Before you can enable global security for WebSphere Application Server,
you must activate an authentication mechanism. You do this from the administrative
console, and you then use the same console for the remaining tasks that
enable global security.
Before you begin
Before you can enable global security for
WebSphere Application Server, you must select both an authentication mechanism
and a user registry.
About this task
Start the administrative console by opening the following URL in a browser:
http://server_hostname:port_number/ibm/console
Perform the following steps to enable global security.
Procedure
- Click Security > Global security.
- Select the Enable global security option.
Global security is disabled by default.
- Optional: Select the Enforce
Java 2 Security option to enable Java 2 Security permission checking.
By default, Java 2 security is disabled. However, when you enable global
security, Java 2 security is automatically enabled as well. You can choose to disable
Java 2 security, even when global security is enabled.
When Java 2 Security
is enabled and an application requires more Java 2 security permissions
than are granted in the default policy, the application might fail to
run properly until the required permissions are granted in either the
app.policy file
or the
was.policy file of the application. Applications that do not have all the
required permissions generate AccessControlException errors.
Review the Java 2 Security and Dynamic Policy documentation if you are unfamiliar
with Java 2 security.
Note: Updates to the app.policy file apply only
to the enterprise applications on the node to which the app.policy file
belongs.
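The following script is an added illustration of the Java 2 security behaviour described above; it is not code from the WebSphere documentation or product. It parses a constructed was.policy grant block, matches AccessControlException lines from a constructed log against it, and produces the permission line to add to was.policy for any request the policy does not cover. The codeBase form file:${application} is the documented was.policy syntax; the host names, log lines and permissions are made up, and the implies() logic is a deliberate simplification (exact class, exact target or "*", actions as a subset) of the real java.security.Permission semantics.

```python
"""Match AccessControlException messages against a was.policy grant block.

Added example, not from the WebSphere documentation. The policy text and
the log lines are constructed for illustration.
"""
import re

# Constructed was.policy fragment: grants every component of the
# application (codeBase file:${application}) two permissions.
WAS_POLICY = r'''
grant codeBase "file:${application}" {
  permission java.net.SocketPermission "ldap.example.com:636", "connect,resolve";
  permission java.util.PropertyPermission "java.io.tmpdir", "read";
};
'''

# Constructed log lines; the two exception lines use the two message
# styles the JDK has produced over time (unquoted and quoted fields).
SAMPLE_LOG = [
    '[10/1/07 9:12:03:455 EDT] 0000001c SystemOut O starting lookup',
    'java.security.AccessControlException: access denied '
    '(java.net.SocketPermission ldap.example.com:636 connect,resolve)',
    'java.security.AccessControlException: access denied '
    '("java.io.FilePermission" "/etc/passwd" "read")',
]

GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.DOTALL)
PERM_RE = re.compile(r'permission\s+([\w.]+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')
DENIED_RE = re.compile(
    r'access denied \(\s*"?([\w.]+)"?\s+"?([^")\s]+)"?(?:\s+"?([^")\s]+)"?)?\s*\)')


def split_actions(actions):
    """'connect,resolve' -> frozenset({'connect', 'resolve'}); '' -> empty set."""
    return frozenset(a.strip() for a in actions.split(',') if a.strip())


def parse_policy(text):
    """Return (codebase, permission_class, target, actions) for every grant line."""
    grants = []
    for codebase, body in GRANT_RE.findall(text):
        for cls, target, actions in PERM_RE.findall(body):
            grants.append((codebase, cls, target, split_actions(actions)))
    return grants


def parse_denial(line):
    """Extract (permission_class, target, actions) from an exception line, or None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    cls, target, actions = m.groups()
    return cls, target, split_actions(actions or '')


def is_granted(grants, denial):
    """Simplified implies(): same class, same target (or '*'), actions covered."""
    cls, target, actions = denial
    for _codebase, g_cls, g_target, g_actions in grants:
        if g_cls == cls and g_target in (target, '*') and actions <= g_actions:
            return True
    return False


def suggested_grant(denial):
    """The permission line to add inside the application's grant block."""
    cls, target, actions = denial
    if actions:
        return f'permission {cls} "{target}", "{",".join(sorted(actions))}";'
    return f'permission {cls} "{target}";'


def check_lines(policy_text, lines):
    """For each exception line: (granted?, suggested grant or None). Other lines are skipped."""
    grants = parse_policy(policy_text)
    results = []
    for line in lines:
        denial = parse_denial(line)
        if denial is None:
            continue
        granted = is_granted(grants, denial)
        results.append((granted, None if granted else suggested_grant(denial)))
    return results


if __name__ == '__main__':
    for granted, suggestion in check_lines(WAS_POLICY, SAMPLE_LOG):
        print('covered by policy' if granted else f'add to was.policy: {suggestion}')
```

Because app.policy updates apply only to the node that owns the file, a grant that belongs to a single application is better placed in that application's was.policy, which the script's suggestion is written for.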
- Select the Enforce fine-grained JCA security option
if you need to restrict application access to sensitive Java Connector Architecture
(JCA) mapping authentication data.
For detailed information,
see Global security settings.
- Select the Use domain-qualified user
IDs option if you want user names to include
their fully qualified domain attribute when they are retrieved programmatically.
- Enter the security cache timeout, in seconds, in the Cache timeout field.
When the timeout is reached, the application server clears the security cache and
rebuilds the security data. Because rebuilding affects performance, do not set this
value too low. The default is 600 seconds.
- Select the Issue permission warning option.
The filter.policy file contains a list of permissions that
an application should not have according to the J2EE 1.3 Specification. If
an application is installed with a permission specified in this policy file
and this option is enabled, a warning is issued. The default is enabled.
- From the Active Protocol menu, select the authentication protocol
that is active for RMI/IIOP requests when security is enabled.
WebSphere Application Server includes the Object Management Group
(OMG) protocol called CSIv2, which supports increased vendor interoperability
and additional features. If all servers in your entire security domain are
Version 5 (and above) servers, it is best to specify CSIv2 as your protocol.
The default is both CSIv2 and z/SAS.
Important: z/SAS is supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.
- From the Active Authentication Mechanism menu, select the authentication
mechanism that is active when security is enabled. In WebSphere Application
Server Version 6, Simple WebSphere Authentication Mechanism (SWAM) and Lightweight
Third Party Authentication (LTPA) are the supported authentication mechanisms.
Only LTPA is configurable on WebSphere Application Server Network Deployment;
SWAM is not available there.
- Use the Active user registry menu to specify
the user registry that is active when security is enabled.
The default user registry is local OS. You configure the settings for each
supported user registry under the User registries section of this administrative
console panel.
- Optional: Select the Use the
Federal Information Processing Standard (FIPS) option if you are using
a FIPS-certified JSSE. WebSphere Application Server Version 6 and
later supports a channel framework that uses IBMJSSE2. IBMJSSE2 uses IBMJCEFIPS
for cryptographic support when you enable the Use the Federal Information
Processing Standard (FIPS) option.
- Click OK or Apply.
This panel performs a final validation of the security configuration:
the security validation routine runs and any problems are reported at the top
of the page. After the settings are accepted, click Save (at
the top of the panel) to persist them to the configuration files. Messages
in red text indicate a problem with the security validation; the message
usually identifies it. Verify that the user registry settings are accurate
and that the correct registry is selected. In some cases, the LTPA configuration
might not be fully specified.
For detailed information,
see Global security settings.
- Optional: Configure for SAF authorization.
For more information on these settings, see z/OS System Authorization Facility authorization.
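The script below is an added check for the whole procedure above, not code from the WebSphere documentation or product. After Save has persisted the settings, the values land in the cell's security.xml; the script audits a copy of that file for the options the steps above set (global security enabled, Java 2 security enforced, permission warnings on, cache timeout at or above the 600 second default, CSIv2-only protocol, LTPA rather than SWAM active). The two XML documents are constructed stand-ins for security.xml, and the attribute names (enabled, enforceJava2Security, issuePermissionWarning, cacheTimeout, activeProtocol, activeAuthMechanism), the authMechanisms element with its xmi:type values, the namespace URI and the value BOTH for activeProtocol are assumptions about that file's layout; verify them against a real security.xml before relying on the output.

```python
"""Audit a WebSphere security.xml against the global security procedure.

Added example, not from the WebSphere documentation. Both XML documents
are constructed, trimmed stand-ins for security.xml; attribute and
element names are assumptions about the real file's layout.
"""
import xml.etree.ElementTree as ET

XMI = 'http://www.omg.org/XMI'
XMI_ID = '{%s}id' % XMI
XMI_TYPE = '{%s}type' % XMI
DEFAULT_CACHE_TIMEOUT = 600  # seconds; the Cache timeout default quoted above

# Constructed: every option left at its weakest value.
WEAK_SECURITY_XML = '''
<security:Security xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    enabled="false" enforceJava2Security="false" issuePermissionWarning="false"
    cacheTimeout="30" activeProtocol="BOTH" activeAuthMechanism="SWAM_1">
  <authMechanisms xmi:type="security:SWAMAuthentication" xmi:id="SWAM_1"/>
  <authMechanisms xmi:type="security:LTPA" xmi:id="LTPA_1" timeout="120"/>
</security:Security>
'''

# Constructed: the same cell after the procedure above has been completed.
HARDENED_SECURITY_XML = '''
<security:Security xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    enabled="true" enforceJava2Security="true" issuePermissionWarning="true"
    cacheTimeout="600" activeProtocol="CSI" activeAuthMechanism="LTPA_1">
  <authMechanisms xmi:type="security:SWAMAuthentication" xmi:id="SWAM_1"/>
  <authMechanisms xmi:type="security:LTPA" xmi:id="LTPA_1" timeout="120"/>
</security:Security>
'''


def active_auth_mechanism_type(root):
    """Resolve activeAuthMechanism to the xmi:type of the element it references."""
    ref = root.get('activeAuthMechanism')
    for mech in root.findall('authMechanisms'):
        if mech.get(XMI_ID) == ref:
            return mech.get(XMI_TYPE)
    return None


def audit(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text.strip())
    a = root.attrib
    findings = []
    if a.get('enabled') != 'true':
        findings.append('global security is disabled')
    if a.get('enforceJava2Security') != 'true':
        findings.append('Java 2 security is not enforced')
    if a.get('issuePermissionWarning') != 'true':
        findings.append('filter.policy permission warnings are disabled')
    timeout = int(a.get('cacheTimeout', '0'))
    if timeout < DEFAULT_CACHE_TIMEOUT:
        findings.append(f'cacheTimeout {timeout} s is below the {DEFAULT_CACHE_TIMEOUT} s default')
    if a.get('activeProtocol') == 'BOTH':
        findings.append('z/SAS is still active alongside CSIv2')
    mech = active_auth_mechanism_type(root)
    if mech is None:
        findings.append('activeAuthMechanism does not reference a configured mechanism')
    elif mech.endswith('SWAMAuthentication'):
        findings.append('SWAM is active; only LTPA is configurable on Network Deployment')
    return findings


if __name__ == '__main__':
    for name, text in (('weak', WEAK_SECURITY_XML), ('hardened', HARDENED_SECURITY_XML)):
        print(name, audit(text) or ['ok'])
```

The z/SAS check only fires when both protocols are active, which matches the guidance above that CSIv2 alone is preferable once every server in the security domain is Version 5 or later; a cell that still federates older servers will legitimately report that finding.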
Results
Configuration is successful when error messages do not display at
the top of the panel.
What to do next
You can disable global security.