Before you can enable administrative security for WebSphere Application Server,
you must activate an authentication mechanism. You start the administrative
console, use it to activate the authentication mechanism, and then complete the
remaining tasks in the console to enable administrative security.
Before you begin
Before you can enable security
for WebSphere Application Server, you must configure a user registry. In previous
releases of WebSphere Application Server, you also had to select an authentication
mechanism. However, for WebSphere Application Server Version 6.1,
Lightweight Third Party Authentication (LTPA) is the default authentication
mechanism. You can specify Simple WebSphere Authentication Mechanism (SWAM),
but the mechanism is deprecated. Because SWAM does not provide authenticated
communication between different servers, it is recommended that you use LTPA.
About this task
Start the administrative console by opening the following URL in a browser:
http://server_hostname:port_number/ibm/console
Perform the following steps to enable security. The options
on the Secure administration, applications, and infrastructure panel provide
greater flexibility than previous releases of WebSphere Application Server
in enforcing security in your environment.
Procedure
- Click Security > Secure administration, applications,
and infrastructure.
- Select the Enable administrative security option.
In previous releases of WebSphere Application Server, this option was
called Enable global security. In WebSphere Application Server Version 6.1, the Enforce Java 2 Security option
is called the Enable application security option. When you select the Enable
administrative security option, the Enable application security and Use
Java 2 security to restrict application access to local resources options
are selected by default. However, you can clear the Enable application
security and Use Java 2 security to restrict application access to
local resources options so that they function independently from the Enable
administrative security option.
- Optional: Clear the Enable application
security option if you do not want to require WebSphere Application Server
to authenticate application users.
- Optional: Clear the Use Java 2
security to restrict application access to local resources option if you
do not want to enable Java 2 Security permission checking.
When Java 2 Security is enabled and an application requires more Java 2 security
permissions than the default policy grants, the application might fail to run
properly until the required permissions are granted in either the app.policy file
or the was.policy file of the application. Applications that do not have all the
required permissions generate AccessControl exceptions. Review the Java 2 Security
and Dynamic Policy documentation if you are unfamiliar with Java 2 security.
Note: Updates to the app.policy file apply only to the enterprise applications on
the node to which the app.policy file belongs.
- Optional: Select the Warn if applications are
granted custom permissions option. The filter.policy file
contains a list of permissions that an application should not have according
to the J2EE 1.3 Specification. If an application is installed with a permission
specified in this policy file and this option is enabled, a warning is issued.
The default is enabled.
- Optional: Select the Restrict access to resource
authentication data option if you need to restrict application access
to sensitive Java Connector Architecture (JCA) mapping authentication data.
For detailed information, see Secure administration, applications, and infrastructure settings.
- Select the Use domain-qualified user names option.
If this option is enabled, user names appear with their fully qualified
domain attribute when they are retrieved programmatically.
- Select which security protocol is active when security is enabled from
the Active Protocol menu. This option specifies the active authentication
protocol for RMI/IIOP requests when security is enabled. WebSphere Application
Server includes the Object Management Group (OMG) protocol called CSIv2, which
supports increased vendor interoperability and additional features. If all
servers in your entire security domain are Version 5 (and above) servers, it is
best to specify CSIv2 as your protocol. The default is both CSIv2 and z/SAS.
Important: z/SAS is supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.
- Use the User account repository menu to specify
the repository that is active when security is enabled. You can
configure settings for one of the following user repositories:
- Federated repositories
- The federated repositories functionality enables you to use multiple registries
with WebSphere Application Server. These registries, which can be file-based
registries, LDAP registries, or a sub-tree of an LDAP registry, are defined
and theoretically combined under a single repository.
- Local operating system
- The implementation is a SAF-compliant registry such as the Resource Access
Control Facility (RACF), which is shared in an MVS sysplex.
- Standalone LDAP registry
- The standalone LDAP registry settings are used when users and groups reside
in an external LDAP directory. When security is enabled and any of these properties
are changed, go to the Secure administration, applications, and infrastructure
panel and click OK or Apply to validate the changes.
- Standalone custom registry
- The standalone custom registry feature supports any user registry that
is not implemented by WebSphere Application Server. You can use any user registry
that is used in the product environment by implementing the UserRegistry interface.
- Optional: Select the Use the United
States Federal Information Processing Standard (FIPS) algorithms option
from the Security > SSL certificate and key management panel if you
are using a FIPS-certified JSSE. WebSphere Application Server supports
a channel framework that uses IBMJSSE2. IBMJSSE2 uses IBMJCEFIPS for cryptographic
support when you enable the Use the United States Federal Information Processing
Standard (FIPS) algorithms option.
- Click OK.
This panel performs a final validation of the security configuration. When you
click OK or Apply from this panel, the security validation routine runs and any
problems are reported at the top of the page. When you have completed all of the
fields, click OK or Apply to accept the selected settings, then click Save (at
the top of the panel) to persist the settings to a file. Informational messages
in red text indicate that the security validation found a problem; the message
usually states what is wrong. Review your configuration to verify that the user
registry settings are accurate and that the correct registry is selected. In some
cases, the LTPA configuration might not be fully specified.
For detailed information, see Secure administration, applications, and infrastructure settings.
- Optional: Configure for SAF authorization.
For more information on these settings, see z/OS System Authorization Facility authorization.
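As an added example (not from the original documentation), the following was.policy fragment shows the kind of grant the Java 2 security step refers to: it gives an application read and write access to a single directory so that the AccessControl exception described above does not occur at run time. The grant block uses standard Java policy file syntax; the WebSphere codeBase alias file:${application} (all code in the application) is assumed here, and the directory path is a constructed placeholder.

```text
// was.policy, packaged in the META-INF directory of the enterprise application (EAR).
// Each grant block applies only to the code base named in codeBase.
grant codeBase "file:${application}" {
    // Constructed example: allow the application to read and write files
    // below one directory only; the trailing "/-" covers that directory recursively.
    permission java.io.FilePermission "/var/app_output/-", "read,write";
};
```

Keep grants this narrow: a broad grant such as java.security.AllPermission removes the protection that enabling Java 2 security is meant to provide.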
Results
Configuration is successful when error messages do not display at
the top of the panel.
What to do next
You can disable administrative security.