Websphere Application Server V7.0 Security Guide

Websphere Application Server V7.0 Security Guide

Front cover WebSphere Application Server V7.0 Security Guide Secure WebSphere administration processes Ensure secure WebSphere applications Secure communication with SSL Carla Sadtler Fabio Albertoni Leonard Blunt Shu Guang Chen Elisa Ferracane Grzegorz Smolko Joerg-Ulrich Veser Sean Zhu ibm.com/redbooks International Technical Support Organization WebSphere Application Server V7.0 Security Guide June 2009 SG24-7660-00 Note: Before using this information and the product it supports, read the information in “Notices” on page xiii. First Edition (June 2009) This edition applies to WebSphere Application Server V7. © Copyright International Business Machines Corporation 2009. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contact an IBM Software Services Sales Specialist Start SMALL, Start BIG, ... JUST START architectural knowledge, skills, research and development . that's IBM Software Services for WebSphere. Our highly skilled consultants make it easy for you to design, build, test and deploy solutions, helping you build a smarter and more efficient business. Our worldwide network of services specialists wants you to have it all! Implementation, migration, architecture and design services: IBM Software Services has the right fit for you. We also deliver just-in-time, customized workshops and education tailored for your business needs. You have the knowledge, now reach out to the experts who can help you extend and realize the value. For a WebSphere services solution that fits your needs, contact an IBM Software Services Sales Specialist: ibm.com/developerworks/websphere/services/contacts.html Contact an IBM Software Services Sales Specialist iii iv WebSphere Application Server V7.0 Security Guide Contents Contact an IBM Software Services Sales Specialist . iii Notices . xiii Trademarks . xiv Preface . xv The team that wrote this book . xv Become a published author . xviii Comments welcome. xviii Part 1. Administrative and infrastructure security . 1 Chapter 1. Introduction. 3 1.1 Core concepts and technologies . 4 1.1.1 Global security and security domains . 4 1.1.2 Securing the administrative environment . 5 1.1.3 Defining user registries to WebSphere . 6 1.1.4 Authenticating clients . 7 1.1.5 Authorizing access to applications . 9 1.1.6 Authorization providers . 10 1.1.7 Protecting file systems with Java 2 security . 10 1.1.8 Single sign-on . 10 1.1.9 Web services security . 11 1.1.10 Messaging security . 12 1.2 Summary of new V7 security features and changes . 13 Chapter 2. Administrative security . 17 2.1 Administrative security overview . 18 2.2 Enabling administrative security . 18 2.2.1 Enabling security at profile creation . 19 2.2.2 Enabling security after profile creation . 19 2.2.3 Stopping the application server. 25 2.3 Disabling administrative security . 26 2.4 Administrative roles . 27 2.4.1 Mapping users and groups to administrative roles . 29 2.4.2 Mapping a group to an administrative role . 31 2.4.3 Mapping a user to an administrative role . 33 2.5 Fine-grained administrative security . 35 2.5.1 Authorization group . 35 © Copyright IBM Corp. 2009. All rights reserved. v 2.5.2 Granting fine-grained access . 36 2.5.3 Using fine-grained security: An example. 38 2.6 Job manager security . 41 2.7 Naming service security: CosNaming roles. 46 2.7.1 Mapping a user or a group to a CosNaming role . 47 2.7.2 Applying CosNaming security: An example . 47 Chapter 3. Using security domains . 51 3.1 Global security compared to security domains . 52 3.1.1 Attributes that can be configured in a security domain . 52 3.1.2 Configuration files . 53 3.1.3 Security domain scope . 54 3.2 Application security domain scenarios . 54 3.2.1 Scenario: Application security at the global security level. 54 3.2.2 Scenario: Security domains that override global security . 55 Chapter 4. Configuring the user registry and authentication settings . 65 4.1 User registry basics. 66 4.1.1 User registry types . 66 4.1.2 User registry content . 67 4.1.3 Using multiple registries with domains . 68 4.2 Configuring a stand-alone LDAP registry . 69 4.2.1 Configuration checklist . 70 4.2.2 Understanding the directory structure . 71 4.2.3 Configuring a stand-alone LDAP using the console . 73 4.2.4 Configuring a stand-alone LDAP using wsadmin commands . 81 4.2.5 Stand-alone LDAP dynamic and nested group configuration . 85 4.2.6 Stand-alone LDAP configuration defaults . 92 4.3 Federated repositories . 95 4.3.1 Configuration checklist . 98 4.3.2 Understanding user realms when using federated repositories . 100 4.3.3 VMM entity types. 100 4.3.4 Configuring an LDAP federated repository using the console . 101 4.3.5 Configuring VMM database base adapter features. 121 4.3.6 Configuring elements of federated repositories using wsadmin . 127 4.3.7 Configuring a database repository in VMM . 130 4.4 Authentication and authorization settings . 133 4.4.1 Identifying key authentication and authorization defaults . 137 4.4.2 Custom authentication choices . 146 Chapter 5. Secure Sockets Layer administration. 151 5.1 Secure communications using SSL. 152 5.1.1 Certificates . 153 5.1.2 Keystores and truststores . 155 vi WebSphere Application Server V7.0 Security Guide 5.1.3 SSL configurations . 156 5.2 Basic usage scenarios . 158 5.2.1 Securing administrative communication . 158 5.2.2 Securing LDAP communication . 158 5.2.3 Securing Web inbound and outbound communication . 159 5.2.4 Securing EJB inbound and outbound communication . 161 5.2.5 Securing communication with WebSphere MQ. 162 5.3 Basic SSL administration . 163 5.3.1 Creating keystores . 163 5.3.2 Managing personal certificates . 165 5.3.3 Managing signer certificates . 169 5.3.4 Recovering deleted certificates . 170 5.3.5 Certificate expiration monitoring . 172 5.3.6 Managing SSL configurations . 175 5.3.7 Creating SSL configurations . 177 5.4 Advanced concepts . 184 5.4.1 Changing default chained certificates . 184 5.4.2 Creating and defining a CA client . 186 5.4.3 SSL isolation . 191 5.5 SSL troubleshooting and traces . 191 5.5.1 Diagnostic steps . 192 5.5.2 SSL traces. 192 5.6 Implementation examples . 193 5.6.1 Securing LDAP communication . ..

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    578 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us