Server-level security settings


To enable server-level security and specify other server-level security configurations.

Deprecated feature: Server level security has been deprecated in this release of WAS. Multiple security domain support has been added in its place. We can create different security configurations and assign them to different applications in WebSphere® Application Server processes. By creating multiple security domains, we can configure different security attributes for both administrative and user applications within a cell environment. You can configure different applications to use different security configurations by assigning the servers or clusters or SIBuses that host these applications to the security domains. Read about Multiple security domains for more detailed information.depfeat following steps:

  1. Click Servers > Server Types > WebSphere application servers > myserver.

  2. Click Security > Security domain.

Security settings for this server override cell settings

The settings on this panel override the settings on the Security > Security applications, administration, and infrastructure panel.

Enable application security

Specifies that server security is disabled, by default, when application security is enabled. Administrative (admin console and wsadmin) and naming security remain enabled while application security is enabled, regardless of the status of this flag.

Default Disabled

Use Java 2 security to restrict application access to local resources

The server enforces Java™ 2 security permission checking at the server level. When cleared, the Java 2 server-level security manager is not installed and all of the Java 2 security permission checking is disabled at the server level.

If the application policy file is not set up correctly, see Set the was.policy file for Java 2 security in the information center.

Default Disabled

Warn if applications are granted custom permissions

Whether a warning is issued during application installation when an application requires a Java 2 permission that is normally not granted to an application.

The appserver provides support for policy file management. A number of policy files are included in the appserver. Some of these policy files are static and some of them are dynamic. Dynamic policy is a template of permissions for a particular type of resource. In dynamic policy files, the code bases are evaluated at runtime using the configuration data. We can add or remove permissions, as needed, for each code base.

However, do not add, remove, or modify the existing code bases. The real code base is dynamically created from the configuration and run-time data. The filter.policy file contains a list of permissions that an application does not have, according to the J2EE 1.4 Specification.

See on permissions, see the documentation on the Java 2 security policy files.

Default Enabled

Restrict access to resource authentication data

Enable this option to restrict application access to sensitive Java Connector Architecture (JCA) mapping authentication data.

Default Disabled

Use domain-qualified user names

Whether user IDs that are returned by getUserPrincipal() are qualified with the server level security domain within which they reside.

Default Disabled

Note that WebSphere APIs such as WSSubject.getPrincipal( ) always return the unqualified user names irrespective of this property.

Authentication cache timeout

Time period during which the authenticated credential in the cache is valid. This time period must be less than the time period specified for the Timeout value for forwarded credentials between servers field.

Data type Integer
Units Minutes and seconds
Default 10 minutes and 0 seconds
Range Greater than 30 seconds. Avoid setting Authentication cache timeout value to 30 seconds or less.

Active protocol

Active server level security authentication protocol when server level security is enabled.

We can use an Object Management Group (OMG) protocol called CSIv2 (CSIv2) for more vendor interoperability and additional features. If all of the servers in the entire security domain are V5.0 servers, it is best to specify CSI as your protocol.

This field displays if a version 6.0.x server exists in the environment.

Data type String
Default CSI and SAS
Range CSI, CSI and SAS

RMI/IIOP security for this server overrides cell settings

The Remote Method Invocation over Internet InterORB Protocol (RMI/IIOP) settings on this panel override the settings on the Security > Security applications, administration, and infrastructure panel.

Default Enabled





 

Related tasks


Set the was.policy file for Java 2 security
Secure specific appservers