Borland VisiBroker® 7.0 - Borland Technical Publications


Server and Client Identification

Certificate mechanism

The Certificate mechanism is a mechanism that is used for identification using certificates. This mechanism is different from GSSUP: certificates are used instead of username/password, and these identities are used at the SSL layer and not at the higher CSIv2 over IIOP layer.

You can put certificates into VisiSecure using certificate login or wallet APIs. When using wallet APIs, you need to specify the usage through the constant definitions in the vbsec.h file, class vbsec::WalletFactory. For more information, see “class vbsec::WalletFactory” on page 101.

Note
Using certificate login, you need to specify the target realm using the following format:
Certificate#
If you do not specify the usage, the default is ALL.

The following describes the available targets defined for the certificate login mechanism.

Table 3.1 Targets Defined for the Certificate Login Mechanism

Target              Description
Certificate#CLIENT  Identifies this process in a client role. When a user establishes an identity for this target, the certificate identity established will be used when this process acts as a client. In other words, this certificate will identify this process when it establishes outgoing SSL connections.
Certificate#SERVER  Identifies this process in a server role. When a user establishes an identity for this target, this process will use the certificate identity established to identify itself when it is accepting SSL connections.
Certificate#ALL     Identifies this process in all roles. This identity is used in both of the above roles.

Note
A process can have either a client and server identity that are different or an identity that is used in all roles, but not both.
In other words, you cannot establish an identity in the Certificate#CLIENT and the Certificate#ALL targets simultaneously.

For backward compatibility, wallet properties and SSL APIs are supported; certificate identities established this way are only treated as Certificate#ALL.

Using a Vault

When running clients, the security subsystem has the opportunity to interact with users to acquire credentials for authentication. This is done using a callback handler as defined by JAAS. However, when running servers (your VisiBroker server or a Partition), it is not desirable or even possible to have user interaction at start-up time. A typical example of this is a server that is started as a service when the host starts up, or from an automated script of some sort.

The vault was designed to provide the identity information to the security subsystem in such environments. Note that the vault itself is not directly tied to the security subsystem; it is merely a tool to replace the user interaction. In other words, a vault does not contain authenticated credentials. The security service will perform all appropriate authentication, but will receive information from the vault rather than by interacting with a callback handler. Because no user interaction is required, the data in the vault, while sufficiently secure, does contain sensitive information (the usernames and passwords). Hence the vault file that is used for authentication of such servers must be protected using host security mechanisms (file permissions, for example) or other equivalent approaches.

38 VisiBroker Security Guide
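The rules for certificate login targets in the Certificate mechanism section above (the Certificate# format with ALL as the default usage, the three targets in Table 3.1, the note that a CLIENT/SERVER identity and an ALL identity cannot coexist, and the treatment of wallet-property and SSL-API identities as Certificate#ALL) can be captured in a small validator. The following is an added example written for this page, not VisiBroker or VisiSecure code; the function names and the exact-match treatment of the usage string are this example's own assumptions.

```python
"""Validator for the Certificate#<usage> login targets described above.

Added example, not VisiBroker or VisiSecure code. It assumes the target
string is the literal prefix "Certificate#" followed by one of the usages in
Table 3.1 (CLIENT, SERVER, ALL), with an empty usage meaning ALL, and it
enforces the note that a CLIENT or SERVER identity and an ALL identity
cannot be established for the same process at the same time.
"""
from __future__ import annotations

PREFIX = "Certificate#"
USAGES = frozenset({"CLIENT", "SERVER", "ALL"})


def parse_certificate_target(target: str) -> str:
    """Return the usage named by a certificate-login target string.

    An empty usage after the '#' is the documented default, ALL. A target of
    another mechanism or an unknown usage is rejected rather than mapped.
    """
    if not target.startswith(PREFIX):
        raise ValueError(f"not a certificate-mechanism target: {target!r}")
    usage = target[len(PREFIX):] or "ALL"
    if usage not in USAGES:
        raise ValueError(f"unknown certificate usage: {usage!r}")
    return usage


def establish(established: frozenset[str], target: str) -> frozenset[str]:
    """Add the identity for `target` to the usages already established.

    Raises ValueError when the result would combine ALL with CLIENT or
    SERVER, the combination the guide says a single process cannot have.
    """
    usage = parse_certificate_target(target)
    if usage == "ALL" and established & {"CLIENT", "SERVER"}:
        raise ValueError("Certificate#ALL cannot coexist with a CLIENT or SERVER identity")
    if usage != "ALL" and "ALL" in established:
        raise ValueError(f"Certificate#{usage} cannot coexist with Certificate#ALL")
    return established | {usage}


def establish_legacy(established: frozenset[str]) -> frozenset[str]:
    """Identities set via wallet properties or the SSL APIs count as Certificate#ALL."""
    return establish(established, PREFIX + "ALL")


def identity_for_role(established: frozenset[str], role: str) -> str | None:
    """Which established usage identifies the process in a role ("client" or "server")."""
    if role not in ("client", "server"):
        raise ValueError(f"unknown role: {role!r}")
    if "ALL" in established:
        return "ALL"
    wanted = role.upper()
    return wanted if wanted in established else None


if __name__ == "__main__":
    ids = establish(frozenset(), "Certificate#CLIENT")
    ids = establish(ids, "Certificate#SERVER")
    print(sorted(ids), identity_for_role(ids, "client"), identity_for_role(ids, "server"))
    try:
        establish(ids, "Certificate#")  # empty usage defaults to ALL, which conflicts
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting the conflicting combination at configuration time, rather than letting one identity silently shadow another, is the point of the check: the process should end up with exactly the certificate the operator intended for each role.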

Creating a Vault

To create a vault, you can use the vaultgen command-line tool from your installation's bin directory. Its usage is as follows:

vaultgen [] -config -vault []

The first group of optional arguments can be any of the following:
■ -J: passes a -J Java option directly to the JVM
■ -VBJVersion: prints VBJ version information
■ -VBJDebug: prints VBJ debugging information
■ -VBJClasspath: specify a classpath that will precede the CLASSPATH environment variable
■ -VBJProp: passes the name/value pair to the VM
■ -VBJjavavm: specify the path to the Java VM
■ -VBJaddJar: appends the JAR file to the CLASSPATH before executing the VM

-config points to the location of the config.jaas file containing the realms the identities in the vault will authenticate to. -vault is the path to the vault to be generated. You can also specify an existing vault in order to add additional identities to it.

The second group of optional arguments can be any of the following:
■ -?, -h, -help, -usage: prints usage information
■ -driverusage: prints usage information, including driver options
■ -interactive: enables an interactive shell

The command you want vaultgen to execute can be any one of the following:
■ login: establishes an identity in the vault for a given realm or formatted target. The identity is first established when the vault is used for login during system startup.
■ logout: removes an identity from the vault for a given realm or formatted target.
■ runas: configures a run-as alias with the identity provided for a given realm.
■ removealias: removes a configured run-as alias from the vault.
■ realms: lists the available realms for this configuration.
■ mechanisms: lists the available mechanisms (for formatted targets) for this configuration.
■ aliases: lists configured aliases in the vault.
■ identities: lists configured identities in the vault.

Chapter 3: Authentication 39
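The Using a Vault section states that the vault file generated by vaultgen holds usernames and passwords and must be protected with host security mechanisms such as file permissions. The following is an added example, not VisiBroker code, of the check an operator can run against a generated vault on a POSIX host; the concrete policy it enforces (regular file, not a symbolic link, owned by the uid the server runs as, no group or world access) and the function names are this example's own assumptions, and the file it creates for the demonstration is a constructed placeholder rather than a real vault.

```python
"""Host-level protection check for a vault file.

Added example, not VisiBroker code. The guide says only that the vault
holds usernames and passwords and must be protected by host mechanisms such
as file permissions; the policy below (regular file, not a symlink, owned
by the expected uid, mode with no group/other bits) is this example's own
assumption for a POSIX host.
"""
from __future__ import annotations

import os
import stat
import tempfile


def check_vault_file(path: str, owner_uid: int | None = None) -> list[str]:
    """Return a list of findings; an empty list means the file passes the policy."""
    owner_uid = os.geteuid() if owner_uid is None else owner_uid
    findings: list[str] = []
    if os.path.islink(path):
        findings.append("vault path is a symbolic link")
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        findings.append("vault path is not a regular file")
    if st.st_uid != owner_uid:
        findings.append(f"owned by uid {st.st_uid}, expected uid {owner_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IRWXG:
        findings.append(f"group has access (mode {mode:04o})")
    if mode & stat.S_IRWXO:
        findings.append(f"others have access (mode {mode:04o})")
    return findings


def harden_vault_file(path: str) -> int:
    """Restrict the vault to owner read/write only and return the resulting mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def make_constructed_vault(mode: int) -> str:
    """Create a placeholder file standing in for a vault (constructed content) with the given mode."""
    fd, path = tempfile.mkstemp(prefix="constructed-", suffix=".vault")
    with os.fdopen(fd, "w") as fh:
        fh.write("placeholder vault contents, not a real vault\n")
    os.chmod(path, mode)
    return path


def demo() -> tuple[list[str], list[str]]:
    """Check a world-readable placeholder vault, harden it, and check it again."""
    path = make_constructed_vault(0o644)
    try:
        before = check_vault_file(path)
        harden_vault_file(path)
        after = check_vault_file(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before hardening:", before)
    print("after hardening:", after)
```

Running the check from the same service account that starts the server (so that os.geteuid() is the expected owner) is the useful configuration: a vault readable by other accounts on the host exposes the usernames and passwords it was created to keep out of interactive prompts.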

