Masoud Kalali's Blog

Security Archives

How to Secure GlassFish installation, Part II

In order to secure the application server you need to secure its communication ways with outside world, It means you will need to secure all ports and listeners.

There are 3 kind of listeners in Glassfish application server that you will need to take care of them

First of all make sure that you secured the administration listener, make sure that you have enabled Security for administrator listener and set an specific IP address for it to listen on. Usually we are not going to use administration console from outside of the internal network, so let it listen only on interfaces that you need it to listen perhaps the interface that connect the server to your LAN. In order to do this, open administration console and navigate to:

Configuration> HTTP Service> HTTP Listeners> admin-listener

Change the Network Address as appropriated, check the Security check box, and in the SSL Tab enable Client Authentication, in order to find out how you should use Client Certificate, take a look at my previous posts about SSL and securing GlassFish Application Server. You have two other Http listeners to take care of, so make sure that you change their Network Address and enable the Security facilities if required

There is another listener which you need to take care of, It is your IIOP listener. IIOP listener let you create a context to lookup into your JNDI, etc. In order to configure the IIOP listeners you should navigate to:

Configuration> ORB> IIOP Listeners

Here you can see that there are 3 different listeners already created and configure for different purposes. You should not allow the first non-secure listener (orb-listener-1) to listen over a public network as there is no authentication or transfer layer security for this listener, but the second one (SSL) have transport layer security and the third one (SSL_MUTUALAUTH) has mutual authentication which guarantee that listener will only process request come after a client cert authentication. make sure that you configure the listeners to listen on correct Network address and remove or disable the listeners those that you do not need. You can disable a listener by looking at listener details page which provides a check box for it.

Another listener which you need to take care of is your JMX connector listener, You can view and edit its configuration by navigating to:

Configuration> Admin Service> system

Here you are able to change the realm that this listener use to authenticate the users that are trying to connect to JMX listener, you can change the realm to an specific realm which you have made only for JMX users or let it use you administration realm. You can change the Network Address that this listener is using along with enabling the SSL and Client Cert Authentication in order to secure the data transfer and guarantee that only users with correct digital certification can use your JMX connector to control the application server

PS: All of the listeners that you can configure in your administration console allows you to have Mutual Authentication (Client Cert Authentication) which ensure that both parties have verify-able certifications. This certifications can come from well known providers like VeriSign or your own CA. on the other hand all listeners allows you to specify an specific alias for them, which means that each listener mutual authentication can be configured completely independent from other listeners, for example you can have two alias one for administration console and one for JMX connector in order to prevent JMX users to connect to administration console.

For more information you can take a look at my older posts related to this matter:

• How to secure GlassFish application server, Part I
• Make your Own CA using EJBCA, Part I
• Make you own CA using EJBCA, Part II

How to have your Own CA and configure Glassfish and your clients for mutual authentication?, Part II

In the second part of the series, you can see how we can utilize EJBCA to create certification for a client side application which will communicate with Glassfish server when Client cert authentication (Mutual Authentication) is enabled whether by changing the listener attributes or by describing it in the web-config.xml.

In order to create client certification we will need to perform following steps as described in 4 sections:

Section 1: Creating clients certification profile:

• Go to https://localhost:8080/ejbca/ and select Administration.
• Select Edit Certification profiles from the left side menu.
• Enter a name for the profile and press add button. I choose Clients as the name.
• From the list select Clients Item and press Edit button.
• Now profile edit page will open change the attribute as follow:
  • for Key Usage  you should select at least Digital Signature and Key Encypherment.
  • From  Extended Key Usage select Client Authentication
• press save button.

Section 2: Create servers end entities profile:

Now you have create a profile which in next sections you can create certifications which will comply with it. Now we will need to create an End Entity Profile so follow these steps to create it.

• From the left side menu click on  edit end entities profile .
• Enter ClientsProfile as profile name and press add button.
• From the list select ClientsProfile and press Edit End Entity Profile button.
• Enter a user name and a password for the profile, I choose cAdmin/ cAdminAdmin.
• Enter the common name
• From the list of Available Certificate Profiles  select Clients which we made in last step.
• select JKS as default token.
• click Save

Now we are reaching an step in which we will create the real certificate that client will use to prove its identity and initiate SSL enabled session. To create the certificate perform following steps:

Section 3: Create Client certification

• From the left side menu select add end entity link.
• Select ClientsProfile as End Entity Profile.
• Enter all information as you like.
• Select JKS as Token.
• press add end entity button

Section 4: Use the certification in Client Application.

