Security considerations when adding a base Application Server node to ND
The major security issue when adding a node to the cell is whether the user registries between the base appserver and the deployment manager are the same.
When adding a node to the cell, you automatically inherit both the user registry and the authentication mechanism of the cell.
For distributed security, all servers in the cell must use the same user registry and authentication mechanism. To recover from a user registry change, modify the applications so that the user and group-to-role mappings are correct for the new user registry.
Another important consideration is the SSL public-key infrastructure. Prior to performing the addNode command with the dmgr, verify that addNode.sh can communicate as an SSL client with the dmgr. This communication requires that the addNode truststore configured in sas.client.props contains the signer certificate of the dmgr personal certificate, as found in the keystore and specified in the admin console.
The following issues require consideration when running addNode.sh with security:
- When attempting to run system management commands such as addNode.sh, we need to explicitly specify admin credentials to perform the operation.
The addNode command accepts -username and -password parameters to specify the user ID and password, respectively. The user ID and password specified must be for an admin user; for example, a user that is a member of the console users with Administrator privileges or the administrative user ID configured in the user registry. An example of addNode.sh follows:
addNode CELL_HOST 8879 -includeapps -username user -password pass
The -includeapps parameter is optional, but this option attempts to include the server applications into the Deployment Manager.
The addNode command might fail if the user registries used by WAS and the dmgr are not the same. To correct this problem, either make the user registries the same or turn off security. If we change the user registries, remember to verify that the users-to-roles and groups-to-roles mappings are correct.
- Add a secured remote node through the admin console is not supported.
We can either disable security on the remote node before performing the operation or perform the operation from the command line using the addNode script.
- Before running addNode.sh, verify that the truststore files on the nodes can communicate with the keystore files from the deployment manager and vice versa. When using the default DummyServerKeyFile and DummyServerTrustFile, you should not see this problem as these are already able to communicate.
However, never use these dummy files in a production environment or anytime sensitive data is being transmitted.
- When a client from a previous release tries to use the add node command to federate to a 7.0 dmgr, the client must first obtain signers for a successful handshake.
- After running addNode.sh, the appserver is in a new SSL domain. It might contain SSL configurations that point to keystore and truststore files that are not prepared to interoperate with other servers in the same domain. Consider which servers are intercommunicating and verify the servers are trusted within the truststore files.
Proper understanding of the security interactions between distributed servers greatly reduces problems that are encountered with secure communications. Security adds complexity because additional function needs management. Security needs thorough consideration during the planning of the infrastructure. This document helps to reduce the problems that can occur because of inherent security interactions.
When we have security problems that are related to the WAS ND environment, see Troubleshooting security configurations to find additional information about the problem. When trace is needed to solve a problem because servers are distributed, it is often required to gather trace on all servers simultaneously while recreating the problem. This trace can be enabled dynamically or statically, depending on the type of problem that is occurring.
Related conceptsSecure installation for client signer retrieval
New features for securing applications and their environment
Related tasksTask overview: Securing resources