Interstage Application Server V7.0 Security System Guide
Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-4 Online Collation This function is used to control and store the user
Setting the User Authentication 3-5 Setting the User Authentication User authentication is set according to the following procedures. 1. Registering
Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-6 Editing the Environment Definition File To allow the users whose pass
Setting the User Authentication 3-7 Relating Directives • AuthName • AuthType • AuthUserFile • <Directory> • Require Relating Directives When u
Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-8 AuthName Name AuthName Synopsis AuthName 'title' Descripti
Setting the User Authentication 3-9 AuthUserFile Name AuthUserFile Synopsis AuthUserFile file-name Description Specifies the name of the password fil
Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-10 Require Name Require Synopsis Require valid-user|user user-name|gro
Setting the IP Access Control 3-11 Setting the IP Access Control For IP access control, you can allow only specified hosts to make access to directori
Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-12 Relating Directives When IP access control is used, the following di
Setting the IP Access Control 3-13 Description Specifies a host or network that is granted access to the directories. Specifying 'all' for t
Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-14 <Directory> Name <Directory> Synopsis <Directory dire
Setting the Online Collation Function 3-15 Setting the Online Collation Function Set the operation of the online collation function according to the f
Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-16 Operation without Using SSL Configuration Procedure 1 This section e
Setting the Online Collation Function 3-17 Configuration Procedure 3 (when Interstage HTTP Server and Smart Repository are on different systems) The f
Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-18 Setting the Directory Server Environment To use the online collation
Setting the Online Collation Function 3-19 Example of User Entry Configuration Figure 3-4 Creating User Entry Creating Group Entry Create the group
Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-20 Example of Group Entry Figure 3-5 Group Entry Configuration Set th
Setting the Online Collation Function 3-21 Setting 1: Operation without Using SSL Example Running the online collation function without using SSL, u
Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-22 Example Running the online collation function without using SSL,
Setting the Online Collation Function 3-23 Setting 2: Operation Using the SSL (setting for using an Interstage certificate environment or for using SS
Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-24 Example Running the online collation function without using SSL,
Setting the Online Collation Function 3-25 Setting 3: Operation Using the SSL (setting for using a certificate/key management environment configured w
Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-26 # Token label AuthLDAPTknLbl token01 # User PIN file
Setting the Online Collation Function 3-27 # (389:optional value for not using SSL, 636:optional value for using SSL) AuthLDAPPort 636
Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-28 • <Directory> • Group • LoadModule • Require • User Relating D
Setting the Online Collation Function 3-29 Module Name of the module that implements the directive function. A directive with no module name indicati
Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-30 Description Specifies the name of the tree that is storing informati
Setting the Online Collation Function 3-31 AuthLDAPBindPassword Name AuthLDAPBindPassword Synopsis AuthLDAPBindPassword BindPassword Description When
Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-32 Module mod_ldap AuthLDAPEnabled Name AuthLDAPEnabled Synopsis AuthL
Setting the Online Collation Function 3-33 Default Value localhost Module mod_ldap AuthLDAPPort Name AuthLDAPPort Synopsis AuthLDAPPort Port-number
Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-34 Description Specifies whether to use SSL for the operation of the on
Setting the Online Collation Function 3-35 AuthLDAPTknLbl Name AuthLDAPTknLbl Synopsis AuthLDAPTknLbl token-label Description Specifies the token lab
Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-36 AuthName Name AuthName Synopsis AuthName 'title' Descript
Setting the Online Collation Function 3-37 <Directory> Name <Directory> Synopsis <Directory directory-path> ... </Directory> D
Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-38 Default Value None #-1 Note Group ID operates as 4294967295 when
Setting the Online Collation Function 3-39 Module mod_so Require Name Require Synopsis Require valid-user|user user-name|group group-name Descriptio
Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-40 Examples To authenticate a user 'taro': Require user ta
