To edit a realm, follow these steps.
The Edit Realm page displays.
For information on file realm properties, see "Editing the file and admin-realm Realms". To manage users in the file realm, click the Manage Users button; see "Managing file Realm Users" for more information.
For information on certificate realm properties, see "Editing the certificate Realm".
The server maintains all user, group, and password information in a file named keyfile for the file realm and admin-keyfile for the admin-realm. For both, the file property specifies the location of the keyfile. Table 0-40 shows the required properties for a file realm.
The keyfile is initially empty, so users must be added before the file realm can be used. For instructions, see "Managing file Realm Users".
The admin-keyfile initially contains the admin user name, the admin password in a hashed (not cleartext) form, and the group to which this user belongs, which is asadmin by default. For more information on adding users to the admin-realm, read "Controlling Access to Administration Tools".
Note: Users in the group asadmin in the admin-realm are authorized to use the Admin Console and the asadmin tool. Add to this group only users who should have server administrative privileges.
In the Enterprise Edition only, you can manage users with the Admin Console as discussed in "Managing file Realm Users", or with NSS tools. Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. For detailed information, see the following URLs:
Manage file realm users with the Admin Console. Users and groups in the file realm are listed in the keyfile, whose location is specified by the file property.
Note: It is also possible to use these steps to add users to any file realm, including the admin-realm. Simply substitute the name of the target realm for the file realm referenced in this section.
A user in the file realm can belong to a J2EE group, a category of users classified by common traits. For example, customers of an e-commerce application might belong to the CUSTOMER group, while the big spenders would belong to the PREFERRED group. Categorizing users into groups makes it easier to control the access of large numbers of users.
Initially after installation of the Application Server, the only user is the administrator entered during installation. By default, this user belongs to the group asadmin in the realm admin-realm, which gives rights to modify the Application Server. Any user assigned to this group has administrator privileges, that is, access to the asadmin tool and the Admin Console.
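The keyfile and admin-keyfile described above are the whole identity store for a file realm, so being able to read one and check who holds the asadmin group is a useful audit step. The following is an added example, not code from the Application Server or its documentation. It assumes the keyfile line format username;{SSHA}base64(sha1(password || salt) || salt);group1,group2 with an 8-byte salt, which is the format the file realm writes as far as I know; confirm it against a keyfile on your own installation. The sample admin-keyfile, its users, and the fixed salt are constructed for the example.

```python
"""Parse and audit an Application Server file-realm keyfile.

Added example; not code from the Application Server or its documentation.
It assumes the keyfile line format
    username;{SSHA}base64(sha1(password || salt) || salt);group1,group2
(assumed to be the format the file realm writes; confirm against a keyfile
on your own installation).
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

SALT_LEN = 8             # assumed salt length
SHA1_LEN = 20            # SHA-1 digest length in bytes
ADMIN_GROUP = "asadmin"  # group that grants Admin Console / asadmin access


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """Build the '{SSHA}...' password field; salt is random unless supplied."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(candidate: str, field: str) -> bool:
    """Check a candidate password against a '{SSHA}' field (constant-time)."""
    if not field.startswith("{SSHA}"):
        return False  # only SSHA fields are handled in this example
    raw = base64.b64decode(field[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def parse_keyfile(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map user -> (password field, groups). Blank lines are ignored."""
    entries: Dict[str, Tuple[str, List[str]]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split(";")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected user;password;groups")
        user, pw_field, groups = parts
        entries[user] = (pw_field, [g for g in groups.split(",") if g])
    return entries


def authenticate(entries, user: str, password: str) -> bool:
    """Realm-style login: an unknown user and a wrong password both fail."""
    if user not in entries:
        return False
    return ssha_verify(password, entries[user][0])


def users_in_group(entries, group: str) -> List[str]:
    """Users carrying a group, e.g. everyone who holds asadmin rights."""
    return sorted(u for u, (_, groups) in entries.items() if group in groups)


def audit(text: str) -> List[str]:
    """Return the users with asadmin rights; review this list regularly."""
    return users_in_group(parse_keyfile(text), ADMIN_GROUP)


# Constructed sample admin-keyfile. The fixed salt keeps the example
# reproducible; a real keyfile uses a fresh random salt per user.
FIXED_SALT = b"\x01\x02\x03\x04\x05\x06\x07\x08"
SAMPLE_ADMIN_KEYFILE = "\n".join([
    "admin;" + ssha_encode("adminadmin", FIXED_SALT) + ";asadmin",
    "deployer;" + ssha_encode("deploy-me", FIXED_SALT) + ";deployers",
    "oops;" + ssha_encode("oops", FIXED_SALT) + ";deployers,asadmin",
])


if __name__ == "__main__":
    entries = parse_keyfile(SAMPLE_ADMIN_KEYFILE)
    print("asadmin members:", audit(SAMPLE_ADMIN_KEYFILE))
    print("admin login ok:", authenticate(entries, "admin", "adminadmin"))
    # An empty keyfile (the initial state of the file realm) admits nobody.
    print("empty keyfile login:", authenticate(parse_keyfile(""), "admin", "x"))
```

Run against a copy of admin-keyfile and compare the audit output with the list of people who are supposed to administer the server; the user "oops", who picked up asadmin through a second group entry, is the kind of finding this catches.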
To manage file realm users, follow these steps.
Select the file realm node and click Manage Users. The File Users page displays. In this page, perform the following tasks:
In the File Users page, add a new user by following these steps:
When you save, the new user is added to the file realm. Click Cancel to quit without saving.
Equivalent asadmin command: create-file-user
In the File Users page, change a user's information by following these steps:
The Edit File Realm User page displays. When you save, the changes are written to the file realm. Click Close to quit without saving.
In the File Users page, delete a user by following these steps:
Equivalent asadmin command: delete-file-user
The certificate realm supports SSL authentication. This realm sets up the user identity in the Application Server's security context and populates it with user data obtained from cryptographically verified client certificates. A client certificate is verified against the trust store, and the server's own certificate comes from the keystore; add client certificates, or the CA certificates that issued them, to the trust store using keytool. For more information, see The J2EE 1.4 Tutorial chapter titled Security at:
With the certificate realm, J2EE containers handle authorization processing based on each user's Distinguished Name (DN) from his or her certificate. The DN is the name of the entity whose public key the certificate identifies. It follows the X.500 naming standard and is intended to be globally unique. For more information on keystores and trust-stores, refer to the keytool documentation at:
Table 0-41 lists the optional properties for the certificate realm.
See also:
In mutual authentication, both server and client-side authentication are enabled. To test mutual authentication, a client with a valid certificate must exist. For information on mutual authentication, see the Security chapter of The J2EE 1.4 Tutorial at:
The Application Server uses the certificate realm for HTTPS authentication.
To specify mutual authentication for all the applications that use this realm, follow these steps.
Edit the certificate realm and add a property named clientAuth with the value true. Save the change and restart the server.
After restarting the server, client authentication is required for all applications that use the certificate realm.
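The two things the certificate realm does, requiring a verified client certificate (clientAuth=true) and then authorizing on the certificate's DN, are easy to get subtly wrong: a DN that is formatted differently from the way the container prints it will never match a role mapping. The following is an added example, not code from the Application Server; it shows the same two steps with Python's ssl module rather than the server's HTTPS listener. SAMPLE_PEERCERT, ROLE_MAP and the file name trusted-clients.pem are constructed for the example, and the DN formatting mirrors the RFC 2253 order Java's X500Principal.getName() uses.

```python
"""clientAuth=true at the TLS layer, and DN-based authorization after it.

Added example, not Application Server code: the server performs these two
steps in its HTTPS listener and certificate realm. Here the same steps are
shown with Python's ssl module. SAMPLE_PEERCERT and ROLE_MAP are
constructed, in the shape ssl.SSLSocket.getpeercert() returns and the
shape of a DN-to-roles mapping, respectively.
"""
import os
import ssl
from typing import Dict, List, Optional

# Short attribute names as X500Principal.getName() (RFC 2253) prints them.
SHORT_NAME = {
    "commonName": "CN", "organizationalUnitName": "OU",
    "organizationName": "O", "localityName": "L",
    "stateOrProvinceName": "ST", "countryName": "C",
}


def require_client_cert(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """The TLS-level meaning of clientAuth=true: the handshake fails unless
    the client presents a certificate that chains to a trusted CA."""
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def client_cert_required(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses clients that present no certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def server_context(truststore_pem: Optional[str] = None) -> ssl.SSLContext:
    """Server-side context. Purpose.CLIENT_AUTH means 'I am a server that
    authenticates clients'. The trust store must be PEM here, so export the
    CA certificates from the keytool JKS trust store first. With no trust
    store loaded, CERT_REQUIRED rejects every client."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    if truststore_pem is not None:
        ctx.load_verify_locations(cafile=truststore_pem)
    return require_client_cert(ctx)


def _escape(value: str) -> str:
    """RFC 2253 escaping of the characters that are special inside a DN."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def dn_from_peercert(peercert: dict) -> str:
    """DN string in the order Java prints it (most specific RDN first)."""
    rdns = []
    for rdn in reversed(peercert.get("subject", ())):
        rdns.append("+".join(f"{SHORT_NAME.get(a, a)}={_escape(v)}"
                             for a, v in rdn))
    return ",".join(rdns)


def roles_for(peercert: dict, role_map: Dict[str, List[str]]) -> List[str]:
    """Authorization after authentication: a verified certificate whose DN
    is not in the mapping gets no roles. The DN must match the mapping
    character for character, so generate it the way the container does."""
    return list(role_map.get(dn_from_peercert(peercert), []))


# Constructed: what getpeercert() returns for a verified client certificate.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example, Inc."),),
                (("organizationalUnitName", "Ops"),),
                (("commonName", "alice"),)),
    "issuer": ((("commonName", "Example Client CA"),),),
}

# Constructed DN-to-roles mapping; note the escaped comma inside the O value.
ROLE_MAP = {"CN=alice,OU=Ops,O=Example\\, Inc.,C=US": ["admin", "deployer"]}


if __name__ == "__main__":
    print(dn_from_peercert(SAMPLE_PEERCERT), "->",
          roles_for(SAMPLE_PEERCERT, ROLE_MAP))
    if os.path.exists("trusted-clients.pem"):  # hypothetical exported trust store
        print("client cert required:",
              client_cert_required(server_context("trusted-clients.pem")))
```

The practical caveat is the last function: a certificate that passes verification but whose DN is not in the mapping is authenticated yet has no roles, which is the correct failure mode, and a mapping written with a different RDN order or unescaped comma silently produces the same result for a legitimate user.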
To enable mutual authentication for a specific application, use deploytool to set the method of authentication to Client-Certificate. For more information about using deploytool, refer to the Security chapter of The J2EE 1.4 Tutorial at: