Enable security
Overview
The following provides information on how to configure security when security was not enabled during the WebSphere Application Server profile creation.
IBM recommends installing WebSphere Application Server with security enabled. By design, this option ensures that everything has been properly configured. Enabling security protects the server from unauthorized users, provides application isolation and requirements for authenticating application users.
Enable security
- Start the WAS appservers administrative console.
- From a browser connect to dmgr...
http://your_host.your_domain:9060/ibm/console
If security is disabled, we are prompted for a user ID. Log in with any user ID. If security is enabled, we are prompted for both a user ID and a password. Log in with a predefined administrative user ID and password.
- Click Security | Global security.
Use the Security Configuration Wizard, or configure security manually. The configuration order is not important. We must separately enable administrative security, and application security. Because of this split, WAS clients must know whether application security is disabled at the target server. Administrative security is enabled, by default. Application security is disabled, by default. Before attempting to enable application security on the target server, verify that administrative security is enabled on that server. Application security can be in effect only when administrative security is enabled. See Authenticating users.
- Configure the user account repository.
On the Global security panel, we can configure user account repositories such as federated repositories, local operating system, stand-alone LDAP registry, and stand-alone custom registry. We can choose to specify either a server ID and password for interoperability or enable a WAS installation to automatically generate an internal server ID. For more information about automatically generating server IDs, see Local operating system settings.
One of the details common to all user registries or repositories is the Primary administrative user name. This ID is a member of the chosen repository, but also has special privileges in WAS. The privileges for this ID and the privileges associated with the administrative role ID are the same. The Primary administrative user name can access all of the protected administrative methods. On Windows the ID must not be the same name as the machine name of our system because the repository sometimes returns machine-specific information when querying a user of the same name. In stand-alone LDAP registries, verify that the Primary administrative user name is a member of the repository and not just the LDAP administrative role ID. The entry must be searchable.
The Primary administrative user name does not run WAS processes. Rather, the process ID runs the WAS processes. The process ID is determined by the way the process starts. For example, if we use a command line to start processes, the user ID that is logged into the system is the process ID. If running as a service, the user ID that is logged into the system is the user ID running the service. If we choose the local operating system registry, the process ID requires special privileges to call the operating system APIs. The process ID must have the following platform-specific privileges:
Windows Act as Part of Operating System privileges UNIX Root privileges
- Select the Set as current option after configuring the user account repository.
When we click Apply and the Enable administrative security option is set, a verification occurs to see if an administrative user ID has been configured and is present in the active user registry. The administrative user ID can be specified at the active user registry panel or from the console users link. If we do not configure an administrative ID for the active user registry, the validation fails.
When we switch user registries, the admin-authz.xml file should be cleared of existing administrative ids and application names. Exceptions will occur in the logs for ids that exist in the admin-authz.xml file but do not exist in the current user registry.
- Configure the authentication mechanism.
Configure LTPA or Kerberos, under Authentication mechanisms and expiration. LTPA credentials can be forwarded to other machines. For security reasons, credential expire; however, we can configure the expiration dates on the console. LTPA credentials enable browsers to visit different product servers, which means we do not have to authenticate multiple times.
For single sign-on (SSO) support, which provides the ability for browsers to visit different product servers without having to authenticate multiple times, see Implement single sign-on to minimize web user authentications. For form-based login, configure SSO when using LTPA.
- Optional: Import and export the LTPA keys for cross-cell single Sign-on (SSO) between cells...
If one of the cells we are connecting to resides on a v6.0.x system, see the topic Configuring LTPA keys in the Version 6.0.x Information Center for more information.
- Configure the authentication protocol for special security requirements from Java clients, if needed.
We can configure CSIv2 through links on the Global security panel. The SAS protocol is provided for backwards compatibility with previous product releases, but is deprecated. Links to the SAS protocol panels display on the Global security panel if the environment contains servers that use previous versions of WAS and support the SAS protocol.
We can modify or a create a new SSL configuration. This action protects the integrity of the messages sent across the Internet. The product provides a centralized location to configure SSL configurations that the various WAS features that use SSL can utilize, including the LDAP registry, web container and the RMI/IIOP authentication protocol (CSIv2).
After modifying a configuration or create a new configuration, specify it on the SSL configurations panel.
Security | SSL certificate and key management | Configuration settings | Manage endpoint security configurations | configuration_name
Under Related items for each scope (for example, node, cluster, server), select one of the configuration links that can be scoped to the resource we are visiting. We can either edit the DefaultSSLConfig file or create a new SSL configuration with a new alias name. If we create a new alias name for our new keystore and truststore files, change every location that references the DefaultSSLConfig SSL configuration alias. The following list specifies the locations of where the SSL configuration repertoire aliases are used in the WAS configuration. For any transports that use the new network input/output channel chains, including HTTP and JMS, we can modify the SSL configuration repertoire aliases in the following locations for each server:
- Click...