Setting the Online Collation Function 3-41 User Name User Synopsis User userID Description Specifies the name of the user who executes the server
Part III Firewall and Proxy Server
4-1 Chapter 4 HTTP Tunneling This chapter describes HTTP Tunneling. Note HTTP tunneling can be used with the following products running in the Wind
Chapter 4: HTTP Tunneling 4-2 HTTP Data Communication Using HTTP Tunneling In HTTP tunneling, data communication using the HTTP protocol can be condu
HTTP Data Communication Using HTTP Tunneling 4-3 Developing the CORBA Application When HTTP tunneling is used by a CORBA application, the ordinary COR
Chapter 4: HTTP Tunneling 4-4 HTTP Tunneling Setup This section describes the procedure for setting the environment when using the HTTP tunneling in
HTTP Tunneling Setup 4-5 (1) Using Interstage HTTP Server Copy the following file (the installation path is the default) to the modules directory of
Chapter 4: HTTP Tunneling 4-6 Notes • When the Web server is Interstage HTTP Server, messages od40001 and od40002 are not output. (2) Using InfoP
HTTP Tunneling Setup 4-7 For IIS 6.0: 1. Select [Control Panel] > [Administrative Tools] > [Internet Information Services (IIS) Manager] to sta
Chapter 4: HTTP Tunneling 4-8 <applet code="Sample.class" width=280 height=300> <param name=ORB_FJ_HTTP value=yes> <pa
HTTP Tunneling Setup 4-9 Parameter Name Meaning Specify the cgi ID if Web Server is used. If using Internet Information Services, specify the alia
Chapter 4: HTTP Tunneling 4-10 Application Other than the Java Applet Specify the parameter in the following way when a client application (sample_c)
HTTP Tunneling Setup 4-11 <applet code="Sample.class" width=300 height=250> <PARAM NAME=ORB_FJ_HTTP VALUE=yes> <PARAM NAME=
Chapter 4: HTTP Tunneling 4-12 <PARAM NAME=ORB_FJ_SSL VALUE=yes> <PARAM NAME=ORB_FJ_HTTPGW VALUE=http://host.com/od-httpgw> </applet
HTTP Tunneling Setup 4-13 Setting to be Made When an HTTP Proxy Server is to be Used When performing HTTP tunneling through an HTTP proxy server in th
5-1 Chapter 5 HTTP Tunneling of J2EE This chapter describes the HTTP Tunneling of J2EE. HTTP tunneling for J2EE can be used with the following: •
Chapter 5: HTTP Tunneling of J2EE 5-2 Use of HTTP Tunneling in J2EE Application Client To use HTTP tunneling with a J2EE application client, specify
Use of HTTP Tunneling in J2EE Application Client 5-3 The environment property in which the gateway is specified is shown in Table 5-1. Table 5-1 Envi
Chapter 5: HTTP Tunneling of J2EE 5-4 (1) For Interstage HTTP Server http://ipv4address_host-name/url-name http://ipv4address_host-name:Port_numb
Method for Using HTTP Tunneling with IJServer (Contains Web Applications Only) 5-5 Method for Using HTTP Tunneling with IJServer (Contains Web Applica
Chapter 5: HTTP Tunneling of J2EE 5-6 Method for Using HTTP Tunneling with Java Applets When Java applets start, HTTP tunneling is specified with par
6-1 Chapter 6 Linkage of the Proxy This chapter describes the linkage of the Proxy.
Chapter 6: Linkage of the Proxy 6-2 Linkage of the Proxy and SOAP Service SOAP service can be used with the following products: • Interstage Applica
Part IV Authentication and Encrypted Communications through Support for SSL This part of the manual explains how to perform encryption communication
Table 7-1 shows which service can support which environment. Table 7-1 Services and Environments Service name Interstage certificate environment Cer
7-1 Chapter 7 Setting and Use of the Interstage Certificate Environment This chapter explains what is required for signature and encryption processi
Chapter 7: Setting and Use of the Interstage Certificate Environment 7-2 Certificates and Private Keys This section explains certificates and private
Certificates and Private Keys 7-3 Table 7-2 shows the situations in which certificates including UTF-8 cannot be used. If a certificate including UTF
Chapter 7: Setting and Use of the Interstage Certificate Environment 7-4 CA (Certification Authority) The CA (Certification Authority) is required to
Configuring Environments 7-5 Configuring Environments The Interstage Certificate Environment is an environment in which certificates, private keys, an
Chapter 7: Setting and Use of the Interstage Certificate Environment 7-6 Using PKCS#12 Data Use PKCS#12 data when a private Certification Authority i
Configuring Environments 7-7 Note • Execute the commands as a superuser. • For effective users to be registered in the Interstage certificate enviro
Chapter 7: Setting and Use of the Interstage Certificate Environment 7-8 Configuring the Interstage Certificate Environment with CSR This section des
Configuring the Interstage Certificate Environment with CSR 7-9 Configuring an Interstage Certificate Environment and Creating a Certificate Signing R
Chapter 7: Setting and Use of the Interstage Certificate Environment 7-10 The services listed below are concerned: − Interstage SOAP Service − Smar
