WebSphere® Application Server, Network Deployment supports centralized management of distributed nodes and application servers. This support inherently brings complexity, especially when security is included. Because everything is distributed, security plays an even larger role in ensuring that communications are appropriately secure between application servers and node agents, and between node agents (a node-specific configuration manager) and the deployment manager (a domain-wide, centralized configuration manager).
Because the processes are distributed, the authentication mechanism that is used must support an authentication token, such as Lightweight Third Party Authentication (LTPA). LTPA tokens are encrypted, signed, and forwardable to remote processes. However, the tokens have expiration times, which are set in the WebSphere Application Server administrative console. The SOAP connector, which is the default connector, is used for administrative security and has no retry logic for expired tokens. Because the SOAP protocol is stateless, a new token is created for each request if the time remaining in the current token is not sufficient to run the request. The alternative is the Remote Method Invocation (RMI) connector, which is stateful and has some retry logic that corrects expired tokens by resubmitting the request after the error is detected. Also, because tokens expire at a specific time, synchronization of the system clocks is crucial to the proper operation of token-based validation. If the clocks differ by too much (approximately 10-15 minutes), you can encounter unrecoverable validation failures that are avoided simply by keeping the clocks in sync. Verify that the clock time, date, and time zone are correct on all systems. It is acceptable for nodes to be in different time zones, provided that the times are correct within those time zones (for example, 5 PM CST = 6 PM EST).
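The following Python script is an added illustration, not IBM code and not part of this page; it shows the two checks the paragraph above implies. First, it normalizes each node's reported local time to UTC and flags nodes whose clocks differ from the deployment manager by more than a tolerance (5 minutes is an assumed alerting threshold, chosen to be well inside the 10-15 minute range at which the page says validation fails; the node names and timestamps are constructed sample values). Second, it models the two connector behaviours: the stateless SOAP rule of minting a new token when the remaining lifetime cannot cover the request, and the stateful RMI-style retry that resubmits once after an expired-token error.

```python
from datetime import datetime, timezone

# Assumed alerting threshold in seconds: alert at 5 minutes of skew, well
# before the approximately 10-15 minutes at which LTPA validation fails.
MAX_SKEW_SECONDS = 5 * 60

# Constructed sample input: each node's local time with its UTC offset, as
# you might collect from `date` on each host. Node names are hypothetical.
NODE_CLOCKS = {
    "dmgr01": "2024-03-01T17:00:00-06:00",  # 5 PM CST (reference node)
    "node01": "2024-03-01T18:00:10-05:00",  # 6 PM EST, only 10 s ahead
    "node02": "2024-03-01T17:20:00-06:00",  # same zone, 20 minutes fast
}


def parse_node_clock(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp that carries a UTC offset and convert it
    to UTC. Comparing in UTC is what makes 5 PM CST equal to 6 PM EST."""
    dt = datetime.fromisoformat(stamp)
    if dt.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset: %r" % stamp)
    return dt.astimezone(timezone.utc)


def find_skewed_nodes(clocks, reference="dmgr01", tolerance=MAX_SKEW_SECONDS):
    """Return {node: skew_in_seconds} for every node whose clock differs
    from the reference node by more than the tolerance (positive = fast)."""
    ref = parse_node_clock(clocks[reference])
    skewed = {}
    for name, stamp in clocks.items():
        if name == reference:
            continue
        delta = int((parse_node_clock(stamp) - ref).total_seconds())
        if abs(delta) > tolerance:
            skewed[name] = delta
    return skewed


def needs_new_token(token_expiry: datetime, now: datetime, expected_seconds: int) -> bool:
    """Stateless SOAP-connector rule: mint a fresh token for this request
    when the remaining lifetime cannot cover the expected request time."""
    remaining = (token_expiry - now).total_seconds()
    return remaining < expected_seconds


class TokenExpired(Exception):
    """Raised by the transport when the server rejects an expired token."""


def submit_with_retry(send, mint_token, max_retries=1):
    """Stateful RMI-style behaviour: on an expired-token error, obtain a new
    token and resubmit the same request, up to max_retries times."""
    token = mint_token()
    for attempt in range(max_retries + 1):
        try:
            return send(token)
        except TokenExpired:
            if attempt == max_retries:
                raise
            token = mint_token()


if __name__ == "__main__":
    for node, skew in find_skewed_nodes(NODE_CLOCKS).items():
        print("clock skew on %s: %+d s (exceeds %d s)" % (node, skew, MAX_SKEW_SECONDS))
```

In the sample data node01 sits in a different time zone but agrees with the deployment manager within 10 seconds, so it is not reported, while node02 is in the same zone yet 20 minutes fast and is flagged; that is exactly the distinction the paragraph draws between "different time zone" (acceptable) and "wrong time" (not acceptable).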
The WebSphere z/OS Profile
Management Tool or the zpmt command uses the same certificate
authority to generate certificates for all servers within a given
cell, including those of the node agents and the deployment manager.