(iSeries)
Object and file security
This topic discusses the various objects and files that contain sensitive information and need to be protected.
Secure integrated file system files
In addition to enterprise beans and servlets, WebSphere Application Server accesses integrated file system stream files. The following files might contain sensitive information. IBM recommends that you give these files close consideration to ensure that unauthorized access is not granted.
- In the /properties subdirectory of our profile, the following files can contain user IDs and passwords:
- sas.client.props
- soap.client.props
- sas.stdclient.properties
- sas.tools.properties
- wsserver.key
By default, the /properties subdirectory is located in the profile_root directory. Each of the previous files is shipped with *PUBLIC authority set to *EXCLUDE. The QEJBSVR user profile is granted *RW authority to these files. Additional protection is available through password encoding. See Password encoding and encryption.
- In the /etc subdirectory if your profile, protect all of the key (KDB) files and trust (JKS) files that we create for our WAS profile.
For the JKS files, the QEJBSVR user profiles should have *R authority and *PUBLIC should have *EXCLUDE authority.
For the KDB files, the user profile that the web server is running under should have *RX authority and *PUBLIC should have *EXCLUDE authority.
Secure database resources for WAS
WAS uses tables to persist data for user applications such as enterprise beans persistence and servlet session data. We have several options for controlling which user profiles are allowed access to this user data. See Database access security.
Secure WAS files
When we enable WAS security, the server user profile and password are placed into server configuration files, which should be maintained in a secure way using operating system security. Additionally, we can password protect some WAS resources. These passwords are also placed in server configuration files. The server automatically encodes passwords to deter casual observation, but password encoding alone is not sufficient protection.
The following files are located in the /config subdirectory of our profile and they can contain user identifiers and passwords:
- cells/cell/security.xml
- cells/cell/nodes/node/resources.xml
- cells/cell/nodes/node/servers/server/server.xml
For example, for the default profile, the server is server1.
The server user profile and password are used for authenticating the server when it initializes. This authentication is required for the following reasons:
- The user ID and password are used as the system identity for the server when an enterprise bean security is deployed to use SYSTEM_IDENTITY for method delegation. In this case, the user ID and password are used when method calls are made from one enterprise bean to another.
- The user ID and password are used to authenticate servers for inter-server communication. Because security for these files can be compromised, use a non-default user profile for the server identity and password. The default user profile is QEJBSVR. If we use the local OS user registry, we might choose to create and use a user profile with no special authorities. See Running application servers under specific user profiles.
Secure user profiles for WAS
When WAS is first installed, by default, it uses the following user profiles:
- QEJB
- This profile provides access to some administrative data, including passwords.
- QEJBSVR
- This profile provides the context in which our WAS runs. For security or administrative purposes, we might want to create other user profiles under which to run various parts of WAS. See Running application servers under specific user profiles.
Related:
Password encoding and encryption Troubleshoot security configurations