Security Interoperability

The security interoperability requirements for EJB 2.0 and J2EE 1.3 are based on Conformance Level 0 of the Common Secure Interoperability version 2 (CSIv2) Specification from the OMG.

The goal of security interoperability for EJB is to support propagating security context information from one J2EE container to another during an invocation of a request for service. The target server needs the security context information to authenticate and authorize the request for the user. Another goal is to support standard security technologies that are part of almost every enterprise, including X.509 certificate-based public key mechanisms and Kerberos-based secret key mechanisms.

Security Interoperability Between Containers

When a J2EE container invokes an operation on an EJB container, the data must be protected and the proper authentication and authorization must be performed. EJB, Web, and client application containers are required to support both Secure Sockets Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.0 protocols. The following public cipher suites are required to be supported by containers:

  • TLS_RSA_WITH_RC4_128_MD5

  • SSL_RSA_WITH_RC4_128_MD5

  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

  • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

  • TLS_RSA_EXPORT_WITH_RC4_40_MD5

  • SSL_RSA_EXPORT_WITH_RC4_40_MD5

  • TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

  • SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

Because J2EE containers are already required to support SSL for secure HTTP protocol, SSL provides a safe route for security interoperability at the transport layer.
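An added example, not from the book: every suite in the list above relies on RC4, MD5, 3DES or export-grade keys, and SSL 3.0 and TLS 1.0 have since been deprecated, so a container kept for this kind of interoperability is worth auditing. This Java check flags any such suite or protocol still enabled by default in the running JVM; the class name and the marker table are this example's own, and suite names passed as arguments are classified instead of the JVM's.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class LegacySuiteAudit {
    // Name fragments that mark a suite as obsolete, with the reason reported.
    private static final Map<String, String> WEAK = new LinkedHashMap<>();
    static {
        WEAK.put("_EXPORT_", "export-grade 40-bit key");
        WEAK.put("_RC4_", "RC4 (prohibited in TLS by RFC 7465)");
        WEAK.put("_DES40_", "40-bit DES");
        WEAK.put("_3DES_", "3DES, 64-bit block cipher");
        WEAK.put("_MD5", "MD5-based MAC");
    }
    // JSSE names for SSL 3.0 and TLS 1.0, both deprecated (RFC 7568, RFC 8996).
    private static final List<String> OLD_PROTOCOLS = Arrays.asList("SSLv3", "TLSv1");

    // Returns every reason a suite name is considered legacy; empty if none.
    static List<String> reasons(String suite) {
        List<String> found = new ArrayList<>();
        for (Map.Entry<String, String> e : WEAK.entrySet()) {
            if (suite.contains(e.getKey())) found.add(e.getValue());
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        // What this JVM enables by default for new connections.
        SSLParameters p = SSLContext.getDefault().getDefaultSSLParameters();
        int findings = 0;
        for (String proto : p.getProtocols()) {
            if (OLD_PROTOCOLS.contains(proto)) {
                System.out.println("protocol " + proto + ": deprecated");
                findings++;
            }
        }
        // Suite names given on the command line replace the JVM's own list.
        String[] suites = args.length > 0 ? args : p.getCipherSuites();
        for (String suite : suites) {
            List<String> why = reasons(suite);
            if (!why.isEmpty()) {
                System.out.println("suite " + suite + ": " + String.join("; ", why));
                findings++;
            }
        }
        System.out.println(findings + " legacy item(s) found");
        System.exit(findings == 0 ? 0 : 1);
    }
}
```

The non-zero exit status on any finding lets the check gate a deployment script.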

Propagating Principal and Authorization Data Using IIOP

The EJB security interoperability requirements support propagating security-related information in the service context of the IIOP message. This feature might be necessary when, for example, the security principal needs to be propagated so that it can be authenticated by another container. Authentication can also take place at the transport layer using X.509 certificates.

In many cases, the principal is propagated to the container and extracted and used for authentication and authorization. J2EE containers are required to support the stateless mode of propagating principal and authentication information. The container can also support the stateful mode, as described in the CSIv2 specification, but it is not currently required to do so.

More information on the CSIv2 Specification can be found at the OMG Web site:

http://www.omg.org



Special Edition Using Enterprise JavaBeans 2.0
ISBN: 0789725673
EAN: 2147483647
Year: 2000
Pages: 223
