IBM BPM, V8.0.1, All platforms > Securing IBM BPM and applications

Configure administrative and application security

The first step in securing your IBM BPM environment and your applications is to make sure that administrative security is enabled. In WebSphere Application Server version 7.0, administrative security is enabled by default. If you have disabled administrative security, use the following instructions to enable it again.

• Install IBM BPM and verify the installation before performing these tasks.
• Open the administrative console for the profile that you want to secure. Log in to the console using an account that has administrator privileges, for example, the default administrator account that was specified during installation.

Important: Application security is required by IBM BPM and must not be turned off in the administrative console. Using the administrative console, you can enable administrative security, application security, and Java™ 2 security.

• Administrative security is enabled by default, and applies to every server within the security domain.

  Administrative security determines whether security is used at all, the type of registry against which authentication takes place, and other values, many of which act as defaults. Proper planning is required because incorrectly enabling administrative security can lock you out of the administrative console or cause the server to end abnormally.

  Administrative security can be thought of as a "big switch" that activates a wide variety of security settings for IBM BPM. Values for these settings can be specified, but they will not take effect until administrative security is activated. The settings include the authentication of users, the use of SSL, and the choice of user account repository. In particular, application security, including authentication and role-based authorization, is not enforced unless administrative security is active.

• Application security is also enabled by default, and is in effect only when administrative security is enabled.

  Application security enables security for the applications in your environment. This type of security provides application isolation and requirements for authenticating application users.

• Java 2 security is disabled by default.

  Java 2 security provides a policy-based, fine-grained access control mechanism that increases overall system integrity by checking for permissions before allowing access to certain protected system resources. Java 2 security guards access to system resources such as file I/O, sockets, and properties. It also guards access to web resources such as servlets, JavaServer Pages (JSP) files, and Enterprise JavaBeans (EJB) methods.

  Because Java 2 security is relatively new, many existing applications, or even new applications, might not be prepared for the fine-grained access control programming model that this form of security is capable of enforcing. Administrators need to understand the possible consequences of enabling Java 2 security if applications are not prepared for it. Java 2 Security places some new requirements on application developers and administrators.

  Java 2 security will also have a performance impact on runtime components in IBM BPM as the fine grained access checkups require much more time than normal security configuration. In addition, enabling Java 2 security also have an impact on custom applications.

  There are known problems with Business Space configurations when Java 2 security is activated. Refer to http://www-01.ibm.com/support/docview.wss?uid=swg21383334.

  Attention: Fix packs that include updates to the Software Development Kit (SDK) might overwrite unrestricted policy files. Back up unrestricted policy files before you apply a fix pack and reapply these files after the fix pack is applied.

Procedure

1. Open the administrative security page in the administrative console.

   Expand Security and click Global security.

2. Confirm that Enable administrative security is selected. If not, select this option.
3. Confirm that Enable application security is selected. If not, select this option.

4. Optional: Enable Java 2 security, if required.

   Although Java 2 security is supported, it is disabled by default. Select Use Java 2 security to restrict application access to local resources to enforce Java 2 security permission checking.

   When you enable Java 2 security, an application that requires more Java 2 security permissions than are granted in the default policy might fail to run properly until the required permissions are granted in either the app.policy file or the was.policy file of the application. Access Control exceptions are generated by applications that do not have all the required permissions. For more information about Java 2 security, see the topic on Configuring Java 2 security policy files in the WebSphere Application Server Information Center. A related link is provided.

   Updates to the app.policy file apply only to the enterprise applications on the node to which the app.policy file belongs.

   1. Select Warn if applications are granted custom permissions. The filter.policy file contains a list of permissions that an application should not have according to the Java 2 Platform, Enterprise Edition 1.4 Specification.

      If an application is installed with a permission specified in this policy file and this option is enabled, a warning is issued. The default is enabled.

   2. Select Restrict access to resource authentication data. Enable this option if you need to restrict application access to sensitive Java Connector Architecture (JCA) mapping authentication data.

5. If you made changes to the security settings, perform these additional steps.

   1. Click Apply.

   2. Click Save.

   3. If necessary, stop and restart the server.

What to do next

You must confirm that administrative security is enabled for each profile created.

• Configure administrative security
  During installation, all components default to the primary administrative credentials that you provide. These default values provide basic security, but to enhance the security of your installation, configure the various components of IBM BPM with appropriate security identities.
• Configure application security
  Applications deployed to your IBM BPM instance require security to be built into them which will later be applied at run time.

Securing IBM BPM and applications

Related concepts:
Get started with security

Related tasks:
Configure application security

Related information:

Java 2 security
Configure Java 2 security policy files