WebSphere Application Server Network Deployment, Version 6.1
Operating Systems: AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS

What is new for security specialists

This version contains many new and changed features for those who are responsible for securing applications and the application serving environment.

New in Version 6.1! indicates new features or changes implemented at the Version 6.1 level. Unmarked items are Version 6.0 improvements that apply also to Version 6.1, which should interest anyone migrating to Version 6.1 from Version 5.x.

Deprecated and removed features describes features that are being replaced or removed in this or future releases.

Ease of use

Administrative security enabled out of box

New in Version 6.1! Access to the administrative system and its data is now protected by default. When you create a profile, whether during or after installation, you are prompted to choose whether to keep the default. The default is for administrative security to be enabled with the file-based user repository as the user registry. The file-based repository is implemented using virtual member manager. For information about this option, see Managing the realm in a federated repository configuration.

Rest assured that if you are migrating from a prior product version, the existing security configuration will be preserved.

Simplified security configuration and administration

New in Version 6.1!
  • Simplified administrative console security panels
  • New security wizard
  • Security configuration reporting tool

Automatically generated server IDs

New in Version 6.1! This version distinguishes between the user identities for administrators who manage the environment and server identities for authenticating server to server communications. In most cases, server identities are automatically generated and are not stored in a repository. You can change the ID if you like.

You no longer need to specify a server user ID and password during security configuration, unless you are using a mixed cell environment. To maintain backwards compatibility in that case, you must specify the server user ID.

See Local operating system settings.

Simplified WebSphere® key and certificate management

New in Version 6.1! Simplified WebSphere key and certificate management has been added to:
  • Allow you to use the key management tools from the console
  • Make it easier to configure Secure Sockets Layer (SSL) attributes
  • Manage Web server and plug-in certificates from the console
  • Use the TrustManager to automatically trust hosts or signers
  • Make it easier to refresh an expiring certificate

Federate various repositories, so you can manage them as one

New in Version 6.1! Inclusion of virtual member manager in this release provides a single model for managing organizational entities. You can configure a realm that consists of identities in the file-based repository that is built into the system, in one or more external repositories, or in both the built-in, file-based repository and in one or more external repositories.

Currently most WebSphere Application Server applications have their own models and components for managing organizational entities, and they provide different levels of security. Most applications are dependent on specific types and brands of repositories, assume a specific schema for the data in those repositories, and are not able to use repositories with existing data. Virtual member manager helps these applications by providing them a common model, secure access to various brands and types of repositories, and the ability to use repositories with existing data. The single model includes a set of organizational entity types and their properties, a repository-independent application programming interface (API) and a Service Provider Programming Interface (SPI) for plugging in repositories. XPath is chosen as the search language in the API and SPI.

For more information, see Federated repositories.

Standards support and interoperability

SPNEGO support for single sign-on authentication through Windows desktop

New in Version 6.1! The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol allows Kerberos tokens to flow from Web browsers such as Mozilla Firefox or Microsoft Internet Explorer. This enables a seamless single sign-on experience on Windows desktops with Web browsers that support SPNEGO.

See Configuring WebSphere Application Server and enabling the SPNEGO TAI.

Interoperability with other vendors on WS-Security

New in Version 6.1! The product now supports the WS-I Basic Security Profile 1.0, which promotes interoperability by addressing the most common problems encountered from implementation experience to date.

See Web Services-Interoperability Basic Profile.

Common Criteria Assurance Level 4 security

The product has been enhanced to provide Common Criteria Assurance Level 4 security functionality, with full certification available in 2007. Common Criteria is a scheme for independent assessment, analysis, and testing of IT products to a set of security requirements. Certification gives customers the confidence that products will be effective in delivering security functions such as identification and authentication, user data protection, audit, and cryptographic support. Customers gain assurance that the security functions are correctly implemented and will be effective in satisfying their security objectives.

For more information, see Common Criteria (EAL4) support.

