By default, all administrative and user applications in WebSphere® Application Server
use the global security configuration. For example, a user registry
defined in global security is used to authenticate users for every
application in the cell. Out-of-the-box, this behavior is the same
as it was in previous releases of WebSphere Application
Server. You can create additional WebSphere security domains if you
want to specify different security attributes for some or all of your
user applications. This section describes how to configure a security
domain by using the administrative console.
Before you begin
Only users assigned to the administrator role can configure
or create new multiple security domains. Enable global security in
your environment before configuring multiple security domains.
Read about Multiple security domains for a
better understanding of what multiple security domains are and how
they are supported in this version of WebSphere Application Server.
About this task
Security domains enable you to define multiple security
configurations for use in your environment. For example, you can
define different security (such as a different user registry) for
user applications than for administrative applications. You can also
define separate security configurations for user applications deployed
to different servers and clusters.
Best practice: When
configuring an application domain with a realm name that is identical
to the realm name at the global domain, a lookup of users, groups
or other registry attributes returns that of the application domain.
You should configure unique realm names for each domain.
Perform
the following steps to configure a new security domain by using the
administrative console:
Procedure
- Click Security > Security domains.
- If you are creating a new multiple security domain, click New.
Supply a unique name and description for the domain and click Apply.
If you want to configure an existing multiple security domain, select
one to edit. Once you click Apply, the domain name
and additional sections are displayed. One section enables you to
define the security attributes for the domain, and another section
enables you to select the scopes to which the domain applies.
- Under Assigned Scopes, select whether you want to assign
the security domain to the entire cell or if you want to select the
specific servers, clusters, and service integration buses to be included
in the security domain. The Assigned Scopes section has
two views. The default view is a cell topology. To assign the security
domain to the entire cell, click the check box for the cell and then
click Apply or OK.
The name of the security domain
appears next to the cell name, which indicates that the domain is
now assigned to the cell. You can expand the topology and assign the
domain to one or more servers and clusters. When an item in the topology
is already assigned to another security domain, the check box is disabled
and the name of the assigned domain is displayed to the right of the
scope name. If you want to assign one of these scopes to the domain,
you must first disassociate it from its current domain.
Select All
assigned scopes to view a list of only those resources that are
currently assigned to the security domain.
- Customize your security configuration by specifying security
attributes for your new domain. Attributes that are not
listed cannot be customized at the domain level. Domains inherit
attributes from the global security configuration.
There are twelve
individually configurable security attribute sections. You can expand
and collapse each section. In the collapsed state, the name and a
summary value for the section are displayed. Additionally, the summary
value text indicates whether the attribute is defined in global security
and is reused by the domain (as indicated by gray text) or if it is
customized for the domain (as indicated by black text prefixed by
the word “Customized”).
Initially, each security attribute
is set to use the global security settings. When an attribute is
set to use global security, there is no domain-specific configuration
for that attribute. Applications that use the domain use the global
configuration for these security attributes.
Only configure
the security attributes that you want to change. To configure a security
attribute for a domain, expand the security attribute section. The
key properties of the global configuration display beneath the Use
global security option. These properties are provided for convenience.
To customize the configuration for the domain, select Customize for
this domain. Configure the property and then click OK or Apply.
Note: In general, when you select Customize for this domain,
you override all of the security configurations that are defined for
that section in global security. Application logins, system logins,
and J2C authentication data entries are some exceptions. When you
define entries for a domain, applications in the domain are able to
access the global entries in addition to the domain-specific entries.
For
example, you might want to use a different user registry for applications
that use the security domain but also want to use the global security
configuration for all of the other security properties. In this case,
expand the User Realm section and select Customize for this domain.
Select a user registry type, click Configure, and provide
the appropriate configuration details on the subsequent panel.
You
can change security attributes such as the following:
- Application Security
- Specifies the settings for application security and Java 2 security. You can use the global security
settings or customize the settings for a domain.
Select Enable
application security to enable or disable application security
for user applications. When this selection is disabled, all of the
EJBs and web applications in the security domain are no longer protected.
Access is granted to these resources without user authentication.
When you enable this selection, J2EE security is enforced for
all of the EJBs and web applications in the security domain. J2EE
security is only enforced when Global Security is enabled in the global
security configuration (that is, you cannot enable application security
without first enabling Global Security at the global level).
- Java 2 Security
- Select Java 2 security to enable or disable Java 2 security
at the domain level. Java 2 security is enabled or disabled at the
process (JVM) level, so this choice affects all applications (both
administrative and user) that run in that process.
- User realm
This section enables you to configure the user registry for
the security domain. You can separately configure any registry that
is used at the domain level. Read about Multiple security domains for more
information.
- Trust association
- When you configure the trust association interceptor (TAI) at
a domain level, the interceptors configured at the global level are
copied to the domain level for convenience. You can modify the interceptor
list at the domain level to fit your needs. Only configure those interceptors
that are to be used at the domain level.
- SPNEGO Web Authentication
- The SPNEGO web authentication, which enables you to configure
SPNEGO for web resource authentication, can be configured at the domain
level.
Note: In WebSphere Application
Server Version 6.1, a TAI that uses the Simple and Protected GSS-API
Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate
HTTP requests for secured resources was introduced. This function
was deprecated in WebSphere Application
Server 7.0. SPNEGO web authentication has taken its place to provide
dynamic reload of the SPNEGO filters and to enable fallback to the
application login method.
- RMI/IIOP Security
The RMI/IIOP security attribute refers to the CSIv2 (Common
Secure Interoperability version 2) protocol properties. When you configure
these attributes at the domain level, the RMI/IIOP security configuration
at the global level is copied for convenience.
You can change
the attributes that need to be different at the domain level. The
Transport layer settings for CSIv2 inbound communications should be
the same for both the global and the domain levels. If they are different,
the domain level attributes are applied to all of the applications
in the process.
- JAAS application logins
- Specifies the configuration settings for the Java Authentication and Authorization Service
(JAAS) application logins. You can use the global security settings
or customize the settings for a domain.
Note: The JAAS application
logins, the JAAS system logins, and the JAAS J2C authentication data
aliases can all be configured at the domain level. By default, all
of the applications in the system have access to the JAAS logins configured
at the global level. The security runtime first checks for the JAAS
logins at the domain level. If it does not find them, it then checks
for them in the global security configuration. Configure any of these
JAAS logins at a domain only when you need to specify a login that
is used exclusively by the applications in the security domain.
- JAAS system logins
- Specifies the configuration settings for the JAAS system logins.
You can use the global security settings or customize the configuration
settings for a domain.
- JAAS J2C authentication
- Specifies the configuration settings for the JAAS J2C authentication
data. You can use the global security settings or customize the settings
for a domain.
- Java Authentication SPI
(JASPI)
Specifies the configuration settings for a Java Authentication SPI (JASPI) authentication
provider and associated authentication modules. You can use the global
security settings or customize the settings for a domain. To configure
JASPI authentication providers for a domain, select Customize for
this domain and then enable JASPI. Select Providers to
define providers for the domain.
Note: The JASPI authentication
provider can be enabled with providers configured at the domain level.
By default, all of the applications in the system have access to the
JASPI authentication providers configured at the global level. The
security runtime first checks for the JASPI authentication providers
at the domain level. If it does not find them, it then checks for
them in the global security configuration. Configure JASPI authentication
providers at a domain only when the provider is to be used exclusively
by the applications in that security domain.
- Authentication Mechanism Attributes
Specifies the various cache settings that need to be applied at
the domain level.
Select Authentication cache settings to
specify your authentication cache settings. The configuration specified
on this panel is applied only to this domain.
Select LTPA
Timeout to configure a different LTPA timeout value at the domain
level. The default timeout value is 120 minutes, which is set at the
global level. If the LTPA timeout is set at the domain level, any
token that is created in the security domain when accessing user applications
is created with this expiration time.
When Use realm-qualified
user names is enabled, user names returned by methods such as getUserPrincipal()
are qualified with the security realm (user registry) used
by applications in the security domain.
- Authorization Provider
You can configure an external third party JACC (Java Authorization Contract for Containers)
provider at the domain level. Tivoli® Access
Manager's JACC provider can only be configured at the global level.
Security domains can still use it if they do not override the authorization
provider with another JACC provider or with the built-in native authorization.
[z/OS] You can additionally
configure the SAF authorization options at the security domain level,
which are the following:
- The unauthenticated user id
- The SAF profile mapper
- Whether to enable SAF delegation
- Whether to use the APPL profile to restrict access to WebSphere
Application Server
- Whether to suppress authorization failed messages
- The SMF audit record strategy
- The SAF profile prefix
For more information on the SAF authorization
options, read about z/OS System Authorization Facility authorization.
- z/OS® security options
You can set z/OS specific
security options at the process (JVM) level so that all applications
(both administrative and user) can enable or disable these options.
These properties are:
- Enabling application server and z/OS thread
identity synchronization
- Enabling the connection manager RunAs thread identity.
For more information on the z/OS security
options, read about z/OS security options.
- Custom properties
- Set custom properties at the domain level that are either new
or different from those at the global level. By default, all of the
custom properties at the global security configuration can be accessed
by all of the applications in the cell. The security runtime code
first checks for the custom property at the domain level. If it does
not find it, it then attempts to obtain the custom property from the
global security configuration.
- Once you have configured the security attributes and assigned
the domain to one or more scopes, click Apply or OK.
- Restart all servers and clusters for your changes to take
effect.
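The following is an added, runnable model of the resolution rules this procedure describes: a scope can be assigned to only one domain at a time, each attribute section is either left at "Use global security" or customized for the domain, the additive sections (JAAS application logins, system logins, J2C authentication data, and custom properties) are looked up at the domain level first and then in global security, application security only takes effect when global security is on, and realm names should be unique per domain. It is illustration code written for this page, not WebSphere's own code or its wsadmin API; all domain, scope, realm, login, and property names are constructed, and the rule that a direct server assignment is consulted before a cell-wide one is an assumption of the model.

```python
from dataclasses import dataclass, field

USE_GLOBAL = object()   # sentinel: section left at "Use global security"

# Sections whose domain-level entries are added to the global entries rather
# than replacing them (the exceptions noted in the procedure above).
ADDITIVE_SECTIONS = {"jaasAppLogins", "jaasSystemLogins", "j2cAuthData", "customProperties"}


class SecurityDomainError(Exception):
    """Raised for a duplicate domain name or a scope that is already assigned."""


@dataclass
class SecurityDomain:
    name: str
    description: str = ""
    attributes: dict = field(default_factory=dict)  # section -> customized value


class Cell:
    def __init__(self, global_security):
        self.global_security = global_security  # section -> global configuration value
        self.domains = {}                       # domain name -> SecurityDomain
        self.assignments = {}                   # scope name -> domain name

    def create_domain(self, name, description=""):
        if name in self.domains:
            raise SecurityDomainError("domain name must be unique: " + name)
        self.domains[name] = SecurityDomain(name, description)
        return self.domains[name]

    def assign_scope(self, domain_name, scope):
        # A scope belongs to one domain only; it must be disassociated first.
        owner = self.assignments.get(scope)
        if owner is not None and owner != domain_name:
            raise SecurityDomainError("%s is already assigned to %s" % (scope, owner))
        self.assignments[scope] = domain_name

    def unassign_scope(self, scope):
        self.assignments.pop(scope, None)

    def customize(self, domain_name, section, value):
        # Equivalent of choosing "Customize for this domain" for one section.
        self.domains[domain_name].attributes[section] = value

    def domain_for_scope(self, scope):
        # Model assumption: a direct server/cluster assignment is consulted
        # first, then a cell-wide assignment; otherwise the scope is global-only.
        name = self.assignments.get(scope, self.assignments.get("cell"))
        return self.domains.get(name) if name else None

    def effective(self, scope, section):
        """Value of one security section as seen by applications in `scope`."""
        global_value = self.global_security.get(section)
        domain = self.domain_for_scope(scope)
        if domain is None:
            return global_value
        value = domain.attributes.get(section, USE_GLOBAL)
        if value is USE_GLOBAL:
            return global_value             # inherited from global security
        if section in ADDITIVE_SECTIONS:
            merged = dict(global_value or {})
            merged.update(value)            # domain entry is found first
            return merged
        return value                        # customized section replaces global

    def lookup_entry(self, scope, section, key):
        """JAAS login or custom property lookup: domain level first, then global."""
        return (self.effective(scope, section) or {}).get(key)

    def application_security_enforced(self, scope):
        # Application security only takes effect when global security is enabled.
        return bool(self.global_security.get("globalSecurityEnabled")) and \
            bool(self.effective(scope, "appSecurityEnabled"))

    def realm_name_conflicts(self):
        """Domains whose customized realm name duplicates the global realm name."""
        global_realm = self.global_security.get("userRealm", {}).get("realm")
        return sorted(d.name for d in self.domains.values()
                      if d.attributes.get("userRealm", {}).get("realm") == global_realm)


def build_sample_cell():
    """Constructed sample: global security plus one domain for user applications."""
    cell = Cell({
        "globalSecurityEnabled": True,
        "appSecurityEnabled": True,
        "userRealm": {"type": "LocalOS", "realm": "globalRealm"},       # constructed names
        "ltpaTimeoutMinutes": 120,
        "jaasAppLogins": {"ExampleGlobalLogin": "global-login"},       # constructed alias
        "customProperties": {"com.example.prop": "global-value"},      # constructed property
    })
    cell.create_domain("appDomain", "separate user registry for user applications")
    cell.customize("appDomain", "userRealm", {"type": "LDAP", "realm": "appRealm"})
    cell.customize("appDomain", "ltpaTimeoutMinutes", 30)
    cell.customize("appDomain", "jaasAppLogins", {"AppLogin": "domain-login"})
    cell.assign_scope("appDomain", "server1")
    return cell


if __name__ == "__main__":
    c = build_sample_cell()
    print("server1 realm:", c.effective("server1", "userRealm")["realm"])
    print("server1 inherited login:", c.lookup_entry("server1", "jaasAppLogins", "ExampleGlobalLogin"))
    print("server2 LTPA timeout (global):", c.effective("server2", "ltpaTimeoutMinutes"))
```

Running the sample shows the two behaviours the procedure calls out: `server1`, which is assigned to `appDomain`, sees the customized LDAP realm and the shorter LTPA timeout but still finds the global JAAS login and global custom property, while an unassigned server sees only the global configuration; trying to assign `server1` to a second domain raises until the scope is disassociated, and `realm_name_conflicts()` flags a domain that reuses the global realm name.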