uCosminexus Application Server

Security Management Guide

3020-3-Y09-10(E)


Contents

Notices
Summary of amendments
Preface

Part 1: Overview

1. Application Server Functionality
1.1 Classifications of functionality
1.1.1 Functionality for an application execution infrastructure
1.1.2 Functionality for operating and maintaining the execution infrastructure for applications
1.1.3 Functionality and associated manuals
1.2 Functionality and associated system purposes
1.2.1 Authentication functionality
1.2.2 Encryption functionality
1.2.3 Invalid processing prevention functionality
1.2.4 Other functionality
1.3 Format of functional descriptions in this manual
1.3.1 Parts of the descriptions
1.3.2 Parts of the functional descriptions - example table
1.4 Major functional changes in Application Server 09-50

2. Security Management with the Application Server
2.1 Organization of this chapter
2.2 Measures for ensuring security
2.2.1 Realizing a system configuration that will ensure security
2.2.2 Operating the system securely
2.2.3 Preventing unauthorized users from accessing the system (authentication functionality)
2.2.4 Ensuring communication path security (encryption functionality)
2.2.5 Preventing invalid processing
2.2.6 Taking other actions
2.3 Details about the methods and functionality for ensuring security
2.4 Notes about using the methods and functionality for ensuring security

Part 2: System Design

3. System Configurations for Ensuring Security
3.1 Organization of this chapter
3.2 System configurations using a firewall
3.2.1 Deployment of a firewall for servlets and JSPs
3.2.2 Deployment of a firewall for Session and Entity Beans
3.2.3 Firewall deployment with Resource Manager
3.3 Deployment of reverse proxies in a DMZ
3.3.1 Deployment of reverse proxies for Web server integration
3.3.2 Deployment of reverse proxies for using an in-process HTTP server

4. Considerations in the Design of a Secure System
4.1 Organization of this chapter
4.2 Overview of considerations in the design of a secure system
4.3 Considering the configuration of a secure system
4.4 Considering the users of the system
4.5 Considering the resources handled by the system
4.6 Checking the preconditions for a secure system
4.6.1 Physical preconditions
4.6.2 Operational preconditions
4.7 Analyzing expected threats
4.8 Considering countermeasures
4.8.1 Countermeasures to be implemented against preconditions
4.8.2 Countermeasures to be implemented against expected threats
4.8.3 Secure system behavior with the countermeasures implemented
4.9 Considering work procedures
4.9.1 Overview of work procedure documents to be prepared
4.9.2 Considering the system setup procedures
4.9.3 Considering the system re-setup procedures
4.9.4 Considering system operating procedures
4.10 Checking how to audit the system
4.10.1 Obtaining audit logs
4.10.2 Examining audit logs
4.11 Considering the security of systems that use external networks
4.11.1 Security threats that can be expected with respect to systems that use external networks
4.11.2 Deploying a firewall and intrusion detection system
4.11.3 Using an SSL accelerator to process encrypted communication
4.11.4 Authenticating users from within applications

