Secure your environment after installation
WAS depends on several configuration files that are created during installation. These files contain password information and need protection. Although the files are protected to a limited degree during installation, this basic level of protection is probably not sufficient for your site. You should verify that these files are protected in compliance with the policies of your site.
a Kerberos keytab configuration file contains a list of keys that are analogous to user passwords. It is important for hosts to protect their Kerberos keytab files by storing them on the local disk, which makes them readable only by authorized users.
The files in...
app_server_root/profiles/profile/config
app_server_root/profiles/profile/properties
...except for those in the following list, need protection.
For example, give permission to the user who logs onto the system for WAS primary administrative tasks. Other users or groups, such as WAS console users and console groups need permissions as well.
The files in...
app_server_root/profiles/profile/properties
...that should not be protected are...
- TraceSettings.properties
- client.policy
- client_types.xml
- sas.client.props
- sas.stdclient.properties
- sas.tools.properties
- soap.client.props
- wsadmin.properties
- wsjaas_client.conf
- sas.server.props
- server.policy
- ssl.client.props
- was.policy
Procedure
-
![[Windows]](../../windows.gif)
Secure files on a Windows system:
- Open the browser for a view of the files and directories on the machine.
- Locate and right-click the file or the directory to protect.
- Click Properties.
- Click the Security tab.
- Remove the Everyone entry and any other user or group that you do not want to have access to the file.
- Add the users who can access the files with the proper permission.
- Open the browser for a view of the files and directories on the machine.
-
![[AIX HP-UX Solaris]](../../unix.gif)
Secure files on UNIX systems. This procedure applies only to the ordinary
UNIX file system. If your site uses access-control lists, secure the files by using that mechanism. Any site-specific requirements can affect the owner, group, and corresponding privileges; for example, on the AIX platform.
- Go to the install_root directory and change the ownership of the directory configuration and properties to the user who logs onto the system for WAS primary administrative tasks. Run the following command:
chown -R logon_name directory_name
...Where:
- login_name is a specified user or group
- directory_name is the name of the directory that contains the files
IBM recommends that you assign ownership of the files that contain password information to the user who runs the appserver. If more than one user runs the appserver, provide permission to the group in which the users are assigned in the user registry.
- Set up the permission...
chmod -R 770 directory_name
- Go to the app_server_root/profiles/profile/properties directory and set the file permissions. Set the access permissions for the following files as it pertains to your security guidelines:
- TraceSettings.properties
- client.policy
- client_types.xml
- sas.client.props
- sas.stdclient.properties
- sas.tools.properties
- soap.client.props
- wsadmin.properties
- wsjaas_client.conf
For example, you might...
chmod 770 file_name
...where file_name is the name of the file listed previously in...
install_root/profiles/profile_name/properties
These files contain sensitive information such as passwords.
- Create a group for WAS and put the users who perform full or partial WAS administrative tasks in that group.
- To use WebSphere MQ as a Java Messaging Service (JMS) provider, restrict access to the /var/mqm directories and log files used. Give write access to the user ID mqm or members of the mqm user group only.
- Go to the install_root directory and change the ownership of the directory configuration and properties to the user who logs onto the system for WAS primary administrative tasks. Run the following command:
Results
After securing your environment, only the users with permission can access the files. Failure to adequately secure these files can lead to a breach of security in your WAS applications.
What to do next
If failures occur that are caused by file accessing permissions, check the permission settings.
Related tasks
Preparing for security at installation time