Comparison of Security features in GlassFish and SJSAS 8.x EE
Friday May 25, 2007
Security is essential, especially in the enterprise environment. In this blog, we compare the security features of the Profiles in GlassFish (GF) v2 and also note whether each feature is available in Sun Java System Application Server (SJSAS) 8.x Enterprise Edition. Note that the Enterprise Profile is not available in public yet and will be in beta around July 2007. More information on Profiles in GlassFish v2 can be found here.
| Feature | GlassFish v1 | GlassFish v2 Development Profile | GlassFish v2 Cluster Profile | GlassFish v2 Enterprise Profile | SJSAS 8.x EE |
|---|---|---|---|---|---|
| Support JSR 196 | no | yes | yes | yes | no |
| KeyStore for SSL | JKS | JKS | JKS | NSS | NSS |
| Key/Certificate management tools | keytool | keytool | keytool | certutil, pk12util, modutil | certutil, pk12util, modutil |
| Java Security Manager | off (default) | off (default) | on (default) | on (default) | on |
| Support JDBCRealm | yes | yes | yes | yes | no |
| SingleSignOn (SSO) | disabled (default) | disabled (default) | enabled (default) | enabled (default) | enabled (default) |
| Virtual Server Realms | no | yes | yes | yes | no |
With JDK 1.5 and NSS 3.11.4, the Enterprise Profile in GlassFish v2 and SJSAS 8.x EE (but not the GF v2 Cluster Profile) support the following:
- management of the PKCS#11 modules using modutil
- explicit reference to keys held in PKCS#11 providers for https or iiop/SSL listeners. (Note that with JDK 1.5 or later, one can add PKCS#11 providers to a given JDK, but those keys cannot be referenced by the current server.)
- Elliptic Curve algorithms for SSL and other crypto operations (requires the GlassFish v2 Enterprise Profile and JDK 1.6)
In SJSAS 8.2 EE and the coming GlassFish v2 Enterprise Profile, the server can use a private key stored in the Solaris 10 Softtoken. As an example, let us take a look at how to set up the Solaris 10 Softtoken.
- Initialize the Solaris 10 Softtoken password if you have not done so already:

  ```
  /bin/pktool setpin
  ```

- Register the Solaris 10 Softtoken with NSS:

  ```
  modutil -dbdir $SJSAS_HOME/domains/domain1/config -force -add "Solaris 10 Softtoken" -libfile /usr/lib/libpkcs11.so -mechanisms RSA:DSA
  ```

- Verify that the token was added properly and find out the corresponding token name:

  ```
  modutil -dbdir $SJSAS_HOME/domains/domain1/config -list
  ```

  A sample output is as follows:

  ```
  Using database directory ....

  Listing of PKCS #11 Modules
  -----------------------------------------------------------
    1. NSS Internal PKCS #11 Module
           slots: 2 slots attached
          status: loaded

           slot: NSS Internal Cryptographic Services
          token: NSS Generic Crypto Services

           slot: NSS User Private Key and Certificate Services
          token: NSS Certificate DB

    2. Solaris 10 Softtoken
          library name: /usr/lib/libpkcs11.so
           slots: 1 slot attached
          status: loaded

           slot: Sun Crypto Softtoken
          token: Sun Software PKCS#11 softtoken
  -----------------------------------------------------------
  ```

  In this case, the token name is "Sun Software PKCS#11 softtoken", and it is used in the subsequent commands.

- Create a private key and certificate in the Solaris 10 Softtoken:

  ```
  certutil -S -x -n mytestcert -t "u,u,u" -v 120 -s "cn=j2ee,ou=J2EE,o=Sun,L=Santa Clara,ST=California,C=US" -d $SJSAS_HOME/domains/domain1/config -h "Sun Software PKCS#11 softtoken"
  ```

  A sample output is as follows:

  ```
  Enter Password or Pin for "Sun Software PKCS#11 softtoken":

  A random seed must be generated that will be used in the
  creation of your key.  One of the easiest ways to create a
  random seed is to use the timing of keystrokes on a keyboard.

  To begin, type keys on the keyboard until this progress meter
  is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


  Continue typing until the progress meter is full:

  |************************************************************|

  Finished.  Press enter to continue:


  Generating key.  This may take a few moments...
  ```

- Change the `cert-nickname` to "Sun Software PKCS#11 softtoken:mytestcert" in your listeners.
- Restart the server; it will then prompt for the Solaris 10 Softtoken password as follows:

  ```
  Please enter password for NSS slot Sun Software PKCS#11 softtoken>
  ```
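The token name that `modutil -list` reports must be copied verbatim into the listener's `cert-nickname`, and a module that failed to load has no usable token. As an added example (not code from the original post), the shell below parses such a listing, here a constructed copy of the sample output above, to pull out the token name of a named, loaded module and assemble the `cert-nickname` value; the module and nickname names are the ones used in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Parses the output of
# "modutil -dbdir <dir> -list" to find the token name of a named, loaded
# PKCS#11 module, then builds the "<token>:<nickname>" value for the
# listener's cert-nickname. The listing below is a constructed copy of the
# sample output shown in the post; module and nickname names are the post's.

SAMPLE_MODUTIL_LIST='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. Solaris 10 Softtoken
        library name: /usr/lib/libpkcs11.so
         slots: 1 slot attached
        status: loaded

         slot: Sun Crypto Softtoken
        token: Sun Software PKCS#11 softtoken
-----------------------------------------------------------'

# token_name_for_module MODULE  (modutil listing on stdin)
# Prints the token name of MODULE's first slot; fails if the module is
# missing or its status is not "loaded", so a bad -add is caught here.
token_name_for_module() {
  awk -v want="$1" '
    /^[ \t]*[0-9]+\. / { sub(/^[ \t]*[0-9]+\. /, ""); inmod = ($0 == want); loaded = 0; next }
    inmod && /^[ \t]*status: /   { loaded = ($0 ~ /status: loaded[ \t]*$/); next }
    inmod && loaded && /^[ \t]*token: / {
      sub(/^[ \t]*token: /, ""); print; found = 1; exit
    }
    END { if (!found) exit 1 }
  '
}

# cert_nickname TOKEN NICKNAME -> value for the listener cert-nickname attribute
cert_nickname() {
  printf '%s:%s\n' "$1" "$2"
}

token=$(printf '%s\n' "$SAMPLE_MODUTIL_LIST" | token_name_for_module "Solaris 10 Softtoken") || exit 1
cert_nickname "$token" mytestcert   # → Sun Software PKCS#11 softtoken:mytestcert
```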