Security Management

This chapter briefly explains some approaches to security, including encrypting the password that is required to use JEUS server and manage accounts. The security information is shared by all servers in the domain and is configured using MASTER.

For detailed information about JEUS security, refer to JEUS Security Guide.

1. Managing the Account

JEUS has both user and group accounts.

In JEUS, roles are granted rights to the resources. These rights are granted to the user by assigning the user to the role.

There are three ways to assign a role to a user.

Assign the role to a user name
Assign the role to a group that the user belongs to
Assign the role to the parent group of the group the user belongs to

Since the account hierarchy consists of users, groups, and subgroups, users with similar roles in JEUS can be granted similar permissions at once. Refer to Configuring Security System Policies for detailed information about security policies.

2. Encrypting and Storing the Password

Passwords for system management can be encrypted and stored.

The encrypted information is stored in the following format.

{algorithm}password

The following encryption algorithms are available for use.

AES
DES
DESede
blowfish
SEED

The password can be encrypted and stored using the console tool (jeusadmin), or manually by using the encryption tool. This section describes each method.

2.1. Using the Console Tool

The following is an example of encrypting and storing the password "password' for the account "administrator" using the AES encryption algorithm through the console tool jeusadmin.

[MASTER]domain1.adminServer>set-password administrator password -algorithm AES
The password is set for [administrator].

[MASTER]domain1.adminServer>exit

JEUS_HOME/bin$ jeusadmin -u administrator -p password

Attempting to connect to 127.0.0.1:9736.
The connection has been established to JEUS Master Server [adminServer]
in the domain domain1.
JEUS 9 Administration Tool
To view help, use the 'help' command.

2.2. Using Encryption Tools

The password can be manually encrypted using an encryption tool. For example, the DB password and the passwords in accounts.xml can be encrypted instead of using plain text.

The encrypted text is configured in the following format anywhere a password is required.

{algorithm}password

Use the encryption tool provided by JEUS to encrypt the string. Enter the string to encrypt and the algorithm, and the tools will output the encrypted text.

For more information about the encryption tool, refer to encryption in JEUS Reference Guide.

Both base64 are hashing algorithms that always produce the same output for a given string. Other algorithms require a secret key. Refer to Managing the Secret Key File for detailed information about how to manage this secret key.

The following is an example of configuring an encrypted password in accounts.xml.

Using Encryption Tool - <accounts.xml>

<accounts xmlns="http://www.tmaxsoft.com/xml/ns/jeus">
    <users>
        <user>
            <name>administrator</name>
            <password>{base64}amV1czEyMw==</password>
        </user>
        <user>
            <name>user1</name>
            <password>{AES}i06wYRz3Gqun2sKtXHIq+Tw3vUcc=</password>
        </user>
        . . .
    </users>
    . . .
</accounts>

XML can be directly edited when a domain is first created, but afterward it is recommended to use the console tool, jeusadmin.

3. Managing the Secret Key File

This section describes how to create, manage, and protect the secret key file.

3.1. Creating and Managing the Secret Key File

The AES, DES, DESede, SEED, and BlowFish algorithms that are provided by the encryption tool in 'JEUS_HOME/bin' require a secret key to encrypt or decrypt. JEUS stores the secret key in a file. This file is automatically created when the encryption tool is used for the first time.

The file is named security.key and can be found in the following path.

JEUS_HOME/domains/<domain-name>/config/security

The path can be configured with the system property jeus.security.keypath which can be an absolute or relative path. For a relative path, the base path is the path to JVM. If the path points to a directory, the security.key file in that directory is used. If the path points to a file, that file is used.

3.2. Encrypting the Secret Key File

JEUS can encrypt the secret key file. A password called the master password is required to encrypt the secret key file. Use the -protectkey option with the encryption tool to protect the secret key file with this master password.

The master password is required to start a server.

There are two ways to enter the master password.

If a server is started by a background process, the master password can be set in the jeus.security.master system property.
If a server is started by JEUS script, the master password can be entered in the console tool.

Using a shell script to set the master password in jeus.security.master is not secure. It is recommended to directly enter the master password in the console tool.

For detailed information on server startup, refer to Script Mode Usage and Script Writing Method in JEUS Reference Guide.
Refer to encryption in JEUS Reference Guide for detailed information about secret keys.

4. Managing the Keystore and Truststore

This section briefly describes how to manage the keystore and truststore that are used in SSL communication.

Both keystore and truststore are a Java Key Store (JKS). They can be created and managed by using key tools provided by the JDK.

For detailed information about JSSE, JKS, and keytools, refer to the Java documentation. For detailed information about keystores, truststores, and SSL, refer to Oracle Java Technical Documentation.

By default, JEUS uses the following files as the keystore and truststore. To use an alternate path or file name, it must be configured manually.

Keystore

The repository where private keys are saved.

JEUS_HOME/domains/<domain-name>/config/security/keystore files

Truststore

The repository where public keys are saved.

JEUS_HOME/domains/<domain-name>/config/security/truststore files

The properties can be configured at the system level or separately wherever a keystore and truststore are needed.

The following describes each system property.

System Property	Description
jeus.ssl.keystore	Path to the keystore file. (Default value: JEUS_HOME/domains/<domain-name>/config/security/keystore)
jeus.ssl.truststore	Path to the truststore file. (Default value: JEUS_HOME/domains/<domain-name>/config/security/truststore)
jeus.ssl.keypass	Password for the keystore. (Default value: jeuskeypass)
jeus.ssl.trustpass	Password for the truststore. (Default value: jeustrustpass)

System Property

Description

jeus.ssl.keystore

Path to the keystore file.

