WebSphere Enterprise Service Bus for z/OS, Version 6.2.0 Operating Systems: z/OS


Securing a deployment environment of WebSphere ESB

Security in your WebSphere® ESB environment is controlled from the administrative console. A user with sufficient privileges can turn on or off all application security from the administrative console. It is therefore critical that you secure the environment before deploying secured applications.

Before you begin

You should install WebSphere ESB and verify the installation before commencing these tasks.

About this task

Your WebSphere ESB environment is defined within a profile. Open the administrative console for the profile that you want to secure. Log in to the console using any user identity: until the profile is secured, the console accepts any user name, so do not leave an unsecured profile reachable for longer than it takes to complete these steps.

The following steps provide a roadmap of the tasks you perform to enable security. More specific details on these tasks are provided in the topics that follow.

Procedure
  1. Ensure that administrative security is turned on. See Enabling security.
  2. Ensure that application security is turned on. See Securing applications in WebSphere ESB.
  3. Add users or groups to the administrative role. You can give administrative rights to individual users or to a group of users; see Administrative User Roles or Administrative Group Roles, respectively. Mapping a group rather than individual users keeps administrator membership manageable from the registry.
  4. Select the user account repository that you want to use.

    The following table describes the choices of user registry and the actions required to select and configure a user registry.

    User registry: Federated repositories
    Action: Specify this setting to manage profiles in multiple repositories under a single realm. The realm can consist of identities in:
      • The file-based repository that is built into the system
      • One or more external repositories
      • Both the built-in, file-based repository and one or more external repositories
      Note: Only a user with administrator privileges can view the federated repositories configuration.
      See Managing the realm in a federated repository configuration for more information.

    User registry: Local operating system
    Action: The default user registry (on z/OS this is the SAF-based registry, for example RACF). See Configuring the local operating system or standalone custom user account repository for details of how to configure the user account registry.

    User registry: Standalone LDAP registry
    Action: Follow the instructions in Configuring Lightweight Directory Access Protocol (LDAP) as the user registry to configure LDAP as your user registry.

    User registry: Standalone custom registry
    Action: See Configuring the local operating system or standalone custom user account repository for details of how to configure the user account registry.
  5. Make sure you have set the selected registry as your current registry.

    If you have not already done so, click Set as current at the bottom of the Secure administration, applications, and infrastructure page.

  6. Make sure you have applied the changes after you select the user registry.

    If you have not already done so, click Apply at the bottom of the Secure administration, applications, and infrastructure page.

  7. Go to the Business Integration Security panel. Expand Security and click Business Integration Security.
  8. Supply appropriate user identities for the listed authentication aliases. Each identity you provide must exist in the user account repository that you selected. It is important for the security of your system that each alias is backed by a dedicated identity holding only the privileges that alias needs; do not reuse the administrator identity for this purpose.
  9. On the same panel, you can configure security for Business Process Choreographer.
    Set the business process choreographer user role mappings for the business flow and human task manager:
    • Administrator: User names or group names (or both) for the business flow and human task administrator role. Users assigned to this role have all privileges.
    • Monitor: User names or group names (or both) for the business flow and human task monitor role. Users assigned to this role can view the properties of all the business process and task objects.
    The business process choreographer authentication aliases can be configured for each deployment target where the business process choreographer has been installed. The following authentication aliases are listed:
    • JMS API Authentication: Authentication for the business flow manager message-driven bean to process asynchronous API calls.
    • Escalation User Authentication: Authentication for the human task manager message-driven bean to process asynchronous API calls.
  10. Apply these changes.

    Click the Apply button at the bottom of the panel.

  11. Save the changes to the local configuration.

    Click Save in the message pane.

  12. Ensure that the security information is propagated to the nodes of the cell.

    Expand System administration on the administrative console and click Nodes. Click Full Resynchronize.

  13. If necessary, stop and restart the server.

    If the server needs to be restarted, a message will appear in the administrative console to this effect.
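The roadmap above is a console procedure; the following wsadmin (Jython) script is an added example, not part of the IBM topic, showing the same steps issued as AdminTask commands so that every profile is secured the same way. It assumes a standalone LDAP registry and invents the host, DNs, group, alias names and identities (replace them with your own; on z/OS with a SAF registry use configureAdminLocalOSUserRegistry instead); check the command names against the wsadmin reference for your product level. Outside wsadmin it dry-runs against a recorder so the command list can be reviewed before a cell is touched.

```python
"""Scripted form of the securing roadmap, for wsadmin (Jython).

Run inside wsadmin:   wsadmin.sh -lang jython -f secure_profile.py
Outside wsadmin the script dry-runs against a recorder.  Written in the
Python 2.1 subset that the wsadmin Jython interpreter accepts
(no True/False builtins, no closures, %-formatting only).
"""

# ---- Assumed site values (hypothetical): replace with your own. ----
LDAP = {
    'ldapServerType': 'IBM_DIRECTORY_SERVER',
    'ldapHost': 'ldap.example.com',
    'ldapPort': '636',
    'sslEnabled': 'true',
    'baseDN': 'o=example',
    'bindDN': 'cn=wasbind,o=example',
}
PRIMARY_ADMIN_ID = 'wesbadmin'            # must already exist in the registry
ADMIN_GROUP = 'cn=wesbadmins,o=example'   # group mapped to the administrator role
ALIAS_USERS = {                           # alias -> dedicated identity (hypothetical)
    'SCA_Auth_Alias': 'scasvc',
    'BPC_JMS_Auth_Alias': 'bpcjms',
}


def task_args(**kw):
    """Render keyword pairs as the '[-name value ...]' string AdminTask expects."""
    return '[' + ' '.join(['-%s %s' % (k, v) for k, v in kw.items()]) + ']'


def secure_profile(admin_task, admin_config, admin_control, bind_password, alias_passwords):
    """Apply steps 1-6, 8, 11 and 12 of the roadmap to the cell wsadmin is connected to."""
    # Step 4: configure the registry first so the primary administrative ID resolves.
    admin_task.configureAdminLDAPUserRegistry(task_args(
        primaryAdminId=PRIMARY_ADMIN_ID, autoGenerateServerId='true',
        bindPassword=bind_password, **LDAP))
    # Steps 1, 2, 5 and 6: administrative security, application security and
    # the current registry are set by one command (one console Apply).
    admin_task.setAdminActiveSecuritySettings(task_args(
        enabledAdminSecurity='true', appSecurityEnabled='true',
        activeUserRegistry='LDAPUserRegistry'))
    # Step 3: give a group, not individual users, the administrator role.
    admin_task.mapGroupsToAdminRole(task_args(roleName='administrator', groupids=ADMIN_GROUP))
    # Step 8: one dedicated identity per authentication alias, never the admin ID.
    for alias, user in ALIAS_USERS.items():
        admin_task.createAuthDataEntry(task_args(alias=alias, user=user,
                                                 password=alias_passwords[alias]))
    # Step 11: save to the master configuration.
    admin_config.save()
    # Step 12: synchronize every node that has a running node agent.
    for node in admin_config.list('Node').splitlines():
        name = admin_config.showAttribute(node, 'name')
        sync = admin_control.completeObjectName('type=NodeSync,node=%s,*' % name)
        if sync:
            admin_control.invoke(sync, 'sync')


class _RecordedCall:
    def __init__(self, recorder, name):
        self.recorder = recorder
        self.name = name

    def __call__(self, *args):
        self.recorder.calls.append((self.name,) + args)
        return ''


class Recorder:
    """Stand-in for AdminTask/AdminConfig/AdminControl: logs calls instead of changing a cell."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        return _RecordedCall(self, name)


def dry_run():
    """Return the (command, argument) list the roadmap would issue, without a cell."""
    rec = Recorder()
    secure_profile(rec, rec, rec, 'bind-secret',
                   {'SCA_Auth_Alias': 'p1', 'BPC_JMS_Auth_Alias': 'p2'})
    return rec.calls


try:
    AdminTask                     # defined only when wsadmin runs this file
except NameError:
    for call in dry_run():
        print('%s %s' % (call[0], ' '.join(call[1:])))
else:
    # Pass secrets with -javaoption -Dwesb.bindpw=... (assumed convention), never in the file.
    from java.lang import System
    secure_profile(AdminTask, AdminConfig, AdminControl, System.getProperty('wesb.bindpw'),
                   {'SCA_Auth_Alias': System.getProperty('wesb.scapw'),
                    'BPC_JMS_Auth_Alias': System.getProperty('wesb.bpcpw')})
```

Restarting the server (step 13) is deliberately left to the operator, because on a z/OS cell that is a MVS START/STOP of the control and servant regions rather than a wsadmin call.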

Results

The next time you log in to the administrative console, you must provide a valid user name and password.

What to do next

Each profile that you create must be secured in this way. The system administrator user identity might have been used in multiple places during installation and configuration of the environment. It is advisable to replace this identity with appropriate user credentials from the user account repository for all but the core security functions. Use the Business Integration Security panel in the administrative console to administer these identities and aliases.
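Because every profile has to be secured separately and the administrator identity tends to linger in authentication aliases, the following audit is an added example (not IBM's code) that reads a profile's security.xml and reports whether administrative and application security are on, which registry is current, and which aliases still run as the primary administrative ID. It runs with ordinary CPython on a workstation against copies of config/cells/<cell>/security.xml; the attribute names (enabled, appEnabled, activeUserRegistry, userRegistries, authDataEntries, primaryAdminId) are modelled on what WebSphere 6.1-based products write and should be confirmed against your own file. The sample document and its identities are constructed for the example.

```python
"""Audit a WebSphere profile's security.xml for the state the securing roadmap should leave.

Usage: python audit_security_xml.py <profile>/config/cells/<cell>/security.xml ...
Without arguments it audits the constructed sample below.
"""
import sys
import xml.etree.ElementTree as ET

XMI = '{http://www.omg.org/XMI}'

# Constructed sample: administrative security on, application security still off,
# LDAP current, and one alias that reuses the primary administrative identity.
SAMPLE_SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:id="Security_1" enabled="true" appEnabled="false"
    activeUserRegistry="LDAPUserRegistry_1">
  <authDataEntries xmi:id="JAASAuthData_1" alias="SCA_Auth_Alias" userId="wesbadmin" password="{xor}redacted"/>
  <authDataEntries xmi:id="JAASAuthData_2" alias="BPC_JMS_Auth_Alias" userId="bpcjms" password="{xor}redacted"/>
  <userRegistries xmi:type="security:LocalOSUserRegistry" xmi:id="LocalOSUserRegistry_1" serverId=""/>
  <userRegistries xmi:type="security:LDAPUserRegistry" xmi:id="LDAPUserRegistry_1"
      primaryAdminId="wesbadmin" serverId="wesbadmin" realm="ldap.example.com:636"/>
</security:Security>
"""


def audit_security_xml(xml_text):
    """Return the security state of one profile plus human-readable findings."""
    root = ET.fromstring(xml_text)
    admin_on = root.get('enabled') == 'true'
    app_on = root.get('appEnabled') == 'true'
    active_id = root.get('activeUserRegistry')

    # The current registry is the userRegistries element whose xmi:id the root points at.
    registry_type, admin_id = None, None
    for reg in root.findall('userRegistries'):
        if reg.get(XMI + 'id') == active_id:
            registry_type = reg.get(XMI + 'type', '').split(':')[-1]
            admin_id = reg.get('primaryAdminId') or reg.get('serverId') or None

    aliases = {e.get('alias'): e.get('userId') for e in root.findall('authDataEntries')}
    reused = sorted(a for a, u in aliases.items() if admin_id and u == admin_id)

    findings = []
    if not admin_on:
        findings.append('administrative security is OFF: the console accepts any user name')
    if admin_on and not app_on:
        findings.append('application security is OFF: application security constraints are not enforced')
    if registry_type is None:
        findings.append('activeUserRegistry %r matches no configured registry' % active_id)
    for alias in reused:
        findings.append('alias %s reuses the primary administrative ID %s' % (alias, admin_id))

    return {
        'admin_security': admin_on,
        'app_security': app_on,
        'active_registry': registry_type,
        'primary_admin_id': admin_id,
        'aliases': aliases,
        'aliases_using_admin_id': reused,
        'findings': findings,
    }


def audit_file(path):
    """Audit one security.xml on disk."""
    with open(path, encoding='utf-8') as fh:
        return audit_security_xml(fh.read())


if __name__ == '__main__':
    targets = sys.argv[1:] or ['<constructed sample>']
    for target in targets:
        if target == '<constructed sample>':
            result = audit_security_xml(SAMPLE_SECURITY_XML)
        else:
            result = audit_file(target)
        print('%s: admin=%s app=%s registry=%s' % (
            target, result['admin_security'], result['app_security'], result['active_registry']))
        for finding in result['findings']:
            print('  ! ' + finding)
```

Run it over every profile's file after step 12 so that a node whose copy was not resynchronized shows up as a mismatch against the deployment manager's.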



Last updated: 21 June 2010


http://publib.boulder.ibm.com/infocenter/dmndhelp/v6r2mx/topic//com.ibm.websphere.wesb620.zseries.doc/doc/tsec_adminroadmapnd.html
Copyright IBM Corporation 2005, 2010. All Rights Reserved.