Enable global security for Network Deployment

This scenario is specifically for a Network Deployment setup where multiple nodes and/or application servers are installed. You must install a deployment manager to manage all of the nodes. Lightweight Third Party Authentication (LTPA) is the configured authentication mechanism because distributed security tokens are required. The user registry is typically Lightweight Directory Access Protocol (LDAP) or a custom registry, because LocalOS only works for a single-machine setup.

Note: You can also customize your security configuration at the application server level. For more information, see Configure server security (Network Deployment only).

After you have enabled global security for all your base application servers, enable global security for Network Deployment.

Note: As of Version 5.0.1, you can configure the Network Deployment file transfer service to use role-based authentication. For more information, see Enable authentication in the file transfer service. If you want to use file-transfer authentication, make sure you have configured it before you enable global security for your Network Deployment environment.

To enable global security for Network Deployment, perform the following steps:

  1. Verify that global security is enabled for WebSphere Application Server, the configuration has been saved, and your administrative ID and password have been validated. In the WebSphere administrative console, click Security --> Global Security, and ensure that Enabled is selected. Click OK. Verify that the validation occurs without error. If the validation is not successful, the server may not start.

  2. Synchronize the new configuration with all of the running node agents. If a node agent fails to receive the security-enabled configuration, communication with the deployment manager fails because the node agent lacks access to the deployment manager. To force a file synchronization at any specific node, complete the following steps from the administrative console:

    1. Click System Administration --> Nodes.
    2. Select all of the nodes except the deployment manager node.
    3. Click Full Resynchronize to verify that the file synchronization has occurred. A message may appear that indicates that the nodes already are synchronized. This message is acceptable.
    4. After synchronization is initiated, verify that the Synchronized status displays for all nodes.

  3. Stop the deployment manager. To stop the deployment manager, go to System Administration --> Deployment Manager and click Stop. This action logs you out of the administrative console and stops the deployment manager process.

  4. Restart the deployment manager process with the startManager script. For more information, see The startManager script in the Administration topic.

    If the deployment manager does not start after enabling security, disable security through the wsadmin tool. Enter the following command:

    wsadmin -c securityoff

    For more information, see The wsadmin administrative tool in the Administration topic.

  5. After the deployment manager initialization is complete, start the WebSphere administrative console. (If you have enabled single signon, specify the fully qualified domain name of your system in the URL for the administrative console.)

  6. Log into the administrative console with your administrator user ID and password.

  7. Restart all node agents to make them security enabled. If the node agent is security-enabled before the deployment manager is security-enabled, then the deployment manager cannot query the node agent for status or give the node agent commands. To restart all of the node agents, complete the following steps:

    1. Click System Administration --> Node Agents.
    2. Select all of the node agents.
    3. Click Restart. A message similar to the following displays at the top of the panel: The node agent on node NODE was restarted successfully.
    4. If you previously did not stop your application servers, restart them. Click Servers --> Application Servers, and select the servers that you want to start. Click Start.

    If any node agent fails to restart, perform a manual resynchronization of the configuration. This step consists of going to the physical node and running the client syncNode command. This client logs into the deployment manager and copies all of the configuration files to the node agent. This action ensures that the configuration is security-enabled. To resynchronize, complete the following:

    1. If the node agent is started, but not communicating with the deployment manager, stop the node agent by issuing a stopServer command. If security is enabled on this node agent, run the stopNode command, as follows:

      stopNode -username adminuser -password adminpw

      where adminuser is your administrative user ID, and adminpw is the password. For more information, see The stopNode script in the Administration topic.

    2. Run the syncNode command as follows:

      syncNode cell_host port -username adminuser -password adminpw

      where cell_host is the host name of the cell, port is the SOAP or RMI port on which the deployment manager for the Network Deployment cell is listening, adminuser is your administrative user ID, and adminpw is the password. For more information, see The syncNode script in the Administration topic.

    3. Restart the node agent with the startNode script. For more information, see The startNode script in the Administration topic.

  8. Verify the status of the node agents. In the administrative console, click System Management --> Nodes. If the status of the node is Unknown, physically stop and restart the node agent with the node agent scripts.

    On the system on which the node agent is running, run the stopNode command as follows:

    stopNode -username adminuser -password adminpw

    where adminuser is your administrative user ID and adminpw is the password.

    Start the node with the startNode script.

  9. If you have any problems restarting the node agents or application servers, review the output logs in the /QIBM/UserData/WebAS5/ND/instance/logs/nodeagent directory or the /QIBM/UserData/WebAS5/Base/instance/logs/server directory (where instance is the name of your instance, nodeagent is the name of your node agent, and server is the server name).

  10. After restarting all node agents and application servers in secure mode, complete the following steps to verify that WebSphere security is functioning:

    1. Test basic authorization with snoop by accessing a secured URL. You should be prompted for a user ID and password. Enter any valid user ID and password from your configured user registry.

    2. Test Java client access with the dumpNameSpace script. The dumpNameSpace script is located in the /QIBM/ProdData/WebAS5/product/bin directory, where product is either Base or ND. For more information, see JNDI namespace dump utility. Again, the login prompt should appear.

    3. Test form login by starting the WebSphere administrative console. (If your configured authentication mechanism is set to LTPA, use a fully qualified host name to access the console.) A form-based login page should appear. Enter the administrative user ID and password that you used when configuring your user registry.

Disabling global security for Network Deployment

To disable Network Deployment global security, perform the following steps:

  1. In the WebSphere administrative console, click Security --> Global Security.

  2. Clear the Enabled checkbox so that security gets disabled upon a server restart. Click OK.

  3. Click Save to save your configuration.

  4. Synchronize the new configuration with all of the running node agents. If a node agent fails to receive the new (security-disabled) configuration, communication with the deployment manager fails because the node agent lacks access to the deployment manager. To force a file synchronization at any specific node, complete the following steps from the administrative console:

    1. Click System Administration --> Nodes.
    2. Select all of the nodes except the deployment manager node.
    3. Click Full Resynchronize to verify that the file synchronization has occurred. A message may appear that indicates that the nodes already are synchronized. This message is acceptable.
    4. After synchronization is initiated, verify that the Synchronized status displays for all nodes.

  5. Stop all processes including the deployment manager, node agents, and application servers:

    1. Stop the application servers. Click Servers --> Application Servers, click each application server process, and click Stop.
    2. Stop the node agents. Click System Administration --> Node Agents, click each node agent process, and click Stop.
    3. Stop the deployment manager. Click System Administration --> Deployment Manager, and click Stop.

  6. After all processes have stopped, manually restart the deployment manager and all node agents from the command line. Restart the deployment manager process with the startManager command. Restart all node agent processes with the startNode command.

    If any node agent fails to restart, perform a manual resynchronization of the configuration. This step consists of going to the physical node and running the client syncNode command. This client logs into the deployment manager and copies all of the configuration files to the node agent. This action ensures that the configuration is security-disabled. To resynchronize, complete the following:

    1. If the node agent is started, but not communicating with the deployment manager, stop the node agent by issuing a stopServer command. If security is enabled on this node agent, run the stopNode command, as follows:

      stopNode -username adminuser -password adminpw

      where adminuser is your administrative user ID, and adminpw is the password. For more information, see The stopNode script in the Administration topic.

    2. Run the syncNode command as follows:

      syncNode cell_host port -username adminuser -password adminpw

      where cell_host is the host name of the cell, port is the SOAP or RMI port on which the deployment manager for the Network Deployment cell is listening, adminuser is your administrative user ID, and adminpw is the password. For more information, see The syncNode script in the Administration topic.

    3. Restart the node agent with the startNode script. For more information, see The startNode script in the Administration topic.

  7. Start the WebSphere administrative console.

  8. Restart all application servers on each node agent. Click Servers --> Application Servers, and select the servers that you want to start. Click Start.

  9. Verify the configuration. Click System Management --> Nodes. If the status of a node is Unknown, go to that node, manually stop the node agent, perform a manual configuration synchronization, and restart the node agent.

  10. If you have any problems restarting the node agents or application servers, review the output logs in the /QIBM/UserData/WebAS5/ND/instance/logs/nodeagent directory or the /QIBM/UserData/WebAS5/Base/instance/logs/server directory (where instance is the name of your instance, nodeagent is the name of your node agent, and server is the server name).
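The manual resynchronization sequence (stopNode, then syncNode, then startNode) and the log review that follows it appear in both the enabling and the disabling procedures above, and an administrator typically repeats them on every node whose agent fails to restart. The script below is an added example written for this page, not an IBM-supplied tool, and chains those steps for one node in a POSIX shell such as QShell. It uses the stopNode form the page gives for a node agent that still has security enabled, which is the state of a node agent that has not yet received the new configuration. It assumes two things the page does not state: the directory holding the stopNode, syncNode and startNode scripts is supplied in the WAS_BIN environment variable, and the administrative password is supplied in WAS_ADMIN_PW rather than typed on the command line, so it does not land in shell history (the scripts themselves still receive it as -password, as the page shows, so it remains visible in the process list on the node while they run). The log check assumes the basic "[timestamp] threadid component severity message" line format and flags lines of severity E or F; adjust the pattern if your logs differ.

```shell
#!/bin/sh
# resync_node.sh: manually resynchronize one node agent with the deployment
# manager, following the stopNode -> syncNode -> startNode sequence from the
# procedure above, then look for errors in the node agent log.
# Added example; assumes WAS_BIN and WAS_ADMIN_PW are set in the environment.

# run_step NAME CMD... : run one step, report its outcome, return its status
run_step() {
    name=$1; shift
    "$@"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "resync: $name ok"
    else
        echo "resync: $name failed (rc=$rc)" >&2
    fi
    return $rc
}

# resync_node CELL_HOST PORT ADMIN_USER
#   CELL_HOST  host name of the cell (the deployment manager host)
#   PORT       SOAP or RMI port the deployment manager listens on
#   ADMIN_USER administrative user ID
# Returns 0 when syncNode and startNode both succeed, 2 when syncNode fails
# (the node still has the stale configuration) and 3 when startNode fails.
resync_node() {
    cell_host=$1; port=$2; adminuser=$3
    : "${WAS_BIN:?set WAS_BIN to the directory holding the WebSphere scripts}"
    : "${WAS_ADMIN_PW:?set WAS_ADMIN_PW to the administrative password}"

    # Step 1: stop the node agent. It may already be down or unreachable, so
    # a failure here is reported but does not abort the procedure.
    run_step stopNode "$WAS_BIN/stopNode" \
        -username "$adminuser" -password "$WAS_ADMIN_PW" \
        || echo "resync: node agent did not stop cleanly; continuing" >&2

    # Step 2: log in to the deployment manager and copy the current
    # configuration to this node. Without it the node agent would come back
    # with the old security setting, so stop here if this fails.
    run_step syncNode "$WAS_BIN/syncNode" "$cell_host" "$port" \
        -username "$adminuser" -password "$WAS_ADMIN_PW" || return 2

    # Step 3: start the node agent with the synchronized configuration.
    run_step startNode "$WAS_BIN/startNode" || return 3
    return 0
}

# log_errors LOGFILE : print log lines of severity E (error) or F (fatal),
# returning 1 if any were found, 0 if the log is clean, 2 if it is unreadable.
# Assumed line format: "[timestamp] threadid component severity message".
log_errors() {
    [ -r "$1" ] || { echo "log_errors: cannot read $1" >&2; return 2; }
    grep -E '^\[[^]]+\] [0-9a-fA-F]+ [A-Za-z0-9_]+ +[EF] ' "$1" && return 1
    return 0
}

# Typical use on the node (values are placeholders):
#   WAS_BIN=/QIBM/ProdData/WebAS5/ND/bin WAS_ADMIN_PW='...' \
#       sh resync_node.sh dmgr.example.test 8879 wasadmin
if [ "$#" -eq 3 ]; then
    resync_node "$1" "$2" "$3" || exit $?
    log_errors "$WAS_BIN/../logs/nodeagent/SystemOut.log" || exit $?
fi
```

The exit codes let a wrapper that loops over nodes distinguish "configuration never arrived" (2) from "configuration arrived but the agent would not start" (3), which is the difference between re-running syncNode and reading the node agent log.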