6.6.18.5: Managing security IDs for the application server and administrative accounts

Choosing the process identity

During installation, you must identify an existing user ID and password under which the WebSphere administrative server and application servers will run. It is the operating system identity associated with the process. The operating system uses the identity to determine access to resources such as files and sockets. It is not an ID that is typically used by a human user.

If you are using the operating system registry as the authentication mechanism for checking the identity, then the identity must meet the following requirements:

  • On UNIX platforms, you must use the root account.
  • On Windows NT, the account must be a member of the Administrators group and must have the rights to "Log on as a service" and to "Act as part of the operating system."
    Note   Do not use an account whose name matches the name of your machine or Windows Domain. The WebSphere administrative server will not work in such a case.
    Note   WebSphere requires the NT Browser Service to be active because WebSphere uses this service to contact the NT Primary Domain Controller (PDC). WebSphere contacts only the PDC; it does not fall back to a Backup Domain Controller (BDC) if the PDC is unavailable.

If you are using an LDAP directory service for authentication, then the process identity does not need any special privileges. See the information about running as non-root on UNIX-based systems.

Establishing the administrative identity

When you enable WebSphere security by using the Configure Global Settings security administration task, you configure an initial administrative identity for WebSphere. This identity needs to be a valid user for the authentication mechanism you have chosen (an operating system user registry or LDAP directory service), but it does not need "root" or other special privileges.

After you configure the administrative identity and restart the administrative server, you are prompted for a user ID and password whenever you try to administer the product; log in with the administrative identity.

You can also configure the product security to allow administrative access by other IDs, in addition to the initial ID you established.

Setting up additional administrative accounts

During the installation of WebSphere Application Server, you must identify an existing account that will act as the first administrative account for WebSphere. After enabling security, this account will be the only one authorized to administer WebSphere. You can, however, use the account to authorize other administrative users.

To authorize other valid accounts defined in the operating system user registry or in your directory service product, use the Assign Permissions task on the Tasks tab of the WebSphere administrative console (in the Security task group). With this task, you can grant users access to the protected functions, which are listed in the task in the format AdminApplication-function_name.

Access to the administrative functions of the IBM WebSphere Application Server product is controlled by the admin application, to which the functions belong.

Steps

  1. Click the Tasks tab to display the Tasks tree.
  2. Click Security --> Assign Permissions.
  3. Click an AdminApplication-function_name function.
  4. Click the Add button to produce a search dialog.
  5. Use the search dialog to give permission to everyone or selected users or groups. You can search for a user or group in your local operating system user registry or directory service product.
  6. Click the OK button when you are finished with the search dialog.
  7. Back in the main console window, verify that the user or group is listed under the permission you granted to the user or group.
  8. Exit this task by choosing another task on the Tasks tab.

Giving NT users administrative privileges

During the installation of WebSphere Application Server, you must identify an existing account that will act as the first administrative account for WebSphere. On Windows NT, the account must be a member of the Administrators group and must have the rights to "Log on as a service" and to "Act as part of the operating system." Be aware that "Act as part of the operating system" allows a process to assume the identity of any user, so an account holding it is effectively a system-level identity: reserve it for the WebSphere services and do not use it for interactive logons.

To give an account these rights, follow this procedure:

  1. Start User Manager (or User Manager for Domains) by clicking Start --> Programs --> Administrative Tools (Common) --> User Manager.
  2. Select Policies --> User Rights from the menu bar on the dialog box.
  3. Check the Show Advanced User Rights check box in the dialog box.
  4. From the list labeled Right:, select Log on as a service.
  5. If the administrative account is not listed in the Grant To: list:
    • Click Add.
    • Click the Show Users button in the resulting dialog box.
    • Select the individual User or Group.
    • Click Add to include the account in the Add Names list.
    • Click OK to exit the dialog box.
  6. Click OK in the User Rights Policy dialog box.
  7. Return to the second step and repeat the procedure, specifying the "Act as part of the operating system" right instead of the "Log on as a service" right.
  8. Close the User Manager window.

If you later change the Log On As account for the service in the Services control panel, the account you specify there is granted the "Log on as a service" right automatically; the "Act as part of the operating system" right must still be granted by hand.

Note   Do not use an account whose name matches the name of your machine or Windows Domain as the administrative account. The WebSphere administrative server will not work in such a case.
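
The following Python script is an added example, not IBM's code and not part of the original page. It checks an account against the three requirements and the naming note above, working from two text artifacts an administrator can produce on the host: a local security policy export (`secedit /export /cfg policy.inf`) and the output of `net localgroup Administrators`. The availability of secedit and net on the target host, the sample policy text, the SID, the host name and the account name wassvc are all assumptions made for the example.

```python
"""Verify a Windows service account against the WebSphere requirements above.

Added example, not IBM's code. Inputs (both assumed available on the host):
  secedit /export /cfg policy.inf   (secedit writes UTF-16; open a real
                                     export with encoding="utf-16")
  net localgroup Administrators
The sample policy, the SID and the account name 'wassvc' are constructed.
"""

# Names of the two user rights as they appear in a secedit export.
LOG_ON_AS_SERVICE = "SeServiceLogonRight"   # "Log on as a service"
ACT_AS_PART_OF_OS = "SeTcbPrivilege"        # "Act as part of the operating system"

# Constructed sample of a secedit export (only [Privilege Rights] is used).
SAMPLE_POLICY_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1004336348-1177238915-682003330-1005
SeTcbPrivilege = *S-1-5-21-1004336348-1177238915-682003330-1005
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample of `net localgroup Administrators` output.
SAMPLE_NET_LOCALGROUP = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
wassvc
The command completed successfully.
"""


def parse_privilege_rights(inf_text):
    """Return {privilege: set(principals)} from the [Privilege Rights] section.

    secedit writes principals as *SID; the '*' is stripped so callers can
    compare against a plain SID string.
    """
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights


def parse_localgroup_members(net_output):
    """Return the member names printed by `net localgroup <group>`."""
    members = set()
    in_members = False
    for raw in net_output.splitlines():
        line = raw.strip()
        if line.startswith("----"):
            in_members = True          # member names follow the dashed rule
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line:
            members.add(line)
    return members


def check_service_account(account, sid, policy_inf, admins_listing,
                          machine_name, domain_name=None):
    """Return the list of requirement violations; an empty list means the account passes."""
    problems = []
    rights = parse_privilege_rights(policy_inf)
    for privilege, label in ((LOG_ON_AS_SERVICE, "Log on as a service"),
                             (ACT_AS_PART_OF_OS, "Act as part of the operating system")):
        if sid not in rights.get(privilege, set()):
            problems.append(f"{account} lacks the '{label}' right ({privilege})")
    members = {m.lower() for m in parse_localgroup_members(admins_listing)}
    if account.lower() not in members:
        problems.append(f"{account} is not a member of the Administrators group")
    # The page's note: an account named like the machine or the domain breaks the admin server.
    bare = account.rsplit("\\", 1)[-1].lower()
    for kind, name in (("machine", machine_name), ("domain", domain_name)):
        if name and bare == name.lower():
            problems.append(f"{account} has the same name as the {kind} ({name})")
    return problems


if __name__ == "__main__":
    sid = "S-1-5-21-1004336348-1177238915-682003330-1005"   # constructed SID for wassvc
    result = check_service_account("wassvc", sid, SAMPLE_POLICY_INF,
                                   SAMPLE_NET_LOCALGROUP, machine_name="WASHOST")
    print("\n".join(result) if result else "wassvc meets the WebSphere requirements")
```

To run it against a real host, read the secedit export with `open("policy.inf", encoding="utf-16")`, capture the `net localgroup Administrators` output, and look up the account's SID (for example with the `getsid` utility from the Resource Kit, or any tool that resolves an account name to a SID). Domain accounts appear in the group listing as DOMAIN\name, so pass the account in that form.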

Changing passwords for administrative accounts

Good security requires the periodic changing of passwords, and this includes those for your WebSphere administrative accounts. The administrative password is held in two places, the user registry and the WebSphere global security settings, and must be changed in both, in a particular order. If the two are out of step when the administrative server starts, it cannot log in and will not restart. This section describes the correct way to change an administrative password.

Steps

  1. Make sure the WebSphere administrative server is running. This is crucial. Do not change an administrative password unless the server is running.
  2. Change the password in the user registry by using the utility for your operating system or LDAP service.
  3. Log in to the WebSphere administrative console using the new password. Attempts to use the old password will fail.
  4. Click Security --> Specify Global Settings --> User Registry in the administrative console.
  5. Change the password for the administrative user to the new password.
  6. Stop and restart the administrative server.
Go to previous article: Administering security with the Web console Go to next article: Avoiding known security risks in the runtime environment