Contents

• Notices

• Preface

• Part 1: Overview

  • 1. Application Server Functionality

    • 1.1 Classifications of functionality

      • 1.1.1 Functionality for an application execution infrastructure

      • 1.1.2 Functionality for operating and maintaining the execution infrastructure for applications

      • 1.1.3 Functionality and associated manuals

    • 1.2 Functionality and associated system purposes

      • 1.2.1 Authentication functionality

      • 1.2.2 Encryption functionality

      • 1.2.3 Invalid processing prevention functionality

      • 1.2.4 Other functionality

    • 1.3 Format of functional descriptions in this manual

      • 1.3.1 Parts of the descriptions

      • 1.3.2 Parts of the functional descriptions - example table

    • 1.4 Major functional changes in Application Server 11-10

      • 1.4.1 Facilitating system implementation and creation

      • 1.4.2 Implementing standard and existing functionality

      • 1.4.3 Maintaining and enhancing reliability

      • 1.4.4 Other purposes

  • 2. Security Management with the Application Server

    • 2.1 Organization of this chapter

    • 2.2 Measures for ensuring security

      • 2.2.1 Realizing a system configuration that will ensure security

      • 2.2.2 Operating the system securely

      • 2.2.3 Preventing unauthorized users from accessing the system (authentication functionality)

      • 2.2.4 Ensuring communication path security (encryption functionality)

      • 2.2.5 Preventing invalid processing

      • 2.2.6 Taking other actions

    • 2.3 Details about the methods and functionality for ensuring security

    • 2.4 Notes about using the methods and functionality for ensuring security

      • 2.4.1 About certificates

• Part 2: System Design

  • 3. System Configurations for Ensuring Security

    • 3.1 Organization of this chapter

    • 3.2 System configurations using a firewall

      • 3.2.1 Deployment of a firewall for servlets and JSPs

      • 3.2.2 Deployment of a firewall for Session and Entity Bean

      • 3.2.3 Firewall deployment with Resource Manager

    • 3.3 Deployment of reverse proxies in a DMZ

      • 3.3.1 Deployment of reverse proxies

  • 4. Considerations in the Design of a Secure System

    • 4.1 Organization of this chapter

    • 4.2 Overview of considerations in the design of a secure system

    • 4.3 Considering the configuration of a secure system

    • 4.4 Considering the users of the system

    • 4.5 Considering the resources handled by the system

    • 4.6 Checking the preconditions for a secure system

      • 4.6.1 Physical preconditions

      • 4.6.2 Operational preconditions

    • 4.7 Analyzing expected threats

    • 4.8 Considering countermeasures

      • 4.8.1 Countermeasures to be implemented against preconditions

      • 4.8.2 Countermeasures to be implemented against expected threats

      • 4.8.3 Secure system behavior with the countermeasures implemented

    • 4.9 Considering work procedures

      • 4.9.1 Overview of work procedure documents to be prepared

      • 4.9.2 Considering the system setup procedures

      • 4.9.3 Considering the system re-setup procedures

      • 4.9.4 Considering system operating procedures

    • 4.10 Checking how to audit the system

      • 4.10.1 Obtaining audit logs

      • 4.10.2 Examining audit logs

    • 4.11 Considering the security of systems that use external networks

      • 4.11.1 Security threats that can be expected with respect to systems that use external networks

      • 4.11.2 Deploying a firewall and intrusion detection system

      • 4.11.3 Using an SSL accelerator to process encrypted communication

      • 4.11.4 Authenticating users from within applications

• Part 3: Description of Functions

  • 5. Integrated User Management-based Authentication

    • 5.1 Organization of this chapter

    • 5.2 Overview of integrated user management

      • 5.2.1 Purpose of integrated user management

      • 5.2.2 User management and user mapping using realms

      • 5.2.3 Overview of Java Authentication and Authorization Service (JAAS)-based user authentication

      • 5.2.4 Management method of user information used for integrated user management

      • 5.2.5 Validity period of user authentication and the inheritance of authentication states