Configuring the Interstage Certificate Environment with CSR 7-11 Registering the CA Certificate Register the obtained CA certificate. An example of re
Chapter 7: Setting and Use of the Interstage Certificate Environment 7-12 Registering the Certificate of Another Reliable Site Register the certifica
Configuring the Interstage Certificate Environment with PKCS#12 7-13 Configuring the Interstage Certificate Environment with PKCS#12 This section desc
Chapter 7: Setting and Use of the Interstage Certificate Environment 7-14 Registering PKCS#12 Data, Certificates, and CRLs Register the PKCS#12 data,
Configuring the Interstage Certificate Environment with PKCS#12 7-15 Importing the PKCS#12 data Import the site certificate and private key delivered
Chapter 7: Setting and Use of the Interstage Certificate Environment 7-16 Registering a CRL Register the obtained CRL. An example of registration is
Configuring Certificate Settings 7-17 Configuring Certificate Settings After configuring the Interstage certificate environment, you need to make the
Chapter 7: Setting and Use of the Interstage Certificate Environment 7-18 • CORBA Service [System] > [Environment setup] tab > [Detail setting]
Certificate Management 7-19 Certificate Management After system operation begins, certificates, private keys, and CRLs must be correctly managed. The
Chapter 7: Setting and Use of the Interstage Certificate Environment 7-20 If a New Certificate and CRL are Obtained If a new certificate is issued or
8-1 Chapter 8 Setting and Use of the Certificate/Key Management Environment Using the SMEE Command This chapter describes the requirements for SSL c
Chapter 8: Setting and Use of the Certificate/Key Management Environment Using the SMEE Command 8-2 SSL Libraries Used with the Certificate/Key Manag
SSL Libraries Used with the Certificate/Key Management Environment 8-3 SSL Library SMEE2 SMEE3 CORBA Service X O Certificate/Key Management Env
Chapter 8: Setting and Use of the Certificate/Key Management Environment Using the SMEE Command 8-4 In addition, you can import PKCS#12 data exported
SSL Libraries Used with the Certificate/Key Management Environment 8-5 Figure 8-2 Relationship between Slot, Token and Private Key The slot password
Chapter 8: Setting and Use of the Certificate/Key Management Environment Using the SMEE Command 8-6 3. Register the certificate and CRL. − Register
SSL Libraries Used with the Certificate/Key Management Environment 8-7 Creating a Certificate/Key Management Environment Create a certificate/key mana
Chapter 8: Setting and Use of the Certificate/Key Management Environment Using the SMEE Command 8-8 mkslt -sd d:\sslenv\slot #Generation and init
SSL Libraries Used with the Certificate/Key Management Environment 8-9 Creating a Private Key and Acquiring a Certificate Make a request to issue a ce
Chapter 8: Setting and Use of the Certificate/Key Management Environment Using the SMEE Command 8-10 Registering the Certificate and CRL Register the
SSL Libraries Used with the Certificate/Key Management Environment 8-11 The example below assumes the site certificate is contained in /export/hom
Chapter 8: Setting and Use of the Certificate/Key Management Environment Using the SMEE Command 8-12 Obtaining the Client Certificate To obtain a cli
SSL Libraries Used with the Certificate/Key Management Environment 8-13 The following shows the procedure for migration: 1. Search for existing resou
Chapter 8: Setting and Use of the Certificate/Key Management Environment Using the SMEE Command 8-14 The example below assumes the newly created Cer
SSL Libraries Used with the Certificate/Key Management Environment 8-15 Management of a Certificate/Key Management Environment Because each user certi
Security System Guide - Preface ii Trademarks Trademarks of other companies are used in this user guide only to identify particular products or system
9-1 Chapter 9 How to Use SSL with Interstage HTTP Server This chapter explains how to use the SSL for the Interstage HTTP Server. The Interstage HTT
Chapter 9: How to Use SSL with Interstage HTTP Server 9-2 Setting SSL for Interstage Certificate Environments To use SSL for an Interstage certificat
Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-3 Setting SSL for Certificate/Key Management Environments
Chapter 9: How to Use SSL with Interstage HTTP Server 9-4 Example When the user PIN (dialog input) is encrypted and registered to the user PIN mana
Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-5 ServerName main.example.com # Using SSL SSLExec on # SS
Chapter 9: How to Use SSL with Interstage HTTP Server 9-6 # Server name ServerName main.example.com # User of creating a certificate/key management
Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-7 # Slot information directory SSLSlotDir d:/ssl/slotdir
Chapter 9: How to Use SSL with Interstage HTTP Server 9-8 SSLVersion 2-3 # Level of client certification SSLVerifyClient require # Operation
Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-9 # # Virtual host not using SSL (Port number: 80) # # Se