Full FIPS compliance

The product has been enhanced to support an implementation of the Federal Information Processing Standards (FIPS) 140-2 government standard. The IBM Java Secure Sockets Extension (JSSE) FIPS 140-2 Cryptographic Module for multi-platforms is a scalable, multipurpose Secure Sockets provider that supports cipher suites via the Java 2 application programming interfaces (APIs) for enhanced protection of sensitive data. It enables the product and other IBM products to run in FIPS mode and helps fulfill end-to-end requirements for the use of a FIPS-certified cryptographic module.

For more information, see Federal Information Processing Standard support.

JCA 1.5 support

WebSphere Application Server Version 6.0.x supports the J2EE Connector architecture (JCA) Version 1.5 specification, which provides new features such as the inbound resource adapter. For more information, see Resource adapters.

From a security perspective, WebSphere Application Server Version 6.0.x provides an enhanced custom principal and credential mapping programming interface and custom mapping properties at the resource reference level. The custom Java Authentication and Authorization Service (JAAS) login module, which was developed for JCA principal and credential mapping for WebSphere Application Server Version 5.x, is still supported.

Web services security

A pluggable architecture increases the extensibility of Web services security. The implementation includes many of the features that are described in the Organization for the Advancement of Structured Information Standards (OASIS) Web Services Security Version 1 standard. As part of this standard, WebSphere Application Server supports custom, pluggable tokens that are used for signing and encryption, pluggable signing and encryption algorithms, pluggable key locators for locating a key that is used for digital signature or encryption, signing or encrypting elements in a SOAP message, and specifying the order of the signing or encryption processes.

See What is new for securing Web services.

Messaging security

For security changes pertaining to service integration, search the information center for the key word: cjr0420.

When administrative security is enabled, the default behavior is for a secure bus to use secure transport protocols. To connect to a secure bus, a user must explicitly be granted the bus connector role. The default bootstrap endpoint is enhanced to use BootstrapSecureMessaging rather than BootstrapBasicMessaging.

Web authentication improvements

Separate Web authentication and authorization

New in Version 6.1! Web authentication can now be performed with or without Web authorization, and the Web client's authenticated identity is available whether or not Web authorization is required. An authenticated identity is persisted for both protected and unprotected resources. Without the separation of Web authentication and Web authorization, a Web authenticated identity is not available when Web authorization is not required, and programmatic security cannot work independently of container declarative security.

Enhanced control over Web authentication behavior

New in Version 6.1! WebSphere Application Server provides enhanced control over the authentication behavior for a Web client. Depending upon the option that you select, WebSphere Application Server can retain the authentication data for future use. Also, when you use certificate authentication and authentication fails, you can enable the Application Server to challenge the Web client for a user ID and password.

For more information, see Authentication mechanisms.

Portlet URL security

New in Version 6.1! The product enables direct access to portlet Uniform Resource Locators (URLs), just like servlets. For security purposes, portlets are treated similarly to servlets. Most portlet security uses the underlying servlet security mechanism. However, portlet security information resides in the portlet.xml file, while the security information for servlets and JavaServer Pages files resides in the web.xml file. Also, when you make access decisions for portlets, the security information, if any, in the web.xml file is combined with the security information in the portlet.xml file. Portlet security must support both programmatic security, that is, isUserInRole, and declarative security.

For more information, see Portlet URL security.

Web authentication using the Java Authentication and Authorization Service programming model

WebSphere Application Server Version 6.0.x enables you to use the Java Authentication and Authorization Service (JAAS) programming model to perform Web authentication in your application code. To use this function, you must create your own JAAS login configuration by cloning the WEB_INBOUND login configuration and defining a cookie=true login option. After a successful login using your login configuration, the Web login session is tracked by single sign-on (SSO) token cookies. This option replaces the SSOAuthenticator interface, which was deprecated in WebSphere Application Server Version 4.

For more information, see Java Authentication and Authorization Service authorization.

Expanded capabilities

Larger variety of administrative roles

New in Version 6.1! Even more administrative roles are defined to provide degrees of authority that are needed to perform certain administrative functions from either the Web-based administrative console or the system management scripting interface. The newest roles are deployer and adminsecuritymanager, available through administrative scripting (wsadmin).

For more information, see Administrative roles.

Fine grained administrative role authorization

New in Version 6.1! In prior releases, users granted administrative roles could administer all of the resource instances under the cell. Now the product is more fine-grained, meaning that access can be granted to each user per resource instance.

