Friday August 01, 2008

Students part of GFGC community program student_gfqc_blogs

In this blog, I am excited to give the details about a relation of Students with GlassFish Project. It is specifically about Students part of the GlassFish Quality Community (GFQC) [1].

The program is all about connecting, engaging and mentoring of Students to the GlassFish projects [2]. Under this program, students are going to develop the applications on top of GlassFish and contribute the application code along with test code with the help of mentors from Sun Engineers. Even though this program is just started (about a month ago), we have seen the students interest for GlassFish projects. I feel very excited with this!

As part of the program, we have a list of GlassFish projects that students can work. The projects proposals are mainly submitted by the Sun engineers. The students are being connected via different channels - visits to universities, contacting friends & Alumni, contacting ambassadors etc. Once students interested in any of the projects, then mentor and student relationship established. The process is outlined at [3].

At JavaOne 2008, Sun staff met SJSU and SFSU professors on GlassFish and java.net and Mural projects. Sandeep catpured notes and nice photos at blog [4].

Some of the universities that we are already have students working on GlassFish Projects [2]

US Universities: San Jose State University (SJSU);
Indian Universities: Amrita University; IGIT Delhi; JIIT, Noida; SMVDU, Jammu&Kashmir

It is awesome to see more students engaged with technology/industry experts working on great open source products with support from companies like Sun!

[1] GFQC - https://glassfish.dev.java.net/quality/portal/
[2] GlassFish Project Ideas - http://wiki.glassfish.java.net/Wiki.jsp?page=ProjectIdeas
[3] Process for Students and Mentors - http://wiki.glassfish.java.net/Wiki.jsp?page=ProjectIdeasProcess
[4] SJSU and SFSU meet java.net, Mural and Glass Fish - http://blogs.sun.com/skonchady/entry/sjsu_and_sfsu_meet_java

Posted by Jagadesh Babu Munta ( Aug 01 2008, 07:10:56 PM PDT ) Permalink

Friday June 13, 2008

GlassFish security references (part1) GF_security_references

It useful to have a reference for all GlassFish application server related information. Here is what I could collect now ( as part1)!

The security startup information is easily found at Security FAQ - https://glassfish.dev.java.net/javaee5/security/faq.html

Few other document resources

GlassFish Project - Security home page - https://glassfish.dev.java.net/javaee5/security/
GlassFish Security Configuration Guide - https://glassfish.dev.java.net/javaee5/docs/AG/ablnk.html

Technical tips/articles

Using SSL with GlassFish V2 - http://java.sun.com/mailers/techtips/enterprise/2007/TechTips2_Nov07.html
Key Management and PKCS#11 Tokens in Sun Java System Application Server 8.1 - http://developers.sun.com/appserver/reference/techart/keymgmt.html
Adding Authentication Mechanisms to the GlassFish Servlet Container - http://blogs.sun.com/enterprisetechtips/entry/adding_authentication_mechanisms_to_the
Using Security Annotations in Enterprise Beans - http://java.sun.com/mailers/techtips/enterprise/2007/TechTips_March07.html#2
Accessing a Secure Enterprise Bean From a Java Client or Through Java Web Start Technology - http://java.sun.com/developer/EJTechTips/2006/tt0225.html#2
Authentication Using Custom Realms in Sun Java System Application Server - http://developers.sun.com/appserver/reference/techart/as8_authentication/index.html

Blogs

http://blogs.sun.com/swchan/
http://blogs.sun.com/jdbabu/category/Security+in+Glassfish+AppServer
http://weblogs.java.net/blog/tchangu/archive/j2ee/index.html

Posted by Jagadesh Babu Munta ( Jun 13 2008, 10:52:01 AM PDT ) Permalink

Thursday June 05, 2008

Configure Solaris Trusted Extensions and run GlassFish Application Server Blog_TX_GF

(From Jagadesh Babu Munta and Shaline Gowda)

About

Trusted Extensions software package is a layered product on top of the Solaris operating system.

