Enable global security
Overview
You must enable global security for all other security settings to function.
WAS uses cryptography to protect sensitive data and ensure confidentiality and integrity of communications between WAS and other components in the network. Cryptography is also used by Web Services security when certain security constraints have been configured for the Web Services application.
WebSphere uses JSSE and JCE libraries in the SDK to perform this cryptography. The SDK provides strong but limited jurisdiction policy files. Unrestricted policy files provide the ability to perform full strength cryptography and improve performance.
WAS V6 provides an SDK that contains strong, but limited jurisdiction policy files. You can download the unrestricted policy files for the Windows, Linux, HP-UX, Solaris, and AIX platforms from the following Web site:
IBM developer kit: Security information
Complete the following steps to download and install the new policy files:
- Click Java 1.4.2
- Click IBM SDK Policy files.
The Unrestricted JCE Policy files for SDK 1.4 Web site is displayed.
- Click Sign in and provide your IBM.com ID and password.
- Select Unrestricted JCE Policy files for SDK 1.4.2 and click Continue.
- View the license and click I Agree to continue.
- Click Download Now.
- Extract the unlimited jurisdiction policy files that are packaged in the ZIP file. The ZIP file contains a US_export_policy.jar file and a local_policy.jar file.
- In your WAS installation, go to $JAVA_HOME/jre/lib/security and back up your US_export_policy.jar and local_policy.jar files.
- Replace your US_export_policy.jar and local_policy.jar files with the two files that you downloaded from the IBM.com Web site.
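The backup-and-replace steps above can be scripted so that both jars are saved before either is overwritten and the swap is refused when the ZIP does not contain both files. This is an added example, not IBM's tooling; the function names, the timestamped `.bak` naming and the `restore_policy_backup` helper (for the case where the server will not start afterwards) are this example's own choices.

```python
"""Swap the SDK jurisdiction policy jars in $JAVA_HOME/jre/lib/security (added example)."""
import shutil
import zipfile
from datetime import datetime
from pathlib import Path

# The two jars shipped in the IBM unrestricted policy ZIP.
POLICY_JARS = ("US_export_policy.jar", "local_policy.jar")


def install_unrestricted_policy(zip_path, java_home, now=None):
    """Back up the current policy jars, then extract the unrestricted ones from zip_path.
    Returns the backup paths created; raises before touching anything if the ZIP is incomplete."""
    security_dir = Path(java_home) / "jre" / "lib" / "security"
    if not security_dir.is_dir():
        raise FileNotFoundError(f"no security directory at {security_dir}")
    stamp = (now or datetime.now()).strftime("%Y%m%d%H%M%S")
    backups = []
    with zipfile.ZipFile(zip_path) as zf:
        # The ZIP may nest the jars in a folder, so match on file name only.
        members = {Path(n).name: n for n in zf.namelist() if not n.endswith("/")}
        missing = [jar for jar in POLICY_JARS if jar not in members]
        if missing:
            raise ValueError(f"ZIP is missing {missing}; refusing to replace policy files")
        # Back up both jars first so a half-finished swap is always recoverable.
        for jar in POLICY_JARS:
            current = security_dir / jar
            if current.exists():
                backup = security_dir / f"{jar}.{stamp}.bak"
                shutil.copy2(current, backup)
                backups.append(backup)
        for jar in POLICY_JARS:
            with zf.open(members[jar]) as src, open(security_dir / jar, "wb") as dst:
                shutil.copyfileobj(src, dst)
    return backups


def restore_policy_backup(java_home, stamp):
    """Undo a swap by copying the jars saved under the given stamp back into place.
    Returns the jar paths that were restored."""
    security_dir = Path(java_home) / "jre" / "lib" / "security"
    restored = []
    for jar in POLICY_JARS:
        backup = security_dir / f"{jar}.{stamp}.bak"
        if backup.exists():
            shutil.copy2(backup, security_dir / jar)
            restored.append(security_dir / jar)
    return restored
```

Run it against the WAS SDK's JAVA_HOME with the server stopped; the jars are read when the JVM starts, so the new policy takes effect only after the deployment manager and node agents are restarted.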
Procedure
- Enable global security in WAS.
It is important to click Security > Global security, select the Enable global security option, and save the configuration so that it is stored in the repository. Verify that the validation that occurs after you click OK in the Security > Global security panel succeeds before continuing. If validation fails and you continue with these steps, you risk the server not starting. Reconfigure the security settings until validation succeeds.
- Push a copy of the new configuration to all of the running node agents using the administrative console.
If a node agent fails to get the security-enabled configuration, communication with the deployment manager fails due to a lack of access (the node agent will not be security enabled). To force synchronize a specific node, complete the following steps from the administrative console:
- Go to System administration > Nodes and select the option next to all the nodes (you do not need to select the deployment manager node).
- Click Full resynchronize to verify that the file synchronization has occurred.
The message might indicate that the nodes already are synchronized. This message is OK. When synchronization is initiated, verify that the Synchronized status displays for all nodes.
- Stop the deployment manager.
Manually restart the deployment manager from the command line or service.
- Click System administration > Deployment manager > Stop. This action logs you out of the administrative console and stops the deployment manager process.
- Restart the deployment manager process.
cd install_root/bin
startManager.bat
After the deployment manager initialization is complete, go back into the administrative console to complete this task. Remember that security is now enabled only in the deployment manager. If you enabled single sign-on (SSO), specify the fully qualified domain name of your Web address, for example, http://myhost.domain:9060/ibm/console. When you are prompted for a user ID and password, type the one that you defined as the administrator ID in the configured user registry.
- If the deployment manager does not start after enabling security, disable security by running
cd DeploymentManager/bin
wsadmin.sh -conntype NONE
and then at the prompt enter
securityoff
- Restart all node agents to make them security enabled.
You must have restarted the deployment manager in a previous step before completing this step. If the node agent is security-enabled before the deployment manager is security-enabled, then the deployment manager cannot query the node agent for status or give the node agent commands.
To stop all node agents...
- Go to System administration > Node agents and select the option beside all node agents.
Click Restart. A message similar to the following example is displayed at the top of the panel: The node agent on node NODE NAME was restarted successfully.
- Alternatively, if you previously did not stop your application servers, restart all of the servers within any given node by clicking System administration > Node agents and by clicking the node agents where you want to restart all the servers. Then, click Restart all Servers on Node. This action restarts the node agent and any started application servers.
- If any node agent fails to restart, perform a manual resynchronization of the configuration.
This step consists of going to the physical node and running the client syncNode command. This client logs into the deployment manager and copies all of the configuration files to the node agent. This action ensures that the configuration is security-enabled.
To resynchronize...
- If the node agent is started, but is not communicating with the deployment manager, stop the node agent by issuing a stopServer
See also
Global security settings
Global security and server security
Java 2 security policy files
Java 2 security
Related Tasks
Configuring user registries
Configuring Lightweight Third Party Authentication