Server and global security

The term global security covers the authentication of users who use the WebSphere administration functions, the use of Secure Sockets Layer (SSL), and the choice of user account repository.

When you configure a Local OS user registry, it uses the Resource Access Control Facility (RACF), or a System Authorization Facility (SAF)-compliant, user database. Selecting the Local OS user registry as the active registry enables you to take advantage of z/OS System Authorization Facility functions directly using the WebSphere Application Server principals:

These functions are available using other registries, but require identity mapping through modifications to the WebSphere Application Server system login configuration and Java Authentication and Authorization Service (JAAS) login modules. Refer to Updating system login configurations to perform a System Authorization Facility identity user mapping for more information.

Configuration of global security for a security domain consists of configuring the common user registry, the authentication mechanism, and other security information that defines the behavior of a security domain. The other security information that is configured includes the following components:

Where multiple nodes and multiple servers within a node are possible, you can configure certain attributes at a server level. The attributes that are configurable at a server level include security enablement for the server, Java 2 security manager enablement, and CSIv2 and z/SAS authentication protocol (RMI/IIOP security). You can disable security on individual application servers while global security is enabled; however, you cannot enable security on an individual application server while global security is disabled.

While application server security is disabled for user requests, administrative and naming security is still enabled for that application server so that the administrative and naming infrastructure remains secure. If cell security is enabled, but security for individual servers is disabled, J2EE applications are not authenticated or authorized. However, naming and administrative security is still enforced. Consequently, because naming services can be called from user applications, grant Everyone access to the naming functions that are required so that these functions accept unauthenticated requests. User code does not directly access administrative security except through the supported scripting tools.
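The following added example (not IBM code and not part of the original topic) models the precedence rules described above so that a cell inventory can be checked for servers whose applications run unauthenticated. The inventory layout, the server names, and the finding labels are assumptions made for illustration; they are not a WebSphere file format or API.

```python
# Added example: models the server-versus-global security rules in this topic.
# The inventory layout is a constructed stand-in, not a WebSphere file format.

def audit_cell(global_security, servers):
    """Return (effective, findings) for one cell.

    global_security: bool, the cell-wide global security setting.
    servers: dict of server name -> True, False or None, the server-level
             security setting (None means the server inherits the cell value).
    """
    effective, findings = {}, []
    for name, override in sorted(servers.items()):
        wanted = global_security if override is None else override
        # A server can switch security off under an enabled cell,
        # but cannot switch it on under a disabled cell.
        app_security = global_security and wanted
        effective[name] = {
            "app_security": app_security,
            # Administrative and naming security follow the cell setting,
            # even when the server has security disabled for user requests.
            "admin_naming_security": global_security,
        }
        if global_security and not app_security:
            # J2EE applications on this server are not authenticated or
            # authorized; naming calls from them arrive unauthenticated.
            findings.append((name, "APPS_UNAUTHENTICATED"))
            findings.append((name, "REVIEW_NAMING_EVERYONE_ACCESS"))
        elif override and not global_security:
            findings.append((name, "SERVER_ENABLE_HAS_NO_EFFECT"))
    return effective, findings


# Constructed sample inventory (hypothetical server names).
SAMPLE = {"server1": None, "server2": False, "server3": True}

if __name__ == "__main__":
    for cell_setting in (True, False):
        eff, finds = audit_cell(cell_setting, SAMPLE)
        print("global security =", cell_setting)
        for name in sorted(eff):
            print("  ", name, eff[name])
        for finding in finds:
            print("   finding:", finding)
```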




Related concepts
Global security
Related tasks
Updating system login configurations to perform a System Authorization Facility identity user mapping

Last updated: Sep 20, 2010 10:03:57 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-zos&topic=csecglobalserver
File name: csec_globalserver.html