5. Integrated User Management-based Authentication
5.1 Organization of this chapter
5.2 Overview of integrated user management
5.2.1 Purpose of integrated user management
5.2.2 User management and user mapping using realms
5.2.3 Overview of Java Authentication and Authorization Service (JAAS)-based user authentication
5.2.4 Management method of user information used for integrated user management
5.2.5 Validity period of user authentication and the inheritance of authentication states
5.2.6 Integrated user management process flow
5.3 User authentication mechanism based on Cosminexus standard login modules
5.3.1 Types and functions of Cosminexus standard login modules
5.3.2 WebPasswordLoginModule
5.3.3 WebCertificateLoginModule
5.3.4 WebPasswordLDAPLoginModule
5.3.5 WebPasswordJDBCLoginModule
5.3.6 DelegationLoginModule
5.3.7 WebSSOLoginModule
5.3.8 Repository access by Cosminexus standard login modules
5.3.9 Enhanced support of authentication password encryption
5.3.10 Configuration file parameters used by login modules
5.4 Sessions managed in integrated user management
5.4.1 Types of sessions
5.4.2 Registration of login user IDs
5.4.3 Deletion of user IDs registered in the integrated user management session
5.4.4 Examples of JAAS configuration file definition
5.4.5 Inheritance of the login state using session failover functionality
5.5 Use of single sign-on
5.5.1 Necessary procedures for single sign-on
5.5.2 Application of single sign-on to existing application user management
5.6 Use of custom login modules
5.6.1 Overview of custom login modules
5.6.2 Invocation of custom login modules
5.7 Management of user information
5.7.1 Registration of user information to the LDAP directory server
5.7.2 Connection failover by multiplexing the LDAP directory server
5.8 API provided by the integrated user management framework
5.8.1 JSP tag library
5.8.2 Integrated user management framework libraries
5.9 Implementation of user authentication based on the integrated user management framework
5.10 Implementation of API-based user authentication
5.10.1 Implementation of the API-based login session
5.10.2 Implementation of the API-based session to obtain user IDs
5.10.3 Implementation of the API-based session to obtain user attributes
5.10.4 Implementation of the session to register the successfully authenticated subject to HttpSession
5.10.5 Implementation of the API-based logout session
5.10.6 Implementation of enhanced support of authentication password encryption
5.10.7 Notes on API-based implementation
5.11 Implementation of tag library-based user authentication
5.11.1 Implementation of tag library-based login session
5.11.2 Implementation of the tag library-based session to obtain user ID
5.11.3 Implementation of the tag library-based session to obtain user attributes
5.11.4 Implementation of tag library-based logout session
5.11.5 Copying uatags.jar and uatags.tld and defining DD
5.12 Implementation of user authentication when using the session failover functionality
5.12.1 Session and authentication information that can be inherited by the session failover functionality
5.12.2 Implementation of login and logout when using the session failover functionality
5.12.3 Defining DD when using the session failover functionality
5.13 Implementation of custom login module-based user authentication
5.13.1 Implementation for integration with Cosminexus standard login modules
5.13.2 Points to remember when implementing custom login modules
5.13.3 Examples of implementing custom login modules
5.14 Procedures to set up the integrated user management function
5.15 Determination of realm names
5.16 LDAP directory server setup
5.16.1 Installation of the LDAP directory server
5.16.2 User registration and access permission setup
5.16.3 Extension of object class and user definition attributes
5.17 Registration of user information
5.17.1 Registration by using commands
5.17.2 Registration by using the integrated user management framework library
5.17.3 Formatting used to register the user information
5.17.4 Settings when using Active Directory
5.18 Creation of encryption key files (When using single sign-on)
5.18.1 Creating encryption key files
5.18.2 Changing encryption key files
5.19 Registration of user information (When using single sign-on)
5.19.1 Registration by using commands
5.19.2 Registration by using the integrated user management framework library
5.19.3 Formatting used to register the user information
5.20 Creating configuration files
5.20.1 Creating jaas.conf
5.20.2 Creating ua.conf
5.20.3 Example of setting the configuration file
5.21 JavaVM property setup
5.22 Deployment of files

6. Authentication by Application Setup
6.1 Organization of this chapter
6.2 Web container-based authentication using DD settings
6.2.1 Web container-based authentication functionality using DD settings
6.2.2 Definitions in DD files
6.2.3 Setup in an execution environment (J2EE application setup)
6.2.4 Precautions for using authentication functionalities
6.3 Authentication with security identities
6.3.1 Security identity functionality
6.3.2 Security implementation in EJB client applications
6.3.3 Authentication setup with security identities

7. SSL/TLS Encryption of Authentication Information and Data
7.1 Organization of this chapter
7.2 SSL encryption of authentication information and data
7.2.1 The authentication functionality of the Web server
7.2.2 Selecting a communication path security level
7.2.3 Acquiring an SSL certificate
7.2.4 Definitions in DD files
7.2.5 SSL setup with Cosminexus HTTP Server
7.2.6 Microsoft IIS setup (in Web redirector environments)
7.2.7 Setup in an execution environment
7.3 Using TLSv1.2 for SSL/TLS communication
7.3.1 Overview of the SSL/TLS communication functionality realized by RSA BSAFE SSL-J
7.3.2 Protocols and encryption suites
7.3.3 Secure socket communication
7.3.4 SSL-J provider setup
7.3.5 Setup in an execution environment (for HTTPS communication)
7.3.6 Deleting SSL-J providers
7.3.7 Precautions for using the SSL/TLS communication functionality realized by SSL-J

8. Directly Accessing Load Balancers Through the API and Controlling Them via the Operation Management Functionality
8.1 Organization of this chapter
8.2 Directly accessing a load balancer through the API
8.3 Load balancer APIs executed using the operation management functionality
8.4 Load balancer access environment setup
8.5 Load balancer connection information setup with Management Server (Smart Composer functionality)
8.6 Load balancer connection information setup with Virtual Server Manager
8.6.1 Configuring load balancer connection information with Virtual Server Manager
8.6.2 Configuring load balancer connection information with the management unit

