Red Hat NETSCAPE ENTERPRISE SERVER 6.0 - PROGRAMMER GUIDE TO SERVLETS Podręcznik Użytkownika

Interstage Application Server V7.0 Security System Guide

Security System Guide: Table of Contents x Security Measures for Operation of the Web Server (Interstage HTTP Server)...2-4

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-4 Online Collation This function is used to control and store the user

Setting the User Authentication 3-5 Setting the User Authentication User authentication is set according to the following procedures. 1. Registering

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-6 Editing the Environment Definition File To allow the users whose pass

Setting the User Authentication 3-7 Relating Directives • AuthName • AuthType • AuthUserFile • <Directory> • Require Relating Directives When u

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-8 AuthName Name AuthName Synopsis AuthName 'title' Descripti

Setting the User Authentication 3-9 AuthUserFile Name AuthUserFile Synopsis AuthUserFile file-name Description Specifies the name of the password fil

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-10 Require Name Require Synopsis Require valid-user|user user-name|gro

Setting the IP Access Control 3-11 Setting the IP Access Control For IP access control, you can allow only specified hosts to make access to directori

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-12 Relating Directives When IP access control is used, the following di

Setting the IP Access Control 3-13 Description Specifies a host or network that is granted access to the directories. Specifying 'all' for t

Security System Guide - Table of Contents xi Security Measures for Portable-ORB ...

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-14 <Directory> Name <Directory> Synopsis <Directory dire

Setting the Online Collation Function 3-15 Setting the Online Collation Function Set the operation of the online collation function according to the f

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-16 Operation without Using SSL Configuration Procedure 1 This section e

Setting the Online Collation Function 3-17 Configuration Procedure 3 (when Interstage HTTP Server and Smart Repository are on different systems) The f

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-18 Setting the Directory Server Environment To use the online collation

Setting the Online Collation Function 3-19 Example of User Entry Configuration Figure 3-4 Creating User Entry Creating Group Entry Create the group

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-20 Example of Group Entry Figure 3-5 Group Entry Configuration Set th

Setting the Online Collation Function 3-21 Setting 1: Operation without Using SSL Example Running the online collation function without using SSL, u

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-22 Example Running the online collation function without using SSL,

Setting the Online Collation Function 3-23 Setting 2: Operation Using the SSL (setting for using an Interstage certificate environment or for using SS

Security System Guide: Table of Contents xii Relating Directives...

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-24 Example Running the online collation function without using SSL,

Setting the Online Collation Function 3-25 Setting 3: Operation Using the SSL (setting for using a certificate/key management environment configured w

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-26 # Token label AuthLDAPTknLbl token01 # User PIN file

Setting the Online Collation Function 3-27 # (389:optional value for not using SSL, 636:optional value for using SSL) AuthLDAPPort 636

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-28 • <Directory> • Group • LoadModule • Require • User Relating D

Setting the Online Collation Function 3-29 Module Name of the module that implements the directive function. A directive with no module name indicati

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-30 Description Specifies the name of the tree that is storing informati

Setting the Online Collation Function 3-31 AuthLDAPBindPassword Name AuthLDAPBindPassword Synopsis AuthLDAPBindPassword BindPassword Description When

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-32 Module mod_ldap AuthLDAPEnabled Name AuthLDAPEnabled Synopsis AuthL

Setting the Online Collation Function 3-33 Default Value localhost Module mod_ldap AuthLDAPPort Name AuthLDAPPort Synopsis AuthLDAPPort Port-number

Security System Guide - Table of Contents xiii ServerRoot...

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-34 Description Specifies whether to use SSL for the operation of the on

Setting the Online Collation Function 3-35 AuthLDAPTknLbl Name AuthLDAPTknLbl Synopsis AuthLDAPTknLbl token-label Description Specifies the token lab

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-36 AuthName Name AuthName Synopsis AuthName 'title' Descript

Setting the Online Collation Function 3-37 <Directory> Name <Directory> Synopsis <Directory directory-path> ... </Directory> D

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-38 Default Value None #-1 Note Group ID operates as 4294967295 when

Setting the Online Collation Function 3-39 Module mod_so Require Name Require Synopsis Require valid-user|user user-name|group group-name Descriptio

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-40 Examples To authenticate a user 'taro': Require user ta

Setting the Online Collation Function 3-41 User Name User Synopsis User userID Description Specifies the name of the user who executes the server

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-42

Part III Firewall and Proxy Server

Security System Guide: Table of Contents xiv Registering the CA Certificate...

