Borland VisiBroker® 7.0 - Borland Technical Publications

More documents

Recommendations

Info

Authentication and IdentificationSystem identificationAny system first needs to identify itself before being allowed access to resources.Client identification is always required for resource access. In a CORBA/J2EEenvironment, the need for identification also exists for servers as well. Servers needidentification in two cases:■One, when using SSL for transport layer security, the server typically needs toidentify itself to the client.■Two, when mid-tier servers make further invocations to other mid-tier or end-tierservers, they need to identify themselves before being allowed (potentially) to act onbehalf of the original caller.For more information, see “System Identification” on page 36.Authentication and pluggabilityAuthentication in VisiBroker is a JAAS implementation allowing pluggableauthentication. The JAAS logon service separates the configuration fromimplementation. A low-level system programming interface called the LoginModule,provides an anchor point for pluggable security modules.At the same time as system identification, the authentication mechanism concept isemployed to represent the “format” for communicating (or transporting) authenticationinformation between various components of the security subsystem. The securityservice provider for the authentication/identification process implements the specificformat (encoding and decoding process) that is to be used by the underlying coresystem.In a distributed environment, the authentication process is further complicated by thefact that the representation of the entity and the corresponding credential must betransported among peers in a generic fashion. Therefore, the VisiSecure Java SPIemploys the concept of the AuthenticationMechanism and defines a set of classes fordoing authentication/identification in a distributed environment.Server and/or client authenticationWith the VisiBroker implementation of JAAS, you can set different mechanisms ofauthentication. You can have server authentication, where servers are authenticatedby clients using public-key certificates. You can also have client authentication. Clientscan be authenticated using passwords or public-key certificates. That is, the server canbe configured to authenticate clients with a password or clients with public-keycertificates.Authenticating clients with usernames and passwordsIf server-side authentication is not required, authentication can be accomplished usinga standard username/password combination. To authenticate clients using usernamesand passwords, several things need to happen. The server should expose a set ofrealms to which it can authenticate a client. Each realm should correspond to a JAASLoginModule that actually does the authentication. Finally, the client should provide ausername and password, and a realm under which it wishes to authenticate itself. Formore information, see Chapter 3, “Authentication.”12 VisiBroker Security Guide
Authentication and IdentificationAuthentication property settingsThe authentication policy—whether it is server or client authentication and whether it isdone using public-key certificates or passwords—is determined by property settings.For more information, see Chapter 10, “Security Properties for C++” and Chapter 9,“Security Properties for Java.”Public-key encryptionIn addition to username/password-based authentication, VisiSecure also supportspublic-key encryption. In public-key encryption, each user holds two keys: a public keyand a private key. A user makes the public key widely available, but keeps the privatekey secret.Data that has not been encrypted is often referred to as clear-text, while data that hasbeen encrypted is called cipher-text. When a public key and a private key are used withthe public-key encryption algorithm, they perform inverse functions of one another, asshown in the following diagram.■■In the first case, the public key is used to encrypt a clear-text message into a ciphertextmessage; the private key is used to decrypt the resulting cipher-text message.In the second case, the private key is used to encrypt a message (typically in thecase of digital signatures—that is, “signed” messages), while the public key is usedto decrypt it.If someone wants to send you sensitive data, they acquire your public key and use it toencrypt that data. Once encrypted, the data can only be decrypted with the private key.Not even the sender of the data will be able to decrypt the data. Note that encryptioncan be asymmetric or symmetric.Asymmetric encryptionAsymmetric encryptions has both a public and a private key. Both keys are linkedtogether such that you can encrypt with the public key but can only decrypt with theprivate key, and vice-versa. This is the most secure form of encryption.Chapter 2: Getting Started with Security 13
