Control Center
Access to the Control Center requires both authentication and authorization. The Control Center does not do authentication, only authorization. Authorization determines which pages, and which actions on those pages, a user is allowed to use.
Authentication
Authentication verifies that a user enters a valid user ID and password when they log in to the Control Center. The Control Center does not do authentication. WebSphere® Application Server does the verification based on its configuration for authentication.
When the automated deployment utility (ADU) is used, it configures authentication to use the WebSphere Application Server internal federated repository. For a production environment, you likely need to change the configuration to use your company's user repository. If single sign-on is used for authentication, it also needs to be configured in Control Center.
- The WebSphere Application Server documentation
- The Authentication section of User interface security
- Single sign-on
After a user is authenticated, the authorization step occurs.
Authorization
Authorization is done after a user is authenticated. Authorization determines which pages, and which actions on those pages, a user is allowed to use. You can configure authorization by using the groups and permissions that are provided by Control Center. Groups are like roles, and the permissions define what users with that role can do. Configure a group to contain a set of permissions, and then associate a user with one or more groups. The groups are internal to Payment Feature Services.
Payment Feature Services provides a default set of groups and users that you can either modify or replace to meet your authorization requirements. For example, you might need a general group for your remediation users and a general group for your operations users.
- Control Center groups and permissions
- The Authorization section of User interface security
- Users page
- Groups page
- Permissions page
- Role-based authorization
- System properties page
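The group-and-permission model described above (groups act as roles, a group holds a set of permissions, a user belongs to one or more groups) can be made concrete with a small resolver. The following is an added example written for this page, not Control Center's or Payment Feature Services' own code: the group names, page names and actions are hypothetical, authentication is assumed to have already been done by WebSphere Application Server, and the check is default-deny (a user with no group, an unknown group, or a locked account gets nothing).

```python
from dataclasses import dataclass, field

# A permission is a (page, action) pair, e.g. ("Servers", "view").
Permission = tuple[str, str]


@dataclass
class Group:
    """A group is a role: a named set of permissions."""
    name: str
    permissions: set[Permission] = field(default_factory=set)


@dataclass
class User:
    """A user is associated with zero or more groups by name."""
    user_id: str
    groups: list[str] = field(default_factory=list)
    locked: bool = False


# Constructed sample groups (hypothetical names, not the product defaults).
GROUPS = {
    "remediation": Group("remediation", {("Transactions", "view"),
                                         ("Transactions", "repair")}),
    "operations": Group("operations", {("Servers", "view"),
                                       ("Servers", "execute_diagnostic")}),
    "viewer": Group("viewer", {("Transactions", "view"),
                               ("Servers", "view")}),
}


def effective_permissions(user: User, groups=GROUPS) -> set[Permission]:
    """Union of the permissions of every group the user belongs to.

    A group name that does not exist grants nothing rather than failing,
    so a stale group reference cannot widen access.
    """
    perms: set[Permission] = set()
    for name in user.groups:
        group = groups.get(name)
        if group is not None:
            perms |= group.permissions
    return perms


def is_authorized(user: User, page: str, action: str, groups=GROUPS) -> bool:
    """Authorization step: may this (already authenticated) user perform
    `action` on `page`? Locked accounts are refused regardless of groups."""
    if user.locked:
        return False
    return (page, action) in effective_permissions(user, groups)


if __name__ == "__main__":
    u = User("jdoe", ["remediation", "viewer"])
    print(sorted(effective_permissions(u)))
    print(is_authorized(u, "Servers", "view"),
          is_authorized(u, "Servers", "execute_diagnostic"))
```

Because permissions are unioned across groups, a user placed in both a broad and a narrow group gets the broad set; review group membership, not just group contents, when tightening access.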
Users
When Payment Feature Services is installed, a default set of user IDs for the various user interface components is provided. The default user IDs are also associated with the default groups. You probably need to modify the default set of user IDs supplied with Payment Feature Services to match your own requirements and users.
Administrator user IDs are not needed to run the components of Payment Feature Services. Ensure that only user IDs with limited access are used.
You can monitor for users who have not accessed their accounts for a specified amount of time. For those users, you can lock their accounts so that they cannot use Control Center. The account of an inactive user can also be removed automatically. For more information about using a Services Framework task to monitor users, see Inactive users task.
Web browser
The Control Center user interface is displayed within a browser session that communicates with the application that is deployed in WebSphere Application Server. When a user logs in to the Control Center, they get a session identifier that maintains the state while the user is logged in. Ensure that the browser sessions are secure.
Some of the request URLs can include query parameters, such as IDs. The information from these query parameters can be logged by any server that receives the request. If you do not want this information to be logged, ensure that all the servers that receive the request are configured to suppress the logging of URL query parameters. For example, see the NCSA access log setting information in the WebSphere Application Server documentation.
- For more information about how the session identifier can affect the browser operation, see Multiple browser instances.
- For other browser configuration information, see Browser configuration for Control Center features.
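Where a receiving server cannot be configured to suppress query parameters, the same outcome can be reached by redacting them before the access log is stored or forwarded. The following is an added example, not a WebSphere Application Server setting or any code from the product: it rewrites NCSA common and combined format lines, dropping the query string from the request target and from the referer field while leaving other quoted fields (such as the user agent) untouched. The log lines are constructed, and the hostnames in them are placeholders.

```python
import re

# Every double-quoted field in an NCSA line: the request line, and in the
# combined format also the referer and the user agent.
QUOTED = re.compile(r'"([^"]*)"')


def _strip_query(url: str) -> str:
    """Remove everything from the first '?' onward."""
    return url.split("?", 1)[0]


def redact_query(line: str) -> str:
    """Return the log line with URL query parameters removed.

    The request line ("METHOD target HTTP/x.y") has its target stripped;
    a quoted field that looks like a URL or path (the referer) is stripped;
    anything else, such as the user agent, is returned unchanged.
    """
    def _sub(match):
        body = match.group(1)
        parts = body.split(" ")
        if len(parts) == 3 and parts[2].startswith("HTTP/"):
            parts[1] = _strip_query(parts[1])
            return '"' + " ".join(parts) + '"'
        if body.startswith(("http://", "https://", "/")):
            return '"' + _strip_query(body) + '"'
        return match.group(0)
    return QUOTED.sub(_sub, line)


def redact_all(lines):
    """Redact an iterable of log lines, preserving order."""
    return [redact_query(line) for line in lines]


# Constructed sample lines (placeholder addresses and hostnames).
SAMPLE_LINES = [
    '192.0.2.10 - jdoe [12/Mar/2024:10:15:32 +0000] '
    '"GET /ControlCenter/transaction?id=TX-0001&acct=4111 HTTP/1.1" 200 5120 '
    '"https://cc.example.test/ControlCenter/search?acct=4111" "Mozilla/5.0 (X11; Linux)"',
    '192.0.2.11 - - [12/Mar/2024:10:16:01 +0000] '
    '"POST /ControlCenter/login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for line in redact_all(SAMPLE_LINES):
        print(line)
```

Redacting at the log sink is a fallback: parameters still travel through every intermediate server's memory and any log it writes before the redaction runs, so configuring each server to suppress them, as the text recommends, remains the primary control.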
Viewing Java SE component configuration
The Control Center can be used to view the configuration from the properties file of a Java™ SE component without having to access the property file itself. You can use the execute diagnostic command page, which is accessed from the manage servers page, to run the list actualcfg command. In addition to displaying the properties in the configuration file, this command also displays the properties that are in an encrypted property file. The user must be authorized to run the command.
Additional information
The following topics contain more information about Control Center security.