Part I Security Risks and Measures If the system security is violated, unauthorized access by malicious attackers can cause interference and unautho
Chapter 9: How to Use SSL with Interstage HTTP Server 9-10 # Nickname of the site certificate SSLCertName cert_for_manager # Nickname of the cl
Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-11 Relating Directives The following directives are relat
Chapter 9: How to Use SSL with Interstage HTTP Server 9-12 AddModule Name AddModule Synopsis AddModule module [module] ... Description Enables read m
Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-13 CustomLog Name CustomLog Synopsis CustomLog “|ihsrlog-c
Chapter 9: How to Use SSL with Interstage HTTP Server 9-14 Initial value CustomLog "|ihsrlog -s logs/accesslog 1 5" common Cu
Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-15 Example Accesses "/usr/web/index.html" when s
Chapter 9: How to Use SSL with Interstage HTTP Server 9-16 ErrorLog "|/opt/FJSVihs/bin/ihsrlog -s /var/opt/FJSVihs/logs/errorlog 1 5"
Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-17 Listen Name Listen Synopsis Listen [IP-address:]port D
Chapter 9: How to Use SSL with Interstage HTTP Server 9-18 %l Personal information of a user returned from a client %{Cookie}n Client IP address and
Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-19 Port Name Port Synopsis Port port-number Description T
Chapter 9: How to Use SSL with Interstage HTTP Server 9-20 Initial value ScriptAlias /cgi-bin/ "C:/Interstage/F3FMihs/cgi-bin/"
Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-21 Context Global context, Virtual host Default value none
Chapter 9: How to Use SSL with Interstage HTTP Server 9-22 SetEnvIf Name SetEnvIf Synopsis SetEnvIf attribute attribute-value environment-variable[
Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-23 Synopsis SSLCertName nickname Description Specifies the
Chapter 9: How to Use SSL with Interstage HTTP Server 9-24 SSLCipherSuite Name SSLCipherSuite Synopsis SSLCipherSuite encryption-method Description
Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-25 Point The encryption types shown in the encryption meth
Chapter 9: How to Use SSL with Interstage HTTP Server 9-26 SSLEnvDir Name SSLEnvDir Synopsis SSLEnvDir operation-control-directory-name Description S
Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-27 Default value off Module mod_ihs_ssl SSLSlotDir Name SS
Chapter 9: How to Use SSL with Interstage HTTP Server 9-28 Context Global context Default value none Module mod_ihs_ssl SSLUserPINFile Name SSLUserPI
Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-29 SSLVerifyClient Name SSLVerifyClient Synopsis SSLVerify
1-1 Chapter 1 Security Risks This chapter explains the resources to be protected (protection target resources), possible threats to the protection t
Chapter 9: How to Use SSL with Interstage HTTP Server 9-30 SSLVersion Name SSLVersion Synopsis SSLVersion [2|3|2-3] Description Specifies the version
Setting SSL for Certificate/Key Management Environments Configured with the SMEE Commands 9-31 User Name User Synopsis User userID Description Spe
Chapter 9: How to Use SSL with Interstage HTTP Server 9-32 <VirtualHost> Name <VirtualHost> Synopsis <VirtualHost> address[:port]
10-1 Chapter 10 How to Use SSL with the CORBA Service Client-server application linkage using the CORBA Service enables encrypted communication via
Chapter 10: How to Use SSL with the CORBA Service 10-2 Use the following procedure to add executing user access authority to the certificate/key mana
SSL Linkage of the CORBA Service 10-3 SSL Linkage of the CORBA Service The SSL linkage function of the CORBA Service performs encrypted communication
Chapter 10: How to Use SSL with the CORBA Service 10-4 Constructing SSL Linkage Environment To perform encryption communication using SSL, the follow
SSL Linkage of the CORBA Service 10-5 Operating the SSL Linkage The application linkage that uses SSL can be performed by accessing the server applica
Chapter 10: How to Use SSL with the CORBA Service 10-6 CORBA Server Environment Setup Configure an Interstage certificate environment, or configure a
SSL Environment Setup in Client 10-7 SSL Environment Setup in Client To use an Interstage certificate environment, set an SSL environment using the I
Chapter 1: Security Risks 1-2 Interstage Management Console and Interstage Operation Tool The Interstage Management Console and the Interstage Operat
Chapter 10: How to Use SSL with the CORBA Service 10-8 Example Define a private key/certificate in the CORBA Service. odsetSSL -sd C:\slot -ed C:
Environment Setup for Event Service 10-9 Environment Setup for Event Service The Event Service can be used with the following products: • Interstage
Chapter 10: How to Use SSL with the CORBA Service 10-10 For Dynamic Generation and Operation (for Environment Setting using the Event Service Operati
11-1 Chapter 11 How to Use SSL with J2EE This chapter describes how to use SSL with J2EE.
