Improved Credential and SSL Configuration for EE 7



Similar documents
SSL Certificate Generation

How to Create Keystore and Truststore Files for Secure Communication in the Informatica Domain

DOCUMENTUM CONTENT SERVER CERTIFICATE BASED SSL CONFIGURATION WITH CLIENTS

SSL Considerations for CAS: Planning, Management, and Troubleshooting. Marvin Addison Middleware Services Virginia Tech October 13, 2010

SolarWinds Technical Reference

Junio SSL WebLogic Oracle. Guía de Instalación. Junio, SSL WebLogic Oracle Guía de Instalación CONFIDENCIAL Página 1 de 19

HTTPS Configuration for SAP Connector

SSL Configuration on Weblogic Oracle FLEXCUBE Universal Banking Release [August] [2014]

What in the heck am I getting myself into! Capitalware's MQ Technical Conference v

To install and configure SSL support on Tomcat 6, you need to follow these simple steps. For more information, read the rest of this HOW-TO.

DOCUMENTUM CONTENT SERVER CERTIFICATE BASED SSL CONFIGURATION AND TROUBLESHOOTING

Enabling SSL and Client Certificates on the SAP J2EE Engine

Introduction to Mobile Access Gateway Installation

Chapter 1: How to Configure Certificate-Based Authentication

Universal Content Management Version 10gR3. Security Providers Component Administration Guide

SSL Configuration on WebSphere Oracle FLEXCUBE Universal Banking Release [September] [2013] Part No. E

Configuring IBM WebSphere Application Server 7 for Secure Sockets Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Web

Configuring SSL in OBIEE 11g

Enterprise Content Management System Monitor 5.1 Security Considerations Revision CENIT AG Brandner, Marc

The GlobalCerts TM Secur Gateway TM

Deploying Certificates with Cisco pxgrid. Using Self-Signed Certificates with ISE pxgrid node and pxgrid Client

Installing Apache as an HTTP Proxy to the local port of the Secure Agent s Process Server

Configuring Secure Socket Layer (SSL) for use with BPM 7.5.x

CHAPTER 7 SSL CONFIGURATION AND TESTING

Working with Portecle to update / create a Java Keystore.

Metastorm BPM Interwoven Integration. Process Mapping solutions. Metastorm BPM Interwoven Integration. Introduction. The solution

END-TO-END SSL SETUP SAP WEB DISPATCHER Helps you to setup the End-To-End SSL Scenario for SAP Web Dispatcher

How to Implement Two-Way SSL Authentication in a Web Service

Understanding digital certificates

Creating and Managing Certificates for My webmethods Server. Version 8.2 and Later

Installation valid SSL certificate

Enabling SSO between Cognos 8 and WebSphere Portal

Overview of Web Services API

Enable SSL in Go2Group SOAP Server

BEA Weblogic Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Customizing SSL in CA WCC r11.3 This document contains guidelines for customizing SSL access to CA Workload Control Center (CA WCC) r11.3.

Enabling Single-Sign-On on WebSphere Portal in IBM Cognos ReportNet

1 Reflection ZFE 5. 2 Security Considerations Troubleshooting the Installation 19. Contents 1

Director and Certificate Authority Issuance

Configuring Secure Socket Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Systems That Use Oracle WebLogic 10.

How to Prepare Your Salesforce Service for Certificate Changes

Enabling Single-Sign-On between IBM Cognos 8 BI and IBM WebSphere Portal

Developers Integration Lab (DIL) Certificate Installation Instructions. Version 1.4

PowerChute TM Network Shutdown Security Features & Deployment

Encrypted Connections

Entrust Certificate Services. Java Code Signing. User Guide. Date of Issue: December Document issue: 2.0

KMIP installation Guide. DataSecure and KeySecure Version SafeNet, Inc

CA Nimsoft Unified Management Portal

IUCLID 5 Guidance and Support

Wildcard Certificates

Installing Digital Certificates for Server Authentication SSL on. BEA WebLogic 8.1

The Compatible One Application and Platform Service 1 (COAPS) API User Guide

Windows Azure Pack Installation and Initial Configuration

Managing Data Storage in the Public Cloud. October 2009

SSO Plugin. Case study: Integrating with Ping Federate. J System Solutions. Version 4.0

