Chapter 7. Security Management

Table of Contents

7.1. Account Management
7.2. Encrypting and Storing the Password
7.2.1. Using WebAdmin
7.2.2. Using the Console Tool
7.2.3. Using Encryption Tools
7.3. Managing the Secret Key File
7.3.1. Creating and Managing the Secret Key File
7.3.2. Encrypting the Secret Key File
7.4. Managing the Keystore and Truststore
7.5. Managing Executable Scripts in an SSL-Enabled Domain

This chapter briefly explains some approaches to security, including managing accounts and encrypting the passwords that are required to use JEUS servers. The security information is shared by all servers in the domain and is configured on the DAS (Domain Administration Server).

Note

Refer to "JEUS Security Guide" for detailed information about JEUS security.

7.1. Account Management

JEUS has both user and group accounts.

In JEUS, rights to resources are granted to roles. A user obtains those rights by being assigned to a role.

There are three ways to assign a role to a user.

  • Assign the role to a user name

  • Assign the role to a group that the user belongs to

  • Assign the role to a parent group of the group that the user belongs to

Since the account hierarchy consists of users, groups, and subgroups, users with similar roles in JEUS can be granted similar permissions at once.

Refer to "2.6. Configuring Security System Policies" in the JEUS Security Guide for detailed information about security policies.

7.2. Encrypting and Storing the Password

From JEUS 7, passwords for system management can be encrypted and stored.

The encrypted information is stored in the following format, where Algorithm is the name of the encryption algorithm used and Cryptogram is the encrypted password:

    {Algorithm}Cryptogram

The following encryption algorithms are available for use.

  • AES

  • DES

  • DESede

  • blowfish

  • SEED

The password can be encrypted and stored using WebAdmin or the console tool, or manually by using the encryption tool. This section describes each method.

7.3. Managing the Secret Key File

This section describes how to create, manage, and protect the secret key file.

7.4. Managing the Keystore and Truststore

This section briefly describes how to manage the keystore and truststore that are used in SSL communication.

Both the keystore and the truststore are Java KeyStore (JKS) files. They can be created and managed with the keytool utility provided by the JDK.

By default, JEUS uses the files listed in the system property table below as the keystore and truststore. To use a different path or file name, the property must be configured explicitly.

The configuration can be done at the system level or separately wherever a keystore and truststore are needed.

The following describes each system property.

System Property       Description
jeus.ssl.keystore     Path to the keystore file.
                      Default value is JEUS_HOME/domains/<domain-name>/config/security/keystore.
jeus.ssl.truststore   Path to the truststore file.
                      Default value is JEUS_HOME/domains/<domain-name>/config/security/truststore.
jeus.ssl.keypass      Password for the keystore.
                      Default value is jeuskeypass.
jeus.ssl.trustpass    Password for the truststore.
                      Default value is jeustrustpass.

A password is required to use a keystore or truststore. As previously mentioned, the passwords for the keystore and truststore can be configured in JEUS. Similar to the file path setting, passwords can be configured at the system level or separately as needed.

A keystore requires a password for the keys it contains as well as a password for the keystore itself. In general, the key password is the same as the keystore password.

If the key password differs from the keystore password, set the key password in <keystore-keypassword>. Note that all keys in the keystore must use the same key password for the keystore to be usable.

Caution

Although a keystore and truststore are created when JEUS is installed, it is recommended to create and configure them manually.
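As an added example (not JEUS code), the following Python audit covers two points from 7.2 and this section: it parses stored values in the {Algorithm}Cryptogram format and flags algorithms that are weak by today's standards, and it reports jeus.ssl.keypass / jeus.ssl.trustpass values left at the documented defaults. The weak/strong assessment of each algorithm and the sample values are assumptions of this example, not statements from the guide.

```python
import re

# Algorithms the chapter lists. The assessment is this example's, not the JEUS
# guide's: DES has a 56-bit key; DESede and blowfish use a 64-bit block and are
# deprecated or discouraged for new use; AES and SEED are 128-bit-block ciphers.
KNOWN_ALGORITHMS = {"AES", "DES", "DESede", "blowfish", "SEED"}
WEAK_ALGORITHMS = {"DES": "56-bit key", "DESede": "64-bit block, deprecated",
                   "blowfish": "64-bit block"}
# Default passwords from the chapter's system-property table.
DEFAULT_PASSWORDS = {"jeus.ssl.keypass": "jeuskeypass",
                     "jeus.ssl.trustpass": "jeustrustpass"}
_ENCRYPTED = re.compile(r"^\{(?P<alg>[A-Za-z0-9]+)\}(?P<cryptogram>\S+)$")

def parse_encrypted(value):
    """Split '{Algorithm}Cryptogram' into (algorithm, cryptogram); None if plaintext."""
    m = _ENCRYPTED.match(value.strip())
    return (m.group("alg"), m.group("cryptogram")) if m else None

def audit_password(value):
    """Findings for one stored password: plaintext, unknown tag or weak algorithm."""
    parsed = parse_encrypted(value)
    if parsed is None:
        return ["stored in plaintext (no {Algorithm} prefix)"]
    alg = parsed[0]
    if alg not in KNOWN_ALGORITHMS:
        return ["unknown algorithm tag %r" % alg]
    if alg in WEAK_ALGORITHMS:
        return ["weak algorithm %s (%s); prefer AES" % (alg, WEAK_ALGORITHMS[alg])]
    return []

def audit_ssl_properties(props):
    """Flag keystore/truststore passwords at the documented default. An unset
    property takes the default at runtime, so it is reported as well."""
    return ["%s uses the documented default %r" % (key, default)
            for key, default in DEFAULT_PASSWORDS.items()
            if props.get(key, default) == default]

def audit_domain(passwords, props):
    """Run both checks; return {location: findings} for locations with findings."""
    report = {name: audit_password(v) for name, v in passwords.items()}
    report["jeus.ssl.*"] = audit_ssl_properties(props)
    return {k: v for k, v in report.items() if v}

# Constructed sample values (not from a real domain): a weak, a sound and a
# plaintext password, plus a keystore password left at its default.
SAMPLE_PASSWORDS = {"dbpass": "{DES}q8k1Zz==", "adminpass": "{AES}U2FsdGVk",
                    "oldpass": "secret"}
SAMPLE_PROPS = {"jeus.ssl.keypass": "jeuskeypass", "jeus.ssl.trustpass": "Tr!st-2024"}
```

Calling audit_domain(SAMPLE_PASSWORDS, SAMPLE_PROPS) reports dbpass, oldpass and the jeus.ssl.keypass default while adminpass passes cleanly.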

7.5. Managing Executable Scripts in an SSL-Enabled Domain

This section describes the configurations that must be added to the various executable scripts when the Base Listener of each server in the domain is set to SSL.

When each server in the domain is set to SSL, the server's own SSL configuration is used for inter-server communication. However, processes that run on the client side, such as Console Admin or the executable scripts, require additional SSL configuration.

Additional configurations are required for the following.

Name                      Description
jeusadmin                 Script to start the Console Admin.
startManagedServer        Script to directly start an MS (Managed Server).
stopServer                Script to stop the server.
Other Standalone Client   A standalone client that is not a script but must communicate with a server using SSL.

In the following example of the jeusadmin script, the SSL-related options (-Djeus.net.client.use-ssl=true together with the -Djavax.net.ssl.* and -Dssl.*ManagerFactory.algorithm settings) are the configurations that must be added to the scripts.

. . .
# execute jeusadmin
# The -Djeus.net.client.use-ssl, -Djavax.net.ssl.* and -Dssl.* options below are
# the SSL settings that must be added; the remaining options are the stock script.
# "changeit" is the sample store password; use the password of your own stores.
"${JAVA_HOME}/bin/java" -classpath "${BOOTSTRAP_CLASSPATH}" ${TOOL_OPTION} \
    -Djmx.remote.x.request.timeout=600000 \
    -Djava.library.path="${JEUS_LIBPATH}" \
    -Djeus.home="${JEUS_HOME}" \
    -Djeus.baseport=${JEUS_BASEPORT} \
    -Djeus.tool.console.useJLine="false" \
    -Djava.endorsed.dirs="${JEUS_HOME}/lib/endorsed" \
    -Djava.naming.factory.initial=jeus.jndi.JEUSContextFactory \
    -Djava.naming.factory.url.pkgs=jeus.jndi.jns.url \
    -Djava.util.logging.config.file="${JEUS_HOME}/bin/logging.properties" \
    -Djeus.net.client.use-ssl=true \
    -Djavax.net.ssl.trustStore="${JEUS_HOME}/domains/domain1/config/truststore" \
    -Djavax.net.ssl.trustStorePassword=changeit \
    -Djavax.net.ssl.trustStoreType=JKS \
    -Dssl.TrustManagerFactory.algorithm=SunX509 \
    -Djavax.net.ssl.keyStore="${JEUS_HOME}/domains/domain1/config/keystore" \
    -Djavax.net.ssl.keyStorePassword=changeit \
    -Djavax.net.ssl.keyStoreType=JKS \
    -Dssl.KeyManagerFactory.algorithm=SunX509 \
    ${JAVA_ARGS} \
    jeus.tool.console.ConsoleBootstrapper ${BOOT_PARAMETER}