Configure multiple security domains
We can customize the security configuration at the cell, server, or cluster level by configuring multiple security domains.
Users assigned to the administrator role can configure security domains. Verify that we have the appropriate administrative role before configuring security domains. Also, enable global security in the environment before configuring multiple security domains.
We can create multiple security domains to customize your security configuration. Use multiple security domains to achieve the following goals:
- Configure different security attributes for administrative and user applications within a cell
- Consolidate server configurations by managing different security configurations within a cell
- Restrict access between applications with different user registries, or configure trust relationships between applications to support communication across registries
- Create a security domain.
Create multiple security domains in the configuration. By creating multiple security domains, we can configure different security attributes for administrative and user applications within a cell environment.
- Assign the security domain to one or a set of resources or scopes.
Assign management resources to security domains. Set management resources to the security domains to customize the security configuration for a cell, server, or cluster.
- Customize the security configuration by specifying attributes for the security domain.
See the following examples of security attributes:
- User registries to validate user credentials
- Authorization for validating access to resources
- Trust association interceptor (TAI) to authenticate a web user using a reverse proxy server
- Application and system JAAS login configurations
- LTPA timeout settings
- Application security enablement to provide application isolation and requirements for authenticating application users
- Java 2 Security to increase overall system integrity by checking for permissions before allowing access to certain protected system resources
- Remote Method Invocation over Internet Inter-ORB Protocol (RMI/IIOP) to invoke web services through remote procedure calls
- Custom properties
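As an added example that is not part of this documentation, the three steps above as one wsadmin Jython script: create the domain, scope it to a server, then set application security, Java 2 security and the LTPA timeout on that domain only. The domain, cell, node and server names are constructed placeholders; the AdminTask command names are those of the SecurityDomainCommands and SecurityConfigurationCommands groups listed below, and the script stays Jython-2.1 compatible so it also runs as a dry run under plain CPython, where no AdminTask object exists.

```python
# Run inside WebSphere with: wsadmin.sh -lang jython -f this_script.py
# Outside wsadmin the same functions only print what would be executed.

DOMAIN = 'appDomain'                                    # constructed domain name
RESOURCE = 'Cell=myCell:Node=myNode:Server=server1'     # constructed scope
                                                        # (a cluster: Cell=..:ServerCluster=..)

def create_domain_cmd(name, description):
    # Step 1: a new domain starts empty; any attribute not set on it is
    # inherited from the global security configuration.
    return ('createSecurityDomain',
            '-securityDomainName %s -securityDomainDescription "%s"' % (name, description))

def map_resource_cmd(name, resource):
    # Step 2: assign the domain to one server (or cluster); that resource now
    # resolves its security attributes from this domain.
    return ('mapResourceToSecurityDomain',
            '-securityDomainName %s -resourceName %s' % (name, resource))

def app_security_cmd(name, app_security, java2):
    # Step 3a: isolate user applications by enforcing application security and
    # Java 2 permission checks in this domain only (1/0 flags: Jython 2.1 lacks True/False).
    on_off = lambda b: b and 'true' or 'false'
    return ('setAppActiveSecuritySettings',
            '-securityDomainName %s -appSecurityEnabled %s -enforceJava2Security %s'
            % (name, on_off(app_security), on_off(java2)))

def ltpa_timeout_cmd(name, minutes):
    # Step 3b: a shorter LTPA token lifetime for this domain than the global default.
    return ('setLTPATimeout', '-securityDomainName %s -timeout %d' % (name, minutes))

def build_plan():
    return [create_domain_cmd(DOMAIN, 'Isolated domain for user applications'),
            map_resource_cmd(DOMAIN, RESOURCE),
            app_security_cmd(DOMAIN, 1, 1),
            ltpa_timeout_cmd(DOMAIN, 60)]

def run(plan):
    # Inside wsadmin AdminTask/AdminConfig are predefined; elsewhere dry-run.
    try:
        task = AdminTask
    except NameError:
        task = None
    for cmd, args in plan:
        if task is None:
            print('dry-run: AdminTask.%s(%r)' % (cmd, args))
        else:
            getattr(task, cmd)(args)
    if task is not None:
        AdminConfig.save()      # nothing takes effect until the config is saved
    return len(plan)

if __name__ == '__main__':
    run(build_plan())
```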
Subtopics
- Configure security domains
Use this topic to create multiple security domains in our configuration. By creating multiple security domains, we can configure different security attributes for administrative and user applications within a cell environment.
- Configure local operating system user registries
Use this topic to configure user registries for global security and security domain configurations. We can define user registries at the global level and for multiple security domains.
- Configure custom user registries
Use this topic to configure custom user registries for global security and security domain configurations. We can define custom user registries at the global level and for multiple security domains.
- Configure JAAS login modules
Use this topic to use wsadmin.sh to configure and manage Java Authentication and Authorization Service (JAAS) login entries to allow communication between realms in a multiple security domain environment.
- Configure Common Secure Interoperability authentication
Use this topic to use wsadmin.sh to configure inbound and outbound communications using the Common Secure Interoperability protocol. Common Secure Interoperability Version 2 (CSIv2) supports increased vendor interoperability and additional features.
- Configure trust association
Use wsadmin.sh to configure and manage trust association configurations in a multiple security domain environment. Trust association enables the integration of the application server security and third-party security servers. More specifically, a reverse proxy server can act as a front-end authentication server while the product applies its own authorization policy onto the resulting credentials that are passed by the proxy server.
- Mapping resources to security domains
Use this topic to assign management resources to security domains. Set management resources to the security domains to customize your security configuration for a cell, server, or cluster.
- Remove resources from security domains
Use this topic to remove management resources from security domains. Remove all resources from a security domain before deleting the security domain from the configuration.
- Remove security domains
Use this topic to delete security domains from the configuration. Remove security domains that are not needed in our security configuration.
- Remove user registries
We can use wsadmin.sh to remove user registries from global security or security domain configurations. Use the steps in this topic to remove LDAP, local operating system, custom, or federated repository user registries from the global security or security domain configurations.
- SecurityDomainCommands (AdminTask)
We can use the Jython scripting language to configure and administer security domains with wsadmin.sh. Use commands in the SecurityDomainCommands group to create and manage security domains, assign servers and clusters to security domains as resources, and to query the security domain configuration.
- SecurityConfigurationCommands (AdminTask)
We can use the Jython scripting language to configure security with wsadmin.sh. Use commands in the SecurityConfigurationCommands group to configure and manage user registries, single sign-on, data entries, trust association, login modules, and interceptors.
- SecurityRealmInfoCommands (AdminTask)
We can use the Jython scripting language to manage security realm configurations with wsadmin.sh. Use commands in the SecurityRealmInfoCommands group to query and manage trusted realms.
- NamingAuthzCommands (AdminTask)
We can use the Jython scripting language to configure naming roles for groups and users with wsadmin.sh. Use commands in the NamingAuthzCommands group to assign, remove, and query naming role configuration. CosNaming security offers increased granularity of security control over CosNaming functions.
- Utility scripts
The scripting library provides multiple script procedures to automate the application configurations. See the usage information for scripts that set notification options, save configuration changes, and display scripting library information.