Exchange Reporter Plus SSL Configuration Guide

IBM Security Identity Manager Version 6.0. Security Guide SC

ACE Management Server Deployment Guide VMware ACE 2.0

App Orchestration 2.5

SSL Configuration Best Practices for SAS Visual Analytics 7.1 Web Applications and SAS LASR Authorization Service

EMC Documentum Composer

The Use of the Simple Certificate Enrollment Protocol (SCEP) and Untrusted Devices

Foundations for your. portable cloud

SSL CONFIGURATION GUIDE

GlobalProtect Configuration for IPsec Client on Apple ios Devices

SSL Certificates and Bomgar

Application Notes for Microsoft Office Communicator Clients with Avaya Communication Manager Phones - Issue 1.1

TIBCO Runtime Agent Domain Utility User s Guide Software Release November 2012

Configuration Guide for RFMS 3.0 Initial Configuration. WiNG 5 How-To Guide. Digital Certificates. July 2011 Revision 1.0

1. If there is a temporary SSL certificate in your /ServerRoot/ssl/certs/ directory, move or delete it. 2. Run the following command:

Setting Up Resources in VMware Identity Manager

WebService Security. A guide to set up highly secured client-server communications using WS-Security extensions to the SOAP protocol

EMC XDS Repository Connector for ViPR

NetBeans IDE Field Guide

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Creating an authorized SSL certificate

SafeNet KMIP and Google Cloud Storage Integration Guide

Java SSL - sslecho SSL socket communication with client certificate

WebLogic Server 7.0 Single Sign-On: An Overview

App Orchestration 2.0

Configuring TLS Security for Cloudera Manager

Enterprise effectiveness of digital certificates: Are they ready for prime-time?

Certificate technology on Pulse Secure Access

SafeNet KMIP and Amazon S3 Integration Guide

Setting Up SSL From Client to Web Server and Plugin to WAS

RHEV 2.2: REST API INSTALLATION

ADAPTIVE AUTHENTICATION ADAPTER FOR JUNIPER SSL VPNS. Adaptive Authentication in Juniper SSL VPN Environments. Solution Brief

TIBCO ActiveMatrix BPM BPM Deployment

Acano solution. Certificate Guidelines R1.7. for Single Combined Acano Server Deployments. December H

HP Device Manager 4.7

JSR 375 (EE Security API) Review

Cisco Prime Central Managing Certificates

(n)code Solutions CA A DIVISION OF GUJARAT NARMADA VALLEY FERTILIZERS COMPANY LIMITED P ROCEDURE F OR D OWNLOADING

Browser-based Support Console

Application Note AN1502

Security Guide vcenter Operations Manager for Horizon View 1.5 TECHNICAL WHITE PAPER

Transcription:

Improved Credential and SSL Configuration for EE 7 1. Introduction: SSL, trust stores, keystores and credential repositories are generally difficult areas to configure for Java EE environments. The configuration and management interfaces are vendor specific and non-standard. Java EE 7's goal for providing PaaS functionality for application developers makes this even more important. In order to make application archives portable from one cloud provider to another, we need to unify and simplify the approach to this configuration and provisioning. Standardizing the ability to provision keystores and metadata (as necessary) by bundling them with an application at deployment time will provide portability of this configuration across PaaS providers. It will also require that platform implementations differentiate these key entries and certificates by application when they are provided with the application. The method of differentiating this configuration is an implementation specific detail. It may result in application level configuration, the leveraging of server instances that are dedicated to an application or any number of other means for platforms to ensure application level semantics for the SSL configuration. The addition of this provisioning facility is supplemental to the existing functionality and platform specific mechanisms available today. Backward compatibility is expected for applications that require this configuration to be done but do not provide it with the application itself. The SSL related networking components of a EE 7 PaaS platform implementation will utilize the provisioned certificates and keys as required to meet the requirements for secure interaction. The SSL termination point in any given implementation is specific to that offering and not dictated by the platform specification. Client specific SSL configuration will be leveraged by a platform implementation also through vendor specific means. JAX-WS Dispatch objects, for instance, will be able to leverage the provisioned certificates through configuration specific to the Dispatch implementation and/or the consumer's instantiation and initialization properties. 1.1. Standardized Aspects: Configuration by Convention well-known aliases for SSL related key pairs and passphrases well-known filenames for the stores themselves differentiated by application Alias Mapping mapping of the well-known aliases to actual aliases within the repositories to address inability to set the actual alias to point multiple well-known aliases to the same key material Secure provisioning of keys, certs and passwords with applications it is assumed that the platform implementation will likely provide alias management

