The term global security refers to the cell-wide security settings: the authentication
of users of the WebSphere administration functions, the use of Secure Sockets Layer (SSL),
and the choice of user account repository.
When you configure a Local OS user registry, WebSphere Application Server uses the
Resource Access Control Facility (RACF), or another System Authorization Facility
(SAF)-compliant, user database. Selecting the Local OS user registry as the
active registry lets you use z/OS System Authorization Facility functions directly
with the WebSphere Application Server principals:
- Share identities with many other z/OS connector services
- Use SAF delegation, which minimizes the need to store user IDs and passwords
in many locations in the configuration
- Utilize additional audit capabilities
These functions are also available with other registries, but they then require identity
mapping through modifications to the WebSphere Application Server system login
configuration and Java Authentication and Authorization Service (JAAS) login
modules. Refer to
Updating system login configurations to perform a System Authorization Facility identity user mapping for
more information.
Configuring global security for a security domain consists of configuring the common
user registry, the authentication mechanism, and the other security information that
defines the behavior of the security domain. That other security information includes
the following components:
- Java 2 Security Manager
- Java Authentication and Authorization Service (JAAS)
- Java 2 Connector authentication data entries
- Common Secure Interoperability Version 2 (CSIv2) and z/OS Secure Authentication
Service (z/SAS) authentication protocol (Remote Method Invocation over the Internet
Inter-ORB Protocol (RMI/IIOP) security)
- Other miscellaneous attributes
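The settings listed above live in the cell-level security.xml, and a practitioner auditing a cell usually wants to read them offline before touching the console. The following is an added example, not IBM's code and not from the original page: it parses a security.xml document and reports whether global security is enabled, whether the Java 2 security manager is enforced, which user registry is active (and whether it is the Local OS registry), and which RMI/IIOP authentication protocol is active. The sample document is constructed for the demonstration. The element and attribute names it relies on (enabled, enforceJava2Security, activeUserRegistry, activeProtocol, and userRegistries children whose xmi:type is security:LocalOSUserRegistry) are assumed to match the security.xml schema of the release in use, and the activeProtocol values CSI and BOTH (CSIv2 only, or CSIv2 plus z/SAS) are likewise an assumption to confirm against your own cell's file.

```python
"""Offline audit of the global-security settings in a WebSphere security.xml.

Added example, not IBM's code. Element and attribute names are assumed to
match the security.xml schema of the release in use.
"""
import xml.etree.ElementTree as ET

XMI_NS = "http://www.omg.org/XMI"
XMI_TYPE = "{%s}type" % XMI_NS
XMI_ID = "{%s}id" % XMI_NS
LOCAL_OS_TYPE = "security:LocalOSUserRegistry"
# Assumed values: CSI = CSIv2 only, BOTH = CSIv2 plus z/SAS.
KNOWN_PROTOCOLS = ("CSI", "BOTH")

# Constructed sample of a cell-level security.xml (not taken from a real cell).
SAMPLE_SECURITY_XML = """<security:Security xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:id="Security_1" enabled="true" enforceJava2Security="false"
    activeProtocol="BOTH" activeAuthMechanism="LTPA_1"
    activeUserRegistry="LocalOSUserRegistry_1">
  <authMechanisms xmi:type="security:LTPA" xmi:id="LTPA_1" timeout="120"/>
  <userRegistries xmi:type="security:LocalOSUserRegistry"
      xmi:id="LocalOSUserRegistry_1" serverId="WSADMIN" realm="PLEX1"/>
  <userRegistries xmi:type="security:CustomUserRegistry"
      xmi:id="CustomUserRegistry_1" serverId="wsadmin"/>
</security:Security>
"""


def _as_bool(value):
    """security.xml stores booleans as the strings "true"/"false"."""
    return (value or "").strip().lower() == "true"


def audit_global_security(xml_text):
    """Return a dict describing the global-security posture found in xml_text.

    The 'findings' list holds human-readable warnings; an empty list means
    security is enabled, Java 2 security is enforced, the active registry
    resolves to a Local OS registry and the protocol value is recognised.
    """
    root = ET.fromstring(xml_text)

    # Index the configured registries by xmi:id so the activeUserRegistry
    # reference on the root element can be resolved to a concrete entry.
    registries = {reg.get(XMI_ID): reg for reg in root.findall("userRegistries")}
    active_id = root.get("activeUserRegistry")
    active = registries.get(active_id)
    active_type = active.get(XMI_TYPE) if active is not None else None

    result = {
        "enabled": _as_bool(root.get("enabled")),
        "java2_security": _as_bool(root.get("enforceJava2Security")),
        "active_registry_id": active_id,
        "active_registry_type": active_type,
        "local_os_registry": active_type == LOCAL_OS_TYPE,
        "active_protocol": root.get("activeProtocol"),
        "findings": [],
    }
    findings = result["findings"]

    if not result["enabled"]:
        findings.append("global security is disabled: administrative, naming and "
                        "application requests are not authenticated")
    if not result["java2_security"]:
        findings.append("Java 2 security manager is not enforced")
    if active is None:
        findings.append("activeUserRegistry %r does not resolve to a configured "
                        "userRegistries entry" % active_id)
    elif not result["local_os_registry"]:
        findings.append("active registry is %s, not Local OS: SAF identity sharing "
                        "and delegation need JAAS identity mapping" % active_type)
    if result["active_protocol"] not in KNOWN_PROTOCOLS:
        findings.append("unexpected activeProtocol %r (expected CSI or BOTH)"
                        % result["active_protocol"])
    return result


if __name__ == "__main__":
    report = audit_global_security(SAMPLE_SECURITY_XML)
    for key, value in report.items():
        if key != "findings":
            print("%-22s %s" % (key, value))
    for finding in report["findings"]:
        print("WARNING:", finding)
```

To use it on a real cell, read the security.xml from the cell's configuration directory into a string and pass it to audit_global_security; if your release names an attribute differently, adjust the constants at the top rather than the logic.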
Where multiple nodes and multiple servers within a node are possible, you can
configure certain attributes at the server level. The attributes that are
configurable at the server level include security enablement for the server,
Java 2 security manager enablement, and the CSIv2 and z/SAS authentication
protocol (RMI/IIOP security). You can disable security on an individual
application server while global security is enabled; however, you cannot enable
security on an individual application server while global security is disabled.
While application server security is disabled for user requests, administrative
and naming security remains enabled for that application server so that the
administrative and naming infrastructure stays secure. If cell security is
enabled but security for individual servers is disabled, J2EE applications on
those servers are not authenticated or authorized, while naming and administrative
security is still enforced. Consequently, because naming services can be called
from user applications that now run without authentication, grant Everyone access
to only those naming functions that the applications require, so that those
functions accept unauthenticated requests; any naming function granted to Everyone
is callable by any unauthenticated client, so keep the grant to the minimum. User
code does not directly access administrative security except through the supported
scripting tools.