2.2 Security

Moving from pre-production to production usually involves hardening the security aspects of the system. In sandbox testing, you may have been using regular HTTP to connect the user application driver to JBoss, or you may have been using a self-signed certificate (as a temporary measure) for driver/app-server communication. In production, on the other hand, you will probably use secure connections, with server authentication based on your company’s Verisign (or other trusted-provider) certificate.

It is typical for X.509 certificates to be used in a variety of places in the Identity Manager user application environment, as shown in the diagram below.

[Illustration: certificate placement in the user application environment]

All communication between the user application and the identity vault is secure, using Transport Layer Security, by default. The installation of the identity vault (eDirectory) certificate into the JBoss keystore is done automatically at install time. Unless you specify otherwise, the user application installer places a copy of the eDirectory certificate in the JRE’s default cacerts store.

The server certificate needs to be present in several places, as shown in the diagram, if communications are to be secure. The setup steps differ depending on whether you use a self-signed certificate in the places marked with a JBoss cert box in the diagram, or a certificate issued by a trusted certificate authority (CA) such as Verisign.

Self-Signed Certificates

If you are using a certificate from a well-known trusted issuer (for example, Verisign), no special configuration steps should be necessary. But if you intend to create and use a self-signed certificate, you will need to do these steps:

  1. Create a keystore with a self-signed certificate, using command-line syntax similar to the following:

    keytool -genkey -alias tomcat -keyalg RSA -storepass changeit -keystore jboss.jks -dname "cn=JBoss,ou=exteNd,o=Novell,l=Waltham,s=MA,c=US" -keypass changeit

    Notice that you are creating the file “jboss.jks” as well as the certificate.

  2. Copy the keystore file (jboss.jks) to your JBoss user application directory, for example:

    cp jboss.jks ~/jboss-4.0.2/server/spitfire/conf

Turning on SSL in JBoss

To enable SSL in JBoss, locate the jbossweb-tomcat55.sar file under [IDM]/jboss/server/IDM/deploy/. In it, find server.xml and open that file in a text editor. Enable SSL by uncommenting or adding a Connector element that looks like the following (the keystoreFile and keystorePass values must match the keystore you created above):

<Connector port="8443" address="${jboss.bind.address}"
     maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
     emptySessionPath="true"
     scheme="https" secure="true" clientAuth="false"
     keystoreFile="${jboss.server.home.dir}/spitfire/conf/jboss.jks"
     keystorePass="changeit" sslProtocol="TLS" />

Turning on SOAP Security

In IDM.war, find the web.xml file and open it in a text editor. At the bottom of the file, uncomment the following section, which forces every request to the application (url-pattern /*) onto a CONFIDENTIAL, that is HTTPS, transport:

<security-constraint>
        <web-resource-collection>
                <web-resource-name>IDMProv</web-resource-name>
                <url-pattern>/*</url-pattern>
                <http-method>POST</http-method>
                <http-method>GET</http-method>
                <description>IDM Provisioning Edition</description>
        </web-resource-collection>
        <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
</security-constraint>

Save the file and the archive. Restart JBoss.
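As an added example (not part of this documentation), the following Python checker parses a server.xml Connector and a web.xml security-constraint shaped like the fragments above and reports settings that should not reach production: a connector that is not marked secure, a non-TLS sslProtocol, the default "changeit" keystore password used by the sample keytool command, and a missing CONFIDENTIAL transport-guarantee on /*. The sample XML inside the block is constructed from the page's fragments.

```python
"""Hardening checks for the JBoss TLS settings described above (added example)."""
import xml.etree.ElementTree as ET

# Constructed samples modelled on the page's configuration fragments.
SERVER_XML = """<Server><Service><Connector port="8443" address="${jboss.bind.address}"
     maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
     emptySessionPath="true"
     scheme="https" secure="true" clientAuth="false"
     keystoreFile="${jboss.server.home.dir}/spitfire/conf/jboss.jks"
     keystorePass="changeit" sslProtocol="TLS" /></Service></Server>"""

WEB_XML = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>IDMProv</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint></web-app>"""


def check_connector(server_xml):
    """Return a list of findings for the HTTPS Connector(s); empty means OK."""
    findings = []
    https = [c for c in ET.fromstring(server_xml).iter("Connector")
             if c.get("scheme") == "https"]
    if not https:
        return ["no https Connector defined"]
    for c in https:
        port = c.get("port")
        if c.get("secure") != "true":
            findings.append(f'port {port}: secure must be "true"')
        if c.get("sslProtocol") != "TLS":
            findings.append(f"port {port}: sslProtocol should be TLS")
        if c.get("keystorePass") == "changeit":  # default from the keytool sample
            findings.append(f"port {port}: keystore still uses default password")
    return findings


def check_confidential(web_xml):
    """Verify some security-constraint forces HTTPS (CONFIDENTIAL) for /*."""
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        patterns = [p.text for p in sc.iter("url-pattern")]
        guarantee = sc.findtext("user-data-constraint/transport-guarantee")
        if "/*" in patterns and guarantee == "CONFIDENTIAL":
            return []
    return ["no security-constraint with CONFIDENTIAL transport-guarantee on /*"]
```

Run both checks against the real files after deployment; the sample above reports only the default keystore password, which should be changed before going live.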

2.2.1 Mutual Authentication

The Identity Manager user application supports traditional server authentication (as commonly used for HTTPS sessions with secure web pages), but does not support bidirectional certificate-based authentication out of the box. That functionality can be obtained, however, by using Novell iChain. So if, for example, your organization needs to allow users to log in with a user certificate rather than a password, you can achieve this by adding iChain to your environment.

See your Novell representative for more information.