This topic discusses the various objects and files that contain sensitive information and need to be protected.

Secure integrated file system files

In addition to enterprise beans and servlets, WebSphere® Application Server accesses integrated file system stream files. The following files might contain sensitive information. It is recommended that you give these files close consideration to ensure that unauthorized access is not granted.
- In the /properties subdirectory of your profile, the following files can contain user IDs and passwords:
  - sas.client.props
  - soap.client.props
  - sas.stdclient.properties
  - sas.tools.properties
  - wsserver.key
  By default, the /properties subdirectory is located in the profile_root directory. Each of these files is shipped with *PUBLIC authority set to *EXCLUDE. The QEJBSVR user profile is granted *RW authority to these files. Additional protection is available through password encoding. For more information, see Password encoding and encryption.
- In the /etc subdirectory of your profile, protect all of the key (KDB) files and trust (JKS) files that you create for your WebSphere Application Server profile.
  For the JKS files, the QEJBSVR user profile should have *R authority and *PUBLIC should have *EXCLUDE authority.
  For the KDB files, the user profile that the web server is running under should have *RX authority and *PUBLIC should have *EXCLUDE authority.
Secure database resources for WebSphere Application Server

WebSphere Application Server uses tables to persist data for user applications, such as enterprise bean persistence and servlet session data. You have several options for controlling which user profiles are allowed access to this user data. For more information, see Database access security.
Secure WebSphere Application Server files

When you enable WebSphere Application Server security, the server user profile and password are placed into server configuration files, which should be maintained in a secure way using operating system security. Additionally, you can password protect some WebSphere Application Server resources. These passwords are also placed in server configuration files. The server automatically encodes passwords to deter casual observation, but password encoding alone is not sufficient protection.
The following files are located in the /config subdirectory of your profile and they can contain user identifiers and passwords:
- cells/cell_name/security.xml
- cells/cell_name/nodes/node_name/resources.xml
- cells/cell_name/nodes/node_name/servers/server_name/server.xml

For example, for the default profile, the server_name is server1.
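As an added example that is not part of this topic, the following QShell/PASE script audits the properties, config and /etc files listed above for any *PUBLIC authority. It relies on the fact that ls -l shows the *PUBLIC authority of an integrated file system object as the POSIX "other" class, so *PUBLIC *EXCLUDE appears as "---". The profile root, cell, node and server names are assumed to be supplied by the caller, and the KDB/JKS file names under /etc are matched by glob.

```shell
#!/bin/sh
# Added audit script, not from the IBM topic. Run it from PASE or QShell on IBM i.
# *PUBLIC authority of an IFS object is shown by ls -l as the POSIX "other" class,
# so a file shipped with *PUBLIC *EXCLUDE shows "---" in columns 8-10.
# Assumed caller-supplied names: PROFILE_ROOT, CELL, NODE, SERVER.

# Print the "other" permission triplet of a file (columns 8-10 of ls -ld).
other_bits() {
    ls -ld "$1" 2>/dev/null | cut -c8-10
}

# check_file PATH: print OK, EXPOSED or MISSING; return 1 only when EXPOSED.
check_file() {
    if [ ! -e "$1" ]; then
        echo "MISSING  $1"
        return 0
    fi
    bits=$(other_bits "$1")
    if [ "$bits" = "---" ]; then
        echo "OK       $1"
        return 0
    fi
    echo "EXPOSED  $1 (other=$bits)"
    return 1
}

# audit_profile PROFILE_ROOT CELL NODE SERVER
# Checks the files the topic lists plus any key (KDB) and trust (JKS) files
# under etc/. Returns 1 if at least one file grants *PUBLIC any authority.
audit_profile() {
    root=$1; cell=$2; node=$3; server=$4
    rc=0
    for rel in \
        properties/sas.client.props properties/soap.client.props \
        properties/sas.stdclient.properties properties/sas.tools.properties \
        properties/wsserver.key \
        "config/cells/$cell/security.xml" \
        "config/cells/$cell/nodes/$node/resources.xml" \
        "config/cells/$cell/nodes/$node/servers/$server/server.xml"
    do
        check_file "$root/$rel" || rc=1
    done
    for f in "$root"/etc/*.kdb "$root"/etc/*.jks; do
        [ -e "$f" ] || continue   # an unmatched glob stays literal; skip it
        check_file "$f" || rc=1
    done
    return $rc
}
```

A non-zero exit status means at least one file is readable, writable or executable by *PUBLIC and needs its authority corrected (for example with CHGAUT), while MISSING lines only flag files that were not found.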
The server user profile and password are used for authenticating the server when it initializes. This authentication is required for the following reasons:
- The user ID and password are used as the system identity for the server when enterprise bean security is deployed to use SYSTEM_IDENTITY for method delegation. In this case, the user ID and password are used when method calls are made from one enterprise bean to another.
- The user ID and password are used to authenticate servers for inter-server communication.

Because security for these files can be compromised, use a non-default user profile for the server identity and password. The default user profile is QEJBSVR. If you use the local OS user registry, you might choose to create and use a user profile that has no special authorities. For more information, see Running application servers under specific user profiles.
Secure user profiles for WebSphere Application Server

When WebSphere Application Server is first installed, by default, it uses the following user profiles:
- QEJB
  This profile provides access to some administrative data, including passwords.
- QEJBSVR
  This profile provides the context in which your WebSphere Application Server runs.

For security or administrative purposes, you might want to create other user profiles under which to run various parts of WebSphere Application Server. For more information, see Running application servers under specific user profiles.