[z/OS]

Enabling administrative security

Before you can enable administrative security for WebSphere Application Server, you must activate an authentication mehanism. You must start the administrative console and use it to activate the authentication mechanism and perform some tasks with the administrative console to ultimately enable administrative security.

Before you begin

Before you can enable security for WebSphere Application Server, you must configure a user registry. In previous releases of WebSphere Application Server, you also had to select an authentication mechanism. However, for WebSphere Application Server Version 6.1, Lightweight Third Party Authentication (LTPA) is the default authentication mechanism. You can specify Simple WebSphere Authentication Mechanism (SWAM), but the mechanism is deprecated. Because SWAM does not provide authenticated communication between different servers, it is recommended that you use LTPA.

About this task

You need to start the administrative console by specifying the following Web site:
http://server_hostname:port_number/ibm/console

Perform the following steps to enable security. The options on the Secure administration, applications, and infrastructure panel provide greater flexibility than previous releases of WebSphere Application Server in enforcing security in your environment.

Procedure

  1. Click Security > Secure administration, applications, and infrastructure.
  2. Select the Enable administrative security option. In previous releases of WebSphere Application Server, this option was called Enable global security. In WebSphere Application Server Version 6.1, the Enforce Java 2 Security option is called the Enable application security option. When you select the Enable administrative security option, the Enable application security and Use Java 2 security to restrict application access to local resources options are selected by default. However, you can clear the Enable application security and Use Java 2 security to restrict application access to local resources options so that they function independently from the Enable administrative security option.
  3. Optional: Clear the Enable application security option if you do not want to require WebSphere Application Server to authenticate application users.
  4. Optional: Clear the Use Java 2 security to restrict application access to local resources option if you do not want to enable Java 2 Security permission checking.
    When Java 2 Security is enabled and if an application requires more Java 2 security permissions than are granted in the default policy, then the application might fail to run properly until the required permissions are granted in either the app.policy file or the was.policy file of the application. AccessControl exceptions are generated by applications that do not have all the required permissions. Review the Java 2 Security and Dynamic Policy documentation if you are unfamiliar with Java 2 security.
    Note: Updates to the app.policy file only apply to the enterprise applications on the node to which the app.policy file belongs.
    1. Optional: Select the Warn if applications are granted custom permissions option. The filter.policy file contains a list of permissions that an application should not have according to the J2EE 1.3 Specification. If an application is installed with a permission specified in this policy file and this option is enabled, a warning is issued. The default is enabled.
    2. Optional: Select the Restrict access to resource authentication data option if you need to restrict application access to sensitive Java Connector Architecture (JCA) mapping authentication data.

      For detailed information, see Secure administration, applications, and infrastructure settings.

  5. Select the Use domain-qualified user names option. If this option is enabled, user names appear with their fully qualified domain attribute when they are retrieved programmatically.
  6. [This information applies to Version 6.0.x and previous servers only that are federated in a Version 6.1 cell.] Select which security protocol is active when security is enabled from the Active Protocol menu. Specifies the active authentication protocol for RMI/IIOP requests when security is enabled.
    WebSphere Application Server includes the Object Management Group (OMG) protocol called CSIv2, which supports increased vendor interoperability and additional features. If all servers in your entire security domain are Version 5 (and above) servers, it is best to specify CSIv2 as your protocol. The default is both CSIv2 and z/SAS.
    Important: z/SAS is supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.
  7. Use the User account repository menu to specify the repository that is active when security is enabled. You can configure settings for one of the following user repositories:
    Federated repositories
    The federated repositories functionality enables you to use multiple registries with WebSphere Application Server. These registries, which can be file-based registries, LDAP registries, or a sub-tree of an LDAP registry, are defined and theoretically combined under a single repository.
    Local operating system
    The implementation is a SAF compliant registry such as the Resource Access Control Facility (RACF), which is shared in an MVS sysplex.
    Standalone LDAP registry
    The standalone LDAP registry settings are used when users and groups reside in an external LDAP directory. When security is enabled and any of these properties are changed, go to the Secure administration, applications, and infrastructure panel and click OK or Apply to validate the changes.
    Standalone custom registry
    The standalone custom registry feature supports any user registry that is not implemented by WebSphere Application Server. You can use any user registry that is used in the product environment by implementing the UserRegistry interface.
  8. Optional: Select the Use the United States Federal Information Processing Standard (FIPS) algorithms option from the Security > SSL certificate and key management panel if you are using a FIPS-certified JSSE. WebSphere Application Server supports a channel framework that uses IBMJSSE2. IBMJSSE2 uses IBMJCEFIPS for cryptographic support when you enable the Use the United States Federal Information Processing Standard (FIPS) algorithms option.
  9. Click OK.

    This panel performs a final validation of the security configuration. When you click OK or Apply from this panel, the security validation routine is performed and any problems are reported at the top of the page. When you complete all of the fields, click OK or Apply to accept the selected settings. Click Save (at the top of the panel) to persist these settings out to a file. If you see any informational messages in red text color, then there is a problem with the security validation. Typically, the message indicates the problem. So, review your configuration to verify that the user registry settings are accurate and the correct registry is selected. In some cases, the LTPA configuration might not be fully specified.

    For detailed information, see Secure administration, applications, and infrastructure settings.

  10. Optional: Configure for SAF authorization. For more information on these settings, see z/OS System Authorization Facility authorization.

Results

Configuration is successful when error messages do not display at the top of the panel.

What to do next

You can disable administrative security.



In this information ...


IBM Redbooks, demos, education, and more

(Index)

Use IBM Suggests to retrieve related content from ibm.com and beyond, identified for your convenience.

This feature requires Internet access.

Task topic Task topic    

Terms and conditions for information centers | Feedback

Last updatedLast updated: Aug 31, 2013 1:23:07 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist&topic=tsecenablglobl
File name: tsec_enablglobl.html