Before you begin
At some point, you might decide to centralize the configuration of your stand-alone base application servers by adding them into a Network Deployment cell. If your base application server is currently configured with security, there are some issues to consider. The major issue when adding a node to the cell is whether the user registries of the base application server and the Deployment Manager are the same. When adding a node to the cell, you automatically inherit both the user registry and the authentication mechanism of the cell. For distributed security, all servers in the cell must use the same user registry and authentication mechanism. To recover from a user registry change, you need to modify your applications so that the user and group to role mappings are correct for the new user registry. To do this, see the article on Assigning users and groups to roles.
Another major issue is the SSL public-key infrastructure. Prior to performing addNode with the Deployment Manager, verify that addNode can communicate as an SSL client with the Deployment Manager. This requires that the addNode truststore (configured in sas.client.props) contains the signer certificate of the Deployment Manager personal certificate as found in the keystore (specified in the administrative console).
See the article, Managing digital certificates.
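The truststore check described above can be scripted before running addNode. The following is an added example, not code from the product or this article: it reads the truststore location from sas.client.props and confirms that the Deployment Manager signer certificate appears in a PEM export of that truststore (for instance, the output of keytool -list -rfc). The property name com.ibm.ssl.trustStore, the file paths, and the sample certificate bytes are assumptions constructed for illustration.

```python
import hashlib
import re
import ssl

TRUST_KEY = "com.ibm.ssl.trustStore"  # assumed property name in sas.client.props
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def trust_store_path(props_text):
    """Return the truststore path configured in sas.client.props text, or None."""
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == TRUST_KEY:
            # Java properties files escape ':' and '\' with a backslash
            return re.sub(r"\\(.)", r"\1", value.strip())
    return None


def fingerprints(pem_text):
    """SHA-256 fingerprints of every certificate block found in pem_text."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_RE.findall(pem_text)}


def signer_trusted(signer_pem, truststore_pem):
    """True only if the signer certificate is present in the truststore export."""
    wanted = fingerprints(signer_pem)
    return bool(wanted) and wanted <= fingerprints(truststore_pem)


# Constructed sample data: hypothetical paths and stand-in bytes, not real certificates.
SAMPLE_PROPS = ("# constructed sas.client.props excerpt\n"
                "com.ibm.ssl.keyStore=/opt/was/etc/key.jks\n"
                "com.ibm.ssl.trustStore=/opt/was/etc/trust.jks\n")
DMGR_SIGNER = ssl.DER_cert_to_PEM_cert(b"constructed dmgr signer")
OTHER_SIGNER = ssl.DER_cert_to_PEM_cert(b"constructed unrelated signer")
EXPORT_OK = "Alias name: dmgr\n" + DMGR_SIGNER + "Alias name: other\n" + OTHER_SIGNER
EXPORT_MISSING = "Alias name: other\n" + OTHER_SIGNER

if __name__ == "__main__":
    print("truststore:", trust_store_path(SAMPLE_PROPS))
    print("signer present:", signer_trusted(DMGR_SIGNER, EXPORT_OK))
    print("signer missing:", signer_trusted(DMGR_SIGNER, EXPORT_MISSING))
```

A False result means the SSL handshake from addNode to the Deployment Manager is expected to fail until the signer certificate is imported into the truststore.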
Why and when to perform this task
The following are other issues to consider when running the addNode command with security:
Steps for this task
Results
Proper understanding of the security interactions between distributed servers greatly reduces problems encountered with secure communications. Security adds complexity because additional function needs to be managed. For security to function, it needs thorough consideration during the planning of your infrastructure. This document helps to reduce the problems that could occur due to inherent security interactions.
What to do next
When you have security problems related to the WebSphere Application Server Network Deployment environment, check the Troubleshooting security configurations section to see if you can get information about the problem. Because servers are distributed, solving a problem with trace often requires gathering trace on all servers simultaneously while recreating the problem. This trace can be enabled dynamically or statically, depending on the type of problem occurring.