Introduction: Security

Explore the key concepts pertaining to securing applications and their environment. WAS plays an integral part of the multiple-tier enterprise computing framework. Based on open architecture, WebSphere Application Server provides many plug-in points to integrate with enterprise software components to provide end-to-end security. Security infrastructure and mechanisms protect J2EE resources and administrative resources, addressing your enterprise security requirements.

Global security

Administrative security determines whether security is used at all, the type of registry against which authentication takes place, and other values, many of which act as defaults. Proper planning is required because incorrectly enabling administrative security can lock you out of the administrative console or cause the server to abend.

Java 2 security

Java 2 security provides a policy-based, fine-grain access control mechanism that increases overall system integrity by checking for permissions before allowing access to certain protected system resources. Java 2 security guards access to system resources such as file I/O, sockets, and properties. Java 2 Platform, Enterprise Edition (J2EE) security guards access to Web resources such as servlets, JSP files and EJB methods.

User registries

WebSphere Application Server provides implementations that support multiple types of registries and repositories including the local operating system registry, a standalone LDAP registry, a standalone custom registry, and federated repositories.

Local operating system user registries

With the registry implementation for the local operating system, the WAS authentication mechanism can use the user accounts database of the local operating system.

Authentication mechanisms

An authentication mechanism defines rules about security information, for example, whether a credential is forwardable to another Java process, and the format of how security information is stored in both credentials and tokens.

Lightweight Directory Access Protocol user registries

WebSphere Application Server security provides and supports the implementation of most major LDAP directory servers, which can act as the repository for user and group information.

Authentication protocol for EJB security

You can choose from two authentication protocols: z/OS Secure Authentication Service (z/SAS) and Common Secure Interoperability V2 (CSIv2).

Authorization technology

Authorization information determines whether a user or group has the necessary privileges to access resources.

Java Authentication and Authorization Service

The Java Authentication and Authorization Service is a standard Java API that supports the Java 2 security authorization to extend the code base on the principal as well as the code base and users.

Secure Sockets Layer

The SSL protocol provides transport layer security with authenticity, integrity, and confidentiality, for a secure connection between a client and server in WebSphere Application Server. The protocol runs above TCP/IP and below application protocols such as Hypertext Transfer Protocol (HTTP), LDAP, and Internet Inter-ORB Protocol (IIOP), and provides trust and privacy for the transport data.

Authentication protocol for EJB security

WebSphere Application Server V6.1 servers support the CSIv2 authentication protocol only. SAS is only supported between v6.x and earlier version servers that have been federated in a V6.1 cell. The option to select between SAS, CSIv2, or both is only available in the administration console when a v6.x or earlier release has been federated in a V6.1 cell.

Identity mapping

Identity mapping is a one-to-one mapping of a user identity between two servers so that the proper authorization decisions are made by downstream servers. Identity mapping is necessary when the integration of servers is needed, but the user registries are different and not shared between the systems.

Plug point for custom password encryption

A plug point for custom password encryption can be created to encrypt and decrypt all passwords in WAS that are currently encoded or decoded using Base64-encoding.

Secure transports with JSSE and JCE programming interfaces

This topic provides detailed information about transport security using Java Secure Socket Extension (JSSE) and Java Cryptography Extension (JCE) programming interfaces. Within this topic, there is a description of the IBM version of the Java Cryptography Extension Federal Information Processing Standard (IBMJCEFIPS).

Web component security

You can develop a Web module and enforce security at the method level of each Web resource.

Security role references

Web application developers or EJB providers that use the available programmatic security J2EE APIs, isUserInRole(String roleName) or isCallerInRole(String roleName), use a role-name in the code.

UDDI registry security additional considerations

In addition to the configuration of UDDI registry security, there a number of other UDDI registry settings which may affect the behavior of the UDDI registry. Some of these settings are security specific, others are points to bear in mind when configuring security.

J2EE connector security

The J2EE connector architecture defines a standard architecture for connecting the J2EE to heterogeneous enterprise information systems (EIS).

Asynchronous messaging - security considerations

This topic describes considerations that you should be aware of if you want to use security for asynchronous messaging with WebSphere Application Server.

Related information
Overview and new features for securing applications and their environment




WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.