Global security settings

Use this page to configure security. When you enable security, you are enabling security settings on a global level.

To view this administrative console page, click Security > Global security.

If you are configuring security for the first time, complete the steps in "Custom registry class name" to avoid problems. When security is configured, validate any changes to the user registry or authentication mechanism panels. Click Apply to validate the user registry settings. An attempt is made to authenticate the server ID to the configured user registry. Validating the user registry settings after enabling global security can avoid problems when you restart the server for the first time.

Configuration tab

Enable global security

Specifies whether to enable global security for this WebSphere Application Server domain.

This flag is commonly referred to as the global security flag in WebSphere Application Server information. When enabling security, set the authentication mechanism configuration and specify a valid user ID and password in the selected user registry configuration.

If you have problems such as the server not starting after enabling security within the security domain, resynchronize all of the files from the cell to this node. To resynchronize files, run the following command from the node: syncNode -username your_userid -password your_password. This command connects to the deployment manager and resynchronizes all of the files.

If your server does not restart after you enable global security, you can disable security. Go to your $install_root/bin directory and run the wsadmin -conntype NONE command. At the wsadmin> prompt, enter securityoff and then type exit to return to a command prompt. Restart the server with security disabled to check any incorrect settings through the administrative console.

Local OS user registry users: When you select Local OS as the active user registry, you do not need to supply a password in the user registry configuration.

Default: Disabled

Enforce Java 2 security

Specifies whether to enable or disable Java 2 security permission checking. By default, Java 2 security is disabled. However, enabling global security automatically enables Java 2 security. You can choose to disable Java 2 security, even when global security is enabled.

When the Enforce Java 2 security option is enabled and if an application requires more Java 2 security permissions than are granted in the default policy, then the application might fail to run properly until the required permissions are granted in either the app.policy file or the was.policy file of the application. AccessControl exceptions are generated by applications that do not have all the required permissions. Consult the WebSphere Application Server documentation and review the Java 2 security and dynamic policy sections if you are unfamiliar with Java 2 security.

Default: Disabled

Enforce fine-grained JCA security

Enable this option to restrict application access to sensitive Java Connector Architecture (JCA) mapping authentication data.

Consider enabling this option when both of the following conditions are true:
  • Java 2 security is enforced.
  • The application code is granted the accessRuntimeClasses WebSphereRuntimePermission permission in the was.policy file found within the application enterprise archive (EAR) file. For example, the application code is granted the permission when the following line is found in your was.policy file:

    permission com.ibm.websphere.security.WebSphereRuntimePermission "accessRuntimeClasses";

The Enforce fine-grained JCA security option adds fine-grained Java 2 security permission checking to the default principal mapping of the WSPrincipalMappingLoginModule implementation. You must grant explicit permission to Java 2 Platform, Enterprise Edition (J2EE) applications that use the WSPrincipalMappingLoginModule implementation directly in the Java Authentication and Authorization Service (JAAS) login when Enable Java 2 security and the Enforce fine-grained JCA security options are enabled.

Default: Disabled

Use domain-qualified user IDs

Specifies that user names that are returned by methods are qualified with the security domain in which they reside.

This field enables or disables qualifying user names with the security domain ID.

Default: Disabled

Cache timeout

Specifies the timeout value in seconds for security cache.

If WebSphere Application Server security is enabled, the security cache timeout can influence performance. The timeout setting specifies how often to refresh the security-related caches. When the cache timeout expires, all cached information loses its validity.

The default security cache timeout value is 10 minutes (600 seconds). If you have a small number of users, set the value higher than the default; if you have a large number of users, set it lower.

The LTPA timeout value should not be set lower than the security cache timeout. It is also recommended that the LTPA timeout value be set higher than the ORB request timeout value. There is, however, no relation between the security cache timeout value and the ORB request timeout value.

Data type: Integer
Units: Seconds
Default: 600
Range: Greater than 30 seconds
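The timeout relationships stated above are easy to get wrong across three different panels, so the following is an added checker (not code from the WebSphere documentation or product) that applies this page's rules to a set of values: the security cache timeout must be greater than 30 seconds, the LTPA timeout must not be lower than the security cache timeout, and the LTPA timeout should be higher than the ORB request timeout. It assumes all three values are supplied in seconds (the LTPA timeout is entered in minutes on its own panel, so convert before calling); the function name, the dictionary keys and the sample settings are constructed for the example.

```python
# Added example, not code from the WebSphere documentation or product.
# Applies the timeout relationships this page states:
#   - the security cache timeout must be greater than 30 seconds (default 600),
#   - the LTPA timeout must not be lower than the security cache timeout,
#   - the LTPA timeout should be higher than the ORB request timeout.
# Assumption: all three values are passed in seconds. Function and key names are my own.

CACHE_TIMEOUT_MIN_SECONDS = 30        # page: "Range: Greater than 30 seconds"
CACHE_TIMEOUT_DEFAULT_SECONDS = 600   # page: "Default: 600"


def check_security_timeouts(cache_timeout, ltpa_timeout, orb_request_timeout):
    """Return a list of findings; an empty list means the values follow this page's guidance."""
    findings = []
    if cache_timeout <= CACHE_TIMEOUT_MIN_SECONDS:
        findings.append(
            "security cache timeout %ds is not greater than %ds"
            % (cache_timeout, CACHE_TIMEOUT_MIN_SECONDS)
        )
    if ltpa_timeout < cache_timeout:
        findings.append(
            "LTPA timeout %ds is lower than the security cache timeout %ds"
            % (ltpa_timeout, cache_timeout)
        )
    if ltpa_timeout <= orb_request_timeout:
        findings.append(
            "LTPA timeout %ds is not higher than the ORB request timeout %ds"
            % (ltpa_timeout, orb_request_timeout)
        )
    return findings


# Constructed sample settings (seconds): a weak configuration beside a corrected one.
WEAK_SETTINGS = {"cache_timeout": 30, "ltpa_timeout": 600, "orb_request_timeout": 900}
CORRECTED_SETTINGS = {
    "cache_timeout": CACHE_TIMEOUT_DEFAULT_SECONDS,
    "ltpa_timeout": 120 * 60,
    "orb_request_timeout": 180,
}

if __name__ == "__main__":
    for label, settings in (("weak", WEAK_SETTINGS), ("corrected", CORRECTED_SETTINGS)):
        result = check_security_timeouts(**settings)
        print("%s -> %s" % (label, result or "ok"))
```

The weak sample trips two rules (a cache timeout of exactly 30 seconds is not greater than 30, and an LTPA timeout shorter than the ORB request timeout); the corrected sample passes all three.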

Issue permission warning

Specifies that during application deployment and application start, the security runtime issues a warning if applications are granted any custom permissions. Custom permissions are permissions that are defined by the user applications, not Java API permissions. Java API permissions are permissions in the java.* and javax.* packages.

WebSphere Application Server provides support for policy file management. A number of policy files are available in this product, some of them are static and some of them are dynamic. Dynamic policy is a template of permissions for a particular type of resource. No code base is defined and no relative code base is used in the dynamic policy template. The real code base is dynamically created from the configuration and run-time data. The filter.policy file contains a list of permissions that you do not want an application to have according to the J2EE 1.3 specification.

Default: Disabled

Active protocol

Specifies the active authentication protocol for Remote Method Invocation over the Internet Inter-ORB Protocol (RMI IIOP) requests, when security is enabled.

Prior to Version 5.x, the z/OS Security Authentication Service (z/SAS) protocol on z/OS was the only available protocol.

An Object Management Group (OMG) protocol called Common Secure Interoperability Version 2 (CSIv2) supports increased vendor interoperability and additional features. If all of the servers in your security domain are Version 5.x and later servers, specify CSI as your protocol.

If some servers are Version 4.x servers, specify CSI and zSAS.

Default: BOTH
Range: CSI and zSAS, CSI

Active authentication mechanism

Specifies the active authentication mechanism when security is enabled.

The active authentication mechanism is not configurable. Also, this version of the product only supports Lightweight Third Party Authentication (LTPA).

WebSphere Application Server for z/OS, Version 5.x and later supports the following authentication mechanisms: Simple WebSphere Authentication Mechanism (SWAM), Lightweight Third Party Authentication (LTPA), and Integrated Cryptographic Services Facility (ICSF). Only ICSF and LTPA are configurable on WebSphere Application Server for z/OS, Version 5.x and later. SWAM is not configurable.

Default: SWAM
Range: SWAM, LTPA, ICSF

Active User Registry

Specifies the active user registry when security is enabled.

You can configure settings for one of the following user registries:
  • Local OS

    Specify this setting if you want your configured Resource Access Control Facility (RACF) or Security Authorization Facility (SAF)-compliant security server used as the WebSphere Application Server user registry.

  • LDAP user registry

    The LDAP user registry settings are utilized when users and groups reside in an external LDAP directory. When security is enabled and any of these properties change, go to the Global Security panel and click Apply or OK to validate the changes.

  • Custom user registry

Default: Local OS (single, stand-alone server or sysplex and root administrator only)
Range: Local OS (single, stand-alone server or sysplex and root administrator only), LDAP user registry, Custom user registry

Use the Federal Information Processing Standard (FIPS)

Enables the Federal Information Processing Standard (FIPS)-compliant Java cryptography engine.

When you select the Use the Federal Information Processing Standard (FIPS) option, the Lightweight Third Party Authentication (LTPA) implementation uses IBMJCEFIPS. IBMJCEFIPS supports the Federal Information Processing Standard (FIPS)-approved cryptographic algorithms for Data Encryption Standard (DES), Triple DES, and Advanced Encryption Standard (AES). Although the LTPA keys are backwards compatible with prior releases of WebSphere Application Server, the LTPA token is not compatible with prior releases. In prior releases, WebSphere Application Server did not generate the LTPA token using a FIPS-approved algorithm.

WebSphere Application Server provides a FIPS-approved Java Secure Socket Extension (JSSE) provider called IBMJSSEFIPS. A FIPS-approved JSSE requires the Transport Layer Security (TLS) protocol because it is not compatible with the Secure Sockets Layer (SSL) protocol.

Default: Disabled

Custom Properties - Session Control

For an existing configuration, you can add or modify the following custom properties to control how caller lists are processed so as to ensure that multiple session entries are not created. Go into the administrative console and click Security > Global security. Under Additional Properties, click Custom properties.
  • com.ibm.CSI.propogateFirstCallerOnly
    This property does not allow the caller list to change and thus prevents the creation of multiple session entries. This property specifically limits the caller list to the first caller only.
    Note: If this property is set to true as well as com.ibm.CSI.disablePropogationCallerList, then com.ibm.CSI.disablePropogationCallerList takes precedence.
    Default: false
  • com.ibm.CSI.disablePropogationCallerList
    This property completely disables the caller list, and does not allow the caller list to change. This property prevents the creation of multiple sessions.
    Note: If this property is set to true as well as com.ibm.CSI.propogateFirstCallerOnly, then com.ibm.CSI.disablePropogationCallerList takes precedence.
    Default: false

Custom Properties - Forwarding the LTPAToken

In this release, the actual LTPA token data is not available from a WSCredential.getCredentialToken() call when called from an asynchronous bean. For an existing configuration, you can add the custom property com.ibm.ws.security.createTokenSubjectForAsynchLogin to allow the LTPAToken to be forwarded to asynchronous beans.

Using the administrative console, create this custom property as follows:
  1. Click Security > Secure administration, applications, and infrastructure.
  2. Under Additional property, click Custom properties.
  3. Click New.
  4. In the Name field, type com.ibm.ws.security.createTokenSubjectForAsynchLogin
    Important: This custom property name is case sensitive.
  5. In the Value field, type true
  6. Click Apply and Save, then restart the WebSphere Application Server.
Note: This custom property applies only to system conditions where Server A makes EJB calls from asynchronous beans to Server B. This property does not apply for JAAS login situations.
Default: Not applicable

Custom Properties

For an existing configuration, you must modify a number of profiles. To modify the profiles, go into the administrative console and click Security > Global security. Under Additional Properties, click Custom properties.

You can modify the following domain-related global security custom properties:
  • The security.zOS.domainType property specifies whether a security domain is used to qualify security definitions. In WebSphere Application Server for z/OS, the value can be none, which indicates that System Authorization Facility (SAF) security definitions are of the global sysplex scope, or cellQualified, which indicates that the WebSphere Application Server runtime uses the domain name that is specified in the security.zOS.domainName property to qualify SAF security definitions. If the property is not defined, or a value is not set, none is assumed. For example: "security.zOS.domainType" value="cellQualified".
  • The security.zOS.domainName property is specified if "security.zOS.domainType" value="cellQualified". The value for security.zOS.domainName must be an upper case string from 1 to 8 characters in length, which is used to qualify the SAF profiles that are checked for authorization for the server. If a value is specified here and cellQualified is selected, the name is also used to identify the application name used in the APPL and PassTicket profiles. If a value for security.zOS.domainName is not specified, the default value is CBS390. For example: "security.zOS.domainName" value="TESTSYS".
The following profiles are affected by this definition:
  • EJBROLE (if SAF authorization)
  • CBIND
  • APPL
The customization dialog sets up appropriate SAF profiles during customization if the security domain is defined there. Changing the value of domainType or domainName requires the customer to make corresponding changes in their SAF profile setup; otherwise, runtime errors occur. Refer to Summary of controls for more information on the specific profile updates required for security domainName related customization and the security domain customization panels.
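Two of the custom-property groups on this page carry rules that are worth checking before a save: the session-control pair (com.ibm.CSI.propogateFirstCallerOnly and com.ibm.CSI.disablePropogationCallerList, where the second takes precedence when both are true) and the z/OS domain pair (security.zOS.domainType of none or cellQualified, and a 1 to 8 character upper case security.zOS.domainName defaulting to CBS390). The following is an added example, not code from the WebSphere documentation or product, that resolves both from a plain name/value mapping such as you would read back from the Custom properties panel. The function names are my own; the check that a domain name is alphanumeric is an assumption beyond the page's "upper case string" wording.

```python
# Added example, not code from the WebSphere documentation or product.
# Resolves the effective behaviour of the session-control and z/OS domain
# custom properties described on this page. Function names are my own.

PROP_FIRST_CALLER_ONLY = "com.ibm.CSI.propogateFirstCallerOnly"
PROP_DISABLE_CALLER_LIST = "com.ibm.CSI.disablePropogationCallerList"
PROP_DOMAIN_TYPE = "security.zOS.domainType"
PROP_DOMAIN_NAME = "security.zOS.domainName"
DEFAULT_DOMAIN_NAME = "CBS390"          # page: default when domainName is not specified
VALID_DOMAIN_TYPES = ("none", "cellQualified")


def _is_true(props, name):
    """Custom property values are strings; both properties default to false."""
    return str(props.get(name, "false")).strip().lower() == "true"


def caller_list_mode(props):
    """Effective caller-list handling.

    'disabled'          - disablePropogationCallerList is true (takes precedence)
    'first-caller-only' - only propogateFirstCallerOnly is true
    'full'              - neither property is set to true
    """
    if _is_true(props, PROP_DISABLE_CALLER_LIST):
        return "disabled"
    if _is_true(props, PROP_FIRST_CALLER_ONLY):
        return "first-caller-only"
    return "full"


def resolve_zos_domain(props):
    """Return (domain_type, qualifying_name_or_None, findings) for the z/OS domain properties."""
    findings = []
    domain_type = props.get(PROP_DOMAIN_TYPE) or "none"   # page: undefined or empty means none
    if domain_type not in VALID_DOMAIN_TYPES:
        findings.append("%s must be one of %s, got %r"
                        % (PROP_DOMAIN_TYPE, VALID_DOMAIN_TYPES, domain_type))
        return domain_type, None, findings
    if domain_type == "none":
        if props.get(PROP_DOMAIN_NAME):
            findings.append("%s is set while %s is none; it qualifies SAF profiles only "
                            "when domainType is cellQualified"
                            % (PROP_DOMAIN_NAME, PROP_DOMAIN_TYPE))
        return "none", None, findings
    name = props.get(PROP_DOMAIN_NAME) or DEFAULT_DOMAIN_NAME
    # Page: upper case, 1 to 8 characters. Alphanumeric is my assumption.
    if not (1 <= len(name) <= 8 and name == name.upper() and name.isalnum()):
        findings.append("%s %r must be an upper case string of 1 to 8 characters"
                        % (PROP_DOMAIN_NAME, name))
    return "cellQualified", name, findings


def affected_profiles(saf_authorization):
    """SAF profiles qualified by the domain name, per this page (EJBROLE only with SAF authorization)."""
    profiles = ["CBIND", "APPL"]
    if saf_authorization:
        profiles.insert(0, "EJBROLE")
    return profiles


# Constructed sample: the property map of a cell with both session-control
# properties set and a cell-qualified domain name.
SAMPLE_PROPS = {
    PROP_FIRST_CALLER_ONLY: "true",
    PROP_DISABLE_CALLER_LIST: "true",
    PROP_DOMAIN_TYPE: "cellQualified",
    PROP_DOMAIN_NAME: "TESTSYS",
}

if __name__ == "__main__":
    print("caller list:", caller_list_mode(SAMPLE_PROPS))
    domain_type, name, findings = resolve_zos_domain(SAMPLE_PROPS)
    print("domain:", domain_type, name, findings or "ok")
    print("profiles to update:", affected_profiles(saf_authorization=True))
```

On the sample map the caller list resolves to "disabled" because disablePropogationCallerList wins over propogateFirstCallerOnly, and the domain resolves to cellQualified/TESTSYS with no findings; a lower-case or over-long name, or a domainType other than none or cellQualified, produces a finding instead of being saved silently.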

Custom properties: Overriding the default TSO session type

An application might connect to an Enterprise Information System (EIS) and use the thread identity support. The thread identity support is provided by the connection management component of WebSphere Application Server for z/OS. In this situation, a security credential that is based on the current thread identity encapsulates the security information for the user that is associated with the connection. By default, the session type associated with the user is TSO. If you have WebSphere Application Server for z/OS users that use the thread identity support, you must define the users as TSO users. If you prefer not to define the users as TSO users, you can use the security.zOS.session.OMVSSRV custom property, which changes the session type for the user identity in the security credential from TSO to OMVSSRV. However, if you use the user information for authentication at the target EIS, such as IMS, the user must be an authorized OMVSSRV user. To specify the custom property, complete the following steps:
  1. Click Security > Global security.
  2. Under Additional property, click Custom properties.
  3. Click New.
  4. In the Name field, type security.zOS.session.OMVSSRV
    Important: This custom property name is case sensitive.
  5. In the Value field, type true
  6. Click Apply and Save.

Custom properties: Trusted applications

The control_region_security_enable_trusted_applications property enables WebSphere Application Server to build native credentials without authenticators on behalf of problem-state callers. You can use this property to meet the MVS integrity rules so that unauthorized callers are not allowed to perform authorized functions. If you are using Lightweight Third Party Authentication (LTPA) with a local operating system registry or System Authorization Facility (SAF) authorization, set this property to true. To set the property, complete the following steps:
  1. Click Custom properties.
  2. Click the control_region_security_enable_trusted_applications property.
  3. Change the Value field from false to true and click Apply.

Related tasks
Securing specific application servers
Enabling security for all application servers
Related reference
Lightweight Third Party Authentication settings
Integrated Cryptographic Services Facility settings
Local operating system user registry settings
Lightweight Directory Access Protocol settings
Summary of controls
Custom user registry settings
Reference topic
Last updated: Sep 20, 2010 10:03:57 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-zos&topic=usecrgsp
File name: usec_rgsp.html