Configuring administrative and application security
The first step in securing your IBM® Business Process Manager environment and your applications is to make sure that administrative security is enabled.
Before you begin
- Install IBM Business Process Manager and verify the installation before performing these tasks.
- Open the administrative console for the profile that you want to secure. Log in to the console using an account that has administrator privileges, for example, the default administrator account that was specified during installation.
About this task
- Administrative security is enabled by default, and applies to every server within the security domain.
Administrative security determines whether security is used at all, the type of registry against which authentication takes place, and other values, many of which act as defaults. Proper planning is required because incorrectly enabling administrative security can lock you out of the administrative console or cause the server to end abnormally.
Administrative security can be thought of as a "big switch" that activates a wide variety of security settings for IBM Business Process Manager. Values for these settings can be specified, but they will not take effect until administrative security is activated. The settings include the authentication of users, the use of Secure Sockets Layer (SSL), and the choice of user account repository. In particular, application security, including authentication and role-based authorization, is not enforced unless administrative security is active.
- Application security is also enabled by default, and is in effect only when administrative security is enabled.
Application security enables security for the applications in your environment. This type of security provides application isolation and requirements for authenticating application users.
- Java 2 security is disabled by default.
Java 2 security provides a policy-based, fine-grained access control mechanism that increases overall system integrity by checking for permissions before allowing access to certain protected system resources. Java 2 security guards access to system resources such as file I/O, sockets, and properties. It also guards access to web resources such as servlets, JavaServer Pages (JSP) files, and Enterprise JavaBeans (EJB) methods.
Because Java 2 security is relatively new, many existing applications, or even new applications, might not be prepared for the fine-grained access control programming model that this form of security is capable of enforcing. Administrators need to understand the possible consequences of enabling Java 2 security if applications are not prepared for it: a component that lacks the required permissions fails at run time with a security exception rather than degrading gracefully. Java 2 security places new requirements on application developers and administrators.
Java 2 security also has a performance impact on runtime components in IBM Business Process Manager, because the fine-grained permission checks take considerably more time than a configuration without them. In addition, enabling Java 2 security affects both IBM Business Process Manager components and custom applications.
There are known problems with Business Space configurations when Java 2 security is activated. Refer to the dW Answers post Java 2 security warning.
Attention: Fix packs that include updates to the Software Development Kit (SDK) might overwrite unrestricted policy files. Back up unrestricted policy files before you apply a fix pack and reapply these files after the fix pack is applied.
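The three settings above live on one cell-level Security configuration object, so the "big switch" rules (application security and Java 2 security only count while administrative security is on) and the lock-out caveat can be checked in a single wsadmin script. The following is an added example written for this page; it is not IBM's code. It parses the attribute listing that AdminConfig.show() returns, reports the configured versus effective state, and runs a pre-flight check before you flip administrative security on. The cell name bpmCell01, the sample attribute listing, and every function name are constructed for illustration; AdminConfig, AdminTask and the setAdminActiveSecuritySettings parameters are the real wsadmin interfaces. The syntax is kept Jython 2.1 compatible so the same file runs unmodified under wsadmin and under CPython.

```python
# Added example, not part of the IBM Business Process Manager documentation.
# Run inside wsadmin:   wsadmin.sh -lang jython -f security_audit.py
# Run outside wsadmin:  python security_audit.py   (uses the constructed sample below)

# Constructed sample of what AdminConfig.show(AdminConfig.getid('/Security:/'))
# returns: Jython prints one "[attribute value]" pair per line. The cell name
# bpmCell01 is made up. Note the trap this sample models: application security
# and Java 2 security are switched on, but administrative security is not.
SAMPLE_SHOW_OUTPUT = """[activeAuthMechanism (cells/bpmCell01|security.xml#LTPA_1)]
[activeUserRegistry (cells/bpmCell01|security.xml#WIMUserRegistry_1)]
[appEnabled true]
[enabled false]
[enforceJava2Security true]
[issuePermissionWarning true]
"""


def parse_show_output(text):
    """Turn the '[name value]' lines of AdminConfig.show() into a dictionary.
    The value is everything after the first space, so object references such
    as '(cells/x|security.xml#LTPA_1)' and nested lists survive intact."""
    attrs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not (line.startswith('[') and line.endswith(']')):
            continue
        parts = line[1:-1].split(' ', 1)
        if len(parts) == 2:
            attrs[parts[0]] = parts[1].strip()
        else:
            attrs[parts[0]] = ''
    return attrs


def effective_state(attrs):
    """Apply the documented 'big switch' rule: 'enabled' is administrative
    security; appEnabled and enforceJava2Security are only enforced while it is on."""
    admin = attrs.get('enabled', 'false') == 'true'
    app = attrs.get('appEnabled', 'false') == 'true'
    java2 = attrs.get('enforceJava2Security', 'false') == 'true'
    return {
        'administrative': admin,
        'application_configured': app,
        'application_effective': admin and app,
        'java2_configured': java2,
        'java2_effective': admin and java2,
    }


def preflight_problems(attrs):
    """Conditions that would make enabling administrative security lock you out:
    the switch goes on, but there is no registry or mechanism to authenticate
    the administrator against. Returns a list of human-readable problems."""
    problems = []
    if attrs.get('activeUserRegistry', '') in ('', 'null'):
        problems.append('activeUserRegistry is not set; authentication has no registry')
    if attrs.get('activeAuthMechanism', '') in ('', 'null'):
        problems.append('activeAuthMechanism is not set')
    return problems


def security_settings_args(admin=1, app=1, java2=0):
    """Build the parameter string for AdminTask.setAdminActiveSecuritySettings.
    Defaults match the documented shipped state: admin and application security
    on, Java 2 security off."""
    flag = lambda b: b and 'true' or 'false'
    return '[-enabled %s -appSecurityEnabled %s -enforceJava2Security %s]' % (
        flag(admin), flag(app), flag(java2))


def have_wsadmin():
    """AdminConfig is injected by wsadmin; under plain Python it does not exist."""
    try:
        AdminConfig
        return 1
    except NameError:
        return 0


def live_security_attrs():
    """wsadmin only: read the cell-level Security object of the connected profile."""
    return parse_show_output(AdminConfig.show(AdminConfig.getid('/Security:/')))


def apply_settings(java2=0):
    """wsadmin only: enable administrative and application security, set Java 2
    security as requested, and save. Refuses to run if the pre-flight check fails.
    The change takes effect only after the server (or deployment manager) restarts."""
    problems = preflight_problems(live_security_attrs())
    if problems:
        raise RuntimeError('not enabling security: ' + '; '.join(problems))
    AdminTask.setAdminActiveSecuritySettings(security_settings_args(1, 1, java2))
    AdminConfig.save()


def report(attrs):
    state = effective_state(attrs)
    for key in ('administrative', 'application_configured', 'application_effective',
                'java2_configured', 'java2_effective'):
        print('%-24s %s' % (key, state[key] and 'yes' or 'no'))
    for problem in preflight_problems(attrs):
        print('PRE-FLIGHT PROBLEM: ' + problem)


if have_wsadmin():
    report(live_security_attrs())
else:
    report(parse_show_output(SAMPLE_SHOW_OUTPUT))
```

On the constructed sample the report shows application and Java 2 security as configured but not effective, which is exactly the state the page warns about: the values are stored but nothing is enforced until administrative security is on. If you do lock yourself out after enabling it, the standard WebSphere recovery (not described on this page) is to stop the server, change enabled="true" to enabled="false" on the Security element in the profile's config/cells/<cell>/security.xml, restart, and correct the registry settings before enabling again.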