Explore the key concepts pertaining to securing applications and
their environment. WebSphere Application Server plays an integral part of
the multiple-tier enterprise computing framework. Based on open architecture,
WebSphere Application Server provides many plug-in points to integrate with
enterprise software components to provide end-to-end security. Security infrastructure
and mechanisms protect Java 2 Platform, Enterprise Edition (J2EE) resources
and administrative resources, addressing your enterprise security requirements.
- Global security
- Administrative security determines whether security is used at all, the
type of registry against which authentication takes place, and other values,
many of which act as defaults. Proper planning is required because incorrectly
enabling administrative security can lock you out of the administrative console
or cause the server to abend.
- Java 2 security
- Java 2 security provides a policy-based, fine-grained access control mechanism
that increases overall system integrity by checking for permissions before
allowing access to certain protected system resources. Java 2 security guards
access to system resources such as file I/O, sockets, and properties. Java
2 Platform, Enterprise Edition (J2EE) security guards access to Web resources
such as servlets, JavaServer Pages (JSP) files, and Enterprise JavaBeans (EJB)
methods.
- User registries
- WebSphere Application Server provides implementations that support multiple
types of registries and repositories including the local operating system
registry, a standalone Lightweight Directory Access Protocol (LDAP) registry,
a standalone custom registry, and federated repositories.
- Local operating system user registries
- With the registry implementation for the local operating system, the WebSphere
Application Server authentication mechanism can use the user accounts database
of the local operating system.
- Authentication mechanisms
- An authentication mechanism defines rules about security information,
for example, whether a credential is forwardable to another Java process,
and the format of how security information is stored in both credentials and
tokens.
- Lightweight Directory Access Protocol user registries
- WebSphere Application Server security provides and supports the implementation
of most major LDAP directory servers, which can act as the repository for
user and group information.
- Authentication protocol for EJB security
- You can choose from two authentication protocols: z/OS Secure Authentication
Service (z/SAS) and Common Secure Interoperability Version 2 (CSIv2).
- Authorization technology
- Authorization information determines whether a user or group has the necessary
privileges to access resources.
- Java Authentication and Authorization Service
- The Java Authentication and Authorization Service (JAAS) is a standard Java API
that extends Java 2 security authorization so that access decisions can be based
on the principal running the code, not only on the code base.
- Secure Sockets Layer
- The Secure Sockets Layer (SSL) protocol provides transport layer security
with authenticity, integrity, and confidentiality, for a secure connection
between a client and server in WebSphere Application Server. The protocol
runs above TCP/IP and below application protocols such as Hypertext Transfer
Protocol (HTTP), Lightweight Directory Access Protocol (LDAP), and Internet
Inter-ORB Protocol (IIOP), and provides trust and privacy for the transport
data.
- Authentication protocol for EJB security
- WebSphere Application Server Version 6.1 servers support the CSIv2 authentication
protocol only. SAS is only supported between Version 6.0.x and earlier version
servers that have been federated in a Version 6.1 cell. The option to select
between SAS, CSIv2, or both is only available in the administration console
when a Version 6.0.x or earlier release has been federated in a Version 6.1
cell.
- Identity mapping
- Identity mapping is a one-to-one mapping of a user identity between two
servers so that the proper authorization decisions are made by downstream
servers. Identity mapping is necessary when the integration of servers is
needed, but the user registries are different and not shared between the systems.
- Plug point for custom password encryption
- A plug point for custom password encryption can be created to encrypt
and decrypt all passwords in WebSphere Application Server that are currently
encoded or decoded using Base64-encoding.
- Secure transports with JSSE and JCE programming interfaces
- This topic provides detailed information about transport security using
Java Secure Socket Extension (JSSE) and Java Cryptography Extension (JCE)
programming interfaces. Within this topic, there is a description of the IBM
version of the Java Cryptography Extension Federal Information Processing
Standard (IBMJCEFIPS).
- Web component security
- You can develop a Web module and enforce security at the method level
of each Web resource.
- Security role references
- Web application developers or EJB providers who use the programmatic
security J2EE APIs, isUserInRole(String roleName) or isCallerInRole(String
roleName), reference a role name directly in their code.
- UDDI registry security additional considerations
- In addition to the configuration of UDDI registry security, there are a number
of other UDDI registry settings that may affect the behavior of the UDDI
registry. Some of these settings are security specific; others are points
to bear in mind when configuring security.
- J2EE connector security
- The J2EE connector architecture defines a standard architecture for connecting
the Java 2 Platform, Enterprise Edition (J2EE) to heterogeneous enterprise
information systems (EIS).
- Asynchronous messaging - security considerations
- This topic describes considerations that you should be aware of if you
want to use security for asynchronous messaging with WebSphere Application
Server.