By enabling security, you protect your server from unauthorized
users and are then able to provide application isolation and requirements
for authenticating application users.
Before you begin
It is helpful to understand security from an infrastructure
perspective so that you know the advantages of different authentication
mechanisms, user registries, authentication protocols, and so on.
Picking the right security components to meet your needs is a part
of configuring security. The following sections help you make these
decisions.
After you understand the security components, you can
proceed to configure security in WebSphere® Application Server.
- Start the WebSphere Application Server
administrative console.
If security is currently disabled, you are prompted for a user ID.
Log in with any user ID. However, if security is currently enabled,
you are prompted for both a user ID and a password. Log in with
a predefined administrative user ID and password.
- Click Security > Global security.
Use the Security Configuration Wizard, or configure security manually.
The configuration order is not important.
Avoid trouble: You must enable administrative security and
application security separately. Because of this split,
WebSphere Application Server clients must know
whether application security is disabled at the target server. Administrative
security is enabled by default. Application security is disabled
by default. Before you attempt to enable application security on the
target server, verify that administrative security is enabled on that
server. Application security can be in effect only when administrative
security is enabled.
For more information on manual configuration,
see Authenticating users.
- Configure the user account repository. For more
information, see Selecting a registry or repository.
On the Global security panel, you can configure user account repositories
such as federated repositories, local operating system, standalone
Lightweight Directory Access Protocol (LDAP) registry, and standalone
custom registry.
Note: You can choose to specify either a server ID
and password for interoperability or enable a
WebSphere Application Server installation to
automatically generate an internal server ID. For more information
about automatically generating server IDs, see
Local operating system settings.
One of the details common to all user registries or repositories is the Primary
administrative user name. This ID is a member of the chosen repository,
but also has special privileges in WebSphere Application Server. The privileges
for this ID and the privileges that are associated with the administrative
role ID are the same. The Primary administrative user name can access
all of the protected administrative methods.
In standalone LDAP registries,
verify that the Primary administrative user name is a member of the
repository and not just the LDAP administrative role ID. The entry
must be searchable.
The Primary administrative user name does not run WebSphere Application Server
processes. Rather, the process ID runs the WebSphere Application Server processes.
In the default configuration, WebSphere Application Server processes run
under the QEJBSVR system-provided user profile.
- Select the Set as current option after you configure
the user account repository. When you click Apply and
the Enable administrative security option is set, a verification occurs
to see if an administrative user ID has been configured and is present
in the active user registry. The administrative user ID can be specified
at the active user registry panel or from the console users link.
If you do not configure an administrative ID for the active user
registry, the validation fails.
Note: When you switch user registries, clear the admin-authz.xml file
of existing administrative IDs and application names. Exceptions occur
in the logs for IDs that exist in the admin-authz.xml file but do not
exist in the current user registry.
- Configure the authentication mechanism.
Configure Lightweight Third-Party Authentication (LTPA) or Kerberos, which is
new to this release of WebSphere Application Server,
under Authentication mechanisms and expiration. LTPA credentials can
be forwarded to other machines. For security reasons, credentials expire;
however, you can configure the expiration dates on the console. LTPA
credentials enable browsers to visit different product servers, which
means you do not have to authenticate multiple times.
Note: You can configure Simple WebSphere Authentication
Mechanism (SWAM) as your authentication mechanism. However, SWAM was
deprecated in WebSphere Application Server Version 7.0 and will be removed
in a future release. SWAM credentials are not forwardable to other
machines and for that reason do not expire.
- Secure Sockets Layer (SSL) is preconfigured by default; changes are not
necessary unless you have custom SSL requirements. You can modify an existing
SSL configuration or create a new one. This action protects the integrity of the
messages sent across the Internet. The product provides a centralized
location to configure SSL configurations that the various WebSphere Application
Server features that use SSL can share, including the LDAP registry, web
container, and the RMI/IIOP authentication protocol (CSIv2). For more
information, see Creating a Secure Sockets Layer configuration. After
you modify a configuration or create a new configuration, specify
it on the SSL configurations panel. To get to the SSL configurations
panel, complete the following steps:
- Click Security > SSL certificate and key management.
- Under Configuration settings, click Manage endpoint security
configurations > configuration_name.
- Under Related items for each scope (for example, node, cluster,
server), select one of the many configuration links that can be scoped
to the resource you are visiting.
You can either edit the DefaultSSLConfig file or create a
new SSL configuration with a new alias name. If you create a new alias
name for your new keystore and truststore files, change every location
that references the DefaultSSLConfig SSL configuration alias. The
following list specifies the locations of where the SSL configuration
repertoire aliases are used in the WebSphere Application Server configuration.
For any transports that use the new network input/output channel chains,
including HTTP and Java™ Message Service (JMS), you
can modify the SSL configuration repertoire aliases in the following
locations for each server:
- Click Server > Application server > server_name.
Under Communications, click Ports. Locate a transport chain
where SSL is enabled and click View associated transports.
Click transport_channel_name. Under Transport Channels, click SSL
Inbound Channel (SSL_2).
For the Object Request Broker (ORB) SSL transports, you
can modify the SSL configuration repertoire aliases in the following
locations. These configurations are for the server-level for
WebSphere Application Server and
WebSphere Application Server, Express and the cell
level for
WebSphere Application Server, Network Deployment.
- Click Security > Global security. Under RMI/IIOP security,
click CSIv2 inbound communications.
- Click Security > Global security. Under RMI/IIOP security,
click CSIv2 outbound communications.
For the Lightweight Directory Access Protocol (LDAP) SSL
transport, you can modify the SSL configuration repertoire aliases
by clicking Security > Global security. Under User account
repository, click the Available realm definitions drop-down
list, and select Standalone LDAP registry.
- Click Security > Global security to configure
the rest of the security settings and enable security. For
information about these settings, see Global security settings.
- Validate the completed security configuration by clicking OK or Apply.
If problems occur, they display at the top of the console page in
red type.
- If there are no validation problems, click Save to
save the settings to a file that the server uses when it restarts.
Saving writes the settings to the configuration repository.
Important: If you do not click Apply or OK in
the Global security panel before you click Save, your changes
are not written to the repository. The server must be restarted for
any changes to take effect when you start the administrative console.
- Start the WebSphere Application Server
administrative console.
If security is currently disabled, log in with any user ID. If security
is currently enabled, log in with a predefined administrative ID and
password. This ID is typically the server user ID that is specified
when you configured the user registry.
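Two of the notes above describe checks that are easy to get wrong by hand: application security has no effect while administrative security is off, and stale administrative IDs left in admin-authz.xml after a registry switch cause exceptions in the logs. The script below is an added example (not IBM code and not part of this page) that reads the two cell-level files and reports both conditions. The element and attribute names it relies on (enabled and appEnabled on the Security root, authorizations/users/roles with name and roleName in the authorization table) and the namespace URIs are assumptions about the XMI layout of those files, and the embedded XML and registry user set are constructed samples; point it at your own profile's files and a real registry lookup before trusting its output.

```python
"""Post-configuration sanity checks for a WebSphere security setup.

Added example, not IBM code. Element/attribute names and namespace URIs
are assumptions about the XMI layout of security.xml and admin-authz.xml;
the XML below and the registry user set are constructed samples.
"""
import xml.etree.ElementTree as ET

XMI = "{http://www.omg.org/XMI}"  # namespace used for xmi:id attributes

# Constructed sample of security.xml: administrative security off,
# application security on, which is the inconsistent state the note warns about.
SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:id="Security_1" enabled="false" appEnabled="true"
    activeUserRegistry="LDAPUserRegistry_1"/>
"""

# Constructed sample of admin-authz.xml after a registry switch: "wasadmin"
# exists in the new registry, "oldadmin" was left over from the old one.
ADMIN_AUTHZ_XML = """<?xml version="1.0" encoding="UTF-8"?>
<rolebasedauthz:AuthorizationTableExt xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:rolebasedauthz="http://www.ibm.com/websphere/appserver/schemas/5.0/rolebasedauthz.xmi"
    xmi:id="AuthorizationTableExt_1" context="domain">
  <authorizations xmi:id="RoleAssignmentExt_1" role="SecurityRole_1">
    <users xmi:id="UserExt_1" name="wasadmin"
        accessId="user:example-realm/uid=wasadmin,o=example"/>
    <users xmi:id="UserExt_2" name="oldadmin"
        accessId="user:old-realm/uid=oldadmin,o=old"/>
  </authorizations>
  <authorizations xmi:id="RoleAssignmentExt_2" role="SecurityRole_2">
    <users xmi:id="UserExt_3" name="wasadmin"
        accessId="user:example-realm/uid=wasadmin,o=example"/>
  </authorizations>
  <roles xmi:id="SecurityRole_1" roleName="administrator"/>
  <roles xmi:id="SecurityRole_2" roleName="adminsecuritymanager"/>
</rolebasedauthz:AuthorizationTableExt>
"""

# Constructed stand-in for the active user registry: the user IDs a lookup
# against the new repository would return (replace with a real LDAP/OS query).
ACTIVE_REGISTRY_USERS = {"wasadmin", "appuser1"}


def security_flags(xml_text):
    """Return (admin_enabled, app_enabled, active_registry) from security.xml."""
    root = ET.fromstring(xml_text)
    admin = root.get("enabled", "false").lower() == "true"
    app = root.get("appEnabled", "false").lower() == "true"
    return admin, app, root.get("activeUserRegistry")


def check_security_split(xml_text):
    """Application security only takes effect when administrative security
    is enabled. Return a list of findings; an empty list means consistent."""
    admin, app, _ = security_flags(xml_text)
    findings = []
    if app and not admin:
        findings.append("appEnabled=true but enabled=false: application "
                        "security has no effect until administrative "
                        "security is enabled")
    return findings


def role_assignments(xml_text):
    """Map roleName -> set of user names assigned to it in admin-authz.xml.
    Child elements are unprefixed in the XMI, so plain tag names match."""
    root = ET.fromstring(xml_text)
    role_names = {r.get(XMI + "id"): r.get("roleName")
                  for r in root.findall("roles")}
    assignments = {}
    for auth in root.findall("authorizations"):
        role = role_names.get(auth.get("role"), auth.get("role"))
        names = {u.get("name") for u in auth.findall("users")}
        assignments.setdefault(role, set()).update(names)
    return assignments


def stale_admin_ids(xml_text, registry_users):
    """Return {roleName: sorted user names} for IDs that hold an administrative
    role but are absent from the active registry (the source of the logged
    exceptions the note describes)."""
    stale = {}
    for role, names in role_assignments(xml_text).items():
        missing = sorted(n for n in names if n not in registry_users)
        if missing:
            stale[role] = missing
    return stale


if __name__ == "__main__":
    for finding in check_security_split(SECURITY_XML):
        print("FINDING:", finding)
    for role, names in stale_admin_ids(ADMIN_AUTHZ_XML, ACTIVE_REGISTRY_USERS).items():
        print("stale in role %s: %s" % (role, ", ".join(names)))
```

Run it after step 4 (and again after switching registries) before you click Save; a non-empty stale list means admin-authz.xml still carries IDs the new registry cannot resolve, and the security-split finding means step 2's prerequisite has not been met.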