Borland VisiBroker® 7.0 - Borland Technical Publications

More documents

Recommendations

Info

Security for the Apache web serverThe following describes the mod_ssl directives:SSLEngine onSSLRandomSeed startup builtinSSLRandomSeed connect builtinSSLCertificateFile /var/domains//configurations//mos//conf/ssl.crt/server.crtSSLCertificateKeyFile /var/domains//configurations//mos//conf/ssl.key/server.key## Uncomment the following to enable SSL certificate and related information tobe exported to the apache environment#SSLOptions +StdEnvVars +ExportCertDataWarningThe mod-ssl Apache module causes the Apache web server to become unstable whenused with the KeepAlive connection option on (the default). This is a known defect andusers should use caution after enabling the mod-ssl Apache module.Table 8.1 mod_ssl directivesSSL-specific directiveSSLEngineSSLRandomSeedSSLCertificateFileSSLCertificateKeyFileSSLOptions +StdEnvVars +ExportCertDataDescriptionThe placement of the SSLEngine is significant. It can be placed either at theserver level, in which case the server will respond only to HTTPS connections orwithin a particular virtual host, which can then be associated with a particularport number (usually 443), so that both regular HTTP connections and HTTPSconnections can be handled.Determines the source of randomness used by the mod_ssl encryption facilities.The randomness built into mod_ssl is sufficient to get you started, however, it isnot really random enough to be used in a truly secure environment. Preferably,a UNIX random device such as /dev/random or /dev/urandom is used. TheSSLRandomSeed directive must be defined at the server level.The placement of the SSLCertificateFile is significant. It can be placed either atthe server level, in which case the server will respond only to HTTPSconnections or within a particular virtual host, which can then be associated witha particular port number (usually 443), so that both regular HTTP connectionsand HTTPS connections can be handled. This file can be given any name andmay be placed in any accessible directory.The placement of the SSLCertificateKeyFile is significant. It can be placed eitherat the server level, in which case the server will respond only to HTTPSconnections or within a particular virtual host, which can then be associated witha particular port number (usually 443), so that both regular HTTP connectionsand HTTPS connections can be handled. This file can be given any name andmay be placed in any accessible directory.By default, commented out. If you want to enable Certificate Passthrough, youmust uncomment this directive which instructs mod_ssl to export the SSLcertificate and related information passed to it by the browser into a sharedenvironment.ImportantThe VisiBroker Server does not provide the key_file and certificate_file which mustbe generated. See “Creating key and certificate files” on page 79.For additional information on mod_ssl configuration, visit http://www.modssl.org/docs.78 VisiBroker Security Guide
Security for the Apache web serverCreating key and certificate filesNoteNoteThe VisiBroker Server provides the “openssl” utility so that you can generate therequired key and certificate files for mod_ssl. The openssl utility is located in:/bin//openssl/■For Windows, after double-clicking the openssl executable, a command windowappears.■For UNIX, simply follow the steps below.UNIX also requires a random data source for seeding. If you do not have a /dev/randdevice installed, you need to provide a file with a random number greater than 512bytes in length.The openssl executable first searches the environment for a variable named“RANDFILE”. If that is found, that value is assumed to be a file containing at least 512bytes of data. If the environment variable RANDFILE is not found, the executablesearches the root of your home directory for a .rnd. If that is found, it isassumed to contain at least 512 bytes of data for the seed. If you do not have a /dev/rand device, and do not provide any other alternative, certificate generation will fail.To generate the files:1 Create a private key for your server:OpenSSL> genrsa -out 2 Generate a certificate request:OpenSSL> req -new -key -out -config /bin//openssl.cnf3 Create a temporary certificate:OpenSSL> req -x509 -key -in -out -config /bin//openssl.cnfUsing the configuration from:/bin//openssl.cnfYou are prompted for the following information.Pressing Enter in response to each query (accepting each default value) is sufficientfor creating a temporary certificate.Using configuration from/bin//openssl.cnfYou are about to be asked to enter information that will be incorporated intoyour certificate request.What you are about to enter is what is called a Distinguished Name or aDN.There are quite a few fields but you can leave some blank.For some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [AU]:State or Province Name (full name) [Some-State]:Locality Name (such as, city) []:Organization Name (such as, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (such as, section) []:Common Name (such as, YOUR name) []:Email Address []:Chapter 8: Security for the Web components 79