Chapter 11: How to Use SSL with J2EE 11-2 Environment Setup for Servlet Service This section explains how to operate the Interstage Management Consol
Environment Setting for EJB Service 11-3 Environment Setting for EJB Service When using SSL linkage, use the Interstage Management Console to set encr
Chapter 11: How to Use SSL with J2EE 11-4 Environment Setting for Interstage JMS Interstage JMS can be used with the following products. • Interstag
12-1 Chapter 12 Using SSL for Smart Repository Smart Repository supports encrypted communication using SSL. This chapter explains SSL communication
Chapter 12: Using SSL for Smart Repository 12-2 SSL linkage Environment Setup To implement encrypted communication using SSL between a Smart Reposi
Environment Setup for Using SSL between Smart Repository Client and Server 12-3 Environment Setup for Using SSL between Smart Repository Client and
Interstage Management Console and Interstage Operation Tool 1-3 Possible Security Risks to Resources The following describes possible security threats
Chapter 12: Using SSL for Smart Repository 12-4 Environment Setup for Using SSL between Master and Slave in Smart Repository Replication Operation
Part V Security Systems for Web Services (SOAP)
13-1 Chapter 13 Security Functions for Web Services (SOAP) Security at the SOAP message level can be ensured by using the digital signature (SOAP di
Chapter 13: Security Functions for Web Services (SOAP) 13-2 Digital Signature Function The digital signature (SOAP digital signature) function is use
Encryption Function of SOAP Messages 13-3 Encryption Function of SOAP Messages The encryption (XML encryption) function is used to encrypt communicati
Chapter 13: Security Functions for Web Services (SOAP) 13-4 Reliable Messaging Function and Non-repudiation Function The reliable messaging function
Attachment Function of the User ID/Password to SOAP Messages 13-5 Attachment Function of the User ID/Password to SOAP Messages The attachment function
Chapter 13: Security Functions for Web Services (SOAP) 13-6 Communication via the Proxy Client applications could exchange SOAP messages with a Web s
14-1 Chapter 14 How to Prepare PKI Environment for Web Services (SOAP) To allow the Web service to use SSL encrypted communication, SOAP digital sig
Chapter 1: Security Risks 1-4 Countermeasures Against Exploitation of User IDs and Passwords In an environment open to limited users like an intranet
Chapter 14: How to Prepare PKI Environment for Web Services (SOAP) 14-2 Configuring a Certificate Environment on the Server System This section expla
Configuring a Certificate Environment on the Server System 14-3 Alternatively, from the Interstage Management Console, select [System] > [WorkUnits
Chapter 14: How to Prepare PKI Environment for Web Services (SOAP) 14-4 Relations between Certificate Environment and Application Operation Applicati
Configuring an Old Certificate Environment or Client Certificate Environment 14-5 Configuring an Old Certificate Environment or Client Certificate Env
Chapter 14: How to Prepare PKI Environment for Web Services (SOAP) 14-6 Table 14-4 Environment Variable Settings Environment variable Description
Constructing a Key Pair/Certificate Management Environment 14-7 Constructing a Key Pair/Certificate Management Environment If the security function is
Chapter 14: How to Prepare PKI Environment for Web Services (SOAP) 14-8 In the following cases the creation of a key pair and the acquisition of a si
Constructing a Key Pair/Certificate Management Environment 14-9 Example If SystemWalker/PkiMGR is the certification authority. Example 1. Create a We
Chapter 14: How to Prepare PKI Environment for Web Services (SOAP) 14-10 • Root certificates issued by Japan Certification Services Inc. − SecureSig
Constructing a Key Pair/Certificate Management Environment 14-11 Example Register the site certificate and certification authority certificate with th
J2EE Application 1-5 J2EE Application This section gives an overview of security risks in J2EE applications. Generally, a J2EE application performs op
Chapter 14: How to Prepare PKI Environment for Web Services (SOAP) 14-12 Example 2. Create a Web service security environment information file and
Constructing a Key Pair/Certificate Management Environment 14-13 The following certificates are stored in the certificate management file as the root
Chapter 14: How to Prepare PKI Environment for Web Services (SOAP) 14-14 Registering Site Certificates of the Communication Parties When encrypting m
Using a CORBA/SOAP Gateway 14-15 Using a CORBA/SOAP Gateway If SSL encrypted communication is to be performed in a system environment using a CORBA/SO
15-1 Chapter 15 User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) This chapter explains how to use user authent
Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-2 Setting User Authentication for SOAP Messages
Setting User Authentication for SOAP Messages 15-3 Figure 15-1 Web Service Configuration Edit Tool • Web service identifier Enter the identifier of
Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-4 • Request transmission setting: destination
Setting User Authentication for SOAP Messages 15-5 Business Server Environment Setup The server system that implements a Web service to execute user a
Chapter 1: Security Risks 1-6 Resources to be Protected The following table lists the resources that are used when the corresponding function availab
Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-6 Notes • Without the single sign-on function
Setting User Authentication for SOAP Messages 15-7 Figure 15-2 Entering User Authentication information
Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-8 • Web service identifier Enter the identifie
Settings for the SOAP Digital Signature 15-9 Settings for the SOAP Digital Signature This section explains the following topics: • Generating a SOAP
Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-10 _ap.setContentType("image/jpeg")