(Default value: JEUS_HOME/domains/<domain-name>/config/security/keystore)

jeus.ssl.truststore

Path to the truststore file.

(Default value: JEUS_HOME/domains/<domain-name>/config/security/truststore)

jeus.ssl.keypass

Password for the keystore. (Default value: jeuskeypass)

jeus.ssl.trustpass

Password for the truststore. (Default value: jeustrustpass)

A password is required to use a keystore or truststore. As previously mentioned, the passwords for the keystore and truststore can be configured in JEUS. Similar to the file path setting, passwords can be configured at the system level or separately as needed.

A keystore requires a password for the keys in the keystore, and a password for the keystore itself. In general, the key password is same as the keystore password.

If the key password is different from the repository’s password, set the key password in <keystore-keypassword>. Also, in order to use the keystore all the keys in the keystore must use the same key password.

Although a keystore and truststore are created when JEUS is installed, it is recommended to create and configure them manually.

5. Managing Executable Scripts in a SSL-Enabled Domain

This section describes the configurations that must be added to various executable scripts when the Base Listener of each server is set to SSL in the domain.

When setting each server in the domain to SSL, the server’s SSL configuration is used for inter-server communication. However, additional SSL configuration is required for the processes that run on the client side such as the consol tool or executable scripts.

SSL settings are required for the following.

Subdirectory	Description
jeusadmin	Script to start the Console Admin.
startManagedServer	Script to directly start an MS.
stopServer	Script to stop the server.
Other Standalone Client	Standalone Client that is not a script, but must communicate with a server using SSL.

Subdirectory

Description

jeusadmin

Script to start the Console Admin.

startManagedServer

Script to directly start an MS.

stopServer

Script to stop the server.

Other Standalone Client

Standalone Client that is not a script, but must communicate with a server using SSL.

In the following example, the bolded texts are the configurations that must be added to the scripts.

jeusadmin script that specifies SSL-related client configurations

. . .
# execute jeusadmin
"${JAVA_HOME}/bin/java" -Xmx128m -classpath "${BOOTSTRAP_CLASSPATH}" ${TOOL_OPTION}
-Djmx.remote.x.request.timeout=600000
-Djeus.home="${JEUS_HOME}"
-Djeus.baseport=${JEUS_BASEPORT}
-Djeus.tool.console.useJLine="false"
-Djava.naming.factory.initial=jeus.jndi.JEUSContextFactory
-Djava.naming.factory.url.pkgs=jeus.jndi.jns.url
-Djava.util.logging.config.file="${JEUS_HOME}/bin/logging.properties"
-Djeus.net.client.use-ssl=true
-Djavax.net.ssl.trustStore=${JEUS_HOME}/domains/domain1/config/truststore
-Djavax.net.ssl.trustStorePassword=changeit
-Djavax.net.ssl.trustStoreType=JKS
-Dssl.TrustManagerFactory.algorithm=SunX509
-Djavax.net.ssl.keyStore=${JEUS_HOME}/domains/domain1/config/keystore
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.keyStoreType=JKS
-Dssl.KeyManagerFactory.algorithm=SunX509
-Djeus.security.keypath=${JEUS_HOME}/domains/domain1/config/security/security.key
${JAVA_ARGS}
jeus.tool.console.ConsoleBootstrapper ${BOOT_PARAMETER}

The bolded text is a separate file that contains the SSL-related client configurations.

jeusadmin script that specifies a separate file containing SSL-releated client configurations

. . .
# execute jeusadmin
"${JAVA_HOME}/bin/java" -Xmx128m -classpath "${BOOTSTRAP_CLASSPATH}" ${TOOL_OPTION}
-Djmx.remote.x.request.timeout=600000
-Djeus.home="${JEUS_HOME}"
-Djeus.baseport=${JEUS_BASEPORT}
-Djeus.tool.console.useJLine="false"
-Djava.naming.factory.initial=jeus.jndi.JEUSContextFactory
-Djava.naming.factory.url.pkgs=jeus.jndi.jns.url
-Djava.util.logging.config.file="${JEUS_HOME}/bin/logging.properties"
-Djeus.net.client.ssl-properties-file=ssl.properties
${JAVA_ARGS}
jeus.tool.console.ConsoleBootstrapper ${BOOT_PARAMETER}

The following is an example file that defines SSL-releated client configurations. Note that a relative path beginning with ${JEUS_HOME} cannot be used in a file.

SSL-related client configuration - <ssl.properties>

javax.net.ssl.keyStore=/Users/tmax/JEUS9/domains/domain1/config/keystore
javax.net.ssl.trustStore=/Users/tmax/JEUS9/domains/domain1/config/truststore
javax.net.ssl.keyStorePassword=jeus
javax.net.ssl.trustStorePassword={AES}i06wYRz3Gqun2sKtXHIq+Tw3vUcc=
jeus.ssl.keystorekeypass={base64}amV1czEyMw==
jeus.security.keypath=/Users/tmax/JEUS9/domains/domain1/config/security/security.key

The password property can be set to an encoded or encrypted character string in the same way that they are used in accounts.xml. Use the encryption tool provided by JEUS.

For more information about the encryption tool, refer to encryption in JEUS Reference Guide.