You are done, the certification is ready to be downloaded and used.

• Go to https://localhost:8080/ejbca/  and select Certification Enrollment.
• Select Manually for a Server
• Enter user name and password which you have entered for end entity in previous step.
• Click OK.

By pressing OK a JKS file will download to your computer.

Create two copies of the file and Rename them  to keystore.JKS and cacerts.jks. In order to create a SSL enabled client, either web service client or any type of socket client which need to use SSL you can follow one of the following path:

• When you want to run your java application pass following parameter to JVM, it will ask JVM to use your cacerts.jks and keystore.jks during initialing SSL communication and authentication.

-Djavax.net.ssl.trustStore="Truststore_Location"    -Djavax.net.ssl.trustStorePassword="Truststore_Password"   -Djavax.net.ssl.keyStore ="Keystore_Location" -Djavax.net.ssl.keyStorePassword="Keystore_Password"

• Second way is adding the same parameter to your JVM during execution of your application code. using this way you are not forced to pass parameter and disclose your key stores passwords.

System.getProperties.put("javax.net.ssl.trustStore","Truststore_Location");
System.getProperties.put("javax.net.ssl.trustStorePassword","Truststore_Password");
System.getProperties.put("javax.net.ssl.keyStore","Keystore_Location"); 
System.getProperties.put("javax.net.ssl.keyStorePassword","Keystore_Password");

Make sure that you are using correct location and password for your files, passwords are same as one you used to download the JKS files.

I should say again that you can explore and perhaps learn more about jks files, keys and certification by exploreing your stores, you can use jks file editor located at http://members.aon.at/bhuber14/nbm.html. Also if you are may find more cool key store editor in NetBeans Module Portal

For more information or maybe to find some of your questions answered you may take a look at:

• http://www.ryandelaplante.com/rdelaplante/entry/ssl_and_http_basic_authentication
• blogs.sun.com/swchan/entry/how_to_use_verisign_cert

How to have your Own CA and configure Glassfish and your clients for mutual authentication?

One of the most repeated question in GlassFish mailing list is SSL, Certification, Mutual Authentication,.... In this Entry I will try to address some of this questions by giving an step by step guide for using EJBCA to issue certificate, use them in both glassfish and clients which connect to glassfish in some manner. clients like web browser, standalone java applications,...

There are several tutorial and blog entry about configuring glassfish to use some specific certification in order to perform server authentication for clients over SSL and each of those weblog is an invaluable source of information. In this blog entry and perhaps the next one I will address another concerns which some people has for their GlassFish and client security. Some times we are running an application within an enterprise and we need to have mutual authentication for every clients that connect to server so we will need to have one certification for client and another one for our glassfish server. both of this certification should be valid (issued by an already known CA within glassfish trust store and client trust store). For these two entries I assume that our client and server will just accept certification issued by our own CA which is based on EJBCA.

Before we start the main job you will need to download and install EJBCA from its web site, then you will need to install it according to its manual which you can find in documentation section. After you installed and could view EJBCA administration console then you can follow the rest of the entry.

In order to create server certification we will need to perform following steps as described in 4 sections:

Section 1: Creating servers certification profile:

• Go to https://localhost:8080/ejbca/ and select Administration.
• Select Edit Certification profiles from the left side menu.
• Enter a name for the profile and press add button. I choose servers as the name.
• From the list select servers Item and press Edit button.
• Now profile edit page will open change the attribute as follow:
  • for Key Usage  you should select at least Digital Signature and Key Encypherment.
  • From  Extended Key Usage select Server Authentication
• press save button.

Section 2: Create servers end entities profile:

Now you have create a profile which in next sections you can create certifications which will comply with it. Now we will need to create an End Entity Profile so follow these steps to create it.

• From the left side menu click on  edit end entities profile .
• Enter ServersProfile as profile name and press add button.
• From the list select ServersProfile and press Edit End Entity Profile button.
• Enter a user name and a password for the profile, I choose sAdmin/ sAdminAdmin.
• Enter the common name
• From the list of Available Certificate Profiles  select Servers which we made in last step.
• select JKS as default token.
• click Save

Now we are reaching an step in which we will create the real certificate that Glassfish will use  in its SSL enabled listener. To create the certificate perform following steps:

Section 3: Create server certification

• From the left side menu select add end entity link.
• Select ServersProfile as End Entity Profile.
• Enter all information as you like but make sure that CN should be Exact and fully qualified name of your sever as will access it from clients, for example if you are going to access the serve as computer1.mydomain.com then the CN should be the same if you are going to access it as Comuter1 then the CN should be that.
• Select JKS as Token.
• press add end entity button

Section 4: Use the certification in Application Server.

