Secure specific application servers
We can customize security to some extent at the application server level. We can disable administrative security on an application server.
Deprecated feature: Server-level security has been deprecated in this release of WebSphere Application Server. Multiple security domain support has been added in its place. Create different security configurations and assign them to different applications in WAS processes. By creating multiple security domains, we can configure different security attributes for both administrative and user applications within a cell environment. We can configure different applications to use different security configurations by assigning the servers, clusters, or SIBuses that host these applications to the security domains. Read about Multiple security domains for more detailed information.
We can also modify Java 2 Security and some of the other security attributes that are found on the Global security panel. This panel provides access to the cell-level security settings. We cannot configure a different authentication mechanism or user registry on an individual server basis. This feature is limited to cell-level configuration only.
By default, server security inherits all of the values configured for cell-level security. To override the cell-level security configuration at the server level, click Servers > Application Servers > server. Under Security, click Server Security and click any of the following links:
- CSIv2 inbound authentication
- CSIv2 outbound authentication
- CSIv2 inbound transport
- CSIv2 outbound transport
- (iSeries) SAS inbound transport
- (iSeries) SAS outbound transport
- z/SAS authentication
- Server-level security
Note: SAS is supported only between v6.0.x and previous version servers that have been federated in a v6.1 cell.
(ZOS) Note: z/SAS is supported only between v6.0.x and previous version servers that have been federated in a v6.1 cell.
After modifying the configuration in any of these panels and clicking OK or Apply, the security configuration for that panel or set of panels now overrides cell-level security. Other panels that are not overridden continue to be inherited at the cell-level. However, we can always revert to the cell-level configuration at any time. We can revert to the cell-level security configuration by clearing the check box next to any of the following options on the Server security panel:
- Security settings for this server override cell setting
- RMI/IIOP security for this server overrides cell settings
- SAS security for this server overrides cell settings
(ZOS) A number of additional Secure Authentication Services for z/OS (z/SAS) attributes can be considered for security at a server level, such as:
- Local identity
- Remote identity
- Sync to thread allowed
For more information, see Server and administrative security.
Tasks
- Start the administrative console for the deployment manager. To get to the administrative console, go to http://host.domain:port_number/ibm/console. If security is disabled, we can enter any ID. If security is enabled, enter a valid user ID and password, which is either the administrative ID configured for the user registry or a user ID that is entered as an administrative user. To add a user ID as an administrative user, click System Administration > Console settings > Console users.
- Configure cell-level security if we have not configured it previously. Go to Enable security for detailed steps. After security is configured, configure server-level security.
Selecting the Enable application security option on the Server-level security settings panel does not by itself enable server-level security. Administrative security must also be enabled at the cell level by selecting the Enable administrative security option on the Global security settings panel of the administrative console.
- To configure server-level security, click Servers > Application Servers > server name. Under Security, click Server security. The status of the security level that is in use for this application server is displayed.
By default, we can see that the cell-level security configuration, Common Secure Interoperability (CSI), and SAS have not been overridden at the server level. CSI and SAS are authentication protocols for RMI/IIOP security requests. The server-level security panel lists attributes that are on the Global security panel and can be overridden at the server level. Not all of the attributes on the Global security panel can be overridden at the server level; the user account repository, in particular, cannot.
(ZOS) By default, we can see that the cell-level security configuration, Common Secure Interoperability (CSI), and z/SAS have not been overridden at the server level. CSI and z/SAS are authentication protocols for RMI/IIOP security requests. The server-level security panel lists attributes that are on the Global security panel and can be overridden at the server level. Not all of the attributes on the Global security panel can be overridden at the server level; the user account repository, in particular, cannot.
- To enable administrative security for this application server, go to the Server-level security panel and select both the Security settings for this server override cell setting option and the Enable application security option. Once the Server-level security panel has been modified, these settings override the corresponding cell-level security settings.
- Click Apply and Save.
- To enable RMI/IIOP security for the application server, go to the Server-level security panel, select the RMI/IIOP security for this server overrides cell settings option and click Apply. If we select the RMI/IIOP security for this server overrides cell settings option, any changes that we make to the CSIv2 authentication or transport settings override the same settings on the cell level.
What to do next
Typically, server-level security is used to disable user security for a specific application server. However, it can also be used to disable or enable the Java 2 security manager, and to configure the authentication requirements for RMI/IIOP requests both incoming to and outgoing from this application server. After modifying the configuration for a particular application server, we must restart the application server for the changes to become effective. To restart the application server, go to Servers > Application servers and click the name of the server that was just modified. Click Stop and then Start.
If we disabled security for the application server, we can typically test a web address that is protected when security is enabled.
One URL that is usually available when the DefaultApplication is installed is the snoop servlet. If the DefaultApplication is installed on the application server, test that security is disabled by going to the following URL: http://host.domain:9080/snoop. If security is disabled, no login prompt is displayed. This URL is just one method of validating the configuration. Validate that the configuration is appropriate for the applications.
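The snoop check above can be scripted so that a 200 with no challenge, a 401 basic-auth challenge, and a 3xx form-login or HTTPS redirect are told apart rather than eyeballed. This is an added example, not code from the IBM documentation; the base URL, the port 9443 and the realm name in the constructed sample responses are assumptions.

```shell
#!/bin/sh
# Added example (not part of the IBM documentation): classify the response
# the snoop servlet returns, so the "does a prompt appear?" check can be
# scripted. Host, port and realm name below are assumptions.

# classify_headers RAW_HEADERS
#   Reads HTTP response headers as printed by `curl -sS -I` and prints:
#     open       - 200 with no WWW-Authenticate header: no login prompt,
#                  i.e. application security is not enforced for /snoop
#     protected  - a WWW-Authenticate challenge (401): basic-auth prompt
#     redirected - 3xx, which is what a form-login or HTTPS redirect looks
#                  like; inspect the Location header before concluding
#     unknown    - anything else (server down, 404, 5xx)
classify_headers() {
  raw=$(printf '%s' "$1" | tr -d '\r')          # drop CRLF from real responses
  status=$(printf '%s\n' "$raw" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
  if printf '%s\n' "$raw" | grep -qi '^WWW-Authenticate:'; then
    echo protected
    return 0
  fi
  case "$status" in
    200)      echo open ;;
    30[0-9])  echo redirected ;;
    *)        echo unknown ;;
  esac
}

# snoop_location RAW_HEADERS
#   Prints the Location header (empty if none); use it when classify_headers
#   says "redirected" to tell a form-login page from a plain HTTPS redirect.
snoop_location() {
  printf '%s' "$1" | tr -d '\r' | sed -n 's/^[Ll]ocation: *//p' | head -n 1
}

# check_snoop BASE_URL
#   Runs the check against a live server, e.g. check_snoop http://host.domain:9080
check_snoop() {
  classify_headers "$(curl -sS -I --max-time 10 "$1/snoop" 2>/dev/null)"
}

# Constructed sample responses (not captured from a real server).
SAMPLE_OPEN='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Language: en-US'

SAMPLE_PROTECTED='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Default Realm"
Content-Length: 0'

SAMPLE_REDIRECT='HTTP/1.1 302 Found
Location: https://host.domain:9443/snoop'
```

A redirect by itself does not prove that security is enforced: a web container configured to require HTTPS answers a plain http:// request with a 3xx as well, so follow the Location and classify that response before recording the server as protected.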
Subtopics
- Server-level security settings
  Use this page to enable server-level security and specify other server-level security configurations.
- Control application environments with RACF server class profiles
  The Resource Access Control Facility (RACF) server class profiles are used to control dynamic application environments. Dynamic application environments are displayed and controlled separately from static application environments.
- Resource Access Control Facility Tools
- RACF keyring setup
Related:
- Multiple security domains
- Set up, enabling and migrating security