blob: 28c7cbd53936b41aaf0169d3e296fbab4793efb7 [file] [log] [blame]
type=page
status=published
title=Administering Message Security
next=security-in-cluster-mode.html
prev=user-security.html
~~~~~~
= Administering Message Security
[[GSSCG00037]][[ablrk]]
[[administering-message-security]]
== 3 Administering Message Security
This chapter provides information and procedures on configuring the
message layer security for web services in the {productName} environment.
[NOTE]
====
Message security (JSR 196) is supported only in the Full Platform
Profile of {productName}, not in the Web Profile.
====
The following topics are addressed here:
* link:#ablrn[About Message Security in {productName}]
* link:#giood[Enabling Default Message Security Providers for Web Services]
* link:#giouf[Configuring Message Protection Policies]
* link:#giosl[Administering Non-default Message Security Providers]
* link:#gdhgg[Enabling Message Security for Application Clients]
* link:#gglrb[Additional Information About Message Security]
Some of the material in this chapter assumes a basic understanding of
security and web services concepts. For more information about security,
see link:system-security.html#ggktf[About System Security in {productName}].
Instructions for accomplishing the tasks in this chapter by using the
Administration Console are contained in the Administration Console online help.
[[ablrn]][[GSSCG00153]][[about-message-security-in-glassfish-server]]
=== About Message Security in {productName}
Message security enables a server to perform end-to-end authentication
of web service invocations and responses at the message layer. Security
information is inserted into messages so that it travels through the
networking layers and arrives with the intact message at the message
destination(s). Message security differs from transport layer security
in that message security can be used to decouple message protection from
message transport so that messages remain protected after transmission.
Web services deployed on {productName} are secured by binding SOAP
layer message security providers and message protection policies to the
containers in which the applications are deployed, or to web service
endpoints served by the applications. SOAP layer message security
functionality is configured in the client-side containers of {productName} by binding SOAP layer message security providers and message
protection policies to the client containers or to the portable service
references declared by client applications.
Message-level security can be configured for the entire {productName}
or for specific applications or methods. Configuring message security at
the application level is discussed in the
link:application-development-guide.html#GSDVG[
{productName} Application Development Guide].
The following topics are addressed here:
* link:#ablrs[Security Tokens and Security Mechanisms]
* link:#ablrx[Authentication Providers]
* link:#ablrw[Message Protection Policies]
* link:#ablrz[Application-Specific Web Services Security]
* link:#gioom[Message Security Administration]
* link:#ablsa[Sample Application for Web Services]
[[ablrs]][[GSSCG00218]][[security-tokens-and-security-mechanisms]]
==== Security Tokens and Security Mechanisms
WS-Security is a specification that provides a communications protocol
for applying security to web services. The security mechanisms implement
the specification. Web Services Interoperability Technologies (WSIT)
implements WS-Security so as to provide interoperable message content
integrity and confidentiality, even when messages pass through
intermediary nodes before reaching their destination endpoint.
WS-Security as provided by WSIT is in addition to existing
transport-level security, which can still be used.
The Simple Object Access Protocol (SOAP) layer message security
providers installed with {productName} can be used to employ
username/password and X.509 certificate security tokens to authenticate
and encrypt SOAP web services messages.
* Username Tokens. {productName} uses username tokens in SOAP
messages to authenticate the message sender. The recipient of a message
containing a username token (within embedded password) validates that
the message sender is authorized to act as the user (identified in the
token) by confirming that the sender knows the password of the user.
+
When using a username token, a valid user database must be configured on
{productName}.
* Digital Signatures. {productName} uses XML digital signatures to
bind an authentication identity to message content. Clients use digital
signatures to establish their caller identity. Digital signatures are
verified by the message receiver to authenticate the source of the
message content (which might be different from the sender of the
message.)
+
When using digital signatures, valid keystore and truststore files must
be configured on {productName}.
* Encryption. The purpose of encryption is to modify the data so that it
can only be understood by its intended audience. This is accomplished by
substituting an encrypted element for the original content. When based
on public key cryptography, encryption can be used to establish the
identity of the parties who are authorized to read a message.
