Initial security configurations
Become familiar with the three initial security options and the configuration effects of each.
During installation you can enable administrative security as part of initial cell customization, a procedure referred to as "security out of the box". This protects the cell from the unauthorized modification that can occur when security is not enabled.
This article describes the three initial security options and the configuration effects of each.
Option 1: Use a z/OS security product to manage user identities and authorization policy
The z/OS system's security product is always used to control WebSphere Application Server for z/OS started task identities, and the location service daemon's digital certificate (if daemon SSL is selected). However, when this security option is selected, all WebSphere Application Server administrators and administrative groups must be defined to SAF as well. Later, if application security is enabled, the SAF security database holds those user identities as well.
This option is appropriate when servers or cells will reside entirely on z/OS systems, with SAF as the user registry. Customers who plan to implement an LDAP or custom user registry, but who will map WebSphere Application Server identities to SAF identities and use EJBROLE profiles for authorization, should also choose this option so that initial SAF EJBROLE setup is performed.
When this option is chosen during customization, SAF CBIND profiles are created and granted to the configuration group.
Digital certificates are created in the SAF security system for each server controller (deployment manager or application server controller).
Digital key rings are created in the SAF security system for the administrator, controller, controller region adjunct, and server user IDs, and the appropriate certificates are attached to these key rings.
A SAF profile prefix can also be specified when this option is chosen; the prefix becomes part of the APPL, CBIND and EJBROLE profile names used for authorization checking.
Option 2: Use WebSphere Application Server to manage user identities and authorization policy
The z/OS system's security product is always used to control WebSphere Application Server for z/OS started task identities, and the location service daemon's digital certificate (if daemon SSL is selected). However, when this security option is selected, all WebSphere Application Server users and groups for administrative access are defined in the WebSphere user registry, rather than in SAF. Later, if application security is enabled, the WebSphere Application Server user registry holds those user identities as well.
This option is appropriate when servers or cells will reside on a mix of z/OS and non-z/OS systems, as well as for customers who plan to implement an LDAP or custom user registry to replace the initial registry. (Customers who plan to implement an LDAP or custom user registry with identity mapping to SAF should select z/OS-managed security during customization; see above.)
When this option is chosen during customization, a file-based user registry is created in the configuration file system.
An administrator user ID is added to the file-based user registry.
The administrator user ID is added to the list of authorized console users.
Self-signed digital certificates for servers are created in the configuration file system automatically by WebSphere Application Server.
Option 3: Do not enable security
If this option is chosen, no administrative security is configured. Anyone with access to the administrative console port can change the server or cell configuration.
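As an added example that is not part of this article or the product, the following Python audit reads a cell's security.xml and flags a cell left in the option 3 state (administrative security off); it assumes the security.xml layout (a Security element carrying enabled, appEnabled and activeUserRegistry attributes, with userRegistries children), and the sample document is constructed.

```python
# Added example, not from the article: audit a cell's security.xml for the
# "no administrative security" state of option 3. Assumes the security.xml
# layout (Security element with enabled/appEnabled/activeUserRegistry
# attributes and userRegistries children). The sample below is constructed.
import xml.etree.ElementTree as ET

SAMPLE_SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:id="Security_1" enabled="false" appEnabled="false"
    activeUserRegistry="LocalOSUserRegistry_1">
  <userRegistries xmi:type="security:LocalOSUserRegistry"
      xmi:id="LocalOSUserRegistry_1"/>
</security:Security>
"""

def _local(name):
    """Strip the namespace prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]

def _attrs(elem):
    return {_local(k): v for k, v in elem.attrib.items()}

def audit_security_xml(xml_text):
    """Return the security state of a cell plus a list of findings."""
    root = ET.fromstring(xml_text)
    sec = next((e for e in root.iter() if _local(e.tag) == "Security"), None)
    if sec is None:
        raise ValueError("no Security element found")
    a = _attrs(sec)
    def flag(name):  # None when the attribute is absent (state unknown)
        return None if name not in a else a[name].strip().lower() == "true"
    admin, app = flag("enabled"), flag("appEnabled")
    # Resolve the active registry's type (LocalOS = SAF, WIM = file-based).
    reg_type = None
    for reg in sec.iter():
        ra = _attrs(reg)
        if _local(reg.tag) == "userRegistries" and ra.get("id") == a.get("activeUserRegistry"):
            reg_type = ra.get("type")
    findings = []
    if admin is not True:
        findings.append("administrative security is off or unknown: anyone who can reach "
                        "the administrative console port can change the cell (option 3)")
    if admin is True and app is not True:
        findings.append("application security is not enabled; only administration is protected")
    return {"admin_security": admin, "app_security": app,
            "active_registry_type": reg_type, "findings": findings}
```

Run it over each cell's cells/<cell>/security.xml after customization; a non-empty findings list means the cell still needs option 1 or 2 applied.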