Server and administrative security
The term administrative security refers to providing the authentication of users that use the WebSphere® administration functions, the use of Secure Sockets Layer (SSL), and the choice of user account repository.
On z/OS, you can also:
- Share identities with many other z/OS connector services
- Use SAF delegation, which minimizes the need to store user IDs and passwords in many locations in the configuration
- Use more audit capabilities
In some cases, the realm can be the machine name of a Local OS user registry. In this case, all application servers must reside on the same physical machine. In other cases, the realm can be the machine name of a Lightweight Directory Access Protocol (LDAP) user registry. Because LDAP is a distributed user registry, it allows for a multiple node configuration in a WebSphere Application Server, Network Deployment environment. The basic requirement for a security domain is that the access ID returned by the registry from one server within the security domain is the same access ID that is returned from the registry on any other server within the same security domain. The access ID is the unique identification of a user and is used during authorization to determine if access is permitted to the resource.
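The access-ID requirement above is easy to violate when servers in one security domain point at different registries (for example, one server at a Local OS registry whose realm is its own machine name). The following script is an added example, not code from the IBM documentation; it simulates per-server registry lookups with constructed hostnames, realm names and access IDs and reports any user whose access ID is not identical on every server in the domain.

```python
"""Security-domain access-ID consistency check (added example, not IBM code).

Every server in a security domain must return the same access ID for a
given user; otherwise an authorization decision made on one server for a
subject authenticated on another server may not match. The data below is
constructed for illustration: two servers share an LDAP registry, a third
uses a Local OS registry whose realm is the machine name.
"""
from collections import defaultdict

# Constructed sample: each server's view of the user registry.
REGISTRY_VIEWS = {
    "server1": {"realm": "ldap.example.com:389",
                "users": {"alice": "user:ldap.example.com:389/uid=alice,o=example",
                          "bob": "user:ldap.example.com:389/uid=bob,o=example"}},
    "server2": {"realm": "ldap.example.com:389",
                "users": {"alice": "user:ldap.example.com:389/uid=alice,o=example",
                          "bob": "user:ldap.example.com:389/uid=bob,o=example"}},
    # Local OS registry: the realm is the machine name, so access IDs are host-bound.
    "server3": {"realm": "host3",
                "users": {"alice": "user:host3/alice",
                          "bob": "user:host3/bob"}},
}


def find_inconsistent_access_ids(views):
    """Return {user: {server: access_id}} for every user whose access ID
    differs between at least two servers in the domain."""
    ids_by_user = defaultdict(dict)
    for server, view in views.items():
        for user, access_id in view["users"].items():
            ids_by_user[user][server] = access_id
    return {user: per_server
            for user, per_server in ids_by_user.items()
            if len(set(per_server.values())) > 1}


def realms(views):
    """Sorted list of distinct realm names seen across the servers."""
    return sorted({view["realm"] for view in views.values()})


def domain_is_consistent(views):
    """True when all servers agree on the realm and on every access ID."""
    return len(realms(views)) == 1 and not find_inconsistent_access_ids(views)


if __name__ == "__main__":
    bad = find_inconsistent_access_ids(REGISTRY_VIEWS)
    print("realms:", realms(REGISTRY_VIEWS))
    for user, per_server in bad.items():
        print(f"{user}: access ID differs across servers -> {per_server}")
    print("domain consistent:", domain_is_consistent(REGISTRY_VIEWS))
```

Running it reports that `server3` returns a different access ID for both users and that two realms are present, so the three servers cannot form one security domain; dropping `server3` (or pointing it at the same LDAP registry) makes the check pass.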
- Java 2 Security Manager
- Java Authentication and Authorization Service (JAAS)
- Java 2 Connector authentication data entries
- Common Secure Interoperability Version 2 (CSIv2) and Secure Authentication Service (SAS) authentication protocol (Remote Method Invocation over the Internet Inter-ORB Protocol (RMI/IIOP) security); on z/OS, CSIv2 and z/OS Secure Authentication Service (z/SAS)
- Other miscellaneous attributes.
You can override some portions of the configuration at the server level. Where multiple nodes and multiple servers within a node are possible, you can configure certain attributes at a server level. The attributes that are configurable at a server level include security enablement for the server, Java 2 security manager enablement, and the CSIv2/SAS (on z/OS, CSIv2 and z/SAS) authentication protocol (RMI/IIOP security). You can disable security on individual application servers while administrative security is enabled; however, you cannot enable security on an individual application server while administrative security is disabled.
While application server security is disabled for user requests, administrative and naming security is still enabled for that application server so that the administrative and naming infrastructure remains secure. If cell security is enabled, but security for individual servers is disabled, Java Platform, Enterprise Edition applications are not authenticated or authorized. However, naming and administrative security is still enforced. Consequently, because naming services can be called from user applications, grant Everyone access to the naming functions that are required so that these functions accept unauthenticated requests. User code does not directly access administrative security except through the supported scripting tools.
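The asymmetry described above (a server may opt out of security under an enabled cell, but cannot opt in under a disabled one) and the fact that naming and administrative security remain enforced regardless of the server setting are easy to get wrong when reviewing a configuration. The following is an added example, not code from the product or the IBM page; it encodes those rules as a small validator over a constructed mapping of server names to their server-level setting (`None` meaning "inherit the cell setting").

```python
"""Effective security per application server (added example, not IBM code).

Rules encoded from the text:
  * With cell-level administrative security enabled, an individual server
    may have its security disabled.
  * A server cannot have security enabled while cell security is disabled.
  * When server security is disabled under an enabled cell, Java EE
    applications are neither authenticated nor authorized, but naming and
    administrative requests are still secured.
"""


class InvalidSecurityConfig(ValueError):
    """Raised for a server-level setting that the cell-level setting forbids."""


def effective_security(cell_enabled, server_enabled=None):
    """Return which request categories are authenticated/authorized on a
    server. server_enabled=None means the server inherits the cell setting."""
    if server_enabled is None:
        server_enabled = cell_enabled
    if server_enabled and not cell_enabled:
        raise InvalidSecurityConfig(
            "server security cannot be enabled while cell security is disabled")
    return {
        "applications": bool(server_enabled),   # Java EE application requests
        "naming": bool(cell_enabled),           # still enforced when server is disabled
        "administrative": bool(cell_enabled),   # still enforced when server is disabled
    }


def validate_cell(cell_enabled, servers):
    """Evaluate every server in {name: server_enabled}.

    Returns (results, errors): results maps valid servers to their effective
    security, errors maps invalid servers to the reason they were rejected.
    """
    results, errors = {}, {}
    for name, setting in servers.items():
        try:
            results[name] = effective_security(cell_enabled, setting)
        except InvalidSecurityConfig as exc:
            errors[name] = str(exc)
    return results, errors


if __name__ == "__main__":
    # Constructed server names and settings for illustration.
    results, errors = validate_cell(True, {"server1": None, "server2": False})
    for name, eff in results.items():
        print(name, eff)
    _, errors = validate_cell(False, {"server3": True})
    print("rejected:", errors)
```

The validator deliberately keeps `naming` and `administrative` tied to the cell setting only, which is the reason the text asks you to grant Everyone access to the naming functions that user applications on a security-disabled server still call.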
If you are using System Authorization Facility (SAF) authorization, then you need to ensure that the UACC field for the EJBROLE profile of CosNamingRead is set to READ, and that the unauthenticated ID has READ access to this profile.