Trusted Extensions provides special security features that enable an organization to define and implement a security policy on a Solaris system. A security policy is the set of rules and practices that help protect information and other resources, such as computer hardware, at your site. Typically, security rules handle such issues as who has access to which information or who is allowed to write data to removable media. Security practices are recommended procedures for performing tasks[1]. See the answers to the common questions on Trusted Extensions can be found at [2]. Currently the product is being evaluated for CCC [3].

GlassFish is a free, open source, production quality, enterprise application server which implements the newest features in the Java EE platform. It is the reference implementation fro the JavaEE standard from Sun [8].

Installing TX

The simplest way of getting TX is to install Solaris 10 U5 (Solaris 10 11/06) [5]. No need to install any additional TX related packages. TX packages are already installed when you install S10 U5.

However, one has to start up “labeld” process so it can be a TX system.

Run the command:

svcadm enable -s labeld

and must reboot. Note that at this time, you can only access the system through console (until remote access is enabled).

For all other OS cases, refer the document [6].

The next preparation step is to create zfs pool for zones. Creating zones using zfs cloning is the quickest method to create zones, but you may need to do extra steps to make sure the zones are stable.

Follow the steps:

Login as root user to global zone.
Comment out the /zone entry in /etc/vfstab file added by editing the jumpstart profile . Note the partition name for /zone, for example /dev/dsk/c1t0d0s0
Unmount /zones #umount /zone
Create zone pool

zpool create -f zone /dev/dsk/c1t0d0s0

Check the spool status, use the following commands:

zpool status -x zone

zpool list

Setup remote access to TX machine

The following 3 steps are good enough to enable the remote access [6].

Comment out CONSOLE from /etc/default/login file. Below is the snapshot from a TX system.

# If CONSOLE is set, root can only login on that device.

# Comment this line out to allow remote login by root.
#
#CONSOLE=/dev/console

Add the DNS name servers in /etc/resolv.conf file. Below is the snapshot from a TX system.

# cat /etc/resolv.conf
domain sfbay.sun.com
search sfbay.sun.com sun.com
options ndots:2 timeout:3 retrans:3 retry:1
nameserver 129.146.11.51 ; sfbay-dns-1.sfbay
nameserver 129.146.11.103 ; na-umpk11-01.sfbay
nameserver 129.145.155.226 ; sfbay-dns-2.sfbay

#

Edit /etc/pam.conf to allow remote user and from the non TX systems. Below is the snapshot from a TX system. Basically change the following line to have allow_remote and allow_unlabeled at the end.

# cat /etc/pam.conf | egrep allow
other account requisite pam_roles.so.1 allow_remote
other account required pam_tsol_account.so.1 allow_unlabeled
#

On Solaris 10 U5, open the netservices because by default disabled due to Secure By Default (SBD) feature. Run the following command to disable SBD:

netservices open

Setup Labeled Zones

Trusted Extensions uses solaris containers or zones for labeling. The global zone is an administrative zone, and is not available to users. Non-global zones are called labeled zones. Labeled zones are used by users. The global zone shares some system files with users. When these files are visible in a labeled zone, the label of these files is ADMIN_LOW. Network communication is restricted by label. By default, zones cannot communicate with each other because their labels are different. Therefore, one zone cannot write into another zone [1].

The simplest way to create and manage the labeled zones is to use “txzonemgr”, an easy to use GUI tool.

A typical states of a labled zone is as follows [7]:

Undefined --> Configured --> Installed --> Ready -->Running

Before start creating the labeld zones, check if the network interfaces shared by all zones are not. You can do this by doing “ifconfig -a” and look for “all-zones”.

If not, use txzonemgr to create the network interface for the non global zones. Run the tool, /usr/sbin/txzonemgr that creates networks interface and zones . Select Manage Networks Interface, then select the physical interface and share it.

In the labeled zones creation process, the first step is to create a labeled zone and configure it. Later create a snapshot and clone it for other labeled zones.

Follow the below steps from the /usr/sbin/txzonemgr GUI interface:-

Create first new labeled zone (say public) --> Select -->Install --> Zone console --> Boot --> Configure NFS and domain --> Running (public)
Running labeled zone (public) -->Halt --> Create snapshot
Create other new labeled zone (internal) --> Select -->Clone -->select the snapshot (public) --> Zone console --> Boot -->Running (internal)
Repeat above steps for all other labels such as needtoknow, restricted etc.