capabilities in addition to support for these bundled stores 1.1.1. Configuration by Convention By specifying the filenames of the repositories and aliases expected within them in the EE platform spec, configuration will not be necessary for deployment machinery and/or runtime code to resolve the key pairs and related passphrases that are needed for establishing SSL connections. The following optional repositories are expected to be found within an application's META-INF directory. Listing 1. Store Names and Location META-INF/ passwdstore.p12 // password aliases and passwords truststore.p12 // trusted certs keystore.p12 // keys and certs Listing 2. Well-known Aliases within keystore.p12 ssl-server // server identity to connecting clients ssl-client // server identity when acting as a client to another server Listing 3. Well-known Aliases within passwdstore.p12 ssl-server // password alias for accessing the ssl-server cert in keystore.p12 ssl-client // password alias for accessing the ssl-client cert keystore.p12 keystore-phrase // passphrase for the keystore.p12 The password required to access the aliases within the passwdstore.p12 is required to be provided by the deployer of the application into the deployment interface for the platform implementation. It is then used to retrieve the passphrase for accessing the keystore.p12 in order to retrieve the key pairs for SSL connections. There may be a need to support an optional alias mapping facility within the archive as well. This would enable stores that do contain key material for the well-known aliases to be used by mapping the expected names to the actual aliases within the store. (See Open Issues 2.2. Alias Mapping) 1.1.2. Alias Mapping In addition to the well-known aliases there may be a need to provide a mapping from the well-known aliases to the actual aliases within the keystore. 1.1.2.1. Mapping to Actual Aliases In some instances, the alias used within the keystore itself may not be the well-known alias expected by this proposal. This facility would enable the packager to map the well-known alias to that within the actual store and allow the alias to be resolved to the appropriate key material. For instance, when using openssl to create a self-signed cert and key, there is no way to indicate what the alias in the resulting store should be. The default alias is 1. 1.1.2.2. Server Identity as Client Identity In other cases, it may be desired that the same certificate be used whether the server is acting as a server or a client. By providing a mapping from the ssl-client alias to the ssl-server alias the certificate

chain is only stored once in the repository but both aliases are resolved. 1.1.2.4. Mapping Syntax Without the ability to specify the alias it may make sense to provide a mapping syntax to indicate which of the aliases within the actual store represent the well-known usage aliases. Something like: Listing 4. alias-mapping <alias-mapping> <alias>ssl-server</alias> <alias-mapping> <alias>ssl-client</alias> In listing 4 above, we have a mapping from the well-known ssl-server alias to an actual alias within the keystore.p12 called '1'. We also have a mapping for the well-known alias ssl-client to the same cert as the server. 1.1.3. Secure Provisioning of Keys, Certs and Passwords with Applications In order to facilitate the provisioning of key material, certificates, passwords and aliases at deployment time in a cross platform manner, we need to introduce an archive for bundling them securely. Platform vendors may use the deployed archives directly as the credential stores for resolving password aliases or extract the contents of the artifacts and populate preferred repositories at deployment time for use by the platform runtime. The PKCS#12 standard provides a Personal Information Exchange file format. Previously, there has been a focus on providing interoperability for the exchange of certificates and private keys. However there has been no real standardization of using PKCS#12 SecretKey support and therefore the interoperability for password exchange is not pre-existing. (See Open Issues 2.1. File Format for Standard EE Password Store) We will need to define the usage of the PKCS#12 format for this purpose in terms of: how to represent the SecretKey within the PKCS#12 SecretBag how to associate the alias to be used to resolve the secretkey (friendly name, localkeyid) any metadata needed for advanced management of passwords (expiry date, etc) Existing tooling for the management of PKCS#12 files, at least for certificates and keys, is generally available and can be leveraged for creating these stores. The use of JKS and JCEKS has been ruled out due to their proprietary natures. 2. Example of Provisioning Processing The following is an abstracted example of how this mechanism would be utilized during application deployment and related dependency provisioning.

