You can customize security to some extent at the application server
level. You can disable administrative security on an application
server.
- Start the administrative console for the deployment manager.
To get to the administrative console, go to http://host.domain:port_number/ibm/console.
If security is disabled, you can enter any ID. If security is enabled, you
must enter a valid user ID and password, which is either the administrative
ID that is configured for the user registry or a user ID that is entered as
an administrative user. To add a user ID as an administrative user, click System
Administration > Console settings > Console users.
- Configure cell-level security if you have not
configured it previously. Go to Enabling security for detailed steps. After security is configured, configure
server-level security.
Attention: Server-level security is not
enabled when you select the Enable application security option on the Server-level
security settings panel of the administrative console. You also must enable
cell-level administrative security by selecting the Enable administrative
security option on the Secure administration, applications, and infrastructure
settings panel of the administrative console.
- To configure server-level security, click Servers > Application
Servers > server name. Under Security, click Server security.
The status of the security level that is in use for this application
server is displayed.
By default,
you can see that your cell-level security configuration, Common Secure Interoperability
(CSI), and SAS have not been overridden at the server level. CSI and SAS are
authentication protocols for RMI/IIOP security requests. The server-level
security panel lists attributes that are on the Secure administration, applications,
and infrastructure panel and can be overridden at the server level. Not all
of the attributes on the Secure administration, applications, and infrastructure
panel can be overridden at the server level, including the user account repository.
By default, you can see that your cell-level
security configuration, Common Secure Interoperability (CSI), and z/SAS have
not been overridden at the server level. CSI and z/SAS are authentication
protocols for RMI/IIOP security requests. The server-level security panel
lists attributes that are on the Secure administration, applications, and
infrastructure panel and can be overridden at the server level. Not all of
the attributes on the Secure administration, applications, and infrastructure
panel can be overridden at the server level, including the user account repository.
- To enable administrative security for this application
server, go to the Server-level security panel, select the Security settings
for this server override cell settings and the Enable application security options.
Settings that you modify on the Server-level security panel override
the settings for cell-level security.
- Click Apply and Save.
- To enable RMI/IIOP security for the application
server, go to the Server-level security panel, select the RMI/IIOP security
for this server overrides cell settings option and click Apply.
If you select the RMI/IIOP security for this server overrides cell
settings option, any changes that you make to the CSIv2 authentication
or transport settings override the same settings on the cell level.
What to do next
Typically, server-level security is used to disable user security
for a specific application server. However, server-level security can also be
used to disable or enable the Java 2 security manager, and to configure the
authentication requirements for both incoming and outgoing RMI/IIOP requests
of this application server.
After you modify the configuration for a particular application
server, you must restart the application server for the changes to become
effective. To restart the application server, go to Servers > Application
servers and click the server name that you recently modified. Click Stop and
then Start.
If you disabled security for the application server,
you can typically test a Web address that is protected when security is enabled.
One such address is usually the snoop application, which is installed as part
of the DefaultApplication during installation. If the DefaultApplication is
installed on the application server, test that security is disabled by going
to the following URL: http://host.domain:9080/snoop. If security
is disabled, a prompt does not display. This URL is just one method of validating
the configuration. Validate that the configuration is appropriate for your
applications.
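The snoop check described above can be scripted so that it runs against each application server after its restart. The following Python is an added example, not IBM code: the function names `classify`, `finding`, and `probe`, the verdict strings, and the sample responses are all constructed for illustration, and it assumes snoop is protected whenever security is enabled, as stated above.

```python
import urllib.error
import urllib.request

# Constructed sample responses (status, headers); not captured from a real server.
SAMPLES = [
    (401, {"WWW-Authenticate": 'Basic realm="Default Realm"'}),
    (200, {"Content-Type": "text/html"}),
    (302, {"Location": "https://host.domain:9443/snoop"}),
    (404, {}),
]

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; a 3xx then surfaces as HTTPError

def classify(status, headers):
    """Turn one unauthenticated response for the snoop URL into a verdict."""
    names = {k.lower() for k in headers}
    if status == 401 and "www-authenticate" in names:
        return "prompt"         # challenge issued: security is enforced
    if status == 200:
        return "no-prompt"      # served without credentials
    if status in (301, 302, 303, 307, 308):
        return "redirect"       # form login or HTTPS redirect: inspect by hand
    if status == 404:
        return "not-installed"  # no DefaultApplication here: proves nothing
    return "inconclusive"

def finding(verdict, security_expected):
    """Compare the verdict with the setting this server is meant to have."""
    if verdict not in ("prompt", "no-prompt"):
        return "CHECK MANUALLY"
    return "OK" if (verdict == "prompt") == security_expected else "MISMATCH"

def probe(url, timeout=5):
    """Request the URL without credentials; run only after the server restart."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        return classify(err.code, dict(err.headers.items()))
    except OSError:  # URLError is an OSError subclass
        return "unreachable"

if __name__ == "__main__":
    for status, headers in SAMPLES:
        verdict = classify(status, headers)
        print(status, verdict, finding(verdict, security_expected=True))
```

Call `probe("http://host.domain:9080/snoop")` with the real host name substituted, then pass the verdict to `finding` along with the setting that server is supposed to have. A `MISMATCH` on a server that is meant to keep security enabled indicates that a server-level override is in effect.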