Migrating, coexisting, and interoperating – Security considerations

Use this topic to migrate the security configurations of previous WebSphere® Application Server releases and their applications to the new installation of WebSphere Application Server.

Before you begin

This information addresses the need to migrate your security configurations from a previous release of IBM® WebSphere Application Server to WebSphere Application Server Version 7.0 or later. Complete the following steps to migrate your security configurations:

  • If security is enabled in the previous release, obtain the administrative server ID and password of the previous release. This information is needed in order to run certain migration jobs.
  • You can optionally disable security in the previous release before migrating the installation. No logon is required during the installation.
  • [z/OS] If scriptCompatibility is false when migrating to WebSphere Application Server Version 7.0 on z/OS®, any SSLConfig repertoire of type System SSL (SSSL) is converted to type JSSE. The exception is when the SSLConfig repertoire belongs to the daemon; the repertoire is not converted from type SSSL to type JSSE in this case.

Procedure

Results

The security configurations of previous WebSphere Application Server releases and their applications are migrated to the new installation of WebSphere Application Server Version 7.0.

What to do next

If a custom user registry is used in the previous version, the migration process does not migrate the class files that are used by the standalone custom registry in the previous app_server_root/classes directory. Therefore, after migration, copy your custom user registry implementation classes to the app_server_root/classes directory.

If you upgrade from WebSphere Application Server, Version 5.x to WebSphere Application Server Version 7.0, the data that is associated with Version 5.x trust associations is not automatically migrated. To migrate trust associations, see Migrating trust association interceptors.

[z/OS] If you are migrating a Version 6.1 environment or earlier with System Authorization Facility (SAF) authorization enabled, be aware that the term describing the string that is prepended to the EJBROLE profile names, which was previously referred to as the z/OS security domain, has been updated to "SAF profile prefix". Additionally, the corresponding property name in the security.xml file has been updated to com.ibm.security.SAF.profilePrefix. The old property names are security.zOS.domainName and security.zOS.domainType. The term has changed to more accurately describe the purpose of this property and to avoid confusion with the WebSphere security domains feature that has been introduced in Version 7.0. If a SAF profile prefix is specified and scriptCompatibility is false, further action is not necessary during migration; the old properties are converted to the new properties.
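A post-migration check for the property rename described above, as an added example that is not IBM code: it reports whether a security.xml still carries the old property names, the new one, or both. The sample documents and their values are constructed, and the layout (properties stored as elements with name and value attributes) is an assumption to confirm against your own file.

```python
import sys
import xml.etree.ElementTree as ET

NEW_PROP = "com.ibm.security.SAF.profilePrefix"
OLD_PROPS = ("security.zOS.domainName", "security.zOS.domainType")

# Constructed samples, not real security.xml content. Assumption: each
# property is an element carrying name= and value= attributes.
SAMPLE_UNCONVERTED = """<security>
  <properties name="security.zOS.domainType" value="PLACEHOLDER_TYPE"/>
  <properties name="security.zOS.domainName" value="TESTCELL"/>
</security>"""
SAMPLE_CONVERTED = """<security>
  <properties name="com.ibm.security.SAF.profilePrefix" value="TESTCELL"/>
</security>"""


def saf_prefix_status(xml_text):
    """Return (status, found); found maps each SAF prefix property to its value."""
    root = ET.fromstring(xml_text)
    found = {}
    for element in root.iter():
        name = element.get("name")
        if name == NEW_PROP or name in OLD_PROPS:
            found[name] = element.get("value", "")
    has_old = any(prop in found for prop in OLD_PROPS)
    has_new = NEW_PROP in found
    if has_old and has_new:
        status = "mixed"             # both naming schemes present: review by hand
    elif has_old:
        status = "old-names-remain"  # conversion did not happen
    elif has_new:
        status = "converted"
    else:
        status = "no-prefix-set"     # no SAF profile prefix configured
    return status, found


if __name__ == "__main__":
    # Pass the path of a migrated security.xml, or run with no argument
    # to see the result for the constructed unconverted sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_UNCONVERTED
    status, found = saf_prefix_status(text)
    print(status)
    for name, value in sorted(found.items()):
        print(f"  {name} = {value}")
```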

[z/OS] If you are migrating a Version 5.x or 6.0.x environment with Sync to OS Thread enabled to a Version 7.0 environment, you should be aware of the following migration considerations:
  • In earlier versions of WebSphere Application Server, it was sufficient for the application and the configuration to specify the use of Sync to OS Thread. In Version 6.1 and later, the RACF® administrator must also define a resource role in order for Sync to OS Thread to operate. A FACILITY class profile must be defined to allow or disallow the use of Sync to OS Thread. Also, an optional SURROGAT class profile can be used to further refine the use of Sync to OS Thread to particular authenticated users.

    See System Authorization Facility classes and profiles.

  • In Version 6.1 and later, a FACILITY class profile must be defined to enable trusted applications. WebSphere Application Server checks this FACILITY class profile during initialization to ensure that only authorized trusted applications are enabled. This FACILITY class profile expands the RACF administrator's role in ensuring that only authorized trusted applications are enabled.

    See System Authorization Facility classes and profiles.





Last updated: Oct 21, 2010 7:37:48 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=v701sca&product=was-nd-mp&topic=tsecmigrate
File name: tsec_migrate.html