Security in your WebSphere® ESB environment is controlled from the administrative console. A user with sufficient privileges can turn all application security on or off from the administrative console. It is therefore critical that you secure the environment before deploying secured applications.
Before you begin
You should install WebSphere ESB and verify the installation before commencing these tasks.
About this task
Your WebSphere ESB environment is defined within a profile. Open the administrative console for the profile that you want to secure. Log in to the console using any user identity; until the profile is secure, any user name will be accepted.
The following steps provide a roadmap of the tasks you perform to enable security. More specific details on these tasks are provided in the topics that follow.
Procedure
- Ensure that administrative security is turned on. See Enabling security.
- Ensure that application security is turned on. See Securing applications in WebSphere ESB.
- Add users or groups to the administrative role. You can give administrative rights to individual users or to a group of users by following the Administrative User Roles or Administrative Group Roles, respectively.
- Select the user account repository that you want to use.
The following table describes the choices of user registry and the actions required to select and configure a user registry.
- Make sure you have set the selected registry as your current registry.
If you have not already done so, click Set as current at the bottom of the Secure administration, applications, and infrastructure page.
- Make sure you have applied the changes after you select the user registry.
If you have not already done so, click Apply at the bottom of the Secure administration, applications, and infrastructure page.
- Go to the Business Integration Security panel. Expand Security and click Business Integration Security.
- Supply appropriate user identities for the listed authentication aliases. The credential you provide must exist in the user account repository that you are employing. It is important for the security of your system that you choose appropriate user identities to act as authentication aliases.
- On the same panel, you can configure security for Business Process Choreographer.
Set the Business Process Choreographer user role mappings for the business flow and human task manager:
  - Administrator: User names or group names (or both) for the business flow and human task administrator role. Users assigned to this role have all privileges.
  - Monitor: User names or group names (or both) for the business flow and human task monitor role. Users assigned to this role can view the properties of all the business process and task objects.
The Business Process Choreographer authentication aliases can be configured for each deployment target where Business Process Choreographer has been installed. The following authentication aliases are listed:
  - JMS API Authentication: Authentication for the business flow manager message-driven bean to process asynchronous API calls.
  - Escalation User Authentication: Authentication for the human task manager message-driven bean to process asynchronous API calls.
- Apply these changes.
Click the Apply button at the bottom of the panel.
- Save the changes to the local configuration.
Click Save in the message pane.
- Ensure that the security information is propagated to the nodes of the cell.
Expand System administration on the administrative console and click Nodes. Click Full Resynchronize.
- If necessary, stop and restart the server.
If the server needs to be restarted, a message will appear in the administrative console to this effect.
Results
The next time you log in to the administrative console, you must provide a valid user name and password.
What to do next
Each profile that you create must be secured in this way. The system administrator user identity might have been used in multiple places during installation and configuration of the environment. It is advisable to replace this identity with appropriate user credentials from the user account repository for all but the core security functions. Use the Business Integration Security panel in the administrative console to administer these identities and aliases.
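
The checkpoints of this procedure (administrative security on, application security on, a defined current registry, and authentication aliases that carry an identity other than the administrator's) can be verified from the saved configuration. The following is an added example, not IBM code: it assumes the cell's security.xml (under the profile's config/cells/<cell name> directory) records these settings in the enabled, appEnabled and activeUserRegistry attributes and in authDataEntries elements; the sample document, the alias names and the sampleadmin identity are constructed.

```python
import xml.etree.ElementTree as ET

XMI = "{http://www.omg.org/XMI}"

# Constructed sample, cut down to the attributes and elements the checks read.
SAMPLE = """<security:Security xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:id="Security_1" enabled="true" appEnabled="false"
    activeUserRegistry="LDAPUserRegistry_1">
  <userRegistries xmi:type="security:LocalOSUserRegistry" xmi:id="LocalOSUserRegistry"/>
  <userRegistries xmi:type="security:LDAPUserRegistry" xmi:id="LDAPUserRegistry_1"/>
  <authDataEntries xmi:id="JAASAuthData_1" alias="sample/alias_one" userId="sampleadmin"/>
  <authDataEntries xmi:id="JAASAuthData_2" alias="sample/alias_two" userId="svc_sample"/>
  <authDataEntries xmi:id="JAASAuthData_3" alias="sample/alias_three" userId=""/>
</security:Security>"""


def audit_security(xml_text, admin_ids=()):
    """Return findings for the procedure's checkpoints (empty list = all passed)."""
    root = ET.fromstring(xml_text)
    admins = {a.lower() for a in admin_ids}  # caller-supplied administrator names
    findings = []
    if root.get("enabled") != "true":
        findings.append("administrative security is off")
    if root.get("appEnabled") != "true":
        findings.append("application security is off")
    # The registry marked as current must be one that is actually defined.
    defined = {r.get(XMI + "id") for r in root.findall("userRegistries")}
    active = root.get("activeUserRegistry")
    if active not in defined:
        findings.append("current registry %r is not defined" % active)
    # Each authentication alias needs an identity, and not the administrator's.
    for entry in root.findall("authDataEntries"):
        alias = entry.get("alias")
        user = (entry.get("userId") or "").strip()
        if not user:
            findings.append("alias %s has no user identity" % alias)
        elif user.lower() in admins:
            findings.append("alias %s reuses administrator identity %s" % (alias, user))
    return findings


if __name__ == "__main__":
    for finding in audit_security(SAMPLE, admin_ids=["sampleadmin"]):
        print("FINDING:", finding)
```

Run it against a copy of the file taken after Save and Full Resynchronize, so that it reflects what the nodes received.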