Server and administrative security
The term administrative security refers to the authentication of users who use the WebSphere administration functions, the use of SSL, and the choice of user account repository.
(zos) When you configure a Local OS user registry, it uses the Resource Access Control Facility (RACF), or another System Authorization Facility (SAF)-compliant, user database. Selecting the Local OS user registry as the active registry lets you use z/OS SAF functions directly with the WAS principals:
- Share identities with many other z/OS connector services
- Use SAF delegation, which minimizes the need to store user IDs and passwords in many locations in the configuration
- Use more audit capabilities
These functions are available with other registries, but they require identity mapping through modifications to the WAS system login configuration and Java Authentication and Authorization Service (JAAS) login modules. For more information, see Update system login configurations to perform a System Authorization Facility identity user mapping.
In some cases, the realm can be the machine name of a Local OS user registry. In this case, all application servers must reside on the same physical machine. In other cases, the realm can be the machine name of an LDAP user registry. Because LDAP is a distributed user registry, this allows a multiple-node configuration in a WAS Network Deployment environment. The basic requirement for a security domain is that the access ID returned by the registry from one server within the security domain is the same access ID returned by the registry on any other server within the same security domain. The access ID is the unique identification of a user and is used during authorization to determine whether access to the resource is permitted.
Configuration of administrative security for a security domain consists of configuring the common user registry, the authentication mechanism, and other security information that defines the behavior of a security domain. The other security information configured includes the following components:
- Java 2 Security Manager
- Java Authentication and Authorization Service (JAAS)
- Java 2 Connector authentication data entries
- Common Secure Interoperability Version 2 (CSIv2) and Secure Authentication Service (SAS) authentication protocol (Remote Method Invocation over the Internet Inter-ORB Protocol (RMI/IIOP) security)
- (zos) Common Secure Interoperability Version 2 (CSIv2) and z/OS Secure Authentication Service (z/SAS) authentication protocol (Remote Method Invocation over the Internet Inter-ORB Protocol (RMI/IIOP) security)
- Other miscellaneous attributes.
We can override some portions of the configuration at the server level.
Where multiple nodes and multiple servers within a node are possible, we can configure certain attributes at the server level. The attributes that are configurable at the server level include security enablement for the server, Java 2 security manager enablement, and the CSIv2/SAS authentication protocol (RMI/IIOP security). We can disable security on individual application servers while administrative security is enabled; however, we cannot enable security on an individual application server while administrative security is disabled.
(zos) Where multiple nodes and multiple servers within a node are possible, we can configure certain attributes at the server level. The attributes that are configurable at the server level include security enablement for the server, Java 2 security manager enablement, and the CSIv2 and z/SAS authentication protocol (RMI/IIOP security). We can disable security on individual application servers while administrative security is enabled; however, we cannot enable security on an individual application server while administrative security is disabled.
While application server security is disabled for user requests, administrative and naming security is still enabled for that application server so that the administrative and naming infrastructure remains secure. If cell security is enabled but security for individual servers is disabled, JEE applications are not authenticated or authorized; naming and administrative security, however, is still enforced. Consequently, because naming services can be called from user applications, grant the Everyone special subject access to the naming functions those applications require, so that these functions accept unauthenticated requests. User code does not directly access administrative security except through the supported scripting tools.
(zos) If we are using System Authorization Facility (SAF) authorization, we need to ensure that the UACC field for the EJBROLE profile CosNamingRead is set to READ, and that the unauthenticated user ID has READ access to this profile.
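As an added example that is not part of the original documentation, the RACF commands a z/OS security administrator would issue to satisfy the requirement above, followed by the RLIST check that confirms it. It assumes the CosNamingRead profile already exists in the EJBROLE class and that no SAF profile prefix is configured; UNAUTH_ID is a placeholder for the cell's unauthenticated user ID.

```tso
/* Constructed example: open the CosNamingRead EJBROLE profile to READ.   */
/* If a SAF profile prefix is configured for the cell, the profile name   */
/* is <prefix>.CosNamingRead instead of CosNamingRead.                    */
/* UNAUTH_ID is a placeholder for the configured unauthenticated user ID. */

/* Set the universal access (UACC) of the profile to READ.                */
RALTER  EJBROLE CosNamingRead UACC(READ)

/* Give the unauthenticated user ID explicit READ access as well.         */
PERMIT  CosNamingRead CLASS(EJBROLE) ID(UNAUTH_ID) ACCESS(READ)

/* EJBROLE is normally RACLISTed; refresh so the change takes effect.     */
SETROPTS RACLIST(EJBROLE) REFRESH

/* Verify: UACC should display READ and UNAUTH_ID should appear in the    */
/* access list with READ.                                                 */
RLIST EJBROLE CosNamingRead AUTHUSER
```

Keep the grant to READ only; higher access on this profile is not needed for naming lookups and would widen what unauthenticated callers can do.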
Related concepts
Administrative security
Related tasks
(zos) Update system login configurations to perform a System Authorization Facility identity user mapping