Settings for the SOAP Digital Signature 15-11 • Web service identifier Enter the identifier of the Web service. For information on how to specify the
Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-12 Notes • If the SOAP digital signature gener
Settings for the SOAP Digital Signature 15-13 Specifying the Signature Target Using XPath Filtering If XPath is specified, nodes for which the result
Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-14 Figure 15-4 Web Service Information Edit T
Settings for the SOAP Digital Signature 15-15 • [Client Function]: Response Receiving setup: SOAP signature verification Set whether to verify the SO
J2EE Application 1-7 Function Resource to be protected Execution environment setup for Servlet and EJB IJServer environment definition file Execution
Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-16 Settings for the XML Encryption This section
Settings for the XML Encryption 15-17 Figure 15-5 Settings for Encryption using the XML Encryption • Web service identifier Enter the identifier of
Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-18 • [Client Function]: Request Sending setup:
Settings for the XML Encryption 15-19 Specifying the Encryption Target The following two types of encryption target can be specified for encryption us
Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-20 • descendant::*[local-name()='ResponseB
Settings for the XML Encryption 15-21 Settings for Decryption Using the XML Encryption The Web Service Information Edit Tool is used to make the setti
Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-22 • Web service role (actor) name Specify the
Fault Codes 15-23 Fault Codes In addition to the faults defined in the “Implementing Messaging Applications” and “Implementing RPC Applications” secti
Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-24 The following fault code belongs to the name
Supported Algorithms 15-25 Supported Algorithms The high-reliability Web service supports the following algorithms. The namespace prefix "wsse
Security System Guide - Preface iii Preface Purpose of this Document This manual provides information on how to set up and operate a secure Interstage
Chapter 1: Security Risks 1-8 Resource to be protected Possible threat IJServer log file Tampering of data recorded in the file Exploitation of inf
Chapter 15: User Authentication, SOAP Digital Signature and XML Encryption for Web Services (SOAP) 15-26 Verifying the SOAP Digital Signature • Diges
Supported Algorithms 15-27 Items Related to WS-Security • Security token − wsse:BinarySecurityToken − wsse:UsernameToken • Encoding method − wsse:
16-1 Chapter 16 How to Use Reliable Messaging Function for Web Services (SOAP) This chapter explains how to use the Reliable Messaging function with
Chapter 16: How to Use Reliable Messaging Function for Web Services (SOAP) 16-2 PUSH Model (Receiving Messages by the Server System) In the PUSH mod
PUSH Model (Receiving Messages by the Server System) 16-3 Next, prepare a public key for the sender client. Since the sender client also needs the pu
Chapter 16: How to Use Reliable Messaging Function for Web Services (SOAP) 16-4 Figure 16-1 Reliable Messaging PUSH Screen - Deploying the Receiver
PUSH Model (Receiving Messages by the Server System) 16-5 • Message type ID Specify the ID that represents the type of message agreed upon with the s
Chapter 16: How to Use Reliable Messaging Function for Web Services (SOAP) 16-6 Preparing a Key Pair and Public Key Used by the Sender Client This se
PUSH Model (Receiving Messages by the Server System) 16-7 Figure 16-2 Reliable Messaging PUSH Screen - Deploying the Sender Application dialog • W
J2EE Application 1-9 Possible Countermeasures The following outlines possible countermeasures against security risks. For further details, refer to t
Chapter 16: How to Use Reliable Messaging Function for Web Services (SOAP) 16-8 • Receiver ID (Receiver server ID) Specify the ID of the receiver se
PULL Model (Receiving Messages by the Client System) 16-9 PULL Model (Receiving Messages by the Client System) In the PULL model, the sender applicat
Chapter 16: How to Use Reliable Messaging Function for Web Services (SOAP) 16-10 The following shows an example of command execution to output the pu
PULL Model (Receiving Messages by the Client System) 16-11 • Web service identifier Identifies the receiver application. For details on how to specif
Chapter 16: How to Use Reliable Messaging Function for Web Services (SOAP) 16-12 Notes The Sender server ID, Receiver client ID, and message type ID
PULL Model (Receiving Messages by the Client System) 16-13 Figure 16-4 Reliable Messaging PULL Screen - Deploying the Receiver Application dialog •
Chapter 16: How to Use Reliable Messaging Function for Web Services (SOAP) 16-14 • Message type ID Specify the ID that represents the type of messag
Part VI Security Systems for the ebXML Message Service The ebXML Message Service can be used with the following Windows(R) system or Solaris OE sy
17-1 Chapter 17 How to use SSL with the ebXML Message Service This chapter explains how to use SSL with the ebXML Message Service. With the ebXML Mes
Chapter 1: Security Risks 1-10 Countermeasures Against Damage to Data There are some J2EE applications that use databases. For this type of applicat
18-1 Chapter 18 How to use XML Digital Signature with ebXML Message Service This chapter explains how to use the XML digital signature with the ebXM
Index-1 Index access control, B-4 Acquiring and Registering Certificates (for both the Server and Client), 10-4 Append a User Name and a Password, 15-
Security System Guide - Index Index-2 Configuring the Interstage Certificate Environment with CSR, 7-8 Configuring the Interstage Certificate Environm
Security System Guide - Index Index-3 parameters, 4-8 setup, 4-8 writing HTML, 4-7 HTTP Tunneling Setup, 4-4 HTTP-IIOP gateway, 4-4 IJServer execution
Security System Guide - Index Index-4 threat countermeasures, 1-9 J2EE deployment tool security measures, 2-15 unauthorized resource file access, 2-15