Page 1 and 2:
Security GuideBorlandVisiBroker ®
Page 3 and 4:
ContentsChapter 1Introduction to Bo
Page 5 and 6:
Security for the Borland web contai
Page 7 and 8:
Chapter1Introduction to Borland Vis
Page 9 and 10:
VisiBroker DocumentationImportant
Page 11 and 12:
Contacting Borland support■■■
Page 13 and 14:
Chapter2Getting Started with Securi
Page 15 and 16:
Basic security model■■■■Web
Page 17 and 18:
Distributed environments and VisiSe
Page 19 and 20:
Authentication and IdentificationAu
Page 21 and 22:
Authentication and IdentificationDi
Page 23 and 24:
Secure TransportationSecure Transpo
Page 25 and 26:
Context PropagationContext Propagat
Page 27 and 28:
Context PropagationTrusting Asserti
Page 29 and 30:
Using IIOP/HTTPSHere are several ex
Page 31 and 32:
ChapterChapter 3AuthenticationJAAS
Page 33 and 34: Authentication mechanisms and Login
Page 35 and 36: LoginContext class and LoginModule
Page 37 and 38: Associating a LoginModule with a re
Page 39 and 40: Borland LoginModulesThe elements in
Page 41 and 42: Borland LoginModulesLDAP LoginModul
Page 43 and 44: Server and Client IdentificationIn
Page 45 and 46: Server and Client IdentificationCre
Page 47 and 48: Server and Client IdentificationCli
Page 49 and 50: ChapterChapter4AuthorizationAuthori
Page 51 and 52: Defining access control with Role D
Page 53 and 54: Authorization domainsTo accomplish
Page 55 and 56: CORBA authorizationwhere is a taut
Page 57 and 58: Chapter5Configuring Security Profil
Page 59 and 60: Security ProfilesEnabling SecurityF
Page 61 and 62: Security ProfilesConfiguring Authen
Page 63 and 64: Security ProfilesTo access the Auth
Page 65 and 66: Security ProfilesWorking with Autho
Page 67 and 68: Security ProfilesAdding and Removin
Page 69 and 70: Associating a Profile with a Domain
Page 71 and 72: Chapter6Making Secure Connections (
Page 73 and 74: Steps to secure clients and servers
Page 75 and 76: Examining SSL related informationEx
Page 77 and 78: Chapter7Making Secure Connections (
Page 79 and 80: Steps to secure clients and servers
Page 81 and 82: Creating Custom PluginsLoginModules
Page 83: ChapterChapter8Security for the Web
Page 87 and 88: Enabling certificate passthrough to
Page 89 and 90: Security for the Borland web contai
Page 91 and 92: Three-tier authorization schemeNote
Page 93 and 94: Chapter9Security Properties for Jav
Page 95 and 96: Security Properties for JavaPropert
Page 97 and 98: Chapter10Security Properties for C+
Page 99 and 100: Security Properties for C++Property
Page 101 and 102: Chapter11VisiSecure for C++ APIsCha
Page 103 and 104: General APIUse this to login to the
Page 105 and 106: General APISets the cipher suites t
Page 107 and 108: General APIReturnsA set of the publ
Page 109 and 110: SSL APISSL APIThis section explains
Page 111 and 112: SSL APIclass CipherSuiteNameThis cl
Page 113 and 114: SSL APIExceptionsCORBA::BAD_OPERATI
Page 115 and 116: Certificate APICertificate APIThis
Page 117 and 118: Certificate APIclass CORBAsec::X509
Page 119 and 120: QoP APIQoP APIThe following section
Page 121 and 122: Authorization APIAuthorization APIT
Page 123 and 124: ChapterChapter12Security SPIfor C++
Page 125 and 126: ProvidersProvidersTable 12.1Each pr
Page 127 and 128: vbsec::CallbackHandlervbsec::Callba
Page 129 and 130: vbsec::AuthenticationMechanismsMeth
Page 131 and 132: vbsec::TargetReturnsExceptionsArgum
Page 133 and 134: vbsec::Resourcevbsec::ResourceThe R
Page 135 and 136:
vbsec::AttributeCodecFor the provid
Page 137 and 138:
vbsec::PermissionCollectionvbsec::P
Page 139 and 140:
vbsec::InitOptionsvbsec::InitOption
Page 141 and 142:
IndexSymbols... ellipsis 4.defaultA
Page 143 and 144:
Iidentitiessetting up 36setting up
Page 145 and 146:
security (C++)AttributeCodec 119, 1
Page 147 and 148:
VisiSecure APIs (C++) 95VisiSecure
show all

Borland VisiBroker® 7.0 - Borland Technical Publications

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?