During installation you now have the option of enabling administrative
security during initial cell customization; this procedure is referred to
as "security out of the box". It protects the cell from unauthorized modification,
which can occur if security is not enabled.
When a new stand-alone application server or Network Deployment cell is
created, there are three initial security choices in WebSphere Application
Server for z/OS Version 6.1:
- Use a z/OS security product to manage user identities and authorization policy
- Use WebSphere Application Server to manage user identities and the authorization policy
- Do not enable security
This article describes the three initial security options and the configuration
effects of each.
Remember that WebSphere Application Server for z/OS always requires the
presence of a SAF-compliant security system to provide operating system security.
Regardless of which security option is chosen:
- SAF user IDs for WebSphere Application Server started tasks are always
created during customization.
- SAF groups (the configuration, servant and local user groups) are created
during customization and granted the necessary permissions.
- SAF SERVER profiles are used to control servant access to controller
regions.
- If daemon SSL is selected during customization, a keyring and digital
certificate for the daemon are created in SAF.
Note: Each of the initial security configurations is basic, requiring few
choices during customization; after configuration is complete, additional
work is usually required to match cell security policies to the needs of the
enterprise. See the Security section of the InfoCenter for more information.
Option 1: Use a z/OS security product to manage user identities and authorization policy
If this option is chosen during customization:
- Each WebSphere Application Server user and group identity corresponds
to a user ID or group in the z/OS system's SAF-compliant security system (IBM's
RACF, or an equivalent product).
- Access to WebSphere Application Server roles is controlled using the SAF
EJBROLE profile.
- Digital certificates for SSL communication are stored in the z/OS security
product.
The z/OS system's security product is always used to control WebSphere
Application Server for z/OS started task identities, and the location service
daemon's digital certificate (if daemon SSL is selected). However, when
this security option is selected, all WebSphere Application Server administrators
and administrative groups must be defined to SAF as well. Later, if application
security is enabled, the SAF security database holds those user identities
as well.
This option is appropriate when servers or cells will reside
entirely on z/OS systems, with SAF as the user registry. Customers who plan
to implement an LDAP or custom user registry, but who will map WebSphere Application
Server identities to SAF identities and use EJBROLE profiles for authorization,
should also choose this option so that initial SAF EJBROLE setup is performed.
When this option is chosen during customization, the following SAF user IDs are
created:
- An administrator user ID
- An "unauthorized user" ID, to represent WebSphere Application Server identities
which have not been authenticated
SAF EJBROLE profiles for administrative roles (administrator, configuration,
deployer, monitor and operator) are created, and the administrator user ID
is granted the administrator role.
SAF CBIND profiles are created, and granted to the configuration group.
Digital certificates are created in the SAF security system for each server
controller (deployment manager or application server controller).
Digital keyrings are created in the SAF security system for the administrator,
controller, controller region adjunct, and server user IDs, and the appropriate
certificates are attached to these keyrings.
A security domain name may be specified when this option is chosen; the security
domain name becomes part of the APPL, CBIND and EJBROLE profile names used for
authorization checking.
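The following RACF commands are an added illustration of the EJBROLE setup described above; they are not taken from the article or from the customization jobs, which generate the real commands. The user ID WSADMIN, the group WSCFG1 and the security domain name TESTDOM are constructed placeholders, and the set of role profiles shown is a subset of those customization creates.

```tso
/* Added example, not from the article: RACF commands showing how the   */
/* security domain name (TESTDOM, a placeholder) is prefixed to the     */
/* EJBROLE profile names, and how the administrator user ID (WSADMIN,   */
/* a placeholder) is granted only the administrator role.               */

/* Activate the EJBROLE class if it is not already active and RACLISTed */
SETROPTS CLASSACT(EJBROLE) RACLIST(EJBROLE)

/* Define one profile per administrative role. UACC(NONE) means no     */
/* user holds a role unless explicitly permitted to it.                 */
RDEFINE EJBROLE TESTDOM.administrator UACC(NONE)
RDEFINE EJBROLE TESTDOM.deployer      UACC(NONE)
RDEFINE EJBROLE TESTDOM.monitor       UACC(NONE)
RDEFINE EJBROLE TESTDOM.operator      UACC(NONE)

/* Grant the administrator user ID the administrator role only.         */
/* A read-only operations group (placeholder WSCFG1) gets monitor.      */
PERMIT TESTDOM.administrator CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)
PERMIT TESTDOM.monitor       CLASS(EJBROLE) ID(WSCFG1)  ACCESS(READ)

/* Profiles are cached in storage; refresh so the change takes effect.  */
SETROPTS RACLIST(EJBROLE) REFRESH

/* Verification: list the profile and its access list to confirm that   */
/* only the intended IDs hold the administrator role.                   */
RLIST EJBROLE TESTDOM.administrator AUTHUSER
```

Because the profile name includes the domain, two cells with different security domain names keep separate role assignments in the same SAF database.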
Option 2: Use WebSphere Application Server to manage user identities and authorization policy
If this option is chosen during customization:
- Each WebSphere Application Server user and group identity corresponds
to an entry in a WebSphere Application Server user registry. The initial
user registry is a simple file-based user registry, created during customization,
and residing in the configuration file system.
- Access to WebSphere Application Server roles is controlled using WebSphere
Application Server role bindings. In particular, administrative roles are
controlled using the "Console users and groups" settings in the administrative
console.
- Digital certificates for SSL communication are stored in the configuration
file system.
The z/OS system's security product is always used to control WebSphere
Application Server for z/OS started task identities, and the location service
daemon's digital certificate (if daemon SSL is selected). However, when
this security option is selected, all WebSphere Application Server users and
groups for administrative access are defined in the WebSphere user registry,
rather than in SAF. Later, if application security is enabled, the WebSphere
Application Server user registry holds those user identities as well.
This option is appropriate when servers or cells will reside on a mix of z/OS and
non-z/OS systems, as well as for customers who plan to implement an LDAP or
custom user registry to replace the initial registry. (Customers who plan
to implement an LDAP or custom user registry with identity mapping to SAF
should select z/OS-managed security during customization; see above.)
When this option is chosen during customization, a file-based user registry is
created in the configuration file system.
An administrator user ID (and an optional samples user ID and group) are added
to the file-based user registry.
The administrator user ID is added to the list of authorized console users.
Self-signed digital certificates for servers are created in the configuration
file system automatically by WebSphere Application Server.
Option 3: Do not enable security
If this option is chosen, no administrative security is configured. Anyone with
access to the administrative console port can make changes to the server or cell
configuration. A post-customization security setup is recommended.
The initial security setup options in WebSphere Application Server are very basic,
and are intended only to provide initial administrative security. After your
server or cell is up and running, you may wish to:
- Switch to another user registry. You can use LDAP or a custom user registry
instead of the SAF security database or file-based registry.
- Define additional administrators, or distribute administrative roles.
- Implement application security.