Securing iSeries objects and files

This topic discusses the various iSeries objects and files that contain sensitive information and need to be protected.

Secure integrated file system files

In addition to enterprise beans and servlets, the WebSphere administrative server and application servers access integrated file system stream files. The following files may contain sensitive information and should be given close consideration to ensure no unauthorized access is granted:

• In the properties subdirectory of your instance (for example, /QIBM/UserData/WebAS5/Base/default/properties) these files can contain user IDs and passwords:

  • sas.client.props
  • soap.client.props
  • sas.stdclient.properties
  • sas.tools.properties
  • wsserver.key

  By default, each of these files is shipped with *PUBLIC authority set to *EXCLUDE. The QEJBSVR user profile is granted *RX authority to these files. Additional protection is available through password encoding. For more information, see Password encoding.

• In the etc subdirectory if your instance, all key (KDB) files and trust (JKS) files that you create for your WebSphere Application Server instance should be protected:

  • For the JKS files, the QEJBSVR user profiles should have *R authority and *PUBLIC should have *EXCLUDE authority.
  • For the KDB files, the user profile that the Web server is running under should have *RX authority and *PUBLIC should have *EXCLUDE authority.

Secure WebSphere database resources

WebSphere Application Server uses tables to persist data for user applications such as enterprise beans persistence and servlet session data. You have several options for controlling which iSeries user profiles are allowed access to this user data. See Database access security for more information.

Secure the WebSphere server

When you enable WebSphere security, the server's user profile and password are placed into server configuration files which should be maintained in a secure way using OS/400 system security. Additionally, some WebSphere resources can be password-protected, and these passwords are also placed in server configuration files. The server automatically encodes passwords to deter casual observation, but password encoding alone is not sufficient protection.

These files are located in the config subdirectory of your instance, and they can contain user identifiers and passwords:

• config/cells/cell_name/security.xml
• config/cells/cell_name/nodes/node_name/resources.xml
• config/cells/cell_name/nodes/node_name/servers/server_name/server.xml

where cell_name is the name of the cell, node_name is the name of the node, and server_name is the name of the application server. For example, for the default instance, the server_name is server1.

The server's user profile and password are used for authenticating the server when it initializes. This authentication is required for these reasons:

• The user ID and password are used as the System Identity for the server when a bean's security has been deployed to use SYSTEM_IDENTITY for method delegation. In this case, the user ID and password are used when method calls are are made from one enterprise bean to another.
• The user ID and password are used to authenticate servers for inter server communication. Because security for these files may be compromised, use a non-default user profile for the server identity and password. The default user profile is QEJBSVR. If you use the Local Operating System (LocalOS) user registry (OS/400), you may choose to create and use an iSeries user profile that has no special authorities. For more information, see Run application servers under specific user profiles.

WebSphere user profiles

When it is first installed, by default WebSphere Application Server uses the following iSeries user profiles:

• QEJB
  This profile provides access to some administrative data, including passwords.

• QEJBSVR
  This profile provides the context in which your WebSphere application server runs. For security or administrative purposes, you may want to create other user profiles under which to run various parts of WebSphere Application Server. For more information, see Run application servers under specific user profiles.