Part 3: Setup

9. Server Management Command-based Security Role and Application Setup
9.1 Organization of this chapter
9.2 Security role setup
9.2.1 Setting users
9.2.2 Setting roles
9.3 Definition of security role references
9.3.1 Defining Enterprise Bean security role references
9.3.2 Defining servlet and JSP security role references
9.4 Security definition (Method permission)
9.5 Security definition (Security identities)
9.5.1 Enterprise Bean security identities
9.5.2 Servlet and JSP security identities

10. Management Portal-based Integrated User Management Operation (INTENTIONALLY DELETED)

11. Management Portal-based Repository Management (Integrated User Management) (INTENTIONALLY DELETED)

12. Resource Monitoring (Integrated User Management) (INTENTIONALLY DELETED)

Part 4: Reference

13. Commands Used in Integrated User Management
13.1 List of commands used in integrated user management
13.2 Details of commands used in integrated user management
convpw (Password encryption)
ssoexport (Referencing the single sign-on information repository)
ssogenkey (Creating encryption key files)
ssoimport (Registering the single sign-on information repository)
uachpw (Password change)

14. Files Used by Integrated User Management
14.1 List of files used by integrated user management
14.2 jaas.conf (JAAS configuration file)
14.3 ua.conf (integrated user management configuration file)
14.4 CSV files containing single sign-on authentication information
14.4.1 Basic CSV file specifications
14.4.2 Definition file for acquiring user information
14.4.3 Definition file for adding or modifying user information
14.4.4 Definition file for user mapping and authentication information
14.4.5 CSV file specification example
14.4.6 Line operation

15. APIs Used with the Integrated User Management Framework
15.1 List of APIs for the integrated user management framework
15.2 The AttributeEntry class
The AttributeEntry constructor
The getAlias method
The getAttributeName method
The getSubcontext method
The setAlias method
The setAttributeName method
The setSubcontext method
15.3 The ChangeDataFailedException class
The ChangeDataFailedException constructor
15.4 The DelegationLoginModule class
15.5 The LdapSSODataManager class
The LdapSSODataManager constructor
The addSSOData method
The addSSODataListener method
The getSSOData method
The getSSODataListeners method
The listUsers method (syntax 1)
The listUsers method (syntax 2)
The modifySSOData method
The removeSSOData method
The removeSSODataListener method
15.6 The LdapUserDataManager class
The LdapUserDataManager constructor
The addUserData method (syntax 1)
The addUserData method (syntax 2)
The getUserData method
The listUsers method (syntax 1)
The listUsers method (syntax 2)
The modifyUserData method
The removeUserData method
15.7 The LdapUserEnumeration interface
The close method
The hasMore method
The hasMoreElements method
The next method
The nextElement method
15.8 The LoginUtil class
The check method (syntax 1)
The check method (syntax 2)
15.9 The ObjectClassEntry class
The ObjectClassEntry constructor
The getObjectClasses method
The getSubcontext method
The setObjectClasses method
The setSubcontext method
15.10 The PasswordCryptography interface
The encrypt method
15.11 The PasswordUtil class
The changePassword method
15.12 The Principal interface
15.13 The SSOData class
The SSOData constructor
The getMapping method
The getMappingRealms method
The getPublicData method
The removeMapping method
The setMapping method
The setPublicData method
The setSecretData method
15.14 The SSODataEvent class
The SSODataEvent constructor
The getOldPublicData method
The getOldSecretData method
The getPublicData method
The getSecretData method
The getUserId method
15.15 The SSODataListener interface
The ssoDataAdded method
The ssoDataModified method
The ssoDataRemoved method
15.16 The SSODataListenerException class
The SSODataListenerException constructor
The getException method
The getListeners method
The setException method
15.17 The UserAttributes interface
The addAttribute method
The getAttribute method
The getAttributeNames method
The getAttributes method
The removeAttribute method
The size method
15.18 The UserData class
The UserData constructor
The addAttribute method
The getAttribute method
The getAttributeNames method
The getAttributes method
The removeAttribute method
The setPassword method
The size method
15.19 The WebCertificateCallback class
The WebCertificateCallback constructor
The getAttributeEntries method
The getRequest method
The getResponse method
The getSubjectID method
The getTagEntry method
The getTagID method
The setAttributeEntries method
The setRequest method
The setResponse method
The setSubjectID method
The setTagEntry method
The setTagID method
15.20 The WebCertificateHandler class
The WebCertificateHandler constructor
The handle method
15.21 The WebCertificateLoginModule class
15.22 The WebLogoutCallback class
The WebLogoutCallback constructor
The getSession method
The getUserID method
The setSession method
The setUserID method
15.23 The WebLogoutHandler class
The WebLogoutHandler constructor
The handle method
15.24 The WebPasswordCallback class
The WebPasswordCallback constructor
The getAttributeEntries method
The getName method
The getOption method
The getPassword method
The getRequest method
The getResponse method
The getTagEntry method
The getTagID method
The setAttributeEntries method
The setName method
The setOption method
The setPassword method
The setRequest method
The setResponse method
The setTagEntry method
The setTagID method
15.25 The WebPasswordHandler class
The WebPasswordHandler constructor
The handle method
15.26 The WebPasswordJDBCLoginModule class
15.27 The WebPasswordLDAPLoginModule class
15.28 The WebPasswordLoginModule class
15.29 The WebSSOCallback class
The WebSSOCallback constructor
The getRequest method
The getResponse method
The getTagEntry method
The getTagID method
The setRequest method
The setResponse method
The setTagEntry method
The setTagID method
15.30 The WebSSOHandler class
The WebSSOHandler constructor
The handle method
15.31 The WebSSOLoginModule class
15.32 Exception classes