Some of the screen shots from txzonemgr are listed here for your checks.

Fig-1. List of all labeled zones from labled zone manager (txzonemgr)

Fig-2. Installed public zone (txzonemgr). Ready to Boot or Create Snapshot.

Fig-3. Installing a labled zone from a configured one. Clone from existing snapshot (txzonemgr)

Fig-4. List of options from an installed (public) zone (txzonemgr)

Fig-5. Available ZFS zone snapshot created from public zone (txzonemgr)

Fig-6. List of options available on a running labeled zone (txzonemgr)

Fig-7. List of network interfaces (txzonemgr)

To check the created zones, use the following command.

# zoneadm list -cv

ID NAME STATUS PATH BRAND IP

0 global running / native shared
10 internal running /zone/internal native shared
12 public running /zone/public native shared

...

To check the labels on the files, run the following commands:

# getlabel /
/: ADMIN_HIGH
#

To login to a public zone from global zone, use the following command.

#
# zlogin public
[Connected to zone 'public' pts/8]
Last login: Tue Jun 3 16:29:53 on pts/8
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
# getlabel /export
/export: PUBLIC
#

To login to a labeled zone, do the following alternatives.

#rlogin -l root <tx-system>

#zonelogin public
(or)
Run /usr/sbin/txzonemgr.

Select the zone (public/internal), select OK and then select "Zone Console". Login using the root id and password. From there you can operate on that console.

Run GlassFish Application Server

Download and Install GlassFish [8]. Get the latest GF FCS version and is GFv2 UR2 from [10]. The installation instructions can be found at [10]. You could download on a different machine and copy to the required labeled zone.

There are sanity tests for GF called Quick Look (QL) tests and can be checked out the GF workspace. See the steps at [9].

Run QL tests on the following 3 cases.

“public” zone only (run only public and halt internal zone)
“internal” zone only
simultaneously on both “public” and “internal” while both are running.

If you don't want to use maven, then do the following after setting the environment.

“ant all-pe”

Edit <as-install>/config/asadminenv.conf and change to “cluster” from “developer” profile.

“ant only-ee”

No issues found. All the sanity/QL tests passed.

References

[1] Trusted Extensions User Guide - http://docs.sun.com/app/docs/doc/819-7313

[2] Solaris Trusted Extensions FAQ http://www.sun.com/bigadmin/sundocs/articles/txfaq.jsp

[3] Solaris Common Criteria Certification - http://www.sun.com/software/security/securitycert/#in-eval

[4] Trusted Extensions Developer Guide - http://docs.sun.com/app/docs/doc/819-7312

[5] Solaris Trusted Extensions Collection - http://docs.sun.com/app/docs/coll/175.12

[6] Trusted Extensions Installation and Configuration - http://docs.sun.com/app/docs/doc/819-7314

[7] Solaris Zones http://www.softpanorama.org/Solaris/Virtualization/zones.shtml

[8] GlassFish http://glassfish.dev.java.net

[9] GlassFish QL instructions - https://glassfish.dev.java.net/public/GuidelinesandConventions.html#Quicklook_Tests

[10] GFv2 UR2 download - https://glassfish.dev.java.net/downloads/v2ur2-b04.html

Acknowledgments

We would like to thank the following people are who provided guidance and information on TX and greatly helped in setting up the TX setup during this exercise with timely manner.

Satya Dodda
Lokanath Das
Parameswaran Namboodiri

Thats all.
Enjoy more security for your enterprise resources!

Posted by Jagadesh Babu Munta ( Jun 05 2008, 02:40:30 PM PDT ) Permalink Comments [1]

Wednesday May 14, 2008

Authentication for SIPServlet resources in SailFin Application Server sip_digestauth
The authentication of SIPServlet resources can be done with Digest Authentication. In SailFin, the digest authentication is implemented using the JDBC realm. You can check the details on Shingwai's blog about JDBC realm in Glassfish.