4-1 Chapter 4 HTTP Tunneling This chapter describes HTTP Tunneling. Note HTTP tunneling can be used with the following products running in the Wind

Chapter 4: HTTP Tunneling 4-2 HTTP Data Communication Using HTTP Tunneling In HTTP tunneling, data communication using the HTTP protocol can be condu

HTTP Data Communication Using HTTP Tunneling 4-3 Developing the CORBA Application When HTTP tunneling is used by a CORBA application, the ordinary COR

Chapter 4: HTTP Tunneling 4-4 HTTP Tunneling Setup This section describes the procedure for setting the environment when using the HTTP tunneling in

HTTP Tunneling Setup 4-5 (1) Using Interstage HTTP Server Copy the following file (the installation path is the default) to the modules directory of

Chapter 4: HTTP Tunneling 4-6 Notes • When the Web server is Interstage HTTP Server, messages od40001 and od40002 are not output. (2) Using InfoP

HTTP Tunneling Setup 4-7 For IIS 6.0: 1. Select [Control Panel] > [Administrative Tools] > [Internet Information Services (IIS) Manager] to sta

Chapter 4: HTTP Tunneling 4-8 <applet code=”Sample.class” width=280 height=300> <param name=ORB_FJ_HTTP value=yes> <pa

HTTP Tunneling Setup 4-9 Parameter Name Meaning Specify the cgi ID if Web Server is used. If using Internet Information Services, specify the alia

Security System Guide - Table of Contents xv Registering the User PIN...

Chapter 4: HTTP Tunneling 4-10 Application Other than the Java Applet Specify the parameter in the following way when a client application (sample_c)

HTTP Tunneling Setup 4-11 <applet code="Sample.class" width=300 height=250> <PARAM NAME=ORB_FJ_HTTP VALUE=yes> <PARAM NAME=

Chapter 4: HTTP Tunneling 4-12 <PARAM NAME=ORB_FJ_SSL VALUE=yes> <PARAM NAME=ORB_FJ_HTTPGW VALUE=http://host.com/od-httpgw> </applet&g

HTTP Tunneling Setup 4-13 Setting to be Made When an HTTP Proxy Server is to be Used When performing HTTP tunneling through an HTTP proxy server in th

Chapter 4: HTTP Tunneling 4-14

5-1 Chapter 5 HTTP Tunneling of J2EE This chapter describes the HTTP Tunneling of J2EE. HTTP tunneling for J2EE can be used with the following: •

Chapter 5: HTTP Tunneling of J2EE 5-2 Use of HTTP Tunneling in J2EE Application Client To use HTTP tunneling with a J2EE application client, specify

Use of HTTP Tunneling in J2EE Application Client 5-3 The environment property in which the gateway is specified is shown in Table 5-1. Table 5-1 Envi

Chapter 5: HTTP Tunneling of J2EE 5-4 (1) For Interstage HTTP Server http://ipv4address_host-name/url-name http://ipv4address_host-name:Port_numb

Method for Using HTTP Tunneling with IJServer (Contains Web Applications Only) 5-5 Method for Using HTTP Tunneling with IJServer (Contains Web Applica

Security System Guide: Table of Contents xvi Setting the SSL Information in the CORBA Application (Server Application Only)...10-4 Ope

Chapter 5: HTTP Tunneling of J2EE 5-6 Method for Using HTTP Tunneling with Java Applets When Java applets start, HTTP tunneling is specified with par

6-1 Chapter 6 Linkage of the Proxy This chapter describes the linkage of the Proxy.

Chapter 6: Linkage of the Proxy 6-2 Linkage of the Proxy and SOAP Service SOAP service can be used with the following products: • Interstage Applica

Part IV Authentication and Encrypted Communications through Support for SSL This part of the manual explains how to perform encryption communication

Table 7-1 shows which service can support which environment. Table 7-1 Services and Environments Service name Interstage certificate environment Cer

7-1 Chapter 7 Setting and Use of the Interstage Certificate Environment This chapter explains what is required for signature and encryption processi

Chapter 7: Setting and Use of the Interstage Certificate Environment 7-2 Certificates and Private Keys This section explains certificates and private

Certificates and Private Keys 7-3 Table 7-2 shows the situations in which certificates including UTF-8 cannot be used. If a certificate including UTF

Chapter 7: Setting and Use of the Interstage Certificate Environment 7-4 CA (Certification Authority) The CA (Certification Authority) is required to

Configuring Environments 7-5 Configuring Environments The Interstage Certificate Environment is an environment in which certificates, private keys, an

Security System Guide - Table of Contents xvii Constructing a Key Pair/Certificate Management Environment...

Chapter 7: Setting and Use of the Interstage Certificate Environment 7-6 Using PKCS#12 Data Use PKCS#12 data when a private Certification Authority i

Configuring Environments 7-7 Note • Execute the commands as a superuser. • For effective users to be registered in the Interstage certificate enviro

Chapter 7: Setting and Use of the Interstage Certificate Environment 7-8 Configuring the Interstage Certificate Environment with CSR This section des

Configuring the Interstage Certificate Environment with CSR 7-9 Configuring an Interstage Certificate Environment and Creating a Certificate Signing R

Chapter 7: Setting and Use of the Interstage Certificate Environment 7-10 The services listed below are concerned: − Interstage SOAP Service − Smar

