Enable global security
Overview
You can decide whether to enable IBM WebSphere Application Server security. You must enable security for all other security settings to function.
- Enable global security in the WebSphere
Application Server.
For more information, see Configuring global security. It is important to click Security > Global Security and set the Enabled flag to on and to save the configuration has been saved to the repository. Verify that the validation that occurs after you click OK in the Security > Global Security panel is successful before continuing. If the validation is not successful and you continue with these steps, you risk the server not starting. Reconfigure the security settings until validation is successful.
- Push a copy of the new configuration
to all of the running node agents using the administrative console.
If a node agent fails to get the security-enabled configuration, communication with the deployment manager fails due to a lack of access (the node agent will not be security enabled). To force synchronize a specific node, complete the following steps from the administrative console:
- Go to System Administration > Nodes and select the option
next to all the nodes (you do not need to select the deployment manager node).
- Click Full Resynchronize to verify that the file synchronization
has occurred.
The message might indicate that the nodes already are synchronized. This message is OK. When synchronization is initiated, verify that the Synchronized status displays for all nodes.
- Go to System Administration > Nodes and select the option
next to all the nodes (you do not need to select the deployment manager node).
- Stop the deployment manager. Manually
restart the deployment manager from the command line or service.
To stop the deployment manager, complete the following step:
- Go to System Administration > Deployment Manager and click Stop. This action logs you out of the administrative console and stops the deployment manager process.
- Restart the deployment manager process. To restart
the deployment manager process, locate the install_root/bin directory
and type startManager.bat or startManager.sh
After the deployment manager initialization is complete, go back into the administrative console to complete this task. Remember that security now is enabled in only the deployment manager. If you enabled single signon (SSO), specify the fully qualified domain name of your Web address, for example, http://myhost.domain:9090/admin. When you are prompted for a user ID and password, type the one that you entered as the administrator ID in the configured user registry.
- If the deployment manager does not start
after enabling security, disable security using a script and restart. Disable
security by issuing the following command from the DeploymentManager/bin directory: wsadmin
-c NONE.
- Restart all node agents to make them
security enabled.
You must have restarted the deployment manager in a previous step before completing this step. If the node agent is security-enabled before the deployment manager is security-enabled, then the deployment manager cannot query the node agent for status or give the node agent commands. To stop all node agents, complete the following steps:
- Go to System Administration > Node Agents and select
the option beside all node agents. Click Restart. A message similar
to the following example is displayed at the top of the panel: The node
agent on node NODE NAME was restarted successfully.
- Alternatively, if you previously did not stop your application servers, restart all of the servers within any given node by clicking System Administration > Node Agents and by clicking the node agents where you want to restart all the servers. Then, click Restart all Servers on Node. This action restarts the node agent and any started appservers.
- Go to System Administration > Node Agents and select
the option beside all node agents. Click Restart. A message similar
to the following example is displayed at the top of the panel: The node
agent on node NODE NAME was restarted successfully.
- If any node agent fails to restart,
perform a manual resynchronization of the configuration.
This step consists of going to the physical node and running the client syncNode command. This client logs into the deployment manager and copies all of the configuration files to the node agent. This action ensures that the configuration is security-enabled. To resynchronize, complete the following steps:
- If the node agent is started, but is not communicating with
the deployment manager, stop the node agent by issuing a stopServer command.
If security is enabled on this node agent, issue the stopNode -username administrative_user_name -password administrative_password command. The administrative user is the administrative user configured
for the user registry.
- Issue the command: syncNode CELL_HOST 8879 -username adminuser
-password adminpw. The CELL_HOST is the host name where the
deployment manager resides. The 8879 port is the default SOAP connector
port. If that port number has changed, specify the changed port.
The administrative user is the administrative user configured for the user
registry.
- Restart the node agent by issuing the following command:
startNode
- If the node agent is started, but is not communicating with
the deployment manager, stop the node agent by issuing a stopServer command.
If security is enabled on this node agent, issue the stopNode -username administrative_user_name -password administrative_password command. The administrative user is the administrative user configured
for the user registry.
- Restart all of the appservers
on each node agent.
If you have not already stopped your application servers before performing these steps, restart them now. To restart application servers on a node agent (they must already be started), go to System Administration > Node Agents. Click a node agent and select Restart all Servers on Node. If all servers are already stopped, start the servers by going to Servers > Application Servers and selecting the servers that you want to start. Click Start.
- If you click System Management >
Nodes and the status of the node is Unknown, go to that node
and physically stop and restart the node agent. To stop the node agent, issue
the following command:
stopNode -username administrative_user_name -password administrative_password
To start the node agent, issue the following command:
startNode
- If you have any problems restarting the node agents or appservers, review the output logs in the WAS/logs/nodeagent or WAS /logs/server_name directory, respectively. Then, check the security troubleshooting section to see if any common problems are referenced.
Global security and server security
Java 2 security policy files
Configuring global security
Configuring user registries
Configuring Lightweight Third Party Authentication
Global security settings
Java 2 security