


Masoud Kalali's Blog

Masoud Kalali holds a software engineering degree and has been programming for the last 8 years. Experienced with .NET and some other languages, his platform of choice is Java. He is experienced in system design and server-side development, and is interested in portal systems and related JSRs, and database development.



How to Secure GlassFish installation, Part II

Posted by kalali on February 17, 2008 at 12:34 PM | Permalink | Comments (0)

To secure the application server, you need to secure its channels of communication with the outside world, which means securing all of its ports and listeners.

There are three kinds of listeners in the GlassFish application server that you need to take care of.

First, make sure that you have secured the administration listener: enable Security for it and set a specific IP address for it to listen on. The administration console is usually not used from outside the internal network, so let it listen only on the interfaces where you need it, perhaps the interface that connects the server to your LAN. To do this, open the administration console and navigate to:


Configuration> HTTP Service> HTTP Listeners> admin-listener

Change the Network Address as appropriate, check the Security check box, and enable Client Authentication in the SSL tab. To find out how to use client certificates, take a look at my previous posts about SSL and securing the GlassFish application server. There are two other HTTP listeners to take care of, so make sure that you change their Network Address and enable the Security facilities if required.

There is another listener that you need to take care of: the IIOP listener. The IIOP listener lets you create a context to look up into your JNDI, etc. To configure the IIOP listeners, navigate to:


Configuration> ORB> IIOP Listeners

Here you can see that three different listeners are already created and configured for different purposes. You should not allow the first, non-secure listener (orb-listener-1) to listen on a public network, as there is no authentication or transport layer security for this listener. The second one (SSL) has transport layer security, and the third one (SSL_MUTUALAUTH) has mutual authentication, which guarantees that the listener only processes requests that arrive after client certificate authentication. Make sure that you configure the listeners to listen on the correct Network Address, and remove or disable the listeners that you do not need. You can disable a listener on its details page, which provides a check box for this.

Another listener that you need to take care of is the JMX connector listener. You can view and edit its configuration by navigating to:


Configuration> Admin Service> system

Here you can change the realm that this listener uses to authenticate users who try to connect to the JMX listener: you can change it to a specific realm that you have created only for JMX users, or let it use your administration realm. You can also change the Network Address that this listener uses, and enable SSL and Client Cert Authentication to secure the data transfer and guarantee that only users with a correct digital certificate can use your JMX connector to control the application server.

PS: All of the listeners that you can configure in the administration console allow Mutual Authentication (Client Cert Authentication), which ensures that both parties have verifiable certificates. These certificates can come from well-known providers like VeriSign or from your own CA. In addition, every listener lets you specify its own alias, which means that each listener's mutual authentication can be configured completely independently of the other listeners. For example, you can have two aliases, one for the administration console and one for the JMX connector, in order to prevent JMX users from connecting to the administration console.
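The checks described above can also be run against the domain configuration file. The following is an added example, not code from the original post: it audits HTTP, IIOP and JMX listeners for wildcard addresses, missing transport security and missing client certificate authentication. The element and attribute names assume the GlassFish v2 `domain.xml` layout, the sample document is constructed, and each finding is an item to review against what that listener actually needs.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element and attribute names assume the GlassFish v2 domain.xml layout.
SAMPLE_DOMAIN_XML = """
<domain><configs><config name="server-config">
  <http-service>
    <http-listener id="admin-listener" address="192.168.10.5" port="4848" enabled="true" security-enabled="true">
      <ssl cert-nickname="admin-alias" client-auth-enabled="true"/>
    </http-listener>
    <http-listener id="http-listener-1" address="0.0.0.0" port="8080" enabled="true" security-enabled="false"/>
  </http-service>
  <iiop-service>
    <iiop-listener id="orb-listener-1" address="0.0.0.0" port="3700" enabled="true" security-enabled="false"/>
    <iiop-listener id="SSL" address="0.0.0.0" port="3820" enabled="false" security-enabled="true">
      <ssl cert-nickname="s1as" client-auth-enabled="false"/>
    </iiop-listener>
  </iiop-service>
  <admin-service>
    <jmx-connector name="system" address="0.0.0.0" port="8686" enabled="true" security-enabled="false" auth-realm-name="admin-realm"/>
  </admin-service>
</config></configs></domain>
"""

WILDCARDS = {"", "0.0.0.0", "::"}  # addresses that bind every interface

def audit_listeners(xml_text):
    """Return a sorted list of (listener, finding) for every enabled listener."""
    findings = []
    root = ET.fromstring(xml_text)
    for tag in ("http-listener", "iiop-listener", "jmx-connector"):
        for el in root.iter(tag):
            name = el.get("id") or el.get("name")
            if el.get("enabled", "true") != "true":
                continue  # a disabled listener accepts no connections
            if el.get("address", "") in WILDCARDS:
                findings.append((name, "listens on all interfaces"))
            ssl = el.find("ssl")
            if el.get("security-enabled", "false") != "true":
                findings.append((name, "no transport security"))
            elif ssl is None or ssl.get("client-auth-enabled", "false") != "true":
                findings.append((name, "no client certificate authentication"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit_listeners(SAMPLE_DOMAIN_XML):
        print(f"{name}: {finding}")
```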

For more information you can take a look at my older posts related to this matter:






The train starts running: NetBeans Innovators Grants has just been announced.

Posted by kalali on January 29, 2008 at 07:41 AM | Permalink | Comments (0)

The train starts running: NetBeans Innovators Grants has just been announced.

  • Are you an RCP developer looking for some financial support to implement some modules on top of NetBeans RCP?
  • Are you familiar with the NetBeans IDE and do you have some ideas up your sleeve, ideas to enhance the IDE's functionality, ideas about new functionality, etc.?
  • Do you know of some bugs/RFEs in IssueZilla which you could fix, but for which you were looking for financial support?
  • Do you have some cool ideas about sample projects or blueprints showing how one can develop Java/J2EE/J2ME/Ruby/C++ projects using the NetBeans IDE and its capabilities?

If you fit into one of the above categories, you can join the NetBeans Innovators Grants, a sub-program of Sun Microsystems' US$ 1 million program, which is intended to help people develop open source projects sponsored by Sun Microsystems.

Take a look at the NetBeans Innovators Grants home page and read it carefully, check the Submission Details page to understand what is expected in your submission, and once you have prepared your project proposal, go to the Proposal Submission page and fill in the forms with your project details to jump onto the contest train.

Another possible subject for a project is contributing articles, tutorials and sample code to NetBeans Zone, located at NetBeans Zone. This web site is intended to be the most complete source of articles, links, etc. for the NetBeans platform and IDE.

P.S: Make sure that you read the legal page located at: Legal information





