Configuring WebSphere Application Server for distributed network security credentials

You can enable IMS to audit the network security credentials that are passed to and from a Java™ EE application that runs on WebSphere® Application Server.

Before you begin

Before you enable support for distributed network security credentials that are passed from your Java EE application, ensure that the following items are enabled:
  • Container-managed security for your application. If your application does not have container-managed security, you might have to modify your application’s web.xml file.
  • An external user account registry, such as an LDAP server, that contains authorized users.

About this task

The following procedure makes the following assumptions:
  • That you use an LDAP server as the external user registry. However, you can use any other user registry that is supported by WebSphere Application Server.
  • That you use IMS_Login as the alias name for the login module that you create.
  • That a login module is linked to a simple imsicoivp.ear application, which sends a /STA OTMA command.

Procedure

  1. Set up the user registry.
    1. On the left menu, click Security and then Global Security. Then, in the User account repository area, select Standalone LDAP Registry from the Available realm definitions list. Click Configure.
    2. In the configuration menu for your LDAP server, specify the primary administrative user name. This user name must be defined in the LDAP server.
      The administrative user name consists of a unique user ID, an organization unit, and one or more domains. In the following example administrative user name, the unique user ID is admin, the organization unit is users, and the domains are security and com:
      uid=admin,ou=users,dc=security,dc=com
    3. Specify the host and port address of your LDAP server.
    4. Specify the base distinguished name of your LDAP server.
      The base distinguished name is the directory that holds authorized users. For example, the following base distinguished name might be used:
      ou=users,dc=security,dc=com
      If the preceding base distinguished name is used, the following example users are authorized:
      uid=admin,ou=users,dc=security,dc=com
      cn=Bob,ou=users,dc=security,dc=com
    5. Click Test connection to test the connection to the LDAP server. Then, click Apply.
    6. On the Global Security page, select Standalone LDAP registry from the Available realm definitions list, and then click Set as current. Then, click Apply.
      Your user account registry is set up. The login module uses this user account registry to authenticate distributed network security credentials that are entered.
  2. Enable security for WebSphere Application Server and install the custom JAAS login module.
    1. Ensure that your server has Administrative and Application Security enabled. On the left side of the WebSphere Application Server window, click Security > Global Security, and then select Enable administrative security and Enable application security.
    2. In the right panel, click Authentication and expand Java Authentication and Authorization Service. Click Application logins and then click New.
    3. Create an alias name for the login module. The following steps in this procedure assume that you create an alias name of IMS_Login. Then, in the JAAS login modules table, click New.
    4. Specify the module class name com.ibm.ims.login.IMSLoginModule. This is the login module that is bundled with the IMS TM resource adapter.
    5. From the Authentication strategy list, select REQUIRED.
    6. In the Custom properties section, add a new custom property. Enter propIdentity as the name and Caller as the value.
    7. If you have a web application and the URI is unprotected, you must allow WebSphere Application Server to prompt for authentication with unprotected URIs. To enable WebSphere Application Server to prompt for authentication, on the Global Security page, click Web and SIP Security. Select General Settings.
    8. In the Web authentication behavior area, select Authenticate when any URI is accessed.
  3. Map the login module to your application.
    1. On the left menu, click Applications. Then, click Application Types and click the imsicoivp.ear application.
    2. Click Resource References, select your application, and click Modify Resource Authentication Method.
    3. Select Use custom login configuration, and then select IMS_Login from the Application login configuration list. Click Apply > OK.

Results

After you map the login module to your application, you are prompted to enter a user name and password when you start and open your application in your web browser. Enter your distinguished name as the user name. The following example of a log file snippet shows that the IMS TM resource adapter successfully received the distributed network security credentials:
********************
TMRA has received the following credentials:
Security Realm: '0.0.0.0:10389'
Distinguished Name: 'uid=admin,ou=users,dc=security,dc=com'
Authenticated?: 'true'
********************
If the credentials are valid and exist in the LDAP registry, the distinguished name and realm are propagated to IMS.
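The following Python is an added example, not code from IBM or from the IMS TM resource adapter. It parses a constructed copy of the TMRA log block shown above and checks that the reported distinguished name lies under the base distinguished name configured in step 1, comparing RDN components rather than a raw string suffix (the log format and the base DN are the ones given on this page; everything else is assumed).

```python
import re

# Constructed copy of the TMRA log snippet shown in the Results section.
SAMPLE_LOG = """\
********************
TMRA has received the following credentials:
Security Realm: '0.0.0.0:10389'
Distinguished Name: 'uid=admin,ou=users,dc=security,dc=com'
Authenticated?: 'true'
********************
"""

def split_dn(dn):
    """Split a DN into normalized RDNs: lowercase type and value, whitespace trimmed.

    Only a comma that is not preceded by a backslash separates RDNs, so an
    escaped comma inside a value (cn=Smith\\, Bob) stays part of that value.
    Lowercasing the value assumes the caseIgnore matching rule that the ou and
    dc attributes normally use.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns

def is_under_base(dn, base_dn):
    """True when the trailing RDNs of dn equal base_dn, compared component by component.

    A plain string suffix test would wrongly accept ou=otherusers,dc=security,dc=com
    for the base ou=users,dc=security,dc=com; the RDN comparison does not.
    The base entry itself is not an authorized user entry, so it is rejected too.
    """
    dn_rdns, base_rdns = split_dn(dn), split_dn(base_dn)
    return len(dn_rdns) > len(base_rdns) and dn_rdns[-len(base_rdns):] == base_rdns

def parse_tmra_log(text):
    """Return the quoted "Field: 'value'" pairs of the TMRA credential block as a dict."""
    return dict(re.findall(r"^([^:\n]+?)\??: '([^']*)'$", text, re.MULTILINE))

def credentials_authorized(log_text, base_dn):
    """Check that TMRA reports an authenticated caller whose DN lies under base_dn."""
    fields = parse_tmra_log(log_text)
    return (fields.get("Authenticated") == "true"
            and is_under_base(fields.get("Distinguished Name", ""), base_dn))

if __name__ == "__main__":
    print(credentials_authorized(SAMPLE_LOG, "ou=users,dc=security,dc=com"))
```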