      • 5.2.6 Integrated user management process flow

    • 5.3 User authentication mechanism based on Cosminexus standard login modules

      • 5.3.1 Types and functions of Cosminexus standard login modules

      • 5.3.2 WebPasswordLoginModule

      • 5.3.3 WebCertificateLoginModule

      • 5.3.4 WebPasswordLDAPLoginModule

      • 5.3.5 WebPasswordJDBCLoginModule

      • 5.3.6 DelegationLoginModule

      • 5.3.7 WebSSOLoginModule

      • 5.3.8 Repository access by Cosminexus standard login modules

      • 5.3.9 Enhanced support of authentication password encryption

      • 5.3.10 Configuration file parameters used by login modules

    • 5.4 Sessions managed in integrated user management

      • 5.4.1 Types of sessions

      • 5.4.2 Registration of login user IDs

      • 5.4.3 Deletion of user IDs registered in the integrated user management session

      • 5.4.4 Examples of JAAS configuration file definition

    • 5.5 Use of single sign-on

      • 5.5.1 Necessary procedures for single sign-on

      • 5.5.2 Application of single sign-on to existing application user management

    • 5.6 Use of custom login modules

      • 5.6.1 Overview of custom login modules

      • 5.6.2 Invocation of custom login modules

    • 5.7 Management of user information

      • 5.7.1 Registration of user information to the LDAP directory server

      • 5.7.2 Connection failover by multiplexing the LDAP directory server

    • 5.8 API provided by the integrated user management framework

      • 5.8.1 JSP tag library

      • 5.8.2 Integrated user management framework libraries

    • 5.9 Implementation of user authentication based on the integrated user management framework

    • 5.10 Implementation of API-based user authentication

      • 5.10.1 Implementation of the API-based login session

      • 5.10.2 Implementation of the API-based session to obtain user IDs

      • 5.10.3 Implementation of the API-based session to obtain user attributes

      • 5.10.4 Implementation of the session to register the successfully authenticated subject to HttpSession

      • 5.10.5 Implementation of the API-based logout session

      • 5.10.6 Checking the login state (if the API is used)

      • 5.10.7 Implementation of enhanced support of authentication password encryption

      • 5.10.8 Notes on API-based implementation

    • 5.11 Implementation of tag library-based user authentication

      • 5.11.1 Implementation of tag library-based login session

      • 5.11.2 Implementation of the tag library-based session to obtain user ID

      • 5.11.3 Implementation of the tag library-based session to obtain user attributes

      • 5.11.4 Implementation of tag library-based logout session

      • 5.11.5 Copying uatags.jar and uatags.tld and defining DD

    • 5.12 Implementation of custom login module-based user authentication

      • 5.12.1 Implementation for integration with Cosminexus standard login modules

      • 5.12.2 Points to remember when implementing custom login modules

      • 5.12.3 Examples of implementing custom login modules

    • 5.13 Procedures to set up the integrated user management function

    • 5.14 Determination of realm names

    • 5.15 LDAP directory server setup

      • 5.15.1 Installation of the LDAP directory server

      • 5.15.2 User registration and access permission setup

      • 5.15.3 Extension of object class and user definition attributes

    • 5.16 Registration of user information

      • 5.16.1 Registration by using commands

      • 5.16.2 Registration by using the integrated user management framework library

      • 5.16.3 Formatting used to register the user information

      • 5.16.4 Settings when using Active Directory

    • 5.17 Creation of encryption key files (When using single sign-on)

      • 5.17.1 Creating encryption key files

      • 5.17.2 Changing encryption key files

    • 5.18 Registration of user information (When using single sign-on)

