Configure server security (Network Deployment only)

Security can be customized to some extent at the application server level. You can disable user security in an application server (administrative security remains enabled when global security is enabled). You can also modify such features as Java 2 Security Manager, CSIv2 or SAS, and some of the other security attributes found on the global security (also called cell-level security) panel. You cannot configure a different authentication mechanism or user registry on a per-server basis; these are among the few features limited to cell-level configuration. Also, when global security is disabled, you cannot enable application server security.

By default, server security inherits all values configured in global security (cell-level security). To override the security configuration at the server-level with the WebSphere administrative console, go to Servers --> Application Servers --> server --> Server Security (under Additional Properties), where server is the name of your application server instance, and into any of the following panels:

After you modify the configuration in any of these panels and click OK or Apply, the security configuration for that panel or set of panels overrides cell-level security. Panels that are not overridden continue to inherit their values from the cell level. You can revert to the cell-level configuration at any time: the Server Security panel displays the Use Cell Security, Use Cell CSI, and Use Cell SAS buttons, which restore the global security configuration for the corresponding panels.

For more information about the differences between global security and server-specific security, see Security: global and server.

  1. Start the WebSphere administrative console for the deployment manager. If security is disabled, you can enter any user ID. If security is enabled, enter a valid user ID and password, which is either the administrative ID (configured for the user registry) or a user ID that is configured as an administrative user. For more information, see Assign users to administrative roles.

  2. Configure global security if you have not already done so. See Configure global security for more information. After global security is configured, you can now configure server-level security.

  3. In the navigation menu, click Servers --> Application Servers --> server --> Server Security (under Additional Properties), where server is the name of your application server instance. The Server Security panel shows which level of security is in use for this application server. By default, Global Security and the authentication protocols for RMI/IIOP requests (CSI and SAS) are not overridden at the server level. The Server Level Security panel lists attributes from the Global Security panel that can be overridden at the server level. Not all attributes on the Global Security panel can be overridden at the server level; Active Authentication Mechanism and Active User Registry, for example, cannot.

  4. To disable security for this application server, go to the Server Level Security panel, clear the Enabled checkbox and click OK or Apply. Finally, click Save to save your configuration. The Server Level Security panel shows that this setting is overriding cell-level security.

  5. To configure CSI at the server level, see Configure the authentication protocol.

  6. After you have modified the configuration for a particular application server, restart the application server for the changes to become effective. To restart the application server, go to Servers --> Application Servers and click on the server name that you modified. Click Stop to stop the application server. After the application server has stopped, click Start to start the server.

  7. If you disabled security for the application server, test a URL that is protected when security is enabled. If your application server instance contains the default application (DefaultApplication), test the snoop servlet. Enter the following URL in your browser:

    http://your.server.name:port/snoop

    where your.server.name is the hostname of your server, and port is the port number.

    When security is disabled, you are not prompted for a user ID and password to access the resource. Additionally, test any applications you have installed in the instance.
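
The check in step 7 can be scripted so that it is repeatable after every restart. The following is an added example, not part of the product documentation: it requests the URL once without credentials and reports whether the server prompted for authentication. The function names, the command-line arguments and the treatment of redirects as a separate outcome are assumptions of this example.

```python
# Added example: scripted version of the step-7 check (names are hypothetical).
import http.client
import sys
from urllib.parse import urlsplit

def classify(status, headers):
    """Return 'prompted', 'open', 'redirect' or 'inconclusive' for one response."""
    names = {name.lower() for name, _ in headers}
    if status == 401 and "www-authenticate" in names:
        return "prompted"      # server issued an HTTP authentication challenge
    if status in (301, 302, 303, 307, 308) and "location" in names:
        return "redirect"      # may be a login page or a move to HTTPS: check by hand
    if 200 <= status < 300:
        return "open"          # resource served without any credentials
    return "inconclusive"      # 403, 404, 5xx say nothing about the security state

def probe(url, timeout=5):
    """Fetch url once, with no credentials and without following redirects."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        resp.read()
        return classify(resp.status, resp.getheaders())
    finally:
        conn.close()

def matches_intent(outcome, security_disabled):
    """True when the observed outcome agrees with the setting you configured."""
    return outcome == ("open" if security_disabled else "prompted")

if __name__ == "__main__":
    # Usage: check.py URL disabled|enabled
    # The second argument is the state you configured for that server.
    url, state = sys.argv[1], sys.argv[2]
    outcome = probe(url)
    ok = matches_intent(outcome, state == "disabled")
    print(f"{url}: {outcome} ({'as configured' if ok else 'MISMATCH'})")
    sys.exit(0 if ok else 1)
```

Run it against the snoop URL of each server whose setting you changed; a non-zero exit status means the observed behavior does not match the configuration you intended, for example a server that still serves the resource without a prompt after security was re-enabled.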