DMZ Secure Proxy Server for IBM WebSphere Application Server start up user permissions

The overall security level of the DMZ Secure Proxy Server for IBM® WebSphere® Application Server can be hardened by reverting the server process to run as an unprivileged user after startup. Although the DMZ Secure Proxy Server for IBM WebSphere Application Server must be started as a privileged user, changing the server process to run as an unprivileged user provides additional protection for local operating system resources.

Like the proxy server, the DMZ Secure Proxy Server for IBM WebSphere Application Server must start under a privileged user because it requires authorization to initialize privileged ports. Ports lower than 1024 are considered privileged ports. After these ports are initialized and access to the protected ports is no longer required, it is possible to change the user association of the DMZ Secure Proxy Server for IBM WebSphere Application Server process. Altering the server process to run using the privileges of a user or a group that does not have authority to access the local operating system resources adds a layer of protection to those resources. The firewall helps protect local operating system resources for the proxy server, but because the DMZ Secure Proxy Server for IBM WebSphere Application Server is installed in the DMZ, this type of protection becomes a higher priority. Changing the user association of the server process for the DMZ Secure Proxy Server for IBM WebSphere Application Server is not required, but a server process that continues to run as a privileged user forgoes the extra layer of protection for local operating system resources that running as an unprivileged user provides.

Table 1. Start up options. This table describes the proxy server start up options.

Start up option             Definition
Run as unprivileged user    This is considered a high and medium security level setting.
Run as privileged user      This is considered a low security level setting.
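
One way to confirm that a server process really gave up its privileged user after startup, as an added example that is not IBM's code or tooling. It assumes a Linux host where /proc/<pid>/status is available; the function names, the UID 1001 and the sample status records are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the Uid/Gid/Groups lines of a Linux /proc/<pid>/status
# record to check that a process started as root is now fully unprivileged.

# check_status: reads status text on stdin and prints one line per finding.
# Returns 0 if no ID is 0, 1 if any ID is still 0, 2 if Uid/Gid lines are missing.
check_status() {
    awk '
        $1 == "Uid:" || $1 == "Gid:" {
            seen[$1] = 1
            label = ($1 == "Uid:") ? "UID" : "GID"
            split("real effective saved filesystem", kind, " ")
            # A saved ID of 0 matters: the process could switch back to root.
            for (i = 2; i <= 5 && i <= NF; i++)
                if ($i == 0) { printf "%s %s is 0\n", kind[i - 1], label; bad = 1 }
        }
        $1 == "Groups:" {
            for (i = 2; i <= NF; i++)
                if ($i == 0) { print "supplementary group 0 retained"; bad = 1 }
        }
        END {
            if (!seen["Uid:"] || !seen["Gid:"]) { print "no Uid/Gid lines found"; exit 2 }
            exit (bad ? 1 : 0)
        }
    '
}

# audit_pid: run the check against a live process (Linux only).
audit_pid() { check_status < "/proc/$1/status"; }

# Constructed sample records (not captured from a real server).
sample_dropped() {
    printf 'Name:\tjava\nUid:\t1001\t1001\t1001\t1001\nGid:\t1001\t1001\t1001\t1001\nGroups:\t1001\n'
}
sample_root() {
    printf 'Name:\tjava\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nGroups:\t0\n'
}
sample_saved_root() {  # effective UID changed, but saved UID is still root
    printf 'Name:\tjava\nUid:\t1001\t1001\t0\t1001\nGid:\t1001\t1001\t1001\t1001\nGroups:\t1001\n'
}

for s in sample_dropped sample_root sample_saved_root; do
    rc=0; findings=$($s | check_status) || rc=$?
    echo "$s: rc=$rc ${findings:-clean}"
done
```

On a live host, audit_pid takes the process ID of the running server; a non-zero return after startup has completed means the process still holds a privileged ID.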



Related concepts
WebSphere DMZ Secure Proxy Server for IBM WebSphere Application Server
DMZ Secure Proxy Server for IBM WebSphere Application Server routing considerations
DMZ Secure Proxy Server for IBM WebSphere Application Server administration options
Error handling security considerations for the DMZ Secure Proxy Server for IBM WebSphere Application Server
Related tasks
Tuning the security properties for the DMZ Secure Proxy Server for IBM WebSphere Application Server
Related reference
ProxyManagement command group for the AdminTask object

Last updated: Jan 30, 2014 9:17:32 AM CST
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=matt&product=was-nd-iseries&topic=csec_spxy_userperm
File name: csec_spxy_userperm.html