[Version 5.0.2 and later] Steps for enabling global security for WebSphere Application Server

Before you begin

Before you can enable global security you must select both an authentication mechanism and a user registry.

Why and when to perform this task

You need to start the administrative console by specifying the following Web site: http://server_hostname:9090/admin.

Perform the following steps to enable global security.

Steps for this task

  1. Click Security > Global Security in the Navigation tree on the left.
  2. On the Global Security Configuration tab, click the Enabled check box. The Enabled option allows you to enable global security.
    Global security is disabled by default.
  3. The Enforce Java 2 Security option controls whether Java 2 Security permission checking is performed. By default, Java 2 security is disabled.
    However, when you enable global security, Java 2 security is enabled automatically. You can disable Java 2 security even while global security remains enabled.

    When Java 2 Security is enabled and if an application requires more Java 2 security permissions than are granted in the default policy, then the application might fail to run properly until the required permissions are granted in either the app.policy file or the was.policy file of the application. AccessControl exceptions are generated by applications that do not have all the required permissions. Review the Java 2 Security and Dynamic Policy documentation if you are unfamiliar with Java 2 security.

  4. Select the Use Domain Qualified User IDs option.
    If this option is enabled, user names appear with their fully qualified domain attribute when retrieved programmatically.
  5. Enter the timeout value for security cache in seconds in the Cache Timeout field.
    When the timeout is reached, the Application Server clears the security cache and rebuilds the security data. Since this affects performance, this value should not be set too low. Default: 600 seconds.
  6. Select the Issue Permission Warning option.
    The filter.policy file contains a list of permissions that an application should not have according to the J2EE 1.3 Specification. If an application is installed with a permission specified in this policy file and this option is enabled, a warning is issued. The default is enabled.
  7. Select which security protocol is active when security is enabled from the Active Protocol menu.
    Specifies the active authentication protocol for RMI/IIOP requests when security is enabled. In previous releases the z/OS Secure Authentication Services (z/SAS) protocol was the only available protocol.

    This release includes an Object Management Group (OMG) protocol called CSIv2, which supports increased vendor interoperability and additional features. If all servers in your entire security domain are Version 5 servers, it is best to specify CSI as your protocol. If some servers are 3.x or 4.x servers, specify CSI and z/SAS. The default is both CSI and z/SAS.

  8. From the Active Authentication Mechanism menu, select the authentication mechanism that is active when security is enabled.
    In WebSphere Application Server, Version 5, Simple WebSphere Authentication Mechanism (SWAM), Lightweight Third Party Authentication (LTPA), and Integrated Cryptographic Services Facility (ICSF) are the supported authentication mechanisms. Only ICSF and LTPA are configurable on WebSphere Application Server Network Deployment, Version 5. SWAM is not configurable on WebSphere Application Server Network Deployment.
  9. Use the Active User Registry menu to specify the user registry that is active when security is enabled.
    You can configure settings for one of the following user registries:
    • Local operating system. The implementation is a SAF-compliant registry such as the Resource Access Control Facility (RACF), which is shared in an MVS sysplex.
    • LDAP user registry. The LDAP User Registry settings are used when users and groups reside in an external LDAP directory. When security is enabled and any of these properties are changed, go to the Global Security panel and click OK or Apply to validate the changes.
    • Custom user registry.
    Default: Local OS.
  10. Click OK.

    This panel performs a final validation of the security configuration. When you click OK or Apply from this panel, the security validation routine runs and any problems are reported at the top of the page. When you complete all of the fields, click OK or Apply to accept the selected settings. Click Save (at the top of the panel) to persist these settings to a file. If you see any informational messages in red text, there is a problem with the security validation. Typically, the message indicates the problem, so review your configuration to verify that the user registry settings are accurate and the correct registry is selected. In some cases, the LTPA configuration may not be fully specified. See Global security settings for detailed information.

Results

Configuration is successful when error messages do not display at the top of the panel.

Enabling global security on a base application server node

Why and when to perform this task

Global security activates a number of WebSphere security settings. Most of the settings receive their default value from the installation scripts, run during server installation. The following is a checklist for enabling global security on a base application server node, using the SAF-based (LocalOS) user registry and LTPA authentication:

  1. Start the server if it is not already up.
  2. Access the administrative console. You can use any user ID. A password is not necessary.
  3. Click Security > Authentication Mechanisms > LTPA. Enter a password and confirm the password by entering it again. Click Apply and Save.
  4. Click Security > User Registries > Local OS. Click OK. This takes you to the Global Security page.
  5. On the Global Security page, scroll to the bottom and click Custom Properties. On the Custom Properties page, click EnableTrustedApplications and set its value to true. Click Apply and Save.
  6. Click Security > Global Security. Check the box that says Enabled. The Active Protocol should be CSI and z/SAS. The Active Authentication Mechanism should be LTPA. The Active User Registry should be Local OS. Click Apply and Save.
  7. Restart the server and connect to the administrative console using your browser. The server should successfully redirect you to the SSL port, where you might receive certificate warnings from your browser. Then, you should see the login page where you can enter the valid administrative user ID and password.

Disabling global security

Why and when to perform this task

To disable global security, log on to the administrative console and select Security > Global Security. Uncheck the Enabled check box. Restart the server and global security is off.

If global security is not working properly, it can prevent the server from starting, or the server can start without giving you the ability to log on. To disable global security in this case, go to your $install_root/bin directory and execute the wsadmin -conntype NONE command. At the wsadmin> prompt, enter securityoff and then type exit to return to a command prompt. Restart the server with security disabled and check for incorrect settings through the administrative console.

An optional way to disable global security is to edit the server security.xml file. The security.xml file can be found in the <mountpoint>/AppServer/config/cells/ directory. The security.xml file must be translated to EBCDIC before editing and translated back to ASCII after editing.

To disable global security, edit the security.xml. Search for the line that begins with the following tag: <security:Security. In that line search for enabled. The word following enabled is true. Change it to false. Save the file. Restart the server. Global security is now disabled.
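The settings chosen on the Global Security panel above and the security.xml edit just described both end up as attributes on the <security:Security opening tag. The following Python script is an added example, not part of the IBM page or the product: it reads those attributes back for review, flags the settings a reviewer would question (security off, Java 2 checking off, permission warnings off, a low cache timeout), and can flip only the enabled attribute from true to false exactly as the manual procedure does, leaving the rest of the file untouched. It assumes the file has already been read as ASCII text (the page notes the on-disk copy is ASCII) and that the opening tag carries the settings as name="value" pairs; the sample document, its xmi:id values and namespace URLs are constructed for the example.

```python
"""Audit, and optionally disable, global security in a WebSphere security.xml.

Added example (not from the IBM page). Assumes security.xml is ASCII text and
that the <security:Security ...> opening tag carries the Global Security panel
settings as name="value" attributes.
"""
import re
import sys

# Constructed sample of a security.xml opening tag. The attribute names mirror
# the Global Security panel fields; the values, ids and namespace URLs are
# made up for this example.
SAMPLE_SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:id="Security_1" enabled="true" cacheTimeout="600"
    issuePermissionWarning="true" activeProtocol="BOTH"
    enforceJava2Security="true" useDomainQualifiedUserNames="false"
    activeAuthMechanism="LTPA_1" activeUserRegistry="LocalOSUserRegistry_1">
</security:Security>
"""

# Matches only the opening <security:Security ...> tag, as the page's
# procedure directs ("the line that begins with <security:Security").
_OPEN_TAG = re.compile(r"<security:Security\b[^>]*>", re.DOTALL)
_ATTR = re.compile(r'([\w:]+)="([^"]*)"')


def read_global_security(xml_text):
    """Return the attributes of the <security:Security> opening tag as a dict."""
    m = _OPEN_TAG.search(xml_text)
    if m is None:
        raise ValueError("no <security:Security> element found")
    return dict(_ATTR.findall(m.group(0)))


def audit_global_security(xml_text, min_cache_timeout=600):
    """List the settings a reviewer would question; an empty list means clean."""
    attrs = read_global_security(xml_text)
    findings = []
    if attrs.get("enabled") != "true":
        findings.append("global security is disabled")
    if attrs.get("enforceJava2Security") != "true":
        findings.append("Java 2 security permission checking is disabled")
    if attrs.get("issuePermissionWarning") != "true":
        findings.append("permission warnings for filter.policy are off")
    timeout = int(attrs.get("cacheTimeout", "0"))
    if timeout < min_cache_timeout:
        findings.append(
            f"cacheTimeout {timeout}s is below the {min_cache_timeout}s default")
    return findings


def set_global_security(xml_text, enabled):
    """Rewrite enabled="true|false" on the opening tag and return the new text.

    Every other attribute and the rest of the document are left byte-for-byte
    as they were, which is what the manual edit on the page does.
    """
    m = _OPEN_TAG.search(xml_text)
    if m is None:
        raise ValueError("no <security:Security> element found")
    value = "true" if enabled else "false"
    new_tag, n = re.subn(r'\benabled="(?:true|false)"', f'enabled="{value}"',
                         m.group(0), count=1)
    if n != 1:
        raise ValueError("opening tag has no enabled attribute")
    return xml_text[:m.start()] + new_tag + xml_text[m.end():]


if __name__ == "__main__":
    # Usage: python audit_security.py [path/to/security.xml]
    # Without a path the constructed sample is audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="ascii") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SECURITY_XML
    for finding in audit_global_security(text) or ["no findings"]:
        print(finding)
    print(_OPEN_TAG.search(set_global_security(text, False)).group(0))
```

Run against a real file only after it has been copied out of the config directory; write the result back and restart the server as the page describes. Because the disable step changes a single attribute, re-enabling afterwards restores the original text exactly, which keeps the edit reviewable in a diff.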


Related tasks
Setting up WebSphere Application Server for z/OS security
Related reference
Global security settings



Searchable topic ID:   tsecenablglobl
Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/tsec_enablglobl.html