NOTE: This is not intended to be a blueprint for a required implementation but as one example of a valid interpretation of a provisioning algorithm for this proposal. The details of any particular implementation's algorithm will be as unique as their PaaS offering. 2.1. General Flow Description 2.2 Application Deployed to PaaS Environment 2.3 Dependency Discovery 2.3.1. Detects services that need to be provisioned in order to support the application 2.4 Provisioning of Required Services is Orchestrated 2.4.1. Domain names are communicated to the DNS as required 2.4.2. Load balancers are configured to accommodate the application and its specific configuration 2.4.2.1. Utilized the well-known aliases and mapping facility as appropriate the required certificates and keys are extracted from the provided stores 2.4.2.2. Propagates the certificates and keys required for SSL 2.4.2.3. Ensures that the domain name and embedded hostname within the certificates meet any hostname verification requirements 2.4.3. Client side certificates (for outbound connections) are made available to the application for client access 2.5 Public PaaS Application Domains are be published out of band 2.5.1. Customer owned domains must have their DNS records updated to reflect the provided IP address of the PaaS provider exposed endpoint 3. Open Issues 3.1. File Format for the Standard EE Password Store We need a standard format to securely exchange/deploy credentials to an EE platform. It is desired for this standard to be a well known industry standard that is interoperable and has sufficient support in tooling and consuming APIs. Our primary candidate has been PKCS#12. PKCS#12 is a standard format established and published by RSA Laboratories and is recognized as a defacto standard for Personal Information Exchange. Even though PKCS#12 is not a product of an actual industry standards body, RSA makes no patent claims on the general constructions within it. There are a couple interesting issues with using PKCS#12 for password exchange. 3.1.1. Interoperability Given the open nature of much of the PKCS#12 specification there are numerous ways to represent the standard content and related metadata within a PKCS#12 file. Interoperability would need to be addressed by clearly specifying the scheme to use in encoding the

aliases, passwords and required metadata within PKCS#12. 2.1.1.1. QUESTION: Can we define the encoding scheme for storing passwords within PKCS#12? It would also require enforcement within the TCK to ensure that the expected file format is consumed properly by the platform implementation. 3.1.2. Tooling Currently there is a lack of generally available tooling for the management of passwords within the generic SecretBag constructs of PKCS#12. JDK 7 support for PKCS#12 keystores is limited to private keys and certificate chains. Support for secret keys and trusted certs will be added in JDK 8. There is also planned enhancements to Keytool for management of secret keys within the JDK 8 timeframe. Vendors can provide their own tooling that complies with the scheme defined within the standard use as described in the final specification or utilize tooling that is provided as part of the RI. 3.1.2.1. QUESTION: Are these tooling constraints acceptable given the envisioned support from keytool, and the PKCS12Keystore in the JDK 8 timeframe and the RI? 3.1.3. Existing Providers A number of providers have only implemented those portions of the PKCS#12 specification that is pertinent to existing PKI requirements and potentially entirely skip SecretBag entries within the stores while loading them. Existing provider implementations will need to be aware of the specifics of the scheme used to represent EE password aliases and metadata in order to add support for them. We would need to make a provider that is capable of consuming this particular usage pattern of PKCS#12 generally available to platform implementations and tooling providers. 2.1.3.1. QUESTION: Is the requirement to support passwords through PKCS#12 SecretBag on providers acceptable? 2.1.3.2. QUESTION: Is the requirement to support passwords through PKCS#12 SecretBag on providers necessary given a generally available provider through the RI? 3.2. Keystore and Password Store Consolidation It is likely that the credentials stored within the passwdstore.p12 described in this document could be consolidated into the keystore.p12. This document initially describes them separately in order to allow them to evolve separately into the best approach to meet all requirements. Expert group deliberations can decide to consolidate them or leave them separate.

3.2.1. QUESTION: Should we consolidate the passwdstore.p12 and keystore.p12 initially and only separate them if need be? 3.3. Multiple Domains for a Given Application In the event that multiple domains are to be requested for a given application, we would need to accommodate this through the alias mapping mechanism. The details of how to map from the ssl-server for one domain to the actual alias in the keystore.p12 as well as another domain name and its alias needs to be determined. One possibility would be to include the domain name as an attribute on the alias-mapping element as seen in Listing 5. Listing 5. alias-mapping with domain names <alias-mapping domain= mydomain > <alias>ssl-server</alias> <alias-mapping domain= yourdomain > <alias>ssl-server</alias> <alias-mapping domain= mydomain > <alias>ssl-client</alias> 3.3.1. QUESTION: Are multiple domains for an application required? 3.3.2. QUESTION: Would the additional element in the mapping suffice?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information