6.6.18.5: Managing security IDs for the application server and administrative accounts
Choosing the process identity

During installation, you must identify an existing user ID and password under which the WebSphere administrative server and application servers will run. It is the operating system identity associated with the process. The operating system uses the identity to determine access to resources such as files and sockets. It is not an ID that is typically used by a human user. If you are using the operating system registry as the authentication mechanism for checking the identity, then the identity must meet the following requirements:
If you are using an LDAP directory service for authentication, then the process identity does not need any special privileges. See the information about running as non-root on UNIX-based systems.

Establishing the administrative identity

When you enable WebSphere security by using the Configure Global Settings security administration task, you configure an initial administrative identity for WebSphere. This identity needs to be a valid user for the authentication mechanism you have chosen (an operating system user registry or LDAP directory service), but it does not need "root" or other special privileges. After configuring the administrative identity, when you restart the administrative server and try to administer the product, you must log in with the administrative identity when you are prompted for a user ID and password. You can also configure the product security to allow administrative access by other IDs, in addition to the initial ID you established.

Setting up additional administrative accounts

During the installation of WebSphere Application Server, you must identify an existing account that will act as the first administrative account for WebSphere. After enabling security, this account will be the only one authorized to administer WebSphere. You can, however, use the account to authorize other administrative users. To authorize other valid accounts defined in the operating system user registry or in your directory service product, use the Assign Permissions task on the Tasks tab of the WebSphere administrative console (in the Security task group). With this task, you can grant users access to the protected functions, which are listed in the format AdminApplication-function_name in the task. Access to the administrative functions of the IBM WebSphere Application Server product is controlled by the admin application, to which the functions belong.

Steps
Giving NT users administrative privileges

During the installation of WebSphere Application Server, you must identify an existing account that will act as the first administrative account for WebSphere. On Windows NT, the account must be a member of the Administrators group and must have the rights to "Log on as a service" and to "Act as part of the operating system." To give an account these rights, follow this procedure:
If you then open the Services menu and modify the Log On As account for the service, the account you specify here will automatically be granted the "Log on as a service" right.
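One way to verify the two user rights named above after they have been assigned, as an added example that is not part of the original IBM documentation. It assumes the local policy was exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS` on a Windows version that provides secedit; the function names are hypothetical and the SIDs in the sample are constructed. It checks only the two rights, not Administrators group membership.

```python
# Added example: audit a secedit user-rights export for the WebSphere service account.
# SeServiceLogonRight / SeTcbPrivilege are the Windows constants behind the two
# display names quoted in the text.
REQUIRED = {
    "SeServiceLogonRight": "Log on as a service",
    "SeTcbPrivilege": "Act as part of the operating system",
}

# Constructed sample of an exported policy; the SIDs are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-21-1111-2222-3333-1005
SeTcbPrivilege = *S-1-5-21-1111-2222-3333-1005,*S-1-5-21-1111-2222-3333-1009
SeBackupPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(text):
    """Return {right: set of holders} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs are written with a leading '*'; unresolved accounts appear by name.
        holders = {h.strip().lstrip("*").upper() for h in value.split(",") if h.strip()}
        rights[name.strip()] = holders
    return rights

def audit_account(text, identities):
    """identities: the account's SID and/or name. Returns (missing, other_tcb_holders)."""
    wanted = {i.upper() for i in identities}
    rights = parse_privilege_rights(text)
    missing = [desc for r, desc in REQUIRED.items() if not (rights.get(r, set()) & wanted)]
    # Any other holder of SeTcbPrivilege should be reviewed: the right is very powerful.
    others = sorted(rights.get("SeTcbPrivilege", set()) - wanted)
    return missing, others

if __name__ == "__main__":
    # For a real export, read the file with encoding="utf-16".
    print(audit_account(SAMPLE_INF, ["S-1-5-21-1111-2222-3333-1005"]))
```

The second return value lists every other account that holds "Act as part of the operating system", so leftover grants from earlier service accounts can be removed.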
Changing passwords for administrative accounts

Good security requires the periodic changing of passwords, and this includes those for your WebSphere administrative accounts. These passwords have to be changed in two places, in a particular order. If this is done incorrectly, it can create a situation in which the WebSphere administrative server cannot restart. This file describes the best way to change an administrative password.

Steps