Preparing for security at installation time

Complete the following tasks to implement security before, during, and after installing WebSphere Application Server.

1. (dist) Secure the environment before installation. This step describes how to perform WebSphere Application Server installation with proper authority on different platforms. For more information, refer to Secure the environment before installation.

2. (dist) Prepare the operating system for installation of WAS. This step describes how to prepare the different operating systems for installation of WAS. For more information, see "Preparing the operating system for product installation" .

3. (zos) Install WebSphere Application Server. This step describes how to install WAS on the z/OS platform. For more information, see "Installing the product and additional software" .

4. Migrate security configurations from previous releases during installation, when we are prompted to do so. This step describes how to migrate security configurations from a previous release of WAS to WebSphere Application Server v8.5.

   For more information, see "Migrating product configurations" in the InfoCenter.

5. (dist) Optional: We can create a profile during install time. If we elect to do so, administrative security is enabled for that profile by default. A panel is displayed during profile creation time and enabling administrative security is selected by default. If we elect to keep this as the default, supply an admin ID and password. This user ID is created in a federated repository, which is the default user registry when enabling administrative security at profile creation time.

6. If we go into the advanced profile creation, a panel is available for changing the default settings for the certificate, a root certificate (used to sign the personal certificate) and a personal certificate (used to sign/encrypt data over the network). Ensure that the root certificate has a long lifetime and the personal certificate a shorter one. Import our own personal certificate and or root certificate. If the personal certificate is signed by the certificate authority (CA), it is not important to change the root certificate. You should also change the default keystore password to something more secure.

7. (zos) Optional: During customization of a stand-alone application server or WebSphere Application Server Network Deployment cell, we can enable administrative security by using either a z/OS security product or WebSphere Application Server to manage users, groups, and the security policy.

8. Secure the environment after installation. This step provides information on how to protect password information after you install WebSphere Application Server. For more information, see Secure the environment after installation.

9. (zos) For information about enabling security after customization is complete, see Enable security.

Subtopics

• Secure the environment before installation
  The following instructions explain how to perform a product installation with proper authority.

• (dist)(zos) Secure the environment after installation
  WebSphere Application Server depends on several configuration files created during installation. These files contain password information and need protection. Although the files are protected to a limited degree during installation, this basic level of protection is probably not sufficient for the site. You should verify that these files are protected in compliance with the policies of the site.

• (zos) WAS security for z/OS
  WebSphere Application Server for z/OS supports access to resources by clients and servers in a distributed environment. Determine how to control access to these resources and prevent inadvertent or malicious destruction of the system or data.

• (zos) Define SSL security for servers
  Complete these steps for RACF to authorize the server to use digital certificates. SSL uses digital certificates and public and private keys.

• (zos) Create Secure Sockets Layer digital certificates and System Authorization Facility keyrings that applications can use to initiate HTTPS requests
  We can create SSL digital certificates and System Authorization Facility (SAF) keyrings that applications can use to initiate HTTPS requests.

• (zos) Create a new System SSL repertoire alias
  With SSL configuration repertoire, administrators can define any number of SSL settings that can be used to make HyperText Transport Protocol SSL (HTTPS), Internet Inter-ORB Protocol SSL (IIOPS) or Lightweight Directory Access Protocol SSL (LDAPS) connections. We can reuse many of these SSL configurations by simply specifying an alias in multiple places.

• (zos) Create a new Java Secure Socket Extension repertoire alias
  The following steps describe how to generate a new Java Secure Socket Extension (JSSE) repertoire alias. Using the JSSE repertoire, we can pick one of the JSSE repertoire settings defined here from any location within the console.

• (zos) Set up SSL connections for Java clients
  Follow these steps to configure SSL for use between Java clients running on a workstation and the WAS for z/OS Java EE server.

(zos) z/OS Profile Management Tool security settings