Initial security configurations

During installation you now have the option of enabling administrative security during initial cell customization; this procedure is referred to as "security out of the box". It protects the cell from the unauthorized modification that is possible when security is not enabled.

When a new standalone application server or Network Deployment cell is created, there are three initial security choices in WebSphere® Application Server for z/OS® Version 7.0:
  • Use a z/OS security product to manage user identities and authorization policy
  • Use WebSphere Application Server to manage user identities and authorization policy
  • Do not enable security

This article describes the three initial security options and the configuration effects of each.

Remember that WebSphere Application Server for z/OS always requires the presence of a SAF-compliant security system to provide operating system security. Regardless of which security option is chosen:

Note: Each of the initial security configurations is basic, requiring few choices during customization; after configuration is complete, additional work is usually required to match cell security policies to the needs of the enterprise. See the Security section of the InfoCenter for more information.

Option 1: Use a z/OS security product to manage user identities and authorization policy

If this option is chosen during customization:
  1. Each WebSphere Application Server user and group identity corresponds to a user ID or group in the z/OS system's SAF-compliant security system (IBM's RACF®, or an equivalent product).
  2. Access to WebSphere Application Server roles is controlled using the SAF EJBROLE profile.
  3. Digital certificates for SSL communication are stored in the z/OS security product.

The z/OS system's security product is always used to control WebSphere Application Server for z/OS started task identities, and the location service daemon's digital certificate (if daemon SSL is selected). However, when this security option is selected, all WebSphere Application Server administrators and administrative groups must be defined to SAF as well. Later, if application security is enabled, the SAF security database holds those user identities as well.

This option is appropriate when servers or cells will reside entirely on z/OS systems, with SAF as the user registry. Customers who plan to implement an LDAP or custom user registry, but who will map WebSphere Application Server identities to SAF identities and use EJBROLE profiles for authorization, should also choose this option so that initial SAF EJBROLE setup is performed.

When this option is chosen during customization, the following SAF user IDs are created:
  • An administrator user ID
  • An "unauthorized user" ID, to represent WebSphere Application Server identities which have not been authenticated

SAF EJBROLE profiles for administrative roles (administrator, configuration, deployer, monitor and operator) are created, and the administrator user ID is granted the administrator role.

SAF CBIND profiles are created, and granted to the configuration group.

Digital certificates are created in the SAF security system for each server controller (deployment manager or application server controller).

Digital key rings are created in the SAF security system for the administrator, controller, controller region adjunct, and server user IDs, and the appropriate certificates are attached to these key rings.

A SAF profile prefix may be specified when this option is chosen; the SAF profile prefix becomes part of the APPL, CBIND and EJBROLE profile names used for authorization checking.

Option 2: Use WebSphere Application Server to manage user identities and authorization policy

If this option is chosen during customization:
  1. Each WebSphere Application Server user and group identity corresponds to an entry in a WebSphere Application Server user registry. The initial user registry is a simple file-based user registry, created during customization and residing in the configuration file system.
  2. Access to WebSphere Application Server roles is controlled using WebSphere Application Server role bindings. In particular, administrative roles are controlled using the "Console users and groups" settings in the administrative console.
  3. Digital certificates for SSL communication are stored in the configuration file system.

The z/OS system's security product is always used to control WebSphere Application Server for z/OS started task identities, and the location service daemon's digital certificate (if daemon SSL is selected). However, when this security option is selected, all WebSphere Application Server users and groups for administrative access are defined in the WebSphere user registry, rather than in SAF. Later, if application security is enabled, the WebSphere Application Server user registry holds those user identities as well.

This option is appropriate when servers or cells will reside on a mix of z/OS and non-z/OS systems, as well as for customers who plan to implement an LDAP or custom user registry to replace the initial registry. (Customers who plan to implement an LDAP or custom user registry with identity mapping to SAF should select z/OS-managed security during customization; see above.)

When this option is chosen during customization, a file-based user registry is created in the configuration file system.

An administrator user ID (and an optional samples user ID and group) are added to the file-based user registry.

The administrator user ID is added to the list of authorized console users.

Self-signed digital certificates for servers are created in the configuration file system automatically by WebSphere Application Server.

Option 3: Do not enable security

If this option is chosen, no administrative security is configured. Anyone with access to the administrative console port can make changes to the server or cell configuration.
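As an added check that is not part of the original topic, the following Python script reads a cell's security.xml and reports which of the three initial options it corresponds to, flagging Option 3 (administrative security off) as a finding. The attribute and property names it inspects (enabled, activeUserRegistry, xmi:type, com.ibm.security.SAF.authorization, com.ibm.security.SAF.profilePrefix) and the prefix.role form of EJBROLE names are assumptions about the file format; the sample fragments are constructed, not taken from a real cell.

```python
"""Classify a WebSphere cell's initial security option from security.xml.
Option 1 = SAF-managed, Option 2 = WebSphere-managed, Option 3 = not enabled.
XML shape and property names are assumptions modelled on a WAS security.xml."""
import xml.etree.ElementTree as ET

XMI = "http://www.omg.org/XMI"
SEC = "http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"


def sample_security_xml(enabled, registry_type, saf_authz, prefix=""):
    """Build a constructed security.xml fragment for testing (not a real cell's file)."""
    props = ""
    if saf_authz:
        props += '  <properties name="com.ibm.security.SAF.authorization" value="true"/>\n'
    if prefix:
        props += f'  <properties name="com.ibm.security.SAF.profilePrefix" value="{prefix}"/>\n'
    return (f'<security:Security xmlns:xmi="{XMI}" xmlns:security="{SEC}" '
            f'enabled="{str(enabled).lower()}" appEnabled="false" '
            f'activeUserRegistry="{registry_type}_1">\n'
            f'  <userRegistries xmi:type="security:{registry_type}" '
            f'xmi:id="{registry_type}_1"/>\n{props}</security:Security>')


def ejbrole_profile(prefix, role):
    """EJBROLE profile name; the 'prefix.role' form when a prefix is set is an assumption."""
    return f"{prefix}.{role}" if prefix else role


def classify(xml_text):
    """Return which initial security option the configuration corresponds to."""
    root = ET.fromstring(xml_text)
    if root.get("enabled", "false").lower() != "true":
        # Option 3: anyone reaching the administrative console port can change the cell.
        return {"option": 3, "finding": "administrative security disabled"}
    active = root.get("activeUserRegistry")
    # The active registry is the <userRegistries> element whose xmi:id matches.
    reg_type = next((r.get(f"{{{XMI}}}type", "") for r in root.iter("userRegistries")
                     if r.get(f"{{{XMI}}}id") == active), "")
    props = {p.get("name"): p.get("value") for p in root.iter("properties")}
    saf_authz = props.get("com.ibm.security.SAF.authorization", "false").lower() == "true"
    prefix = props.get("com.ibm.security.SAF.profilePrefix", "")
    if reg_type.endswith("LocalOSUserRegistry") and saf_authz:
        # Option 1: identities live in SAF and roles are checked via EJBROLE profiles.
        return {"option": 1, "registry": reg_type, "saf_profile_prefix": prefix,
                "admin_ejbrole": ejbrole_profile(prefix, "administrator")}
    # Option 2: WebSphere-managed registry (file-based, LDAP or custom) with role bindings.
    return {"option": 2, "registry": reg_type, "saf_profile_prefix": prefix}


if __name__ == "__main__":
    print(classify(sample_security_xml(True, "LocalOSUserRegistry", True, "WASCELL1")))
    print(classify(sample_security_xml(False, "WIMUserRegistry", False)))
```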

A post-customization security setup is recommended.

The initial security setup options in WebSphere Application Server are very basic, and are intended only to provide initial administrative security. After your server or cell is up and running, you may wish to:
  • Switch to another user registry. You can use LDAP or a custom user registry instead of the SAF security database or file-based registry.
  • Define additional administrators, or distribute administrative roles.
  • Implement application security.


Last updated: May 16, 2013 11:33:12 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=v701sca&product=was-nd-mp&topic=rins_initsec
File name: rins_initsec.html