Date post: 11-Jul-2020
B1FW-5951-01ENZ0(01) January 2012 Windows Interstage Application Server V1 powered by Windows Azure Operation Guide
B1FW-5951-01ENZ0(01) January 2012

Windows

Interstage Application Server V1 powered by Windows Azure

Operation Guide


Preface

Purpose of This Document

This document explains how to build the environment and operate the applications to work with Interstage Application Server V1 powered by Windows Azure.

This document is intended for operators of applications that use this product.

Assumed Knowledge

This document assumes that readers already have a basic knowledge of the following:

- Java

- GlassFish v3.1

- Internet

- Microsoft Windows Azure

Organization of This Document

This document is organized as follows:

Chapter 1 Overview of Interstage Application Server V1 powered by Windows Azure

This chapter provides an overview of this product.

Chapter 2 Application Development

This chapter explains how the application is designed and created, and also explains the deployment descriptor.

Chapter 3 Application Operations

This chapter explains how to operate the application.

Chapter 4 Security Feature

This chapter explains the Java EE application security feature.

Appendix A Ports

This chapter lists the ports used by this product.

Appendix B Time Settings

This chapter explains how to configure the time settings for this product.

Registered trademarks

- Microsoft, Windows Azure, Windows and Windows Server are trademarks or registered trademarks of Microsoft Corporation in the United States and other countries.

- Java and all references to Java are registered trademarks of Oracle Corporation and its subsidiaries and affiliated companies in the United States and other countries. Company names and product names in this document may be trademarks or registered trademarks of their respective companies.

- Other proper names, such as product names, are trademarks or registered trademarks of their respective companies.

Terminology

In this document, 'Eclipse' is used to refer to both the Interstage Studio and Eclipse development environments.

Cautions about URLs mentioned in the manuals

The URL links in the manuals are accurate as of June 2011.

The Interstage Studio directory configuration may be different from the Eclipse directory configuration.


About Management Portal

The Management Portal operations are accurate as of June 2011. These may change.

Legal Notices and Disclaimers

This document contains technology relating to strategic products controlled by export control laws of the producing and/or exporting countries.

This document or a portion thereof should not be exported (or re-exported) without authorization from the appropriate government authorities in accordance with such laws.

Copyrights

Copyright 2012 FUJITSU LIMITED


Contents

Chapter 1 Overview of Interstage Application Server V1 powered by Windows Azure
  1.1 Overall Structure
    1.1.1 Component Structure
    1.1.2 Structure on Windows Azure

Chapter 2 Application Development
  2.1 How to Design Java EE 6 Applications
    2.1.1 Application Format
    2.1.2 Cautions Regarding the Application Design
  2.2 How to Create the Application
    2.2.1 Application Definition
  2.3 Application Interface
  2.4 About the Development Environment
  2.5 Application Coding
  2.6 Application Debug
    2.6.1 Application debug information
    2.6.2 Debugger

Chapter 3 Application Operations
  3.1 Advance Preparation
  3.2 Operations that use the Eclipse Plug-in
    3.2.1 Overview of Eclipse Plug-in
    3.2.2 Installation of the Eclipse plug-in
    3.2.3 Overview of the Eclipse plug-in feature
    3.2.4 Windows Azure Connection Settings
    3.2.5 Application Platform Settings
    3.2.6 Definitions using the Eclipse plug-in
    3.2.7 User Application Deployment
  3.3 Application operation
    3.3.1 Start
    3.3.2 Stop
    3.3.3 Deploy
    3.3.4 Redeploy
    3.3.5 Operation
    3.3.6 Deleting the Hosted Service
  3.4 Monitoring
    3.4.1 Logs
    3.4.2 Operational Status
    3.4.3 Performance
  3.5 Resources that are stored in Windows Azure storage
  3.6 Custom error log
    3.6.1 JDK/JRE log
    3.6.2 Application platform log
    3.6.3 User application log
  3.7 Tuning
    3.7.1 Changing the Instance size
    3.7.2 Concurrency level
    3.7.3 Changing a Java VM option
    3.7.4 Environment variables

Chapter 4 Security Feature
  4.1 Java EE Application Security Feature
    4.1.1 Authentication
    4.1.2 Authorization
    4.1.3 User/Group/Role
    4.1.4 Realm
    4.1.5 Encryption communication using SSL
    4.1.6 Transmission of authentication information to the EJB container
  4.2 Operations that Run using the Security Feature
    4.2.1 Mapping a user/group to a role
    4.2.2 Creating the realm
    4.2.3 Using SSL

Appendix A Ports

Appendix B Time Settings


Chapter 1 Overview of Interstage Application Server V1 powered by Windows Azure

This product is comprised of a series of services that enable Windows Azure to use an application platform based on the open source software GlassFish v3.1.

1.1 Overall Structure

This section explains the structure of this product.

1.1.1 Component Structure

This product is comprised of the following components:

- Eclipse plug-ins

- Boot programs

- An application platform based on GlassFish v3.1

Figure 1.1 Component Structure

Eclipse plug-ins

Using the Eclipse plug-in, Java applications created by the user are deployed to the application platform on Windows Azure. Additionally, the plug-in executes changes to instance size, instance number and application platform configurations, and information about these changes is sent to the boot program.

Boot programs

The boot program executes the application platform environment settings and startup according to instructions from the Eclipse plug-in. It also deploys Java EE 6 applications.

An application platform based on GlassFish v3.1

An application platform based on GlassFish v3.1 is started from the boot program. This platform contains GlassFish v3.1-based Fujitsu-specific feature improvements.


For details on the Java EE 6 Web Profile terms, refer to JSR 316: Java™ Platform, Enterprise Edition 6 (Java EE 6) Specification (http://www.jcp.org/en/jsr/detail?id=316).

1.1.2 Structure on Windows Azure

This product is executed on hosted services under the subscription.

One application platform exists on one Worker role instance.

High availability can be realized using multiple Windows Azure role instances.

The product cannot use "Remote Desktop Connection" and "Local Drive".


Chapter 2 Application Development

This chapter explains how to design and create Java EE 6 applications, and also explains the deployment descriptor.

When Eclipse is used as the development environment, it is assumed that GlassFish v3.1 and GlassFish Plug-ins have been installed.

2.1 How to Design Java EE 6 Applications

This section explains how to design Java EE 6 applications to be run on Windows Azure.

2.1.1 Application Format

Only one Java EE application module (war file) can be deployed to the application runtime environment for this product per Windows Azure Platform Worker role.

Design the Java EE applications so that they can be stored in one war file.

2.1.2 Cautions Regarding the Application Design

Note the following when designing applications:

- Output the user application log to the current folder.

- UDP Transport is not supported.

- The connection to SQL Azure may break.

For details, refer to the Microsoft Corporation TechNet Wiki "SQL Azure: Connection Management in SQL Azure" (http://social.technet.microsoft.com/wiki/contents/articles/1541.aspx).

- An additional JDBC driver is not required, since the application platform supported in SQL Azure is set to "SQL Server JDBC Driver 3.0". For details on connecting to SQL Azure, refer to "2.2 How to Create the Application" > "Connecting to SQL Azure".

- If the connection has been idle for one minute when communication via the Internet is used, the connection will be broken by Windows Azure.

- Environment variables that are defined as the normal default in Windows Server may not have been defined.

- Access to the registry is restricted.

- Objects saved in the Servlet session may implement the java.io.Serializable interface and may be serialized.

- Event listener methods for the following Servlet sessions may be called by multiple roles when the Servlet session has timed out:

- javax.servlet.http.HttpSessionListener#sessionDestroyed

- javax.servlet.http.HttpSessionAttributeListener#attributeRemoved

- javax.servlet.http.HttpSessionBindingListener#valueUnbound

- If an object stored in the Servlet session attribute has implemented the javax.servlet.http.HttpSessionActivationListener interface, then the methods below will be called:

- sessionDidActivate: When the request is received

- sessionWillPassivate: After the application has ended

2.2 How to Create the Application

Refer to the Java EE 6 Web Profile terms and subterms, and create the application module (.war file) accordingly.

Refer to the Java EE 6 Web Profile terms and subterms for the deployment descriptor as well.


For details on the format of the Java EE application module that can be deployed to the Java EE application runtime environment for this service, refer to "2.1.1 Application Format".

Connecting to SQL Azure

When JDBC resources are used, the application can be connected to the SQL Azure specified in the Eclipse plug-in definition. The JDBC Resource JNDI Name is fixed as "jdbc/__default".

For details on how to use the JDBC resources, refer to the Java EE 6 Web Profile terms and subterms, and "persistence.xml" of "2.2.1 Application Definition".

2.2.1 Application Definition

The application is defined in the deployment descriptors shown below.

For details, refer to the Java EE 6 Web Profile terms and subterms.

The deployment descriptor in which this service's behavior is defined (Interstage deployment descriptor) can be included in the deployment module.

- Web application deployment descriptor (web.xml)

Add the /web-app/distributable element (as an empty tag) to the Web application deployment descriptor (web.xml).

- Web fragments (web-fragment.xml)

Add the /web-fragment/distributable element (as an empty tag) to the Web fragments (web-fragment.xml).

- EJB application deployment descriptor (ejb-jar.xml)

EJB application deployment descriptor (ejb-jar.xml) only supports definition items of features defined in EJB3.1 Lite. The behavior when the following unsupported definition item settings are changed cannot be guaranteed:

- The ejb-jar/enterprise-beans/session/remote element and all its child elements

- The ejb-jar/enterprise-beans/session/business-remote element and all its child elements

- The ejb-jar/enterprise-beans/session/service-endpoint element and all its child elements

- The ejb-jar/enterprise-beans/session/timeout-method element and all its child elements

- The ejb-jar/enterprise-beans/session/timer element and all its child elements

- The ejb-jar/enterprise-beans/session/async-method element and all its child elements

- The ejb-jar/enterprise-beans/entity element and all its child elements

- The ejb-jar/enterprise-beans/message-driven element and all its child elements

- persistence.xml

- Do not define the <provider> tag - the persistence provider provided in this product will be used automatically.

- Do not define the <jta-data-source> and <non-jta-data-source> tags - the JDBC resource "jdbc/__default" will be used automatically.

- orm.xml
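
A pre-deployment check for the descriptor rules listed above, as an added example that is not part of the Fujitsu guide or the product. It scans a .war (and the jars under WEB-INF/lib) for a missing distributable element, the unsupported ejb-jar.xml elements, and the persistence.xml tags that must not be defined; the function names and the sample archive are constructed for illustration.

```python
"""Lint a .war against the descriptor rules of section 2.2.1 (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Names below are taken from the lists in section 2.2.1 of the guide.
UNSUPPORTED_SESSION_CHILDREN = {
    "remote", "business-remote", "service-endpoint",
    "timeout-method", "timer", "async-method",
}
UNSUPPORTED_BEAN_KINDS = {"entity", "message-driven"}
FORBIDDEN_PERSISTENCE_TAGS = {"provider", "jta-data-source", "non-jta-data-source"}

def local(tag):
    """Drop the '{namespace}' prefix so checks work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def check_distributable(root, path):
    """web.xml and web-fragment.xml need a <distributable/> child of the root."""
    if any(local(c.tag) == "distributable" for c in root):
        return []
    return [f"{path}: missing /{local(root.tag)}/distributable"]

def check_ejb_jar(root, path):
    """Flag the ejb-jar.xml elements whose behavior the guide does not guarantee."""
    findings = []
    base = "ejb-jar/enterprise-beans"
    for beans in (c for c in root if local(c.tag) == "enterprise-beans"):
        for bean in beans:
            kind = local(bean.tag)
            if kind in UNSUPPORTED_BEAN_KINDS:
                findings.append(f"{path}: unsupported {base}/{kind}")
            elif kind == "session":
                findings += [
                    f"{path}: unsupported {base}/session/{local(c.tag)}"
                    for c in bean if local(c.tag) in UNSUPPORTED_SESSION_CHILDREN
                ]
    return findings

def check_persistence(root, path):
    """Flag <provider>, <jta-data-source> and <non-jta-data-source>."""
    return [
        f"{path}: do not define <{local(c.tag)}>"
        for unit in root if local(unit.tag) == "persistence-unit"
        for c in unit if local(c.tag) in FORBIDDEN_PERSISTENCE_TAGS
    ]

CHECKS = {
    "web.xml": check_distributable,
    "web-fragment.xml": check_distributable,
    "ejb-jar.xml": check_ejb_jar,
    "persistence.xml": check_persistence,
}

def lint_archive(data, prefix=""):
    """Return findings for a .war given as bytes; descends into WEB-INF/lib jars.

    Meant for your own build output, not for untrusted archives.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            path = prefix + name
            check = CHECKS.get(name.rsplit("/", 1)[-1])
            if check:
                try:
                    root = ET.fromstring(zf.read(name))
                except ET.ParseError as exc:
                    findings.append(f"{path}: not well-formed XML ({exc})")
                    continue
                findings += check(root, path)
            elif not prefix and name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                findings += lint_archive(zf.read(name), path + "!/")
    return findings

def build_sample_war():
    """Constructed sample: a .war with four rule violations, built in memory."""
    ns = 'xmlns="http://java.sun.com/xml/ns/javaee"'
    ejb_jar = (
        f"<ejb-jar {ns}><enterprise-beans>"
        "<session><ejb-name>Cart</ejb-name>"
        "<business-remote>demo.CartRemote</business-remote></session>"
        "<message-driven><ejb-name>Queue</ejb-name></message-driven>"
        "</enterprise-beans></ejb-jar>"
    )
    persistence = (
        '<persistence xmlns="http://java.sun.com/xml/ns/persistence">'
        '<persistence-unit name="demo"><jta-data-source>jdbc/other</jta-data-source>'
        "</persistence-unit></persistence>"
    )
    lib = io.BytesIO()
    with zipfile.ZipFile(lib, "w") as jar:  # fragment that follows the rule
        jar.writestr("META-INF/web-fragment.xml",
                     f"<web-fragment {ns}><distributable/></web-fragment>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", f"<web-app {ns}/>")  # no <distributable/>
        war.writestr("WEB-INF/ejb-jar.xml", ejb_jar)
        war.writestr("WEB-INF/classes/META-INF/persistence.xml", persistence)
        war.writestr("WEB-INF/lib/frag.jar", lib.getvalue())
    return buf.getvalue()

if __name__ == "__main__":
    for finding in lint_archive(build_sample_war()):
        print(finding)
```
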

The settings for Interstage Application Server V1 powered by Windows Azure are configured in the following Interstage deployment descriptors:

- Interstage Web application deployment descriptor (glassfish-web.xml)

- Interstage EJB application deployment descriptor (glassfish-ejb-jar.xml)


- Interstage Web application deployment descriptor (glassfish-web.xml)

Format

<!DOCTYPE glassfish-web-app PUBLIC
    "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN"
    "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app>
    <security-role-mapping>
        <role-name>...</role-name>
        <principal-name>...</principal-name>
        <group-name>...</group-name>
    </security-role-mapping>
    <servlet>
        <servlet-name>...</servlet-name>
        <principal-name>...</principal-name>
    </servlet>
    <resource-ref>
        <res-ref-name>...</res-ref-name>
        <jndi-name>...</jndi-name>
    </resource-ref>
    <class-loader delegate="..." />
</glassfish-web-app>

- Interstage EJB application deployment descriptor (glassfish-ejb-jar.xml)

Format

<!DOCTYPE glassfish-ejb-jar PUBLIC
    "-//GlassFish.org//DTD GlassFish Application Server 3.1 EJB 3.1//EN"
    "http://glassfish.org/dtds/glassfish-ejb-jar_3_1-1.dtd">
<glassfish-ejb-jar>
    <enterprise-beans>
        <ejb>
            <ejb-name>...</ejb-name>
            <resource-ref>
                <res-ref-name>...</res-ref-name>
                <jndi-name>...</jndi-name>
            </resource-ref>
            <principal>
                <name>...</name>
            </principal>
        </ejb>
    </enterprise-beans>
</glassfish-ejb-jar>

The elements are explained below:

Element: Description

Elements under <glassfish-web-app>

- <security-role-mapping>: Maps the user or group defined for the security role and file realm.

- <role-name>: Security role.

- <principal-name>: User name.

- <group-name>: Group name.

- <servlet>: Section for the servlet or JSP behavior.

- <servlet-name>: Servlet or JSP name. Specify the name defined in the <servlet-name> tag of the deployment descriptor (web.xml).

- <principal-name>: Principal name (user name) of the security role specified for the <run-as> tag or @RunAs annotation in the deployment descriptor (web.xml). This does not need to be specified when the security role has only one user.

- <class-loader>: Defines a common value that controls the class loader (Web class loader) that loads the application.

  Attribute: delegate

  Value: true (default)/false

  Explanation: Specifies the Web class loader delegation model.

  Classes held by the application (application classes) are loaded by the Web class loader.

  Classes held by the application platform (internal classes) are loaded by the parent class loader of the Web class loader.

  If the application class and internal class names clash, in the default setting the internal class will be loaded by the class loader delegation model.

  By setting this value, it is possible for the Web class loader to search for classes before the parent class loader.

  - true: Searches the class in the parent class loader before searching it in the Web class loader.

  - false: Searches the class in the Web class loader before searching it in the parent class loader.

Elements under <glassfish-web-app> or <ejb>

- <resource-ref>: JDBC data source or network address of the URL operating environment, which corresponds to the references registered in the <resource-ref> tag of the deployment descriptor based on Java EE or the @Resource or @Resources annotation.

- <res-ref-name>: Resource reference name. This is the name defined for the deployment descriptor <res-ref-name> tag regulated by the Java EE terms.

- <jndi-name>: JNDI name for the operating environment.

Elements under <ejb>

- <principal>: Principal name (user name) of the security role specified for the <run-as> tag or @RunAs annotation defined in the Java EE terms. Not necessary if there is only one user for the security role.

- <name>: Specifies the principal name (user name).

2.3 Application Interface

This section lists the features supported by Java EE 6 Web Profile and by this product.

Table 2.1 List of supported features

Feature                                                       Supported
Servlet 3.0                                                   x
JSP 2.2                                                       x
JSF 2.0                                                       x
JSTL 1.2                                                      x
EL 2.2                                                        x
EJB 3.1
EJB 3.1 Lite                                                  x (*1)
JPA 2.0                                                       x
JTA 1.1                                                       x
Debugging Support for Other Languages 1.0 (JSR-45)            x
Common Annotations for Java 1.1                               x
Dependency Injection for Java 1.0                             x
Managed Beans 1.0                                             x
Interceptors 1.1                                              x
Contexts and Dependency Injection for Java EE Platform 1.0    x
Bean Validation 1.0                                           x
Web Services 1.3
Web Services Metadata for the Java Platform 2.1
JAX-RS 1.1
JAX-WS 2.2
JAXB 2.2
JAX-RPC 1.1
JAXR 1.0
Java EE Connector Architecture 1.6
JMS 1.1
Java Mail 1.4
JACC 1.4
Java EE Application Deployment 1.2
Java EE (J2EE) Management 1.1
JSP Debugging 1.0
JASPIC 1.0

*1: EJB3.1Lite (supported by Java EE 6 Web Profile) is a subset of EJB3.1.

Table 2.2 Component

Feature                                         Supported
Session Bean (Stateful, Stateless, Singleton)   x
Message-driven Bean
2.x/1.x CMP/BMP Entity Bean
Java Persistence 2.0                            x

Table 2.3 Session Bean Client Views

Feature                                         Supported
Local/No-interface                              x
3.0 Remote
2.x Remote Home/Component
JAX-WS Web Services Endpoint
JAX-RPC Web Service Endpoint

Table 2.4 Services

Feature                                                     Supported
EJB Timer Services
Asynchronous session bean invocations
Interceptors                                                x
RMI-IIOP Interoperability
Container-managed transactions/Bean-managed transactions    x
Declarative and Programmatic Security                       x

Table 2.5 Miscellaneous

Feature           Supported
Embeddable API

2.4 About the Development Environment

Installing GlassFish

In order to execute application development and the debug tasks locally, install GlassFish v3.1 in the environment in which Eclipse has been installed.

1. Download the GlassFish v3.1 installer (or zip) file from the GlassFish website (http://glassfish.java.net/public/downloadsindex.html).

2. Install (or deploy) the downloaded installer (or zip) file.

Installing the GlassFish plug-in

1. Start Eclipse.

2. Click Help > Install New Software - the Install window will be displayed.

3. Set Work with to https://ajax.dev.java.net/eclipse, then click Add.

4. Set Name to GlassFish v2 Java EE 5 and v3 Java EE 6 Eclipse Plugin.

5. Select Glassfish Java EE 5 and Java EE 6 support, then click Next.

Note

If an error occurs, return to the previous window, clear Show only the latest versions of available software, then select a version other than the latest one.


2.5 Application Coding

The application developer can develop applications freely using the Java EE development environment.

Use Eclipse for deployment to Windows Azure.

2.6 Application Debug

This section describes how to debug the application in a local environment.

Using the application debug information

Checks the debug information output to the standard output or standard error by the application.

Using the debugger

Checks the behavior of the application while referencing or updating variables in the program using the debugger provided in Eclipse.

2.6.1 Application debug information

Implementing a process to output the debug information in the application will help to identify the problem area using the debug information output to the log file.

The application debug information sent to the standard output and standard error output is stored in the server log (for details, refer to "Server log").

2.6.2 Debugger

The application developer can use the debugger to debug the application created in the application developer-specific environment.

Using the debugger, logical processing errors can be detected while the application is running.

Normally, debug is performed by setting breakpoints on the source code, and referencing or updating variables while the program is suspended at the breakpoint.


Chapter 3 Application Operations

This chapter explains how to operate an application.

The operation of the application is executed according to the following flow:

3.1 Advance Preparation

In order to use this product, the following advance preparation will be required (for details, refer to "Tutorial" > "Advance Preparation before Environment Settings" in the Getting Started guide):

1. Create the Affinity Group and Hosted Service.

2. Create the Windows Azure Storage Account.

3. Create the certificate.

4. Register the certificate from Management Portal.

5. Create the PKCS#12 format certificate.

3.2 Operations that use the Eclipse Plug-in

In this product, the plug-in used to deploy the application to the Windows Azure environment is installed in Eclipse, and the application is then deployed from Eclipse.

3.2.1 Overview of Eclipse Plug-in

Conditions for operation

The table below lists the environments that support the Eclipse plug-in:

Environment | Supported value | Remarks
Eclipse | Version 3.6.2 or later | Java EE will be required because of application platforms based on GlassFish v3.1.
JDK | Java SE 6 u22 or later |
Operating System | Microsoft® Windows® XP, Microsoft® Windows Server® 2003, Microsoft® Windows Server® 2008, Windows® Vista, Windows® 7 |
Memory | At least 2GB | At least 4GB is recommended
Disk | At least 5MB (plug-in only) |
Network | Internet connections will be possible |

Note

The Eclipse plug-in will not run correctly if another plug-in has been installed.

Image of the operation

The diagram below illustrates the deployment of the user application using the Eclipse plug-in:

3.2.2 Installation of the Eclipse plug-in

The method used to install the Eclipse plug-in in Eclipse will depend on the mode you are using.

1. Start Eclipse.

2. Select Help > Install New Software - the Install window will be displayed.

3. Click Add - the Add Repository window will be displayed.

4. Click Archive, specify the archive (INTS_APS_TOOL<version>.zip) which is on the media, then click OK.

5. In the software list, select Interstage Tools, then click Next - the Install Details window will be displayed.

6. Make sure that the software list contains the entry "Interstage Application Server powered by Windows Azure plug-in", then click Next - the Review Licenses window will be displayed.

7. Select I accept the terms of the license agreements, then click Finish.

Note

Click OK to continue when the security warning below is displayed:

“Warning: You are installing software that contains unsigned content. The authenticity or validity of this software cannot be established. Do you want to continue with the installation?”


8. Restart Eclipse.

9. Copy the downloaded license key (INTS_APS_<version>.lic) to [Eclipse dir]\plugins\com.fujitsu.interstage.azure.plugin.key_1.0.0.

3.2.3 Overview of the Eclipse plug-in feature

The Eclipse plug-in provides the following features.

- Windows Azure Connection Settings

Settings for connection to the application platform on Windows Azure from Eclipse:

- Subscription - Settings for connections to the application platform from Eclipse.

- Hosted Services - Environment settings for the deployment of the application platform.

- Application Platform Settings

Environment settings for the application platform that will run on Windows Azure:

- Security

- file Realms - Settings for the realm managed by the application platform.

- SSL/TLS - Settings for the HTTPS listener used by the application platform.

- Java settings - Settings for the Java runtime environment of the application platform.

- Databases - Settings for SQL Azure of the application platform.

- User Application Deployment

Deployment of the Web application to the application platform.

3.2.4 Windows Azure Connection Settings

Configure the connection to Windows Azure from Eclipse.

In the Eclipse menu, click Window > Preferences > Interstage Application Server - the Settings window will be displayed.

The two connection information types set for connections to Windows Azure are:

- Subscription

- Hosted Services

Subscription

One subscription is supported in one Eclipse workspace.

The connections to the application platform from Eclipse can be configured in the Subscription settings window (for details, refer to "3.2.6 Definitions using the Eclipse plug-in" > "Subscription definitions"):


Hosted Services

One Hosted Service is supported in one Eclipse workspace.

The environment for deployment of the application platform can be configured in the Hosted Services settings window:


Additionally, configure the connections to Windows Azure storage that will be used to archive the information and log definitions for the application platform. By clicking OK, the Worker role and application platform will be installed in the specified Hosted Service and automatically started once the installation is complete.

Note

- This cannot be set if Test Connection in the Subscription settings window failed.

- Depending on the Windows Azure load and the network convergence status, it may take a considerable while to install the Worker role and application platform in the specified Hosted Service.

In the Hosted Services settings window, click New - the Hosted Service window will be displayed (for details, refer to "3.2.6 Definitions using the Eclipse plug-in" > "Hosted Service definitions"):


You can configure Instance Size and Instance Num according to your requirements.

3.2.5 Application Platform Settings

Configure the runtime environment for the application platform that will run on Windows Azure.

From the Eclipse Project context menu, select Interstage Application Server > Settings - the application platform settings window will be displayed:


Note

This can only be set when a project has been selected.

The following items can be set in this window.

Security

file Realms settings

Configure the realm managed by the application platform.

Click Security > file Realms - the file Realm window will be displayed:


User ID lists the user ID defined for the file Realm user name.

Group List lists the user's group - multiple groups will be separated by a comma (',').

When New is clicked, the dialog box for creating a new file Realm is displayed (for details, refer to "3.2.6 Definitions using the Eclipse plug-in" > "file Realm definitions"):

When a user ID is selected and Edit is clicked, the dialog box used to change the file Realm will be displayed.

When the user ID is selected and Remove is clicked, the user ID will be removed. Multiple user IDs can also be selected.

SSL/TLS settings

Configure the HTTPS listener used by the application platform.


When Security > SSL/TLS is selected, the SSL/TLS settings window is displayed (for details, refer to "3.2.6 Definitions using the Eclipse plug-in" > "SSL/TLS definitions"):

Note

- The SSL settings will be reflected in the public port number in this product (port number 443).

- In the initial state, SSL communication is possible using the pre-registered self-certificate (s1as), however for security reasons this certificate should not be used for actual operations.

Java settings

Configure the Java runtime environment of the application platform (Java VM Options).

When Java Settings > Java VM Options is selected, the Java VM Options settings window is displayed (for details, refer to "3.2.6 Definitions using the Eclipse plug-in" > "Java Settings"):


Determine the required Java heap size and Java stack size according to the characteristics and scale of the application operation.

Databases

Configure SQL Azure of the application platform.

When Databases > SQL Azure is selected, the SQL Azure settings window will be displayed (for details, refer to "3.2.6 Definitions using the Eclipse plug-in" > "Databases"):


3.2.6 Definitions using the Eclipse plug-in

The following items can be defined using the Eclipse plug-in.

Windows Azure Connection Settings

Subscription definitions

Field | Value | Description
Target Service | Fujitsu/Microsoft Windows Azure Platform | Select Microsoft Windows Azure Platform.
Subscription ID | 36 characters | String that will be notified when the subscription is purchased.
Certification File | Certificate file name | Name of the PKCS#12 format certificate created in "3.1 Advance Preparation".
Certification Password | String | Name of the PKCS#12 format certificate created in "3.1 Advance Preparation".
Key Alias | azurekeyalias (literal) | The Key Alias is azurekeyalias (fixed).
Test Connection | - | Uses the specified values to test whether connections to the Windows Azure environment are possible. This can be used when all items have been entered.

Hosted Service definitions

Field | Value | Description
DNS Prefix | String up to 63 characters long | Enter the value specified for Enter a URL prefix for your service of the Hosted Service created in "Create the Affinity Group and Hosted Service" of "3.1 Advance Preparation". This can only be changed when a new one is created.
Deployment | InterstageAPS (literal) | Deployment name
Type | Staging (literal) | This product and this service deploy user applications to the staging environment (fixed).
Instance Size (see Note below) | Small (default)/Medium/Large/ExtraLarge | Size of the instance to be created. For details, refer to Windows Azure Computing (http://www.microsoft.com/windowsazure/compute/)
Instance Num | Integer (range: 1-30, default: 2) | Number of Windows Azure Worker role instances that will run the created application platform.
Storage Account | String up to 24 characters long | Account that was specified in "Create the Windows Azure Storage Account" of "3.1 Advance Preparation".
Storage Access Key | String | Access key that will be required for inbound access to storage. For details, refer to "Checking the Storage Access Key" in the Getting Started guide.
Test Connection | - | Checks whether connection to the Hosted Service specified in DNS Prefix and to the Windows Azure storage environment is possible. This can be used only if all items have been specified.

Note

- When Instance Size is Large, the performance will match the role unit, however billing will occur in proportion to InstanceSize.

- When Instance Num is "1", the Windows Azure SLA guarantee will not be executed. Additionally, changing Instance Num from1 to 2 and higher, and vice-versa, is not supported.

Security Settings

file Realm definitions

Field | Value | Description
User ID | String up to 255 characters long | Name that will be used as the user name in the application. This field cannot be changed if the user updates file Realm definitions. The field can contain alphanumeric characters, underscores ('_'), dashes ('-') and dots ('.').
Group List | String up to 255 characters long (optional) | Groups to which the user belongs, separated by comma (','). Group names can contain alphanumeric characters, underscores ('_'), dashes ('-') and dots ('.').
Password | String up to 255 characters long (optional) | User's password. If nothing is entered during a change, the password will not be updated.
Confirm Password | String up to 255 characters long | Same as Password.

SSL/TLS definitions

Field | Value | Description
SSL3 | True (default)/False | Determines whether to use the SSL3 protocol in SSL communication. This field is enabled only if Restore Defaults is cleared.
TLS | True (default)/False | Determines whether to use the TLS protocol in SSL communication. This field is enabled only if Restore Defaults is cleared.
Client Authentication | True/False | Determines whether to use client authentication. This can be used when SSL3 or TLS has been selected. This field is enabled only if Restore Defaults is cleared.
Set Certificate and Key Store | True/False | Enables/disables the fields Certificate Nickname, Key Store File, and Key Store Password. This field is enabled only if Restore Defaults is cleared.
Certificate Nickname | String up to 511 characters long | Nickname for the self site certificate stored in the keystore that will be used in SSL communication. There will be no need to re-enter this nickname, unless it is necessary to change the specified certificate. The default value is "s1as". This field is enabled only if Set Certificate and Key Store is selected, and SSL3, TLS, Client Authentication and Restore Defaults are cleared.
Key Store File | File name | Name of the keystore file. There will be no need to re-enter this file name, unless it is necessary to change the file name that was uploaded. This field is enabled only if Set Certificate and Key Store is selected, and SSL3, TLS, Client Authentication and Restore Defaults are cleared.
Key Store Password | String | Keystore file's password. There will be no need to re-enter this password, unless it is necessary to change the password that was uploaded. This field is enabled only if Set Certificate and Key Store is selected, and SSL3, TLS, Client Authentication and Restore Defaults are cleared.
Restore Defaults | True/False | Restores the SSL/TLS settings to their initial values. Key Store File and Key Store Password will be deleted from the server.

Note

- If the settings are invalid, SSL communication will not be enabled - check the error content, change the appropriate configuration, then restart.

- When Key Store File is specified, or to reset a value to its default, set the following options of Java VM Options:

- -Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks

- -Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks

Java Settings

Java VM Options definitions

Field | Value | Description
Java VM Options | String | Options that will be specified in the Java VM when the Web application is executed. Specify each option in a different line. Enter new options on a separate line at the end of the field. To change a default option, edit it in the existing line - do not add a separate line for that purpose.

Databases

SQL Azure definitions

Field | Value | Description
Server Name | String up to 255 characters long | Name of the SQL Azure server. Use the format "server.database.windows.net".
Port Number | 1433 (literal) | Port number of the SQL Azure.
Database Name | String up to 255 characters long | Name of the database that will be used.
User Name | String up to 255 characters long | User that will access the database. Use the format "username@server".
Password | String up to 255 characters long | Password that will be used to access the database. If this has not been entered when the SQL Azure settings are updated, the password will not be updated.

3.2.7 User Application Deployment

Execute the deployment of the Web application to the application platform.

From the Eclipse Project context menu, select Interstage Application Server > Deploy - the Deploy window will be displayed:

Note

This can only be set when a project has been selected.

The following fields can be set in the Deploy window:

Field | Value | Description
Specify an existing war file | Full path of the war file that will be deployed. This is selected by default | Determines that the specified war file will be deployed to the application platform.
Deploy the war file created by the project | Full path of the war file that will be created | Determines whether to build the project for which the war file will be deployed to the application platform.

Note

If the Worker role and application platform do not exist in the target Hosted Service during the user application deployment, then they will be installed and automatically started once the installation is complete.

3.3 Application operation

The diagram below illustrates how to use Management Portal to start/stop the application:

3.3.1 Start

Use one of the following methods to start the application:

- Execute the application deployment using the Eclipse plug-in.

- Start a stopped application using Management Portal.

3.3.2 Stop

A running application can be stopped by stopping the target Deployment from Management Portal.

If the service does not stop within 30 seconds, then the application will be forcefully stopped by Windows Azure. If the application platform does not stop within 25 seconds, then a message will be sent to the event log (refer to the custom error log and check whether an error occurred on exit).


Note

- A service cannot be stopped from the Eclipse plug-in.

- When the deployment is stopped, the user application and application platform will also stop.

- If the deployment is stopped, back up the custom error log before restarting it (for details on the custom error log, refer to "3.6 Custom error log").

3.3.3 Deploy

To execute the application, deploy the application platform.

Specify the resources that will be required for the deployment, such as the application that will be deployed and the subscription level certificate, and the configuration information about the application and the application platform.

For details, refer to "3.2.7 User Application Deployment".

The application is deployed to the staging environment - for details on switching the operating environment, refer to "3.3.5 Operation".

3.3.4 Redeploy

If a new application is deployed from Eclipse while a previous application has already been deployed, the existing previous application will be deleted and the new application will be deployed instead.

Note

The user application alone cannot be deleted.

3.3.5 Operation

Switch the application that was deployed to the staging environment to the operating environment according to the following procedure:

1. Log in to Windows Azure Management Portal.

2. Click Hosted Services, Storage Accounts.

3. Click Hosted Services.

4. Select the target application.

5. Make sure that Environment is Staging, then click Swap VIP - the Swap VIPs window will be displayed.

6. Click OK.

Note

If Swap VIPs is clicked to switch the staging environment to the production environment, Servlet sessions which existed before the switch was executed cannot be used.


3.3.6 Deleting the Hosted Service

If an application or this product is no longer required, the Hosted Service can be deleted using Management Portal.

Before deleting the Hosted Service, back up required resources.

When the Hosted Service is deleted, some resources will remain in the containers below in the Windows Azure storage - delete these resources using a storage access tool (for details on each container, refer to "3.5 Resources that are stored in Windows Azure storage").

Container name Resource name

wad-iaps-pkg-container Resource starting with the URL prefix specified during creation of the Hosted Service.

wad-iaps-conf-container

wad-iaps-appl-container

3.4 Monitoring

This section explains the items that can be monitored in this product.

3.4.1 Logs

In this product, the following logs can be stored in the Windows Azure storage service and can be referenced later.

Additionally, the Windows Azure logs below can be collected and monitored in Systemwalker Centric Manager.

Log type | Collected by Systemwalker Centric Manager
Trace log | Yes
Infrastructure log | Yes
Event log | Yes
Performance counter log | Yes
Crash dump | No
Custom error log | No

3.4.2 Operational Status

The operational status of this product can be monitored using the following tools:

- Service Dashboard

- Systemwalker Centric Manager

Service Dashboard

Allows the user to check the operational status of each Data Center and of each of its services (such as Compute, Storage, and SQL Azure).


Note

The operation status of applications deployed by each user cannot be checked.

Systemwalker Centric Manager

Systemwalker Centric Manager allows the user to monitor the operational status of Deployment on Windows Azure.

3.4.3 Performance

When Systemwalker Centric Manager is used, the performance counter values of this product can be collected. Additionally, the log is monitored, and the administrator will be notified by way of an 'event' whenever a threshold value is exceeded.

Based on the notified event, the administrator can take the required action (for example, adding instances or changing the Instance size). For details, refer to the "Systemwalker Centric Manager" manuals.

3.5 Resources that are stored in Windows Azure storage

In this product, resources that belong to the customer are stored in Windows Azure storage.

Blob storage

The following resources are stored in Blob storage:

Container name | Stored resource
wad-iaps-pkg-container | Package of boot program
wad-iaps-conf-container | Various application platform definition files
wad-iaps-appl-container | Java EE 6 application created by the customer (war file)
wad-crash-dumps | Crash dump
wad-iaps-log-container | Custom error log

Note

This contains sensitive information, therefore the container access privileges must not be changed.

Table storage

The following resources are stored in Table storage:

Table name | Resource that is stored
WADIAPSControlTable | Communication information between the Eclipse plug-in and the boot program
WADLogsTable | Trace log
WADDiagnosticInfrastructureLogsTable | Windows diagnostic infrastructure log
WADWindowsEventLogsTable | Windows event log
WADPerformanceCountersTable | Performance counter (if they are collected in Systemwalker Centric Manager)


Note

- Storage space might be insufficient, depending on the size and log output of the Java application created by the customer.

- When logs collected by this product exceed the restricted size, they are deleted starting from the oldest information.

- Do not delete resources stored in Windows Azure storage.

3.6 Custom error log

On the application platform, the following logs are collected as custom error logs:

- JDK/JRE log

- Application platform log

- User application platform log

Log transfer destination

The custom error log is transferred to “wad-iaps-log-container”, and is stored in Blob using the following virtual folder structure:

<Deployment ID>
+-<Role name>
  +-<Instance ID>
    |-hs_err_pid<pid>.log (JDK/JRE log)
    |-(User application log)
    |-server.log_<yyyy-MM-ddThh-mm-ss>
    +-http
      +-server_access_log*

Note

- Use a third-party tool to access log files stored in Windows Azure storage.

- To control the Windows Azure storage usage, logs transferred to Windows Azure storage will be deleted periodically by the boot program. Logs not modified within the last seven days will be targeted for deletion, therefore any required logs should be backed up within this retention period.

- The interval for transfer to Windows Azure storage is one minute - only the diff from the previously transferred log will be transferred.

3.6.1 JDK/JRE log

The application platform runs on Java SE 6. If the Java process terminates abnormally, the following log is collected:

Fatal error log

File name

hs_err_pid<pid>.log

Content

Output when Fatal Error occurs in Java.


3.6.2 Application platform log

The following logs are collected by the application platform:

Server log

File name

server.log

Content

Information output by the application platform, and information that deployed applications write to the standard output or standard error output.

Specifications

Content will be output to the same file as the server log using the following processing:

- Using logger initial processing, the domain.xml definition information is obtained, and the output destination switches to the server log.

- For standard output and standard error output, the output destination is switched to the server log by the handler.

The backup file server.log_<yyyy-MM-ddThh-mm-ss> is created during rotation.

Format

[#|datetime|log_level|product_ID|logger name|thread_info|method_info|rec_num|msg|#]

Possible values for log_level are:

- ERROR

- WARNING

- INFO

Example

[#|2010-10-22T18:26:27.177+0900|INFO|glassfish3.1|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=15;_ThreadName=Thread-1;| | | WEB0169: Created HTTP listener [http-listener-1] on host/port [0.0.0.0:8080]|#]

HTTP access log

File name

server_access_log

Content

Communication (request/response) information between the load balancer and application platform.

Specifications

When the settings have been configured to output HTTP access logs, the HTTP access log file is created.

"request_line" contains the value as submitted from the client (that is, the % character will not be decoded).

The backup file access\server_access_log.<yyyy-MM-dd>.txt is created during rotation.

Format

"<client_IP_address>" "-" "<auth_username>" "<datetime>" "<req_line>" "<stat_code>" "<resp_len>" "<host_head_cont>" "<sess_ID>" "<proc_intrvl>" "<thrd_ID>" "<thrd_nam>" "-"

Example

"127.0.0.1" "-" "-" "16/Jun/2011:14:18:55 +0900" "GET /sample/sample.html HTTP/1.1" "200" "1494" "localhost:8080" "6e2a7289be9600cf82a7218fa2c1" "0" "ThreadID=67" "ThreadName=http-thread-pool-8080(1)" "-"

Log Rotation

The log file is rotated according to file size. If the log output exceeds the file size, the log is saved with a name that contains the time at which the rotation was executed. The file name used at the time of the rotation, file size, and number of generations saved are displayed below:

Log | File name after rotation | File size | Number of generations
Server log | server.log_<yyyy-MM-ddThh-mm-ss> | 1MB | 9
HTTP access log | server_access_log_<yyyy_MM_dd-hh_mm_ss>.<sequence> | 1MB | 9

Note: <sequence> starts from 0 - it will be added if rotation is executed within one second of the previous rotation.

Note

The capacity for each server log and HTTP access log can be estimated using the formula below:

1MB x 10 (number of generations) x 7 days (retention period) x numberOfInstances

A thread can be traced using these log files, as in the example below containing the same value for ThreadID:

HTTP access log:

"127.0.0.1" "-" "-" "29/Jun/2011:11:19:38 +0000" "GET /sample/ HTTP/1.1" "200" "0" "localhost" "-" "219" "ThreadID=104" "ThreadName=http-thread-pool-8080(3)" "-"

Server log:

[#|2011-06-29T11:19:38.709+0000|INFO|glassfish3.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=104;_ThreadName=Thread-1;|This is log output from sample web application.|#]

The server log and HTTP access log formats may change in the next version.
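The thread tracing described above, as an added example in Python that is not part of the original guide: it parses the two log formats given in this section and pairs each HTTP request with the server log records written on the same ThreadID. The function names, the two-second matching window and the constructed sample lines are assumptions of this example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Names follow the Format line in this guide; dash1/dash2 are the literal "-" columns.
ACCESS_FIELDS = ("client_ip", "dash1", "auth_username", "datetime", "req_line",
                 "stat_code", "resp_len", "host_header", "sess_id",
                 "proc_intrvl", "thrd_id", "thrd_nam", "dash2")
RECORD_RE = re.compile(r"\[#\|(.*?)\|#\]", re.DOTALL)  # a record may span lines
THREAD_RE = re.compile(r"ThreadID=(\d+)")


def parse_server_log(text):
    """Return one dict per [#|...|#] record found in a server.log text."""
    records = []
    for body in RECORD_RE.findall(text):
        parts = body.split("|")
        if len(parts) < 6:
            continue  # incomplete record
        head, rest = parts[:5], parts[5:]
        # method_info and rec_num are present in the 8-field form only; the
        # 6-field form goes straight from thread_info to the message.
        # Limitation: a 6-field message containing two '|' is misread.
        msg = "|".join(rest[2:]) if len(rest) >= 3 else "|".join(rest)
        try:
            when = datetime.strptime(head[0].strip(), "%Y-%m-%dT%H:%M:%S.%f%z")
        except ValueError:
            continue  # unexpected timestamp, skip the record
        tid = THREAD_RE.search(head[4])
        records.append({"time": when, "level": head[1].strip(),
                        "logger": head[3].strip(),
                        "thread_id": int(tid.group(1)) if tid else None,
                        "msg": msg.strip()})
    return records


def parse_access_log(text):
    """Return one dict per 13-field quoted line of a server_access_log text."""
    entries = []
    for line in text.splitlines():
        values = re.findall(r'"([^"]*)"', line)
        if len(values) != len(ACCESS_FIELDS):
            continue  # blank, truncated or unparseable line
        entry = dict(zip(ACCESS_FIELDS, values))
        try:
            entry["time"] = datetime.strptime(entry["datetime"],
                                              "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        tid = THREAD_RE.search(entry["thrd_id"])
        entry["thread_id"] = int(tid.group(1)) if tid else None
        method, _, remainder = entry["req_line"].partition(" ")
        entry["method"] = method
        # req_line is logged as the client sent it (% not decoded), so decode
        # a copy before matching it against path-based detection rules.
        entry["decoded_target"] = unquote(remainder.rsplit(" ", 1)[0])
        entries.append(entry)
    return entries


def trace(access_entries, server_records, window_seconds=2):
    """Pair each request with server log records on the same ThreadID.

    Thread IDs are reused by the pool, so only records within window_seconds
    of the request are kept (an assumed window, not a value from the guide).
    """
    window = timedelta(seconds=window_seconds)
    return [(e, [r for r in server_records
                 if r["thread_id"] is not None
                 and r["thread_id"] == e["thread_id"]
                 and abs(r["time"] - e["time"]) <= window])
            for e in access_entries]


# The first record and first line are the guide's tracing example;
# the second of each is constructed for this example.
SAMPLE_SERVER_LOG = """\
[#|2011-06-29T11:19:38.709+0000|INFO|glassfish3.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=104;_ThreadName=Thread-1;|This is log output from sample web application.|#]
[#|2011-06-29T11:25:02.120+0000|WARNING|glassfish3.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=104;_ThreadName=Thread-1;| | |constructed: lookup failed
second line of the same record|#]
"""
SAMPLE_ACCESS_LOG = """\
"127.0.0.1" "-" "-" "29/Jun/2011:11:19:38 +0000" "GET /sample/ HTTP/1.1" "200" "0" "localhost" "-" "219" "ThreadID=104" "ThreadName=http-thread-pool-8080(3)" "-"
"127.0.0.1" "-" "-" "29/Jun/2011:11:25:02 +0000" "GET /sample/a%20b.html HTTP/1.1" "404" "0" "localhost" "-" "12" "ThreadID=104" "ThreadName=http-thread-pool-8080(3)" "-"
"""

if __name__ == "__main__":
    pairs = trace(parse_access_log(SAMPLE_ACCESS_LOG),
                  parse_server_log(SAMPLE_SERVER_LOG))
    for entry, related in pairs:
        print(entry["stat_code"], entry["decoded_target"],
              [r["msg"] for r in related])
```

Because the guide states that both formats may change in the next version, re-check the field order against a current log file before relying on the parsed fields.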

3.6.3 User application log

This log is output by the user application.

In the application platform, the standard output and standard error output will be output to the same file as the server log. To output the log to a file using a logger such as Log4j, output the log to the current folder.

Additionally, set the following attribute to false.

- Interstage Web application deployment descriptor (glassfish-web.xml)/class-loader/delegate

For details on "Interstage Web application deployment descriptor (glassfish-web.xml)/class-loader/", refer to "2.2.1 Application Definition".


3.7 Tuning

This section explains how to tune the application.

3.7.1 Changing the Instance size

The user can change the Instance size using the Eclipse plug-in's field Hosted Service > Instance Size - for details, refer to "3.2.4 Windows Azure Connection Settings" > "Hosted Services".

Note

When the instance size is changed, the Worker role and application platform will be installed and automatically started once the installation is complete. User applications already deployed will be automatically deployed again.

3.7.2 Concurrency level

The instance number is the number of Worker role instances on which the application platform is operating.

One application platform exists on one Worker role instance. For this reason, to increase/decrease the application concurrency level, increase/decrease the number of Worker role instances.

The user can change the concurrency level using the Eclipse plug-in's field Hosted Service > Instance Num - for details, refer to "3.2.4 Windows Azure Connection Settings" > "Hosted Services".

Note

Only deployment configurations which used the Eclipse plug-in can be changed.

3.7.3 Changing a Java VM option

The user can change a Java VM option using the Eclipse plug-in field Java Settings > Java VM Options (from the Eclipse Project context menu, click Interstage Application Server > Settings) - for details, refer to "3.2.5 Application Platform Settings" > "Java settings".

The options supported in this product are listed below:

Java heap tuning options

- -Xms

- -Xmx

- -XX:NewSize

- -XX:MaxNewSize

- -XX:NewRatio

- -XX:SurvivorRatio

- -XX:TargetSurvivorRatio

- -XX:PermSize

- -XX:MaxPermSize

Stack size tuning options

- -Xss

- -XX:CompilerThreadStackSize

Garbage Collection processing selection options

- -XX:+UseSerialGC

- -XX:+UseParallelGC

- -XX:+UseConcMarkSweepGC

Garbage Collection processing tuning options

Parallel GC

- -XX:ParallelGCThreads

- -XX:GCTimeLimit

- -XX:GCHeapFreeLimit

- -XX:+UseGCOverheadLimit

Parallel GC with CMS

- -XX:ParallelGCThreads

- -XX:ConcGCThreads

Common

- -XX:+UseCompressedOops

Debug options used for tuning, such as log output

Garbage Collection log output

- -verbose:gc

- -XX:+PrintGCDetails

Other

- -XX:-OmitStackTraceInFastThrow

- -XX:+PrintClassHistogram

- -Xcheck:jni

- -XX:-UseOSErrorReporting

The default options of this product are listed below (do not delete these options):

-XX:MaxPermSize=192m

-Djavax.management.builder.initial=com.sun.enterprise.v3.admin.AppServerMBeanServerBuilder

-Djava.endorsed.dirs=${com.sun.aas.installRoot}/modules/endorsed${path.separator}${com.sun.aas.installRoot}/lib/endorsed

-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy

-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf

-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as

-Xmx512m

-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks

-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks

-Djava.ext.dirs=${com.sun.aas.javaRoot}/lib/ext${path.separator}${com.sun.aas.javaRoot}/jre/lib/ext${path.separator}${com.sun.aas.instanceRoot}/lib/ext

-Djdbc.drivers=org.apache.derby.jdbc.ClientDriver

-DANTLR_USE_DIRECT_CLASS_LOADING=true

-Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory

-Dorg.glassfish.additionalOSGiBundlesToStart=org.apache.felix.shell,org.apache.felix.gogo.runtime,org.apache.felix.gogo.shell,org.apache.felix.gogo.command

-Dosgi.shell.telnet.port=6666

-Dosgi.shell.telnet.maxconn=1

-Dosgi.shell.telnet.ip=127.0.0.1

-Dgosh.args=--nointeractive

-Dfelix.fileinstall.dir=${com.sun.aas.installRoot}/modules/autostart/B25

-Dfelix.fileinstall.poll=5000

-Dfelix.fileinstall.log.level=2

-Dfelix.fileinstall.bundles.new.start=true

-Dfelix.fileinstall.bundles.startTransient=true

-Dfelix.fileinstall.disableConfigSave=false

-Dproduct.name=

-XX:CompilerThreadStackSize=4096

-XX:-UseGCOverheadLimit

-XX:+UseOSErrorReporting

-Xrs

3.7.4 Environment variables

You should exercise caution when changing environment variables, since the environment variables on Windows Azure are different from those in the existing Windows operating system.

Chapter 4 Security Feature

This chapter explains the following aspects of the security feature provided in this product:

- Authentication

- Authorization

- User/Group/Role

- Realm

- Encryption communication using SSL

- Transmission of authentication information to the EJB container

4.1 Java EE Application Security Feature

This section explains the Java EE application security feature.

4.1.1 Authentication

It is possible to check whether the user is valid by checking the user ID and password. Accordingly, access by invalid users is prevented.

The authentication methods are as follows.

Authentication using Servlet

Authentication of the client that connects to the Web container is executed using the following authentication methods:

- BASIC authentication

- FORM authentication

To enable the authentication method, specify the following value to the <auth-method> tag in the deployment descriptor (web.xml or web-fragment.xml).

- BASIC

BASIC authentication

- FORM

FORM authentication

If the <auth-method> tag is not specified, "BASIC" is used as the default value. The value cannot be omitted.

For details, refer to the Java EE 6 Web Profile terms and subterms.

Point

- When using FORM authentication, authentication information is stored in sessions. For this reason, the <distributable> tag needs to be specified in web.xml. For details on the <distributable> tag, refer to “2.2.1 Application Definition”.

- To associate the configuration with “file Realms settings”, the following values need to be the same.

- /web-app/security-role/role-name element in web.xml

- /glassfish-web-app/security-role-mapping/role-name element in glassfish-web.xml
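The two conditions in the Point above can be checked before deployment. The following is an added example, not part of the guide or the product: it parses a constructed web.xml and glassfish-web.xml, compares the role names, and checks that FORM authentication is paired with <distributable>. The role, group and page names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not from the guide); role and page names are hypothetical.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>manager</role-name></security-role>
  <security-role><role-name>auditor</role-name></security-role>
</web-app>"""

GLASSFISH_WEB_XML = """<glassfish-web-app>
  <security-role-mapping>
    <role-name>manager</role-name>
    <group-name>ops</group-name>
  </security-role-mapping>
</glassfish-web-app>"""

def parse(text):
    """Parse a descriptor and drop XML namespaces so plain paths match."""
    root = ET.fromstring(text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def audit(web_xml, glassfish_web_xml):
    """Return findings for the two conditions in the Point above."""
    web, gf = parse(web_xml), parse(glassfish_web_xml)
    declared = {e.text.strip() for e in web.findall("security-role/role-name")}
    mapped = {e.text.strip() for e in gf.findall("security-role-mapping/role-name")}
    findings = [f"role '{r}' is declared in web.xml but not mapped" for r in sorted(declared - mapped)]
    findings += [f"role '{r}' is mapped but not declared in web.xml" for r in sorted(mapped - declared)]
    # The guide states BASIC is the default when <auth-method> is absent.
    method = (web.findtext("login-config/auth-method") or "BASIC").strip()
    if method == "FORM" and web.find("distributable") is None:
        findings.append("FORM authentication without <distributable>")
    return findings
```

On the sample input, audit(WEB_XML, GLASSFISH_WEB_XML) reports the unmapped "auditor" role and the missing <distributable> tag.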

When authentication fails

- BASIC authentication

The com.sun.enterprise.security.auth.login.common.LoginException exception is output to the server log, and status code 401 is returned.

- FORM authentication

The com.sun.enterprise.security.auth.login.common.LoginException exception is output to the server log, and the page set for <form-error-page> is displayed.

4.1.2 Authorization

The operations available to an authenticated user will be restricted by an authorization level, which is based on the user role.

There are two possible methods to grant authorization:

- Control by program

The code to grant the authorization to authenticated users or roles is implemented in the application using the Servlet/EJB API (for details, refer to the Java EE 6 Web Profile terms and subterms).

Note

If the system does not allow the authentication procedure to be changed, the application in which the authentication is implemented will need to be updated.

- Control by container

The container grants authorization according to the content implemented in the deployment descriptor or annotation.

There are two deployment descriptor or annotation restriction targets (for details, refer to the Java EE 6 Web Profile terms and subterms):

- Web application resources

- EJB application methods

When authorization fails

- When authorization fails for the Web application resources - status code 403 is returned.

- When EJB application method authorization fails - the javax.ejb.EJBAccessException exception is notified to the client.

4.1.3 User/Group/Role

This section explains the user, group and role.

User

ID that identifies a person or application program. A user will be required in order to use Java EE security.

Group

A group of users. Groups are used to allocate the same authorization level for members belonging to a particular department.

Role

Authorization level that comes with a name defined by the application. The application executes access control based on the role.

The user and group are associated with the role defined by specifying security role mapping in the Interstage deployment descriptor.

4.1.4 Realm

A realm is the repository used by the server to store user and group information. The following realm is used in this product.

file Realm

This manages user credentials that are registered in the realm as a key file.

For details on registering users to the file Realm and the settings, refer to "3.2.5 Application Platform Settings" > "Security" > "file Realms settings".

4.1.5 Encryption communication using SSL

In this product, the following communication can be executed using SSL.

- Communication between the Web browser (HTTP/HTTPS client) and the HTTP listener

By using SSL to execute communication between the application platform HTTP listener and the Web browser that run on the Windows Azure platform worker role, security risks such as eavesdropping, tampering, and spoofing are avoided, and information privacy is maintained.

To use SSL, create a keystore file in which the required server certificates and trusted certificates are stored, and transfer the file to Windows Azure storage via the Eclipse plug-in.

The SSL settings operations are executed using the Eclipse plug-in.

For details on the SSL settings, refer to "3.2.5 Application Platform Settings" > "Security" > "SSL/TLS settings".

4.1.6 Transmission of authentication information to the EJB container

EJB authorization is executed using the authentication information (group or user) transmitted to the EJB container.

There are two possible methods to send authentication information to the EJB container:

- Transmission of the Web application authentication information to the EJB container

The information authenticated in the Web application is sent to the EJB container.

- Transmission from a RunAs specified application to the EJB container.

The role can be specified using the EJB caller deployment descriptor file <run-as> tag, or the @RunAs annotation set in the caller application. In this case, the authentication information mapped to the specified role will be sent to the EJB container.

There are two possible authorization methods:

- Control by program

Create an application using the EJB API (the API that will obtain, or validate, the authentication information sent) to grant the authorization.

- Control by EJB container

The EJB container will grant authorization according to the authentication information sent. If the authentication information is mapped to the role that was set using the method permissions feature, then authorization will be granted.

For details, refer to "4.1.2 Authorization".

Role and authentication information mapping is defined in the Interstage Web application deployment descriptor (glassfish-web.xml) <security-role-mapping> tag.

4.2 Operations that Run using the Security Feature

This section explains how to execute operations that use the security feature.

4.2.1 Mapping a user/group to a role

During application development, edit the Interstage deployment descriptor by mapping the user or group to the role (for details, refer to "2.2.1 Application Definition").

4.2.2 Creating the realm

For details on creating the realm, refer to "3.2.5 Application Platform Settings" > "Security" > "file Realms settings".

4.2.3 Using SSL

SSL/TLS Settings window

From the Eclipse Project context menu, click Interstage Application Server, Settings or Open, then configure the security feature settings.

For details on creating the realm, refer to "3.2.5 Application Platform Settings" > "Security" > "SSL/TLS settings".

Procedure for using SSL

To use SSL communication in a public service in this product, configure the settings according to the following procedure.

Note

When SSL communication is used, an electronic certificate and corresponding private key will be required.

1. Create the keystore file.

Create the keystore file used to store the electronic certificate and private key used for SSL communication (for details, refer to "Keystore").

2. Configure SSL communication using the SSL/TLS Settings window.

From the Eclipse Project pop-up menu, click Interstage Application Server, Settings or Open, then configure the various security feature settings (for details, refer to "Security").

Keystore

The keystore file used to store the electronic certificate and private key used for SSL must be created.

Upload the keystore file prepared for Windows Azure user storage from the SSL/TLS Settings window.

The certificates issued by the Public Certificate Authorities supported in this product are stored in the keystore file contained in the Eclipse plug-in. To create the keystore file, follow the steps below:

1. Copy the keystore file.

Copy the keystore file bundled in the Eclipse plug-in to any folder.

2. Change the password.

Change the copied keystore password.

Note

The password specified here will be required to access the keystore.

This will be required to change the keystore-related settings. Additionally, do not forget to keep the password a closely-guarded secret, so that the data in the keystore will be protected.

3. Store the private key and certificate.

Use keytool to create or import user private keys and electronic certificates in the keystore.

Trusted certificates

Specify the keystore file for the trusted certificate.

The certificates issued by the Public Certificate Authorities supported in this product are stored in the keystore file bundled in the Eclipse plug-in, and also in the initial state keystore file. The supported Public Certificate Authorities are listed below:

- VeriSign, Inc.

- Secure Server ID

- Secure Server ID EV (EV SSL certificates)

- Cybertrust, Inc.

- SureServer for SSL certificates

- GlobalSign & GMO Internet Inc.

- Quick authentication SSL

- Enterprise authentication SSL

Protocol versions and encryption ciphers that can be used in SSL communication

The protocol versions and encryption ciphers that can be used in SSL communication are listed below:

- Protocols

- SSL 3.0

- TLS 1.0

- Encryption ciphers

- TLS_RSA_WITH_AES_128_CBC_SHA

- SSL_RSA_WITH_3DES_EDE_CBC_SHA

- SSL_RSA_WITH_RC4_128_SHA

- SSL_RSA_WITH_RC4_128_MD5

- SSL_RSA_WITH_DES_CBC_SHA

- SSL_RSA_EXPORT_WITH_RC4_40_MD5
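The following added example (not part of the guide or the product) parses each cipher suite name listed above into key exchange, bulk cipher and MAC, and records which parameters later standards deprecate, so an operator can review the list entry by entry. The strength table and reason strings are this example's own.

```python
# Cipher suites exactly as listed in the guide.
SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
]

# Effective strength in bits of each bulk cipher
# (3DES has a 168-bit key but about 112-bit strength).
STRENGTH_BITS = {"AES_128_CBC": 128, "3DES_EDE_CBC": 112, "RC4_128": 128,
                 "DES_CBC": 56, "RC4_40": 40}


def parse_suite(name):
    """Split PROTO_KX_WITH_CIPHER_MAC into its negotiated parameters."""
    _, rest = name.split("_", 1)          # drop the SSL_/TLS_ prefix
    kx, tail = rest.split("_WITH_")
    cipher, mac = tail.rsplit("_", 1)
    return {"kx": kx, "cipher": cipher, "mac": mac}


def review(name):
    """Return the reasons a suite is deprecated; an empty list means no check matched."""
    s = parse_suite(name)
    bits = STRENGTH_BITS[s["cipher"]]
    reasons = []
    if s["kx"].endswith("_EXPORT"):
        reasons.append("export-grade key exchange")
    if s["cipher"].startswith("RC4"):
        reasons.append("RC4 (prohibited by RFC 7465)")
    if bits < 112:
        reasons.append(f"{bits}-bit key")
    if "DES" in s["cipher"]:
        reasons.append("64-bit block cipher")
    if s["mac"] == "MD5":
        reasons.append("MD5-based MAC")
    return reasons


def unflagged(suites=SUITES):
    """Suites for which none of the checks above matched."""
    return [n for n in suites if not review(n)]
```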

Appendix A Ports

The ports used by this product are listed below:

Port                   Load Balancer
HTTP Listener Port     80
HTTPS Listener Port    443

Appendix B Time Settings

In Windows Azure, time zones are set to UTC.