      • 5.18.1 Registration by using commands

      • 5.18.2 Registration by using the integrated user management framework library

      • 5.18.3 Formatting used to register the user information

    • 5.19 Creating configuration files

      • 5.19.1 Creating jaas.conf

      • 5.19.2 Creating ua.conf

      • 5.19.3 Example of setting the configuration file

    • 5.20 Java VM property setup

    • 5.21 Deployment of files

  • 6. Authentication by Application Setup

    • 6.1 Organization of this chapter

    • 6.2 Web container-based authentication using DD settings

      • 6.2.1 Web container-based authentication functionality using DD settings

      • 6.2.2 Definitions in DD files

      • 6.2.3 Setup in an execution environment (J2EE application setup)

      • 6.2.4 Precautions for using authentication functionalities

    • 6.3 Authentication with security identities

      • 6.3.1 Security identity functionality

      • 6.3.2 Security implementation in EJB client applications

      • 6.3.3 Authentication setup with security identities

  • 7. SSL/TLS Encryption of Authentication Information and Data

    • 7.1 Organization of this chapter

    • 7.2 SSL encryption of authentication information and data

      • 7.2.1 The authentication functionality of the Web server

      • 7.2.2 SSL setup with Cosminexus HTTP Server

  • 8. Directly Accessing Load Balancers Through the API and Controlling Them via the Operation Management Functionality

    • 8.1 Organization of this chapter

    • 8.2 Directly accessing a load balancer through the API

    • 8.3 Load balancer APIs executed using the operation management functionality

      • 8.3.1 Load balancer APIs executed using Management Server (Smart Composer functionality)

      • 8.3.2 Load balancer API executed using Virtual Server Manager

    • 8.4 Load balancer access environment setup

      • 8.4.1 Access list (ACL) settings (ACOS)

      • 8.4.2 Creating a cookie persistence template

      • 8.4.3 Configuring a trust store

      • 8.4.4 hosts file settings (BIG-IP)

    • 8.5 Load balancer connection information setup with Management Server (Smart Composer functionality)

    • 8.6 Load balancer connection information setup with Virtual Server Manager

      • 8.6.1 Configuring load balancer connection information with Virtual Server Manager

      • 8.6.2 Configuring load balancer connection information with the management unit

• Part 4: Setup

  • 9. Server Management Command-based Security Role and Application Setup

    • 9.1 Organization of this chapter

    • 9.2 Security role setup

      • 9.2.1 Setting users

      • 9.2.2 Setting roles

    • 9.3 Definition of security role references

      • 9.3.1 Defining Enterprise Bean security role references

      • 9.3.2 Defining servlet and JSP security role references

    • 9.4 Security definition (Method permission)

      • 9.4.1 Enterprise Bean method permissions

    • 9.5 Security definition (Security identities)

      • 9.5.1 Enterprise Bean security identities

      • 9.5.2 Servlet and JSP security identities

  • 10. Management Portal-based Integrated User Management Operation (INTENTIONALLY DELETED)

    • 10.1 INTENTIONALLY DELETED

  • 11. Management Portal-based Repository Management (Integrated User Management) (INTENTIONALLY DELETED)

    • 11.1 INTENTIONALLY DELETED

  • 12. Resource Monitoring (Integrated User Management) (INTENTIONALLY DELETED)

    • 12.1 INTENTIONALLY DELETED

• Part 5: Reference

  • 13. Commands Used in Integrated User Management

    • 13.1 List of commands used in integrated user management

    • 13.2 Details of commands used in integrated user management

      • convpw (Password encryption)

      • ssoexport (Referencing the single sign-on information repository)

      • ssogenkey (Creating encryption key files)

      • ssoimport (Registering the single sign-on information repository)

      • uachpw (Password change)

  • 14. Files Used by Integrated User Management

    • 14.1 List of files used by integrated user management

    • 14.2 Details of files used for integrated user management

      • 14.2.1 jaas.conf (JAAS configuration file)

      • 14.2.2 ua.conf (integrated user management configuration file)