Configuring the Interstage Certificate Environment with CSR 7-11 Registering the CA Certificate Register the obtained CA certificate. An example of re

Chapter 7: Setting and Use of the Interstage Certificate Environment 7-12 Registering the Certificate of Another Reliable Site Register the certifica

Configuring the Interstage Certificate Environment with PKCS#12 7-13 Configuring the Interstage Certificate Environment with PKCS#12 This section desc

Chapter 7: Setting and Use of the Interstage Certificate Environment 7-14 Registering PKCS#12 Data, Certificates, and CRLs Register the PKCS#12 data,

Configuring the Interstage Certificate Environment with PKCS#12 7-15 Importing the PKCS#12 data Import the site certificate and private key delivered

Security System Guide: Table of Contents xviii Chapter 16 How to Use Reliable Messaging Function for Web Services (SOAP) PUSH Model (Receiving Mess

Chapter 7: Setting and Use of the Interstage Certificate Environment 7-16 Registering a CRL Register the obtained CRL. An example of registration is

Configuring Certificate Settings 7-17 Configuring Certificate Settings After configuring the Interstage certificate environment, you need to make the

Chapter 7: Setting and Use of the Interstage Certificate Environment 7-18 • CORBA Service [System] > [Environment setup] tab > [Detail setting]

Certificate Management 7-19 Certificate Management After system operation begins, certificates, private keys, and CRLs must be correctly managed. The

Chapter 7: Setting and Use of the Interstage Certificate Environment 7-20 If a New Certificate and CRL are Obtained If a new certificate is issued or

8-1 Chapter 8 Setting and Use of the Certificate/Key Management Environment Using the SMEE Command This chapter describes the requirements for SSL c

Chapter 8: Setting and Use of the Certificate/Key Management Environment Using the SMEE Command 8-2 SSL Libraries Used with the Certificate/Key Manag

SSL Libraries Used with the Certificate/Key Management Environment 8-3 SSL Library SMEE2 SMEE3 CORBA Service X O Certificate/Key Management Env

Chapter 8: Setting and Use of the Certificate/Key Management Environment Using the SMEE Command 8-4 In addition, you can import PKCS#12 data exported

SSL Libraries Used with the Certificate/Key Management Environment 8-5 Figure 8-2 Relationship between Slot, Token and Private Key The slot password

Security System Guide - Table of Contents xix Appendix B Authentication and Access Control for the Component Transaction Service User Authentication

Chapter 8: Setting and Use of the Certificate/Key Management Environment Using the SMEE Command 8-6 3. Register the certificate and CRL. − Register

SSL Libraries Used with the Certificate/Key Management Environment 8-7 Creating a Certificate/Key Management Environment Create a certificate/key mana

Chapter 8: Setting and Use of the Certificate/Key Management Environment Using the SMEE Command 8-8 mkslt -sd d:\sslenv\slot #Generation and init

SSL Libraries Used with the Certificate/Key Management Environment 8-9 Creating a Private Key and Acquiring a Certificate Make a request to issue a ce

Chapter 8: Setting and Use of the Certificate/Key Management Environment Using the SMEE Command 8-10 Registering the Certificate and CRL Register the

SSL Libraries Used with the Certificate/Key Management Environment 8-11 The example below assumes the site certificate is contained in /export/hom

Chapter 8: Setting and Use of the Certificate/Key Management Environment Using the SMEE Command 8-12 Obtaining the Client Certificate To obtain a cli

SSL Libraries Used with the Certificate/Key Management Environment 8-13 The following shows the procedure for migration: 1. Search for existing resou

Chapter 8: Setting and Use of the Certificate/Key Management Environment Using the SMEE Command 8-14 The example below assumes the newly created Cer

SSL Libraries Used with the Certificate/Key Management Environment 8-15 Management of a Certificate/Key Management Environment Because each user certi

Security System Guide - Preface ii Trademarks Trademarks of other companies are used in this user guide only to identify particular products or system

Security System Guide: Table of Contents xx

Chapter 8: Setting and Use of the Certificate/Key Management Environment Using the SMEE Command 8-16

9-1 Chapter 9 How to Use SSL with Interstage HTTP Server This chapter explains how to use the SSL for the Interstage HTTP Server. The Interstage HTT

Chapter 9: How to Use SSL with Interstage HTTP Server 9-2 Setting SSL for Interstage Certificate Environments To use SSL for an Interstage certificat

Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-3 Setting SSL for Certificate/Key Management Environments

Chapter 9: How to Use SSL with Interstage HTTP Server 9-4 Example When the user PIN (dialog input) is encrypted and registered to the user PIN mana

Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-5 ServerName main.example.com # Using SSL SSLExec on # SS

Chapter 9: How to Use SSL with Interstage HTTP Server 9-6 # Server name ServerName main.example.com # User of creating a certificate/key management

Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-7 # Slot information directory SSLSlotDir d:/ssl/slotdir

Chapter 9: How to Use SSL with Interstage HTTP Server 9-8 SSLVersion 2-3 # Level of client certification SSLVerifyClient require # Operation

Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-9 # # Virtual host not using SSL (Port number: 80) # # Se

Part I Security Risks and Measures If the system security is violated, unauthorized access by malicious attackers can cause interference and unautho

Chapter 9: How to Use SSL with Interstage HTTP Server 9-10 # Nickname of the site certificate SSLCertName cert_for_manager # Nickname of the cl

Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-11 Relating Directives The following directives are relat

Chapter 9: How to Use SSL with Interstage HTTP Server 9-12 AddModule Name AddModule Synopsis AddModule module [module] ... Description Enables read m

Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-13 CustomLog Name CustomLog Synopsis CustomLog “|ihsrlog-c

Chapter 9: How to Use SSL with Interstage HTTP Server 9-14 Initial value CustomLog "|ihsrlog -s logs/accesslog 1 5" common Cu

Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-15 Example Accesses "/usr/web/index.html" when s

Chapter 9: How to Use SSL with Interstage HTTP Server 9-16 ErrorLog "|/opt/FJSVihs/bin/ihsrlog -s /var/opt/FJSVihs/logs/errorlog 1 5"

Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-17 Listen Name Listen Synopsis Listen [IP-address:]port D

Chapter 9: How to Use SSL with Interstage HTTP Server 9-18 %l Personal information of a user returned from a client %{Cookie}n Client IP address and

Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-19 Port Name Port Synopsis Port port-number Description T

Chapter 9: How to Use SSL with Interstage HTTP Server 9-20 Initial value ScriptAlias /cgi-bin/ "C:/Interstage/F3FMihs/cgi-bin/"

Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-21 Context Global context, Virtual host Default value none

Chapter 9: How to Use SSL with Interstage HTTP Server 9-22 SetEnvIf Name SetEnvIf Synopsis SetEnvIf attribute attribute-value environment-variable[

Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-23 Synopsis SSLCertName nickname Description Specifies the

Chapter 9: How to Use SSL with Interstage HTTP Server 9-24 SSLCipherSuite Name SSLCipherSuite Synopsis SSLCipherSuite encryption-method Description

Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-25 Point The encryption types shown in the encryption meth

Chapter 9: How to Use SSL with Interstage HTTP Server 9-26 SSLEnvDir Name SSLEnvDir Synopsis SSLEnvDir operation-control-directory-name Description S

Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-27 Default value off Module mod_ihs_ssl SSLSlotDir Name SS

Chapter 9: How to Use SSL with Interstage HTTP Server 9-28 Context Global context Default value none Module mod_ihs_ssl SSLUserPINFile Name SSLUserPI

Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-29 SSLVerifyClient Name SSLVerifyClient Synopsis SSLVerify

1-1 Chapter 1 Security Risks This chapter explains the resources to be protected (protection target resources), possible threats to the protection t

Chapter 9: How to Use SSL with Interstage HTTP Server 9-30 SSLVersion Name SSLVersion Synopsis SSLVersion [2|3|2-3] Description Specifies the version

Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-31 User Name User Synopsis User userID Description Spe

Chapter 9: How to Use SSL with Interstage HTTP Server 9-32 <VirtualHost> Name <VirtualHost> Synopsis <VirtualHost> address[:port]&

10-1 Chapter 10 How to Use SSL with the CORBA Service Client-server application linkage using the CORBA Service enables encrypted communication via

Chapter 10: How to Use SSL with the CORBA Service 10-2 Use the following procedure to add executing user access authority to the certificate/key mana

SSL Linkage of the CORBA Service 10-3 SSL Linkage of the CORBA Service The SSL linkage function of the CORBA Service performs encrypted communication

Chapter 10: How to Use SSL with the CORBA Service 10-4 Constructing SSL Linkage Environment To perform encryption communication using SSL, the follow

SSL Linkage of the CORBA Service 10-5 Operating the SSL Linkage The application linkage that uses SSL can be performed by accessing the server applica

Chapter 10: How to Use SSL with the CORBA Service 10-6 CORBA Server Environment Setup Configure an Interstage certificate environment, or configure a

SSL Environment Setup in Client 10-7 SSL Environment Setup in Client To use an Interstage certificate environment, set an SSL environment using the I

Chapter 1: Security Risks 1-2 Interstage Management Console and Interstage Operation Tool The Interstage Management Console and the Interstage Operat

Chapter 10: How to Use SSL with the CORBA Service 10-8 Example Define a private key/certificate in the CORBA Service. odsetSSL -sd C:\slot -ed C:

Environment Setup for Event Service 10-9 Environment Setup for Event Service The Event Service can be used with the following products: • Interstage

Chapter 10: How to Use SSL with the CORBA Service 10-10 For Dynamic Generation and Operation (for Environment Setting using the Event Service Operati

11-1 Chapter 11 How to Use SSL with J2EE This chapter describes how to use SSL with J2EE.

