Configure the UDDI Registry to use WAS security


Before you begin

Before starting this task complete the following two steps:

  • Enable WAS global security (see Configuring global security). This will allow the UDDI Registry to exploit the WebSphere Application Server security features.

  • Ensure that WAS is configured to use HTTPS (SSL); this allows secure access to the UDDI Registry. WAS is configured by default to accept SSL requests on port 9443; however, to make any additional SSL configuration changes, refer to Secure Sockets Layer settings for custom properties.


Overview

There are two aspects of WAS security which are exploited by the UDDI registry:

Authorization

Authorization determines whether users are allowed access to services. WebSphere Application Server uses Role Mappings to determine authorization. UDDI makes use of two special WAS roles: Everyone (all users are allowed access) and AllAuthenticatedUsers (only valid WAS registered users are allowed access).

Data confidentiality

Data confidentiality determines security at the transport level. Data confidentiality for WAS services can be either 'none' (HTTP is used as the transport protocol) or 'confidential' (requiring the use of SSL; HTTPS is used as the transport protocol).

When WAS security is enabled, the default settings in the UDDI V3 Application and Web deployment descriptors result in the following features:

  • Publish, Custody Transfer and Security services are mapped to the AllAuthenticatedUsers role, and data confidentiality is enforced (HTTPS is used). The services in question are as follows:

    • Versions 1 and 2 SOAP publish service (SOAP_Publish_User)

    • EJB publish service (EJB_Publish_Role)

    • V3 GUI publish service (GUI_Publish_User)

    • V3 publish service (V3SOAP_Publish_User_Role)

    • V3 custody transfer service (V3SOAP_CustodyTransfer_User_Role)

    • V3 security service (V3SOAP_Security_User_Role)

    Authentication uses the standard WebSphere security facilities and there is no separate registration function for the UDDI registry. You will need to supply your WebSphere user name and password for publish functions (unless you have modified the supplied publish role).

  • Inquiry services are mapped to the Everyone role, and data confidentiality is not enforced (HTTP is used). The UDDI inquiry services are as follows:

    • Versions 1 and 2 SOAP inquiry service (SOAP_Inquiry_User)

    • EJB inquiry service (EJB_Inquiry_Role)

    • V3 GUI inquiry service (GUI_Inquiry_User)

    • V3 SOAP inquiry service (V3SOAP_Inquiry_User_Role)
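The two default policies above (publish: authenticated users over HTTPS; inquiry: everyone over plain HTTP) are expressed in the Web module's web.xml as security constraints. The fragment below is an illustrative example added here, not the product's own deployment descriptor: the role names SOAP_Publish_User and SOAP_Inquiry_User are those listed above, while the url-pattern values and the BASIC auth-method are assumptions. Binding SOAP_Publish_User to AllAuthenticatedUsers and SOAP_Inquiry_User to Everyone is done in the console (Map security roles to users/groups), as described in the Procedure.

```xml
<!-- Illustrative web.xml fragment (not the shipped UDDI descriptor). -->

<!-- Publish service: only users in SOAP_Publish_User (mapped in the console
     to AllAuthenticatedUsers) and only over SSL (transport-guarantee CONFIDENTIAL). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>UDDI SOAP publish</web-resource-name>
    <url-pattern>/publish</url-pattern>       <!-- assumed path -->
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>SOAP_Publish_User</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL forces HTTPS (port 9443 by default); plain HTTP is redirected/rejected -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Inquiry service: role SOAP_Inquiry_User is mapped in the console to Everyone,
     and transport-guarantee NONE permits plain HTTP. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>UDDI SOAP inquiry</web-resource-name>
    <url-pattern>/inquiry</url-pattern>       <!-- assumed path -->
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>SOAP_Inquiry_User</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Roles referenced above must be declared so WAS can offer them for mapping. -->
<security-role><role-name>SOAP_Publish_User</role-name></security-role>
<security-role><role-name>SOAP_Inquiry_User</role-name></security-role>

<!-- Assumed: WAS user name and password supplied by HTTP Basic authentication. -->
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
```

Changing transport-guarantee to NONE on the publish constraint, or mapping SOAP_Publish_User to Everyone, would let credentials and publish requests travel in clear text and allow anonymous writes, which is why the defaults keep publish authenticated and confidential.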

No further configuration is necessary. However, if you wish to change the default settings, follow the steps below:


Procedure

  1. To change the role mappings, use the administrative console to complete the following steps:

    1. In the navigation pane, click Applications > Enterprise Applications.

    2. In the content pane, click the UDDI Registry application.

    3. Under Additional Properties on the right hand side, click Map security roles to users/groups.

    4. Make any changes you require and click OK.

  2. To change the data confidentiality settings, refer to Configuring SOAP API and GUI services.

Related Tasks

Configuring the UDDI Registry to use UDDI security