Security

Consider the following topics when you are planning for security.

WebSphere Application Server security

Configure WebSphere® Application Server security for the Payment Feature Services base component. For more information, see Setting up security for WebSphere.

File permissions

During installation, the default file permissions for the Payment Feature Services components are set to the values that they need to run. For security purposes, users can further restrict the file permissions for the runtime execution of the Payment Feature Services components.
Note: Setting up and configuring the components requires more write permissions than when the component is running.
The scope for this planning information for file permissions is shown in the following list:
  • The permissions that are described are for the basic file permission groups and permission types and not for some other permission method.
  • The permissions apply only to files and directories that are located within the directory structure that was created when the components were installed.
  • The permissions do not apply to any of the WebSphere Application Server subdirectories or profile files that were created for the components. Permissions for those files and directories are controlled by using WebSphere Application Server.
  • An administrator who understands file permissions and knows how to set them is available.
The file permissions are described in a format that can be used with the Linux® chmod command. The basic file permission groups are shown in the following list:
owner
The permissions assigned to this group determine which actions the owner of the file is allowed to do.
group
The permissions assigned to this group determine which actions users that are a member of a group are allowed to do.
other
The permissions assigned to this group determine which actions all other users are allowed to do.
The basic permission types are shown in the following list:
read
The user is allowed to read the contents of a file or a directory.
write
The user is allowed to write the contents of a file or write to a directory.
execute
The user is allowed to run a file or view a directory.
All of the combinations of the basic permission types can be represented as a single integer as shown in the following table. In the permission types column, r stands for read, w stands for write, and x stands for execute.
Table 1. Integers used to specify the basic permission types
Integer Permissions Permission types
0 None. ---
1 Execute only. --x
2 Write only. -w-
3 Write and execute. -wx
4 Read only. r--
5 Read and execute. r-x
6 Read and write. rw-
7 All. rwx
The permissions for the basic file permissions groups are represented as a three-digit integer, 775 for example. The first integer is the permissions for the file owner, the second is for the group, and the third is for all others. In the example of 775, the owner and group have the read, write, and execute permissions while all others have only the read and execute permissions.
Note: The system administrator needs to define the permissions for the basic file permission group called other. This group can be used to define permissions for a third-party application. It can also be used for someone that normally doesn't have any permanent permissions but requires access to specific files or folders for some reason. The Payment Feature Services components do not require that specific permissions be set for the permission group called other.
The following table describes the file permission settings that were tested for the Payment Feature Services components. Other file permission settings can also work. The file permissions that are shown in this table have equivalents in the Windows operating system.
Note: This table shows all of the path names in an AIX® directory format. Use the appropriate path delimiters for the operating system that is being used.
Table 2. File permissions suggestions for the Payment Feature Services components
Types of files or directories File permissions Example directory or directories
Do not change the file permissions for the Java™ Runtime Environment that is located in the example directories. Do not change.
  • install_directory/shared/v3213/pfs/_jvm
  • install_directory/shared/v3213/pfs/DSU/importexport/cmd64/_jvm
The directories for the components that are installed. By default, the components are installed in one of the example directories. 555
  • install_directory/shared/v3213/pfs/
  • install_directory/cps/v3213/
  • install_directory/digitalpayments/v3213/
Subdirectories of the installed components. Examples are shown in the following list:
  • Gateway inbound and outbound file processing directories
  • Business Rules Server user data directory
  • Business Rules Manager intermediate directory
  • Internal working directory space for Distribution
  • Working directories for Services Framework task files
  • Directory for the sorter image components
Consider setting the permissions to 775 because these directories are used for things such as writing, load commands, and exception recording. This information includes the following subdirectories in a component directory:
  • /cmd
  • /logs
  • /ser
  • /timings
An example of the Gateway outgoing directory is install_directory/shared/v3213/pfs/Gateway/outgoing.
Subdirectories of the installed components 755 or 555. Consider changing the permissions to 555 when the files no longer need to be altered. This information includes the following subdirectories in a component directory:
  • /bin
  • /lib
  • /profiles
  • /properties
  • /xml
Directories used for processing files Read and write permissions. Gateway intermediate paths, for example
Encrypted configuration files that are used to store passwords or special IDs. These files need to have the execute permission since they are read by utilities or by a component when it starts. 555 For example, the file specified in the newConfigurationFile property for Gateway. For more information about using this property for encrypted properties files, see General properties.