Chapter 7. Securing Your System

7.1. Securing Your JBoss Enterprise SOA Platform Installation

Introduction

The JBoss Enterprise SOA Platform can be made secure, in the sense that you can configure the product so that services will only be executed if caller authentication succeeds and said caller possesses the correct permissions. The default security implementation is based on JAAS.

There are two ways in which to invoke a service:
  1. through a gateway
  2. directly via the ServiceInvoker.
When you use a gateway, the gateway is responsible for obtaining the security information needed to authenticate the caller. It extracts that information from the transport, builds an authentication request, encrypts it and passes it to the Enterprise Service Bus.
If you use the ServiceInvoker instead, the client application is responsible for making the authentication request before it invokes the service. For SOAP callers this means extracting either the UsernameToken or the BinarySecurityToken from the security element of the SOAP header and building the request from it.

7.2. Java Authentication and Authorization Service (JAAS)

The JAAS 1.0 API consists of a set of Java packages designed for user authentication and authorization. The API implements a Java version of the standard Pluggable Authentication Modules (PAM) framework and extends the Java 2 Platform access control architecture to support user-based authorization.
JAAS was first released as an optional extension package for JDK 1.3 and has been part of the core platform since J2SE 1.4; it is therefore bundled with JDK 1.6.

7.3. JaasSecurityService

JaasSecurityService is the default SecurityService implementation in the JBoss Enterprise SOA Platform. It delegates authentication to the JAAS login modules configured in login-config.xml.

7.4. Secure Your System

Procedure 7.1. Task

  1. Open the global configuration file in a text editor (vi SOA_ROOT/jboss-as/server/PROFILE/deployers/esb.deployer/jbossesb-properties.xml) and scroll down to the section that contains properties name="security". Edit the settings to suit your system. The keystore path, passwords and alias shown below are placeholders and must be replaced with your own values:
    <properties name="security"> 
    <property name="org.jboss.soa.esb.services.security.implementationClass"
    value="org.jboss.internal.soa.esb.services.security.JaasSecurityService"/>
    
    <property name="org.jboss.soa.esb.services.security.callbackHandler" 
    value= 
    "org.jboss.internal.soa.esb.services.security.UserPassCallbackHandler"/>
            
    <property name="org.jboss.soa.esb.services.security.sealAlgorithm" 
    value="TripleDES"/> 
    
    <property name="org.jboss.soa.esb.services.security.sealKeySize" 
    value="168"/>
    
    <property name="org.jboss.soa.esb.services.security.contextTimeout" 
    value="30000"/>
    
    <property name= 
    "org.jboss.soa.esb.services.security.contextPropagatorImplementationClass" 
    value= 
    "org.jboss.internal.soa.esb.services.security.JBossASContextPropagator"/>
            
    <property name="org.jboss.soa.esb.services.security.publicKeystore" 
    value="/publicKeyStore"/> 
    
    
    <property name="org.jboss.soa.esb.services.security.publicKeystorePassword" 
    value="testKeystorePassword"/> 
    
    <property name="org.jboss.soa.esb.services.security.publicKeyAlias" 
    value="testAlias"/> 
    
    <property name="org.jboss.soa.esb.services.security.publicKeyPassword" 
    value="testPassword"/> 
    
    <property name="org.jboss.soa.esb.services.security.publicKeyTransformation" 
    value="RSA/ECB/PKCS1Padding"/> 
    
    </properties>
    
  2. Save the file and exit.
  3. Open the log-in configuration file in your text editor: vi SOA_ROOT/jboss-as/server/PROFILE/conf/login-config.xml
  4. Configure the JAAS log-in modules by editing the settings in this file. (You can use either a pre-configured option or create your own custom solution.)
  5. Save the file and exit.

7.5. Create an Encrypted Password File

Procedure 7.2. Task

  1. Go to the conf directory: cd SOA_ROOT/jboss-as/server/PROFILE/conf
  2. Execute this command: java -cp ../../../lib/jbosssx.jar org.jboss.security.plugins.FilePassword welcometojboss 13 testpass esb.password
Result

An encrypted password file named esb.password is created in the conf directory. Note that the clear-text password is passed on the command line: it is visible to other users in the process list while the command runs, and it may be recorded in your shell history, so remove that history entry afterwards.

7.6. Encryption Options

Table 7.1. Encryption Options

Option Description
Salt
This is the salt that is mixed into the key derivation when the password is encrypted. (In the example above, it is the welcometojboss string.)
Iteration
This is the iteration count of the key derivation; a higher count makes each guess at the encrypted password more expensive. (In the example above, it is the number 13.)
Password
This is the clear-text password to encrypt. (In the example above, it is the testpass string.)
Password File Name
This is the name of the file in which the encrypted password is saved. (In the example above, it is the esb.password string.)
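What the salt and iteration count from Table 7.1 do in password-based encryption, as an added Java example written for this page. It is not the FilePassword tool's code: it does not reproduce the tool's file format or the passphrase the tool derives its key from, and it uses the JDK's PBEWithHmacSHA256AndAES_256 cipher, which the tool predates. The master passphrase, the salt and the 13-iteration count are the example's own values, chosen to mirror the command above; a real deployment would use a far higher iteration count.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

/** Password-based encryption of one password with an explicit salt and iteration count (example code). */
public class PbePasswordDemo {
    private static final String PBE = "PBEWithHmacSHA256AndAES_256";

    /** Wraps the master passphrase; the real key is derived inside Cipher.init from salt and iteration count. */
    private static SecretKey masterKey(char[] masterPassphrase) throws Exception {
        return SecretKeyFactory.getInstance(PBE).generateSecret(new PBEKeySpec(masterPassphrase));
    }

    /** Encrypts password; returns "base64(iv):base64(ciphertext)" so the IV is available for decryption. */
    public static String encrypt(char[] master, byte[] salt, int iterations, String password) throws Exception {
        Cipher cipher = Cipher.getInstance(PBE);
        cipher.init(Cipher.ENCRYPT_MODE, masterKey(master), new PBEParameterSpec(salt, iterations));
        byte[] ciphertext = cipher.doFinal(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(cipher.getIV()) + ":"
                + Base64.getEncoder().encodeToString(ciphertext);
    }

    /** Decrypts a value produced by encrypt; salt and iteration count must match the ones used to encrypt. */
    public static String decrypt(char[] master, byte[] salt, int iterations, String stored) throws Exception {
        String[] parts = stored.split(":", 2);
        IvParameterSpec iv = new IvParameterSpec(Base64.getDecoder().decode(parts[0]));
        Cipher cipher = Cipher.getInstance(PBE);
        cipher.init(Cipher.DECRYPT_MODE, masterKey(master), new PBEParameterSpec(salt, iterations, iv));
        return new String(cipher.doFinal(Base64.getDecoder().decode(parts[1])), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        char[] master = "example-master-passphrase".toCharArray();        // example value only
        byte[] salt = "welcometojboss".getBytes(StandardCharsets.UTF_8); // the salt from the command above
        int iterations = 13;                                              // the count from the command above (too low for real use)

        String stored = encrypt(master, salt, iterations, "testpass");
        System.out.println("stored form : " + stored);
        System.out.println("recovered   : " + decrypt(master, salt, iterations, stored));

        // A different iteration count derives a different key. AES-CBC carries no authentication tag, so a
        // wrong key usually fails the PKCS#5 padding check, but roughly 1 time in 256 it yields garbage
        // instead of an exception: treat any output obtained this way as untrusted.
        try {
            String wrong = decrypt(master, salt, iterations + 1, stored);
            System.out.println("wrong iteration count produced garbage: " + wrong);
        } catch (BadPaddingException e) {
            System.out.println("wrong iteration count rejected: " + e.getMessage());
        }
    }
}
```

Run it with java PbePasswordDemo.java on JDK 11 or later. The point of the salt is that the same password encrypted under two different salts produces unrelated ciphertexts, and the point of the iteration count is to slow down anyone who has obtained the file and is guessing the master passphrase.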

7.7. Clear-Text Password

A clear-text password is the plain-text form of a password: one that has not been encrypted, or has just been decrypted. Clear-text passwords in configuration files are insecure because anyone who can read the file can use them.

7.8. Password Mask

In this chapter, a password mask is a named stand-in for a clear-text password: the real password is encrypted with the key pair in the password key store and stored in the password directory, and configuration files refer to it by the mask's name (the security domain given to the password tool) instead of containing the password itself. (The term is also used elsewhere for a template of the characters permitted in a password; that is a different concept and not what is meant here.)

7.9. Masking Passwords

Introduction

Passwords are secret authentication tokens used to limit access to resources to authorized parties. For a JBoss service to access a password-protected resource, the password must obviously be made available to it.

This can be done by means of command line arguments passed to the JBoss Enterprise SOA Platform on launch, however this is not practical in a production environment. Instead, passwords are normally made available to JBoss services through their inclusion in configuration files.
All JBoss Enterprise SOA Platform configuration files should be stored on secure file systems, and be made readable by the process owner only.
For an added level of security, you can also mask the password in the configuration file. This section will tell you how to do so.

Important

There is no such thing as impenetrable security. Masking passwords is no exception - it is not impenetrable, but it does defeat casual inspection of configuration files and increases the effort required to extract the password. In particular, anyone who can read both the key store and the encrypted key store password file can recover every masked password, so the file permissions set in the procedure below matter as much as the masking itself.

7.10. Mask a Clear-Text Password

Important

You should only perform this key store password encryption procedure once. If you make a mistake entering the keystore password, or you change the key store at a later date, you should delete the jboss_keystore_pass.dat file and repeat the procedure. Be aware that if you change the key store, any masked passwords that were previously generated will no longer function.

Procedure 7.3. Task

  1. Generate a key pair using this command: keytool -genkey -alias jboss -keyalg RSA -keysize 1024 -keystore password.keystore and follow the prompts. (The 1024-bit key size is what the example shows; 1024-bit RSA keys are no longer considered adequate, so use -keysize 2048 or larger for a new key store.)
            keytool -genkey -alias jboss -keyalg RSA -keysize 1024 -keystore password.keystore
    Enter keystore password:  
    Re-enter new password: 
    What is your first and last name?
      [Unknown]:  Bob Bobson
    What is the name of your organizational unit?
      [Unknown]:  Corporate_IT
    What is the name of your organization?
      [Unknown]:  XYZ
    What is the name of your City or Locality?
      [Unknown]:  BRISBANE
    What is the name of your State or Province?
      [Unknown]:  QLD
    What is the two-letter country code for this unit?
      [Unknown]:  AU
    Is CN=Bob Bobson, OU=Corporate_IT, O=XYZ, L=BRISBANE, ST=QLD, C=AU correct?
      [no]:  yes
    
    Enter key password for jboss
    	(RETURN if same as keystore password):
    

    Note

    You must specify the same password for the key store and key pair.
  2. Run chown to change ownership to the JBoss Application Server process owner, and chmod 600 password.keystore to make sure only the file's owner can read it.

    Note

    The process owner should not have console log-in access. In that case you will be performing these operations as another user. Creating masked passwords requires read access to the key store, so you may wish to complete configuration of masked passwords before restricting the key store file permissions.
  3. Navigate to the jboss-as/bin directory: cd SOA_ROOT/jboss-as/bin
  4. Run the password tool, using the command ./password_tool.sh on Red Hat Enterprise Linux systems, (or password_tool.bat on Microsoft Windows-based systems.)
  5. Select 0: Encrypt Keystore Password by pressing 0, then Enter.
  6. Enter the key store password you specified above.
  7. Enter a random string of characters to aid with encryption strength. This is the salt.
  8. Enter a whole number for the iterator count to aid with encryption strength.
  9. Select 5: Exit to exit.

    Note

    The password tool will exit with the message: Keystore is null. Cannot store. This is normal.
  10. Use the chown command to change ownership of the password/jboss_keystore_pass.dat file (relative to SOA_ROOT/jboss-as/bin) to the process owner, and chmod 600 password/jboss_keystore_pass.dat to ensure that only that owner can read the file.
  11. Navigate to the jboss-as/bin directory: cd SOA_ROOT/jboss-as/bin
  12. Run the password tool, using the command ./password_tool.sh on Red Hat Enterprise Linux systems (or password_tool.bat on Microsoft Windows systems).
  13. Select 1: Specify KeyStore by pressing 1 then Enter.
  14. Enter the path to the key store you created above. (You can specify an absolute path, or a path relative to SOA_ROOT/jboss-as/bin. The server profiles expect SOA_ROOT/jboss-as/bin/password/password.keystore unless you change the defaults described in Section 7.12, so either create the key store there or move it there first.)
  15. Enter the key alias. This should be "jboss" (unless you have performed an advanced installation and changed the defaults).
  16. Select 2: Create Password by pressing 2, then Enter. You will be prompted for the security domain. Follow the prompts on screen.
            ./password_tool.sh 
    **********************************
    ****  JBoss Password Tool********
    **********************************
    Error while trying to load data:Encrypted password file not located
    Maybe it does not exist and need to be created.
    0: Encrypt Keystore Password 1:Specify KeyStore 2:Create Password  3: Remove a domain 4:Enquire Domain 5:Exit
    1
    Enter Keystore location including the file name
    password.keystore
    Enter Keystore alias
    jboss
    0: Encrypt Keystore Password 1:Specify KeyStore 2:Create Password  3: Remove a domain 4:Enquire Domain 5:Exit
    2
    Enter security domain:
    default
    Enter passwd:
    passwordmask
    Password created for domain:default
    0: Encrypt Keystore Password 1:Specify KeyStore 2:Create Password  3: Remove a domain 4:Enquire Domain 5:Exit
    
  17. At the "Enter security domain" prompt, enter a name for the password mask. This is an arbitrary unique name that you will use to identify the password mask in configuration files (it becomes the securityDomain value in the annotation described in Section 7.11).
  18. Enter the password that you wish to mask.
  19. Repeat the password mask creation process to create masks for all passwords you wish to mask.
  20. Exit the program by choosing 5: Exit
  21. Navigate to the password directory: cd SOA_ROOT/jboss-as/bin/password. The masks are stored here in jboss_password_enc.dat, alongside jboss_keystore_pass.dat; make sure both files are owned by the process owner and readable by that owner only (chmod 600).
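The mechanism behind a password mask, as an added Java example written for this page. It is not the password tool's code and does not reproduce the format of jboss_password_enc.dat or jboss_keystore_pass.dat; it assumes that a mask is the clear-text password encrypted under the public key of the masking key pair and recovered by the server with the private key, and it generates a throw-away RSA key pair in memory in place of the "jboss" entry that keytool wrote to password.keystore. It also shows the owner-only permission check behind the chmod 600 steps. The class and method names are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Base64;
import java.util.EnumSet;
import java.util.Set;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;

public class PasswordMaskDemo {
    // Transformation named in jbossesb-properties.xml; RSA/ECB/OAEPWithSHA-256AndMGF1Padding is the stronger modern choice.
    private static final String RSA = "RSA/ECB/PKCS1Padding";

    /** Masking: encrypt the clear-text password under the public key; only the private key can reverse it. */
    public static String mask(PublicKey pub, String clearText) throws Exception {
        Cipher c = Cipher.getInstance(RSA);
        c.init(Cipher.ENCRYPT_MODE, pub);
        return Base64.getEncoder().encodeToString(c.doFinal(clearText.getBytes(StandardCharsets.UTF_8)));
    }

    /** Unmasking, as the server does at start-up with the private key from the key store. */
    public static String unmask(PrivateKey priv, String masked) throws Exception {
        Cipher c = Cipher.getInstance(RSA);
        c.init(Cipher.DECRYPT_MODE, priv);
        return new String(c.doFinal(Base64.getDecoder().decode(masked)), StandardCharsets.UTF_8);
    }

    /** The chmod 600 check from steps 2 and 10: true only when no group or other permission bit is set. */
    public static boolean ownerOnly(Path file) throws java.io.IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);  // POSIX file systems only
        return EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE).containsAll(perms);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);                        // stands in for the "jboss" pair in password.keystore
        KeyPair kp = kpg.generateKeyPair();

        String masked = mask(kp.getPublic(), "CHANGE ME!!");
        System.out.println("value stored in place of the password: " + masked);
        System.out.println("recovered with the private key:        " + unmask(kp.getPrivate(), masked));
        // Whoever holds the key store and its password file can do exactly this, which is why those two
        // files, not the mask itself, are what the chown/chmod steps protect.

        // A corrupted mask fails the PKCS#1 v1.5 padding check with high probability. That is not a real
        // integrity check, so rely on file permissions rather than on it.
        byte[] raw = Base64.getDecoder().decode(masked);
        raw[raw.length - 1] ^= 0x01;
        try {
            unmask(kp.getPrivate(), Base64.getEncoder().encodeToString(raw));
        } catch (BadPaddingException e) {
            System.out.println("corrupted mask rejected: " + e.getMessage());
        }

        Path keystore = Files.createTempFile("password", ".keystore");  // placeholder for password.keystore
        try {
            Files.setPosixFilePermissions(keystore,
                    EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
            System.out.println("key store readable by owner only: " + ownerOnly(keystore));
        } finally {
            Files.delete(keystore);
        }
    }
}
```

Run it with java PasswordMaskDemo.java on JDK 11 or later on a POSIX system. The permission helper is the check worth scripting into deployment: if ownerOnly reports false for password.keystore or jboss_keystore_pass.dat, the masking buys nothing against a local reader.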

7.11. Replace a Clear Text Password with its Password Mask

Prerequisites

  • Pre-existing password masks

Procedure 7.4. Task

  • Launch a text editor and replace each occurrence of a clear text password in the configuration files with an annotation referencing its mask.
    This is the general form of the annotation:
    <annotation>
    @org.jboss.security.integration.password.Password(securityDomain=MASK_NAME, methodName=setPROPERTY_NAME)
    </annotation>
    
    As a concrete example, the JBoss Messaging password is stored in the server profile's deploy/messaging/messaging-jboss-beans.xml file. If you create a password mask named "messaging", the before and after snippets of the configuration file look like this (methodName is the bean's setter for the property: set followed by the property name with its first letter capitalised):
    Before:
    <property name="suckerPassword">
    CHANGE ME!!
    </property>
    
    After:
    <annotation>
    @org.jboss.security.integration.password.Password(securityDomain=messaging,
    methodName=setSuckerPassword)
    </annotation>
    

7.12. Change the Default Password Mask Settings

By default the server profiles are configured to use the keystore SOA_ROOT/jboss-as/bin/password/password.keystore, and the key alias "jboss". If you store the key pair used for password masking elsewhere, or under a different alias, you will need to update the server profiles with the new location or key alias.

Procedure 7.5. Task

  1. Open the security configuration file in a text editor: vi SOA_ROOT/jboss-as/server/PROFILE/deploy/security/security-jboss-beans.xml.
  2. Edit the key store location and key alias. Here are some example settings:
    <!-- Password Mask Management Bean-->
       <bean name="JBossSecurityPasswordMaskManagement"
             class="org.jboss.security.integration.password.PasswordMaskManagement" >
             <property name="keyStoreLocation">password/password.keystore</property>
             <property name="keyStoreAlias">jboss</property>
             <property name="passwordEncryptedFileName">password/jboss_password_enc.dat</property>
             <property name="keyStorePasswordEncryptedFileName">password/jboss_keystore_pass.dat</property>
       </bean>
    
  3. Save the file and exit.

7.13. Global Configuration File Security Settings

Table 7.2. jbossesb-properties.xml Security Settings

Property Description Required?
org.jboss.soa.esb.services.security.implementationClass
This is the "concrete" SecurityService implementation that should be used. The default setting is JaasSecurityService.
Yes
org.jboss.soa.esb.services.security.callbackHandler
This is a default CallbackHandler implementation, utilized when a JAAS-based SecurityService is employed. See “Customizing Security” for more information about the CallbackHandler property.
No
org.jboss.soa.esb.services.security.sealAlgorithm
This is the algorithm to use when "sealing" the SecurityContext.
No
org.jboss.soa.esb.services.security.sealKeySize
This is the size of the secret/symmetric key used to encrypt/decrypt the SecurityContext.
No
org.jboss.soa.esb.services.security.contextTimeout
This is the amount of time (in milliseconds) for which a security context is valid. A global setting, this may be over-ridden on a per-service basis. To do so, specify the property of the same name that exists on the security element in the jboss-esb.xml file.
No
org.jboss.soa.esb.services.security.contextPropagatorImplementationClass
Use this to configure a global SecurityContextPropagator. (For more details on the SecurityContextPropagator, please refer to the section on “Advanced Security Options”.)
No
org.jboss.soa.esb.services.security.publicKeystore
This is the keystore holding the key pair used to encrypt and decrypt data that enters the Enterprise Service Bus from outside; in particular, it is used to encrypt the AuthenticationRequest.
No
org.jboss.soa.esb.services.security.publicKeystorePassword
This is the password for the public keystore.
No
org.jboss.soa.esb.services.security.publicKeyAlias
This is the alias to use for the public key.
No
org.jboss.soa.esb.services.security.publicKeyPassword
This is the password for the alias if one was specified upon creation.
No
org.jboss.soa.esb.services.security.publicKeyTransformation
This is a cipher transformation, in the format algorithm/mode/padding (for example, RSA/ECB/PKCS1Padding). If it is not specified, the key's own algorithm is used by default.
No

7.14. Key Pair

A key pair is a matched pair of keys: a public key and a private key. Data encrypted with the public key can only be decrypted with the private key, and a signature made with the private key can be verified by anyone holding the public key.

7.15. Keystore

A keystore is a password-protected file, managed with the JDK's keytool, that holds private keys together with their certificates, and trusted certificates from other parties. It is used wherever the platform needs a key: to encrypt authentication requests, to mask passwords, and to sign and verify serialized rule bases.
The JBoss Enterprise SOA Platform ships with an example key-store, found in SOA_ROOT/jboss-as/samples/quickstarts/security_cert/keystore. Do not use this in a production environment. It is provided as an example only.

7.16. JBoss Rules and Security

When serialization signing is enabled, the JBoss Rules component signs the rule packages and rule bases it serializes and refuses to deserialize any that are unsigned or whose signature does not verify.

Important

You must activate this serialization security feature in order for your configuration to be supported by Red Hat. You need to configure system properties both for the application that serializes the packages and rule bases (hereafter referred to as the server) and for the application that deserializes them (hereafter referred to as the client).

7.17. Enable Serialization on the Server

Procedure 7.6. Task

  1. Navigate to the SOA_ROOT directory: cd SOA_ROOT.
  2. Run the keytool command and follow the prompts on screen:
    keytool -genkey -alias droolsKey -keyalg RSA -keystore MyDroolsPrivateKeyStore.keystore
    Enter keystore password:  
    Re-enter new password: 
    What is your first and last name?
      [Unknown]:  Test User
    What is the name of your organizational unit?
      [Unknown]:  HR
    What is the name of your organization?
      [Unknown]:  Test Org
    What is the name of your City or Locality?
      [Unknown]:  Brisbane
    What is the name of your State or Province?
      [Unknown]:  QLD
    What is the two-letter country code for this unit?
      [Unknown]:  AU
    Is CN=Test User, OU=HR, O=Test Org, L=Brisbane, ST=QLD, C=AU correct?
      [no]:  yes
    Enter key password for droolsKey
         (RETURN if same as keystore password):  
    Re-enter new password:
    
    After answering all of the questions, a password-protected file named MyDroolsPrivateKeyStore.keystore is created. This keystore file holds a private key with the alias droolsKey, protected by the key password you entered (the examples that follow assume the password "drools" for both the keystore and the key). Store this file in a safe location in your environment, which will hereafter be referred to as the keystoredir.

    Important

    The passwords above are examples only and should not be used in production.
  3. Open the configuration file: vi jboss-as/server/default/deploy/properties-service.xml
  4. Configure the JBoss Enterprise SOA Platform to use the JBoss Rules serialization feature by adding this snippet to properties-service.xml:
    <mbean code="org.jboss.varia.property.SystemPropertiesService"  name="jboss:type=Service,name=SystemProperties">
        <attribute name="Properties">
          # Drools Security Serialization specific properties
          drools.serialization.sign=true
          drools.serialization.private.keyStoreURL=file://$keystoredir/MyDroolsPrivateKeyStore.keystore
          drools.serialization.private.keyStorePwd=drools
          drools.serialization.private.keyAlias=droolsKey
          drools.serialization.private.keyPwd=drools
        </attribute>
    </mbean>
    
  5. Set the drools.serialization.sign property to "true":
    drools.serialization.sign=true
    
    • drools.serialization.private.keyStoreURL=<URL> is the URL of the private keystore location.
    • In the example above, replace keystoredir and MyDroolsPrivateKeyStore.keystore with your keystore directory and the name of the keystore you created with the keytool.
    • drools.serialization.private.keyStorePwd=<password> is the password to access the private keystore.
    • drools.serialization.private.keyAlias=<key> is the key alias (identifier) of the private key.
    • drools.serialization.private.keyPwd=<password> is the private key password.
  6. Save the file and exit.
  7. Restart the server instance.

    Warning

    If the system properties were not configured properly, you will see this error when you try to build a rules package:
    An error occurred building the package.
    
    Error
    signing object store: Key store with private key not configured. Please
    configure it properly before using signed serialization
    

7.18. Enable Serialization on the Client

Prerequisites

  • Server serialization must already be enabled.

Procedure 7.7. Task

  1. Export the public key certificate from the private keystore (keytool is in the bin directory of your JDK):
    keytool -export -alias droolsKey -file droolsKey.crt -keystore MyDroolsPrivateKeyStore.keystore
    Enter keystore password:  
    Certificate stored in file <droolsKey.crt>
    
  2. Import the public key certificate into a public keystore. (This is where it will be used by your client applications):
    keytool -import -alias droolsKey -file droolsKey.crt -keystore MyPublicDroolsKeyStore.keystore
    Enter keystore password:  
    Re-enter new password: 
    Owner: CN=Test User, OU=Dev, O=XYZ Corporation, L=Brisbane, ST=QLD, C=AU
    Issuer: CN=Test User, OU=Dev, O=XYZ Corporation, L=Brisbane, ST=QLD, C=AU
    Serial number: 4ca0021b
    Valid from: Sun Sep 26 22:31:55 EDT 2010 until: Sat Dec 25 21:31:55 EST 2010
    Certificate fingerprints:
         MD5:  31:1D:1B:98:59:CC:0E:3C:3F:57:01:C2:FE:F2:6D:C9
         SHA1: 4C:26:52:CA:0A:92:CC:7A:86:04:50:53:80:94:2A:4F:82:6F:53:AD
         Signature algorithm name: SHA1withRSA
         Version: 3
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    
  3. Open the server configuration file: vi jboss-as/server/default/deploy/properties-service.xml
  4. Add the client properties to the same Properties attribute of the SystemPropertiesService mbean you edited in Section 7.17, replacing keystoredir and MyPublicDroolsKeyStore.keystore with your keystore directory and the name of the public keystore you created previously:
    # Drools Client Properties for Security Serialization
    drools.serialization.public.keyStoreURL=file://$keystoredir/MyPublicDroolsKeyStore.keystore
    drools.serialization.public.keyStorePwd=drools
    
  5. Save the file and exit.
  6. Restart the JBoss Enterprise SOA Platform server.
  7. For Java client applications, set the system properties in your code like this:
    // Set the client properties to deserialize the signed packages.
    // KeyStoreHelper is the Drools class that reads these properties; import it from your Drools version's package.
    URL clientKeyStoreURL = getClass().getResource( "MyPublicDroolsKeyStore.keystore" );
    if ( clientKeyStoreURL == null ) {
        throw new IllegalStateException( "MyPublicDroolsKeyStore.keystore not found on the classpath" );
    }
    System.setProperty( KeyStoreHelper.PROP_SIGN, "true" );
    System.setProperty( KeyStoreHelper.PROP_PUB_KS_URL, clientKeyStoreURL.toExternalForm() );
    System.setProperty( KeyStoreHelper.PROP_PUB_KS_PWD, "drools" );   // example password only
    ...
    
    Alternatively, open the run.sh shell script (vi SOA_ROOT/jboss-as/bin/run.sh) script and edit the JAVA_OPTS section:
    # Serialization Security Settings
    JAVA_OPTS="-Ddrools.serialization.sign=true $JAVA_OPTS"
    JAVA_OPTS="-Ddrools.serialization.private.keyStoreURL=file://$keystoredir/MyDroolsPrivateKeyStore.keystore $JAVA_OPTS"
    JAVA_OPTS="-Ddrools.serialization.private.keyStorePwd=drools $JAVA_OPTS"
    JAVA_OPTS="-Ddrools.serialization.private.keyAlias=droolsKey $JAVA_OPTS"
    JAVA_OPTS="-Ddrools.serialization.private.keyPwd=drools $JAVA_OPTS"
    JAVA_OPTS="-Ddrools.serialization.public.keyStoreURL=file://$keystoredir/MyPublicDroolsKeyStore.keystore $JAVA_OPTS"
    JAVA_OPTS="-Ddrools.serialization.public.keyStorePwd=drools $JAVA_OPTS"
    
    Replace the values shown above with ones specific to your environment, and then restart the server instance.
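What the drools.serialization.sign properties turn on, as an added Java example written for this page. It is not Drools or KeyStoreHelper code and does not reproduce the Drools serialization format: the signing side serializes the object and signs the bytes with the private key, the verifying side checks the signature with the public key before it lets ObjectInputStream read anything, and an unsigned blob is accepted only when the client has signing turned off. A throw-away RSA key pair generated in memory stands in for the droolsKey entries in the two key stores above; the SHA256withRSA algorithm (rather than the SHA1withRSA shown in the certificate listing), the RulePackage stand-in and all class names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;

public class SignedSerializationDemo {
    private static final String ALG = "SHA256withRSA";

    /** Stand-in for a serialized rules package (example content only). */
    public record RulePackage(String name, String rules) implements Serializable {}

    /** Serialized bytes plus a detached signature; the signature is null when signing is off. */
    public record SignedBlob(byte[] payload, byte[] signature) {}

    /** Producer side (drools.serialization.sign=true with the private key store): serialize, then sign the bytes. */
    public static SignedBlob serialize(Serializable obj, PrivateKey priv) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(obj); }
        byte[] payload = bos.toByteArray();
        if (priv == null) return new SignedBlob(payload, null);      // signing disabled on the producer
        Signature s = Signature.getInstance(ALG);
        s.initSign(priv);
        s.update(payload);
        return new SignedBlob(payload, s.sign());
    }

    /** Consumer side: verify before deserializing, and even then admit only the expected classes. */
    public static Object deserialize(SignedBlob blob, PublicKey pub, boolean requireSignature) throws Exception {
        if (blob.signature() == null) {
            if (requireSignature) throw new SignatureException("unsigned payload rejected");
        } else {
            Signature s = Signature.getInstance(ALG);
            s.initVerify(pub);
            s.update(blob.payload());
            if (!s.verify(blob.signature())) throw new SignatureException("signature does not verify");
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(blob.payload()))) {
            // A valid signature proves who produced the bytes, not that they are safe to deserialize:
            // keep a class allow-list on the stream as well.
            ois.setObjectInputFilter(info -> info.serialClass() == null
                    || info.serialClass() == RulePackage.class || info.serialClass() == String.class
                    ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();                            // stands in for the droolsKey entry
        RulePackage pkg = new RulePackage("org.example.rules", "rule \"r1\" when then end");

        SignedBlob signed = serialize(pkg, kp.getPrivate());
        System.out.println("verified and loaded: " + deserialize(signed, kp.getPublic(), true));

        byte[] tampered = signed.payload().clone();
        tampered[tampered.length - 1] ^= 0x01;                         // change one byte of the payload
        try {
            deserialize(new SignedBlob(tampered, signed.signature()), kp.getPublic(), true);
        } catch (SignatureException e) {
            System.out.println("tampered payload: " + e.getMessage());
        }

        SignedBlob unsigned = serialize(pkg, null);
        try {
            deserialize(unsigned, kp.getPublic(), true);
        } catch (SignatureException e) {
            System.out.println("unsigned payload with signing required: " + e.getMessage());
        }
        // With drools.serialization.sign=false on the client, the same unsigned payload is accepted.
        System.out.println("unsigned payload with signing off: " + deserialize(unsigned, kp.getPublic(), false));
    }
}
```

Run it with java SignedSerializationDemo.java on JDK 17 or later. The order matters: the signature is checked on the raw bytes before ObjectInputStream is constructed, because Java deserialization runs code from the stream's classes and an unverified payload must never reach it.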

7.19. Disable Serialization Signing

  1. Open the configuration file: vi SOA_ROOT/jboss-as/server/PROFILE/deploy/properties-service.xml.
  2. Set the drools.serialization.sign property to false (or remove the property altogether).
  3. Save the file and exit.
    An alternative way to do this task is to open the run.sh shell script (vi SOA_ROOT/jboss-as/bin/run.sh) and edit it as follows:
    JAVA_OPTS="-Ddrools.serialization.sign=false $JAVA_OPTS"
    
  4. Restart the server instance.
  5. To turn signing off for Java client applications, remove the drools.serialization.sign property or add the following snippet to each application's code:
    System.setProperty( KeyStoreHelper.PROP_SIGN, "false" );
    

7.20. Configure Security on a Per-Service Basis

  1. Open the service's deployment descriptor in a text editor: the jboss-esb.xml file in the META-INF directory of the service's ESB archive. (The security element is a per-service setting; it does not belong in the global jbossesb-properties.xml file.)
  2. Scroll down to the service you want to configure.
  3. Add a security element. This setting shows you how to do so:
    <service category="Security" name="SimpleListenerSecured"> 
       <security moduleName="messaging" runAs="adminRole"
        rolesAllowed="adminRole, normalUsers"
        callbackHandler="org.jboss.internal.soa.esb.services.security.UserPassCallbackHandler"> 
    	    <property name="property1" value="value1"/> 
    	    <property name="property2" value="value2"/> 
       </security>
       ...
    </service>
    
  4. Save the file and exit.

7.21. Per-Service Security Properties

Table 7.3. Security Properties

Property Description Required?
moduleName
This is the name of an application-policy (a JAAS login module configuration) defined in the SOA_ROOT/jboss-as/server/PROFILE/conf/login-config.xml file.
No
runAs
This is the runAs role.
No
rolesAllowed
This is a comma-separated list of the roles that have been granted the ability to execute the service. It is checked after the caller has been authenticated, to verify that the caller belongs to at least one of the roles listed. The roles are assigned by the underlying security mechanism on successful authentication.
No
callbackHandler
This is the CallbackHandler that will override that which was defined in the jbossesb-properties.xml file.
No
property
These are optional properties that, once defined, will be made available to the CallbackHandler implementation.
No

7.22. Override Global Security Settings

Procedure 7.8. Task

  1. Open the service's deployment descriptor (the jboss-esb.xml file in the service's ESB archive) in a text editor. The overrides are properties of the service's security element, not entries in the global jbossesb-properties.xml file.
  2. Configure the setting in question. Here is an example:
    <security moduleName="messaging" 
      runAs="adminRole" rolesAllowed="adminRole">
    
    <property 
        name="org.jboss.soa.esb.services.security.contextTimeout" 
        value="50000"/> 
      
    <property name=
    "org.jboss.soa.esb.services.security.contextPropagatorImplementationClass"
        value="org.xyz.CustomSecurityContextPropagator" /> 
    
    </security>
    
  3. Save the file and exit.

7.23. Security Property Overrides

Table 7.4. Security Property Overrides:

Property Description Required?
org.jboss.soa.esb.services.security.contextTimeout
This property lets the service override the global security context time-out (milliseconds) that is specified in the jbossesb-properties.xml file.
No
org.jboss.soa.esb.services.security.contextPropagatorImplementationClass
This property lets the service to override the "global security context propagator" class implementation, that is specified in the jbossesb-properties.xml file.
No

7.24. Security Context

The SecurityContext is an object that is created once a caller has been successfully authenticated. It is then attached to the message so that the caller does not have to be re-authenticated for every subsequent action. If the ESB detects that a message carries a SecurityContext, it checks that the context is still valid (see the contextTimeout property) and, if so, does not re-authenticate. (Note that a SecurityContext is only valid for a single Enterprise Service Bus node. If the message is routed to a different ESB node, the caller has to be re-authenticated.)
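How the pieces from Section 7.2, Section 7.21 and this section fit together, as an added Java example written for this page. It is not JBoss Enterprise SOA Platform code and uses only the JDK's JAAS classes: a minimal LoginModule stands in for the application-policy that moduleName selects in login-config.xml, a CallbackHandler plays the part of UserPassCallbackHandler, the rolesAllowed check runs after authentication, and a SecurityContext stops being valid once contextTimeout has elapsed. The user table, role names and class names are the example's own, and it simplifies one JBoss convention: real JBoss login modules place role principals inside a Group named "Roles".

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class EsbSecurityDemo {
    /** Role granted on commit (JBoss login modules put such principals in a Group named "Roles"). */
    public record RolePrincipal(String name) implements Principal { public String getName() { return name; } }
    /** The per-service security element: moduleName, rolesAllowed and the contextTimeout override. */
    public record ServiceSecurity(String moduleName, Set<String> rolesAllowed, long contextTimeoutMillis) {}
    /** Created after successful authentication; valid for contextTimeout, and on this node only. */
    public record SecurityContext(Subject subject, long createdAtMillis, long timeoutMillis) {
        public boolean isValid(long nowMillis) { return nowMillis - createdAtMillis < timeoutMillis; }
    }

    /** Minimal JAAS LoginModule over an in-memory user table (example users, not real accounts). */
    public static class InMemoryLoginModule implements LoginModule {
        private static final Map<String, String> PASSWORDS = Map.of("admin", "admin-pw", "alice", "alice-pw");
        private static final Map<String, Set<String>> ROLES = Map.of("admin", Set.of("adminRole"), "alice", Set.of("normalUsers"));
        private Subject subject; private CallbackHandler handler; private String user;

        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (java.io.IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            char[] given = pc.getPassword();
            String expected = PASSWORDS.get(nc.getName());
            pc.clearPassword();
            // Real code compares in constant time; one message covers both unknown user and wrong password.
            if (given == null || expected == null || !expected.equals(new String(given)))
                throw new LoginException("bad credentials");
            user = nc.getName();
            return true;
        }
        public boolean commit() { ROLES.get(user).forEach(r -> subject.getPrincipals().add(new RolePrincipal(r))); return true; }
        public bool
ean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Plays the part of login-config.xml: maps the module name to the login module that handles it. */
    static Configuration configurationFor(String moduleName) {
        AppConfigurationEntry entry = new AppConfigurationEntry(InMemoryLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of());
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return name.equals(moduleName) ? new AppConfigurationEntry[] { entry } : null;
            }
        };
    }

    /** Like UserPassCallbackHandler: answers name and password callbacks from the caller's credentials. */
    static CallbackHandler credentials(String user, char[] password) {
        return callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback nc) nc.setName(user);
                else if (c instanceof PasswordCallback pc) pc.setPassword(password);
                else throw new UnsupportedCallbackException(c);
            }
        };
    }

    /** Authentication: a failed login throws; success yields a time-limited SecurityContext. */
    public static SecurityContext authenticate(ServiceSecurity svc, String user, char[] password, long now)
            throws LoginException {
        LoginContext lc = new LoginContext(svc.moduleName(), new Subject(), credentials(user, password),
                configurationFor(svc.moduleName()));
        lc.login();
        return new SecurityContext(lc.getSubject(), now, svc.contextTimeoutMillis());
    }

    /** The rolesAllowed check, run after authentication: holding any one of the listed roles suffices. */
    public static boolean authorize(SecurityContext ctx, ServiceSecurity svc) {
        return ctx.subject().getPrincipals(RolePrincipal.class).stream()
                .anyMatch(p -> svc.rolesAllowed().contains(p.name()));
    }

    public static void main(String[] args) throws Exception {
        ServiceSecurity svc = new ServiceSecurity("messaging", Set.of("adminRole", "normalUsers"), 30_000);
        long t0 = System.currentTimeMillis();
        SecurityContext ctx = authenticate(svc, "alice", "alice-pw".toCharArray(), t0);
        System.out.println("alice may call the service:     " + authorize(ctx, svc));       // true, via normalUsers
        System.out.println("context still valid after 10 s: " + ctx.isValid(t0 + 10_000)); // true
        System.out.println("context still valid after 31 s: " + ctx.isValid(t0 + 31_000)); // false: re-authenticate
        ServiceSecurity adminOnly = new ServiceSecurity("messaging", Set.of("adminRole"), 30_000);
        System.out.println("alice on an admin-only service: " + authorize(ctx, adminOnly)); // false
        try { authenticate(svc, "alice", "wrong".toCharArray(), t0); }
        catch (LoginException e) { System.out.println("login rejected: " + e.getMessage()); }
    }
}
```

Run it with java EsbSecurityDemo.java on JDK 17 or later. The sequence it walks through (callbacks answered, login, commit adds roles, then the rolesAllowed check, then a validity window on the resulting context) is the JAAS sequence the platform's JaasSecurityService relies on; in the platform the module and its options come from login-config.xml rather than from code.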

7.25. Authentication Request

An AuthenticationRequest carries the security information needed for authentication, either between a gateway and a service or between two services. You must set an instance of this class on the message object before the authenticating service is called. The instance must contain the principal and the credentials needed to authenticate the caller. It is made available to the Callback Handler.

7.26. SecurityConfig

The SecurityConfig class grants access to the security configuration specified in the jboss-esb.xml file. This class is made available to the Callback Handler.

7.27. Add an Authentication Class to a Message Object

Procedure 7.9. Task

  • Execute this code, where authRequest is the AuthenticationRequest (principal plus credentials) that was built for the caller:
    // Encrypt the request under the ESB public key configured in jbossesb-properties.xml
    // (publicKeystore / publicKeyAlias), so that only the ESB can read the credentials.
    byte[] encrypted = PublicCryptoUtil.INSTANCE.encrypt((Serializable) authRequest);
    // Attach the encrypted request to the message context under the well-known key.
    message.getContext().setContext(SecurityService.AUTH_REQUEST, encrypted);
    
Result

The authentication context is encrypted and then set within the message context. (It is later decrypted by the Enterprise Service Bus so that it can authenticate the request.)

7.28. security_basic Quick Start

The SOA_ROOT/jboss-as/samples/quickstarts/security_basic quick start demonstrates how to prepare the security information on a message before you use the ServiceInvoker. The quick start also demonstrates how to configure the jbossesb-properties.xml global configuration file for use by client services.

7.29. Set a Time Limit for the Security Context Globally

Procedure 7.10. Task

  1. Open the global configuration file in a text editor: vi SOA_ROOT/jboss-as/server/PROFILE/deployers/esb.deployer/jbossesb-properties.xml.
  2. Scroll down to the section that contains org.jboss.soa.esb.services.security.contextTimeout. Set the time-out value (in milliseconds).
  3. Save the file and exit.

7.30. Set a Time Limit for the Security Context on a Per-Service Basis

Procedure 7.11. Task

  1. Open the service's deployment descriptor in a text editor: vi jboss-esb.xml.
  2. Scroll down to the service's security element and add (or edit) a property named org.jboss.soa.esb.services.security.contextTimeout. Set its value to the time-out (in milliseconds); it overrides the global value for this service only.
  3. Save the file and exit.