This topic applies only on the z/OS operating system.

Enabling global security

Before you can enable global security for WebSphere Application Server, you must activate an authentication mechanism. You must start the administrative console and use it to activate the authentication mechanism, and then perform the remaining tasks in the administrative console to enable global security.

Before you begin

Before you can enable global security for WebSphere Application Server, you must select both an authentication mechanism and a user registry.

About this task

You need to start the administrative console by specifying the following Web site:
http://server_hostname:port_number/ibm/console

Perform the following steps to enable global security.

Procedure

  1. Click Security > Global security.
  2. Select the Enable global security option. Global security is disabled by default.
  3. Optional: Select the Enforce Java 2 Security option to enable Java 2 Security permission checking. By default, Java 2 security is disabled. However, if you enable global security, Java 2 security is automatically enabled. You can choose to disable Java 2 security, even when global security is enabled.
    When Java 2 Security is enabled and an application requires more Java 2 security permissions than are granted in the default policy, the application might fail to run properly until the required permissions are granted in either the app.policy file or the was.policy file of the application. Applications that do not have all the required permissions generate AccessControl exceptions. Review the Java 2 Security and Dynamic Policy documentation if you are unfamiliar with Java 2 security.
    Note: Updates to the app.policy file only apply to the enterprise applications on the node to which the app.policy file belongs.
  4. Select the Enforce fine-grained JCA security option if you need to restrict application access to sensitive Java Connector Architecture (JCA) mapping authentication data.

    For detailed information, see Global security settings.

  5. Select the Use domain-qualified user IDs option. If this option is enabled, user names appear with their fully qualified domain attribute when retrieved programmatically.
  6. Enter the cache timeout value for security cache in seconds in the Cache timeout field. When the timeout is reached, the Application Server clears the security cache and rebuilds the security data. Since this affects performance, this value should not be set too low. Default: 600 seconds.
  7. Select the Issue permission warning option. The filter.policy file contains a list of permissions that an application should not have according to the J2EE 1.3 Specification. If an application is installed with a permission specified in this policy file and this option is enabled, a warning is issued. The default is enabled.
  8. Select which security protocol is active when security is enabled from the Active Protocol menu. The Active Protocol menu specifies the active authentication protocol for RMI/IIOP requests when security is enabled.

    WebSphere Application Server includes the Object Management Group (OMG) protocol called CSIv2, which supports increased vendor interoperability and additional features. If all servers in your entire security domain are Version 5 (and above) servers, it is best to specify CSIv2 as your protocol. The default is both CSIv2 and z/SAS.

  9. Select which authentication mechanism is active when security is enabled from the Active Authentication Mechanism menu. In WebSphere Application Server Version 6, Simple WebSphere Authentication Mechanism (SWAM) and Lightweight Third Party Authentication (LTPA) are the supported authentication mechanisms. Only LTPA is configurable on WebSphere Application Server Network Deployment; SWAM is not configurable on WebSphere Application Server Network Deployment.
  10. Use the Active user registry menu to specify the user registry that is active when security is enabled. You can configure settings for one of the following user registries:
    • Local operating system.

      [z/OS] The implementation is a System Authorization Facility (SAF) compliant registry such as the Resource Access Control Facility (RACF), which is shared in an MVS sysplex.

    • LDAP user registry. The LDAP user registry settings are used when users and groups reside in an external LDAP directory. When security is enabled and any of these properties are changed, go to the Global Security panel and click OK or Apply to validate the changes.
    • Custom user registry.
    The default user registry is local OS. However, you can configure the supported user registries under the User registries section of this administrative console panel.
  11. Optional: Click the Use the Federal Information Processing Standard (FIPS) option if you are using a FIPS-certified JSSE. WebSphere Application Server Version 6 and later supports a channel framework that uses IBMJSSE2. IBMJSSE2 uses IBMJCEFIPS for cryptographic support when you enable the Use the Federal Information Processing Standard (FIPS) option.
  12. Click OK.

    This panel performs a final validation of the security configuration. When you click OK or Apply from this panel, the security validation routine runs and any problems are reported at the top of the page. When you complete all of the fields, click OK or Apply to accept the selected settings. Click Save (at the top of the panel) to persist these settings to a file. If you see any informational messages in red text, there is a problem with the security validation. Typically, the message indicates the problem, so review your configuration to verify that the user registry settings are accurate and the correct registry is selected. In some cases, the LTPA configuration might not be fully specified.

    For detailed information, see Global security settings.

  13. Optional: Configure for SAF authorization. For more information on these settings, see z/OS System Authorization Facility authorization.
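
As an added example, not part of this documentation and not WebSphere product code, the following Java class illustrates the failure mode described in step 3: when Java 2 security is enforced, an application that lacks a permission receives a java.security.AccessControlException. The probe checks a permission up front, reports exactly which permission the policy does not grant, and prints the grant stanza an administrator could add to the application's was.policy file. The file path /tmp/app.conf and the class name are constructed for the example; the ${application} code base keyword is the one WebSphere policy files use to refer to the whole enterprise application. The example assumes a JVM on which a SecurityManager can be installed (Java 8 through 17).

```java
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.Permission;

// Added example, not from the WebSphere documentation: detect a missing
// Java 2 security permission before the application fails on it, and
// report what the administrator needs to grant in app.policy or was.policy.
public class Java2SecurityProbe {

    // Returns null when the permission is granted or when no SecurityManager
    // is installed (that is, Java 2 security is not being enforced).
    // Otherwise returns the permission that the current policy does not grant.
    public static Permission missingPermission(Permission wanted) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return null; // Java 2 security is not enforced in this JVM
        }
        try {
            sm.checkPermission(wanted);
            return null;
        } catch (AccessControlException e) {
            // getPermission() names the permission the policy lacks; fall back
            // to the requested one if the exception carries none.
            return e.getPermission() != null ? e.getPermission() : wanted;
        }
    }

    // Builds the narrowest grant stanza for one permission, scoped to the
    // application code base rather than to all code on the server.
    public static String grantLine(Permission p) {
        return "grant codeBase \"file:${application}\" {\n"
             + "  permission " + p.getClass().getName()
             + " \"" + p.getName() + "\", \"" + p.getActions() + "\";\n"
             + "};";
    }

    public static void main(String[] args) {
        // Constructed sample: a component that wants to read a config file
        Permission wanted = new FilePermission("/tmp/app.conf", "read");
        Permission missing = missingPermission(wanted);
        if (missing == null) {
            System.out.println("Permission granted, or Java 2 security is not enforced.");
        } else {
            System.out.println("Missing permission: " + missing);
            System.out.println("Candidate was.policy entry:\n" + grantLine(missing));
        }
    }
}
```

Run it with a security manager and a restrictive policy (for example, java -Djava.security.manager Java2SecurityProbe) to see the missing permission reported; without -Djava.security.manager the probe reports that Java 2 security is not enforced. Grant only the specific permission and actions the exception names, scoped to the application, rather than widening the policy with java.security.AllPermission.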

Results

Configuration is successful when error messages do not display at the top of the panel.

What to do next

You can disable global security.


Last updated: Aug 29, 2010 9:31:45 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-mp&topic=tsecenablglobl
File name: tsec_enablglobl.html