Securing your environment after installation
WebSphere Application Server depends on several configuration files
that are created during installation. These files contain password information
and need protection. Although the files are protected to a limited degree
during installation, this basic level of protection is probably not sufficient
for your site. You should verify that these files are protected in compliance
with the policies of your site.
Before you begin
Note: A Kerberos keytab configuration file contains a list of keys
that are analogous to user passwords. The default keytab file is krb5.keytab.
It is important for hosts to protect their Kerberos keytab files by storing
them on the local disk, which makes them readable only by authorized users.
The
files in the app_server_root/profiles/profile_name/config and app_server_root/profiles/profile_name/properties need
protection. For example, give permission to the user who logs onto the system
for WebSphere Application Server primary administrative tasks. Other users
or groups, such as WebSphere Application Server console users and console
groups need permissions as well.
Procedure
Secure files on a Windows system:
- Open the browser for a view of the files and directories on
the machine.
- Locate and right-click the file or the directory that you want
to protect.
- Click Properties.
- Click the Security tab.
- Remove the Everyone entry and any other user or group
that you do not want to have access to the file.
- Add the users who can access the files with the proper permission.
Secure files on UNIX systems. This procedure applies only
to the ordinary UNIX file system. If your site uses access-control lists,
secure the files by using that mechanism. Any site-specific requirements can
affect the owner, group, and corresponding privileges; for example, on the
AIX platform.
- Go to the install_root directory and change
the ownership of the directory configuration and properties to the user who
logs onto the system for WebSphere Application Server primary administrative
tasks. Run the following command: chown -R logon_name directory_name
Where:
- login_name is a specified user or group
- directory_name is the name of the directory that contains the files
It is recommended that you assign ownership of the files that
contain password information to the user who runs the application server.
If more than one user runs the application server, provide permission to the
group in which the users are assigned in the user registry.
- Set up the permission by running the following command: chmod
-R 770 directory_name.
- Go to the app_server_root/profiles/profile_name/properties directory
and set the file permissions. Set the access permissions for the
following files as it pertains to your security guidelines:
- TraceSettings.properties
- client.policy
- client_types.xml
- sas.client.props
- sas.stdclient.properties
- sas.tools.properties
- soap.client.props
- wsadmin.properties
- wsjaas_client.conf
For example, you might issue the following command: chmod 770 file_name where file_name is
the name of the file listed previously in the install_root/profiles/profile_name/properties directory.
These files contain sensitive information such as passwords.
- Create a group for WebSphere Application Server and put the
users who perform full or partial WebSphere Application Server administrative
tasks in that group.
- If you want to use WebSphere MQ as a Java Messaging Service
(JMS) provider, restrict access to the /var/mqm directories and log
files used. Give write access to the user ID mqm or members of the mqm user
group only.
Results
After securing your environment, only the users with permission can
access the files. Failure to adequately secure these files can lead to a breach
of security in your WebSphere Application Server applications.
What to do next
If failures occur that are caused by file accessing permissions,
check the permission settings.
In this information ...
| IBM Redbooks, demos, education, and more(Index)
Most of the following links will take you to information that is not part of the formal product documentation and is provided "as is." Some of these links go to non-IBM Web sites and are provided for your convenience only and do not in any manner serve as an endorsement by IBM of those Web sites, the material thereon, or the owner thereof.
|
|
