Enable WebSphere global security

Enabling WebSphere global security prevents the Enterprise JavaBeans components deployed for WebSphere Commerce from being invoked remotely by unauthenticated callers; with global security disabled, anyone who can reach the application server's ports can invoke those EJBs. If you operate your WebSphere Commerce site from behind a firewall, you can disable WebSphere global security. However, you should disable it only if you are sure that no malicious applications or users are present behind the firewall, because the firewall then becomes the only control protecting the EJB interfaces.

The application server where WebSphere Commerce and WebSphere Commerce Payments are deployed is configured out-of-the-box to use the DummyServerKeyFile.jks and DummyServerTrustFile.jks files, which contain the default self-signed certificate. Using the dummy key and trust files is not safe: the same key pair and keystore password ship with every WebSphere Application Server installation, so anyone who has the product can impersonate your server. Consequently, you should generate your own certificate and replace the dummy certificates immediately. Refer to the WAS Security Guide for more information about the dummy key and trust file certificates and how to replace them. For information on encoding passwords in files, refer to Encoding password in files.

Before you begin to enable security, know how the WebSphere Application Server on which you are enabling security validates user IDs. WebSphere Application Server can use either an LDAP user registry or the operating system user registry as the WAS user registry. The related tasks listed at the end of this page give instructions for enabling security with each type of user registry.

WebSphere Commerce security deployment options

WebSphere Commerce supports various security deployment configurations. The following table summarizes the security deployment options available to you. In each option, the WAS registry is the registry that WebSphere Application Server authenticates against and the WebSphere Commerce registry is the registry that WebSphere Commerce uses for its own users:

Single machine security scenarios

WebSphere global security is enabled.

  Option 1:

  • Use the operating system as the WAS registry.

  • Use the database as the WebSphere Commerce registry.

  Option 2:

  • Use LDAP as the WAS registry.

  • Use LDAP as the WebSphere Commerce registry.

  Option 3:

  • Use LDAP as the WAS registry.

  • Use the database as the WebSphere Commerce registry.

WebSphere global security is disabled, and your WebSphere Commerce site is located behind a firewall.

  Option 1:

  • A WAS registry is not required.

  • Use the database as the WebSphere Commerce registry.

  Option 2:

  • A WAS registry is not required.

  • Use LDAP as the WebSphere Commerce registry.

Multiple machine security scenarios

WebSphere global security is enabled. LDAP is always deployed.

  Option 1:

  • Use LDAP as the WAS registry.

  • Use LDAP as the WebSphere Commerce registry.

  Option 2:

  • Use LDAP as the WAS registry.

  • Use a database as the WebSphere Commerce registry.

  • You will need to set up LDAP and place one administrative entry (the WAS administrative user ID) into the LDAP registry, because WAS must be able to authenticate its administrator against its own registry even though WebSphere Commerce users live in the database.

WebSphere global security is disabled, and your WebSphere Commerce site is located behind a firewall.

  Option 1:

  • Use a database as the WebSphere Commerce registry.

  • A WAS registry is not required.

  • Single sign-on is not supported.

  Option 2:

  • Use LDAP as the WebSphere Commerce registry.

  • A WAS registry is not required.

WebSphere Commerce Payments security deployment options

WebSphere Commerce Payments has no Enterprise JavaBeans components, and access to the application is protected by the Payments instance password, so in most cases there is no need to enable security for WebSphere Commerce Payments. However, if a WebSphere Commerce node and a WebSphere Commerce Payments node are both federated into a Network Deployment (ND) cell and global security is enabled to secure WebSphere Commerce, there is no option to leave global security disabled for WebSphere Commerce Payments, because global security is a cell-wide setting. WebSphere Commerce Payments supports the following security deployment configurations. Note that WebSphere Commerce Payments does not have a registry of its own; it uses the WebSphere Commerce registry.

Single machine security scenarios

WebSphere global security is enabled.

  Option 1:

  • Use the operating system as the WAS registry.

  Option 2:

  • Use LDAP as the WAS registry.

WebSphere global security is disabled, and your WebSphere Commerce site is located behind a firewall.

  • A WAS registry is not required.


Multiple machine security scenarios

WebSphere global security is enabled. LDAP is always deployed.

  • Use LDAP as the WAS registry.

WebSphere global security is disabled, and your WebSphere Commerce site is located behind a firewall.

  • A WAS registry is not required.

Notes:

  1. AIX|Linux|Solaris|Windows:

    When enabling WebSphere global security, it is strongly recommended that your machine meets the following requirements:

  2. Windows: When enabling WebSphere global security on the Windows 2003 platform, IBM recommends that you raise the upper limit of the TCP dynamic (ephemeral) port range to 65534 (the MaxUserPort registry value described in the Microsoft article below) on all nodes in your system that run Windows 2003. This includes the WebSphere Commerce node, the LDAP server node, and the Commerce-enabled Portals node. After changing the setting, restart the servers on the nodes that were changed. For more information, see the following URL: http://support.microsoft.com/default.aspx?scid=kb;EN-US;196271 If you do not raise the limit, a node can exhaust its outbound ports while authenticating against the LDAP server, and you might receive an error similar to the following:
    Authentication failed for user
    uid=wpsbind,cn=users,dc=ibm,dc=com because of the following
    exception javax.naming.CommunicationException: svt4.cn.ibm.com:389.
    Root exception is java.net.BindException: Address in use:
    connect

  3. AIX|Linux|Solaris|Windows:

    After WebSphere global security is enabled for a payment instance, you must provide an administrative user name and password when starting and stopping the payment instance. For example: stopServer server1 -username administrator -password passw0rd. A password passed on the command line in this way is visible to other users of the machine in the process list and may be recorded in shell history. Where that is a concern, put the credentials in the profile's properties/soap.client.props file instead (com.ibm.SOAP.loginUserid and com.ibm.SOAP.loginPassword), which stopServer reads when no -username and -password are given, and encode the password with the PropFilePasswordEncoder utility as described in Encoding password in files. Keep in mind that this encoding is reversible, so restrict read access to the file.
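
    The following Python script is an added illustration for the "Encoding password in files" reference above and for the command-line password caveat in note 3; it is not part of WebSphere or of this documentation. It reimplements the {xor} encoding that WebSphere Application Server uses for passwords in files such as soap.client.props (each byte XORed with 0x5F, then Base64-encoded, with a {xor} prefix) and then audits a properties file body for password entries. The point it makes concrete is that the encoding is fully reversible without any secret, so it is obfuscation rather than encryption, and file permissions are what actually protect the credentials. The sample properties, user ID and passwords are constructed for the example, and the audit function and its property-name heuristic are the example's own, not a WebSphere utility.

```python
"""Illustrative {xor} password encoding and properties audit.

Added example, not WebSphere product code. Reimplements the encoding
scheme WAS uses in properties files to show that it is reversible.
"""
import base64

XOR_KEY = 0x5F      # fixed key used by the WAS {xor} scheme
PREFIX = "{xor}"    # marker WAS puts in front of encoded values


def encode_xor(plaintext: str) -> str:
    """Encode a password the way WAS stores it in properties files.

    Each byte is XORed with 0x5F and the result is Base64-encoded.
    No secret is involved, so this is obfuscation, not encryption.
    """
    xored = bytes(b ^ XOR_KEY for b in plaintext.encode("utf-8"))
    return PREFIX + base64.b64encode(xored).decode("ascii")


def decode_xor(encoded: str) -> str:
    """Recover the plaintext from a {xor}-encoded value (no key required)."""
    if not encoded.startswith(PREFIX):
        raise ValueError("value is not {xor}-encoded: %r" % encoded)
    raw = base64.b64decode(encoded[len(PREFIX):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def audit_properties(text: str) -> dict:
    """Scan a properties file body for password entries.

    Returns {key: (state, recovered_password)} where state is "plain" for
    a password left in clear text and "xor" for one that was only encoded.
    Keys are matched by the example's own heuristic: names ending in
    "password". Either way the password is recoverable by anyone who can
    read the file, which is why the file's permissions matter.
    """
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not key.lower().endswith("password"):
            continue
        if value.startswith(PREFIX):
            findings[key] = ("xor", decode_xor(value))
        else:
            findings[key] = ("plain", value)
    return findings


# Constructed sample modelled on a profile's properties/soap.client.props;
# the user ID and all passwords are made up for this example.
SAMPLE_SOAP_CLIENT_PROPS = """\
com.ibm.SOAP.securityEnabled=true
com.ibm.SOAP.loginUserid=wasadmin
com.ibm.SOAP.loginPassword={xor}Lz4sLChvLTs=
com.ibm.ssl.keyStorePassword=WebAS
com.ibm.ssl.trustStorePassword={xor}CDo9Hgw=
"""

if __name__ == "__main__":
    # The well-known dummy keystore password encodes to {xor}CDo9Hgw=
    print(encode_xor("WebAS"))
    for key, (state, secret) in audit_properties(SAMPLE_SOAP_CLIENT_PROPS).items():
        print("%-32s %-5s -> %s" % (key, state, secret))
```

    Running the script shows every password in the sample file in clear text, whether or not it was encoded; the audit is useful for finding properties files that were edited by hand and still carry plain passwords, but the real control is that only the server's service account can read the file.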

 

Related Concepts


WebSphere Commerce security model
WebSphere Commerce authentication model

 

Related tasks


Enabling security with an LDAP user registry
Enabling only global security with an LDAP user registry
Enabling security with an operating system user registry
Enabling only global security with an operating system user registry
Enabling Java 2 security
Disable WAS security
Configure security for the Dynamic Cache Monitor