Borland VisiBroker® 7.0 - Borland Technical Publications
Share Embed Flag
Download ePaper

Borland VisiBroker® 7.0 - Borland Technical Publications

Borland VisiBroker® 7.0 - Borland Technical Publications Borland VisiBroker® 7.0 - Borland Technical Publications

borland.com
11.07.2015 Views

Steps to secure clients and serversSteps to secure clients and serversNoteImportantListed below are the common steps required for developing a secure client or secureserver. For CORBA users the properties are all stored in files that are located throughconfig files. Where ever appropriate the usage models for clients and servers areseparately discussed. All properties can be set in the VisiBroker Management Consoleby right-clicking the node of interest in the Navigation Pane and selecting “EditProperties.”These steps are similar for both Java and C++ applications.All security information, including RoleDBs, LoginModule configurations, and such canbe set through the Management Console on the appropriate properties tabs.Step One: Providing an identityClientsServersAn identity can be a username/password/realm triad, or certificates can be used.These can be collected through JAAS modules or through APIs.For clients using usernames and passwords, there can be constraints about what theclient knows about the server's realms. Clients may have intimate knowledge of theserver's supported realms or none at all at the time of identity inquiry. Note also thatclients authenticate at the server end.For servers using username and password identities, authentication is performedlocally since the realms are always known.There can be constraints on certificate identities as well, depending on whether theyare stored in a KeyStore or whether they are specified through APIs.Keeping these constraints in mind, the Borland VisiBroker Server supports thefollowing usage models, any of which could be used to provide an identity to the serveror client:■“Username/password authentication, using JAAS modules, for known realms” onpage 66■“Username/password authentication, using APIs” on page 67■“Certificate-based authentication, using KeyStores through property settings” onpage 67■“Certificate-based authentication, using KeyStores through APIs” on page 67■“Certificate-based authentication, using APIs” on page 67■“pkcs12-based authentication, using KeyStores” on page 67■“pkcs12-based authentication, using APIs” on page 67Username/password authentication, using JAAS modules, for knownrealmsIf the realm to which the client wishes to authenticate is known, the client-side JAASconfiguration would take the following form:vbroker.security.login=truevbroker.security.login.realms=66 VisiBroker Security Guide

Steps to secure clients and serversUsername/password authentication, using APIsThe following code sample demonstrates the use of the login APIs. This case uses awallet. For a full description of the four login modes supported, go to the VisiSecure forJava API and SPI sections.public static void main(String[] args) {//initialize the ORBorg.omg.CORBA.ORB orb = org.omg.CORBA.ORB.init(args, null);com.borland.security.Context ctx = (com.borland.security.Context)orb.resolve_initial_references("VBSecurityContext");if(ctx != null) {com.borland.securty.IdentityWallet wallet =new com.borland.security.IdentityWallet(,.toCharArray(), );ctx.login(wallet);}}Certificate-based authentication, using KeyStores through propertysettingsBy setting the property vbroker.security.login.realms=Certificate#ALL, the client willbe prompted for keystore location and access information. For valid values, see“Certificate mechanism” on page 38.Certificate-based authentication, using KeyStores through APIsYou can use the same APIs discussed in ““Username/password authentication, usingAPIs” on page 67” to login using certificates through KeyStores. The realm name in theIdentityWallet should be CERTIFICATE#ALL, the username corresponds to an alias name inthe default KeyStore that refers to a Key entry, and the password refers to the PrivateKey password (also the KeyStore password) corresponding to the same Key entry.Certificate-based authentication, using APIsIf you do not want to use KeyStores directly, you can specify certificates and privatekeys using the CertificateWalletAPI. This class also supports the pkcs12 file format.X509Certificate[] certChain = ...list-of-X509-certificates...PrivateKey privKey = private-keycom.borland.security.CertificateWallet wallet =new com.borland.security.CertificateWallet(alias,certChain, privKey, "password".toCharArray());The first argument in the new Certificate wallet is an alias to the entry in the KeyStore,if any. If you are not using keystores, set this argument to null.pkcs12-based authentication, using KeyStoresYou can use the same APIs discussed in “Username/password authentication, usingAPIs” on page 67 to login using pkcs12 KeyStores. The realm name in theIdentityWallet should be CERTIFICATE#ALL, the username corresponds to an alias name inthe default KeyStore that refers to a Key entry, and the password refers to the passwordneeded to unlock the pkcs12 file. The property javax.net.ssl.KeyStore specifies thelocation of the pkcs12 file.pkcs12-based authentication, using APIsSee “Certificate-based authentication, using APIs” on page 67.Chapter 6: Making Secure Connections (Java) 67

Steps to secure clients and serversSteps to secure clients and serversNoteImportantListed below are the common steps required for developing a secure client or secureserver. For CORBA users the properties are all stored in files that are located throughconfig files. Where ever appropriate the usage models for clients and servers areseparately discussed. All properties can be set in the VisiBroker Management Consoleby right-clicking the node of interest in the Navigation Pane and selecting “EditProperties.”These steps are similar for both Java and C++ applications.All security information, including RoleDBs, LoginModule configurations, and such canbe set through the Management Console on the appropriate properties tabs.Step One: Providing an identityClientsServersAn identity can be a username/password/realm triad, or certificates can be used.These can be collected through JAAS modules or through APIs.For clients using usernames and passwords, there can be constraints about what theclient knows about the server's realms. Clients may have intimate knowledge of theserver's supported realms or none at all at the time of identity inquiry. Note also thatclients authenticate at the server end.For servers using username and password identities, authentication is performedlocally since the realms are always known.There can be constraints on certificate identities as well, depending on whether theyare stored in a KeyStore or whether they are specified through APIs.Keeping these constraints in mind, the <strong>Borland</strong> VisiBroker Server supports thefollowing usage models, any of which could be used to provide an identity to the serveror client:■“Username/password authentication, using JAAS modules, for known realms” onpage 66■“Username/password authentication, using APIs” on page 67■“Certificate-based authentication, using KeyStores through property settings” onpage 67■“Certificate-based authentication, using KeyStores through APIs” on page 67■“Certificate-based authentication, using APIs” on page 67■“pkcs12-based authentication, using KeyStores” on page 67■“pkcs12-based authentication, using APIs” on page 67Username/password authentication, using JAAS modules, for knownrealmsIf the realm to which the client wishes to authenticate is known, the client-side JAASconfiguration would take the following form:vbroker.security.login=truevbroker.security.login.realms=66 VisiBroker Security Guide

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!