Enable security for the realm


Overview

You must enable admin security for all other security settings to function.

 

Unrestricted policy files

WAS uses cryptography to protect sensitive data and to ensure confidentiality and integrity of communications between WAS and other components in the network. Cryptography is also used by WS-Security when certain security constraints are configured for the Web Services application.

WAS uses JSSE and JCE libraries in the SDK to perform this cryptography. The SDK provides strong, but limited, jurisdiction policy files.

Unrestricted policy files provide the ability to...

Fix packs that include updates to the SDK might overwrite unrestricted policy files. Back up unrestricted policy files before you apply a fix pack and reapply these files after the fix pack is applied. WAS provides an SDK 6 that contains strong, but limited, jurisdiction policy files.


Download and install unrestricted policy files

  1. Go to...

  2. Click Java SE 6

  3. Scroll down the page then click IBM SDK Policy files.

    The Unrestricted JCE Policy files for SDK 6 Web site displays.

  4. Click Sign in and provide the ibm.com ID and password.

  5. Select Unrestricted JCE Policy files for SDK 6 and click Continue.

  6. View the license and click I Agree to continue.

  7. Click Download Now.

  8. Extract the unlimited jurisdiction policy files that are packaged in the ZIP file. The ZIP file contains...

    • US_export_policy.jar
    • local_policy.jar

  9. In the WAS installation, go to...

    $JAVA_HOME/jre/lib/security

    ...and back up US_export_policy.jar and local_policy.jar.

  10. Replace US_export_policy.jar and local_policy.jar with the two files downloaded from ibm.com.
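
The backup-and-reapply routine described above, written as a shell helper that also detects when a fix pack has overwritten the unrestricted files. This is an added example, not IBM-supplied code; the function names and the policy.sha256 manifest are assumptions.

```shell
#!/bin/sh
# Added example (not IBM code): function and manifest names are assumptions.
POLICY_JARS="US_export_policy.jar local_policy.jar"

# Print the SHA-256 of a file (sha256sum where available, else shasum).
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# backup_policy SECURITY_DIR BACKUP_DIR
# Copy both jars to BACKUP_DIR and record their hashes in a manifest.
backup_policy() {
    sec_dir=$1; bak_dir=$2
    mkdir -p "$bak_dir" || return 1
    : > "$bak_dir/policy.sha256"
    for jar in $POLICY_JARS; do
        [ -f "$sec_dir/$jar" ] || { echo "missing: $sec_dir/$jar" >&2; return 1; }
        cp -p "$sec_dir/$jar" "$bak_dir/$jar" || return 1
        echo "$(file_hash "$bak_dir/$jar")  $jar" >> "$bak_dir/policy.sha256"
    done
}

# policy_changed SECURITY_DIR BACKUP_DIR
# Return 0 (and name the jar on stderr) if a live jar differs from the backup.
policy_changed() {
    sec_dir=$1; bak_dir=$2; changed=1
    while read -r want jar; do
        [ -f "$sec_dir/$jar" ] && have=$(file_hash "$sec_dir/$jar") || have=absent
        if [ "$have" != "$want" ]; then
            echo "changed: $jar" >&2
            changed=0
        fi
    done < "$bak_dir/policy.sha256"
    return $changed
}

# restore_policy SECURITY_DIR BACKUP_DIR
# Reapply the backed-up jars after the fix pack has been applied.
restore_policy() {
    sec_dir=$1; bak_dir=$2
    for jar in $POLICY_JARS; do
        cp -p "$bak_dir/$jar" "$sec_dir/$jar" || return 1
    done
}
```

Run backup_policy "$JAVA_HOME/jre/lib/security" with a backup directory before applying the fix pack, then policy_changed with the same arguments afterwards. A zero exit status means at least one jar was replaced, and restore_policy puts the saved copies back.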

 

Enable Security

  1. Enable administrative security in WAS.

    Go to...

      Security | Global security

    Select an available realm definition from the list, and then click...

      Set as current

    Save the configuration to the repository. Validation should occur during the save. If the validation is not successful and you continue with these steps, you risk the server not starting. Re-configure the security settings until validation is successful.

  2. Send a copy of the new configuration to all of the running node agents using the admin console.

    If a node agent fails to get the security-enabled configuration, communication with the dmgr fails because of a lack of access: the node agent is not security-enabled.

    To force synchronization of a specific node...

    1. Click...

      ...and select the option next to all the nodes. You do not need to select the deployment manager node.

    2. Click Full resynchronize to verify that the file synchronization has occurred. The message might indicate that the nodes already are synchronized. This message is OK. When synchronization is initiated, verify that the Synchronized status displays for all nodes.

  3. Stop the deployment manager and then manually restart the dmgr from the command line or service.

    To stop the dmgr, click...

    This action logs you out of the admin console and stops the dmgr process.

  4. Restart the deployment manager process.

      cd WAS_HOME/bin
      startManager.sh

    After the dmgr initialization is complete, go back into the admin console to complete this task. Remember that security is now enabled only in the dmgr. If SSO is enabled, specify the fully qualified domain name of the Web address, for example...

      http://myhost.domain:port_number/ibm/console

    When you are prompted for a user ID and password, type the one that you defined as the administrator ID in the configured user registry.

  5. If the deployment manager does not start after enabling security, disable security and restart.

    To disable security...

      cd DeploymentManager/bin
      ./wsadmin.sh -conntype NONE

    At the prompt, enter securityoff.

  6. Restart all node agents to make them security enabled. You must have restarted the dmgr in a previous step before completing this step. If the node agent is security-enabled before the dmgr is security-enabled, the dmgr cannot query the node agent for status or give the node agent commands.

    To stop all node agents...

    1. Go to...

      ...and select the option beside all node agents. Click Restart. A message similar to the following example is displayed at the top of the panel: The node agent on node NODE NAME was restarted successfully.

    2. Alternatively, if you did not previously stop the application servers, restart all of the servers within any given node by clicking...

      ...and by clicking the node agents where you want to restart all the servers. Click Restart all Servers on Node. This action restarts the node agent and any started application servers.

  7. If any node agent fails to restart, perform a manual resynchronization of the configuration.

    This step consists of going to the physical node and running the client syncNode command. This client logs into the deployment manager and copies all of the configuration files to the node agent. This action ensures that the configuration is security-enabled. If the node agent is started, but is not communicating with the deployment manager, stop the node agent by issuing the stopServer command.

