This section discusses all aspects of security.
As part of your security framework, WebSphere Application Server plays an integral part in the multiple-tier
enterprise computing framework. Based on an open architecture, WebSphere Application Server provides
many plug-in points for integrating with enterprise software components to provide end-to-end security.
- Product security
- Security infrastructure and mechanisms protect Java 2 Platform, Enterprise Edition (J2EE) resources
and administrative resources, addressing your enterprise security requirements.
- Securing applications and their environments
- WebSphere Application Server supports the J2EE model for creating, assembling, securing, and
deploying applications. This article provides a high-level description of what is involved in
securing resources in a J2EE environment. Applications are often created, assembled and deployed
in different phases and by different teams.
- Integrating IBM WebSphere Application Server security with existing security systems
- WebSphere Application Server plays an integral part in the multiple-tier enterprise computing
framework. WebSphere Application Server adopts the open architecture paradigm and provides many
plug-in points to integrate with enterprise software components to provide end-to-end security.
WebSphere Application Server plug-in points are based on standard J2EE specifications wherever
applicable. The WebSphere Application Server development team is actively involved in various
standard bodies to externalize and to standardize plug-in interfaces.
- Planning to secure your environment
- There are several communication links from a browser on the Internet, through Web servers
and product servers, to the enterprise data at the back end. This section examines some typical
configurations and common security practices. WebSphere Application Server security is built on
a layered security architecture, as shown in the following figure. This section also examines
the security protection that each security layer offers and the common security practices that
provide a good quality of protection in end-to-end security.
- Implementing security considerations at installation time
- Complete these tasks to implement security before, during, and after installing WebSphere Application Server.
- Migrating security configurations from previous releases
- This article addresses the need to migrate your security configurations from a previous release of
IBM WebSphere Application Server to WebSphere Application Server, Version 6.
- Developing secured applications
- IBM WebSphere Application Server provides security components that provide or collaborate
with other services to provide authentication, authorization, delegation, and data protection.
WebSphere Application Server also supports the security features described in the Java 2 Platform,
Enterprise Edition (J2EE) specification.
- Assembling secured applications
- Several assembly tools provide graphical user interfaces for assembling
enterprise (J2EE) applications. You can use these tools to assemble an application and
secure the EJB and Web modules in that application. An EJB module consists of one or more beans,
and you can enforce security at the EJB method level. A Web module consists of one or more Web
resources (an HTML page, a JSP file, or a servlet), and you can enforce security for each
Web resource. You can use an assembly tool to secure an EJB module (Java archive (JAR) file),
a Web module (Web archive (WAR) file), or an application (enterprise archive (EAR) file).
You can create an application, an EJB module, or a Web module and secure them using an
assembly tool or development tools such as IBM Rational Application Developer.
- Deploying secured applications
- Deploying applications that have security constraints (secured applications) is not much
different from deploying applications without any security constraints. The only difference is that
you might need to assign users and groups to roles for a secured application, which requires
that you have the correct active registry. To deploy a newly secured application, click
Applications > Install New Application in the navigation panel on the left
and follow the prompts. If you are installing a secured application, roles will already have
been defined in the application. If delegation was required in the application,
RunAs roles are also defined.
- Testing security
- After configuring global security and restarting all of your servers in secure mode,
validate that security is properly enabled. There are a few techniques that
you can use to test the various security login types. For example, you can test the Web-based
BasicAuth login, the Web-based form login, and the Java client BasicAuth login. These basic
tests show that the fundamental security components are working properly.
- Administering security
- This section describes how to configure and administer security features
with the administrative console, including:
  - Global security
  - Authentication mechanisms (directories and user registries)
  - Authorization policies and providers, including Java Authentication and Authorization Service (JAAS)
  - Trust association interceptors
  - Single signon
  - Common Secure Interoperability Version 2 (CSIv2)
  - Secure Sockets Layer (SSL)
  - Java 2 Security manager
  - Security attribute propagation
- Configuring security with scripting
- This section describes how to configure security using administrative scripting, an alternative
to using the administrative console.
- Securing WebSphere applications
- This section provides security instructions that are specific to the various
types of applications, such as Web applications or Web services.
- Tuning security configurations
- Performance issues typically involve trade-offs between function and speed. Usually, the
more function and processing involved, the slower the performance. Consider what
type of security is necessary and what you can disable in your environment. For example,
if your application servers are running in a Virtual Private Network (VPN), consider whether
you must disable Secure Sockets Layer (SSL). If you have many users, can they be mapped
to groups and then associated with your J2EE roles? Consider these questions when
designing your security infrastructure.
- Troubleshooting security configurations
- This section describes how to troubleshoot errors related to security.