WebSphere Application Server Version 6.1.x Feature Pack for Web Services
Operating Systems: AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS

Bus-enabled Web services default configuration for accessing a secure service integration bus

By default, the Web services enablement of the service integration bus works when WebSphere Application Server security is enabled and every installed service integration bus is secured. This topic describes the default configuration, and also the effect of modifying or overriding these defaults.

The default configuration that bus-enabled Web services use to access a secure bus is as follows:
  • Access to a bus is configured through the bus connector role. By default, every bus connector role includes a group called server. Members of this group are authorized to connect to the bus.
  • The service integration technologies resource adapter uses a J2C activation specification to communicate with the bus. By default, this activation specification has a boolean custom property useServerSubject that is set to "true". This property allows the service integration technologies resource adapter to connect to the bus as a subject (a member) of the server group.

The server group in the bus connector role

This group controls whether a user is authorized to connect to the bus. The server group can be added or removed using the administrative console:

Security > Bus Security > your_bus > [Additional Properties] Security > [Additional Properties] Users and groups in the bus connector role

This group can also be set using scripting commands:
$AdminTask addGroupToBusConnectorRole
$AdminTask removeGroupFromBusConnectorRole

The useServerSubject property

This boolean property is found in the custom properties panel of the J2C activation specification associated with the service integration technologies resource adapter:

Resources > Resource adapters > SIB_RA > J2C activation specification > SIBWS_OUTBOUND_MDB > [Additional Properties] J2C activation specification custom properties

This property can also be set using scripting commands.

Disabling and overriding the default configuration

To disable the default configuration, set the useServerSubject property to "false" rather than removing the server group, because the service integration technologies resource adapter is not the only system resource that uses the server subject. If you remove the server group from the bus connector role, then no system resources can use the server subject.

You can also override the default configuration by configuring SIBus Web services to use an authentication alias to access a secure service integration bus. Using an authentication alias does not make your configuration more secure. However, you might want to use an alias for consistency of approach if you have other application servers running under WebSphere Application Server Version 6.0, or to support your internal business controls for use of IDs and passwords.

If you configure an authentication alias, you need not also disable the default configuration. If an authentication alias exists, it overrides the default configuration. However, if you subsequently remove the authentication alias from the activation specification, the default configuration again takes control and (if not disabled) allows the service integration technologies resource adapter to continue to access the bus.

The following chart shows whether the service integration technologies resource adapter can connect to the secured bus, depending on the state of the different properties:

Table 1. Summary of expected behavior for accessing a secure service integration bus

| Valid authentication alias | useServerSubject | Server group on bus connector role | Resource adapter can connect? |
|---|---|---|---|
| Yes | No | No | Yes |
| No | Yes | Yes | Yes |
| No | No | Yes | No |
| No | No | No | No |
| No | Yes | No | No |
| Yes | Yes | Yes | Yes (using the authentication alias) |
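
The following added example (not part of the original IBM topic or of WebSphere itself) models the three settings in Table 1 and flags the states where this topic's caveats apply, in particular where removing an authentication alias would leave access in place through the default configuration. The class, function names and sample records are assumptions made for illustration; the values are constructed, not read from a live cell.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class BusAccess:
    """Constructed model of the three settings in Table 1 (not read from wsadmin)."""
    name: str
    valid_auth_alias: bool      # activation specification has a valid authentication alias
    use_server_subject: bool    # useServerSubject custom property
    server_group_in_role: bool  # server group is in the bus connector role

def access_path(cfg):
    """Return how the resource adapter connects: 'alias', 'server-subject' or None."""
    if cfg.valid_auth_alias:
        return "alias"              # an existing alias overrides the default
    if cfg.use_server_subject and cfg.server_group_in_role:
        return "server-subject"     # default configuration
    return None                     # cannot connect to the secured bus

def audit(cfg):
    """List the caveats from this topic that apply to one configuration."""
    findings = []
    path = access_path(cfg)
    if path == "alias" and access_path(replace(cfg, valid_auth_alias=False)):
        findings.append("removing the alias will not revoke access; "
                        "the default configuration takes over again")
    if not cfg.server_group_in_role:
        findings.append("server group is not in the bus connector role; "
                        "no system resource can use the server subject")
    if path is None:
        findings.append("resource adapter cannot connect to the secured bus")
    return findings

# Constructed sample states, one per row of Table 1, in table order.
TABLE_1 = [
    BusAccess("row1", True, False, False),
    BusAccess("row2", False, True, True),
    BusAccess("row3", False, False, True),
    BusAccess("row4", False, False, False),
    BusAccess("row5", False, True, False),
    BusAccess("row6", True, True, True),
]

if __name__ == "__main__":
    for cfg in TABLE_1:
        print(cfg.name, access_path(cfg) or "no access")
        for finding in audit(cfg):
            print("   -", finding)
```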

Last updated: 27 November 2008
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.pmc.wsfep.multiplatform.doc/ref/rjw_security_defaults.html

Copyright IBM Corporation 2004, 2008. All Rights Reserved.