Chapter 11: How to Use SSL with J2EE 11-2 Environment Setup for Servlet Service This section explains how to operate the Interstage Management Consol

Environment Setting for EJB Service 11-3 Environment Setting for EJB Service When using SSL linkage, use the Interstage Management Console to set encr

Chapter 11: How to Use SSL with J2EE 11-4 Environment Setting for Interstage JMS Interstage JMS can be used with the following products. • Interstag

12-1 Chapter 12 Using SSL for Smart Repository Smart Repository supports encrypted communication using SSL. This chapter explains SSL communication

Chapter 12: Using SSL for Smart Repository 12-2 SSL linkage Environment Setup To implement encrypted communication using SSL between a Smart Reposi

Environment Setup for Using SSL between Smart Repository Client and Server 12-3 Environment Setup for Using SSL between Smart Repository Client and

Interstage Management Console and Interstage Operation Tool 1-3 Possible Security Risks to Resources The following describes possible security threats

Chapter 12: Using SSL for Smart Repository 12-4 Environment Setup for Using SSL between Master and Slave in Smart Repository Replication Operation

Part V Security Systems for Web Services (SOAP)

13-1 Chapter 13 Security Functions for Web Services (SOAP) Security at the SOAP message level can be ensured by using the digital signature (SOAP di

Chapter 13: Security Functions for Web Services (SOAP) 13-2 Digital Signature Function The digital signature (SOAP digital signature) function is use

Encryption Function of SOAP Messages 13-3 Encryption Function of SOAP Messages The encryption (XML encryption) function is used to encrypt communicati

Chapter 13: Security Functions for Web Services (SOAP) 13-4 Reliable Messaging Function and Non-repudiation Function The reliable messaging function

Attachment Function of the User ID/Password to SOAP Messages 13-5 Attachment Function of the User ID/Password to SOAP Messages The attachment function

Chapter 13: Security Functions for Web Services (SOAP) 13-6 Communication via the Proxy Client applications could exchange SOAP messages with a Web s

14-1 Chapter 14 How to Prepare PKI Environment for Web Services (SOAP) To allow the Web service to use SSL encrypted communication, SOAP digital sig

Chapter 1: Security Risks 1-4 Countermeasures Against Exploitation of User IDs and Passwords In an environment open to limited users like an intranet

Chapter 14: How to Prepare PKI Environment for Web Services (SOAP) 14-2 Configuring a Certificate Environment on the Server System This section expla

Configuring a Certificate Environment on the Server System 14-3 Alternatively, from the Interstage Management Console, select [System] > [WorkUnits

Chapter 14: How to Prepare PKI Environment for Web Services (SOAP) 14-4 Relations between Certificate Environment and Application Operation Applicati

Configuring an Old Certificate Environment or Client Certificate Environment 14-5 Configuring an Old Certificate Environment or Client Certificate Env

Chapter 14: How to Prepare PKI Environment for Web Services (SOAP) 14-6 Table 14-4 Environment Variable Settings Environment variable Description

Constructing a Key Pair/Certificate Management Environment 14-7 Constructing a Key Pair/Certificate Management Environment If the security function is

Chapter 14: How to Prepare PKI Environment for Web Services (SOAP) 14-8 In the following cases the creation of a key pair and the acquisition of a si

Constructing a Key Pair/Certificate Management Environment 14-9 Example If SystemWalker/PkiMGR is the certification authority. Example 1. Create a We

Chapter 14: How to Prepare PKI Environment for Web Services (SOAP) 14-10 • Root certificates issued by Japan Certification Services Inc. − SecureSig

Constructing a Key Pair/Certificate Management Environment 14-11 Example Register the site certificate and certification authority certificate with th

J2EE Application 1-5 J2EE Application This section gives an overview of security risks in J2EE applications. Generally, a J2EE application performs op

Chapter 14: How to Prepare PKI Environment for Web Services (SOAP) 14-12 Example 2. Create a Web service security environment information file and

Constructing a Key Pair/Certificate Management Environment 14-13 The following certificates are stored in the certificate management file as the root

Chapter 14: How to Prepare PKI Environment for Web Services (SOAP) 14-14 Registering Site Certificates of the Communication Parties When encrypting m

Using a CORBA/SOAP Gateway 14-15 Using a CORBA/SOAP Gateway If SSL encrypted communication is to be performed in a system environment using a CORBA/SO

Chapter 14: How to Prepare PKI Environment for Web Services (SOAP) 14-16

15-1 Chapter 15 User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) This chapter explains how to use user authent

Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-2 Setting User Authentication for SOAP Messages

Setting User Authentication for SOAP Messages 15-3 Figure 15-1 Web Service Configuration Edit Tool • Web service identifier Enter the identifier of

Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-4 • Request transmission setting: destination

Setting User Authentication for SOAP Messages 15-5 Business Server Environment Setup The server system that implements a Web service to execute user a

Chapter 1: Security Risks 1-6 Resources to be Protected The following table lists the resources that are used when the corresponding function availab

Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-6 Notes • Without the single sign-on function

