Use this panel to configure administration and the default
application security policy. This security configuration applies to
the security policy for all administrative functions and is used as
a default security policy for user applications. Security domains
can be defined to override and customize the security policies for
user applications.
About this task
Start the administrative console by specifying the following
website:
http://server_hostname:port_number/ibm/console
Perform the following steps to enable administrative security. The options
on the Global security panel provide greater flexibility than previous
releases of WebSphere® Application Server in enforcing
security in your environment.
Procedure
- Click Security > Global security.
- Select the Enable administrative security option.
- Optional: Clear the Enable application security option
if you do not want to require WebSphere Application Server
to authenticate application users.
- Optional: Clear the Use Java™ 2 security to restrict application access to local resources option
if you do not want to enable Java 2 Security permission checking.
When Java 2 Security is enabled, an application that requires more Java 2 security permissions than
the default policy grants might fail to run properly until the required permissions are granted
in either the app.policy file or the was.policy file of the application. Applications that do not
hold all of the required permissions generate java.security.AccessControlException errors at run time.
Review the Java 2 Security and Dynamic Policy documentation if you are unfamiliar with Java 2 security.
Leave permission checking enabled unless an application genuinely cannot run under it: it is the
control that limits what deployed application code can do with local files, sockets, and system
properties, and clearing the option removes that limit for every application on the cell.
Note: Updates to the app.policy file apply only to the enterprise applications on the node
to which the app.policy file belongs.
- Optional: Select the Warn if applications are granted custom permissions option.
The filter.policy file contains a list of permissions that an application should not have
according to the J2EE 1.3 Specification. If this option is enabled and an application is
installed with a permission that is listed in filter.policy, a warning is issued. The option
is enabled by default.
- Optional: Select the Restrict access
to resource authentication data option if you must restrict application
access to sensitive Java EE
Connector Architecture (JCA) mapping authentication data.
- Select which authentication mechanism is active when security is enabled
from the Authentication mechanisms and expiration menu.
In this release of WebSphere Application Server,
the authentication mechanism choices include LTPA and Kerberos.
Note: SWAM was deprecated in WebSphere Application Server Version 8.5 and will
be removed in a future release.
- Use the User account repository menu
to specify the repository that is active when security is enabled.
You can configure settings for one of the following user repositories:
- Federated repositories
- The federated repositories functionality enables you to use multiple
registries with WebSphere Application Server. These registries,
which can be file-based registries, LDAP registries, or a subtree
of an LDAP registry, are defined separately and logically combined under
a single repository.
- Local operating system
- The implementation is a System Authorization Facility (SAF) compliant
registry such as the Resource Access Control Facility (RACF®),
which is shared in an MVS™ sysplex.
- Standalone LDAP registry
- The stand-alone LDAP registry settings are used when users and
groups reside in an external LDAP directory. When security is enabled
and any of these properties are changed, go to the Global security
panel and click OK or Apply to validate the changes.
- Stand-alone custom registry
- The stand-alone custom registry feature supports any user registry
that WebSphere Application Server does not implement itself.
You plug such a registry into the product environment by implementing
the UserRegistry interface.
- Optional: Select the Use the United States
Federal Information Processing Standard (FIPS) algorithms option
from the Security > SSL certificate and key management panel
if you are using a FIPS-certified JSSE.
WebSphere Application Server supports a channel framework that uses IBMJSSE2.
IBMJSSE2 uses IBMJCEFIPS for cryptographic support when you enable the
Use the United States Federal Information Processing Standard (FIPS) algorithms option.
- Click OK.
This panel performs a final validation of the security configuration.
When you click OK or Apply from this panel, the security validation routine
runs and any problems are reported. When you complete all of the fields,
click OK or Apply to accept the selected settings, then click Save to persist
the settings to the master configuration. Informational messages in red
indicate that security validation failed; the message usually names the
problem. Review your configuration to verify that the correct registry is
selected, that the user registry settings are accurate, and that the
administrative user ID you intend to use exists in that registry. In some
cases, the LTPA configuration might not be fully specified. Security settings
take effect only after you restart the affected servers; confirm that you can
log in to the console with the new administrative user ID before you close
your current session.
For detailed information, see Global security settings.
- Optional: Configure for SAF Authorization.
For more information on these settings, see z/OS System Authorization Facility authorization.
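The Warn if applications are granted custom permissions step compares the permissions an application requests in its was.policy (or the node's app.policy) against the entries in filter.policy. The following Python script is an added example, not IBM code and not part of this page, that performs that same comparison offline on copies of the two files, so you can see which grants would trigger the warning before you install an application. The filter.policy and was.policy texts embedded in the script are constructed for illustration (a real filter.policy may list other entries); the grant/codeBase/permission grammar is the standard Java policy-file syntax, and the name-matching rule is a simplified stand-in for java.security.Permission.implies().

```python
"""Flag grants in a WebSphere was.policy/app.policy that filter.policy forbids.

Added example, not IBM code. The policy texts below are constructed samples;
real files live under profile_root/config/cells/cell_name/ (filter.policy,
app.policy) and in the application's META-INF (was.policy).
"""
import re
from collections import namedtuple

Permission = namedtuple("Permission", "cls target actions")

# Constructed stand-in for filter.policy.
FILTER_POLICY = '''
filterMask {
    // permissions a J2EE application should not be granted
    permission java.lang.RuntimePermission "exitVM";
    permission java.lang.RuntimePermission "setSecurityManager";
    permission java.security.SecurityPermission "setPolicy";
    permission java.security.SecurityPermission "setProperty.*";
};
'''

# Constructed was.policy: the second grant block should trigger a warning.
SAMPLE_WAS_POLICY = '''
grant codeBase "file:${application}" {
    permission java.net.SocketPermission "*", "connect,resolve";
    permission java.util.PropertyPermission "*", "read";
};
grant codeBase "file:${jars}" {
    permission java.lang.RuntimePermission "setSecurityManager";
    permission java.io.FilePermission "${was.install.root}${/}-", "read";
};
'''

# Quoted strings are matched first so "//" inside a codeBase URL survives.
_COMMENT_RE = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*', re.S)
# Header and body may contain braces only inside quoted strings (${application}).
_BLOCK_RE = re.compile(
    r'(grant|filterMask|runtimeFilterMask)\b'
    r'((?:[^{"]|"[^"]*")*)\{'      # header up to the opening brace
    r'((?:[^}"]|"[^"]*")*)\}\s*;'  # body up to the closing brace
)
_CODEBASE_RE = re.compile(r'codeBase\s+"([^"]*)"')
_PERM_RE = re.compile(
    r'permission\s+([\w.$]+)'      # permission class name
    r'(?:\s+"([^"]*)")?'           # optional target name
    r'(?:\s*,\s*"([^"]*)")?'       # optional action list
    r'\s*;'
)


def _strip_comments(text):
    return _COMMENT_RE.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)


def parse_policy(text):
    """Return [(scope, [Permission])] for every block in a policy file.

    scope is the codeBase of a grant block ("<all code>" if it has none) or
    the block keyword for filterMask/runtimeFilterMask blocks.
    """
    blocks = []
    for kind, header, body in _BLOCK_RE.findall(_strip_comments(text)):
        if kind == "grant":
            m = _CODEBASE_RE.search(header)
            scope = m.group(1) if m else "<all code>"
        else:
            scope = kind
        perms = [Permission(c, t or None, a or None) for c, t, a in _PERM_RE.findall(body)]
        blocks.append((scope, perms))
    return blocks


def _target_matches(filter_target, granted_target):
    """Simplified Permission.implies() on the name part only: no target or
    "*" covers every name, a trailing "*" is a prefix wildcard, else exact."""
    if filter_target is None or filter_target == "*":
        return True
    if filter_target.endswith("*"):
        return (granted_target or "").startswith(filter_target[:-1])
    return filter_target == granted_target


def check_app_policy(app_policy_text, filter_policy_text):
    """Return [(codeBase, class, target)] for each granted permission that
    filter.policy says an application should not have."""
    filtered = [p for _, perms in parse_policy(filter_policy_text) for p in perms]
    warnings = []
    for scope, perms in parse_policy(app_policy_text):
        for p in perms:
            if any(f.cls == p.cls and _target_matches(f.target, p.target) for f in filtered):
                warnings.append((scope, p.cls, p.target))
    return warnings


if __name__ == "__main__":
    for scope, cls, target in check_app_policy(SAMPLE_WAS_POLICY, FILTER_POLICY):
        print('WARNING: %s grants filtered permission %s "%s"' % (scope, cls, target))
```

Run it against a real pair of files by reading them into the two arguments of check_app_policy; any line it reports is a grant the console would warn about, and is usually one that should be removed from was.policy rather than tolerated.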
Results
Configuration is successful when error messages are not displayed.