The following lists the ORB security properties that apply to the Borland Security Service for Java applications.
ORB Security Properties for Java
```
// JAAS Config file
Realm1 {
...
};
Realm2 {
...
};
```
Setting the vbroker.security.login.realms property to the value:

```
vbroker.security.login.realms=Realm1, Realm3, GSSUP#Realm4, Certificate#ALL
```

and setting vbroker.security.login to true or calling Context.login() will:

LoginModules configured for Realm1, Realm3 and Realm4 (note that since Realm3 is not defined in the JAAS configuration file, it is treated as GSSUP#Realm3),
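The resolution rule above, as an added example that is not VisiBroker code: a small Python helper reads the realm names out of a JAAS config, expands a vbroker.security.login.realms value the way the text describes, and flags bare names that silently fall back to GSSUP. The sample config, the placeholder module class and the "JAAS" label for a declared realm are this example's own assumptions.

```python
import re

# Constructed sample JAAS config in the shape of the Realm1/Realm2 file above;
# the login module class name is a placeholder, not a real VisiBroker module.
JAAS_CONFIG = """
Realm1 {
    com.example.PlaceholderLoginModule required;
};
Realm2 {
    com.example.PlaceholderLoginModule required;
};
"""

KNOWN_MECHANISMS = ("GSSUP", "Certificate")  # prefixes used in the text above


def jaas_realm_names(config_text):
    """Return the set of realm (application) names a JAAS config declares."""
    return set(re.findall(r"^\s*([\w.-]+)\s*\{", config_text, re.MULTILINE))


def resolve_login_realms(property_value, declared_realms):
    """Expand a vbroker.security.login.realms value into (mechanism, realm) pairs.

    Rules from the text above: 'Mechanism#Realm' keeps its explicit mechanism;
    a bare name declared in the JAAS config is used as-is ("JAAS" is only this
    example's label for that case); an undeclared bare name becomes GSSUP#name.
    """
    resolved = []
    for entry in (e.strip() for e in property_value.split(",")):
        if not entry:
            continue
        if "#" in entry:
            mechanism, realm = entry.split("#", 1)
            if mechanism not in KNOWN_MECHANISMS:
                raise ValueError("unknown mechanism prefix: %s" % mechanism)
            resolved.append((mechanism, realm))
        elif entry in declared_realms:
            resolved.append(("JAAS", entry))
        else:
            resolved.append(("GSSUP", entry))
    return resolved


def silently_downgraded(property_value, declared_realms):
    """Bare realm names that fell back to GSSUP because the JAAS config does not
    declare them: a misspelt realm lands here with no error, so check this list."""
    bare = (e.strip() for e in property_value.split(",") if "#" not in e)
    return [realm for realm in bare if realm and realm not in declared_realms]
```

Running silently_downgraded over a deployment's property value and JAAS file at startup turns a typo in a realm name from a silent mechanism change into a visible configuration error.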
| Property | Description | Default |
|---|---|---|
| `vbroker.security.vault` | Points to the vault. The vault is loaded by the security service irrespective of the value set for the vbroker.security.login property, because the vault contains more information than identities. | n/a |
| `vbroker.security.authentication.config` | Specifies the location (full path) of the JAAS config file to use for authentication. | n/a |
| `vbroker.security.login` | If set to true, logs in interactively to the list of realms specified by the vbroker.security.login.realms property. If set to false, does not log in; login is either not required or will be performed at run time through APIs. When the login() API (with no arguments) is called in code at run time, the API behaves in exactly the same way as the true case. | false |
| `vbroker.security.authentication.callbackHandler` | Specifies the callback handler JAAS login modules use to prompt for login information. You can specify one of the following or your own custom callback handler. For more information, go to http://www.java.sun.com/security/jaas/doc/api.html. | n/a |
| `vbroker.security.logLevel` | Controls the degree of logging. 0 means no logging and 8 means maximum logging. | 0 |
| `vbroker.security.secureTransport` | Controls whether the transport connection is encrypted. If set to true, transport messages are encrypted. If set to false, they are not encrypted. | true |
| `vbroker.security.alwaysSecure` | Client side property used together with the vbroker.security.secureTransport property. Controls the client side default Quality of Protection (QoP). If both are set to true, the transport QoP is set to SECURE_ONLY (the client accepts only secure transport). If either property is set to false, the client does not mandate security at the transport level. | false |
| `vbroker.security.disable` | If set to true, disables all security. If set to false, all security is enabled. | true |
| `vbroker.security.transport.protocol` | Selects the security transport protocol. Possible values are SSL, SSLv2, SSLv3, TLS, and TLSv1. For descriptions of these, go to http://www.java.sun.com/products/jsse/doc/guide/API_users_guide.html#SSC | TLSv1 |
| `vbroker.security.requireAuthentication` | Server side property. If set to true, authentication is required from the client. If set to false, authentication is not required. | false |
| `vbroker.security.enableAuthentication` | Server side property. If set to true, the server side supports client authentication. If set to false, the server side does not support client authentication. | false |
| `vbroker.security.authentication.retryCount` | Specifies the number of times (equal to or greater than 1) to retry if login fails. | 3 |
| `vbroker.security.login` | If set to true, at initialization time this property tries to log in (calls SecurityContext.login) using the system configuration specified in the JAAS config file (see vbroker.security.authentication.config). If set to false, no login is attempted. If set to a file name, the file is treated as a vault file and is used for logging in, and the following API is used: | false |
| `vbroker.security.authDomains` | Specifies a comma separated list of available security domains. Currently a security domain differentiates only authorization aspects. For example, `vbroker.security.authDomains=<dom1>,<dom2>…` Note: In addition to the authorization domain(s) you specify, the | n/a |
| `vbroker.security.domain.<domain-name>.defaultAccessRule` | Whether to grant or deny access to the domain by default in the absence of security roles for `<domain-name>`. | grant |
| `vbroker.security.domain.<domain-name>.rolemap_path` | Specifies the location (full path) of the RoleDB file that describes the roles used for authorization. This is scoped within the domain `<domain-name>`, which must be in the list of security domains. See vbroker.security.authDomains. For the | n/a |
| `vbroker.security.domain.<domain-name>.runas.<role-name>` | Use this property to set up a run-as alias if your beans and servlets use run-as code. You may also set this property to use-caller-identity to use the caller principal as the principal identity regardless of the run-as role. Run-as roles are set in the EJB deployment descriptor. | n/a |
| `vbroker.security.domain.<domain-name>.rolemap_enableRefresh` | If set to true, dynamic loading of the RoleDB file specified by the vbroker.security.domain.<domain-name>.rolemap_path property is enabled. If set to false, dynamic loading of the RoleDB file is disabled. For more information, see vbroker.security.authDomains. | false |
| `vbroker.security.domain.<domain-name>.rolemap_refreshTimeInSeconds` | Specifies the number of seconds (equal to or greater than 1) between each rolemap reload. For more information, see vbroker.security.domain.<domain-name>.rolemap_path and vbroker.security.authDomains. | 300 seconds (5 min) |
| `vbroker.security.peerAuthenticationMode` | Denotes the peer authentication mode. Same as in 4.x; however, due to JSSE restrictions, the request and request_and_trust modes cannot receive the peer certificate chain in 5.x. Possible values are: None (no authentication of the peer identity is performed); Require (requires an identity to be presented by the peer; if no identity is presented, the connection is closed); Require_and_trust (same as Require, with the additional condition that the identity must be trusted, or the connection is closed); Request (requests the peer identity, but still allows the connection if no identity is presented by the peer); Request_and_trust (same as Request, with the additional condition that if an identity is presented it must be trusted, or the connection is closed). | For server, require_and_trust. For client, |
| `vbroker.security.trustpointsRepository` | Specifies the location of a list of trusted certificates. The two options are a directory containing trusted certificates and CRLs, or a trusted keystore whose entries are TrustedCertificateEntry. Possible values are `Directory:<dir containing trusted certs>` or `KeyStore:<KeyStore file path>`. | n/a |
| `vbroker.security.defaultJSSETrust` | If set to true, the JSSE default trust files cacerts and jssecacerts, if present in the JRE, are used to load trusted certificates. For more information, go to http://java.sun.com/products/jsse/doc/guide/API_users_guide.html. | false |
| `vbroker.security.assertions.trust.<n>` | Specifies a list of trusted principals. Specify as `<Principal>@<Realm>`, where `<n>` is a sequential number such as 1, 2, and so on. For example: | n/a |
| `vbroker.security.assertions.trust.all` | To trust all principals, set to true. To trust only the list of principals specified with the vbroker.security.assertions.trust.<n> property, set to false. | false |
| `vbroker.security.server.requireUPIdentity` | Server side property. Set to true if the server requires a client to send a username/password for authentication (irrespective of certificate-based authentication). If no username/password is required, set to false. | false |
| `vbroker.security.cipherList` | Specifies the list of SSL ciphers to be enabled on startup. | n/a |
| `vbroker.security.controlAdminAccess` | To enable ServerManager operations on a secure server, set to true. To disable them, set to false. | false |
| `vbroker.security.serverManager.authDomain` | Points to a security domain listed in vbroker.security.authDomains, which is used for role-based access control checks on the ServerManager interface. Note: A rolemap must be specified for the domain. | n/a |
| `vbroker.security.serverManager.role.all` | Specifies the role name required for accessing all ServerManager operations. | n/a |
| `vbroker.security.serverManager.role.<method name>` | Specifies the role name required for accessing the specified ServerManager method. | n/a |
| `vbroker.se.iiop_tp.scm.ssl.listener.trustInClient` | Server side property. Set to true to have the server require certificates from the client. Note: These certificates must also be trusted by the server, so configure trust on the server side using the trust properties. For more information, see the vbroker.security.trustpointsRepository and vbroker.security.defaultJSSETrust properties. | false |
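As an added example that is not part of the Borland documentation or product, a Python audit that reads a server's properties file and checks it against the defaults and cross-property constraints in the table: security off under the documented default of disable=true, an unencrypted transport, a non-TLS protocol, a peer authentication mode that does not both require and trust the peer, trustInClient without a configured trust source, a domain with no rolemap under the default grant rule, and a ServerManager domain missing from authDomains. The sample properties, domain names and paths are constructed placeholders.

```python
# Constructed sample server properties for this audit; paths are placeholders.
SAMPLE_PROPERTIES = """
vbroker.security.disable=false
vbroker.security.secureTransport=true
vbroker.security.transport.protocol=SSLv3
vbroker.security.peerAuthenticationMode=request_and_trust
vbroker.se.iiop_tp.scm.ssl.listener.trustInClient=true
vbroker.security.authDomains=appdom
vbroker.security.domain.appdom.rolemap_path=/placeholder/appdom_rolemap
vbroker.security.serverManager.authDomain=admdom
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines; '#' and '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit_server_security(props):
    """Check server properties against the table; returns findings (empty = all checks pass)."""
    def get(key, default):  # defaults mirror the table's Default column
        return props.get(key, default).strip().lower()
    findings = []
    if get("vbroker.security.disable", "true") == "true":
        findings.append("disable: all security is off (documented default is true; set it to false explicitly)")
    if get("vbroker.security.secureTransport", "true") != "true":
        findings.append("secureTransport: transport messages are not encrypted")
    proto = get("vbroker.security.transport.protocol", "tlsv1")
    if proto in ("ssl", "sslv2", "sslv3"):
        findings.append("transport.protocol: %s selected; TLSv1 is the documented default" % proto)
    mode = get("vbroker.security.peerAuthenticationMode", "require_and_trust")
    if mode != "require_and_trust":
        findings.append("peerAuthenticationMode: %s does not both require and trust the peer identity" % mode)
    has_trust = "vbroker.security.trustpointsRepository" in props or get("vbroker.security.defaultJSSETrust", "false") == "true"
    if get("vbroker.se.iiop_tp.scm.ssl.listener.trustInClient", "false") == "true" and not has_trust:
        findings.append("trustInClient: client certificates required but no trust source is configured")
    domains = [d.strip() for d in props.get("vbroker.security.authDomains", "").split(",") if d.strip()]
    for dom in domains:
        prefix = "vbroker.security.domain.%s." % dom
        if prefix + "rolemap_path" not in props and get(prefix + "defaultAccessRule", "grant") == "grant":
            findings.append("domain %s: no rolemap and defaultAccessRule is grant, so access is granted by default" % dom)
    admin_dom = props.get("vbroker.security.serverManager.authDomain")
    if admin_dom and admin_dom not in domains:
        findings.append("serverManager.authDomain: %s is not listed in authDomains" % admin_dom)
    return findings
```

The sample above yields four findings; a file that sets disable=false, keeps TLSv1 and require_and_trust, pairs trustInClient with a trustpointsRepository, and gives every listed domain a rolemap yields none.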