    • 14.3 CSV files containing single sign-on authentication information

      • 14.3.1 Basic CSV file specifications

      • 14.3.2 Definition file for acquiring user information

      • 14.3.3 Definition file for adding or modifying user information

      • 14.3.4 Definition file for user mapping and authentication information

      • 14.3.5 CSV file specification example

      • 14.3.6 Line operation

  • 15. APIs Used with the Integrated User Management Framework

    • 15.1 List of APIs for the integrated user management framework

    • 15.2 The AttributeEntry class

      • The AttributeEntry constructor

      • The getAlias method

      • The getAttributeName method

      • The getSubcontext method

      • The setAlias method

      • The setAttributeName method

      • The setSubcontext method

    • 15.3 The ChangeDataFailedException class

      • The ChangeDataFailedException constructor

    • 15.4 The DelegationLoginModule class

    • 15.5 The LdapSSODataManager class

      • The LdapSSODataManager constructor

      • The addSSOData method

      • The addSSODataListener method

      • The getSSOData method

      • The getSSODataListeners method

      • The listUsers method (syntax 1)

      • The listUsers method (syntax 2)

      • The modifySSOData method

      • The removeSSOData method

      • The removeSSODataListener method

    • 15.6 The LdapUserDataManager class

      • The LdapUserDataManager constructor

      • The addUserData method (syntax 1)

      • The addUserData method (syntax 2)

      • The getUserData method

      • The listUsers method (syntax 1)

      • The listUsers method (syntax 2)

      • The modifyUserData method

      • The removeUserData method

    • 15.7 The LdapUserEnumeration interface

      • The close method

      • The hasMore method

      • The hasMoreElements method

      • The next method

      • The nextElement method

    • 15.8 The LoginUtil class

      • The check method (syntax 1)

      • The check method (syntax 2)