Security System Guide - Index Index-5 CORBA Service, A-4 EJB Service, A-16 EJB Service operation, A-18 environment, A-17 environment construction, A-1
Security System Guide - Index Index-6 Settings for Encryption Using the XML Encryption, 15-16 Settings for the Generation of the SOAP Digital Signatur
Web Services 1-11 Web Services Web services can be used with the following products: • Interstage Application Server Enterprise Edition • Interstage
Chapter 1: Security Risks 1-12 Database Linkage Service The Database Linkage Service can be used with the following products: • Interstage Applicati
Database Linkage Service 1-13 Resources to be Protected The following table lists the resources used when the database linkage service is used. If hi
Chapter 1: Security Risks 1-14 The following describes the locations of the resources to be protected: • Folder storing the OTS system information
Database Linkage Service 1-15 Possible Threats to Resources The following describes the possible security risks to the database linkage service: Table
Chapter 1: Security Risks 1-16 Countermeasures Against Threats For the database linkage service, the following are effective measures against securit
Database Linkage Service 1-17 Using only the authorization of the selected users, start construction of the environment and operation of the database
Security System Guide - Preface iv Organization of this Document This document is organized as follows: Part I Security Risks and Measures • Chapter
Chapter 1: Security Risks 1-18 Periodic Backup If you back up information periodically, you can restore the environment even if the information is tam
OLTP Function 1-19 OLTP Function The OLTP function can be used with the following products: • Interstage Application Server Enterprise Edition • Int
Chapter 1: Security Risks 1-20 Resources to be Protected The following table lists the resources when an OLTP application is used. If high security
OLTP Function 1-21 Possible Threats to Resources The following describes the possible security threats posed to resources to be protected in operation
Chapter 1: Security Risks 1-22 Resource to be protected Possible threat Naming Service for load balance Tampering of data recorded in the file Expl
OLTP Function 1-23 Countermeasures Against Tampering of Data Recorded in the File There are environment definition files and other such files in the o
Chapter 1: Security Risks 1-24 Smart Repository The Smart Repository function can be used with the following products: • Interstage Application Serv
Smart Repository 1-25 Potential Security Threats The following indicates the potential security threats to the resources requiring Smart Repository pr
Chapter 1: Security Risks 1-26 Password Encryption When an entry search is requested from a client to Smart Repository, the password included in an
Smart Repository 1-27 Periodic Data Backup By performing data backup periodically, the environment can be restored even if information is altered thro
Security System Guide - Preface v Part V Security Systems for Web Services (SOAP) • Chapter 13 Security Functions for Web Services (SOAP) This chapt
Chapter 1: Security Risks 1-28 Interstage Single Sign-on This section explains the security threats for Interstage single sign-on and the countermeas
Interstage Single Sign-on 1-29 Possible Threats This section explains the possible threats when using Interstage Single Sign-on. Deleting, Rewriting,
Chapter 1: Security Risks 1-30 Application Risk Interstage Single Sign-on stores important information in the Web browser cookie. The attacker could
Interstage Single Sign-on 1-31 Protecting Communication Contents Encryption is an effective way of protecting communication contents from being rewrit
Chapter 1: Security Risks 1-32 Difficult-to-guess Password Use a password that cannot be easily guessed by others or identified mechanically by some
Interstage Single Sign-on 1-33 Operating and Managing a Business Server To prevent unauthorized access to the protection resources of the business ser
Chapter 1: Security Risks 1-34 For Java Applications Using Single Sign-on JavaAPIs Possible threat Action Application alteration - Periodically ch
Multi Server Management 1-35 Multi Server Management This section describes how to deal with security threats using Multi Server Management. The Admin
Chapter 1: Security Risks 1-36 Configuration Model When using Multi Server Management, the LAN for the flow of the actual business data and the LAN f
Multi Server Management 1-37 Figure 1-2 Multi Server Management Configuration Model In a typical Multi Server Management configuration, one Admin Se
Chapter 1: Security Risks 1-38 Resources to be Protected This section describes the resources to be protected when Multi Server Management is used. F
Multi Server Management 1-39 Threat Prevention The following table lists countermeasures that can be taken against possible security risks. Table 1-14
Chapter 1: Security Risks 1-40 Countermeasures Against Exploitation of Information Recorded in Files The information required for operation of the In
Configuration Management Function 1-41 Configuration Management Function This section describes how to deal with security threats using the Configurat
Chapter 1: Security Risks 1-42 Resources to be Protected The following resources are used in the Interstage Management Console. If advanced security
Configuration Management Function 1-43 Countermeasures Against Overwriting Information Recorded in Files Various items of Interstage information are s
2-1 Chapter 2 Security Measures Generally, the services alone cannot completely protect resources from security attacks. Taking operational measure
Chapter 2: Security Measures 2-2 Common Security Measures This section explains the following topics: • Notes on User Accounts • Backup • Notes on
Security Measures for Interstage Operation Tool 2-3 Security Measures for Interstage Operation Tool The Interstage Operation Tool can be used with the
vii Table of Contents Chapter 1 Security Risks Interstage Management Console and Interstage Operation Tool...
