Securing your environment after installation
WebSphere Application Server depends on several configuration files
that are created during installation. These files contain password information
and need protection. Although the files are protected to a limited degree
during installation, this basic level of protection is probably not sufficient
for your site. You should verify that these files are protected in compliance
with the policies of your site.
Before you begin
Note: A Kerberos keytab configuration file contains a list of keys that are analogous to user passwords. The default keytab file is krb5.keytab. It is important for hosts to protect their Kerberos keytab files by storing them on the local disk with permissions that make them readable only by authorized users.
The files in the WAS_HOME/config and the WAS_HOME/properties directories need protection. For example, give permission to the user who logs onto the system for WebSphere Application Server primary administrative tasks. Other users or groups, such as WebSphere Application Server console users and console groups, need permissions as well.
The files in the WAS_HOME/properties directory that must be readable by everybody are:
- TraceSettings.properties
- client.policy
- client_types.xml
- sas.client.props
- sas.stdclient.properties
- sas.tools.properties
- soap.client.props
- wsadmin.properties
- wsjaas_client.conf
The value for the WAS_HOME directory is specified in the customization dialogs when WebSphere Application Server for z/OS is installed, for both the base product and Network Deployment.
Procedure
Secure files on WebSphere Application Server for z/OS systems.
- Use the z/OS Customization Dialog and follow the generated instructions to customize your system. The customization jobs that are generated perform the following functions:
- Create System Authorization Facility (SAF) WebSphere Application Server
user IDs that are needed for administrator and server processes.
- Create a SAF WebSphere Application Server configuration group and add
the SAF WebSphere Application Server user IDs.
- Provide a mapping from a Java 2, Enterprise Edition (J2EE) principal to
SAF user ID. You can generate a sample mapping module or you can specify one
that you created yourself.
- Associate WebSphere Application Server-started tasks with the SAF user
IDs and groups that are defined previously.
- Populate the file system with the system and property files that are needed
to run WebSphere Application Server.
- Change the ownership of these files to the WebSphere Application Server
administrator.
- Create the appropriate file permissions.
All files in the WAS_HOME/config directory must have write and read access for all members of the WebSphere Application Server configuration group, but must not be accessible by everyone (mode 770).
All files in the WAS_HOME/properties directory must have write and read access for all members of the WebSphere Application Server configuration group. Set the access permissions for the following files as appropriate to your security guidelines:
- TraceSettings.properties
- client.policy
- client_types.xml
- sas.client.props
- sas.stdclient.properties
- sas.tools.properties
- soap.client.props
- wsadmin.properties
- wsjaas_client.conf
For example, you might issue the following command, where file_name is the name of one of the files listed previously:
chmod 775 file_name
These files contain sensitive information such as passwords.
- Add administrators who perform full or partial WebSphere Application
Server administration tasks to the configuration group.
- Restrict access to the /var/mqm directories and the
log files that are needed for WebSphere Application Server embedded messaging
or WebSphere MQ as the JMS provider. Give write access only to the mqm user
ID or members of the mqm user group.
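A permission audit for the rules in this procedure (mode 770 for WAS_HOME/config; group read and write for every file in WAS_HOME/properties, with the listed files also readable by everybody), as an added example that is not part of the IBM documentation or product. It assumes a POSIX shell with GNU or BSD stat(1); the WAS_HOME path is passed as an argument, and the sample tree it checks is constructed in a temporary directory.

```shell
#!/bin/sh
# Audits a WAS_HOME tree against the permission rules in the procedure above.
# Added example, not an IBM tool; assumes GNU stat (-c %a) or BSD stat (-f %Lp).
# The WAS_HOME/properties files the text requires to be readable by everybody.
WORLD_READABLE_PROPS="TraceSettings.properties client.policy client_types.xml
sas.client.props sas.stdclient.properties sas.tools.properties
soap.client.props wsadmin.properties wsjaas_client.conf"
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }   # e.g. 770
is_listed() { for f in $WORLD_READABLE_PROPS; do [ "$f" = "$1" ] && return 0; done; return 1; }

# WAS_HOME/config is mode 770: no entry may be reachable by "everyone", so the
# last octal digit (the other bits) of the directory and every file must be 0.
audit_config() {
  { echo "$1/config"; find "$1/config" -type f; } | while IFS= read -r p; do
    m=$(mode_of "$p")
    [ "${m#${m%?}}" = 0 ] || echo "VIOLATION: $p is mode $m, expected 770"
  done
}

# WAS_HOME/properties: every file needs group read+write; the listed files must
# also be world-readable. Flagging an unlisted world-readable file is this
# script's inference from the text's statement that these files need protection.
audit_properties() {
  find "$1/properties" -type f | while IFS= read -r p; do
    m=$(mode_of "$p"); grp=${m%?}; grp=${grp#${grp%?}}; oth=${m#${m%?}}
    [ $((grp & 6)) -eq 6 ] || echo "VIOLATION: $p is mode $m, group needs rw"
    if is_listed "${p##*/}"; then
      [ $((oth & 4)) -eq 4 ] || echo "VIOLATION: $p is mode $m, must be world-readable"
    else
      [ $((oth & 4)) -eq 0 ] || echo "VIOLATION: $p is mode $m, unlisted but world-readable"
    fi
  done
}
violation_count() { { audit_config "$1"; audit_properties "$1"; } | wc -l | tr -d ' '; }

# Constructed fixture (constructed-* names are made up): one compliant and one
# non-compliant entry per rule, so the audit should report three violations.
build_fixture() (
  mkdir -p "$1/config" "$1/properties" && cd "$1" && chmod 770 config
  touch config/constructed-a.xml config/constructed-b.xml properties/constructed.props \
        properties/sas.client.props properties/soap.client.props properties/wsadmin.properties
  chmod 660 config/constructed-a.xml properties/constructed.props properties/soap.client.props
  chmod 664 config/constructed-b.xml        # violation: world-readable under config
  chmod 775 properties/sas.client.props     # compliant; soap.client.props (660) is listed but not public
  chmod 744 properties/wsadmin.properties   # violation: group lacks write
)
demo=$(mktemp -d) && build_fixture "$demo"
audit_config "$demo"; audit_properties "$demo"
echo "violations: $(violation_count "$demo")"   # 3 for the fixture
rm -rf "$demo"
```

Run the two audit functions against a real WAS_HOME instead of the fixture to list every entry that departs from the rules; a count of 0 means the tree complies.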
Results
After securing your environment, only the users with permission can
access the files. Failure to adequately secure these files can lead to a breach
of security in your WebSphere Application Server applications.
What to do next
If failures occur that are caused by file access permissions, check the permission settings.
