Security Configuration


The Security menu contains selections for adding console users (through the console security realm), for configuring security realms in general (realms are usable by both Geronimo and applications running on Geronimo), and for configuring the keystore (which stores and maintains the security certificates used for SSL operations).

Configuration of Console Realm

The console realm maintains group, user, and password information for users of the Web console application.

Security Realm Configuration

The security subsystem in Geronimo is built around the concepts of Login Modules and Security Realms. Chapter 15 has a lot more information on these concepts. For now, think of a security realm as a database of group, user, and password information that applications and/or the server itself consult during the user authentication process.

When you select Security → Security Realm, you can use the Security Realms portlet to edit an existing security realm or create a new one. Figure 8-18 shows the Security Realms portlet in action.

Figure 8-18: Creating a new security realm with the Security Realms Portlet

Figure 8-18 shows the first screen after clicking Add a New Security Realm. A security realm can be of different types, depending on where it stores and retrieves authentication information. The types supported by Geronimo include:

  • Certificate properties file

  • Database realm (uses a relational database to store and retrieve authentication information)

  • LDAP realm (uses an LDAP interface, typically to a directory service, for authentication information)

  • Properties file realm (uses a properties file to maintain authentication information; the default realm is of this type)

  • Other custom implementation realm type (developers may take advantage of this for specialized applications)
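
The following is an added example, not code from the book or from Geronimo: a small audit of a properties file realm, the default type listed above. It assumes a users file of user=password lines and a groups file of group=member1,member2 lines; the sample data, the group name admin, and the 12-character threshold are constructed for illustration.

```python
# Added example: audit a properties-file realm. File layout is an assumption:
# users file holds "user=password", groups file holds "group=user1,user2".

USERS_PROPERTIES = """\
# constructed sample data, not from a real server
admin1=admin1
alice=S7r0ng-passphrase-2024
bob=secret
"""

GROUPS_PROPERTIES = """\
# constructed sample data
admin=admin1,alice,carol
monitor=bob
"""

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # or ! comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip()] = value.strip()
    return entries

def audit_realm(users_text, groups_text, admin_group="admin", min_len=12):
    """Return (findings, admins): weak entries and who holds the admin group."""
    users = parse_properties(users_text)
    groups = {g: [u.strip() for u in m.split(",") if u.strip()]
              for g, m in parse_properties(groups_text).items()}
    findings = []
    for user, password in sorted(users.items()):
        if password.lower() == user.lower():
            findings.append((user, "password equals user name"))
        elif len(password) < min_len:
            findings.append((user, "password shorter than %d characters" % min_len))
    for group, members in sorted(groups.items()):
        for member in members:
            if member not in users:  # stale membership left after a user was removed
                findings.append((member, "listed in group '%s' but has no user entry" % group))
    admins = sorted(u for u in groups.get(admin_group, []) if u in users)
    return findings, admins

if __name__ == "__main__":
    findings, admins = audit_realm(USERS_PROPERTIES, GROUPS_PROPERTIES)
    print("members of admin group:", admins)
    for who, issue in findings:
        print("%-8s %s" % (who, issue))
```

Because a realm of this type keeps credentials in plain files, the same review should also cover the file permissions on the server.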

Chapter 15 features a detailed discussion of the relationship between security realms and login domains, and shows how to use the Security Realms portlet to add new realms or modify existing ones.

Keystore Configuration

Geronimo can use an HTTPS listener to receive requests over an encrypted connection. The secured HTTP implementation is based on public key encryption and requires the server to maintain a certificate issued by (usually purchased from) a trusted third-party certificate authority (CA), along with the server’s own private key.

The Security → Keystore Configuration menu selection enables you to create a keystore to store your own private key and your certificates. Figure 8-19 shows the portlet.

Figure 8-19: Using the Keystore Configuration portlet

In Figure 8-19, there are two keystores, the default keystore and a newly created one called newkeystore.




Professional Apache Geronimo
Professional Apache Geronimo (Wrox Professional Guides)
ISBN: 0471785431
EAN: 2147483647
Year: 2004
Pages: 148
