Enabling security for all application servers

After determining the security components that fit your needs, use these steps to configure global security in WebSphere Application Server.

Before you begin

It is helpful to understand security from an infrastructure perspective so that you know the advantages of different authentication mechanisms, user registries, authentication protocols, and so on. Picking the right security components to meet your needs is a part of configuring global security. The following sections help you make these decisions. Read the following articles before continuing with the security configuration. After you understand the security components, you can proceed to configure global security in WebSphere Application Server.
Attention: There are some security customization tasks that are required to enable security. There tasks require updates to the security server such as Resource Access Control Facility (RACF). You might need to include your security administrator in this process.

Procedure

  1. Start the WebSphere Application Server administrative console by typing http://yourhost.domain:port_number/ibm/console after the WebSphere Application Server deployment manager has been started. If security is currently disabled, log in with any user ID. If security is currently enabled, log in with a predefined administrative user ID and password.
  2. Click Security on the navigation menu. Configure the authentication mechanism, user registry, and so on. The configuration order is not important. However, select the Enable global security option in the Global Security panel after you complete all of these tasks. When you first click Apply or OK and the Enable global security option is set, a verification occurs to see if the administrative user ID and password can be authenticated to the configured user registry. If the user registry is not configured, the validation fails.
  3. Configure a user registry. For more information, see Selecting a user registry. Configure a Local OS, Lightweight Directory Access Protocol (LDAP), or custom user registry and then specify the details about that registry. One of these details common to all user registries is the user ID that is used for the server. This ID is a member of the chosen user registry, but also has special privileges in WebSphere Application Server. The privileges for this ID and the privileges that are associated with the administrative role ID are the same. The user ID that is used for the server can access all protected administrative methods. When you use the Local OS user registry on WebSphere Application Server for z/OS, the user ID for the server is not set using the administrative console, but is set through the STARTED class in the z/OS operating system.
  4. Configure the authentication mechanism. You can choose either Lightweight Third Party Authentication (LTPA), Integrated Cryptographic Services Facility (ICSF), or Simple WebSphere Authentication Mechanism (SWAM). To get details about configuring LTPA, refer to Configuring the Lightweight Third Party Authentication mechanism. To get details about configuring ICSF, refer to Configuring ICSF as the authentication mechanism. LTPA and ICSF credentials are forwardable to other machines and, for security reasons, these credentials do expire. This expiration time is configurable.

    Refer to Implementing single sign-on to minimize Web user authentications if you want single sign-on (SSO) support, which provides the ability for browsers to visit different product servers without having to authenticate multiple times. For form-based login, you must configure SSO when using LTPA or ICSF .

  5. Configure the authentication protocol for special security requirements for Remote Method Invocation over the Internet Inter-ORB Protocol (RMI/IIOP) method invocations from Java clients or from server to server. Choose the Common Secure Interoperability Version 2 (CSIv2) or Secure Authentication Service (SAS) protocol or the z/OS Secure Authentication Service (z/SAS) protocol on the z/OS platform.
    The SAS and z/SAS protocols still provide backward compatibility to previous product releases. For details on configuring CSIv2, SAS, or z/SAS protocols, refer to Configuring Common Secure Interoperability Version 2 (CSIV2) and Security Authentication Service (SAS).
    Attention: In future releases, IBM will no longer ship or support the z/OS Secure Authentication Service (z/SAS) IIOP security protocol. Use the Common Secure Interoperability version 2 (CSIv2) protocol instead. CSIv2 will interoperate with previous versions of WebSphere except for the Version 4 Client.
  6. Verify the Secure Sockets Layer (SSL) repertoires for WebSphere Application Server to use. The sample customization jobs that are generated by the WebSphere Application Server for z/OS customization dialogs generate sample jobs to create SSL key rings that are usable if RACF is your security server. These jobs create a unique RACF certificate authority certificate for your installation with a set of server certificates signed by this certificate authority. The Application Server controller-started task ID has a SAF key ring that includes these certificates. Similarly in a Network Deployment environment, RACF key rings that are owned by the deployment manager user ID and the node agent user IDs are created.

    A RACF key ring is uniquely identified by both the key ring name in the repertoire and the MVS user ID of the server controller process. If different WebSphere Application Server controller processes have unique MVS user IDs, you must be sure that a RACF key ring and a private key are generated, even if they share the same repertoire.

    Two kinds of configurable SSL repertoires exist:
    • The System SSL repertoire is used for HTTPS and Internet InterORB Protocol (IIOP) communication, and are used by the native transports. If you want to use the administrative console after security is enabled you must define and select a System SSL type repertoire for HTTP. You must define a System SSL repertoire and select if IIOP security requires or supports SSL transport, or if a secure Remote Method Invocation (RMI) connector is selected for administrative requests.
    • The Java Secure Socket Extension (JSSE) repertoire is for Java-based SSL communications.

    Users must configure a System SSL repertoire to use HTTP or IIOP protocols and a Java Management Extensions (JMX) connector must be configured to use SSL. If the SOAP HTTP connector is chosen, a JSSE repertoire must be selected for the administrative subsystem.

