How do I secure applications and their environments?

Legend for "How do I?..." links

Documentation: Refer to the detailed steps and reference. Approximate time: Varies
Show me: Watch a brief multimedia demonstration. Approximate time: 3 to 5 minutes
Tell me: View the presentation for an overview. Approximate time: 10 minutes+
Guide me: Be led through the console pages. Approximate time: 1/2 hour+
Teach me: Perform the tutorial with sample code. Approximate time: 1 hour+


Develop and deploy secure applications

These tasks involve securing your applications during development (optional, programmatic security), assembly (declarative security), and after deploying them on the application server.

--------------------------------------------------------------------------

Secure Web applications: Authentication and authorization

Most of the security for an application is configured during the assembly stage. The security configured during the assembly stage is called declarative security because the security is declared or defined in the deployment descriptors. The declarative security is enforced by the security run time. For some applications, declarative security is not sufficient to express the security model of the application. For these applications, you can use programmatic security.

Available links: Documentation, Tell me

--------------------------------------------------------------------------

Secure EJB applications: J2EE authorization

Most of the security for an application is configured during the assembly stage. The security configured during the assembly stage is called declarative security because the security is declared or defined in the deployment descriptors. The declarative security is enforced by the security run time. For some applications, declarative security is not sufficient to express the security model of the application. For these applications, you can use programmatic security.

Available links: Documentation, Tell me

--------------------------------------------------------------------------

Use Web services security (WS-Security)

Use any of many methods to integrate message-level security into an application serving environment. Web services security for WebSphere Application Server is based on standards included in the Web services security (WS-Security) specification. These standards address how to provide protection for messages exchanged in a Web service environment. The specification defines the core facilities for protecting the integrity and confidentiality of a message and provides mechanisms for associating security-related claims with the message.

Available links: Documentation, Show me, Tell me

--------------------------------------------------------------------------

Enable Java 2 security

Java 2 security is disabled by default, but is enabled automatically when global security is enabled. Whether you use it is independent of your decision to use J2EE role-based authorization. It provides an extra level of access control protection on top of the J2EE role-based authorization. It particularly addresses the protection of system resources and APIs.

Available links: Documentation, Tell me

--------------------------------------------------------------------------

Develop JAAS clients

If you write a login module that adds information to the Subject of a system login, refer to this topic for the main Java Authentication and Authorization Service (JAAS) plug-in points for configuring system logins.

Available links: Documentation

--------------------------------------------------------------------------

Enable resource security (overview)

Applications access many resources for data access, messaging, mail, and other purposes.

Available links: Tell me

--------------------------------------------------------------------------

Enable resource security: J2C and JDBC data sources

Secure the Java Database Connectivity (JDBC) data sources and Java 2 Connector (J2C) resources used by applications to access data.

Available links: Tell me

--------------------------------------------------------------------------

Enable resource security: JMS resources

Secure the Java Message Service (JMS) resources used by applications to obtain messaging support.

Available links: Documentation, Tell me

--------------------------------------------------------------------------

Secure the application hosting environment

The counterpart of securing your applications, before and after deployment, is securing the server hosting environment into which the applications are deployed.

--------------------------------------------------------------------------

Secure the administrative environment

Use the administrative console to assign users to administrative roles.

Available links: Documentation, Tell me, Guide me

--------------------------------------------------------------------------

Configure security with wsadmin scripting (overview)

Scripting is a non-graphical alternative that you can use to configure and manage WebSphere Application Server. The WebSphere Application Server wsadmin tool provides the ability to run scripts. The wsadmin tool supports a full range of product administrative activities.

Available links: Documentation

--------------------------------------------------------------------------

Configure global security

Configure global security, which applies to all applications running in the environment and determines whether security is used at all, the type of registry against which authentication takes place, and other values, many of which act as defaults.

Available links: Documentation, Tell me, Guide me

--------------------------------------------------------------------------

Authenticate users with the local operating system user registry

Configure the product to authenticate users against the local operating system user registry. The product provides and supports the implementation for Windows operating system registries, AIX, Solaris and multiple versions of Linux operating systems. The respective operating system APIs are called by the product processes (servers) for authenticating a user and other security-related tasks (for example, getting user or group information).

Available links: Documentation, Show me, Tell me, Guide me

--------------------------------------------------------------------------

Authenticate users with an LDAP user registry

Configure the product to authenticate users against a Lightweight Directory Access Protocol (LDAP) user registry. The product security provides and supports implementation of most major LDAP directory servers, which can act as the repository for user and group information. These LDAP servers are called by the product processes (servers) for authenticating a user and other security-related tasks (for example, getting user or group information). This support is provided by using different user and group filters to obtain the user and group information. These filters have default values that you can modify to fit your needs. The custom LDAP feature enables you to use any other LDAP server (which is not in the product supported list of LDAP servers) for its user registry by using the appropriate filters.

Available links: Documentation, Show me, Tell me, Guide me

--------------------------------------------------------------------------

Authenticate with a custom user registry

After you have implemented and built the UserRegistry interface, you can configure the product to use your custom user registry to authenticate users.

Available links: Documentation, Show me, Tell me, Guide me

--------------------------------------------------------------------------

Set up Single Sign On (SSO)

With single signon (SSO) support, Web users can authenticate once when accessing Web resources across multiple WebSphere Application Servers. Form login mechanisms for Web applications require that SSO is enabled.

Available links: Documentation

--------------------------------------------------------------------------

Set up Secure Sockets Layer (SSL) between remote servers or clients and servers

Secure Sockets Layer (SSL) is used by multiple components within WebSphere Application Server to provide trust and privacy.

Available links: Documentation, Show me

--------------------------------------------------------------------------

Set up CSIv2

Configure Common Secure Interoperability Version 2 (CSIv2) features including SSL client certificate authentication, message layer authentication, identity assertion, and security attribute propagation.

Available links: Documentation, Tell me

--------------------------------------------------------------------------

Configure an authorization provider (JACC)

Configure the product to use an external security provider you have set up to work with WebSphere Application Server that can support Java 2 Platform, Enterprise Edition (J2EE) authorization based on the JACC specification.

Available links: Documentation, Tell me

--------------------------------------------------------------------------

Troubleshoot security problems

Troubleshoot several types of problems related to enabling or configuring security.

--------------------------------------------------------------------------

Troubleshoot the security subsystem

Troubleshoot several types of problems related to enabling or configuring security.

Available links: Documentation

--------------------------------------------------------------------------




Related concepts
Overview of securing applications and their environments
Overview and new features for securing applications and their environment
Product overview and quick start



Searchable topic ID: welc_howdoi_tsec