5.7.7: Disabling security on specific application servers
When you enable WebSphere security, the administrative server and every application server on the node are protected by default. With WebSphere Application Server, Version 4, you can turn off security for selected application servers on a node. Use this feature only when both of the following are true:
- You want to protect the administrative server, but do not want to impose the overhead of encrypted, authenticated communication on the selected application servers.
- The affected application servers do not require WebSphere security protection. Once unprotected, a server neither authenticates nor authorizes the requests it receives, so any client that can reach its TCP/IP port can invoke its enterprise beans and Web modules.
How the procedure works
During initialization of the administrative server, the Interoperable Object Reference (IOR) for each enterprise bean hosted in an application server is registered with the name server. The IOR for each enterprise bean contains a security tag if any of the following properties is set to its default value of true:
com.ibm.CORBA.SSLTypeIClientAssociationEnabled
com.ibm.CORBA.LTPAClientAssociationEnabled
com.ibm.CORBA.DCEClientAssociationEnabled
When a client reads the IOR, the presence of the security tag tells the client that the server expects a secure connection for sending messages. As a result, the client must obtain authentication information from the user so that the server can authenticate the user.
If all three properties are set to false, the IOR does not contain a security tag and the client creates a plain TCP/IP connection to the server. Messages sent over that connection are neither encrypted nor authenticated. The application server receives the request on its TCP/IP port and handles it.
Authorization of requests is also completely disabled when com.ibm.CORBA.SSLTypeIClientAssociationEnabled is set to false: the setting tells the application server not to enable security on inbound requests, so an unprotected server checks neither who the caller is nor what the caller is permitted to do. Because the administrative server must keep these properties set to true, the technique works only when the application server uses a different set of configuration properties than the administrative server does. Disabling security on selected application servers therefore amounts to giving those servers their own property values (in the procedure below, JVM system properties on the application server) in place of the ones in sas.server.props.
Disabling security on selected application servers
This procedure shows you how to unprotect an application server. It has two parts:
- Global settings
- Application server settings
The procedure below unprotects the default application server and checks the result with the snoop servlet in the default_app Web module.
Global settings
- Verify that you have enabled global security and have restarted the administrative server at least once. The restart ensures that the correct security settings are in the sas.server.props file.
The snoop servlet supplied with the default_app Web module has a security constraint that allows only authenticated users to access it. Without security enabled, access to the Web module is unrestricted. If you enable security and attempt to access the snoop servlet at http://localhost/servlet/snoop, the basic authentication challenge (a login prompt) appears.
- Stop the administrative server.
- Delete the <WAS_HOME>\properties\sas.server.props.future file. If this file is present when an application server restarts, its contents are copied into the sas.server.props file, which overwrites your changes to sas.server.props.
- Make a backup copy of the current <WAS_HOME>\properties\sas.server.props file.
- Edit the sas.server.props file and modify the settings as described below.
Make these changes carefully. Incorrect settings can result in unwanted security behavior or prevent the administrative server from starting with security enabled. Do not change any values other than the ones listed here unless you are sure of the consequences.
If the value of the com.ibm.CORBA.authenticationTarget
property is LTPA, set the following properties:
- Client-association properties:
com.ibm.CORBA.SSLTypeIClientAssociationEnabled=true
com.ibm.CORBA.LocalOSClientAssociationEnabled=false
com.ibm.CORBA.LTPAClientAssociationEnabled=true
- Server-association properties:
com.ibm.CORBA.SSLTypeIServerAssociationEnabled=true
com.ibm.CORBA.LocalOSServerAssociationEnabled=false
com.ibm.CORBA.LTPAServerAssociationEnabled=true
If the value of the com.ibm.CORBA.authenticationTarget property is localos, set the following properties:
- Client-association properties:
com.ibm.CORBA.SSLTypeIClientAssociationEnabled=true
com.ibm.CORBA.LocalOSClientAssociationEnabled=true
com.ibm.CORBA.LTPAClientAssociationEnabled=false
- Server-association properties:
com.ibm.CORBA.SSLTypeIServerAssociationEnabled=true
com.ibm.CORBA.LocalOSServerAssociationEnabled=true
com.ibm.CORBA.LTPAServerAssociationEnabled=false
- Restart the administrative server.
- When the server reports that it is "open for e-business", start the administrative console. A prompt appears for the administrative user ID and password, which confirms that security on the administrative server is still enabled.
Application server settings
- In the administrative console, right-click the application server you want to unprotect, and then select Properties from the menu that appears.
- In the Application Server Properties window, click the JVM Settings tab, set all of the following System Properties, and then click OK. Set every property listed; a client-association property you omit keeps its default value of true, which leaves the security tag in the IOR.
If the value of the com.ibm.CORBA.authenticationTarget
property in sas.server.props is LTPA, set the following properties:
- Client-association properties:
com.ibm.CORBA.SSLTypeIClientAssociationEnabled=false
com.ibm.CORBA.LocalOSClientAssociationEnabled=false
com.ibm.CORBA.LTPAClientAssociationEnabled=false
com.ibm.CORBA.DCEClientAssociationEnabled=false
- Server-association properties:
com.ibm.CORBA.SSLTypeIServerAssociationEnabled=true
com.ibm.CORBA.LocalOSServerAssociationEnabled=false
com.ibm.CORBA.LTPAServerAssociationEnabled=true
If the value of the com.ibm.CORBA.authenticationTarget property in sas.server.props is localos, set the following properties:
- Client-association properties:
com.ibm.CORBA.SSLTypeIClientAssociationEnabled=false
com.ibm.CORBA.LocalOSClientAssociationEnabled=false
com.ibm.CORBA.LTPAClientAssociationEnabled=false
com.ibm.CORBA.DCEClientAssociationEnabled=false
- Server-association properties:
com.ibm.CORBA.SSLTypeIServerAssociationEnabled=true
com.ibm.CORBA.LocalOSServerAssociationEnabled=true
com.ibm.CORBA.LTPAServerAssociationEnabled=false
- Stop and then restart the application server to load the new properties.
- Verify that security is disabled for the application server. With security disabled, you should be able to access the snoop servlet at http://localhost/servlet/snoop without an authentication challenge.
Repeat these steps for any other application servers that you want to unprotect. The administrative server keeps the settings in sas.server.props and remains protected.