Liberty:Security considerations

Consider the following when you configure Security for Liberty.

LTPA

  • Protect file access to the LTPA keys file because it contains the cryptographic material that is used to encrypt and decrypt the user data. Ensure that only the server and administrators have access to this file.
  • Ensure that all servers use the same LTPA keys. In addition, make sure that all the servers have their time and date synchronized.
  • When you specify a password, ensure that it is the same password for all servers that use the same set of LTPA keys. The password is not used to generate the keys; it is used to encrypt the LTPA keys file so that the keys cannot be read from it. If you copy the LTPA keys file to another Liberty server to achieve Single Sign-On (SSO), the password is required to gain access to the keys in the LTPA keys file. For more information about LTPA, see the Configuring LTPA on Liberty topic.
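The three LTPA points above (restrict access to the keys file, keep the keys identical across servers, keep server clocks in step) can be checked mechanically. The following is an added example, not IBM's code or part of this topic: it reports permission and ownership problems on an ltpa.keys file, compares the key material of several servers, and flags clock skew. The assumption that key lines in ltpa.keys start with `com.ibm.websphere.ltpa.` and the sample file contents and timestamps are constructed for the example.

```python
"""Checks for the LTPA guidance: keys-file access, key consistency, clock skew.
Added example, not IBM's code. Sample data below is constructed."""
import hashlib
import os
import stat
import tempfile

# Assumption: key material lines in ltpa.keys carry this property prefix.
KEY_LINE_PREFIX = b"com.ibm.websphere.ltpa."


def ltpa_keys_mode_issues(mode: int, owner_uid: int, server_uid: int) -> list:
    """Describe why the given st_mode/st_uid violate 'server and admins only'."""
    issues = []
    perm = stat.S_IMODE(mode)
    if perm & (stat.S_IRGRP | stat.S_IWGRP):
        issues.append("group can read or write the keys file")
    if perm & (stat.S_IROTH | stat.S_IWOTH):
        issues.append("others can read or write the keys file")
    if owner_uid != server_uid:
        issues.append(f"file is owned by uid {owner_uid}, not the server uid {server_uid}")
    return issues


def check_ltpa_keys_file(path: str, server_uid: int) -> list:
    """Stat a real keys file and run the permission/ownership checks on it."""
    st = os.stat(path)
    return ltpa_keys_mode_issues(st.st_mode, st.st_uid, server_uid)


def keys_fingerprint(contents: bytes) -> str:
    """Hash only the key lines, so differing creation-date comments do not
    make two copies of the same keys look different."""
    key_lines = sorted(l.strip() for l in contents.splitlines()
                       if l.startswith(KEY_LINE_PREFIX))
    return hashlib.sha256(b"\n".join(key_lines)).hexdigest()


def mismatched_servers(keys_by_server: dict) -> list:
    """Names of servers whose keys differ from the first server's keys."""
    names = list(keys_by_server)
    reference = keys_fingerprint(keys_by_server[names[0]])
    return [n for n in names[1:] if keys_fingerprint(keys_by_server[n]) != reference]


def clock_skew_issues(epoch_by_server: dict, tolerance_s: float) -> list:
    """Names of servers whose clock differs from the first server's by more
    than tolerance_s seconds; LTPA token validity depends on agreeing clocks."""
    names = list(epoch_by_server)
    reference = epoch_by_server[names[0]]
    return [n for n in names[1:] if abs(epoch_by_server[n] - reference) > tolerance_s]


if __name__ == "__main__":
    # Constructed keys file in a temp dir; first too open, then fixed.
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "ltpa.keys")
    with open(path, "wb") as f:
        f.write(KEY_LINE_PREFIX + b"3DESKey=constructed-sample\n")
    os.chmod(path, 0o644)
    print("mode 644:", check_ltpa_keys_file(path, os.getuid()))
    os.chmod(path, 0o600)
    print("mode 600:", check_ltpa_keys_file(path, os.getuid()))
    os.remove(path)
    os.rmdir(workdir)
```

Run it on a real server by pointing `check_ltpa_keys_file` at `${server.config.dir}/resources/security/ltpa.keys` and passing the uid the server runs as; for the key comparison, read each server's keys file into the dictionary passed to `mismatched_servers`.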

Passwords

  • Encrypt passwords by using the securityUtility encode command.
  • If you override the default encryption key with the wlp.password.encryption.key property, set the property in a separate configuration file that is stored outside the normal configuration directory for the server.

Authorization

  • If you specify an auth-constraint with no roles in an application, then no one is allowed to access the resource.
  • Be cautious when you specify the EVERYONE special subject, as this specification is equivalent to not protecting a resource.

Authentication

  • The timeout value for the authentication cache that is specified in the <authCache> element must be smaller than the expiration value for the LTPA token that is specified in the <ltpa> element.
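The Passwords, Authorization and Authentication points above all concern values in server.xml and web.xml, so one audit can check them together. The following is an added example, not IBM's code or part of this topic: it flags password attributes that are not encoded, a `wlp.password.encryption.key` variable placed in server.xml itself, an `<authCache>` timeout that is not smaller than the `<ltpa>` expiration, a role granted to the EVERYONE special subject, and an empty `<auth-constraint>`. The XML documents are constructed for the example; the handling of a bare number as milliseconds for `authCache timeout` and as minutes for `ltpa expiration`, and the defaults `600s` and `120`, follow the attribute documentation as I understand it and are assumptions.

```python
"""Audit constructed server.xml / web.xml fragments against the guidance above.
Added example, not IBM's code. Duration defaults are assumptions."""
import re
import xml.etree.ElementTree as ET

SERVER_XML_OK = """<server>
  <ltpa keysFileName="${server.config.dir}/resources/security/ltpa.keys"
        keysPassword="{xor}placeholder" expiration="120"/>
  <authCache timeout="600s"/>
  <application id="app" location="app.war">
    <application-bnd>
      <security-role name="user"><group name="employees"/></security-role>
    </application-bnd>
  </application>
</server>"""

SERVER_XML_BAD = """<server>
  <variable name="wlp.password.encryption.key" value="placeholder-key"/>
  <ltpa keysFileName="${server.config.dir}/resources/security/ltpa.keys"
        keysPassword="plain-text-placeholder" expiration="120"/>
  <authCache timeout="3h"/>
  <application id="app" location="app.war">
    <application-bnd>
      <security-role name="user"><special-subject type="EVERYONE"/></security-role>
    </application-bnd>
  </application>
</server>"""

WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection><url-pattern>/reports/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/legacy/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

_UNIT_MS = {"h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}


def parse_duration(value: str, default_unit: str) -> float:
    """'600s', '1h30m', '120' -> seconds; a bare number takes default_unit."""
    value = value.strip()
    if not re.fullmatch(r"(?:\d+(?:ms|h|m|s)?)+", value):
        raise ValueError(f"not a Liberty duration: {value!r}")
    total_ms = sum(int(n) * _UNIT_MS[u or default_unit]
                   for n, u in re.findall(r"(\d+)(ms|h|m|s)?", value))
    return total_ms / 1000


def audit_server_xml(text: str) -> list:
    findings = []
    root = ET.fromstring(text)
    # Passwords: securityUtility encode output starts with a tag such as {xor} or {aes}.
    for el in root.iter():
        for name, val in el.attrib.items():
            if name.lower().endswith("password") and not val.startswith("{"):
                findings.append(f"<{el.tag}> {name} is not encoded with securityUtility encode")
    for var in root.iter("variable"):
        if var.get("name") == "wlp.password.encryption.key":
            findings.append("wlp.password.encryption.key is set in server.xml; "
                            "keep it in a file outside the server configuration directory")
    # Authentication: cached entries must expire before the LTPA token does.
    ltpa, cache = root.find("ltpa"), root.find("authCache")
    expiration_s = parse_duration((ltpa.get("expiration") if ltpa is not None else None) or "120", "m")
    timeout_s = parse_duration((cache.get("timeout") if cache is not None else None) or "600s", "ms")
    if timeout_s >= expiration_s:
        findings.append(f"authCache timeout {timeout_s:.0f}s is not smaller than ltpa expiration {expiration_s:.0f}s")
    # Authorization: EVERYONE makes the role, and thus the resource, unprotected.
    for role in root.iter("security-role"):
        for subj in role.findall("special-subject"):
            if subj.get("type") == "EVERYONE":
                findings.append(f"security-role '{role.get('name')}' is granted to EVERYONE (resource unprotected)")
    return findings


def audit_web_xml(text: str) -> list:
    """An auth-constraint naming no roles denies every request to its patterns."""
    findings = []
    root = ET.fromstring(text)
    for sc in root.findall(".//{*}security-constraint"):
        wrc = sc.find("{*}web-resource-collection")
        patterns = [p.text for p in wrc.findall("{*}url-pattern")] if wrc is not None else []
        ac = sc.find("{*}auth-constraint")
        if ac is not None and ac.find("{*}role-name") is None:
            findings.append(f"{patterns}: empty <auth-constraint>, no one can access these resources")
    return findings


if __name__ == "__main__":
    for label, text in (("ok", SERVER_XML_OK), ("bad", SERVER_XML_BAD)):
        print(label, audit_server_xml(text))
    print("web.xml", audit_web_xml(WEB_XML))
```

On a real server, pass the contents of server.xml (after resolving any `<include>` files, which this example does not do) and the application's web.xml to the two audit functions; an empty list means none of the checks fired.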

Reference topic

Last updated: Monday, 5 December 2016
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=rwlp_sec_considerations
File name: rwlp_sec_considerations.html