[Version 5.0.2 and later] Global security settings

Use this page to configure security. When you enable security, you are enabling security settings on a global level.

To view this administrative console page, click Security > Global Security.

If you are configuring security for the first time, complete the steps in Configuring server security to avoid problems. When security is configured, validate any changes to the registry or authentication mechanism panels. Click Apply to validate the user registry settings. An attempt is made to authenticate the server ID to the configured user registry. Validating the user registry settings after enabling global security can avoid problems when you restart the server for the first time.

Custom Properties [Version 5.0.2 and later]

For an existing configuration, there are a number of profiles that you must modify. To modify the profiles, go into the administrative console and click Security > Global Security > Custom Properties:

"security.zOS.domainName" value="TESTSYS"

You can modify the following domain-related custom properties for global security:

The following profiles are affected by this definition:

The customization dialog sets up the appropriate SAF profiles during customization if the security domain is defined there. Changing the value of domainType or domainName requires corresponding changes to the SAF profile setup; otherwise, runtime errors occur. Refer to Summary of controls for more information on the specific profile updates required for security domainName customization and on the security domain customization panels.

Custom properties: Overriding the default TSO session type [Version 5.0.2 and later]

An application might connect to an Enterprise Information System (EIS) and use the thread identity support. The thread identity support is provided by the connection management component of WebSphere Application Server for z/OS. In this situation, a security credential that is based on the current thread identity encapsulates the security information for the user that is associated with the connection. By default, the session type associated with the user is TSO. If you have WebSphere Application Server for z/OS users that use the thread identity support, you must define the users as TSO users. If you prefer not to define the users as TSO users, you can use the security.zOS.session.OMVSSRV custom property, which changes the session type for the user identity in the security credential from TSO to OMVSSRV. However, if you use the user information for authentication at the target EIS, such as IMS, the user must be an authorized OMVSSRV user. To specify the custom property, complete the following steps:

  1. Click Security > Global Security > Custom Properties.
  2. Click New.
  3. In the Name field, type security.zOS.session.OMVSSRV

    Note: This custom property name is case sensitive.

  4. In the Value field, type true
  5. Click Apply and Save.

Configuration tab

Enabled
Specifies whether the server enables its security subsystems.

This flag is commonly referred to as the global security flag in WebSphere Application Server information. When enabling security, set the authentication mechanism configuration and specify a valid user ID and password in the selected user registry configuration.

If you have problems, such as the server not starting after you enable security within the security domain, resynchronize all of the files from the cell to this node. To resynchronize the files, run the following command from the node: syncNode -username your_userid -password your_password. This command connects to the deployment manager and resynchronizes all of the files.

If your server does not restart after you enable global security, you can disable security. Go to your $install_root\bin directory and run the wsadmin -conntype NONE command. At the wsadmin> prompt, enter securityoff, and then type exit to return to a command prompt. Restart the server with security disabled to check for any incorrect settings through the administrative console.

Local OS user registry users: When you select Local OS as the active local operating system user registry, you do not need to supply a password in the user registry configuration.

Data type: Boolean
Default: Disabled
Enforce Java 2 Security
Specifies whether to enable or disable Java 2 security permission checking. By default, Java 2 security is disabled. However, enabling global security automatically enables Java 2 security. You can choose to disable Java 2 security even when global security is enabled.

When Java 2 security is enabled and an application requires more Java 2 security permissions than are granted in the default policy, the application might fail to run properly until the required permissions are granted in either the app.policy file or the was.policy file of the application. AccessControl exceptions are generated by applications that do not have all the required permissions. Consult the WebSphere Application Server documentation and review the Java 2 Security and Dynamic Policy sections if you are unfamiliar with Java 2 security.

Data type: Boolean
Default: Disabled
Range: Enabled or Disabled
Use Domain Qualified User Names
Enable or disable qualifying user names with the security domain ID.
Data type: Boolean
Default: Disabled
Range: Enabled or Disabled

[5.0 only] [Version 5.0.1] When you specify Use Domain Qualified User Names from the Security > Global Security configuration panel, the run-time call to the getCallerPrincipal() API from an enterprise bean returns the qualified name with the realm prepended twice. For example, the returned value has the format realm/realm/user. You can strip the first realm from the returned value when making API calls. The servlet API getUserPrincipal() works correctly.

Cache Timeout
Specifies the timeout value, in seconds, for the security cache. This cache timeout specifies how long an inactive security credential stays in the security cache. The timeout value is relative to the last active time of the credential.

First, when a user logs in to WebSphere Application Server, the authentication data of the user is validated against the credential in the security cache. If the credential is validated, the cache timeout for that credential is reset, based on the current time.

Note: If the authentication is done against the security cache, any changes that are made in the user registry since the credential was first created will be ignored.

If WebSphere Application Server security is enabled, the security cache timeout can influence performance. The timeout setting specifies how often the security-related caches are refreshed.

When the cache timeout expires, all cached information becomes invalid.

The default security cache timeout value is 10 minutes. If you have a small number of users, set the timeout higher than the default; if you have a large number of users, set it lower.

The LTPA timeout value should not be set lower than the security cache timeout. It is also recommended that the LTPA timeout value be set higher than the ORB request timeout value. However, there is no relation between the security cache timeout value and the ORB request timeout value.

In a 20-minute performance test, setting the cache timeout so that a timeout does not occur yields a 40% performance improvement.

Data type: Integer
Units: Seconds
Default: 600
Range: Greater than 30 seconds
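The cache behaviour and the timeout relationships described above, modelled in Python as an added example (not IBM code and not part of the original page). The model follows the panel text: a cached credential answers the request while it has been inactive for less than the cache timeout, each successful validation restarts that inactivity timer, and registry changes made after the credential was cached are not seen until the entry expires. All timeouts are taken in seconds; the user registry, the user "alice" and her secret are constructed sample data.

```python
"""Model of the WebSphere security-cache timeout semantics (added example).

Constructed stand-ins: the registry dict, the user "alice" and her secret.
Timeouts are in seconds, matching the Cache Timeout panel units.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DEFAULT_CACHE_TIMEOUT = 600   # panel default: 600 seconds (10 minutes)
MIN_CACHE_TIMEOUT = 30        # panel range: greater than 30 seconds


@dataclass
class CachedCredential:
    secret: str          # stand-in for the cached authentication data
    last_active: float   # time of the last successful validation


@dataclass
class SecurityCache:
    # constructed stand-in for the user registry: user -> (secret, enabled)
    registry: Dict[str, Tuple[str, bool]]
    timeout: int = DEFAULT_CACHE_TIMEOUT
    entries: Dict[str, CachedCredential] = field(default_factory=dict)

    def authenticate(self, user: str, secret: str, now: float) -> Tuple[bool, str]:
        """Authenticate `user` at time `now`; return (accepted, source).

        source is "cache" when an unexpired cached credential answered the
        request and "registry" when the registry had to be consulted.
        """
        cred = self.entries.get(user)
        if cred is not None and now - cred.last_active < self.timeout:
            # Validation against the cached credential: the registry is not
            # consulted, so a user disabled there is still accepted.
            if cred.secret == secret:
                cred.last_active = now   # inactivity timer restarts
                return True, "cache"
            return False, "cache"
        # Cache miss, or inactive for a full timeout: drop the stale entry
        # and fall back to the registry.
        self.entries.pop(user, None)
        stored = self.registry.get(user)
        if stored is None:
            return False, "registry"
        stored_secret, enabled = stored
        if enabled and stored_secret == secret:
            self.entries[user] = CachedCredential(secret, now)
            return True, "registry"
        return False, "registry"

    def disable_user(self, user: str) -> None:
        """Disable the user in the registry only; cached entries are untouched."""
        secret, _ = self.registry[user]
        self.registry[user] = (secret, False)


def check_timeouts(cache_timeout: int, ltpa_timeout: int,
                   orb_request_timeout: int) -> List[str]:
    """Return the panel's stated timeout constraints that the values violate."""
    problems = []
    if cache_timeout <= MIN_CACHE_TIMEOUT:
        problems.append("cache timeout must be greater than 30 seconds")
    if ltpa_timeout < cache_timeout:
        problems.append("LTPA timeout must not be lower than the cache timeout")
    if ltpa_timeout <= orb_request_timeout:
        problems.append("LTPA timeout should be higher than the ORB request timeout")
    return problems


def demo_scenario() -> List[Tuple[float, bool, str]]:
    """Scripted run: alice logs in, is then disabled in the registry, and keeps
    being accepted from the cache until her entry has been idle for a full
    timeout period. Returns (time, accepted, source) per attempt."""
    cache = SecurityCache(registry={"alice": ("s3cret", True)}, timeout=600)
    events = []
    events.append((0, *cache.authenticate("alice", "s3cret", 0)))       # registry
    cache.disable_user("alice")                                           # at t=100
    events.append((200, *cache.authenticate("alice", "s3cret", 200)))   # cache, accepted
    events.append((700, *cache.authenticate("alice", "s3cret", 700)))   # 500 s idle, cache
    events.append((1400, *cache.authenticate("alice", "s3cret", 1400))) # 700 s idle, expired
    return events


if __name__ == "__main__":
    for t, accepted, source in demo_scenario():
        print(f"t={t:>5}s accepted={accepted!s:<5} via {source}")
    print(check_timeouts(600, 300, 180))
```

The scenario is the practical consequence of the note above: a registry-side change such as disabling an account takes effect only once the user's cached credential has been inactive for the full cache timeout, and every successful login in the meantime pushes that point further out. The cache timeout is therefore a window in which a revoked user keeps working, and lowering it (within the relationships check_timeouts enforces) shortens that window at the price of more registry traffic.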
Issue Permission Warning
Specifies whether, during application deployment and application start, the security run time emits a warning if applications are granted any custom permissions. Custom permissions are permissions defined by user applications, not Java API permissions. Java API permissions are permissions in the java.* and javax.* packages.

The WebSphere product provides support for policy file management. A number of policy files are available in this product; some of them are static and some of them are dynamic. A dynamic policy is a template of permissions for a particular type of resource. No code base is defined, and no relative code base is used, in the dynamic policy template; the real code base is created dynamically from the configuration and run-time data. The filter.policy file contains a list of permissions that an application should not have according to the J2EE 1.3 specification. For more information on permissions, see Java 2 security policy files.

Data type: Boolean
Default: Disabled
Range: Enabled or Disabled
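To make the distinction above concrete, the following added example (written for this page, not IBM code) parses the permission entries of a Java 2 policy grant block and separates the Java API permissions (java.* and javax.*) from the custom permissions that the Issue permission warning reports. It also cross-checks grants against a small denylist standing in for filter.policy. The policy text and the two denylist entries are constructed sample data and are not copied from a real was.policy or filter.policy.

```python
"""Classify the permissions granted in a Java 2 policy file (added example).

SAMPLE_POLICY and SAMPLE_FILTER are constructed sample data.
"""
import re
from typing import Dict, List, Set, Tuple

# One 'permission Class "target", "actions";' entry as written in policy files.
PERMISSION_RE = re.compile(
    r'permission\s+(?P<cls>[\w.$]+)'
    r'(?:\s+"(?P<target>[^"]*)")?'
    r'(?:\s*,\s*"(?P<actions>[^"]*)")?'
    r'\s*;'
)

# Constructed stand-in for filter.policy: (permission class, target) pairs
# that an application should not be granted.
SAMPLE_FILTER: Set[Tuple[str, str]] = {
    ("java.lang.RuntimePermission", "exitVM"),
    ("java.lang.RuntimePermission", "setSecurityManager"),
}

# Constructed grant block in was.policy syntax.
SAMPLE_POLICY = '''
grant codeBase "file:${application}" {
  permission java.io.FilePermission "/tmp/-", "read,write";
  permission java.net.SocketPermission "*", "connect";
  permission javax.security.auth.AuthPermission "getSubject";
  permission java.lang.RuntimePermission "exitVM";
  permission com.example.reports.ReportPermission "nightly";
};
'''


def parse_permissions(policy_text: str) -> List[Tuple[str, str, str]]:
    """Return (class, target, actions) for every permission entry, in order."""
    return [
        (m.group("cls"), m.group("target") or "", m.group("actions") or "")
        for m in PERMISSION_RE.finditer(policy_text)
    ]


def is_java_api_permission(cls: str) -> bool:
    """Java API permissions live in java.* and javax.*; anything else is custom."""
    return cls.startswith("java.") or cls.startswith("javax.")


def custom_permissions(policy_text: str) -> List[str]:
    """Permission classes the Issue permission warning would report."""
    return [cls for cls, _, _ in parse_permissions(policy_text)
            if not is_java_api_permission(cls)]


def filtered_permissions(policy_text: str,
                         denylist: Set[Tuple[str, str]] = SAMPLE_FILTER
                         ) -> List[Tuple[str, str]]:
    """Grants that the filter denylist says an application should not have."""
    return [(cls, target) for cls, target, _ in parse_permissions(policy_text)
            if (cls, target) in denylist]


def review_policy(policy_text: str) -> Dict[str, list]:
    """Both findings a deployer would want before an application starts."""
    return {
        "custom": custom_permissions(policy_text),
        "filtered": filtered_permissions(policy_text),
    }


if __name__ == "__main__":
    for kind, items in review_policy(SAMPLE_POLICY).items():
        print(f"{kind}: {items}")
```

Running it on the sample grant reports one custom permission (the application-defined ReportPermission) and one filtered grant (exitVM), which is the same split the security run time makes: custom permissions only trigger a warning, because only the application knows what they protect, while filtered permissions are ones the J2EE 1.3 specification says an application should never hold.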
Active Protocol
Specifies the active authentication protocol for Remote Method Invocation over the Internet Inter-ORB Protocol (RMI IIOP) requests when security is enabled. In previous releases, the Security Authentication Service (SAS) protocol (or z/OS Security Authentication Service on the z/OS platform) was the only available protocol.

An Object Management Group (OMG) protocol called Common Secure Interoperability Version 2 (CSIv2) supports increased vendor interoperability and additional features. If all of the servers in your security domain are Version 5 servers, specify CSI as your protocol.

If some servers are 4.x servers, specify CSI and z/SAS.

Data type: String
Default: BOTH
Range: CSI and zSAS, CSI
Active Authentication Mechanism
Specifies the active authentication mechanism when security is enabled.

WebSphere Application Server for z/OS, Version 5 supports the following authentication mechanisms: Simple WebSphere Authentication Mechanism (SWAM), Lightweight Third Party Authentication (LTPA), and Integrated Cryptographic Services Facility (ICSF). Only ICSF and LTPA are configurable on WebSphere Application Server for z/OS, Version 5. SWAM is not configurable.

Data type: String
Default: SWAM
Range: SWAM, LTPA, ICSF
Active User Registry
Specifies the active user registry, when security is enabled. LDAP or a custom user registry is required when running as a UNIX non-root user or in a multi-node environment.

You can configure settings for one of the following user registries:

  • Local operating system.

    Specify this setting if you want your configured Resource Access Control Facility (RACF) (or Security Authorization Facility (SAF)-compliant) security server to be used as the WebSphere registry.

  • LDAP user registry. The LDAP user registry settings are used when users and groups reside in an external LDAP directory. When security is enabled and any of these properties change, go to the Global Security panel and click Apply or OK to validate the changes.
  • Custom user registry

Data type: String
Default: Local OS
Range: Local OS, LDAP, Custom

Related tasks
Configuring global security
Related reference
Administrative console buttons
Administrative console page features
Administrative console scope settings
Administrative console filter settings
Administrative console preference settings
Lightweight Third Party Authentication settings
Integrated Cryptographic Services Facility settings
Local operating system user registry settings
Lightweight Directory Access Protocol settings
Summary of controls
Custom user registry settings

Searchable topic ID:   usecrgsp
Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/usec_rgsp.html