+
When using encryption, a Java Cryptography Extension (JCE) provider that
supports encryption must be installed.
[[ablrx]][[GSSCG00219]][[authentication-providers]]
==== Authentication Providers
The authentication layer is the message layer on which authentication
processing must be performed. {productName} enforces web services
message security at the SOAP layer. The types of authentication that are
supported include the following:
* Sender authentication, including username-password authentication
* Content authentication, including XML digital signatures
{productName} invokes authentication providers to process SOAP
message layer security. The message security providers provide
information such as the type of authentication that is required for the
request and response messages. The following message security providers
are included with {productName}:
* Client-side Provider. A client-side provider establishes (by signature
or username/password) the source identity of request messages and/or
protects (by encryption) request messages such that they can only be
viewed by their intended recipients. A client-side provider also
establishes its container as an authorized recipient of a received
response (by successfully decrypting it) and validates passwords or
signatures in the response to authenticate the source identity
associated with the response. Client-side providers configured in
{productName} can be used to protect the request messages sent and
the response messages received by server-side components (servlets and
EJB components) acting as clients of other services.
+
The default client provider is used to identify the client—side provider
to be invoked for any application for which a specific client provider
has not been bound.
* Server-side Provider. A server-side provider establishes its container
as an authorized recipient of a received request (by successfully
decrypting it), and validates passwords or signatures in the request to
authenticate the source identity associated with the request. A
server-side provider also establishes (by signature or
username/password) the source identity of response messages and/or
protects (by encryption) response messages such that they can only be
viewed by their intended recipients. Server-side providers are only
invoked by server-side containers.
The default server provider is used to identify the server—side provider
to be invoked for any application for which a specific server provider
has not been bound.
[[ablrw]][[GSSCG00220]][[message-protection-policies]]
==== Message Protection Policies
A request policy defines the authentication policy requirements
associated with request processing performed by the authentication
provider. Policies are expressed in message sender order such that a
requirement that encryption occur after content would mean that the
message receiver would expect to decrypt the message before validating
the signature. The response policy defines the authentication policy
requirements associated with response processing performed by the
authentication provider.
Message protection policies are defined for request message processing
and response message processing. The policies are expressed in terms of
requirements for source and/or recipient authentication. The providers
apply specific message security mechanisms to cause the message
protection policies to be realized in the context of SOAP web services
messages.
* Source Authentication Policy. A source authentication policy
represents a requirement that the identity of the entity that sent a
message or that defined the content of a message be established in the
message such that it can be authenticated by the message receiver.
* Recipient Authentication Policy. A recipient authentication policy
represents a requirement that the message be sent such that the identity
of the entities that can receive the message can be established by the
message sender.
Request and response message protection policies are defined when a
security provider is configured into a container. Application-specific
message protection policies (at the granularity of the web service port
or operation) can also be configured within the {productName}
deployment descriptors of the application or application client. In any
situation where message protection policies are defined, the request and
response message protection policies of the client must be equivalent t)
the request and response message protection policies of the server. For
more information about defining application-specific message protection
policies, see "link:application-development-guide/securing-apps.html#GSDVG00006[Securing Applications]" in {productName} Application Development Guide.
[[ablrz]][[GSSCG00221]][[application-specific-web-services-security]]
==== Application-Specific Web Services Security
Application-specific web services security functionality is configured
(at application assembly) by defining the `message-security-binding`
elements in the {productName} deployment descriptors of the
application. These `message-security-binding` elements are used to
associate a specific security provider or message protection policy with
a web service endpoint or service reference, and might be qualified so
that they apply to a specific port or method of the corresponding
endpoint or referenced service.
For information about defining application-specific message protection
policies, see "link:application-development-guide/securing-apps.html#GSDVG00006[Securing Applications]" in {productName} Application Development Guide.
[[gioom]][[GSSCG00222]][[message-security-administration]]
==== Message Security Administration
When {productName} is installed, SOAP layer message security
providers are configured in the client and server-side containers of
{productName}, where they are available for binding for use by the
containers, or by individual applications or clients deployed in the
containers. During installation, the default providers are configured
with a simple message protection policy that, if bound to a container,
or to an application or client in a container, would cause the source of
the content in all request and response messages to be authenticated by
XML digital signature.