Setting User Authentication for SOAP Messages 15-7 Figure 15-2 Entering User Authentication information

Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-8 • Web service identifier Enter the identifie

Settings for the SOAP Digital Signature 15-9 Settings for the SOAP Digital Signature This section explains the following topics: • Generating a SOAP

Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-10 _ap.setContentType("image/jpeg")

Settings for the SOAP Digital Signature 15-11 • Web service identifier Enter the identifier of the Web service. For information on how to specify the

Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-12 Notes • If the SOAP digital signature gener

Settings for the SOAP Digital Signature 15-13 Specifying the Signature Target Using XPath Filtering If XPath is specified, nodes for which the result

Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-14 Figure 15-4 Web Service Information Edit T

Settings for the SOAP Digital Signature 15-15 • [Client Function]: Response Receiving setup: SOAP signature verification Set whether to verify the SO

J2EE Application 1-7 Function Resource to be protected Execution environment setup for Servlet and EJB IJServer environment definition file Execution

Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-16 Settings for the XML Encryption This section

Settings for the XML Encryption 15-17 Figure 15-5 Settings for Encryption using the XML Encryption • Web service identifier Enter the identifier of

Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-18 • [Client Function]: Request Sending setup:

Settings for the XML Encryption 15-19 Specifying the Encryption Target The following two types of encryption target can be specified for encryption us

Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-20 • descendant::*[local-name()='ResponseB

Settings for the XML Encryption 15-21 Settings for Decryption Using the XML Encryption The Web Service Information Edit Tool is used to make the setti

Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-22 • Web service role (actor) name Specify the

Fault Codes 15-23 Fault Codes In addition to the faults defined in the “Implementing Messaging Applications” and “Implementing RPC Applications” secti

Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-24 The following fault code belongs to the name

Supported Algorithms 15-25 Supported Algorithms The high-reliability Web service supports the following algorithms. The namespace prefix "wsse&qu

Security System Guide - Preface iii Preface Purpose of this Document This manual provides information on how to set up and operate a secure Interstage

Chapter 1: Security Risks 1-8 Resource to be protected Possible threat IJServer log file Tampering of data recorded in the file Exploitation of inf

Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-26 Verifying the SOAP Digital Signature • Diges

Supported Algorithms 15-27 Items Related to WS-Security • Security token − wsse:BinarySecurityToken − wsse:UsernameToken • Encoding method − wsse:

Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-28

16-1 Chapter 16 How to Use Reliable Messaging Function for Web Services (SOAP) This chapter explains how to use the Reliable Messaging function with

Chapter 16: How to Use Reliable Messaging Function for Web Services (SOAP) 16-2 PUSH Model (Receiving Messages by the Server System) In the PUSH mod

PUSH Model (Receiving Messages by the Server System) 16-3 Next, prepare a public key for the sender client. Since the sender client also needs the pu

Chapter 16: How to Use Reliable Messaging Function for Web Services (SOAP) 16-4 Figure 16-1 Reliable Messaging PUSH Screen - Deploying the Receiver

PUSH Model (Receiving Messages by the Server System) 16-5 • Message type ID Specify the ID that represents the type of message agreed upon with the s

Chapter 16: How to Use Reliable Messaging Function for Web Services (SOAP) 16-6 Preparing a Key Pair and Public Key Used by the Sender Client This se

PUSH Model (Receiving Messages by the Server System) 16-7 Figure 16-2 Reliable Messaging PUSH Screen - Deploying the Sender Application dialog • W

J2EE Application 1-9 Possible Countermeasures The following outlines possible countermeasures against security risks. For further details, refer to t

Chapter 16: How to Use Reliable Messaging Function for Web Services (SOAP) 16-8 • Receiver ID (Receiver server ID) Specify the ID of the receiver se

PULL Model (Receiving Messages by the Client System) 16-9 PULL Model (Receiving Messages by the Client System) In the PULL model, the sender applicat

Chapter 16: How to Use Reliable Messaging Function for Web Services (SOAP) 16-10 The following shows an example of command execution to output the pu

PULL Model (Receiving Messages by the Client System) 16-11 • Web service identifier Identifies the receiver application. For details on how to specif

Chapter 16: How to Use Reliable Messaging Function for Web Services (SOAP) 16-12 Notes The Sender server ID, Receiver client ID, and message type ID

PULL Model (Receiving Messages by the Client System) 16-13 Figure 16-4 Reliable Messaging PULL Screen - Deploying the Receiver Application dialog •

Chapter 16: How to Use Reliable Messaging Function for Web Services (SOAP) 16-14 • Message type ID Specify the ID that represents the type of messag

Part VI Security Systems for the ebXML Message Service The ebXML Message Service can be used with the following Windows(R) system or Solaris OE sy

17-1 Chapter 17 How to use SSL with the ebXML Message Service This chapter explains how to use SSL with the ebXML Message Service. With the ebXML Mes