Note that at this time, ONLY this JDBC realm for digest authentication is supported on SailFin server. Other realms such as LDAP support might happen in future releases.

The following steps can help in configuring the digest auth with jdbc realm on SailFin application server:

1.Create a jdbcresource from GUI based admin console (default user: admin and password: adminadmin) or update domain.xml in similar to the below snippet. There is a default JDBC connection pool "DerbyPool" which connects to default DB (JavaDB or Derby) supplied with SailFin. We just need to create the jdbc resource or use "jdbc/__default" datasource-jndi.

<jdbc-resource enabled="true" jndi-name="jdbc/digestauth" object-type="user" pool-name="DerbyPool"/>

2.Create a security auth realm from GUI based admin console (Configuration> Security> Realms> ) or update domain.xml in similar to the below snippet. Replace Your_Realm_Name to something meaningful in your config or just use as it is. Refer JDBCRealm configuration blog on how to create users in the DB and also the fields.

<auth-realm classname="com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm" name="Your_Realm_Name">
         <property name="user-name-column" value="userid"/>
         <property name="password-column" value="password"/>
         <property name="group-name-column" value="groupid"/>
         <property name="jaas-context" value="jdbcDigestRealm"/>
         <property name="datasource-jndi" value="jdbc/digestauth"/>
         <property name="group-table" value="grouptable"/>
         <property name="user-table" value="usertable"/>
   </auth-realm>

GlassFish JDBC Realm

3.Check the following is already added to login.conf under domain/domain1/config

jdbcDigestRealm {
       com.sun.enterprise.security.auth.login.JDBCDigestLoginModule required;
};

4. Add the following to sip.xml or web.xml

<login-config>
       <auth-method>DIGEST</auth-method>
       <realm-name>Your_Realm_Name</realm-name>
</login-config>

Snapshot of sip.xml while protecting the REGISTER method for the SIP Servlet RegistrarServlet.

    <security-constraint>
        <display-name>RegistrarConstraint1</display-name>
        <resource-collection>
            <resource-name>RegistrarServlet</resource-name>
            <description>SIP Servlet resource protection</description>
            <servlet-name>RegistrarServlet</servlet-name>
            <sip-method>REGISTER</sip-method>
        </resource-collection>
        <auth-constraint>
            <description>User can Access the files</description>
            <role-name>User</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>DIGEST</auth-method>
        <realm-name>Your_Realm_Name</realm-name>
    </login-config>
    <security-role>
        <description>User Role</description>
        <role-name>User</role-name>
    </security-role>
    <security-role>
        <description>Admin Role </description>
        <role-name>Admin</role-name>
    </security-role>

4. Make sure the Derby is started and DB users/groups schemas created.
    To start/stop DB :

./bin/asadmin start-database
./bin/asadmin stop-database


5. Restart the SailFin Server and ready to use the DIGEST auth for your applications.

Thats it!

Posted by Jagadesh Babu Munta ( May 14 2008, 11:17:55 AM PDT ) Permalink Comments [1]

Monday May 12, 2008

JavaOne 2008 experience (more with GlassFish)
As a regular JavaOne attendee, this year 2008 also I was at JavaOne. It is a world's largest Java developers conference organized by Sun and happens every year at Moscone Center, San Francisco.
I feel the crowd is more than last year! Seen many students and stalls in the pavillion.
Here are few highlights!

GlassFish is everywhere wherever you go (in similar to Java) ! Many sessions and in the pavillion indicated the same.

V3 is amazingly fast! I heard that too from many folks. It is happy to share the same with others;)

Potential customers : few folks asked about support or subscriptions. Good to see this for future revenues!

GF Quality Community awareness was done fantastically. I am one of the community owners from Sun. Taking the testing as open source - not just a tool but the entire testing to community is great idea to face the challenges in the today's open integrations and maintaining the quality! More than 75 members interested in signing the SCA.

Students showed lot of interest in our GFQC program and also rewards. They listened! At least students from 4 different universities were met.

Others

Lot of free goodies. GF booths always had folks around!

Lot of network happened around the people.

