Securing your environment after installation

Before you begin

WebSphere Application Server depends on several configuration files created during installation. These files contain password information and need protection. Although the files are protected to a limited degree during installation, this basic level of protection is probably not sufficient for your site. Verify that these files are protected in compliance with the policies of your site.

For example, give permission to the user who logs on to the system for WebSphere Application Server primary administrative tasks. Other users or groups, such as WebSphere Application Server console users and console groups, who perform partial WebSphere Application Server administrative tasks, such as configuring, starting, and stopping servers, need permissions as well.

Steps for this task

  1. Secure files on z/OS systems.
    1. Set up the WebSphere Application Server Base or Network Deployment run time.

      The customization jobs that are generated provide the following functions:

      • Create SAF WebSphere Application Server user IDs needed for WebSphere administrator and WebSphere server processes
      • Create a SAF WebSphere Application Server Configuration Group and add the SAF WebSphere Application Server user IDs
      • Associate WebSphere Application Server started tasks with the SAF user IDs and groups defined previously
      • Populate the file system with the system and property files needed to run WebSphere Application Server
      • Change the ownership of these files to that of the WebSphere Application Server administrator
      • Create appropriate file permissions

      Note: All files in the WAS_HOME/config directory must be readable and writable by all members of the WebSphere Configuration group, but must not be accessible by everyone (mode 770). All files in WAS_HOME/properties must be readable and writable by all members of the WebSphere Configuration group. Set the access permissions for the following files according to your security guidelines:

      • TraceSettings.properties
      • client.policy
      • client_types.xml
      • implfactory.properties
      • sas.client.props
      • sas.stdclient.properties
      • sas.tools.properties
      • soap.client.props
      • wsadmin.properties
      • wsjaas_client.conf

      For example, you might issue the following command: chmod 770 file_name, where file_name is the name of one of the files listed previously. These files contain sensitive information such as passwords.

    2. Add WebSphere administrators who perform full or partial WebSphere Application Server administration tasks to the WebSphere Configuration group.
    3. Restrict access to the /var/mqm directories and log files needed for WebSphere embedded messaging (or WebSphere MQ as the JMS provider). Give write access only to the mqm user ID or members of the mqm user group.
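
As an added example (not part of the IBM documentation), the following shell function audits a WAS_HOME tree against the permission rules in the note under step 1. The function name, the finding labels, and the choice to treat any access by "other" on the listed properties files as a finding (that is, a site policy of mode 770) are assumptions.

```shell
#!/bin/sh
# Added example: audit WAS_HOME/config and WAS_HOME/properties permissions.
# audit_was_perms and the WORLD_ACCESS / GROUP_NO_RW labels are hypothetical names.

# Properties files the page lists as containing sensitive information.
SENSITIVE_PROPS="TraceSettings.properties client.policy client_types.xml
implfactory.properties sas.client.props sas.stdclient.properties
sas.tools.properties soap.client.props wsadmin.properties wsjaas_client.conf"

# Usage: audit_was_perms WAS_HOME
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_was_perms() {
    was_home=$1
    findings=$(
        # Rule 1: nothing under config may be accessible by everyone.
        find "$was_home/config" ! -type l \
            \( -perm -0004 -o -perm -0002 -o -perm -0001 \) \
            -exec echo WORLD_ACCESS {} \;
        # Rule 2: the configuration group needs read and write on both trees.
        find "$was_home/config" "$was_home/properties" ! -type l \
            ! -perm -0060 -exec echo GROUP_NO_RW {} \;
        # Rule 3 (assumed site policy, mode 770): the listed properties
        # files must not grant any access to "other".
        for f in $SENSITIVE_PROPS; do
            p="$was_home/properties/$f"
            [ -e "$p" ] || continue
            find "$p" ! -type l \
                \( -perm -0004 -o -perm -0002 -o -perm -0001 \) \
                -exec echo WORLD_ACCESS {} \;
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Call it as audit_was_perms "$WAS_HOME" after the customization jobs have run; the check reads mode bits only, so file ownership and group membership still need to be verified separately.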

Results

After securing your environment, only the users given permission can access the files. Failure to adequately secure these files can lead to a breach of security in your WebSphere Application Server applications.

What to do next

If any failures are caused by file access permissions, check the permission settings.

Related tasks
Implementing security considerations



Searchable topic ID:   rsecpostinstall
Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/rsec_postinstall.html
