Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

• GlassFish Server Documentation Set
• Related Documentation
• Typographic Conventions
• Symbol Conventions
• Default Paths and File Names
• Documentation, Support, and Training
• Searching Oracle Product Documentation
• Documentation Accessibility

1 Administering System Security

• About System Security in GlassFish Server
  • Authentication
    • Authentication Types
    • JSR 196 Server Authentication Modules
    • Passwords
    • Password Aliases
    • Single Sign-on
  • Authorization
    • Roles
    • Java Authorization Contract for Containers
    • Working With the server.policy Policy File
  • Auditing
  • Firewalls
  • Certificates and SSL
    • Certificates
    • Certificate Chains
    • Certificate Files
    • Secure Sockets Layer
    • Custom Authentication of Client Certificate in SSL Mutual Authentication
  • Tools for Managing System Security
• Administering Passwords
  • To Change the Master Password
  • Additional Considerations for the start-instance and start-cluster Subcommands
  • Using start-instance and start-cluster With a Password File
  • To Change an Administration Password
  • To Set a Password From a File
  • Administering Password Aliases
    • To Create a Password Alias
    • To List Password Aliases
    • To Delete a Password Alias
    • To Update a Password Alias
• Administering Audit Modules
  • To Create an Audit Module
  • To List Audit Modules
  • To Delete an Audit Module
• Administering JSSE Certificates
  • To Generate a Certificate by Using keytool
  • To Sign a Certificate by Using keytool
  • To Delete a Certificate by Using keytool
• Administering JACC Providers
  • Administering JACC Providers From the Administration Console
  • Administering JACC Providers from the Command Line

2 Administering User Security

• Administering Authentication Realms
  • Overview of Authentication Realms
  • To Create an Authentication Realm
  • To List Authentication Realms
  • To Update an Authentication Realm
  • To Delete an Authentication Realm
  • To Configure a JDBC or Digest Authentication Realm
  • To Configure LDAP Authentication with OID
  • To Configure LDAP Authentication with OVD
  • To Enable LDAP Authentication on the GlassFish Server DAS
• Administering File Users
  • To Create a File User
  • To List File Users
  • To List File Groups
  • To Update a File User
  • To Delete a File User

3 Administering Message Security

• About Message Security in GlassFish Server
  • Security Tokens and Security Mechanisms
  • Authentication Providers
  • Message Protection Policies
  • Application-Specific Web Services Security
  • Message Security Administration
    • Message Security Tasks
    • Message Security Roles
  • Sample Application for Web Services
• Enabling Default Message Security Providers for Web Services
  • To Enable a Default Server Provider
  • To Enable a Default Client Provider
• Configuring Message Protection Policies
  • Message Protection Policy Mapping
  • To Configure the Message Protection Policies for a Provider
  • Setting the Request and Response Policy for the Application Client Configuration
• Administering Non-default Message Security Providers
  • To Create a Message Security Provider
  • To List Message Security Providers
  • To Update a Message Security Provider
  • To Delete a Message Security Provider
  • To Configure a Servlet Layer Server Authentication Module (SAM)
• Enabling Message Security for Application Clients
• Additional Information About Message Security

4 Administering Security in Cluster Mode

• Configuring Certificates in Cluster Mode
• Dynamic Reconfiguration
  • Enabling Dynamic Configuration
• Understanding Synchronization

5 Managing Administrative Security

• Secure Administration Overview
• How Secure Admin Works: The Big Picture
  • Functions Performed by Secure Admin
  • Which Administration Account is Used?
  • What Authentication Methods Are Used for Secure Administration?
  • Understanding How Certificate Authentication is Performed
  • What Certificates Are Used?
    • Self-Signed Certificates and Trust
    • Using Your Own Certificates
  • An Alternate Approach: Using Distinguished Names to Specify Certificates
  • Guarding Against Unwanted Connections
• Considerations When Running GlassFish Server With Default Security
• Running Secure Admin
  • Prerequisites for Running Secure Admin
  • An Alternate Approach: Using A User Name and Password for Internal Authentication and Authorization
  • Example of Running enable-secure-admin
• Additional Considerations When Creating Local Instances
• Secure Admin Use Case
• Upgrading an SSL-Enabled Secure GlassFish Installation to Secure Admin

6 Running in a Secure Environment

• Determining Your Security Needs
  • Understand Your Environment
  • Hire Security Consultants or Use Diagnostic Software
  • Read Security Publications
• Installing GlassFish Server in a Secure Environment
  • Enable the Secure Administration Feature
• Remove Unused Components
  • Removing Installed Components
    • Procedure To Remove an Installed Component
  • Remove Services You Are Not Using
• Run on the Web Profile if Possible
• Securing the GlassFish Server Host
• Securing GlassFish Server
• Securing Applications

7 Integrating Oracle Access Manager

• About OAM Security Provider for Glassfish
  • Obtaining Oracle Access Manager Group Information
• About Oracle Access Manager
• Understanding OAM Security Provider Use Cases
  • Use Case: Authentication for Web Resources Via Access Gate
  • Use Case: Identity Assertion for Web Resources via WebGate
  • Use Case: Authorization Checks Based on Policy Manager
• Configuring the OAM Security Provider
• Determining Which Authentication Method is Used
• Integrating OAM Security Provider with Oracle Access Manager 10g
  • Integrating OAM Security Provider with Oracle Access Manager 10g
• Integrating OAM Security Provider with Oracle Access Manager 11g
  • Integrating OAM Security Provider with Oracle Access Manager 11g
  • Addtional Considerations for Certificate Authentication
• Integrating OAM Security Provider with Oracle Access Manager 11g and WebGate
  • Integrating OAM Security Provider with Oracle Access Manager 11g and WebGate
  • Additional Considerations for Certificate Authentication With a WebGate
  • Session Synchronization