Java Mobile and JavaFX have been highlighted. Posted by Jagadesh Babu Munta ( May 12 2008, 03:45:06 PM PDT ) Permalink

Tuesday May 29, 2007

Perspective on open source product testing I thought of having some key ideas on open source product testing.

In my view the following goals and strategies in the open source products testing can help in improving the quality and maintaining the testing pace.

1. Set reasonable Quality (see the decided quality metrics) and excellent user-experience: This is important as most of the open source projects to come up early in the users hand ahead rather than waiting for long product release time. Also these products need to focus on good user experience so that users can quickly adopt to the product.
Think about stack rather than a piece of the product.

2. Evangelize the product (more adoption): Try to envangelize the product as much as possible with various methods - well working samples, clear use case related examples (these are keys) in addition to blogs, feeds, webcasts, free tutorials, participating in universities etc. Again getting more user base is the key. Increase the testers and initial learners.

3. Full OpenSource (tools) and contribute the world: Try to use well known open source tools so that many users known of them and also easy to participate and contribute in the testing effort.

4. Re-use the testers/tests/infrastructure: Re-use save time and energy. So don't need to start from scratch unless there is no solution out-there. Improve on the existing test base and simplify.

5. Pro-active approach rather than re-active: It is important to keep in deal with the criticism and comments where everyone would like show their own way and known products. So be patient and response pro-actively rather than re-acting.

6. Automate tests in maximum: This is important to save lot of time to deal with changes happening with the product stack in the open source.

7. Measure the quality - define quality metrics : Unless we measure what we are doing, we can't really know where we are. In this angle, it is better to decide some level of metrics such as code coverage, bugs list etc.

8. Provide feedback as frequently as possible (say weekly or even daily) on the product quality to the community. This way people see the dynamism or vibration in the product community.

Do you have some more key or simple things to do? Please share.

Sharing is good for everyone!

Posted by Jagadesh Babu Munta ( May 29 2007, 12:52:59 PM PDT ) Permalink

Thursday May 24, 2007

Code quality and coverage
Here are the some of the interesting articles about code quality and code coverage analysis and relation to product quality.

My life as a Code Economist @Eric.Weblog() - talks about quality parameters.

Understand the quality...division of people into 2 groups -  
"  1. People who know why every good software company ships products with known bugs.
   2. People who don't.
"

Code Coverage Analysis By Steve Cornett -- talks about what is code coverage

"Code coverage analysis is the process of:

    * Finding areas of a program not exercised by a set of test cases,
    * Creating additional test cases to increase coverage, and
    * Determining a quantitative measure of code coverage, which is an indirect measure of quality. ".

Posted by Jagadesh Babu Munta ( May 24 2007, 06:57:27 PM PDT ) Permalink

Wednesday May 16, 2007

How to make money with open source? Today during my browsing for some strategies around open source, I come across the following interesting article, which talks about making money with open source. I know many of friends and collegues were asking similar questions that were address here. So thought of adding here. See article - How to make money from Open source By Con Zymaris .
Two interesting points -

"Services not licences: The open source revenue model is one based on a service revenue stream rather than a licence revenue stream."

"Why not use open source to form the basis of our product in the first place, reducing our own efforts? Programmer’s Maxim: good coders code, great coders reuse" Posted by Jagadesh Babu Munta ( May 16 2007, 07:01:44 PM PDT ) Permalink

Monday March 05, 2007

JAXWS/SSL - How to secure a WS endpoint at transport level (https)

In order to secure webservice endpoints developed using JavaEE components (Servlets/EJB) at transport level (https), there is a easy and simple declarative way in GlassFish application server. The following information helps in understanding and trying out a sample called SSL-JAXWS application in JavaEESDK samples.

You can get the samples bundle from Java EE SDK downloads page.
Steps:
->Java EE Downloads page
->Goto "Download the Components Independently"
->Goto "Java EE 5 Samples Download" and click on download.

