+

Search Tips   |   Advanced Search

Security considerations when adding a base Application Server node to WebSphere Application Server Network Deployment

We might decide to centralize the configuration of your stand-alone base application servers by adding them into a WAS Network Deployment cell. If wer base application server is currently configured with security, some issues require consideration. The major issue when adding a node to the cell is whether the user registries between the base application server and the deployment manager are the same.

(iseries)(dist) When adding a node to the cell, you automatically inherit both the user registry and the authentication mechanism of the cell.

(zos) When adding a node to a cell, the newly federated node automatically inherits the user registry (Local OS, LDAP or Custom), authentication mechanism (LTPA ), and authorization setting (WebSphere bindings or System Authorization Facility (SAF) EJBROLE profiles) of the existing WebSphere Application Server Network Deployment cell.

For distributed security, all servers in the cell must use the same user registry and authentication mechanism. To recover from a user registry change, modify the applications so that the user and group-to-role mappings are correct for the new user registry. See the article on Assigning users and groups to roles.

Another important consideration is the SSL public-key infrastructure. Prior to performing the addNode command with the deployment manager, verify that the addNode command can communicate as an SSL client with the deployment manager. This communication requires that the addNode truststore configured in the sas.client.props file contains the signer certificate of the deployment manager personal certificate, as found in the keystore and specified in the console.

The following issues require consideration when running the addNode command with security:

Proper understanding of the security interactions between distributed servers greatly reduces problems that are encountered with secure communications. Security adds complexity because additional function needs management. Security needs thorough consideration during the planning of the infrastructure. This document helps to reduce the problems that can occur because of inherent security interactions.

When we have security problems related to the WAS Network Deployment environment, see Troubleshooting security configurations to find additional information about the problem. When trace is needed to solve a problem because servers are distributed, it is often required to gather trace on all servers simultaneously while recreating the problem. This trace can be enabled dynamically or statically, depending on the type of problem that is occurring.


Related concepts

  • Overview: Securing
  • Secure installation for client signer retrieval in SSL


    Related tasks

  • Task overview: Securing resources