Securing specific application servers

You can customize security to some extent at the application server level. You can disable user security on an application server; administrative security remains enabled when global security is enabled. When global security is disabled, you cannot enable application server security.

Before you begin

Note: User Registry properties include System Authorization Facility (SAF) properties such as: com.ibm.security.SAF.authorization and com.ibm.security.SAF.unauthenticated identities.

By default, server security inherits all of the values that are configured for cell-level security. To override the cell-level security configuration at the server level, click Servers > Application Servers > server_name. Under Security, click Server Security > Additional properties and click any of the following panels:

After you modify the configuration in any of these panels and click OK or Apply, the security configuration for that panel or set of panels overrides cell-level security. Panels that are not overridden continue to inherit their values from the cell level. You can revert to the cell-level configuration at any time. On the Server Security panel, click any of the following to revert to the global security configuration on these panels:
  • Use cell security
  • Use cell CSI
  • Use cell z/SAS
A number of additional Secure Authentication Services for z/OS (z/SAS) attributes can be considered for security at a server level, such as:
  • Local identity
  • Remote identity
  • Sync to thread allowed

For more information, see Server and global security.

Procedure

  1. Start the administrative console for the deployment manager. To get to the administrative console, go to http://host.domain:port_number/ibm/console. If security is disabled, you can enter any ID. If security is enabled, you must enter a valid user ID and password, which is either the administrative ID that is configured for the user registry or a user ID that is entered as an administrative user. To add a user ID as an administrative user, click System Administration > Console settings > Console users.
  2. Configure global security if you have not already done so. Go to Enabling security for all application servers for detailed steps. After global security is configured, configure server-level security.
    Attention: Server-level security is not enabled when you select the Enable global security option on the Server-level security settings of the administrative console. You also must enable cell-level security by selecting the Enable global security option on the Global security settings panel of the administrative console.
  3. To configure server-level security, click Servers > Application Servers > server name. Under Security, click Server security. The status of the security level that is in use for this application server is displayed.

    By default, you can see that global security, Common Secure Interoperability (CSI), and z/SAS have not been overridden at the server level. CSI and z/SAS are authentication protocols for RMI/IIOP requests. The Server Level Security panel lists attributes that are on the Global Security panel and that can be overridden at the server level. Not all of the attributes on the Global Security panel can be overridden at the server level, including Active Authentication Mechanism and Active User Registry.

  4. To disable security for this application server, go to the Server-level security panel, clear the Enable global security option and click OK or Apply. Click Save. By modifying the Server-level security panel, you can see that this flag overrides the cell-level security.
  5. To configure CSI at the server level, you can change any panel that starts with CSI. By doing so, all of the panels that start with CSI override the CSI settings that are specified at the cell level. This change includes all of the authentication and transport panels for CSI. See Configuring Common Secure Interoperability Version 2 (CSIV2) and Security Authentication Service (SAS) for more detailed steps regarding configuring the CSI authentication protocol.

What to do next

Typically, server-level security is used to disable user security for a specific application server. However, it can also be used to disable or enable the Java 2 security manager, and to configure the authentication requirements for RMI/IIOP requests, both incoming to and outgoing from this application server.

After you modify the configuration for a particular application server, you must restart the application server for the changes to become effective. To restart the application server, go to Servers > Application servers and click the server name that you recently modified. Click Stop and then Start.

If you disabled security for the application server, you can typically verify the change by requesting a Web address that is protected when security is enabled.
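The check described above can be scripted so that the result is recorded rather than eyeballed in a browser. The following is an added example, not part of the IBM documentation: it sends one request without credentials and classifies the answer. The URL, the `LOGIN_HINTS` values and the result labels are assumptions to adapt to your application's login configuration.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumption: substrings that identify the application's form-login page.
LOGIN_HINTS = ("login", "j_security_check")

def classify(url, status, headers, body=""):
    """Return 'enforced', 'not-enforced', 'retry-https' or 'inconclusive'."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 401 and "www-authenticate" in hdrs:
        return "enforced"                 # HTTP authentication challenge
    if status in (301, 302, 303, 307):
        target = urlsplit(hdrs.get("location", ""))
        if any(h in target.path.lower() for h in LOGIN_HINTS):
            return "enforced"             # redirected to the form-login page
        if urlsplit(url).scheme == "http" and target.scheme == "https":
            return "retry-https"          # transport redirect, not an auth decision
        return "inconclusive"
    if status == 200:
        # A container that forwards to the login form also answers 200.
        return "enforced" if "j_security_check" in body else "not-enforced"
    return "inconclusive"                 # 403, 404, 5xx: check URL and server state

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None                       # surface 3xx as HTTPError, do not follow

def probe(url, timeout=10):
    """Request url without credentials and classify the answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err
    body = resp.read(65536).decode("latin-1")
    return classify(url, resp.code, dict(resp.headers), body)

if __name__ == "__main__":
    # Constructed responses for a hypothetical protected URL (no network needed).
    url = "http://host.domain:9080/app/secure"
    print(classify(url, 401, {"WWW-Authenticate": 'Basic realm="app"'}))
    print(classify(url, 302, {"Location": "/app/login.jsp"}))
    print(classify(url, 200, {}, "<h1>Account summary</h1>"))
```

Run `probe()` against the restarted server: `not-enforced` is the expected result on a server where user security was deliberately disabled, and a finding on any server where it was not.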





Last updated: Aug 29, 2010 8:25:23 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-zos&topic=tsecserversecurity
File name: tsec_serversecurity.html