Securing your environment after installation


Overview

WebSphere Application Server depends on several configuration files created during installation. These files contain password information and need protection. Although the files are protected to a limited degree during installation, this basic level of protection is probably not sufficient for your site. Verify that these files are protected in compliance with the policies of your site.

The files in the install_root/config and install_root/properties directories, except for those in the following list, need protection. Grant access to the user who logs on to the system to perform the primary WAS administrative tasks. Other users or groups who perform partial WAS administrative tasks, such as WAS console users and console groups that configure, start and stop servers, also need permissions. The files in the install_root/properties directory that should not be protected are:

  1. Secure files on a Windows system:

1. Open Windows Explorer (or another file browser) to view the files and directories on the machine.

    2. Locate and right-click the file or the directory to protect.

3. Click Properties, then open the Security tab.

    4. Remove the Everyone entry and any other user or group that should not have access to the file or directory.

    5. Add the users who need access to the files, with the appropriate permissions.

  2. Secure files on UNIX systems.

    This procedure applies only to the ordinary UNIX file system. If your site uses access-control lists, secure the files by using that mechanism. Any site-specific requirements can affect the desired owner, group and corresponding privileges. For example, on AIX,

1. Go to the install_root directory and change the ownership of the config and properties directories to the user who logs on to the system to perform the primary WAS administrative tasks.

      Execute the following command:

      chown -R login_name directory_name

      Where:

      • login_name is the user who is to own the files. To set the owning group at the same time, use the login_name:group_name form.

      • directory_name is the name of the directory that contains the files.

      It is recommended that you assign ownership of the files containing password information to the user who runs the application server. If more than one user runs the application server, grant access to the group to which those users are assigned in the user registry.

    2. Set up the permission by executing the following command:

      chmod -R 770 directory_name

    3. Go to the install_root/properties directory and grant all users access to the files that must remain readable by everybody, by executing the following command...

      chmod 777 file_names

      ...where file_names are the following files. Note that mode 777 also grants write access to every user on the system; confirm that your site policy permits this for these files.

4. Create a group for WAS and put the users who perform full or partial WAS administrative tasks in that group. This is the group to which the config and properties directories should belong.

5. Restrict access to the /var/mqm directories and the log files needed for embedded messaging or for WebSphere MQ as the JMS provider. Give write access only to the mqm user ID or to members of the mqm group.
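The UNIX steps above, carried out by a script and followed by the permission check that the "What to do next" section asks for. This is an added example and not IBM's code; it assumes paths contain no whitespace, only attempts chown when run as root, and takes the names of the files that stay world-accessible as arguments rather than hard-coding them (the page lists those files separately). The demo at the end runs against a constructed install_root in a temporary directory; "security.xml" and "shared.props" there are stand-ins, not the product's real file list.

```shell
#!/bin/sh
# Added example (not from the IBM page). Assumptions: paths without whitespace;
# chown only when root; world-accessible file names supplied by the caller.
set -e

# secure_was_dirs INSTALL_ROOT OWNER GROUP [WORLD_ACCESS_FILE ...]
# Step 1: owner/group on install_root/config and install_root/properties.
# Step 2: mode 770 on both trees.
# Step 3: mode 777 on the named files under install_root/properties.
secure_was_dirs() {
  root=$1; owner=$2; group=$3; shift 3
  for d in "$root/config" "$root/properties"; do
    if [ "$(id -u)" -eq 0 ]; then
      chown -R "$owner:$group" "$d"
    else
      echo "warning: not root, skipping chown of $d" >&2
    fi
    chmod -R 770 "$d"
  done
  for f in "$@"; do
    chmod 777 "$root/properties/$f"
  done
}

# audit_world_access INSTALL_ROOT [ALLOWED_FILE ...]
# Lists every file or directory under config/ and properties/ whose "other"
# bits grant read, write or execute, skipping the allowed names.
# Returns 1 if anything was listed, 0 if the trees are clean.
audit_world_access() {
  root=$1; shift
  allowed=" $* "
  bad=0
  for p in $(find "$root/config" "$root/properties" \
               \( -perm -004 -o -perm -002 -o -perm -001 \) -print); do
    case "$allowed" in
      *" $(basename "$p") "*) continue ;;
    esac
    echo "world-accessible: $p"
    bad=1
  done
  return "$bad"
}

# Demo on a constructed install_root in a temp directory (not a real install).
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/config/cells" "$tmp/properties"
  # Constructed stand-in for a configuration file holding password material.
  printf '<security keyStorePassword="changeit"/>\n' > "$tmp/config/cells/security.xml"
  chmod 644 "$tmp/config/cells/security.xml"
  # Hypothetical stand-in for one of the files that must stay world-accessible.
  : > "$tmp/properties/shared.props"
  chmod 600 "$tmp/properties/shared.props"

  audit_world_access "$tmp" shared.props || echo "before: world-accessible entries found (expected)"
  secure_was_dirs "$tmp" "$(id -un)" "$(id -gn)" shared.props
  audit_world_access "$tmp" shared.props && echo "after: audit clean"
  rm -rf "$tmp"
}

demo
```

Run the audit function alone against a real install_root after applying the steps by hand; any path it prints is either missing from the allowed list or was never covered by the chmod, which is the first thing to check when a startup or administrative task fails with a permission error.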


Results

After securing your environment, only the users given permission can access the files. Failure to adequately secure these files can lead to a breach of security in your WAS applications.


What to do next

If any failures are caused by file access permissions, check the permission settings on the files involved.


Related tasks
Implementing security considerations
Securing messaging directories and log files