Security: global and server

The term global security refers to the security configuration that is in effect for the entire security domain. A security domain consists of all servers that are configured with the same user registry realm name. In some cases, the realm could be the machine name of a LocalOS user registry. In this case, all application servers must reside on the same physical machine. In other cases, the realm could be the machine name of an LDAP user registry. Because LDAP is a distributed user registry, this allows for a multiple node configuration, such as a Network Deployment environment.

The basic requirement for a security domain is that the access ID returned by the registry from one server within the security domain is the same as the access ID returned from the registry on any other server within the same security domain. The access ID is the unique identification of a user and is used during authorization to determine whether access to the resource is permitted.

Configuring global security for a security domain consists of configuring the common user registry, the authentication mechanism, and other security information that defines the behavior of the security domain. The other security information that can be configured includes Java 2 Security Manager, Java Authentication and Authorization Service (JAAS), Java 2 Connector authentication data entries, CSIv2 or SAS authentication protocol (RMI/IIOP security), and other miscellaneous attributes. The global security configuration usually applies to every server within the security domain. Some portions of the configuration can be overridden at the server level.

In a Network Deployment environment, where multiple nodes and multiple servers within a node can exist, you can configure some of these attributes at the server level. The attributes that are configurable at the server level include security enablement for the server, Java 2 Security Manager enablement, and CSIv2 or SAS authentication protocol (RMI/IIOP security). You can disable security on individual application servers while global security is enabled; however, you cannot enable security on an individual application server while global security is disabled.

While application server security is disabled for user requests, administrative and naming security is still enabled for that application server so that the administrative and naming infrastructure remains secure. Therefore, you might want to ensure that Naming security grants "Everyone" access to the Naming functions that your user code uses, so that access problems are not encountered. You need not be concerned with Administrative security, because user code should not access administrative functions directly, only through the supported scripting tools.