individual CSI and SAS settingsThe
Page 364 and 365:
The server security settings availa
Page 366 and 367:
Page 368 and 369:
11.1 Patterns for e-businessPattern
Page 370 and 371:
►►►Buy-Side HubSell-Side HubT
Page 372 and 373:
ClientTierSynchronousApplicationSyn
Page 374 and 375:
►Application tier: may represent
Page 376 and 377:
►certificates, access groups, etc
Page 378 and 379:
Figure 11-6 presents the Runtime pa
Page 380 and 381:
11.4 Product mappingsThis section p
Page 382 and 383:
- Authorization ServerThe Authoriza
Page 384 and 385:
The following secure communications
Page 386 and 387:
Page 388 and 389:
This chapter covers four different
Page 390 and 391:
andwidth to and from the server unt
Page 392 and 393:
All of these benefits contribute to
Page 394 and 395:
The Policy Server replicates this d
Page 396 and 397:
ServerTivoli Access Manager WebSEAL
Page 398 and 399:
Server Nameappsrv01, appsrv02Applic
Page 400 and 401:
1. First, log in with your favorite
Page 402 and 403:
1. In the Administrative Console, n
Page 404 and 405:
12.4.1 Single Sign-On with WebSEALW
Page 406 and 407:
correct. Then it trusts that the id
Page 408 and 409:
8. In the Single Sign-On (SSO) pane
Page 410 and 411:
User RegistryClient1. Request2. Aut
Page 412 and 413:
Property keycom.ibm.Websphere.secur
Page 414 and 415:
Figure 12-8 Trust Association Panel
Page 416 and 417:
2. We will first configure LTPA aut
Page 418 and 419:
e prompted for the keyfile password
Page 420 and 421:
Example 12-2 WebSphere Security ini
Page 422 and 423:
[8/22/02 7:42:44:163 CDT] 277a2e5c
Page 424 and 425:
[8/22/02 7:42:47:449 CDT] 277a2e5c
Page 426 and 427:
[8/22/02 7:42:51:655 CDT] 277a2e5c
Page 428 and 429:
In this example, we have configured
Page 430 and 431:
►►►WebSEAL can forward modifi
Page 432 and 433:
LDAPServerPolicy/AuthorizationServe
Page 434 and 435:
of inetOrg.Person as each junction
Page 436 and 437:
Figure 12-13 Web Portal Manager Men
Page 438 and 439:
Select the boxes Is Account Valid,
Page 440 and 441:
Creating Access Manager JunctionsAt
Page 442 and 443:
Figure 12-18 Protected Object Prope
Page 444 and 445:
Figure 12-20 Create an ACL Entry4.
Page 446 and 447:
Testing the junctionsThe following
Page 448 and 449:
Figure 12-22 Successful access to i
Page 450 and 451:
WebSEALAuthenticated Usersbefore fo
Page 452 and 453:
At the same time, the tool creates
Page 454 and 455:
- pdacld_port: the port number of t
Page 456 and 457:
8. The next application migrated wa
Page 458 and 459:
Do not make changes to the deployme
Page 460 and 461:
Page 462 and 463:
Page 464 and 465:
Sample applicationThe purpose of th
Page 466 and 467:
5. The Transfer EJB uses two entity
Page 468 and 469:
The process flows as described belo
Page 470 and 471:
You can download the clients from h
Page 472 and 473:
Configuring WebSphere Application S
Page 474 and 475:
Use this DataSource in container ma
Page 476 and 477:
e. On the Map RunAs roles to users
Page 478 and 479:
Page 480 and 481:
SecureWay Directory ServerThe confi
Page 482 and 483:
Ensure that Domino is using the LDA
Page 484 and 485:
Figure B-3 Domino LDAP settings in
Page 486 and 487:
Figure B-4 Domino CA application2.
Page 488 and 489:
Enable SSL on Domino ServerEnable S
Page 490 and 491:
1. Open the ikeyman tool that comes
Page 492 and 493:
3. WebSphere will validate your ent
Page 494 and 495:
Figure B-9 iPlanet Directory Server
Page 496 and 497:
Figure B-13 iPlanet Certificate Req
Page 498 and 499:
Figure B-16 Certificate Install Wiz
Page 500 and 501:
Figure B-19 iPlanet Encryption sett
Page 502 and 503:
Tip from a battle scarred veteran p
Page 504 and 505:
Figure B-21 Active Directory Users
Page 506 and 507:
Figure B-24 New User password panel
Page 508 and 509:
group membership, and other group a
Page 510 and 511:
WebSphere-Domino SSO scenariosIn th
Page 512 and 513:
7. Once the user is authenticated a
Page 514 and 515:
6. Click OK to create a database.7.
Page 516 and 517:
- On the Rules tab, specify the fol
Page 518 and 519:
3. A new Document will be displayed
Page 520 and 521:
Figure C-7 TCP/IP port status setti
Page 522 and 523:
1. To add new user names or groups
Page 524 and 525:
Figure C-10 Default Domino server l
Page 526 and 527:
Figure C-13 Successful submission o
Page 528 and 529:
Using Domino LDAP for user registry
Page 530 and 531:
Enabling Single Sign-On for WebSphe
Page 532 and 533:
wsadmin scriptingWebSphere Applicat
Page 534 and 535:
3. In the line com.ibm.SOAP.loginUs
Page 536 and 537:
You can also set the user registry
Page 538 and 539:
Page 540 and 541:
Using the Web materialThe additiona
Page 542 and 543:
SPISSLSSOSWAMUDDIURIURLVPNWARWASWSA
Page 544 and 545:
Referenced Web sitesThese Web sites
Page 546 and 547:
Page 548 and 549:
Application patternDirectly Integra
Page 550 and 551:
EJB permissionsExclude 80Role 80Unc
Page 552 and 553:
Llaunchclient 122LDAPAdvanced setti
Page 554 and 555:
ORB 102System 366Unprotected method
Page 556 and 557:
Gateway Security 155Gateway-level a
Page 558 and 559:
Page 562:
Back coverIBM WebSphere V5.0Securit
show all

IBM WebSphere V5.0 Security - CGISecurity

Create successful ePaper yourself

Delete template?

Save as template?