Borland VisiBroker® 7.0 - Borland Technical Publications
Chapter 9: Security Properties for Java
(VisiBroker Security Guide, pages 88-89)

Each entry gives the property, its description, and its default value. Angle-bracket segments such as <domain>, <role>, <method> and <n> stand for the domain, role, method or rule number the property applies to.

vbroker.security.authentication.config
    Specifies the path to the configuration file used for authentication.
    Default: null

vbroker.security.authentication.retryCount
    Number of times to retry if remote authentication fails.
    Default: 3

vbroker.security.authentication.clearCredentialsOnFailure
    By default, if the authorization realm finds the authenticator incorrect after the maximum number of retries has been reached, the ORB retains the authenticator. Set this property to true if you want the ORB to clear the authenticator (the credential) after the maximum number of retries.
    Default: false

vbroker.security.login
    If set to true, the ORB logs in to all the realms listed in vbroker.security.login.realms at initialization time.
    Default: false

vbroker.security.login.realms
    A comma-separated list of realms to log in to. Used when login takes place, either through vbroker.security.login (set to true) or through the login() API.
    Default: n/a

vbroker.security.vault
    Specifies the path to the vault file. This property takes effect regardless of whether vbroker.security.login is set to true or false.
    Default: n/a

vbroker.security.identity.reauthenticateOnFailure
    When set to true, the security service attempts to reacquire authentication information using the CallbackHandler. This requires the callback handler to be set, either with the appropriate property or at runtime by calling the appropriate method.
    Default: false

vbroker.security.identity.enableReactiveLogin
    When set to true, the security service behaves as follows: if it cannot find an identity for any of the targets supported by a server it is attempting to communicate with, it attempts to acquire credentials for one of the targets in the target object's IOR. If a corresponding authentication realm is available for that target (and the user chooses to provide credentials for it), authentication is also attempted locally. Reactive login requires a callback handler to be set, either with the appropriate property or at runtime by calling the appropriate method.
    Default: true

vbroker.security.authDomains
    Specifies a comma-separated list of available authorization domains. For example:
    vbroker.security.authDomains=<domain1>,<domain2>,…
    Default: null

vbroker.security.domain.<domain>.rolemap_path
    Specifies the location of the RoleDB file that describes the roles used for authorization. This is scoped within the domain <domain>, which must be listed in vbroker.security.authDomains.
    Default: n/a

vbroker.security.domain.<domain>.rolemap_enableRefresh
    When set to true, enables dynamic reloading of the RoleDB file specified in vbroker.security.domain.<domain>.rolemap_path. The reload interval is set by vbroker.security.domain.<domain>.rolemap_refreshTimeInSeconds.
    Default: false

vbroker.security.domain.<domain>.rolemap_refreshTimeInSeconds
    Specifies the rolemap refresh time in seconds.
    Default: 300

vbroker.security.domain.<domain>.runas.<role>
    Specifies the run-as identity for the named run-as role. The value is either use-caller-identity, which places the caller principal in the run-as role, or the alias of a run-as principal to use for that role.
    Default: n/a

vbroker.security.peerAuthenticationMode
    Sets the peer authentication mode. Possible values are:
        REQUIRE
        REQUIRE_AND_TRUST
        REQUEST
        REQUEST_AND_TRUST
        NONE
    Note that the REQUEST and REQUEST_AND_TRUST modes cannot receive peer certificate chains due to JSSE restrictions.
    Default: NONE

vbroker.security.trustpointsRepository
    Specifies a path to the directory containing trusted certificates and CRLs, or to a trusted keystore whose entries are implementations of TrustedCertificateEntry. The value is either a directory, given in the format Directory:<path>, or a keystore, given in the format Keystore:<path>.
    Default: n/a

vbroker.security.defaultJSSETrust
    If set to true, the JSSE default trust files (cacerts and jssecacerts), if present in the JRE, are used to load trusted certificates.
    Default: false

vbroker.security.assertions.trust.<n>
    Specifies a trusted role in the format <role>@<domain>. <n> is a unique identifier for each trust assertion rule, written as a string of digits. For example, setting
    vbroker.security.assertions.trust.1=ServerAdmin@default
    means this process trusts any assertion made by the ServerAdmin role in the default authorization domain.
    Default: n/a

vbroker.security.assertions.trust.all
    Setting this to true trusts all assertions made by peers.
    Default: false

vbroker.security.server.requireUPIdentity
    Set this to true if the server requires the client to send a username/password for authentication, regardless of certificate-based authentication. This is a server-side property.
    Default: n/a

vbroker.security.cipherList
    A comma-separated list of cipher suites to enable at startup. If not set, a default list of cipher suites is enabled. The names must be valid SSL cipher suites.
    Default: n/a

vbroker.security.controlAdminAccess
    Set this to true to enable Server Manager operations on a secure server.
    Default: false

vbroker.security.serverManager.authDomain
    Points to a security domain listed in vbroker.security.authDomains. The specified domain is used for the Server Manager's role-based access control checks. A rolemap must be specified for the domain.
    Default: n/a

vbroker.security.serverManager.role.all
    Specifies the role name required for access to all Server Manager operations.
    Default: n/a

vbroker.security.serverManager.role.<method>
    Specifies the role name required for access to the named Server Manager method.
    Default: n/a

vbroker.security.support.gatekeeper.replyForSAS
    Used with GateKeeper when security is enabled. When set to true, the username and password are not delegated to the backend server for authentication.
    Default: false

vbroker.security.domain.<domain>.defaultAccessRule
    Specifies whether access to the domain is granted or denied by default when no security role applies to the caller. Acceptable values are grant and deny.
    Default: grant

vbroker.se.iiop_tp.scm.ssl.listener.trustInClient
    A server-side property. Set to true to have the server require certificates from the client. These certificates must also be trusted by the server, which is configured with the server-side trust properties; see vbroker.security.trustpointsRepository and vbroker.security.defaultJSSETrust.
    Default: false

vbroker.security.wallet.type
    A wallet is a set of directories containing encrypted private keys and certificate chains, one directory per identity. Use this property to point to the directory containing the per-identity directories, in the format Directory:<path>.
    Default: n/a

vbroker.security.wallet.identity
    Points to a directory within the path defined by vbroker.security.wallet.type that contains the keys and/or certificate information for a specific identity. The value must consist only of lower-case letters.
    Default: n/a

vbroker.security.wallet.password
    Specifies the password used to decrypt the private key, or the password associated with the login.
    Default: n/a
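The table lists each property in isolation, and several of the defaults (peerAuthenticationMode NONE, defaultAccessRule grant, trustInClient false) are the permissive choice. The following is an added example, not code from the VisiBroker Security Guide or from the product: it reads a VisiBroker-for-Java security properties file and reports the settings the table documents as weaker than their alternatives: a peer authentication mode of NONE or a REQUEST mode, assertions.trust.all, a numbered trust rule that is malformed or names a domain missing from authDomains, a domain left on the grant default or without a RoleDB, Server Manager enabled without a domain or a required role, client certificates not required or required without a trust source, and a wallet password stored in the file. The property names, value sets and defaults are the table's; the two sample property files, the file paths, the severity labels and the function names parse_properties and audit are constructed for the example.

```python
"""Audit a VisiBroker-for-Java security properties file for weak settings.
Added example, not code from the VisiBroker Security Guide or the product: the
property names, values and defaults follow the Chapter 9 table; severities,
sample files and function names are this example's own."""
import re


def parse_properties(text):
    """Minimal Java .properties reader: '=', ':' or whitespace separators,
    '#'/'!' comment lines, trailing-backslash continuation (no escape handling)."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line, pending = pending + raw.lstrip(), ""
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*(?:[=:]\s*)?(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(props):
    """Return (severity, property, finding) tuples for settings the table
    documents as weaker than their alternatives."""
    findings = []
    val = lambda key, default="": props.get(key, default).strip()
    is_true = lambda key: val(key, "false").lower() == "true"
    flag = lambda sev, key, msg: findings.append((sev, key, msg))
    # NONE never asks for a peer certificate; REQUEST modes cannot receive a chain under JSSE.
    mode = val("vbroker.security.peerAuthenticationMode", "NONE").upper()
    if mode == "NONE":
        flag("HIGH", "vbroker.security.peerAuthenticationMode", "peer certificates never requested (default NONE)")
    elif mode.startswith("REQUEST"):
        flag("MEDIUM", "vbroker.security.peerAuthenticationMode", "REQUEST modes cannot receive peer chains; use REQUIRE")
    # trust.all accepts any asserted identity; numbered rules must be <role>@<domain> with a listed domain.
    domains = [d.strip() for d in val("vbroker.security.authDomains").split(",") if d.strip()]
    if is_true("vbroker.security.assertions.trust.all"):
        flag("HIGH", "vbroker.security.assertions.trust.all", "every assertion made by any peer is trusted")
    for key, value in props.items():
        if re.fullmatch(r"vbroker\.security\.assertions\.trust\.\d+", key):
            rule = re.fullmatch(r"([^@\s]+)@([^@\s]+)", value.strip())
            if rule is None:
                flag("MEDIUM", key, "malformed rule %r; expected <role>@<domain>" % value)
            elif rule.group(2) not in domains:
                flag("MEDIUM", key, "domain %r is not listed in vbroker.security.authDomains" % rule.group(2))
    # The default access rule is grant, so unmatched callers get in unless deny is set; no RoleDB, no roles.
    for d in domains:
        prefix = "vbroker.security.domain.%s." % d
        if val(prefix + "defaultAccessRule", "grant").lower() != "deny":
            flag("HIGH", prefix + "defaultAccessRule", "unmatched callers are granted by default; set deny")
        if not val(prefix + "rolemap_path"):
            flag("HIGH", prefix + "rolemap_path", "no RoleDB configured for domain %r" % d)
    # Server Manager on a secure server needs a domain (with a rolemap) and a required role.
    if is_true("vbroker.security.controlAdminAccess"):
        if val("vbroker.security.serverManager.authDomain") not in domains:
            flag("HIGH", "vbroker.security.serverManager.authDomain", "Server Manager enabled without a configured domain")
        elif not any(k.startswith("vbroker.security.serverManager.role.") and v.strip() for k, v in props.items()):
            flag("HIGH", "vbroker.security.serverManager.role.all", "Server Manager enabled but no role is required")
    # Requiring client certificates is pointless without a trust source to verify them against.
    if not is_true("vbroker.se.iiop_tp.scm.ssl.listener.trustInClient"):
        flag("MEDIUM", "vbroker.se.iiop_tp.scm.ssl.listener.trustInClient", "client certificates not required (default false)")
    elif not val("vbroker.security.trustpointsRepository") and not is_true("vbroker.security.defaultJSSETrust"):
        flag("HIGH", "vbroker.security.trustpointsRepository", "client certificates required but no trust source configured")
    # Wallet: the private-key password sits in clear text in the file.
    if val("vbroker.security.wallet.password"):
        flag("MEDIUM", "vbroker.security.wallet.password", "private-key password stored in clear text")
    return findings


# Constructed sample: a server left on the defaults for peerAuthenticationMode,
# defaultAccessRule and trustInClient, plus a few explicit mistakes.
WEAK = """\
vbroker.security.authDomains=default
vbroker.security.domain.default.rolemap_path=/opt/visibroker/roles/default.rolemap
vbroker.security.assertions.trust.all=true
vbroker.security.assertions.trust.1=ServerAdmin@prod
vbroker.security.controlAdminAccess=true
vbroker.security.wallet.password=changeit
"""

# Constructed sample: the same server with every finding corrected.
HARDENED = """\
vbroker.security.peerAuthenticationMode=REQUIRE_AND_TRUST
vbroker.se.iiop_tp.scm.ssl.listener.trustInClient=true
vbroker.security.trustpointsRepository=Directory:/opt/visibroker/trustpoints
vbroker.security.authDomains=default
vbroker.security.domain.default.rolemap_path=/opt/visibroker/roles/default.rolemap
vbroker.security.domain.default.defaultAccessRule=deny
vbroker.security.assertions.trust.1=ServerAdmin@default
vbroker.security.controlAdminAccess=true
vbroker.security.serverManager.authDomain=default
vbroker.security.serverManager.role.all=ServerAdmin
"""
```

Calling audit(parse_properties(WEAK)) yields seven findings, four of them HIGH, three of which come purely from leaving properties unset; audit(parse_properties(HARDENED)) yields none. The parser covers the .properties syntax found in real VisiBroker configurations ('=', ':' or whitespace separators, comment lines, backslash continuation) but not the full Java escape rules, so a value containing \u escapes would need a real java.util.Properties load first.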