Page 1 and 2: Security GuideBorlandVisiBroker ®
Page 3 and 4: ContentsChapter 1Introduction to Bo
Page 5 and 6: Security for the Borland web contai
Page 7 and 8: Chapter1Introduction to Borland Vis
Page 9 and 10: VisiBroker DocumentationImportant
Page 11 and 12: Contacting Borland support■■■
Page 13 and 14: Chapter2Getting Started with Securi
Page 15 and 16: Basic security model■■■■Web
Page 17: Distributed environments and VisiSe
Page 21 and 22: Authentication and IdentificationDi
Page 23 and 24: Secure TransportationSecure Transpo
Page 25 and 26: Context PropagationContext Propagat
Page 27 and 28: Context PropagationTrusting Asserti
Page 29 and 30: Using IIOP/HTTPSHere are several ex
Page 31 and 32: ChapterChapter 3AuthenticationJAAS
Page 33 and 34: Authentication mechanisms and Login
Page 35 and 36: LoginContext class and LoginModule
Page 37 and 38: Associating a LoginModule with a re
Page 39 and 40: Borland LoginModulesThe elements in
Page 41 and 42: Borland LoginModulesLDAP LoginModul
Page 43 and 44: Server and Client IdentificationIn
Page 45 and 46: Server and Client IdentificationCre
Page 47 and 48: Server and Client IdentificationCli
Page 49 and 50: ChapterChapter4AuthorizationAuthori
Page 51 and 52: Defining access control with Role D
Page 53 and 54: Authorization domainsTo accomplish
Page 55 and 56: CORBA authorizationwhere is a taut
Page 57 and 58: Chapter5Configuring Security Profil
Page 59 and 60: Security ProfilesEnabling SecurityF
Page 61 and 62: Security ProfilesConfiguring Authen
Page 63 and 64: Security ProfilesTo access the Auth
Page 65 and 66: Security ProfilesWorking with Autho
Page 67 and 68: Security ProfilesAdding and Removin
Page 69 and 70:
Associating a Profile with a Domain
Page 71 and 72:
Chapter6Making Secure Connections (
Page 73 and 74:
Steps to secure clients and servers
Page 75 and 76:
Examining SSL related informationEx
Page 77 and 78:
Chapter7Making Secure Connections (
Page 79 and 80:
Steps to secure clients and servers
Page 81 and 82:
Creating Custom PluginsLoginModules
Page 83 and 84:
ChapterChapter8Security for the Web
Page 85 and 86:
Security for the Apache web serverC
Page 87 and 88:
Enabling certificate passthrough to
Page 89 and 90:
Security for the Borland web contai
Page 91 and 92:
Three-tier authorization schemeNote
Page 93 and 94:
Chapter9Security Properties for Jav
Page 95 and 96:
Security Properties for JavaPropert
Page 97 and 98:
Chapter10Security Properties for C+
Page 99 and 100:
Security Properties for C++Property
Page 101 and 102:
Chapter11VisiSecure for C++ APIsCha
Page 103 and 104:
General APIUse this to login to the
Page 105 and 106:
General APISets the cipher suites t
Page 107 and 108:
General APIReturnsA set of the publ
Page 109 and 110:
SSL APISSL APIThis section explains
Page 111 and 112:
SSL APIclass CipherSuiteNameThis cl
Page 113 and 114:
SSL APIExceptionsCORBA::BAD_OPERATI
Page 115 and 116:
Certificate APICertificate APIThis
Page 117 and 118:
Certificate APIclass CORBAsec::X509
Page 119 and 120:
QoP APIQoP APIThe following section
Page 121 and 122:
Authorization APIAuthorization APIT
Page 123 and 124:
ChapterChapter12Security SPIfor C++
Page 125 and 126:
ProvidersProvidersTable 12.1Each pr
Page 127 and 128:
vbsec::CallbackHandlervbsec::Callba
Page 129 and 130:
vbsec::AuthenticationMechanismsMeth
Page 131 and 132:
vbsec::TargetReturnsExceptionsArgum
Page 133 and 134:
vbsec::Resourcevbsec::ResourceThe R
Page 135 and 136:
vbsec::AttributeCodecFor the provid
Page 137 and 138:
vbsec::PermissionCollectionvbsec::P
Page 139 and 140:
vbsec::InitOptionsvbsec::InitOption
Page 141 and 142:
IndexSymbols... ellipsis 4.defaultA
Page 143 and 144:
Iidentitiessetting up 36setting up
Page 145 and 146:
security (C++)AttributeCodec 119, 1
Page 147 and 148:
VisiSecure APIs (C++) 95VisiSecure
show all

Borland VisiBroker® 7.0 - Borland Technical Publications

Create successful ePaper yourself

Delete template?

Save as template?