16. Tag Library Used with the Integrated User Management Framework
16.1 List of the tags contained in the tag library
16.2 The <ua:attributeEntries>Entries</ua:attributeEntries> tag
16.3 The <ua:attributeEntry/> tag
16.4 The <ua:chpw/> tag
16.5 The <ua:exception>Body</ua:exception> tag
16.6 The <ua:getPrincipalName/> tag
16.7 The <ua:getAttribute/> tag
16.8 The <ua:getAttributes/> tag
16.9 The <ua:getAttributeNames/> tag
16.10 The <ua:login/> tag
16.11 The <ua:logout/> tag
16.12 The <ua:notLogin>Body</ua:notLogin> tag

17. APIs for Implementation of EJB Client Applications
17.1 The LoginInfoManager class
The getLoginInfoManager method
The login method
The logout method

18. Files Used to Control Load Balancers That Employ API-Based Direct Connections
18.1 List of files used to control load balancers that employ API-based direct connections
18.2 lb.properties (load balancer definition property file)
18.3 LB-information-distinguished-name.properties (virtual server manager-side load balancer connection configuration property file)
18.4 tierlb.properties (tier-side load balancer connection configuration property file)

19. Messages Output by the Security Management Functionality
19.1 Message description format
19.2 Messages starting with KDCGF
KDCGF0001-E
KDCGF0002-E
KDCGF0003-E
KDCGF0004-E
KDCGF0005-E
KDCGF0006-E
KDCGF0007-E
19.3 Messages starting with KDCGK
KDCGK0001-I
KDCGK0010-E
KDCGK0011-E
KDCGK0012-E
KDCGK0013-E
KDCGK0100-E
KDCGK0101-E
KDCGK9000-E
19.4 Messages starting with KDCGS
KDCGS0005-E
KDCGS0007-E
KDCGS0008-E
KDCGS0009-E
KDCGS0014-E
KDCGS0015-E
19.5 Messages starting with KDCGW
KDCGW0002-E
KDCGW0003-E
19.6 Messages from KEOS02000 to KEOS09999
KEOS02020-E (C)
KEOS02102-E (C)
KEOS02152-E (C)
KEOS02202-E (C)
KEOS02300-E (C/F)
KEOS13105-E (W/F)
KEOS13106-E (W/F)
KEOS13107-E (W/F)
KEOS13119-I (W/F)
KEOS13125-E (W/F)
KEOS13126-E (W/F)
19.7 Messages starting with KEXS
KEXS20006-E
KEXS20007-E
KEXS20008-E
KEXS20009-E
KEXS30010-E
KEXS30011-E
KEXS40001-E
KEXS40002-E
KEXS40003-E
KEXS40004-E
KEXS40009-E
KEXS40010-E
KEXS40011-E
KEXS40012-E
KEXS40013-E
KEXS40014-E
KEXS40015-E
KEXS40016-E
KEXS50001-E
KEXS50002-E
KEXS50003-E
KEXS50014-E
KEXS50015-E
KEXS50016-E
KEXS50017-E
KEXS50018-E
KEXS50019-E
KEXS50020-E
KEXS50021-E
KEXS50022-E
KEXS50023-E
19.8 SSL-related messages
19.8.1 Message description format
19.8.2 Notes
19.8.3 Message details
19.9 Messages output by the Web server (Cosminexus HTTP Server) sslpasswd command

Appendixes
A. Major Functional Changes in Application Server Versions
A.1 Major functional changes in version 09-00
A.2 Major functional changes in version 08-70
A.3 Major functional changes in version 08-53
A.4 Major functional changes in version 08-50
A.5 Major functional changes in version 08-00
B. Registration of Exception Lists (Windows)
C. Terminology used in this manual

Index