Unzip the saved file and browse the samples index page and go to JavaEE5 samples @ .../java_ee_sdk-5_01-samples/javaee5/index.html .
The JAXWS/SSL sample is "webservices/ssl-jaxws-ear" and can be found @ .../javaee5/webservices/ssl-jaxws-ear/docs/index.html Posted by Jagadesh Babu Munta ( Mar 05 2007, 06:44:43 PM PST ) Permalink

Tuesday January 16, 2007

GlassFishV2: How to see WSS SOAP messages glassfish_v2_webservices debug messages

In GlassFish v2/ Sun Java System Application Server 9.1, one can see the SOAP messages dump in the client console by doing the following 2 simple steps:
1) Edit client container configuration file, sun-acc.xml   to have the log level above WARNING (default) level. Say set at INFO level log.

        <log-service file="" level="INFO"/>

2) Edit application client configuration file, sun-acc.xml to update the wss debug property from 'false' to 'true'. See the following highlighted.
Example. <glassfish-install>/domains/domain1/config/sun-acc.xml
      <property name="debug" value="true"/>

Now you can re-run the webservice client again and see that SOAP messages are dumped on to the client console with new security elements (<wsse:>)

Example [ sample client side snapshot]:

     Jan 16, 2007 8:33:06 AM com.sun.xml.wss.impl.filter.DumpFilter process
     INFO: ==== Sending Message Start ====
     <?xml version="1.0" encoding="UTF-8"?>
     <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding
/" xmlns:ns0="http://tax.org/wsdl" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instanc
e" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
     <env:Header>
     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustU
nderstand="1">
     <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:
Id="XWSSGID-1168965182525-287094422">
     <wsse:Username>j2ee</wsse:Username>
     <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">*
***</wsse:Password>
     </wsse:UsernameToken>
     </wsse:Security>
     </env:Header>
     <env:Body>
     <ns0:getStateTax>
     <double_1 xsi:type="xsd:double">85000.0</double_1>
     <double_2 xsi:type="xsd:double">5000.0</double_2>
     </ns0:getStateTax>
     </env:Body>
     </env:Envelope>
     ==== Sending Message End ====
         Jan 16, 2007 8:33:13 AM com.sun.xml.wss.impl.filter.DumpFilter process
     INFO: ==== Received Message Start ====
     <?xml version="1.0" encoding="UTF-8"?>
     <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding
/" xmlns:ns0="http://tax.org/wsdl" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instanc
e" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
     <env:Body>
     <ns0:getStateTaxResponse>
     <result xsi:type="xsd:double">24000.0</result>
     </ns0:getStateTaxResponse>
     </env:Body>
     </env:Envelope>
     ==== Received Message End ====

Posted by Jagadesh Babu Munta ( Jan 16 2007, 01:13:32 PM PST ) Permalink

Friday November 03, 2006

My Experience with AJAX Overall my experience showed AJAX is cool but need more effort than without. Hope more GUI based development and debugging tools available soon. [Read More] Posted by Jagadesh Babu Munta ( Nov 03 2006, 05:23:42 PM PST ) Permalink

Wednesday April 19, 2006

How is iMac and Windows on iMac - (Apple + Intel) After playing with Apple's new iMac, my observation is that the desktop is cool and fast compared to Apple's PowerMac. The GlassFish/Sun Java System Application Server worked great without any problems!

iMac need more time for reliability?

During my usage, I found some glitches with the OS/applications i) While rebooting, OS gone infinite loop with "Process Table Full" message on the console. I had to do the hard stop (power off) ii) In another instance, Mail application is not able to close normally. These issues, I never observed with PowerMac.

Windows installation on iMac?
There are some restrictions on windows OS with bootcamp installation on iMac, which allows to install Windows-XP with SP2 from single disc.

See the detailed instructions at bootcamp . Download the guide and things just worked fine except the following one odd thing!

Initially struggled with a volume licensed win-xp CD, which has 3 sub versions, like professional, home edition, tablet PC edition. The CD recognition is ok and displayed A. B. C. and asked to select one of the operating systems. But keyboard and mouse are not recognized!

Finally, used a single CD with single windows-xp SP2 software, then everything went fine as it is loading the minimum drivers automatically and stops at partitioning of the disks.