Chapter 2: Security Measures 2-4 Security Measures for Operation of the Web Server (Interstage HTTP Server) This section explains the following topic
Security Measures for Operation of the Web Server (Interstage HTTP Server) 2-5 • IP access control: It is possible to permit access only to specific
Chapter 2: Security Measures 2-6 Risk of Exploiting the HTTP TRACE Method Malicious users (or machines) on the network may read private information i
Security Measures for Operation of the Web Server (Interstage HTTP Server) 2-7 LoadModule rewrite_module libexec/mod_rewrite.so AddModule mod_re
Chapter 2: Security Measures 2-8 Making all documents, except for “user3” and “user4”, under “user home directory/public_html” public. UserDir pub
Security Measures for Operation of the Web Server (InfoProvider Pro) 2-9 Security Measures for Operation of the Web Server (InfoProvider Pro) The I
Chapter 2: Security Measures 2-10 Security Measures for the Servlet Service This section explains the following topics: • Notes on the Use of Sessio
Security Measures for the Servlet Service 2-11 Notes on Communication Data Possible threats to communication between the Web server connector and Serv
Chapter 2: Security Measures 2-12 Security Measures for the EJB Service This section gives an outline of security risks when the EJB service is used.
Security Measures for the EJB Service 2-13 Possible Threats to Resources The following countermeasures can defend EJB Service against security invasio
Security System Guide: Table of Contents viii Operations Confined to Specific Users...
Chapter 2: Security Measures 2-14 Selection of Specific Users By fixing the operators of the entire system to a pre-specified set of users, you can p
Security Measures for J2EE Deployment Tool 2-15 Security Measures for J2EE Deployment Tool This section explains the following topic: • Unauthorized Ac
Chapter 2: Security Measures 2-16 Security Measures for the J2EE Resource Access Definition This section explains the following topic: • Leakage of
Security Measures for Interstage JMS 2-17 Security Measures for Interstage JMS Interstage JMS can be used with the following products: • Interstage A
Chapter 2: Security Measures 2-18 Security Measures for CORBA Service This section explains the following topics: • Unauthorized Access to Resource
Security Measures for CORBA Service 2-19 These files may be exposed to the threat of unauthorized access from an ill-intentioned person. To protect th
Chapter 2: Security Measures 2-20 Security Measures for Portable-ORB Portable-ORB can be used with the following products: • Interstage Application
Security Measures for Portable-ORB 2-21 Notes on Creation and Operation of Java Applet Be careful about the following points when creating and operati
Chapter 2: Security Measures 2-22 Security Measures for Event Service Event service can be used with the following products: • Interstage Applicatio
Security Measures for IJServer Operation 2-23 Security Measures for IJServer Operation IJServer is an operating environment for J2EE applications. Una
Security System Guide - Table of Contents ix Setting Access Permission for Operating Resources...
Chapter 2: Security Measures 2-24 Security Measures Concerning Operation of Smart Repository Smart Repository can be used with the following products
Security Measures for Fujitsu Enabler 2-25 Security Measures for Fujitsu Enabler This section explains how to configure the security settings for the
Chapter 2: Security Measures 2-26 Measures for Multi server Management This section explains the use of "roles" in Multi server Management.
Measures for Configuration Manager 2-27 Measures for Configuration Manager This section explains the security measures for the Configuration Manager.
Part II Authentication and Access Control
3-1 Chapter 3 Authentication and Access Control for the Interstage HTTP Server This chapter describes the authentication and access control that Int
Chapter 3: Authentication and Access Control for the Interstage HTTP Server 3-2 Types of Authentication There are three types of authentication, as s
Types of Authentication 3-3 Remarks When SSL is used between the client and the server for user authentication, the user name and the password are enc