(zos)

Enable administrative security and the default application security policy

Use this panel to configure administration and the default application security policy. This security configuration applies to the security policy for all administrative functions and is used as a default security policy for user applications. Security domains can be defined to override and customize the security policies for user applications.

Start the administrative console by specifying the following website:

http://server_hostname:port_number/ibm/console

Perform the following steps to enable administrative security. The options on the Global security panel provide greater flexibility than previous releases of WAS in enforcing security in the environment.

1. Click Security > Global security.

2. Select the Enable administrative security option.

3. Optional: Clear the Enable application security option if we do not want to require WebSphere Application Server to authenticate application users.

4. Optional: Clear the Use Java 2 security to restrict application access to local resources option if we do not want to enable Java 2 Security permission checking.

   When Java 2 Security is enabled and if an application requires more Java 2 security permissions than are granted in the default policy, then the application might fail to run properly until the required permissions are granted in either the app.policy file or the was.policy file of the application. AccessControl exceptions are generated by applications that do not have all the required permissions. Review the Java 2 Security and Dynamic Policy documentation if you are unfamiliar with Java 2 security.

   Updates to the app.policy file only apply to the enterprise applications on the node to which the app.policy file belongs.

   1. Optional: Select the Warn if applications are granted custom permissions option. The filter.policy file contains a list of permissions that an application should not have according to the J2EE 1.3 Specification. If an application is installed with a permission specified in this policy file and this option is enabled, a warning is issued. The default is enabled.

   2. Optional: Select the Restrict access to resource authentication data option if you must restrict application access to sensitive Java EE Connector Architecture (JCA) mapping authentication data.

      For detailed information, see Global security settings.

5. Select which authentication mechanism is active when security is enabled from the Authentication mechanisms and expiration menu. In this release of WAS, the authentication mechanism choices include LTPA and Kerberos.

   SWAM was deprecated in WebSphere Application Server Version v8.5 and will be removed in a future release.

6. Use the User account repository menu to specify the repository that is active when security is enabled. We can configure settings for one of the following user repositories:

   Federated repositories

   The federated repositories functionality enables you to use multiple registries with WebSphere Application Server. These registries, which can be file-based registries, LDAP registries, or a subtree of an LDAP registry, are defined and theoretically combined under a single repository.

   Local operating system

   The implementation is a System Authorization Facility (SAF) compliant registry such as the Resource Access Control Facility (RACF ), which is shared in an MVS™ sysplex.

   Standalone LDAP registry

   The stand-alone LDAP registry settings are used when users and groups reside in an external LDAP directory. When security is enabled and any of these properties are changed, go to the Global security panel and click OK or Apply to validate the changes.

   Stand-alone custom registry

   The stand-alone custom registry feature supports any user registry that is not implemented by WebSphere Application Server. We can use any user registry used in the product environment by implementing the UserRegistry interface.

7. Optional: Select the Use the United States FIPS algorithms option from the Security > SSL certificate and key management panel if you are using a FIPS-certified JSSE. WebSphere Application Server supports a channel framework that uses IBMJSSE2. IBMJSSE2 uses IBMJCEFIPS for cryptographic support when you enable the Use the United States FIPS algorithms option.

8. Click OK.

   This panel performs a final validation of the security configuration. When you click OK or Apply from this panel, the security validation routine is performed and any problems are reported. When you complete all of the fields, click OK or Apply to accept the selected settings. Click Save to persist these settings out to a file. If we see any informational messages in red text color, then there is a problem with the security validation. Typically, the message indicates the problem. So, review the configuration to verify that the user registry settings are accurate and the correct registry is selected. In some cases, the LTPA configuration might not be fully specified.

   For detailed information, see Global security settings.

9. Optional: Configure for SAF Authorization. For more information on these settings, see z/OS System Authorization Facility authorization.

Results

Configuration is successful when error messages are not displayed.

Subtopics

• (zos) Disable administrative security
  We can disable administrative security through the administrative console. If administrative security is not working properly, it can cause the server to not start, or to start without providing you with the ability to log into the administrative console.

Global security settings