Configuring security domains using scripting

Use this topic to create multiple security domains in your configuration. With multiple security domains, administrative applications and user applications in the same cell can run under different security attributes (user registry, authentication settings, authorization data), instead of all sharing the single global security configuration.

Before you begin

You must have the administrator role to configure security domains. Also, enable global security in your environment before configuring multiple security domains.

About this task

You can create multiple security domains to customize your security configuration. Use multiple security domains to achieve the following goals:
  • Configure different security attributes for administrative and user applications within a cell
  • Consolidate server configurations by managing different security configurations within a cell
  • Restrict access between applications with different user registries, or configure trust relationships between applications to support communication across registries
Use the following steps to create a new security domain with the wsadmin tool:

Procedure

  1. Launch the wsadmin scripting tool using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.
  2. Create a security domain.

You can create a security domain in one of three ways: create an empty domain, copy an existing domain, or copy the global security configuration.

    • Use the createSecurityDomain command to create the domain-security.xml and domain-security-map.xml security files in the profile_root/config/waspolicies/default/securitydomains/security_domain_name directory. The new domain-security.xml file contains no configuration data; the domain inherits nothing until you configure attributes in it. Use the following Jython command example to create a security domain:
      AdminTask.createSecurityDomain('-securityDomainName securityDomain1 -securityDomainDescription "handles user applications"')
      The command returns the object name of the security domain that was created, as the following example output demonstrates:
      'waspolicies/default/securitydomains/securityDomain1:domain-security.xml#AppSecurity_1183132319126'
    • Use the copySecurityDomain command to create a new security domain with the attributes of an existing security domain. If the existing domain has an active user registry defined, the copy must use a different realm name for that registry, because realm names must be unique across security configurations. If you do not specify -realmName, the command assigns one.
      Table 1. copySecurityDomain command parameters
      Parameter                     Description
      -securityDomainName           Name of the new security domain to create (String, required)
      -copyFromSecurityDomainName   Name of the existing security domain to copy (String, required)
      -realmName                    Realm name to assign to the active user registry in the new domain; if omitted, the command assigns one (String, optional)
      -securityDomainDescription    Description for the new security domain (String, optional)
      Use the following Jython command to copy an existing security domain:
      AdminTask.copySecurityDomain('-securityDomainName copyOfDomain1 -copyFromSecurityDomainName securityDomain1')
      The command returns the object name of the new security domain, as the following example output demonstrates:
      'waspolicies/default/securitydomains/copyOfDomain1:domain-security.xml#AppSecurity_1183132319186'
    • Use the copySecurityDomainFromGlobalSecurity command to create a security domain by copying the global security configuration. If the global security configuration has an active user registry defined, the new domain must use a different realm name for that registry. If you do not specify -realmName, the command assigns one.
      Table 2. copySecurityDomainFromGlobalSecurity command parameters
      Parameter                     Description
      -securityDomainName           Name of the new security domain to create (String, required)
      -realmName                    Realm name to assign to the active user registry in the new domain; if omitted, the command assigns one (String, optional)
      -securityDomainDescription    Description for the new security domain (String, optional)
      Use the following Jython command to copy the global security configuration:
      AdminTask.copySecurityDomainFromGlobalSecurity('-securityDomainName GScopy')
      The command returns the object name of the new security domain, as the following example output demonstrates:
      'waspolicies/default/securitydomains/GScopy:domain-security.xml#AppSecurity_1183132319186'
  3. Save your configuration changes.
    Changes made with AdminTask are held in the wsadmin workspace and are not written to the configuration repository until you save them. Use the following command to save your configuration changes:
    AdminConfig.save()
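The three steps above, collected into one script. This is an added example and not code from the original page or from IBM: it builds the parameter strings the AdminTask commands expect, checks the object name each command returns against the domain name that was requested, saves, and verifies the domains are listed afterwards. Under the real wsadmin client the AdminTask and AdminConfig objects are supplied by the tool; the StubAdminTask and StubAdminConfig classes here are constructed stand-ins that mimic the return values shown on the page so the script runs offline. AdminTask.listSecurityDomains is assumed to return a list of domain names, and the domain name GScopy, the realm name appRealm and the config ids are illustrative.

```python
import re

# Shape of the object name that createSecurityDomain, copySecurityDomain and
# copySecurityDomainFromGlobalSecurity return, as shown on the page:
#   waspolicies/default/securitydomains/<name>:domain-security.xml#AppSecurity_<digits>
OBJECT_NAME_RE = re.compile(
    r"^waspolicies/default/securitydomains/(?P<name>[^:/]+):"
    r"domain-security\.xml#(?P<cfgid>AppSecurity_\d+)$"
)


def wsadmin_args(**params):
    """Build the single parameter string that an AdminTask command takes.

    Values containing whitespace are wrapped in double quotes, as in
    -securityDomainDescription "handles user applications". A value that
    contains a double quote or a newline is rejected instead of quoted,
    because it could be parsed as additional parameters. None values are
    omitted so optional parameters can simply be left unset.
    """
    parts = []
    for key, value in params.items():
        if value is None:
            continue
        value = str(value)
        if '"' in value or "\n" in value:
            raise ValueError("unsafe characters in value for -%s" % key)
        if any(ch.isspace() for ch in value):
            value = '"%s"' % value
        parts.append("-%s %s" % (key, value))
    return " ".join(parts)


def parse_object_name(obj_name):
    """Return (domain name, config id) from a returned object name, or raise."""
    m = OBJECT_NAME_RE.match(obj_name)
    if not m:
        raise ValueError("unexpected object name: %r" % obj_name)
    return m.group("name"), m.group("cfgid")


def _checked(obj_name, requested):
    """Confirm the command created the domain that was asked for."""
    created, cfgid = parse_object_name(obj_name)
    if created != requested:
        raise RuntimeError("asked for %s but command returned %s" % (requested, created))
    return cfgid


def create_domain(admin_task, name, description=None):
    """Step 2, first form: create an empty security domain."""
    if name in admin_task.listSecurityDomains():
        raise ValueError("security domain %s already exists" % name)
    obj = admin_task.createSecurityDomain(
        wsadmin_args(securityDomainName=name, securityDomainDescription=description))
    return _checked(obj, name)


def copy_from_global(admin_task, name, realm, description=None):
    """Step 2, third form: copy global security under an explicit realm name."""
    if name in admin_task.listSecurityDomains():
        raise ValueError("security domain %s already exists" % name)
    obj = admin_task.copySecurityDomainFromGlobalSecurity(
        wsadmin_args(securityDomainName=name, realmName=realm,
                     securityDomainDescription=description))
    return _checked(obj, name)


def run_procedure(admin_task, admin_config):
    """Steps 2 and 3: create one empty domain, copy global security, save."""
    ids = {}
    ids["securityDomain1"] = create_domain(
        admin_task, "securityDomain1", "handles user applications")
    ids["GScopy"] = copy_from_global(admin_task, "GScopy", "appRealm")
    admin_config.save()  # nothing reaches the repository before this call
    listed = admin_task.listSecurityDomains()
    for name in ids:
        if name not in listed:
            raise RuntimeError("%s is not listed after save" % name)
    return ids


class StubAdminTask:
    """Constructed stand-in for wsadmin's AdminTask (offline runs only)."""

    def __init__(self):
        self.domains = []
        self.calls = []
        self._next = 1183132319126  # id from the page's example output

    def _register(self, args):
        name = re.search(r"-securityDomainName (\S+)", args).group(1)
        self.domains.append(name)
        cfgid, self._next = self._next, self._next + 1
        return ("waspolicies/default/securitydomains/%s:"
                "domain-security.xml#AppSecurity_%d" % (name, cfgid))

    def listSecurityDomains(self):
        return list(self.domains)

    def createSecurityDomain(self, args):
        self.calls.append(("createSecurityDomain", args))
        return self._register(args)

    def copySecurityDomainFromGlobalSecurity(self, args):
        self.calls.append(("copySecurityDomainFromGlobalSecurity", args))
        return self._register(args)


class StubAdminConfig:
    """Constructed stand-in for wsadmin's AdminConfig."""

    def __init__(self):
        self.saved = False

    def save(self):
        self.saved = True


if __name__ == "__main__":
    print(run_procedure(StubAdminTask(), StubAdminConfig()))
```

To run the same logic inside wsadmin, drop the stub classes and call run_procedure(AdminTask, AdminConfig); the quoting check in wsadmin_args matters most when domain names or descriptions come from an external inventory rather than a hand-typed script.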

What to do next

Use the wsadmin tool to map a scope (for example, a server, cluster, or service integration bus) to the security domain; until a scope is mapped, the new domain applies to nothing and the global security configuration remains in effect. You can also configure security artifacts in the newly created domain, including:
  • configuring user registries.
  • enabling application and Java™ EE security.
  • setting Lightweight Third-Party Authentication (LTPA) timeout.
  • configuring System and Application Java™ Authentication and Authorization Service (JAAS) login.
  • configuring Java 2 Connector (J2C) authorization data.
  • configuring Remote Method Invocation over Internet Inter-ORB Protocol (RMI/IIOP) security.