For more information, see Fine-grained administrative security.

Hardware cryptographic device support for Web services security

New in Version 6.1! Web services security now supports the use of cryptographic hardware devices in two different ways. The hardware cryptographic device can be used to accelerate the cryptographic operations. Also, cryptographic keys can be stored on the hardware cryptographic device and never leave the device.

See Hardware cryptographic device support for Web Services Security.

Mixed case password support for RACF

New in Version 6.1! WebSphere Application Server exploits the new mixed case password option for the Resource Access Control Facility (RACF). To use mixed case passwords in WebSphere Application Server, you must use z/OS Version 1.7 or higher, use the local operating system registry, and turn on mixed case by using the SETROPTS PASSWORD(MIXEDCASE) command. Otherwise, WebSphere Application Server will not be sensitive to password case for a local registry configuration. If you use an LDAP configuration, you can take advantage of mixed case passwords. For more information on the mixed case password feature in z/OS Version 1.7, see z/OS V1R7.0 Security Server RACF Security Administrator's Guide. This guide is available under "Security Server and Integrated Security Services". Within the guide, see section 5.2.1.

z/OS LDAP with a SDBM (RACF) back end

New in Version 6.1! Now you can secure the application server by configuring Lightweight Directory Access Protocol (LDAP) on z/OS with an existing Resource Access Control Facility (RACF) back end.

Sync to OS Thread Control Enhancements

Sync to OS Thread allows the authenticated user's Java thread identity (or JAAS subject) to be synchronized with the OS thread identity when calling outside of the J2EE container, for example over a database connection. To use Sync to OS Thread, both the application and the WebSphere configuration must specify the desire to use Sync to OS Thread.

New in Version 6.1! In addition to the application and the configuration specifying the desire to use Sync to OS Thread, the RACF administrator must also define a resource rule in order for Sync to OS Thread to operate. A new FACILITY class profile must be defined to allow or disallow the use of Sync to OS Thread. Also, an optional SURROGAT class profile can be used to further restrict the use of Sync to OS Thread to particular authenticated users.

See Application Synch to OS Thread Allowed.

Enabling Trusted Applications

New in Version 6.1! A new FACILITY class profile must be defined to enable trusted applications. WebSphere Application Server checks this FACILITY class profile during initialization to ensure that only authorized trusted applications are enabled. This new FACILITY class profile expands the RACF administrator role in ensuring that only authorized trusted applications are enabled.

See System Authorization Facility classes and profiles.

Custom password encryption

A plug point for custom password encryption must be created to encrypt and decrypt all passwords in WebSphere Application Server that are currently encoded or decoded using Base64-encoding. The implementation class of this plug point has the responsibility for managing keys, determining the encryption algorithm to use, and for protecting the master secret.

For more information, see the Technote http://www.ibm.com/support/docview.wss?rs=180&uid=swg21210244.

Enhanced LDAP support

In addition to support for multiple Lightweight Directory Access Protocol (LDAP) directory services binding and failover, you can dynamically update LDAP binding information without first stopping and restarting application servers.

For more information, see http://www.ibm.com/support/docview.wss?rs=180&uid=swg21210243.

Programming interfaces for implementing identity assertion with trust validation

If you want an application or system provider to perform an identity assertion with trust validation, it can be accomplished by use of the Java Authentication and Authorization Service (JAAS) login framework, where trust validation is performed in one login module and credential creation in another. These two custom login modules are used to create a JAAS login configuration that performs a login to an identity assertion.

For more information, see Identity assertions with trust validation.

Java 2 security manager

WebSphere Application Server Version 6.0.x provides you with greater control over the permissions granted to applications for manipulating non-system threads. You can permit applications to manipulate non-system threads using the was.policy file. However, these thread control permissions are disabled by default.

For more information, see Configuring the was.policy file.

SSL channel framework

The Secure Sockets Layer channel framework incorporates the new IBMJSSE2 implementation and separates the security function of Java Secure Sockets Extension (JSSE) from the network communication function.

See Transport chains.

Last updated: Feb 25, 2009 9:32:38 AM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/welc_newsecurity.html