Server | Application server > server > Communications > Ports
Locate a transport chain where SSL is enabled and click View associated transports. Click...
transport_channel_name | Transport Channels > SSL Inbound Channel (SSL_2)
- Click...
System administration | Deployment manager > Additional properties > Ports
Locate a transport chain where SSL is enabled and click View associated transports.
Click...
transport_channel_name | Transport Channels SSL Inbound Channel (SSL_2)
- Click...
System administration | Node agents > node_agent_name > Additional properties > Ports
Locate a transport chain where SSL is enabled and click View associated transports. Click...
transport_channel_name | Transport Channels | SSL Inbound Channel (SSL_2)
For the Object Request Broker (ORB) SSL transports, we can modify the SSL configuration repertoire aliases in the following locations. These configurations are for the server-level for WAS and the cell level for WAS ND.
- Security | Global security | RMI/IIOP security | CSIv2 inbound communications.
- Security | Global security | RMI/IIOP security | CSIv2 outbound communications.
For the LDAP SSL transport, we can modify the SSL configuration repertoire aliases by clicking Security | Global security. Under User account repository, click the Available realm definitions drop-down list, and select Standalone LDAP registry.
Two kinds of configurable SSL repertoires exist:
- The System SSL repertoire is used for HTTPS and Internet InterORB Protocol (IIOP) communication, and are used by the native transports. To use the administrative console after security is enabled define and select a System SSL type repertoire for HTTP. We must define a System SSL repertoire and select if IIOP security requires or supports SSL transport, or if a secure Remote Method Invocation (RMI) connector is selected for administrative requests.
- The JSSE repertoire is for Java-based SSL communications.
Users must configure a System SSL repertoire to use HTTP or IIOP protocols and a JMX connector must be configured to use SSL. If the SOAP HTTP connector is chosen, a JSSE repertoire must be selected for the administrative subsystem. In a WAS ND environment...
System Administration | Deployment Manager > Administration Services | JMX Connectors > SOAP Connector > Custom Properties > sslConfig
A set of SSL repertoires are set up by the z/OS installation dialogs. These dialogs are configured to refer to SAF key rings and to files that are populated by the customization process, when generating RACF commands.
Repertoire name Type Default use (ZOS) NodeDefaultSSLSettings (ZOS) JSSE (ZOS) (Base only) configuration for SOAP JMX connector, SOAP client, web container HTTP transport (ZOS) CellDefaultSSLSettings (ZOS) JSSE (ZOS) (Network deployment only) configuration for SOAP JMX connector, SOAP client, web container HTTP transport (ZOS) DefaultIIOPSSL (ZOS) SSSL (ZOS) Used only if DAEMON SSL is enabled No additional action is required if these settings are sufficient for our needs. To create or modify these settings, ensure that the keystore files to which they refer are created.
- To configure the rest of the security settings and enable security, click...
Security | Global security
For additional information, see Server and administrative security.
- Validate the completed security configuration by clicking OK or Apply.
If problems occur, they display in red type.
- If there are no validation problems, click Save to save the settings to a file that the server uses when it restarts. Saving writes the settings to the configuration repository.
If we do not click Apply or OK in the Global security panel before you click Save, our changes are not written to the repository. The server must be restarted for any changes to take effect when we start the administrative console.
The save action enables the deployment manager to use the changed settings after WAS is restarted.
A Deployment manager configuration differs from a stand-alone base application server. The configuration is stored temporarily in the deployment manager until it is synchronized with all of the node agents.
Verify that all of the node agents are up and running in the domain. Stop all application servers during this process. If any of the node agents are down, run a manual file synchronization utility from the node agent machine to synchronize the security configuration from the deployment manager. Otherwise, the malfunctioning node agent does not communicate with the deployment manager after security is enabled on the deployment manager.
- Start the WAS appservers administrative console.
- From a browser, type in the address of the WAS ND server. By default, the console is located at http://your_host.your_domain:9060/ibm/console.
If security is currently disabled, log in with any user ID. If security is currently enabled, log in with a predefined administrative ID and password. This ID is typically the server user ID specified when we configured the user registry.
Subtopics
- Administrative security
- Security considerations when in a multi-node WAS WAS ND environment
- Application security
- Java 2 security
- Enable WebSphere Application Server security
- Configure Java Servlet 3.1 support for security
- Testing security after enabling it
- Security Configuration Wizard
- Security configuration report
- Add a new custom property in a global security configuration or in a security domain configuration
- Modify an existing custom property in a global security configuration or in a security domain configuration
- Delete an existing custom property in a global security configuration or in a security domain configuration
Related:
Java 2 security Multiple security domains Server and administrative security (ZOS) System Authorization Facility considerations for the operating system and application levels Select a registry or repository Configure the LTPA mechanism Configure multiple security domains Java 2 security policy files Global security settings Specify extent of protection wizard settings Develop message-level security for JAX-WS web services (ZOS) Server-level security settings