Object and file security

This topic discusses the various objects and files that contain sensitive information and need to be protected.

Secure integrated file system files

In addition to enterprise beans and servlets, WebSphere® Application Server accesses integrated file system stream files. The following files might contain sensitive information. It is recommended that you give these files close consideration to ensure that unauthorized access is not granted.

Secure database resources for WebSphere Application Server

WebSphere Application Server uses tables to persist data for user applications such as enterprise beans persistence and servlet session data. You have several options for controlling which user profiles are allowed access to this user data. For more information, see Database access security.

Secure WebSphere Application Server files

When you enable WebSphere Application Server security, the server user profile and password are placed into server configuration files, which should be maintained in a secure way using operating system security. Additionally, you can password protect some WebSphere Application Server resources. These passwords are also placed in server configuration files. The server automatically encodes passwords to deter casual observation, but password encoding alone is not sufficient protection.

The following files are located in the /config subdirectory of your profile and they can contain user identifiers and passwords:
  • cells/cell_name/security.xml
  • cells/cell_name/nodes/node_name/resources.xml
  • cells/cell_name/nodes/node_name/servers/server_name/server.xml
For example, for the default profile, the server_name is server1.
The server user profile and password are used for authenticating the server when it initializes. This authentication is required for the following reasons:
  • The user ID and password are used as the system identity for the server when an enterprise bean security is deployed to use SYSTEM_IDENTITY for method delegation. In this case, the user ID and password are used when method calls are made from one enterprise bean to another.
  • The user ID and password are used to authenticate servers for inter-server communication. Because security for these files can be compromised, use a non-default user profile for the server identity and password. The default user profile is QEJBSVR. If you use the local OS user registry, you might choose to create and use a user profile that has no special authorities. For more information, see Running application servers under specific user profiles.

Secure user profiles for WebSphere Application Server

When WebSphere Application Server is first installed, by default, it uses the following user profiles:
QEJB
This profile provides access to some administrative data, including passwords.
QEJBSVR
This profile provides the context in which your WebSphere Application Server runs. For security or administrative purposes, you might want to create other user profiles under which to run various parts of WebSphere Application Server. For more information, see Running application servers under specific user profiles.



Related concepts
Password encoding and encryption
Related tasks
Troubleshooting security configurations
Reference topic    

Terms of Use | Feedback

Last updated: Oct 21, 2010 5:30:17 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-iseries&topic=rsec_secisobj
File name: rsec_secisobj.html