5.7.7: Disabling security on specific application servers

When you enable WebSphere security, the administrative server and every application server on the node are protected by default. With WebSphere Application Server, Version 4, you can turn off security for selected application servers on a node. Use this feature only if both of the following are true:

  • You want to protect the administrative server but do not want to impose the overhead of encrypted connections on application server communications.
  • The affected application servers do not require WebSphere security protection.

How the procedure works

During initialization of the administrative server, the Interoperable Object Reference (IOR) for each enterprise bean hosted in an application server is registered with the name server. The IOR for each enterprise bean contains a security tag if any of the following properties is set to its default value of true:

  • com.ibm.CORBA.SSLTypeIClientAssociationEnabled
  • com.ibm.CORBA.LTPAClientAssociationEnabled
  • com.ibm.CORBA.DCEClientAssociationEnabled
When a client reads the IOR, the presence of the security tag tells the client that the server expects a secure connection for sending messages. The client therefore must obtain authentication information from the user so that the server can authenticate the user.

If all of these properties are set to false, the IOR contains no security tag and the client opens a plain TCP/IP connection to the server. Messages sent over that connection are neither encrypted nor authenticated. The application server receives the request on its TCP/IP port and handles it.

Setting com.ibm.CORBA.SSLTypeIClientAssociationEnabled to false also disables authorization of requests entirely: it tells the application server not to enable security on inbound requests. This works only when the application server uses a different set of configuration properties from the administrative server. The technique for disabling security on selected application servers is therefore to give those servers their own property values.

Disabling security on selected application servers

This procedure shows you how to unprotect an application server. It has two parts:

  • Global settings
  • Application server settings

This specific procedure unprotects the default application server and checks the behavior with the default_app Web module.

Global settings

  1. Verify that global security is enabled and that you have restarted the administrative server at least once since enabling it. This ensures that the correct security settings are present in the sas.server.props file.

    The snoop servlet supplied with the default_app Web module has a security constraint that allows only authenticated users to access it. Without security enabled, access to the Web module is unrestricted. If you enable security and attempt to access the snoop servlet at http://localhost/servlet/snoop, the basic authentication login prompt appears.
  2. Stop the administrative server.
  3. Delete the <WAS_HOME>\properties\sas.server.props.future file. If this file is present when the administrative server restarts, its contents are copied into the sas.server.props file, which overwrites your edits to sas.server.props.
  4. Make a backup copy of the current <WAS_HOME>\properties\sas.server.props file.
  5. Edit the sas.server.props file and modify the settings as described.

    Note   You must make these changes carefully. Incorrect settings can result in unwanted security behavior or prevent the administrative server from starting with security enabled. Do not change any values other than the ones listed here unless you are sure of the consequences.

    If the value of the com.ibm.CORBA.authenticationTarget property is LTPA, set the following properties:
    • Client-association properties:
      com.ibm.CORBA.SSLTypeIClientAssociationEnabled=true
      com.ibm.CORBA.LocalOSClientAssociationEnabled=false
      com.ibm.CORBA.LTPAClientAssociationEnabled=true
    • Server-association properties:
      com.ibm.CORBA.SSLTypeIServerAssociationEnabled=true
      com.ibm.CORBA.LocalOSServerAssociationEnabled=false
      com.ibm.CORBA.LTPAServerAssociationEnabled=true

    If the value of the com.ibm.CORBA.authenticationTarget property is localos , set the following properties:
    • Client-association properties:
      com.ibm.CORBA.SSLTypeIClientAssociationEnabled=true
      com.ibm.CORBA.LocalOSClientAssociationEnabled=true
      com.ibm.CORBA.LTPAClientAssociationEnabled=false
    • Server-association properties:
      com.ibm.CORBA.SSLTypeIServerAssociationEnabled=true
      com.ibm.CORBA.LocalOSServerAssociationEnabled=true
      com.ibm.CORBA.LTPAServerAssociationEnabled=false
  6. Restart the administrative server.
  7. When the server reports that it is "open for e-business", start the administrative console. You are prompted for the administrative user ID and password, which confirms that security on the administrative server is still enabled.

Application server settings

  1. In the administrative console, right-click the application server that you want to unprotect, and then select Properties from the pop-up menu.
  2. In the Application Server Properties window, click the JVM Settings tab, set the following System Properties, and then click OK:
    If the value of the com.ibm.CORBA.authenticationTarget property in sas.server.props is LTPA, set the following properties:
    • Client-association properties:
      com.ibm.CORBA.SSLTypeIClientAssociationEnabled=false
      com.ibm.CORBA.LocalOSClientAssociationEnabled=false
      com.ibm.CORBA.LTPAClientAssociationEnabled=false
      com.ibm.CORBA.DCEClientAssociationEnabled=false
    • Server-association properties:
      com.ibm.CORBA.SSLTypeIServerAssociationEnabled=true
      com.ibm.CORBA.LocalOSServerAssociationEnabled=false
      com.ibm.CORBA.LTPAServerAssociationEnabled=true

    If the value of the com.ibm.CORBA.authenticationTarget property in sas.server.props is localos, set the following properties:
    • Client-association properties:
      com.ibm.CORBA.SSLTypeIClientAssociationEnabled=false
      com.ibm.CORBA.LocalOSClientAssociationEnabled=false
      com.ibm.CORBA.LTPAClientAssociationEnabled=false
      com.ibm.CORBA.DCEClientAssociationEnabled=false
    • Server-association properties:
      com.ibm.CORBA.SSLTypeIServerAssociationEnabled=true
      com.ibm.CORBA.LocalOSServerAssociationEnabled=true
      com.ibm.CORBA.LTPAServerAssociationEnabled=false
  3. Stop and then restart the application server to load the new properties.
  4. Verify that security is disabled for the application server: you should now be able to access the snoop servlet at http://localhost/servlet/snoop without an authentication challenge.

Repeat these steps for any other application servers that you want to unprotect. Remember that every enterprise bean and Web module deployed on an unprotected server is reachable without credentials, so host only applications that require no WebSphere security protection on those servers.
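As an added example (not code from the InfoCenter or from WebSphere itself), the following Python script encodes the property sets from the two parts of the procedure above so that you can audit an existing sas.server.props against the Global settings values, produce the JVM system properties for an application server you want to unprotect, and confirm from the IOR rule in "How the procedure works" that the resulting settings no longer advertise a security tag. The sample properties text is constructed (it deliberately contains one wrong value), the parser is a minimal reader for the Java properties format, and the expected values are taken from the lists in steps 5 and 2 above; nothing else is assumed about the product.

```python
"""Audit and generate the SAS association properties used when unprotecting
a WebSphere 4 application server (added example, not IBM code)."""
from typing import Dict, List, Tuple

PREFIX = "com.ibm.CORBA."

# Constructed sample of the relevant lines of <WAS_HOME>/properties/sas.server.props.
# A real file carries many more keys; this one deliberately has one value wrong.
SAMPLE_SAS_SERVER_PROPS = """\
# constructed sample, not a real sas.server.props
com.ibm.CORBA.authenticationTarget=LTPA
com.ibm.CORBA.SSLTypeIClientAssociationEnabled=true
com.ibm.CORBA.LocalOSClientAssociationEnabled=true
com.ibm.CORBA.LTPAClientAssociationEnabled=true
com.ibm.CORBA.SSLTypeIServerAssociationEnabled=true
com.ibm.CORBA.LocalOSServerAssociationEnabled=false
com.ibm.CORBA.LTPAServerAssociationEnabled=true
"""

def _assoc(kind: str, **flags: bool) -> Dict[str, str]:
    """Build com.ibm.CORBA.<Name><kind>AssociationEnabled=true|false entries."""
    return {f"{PREFIX}{name}{kind}AssociationEnabled": str(on).lower()
            for name, on in flags.items()}

# Values the procedure prescribes for the administrative server's sas.server.props
# (Global settings, step 5), keyed by com.ibm.CORBA.authenticationTarget.
ADMIN_EXPECTED = {
    "LTPA": {**_assoc("Client", SSLTypeI=True, LocalOS=False, LTPA=True),
             **_assoc("Server", SSLTypeI=True, LocalOS=False, LTPA=True)},
    "localos": {**_assoc("Client", SSLTypeI=True, LocalOS=True, LTPA=False),
                **_assoc("Server", SSLTypeI=True, LocalOS=True, LTPA=False)},
}

# JVM system properties the procedure sets on the unprotected application server
# (Application server settings, step 2): every client association off, server
# associations as on the administrative server.
APP_SERVER_EXPECTED = {
    "LTPA": {**_assoc("Client", SSLTypeI=False, LocalOS=False, LTPA=False, DCE=False),
             **_assoc("Server", SSLTypeI=True, LocalOS=False, LTPA=True)},
    "localos": {**_assoc("Client", SSLTypeI=False, LocalOS=False, LTPA=False, DCE=False),
                **_assoc("Server", SSLTypeI=True, LocalOS=True, LTPA=False)},
}

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comment lines, '=' or ':'
    separators, trailing-backslash continuations. Enough for sas.server.props."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # value continues on the next line
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if seps:
            key, value = line[:min(seps)], line[min(seps) + 1:]
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props

def _target(props: Dict[str, str]) -> str:
    """authenticationTarget as the page spells it ('LTPA' or 'localos')."""
    raw = props.get(PREFIX + "authenticationTarget", "").strip().lower()
    target = {"ltpa": "LTPA", "localos": "localos"}.get(raw)
    if target is None:
        raise ValueError(f"unsupported or missing authenticationTarget: {raw!r}")
    return target

def audit_admin_props(props: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(key, found, expected) for every prescribed sas.server.props value that is
    missing or differs; an empty list means the admin server matches step 5."""
    expected = ADMIN_EXPECTED[_target(props)]
    return [(key, props.get(key, "<missing>"), want)
            for key, want in expected.items()
            if props.get(key, "").strip().lower() != want]

def app_server_system_properties(admin_props: Dict[str, str]) -> Dict[str, str]:
    """System properties to enter on the application server's JVM Settings tab,
    chosen from the administrative server's authenticationTarget."""
    return dict(APP_SERVER_EXPECTED[_target(admin_props)])

def ior_carries_security_tag(props: Dict[str, str]) -> bool:
    """The page's rule: the IOR gets a security tag if any of these three client
    association properties is true; each defaults to true when absent."""
    return any(props.get(f"{PREFIX}{name}ClientAssociationEnabled", "true").lower() == "true"
               for name in ("SSLTypeI", "LTPA", "DCE"))

if __name__ == "__main__":
    admin = parse_properties(SAMPLE_SAS_SERVER_PROPS)
    for key, found, want in audit_admin_props(admin):
        print(f"sas.server.props: {key}={found} (procedure expects {want})")
    print("IOR security tag with admin settings:", ior_carries_security_tag(admin))
    jvm = app_server_system_properties(admin)
    print("JVM Settings > System Properties for the unprotected server:")
    for key, value in jvm.items():
        print(f"  {key}={value}")
    print("IOR security tag with those settings:", ior_carries_security_tag(jvm))
```

Run against a copy of your real sas.server.props (after step 3 has removed sas.server.props.future) to see any property that still differs from the step 5 values before you restart the administrative server; the generated dictionary is exactly the list to type into the JVM Settings tab in step 2 of the application server part.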

Go to previous article: Server-side programmatic login Go to next article: Administer applications