Security considerations
Consider the following when you configure security for the Liberty profile.
LTPA
- Protect file access to the LTPA keys file because it contains the cryptographic material that is used to encrypt and decrypt the user data in the LTPA token. Ensure that only the server process and administrators can read this file.
- Ensure that all servers that participate in Single Sign-On use the same LTPA keys. In addition, make sure that all of the servers have their time and date synchronized, because token validation relies on the expiration timestamp in the token.
- When you specify a password, use the same password on every server that shares the same set of LTPA keys. The password is not used to generate the keys; it is used to encrypt the LTPA keys file so that the keys cannot be read from it. If you copy the LTPA keys file to another Liberty profile server to achieve Single Sign-On (SSO), the password is required to gain access to the keys in the LTPA keys file. For more information about LTPA, see the Configure LTPA topic.
Passwords
- Encode passwords with the securityUtility encode command rather than storing them in plain text in the configuration. The default xor encoding only obfuscates the value; the aes encoding (--encoding=aes) encrypts it with a key, so prefer it where the configuration is shared or stored in source control.
- If you override the default encryption key with the wlp.password.encryption.key property, set the property in a separate configuration file that is stored outside the normal configuration directory for the server (for example, one that server.xml pulls in with an include element), so that the key is not distributed together with the values it protects.
Authorization
- If you specify an auth-constraint with no roles in an application, no one is allowed to access the resource. Use this deliberately to block a URL pattern entirely, and check that it is not the result of an unfinished role mapping.
- Be cautious when you map a role to the EVERYONE special subject, because this mapping is equivalent to not protecting the resource at all: unauthenticated requests are accepted.
Authentication
- The timeout value for the authentication cache that is specified in the <authCache> element must be smaller than the expiration value for the LTPA token that is specified in the <ltpa> element, so that a cached authentication result cannot outlive the LTPA token it was derived from.
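The following script is added here as an example and is not part of the Liberty documentation or of IBM's tooling. It applies the Passwords, Authorization and Authentication rules above as static checks over server.xml, web.xml and ibm-application-bnd.xml. The element and attribute names are the real Liberty and Java EE ones; the three sample documents and their values are constructed for this example. Two details are assumptions: a bare integer is read as minutes for the ltpa expiration and as seconds for the authCache timeout (matching their documented defaults of 120m and 600s), and a password value is treated as encoded when it starts with the {xor}, {aes} or {hash} prefix that securityUtility encode produces.

```python
"""Static checks for the Liberty security considerations (added example, not IBM code)."""
import re
import xml.etree.ElementTree as ET

# Liberty durations look like "2h", "1m30s", "600s" or a bare integer.
# Assumption: a bare integer is minutes for <ltpa expiration> and seconds for
# <authCache timeout>, which matches their documented defaults (120m, 600s).
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1, "ms": 0.001}
# Assumption: these prefixes mark values produced by securityUtility encode.
_ENCODED = re.compile(r"^\{(xor|aes|hash)\}")


def parse_duration(value, default_unit):
    """Convert a Liberty duration string to seconds; raises ValueError on junk."""
    value = value.strip()
    if value.isdigit():
        return int(value) * _UNIT_SECONDS[default_unit]
    total, pos = 0, 0
    for m in re.finditer(r"(\d+)(ms|h|m|s)", value):
        if m.start() != pos:
            raise ValueError(f"bad duration: {value!r}")
        total += int(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(value):
        raise ValueError(f"bad duration: {value!r}")
    return total


def _local(tag):
    """Element name without its XML namespace (web.xml is namespaced)."""
    return tag.rsplit("}", 1)[-1]


def check_server_xml(xml_text):
    """Findings for the authCache/ltpa rule, plaintext passwords and a misplaced key."""
    findings = []
    root = ET.fromstring(xml_text)
    ltpa, cache = root.find("ltpa"), root.find("authCache")
    expiration = parse_duration(ltpa.get("expiration", "120m") if ltpa is not None else "120m", "m")
    timeout = parse_duration(cache.get("timeout", "600s") if cache is not None else "600s", "s")
    if timeout >= expiration:
        findings.append(f"authCache timeout ({timeout}s) is not smaller than "
                        f"ltpa expiration ({expiration}s)")
    for el in root.iter():  # any *password* attribute must carry an encoded value
        for name, val in el.attrib.items():
            if "password" in name.lower() and not _ENCODED.match(val):
                findings.append(f"<{el.tag} {name}> is plaintext; run securityUtility encode")
    for var in root.iter("variable"):  # the key must not live next to the values it protects
        if var.get("name") == "wlp.password.encryption.key":
            findings.append("wlp.password.encryption.key is defined in server.xml; move it to "
                            "an included file outside the server configuration directory")
    return findings


def check_web_xml(xml_text):
    """Flag security-constraints whose auth-constraint names no role (nobody gets in)."""
    findings = []
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        urls = [(e.text or "").strip() for e in sc.iter() if _local(e.tag) == "url-pattern"]
        has_auth = any(_local(e.tag) == "auth-constraint" for e in sc.iter())
        roles = [e for e in sc.iter() if _local(e.tag) == "role-name"]
        if has_auth and not roles:
            findings.append(f"auth-constraint with no roles on {urls}: no one can access them")
    return findings


def check_bindings(xml_text):
    """Flag roles mapped to the EVERYONE special subject (resource is unprotected)."""
    findings = []
    for role in ET.fromstring(xml_text).iter():
        if _local(role.tag) != "security-role":
            continue
        for subj in role.iter():
            if _local(subj.tag) == "special-subject" and subj.get("type") == "EVERYONE":
                findings.append(f"role {role.get('name')!r} is mapped to EVERYONE: "
                                "equivalent to not protecting the resource")
    return findings


# Constructed samples, deliberately misconfigured so every check fires once.
SERVER_XML = """<server description="constructed sample">
  <variable name="wlp.password.encryption.key" value="not-a-real-key"/>
  <ltpa keysFileName="${server.config.dir}/resources/security/ltpa.keys"
        keysPassword="changeit" expiration="30m"/>
  <authCache timeout="1h"/>
  <keyStore id="defaultKeyStore" password="{aes}AAECAwQFBgc="/>
</server>"""

WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection><web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>app</web-resource-name>
      <url-pattern>/app/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

APP_BND = """<application-bnd>
  <security-role name="user"><special-subject type="EVERYONE"/></security-role>
</application-bnd>"""


def audit():
    """Run every check over the constructed samples and return all findings."""
    return check_server_xml(SERVER_XML) + check_web_xml(WEB_XML) + check_bindings(APP_BND)


if __name__ == "__main__":
    for finding in audit():
        print("-", finding)
```

Point the three check functions at real files (read with open().read()) to use it as a pre-deployment gate; the empty auth-constraint finding is informational, since an empty auth-constraint is also the documented way to block a URL pattern outright.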