Configure security domains
Use this topic to create multiple security domains in our configuration. By creating multiple security domains, we can configure different security attributes for administrative and user applications within a cell environment.
We must have the administrator role to configure security domains. Also, enable global security in the environment before configuring multiple security domains.
We can create multiple security domains to customize your security configuration. Use multiple security domains to achieve the following goals:
- Configure different security attributes for administrative and user applications within a cell
- Consolidate server configurations by managing different security configurations within a cell
- Restrict access between applications with different user registries, or configure trust relationships between applications to support communication across registries
Use the following steps to create a new security domain with wsadmin.sh:
- Launch the wsadmin scripting tool using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.
- Create a security domain.
To create a security domain, we can create a new security domain, copy an existing security domain, or copy the existing global security configuration.
- Use the createSecurityDomain command to create the domain-security.xml and domain-security-map.xml security files in the profile_root/config/waspolicies/defasecurity_configuration_name directory. No configuration data is added to the domain-security.xml file. Use the following Jython command example to create a security domain:
AdminTask.createSecurityDomain('-securityDomainName securityDomain1 -securityDomainDescription "handles user applications"')
The command returns the object name of the security domain that was created, as the following example output demonstrates:
'waspolicies/default/securitydomains/mydomain:domain-security.xml#AppSecurity_1183132319126'
- Use the copySecurityDomain command to create a new security domain with the attributes of an existing security domain. If the security configuration of the existing domain has an active user registry defined, then a new realm name for that registry must be used in the new security configuration. If a realm name is not specified with the copySecurityDomain command, then the command assigns a name.
descriptions. Specify the following parameters to copy
Parameter Description -securityDomainName Name of the new security domain to create (String, required) -copyFromSecurityDomainName Name of the existing security domain to copy (String, required) -realmName Name of the realm in the security domain to create. The system assigns the realm name to the active user registry in the security domain (String, optional) -securityDomainDescription Specifies a description for the security domain to create (String, optional) Use the following Jython command to copy an existing security domain:
AdminTask.copySecurityDomain('-securityDomainName copyOfDomain1 -copyFromSecurityDomainName securityDomain1')
The command returns the object name of the new security domain, as the following example output demonstrates:
'waspolicies/default/securitydomains/copyOfDomain1:domain-security.xml#AppSecurity_1183132319186'
- Use the copySecurityDomainFromGlobalSecurity command to create a security domain by copying the global security configuration. If the global security configuration has an active user registry defined, then a new realm name for that registry must be used for the security domain to create. If we do not specify a realm name, then the command assigns a name.
command parameter descriptions. Specify the following
Parameter Description -securityDomainName Name of the new security domain to create (String, required) -realmName Name of the realm in the security domain to create. The system assigns the realm name to the active user registry in the security domain (String, optional) -securityDomainDescription Specifies a description for the security domain to create (String, optional) Use the following Jython command to copy the global security configuration:
AdminTask.copySecurityDomainFromGlobalSecurity('-securityDomainName GScopy')
The command returns the object name of the new security domain, as the following example output demonstrates:
'waspolicies/default/securitydomains/copyOfDomain1:domain-security.xml#AppSecurity_1183132319186'
- Save the configuration changes.
Use the following command example to save the configuration changes:
AdminConfig.save()
What to do next
Use wsadmin.sh to map a scope to the security domain. Additionally, we can configure security artifacts in the newly created domain, by:
- configuring user registries.
- enabling application and Java EE security.
- setting LTPA timeout.
- configuring System and Application Java™ Authentication and Authorization Service (JAAS) login.
- configuring Java 2 Connector (J2C) authorization data.
- configuring Remote Method Invocation over Internet Inter-ORB Protocol (RMI/IIOP) security.
Related tasks
Mapping resources to security domains Remove security domains Start the wsadmin scripting client