Security
Consider the following topics when you are planning for security.
WebSphere Application Server security
Configure WebSphere® Application Server security for the Payment Feature Services base component. For more information, see Setting up security for WebSphere.
File permissions
During installation, the default file permissions for the Payment Feature Services components are
set to the values that they need to run. For security purposes, users can further restrict the file
permissions for the runtime execution of the Payment Feature Services components.
Note: Setting up and configuring the components requires more write permissions than when the component is running.
The scope for this planning information for file permissions is shown in the following list:
- The permissions that are described are for the basic file permission groups and permission types and not for some other permission method.
- The permissions apply only to files and directories that are located within the directory structure that was created when the components were installed.
- The permissions do not apply to any of the WebSphere Application Server subdirectories or profile files that were created for the components. Permissions for those files and directories are controlled by using WebSphere Application Server.
- An administrator who understands file permissions and knows how to set them is available.
The file permissions are described in a format that can be used with the Linux® chmod command. The basic file permission groups are shown in the following list:
- owner: The permissions assigned to this group determine which actions the owner of the file is allowed to do.
- group: The permissions assigned to this group determine which actions users who are members of a group are allowed to do.
- other: The permissions assigned to this group determine which actions all other users are allowed to do.
The basic permission types are shown in the following list:
- read: The user is allowed to read the contents of a file or a directory.
- write: The user is allowed to write the contents of a file or write to a directory.
- execute: The user is allowed to run a file or view a directory.
The permissions for the basic file permission groups are represented as a three-digit integer, 775 for example. The first integer is the permissions for the file owner, the second is for the group, and the third is for all others. In the example of 775, the owner and group have the read, write, and execute permissions while all others have only the read and execute permissions.
In the following table, r stands for read, w stands for write, and x stands for execute.
Integer | Permissions | Permission types |
---|---|---|
0 | None. | --- |
1 | Execute only. | --x |
2 | Write only. | -w- |
3 | Write and execute. | -wx |
4 | Read only. | r-- |
5 | Read and execute. | r-x |
6 | Read and write. | rw- |
7 | All. | rwx |
Note: The system administrator needs
to define the permissions for the basic file permission group called other. This group can be used to define
permissions for a third-party application. It can also be used for someone that normally doesn't have any
permanent permissions but requires access to specific files or folders for some reason. The Payment Feature Services components do not require that specific permissions be set for the permission group
called other.
The following table describes the file permission settings that were tested for the Payment Feature Services components. Other file permission settings can also work. The file permissions that are shown in this table have equivalents in the Windows operating system.
Note: This table shows all of the path names in an AIX® directory format.
Use the appropriate path delimiters for the operating system that is being used.
Types of files or directories | File permissions | Example directory or directories |
---|---|---|
Do not change the file permissions for the Java™ Runtime Environment that is located in the example directories. | Do not change. | |
The directories for the components that are installed. By default, the components are installed in one of the example directories. | 555 | |
Subdirectories of the installed components. Examples are shown in the following list: | Consider setting the permissions to 775 because these directories are used for things such as writing, load commands, and exception recording. | This information includes the following subdirectories in a component directory: |
Subdirectories of the installed components | 755 or 555. Consider changing the permissions to 555 when the files no longer need to be altered. | This information includes the following subdirectories in a component directory: |
Directories used for processing files | Read and write permissions. | Gateway intermediate paths, for example |
Encrypted configuration files that are used to store passwords or special IDs. These files need to have the execute permission since they are read by utilities or by a component when it starts. | 555 | For example, the file specified in the newConfigurationFile property for Gateway. For more information about using this property for encrypted properties files, see General properties. |
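
A check of an installed tree against the tested settings in the table above, as an added example that is not part of the product documentation. The function names and the directory and file names (bin, logs, run.sh, trace.log) are assumptions, and the sample tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example. Directory and file names used here are hypothetical.

# 555 rows of the table (component directory, encrypted configuration file):
# no write bit for owner, group, or other.
check_555() {
    find "$1" -prune \( -perm -200 -o -perm -020 -o -perm -002 \) -print |
        sed 's/^/FINDING max-555 /'
}

# audit_component ROOT [WRITABLE_SUBDIR ...]
# ROOT is held to 555, the named subdirectories to 775 (no write for
# "other"), every other entry under ROOT to 755 (only the owner may write).
# Prints one FINDING line per entry that is more permissive; nothing if clean.
audit_component() {
    root=$1; shift
    writable=" $* "    # subdirectory names must not contain spaces
    check_555 "$root"
    for entry in "$root"/*; do
        [ -e "$entry" ] || continue
        case $writable in
        *" ${entry##*/} "*)
            # Symbolic links are skipped: their own mode bits are not meaningful.
            find "$entry" ! -type l -perm -002 -print |
                sed 's/^/FINDING max-775 /' ;;
        *)
            find "$entry" ! -type l \( -perm -020 -o -perm -002 \) -print |
                sed 's/^/FINDING max-755 /' ;;
        esac
    done
}

# Constructed sample tree: tested settings plus two deliberate deviations.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin" "$d/logs" && : > "$d/bin/run.sh" && : > "$d/logs/trace.log"
    chmod 555 "$d/bin/run.sh"; chmod 755 "$d/bin"
    chmod 666 "$d/logs/trace.log"   # deviation: "other" can write
    chmod 775 "$d/logs"
    chmod 755 "$d"                  # deviation: component directory is not 555
    printf '%s\n' "$d"
}

sample=$(make_sample) && audit_component "$sample" logs
rm -rf "$sample"
```

Run `check_555` on its own against an encrypted configuration file to cover the last row of the table.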