Chapter 1: Security Risks 1-10 Countermeasures Against Damage to Data There are some J2EE applications that use databases. For this type of applicat

Chapter 17: How to use SSL with the ebXML Message Service 17-2

18-1 Chapter 18 How to use XML Digital Signature with ebXML Message Service This chapter explains how to use the XML digital signature with the ebXM

Chapter 18: How to use XML Digital Signature with ebXML Message Service 18-2

Index-1 Index access control, B-4 Acquiring and Registering Certificates (for both the Server and Client), 10-4 Append a User Name and a Password, 15-

Security System Guide - Index Index-2 Configuring the Interstage Certificate Environment with CSR, 7-8 Configuring the Interstage Certificate Environm

Security System Guide - Index Index-3 parameters, 4-8 setup, 4-8 writing HTML, 4-7 HTTP Tunneling Setup, 4-4 HTTP-IIOP gateway, 4-4 IJServer execution

Security System Guide - Index Index-4 threat countermeasures, 1-9 J2EE deployment tool security measures, 2-15 unauthorized resource file access, 2-15

Security System Guide - Index Index-5 CORBA Service, A-4 EJB Service, A-16 EJB Service operation, A-18 environment, A-17 environment construction, A-1

Security System Guide - Index Index-6 Settings for Encryption Using the XML Encryption, 15-16 Settings for the Generation of the SOAP Digital Signatur

Web Services 1-11 Web Services Web services can be used with the following products: • Interstage Application Server Enterprise Edition • Interstage

Chapter 1: Security Risks 1-12 Database Linkage Service The Database Linkage Service can be used with the following products: • Interstage Applicati

Database Linkage Service 1-13 Resources to be Protected The following table lists the resources used when the database linkage service is used. If hi

Chapter 1: Security Risks 1-14 The following describes the locations of the resources to be protected: • Folder storing the OTS system information

Database Linkage Service 1-15 Possible Threats to Resources The following describes the possible security risks to the database linkage service: Table

Chapter 1: Security Risks 1-16 Countermeasures Against Threats For the database linkage service, the following are effective measures against securit

Database Linkage Service 1-17 Using only the authorization of the selected users, start construction of the environment and operation of the database

Security System Guide - Preface iv Organization of this Document This document is organized as follows: Part I Security Risks and Measures • Chapter

Chapter 1: Security Risks 1-18 Periodic Backup If you backup information periodically, you can restore the environment even if the information is tam

OLTP Function 1-19 OLTP Function The OLTP function can be used with the following products: • Interstage Application Server Enterprise Edition • Int

Chapter 1: Security Risks 1-20 Resources to be Protected The following table lists the resources when an OLTP application is used. If high security

OLTP Function 1-21 Possible Threats to Resources The following describes the possible security threats posed to resources to be protected in operation

Chapter 1: Security Risks 1-22 Resource to be protected Possible threat Naming Service for load balance Tampering of data recorded in the file Expl

OLTP Function 1-23 Countermeasures Against Tampering of Data Recorded in the File There are environment definition files and other such files in the o

Chapter 1: Security Risks 1-24 Smart Repository The Smart Repository function can be used with the following products: • Interstage Application Serv

Smart Repository 1-25 Potential Security Threats The following indicates the potential security threats to the resources requiring Smart Repository pr

Chapter 1: Security Risks 1-26 Password Encryption When an entry search is requested from a client to Smart Repository, the password included in an

Smart Repository 1-27 Periodic Data Backup By performing data backup periodically, the environment can be restored even if information is altered thro

Security System Guide - Preface v Part V Security Systems for Web Services (SOAP) • Chapter 13 Security Functions for Web Services (SOAP) This chapt

Chapter 1: Security Risks 1-28 Interstage Single Sign-on This section explains the security threats for Interstage single sign-on and the countermeas

Interstage Single Sign-on 1-29 Possible Threats This section explains the possible threats when using Interstage Single Sign-on. Deleting, Rewriting,

Chapter 1: Security Risks 1-30 Application Risk Interstage Single Sign-on stores important information in the Web browser cookie. The attacker could

Interstage Single Sign-on 1-31 Protecting Communication Contents Encryption is an effective way of protecting communication contents from being rewrit

Chapter 1: Security Risks 1-32 Difficult-to-guess Password Use a password that cannot be easily guessed by others or identified mechanically by some

Interstage Single Sign-on 1-33 Operating and Managing a Business Server To prevent unauthorized access to the protection resources of the business ser

Chapter 1: Security Risks 1-34 For Java Applications Using Single Sign-on JavaAPIs Possible threat Action Application alteration - Periodically ch

Multi Server Management 1-35 Multi Server Management This section describes how to deal with security threats using Multi Server Management. The Admin

Chapter 1: Security Risks 1-36 Configuration Model When using Multi Server Management, the LAN for the flow of the actual business data and the LAN f

Multi Server Management 1-37 Figure 1-2 Multi Server Management Configuration Model In a typical Multi Server Management configuration, one Admin Se