    A set of SSL repertoires are set up by the z/OS installation dialogs. These dialogs are configured to refer to SAF key rings and to files that are populated by the customization process, when generating RACF commands.
    Repertoire name Type Default use
    DefaultSSLSettings JSSE SOAP JMX connector, SOAP client
    DefaultHTTPS SSSL Web container HTTP transport
    DefaultIIOPSSL SSSL z/SAS and CSIV2
    RACFJSSESettings SSSL None
    RACFJSSESettings JSSE None

    No additional action is required if these settings are sufficient for your needs. If you want to create or modify these settings, you must ensure that the keystore files to which they refer are created.

    If you do create a new alias for your new keystore and truststore files, change every location that references the SSL configuration alias. The following list provides these locations:
    • Security > Global security. Under Authentication, click Authentication protocol > CSIv2 inbound transport.
    • Security > Global security. Under Authentication, click Authentication protocol > CSIv2 outbound transport.
    • Security > Global security. Under Authentication, click Authentication protocol > zSAS authentication.
    • Servers > Application servers > server_name. Under Web container settings, click Web Container. Under Additional properties, click HTTP transports > host_name.
    • Servers > Application servers > server_name. Under Security, click Server security. Under Additional properties, click CSIv2 inbound transport.
    • Servers > Application servers > server_name. Under Security, click Server security. Under Additional properties, click CSIv2 outbound transport.
    • Servers > Application servers > server_name. Under Security, click Server security. Under Additional properties, click z/SAS authentication. Select the appropriate SSL configuration from the SSL settings menu.
  7. Click Security > Global security to configure the rest of the security settings and to enable security.

    This panel performs a final validation of the security configuration. When you click OK or Apply from this panel, the security validation routine is performed and any problems are reported at the top of the page. When you complete all of the fields, click OK or Apply to accept the selected settings. Click Save, at the top of the panel, to persist these settings out to a file.

    If you see any informational messages in red text, a problem exists with the security validation. Typically, the message indicates the problem. Review your configuration to verify that the user registry settings are accurate and that the correct user registry is selected. In some cases, the Lightweight Third Party Authentication (LTPA) configuration might not be fully specified. See Server and global security for detailed information.

    Enable global security
    This option enables or disables global security. See Server and global security to learn more about global security. When enabled, security for the entire product domain is enabled. You can change some security attributes at a server-specific level.
    Enforce Java 2 Security
    This option enables or disables Java 2 security access control. See Protecting system resources and APIs (Java 2 security) for details on Java 2 security in WebSphere Application Server.
    Use Domain Qualified User IDs
    This option determines if user IDs that are returned by the J2EE APIs such as getUserPrincipal and getCallerPrincipal are qualified within the security domain in which they reside.
    Cache Timeout
    The field is the timeout value of the WebSphere Application Server authentication and validation cache. This value is used to determine when to flush a credential from the cache. Any time that the credential is reused, the cache timeout for that credential is reset to this value. Currently, no way is available to flush the cache or purge specific users from the cache.
    Issue Permission Warning
    When you enable this option, a warning is issued during application installation if an application requires a Java 2 security permission that normally is not granted to an application. WebSphere Application Server provides support for policy file management. A number of policy files exist in WebSphere Application Server; some of the policy files are static and some of them are dynamic. Dynamic policy is a template of permissions for a particular type of resource.

    No code base is defined and no related code base is used in the dynamic policy template. The real code base is dynamically created from the configuration and run-time data. The filter.policy file contains a list of permissions that an application does not have according to the J2EE 1.3 specification. For more information on permissions, see Java 2 security policy files.

    Active Protocol
    This selection is the active authentication protocol for the Object Request Broker (ORB). RMI/IIOP requests use this protocol to gather security information in a format that both the client and the server understand. In step 5, you might have already configured one or both of these authentication protocols. Select BOTH, if you need to communicate with versions of WebSphere Application Server prior to Version 5. Select CSI, if you need to communicate with WebSphere Application Server Version 5.x or Version 6.0.x servers only.
    Active Authentication Mechanism
    This selection determines which authentication mechanism WebSphere Application Server for z/OS uses. WebSphere Application Server for z/OS Version 6.0.x supports the following authentication mechanisms: Simple WebSphere Authentication Mechanism (SWAM) or Lightweight Third Party Authentication (LTPA), which is the preferred.
    Active User Registry
    This option indicates the user registry that you chose in step 3. The Selecting a user registry article provides the necessary steps to configure the user registry.
    Use the Federal Information Processing Standard (FIPS)
    This option enables the FIPS-compliant Java cryptography engine.
  8. Save the configuration for the deployment manager to use after WebSphere Application Server is restarted, if you have selected OK or Apply on the Security > Global security panel, and no validation problems occurred.



In this information ...


IBM Redbooks, demos, education, and more

(Index)

Use IBM Suggests to retrieve related content from ibm.com and beyond, identified for your convenience.

This feature requires Internet access.

Task topic    

Terms of Use | Feedback

Last updated: Sep 20, 2010 10:03:57 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-zos&topic=tseccsec
File name: tsec_csec.html