Enjoy!
Posted by Jagadesh Babu Munta ( Apr 19 2006, 05:24:20 PM PDT ) Permalink Comments [1]

Monday April 17, 2006

How to configure Security Manager ON/OFF? By default, the security manager is off on GlassFish, Sun Java System application server. One can enable the security manager by setting the following jvm option in the server configuration and restart the server.

-Djava.security.manager

If the development of the applications happend without security manager and later enabled in the production, there is a possibility that the application need more permissions. These permissions can be set in the domain's server.policy .

How to add JVM option?
Admin console --> http://localhost:4848/ goto ApplicationServer-> JVM Settings -> JVM Options -> Add JVM Option

It is better to test the applications with security manager to get the production ready applications.
Posted by Jagadesh Babu Munta ( Apr 17 2006, 05:01:24 PM PDT ) Permalink Comments [1]

Tuesday March 14, 2006

WSS security - new XWS providers Webservices providers configuration - latest changes
On latest glassfish or Sun Java System AppServer9 builds, you can observe more default providers in the domain configuration compared to my previous blog entry. This to separate the new providers with old providers supported in previous Sun JavaSystem Appserver 8.1 and maintain the backward compatibility with old developed applications.

These new providers are named as XWS_ServerProvider and XWS_ClientProvider, mainly added the following new features to the earlier providers. 1. By default username token is encrypted. 2. Dynamically determine the encryption key from the request at the server.

At application level, one can use the above providers or configure at server level by default using admin console or CLI.

Enjoy using the Glassfish or Sun Java System Appserver with latest Java EE standards for your applications! Posted by Jagadesh Babu Munta ( Mar 14 2006, 11:43:09 AM PST ) Permalink Comments [1]

Friday February 03, 2006

Applying security to webservice message layer on glassfish wss_security_blog In this entry, I am going to provide the basic information on "how one can use the webservices security using Glassfish/ Sun Java System Application Server" where webservices' soap messages can be protected without changing the webservices implementation or invocation code.

When the webservice client send the soap messages to the webservice endpoint, these soap messages are in clear text. In order to protect your messages from source (client) to destination (endpoint), AppServer providers the message layer security for webservices (uses WS-Security spec defined by OASIS) by injecting <wsse:Security> elements based on the configured policy mechanisms. Glassfish appserver by default configurs the required providers and users can enable and/or change the required policies. The default policy configured in the appserver is Signing (<wsse:BinarySecurityToken> ..<ds:Signature..>).

How to use the default message protection [using default configured policy (Signature) ]-

Here are the basic steps one can use and refer the appserver administration guide for more details on the commands and additional functionality.

1. Enable the server side providers
    Using Admin console-> http://localhost: <adminport>/
                         Go to (left frame. click on the nodes) ->Configuration->Security->Message Security-->SOAP
                         Select (right frame) Default Provider ->"Server Provider" from the dropdown list
                                    Default Client Provider ->"Client Provider" from the dropdown list
                          Click "Save" button (notice that values saved and Restart Required warning)

    Using asadmin CLI command [    Note that passfile contain "AS_ADMIN_PASSWORD=<password>"] :

i) <appserver>/bin/asadmin set --user <admin-user> --passwordfile <passwordfilepath> --port <admin-port> server-config.security-service.message-security-config.SOAP.default_provider=ServerProvider

ii) <appserver>/bin/asadmin set --user <admin-user> --passwordfile <passwordfilepath> --port <admin-port> server-config.security-service.message-security-config.SOAP.default_client_provider=ClientProvider

2. Restart the server
   i) Stop domain
    <appserver>/bin/asadadmin stop-domain <domain-name>
    Ex. /export/munta/as9/bin/asadadmin stop-domain domain1
   ii) Start domain
    <appserver>/bin/asadadmin start-domain <domain-name>
    Ex. /export/munta/as9/bin/asadadmin start-domain domain1

At this point all deployed or future deployed webservices are protected at message layer with Signing policy. Your client should match with the same policy as in the server and is by default no changes required.

