Explore the key concepts pertaining to securing applications
and their environment. WebSphere Application Server plays an integral
part of the multiple-tier enterprise computing framework. Based on
open architecture, WebSphere Application Server provides many plug-in
points to integrate with enterprise software components to provide
end-to-end security. Security infrastructure and mechanisms protect
Java 2 Platform, Enterprise Edition (J2EE) resources and administrative
resources, addressing your enterprise security requirements.
- Administrative security
- Administrative security determines whether security is used at
all, the type of registry against which authentication takes place,
and other values, many of which act as defaults. Proper planning is
required because incorrectly enabling administrative security can
lock you out of the administrative console or cause the server to
abend.
- Application security
- Application security enables security for the applications in
your environment. This type of security provides application isolation
and requirements for authenticating application users.
- Java 2 security
- Java 2 security provides a policy-based, fine-grain access control
mechanism that increases overall system integrity by checking for
permissions before allowing access to certain protected system resources.
Java 2 security guards access to system resources such as file I/O,
sockets, and properties. Java 2 Platform, Enterprise Edition (J2EE)
security guards access to Web resources such as servlets, JavaServer
Pages (JSP) files and Enterprise JavaBeans (EJB) methods.
- User registries and repositories
- WebSphere Application Server provides implementations that support
multiple types of registries and repositories including the local
operating system registry, a standalone Lightweight Directory Access
Protocol (LDAP) registry, a standalone custom registry, and federated
repositories.
- Local operating system registries
- With the registry implementation for the local operating system,
the WebSphere Application Server authentication mechanism can use
the user accounts database of the local operating system.
- Authentication mechanisms
- An authentication mechanism defines rules about security information,
for example, whether a credential is forwardable to another Java process,
and the format of how security information is stored in both credentials
and tokens.
- Standalone Lightweight Directory Access Protocol registries
- WebSphere Application Server security provides and supports the
implementation of most major LDAP directory servers, which can act
as the repository for user and group information.
- Federated repositories
- Federated repositories enable you to use multiple repositories
with WebSphere Application Server. These repositories, which can be
file-based repositories, LDAP repositories, or a sub-tree of an LDAP
repository, are defined and theoretically combined under a single
realm.
- Authentication protocol for EJB security
- You can choose from two authentication protocols: z/OS Secure
Authentication Service (z/SAS) and Common Secure Interoperability
Version 2 (CSIv2).
- Authorization technology
- Authorization information determines whether a user or group has
the necessary privileges to access resources.
- Java Authentication and Authorization Service
- The Java Authentication and Authorization Service is a standard
Java API that supports the Java 2 security authorization to extend
the code base on the principal as well as the code base and users.
- Authentication protocol for EJB security
- WebSphere Application Server Version 6.1 servers
support the CSIv2 authentication protocol only. SAS is only supported
between Version 6.0.x and earlier version servers that have been federated
in a Version 6.1 cell. The option to select between SAS, CSIv2, or
both is only available in the administration console when a Version
6.0.x or earlier release has been federated in a Version 6.1 cell.
- Identity mapping
- Identity mapping is a one-to-one mapping of a user identity between
two servers so that the proper authorization decisions are made by
downstream servers. Identity mapping is necessary when the integration
of servers is needed, but the user registries are different and not
shared between the systems.
- Secure communications using Secure Sockets Layer
- The Secure Sockets Layer (SSL) protocol provides transport layer
security including authenticity, data signing, and data encryption
to ensure a secure connection between a client and server that uses
WebSphere Application Server. The foundation technology for SSL is
public key cryptography, which guarantees that when an entity encrypts
data using its private key, only entities with the corresponding public
key can decrypt that data.
- Key management for cryptographic uses
- WebSphere Application Server provides a framework for managing
keys (secret keys or key pairs) that applications use to perform cryptographic
operations on data. The key management framework provides an application
programming interface (API) for retrieving these keys. Keys are managed
in keystores so the keystore type can be supported by WebSphere Application
Server, provided that the keystores can store the referenced key type.
You can configure keys and scope keystores so that they are visible
only to particular processes, nodes, clusters, and so on.
- Plug point for custom password encryption
- A plug point for custom password encryption can be created to
encrypt and decrypt all passwords in WebSphere Application Server
that are currently encoded or decoded using Base64-encoding.
- Secure transports with JSSE and JCE programming interfaces
- This topic provides detailed information about transport security
using Java Secure Socket Extension (JSSE) and Java Cryptography Extension
(JCE) programming interfaces. Within this topic, there is a description
of the IBM version of the Java Cryptography Extension Federal Information
Processing Standard (IBMJCEFIPS).
- Web component security
- You can develop a Web module and enforce security at the method
level of each Web resource.
- Password encoding and encryption
- Password encoding deters the casual observation of passwords in
server configuration and property files.
- Security role references
- Web application developers or EJB providers that use the available
programmatic security J2EE APIs, isUserInRole(String roleName) or
isCallerInRole(String roleName), use a role-name in the code.
- Basic Security Profile compliance tips
- The Web Services Interoperability Organization (WS-I) Basic Security
Profile (BSP) 1.0 promotes interoperability by providing clarifications
and amplifications to a set of non-proprietary Web services specifications.
WebSphere Application Server Web Services Security provides configuration
options to ensure that the BSP recommendations and security considerations
can be enabled to ensure interoperability. The degree to which you
follow these recommendations is then a measure of how well the application
you are configuring complies with the Basic Security Profile (BSP).
- Web services security token propagation
- Web services security has the ability to send security tokens
in the security header of a SOAP message. These security tokens can
be used to sign, verify, encrypt or decrypt message parts. They can
also be sent as stand-alone security tokens and set as the caller
on the request consumer. Custom security token propagation is a feature
that is used to propagate these custom security tokens using Web services
security.
- UDDI registry security and UDDI registry settings
- In addition to the configuration of UDDI registry security, there
a number of other UDDI registry settings which may affect the behavior
of the UDDI registry. Some of these settings are security specific,
others are points to bear in mind when configuring security.
- J2EE connector security
- The J2EE connector architecture defines a standard architecture
for connecting the Java 2 Platform, Enterprise Edition (J2EE) to heterogeneous
enterprise information systems (EIS).
- Asynchronous messaging - security considerations
- This topic describes considerations that you should be aware of
if you want to use security for asynchronous messaging with WebSphere
Application Server.