Operating Systems: i5/OS
Introduction: Security
Explore the key concepts pertaining to securing applications and
their environment. WebSphere Application Server plays an integral part in
the multiple-tier enterprise computing framework. Based on an open architecture,
WebSphere Application Server provides many plug-in points for integrating with
enterprise software components to provide end-to-end security. Its security infrastructure
and mechanisms protect both J2EE resources (servlets, JSP files, EJB methods)
and administrative resources (the console, wsadmin, and the configuration repository),
addressing your enterprise security requirements.
- Administrative security
-
Administrative security determines whether security is enabled at all, which
user registry is used for authentication, and other settings, many of which
act as defaults for application security. Proper planning is required because
enabling administrative security with an incorrect configuration (for example,
an unreachable registry or a wrong primary administrative user) can lock you out
of the administrative console or prevent the server from starting.
- Application security
-
Application security enforces security for the applications in your environment.
It provides application isolation and requires application users to
authenticate before J2EE security constraints and role checks are applied.
Application security can be enabled only when administrative security is enabled.
- Java 2 security
-
Java 2 security provides a policy-based, fine-grained access control mechanism
that increases overall system integrity by checking for permissions before
allowing access to certain protected system resources. Java 2 security guards
access to system resources such as file I/O, sockets, and properties, and it
grants permissions by the origin of the code (its code base), not by the user
running it. Java 2 Platform, Enterprise Edition (J2EE) security, by contrast,
guards access to Web resources such as servlets, JavaServer Pages files and
Enterprise JavaBeans (EJB) methods according to the roles of the authenticated user.
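The following is an added example, not code from the WebSphere documentation or product, showing how a Java 2 security permission check surfaces in application code and why the doPrivileged idiom matters when only one code base holds a grant. The policy file name (java2demo.policy), the paths /opt/app/lib and /opt/app/conf, and the class name are assumptions for the demo; a was.policy entry for a deployed application has the same grant syntax but uses the ${application} or ${jars} code base variables.

```java
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.PrivilegedAction;

/*
 * Added example (not from the WebSphere documentation). Assumed policy file
 * java2demo.policy, which grants read access to one directory to the code base
 * that holds this class:
 *
 *   grant codeBase "file:/opt/app/lib/-" {
 *       permission java.io.FilePermission "/opt/app/conf/-", "read";
 *   };
 *
 * Run on JDK 8 to 17 with a security manager installed (the security manager
 * is deprecated for removal from JDK 17 on):
 *   java -Djava.security.manager -Djava.security.policy=java2demo.policy Java2SecurityCheck
 */
public final class Java2SecurityCheck {

    /** The same check the JVM performs inside FileInputStream: every protection
     *  domain on the current call stack must imply the permission, so the
     *  least-privileged caller on the stack decides the outcome. */
    static boolean callerMayRead(String path) {
        try {
            AccessController.checkPermission(new FilePermission(path, "read"));
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    /** Privileged form: the stack walk stops at this frame, so only the code
     *  base that contains this class needs the grant. This is how a trusted
     *  library reads its own configuration on behalf of callers that have no
     *  FilePermission. Keep the privileged region minimal and never let the
     *  caller choose the path, or the wrapper becomes a read-any-file primitive. */
    static boolean libraryMayReadOwnConfig() {
        final String ownConfig = "/opt/app/conf/app.properties"; // fixed, not caller-supplied
        return AccessController.doPrivileged(
                (PrivilegedAction<Boolean>) () -> callerMayRead(ownConfig));
    }

    public static void main(String[] args) {
        System.out.println("security manager installed: " + (System.getSecurityManager() != null));
        // Inside the granted directory: allowed for this code base.
        System.out.println("/opt/app/conf/app.properties -> " + callerMayRead("/opt/app/conf/app.properties"));
        // Outside it: denied by policy even though the OS user running the JVM could open the file.
        System.out.println("/etc/passwd -> " + callerMayRead("/etc/passwd"));
        System.out.println("privileged config read -> " + libraryMayReadOwnConfig());
    }
}
```

Run without the -Djava.security.manager flag, no policy is enforced and the program proves nothing; the value of the example is in watching the second check fail while the first succeeds under the assumed policy.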
- User registries and repositories
-
WebSphere Application Server provides implementations that support multiple
types of registries and repositories including the local operating system
registry, a standalone Lightweight Directory Access Protocol (LDAP) registry,
a standalone custom registry,
and federated repositories.
- Local operating system registries
-
With the registry implementation for the local operating system, the WebSphere
Application Server authentication mechanism can use the user accounts database
of the local operating system.
- Authentication mechanisms
-
An authentication mechanism defines rules about security information,
for example, whether a credential is forwardable to another Java process,
and the format of how security information is stored in both credentials and
tokens.
- Standalone Lightweight Directory Access Protocol registries
-
WebSphere Application Server security supports most major LDAP directory
servers, which can act as the repository for user and group information.
- Federated repositories
-
Federated repositories enable you to use multiple repositories with WebSphere
Application Server. These repositories, which can be file-based repositories,
LDAP repositories, or a sub-tree of an LDAP repository, are defined and logically
combined under a single realm, so that a user is looked up across all of them.
- Authentication protocol for EJB security
-
You can choose from two authentication protocols: Secure Authentication
Service (SAS) and Common Secure Interoperability V2 (CSIv2).
WebSphere Application Server V6.1 servers support the CSIv2 authentication
protocol only. SAS is only supported between V6.0.x and earlier version
servers that have been federated in a V6.1 cell. The option to select
between SAS, CSIv2, or both is only available in the administrative console
when a V6.0.x or earlier release has been federated in a V6.1 cell.
- Authorization technology
-
Authorization information determines whether a user or group has the necessary
privileges to access resources.
- Java Authentication and Authorization Service
-
The Java Authentication and Authorization Service (JAAS) is a standard Java API
that extends Java 2 security authorization: where Java 2 security grants
permissions by code base alone, JAAS also grants them by the principal (the
authenticated user) on whose behalf the code runs, and it defines the pluggable
login module framework that WebSphere Application Server uses for authentication.
- Identity mapping
-
Identity mapping is a one-to-one mapping of a user identity between two
servers so that the proper authorization decisions are made by downstream
servers. Identity mapping is necessary when the integration of servers is
needed, but the user registries are different and not shared between the systems.
- Secure communications using Secure Sockets Layer
-
The Secure Sockets Layer (SSL) protocol, and its successor Transport Layer
Security (TLS), provide transport-layer security, including peer authentication,
integrity protection, and data encryption, to secure the connection between a
client and a server that uses WebSphere Application Server. The foundation
technology for SSL is public key cryptography: data encrypted with an entity's
public key can be decrypted only by the holder of the corresponding private key,
and a signature produced with the private key can be verified by anyone who holds
the public key. It is this second property, not private-key encryption, that
lets a client authenticate a server.
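The following is an added example, not from the WebSphere documentation, that exercises the two public-key directions just described with the standard JCE API: signature with the private key verified by the public key, and encryption to the public key decrypted by the private key. The key pair is generated in-process for the demo; a real server's pair lives in its keystore. The message bytes and the sample session key are constructed inputs.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.Cipher;

/* Added example, not from the WebSphere documentation: the two directions of
 * RSA use that SSL/TLS builds on. Runs on any JDK 8 or later with no setup. */
public final class PublicKeyDirections {

    static KeyPair newKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    /** Signing: the private key signs, anyone with the public key verifies.
     *  This is how a TLS server proves it owns the key in its certificate. */
    static byte[] sign(KeyPair kp, byte[] msg) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(msg);
        return s.sign();
    }

    static boolean verify(KeyPair kp, byte[] msg, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(kp.getPublic());
        s.update(msg);
        return s.verify(sig);
    }

    /** Confidentiality: the public key encrypts, only the private key decrypts.
     *  RSA is used this way only for small values such as a session key; bulk
     *  data is encrypted with a symmetric cipher under that key. */
    static byte[] encryptToOwner(KeyPair kp, byte[] secret) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        return c.doFinal(secret);
    }

    static byte[] decryptAsOwner(KeyPair kp, byte[] ct) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.DECRYPT_MODE, kp.getPrivate());
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        KeyPair server = newKeyPair();
        byte[] transcript = "handshake transcript (constructed sample)".getBytes(StandardCharsets.UTF_8);

        byte[] sig = sign(server, transcript);
        System.out.println("signature verifies: " + verify(server, transcript, sig));
        transcript[0] ^= 1; // flip one bit: integrity protection must catch this
        System.out.println("after tampering:    " + verify(server, transcript, sig));

        byte[] sessionKey = new byte[32];
        Arrays.fill(sessionKey, (byte) 0x42); // constructed sample key, not random
        byte[] ct = encryptToOwner(server, sessionKey);
        System.out.println("session key recovered: "
                + Arrays.equals(sessionKey, decryptAsOwner(server, ct)));
        // There is no "encrypt with the private key" operation exposed here: that
        // arithmetic exists only inside the signature primitive.
    }
}
```

OAEP padding is chosen deliberately; the older PKCS#1 v1.5 padding is what the padding-oracle attacks on TLS RSA key exchange exploit.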
- Key management for cryptographic uses
-
WebSphere Application Server provides a framework for managing keys (secret
keys or key pairs) that applications use to perform cryptographic operations
on data. The key management framework provides an application programming
interface (API) for retrieving these keys. Keys are held in keystores; any
keystore type that WebSphere Application Server supports can be used, provided
that it can store the referenced key type. You can configure keys
and scope keystores so that they are visible only to particular processes,
nodes, clusters, and so on.
- Plug point for custom password encryption
-
A plug point for custom password encryption can be implemented to encrypt
and decrypt all passwords in WebSphere Application Server that are otherwise
only encoded, not encrypted, using the default reversible Base64-based encoding.
- Secure transports with JSSE and JCE programming interfaces
-
This topic provides detailed information about transport security using
Java Secure Socket Extension (JSSE) and Java Cryptography Extension (JCE)
programming interfaces. Within this topic, there is a description of the IBM
version of the Java Cryptography Extension Federal Information Processing
Standard (IBMJCEFIPS).
- Web component security
-
You can develop a Web module and enforce security at the method level
of each Web resource.
- Password encoding and encryption
-
Password encoding deters the casual observation of passwords in server
configuration and property files. It is not encryption: the default encoding
can be reversed by anyone who can read the file, so operating system
permissions on the configuration directory remain the real control.
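The following is an added example, not from the WebSphere documentation, covering both the default password encoding above and the gap the custom encryption plug point is meant to close. WebSphere Application Server's default scheme, the {xor} prefix, XORs each byte of the password with the character '_' (0x5F) and Base64-encodes the result; the code below reproduces that transformation so a practitioner can see why a config file "password" is readable to anyone holding the file. The sample value is a constructed string in the format such a file would contain.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/* Added example, not product code: the reversible {xor} password coding that
 * WebSphere Application Server uses by default in security.xml and similar
 * files. Encoding and decoding are the same operation, because XOR is its
 * own inverse; the "key" is a public constant. */
public final class XorPasswordCoding {
    private static final String PREFIX = "{xor}";
    private static final byte KEY = '_'; // 0x5F

    /** Produce the value that appears in a configuration file. */
    static String encode(String clearText) {
        byte[] b = clearText.getBytes(StandardCharsets.UTF_8);
        for (int i = 0; i < b.length; i++) {
            b[i] ^= KEY;
        }
        return PREFIX + Base64.getEncoder().encodeToString(b);
    }

    /** Recover the clear text from a configuration file value. */
    static String decode(String encoded) {
        if (!encoded.startsWith(PREFIX)) {
            throw new IllegalArgumentException("not a {xor}-encoded value");
        }
        byte[] b = Base64.getDecoder().decode(encoded.substring(PREFIX.length()));
        for (int i = 0; i < b.length; i++) {
            b[i] ^= KEY;
        }
        return new String(b, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String sample = "{xor}KD4sPjsyNjE="; // constructed sample, as it would appear in security.xml
        System.out.println(decode(sample));                     // wasadmin
        System.out.println(encode("wasadmin").equals(sample));  // true
    }
}
```

Treat any {xor} value found in a backup, a ticket, or a log as a clear-text credential. The custom encryption plug point replaces this coding with a real cipher under a key the server must still be able to reach, so it raises the bar against copied files rather than against an attacker who already controls the server process.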
- Security role references
-
Web application developers or EJB providers who use the programmatic
security J2EE APIs, isUserInRole(String roleName) or isCallerInRole(String
roleName), refer to a role name in code. A security role reference in the
deployment descriptor links that coded name to a security role defined for
the application, so the code does not have to change when the role is renamed.
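The following is an added example, not from the WebSphere documentation, of a servlet using isUserInRole together with the descriptor entry that gives the coded name its meaning. It assumes the Servlet 2.4 API on the classpath and a web.xml containing the constructed fragment shown in the comment; the servlet and role names are assumptions for the demo.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not from the WebSphere documentation. The code refers only
 * to the name "auditor". The assumed web.xml fragment below links it to the
 * application role "ReportAuditor"; the deployer maps that role to users or
 * groups from the registry when the application is installed.
 *
 *   <servlet>
 *     <servlet-name>ReportServlet</servlet-name>
 *     <servlet-class>ReportServlet</servlet-class>
 *     <security-role-ref>
 *       <role-name>auditor</role-name>           <!-- name used in code -->
 *       <role-link>ReportAuditor</role-link>     <!-- declared security-role -->
 *     </security-role-ref>
 *   </servlet>
 *   <security-role>
 *     <role-name>ReportAuditor</role-name>
 *   </security-role>
 *
 * If the security-role-ref is omitted, the container falls back to matching
 * "auditor" directly against the declared security-role names, and returns
 * false when none matches, so a typo silently denies access.
 */
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // With application security disabled, getUserPrincipal() is null and
        // isUserInRole() is always false: denial is the safe default branch.
        if (req.getUserPrincipal() == null || !req.isUserInRole("auditor")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Full report for " + req.getUserPrincipal().getName());
    }
}
```

Programmatic checks like this complement a declarative security-constraint on the URL; they should not replace it, because a constraint is enforced before the servlet runs and is visible to reviewers without reading code.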
- Basic Security Profile compliance tips
-
The Web Services Interoperability Organization (WS-I) Basic Security Profile
(BSP) 1.0 promotes interoperability by providing clarifications and amplifications
to a set of non-proprietary Web services specifications. WebSphere Application
Server Web Services Security provides configuration options through which
the BSP recommendations and security considerations can be enabled. The degree
to which you follow these recommendations is then a measure of how well the
application you are configuring complies with the Basic Security Profile (BSP).
- Custom security token propagation
-
Web services security has the ability to send security tokens in the security
header of a SOAP message. These security tokens can be used to sign, verify,
encrypt or decrypt message parts. They can also be sent as stand-alone security
tokens and set as the caller on the request consumer. Custom security token
propagation is a feature that is used to propagate these custom security tokens
using Web services security.
- UDDI registry security additional considerations
-
In addition to the configuration of UDDI registry security, there are a number
of other UDDI registry settings that can affect the behavior of the UDDI
registry. Some of these settings are security specific; others are points
to bear in mind when configuring security.
- J2EE connector security
-
The J2EE connector architecture defines a standard architecture for connecting
the J2EE platform to heterogeneous enterprise information systems (EIS),
including how the EIS credentials used for those connections are supplied and protected.
- Asynchronous messaging - security considerations
-
This topic describes considerations that you should be aware of if you
want to use security for asynchronous messaging with WebSphere Application
Server.
Related information
Overview and new features for securing applications and their environment