6.6.0.2.2.3.11: Setting global security defaults

The wscp SecurityConfig operations can be used to do the following:

  • Enable and disable WebSphere security on a global basis.
  • Specify the default authentication mechanism.
  • Configure secure sockets layer (SSL) communication.

They cannot be used to configure security for individual applications or components.


Modifying security properties

Before enabling security, you must make the following modifications to the product_installation_root/properties/sas.client.props file:

com.ibm.CORBA.loginSource=properties
com.ibm.CORBA.loginUserId=userID
com.ibm.CORBA.loginPassword=password

where userID is a valid userID and password is the corresponding password.

The sas.client.props file specifies login information for both the administrative console and wscp. However, you can set up wscp to use a different login mechanism than the administrative console; for instance, you can set up wscp for a programmatic login and the console for an interactive login. To do so:

  1. Copy the sas.client.props file to another file name, such as wscpsas.client.props.
  2. In the copied file, change the security properties for wscp that were described earlier in this article.
  3. In the file setupCmdLine.bat (Windows) or setupCmdLine.sh (Unix), set the value of the WSCPCLIENTSAS variable to the location of the copied file. For example:
    WSCPCLIENTSAS=product_installation_root/properties/wscpsas.client.props
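
One way to check the copied file before pointing WSCPCLIENTSAS at it, as an added example that is not part of the original documentation: a shell function that verifies the three properties listed above are set for a programmatic login. As an added hardening assumption, it also requires that the file is not accessible to group or other, because it holds the login password. The function names are hypothetical.

```sh
#!/bin/sh
# Added example (not IBM code): audit a wscp-specific copy of sas.client.props.
# Usage: check_wscp_props /path/to/wscpsas.client.props

# Print the value of a key=value property. Commented-out lines are ignored,
# trailing whitespace (including CR from Windows files) is stripped, and the
# last definition wins.
prop_value() {
    # $1 = file, $2 = property name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

check_wscp_props() {
    file=$1
    rc=0
    if [ ! -f "$file" ]; then
        echo "FAIL: $file not found"
        return 2
    fi
    # A programmatic login needs loginSource=properties plus both credentials.
    src=$(prop_value "$file" com.ibm.CORBA.loginSource)
    if [ "$src" != "properties" ]; then
        echo "FAIL: com.ibm.CORBA.loginSource is '$src', expected 'properties'"
        rc=1
    fi
    for key in com.ibm.CORBA.loginUserId com.ibm.CORBA.loginPassword; do
        if [ -z "$(prop_value "$file" "$key")" ]; then
            echo "FAIL: $key is empty or missing"
            rc=1
        fi
    done
    # Assumption added here: the file should be readable by its owner only.
    # Characters 5-10 of the ls mode string are the group/other permission bits.
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $file is accessible to group/other (mode bits: $perms)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file"
    return "$rc"
}
```

The function returns 0 only when every check passes, so it can gate a wrapper script that starts wscp.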
    

See 6.6.0.2.2.2.3: Authenticating to the administrative server for more information about enabling security.


Security configuration examples

The following example command checks whether security is enabled:

wscp> SecurityConfig isSecurityEnabled

Return values are:

  • 1 (true) -- Security is enabled.
  • 0 (false) -- Security is disabled.

The following example command enables security for all applications:

wscp> SecurityConfig enableSecurity

The following example command disables security for all applications:

wscp> SecurityConfig disableSecurity

The following example command returns the current authentication mechanism for security:

wscp> SecurityConfig getAuthenticationMechanism

Possible return values are:

  • LOCALOS -- The underlying operating system's authentication mechanism. The local operating system supports basic authentication such as checking a user ID and password.
  • LTPA -- Lightweight Third Party Authentication (LTPA). LTPA authenticates users with a Lightweight Directory Access Protocol (LDAP) directory service and supports certificate-based authentication.

Note: LTPA cannot be directly configured from the wscp command line because the configuration settings are too complex. However, you can use the wscp XMLConfig operation to import LTPA configurations that have been stored in XML files. See 6.6.0.2.2.4.6: Importing and exporting a configuration by using XMLConfig for instructions on how to use this command.

The following example command returns the user ID that can be used in local operating system (LOCALOS) authentication:

wscp> SecurityConfig getUserid
{tym}

The following example command sets the authentication mechanism to that of the local operating system and authenticates as the user tym:

wscp> SecurityConfig setAuthenticationMechanism LOCALOS -userid {tym tympwd}

The system uses the operating system's existing security repository. The administrative server must be restarted for the change to take effect.

The following example command displays information about how SSL is configured in WebSphere Application Server:

wscp> SecurityConfig getSSLConfig
{{TrustFileName ${WAS_HOME}/etc/ServerTrustFile.jks}
{TrustFilePassword WebAS} {KeyFileName
${WAS_HOME}/etc/ServerKeyFile.jks} {KeyFilePassword WebAS}
{KeyFileFormat 0} {TrustFileFormat 0} {ClientAuthentication false}
{UseGlobalDefaults true} {SecurityLevel 0} {CryptoHardwareEnabled
false} {CryptoTokenType {}} {CryptoLibraryFile {}} {CryptoPassword {}}
{SSLProperties {}}}

The following example command sets various SSL configuration parameters:

wscp> SecurityConfig setSSLConfig {{ClientAuthentication true} {KeyFileName
${WAS_HOME}/etc/NewKey.jks} {KeyFilePassword serverAS}}