Secure the environment after installation
WebSphere Application Server depends on several configuration files created during installation. These files contain password information and need protection. Although the files are protected to a limited degree during installation, this basic level of protection is probably not sufficient for our site. We should verify that these files are protected in compliance with the policies of our site.
A Kerberos keytab file contains a list of keys that are equivalent to user passwords: anyone who can read the keytab can authenticate as the principals in it. The default keytab file is krb5.keytab. Protect keytab files by keeping them on local disk rather than on a shared file system and by making them readable only by the authorized user, normally the user that runs the service.
The files in the following directories need protection:
- app_server_root/profiles/profile/config
- app_server_root/profiles/profile/properties
For example, give permission to the user who logs onto the system for WAS primary administrative tasks. Other users or groups, such as WAS console users and console groups, need permissions as well.
(ZOS) The files in the WAS_HOME/config and the WAS_HOME/properties directories need protection. For example, give permission to the user who logs onto the system for WAS primary administrative tasks. Other users or groups, such as WAS console users and console groups need permissions as well.
(ZOS) The files in the WAS_HOME/properties directory that must be readable by everybody are:
- TraceSettings.properties
- client.policy
- client_types.xml
- ipc.client.props
- sas.client.props
- sas.stdclient.properties
- sas.tools.properties
- soap.client.props
- wsadmin.properties
- wsjaas_client.conf
(ZOS) The value for WAS_HOME directory is specified in the WebSphere z/OS Profile Management Tool or the zpmt command when WAS for z/OS is installed, for both the base product and WAS ND.
Tasks
- (Windows) Secure files on a Windows system:
- Open Windows Explorer (File Explorer) to view the files and directories on the machine.
- Locate and right-click the file or the directory to protect.
- Click Properties.
- Click the Security tab.
- Remove the Everyone entry and any other user or group that should not have access to the file. If these entries are inherited from the parent directory, first click Advanced and disable inheritance (converting the inherited permissions into explicit entries) so that they can be removed.
- Add the users who can access the files, with only the permissions they need.
- (UNIX) Secure files on UNIX systems. This procedure applies only to the ordinary UNIX file system. If our site uses access-control lists (ACLs), secure the files with that mechanism as well, because an ACL entry can grant access that the plain mode bits do not show. Site-specific requirements, for example on the AIX platform, can affect the owner, group, and corresponding privileges.
- Go to the profile directory (app_server_root/profiles/profile) and change the ownership of the config and properties directories to the user who logs onto the system for WAS primary administrative tasks. Run the following command:
chown -R login_name directory_name
Where:
- login_name is the user that is to own the files. To set the group at the same time, use the form login_name:group_name.
- directory_name is the name of the directory containing the files
IBM recommends that we assign ownership of the files that contain password information to the user who runs the application server. If more than one user runs the application server, provide permission to the group in which the users are assigned in the user registry.
- Set up the permission by running the following command:
chmod -R 770 directory_name
Mode 770 gives the owner and the group full access and gives everyone else none. Because it is applied recursively, it also sets the execute bit on plain files, which configuration files do not need; a stricter site policy can use 770 for directories and 660 for files instead.
- Go to...
app_server_root/profiles/profile/properties
...and set the file permissions. Set the access permissions for the following files as it pertains to our security guidelines:
- TraceSettings.properties
- client.policy
- client_types.xml
- ipc.client.props
- sas.client.props
- sas.stdclient.properties
- sas.tools.properties
- soap.client.props
- wsadmin.properties
- wsjaas_client.conf
For example, we might issue the following command: chmod 770 file_name, where file_name is the name of a file listed previously in the app_server_root/profiles/profile/properties directory. These files can contain sensitive information such as passwords (for example, the loginUserid and loginPassword properties in soap.client.props and sas.client.props).
If we enabled Kerberos authentication or SPNEGO web authentication, also set the access permissions for the Kerberos configuration file (krb5.conf or krb5.ini) and the Kerberos keytab file as it pertains to our security guidelines. The keytab holds keys equivalent to passwords and should be readable only by the user that runs the application server (for example, mode 600).
- Create a group for WAS and put the users who perform full or partial WAS administrative tasks in that group.
- To use IBM MQ as a Java Message Service (JMS) provider, restrict access to the /var/mqm directories and the log files they use. Give write access only to the mqm user ID or members of the mqm user group.
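As an added example (not IBM's code and not part of the original page), the following POSIX shell functions carry out the UNIX steps above for one profile and then check the result. The profile path, the administrative user wasadmin and the group wasgrp in the usage comment are assumptions. was_harden applies the ownership change and the 770 mode to the config and properties trees and locks the keytab to its owner; it uses 660 rather than 770 on plain files, which is tighter than the page's chmod -R 770 because configuration files need no execute bit. was_audit is the check a practitioner wants afterwards: it lists any regular file under the profile that is still readable or writable by other users.

```shell
#!/bin/sh
# Added example (not IBM's code): apply the UNIX procedure to one profile and
# audit the result. The profile root, user "wasadmin" and group "wasgrp" below
# are hypothetical; substitute the accounts used at your site.
#
# Usage (as root):
#   . ./was_perms.sh
#   was_harden /opt/IBM/WebSphere/AppServer/profiles/AppSrv01 wasadmin wasgrp /etc/krb5.keytab
#   was_audit  /opt/IBM/WebSphere/AppServer/profiles/AppSrv01

# was_harden PROFILE_ROOT OWNER GROUP [KEYTAB]
# Gives the config and properties trees to OWNER:GROUP, sets mode 770 on
# directories and 660 on files (owner and group read/write, nothing for other),
# and restricts the keytab, if given, to its owner only.
was_harden() {
    wh_root=$1; wh_owner=$2; wh_group=$3; wh_keytab=${4:-}
    for wh_dir in "$wh_root/config" "$wh_root/properties"; do
        if [ ! -d "$wh_dir" ]; then
            echo "was_harden: missing directory $wh_dir" >&2
            return 1
        fi
        chown -R "$wh_owner:$wh_group" "$wh_dir"
        find "$wh_dir" -type d -exec chmod 770 {} +
        find "$wh_dir" -type f -exec chmod 660 {} +
    done
    if [ -n "$wh_keytab" ]; then
        # Keytab keys are equivalent to passwords: owner read/write, nobody else.
        chown "$wh_owner" "$wh_keytab"
        chmod 600 "$wh_keytab"
    fi
}

# was_audit DIR
# Prints each regular file under DIR that is still readable (o+r) or writable
# (o+w) by "other". Empty output means the tree is closed to everyone else.
was_audit() {
    find "$1" -type f \( -perm -004 -o -perm -002 \)
}

# was_audit_count DIR
# Number of offending files, for use in scripts and post-install checks.
was_audit_count() {
    was_audit "$1" | wc -l | tr -d ' '
}
```

Run was_audit again after every fix pack or profile augmentation: those steps recreate files under config and properties, and a non-empty listing shows where the site's permissions were not reapplied.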
- Secure files on WAS for z/OS systems.
- Use the WebSphere z/OS Profile Management Tool or the zpmt command and follow the generated instructions to customize the system.
The customization jobs generated perform the following functions:
- Create System Authorization Facility (SAF) WAS user IDs needed for administrator and server processes.
- Create a SAF WAS configuration group and add the SAF WAS user IDs.
- Provide a mapping from a Java 2, Enterprise Edition (J2EE) principal to SAF user ID. We can generate a sample mapping module or we can specify one that we created ourself.
- Associate WAS-started tasks with the SAF user IDs and groups defined previously.
- Populate the file system with the system and property files needed to run WAS.
- Change the ownership of these files to the WAS administrator.
- Create the appropriate file permissions.
All files in the WAS_HOME/config directory must have write and read access by all the members of the WAS configuration group, but must not be accessible by everyone (mode 770). All files in the WAS_HOME/properties directory must also have write and read access by all the members of the WAS configuration group. The client files listed earlier as readable by everybody must in addition stay readable by other users; set their access permissions as it pertains to our security guidelines:
- TraceSettings.properties
- client.policy
- client_types.xml
- ipc.client.props
- sas.client.props
- sas.stdclient.properties
- sas.tools.properties
- soap.client.props
- wsadmin.properties
- wsjaas_client.conf
For example, we might issue the following command: chmod 775 file_name, where file_name is the name of a file listed previously. Mode 775 makes the file readable by every user on the system, so review these files for stored credentials (for example, a loginUserid and loginPassword pair in soap.client.props or sas.client.props) before leaving them world-readable, and remove any password that does not need to be there.
If we enabled Kerberos authentication or SPNEGO web authentication, set the access permissions for the following files as it pertains to our security guidelines: the Kerberos configuration file (krb5.conf or krb5.ini) and the Kerberos keytab file.
- Add administrators who perform full or partial WAS administration tasks to the configuration group.
- Restrict access to the /var/mqm directories and the log files needed for WAS embedded messaging or IBM MQ as the JMS provider. Give write access only to the mqm user ID or members of the mqm user group.
After securing the environment, only the users with permission can access the files. Failure to adequately secure these files can lead to a breach of security in our WAS applications.
What to do next
If failures occur because of file access permissions, check the permission settings.
Prepare for security at installation time