Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Set up, enabling and migrating security
Enable WAS v8 security
IBM recommends installing with security enabled.
- Start the dmgr
- Open the WAS administrative console.
...and go to...
Security > Global security
- Use the Security Configuration Wizard, or configure security manually.
Application security can be in effect only when administrative security is enabled.
WAS clients must know whether application security is disabled at the target server.
- On the Global security panel, configure the user account repository.
- Specify either...
- Server ID and password for interoperability
- Automatically generate an internal server ID
The Primary administrative user ID is a member of the chosen repository and can access all of the protected administrative methods.
On Windows, the ID must not be the same name as the machine name, as the repository can return machine-information when querying a user with the same name.
In stand-alone LDAP registries, verify the ID is a searchable member of the repository, and not just the LDAP administrative role ID.
If command line scripts are used to start processes, the user ID that issued the commands is the process ID.
- If running as a service, the user ID logged into the system is the user ID running the service.
For local operating system registries, the PID requires special privileges to call the operating system APIs:
Windows Act as Part of Operating System Unix "root"
- After configuring the user account repository select...
Set as current
- When you click Apply, and the Enable administrative security option is set, a verification occurs to see if an administrative user ID has been configured and is present in the active user registry.
The administrative user ID can be specified at the active User Registry panel or from the console users link. If you do not configure an administrative ID for the active user registry, the validation fails.
- If you switch user registries, clear admin-authz.xml of existing administrative ids and application names. Exceptions will occur in the logs for ids that exist in admin-authz.xml but do not exist in the current user registry.
- Under Authentication mechanisms and expiration, configure LTPA or Kerberos
If you want single sign-on (SSO) support, which provides the ability for browsers to visit different product servers without having to authenticate multiple times, see
For form-based login, configure SSO when using LTPA.
- For SSO between cells, import and export the LTPA keys between cells.
- If required, configure CSIv2 through links on the Global security panel.
- Links to the SAS protocol panels display on the Global security panel if the environment contains servers that use previous versions of WAS and support the SAS protocol.
- SSL is pre-configured by default with settings in the DefaultSSLConfig file. . Changes are not necessary unless we have custom SSL requirements.
We can modify or a create a new SSL configuration and then specify it on the SSL configurations.
Security | SSL certificate and key management | Configuration settings | Manage endpoint security configurations | SSL_configuration | Scope | Related items
If a new alias name is created for new keystore and truststore files, change every location that references the DefaultSSLConfig alias...
Server | Application server | server_name
| Communications Ports transport chain | View associated transports | transport_channel_name | Transport Channels SSL Inbound Channel (SSL_2)
System administration | Deployment manager | Additional properties | Ports | transport chain | View associated transports | transport_channel_name | Transport Channels | SSL Inbound Channel (SSL_2)
System administration | Node agents | node_agent _name | Additional properties | Ports | transport chain | View associated transports | transport_channel_name | Transport Channels | SSL Inbound Channel (SSL_2)
For the ORB SSL transports, you can modify the SSL configuration repertoire aliases in the following locations. These configurations are for the server-level for WAS and WAS, Express and the cell level for WAS ND.
Security | Global security | RMI/IIOP security | CSIv2 inbound communications
Security | Global security | RMI/IIOP security | CSIv2 outbound communications
For the LDAP SSL transport, you can modify the SSL configuration repertoire aliases...
Security | Global security | User account repository | Available realm definitions | Standalone LDAP registry
- Configure any other security settings
- Validate the completed security configuration by clicking OK or Apply.
Any exceptions thrown are displayed at the top of the console page in red type.
- If there are no validation problems, click Save.
If you do not click Apply or OK in the Global security panel before clicking Save, changes are not written to the repository.
- Stop all application servers and the dmgr
- Verify all node agents are up and running in the domain.
The configuration is stored temporarily in the dmgr until it is synchronized with all of the node agents.
If any of the node agents are down, execute syncNode.sh from the node agent machine. Otherwise, the malfunctioning node agent does not communicate with the dmgr after security is enabled on the dmgr.
- Start the dmgr
- Open the console and log on with your administrative ID
- Restart appservers
Java 2 security
Enable security for the realm
Test security after enabling it
Security Configuration Wizard
Security configuration report
Add a new custom property in a global security configuration or in a security domain configuration
Modify an existing custom property in a global security configuration or in a security domain configuration
Delete an existing custom property in a global security configuration or in a security domain configuration Java 2 security
Multiple security domains Select a registry or repository
Configure the LTPA mechanism
Configure multiple security domains
RelatedJava 2 security policy files
Global security settings
Specify extent of protection wizard settings