Become familiar with the three initial security options
and the configuration effects of each.
During installation you now have the option of enabling administrative
security during initial cell customization; this procedure is referred
to as "security out of the box". It protects the cell from the unauthorized
modification that is possible when security is not enabled.
When a new standalone application server or Network Deployment
cell is created, there are three initial security choices in WebSphere® Application Server for z/OS® Version
8.5:
- Use a z/OS security product to manage user identities
and authorization policy
- Use WebSphere Application Server to manage
user identities and the authorization policy
- Do not enable security
This article describes the three initial security options and the
configuration effects of each.
Remember that WebSphere Application Server for z/OS always
requires the presence of a SAF-compliant security system to provide
operating system security. Regardless of which security option is
chosen:
- SAF user IDs for WebSphere Application Server
started tasks are always created during customization.
- SAF groups for the configuration group, servant group and local
user group are created during customization and granted the necessary
permissions.
- SAF SERVER profiles are used to control servant access to controller
regions.
- If daemon SSL is selected during customization, a key ring and
digital certificate for the daemon are created in SAF.
Note: Each of the initial security configurations is basic, requiring
few choices during customization; after configuration is complete,
additional work is usually required to match cell security policies
to the needs of the enterprise. See the Security section of the InfoCenter
for more information.
Option 1: Use a z/OS security product to manage user identities and authorization policy
If this option is chosen during customization:
- Each WebSphere Application Server user and group
identity corresponds to a user ID or group in the z/OS system's
SAF-compliant security system (IBM's RACF®,
or an equivalent product).
- Access to WebSphere Application Server roles is controlled
using the SAF EJBROLE profile.
- Digital certificates for SSL communication are stored in the z/OS security
product.
The z/OS system's security product is always used
to control WebSphere Application Server for z/OS started
task identities, and the location service daemon's digital certificate
(if daemon SSL is selected). However, when this security option
is selected, all WebSphere Application Server administrators
and administrative groups must be defined to SAF as well. Later,
if application security is enabled, the SAF security database holds
those user identities as well.
This option is appropriate when
servers or cells will reside entirely on z/OS systems,
with SAF as the user registry. Customers who plan to implement an
LDAP or custom user registry, but who will map WebSphere Application
Server identities to SAF identities and use EJBROLE profiles for authorization,
should also choose this option so that initial SAF EJBROLE setup is
performed.
When this option is chosen during customization,
the following SAF user IDs are created:
- An administrator user ID
- An unauthorized-user ID, to represent WebSphere Application
Server identities which have not been authenticated
SAF EJBROLE profiles for administrative roles (administrator,
configuration, deployer, monitor and operator) are created, and the
administrator user ID is granted the administrator role.
SAF CBIND profiles are created, and granted to the configuration group.
Digital certificates are created in the SAF security system
for each server controller (deployment manager or application server
controller).
Digital key rings are created in the SAF security
system for the administrator, controller, controller region adjunct,
and server user IDs, and the appropriate certificates are attached
to these key rings.
A SAF profile prefix may be specified when
this option is chosen; the SAF profile prefix becomes part of the
APPL, CBIND and EJBROLE profile names used for authorization checking.
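As an added illustration (not the customization job the product generates), the RACF commands below show how a SAF profile prefix becomes part of the APPL, CBIND and EJBROLE profile names, how the administrator user ID is granted the administrator role, and how to verify the result. The prefix BBOSTDP, the user ID WSADMIN and the configuration group WSCFG1 are assumed placeholders; the access levels shown are typical and should be compared with the generated customization jobs for your cell.

```tso
/* Assumed placeholders: prefix BBOSTDP, admin user WSADMIN, config group WSCFG1 */

/* APPL profile: the profile name is the SAF profile prefix itself.          */
/* Users must hold READ access to authenticate to this cell.                */
RDEFINE APPL BBOSTDP UACC(NONE)
PERMIT BBOSTDP CLASS(APPL) ID(WSCFG1) ACCESS(READ)
PERMIT BBOSTDP CLASS(APPL) ID(WSADMIN) ACCESS(READ)

/* EJBROLE profiles for the administrative roles: <prefix>.<role>.          */
/* Role names are mixed case, so the EJBROLE class must allow mixed case.   */
RDEFINE EJBROLE BBOSTDP.administrator UACC(NONE)
RDEFINE EJBROLE BBOSTDP.configurator UACC(NONE)
RDEFINE EJBROLE BBOSTDP.deployer UACC(NONE)
RDEFINE EJBROLE BBOSTDP.monitor UACC(NONE)
RDEFINE EJBROLE BBOSTDP.operator UACC(NONE)

/* Only the administrator user ID is granted the administrator role.        */
PERMIT BBOSTDP.administrator CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)

/* CBIND profiles: CB.BIND.<prefix>.<cluster> and CB.<prefix>.<cluster>.    */
/* Generic profiles cover every cluster under the prefix; access levels     */
/* below are assumed and must match the generated customization jobs.      */
SETROPTS GENERIC(CBIND)
RDEFINE CBIND CB.BIND.BBOSTDP.* UACC(NONE)
PERMIT CB.BIND.BBOSTDP.* CLASS(CBIND) ID(WSCFG1) ACCESS(CONTROL)
RDEFINE CBIND CB.BBOSTDP.* UACC(NONE)
PERMIT CB.BBOSTDP.* CLASS(CBIND) ID(WSCFG1) ACCESS(READ)

/* Activate the changes in the RACLISTed classes.                           */
SETROPTS RACLIST(APPL) REFRESH
SETROPTS RACLIST(EJBROLE) REFRESH
SETROPTS RACLIST(CBIND) REFRESH
SETROPTS GENERIC(CBIND) REFRESH

/* Verification: list the access list of the administrator role and         */
/* confirm that only WSADMIN appears with READ and that UACC is NONE.       */
RLIST EJBROLE BBOSTDP.administrator AUTHUSER
RLIST CBIND CB.BIND.BBOSTDP.* AUTHUSER
```

The RLIST output is the check to repeat after any later change to cell security: an unexpected ID with READ on BBOSTDP.administrator, or a UACC other than NONE, means an identity outside the intended administrators can manage the cell.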
Option 2: Use WebSphere Application Server to manage user identities and authorization policy
If this option is chosen during customization:
- Each WebSphere Application Server user and group
identity corresponds to an entry in a WebSphere Application
Server user registry. The initial user registry is a simple file-based
user registry, created during customization, and residing in the configuration
file system.
- Access to WebSphere Application Server roles is controlled
using WebSphere Application Server role bindings.
In particular, administrative roles are controlled using the console
users and groups settings in the administrative console.
- Digital certificates for SSL communication are stored in the configuration
file system.
The z/OS system's security product is always used
to control WebSphere Application Server for z/OS started
task identities, and the location service daemon's digital certificate
(if daemon SSL is selected). However, when this security option
is selected, all WebSphere Application Server users and
groups for administrative access are defined in the WebSphere user
registry, rather than in SAF. Later, if application security is enabled,
the WebSphere Application Server user registry
holds those user identities as well.
This option is appropriate
when servers or cells will reside on a mix of z/OS and
non-z/OS systems, as well as for customers who plan to implement an
LDAP or custom user registry to replace the initial registry. (Customers
who plan to implement an LDAP or custom user registry with identity
mapping to SAF should select z/OS-managed security during customization;
see above.)
When this option is chosen during customization,
a file-based user registry is created in the configuration file system.
An administrator user ID is added to the file-based user registry.
The administrator user ID is added to the list of authorized console users.
Self-signed digital certificates for servers are created in the configuration
file system automatically by WebSphere Application Server.
Option 3: Do not enable security
If this option is chosen, no administrative security is configured. Anyone
with access to the administrative console port can make changes to
the server or cell configuration.
A post-customization security setup is recommended.
The initial security setup options in WebSphere Application
Server are very basic, and are intended only to provide initial administrative
security. After your server or cell is up and running, you may wish
to:
- Switch to another user registry. You can use LDAP or a custom
user registry instead of the SAF security database or file-based registry.
- Define additional administrators, or distribute administrative
roles.
- Implement application security.