The term administrative security refers to authenticating the users of the WebSphere administrative functions, the use of Secure Sockets Layer (SSL), and the choice of user account repository.
When you configure a Local OS user registry, it uses the Resource Access Control Facility (RACF), or System Authorization Facility (SAF)-compliant, user database. Selecting the Local OS user registry as the active registry enables you to take advantage of z/OS System Authorization Facility functions directly using the WebSphere Application Server principals:
- Share identities with many other z/OS connector services
- Use SAF delegation, which minimizes the need to store user IDs and passwords in many locations in the configuration
- Utilize additional audit capabilities
These functions are available using other registries, but require identity mapping through modifications to the WebSphere Application Server system login configuration and Java Authentication and Authorization Service (JAAS) login modules. Refer to the topic "Updating system login configurations to perform a System Authorization Facility identity" for more information.
Configuration of administrative security for a security domain consists of configuring the common user registry, the authentication mechanism, and other security information that defines the behavior of a security domain. The other security information that is configured includes the following components:
- Java 2 Security Manager
- Java Authentication and Authorization Service (JAAS)
- Java 2 Connector authentication data entries
- Common Secure Interoperability Version 2 (CSIv2) and z/OS Secure Authentication Service (z/SAS) authentication protocol (Remote Method Invocation over the Internet Inter-ORB Protocol (RMI/IIOP) security)
- Other miscellaneous attributes
Where multiple nodes and multiple servers within a node are possible, you can configure certain attributes at a server level. The attributes that are configurable at a server level include security enablement for the server, Java 2 security manager enablement, and CSIv2 and z/SAS authentication protocol (RMI/IIOP security). You can disable security on individual application servers while administrative security is enabled; however, you cannot enable security on an individual application server while administrative security is disabled. While application server security is disabled for user requests, administrative and naming security is still enabled for that application server so that the administrative and naming infrastructure remains secure. If cell security is enabled, but security for individual servers is disabled, J2EE applications are not authenticated or authorized. However, naming and administrative security is still enforced. Consequently, because naming services can be called from user applications, grant Everyone access to the naming functions that are required so that these functions accept unauthenticated requests. User code does not directly access administrative security except through the supported scripting tools.
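The cell-level versus server-level rules above are easy to get wrong when reviewing a large cell, so the following is an added audit helper (not IBM's code and not part of this topic) that encodes them. It runs stand-alone on constructed sample data; when run under the wsadmin scripting tool it is assumed that the AdminTask commands `isGlobalSecurityEnabled` and `isAppSecurityEnabled` exist and return the strings "true" or "false". The per-server application security flags are constructed sample input here and are assumed to be collected from each server's security settings.

```python
# Added example (not IBM's code): audit the cell/server security rules
# described on this page. Stand-alone with constructed data; under wsadmin the
# cell flags are read with the (assumed) AdminTask commands.

def parse_flag(value):
    """Normalize the 'true'/'false' strings that wsadmin commands such as
    AdminTask.isGlobalSecurityEnabled() are assumed to return into a bool."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def effective_security(cell_admin_enabled, server_app_enabled):
    """What is actually enforced on one server, given the cell setting.

    Rules taken from the page:
      * a server cannot have application security enabled while
        administrative security is disabled for the cell;
      * administrative and naming security follow the cell setting even
        when the server's application security is disabled;
      * J2EE applications are authenticated and authorized only when both
        cell security and the server's application security are enabled.
    """
    if server_app_enabled and not cell_admin_enabled:
        raise ValueError("application security cannot be enabled on a server "
                         "while administrative security is disabled")
    return {
        "admin_security": cell_admin_enabled,
        "naming_security": cell_admin_enabled,
        "j2ee_auth": cell_admin_enabled and server_app_enabled,
    }


def audit_cell(cell_admin_enabled, servers):
    """servers maps server name -> application security flag ('true'/'false'
    or bool). Returns a list of (server, finding) tuples in name order."""
    findings = []
    for name in sorted(servers):
        app_on = parse_flag(servers[name])
        if app_on and not cell_admin_enabled:
            findings.append((name, "invalid: application security enabled "
                                   "while cell administrative security is disabled"))
            continue
        state = effective_security(cell_admin_enabled, app_on)
        if not state["admin_security"]:
            findings.append((name, "administrative security off: admin, naming "
                                   "and J2EE requests are unauthenticated"))
        elif not state["j2ee_auth"]:
            findings.append((name, "application security off: J2EE requests are "
                                   "not authenticated or authorized; naming "
                                   "functions that applications call need "
                                   "Everyone access; admin and naming security "
                                   "are still enforced"))
    return findings


def read_cell_flags():
    """Under wsadmin, use the assumed AdminTask commands; elsewhere fall back
    to a constructed sample cell with administrative and application security
    enabled."""
    try:
        AdminTask  # defined only inside the wsadmin interpreter
    except NameError:
        return True, True  # constructed sample values
    return (parse_flag(AdminTask.isGlobalSecurityEnabled()),
            parse_flag(AdminTask.isAppSecurityEnabled()))


if __name__ == "__main__":
    admin_on, app_default_on = read_cell_flags()
    # Constructed sample: one server keeps application security, one disables it.
    sample_servers = {"server1": "true", "server2": "false"}
    for server, finding in audit_cell(admin_on, sample_servers):
        print("%s: %s" % (server, finding))
```

The script avoids Python 3-only syntax so that the same file can be run by wsadmin's Jython interpreter; outside wsadmin the `AdminTask` lookup fails and the constructed sample cell is used instead.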