You are done, the certification is ready to be downloaded and used.

• Go to https://localhost:8080/ejbca/  and select Certification Enrollment.
• Select Manually for a Server
• enter user name and password which you have entered for end entity in previous step.
• Click OK.

By pressing OK a JKS file will download to your computer.

• Create two copies of the file and Rename them  to keystore.JKS and cacerts.jks.
• Goto Glassfish/domains/domain1 (If domain 1 is the domain that you want to configure for SSL).
• Make sure that application server is stopped by issuing the following command.

	Glassfish_home/bin/asadmin  stop-domain domain1	

• Now we need to change the master password in order to let glassfish open our new cacert.jks and keystore.jks so perform following command.

	Glassfish_home/bin/asadmin  change-master-password  \\\Here you should write the password that you choosed in last step/// --savemasterpassword=true

• Now Goto glassfish_home/domains/domain1/config and create a backup from cacert.jks and keystore.jks.
• Copy files that we create in first step of this section to this folder (overwrite the original files).
• Open domain.xml (it is in domain1/config folder) by a text editor and replace all s1as occurrences with CN name that you have choose in section 3.
• Start the application server.

You are done, you application server should start normally, but you have some more steps before you complete the mutual authentication capability.

Section 5: Enabling mutual authentication for a listener.

Open application server administration console and from the left side menu select Configuration> HTTP Service> HTTP Listeners> http-listener-2, now you should check the Security check box and select SSL tab, now make sure that you have checked Client Authentication check box.

You are done, point your browser to https://computer1.mydomain.com:8181 you will see that this page will only open for the browser that you have imported EJBCA administration certification. it means that both server and client must prove their identity before they could communicate.

In next entry of this series I will demonstrate steps that you need to follow in order to create a stand alone web service client.

Make sure that you need to delete the private key of you server from cacerts.jks (it is not necessary by the way). Best way to explore you key stores is using keytool which you can find more information about it Here. Also if you are may find more cool key store editor in NetBeans Module Portal

For more information or maybe to find some of your questions answered you may take a look at:

• http://www.ryandelaplante.com/rdelaplante/entry/ssl_and_http_basic_authentication
• blogs.sun.com/swchan/entry/how_to_use_verisign_cert

How to install and use OpenSSO CLI (Command Line Administration Interface)

OpenSSO  which is open source branch of Sun Java Access Manager has several module which you should install and configure in case that you want to have similar bundle from its open source branch.

One of main components is OpenSSO itself which you can obtain from  Its nightly builds page; just make sure to select latest link which will take you to the download page with links to OpenSSO modules.
OpenSSO file name should be OpenSSO.war; this file is server side application that handle all authentication and authorization related activities. in the download page you can see several other modules, for this blog entry I will give you some details about installing OpenSSO and Administration Command Line Tools. ((It should be last row link in component download page).

To install OpenSSO, you can follow a detailed installation instruction in OpenSSO easy installation just make sure that you remember value that you determined for  Configuration directory because we will use it to install CLI (Command Line administration Interface).

Now that you have installed OpenSSO you can install its CLI package. Download amAdminTools.zip and extract it somewhere in your hard dist. after you have extracted it follow this sequence to complete its installation open a terminal (cmd)  and navigate to directory that you extract the amAdminTools.zip; execute: setup -p  <OPENSSO_CONFIGURATION_DIRECTORY>

It should echo some text indicating that installation is successful. If you want to know more, Installation is nothing more than creation of batch files that I will talk about one of  them in next step. this batch files use some files that are located in opensso configuration directory to perform their operations.

the file that I will talk about is named amadm.bat or amadm.sh this file let you manage your OpenSSO installation from a command line interface even if opensso server is running. all sub commands of this command has a set of 2 common parameter

1. -u amAdmin : this is default administration username. you can create more users with administration privileges.
2. -w <password> it is your password which you determined during opensso installation.

Now lets try some commands

amadm.bat create-realm -e /realm12 -u amAdmin -w adminadmin

amadm.bat list-realms -e / -u amAdmin -w adminadmin

amadm.bat list-identities -e / -x "*" -t User -u amAdmin -w adminadmin

amadm.bat

By default root realm is named openSSO and your created realm will be a child of that realm, Now you can open openSSO web based administraton console and check the result of CLI with it

This work is licensed under a Creative Commons License.