{productName} administrative interfaces can be used as follows:
* To modify the message protection policies enforced by the providers
* To bind the existing providers for use by the server-side containers
of {productName}
* To create new security provider configurations with alternative
message protection policies
Analogous administrative operations can be performed on the SOAP message
layer security configuration of the application client container. If you
want web services security to protect all web services applications
deployed on {productName}. See link:#gdhgg[Enabling Message Security
for Application Clients].
By default, message layer security is disabled on {productName}. To
configure message layer security for the {productName} see
link:#giood[Enabling Default Message Security Providers for Web
Services].
In most cases, you must restart {productName} after performing
administrative tasks. This is especially true if you want the effects of
the administrative change to be applied to applications that were
already deployed on {productName} at the time the operation was
performed.
[[giose]][[GSSCG00199]][[message-security-tasks]]
===== Message Security Tasks
The general implementation tasks for message security include some or
all of the following:
1. If you are using a version of the Java SDK prior to version 1.5.0,
and using encryption technology, configuring a JCE provider
2. If you are using a username token, verifying that a user database is
configured for an appropriate realm
+
When using a username/password token, an appropriate realm must be
configured and a user database must be configured for the realm.
3. Managing certificates and private keys, if necessary
4. Enabling the {productName} default providers
5. Configuring new message security providers
[[ablro]][[GSSCG00200]][[message-security-roles]]
===== Message Security Roles
In {productName}, the administrator and the application deployer are
expected to take primary responsibility for configuring message
security. In some situations, the application developer might also
contribute.
[[ablrp]][[GSSCG00057]][[system-administrator]]
System Administrator
The system administrator is responsible for the following message
security tasks:
* Administering server security settings and certificate databases
* Administering keystore and truststore files
* Configuring message security providers on {productName}
* Turning on message security
* (If needed) Installing the samples server
[[ablrq]][[GSSCG00058]][[application-deployer]]
Application Deployer
The application deployer is responsible for the following message
security tasks:
* Specifying (at application reassembly) any required
application-specific message protection policies if such policies have
not already been specified by the developer/assembler.
* Modifying {productName} deployment descriptors to specify
application-specific message protection policies information
(message-security-binding elements) to web service endpoint and service references.
[[ablrr]][[GSSCG00059]][[application-developerassembler]]
Application Developer/Assembler
The application developer/assembler is responsible for the following
message security tasks:
* Determining if an application-specific message protection policy is
required by the application
+
If so, the developer ensures that the required policy is specified at
application assembly time.
* Specifying how web services should be set up for message security
+
Message security can be set up by the administrator so that all web
services are secured, or by the application deployer when the security
provider or protection policy bound to the application must be different
from that bound to the container.
* Turning on message security if authorized to do so by the administrator
[[ablsa]][[GSSCG00223]][[sample-application-for-web-services]]
==== Sample Application for Web Services
{productName} includes a sample application named `xms`. The `xms`
application features a simple web service that is implemented by both a
Jakarta EE EJB endpoint and a Java servlet endpoint. Both endpoints share
the same service endpoint interface. The service endpoint interface
defines a single operation, `sayHello`, which takes a string argument,
and returns a `String` composed by pre-pending `Hello` to the invocation argument.
The `xms` sample application is provided to demonstrate the use of
{productName} WS-Security functionality to secure an existing web
services application. The instructions which accompany the sample
describe how to enable the WS-Security functionality of {productName}
such that it is used to secure the `xms` application. The sample also
demonstrates the binding of WS-Security functionality directly to the
application as described in link:#ablrz[Application-Specific Web
Services Security] application.
For information about compiling, packaging, and running the `xms` sample
application, "link:application-development-guide/securing-apps.html#GSDVG00006[
Securing Applications]" in
{productName} Application Development Guide.
The `xms` sample application is installed in the following directory:
as-install``/samples/webservices/security/ejb/apps/xms/``
[[giood]][[GSSCG00154]][[enabling-default-message-security-providers-for-web-services]]
=== Enabling Default Message Security Providers for Web Services
By default, message security is disabled on {productName}. Default
message security providers have been created, but are not active until
you enable them. After the providers have been enabled, message security
is enabled.
The following topics are addressed here:
* link:#giork[To Enable a Default Server Provider]
* link:#giort[To Enable a Default Client Provider]
[[giork]][[GSSCG00123]][[to-enable-a-default-server-provider]]
==== To Enable a Default Server Provider
To enable message security for web services endpoints deployed in
{productName}, you must specify a security provider to be used by
default on the server side. If you enable a default provider for message
security, you also need to enable providers to be used by clients of the
web services deployed in {productName}.
1. Specify the default server provider by using the
link:reference-manual/set.html#GSRFM00226[`set`] subcommand.
+
Use the following syntax:
+
[source]
----
asadmin set --port admin-port
server-config.security-service.message-security-config.SOAP.
default_provider=ServerProvider
----
2. To apply your changes to applications that are already running,
restart {productName}.
+
See "link:administration-guide/domains.html#GSADG00337[To Restart a Domain]" in {productName} Administration Guide.
[[giort]][[GSSCG00124]][[to-enable-a-default-client-provider]]
==== To Enable a Default Client Provider
To enable message security for web service invocations originating from
deployed endpoints, you must specify a default client provider. If you
enabled a default client provider for {productName}, you must ensure
that any services invoked from endpoints deployed in {productName}
are compatibly configured for message layer security.
1. Specify the default client provider by using the
link:reference-manual/set.html#GSRFM00226[`set`] subcommand.
+
Use the following syntax:
+
[source]
----
asadmin set --port admin-port
server-config.security-service.message-security-config.SOAP.
default_client_provider=ClientProvider
----
2. To apply your changes to applications that are already running,
restart {productName}.
+
See "link:administration-guide/domains.html#GSADG00337[To Restart a Domain]" in {productName} Administration Guide.
[[giouf]][[GSSCG00155]][[configuring-message-protection-policies]]
=== Configuring Message Protection Policies
Message protection policies are defined for request message processing
and response message processing. The policies are expressed in terms of
requirements for source and/or recipient authentication. The providers
apply specific message security mechanisms to cause the message
protection policies to be realized in the context of SOAP web services
messages.
The following topics are addressed here:
* link:#giraj[Message Protection Policy Mapping]
* link:#gioqu[To Configure the Message Protection Policies for a
Provider]
* link:#ablsl[Setting the Request and Response Policy for the
Application Client Configuration]
[[giraj]][[GSSCG00224]][[message-protection-policy-mapping]]
==== Message Protection Policy Mapping
The following table shows message protection policy configurations and
the resulting message security operations performed by the WS-Security
SOAP message security providers for that configuration.
[[sthref30]][[fxjcu]]
Table 3-1 Message Protection Policy Mapping to WS-Security SOAP Operations
[width="100%",cols="34%,66%",options="header",]
|===
|Message Protection Policy |Resulting WS-Security SOAP Message Protection Operations
|auth-source="sender"
|The message contains a `wsse:Security` header that contains
a `wsse:UsernameToken` (with password).
|auth-source="content"
|The content of the SOAP message Body is signed.
The message contains a `wsse:Security` header that contains the message
Body signature represented as a `ds`:`Signature`.
a|auth-source="sender" +
auth-recipient="before-content" +
OR +
auth-recipient="after-content"
|The content of the SOAP message Body is encrypted and replaced with
the resulting `xend:EncryptedData`. The message contains
`a wsse:Security` header that contains a
`wsse:UsernameToken (with password)` and an `xenc:EncryptedKey`. The
`xenc:EncryptedKey` contains the key used to encrypt the SOAP message
body. The key is encrypted in the public key of the recipient.
a|auth-source="content" +
auth-recipient="before-content"
|The content of the SOAP message Body is encrypted and replaced with
the resulting `xend:EncryptedData`. The `xenc:EncryptedData` is signed.
The message contains `a wsse:Security` header that contains an
`xenc:EncryptedKey` and a `ds`:`Signature`. The `xenc:EncryptedKey`
contains the key used to encrypt the SOAP message body. The key is
encrypted in the public key of the recipient.
a|
auth-source="content" +
auth-recipient="after-content"
|The content of the SOAP message Body is signed, then encrypted, and
then replaced with the resulting `xend:EncryptedData`. The message
contains a `wsse:Security` header that contains an `xenc:EncryptedKey`
and a `ds:Signature`. The `xenc:EncryptedKey` contains the key used to
encrypt the SOAP message body. The key is encrypted in the public key of
the recipient.
a|auth-recipient="before-content" +
OR +
auth-recipient="after-content"
|The content of the SOAP message Body is encrypted and replaced with
the resulting `xend:EncryptedData`. The message contains
`a wsse:Security` header that contains an `xenc:EncryptedKey`.
The `xenc:EncryptedKey` contains the key used to encrypt the SOAP message
body. The key is encrypted in the public key of the recipient.
|No policy specified. |No security operations are performed by the modules.
|===
[[gioqu]][[GSSCG00125]][[to-configure-the-message-protection-policies-for-a-provider]]
==== To Configure the Message Protection Policies for a Provider
Typically, you would not reconfigure a provider. However, if needed for
your situation, you can modify a provider's message protection policies
by changing provider type, implementation class, and provider-specific
configuration properties. To understand the results of different
combinations, see link:#fxjcu[Table 3-1].
Use the link:reference-manual/set.html#GSRFM00226[`set`] subcommand to set the response policy,
then replace the word `request` in the following commands with the word
`response`.
1. Add a request policy to the client and set the authentication source
by using the link:reference-manual/set.html#GSRFM00226[`set`] subcommand.
+
For example:
+
[source]
----
asadmin> set server-config.security-service.message-security-config.SOAP.
provider-config.ClientProvider.request-policy.auth_source=[sender | content]
----
2. Add a request policy to the server and set the authentication source
by using the `set` subcommand.
+
For example:
+
[source]
----
asadmin> set server-config.security-service.message-security-config.SOAP.
provider-config.ServerProvider.request-policy.auth_source=[sender | content]
----
3. Add a request policy to the client and set the authentication
recipient by using the `set` subcommand:
+
For example:
+
[source]
----
asadmin> set server-config.security-service.message-security-config.SOAP.
provider-config.ClientProvider.request-policy.auth_recipient=[before-content | after-content]
----
4. Add a request policy to the server and set the authentication
recipient by using the `set` subcommand:
+
For example:
+
[source]
----
asadmin> set server-config.security-service.message-security-config.SOAP.
provider-config.ServerProvider.request-policy.auth_recipient=[before-content | after-content]
----
[[ablsl]][[GSSCG00225]][[setting-the-request-and-response-policy-for-the-application-client-configuration]]
==== Setting the Request and Response Policy for the Application Client Configuration
The request and response policies define the authentication policy
requirements associated with request and response processing performed
by the authentication provider. Policies are expressed in message sender
order such that a requirement that encryption occur after content would
mean that the message receiver would expect to decrypt the message
before validating the signature.
To achieve message security, the request and response policies must be
enabled on both the server and client. When configuring the policies on
the client and server, make sure that the client policy matches the
server policy for request/response protection at application-level
message binding.
To set the request policy for the application client configuration,
modify the {productName}-specific configuration for the application
client container as described in link:#gdhgg[Enabling Message Security
for Application Clients].
[[GSSCG00088]][[gipxo]]
Example 3-1 Message Security Policy Setting for Application Clients
In the application client configuration file, the `request-policy` and
`response-policy` elements are used to set the request policy, as shown
in the following code snippet. (Additional code in the snippet is
provided as illustration and might differ slightly in your installation.
Do not change the additional code.)
[source,xml]
----
<client-container>
<target-server name="your-host" address="your-host"
port="your-port"/>
<log-service file="" level="WARNING"/>
<message-security-config auth-layer="SOAP"
default-client-provider="ClientProvider">
<provider-config
class-name="com.sun.enterprise.security.jauth.ClientAuthModule"
provider-id="clientprovider" provider-type="client">
<request-policy auth-source="sender | content"
auth-recipient="after-content | before-content"/>
<response-policy auth-source="sender | content"
auth-recipient="after-content | before-content"/>
<property name="security.config"
value="as-install/lib/appclient/wss-client-config.xml"/>
</provider-config>
</message-security-config>
</client-container>
----
Valid values for `auth-source` include `sender` and `content`. Valid
values for `auth-recipient` include `before-content` and
`after-content`. A table describing the results of various combinations
of these values can be found in link:#giouf[Configuring Message
Protection Policies].
To not specify a request or response policy, leave the element blank,
for example:
[source,xml]
----
<response-policy/>
----
[[giosl]][[GSSCG00156]][[administering-non-default-message-security-providers]]
=== Administering Non-default Message Security Providers
The following topics are addressed here:
* link:#giory[To Create a Message Security Provider]
* link:#giotv[To List Message Security Providers]
* link:#giwkd[To Update a Message Security Provider]
* link:#giorr[To Delete a Message Security Provider]
* link:#gkxru[To Configure a Servlet Layer Server Authentication Module
(SAM)]
[[giory]][[GSSCG00126]][[to-create-a-message-security-provider]]
==== To Create a Message Security Provider
Use the `create-message-security-provider` subcommand in remote mode to
create a new message provider for the security service. If the message
layer does not exist, the message layer is created, and the provider is
created under it.
1. Ensure that the server is running. Remote subcommands require a running server.
2. Create the message security provider by using the
link:reference-manual/create-message-security-provider.html#GSRFM00045[`create-message-security-provider`] subcommand.
+
Information about properties for this subcommand is included in the help
page.
3. If needed, restart the server.
+
Some properties require server restart. See
"link:administration-guide/overview.html#GSADG00628[Configuration Changes That Require Restart]" in
{productName} Administration Guide. If your
server needs to be restarted, see "link:administration-guide/domains.html#GSADG00337[To Restart a
Domain]" in {productName} Administration Guide.
[[GSSCG00089]][[giosd]]
Example 3-2 Creating a Message Security Provider
This example creates the new message security provider
`mySecurityProvider`.
[source]
----
asadmin> create-message-security-provider
--classname com.sun.enterprise.security.jauth.ClientAuthModule
--providertype client mySecurityProvider
Command create-message-security-provider executed successfully.
----
[[sthref31]]
See Also
You can also view the full syntax and options of the subcommand by
typing `asadmin help create-message-security-provider` at the command
line.
[[giotv]][[GSSCG00127]][[to-list-message-security-providers]]
==== To List Message Security Providers
Use the `list-message-security-providers` subcommand in remote mode to
list the message providers for the security layer.
1. Ensure that the server is running. Remote subcommands require a running server.
2. List the message security providers by using the
link:reference-manual/list-message-security-providers.html#GSRFM00184[`list-message-security-providers`] subcommand.
[[GSSCG00090]][[gioui]]
Example 3-3 Listing Message Security Providers
This example lists the message security providers for a message layer.
[source]
----
asadmin> list-message-security-providers --layer SOAP
XWS_ClientProvider
ClientProvider
XWS_ServerProvider
ServerProvider
Command list-message-security-providers executed successfully.
----
[[sthref32]]
See Also
You can also view the full syntax and options of the subcommand by
typing `asadmin help list-message-security-providers` at the command
line.
[[giwkd]][[GSSCG00128]][[to-update-a-message-security-provider]]
==== To Update a Message Security Provider
1. Ensure that the server is running. Remote subcommands require a running server.
2. List the message security providers by using the
link:reference-manual/list-message-security-providers.html#GSRFM00184[`list-message-security-providers`] subcommand.
3. Modify the values for the specified message security provider by
using the link:reference-manual/set.html#GSRFM00226[`set`] subcommand.
+
The message security provider is identified by its dotted name.
[[giorr]][[GSSCG00129]][[to-delete-a-message-security-provider]]
==== To Delete a Message Security Provider
Use the `delete-message-security-provider` subcommand in remote mode to
remove a message security provider.
1. Ensure that the server is running. Remote subcommands require a running server.
2. List the message security providers by using the
link:reference-manual/list-message-security-providers.html#GSRFM00184[`list-message-security-providers`] subcommand.
3. Delete the message security provider by using the
link:reference-manual/delete-message-security-provider.html#GSRFM00097[`delete-message-security-provider`] subcommand.
[[GSSCG00091]][[gioug]]
Example 3-4 Deleting a Message Security Provider
This example deletes the `myServerityProvider` message security
provider.
[source]
----
asadmin> delete-message-security-provider --layer SOAP myServerityProvider
Command delete-message-security-provider executed successfully.
----
[[sthref33]]
See Also
You can also view the full syntax and options of the subcommand by
typing `asadmin help delete-message-security-provider` at the command
line.
[[gkxru]][[GSSCG00130]][[to-configure-a-servlet-layer-server-authentication-module-sam]]
==== To Configure a Servlet Layer Server Authentication Module (SAM)
You configure a JSR 196 Server Authentication Module (SAM) as an
HttpServlet-layer message security provider, either through the
Administration Console or with the `create-message-security-provider`
subcommand.
1. Ensure that the server is running. Remote subcommands require a running server.
2. Create the message security provider by using the
link:reference-manual/create-message-security-provider.html#GSRFM00045[`create-message-security-provider`] subcommand.
+
Information about properties for this subcommand is included in the help page.
3. Bind the message security provider for use with your application.
+
You do this by defining the `httpservlet-security-provider` attribute in
the `glassfish-web.xml` file corresponding to your application. Set the
value of the attribute to the provider name you assigned to the message
security provider. For example, if you use MySAM when you create the
message security provider the entry would be
httpservlet-security-provider="MySAM".
4. If needed, restart the server.
+
Some properties require server restart. See
"link:administration-guide/overview.html#GSADG00628[Configuration Changes That Require Restart]" in
{productName} Administration Guide. If your
server needs to be restarted, see "link:administration-guide/domains.html#GSADG00337[To Restart a
Domain]" in {productName} Administration Guide.
[[GSSCG00092]][[gkxqz]]
Example 3-5 Creating a Message Security Provider
This example creates the new message security provider `mySAM`.
[source]
----
asadmin> create-message-security-provider --layer=HttpServlet
--classname com.sun.glassfish.oamsam.OAMAuthenticatorSAM
--providertype server
--property oam.resource.hostid.variation="your-host-system.com" mySAM
Creation of message security provider named mySAM completed successfully
Command create-message-security-provider executed successfully.
----
The subcommand results in the following `domain.xml` entry:
[source,xml]
----
<message-security-config auth-layer="HttpServlet">
<provider-config provider-type="server" provider-id="mysam"
class-name="com.sun.glassfish.oamsam.OAMAuthenticatorSAM">
<property name="oam.resource.hostid.variation" value="your-host-system.com"></property>
<request-policy></request-policy>
<response-policy></response-policy>
</provider-config>
</message-security-config>
----
To list the HttpServlet message security providers, use the
`list-message-security-providers` subcommand:
[source]
----
asadmin> list-message-security-providers --layer HttpServlet
list-message-security-providers successful
GFConsoleAuthModule
mySAM
Command list-message-security-providers executed successfully.
----
[[sthref34]]
See Also
You can also view the full syntax and options of the subcommand by
typing `asadmin help create-message-security-provider` at the command line.
[[gdhgg]][[GSSCG00157]][[enabling-message-security-for-application-clients]]
=== Enabling Message Security for Application Clients
The message protection policies of client providers must be configured
such that they are equivalent to the message protection policies of the
server-side providers they will be interacting with. This is already the
situation for the providers configured (but not enabled) when {productName} is installed.
To enable message security for client applications, modify the {productName} specific configuration for the application client container. The
process is analogous to the process in link:#giouf[Configuring Message
Protection Policies].
[[gglrb]][[GSSCG00158]][[additional-information-about-message-security]]
=== Additional Information About Message Security
For additional information about message security, see the following documentation:
* https://eclipse-ee4j.github.io/jakartaee-tutorial/#security-2[
Introduction to Security in the Jakarta EE Platform] in The Jakarta EE Tutorial
* "link:application-development-guide/securing-apps.html#GSDVG00006[Securing Applications]"
in {productName} Application Development Guide