You can customize security to some extent at the application server
level. You can disable user security on an application
server; administrative security remains enabled when global security is enabled.
When global security is disabled, you cannot enable application server security.
Before you begin
You can also modify Java 2 Security Manager, Authentication
Mechanism, and some of the other security attributes that are found on the
Global security panel. Global security is also called cell-level security.
You cannot configure a different authentication mechanism or user registry
on an individual server basis. This feature is limited to cell-level configuration
only.
By default, server security inherits all of the values that are configured for
cell-level security. To override the cell-level security configuration at
the server level, click Servers > Application Servers > server_name.
Under Security, click Server Security > Additional properties and click
any of the following panels:
- CSIv2 inbound authentication
- CSIv2 outbound authentication
- CSIv2 inbound transport
- CSIv2 outbound transport
- SAS inbound transport
- SAS outbound transport
- Server-level security
After you modify the configuration in any of these panels and click
OK or Apply, the security configuration for that panel or set of panels
overrides cell-level security. Panels that are not overridden continue to
inherit from the cell level.
You can revert to the cell-level configuration at any time. On the Server
Security panel, click any of the following options to revert to the global
security configuration on these panels:
- Use cell security
- Use cell CSI
- Use cell z/SAS
For more information, see Server and global security.
Procedure
- Start the administrative console for the deployment manager.
To get to the administrative console, go to http://host.domain:port_number/ibm/console.
If security is disabled, you can enter any ID. If security is enabled, you
must enter a valid user ID and password, which is either the administrative
ID that is configured for the user registry or a user ID that is entered as
an administrative user. To add a user ID as an administrative user, click System
Administration > Console settings > Console users.
- Configure global security if you have not
already done so. Go to Enabling security for all application servers for detailed steps. After global security is configured,
configure server-level security.
Attention: Server-level
security is not enabled when you select the Enable global security option
on the Server-level security settings of the administrative console. You also
must enable cell-level security by selecting the Enable global security option
on the Global security settings panel of the administrative console.
- To configure server-level security, click Servers > Application
Servers > server name. Under Security, click Server security.
The status of the security level that is in use for this application
server is displayed.
By default, you can see that global security, Common Secure Interoperability
(CSI), and SAS have not been overridden at the server level. CSI and SAS are
authentication protocols for RMI/IIOP requests. The Server Level Security
panel lists attributes that are on the Global Security panel and can be overridden
at the server level. Not all of the attributes on the Global Security panel
can be overridden at the server level, including Active Authentication Mechanism
and Active User Registry.
- To disable security for this application
server, go to the Server-level security panel, clear the Enable global
security option and click OK or Apply. Click Save.
After you modify the Server-level security panel, the panel shows that this
flag overrides the cell-level security.
- To configure CSI at the server level, you
can change any panel that starts with CSI. By doing so, all of
the panels that start with CSI override the CSI settings that are specified
at the cell level. This change includes all of the authentication and transport
panels for CSI. See Configuring Common Secure Interoperability Version 2 (CSIV2) and Security Authentication Service (SAS) for more detailed steps regarding configuring the CSI
authentication protocol.
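The inheritance and override rules described above, as an added Python model that is not IBM code and not a WebSphere API. The dictionary keys, group names and sample values are hypothetical, and treating the Server-level security and SAS panels as override groups in the same way as the CSI panels is an assumption.

```python
# Added illustration of the inheritance rules on this page. All names are
# hypothetical: this is a model, not a WebSphere API or configuration schema.
GROUPS = {  # each "set of panels" is overridden as one unit
    "security": ("global_security", "java2_security"),
    "csi": ("csi_in_auth", "csi_out_auth", "csi_in_transport", "csi_out_transport"),
    "sas": ("sas_in_transport", "sas_out_transport"),
}  # auth_mechanism and user_registry are in no group: cell-level only


def override(cell, server, group, **changes):
    """Change one panel; the whole group then stops inheriting from the cell."""
    snapshot = {**{k: cell[k] for k in GROUPS[group]}, **server.get(group, {}), **changes}
    if set(snapshot) != set(GROUPS[group]):
        raise ValueError(f"not overridable in {group!r}: {sorted(changes)}")
    server[group] = snapshot  # server.pop(group) models "Use cell ..." (revert)


def effective(cell, server):
    """Settings the server runs with once it has been restarted."""
    result = dict(cell)
    for values in server.values():
        result.update(values)
    # The server-level flag only matters while cell-level security is enabled.
    result["user_security"] = cell["global_security"] and result["global_security"]
    result["admin_security"] = cell["global_security"]  # follows the cell only
    return result


def audit(cell, servers):
    """List servers without user security and overrides that differ from the cell."""
    findings = []
    for name, server in sorted(servers.items()):
        if cell["global_security"] and not effective(cell, server)["user_security"]:
            findings.append((name, "user security disabled"))
        for group, values in sorted(server.items()):
            drift = sorted(k for k, v in values.items() if v != cell[k])
            findings += [(name, f"{group} differs from cell: {drift}")] if drift else []
    return findings


# Constructed sample inventory (values are placeholders, not console output).
CELL = {"global_security": True, "java2_security": False,
        "auth_mechanism": "LTPA", "user_registry": "LDAP",
        "csi_in_auth": "supported", "csi_out_auth": "supported",
        "csi_in_transport": "SSL-required", "csi_out_transport": "SSL-required",
        "sas_in_transport": "SSL-required", "sas_out_transport": "SSL-required"}
SERVERS = {"server1": {}, "server2": {}, "server3": {}}
override(CELL, SERVERS["server2"], "security", global_security=False)
override(CELL, SERVERS["server3"], "csi", csi_in_transport="SSL-supported")
```

Calling `audit(CELL, SERVERS)` reports server2 as running without user security and server3 as carrying a CSI transport setting that no longer matches the cell.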
What to do next
Typically, server-level security is used to disable user security
for a specific application server. However, server-level security can also be
used to disable or enable the Java 2 security manager, and to configure the
authentication requirements for RMI/IIOP requests, both incoming to and
outgoing from this application server.
After you modify the configuration for a particular application
server, you must restart the application server for the changes to become
effective. To restart the application server, go to Servers > Application
servers and click the server name that you recently modified. Click Stop and
then Start.
If you disabled security for the application server,
you can typically test a Web address that is protected when security is enabled.
One URL that is usually available when the DefaultApplication is installed
during installation is the snoop application. If the DefaultApplication is
installed on the application server, test that security is disabled by going
to the following URL: http://host.domain:9080/snoop. If security
is disabled, a prompt does not display. This URL is just one method of validating
the configuration. Validate that the configuration is appropriate for your
applications.