This topic discusses the various objects and files that contain sensitive information and need to be protected.
In addition to enterprise beans and servlets, WebSphere® Application Server accesses integrated file system stream files. The following files might contain sensitive information. It is recommended that you give these files close consideration to ensure that unauthorized access is not granted.
By default, the /properties subdirectory is located in the profile_root directory. Each of the previous files is shipped with *PUBLIC authority set to *EXCLUDE. The QEJBSVR user profile is granted *RW authority to these files. Additional protection is available through password encoding. For more information, see Password encoding and encryption.
For the JKS files, the QEJBSVR user profiles should have *R authority and *PUBLIC should have *EXCLUDE authority.
For the KDB files, the user profile that the Web server is running under should have *RX authority and *PUBLIC should have *EXCLUDE authority.
WebSphere Application Server uses tables to persist data for user applications such as enterprise beans persistence and servlet session data. You have several options for controlling which user profiles are allowed access to this user data. For more information, see Database access security.
When you enable WebSphere Application Server security, the server user profile and password are placed into server configuration files, which should be maintained in a secure way using operating system security. Additionally, you can password protect some WebSphere Application Server resources. These passwords are also placed in server configuration files. The server automatically encodes passwords to deter casual observation, but password encoding alone is not sufficient protection.