
    Red Hat JBoss Enterprise Application Platform 7.1

    Security Architecture

    For Use with Red Hat JBoss Enterprise Application Platform 7.1

    Last Updated: 2018-10-11


    Legal Notice

    Copyright © 2018 Red Hat, Inc.

    The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/ . In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.

    Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

    Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

    Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.

    Java ® is a registered trademark of Oracle and/or its affiliates.

    XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

    MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and other countries.

    Node.js ® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.

    The OpenStack ® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

    All other trademarks are the property of their respective owners.

    Abstract

    This document focuses on the high-level concepts of security within JBoss EAP and on the components that exist to implement those concepts. It concentrates on what and why, and much less on how: the specifics of configuring a particular scenario are covered in other documents. After reading this document, readers should have a solid conceptual understanding of the security components within JBoss EAP, as well as of how those components fit together.


    Table of Contents

    CHAPTER 1. OVERVIEW OF GENERAL SECURITY CONCEPTS  5
        1.1. AUTHENTICATION  5
        1.2. AUTHORIZATION  5
        1.3. AUTHENTICATION AND AUTHORIZATION IN PRACTICE  5
        1.4. ENCRYPTION  5
        1.5. SSL/TLS AND CERTIFICATES  6
        1.6. SINGLE SIGN-ON  6
            1.6.1. Third-Party SSO Implementations  7
            1.6.2. Claims-Based Identity  8
        1.7. LDAP  9

    CHAPTER 2. HOW RED HAT JBOSS ENTERPRISE APPLICATION PLATFORM 7.1 HANDLES SECURITY OUT OF THE BOX  10
        2.1. CORE SERVICES, SUBSYSTEMS, AND PROFILES  10
        2.2. MANAGEMENT INTERFACES  10
        2.3. JMX  11
        2.4. ROLE-BASED ACCESS CONTROL  11
        2.5. DECLARATIVE SECURITY AND JAAS  13
        2.6. ELYTRON SUBSYSTEM  14
            2.6.1. Core Concepts and Components  15
                2.6.1.1. Capabilities and Requirements  15
                2.6.1.2. APIs, SPIs and Custom Implementations  16
                2.6.1.3. Security Domains  16
                2.6.1.4. Security Realms  16
                2.6.1.5. Role Decoders  16
                2.6.1.6. Role Mappers  16
                2.6.1.7. Permission Mappers  17
                2.6.1.8. Principal Transformers  17
                2.6.1.9. Principal Decoders  17
                2.6.1.10. Realm Mappers  17
                2.6.1.11. Authentication Factories  17
                2.6.1.12. KeyStores  17
                2.6.1.13. Key Managers  17
                2.6.1.14. Trust Managers  17
                2.6.1.15. SSL Context  17
                2.6.1.16. Secure Credential Store  18
            2.6.2. Elytron Authentication Process  18
                Pre-realm Mapping  18
                Realm Name Mapping  19
                Post-realm Mapping  20
                Final Principal Transformation  21
                Obtain the Realm Identity  22
            2.6.3. HTTP Authentication  22
            2.6.4. SASL Authentication  22
            2.6.5. Interaction between the Elytron Subsystem and Legacy Systems  23
            2.6.6. Resources in the Elytron Subsystem  23
                Factories  23
                Principal Transformers  24
                Principal Decoders  25
                Realm Mappers  25
                Realms  25


                Permission Mappers  27
                Role Decoders  27
                Role Mappers  27
                SSL Components  28
                Other  28
        2.7. CORE MANAGEMENT AUTHENTICATION  29
            2.7.1. Security Realms  29
            2.7.2. Default Security  30
                2.7.2.1. Local and Remote Client Authentication with the Native Interface  30
                2.7.2.2. Local and Remote Client Authentication with the HTTP Interface  31
            2.7.3. Advanced Security  32
                2.7.3.1. Updating the Management Interfaces  32
                2.7.3.2. Adding Outbound Connections  32
                2.7.3.3. Adding RBAC to the Management Interfaces  32
                2.7.3.4. Using LDAP with the Management Interfaces  34
                2.7.3.5. JAAS and the Management Interfaces  35
        2.8. SECURITY SUBSYSTEM  35
            2.8.1. Security Domains  35
                Comparison Between Elytron and PicketBox Security Domains  36
            2.8.2. Using Security Realms and Security Domains  36
            2.8.3. Security Auditing  36
            2.8.4. Security Mapping  37
            2.8.5. Password Vault System  37
            2.8.6. Security Domain Configuration  37
                2.8.6.1. Login Modules  37
                2.8.6.2. Password Stacking  39
                2.8.6.3. Password Hashing  40
            2.8.7. Security Management  40
                2.8.7.1. Deep Copy Mode  40
            2.8.8. Additional Components  40
                2.8.8.1. JASPI  41
                2.8.8.2. JACC  41
                2.8.8.3. About Fine-Grained Authorization and XACML  41
                2.8.8.4. SSO  42

    CHAPTER 3. ADDITIONAL USE CASES FOR SSO WITH RED HAT JBOSS ENTERPRISE APPLICATION PLATFORM  43
        3.1. BROWSER-BASED SSO USING SAML  43
            3.1.1. Identity Provider Initiated Flow  43
            3.1.2. Global Logout  44
        3.2. DESKTOP-BASED SSO  44
        3.3. SSO USING STS  44

    CHAPTER 4. ELYTRON SUBSYSTEM EXAMPLE SCENARIOS  46
        4.1. OUT OF THE BOX  46
            4.1.1. Security  47
            4.1.2. How It Works  48
        4.2. USING SSL/TLS TO SECURE THE MANAGEMENT INTERFACES AND APPLICATIONS  48
            4.2.1. Security  49
            4.2.2. How It Works  49
        4.3. SECURING THE MANAGEMENT INTERFACES AND APPLICATIONS WITH A NEW IDENTITY STORE  49
            4.3.1. Security  49
            4.3.2. How It Works  50


        4.4. USING RBAC TO SECURE THE MANAGEMENT INTERFACES
            4.4.1. Security
            4.4.2. How It Works
        4.5. USING KERBEROS TO PROVIDE SSO FOR WEB APPLICATIONS
            4.5.1. Security
            4.5.2. How It Works

    CHAPTER 5. LEGACY CORE MANAGEMENT AND SECURITY SUBSYSTEM EXAMPLE SCENARIOS
        5.1. RED HAT JBOSS ENTERPRISE APPLICATION PLATFORM OUT OF THE BOX
            5.1.1. Core Management Authentication out of the Box
                5.1.1.1. Security
                5.1.1.2. How It Works
            5.1.2. Security Subsystem out of the Box
                5.1.2.1. Security
                5.1.2.2. How It Works
        5.2. RED HAT JBOSS ENTERPRISE APPLICATION PLATFORM WITH HTTPS AND