Testing security after enabling it
Basic tests are available that show whether the fundamental security components are working properly. Use this task to validate your security configuration.
Before you begin
After configuring administrative security and restarting all of your servers in a secure mode, validate that security is properly enabled.
![[AIX Solaris HP-UX Linux Windows]](../images/ngdist.svg)
![[IBM i]](../images/ngibmi.svg)
There are
a few techniques that you can use to test the various security login
types. For example, you can test the Web-based BasicAuth login,
Web-based form login, and the Java™ client BasicAuth login.
Basic tests are available that show whether the fundamental security components are working properly. Complete the following steps to validate your security configuration:
Procedure
- Test
the Web-based BasicAuth with Snoop,
by accessing the following URL: http://hostname.domain:9080/snoop.
A login panel is displayed. If a login panel
does not display, then a problem exists. If the panel appears, type
in any valid user ID and password in your configured user registry.Note: The Snoop servlet is only available in the domain if you included the DefaultApplication option when adding the application server to the cell. The -includeapps option for the addNode command migrates the DefaultApplication option to the cell. Otherwise, skip this step.
- Test the Web-based form login by starting the administrative
console: http://hostname.domain:port_number/ibm/console.
A form-based login page is displayed. If a login page does not appear, try accessing the administrative console by typing https://myhost.domain:9043/ibm/console.Type in the administrative user ID and password that are used for
configuring your user registry when configuring security.
- Test Java Client BasicAuth with dumpNameSpace.
Use the app_server_root/bin/dumpNameSpace.bat file.
A login panel appears. If a login panel does not appear, there is
a problem. Type in any valid user ID and password in your configured
user registry.
![[z/OS]](../images/ngzos.svg)
Use the app_server_root/bin/dumpNameSpace.sh file.
A login panel appears. If a login panel does not appear, there is
a problem. Type in any valid user ID and password (or password
phrase) in your configured user registry.Use
the app_server_root/bin/dumpNameSpace file.
A login panel appears. If a login panel does not appear, there is
a problem. Type in any valid user ID and password in your configured
user registry. - If all the tests pass, proceed with more rigorous testing
of your secured applications. If you have any problems, review the SYSOUT and SYSPRINT logs. For more information on common problems, see Troubleshooting security configurations.Note: Testing synchronizing of the node agent is a good test. To do so, make a small change to the
configuration and save and synchronize those changes. If there are no errors, proceed.
Results
Example
- Enable security while installing the Base Application Server.
- Log onto the administrative console with a wsadmin user ID and password.
- Navigate to Applications > Enterprise Applications > DefaultApplication > Security role to user/group mapping.
- Add a user. Select the role All Role, and click Lookup User.
- Map one of the users (for example, TESTER1) with the role All Role. For more information on mapping, see Look up users.
- Save the configuration.
- Run Resource Access Control Facility (RACF®)
commands for the role All Role to find those that are associated with
the TESTER1 user ID.Note: In the RACF command,
enter All Role as All#Role, as in the following example:
RDEFINE EJBROLE S30CSA1.All#Role UACC(NONE) APPLDATA('TESTER1') PERMIT S30CSA1.All#Role CLASS(EJBROLE) ID(TESTER1) ACCESS(READ) SETROPTS RACLIST(EJBROLE) REFRESH PE S30CSA1 CLASS(APPL) ID(TESTER1) ACCESS(READ) - Access the application with the user ID TESTER1 at http://localhost:port/snoop.