    • 15.9 The ObjectClassEntry class

      • The ObjectClassEntry constructor

      • The getObjectClasses method

      • The getSubcontext method

      • The setObjectClasses method

      • The setSubcontext method

    • 15.10 The PasswordCryptography interface

      • The encrypt method

    • 15.11 The PasswordUtil class

      • The changePassword method

    • 15.12 The Principal interface

    • 15.13 The SSOData class

      • The SSOData constructor

      • The getMapping method

      • The getMappingRealms method

      • The getPublicData method

      • The removeMapping method

      • The setMapping method

      • The setPublicData method

      • The setSecretData method

    • 15.14 The SSODataEvent class

      • The SSODataEvent constructor

      • The getOldPublicData method

      • The getOldSecretData method

      • The getPublicData method

      • The getSecretData method

      • The getUserId method

    • 15.15 The SSODataListener interface

      • The ssoDataAdded method

      • The ssoDataModified method

      • The ssoDataRemoved method

    • 15.16 The SSODataListenerException class

      • The SSODataListenerException constructor

      • The getException method

      • The getListeners method

      • The setException method

    • 15.17 The UserAttributes interface

      • The addAttribute method

      • The getAttribute method

      • The getAttributeNames method

      • The getAttributes method

      • The removeAttribute method

      • The size method

    • 15.18 The UserData class

      • The UserData constructor

      • The addAttribute method

      • The getAttribute method

      • The getAttributeNames method

      • The getAttributes method

      • The removeAttribute method

      • The setPassword method

      • The size method

    • 15.19 The WebCertificateCallback class

      • The WebCertificateCallback constructor

      • The getAttributeEntries method

      • The getRequest method

      • The getResponse method

      • The getSubjectID method

      • The getTagEntry method

      • The getTagID method

      • The setAttributeEntries method

      • The setRequest method

      • The setResponse method

      • The setSubjectID method

      • The setTagEntry method

      • The setTagID method

    • 15.20 The WebCertificateHandler class

      • The WebCertificateHandler constructor

      • The handle method

    • 15.21 The WebCertificateLoginModule class

    • 15.22 The WebLogoutCallback class

      • The WebLogoutCallback constructor

      • The getSession method

      • The getUserID method

      • The setSession method

      • The setUserID method

    • 15.23 The WebLogoutHandler class

      • The WebLogoutHandler constructor

      • The handle method

    • 15.24 The WebPasswordCallback class

      • The WebPasswordCallback constructor

      • The getAttributeEntries method

      • The getName method

      • The getOption method

      • The getPassword method

      • The getRequest method

      • The getResponse method

      • The getTagEntry method

      • The getTagID method

      • The setAttributeEntries method

      • The setName method

      • The setOption method

      • The setPassword method

      • The setRequest method

      • The setResponse method

      • The setTagEntry method

      • The setTagID method

    • 15.25 The WebPasswordHandler class

      • The WebPasswordHandler constructor

      • The handle method

    • 15.26 The WebPasswordJDBCLoginModule class

    • 15.27 The WebPasswordLDAPLoginModule class

    • 15.28 The WebPasswordLoginModule class

    • 15.29 The WebSSOCallback class

      • The WebSSOCallback constructor

      • The getRequest method

      • The getResponse method

      • The getTagEntry method

      • The getTagID method

      • The setRequest method

      • The setResponse method

      • The setTagEntry method

      • The setTagID method

    • 15.30 The WebSSOHandler class

      • The WebSSOHandler constructor

      • The handle method

    • 15.31 The WebSSOLoginModule class

    • 15.32 Exception classes

      • 15.32.1 Exception classes for JAAS login modules

      • 15.32.2 Exception classes for APIs offered by Hitachi

  • 16. Tag Library Used with the Integrated User Management Framework

    • 16.1 List of the tags contained in the tag library

    • 16.2 Details of the tags contained in the tag library

      • 16.2.1 The <ua:attributeEntries>Entries</ua:attributeEntries> tag

      • 16.2.2 The <ua:attributeEntry/> tag

      • 16.2.3 The <ua:chpw/> tag

      • 16.2.4 The <ua:exception>Body</ua:exception> tag

      • 16.2.5 The <ua:getPrincipalName/> tag

      • 16.2.6 The <ua:getAttribute/> tag

      • 16.2.7 The <ua:getAttributes/> tag

      • 16.2.8 The <ua:getAttributeNames/> tag

      • 16.2.9 The <ua:login/> tag

      • 16.2.10 The <ua:logout/> tag

      • 16.2.11 The <ua:notLogin>Body</ua:notLogin> tag

  • 17. APIs for Implementation of EJB Client Applications

    • 17.1 The LoginInfoManager class

      • The getLoginInfoManager method

      • The login method

      • The logout method

  • 18. Files Used to Control Load Balancers That Employ API-Based Direct Connections

    • 18.1 List of files used to control load balancers that employ API-based direct connections

    • 18.2 Details of files used to control load balancers that employ API-based direct connections

      • 18.2.1 lb.properties (load balancer definition property file)

      • 18.2.2 LB-information-distinguished-name.properties (virtual server manager-side load balancer connection configuration property file)

      • 18.2.3 tierlb.properties (tier-side load balancer connection configuration property file)

  • 19. Messages Output by the Security Management Functionality

    • 19.1 Message description format

    • 19.2 Messages starting with KDCGF

    • 19.3 Messages starting with KDCGK

    • 19.4 Messages starting with KDCGS

    • 19.5 Messages starting with KDCGW

    • 19.6 Messages from KEOS02000 to KEOS09999

    • 19.7 Messages starting with KEXS

    • 19.8 SSL-related messages

      • 19.8.1 Message description format

      • 19.8.2 Notes

      • 19.8.3 Messages starting with AH

      • 19.8.4 Messages starting with KH

• Appendixes

  • A. Major Functional Changes in Application Server Versions

    • A.1 Major functional changes in 09-87

    • A.2 Major functional changes in 09-80

    • A.3 Major functional changes in 09-70

    • A.4 Major functional changes in 09-60

    • A.5 Major functional changes in 09-50

    • A.6 Major functional changes in 09-00

    • A.7 Major functional changes in 08-70

    • A.8 Major functional changes in 08-53

    • A.9 Major functional changes in 08-50

    • A.10 Major functional changes in 08-00

  • B. Registration of Exception Lists (Windows)

  • C. Glossary

• Index

To Page Top