Editing a Realm

To edit a realm, follow these steps.

  1. In the Admin Console tree component, expand the Configuration node.
  2. Expand the Security node.
  3. Expand the Realms node.
  4. Select the name of an existing realm.
  5. The Edit Realm page displays.

  6. Edit existing properties and their values as desired.
  7. For information on file realm properties, see "Editing the file and admin-realm Realms". To manage users in the file realm, click the Manage Users button; see "Managing file Realm Users" for more information.

    For information on certificate realm properties, see "Editing the certificate Realm".

  8. To add additional properties, click the Add Properties button. The page displays a new row. Enter a valid property name and property value. See Table 0-40 (file realms) and Table 0-41 (certificate realm) for descriptions of the properties that can be configured.
  9. Click Save to save the changes.

Editing the file and admin-realm Realms

The server maintains all user, group, and password information in a file named keyfile for the file realm and admin-keyfile for the admin-realm. For both, the file property specifies the location of the keyfile. Table 0-40 shows required properties for a file realm.

Table 0-40  Required properties for file realms

  Property name   Description                                    Default Value
  -------------   --------------------------------------------   ----------------------------------------------
  file            Full path and name of the keyfile.             install_dir/domains/domain-name/config/keyfile
  jaas-context    Type of login module to use for this realm.    fileRealm (the only valid value)

The keyfile is initially empty, so users must be added before the file realm is used. For instructions, see "Managing file Realm Users".

The admin-keyfile initially contains the admin user name, the admin password in hashed (one-way) form, and the group to which this user belongs, which is asadmin by default. For more information on adding users to the admin-realm, read "Controlling Access to Administration Tools".

Note: Users in the group asadmin in the admin-realm are authorized to use the Admin Console and the asadmin tool. Add to this group only users who need server administrative privileges.

Managing Users with Network Security Services (NSS)

In the Enterprise Edition only, you can manage users either with the Admin Console, as described in "Managing file Realm Users", or with the NSS tools. Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. For detailed information, see the following URLs:

Managing file Realm Users

Manage file realm users with the Admin Console. Users and groups in the file realm are listed in the keyfile, whose location is specified by the file property.

Note: It is also possible to use these steps to add users to any file realm, including the admin-realm. Simply substitute the name of the target realm in place of the file realm referenced in this section.

A user in the file realm can belong to a J2EE group, a category of users classified by common traits. For example, customers of an e-commerce application might belong to the CUSTOMER group, but the big spenders would belong to the PREFERRED group. Categorizing users into groups makes it easier to control the access of large numbers of users.

Immediately after installation of the Application Server, the only user is the administrator created during installation. By default, this user belongs to the group asadmin in the realm admin-realm, which grants the right to modify the Application Server. Any user assigned to this group has administrator privileges, that is, access to the asadmin tool and the Admin Console.

To manage file realm users, follow these steps.

  1. In the Admin Console tree component, expand the Configuration node.
  2. Expand the Security node.
  3. Expand the Realms node.
  4. Select the file node.
  5. Click the Manage Users button from the Edit Realm page.
  6. The File Users page displays. On this page, perform the tasks described in the following sections:

Adding a User

In the File Users page, add a new user by following these steps:

  1. Click New to add a new user to the file realm.
  2. Enter the following information on the File Users page:
  3. Click OK to add this user to the list of users in the file realm. Click Cancel to quit without saving.

Equivalent asadmin command: create-file-user

Editing a User

In the File Users page, change a user’s information by following these steps:

  1. In the User ID column, click the name of the user to be modified.
  2. The Edit File Realm User page displays.

  3. Change the user’s password by entering a new password in the Password and Confirm Password fields.
  4. Change the groups to which the user belongs by adding or deleting groups in the Group List field. Separate group names with commas. Groups need not be previously defined.
  5. Click Save to save this user to the list of users in the file realm. Click Close to quit without saving.

Deleting a User

In the File Users page, delete a user by following these steps:

  1. Select the checkbox to the left of the name of the user(s) to be deleted.
  2. Click Delete.
  3. Click Close to return to the Edit Realm page.

Equivalent asadmin command: delete-file-user
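The notes above say that membership in the asadmin group of the admin-realm is what grants Admin Console and asadmin access, and that the keyfile holds users, hashed passwords and groups, but the page does not document the keyfile's layout. The following is an added example, not code from the Application Server or from this guide: it audits a keyfile offline, listing the members of asadmin and checking stored hashes. It assumes the Sun/GlassFish FileRealm format as the author of this example understands it (one `user;{SSHA}base64;group1,group2` entry per line, `#` comments, and SSHA = base64(SHA-1(password || salt) || salt) with an 8-byte salt); the sample keyfile and the weak-password list are constructed. Compare one line of your own keyfile against the assumed format before relying on the audit.

```python
"""
Added example: offline audit of a file-realm keyfile. Not code from the
Application Server. Assumed layout (author's understanding of the FileRealm
format, not taken from the page):
    user;{SSHA}base64(sha1(password+salt)+salt);group1,group2
with '#' comment lines and an 8-byte salt.
"""
import base64
import hashlib
import hmac
import os

SSHA_TAG = "{SSHA}"
SHA1_LEN = 20
SALT_LEN = 8


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Encode a password the way the assumed keyfile format stores it."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_TAG + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Constant-time check of a password against a stored {SSHA} value."""
    if not stored.startswith(SSHA_TAG):
        return False
    raw = base64.b64decode(stored[len(SSHA_TAG):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def parse_keyfile(text: str) -> dict:
    """Return {user: {"hash": str, "groups": [str, ...]}}; blank and '#' lines are skipped."""
    users = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";")
        if len(fields) != 3:
            raise ValueError(f"keyfile line {lineno}: expected user;hash;groups")
        user, pw_hash, groups = fields
        users[user] = {"hash": pw_hash, "groups": [g for g in groups.split(",") if g]}
    return users


def members_of(users: dict, group: str) -> list:
    """Users that belong to a group, e.g. everyone who may use the Admin Console."""
    return sorted(u for u, rec in users.items() if group in rec["groups"])


def audit(users: dict, admin_group: str = "asadmin",
          weak_passwords=("password", "admin")) -> list:
    """Findings a reviewer of an admin-keyfile wants: every admin-group member,
    any admin-group member whose hash matches a (constructed) weak value, and
    any entry whose password is not stored as {SSHA}."""
    findings = []
    for user in members_of(users, admin_group):
        findings.append(f"{user}: member of {admin_group} (server administrator)")
        for pw in weak_passwords:
            if ssha_verify(pw, users[user]["hash"]):
                findings.append(f"{user}: password matches weak value {pw!r}")
    for user, rec in users.items():
        if not rec["hash"].startswith(SSHA_TAG):
            findings.append(f"{user}: password not stored as {SSHA_TAG}")
    return findings


def make_entry(user: str, password: str, groups) -> str:
    """One keyfile line in the assumed format (what create-file-user would write)."""
    return f"{user};{ssha_hash(password)};{','.join(groups)}"


# Constructed sample admin-keyfile; no real credentials.
SAMPLE_ADMIN_KEYFILE = "\n".join([
    "# constructed sample admin-keyfile",
    make_entry("admin", "password", ["asadmin"]),
    make_entry("deploy-bot", "Tr0ub4dor&3", ["asadmin"]),
    make_entry("alice", "wonderland", ["employee"]),
])

if __name__ == "__main__":
    for finding in audit(parse_keyfile(SAMPLE_ADMIN_KEYFILE)):
        print(finding)
```

Run it against a copy of admin-keyfile (never edit the live file by hand while the server is running; use the Admin Console or create-file-user) and review every name the asadmin line reports.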

Editing the certificate Realm

The certificate realm supports SSL authentication. This realm sets up the user identity in the Application Server’s security context and populates it with user data obtained from cryptographically verified client certificates, using the trust-store and keystore files. Add client certificates to these files using keytool. For more information, see The J2EE 1.4 Tutorial chapter titled Security at:

With the certificate realm, J2EE containers handle authorization processing based on each user’s Distinguished Name (DN) from his or her certificate. The DN is the name of the entity whose public key the certificate identifies. This name uses the X.500 standard, so it is intended to be unique across the Internet. For more information on keystores and trust-stores, refer to the keytool documentation at:

Table 0-41 lists the optional properties for the certificate realm.

Table 0-41  Optional properties for certificate realm

  Property        Description
  -------------   --------------------------------------------------------------------
  assign-groups   A comma-separated list of group names. All clients who present
                  valid certificates are assigned to these groups. For example,
                  employee,manager, where these are the names of user groups.
  jaas-context    Type of login module to use for this realm. For the certificate
                  realm, the value must be certificateRealm.

See also: "Configuring Mutual Authentication".

Configuring Mutual Authentication

In mutual authentication, both sides authenticate with certificates: the client verifies the server's certificate and the server verifies the client's. To test mutual authentication, a client with a valid certificate must exist. For information on mutual authentication, see the Security chapter of The J2EE 1.4 Tutorial at:

Enabling Mutual Authentication for all Applications

The Application Server uses the certificate realm for HTTPS authentication.

To specify mutual authentication for all the applications that use this realm, follow these steps.

  1. In the Admin Console tree component, expand the Configuration node.
  2. Expand the Security node.
  3. Expand the Realms node.
  4. Select the certificate realm.
  5. Click the Add Property button.
  6. Click Save.
  7. Restart the Application Server if Restart Required displays in the console.
  8. After restarting the server, client authentication is required for all applications that use the certificate realm.
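The two preceding sections describe the mechanism in prose: the listener requires a client certificate (mutual authentication), the certificate realm takes the caller's identity from the certificate's DN, and assign-groups puts every such caller into fixed groups. The following is an added example, not code from the Application Server or the J2EE tutorial, that models those three steps with Python's ssl module standing in for the HTTPS listener. It assumes the peer certificate is in the dict shape that ssl.SSLSocket.getpeercert() returns (the sample below is constructed, not captured from a client) and that assign-groups is the comma-separated string Table 0-41 describes; the page does not name the realm property added in step 5 above, so only the TLS-layer equivalent is shown.

```python
"""
Added example, not code from the Application Server: models what the
certificate realm does with a verified client certificate. Python's ssl
module stands in for the HTTPS listener. The peer-certificate sample is
constructed in the shape ssl.SSLSocket.getpeercert() returns.
"""
import ssl

# RFC 4514 short names for attribute types commonly found in a subject DN.
_SHORT_NAMES = {
    "commonName": "CN",
    "organizationalUnitName": "OU",
    "organizationName": "O",
    "localityName": "L",
    "stateOrProvinceName": "ST",
    "countryName": "C",
}


def server_context(require_client_cert: bool) -> ssl.SSLContext:
    """Listener-side TLS policy. False is the weak setting: the handshake
    completes for a client that sends no certificate, so the realm never sees
    an identity. True is mutual authentication: the handshake fails unless the
    client presents a certificate that chains to the trust-store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    # A real listener would also call ctx.load_cert_chain(...) with the server
    # key/certificate from the keystore and ctx.load_verify_locations(...) with
    # the CA certificates from the trust-store; left out so this runs offline.
    return ctx


def requires_client_cert(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses clients that present no certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def subject_dn(peercert: dict) -> str:
    """Render getpeercert()['subject'] as an RFC 4514 string, most specific RDN first."""
    rdns = []
    for rdn in peercert["subject"]:
        attrs = []
        for attr_type, value in rdn:
            short = _SHORT_NAMES.get(attr_type, attr_type)
            # Escape the characters that are special inside a DN string value.
            escaped = "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)
            attrs.append(f"{short}={escaped}")
        rdns.append("+".join(attrs))
    return ",".join(reversed(rdns))


def realm_principal(peercert: dict, assign_groups: str):
    """Mimic the certificate realm: the identity is the subject DN, and every
    client with a verified certificate receives the assign-groups groups.
    getpeercert() returns None or {} when no certificate was presented, which
    can only happen when the listener did not require one."""
    if not peercert:
        raise PermissionError("client presented no certificate; no identity to authorize")
    groups = [g.strip() for g in assign_groups.split(",") if g.strip()]
    return subject_dn(peercert), groups


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_PEERCERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("organizationalUnitName", "Sales"),),
        (("commonName", "duke"),),
    ),
    "issuer": ((("commonName", "Example CA"),),),
}

if __name__ == "__main__":
    dn, groups = realm_principal(SAMPLE_PEERCERT, "employee,manager")
    print(dn, groups, requires_client_cert(server_context(True)))
```

The DN string is what container authorization (security-role mappings) compares against, so the exact attribute order and escaping matter; the container never consults the keyfile for certificate-realm callers, which is why assign-groups is the only way to give them group membership.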

Enabling Mutual SSL Authentication in an Application

To enable mutual authentication for a specific application, use deploytool to set the method of authentication to Client-Certificate. For more information about using deploytool, refer to the Security chapter of The J2EE 1.4 Tutorial at:
