
Sun, May 25, 2007

Comparison of Security features in GlassFish and SJSAS 8.x EE

Security is essential, especially in the enterprise. In this blog we compare the security features of the Profiles in GlassFish (GF) v2 and also note which of those features are available in Sun Java System Application Server (SJSAS) 8.x Enterprise Edition. Note that the Enterprise Profile is not yet publicly available; it is expected to be in beta around July 2007. More information on Profiles in GlassFish v2 can be found

Comparison of Security with GF and SJSAS 8.x EE

Feature                          | GF v1              | GF v2 Development Profile | GF v2 Cluster Profile | GF v2 Enterprise Profile    | SJSAS 8.x EE
Support JSR 196                  | no                 | yes                       | yes                   | yes                         | no
KeyStore for SSL                 | JKS                | JKS                       | JKS                   | NSS                         | NSS
Key/certificate management tools | keytool            | keytool                   | keytool               | certutil, pk12util, modutil | certutil, pk12util, modutil
Java Security Manager            | off (default)      | off (default)             | on (default)          | on (default)                | on
Support JDBCRealm                | yes                | yes                       | yes                   | yes                         | no
Single Sign-On (SSO)             | disabled (default) | disabled (default)        | enabled (default)     | enabled (default)           | enabled (default)
Virtual server realms            | no                 | yes                       | yes                   | yes                         | no

With JDK 1.5 and NSS 3.11.4, the Enterprise Profile of GlassFish v2 and SJSAS 8.x EE (but not the GF v2 Cluster Profile) support the following:

  • management of PKCS#11 modules using modutil
  • explicit reference to keys held in PKCS#11 providers for HTTPS
    or IIOP/SSL listeners. (Note that with JDK 1.5 or later one can
    add PKCS#11 providers to a given JDK, but keys in those providers
    cannot be referenced by the current server; only the NSS-managed
    tokens can.)
  • Elliptic Curve cryptography for SSL and other crypto operations
    (requires the GlassFish v2 Enterprise Profile and JDK 1.6)

In SJSAS 8.2 EE and the coming GlassFish v2 Enterprise Profile,
there is support for using a private key held in the Solaris 10
Softtoken (the software PKCS#11 token of the Solaris Cryptographic
Framework). As an example, let us look at how to set up the
Solaris 10 Softtoken for the server.

  1. Initialize the Solaris 10 Softtoken PIN if you have not already done so.

    /bin/pktool setpin

  2. Register the Solaris 10 Softtoken with NSS. (-force suppresses
    modutil's interactive confirmation; -mechanisms RSA:DSA flags the
    token as the default provider for those mechanisms.)

    modutil -dbdir $SJSAS_HOME/domains/domain1/config -force -add "Solaris 10 Softtoken" -libfile /usr/lib/libpkcs11.so -mechanisms RSA:DSA

  3. Verify that the token is added properly and find out
    the corresponding token name.

    modutil -dbdir $SJSAS_HOME/domains/domain1/config -list

    A sample output is as follows:

    Using database directory ....
    Listing of PKCS #11 Modules
    1. NSS Internal PKCS #11 Module
    slots: 2 slots attached
    status: loaded
    slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services
    slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB
    2. Solaris 10 Softtoken
    library name: /usr/lib/libpkcs11.so
    slots: 1 slot attached
    status: loaded
    slot: Sun Crypto Softtoken
    token: Sun Software PKCS#11 softtoken

    In this case the token name is "Sun Software PKCS#11 softtoken";
    it is used in the subsequent commands.

  4. Create a private key and a self-signed certificate in the Solaris 10 Softtoken
    (-h selects the token, -v 120 is the validity in months).

    certutil -S -x -n mytestcert -t "u,u,u" -v 120 -s "cn=j2ee,ou=J2EE,o=Sun,L=Santa Clara,ST=California,C=US" -d $SJSAS_HOME/domains/domain1/config -h "Sun Software PKCS#11 softtoken"

    A sample output is as follows:

    Enter Password or Pin for "Sun Software PKCS#11 softtoken":
    A random seed must be generated that will be used in the
    creation of your key. One of the easiest ways to create a
    random seed is to use the timing of keystrokes on a keyboard.
    To begin, type keys on the keyboard until this progress meter is full.
    Continue typing until the progress meter is full:
    Finished. Press enter to continue:
    Generating key. This may take a few moments...

  5. Change the cert-nickname of your listeners (the cert-nickname
    attribute of the ssl element of each http-listener or
    iiop-listener) to the token-qualified form
    "Sun Software PKCS#11 softtoken:mytestcert".

  6. Restart the server. It will then prompt for the Solaris 10
    Softtoken PIN as follows:

    Please enter password for NSS slot Sun Software PKCS#11 softtoken>
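The procedure above depends on reading the right token name out of the modutil listing (step 3) and pasting it, token-qualified, into the listener (step 5). The following script is an added example, not code from the original post: it parses a constructed copy of the modutil -list output embedded inline (indentation approximated with spaces), returns the token name for a given module title, builds the "<token>:<nickname>" cert-nickname, and wraps steps 2 through 4 in a function that runs against a real NSS database when modutil and certutil are on the PATH. The module title, library path and subject DN are the ones used in the post; setup_softtoken is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the original post). Parses `modutil -list`
# output to find a PKCS#11 token name and builds the token-qualified
# cert-nickname that GlassFish/SJSAS listeners expect.

# Constructed sample of `modutil -dbdir ... -list` output, shaped like the
# listing shown in the post (the real tool indents with tabs).
SAMPLE_MODUTIL_LIST='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded

     slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services

     slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB

  2. Solaris 10 Softtoken
    library name: /usr/lib/libpkcs11.so
     slots: 1 slot attached
    status: loaded

     slot: Sun Crypto Softtoken
    token: Sun Software PKCS#11 softtoken
-----------------------------------------------------------'

# token_name MODULE_TITLE   (reads `modutil -list` text on stdin)
# Prints the first "token:" value under the numbered entry whose title is
# exactly MODULE_TITLE; prints nothing if that module is not loaded.
token_name() {
    awk -v want="$1" '
        /^[[:space:]]*[0-9]+\. / {           # module title, e.g. "  2. Solaris 10 Softtoken"
            sub(/^[[:space:]]*[0-9]+\. /, "")
            inmod = ($0 == want)
            next
        }
        inmod && /^[[:space:]]*token: / {   # first token line of the wanted module
            sub(/^[[:space:]]*token: /, "")
            print
            exit
        }'
}

# cert_nickname TOKEN NICK -> "TOKEN:NICK", the form to put in the listener
cert_nickname() {
    printf '%s:%s\n' "$1" "$2"
}

# setup_softtoken NSS_DB_DIR NICK   (hypothetical helper; needs modutil/certutil)
# Runs steps 2-4 of the post against a real NSS database and prints the
# cert-nickname to configure. Fails if the softtoken module does not load.
setup_softtoken() {
    dbdir=$1 nick=$2
    modutil -dbdir "$dbdir" -force -add "Solaris 10 Softtoken" \
        -libfile /usr/lib/libpkcs11.so -mechanisms RSA:DSA || return 1
    tok=$(modutil -dbdir "$dbdir" -list | token_name "Solaris 10 Softtoken")
    [ -n "$tok" ] || { echo "Solaris 10 Softtoken did not load" >&2; return 1; }
    certutil -S -x -n "$nick" -t "u,u,u" -v 120 \
        -s "cn=j2ee,ou=J2EE,o=Sun,L=Santa Clara,ST=California,C=US" \
        -d "$dbdir" -h "$tok" || return 1
    cert_nickname "$tok" "$nick"
}

# Offline demonstration on the constructed listing:
tok=$(printf '%s\n' "$SAMPLE_MODUTIL_LIST" | token_name "Solaris 10 Softtoken")
cert_nickname "$tok" mytestcert    # Sun Software PKCS#11 softtoken:mytestcert
```

Matching the module title exactly (rather than grepping for "token:") matters because the NSS internal module exposes two tokens of its own; picking the wrong one yields a cert-nickname the server cannot resolve at startup.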


Comments ( 1 )
  • legolas wood, Wednesday, May 30, 2007
    Thank you for reading my post.
    Do current builds of GlassFish v2 support NSS?
    Does it provide certutil out of the box?