Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment
Configure multiple security domains
A default user registry authenticates users for every application in the cell. We can add additional registries to specify different security attributes for some or all applications. For example, we can define a different user registry for user applications than for administrative applications, or define separate security configurations for applications deployed to different servers and clusters.
Enable global security in the environment before configuring multiple security domains.
Security domains define multiple security configurations.
Configure a new security domain
- Go to...
Security | Security domains | New
...and enter a name for the security domain.
- Under Assigned Scopes, assign the security domain to the entire cell or to specific servers, clusters, and service integration buses.
To assign the security domain to the entire cell, click the check box for the cell and then click Apply or OK.
The name of the security domain appears next to the cell name. We can expand the topology and assign the domain to one or more servers and clusters. When an item is already assigned to another security domain, its check box is disabled and the assigned domain is displayed to the right. To assign one of these scopes to the new domain, first disassociate it from its current domain.
Select All assigned scopes to view a list of only those resources that are currently assigned to the security domain.
- Customize the security configuration.
Attributes not listed cannot be customized at the domain level. Domains inherit attributes from the global security configuration. For attributes set to use global security, there is no domain-specific configuration, and applications that use the domain use the global configuration.
To customize the configuration for the domain, select Customize for this domain.
To override security configurations defined for a section in global security, select...
Customize for this domain
Applications in the domain will be able to access global entries in addition to domain-specific entries.
For example, you might want to use a different user registry for applications that use the security domain but also want to use the global security configuration for all of the other security properties. In this case, expand...
User Realm | Customize for this domain | user_registry_type | Configure
...and provide the appropriate configuration details on the subsequent panel.
Sections that contain configuration settings include...
- Application Security: To enable application security for this security domain, select Enable application security. If it is disabled, EJBs and web applications in the security domain are not protected, and J2EE security is enforced only if it is enabled in the global security configuration.
- Java 2 Security: To enable Java 2 security for this security domain, select Java 2 security. Java 2 security is enabled at the JVM level.
- User realm: The user registry for this security domain. Any registry used at the domain level can be configured separately.
- Trust association: TAIs defined at the global level are copied to the domain level, and the interceptor list can be modified. Configure only those interceptors that are to be used at the domain level.
- SPNEGO Web Authentication: Use SPNEGO to authenticate HTTP requests for secured resources at the domain level.
- RMI/IIOP Security: CSIv2 protocol properties configured at the domain level. The RMI/IIOP security configuration at the global level is copied. Transport layer settings for inbound communications should be the same at both the global and the domain level.
- JAAS application logins: Configure JAAS application logins, system logins, and J2C authentication data aliases at the domain level. The security runtime first checks for JAAS logins at the domain level and, if none is found, checks the global security configuration. Configure a login at the domain level to specify one that is used exclusively by an application.
- JAAS system logins: Use the global security settings or customize this domain.
- JAAS J2C authentication: Use the global security settings or customize this domain.
- JASPI: By default, applications in the cell have access to the JASPI authentication providers configured at the global level. The security runtime first checks for JASPI at the domain level and, if none is found, checks the global security configuration. Configure JASPI at the domain level only when the provider is to be used exclusively by the applications in that security domain. To configure JASPI authentication providers for a domain, select Customize for this domain, enable JASPI, and then select Providers to define the providers.
- Authentication Mechanism Attributes: To set the authentication cache, select Authentication cache settings; the configuration specified applies only to this domain. To configure a different LTPA timeout value at the domain level, select LTPA Timeout; the default is 120 minutes, set at the global level. To have user names qualified with the security realm (user registry), select Use realm-qualified user names.
- Authorization Provider: Configure an external third-party JACC provider. The Tivoli Access Manager (TAM) JACC provider can only be configured at the global level.
- Custom properties: Custom properties at the global security level can still be accessed by all of the applications in the cell. The security runtime first checks for a custom property at the domain level, then at the global security level.
We cannot override the following global entries at the domain level (domain-specific entries are added alongside them):
- Application logins
- System logins
- J2C authentication data entries
- Click Apply or OK.
- Restart all servers and clusters.
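The same procedure (create the domain, assign it to a server scope, customize only the user realm and application security, then save) as a wsadmin Jython script; this is an added example, not code from the IBM page. The AdminTask command and parameter names, the `Cell=:Node=...:Server=...` scope format and the `ldapServerType`/`activeUserRegistry` values are assumptions to confirm with `AdminTask.help('SecurityDomainCommands')`, and the cell, node, server and LDAP values are constructed placeholders.

```python
# Added example (not from the IBM page): the console procedure above as a
# wsadmin Jython script, run with  wsadmin.sh -lang jython -f <this file>.
# AdminTask/AdminConfig exist only inside wsadmin, so they are passed in;
# command and parameter names are assumed from the SecurityDomainCommands
# group, confirm with AdminTask.help('SecurityDomainCommands') on your cell.

def resource_name(node=None, server=None, cluster=None):
    """Scope string in the form mapResourceToSecurityDomain expects (assumed)."""
    if cluster:
        return 'Cell=:ServerCluster=%s' % cluster
    if node and server:
        return 'Cell=:Node=%s:Server=%s' % (node, server)
    return 'Cell='  # the whole cell

def domain_plan(name, scopes, ldap):
    """Ordered (command, arguments) pairs: only the user realm and application
    security are customised, everything else stays inherited from global."""
    plan = [('createSecurityDomain', '-securityDomainName %s '
             '-securityDomainDescription "application domain"' % name)]
    for scope in scopes:
        plan.append(('mapResourceToSecurityDomain',
                     '-securityDomainName %s -resourceName %s' % (name, scope)))
    plan.append(('configureAppLDAPUserRegistry',
                 '-securityDomainName %s -ldapServerType %s -ldapHost %s '
                 '-ldapPort %s -baseDN "%s" -bindDN "%s" -bindPassword %s '
                 '-realmName %s' % (name, ldap['type'], ldap['host'],
                 ldap['port'], ldap['baseDN'], ldap['bindDN'],
                 ldap['bindPassword'], ldap['realm'])))
    # Realm takes effect only as the active registry with app security on; Java 2 stays global.
    plan.append(('setAppActiveSecuritySettings',
                 '-securityDomainName %s -activeUserRegistry LDAPUserRegistry '
                 '-appSecurityEnabled true' % name))
    return plan

def apply_plan(AdminTask, AdminConfig, plan):
    """Execute the plan inside wsadmin; refuse to touch an existing domain."""
    name = plan[0][1].split()[1]
    if name in AdminTask.listSecurityDomains().splitlines():
        raise ValueError('security domain %s already exists' % name)
    for cmd, args in plan:
        getattr(AdminTask, cmd)(args)
    AdminConfig.save()  # nothing persists until save; then restart scoped servers
    return len(plan)
if __name__ == '__main__':  # constructed placeholder values, replace them
    ldap = {'type': 'IBM_DIRECTORY_SERVER', 'host': 'ldap.example.test',
            'port': '389', 'baseDN': 'dc=example,dc=test', 'realm': 'appRealm',
            'bindDN': 'cn=wasbind,dc=example,dc=test', 'bindPassword': 'CHANGE_ME'}
    scopes = [resource_name(node='node01', server='appServer1')]
    apply_plan(AdminTask, AdminConfig, domain_plan('AppDomain', scopes, ldap))
```

The plan is built as plain strings first so it can be reviewed (or diffed against a previous run) before anything is applied, and the existence check stops the script from silently re-running createSecurityDomain against a domain that already has scopes assigned.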