3. Enable the clide side provider

    Edit client container configuration file, <admin.domain.dir>/<admin.domain>/sun-acc.xml   to add a client provider to the soap layer that matched the provider-id.
    Ex. /export/munta/as9/domains/domain1/config/sun-acc.xml   --> add the highlighted provider

<!DOCTYPE client-container ....
<client-container>
<target-server name="munta" address="munta" port="53700"/>
<log-service file="" level="WARNING"/>
<message-security-config auth-layer="SOAP" default-client-provider="ClientProvider">
        
        <provider-config class-name="com.sun.xml.wss.provider.ClientSecurityAuthModule" provider-id="ClientProvider" provider-type="client">
        <request-policy auth-source="content"/>
         <response-policy auth-source="content"/>
         <property name="security.config" value="/export/munta/as9pe/lib/appclient/wss-client-config-2.0.xml"/>
</provider-config>
</message-security-config>
</client-container>

4. Access the webservice appclient with following default keyStore and trustStore properties (using Signing or binary token) and point the -xml to the above xml path (by default it is point to domain1/config/sun-acc.xml)

     Set the following environment variable before access the appclient:

   VMARGS ="-Djavax.net.ssl.keyStore=<admin.domain.dir>/<admin.domain>/config/keystore.jks -Djavax.net.ssl.trustStore=<admin.domain.dir>/<admin.domain>/config/cacerts.jks"
Ex. setenv VMARGS "-Djavax.net.ssl.keyStore=/export/munta/as9/domains/domain1/config/keystore.jks -Djavax.net.ssl.trustStore=/export/munta/as9/domains/domain1/config/cacerts.jks"

*Your client will be running normally but messages are protected!

How do I know webservice messages are protected?

You can see the SOAP messages dump in the client console by doing the following 2 steps:
1) Edit client container configuration file, sun-acc.xml   to have the INFO level log.

        <log-service file="" level="INFO"/>

2) Edit client side wss security configuration file (don't edit any other elements in the file as this configuration file is mainly used by the server and transparant to the user!)
      at <appserver>/lib/appclient/wss-client-config-2.0.xml to the following highlighted.
Example. /export/munta/as9pe/lib/appclient/wss-client-config-2.0.xml

<xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config"
                            dumpMessages="true">

Now you can re-run the webservice client again and see that SOAP messages are dumped on to the client console with new security elements (<wsse:)

Example [ note: removed the content (filled with .....) to reduce the space]:

 Feb 3, 2006 7:26:11 PM com.sun.xml.wss.impl.filter.DumpFilter process
 INFO: ==== Sending Message Start ====
 <?xml version="1.0" encoding="UTF-8"?>
 <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://tax.org/wsdl" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <env:Header>
 <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
 <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="XWSSGID-11390235703121194903842">MIIClDCCAf0CBEPkDe4wDQYJKoZIhvcNAQEEBQAwgZAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpD
 .......
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 .......
 </wsse:Security>
 </env:Header>
 <env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1139023571163-313201494">
 .......
 </env:Body>
 </env:Envelope>
 ==== Sending Message End ====

 Feb 3, 2006 7:26:12 PM com.sun.xml.wss.impl.filter.DumpFilter process
 INFO: ==== Received Message Start ====
 <?xml version="1.0" encoding="UTF-8"?>
 <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://tax.org/wsdl" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <env:Header>
 <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
 <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="XWSSGID-1139023367140-550544941">MIIClDCCAf0CBEPkDe4wDQYJKoZIhvcNAQEEBQAwgZAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpD
 .......
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 .......
 </wsse:Security>
 </env:Header>
 <env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1139023571907-1675963724">
 .......
 </env:Body>
 </env:Envelope>

 ==== Received Message End ====

Posted by Jagadesh Babu Munta ( Feb 03 2006, 07:56:20 PM PST ) Permalink Comments [4]

About

Installing TX

Setup remote access to TX machine

Setup Labeled Zones

Run GlassFish Application Server

References

Acknowledgments

Calendar

RSS Feeds

Search

Links

Navigation

Referers

Sun	Mon	Tue	Wed	Thu	Fri	Sat
« October 2009
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30	31

Today