Configure security domains using scripting
Use this topic to create multiple security domains in the configuration. By creating multiple security domains, we can configure different security attributes for administrative and user applications within a cell environment.
We must have the administrator role to configure security domains. Also, enable global security in the environment before configuring multiple security domains.
Create multiple security domains to customize the security configuration. Use multiple security domains to achieve the following goals:
- Configure different security attributes for administrative and user applications within a cell
- Consolidate server configurations by managing different security configurations within a cell
- Restrict access between applications with different user registries, or configure trust relationships between applications to support communication across registries
Use the following steps to create a new security domain with the wsadmin tool:
Tasks
- Launch the wsadmin scripting tool using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.
- Create a security domain.
To create a security domain, we can create a new security domain, copy an existing security domain, or copy the existing global security configuration.
- Use the createSecurityDomain command to create the domain-security.xml and domain-security-map.xml security files in the profile_root/config/waspolicies/default/security_configuration_name directory. No configuration data is added to the domain-security.xml file. Use the following Jython command example to create a security domain:
AdminTask.createSecurityDomain('-securityDomainName securityDomain1 -securityDomainDescription "handles user applications"')The command returns the object name of the security domain created, as the following example output demonstrates:
'waspolicies/default/securitydomains/mydomain:domain-security.xml#AppSecurity_1183132319126'- Use the copySecurityDomain command to create a new security domain with the attributes of an existing security domain. If the security configuration of the existing domain has an active user registry defined, then a new realm name for that registry must be used in the new security configuration. If a realm name is not specified with the copySecurityDomain command, then the command assigns a name.
Parameter Description -securityDomainName Name of the new security domain to create (String, required) -copyFromSecurityDomainName Name of the existing security domain to copy (String, required) -realmName Name of the realm in the security domain to create. The system assigns the realm name to the active user registry in the security domain (String, optional) -securityDomainDescription Description for the security domain to create (String, optional) Use the following Jython command to copy an existing security domain:
AdminTask.copySecurityDomain('-securityDomainName copyOfDomain1 -copyFromSecurityDomainName securityDomain1')The command returns the object name of the new security domain, as the following example output demonstrates:
'waspolicies/default/securitydomains/copyOfDomain1:domain-security.xml#AppSecurity_1183132319186'- Use the copySecurityDomainFromGlobalSecurity command to create a security domain by copying the global security configuration. If the global security configuration has an active user registry defined, then a new realm name for that registry must be used for the security domain to create. If we do not specify a realm name, then the command assigns a name.
Parameter Description -securityDomainName Name of the new security domain to create (String, required) -realmName Name of the realm in the security domain to create. The system assigns the realm name to the active user registry in the security domain (String, optional) -securityDomainDescription Description for the security domain to create (String, optional) Use the following Jython command to copy the global security configuration:
AdminTask.copySecurityDomainFromGlobalSecurity('-securityDomainName GScopy')The command returns the object name of the new security domain, as the following example output demonstrates:
'waspolicies/default/securitydomains/copyOfDomain1:domain-security.xml#AppSecurity_1183132319186'
- Save the configuration changes.
AdminConfig.save()
What to do next
Use the wsadmin tool to map a scope to our security domain. Additionally, we can configure security artifacts in the newly created domain, by:
- configuring user registries.
- enabling application and Java EE security.
- setting LTPA timeout.
- configuring System and Application JAAS login.
- configuring Java 2 Connector (J2C) authorization data.
- configuring Remote Method Invocation over Internet Inter-ORB Protocol (RMI/IIOP) security.
Mapping resources to security domains using scripting Removing security domains using scripting Start the wsadmin scripting client