Enable security

For WAS V6.1, administrative security is enabled by default whenever a new profile is created, either during...

You can also choose not to enable administrative security at profile creation time and instead enable it afterwards from the console, which is the procedure described here.

 

Procedure

  1. Start the WAS console.

    Start the deployment manager and, in your browser, type in the address of your WAS ND server. By default, the console is located at...

    http://your_host.your_domain:9060/ibm/console

    If security is currently disabled, you are prompted for a user ID. Log in with any user ID. However, if security is currently enabled, you are prompted for both a user ID and a password. Log in with a predefined administrative user ID and password.

  2. Click...

    Security | Secure administration, applications, and infrastructure

    Use the Security Configuration Wizard available in version 6.1 to configure security, or do it manually. The configuration order is not important.

  3. Configure the user account repository.

    On the Secure administration, applications, and infrastructure panel, you can configure user account repositories such as federated repositories, local operating system, standalone LDAP registry, and standalone custom registry.

    You can choose to specify either a server ID and password for interoperability or enable a WAS 6.1 installation to automatically generate an internal server ID. For more information about automatically generating server IDs, see Local operating system settings.

    One detail common to all user registries and repositories is the Primary administrative user name. This ID must exist in the chosen repository, but it also has special privileges in WAS: it holds the same privileges as an ID mapped to the administrator role and can call all of the protected administrative methods.

    [Windows] The ID must not be the same name as the machine name of your system because the repository sometimes returns machine-specific information when querying a user of the same name.

    In standalone LDAP registries, verify that the Primary administrative user name is a member of the repository and not just the LDAP administrative role ID. The entry must be searchable.

    The Primary administrative user name does not run the WAS processes. The processes run under the process ID, that is, the operating-system user account under which the server process is started.

    The process ID is determined by how the process starts. If you start a process from a command line, the process ID is the user ID that is logged in to the system. If the process runs as a service, the process ID is the account configured to run the service, not the interactively logged-in user. If you choose the local operating system registry, the process ID needs special privileges to call the operating system APIs that authenticate users. The process ID must have the following platform-specific privileges:

    • [Windows] Act as Part of Operating System privileges

    • [AIX HP-UX Solaris] Root privileges

  4. Select the Set as current option after you configure the user account repository. When you click Apply and the Enable administrative security option is set, a verification occurs to see if an administrative user ID has been configured and is present in the active user registry. The administrative user ID can be specified at the active user registry panel or from the console users link. If you do not configure an administrative ID for the active user registry, the validation fails.

    When you switch user registries, remove the administrative IDs and application names that belonged to the old registry from the admin-authz.xml file. Every ID that remains in admin-authz.xml but does not exist in the current user registry produces exceptions in the logs.

  5. Configure the authentication mechanism.

    Configure Lightweight Third-Party Authentication (LTPA), the default authentication mechanism, on the Authentication mechanisms and expiration panel. LTPA credentials can be forwarded to other machines. For security reasons, credentials expire; you can configure the expiration time in the console. LTPA credentials let a browser visit different product servers without authenticating again. For more information, see Configure the LTPA mechanism.

    If you want SSO support, which provides the ability for browsers to visit different product servers without having to authenticate multiple times, see Implementing single sign-on to minimize Web user authentications. For form-based login, configure SSO when using LTPA.

  6. Optional: Import and export the LTPA keys for cross-cell single sign-on (SSO) between cells. For more information, see the following articles:

  7. Configure the authentication protocol for special security requirements from Java clients, if needed. You can configure Common Secure Interoperability V2 (CSIv2) through links on the Secure administration, applications, and infrastructure panel. The Secure Authentication Service (SAS) protocol is provided for backwards compatibility with previous product releases, but it is deprecated. Links to the SAS protocol panels display on the Secure administration, applications, and infrastructure panel only if your environment contains servers that use previous versions of WAS and support the SAS protocol. For details on configuring CSIv2 or SAS, see the article Configure RMI over IIOP.

    [This information applies to V6.0.x and earlier servers only that are federated in a V6.1 cell.] SAS is supported only between V6.0.x and earlier servers federated in a V6.1 cell. IBM no longer ships or supports the SAS IIOP security protocol and recommends that you use the CSIv2 protocol.

    Modify or create a default SSL configuration. SSL protects the confidentiality and integrity of messages sent across the network. WAS provides a single location where you can specify SSL configurations that the various WAS features that use SSL can share, including the LDAP registry, the Web container and the authentication protocols (CSIv2 and SAS). For more information, see Creating a Secure Sockets Layer configuration. After you modify a configuration or create a new one, specify it on the SSL configurations panel. To get to the SSL configurations panel...

    1. Click...

      Security | SSL certificate and key management | Configuration settings | Manage endpoint security configurations | configuration_name | Related items | SSL configurations

    You can either edit the DefaultSSLConfig file or create a new SSL configuration with a new alias name. If you create a new alias name for your new keystore and truststore files, change every location that references the DefaultSSLConfig SSL configuration alias. The following list specifies the locations of where the SSL configuration repertoire aliases are used in the WAS configuration.

    For any transports that use the new network input/output channel chains, including HTTP and JMS, you can modify the SSL configuration repertoire aliases in the following locations for each server:

    • Click...

      Servers | Application servers | server | Communications | Ports

      Locate a transport chain where SSL is enabled and click...

      View associated transports | transport_channel_name | Transport Channels | SSL Inbound Channel (SSL_2)

    • Click...

      System administration | Deployment manager | Additional properties | Ports

      Locate a transport chain where SSL is enabled and click...

      View associated transports | transport_channel_name | Transport Channels | SSL Inbound Channel (SSL_2)

    • Click...

      System administration | Node agents | node_agent_name | Additional properties | Ports

      Locate a transport chain where SSL is enabled and click...

      View associated transports | transport_channel_name | Transport Channels | SSL Inbound Channel (SSL_2)

    For the Object Request Broker (ORB) SSL transports, the SSL configuration repertoire aliases are set at the server level for WAS and WAS Express and at the cell level for WAS ND.

    For the ORB SSL transports on the server level for WAS ND, you can modify the SSL configuration repertoire aliases in the following locations:

    • Click...

      Servers | Application servers | server | Security | Server security | CSIv2 inbound transport

    • Click...

      Servers | Application servers | server | Security | Server security | CSIv2 outbound transport

    • [This information applies to V6.0.x and earlier servers only that are federated in a V6.1 cell.] Click...

      Servers | Application servers | server | Security | Server security | SAS inbound transport

    • [This information applies to V6.0.x and earlier servers only that are federated in a V6.1 cell.] Click...

      Servers | Application servers | server | Security | Server security | SAS outbound transport

    For the SOAP JMX administrative transports, you can modify the SSL configurations repertoire aliases by clicking...

    Servers | Application servers | server | Server infrastructure | Administration | Administration services | Additional properties | JMX connectors | SOAPConnector | Additional properties | Custom properties

    To point the sslConfig property to a new alias, click New and type sslConfig in the name field, and its value in the Value field.

    For additional SOAP JMX administrative transports for WAS ND, you can modify the SSL configuration repertoire aliases in the following locations:

    • Click...

      System administration | Deployment manager | Additional properties | Administration services | Additional properties | JMX connectors | SOAPConnector | Additional properties | Custom properties

      To point the sslConfig property to a new alias, click sslConfig and select an alias in the Value field.

    • Click...

      System administration | Node agents | node_agent_name | Additional properties | Administration services | Additional properties | JMX connectors | SOAPConnector | Additional properties | Custom properties

      To point the sslConfig property to a new alias, click New and type sslConfig in the name field, and its value in the Value field.

    For the LDAP SSL transport, you can modify the SSL configuration repertoire aliases by clicking...

    Security | Secure administration, applications, and infrastructure | User account repository | Available realm definitions drop-down list | Standalone LDAP registry

  8. Click...

    Security | Secure administration, applications, and infrastructure

    ...to configure the rest of the security settings and enable security.

    For additional information, see Server and administrative security.

  9. Validate the completed security configuration by clicking OK or Apply. If problems occur, they display at the top of the console page in red type.

  10. If there are no validation problems, click Save to save the settings to a file that the server uses when it restarts. Saving writes the settings to the configuration repository.

    If you do not click Apply or OK in the Secure administration, applications, and infrastructure panel before you click Save, your changes are not written to the repository. Saved changes take effect only after the server is restarted.

    The save action enables the deployment manager to use the changed settings after WAS is restarted. For more information, see Enabling security for the realm. A Deployment manager configuration differs from a stand-alone base appserver. The configuration is stored temporarily in the deployment manager until it is synchronized with all of the node agents.

    Also, verify that all of the node agents are up and running in the domain. Stop all appservers during this process. If any of the node agents are down, run a manual file synchronization utility from the node agent machine to synchronize the security configuration from the deployment manager. Otherwise, the malfunctioning node agent does not communicate with the deployment manager after security is enabled on the deployment manager.

  11. Restart the deployment manager so that the saved settings take effect, then start the WAS console.

    In your browser, type in the address of your WAS ND server. By default, the console is located at...

    http://your_host.your_domain:9060/ibm/console

    If security is currently disabled, log in with any user ID. If security is currently enabled, the console redirects you to its HTTPS port (9043 by default) and you must log in with a predefined administrative ID and password. This ID is typically the Primary administrative user name that you specified when you configured the user registry. If the login succeeds and the console no longer accepts an arbitrary user ID, administrative security is active.
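The same procedure can be driven from wsadmin instead of the console, which is what you want for repeatable builds. The following Jython script is an added example, not IBM's own script or part of this page: it configures a standalone LDAP registry (step 3), sets it as current and enables administrative security (step 4), sets the LTPA timeout (step 5), exports the LTPA keys (step 6), saves, and synchronizes every node agent before the deployment manager restart (step 10). The host name, base DN, bind DN, IDs and passwords are placeholders, and the command and parameter names are taken from the 6.1 SecurityConfigurationCommands group as the author remembers them; confirm each one with AdminTask.help('SecurityConfigurationCommands') and AdminTask.help('configureAdminLDAPUserRegistry') on your installation before running it.

```jython
# Scripted equivalent of steps 3-10 for a WAS ND 6.1 deployment manager.
# Run with:  wsadmin.sh -lang jython -f enableSecurity.py
# Added example, not IBM's script. All values below are placeholders (assumed);
# verify every AdminTask command and parameter with AdminTask.help(...) first.

LDAP_HOST     = 'ldap.example.com'                 # assumed
LDAP_PORT     = '389'
BASE_DN       = 'ou=people,dc=example,dc=com'      # assumed
BIND_DN       = 'cn=wasbind,dc=example,dc=com'     # assumed, read-only bind account
BIND_PWD      = 'CHANGE_ME'
PRIMARY_ADMIN = 'wasadmin'   # must be a real, searchable entry under BASE_DN
LTPA_KEY_FILE = 'file:/tmp/cell1-ltpa.key'
LTPA_KEY_PWD  = 'CHANGE_ME'

# Step 3: configure the standalone LDAP registry as the administrative registry.
# -autoGenerateServerId lets WAS create its internal server ID instead of a
# server ID/password pair; -verifyRegistry checks that PRIMARY_ADMIN exists.
AdminTask.configureAdminLDAPUserRegistry(
    '[-ldapServerType IBM_DIRECTORY_SERVER -ldapHost %s -ldapPort %s '
    '-baseDN %s -bindDN %s -bindPassword %s -primaryAdminId %s '
    '-autoGenerateServerId true -verifyRegistry true]'
    % (LDAP_HOST, LDAP_PORT, BASE_DN, BIND_DN, BIND_PWD, PRIMARY_ADMIN))

# Step 4: set the LDAP registry as current and enable administrative security.
# Application security and Java 2 security stay off here; enable them once
# administrative login is verified.
AdminTask.setAdminActiveSecuritySettings(
    '[-activeUserRegistry LDAPUserRegistry -enableGlobalSecurity true '
    '-activeAuthMechanism LTPA -appSecurityEnabled false '
    '-enforceJava2Security false]')

# Step 5: LTPA token lifetime in minutes (the product default is 120).
AdminTask.setLTPATimeout('[-timeout 120]')

# Step 6 (optional): export the LTPA keys for cross-cell SSO. The file is
# password protected; import it into the other cell with importLTPAKeys.
AdminTask.exportLTPAKeys('[-ltpaKeyFile %s -password %s]' % (LTPA_KEY_FILE, LTPA_KEY_PWD))

# Step 9/10: validation happens inside the commands above (they raise on
# failure); save, then push the configuration to every running node agent so
# that no node is left with the old, unsecured settings after the restart.
AdminConfig.save()

dmgrNode = AdminControl.getNode()          # the deployment manager's own node has no node agent
for node in AdminConfig.list('Node').splitlines():
    nodeName = AdminConfig.showAttribute(node, 'name')
    if nodeName == dmgrNode:
        continue
    sync = AdminControl.completeObjectName('type=NodeSync,node=%s,*' % nodeName)
    if sync:
        AdminControl.invoke(sync, 'sync')
        print 'synchronized node', nodeName
    else:
        print 'WARNING: node agent on', nodeName, 'is not running;',
        print 'run syncNode on that machine before restarting the deployment manager'
```

After the script completes, restart the deployment manager (step 11) and confirm that the console now rejects an arbitrary user ID. Keep the bind password and the LTPA key password out of the script in real use (wsadmin can read them from a properties file or prompt for them); the literals here are only for illustration.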

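Step 4 warns that IDs left in admin-authz.xml after a registry switch cause exceptions, and that validation fails if the primary administrative ID is not in the active registry. The following Python script is an added example, not IBM's code or part of this page: it parses a constructed admin-authz.xml, reports every user or group mapping whose name is not in the new registry, can strip those mappings, and checks that the primary administrative user is present. The element and attribute layout (authorizations elements holding users and groups with a name attribute, roles elements resolved through the role attribute) is modelled on the 6.1 file as the author recalls it and is an assumption; check it against your own profile's admin-authz.xml. The registry membership is passed in as plain sets, so the check runs offline.

```python
"""Find and strip stale role mappings in admin-authz.xml after a registry switch.

Added example, not IBM code. The XML layout below is assumed from a WAS 6.1
admin-authz.xml; adjust the tag/attribute names if your file differs.
"""
import xml.etree.ElementTree as ET

XMI_NS = "http://www.omg.org/XMI"
AUTHZ_NS = "http://www.ibm.com/websphere/appserver/schemas/5.0/rolebasedauthz.xmi"
XMI = "{%s}" % XMI_NS

# Keep the original prefixes when the cleaned file is written back out.
ET.register_namespace("xmi", XMI_NS)
ET.register_namespace("rolebasedauthz", AUTHZ_NS)

# Constructed sample modelled on admin-authz.xml (structure assumed, not from the page).
SAMPLE_ADMIN_AUTHZ = """<?xml version="1.0" encoding="UTF-8"?>
<rolebasedauthz:AuthorizationTableExt xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:rolebasedauthz="http://www.ibm.com/websphere/appserver/schemas/5.0/rolebasedauthz.xmi"
    xmi:id="AuthorizationTableExt_1" context="domain">
  <authorizations xmi:id="RoleAssignmentExt_1" role="SecurityRoleExt_1">
    <users xmi:id="UserExt_1" name="wasadmin"/>
    <users xmi:id="UserExt_2" name="olduser"/>
    <groups xmi:id="GroupExt_1" name="Administrators"/>
  </authorizations>
  <authorizations xmi:id="RoleAssignmentExt_2" role="SecurityRoleExt_2">
    <users xmi:id="UserExt_3" name="monitor1"/>
  </authorizations>
  <roles xmi:id="SecurityRoleExt_1" roleName="administrator"/>
  <roles xmi:id="SecurityRoleExt_2" roleName="monitor"/>
</rolebasedauthz:AuthorizationTableExt>
"""


def _role_table(root):
    """Map each role's xmi:id to its human-readable roleName."""
    return {r.get(XMI + "id"): r.get("roleName") for r in root.findall("roles")}


def _lower(names):
    # Most registries are configured with ignoreCase=true; compare case-insensitively.
    return {n.lower() for n in names}


def stale_mappings(xml_text, registry_users, registry_groups):
    """Return [(role, 'user'|'group', name)] for mappings absent from the new registry."""
    root = ET.fromstring(xml_text)
    roles = _role_table(root)
    users, groups = _lower(registry_users), _lower(registry_groups)
    stale = []
    for auth in root.findall("authorizations"):
        role = roles.get(auth.get("role"), auth.get("role"))
        for u in auth.findall("users"):
            if u.get("name", "").lower() not in users:
                stale.append((role, "user", u.get("name")))
        for g in auth.findall("groups"):
            if g.get("name", "").lower() not in groups:
                stale.append((role, "group", g.get("name")))
    return stale


def strip_stale(xml_text, registry_users, registry_groups):
    """Remove stale user/group elements; return (cleaned_xml, number_removed)."""
    root = ET.fromstring(xml_text)
    users, groups = _lower(registry_users), _lower(registry_groups)
    removed = 0
    for auth in root.findall("authorizations"):
        doomed = [u for u in auth.findall("users") if u.get("name", "").lower() not in users]
        doomed += [g for g in auth.findall("groups") if g.get("name", "").lower() not in groups]
        for el in doomed:          # collect first, then remove, so iteration stays valid
            auth.remove(el)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def primary_admin_present(registry_users, primary_admin):
    """The step 4 validation: the primary administrative ID must be in the active registry."""
    return primary_admin.lower() in _lower(registry_users)


if __name__ == "__main__":
    new_users, new_groups = {"wasadmin", "monitor1"}, {"wasadmins"}
    for role, kind, name in stale_mappings(SAMPLE_ADMIN_AUTHZ, new_users, new_groups):
        print("stale %s %r mapped to role %s" % (kind, name, role))
    cleaned, n = strip_stale(SAMPLE_ADMIN_AUTHZ, new_users, new_groups)
    print("removed %d mapping(s); primary admin present: %s"
          % (n, primary_admin_present(new_users, "wasadmin")))
```

Run it against a copy of profile_root/config/cells/cell_name/admin-authz.xml with the user and group names exported from the new registry; the deployment manager should be stopped while the file is edited, and a mapping for the primary administrative user must always remain on the administrator role.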


Administrative security
Application security
Java 2 security
Enabling security for the realm
Testing security after enabling it
The Security Configuration Wizard

 

Related concepts

Java 2 security

 

Related tasks

Selecting a registry or repository
Configure the LTPA mechanism

 

Related Reference

Java 2 security policy files
Secure administration, applications, and infrastructure settings