Security System Guide - Preface vi

Chapter 1: Security Risks 1-38 Resources to be Protected This section describes the resources to be protected when Multi Server Management is used. F

Multi Server Management 1-39 Threat Prevention The following table lists countermeasures that can be taken against possible security risks. Table 1-14

Chapter 1: Security Risks 1-40 Countermeasures Against Exploitation of Information Recorded in Files The information required for operation of the In

Configuration Management Function 1-41 Configuration Management Function This section describes how to deal with security threats using the Configurat

Chapter 1: Security Risks 1-42 Resources to be Protected The following resources are used in the Interstage Management Console. If advanced security

Configuration Management Function 1-43 Countermeasures Against Overwriting Information Recorded in Files Various items of Interstage information are s

Chapter 1: Security Risks 1-44

2-1 Chapter 2 Security Measures Generally, the services alone cannot completely protect resources from security attacks. Taking operational measure

Chapter 2: Security Measures 2-2 Common Security Measures This section explains the following topics: • Notes on User Accounts • Backup • Notes on

Security Measures for Interstage Operation Tool 2-3 Security Measures for Interstage Operation Tool The Interstage Operation Tool can be used with the

vii Table of Contents Chapter 1 Security Risks Interstage Management Console and Interstage Operation Tool...

Chapter 2: Security Measures 2-4 Security Measures for Operation of the Web Server (Interstage HTTP Server) This section explains the following topic

Security Measures for Operation of the Web Server (Interstage HTTP Server) 2-5 • IP access control: It is possible to permit access only to specific

Chapter 2: Security Measures 2-6 Risk of Exploiting the HTTP TRACE Method Malicious users (or machines) on the network may read private information i

Security Measures for Operation of the Web Server (Interstage HTTP Server) 2-7 LoadModule rewrite_module libexec/mod_rewrite.so AddModule mod_re

Chapter 2: Security Measures 2-8 Making all documents, except for “user3” and “user4”, under “user home directory/public_html” public. UserDir pub

Security Measures for Operation of the Web Server (InfoProvider Pro) 2-9 Security Measures for Operation of the Web Server (InfoProvider Pro) The I

Chapter 2: Security Measures 2-10 Security Measures for the Servlet Service This section explains the following topics: • Notes on the Use of Sessio

Security Measures for the Servlet Service 2-11 Notes on Communication Data Possible threats to communication between the Web server connector and Serv

Chapter 2: Security Measures 2-12 Security Measures for the EJB Service This section gives an outline of security risks when the EJB service is used.

Security Measures for the EJB Service 2-13 Possible Threats to Resources The following countermeasures can defend EJB Service against security invasio

Security System Guide: Table of Contents viii Operations Confined to Specific Users...

Chapter 2: Security Measures 2-14 Selection of Specific Users By fixing the operators of the entire system to a pre-specified set of users, you can p

Security Measures for J2EE Deployment Tool 2-15 Security Measures for J2EE Deployment Tool This topic explains the following topic: • Unauthorized Ac

Chapter 2: Security Measures 2-16 Security Measures for the J2EE Resource Access Definition This section explains the following topic: • Leakage of

Security Measures for Interstage JMS 2-17 Security Measures for Interstage JMS Interstage JMS can be used with the following products: • Interstage A

Chapter 2: Security Measures 2-18 Security Measures for CORBA Service This section explains the following topics: • Unauthorized Access to Resource

Security Measures for CORBA Service 2-19 These files may be exposed to the threat of unauthorized access from an ill-intentioned person. To protect th

Chapter 2: Security Measures 2-20 Security Measures for Portable-ORB Portable-ORB can be used with the following products: • Interstage Application

Security Measures for Portable-ORB 2-21 Notes on Creation and Operation of Java Applet Be careful about the following points when creating and operati

Chapter 2: Security Measures 2-22 Security Measures for Event Service Event service can be used with the following products: • Interstage Applicatio

Security Measures for IJServer Operation 2-23 Security Measures for IJServer Operation IJServer is an operating environment for JEEE applications. Una

Security System Guide - Table of Contents ix Setting Access Permission for Operating Resources...

Chapter 2: Security Measures 2-24 Security Measures Concerning Operation of Smart Repository Smart Repository can be used with the following products

Security Measures for Fujitsu Enabler 2-25 Security Measures for Fujitsu Enabler This section explains how to configure the security settings for the

Chapter 2: Security Measures 2-26 Measures for Multi server Management This section explains the use of "roles" in Multi server Management.

Measures for Configuration Manager 2-27 Measures for Configuration Manager This section explains the security measures for the Configuration Manager.

Chapter 2: Security Measures 2-28

Part II Authentication and Access Control

3-1 Chapter 3 Authentication and Access Control for the Interstage HTTP Server This chapter describes the authentication and access control that Int

Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-2 Types of Authentication There are three types of authentication, as s

Types of Authentication 3-3 Remarks When SSL is used between the client and the server for user authentication, the user name and the password are enc