You can customize security to some extent at the application server level. You can
disable administrative security on an application server.
Before you begin
Deprecated feature: Server-level security has been deprecated in this release of WebSphere® Application Server. Multiple security domain support has been added in its place. You can create different security configurations and assign them to different applications in WebSphere Application Server processes. By creating multiple security domains, you can configure different security attributes for both administrative and user applications within a cell environment. You can configure different applications to use different security configurations by assigning the servers, clusters, or SIBuses that host these applications to the security domains. Read about Multiple security domains for more detailed information.
You can also modify Java™ 2 Security and some of the other security attributes that are found on the Global security panel, which provides access to the cell-level security settings. You cannot configure a different authentication mechanism or user registry on an individual server basis; those settings are limited to cell-level configuration.
By default, server security inherits all of the values that are configured for cell-level security. To override the cell-level security configuration at the server level, click Servers > Application Servers > server_name. Under Security, click Server Security and click any of the following links:
- CSIv2 inbound authentication
- CSIv2 outbound authentication
- CSIv2 inbound transport
- CSIv2 outbound transport
- SAS inbound transport
- SAS outbound transport
- z/SAS authentication
- Server-level security
SAS (z/SAS on z/OS) is supported only between Version 6.0.x and earlier-version servers that have been federated into a Version 6.1 cell.
After you modify the configuration in any of these panels and click OK or Apply, the security configuration for that panel or set of panels overrides cell-level security. Panels that are not overridden continue to inherit the cell-level configuration. You can revert to the cell-level security configuration at any time by clearing the check box next to any of the following options on the Server security panel:
- Security settings for this server override cell setting
- RMI/IIOP security for this server overrides cell settings
- SAS security for this server overrides cell settings
A number of additional Secure Authentication Services for z/OS® (z/SAS) attributes can be considered for security at the server level, such as:
- Local identity
- Remote identity
- Sync to thread allowed
For more information,
see Server and administrative security.
Procedure
- Start the administrative console for the deployment manager. To get to the administrative console, go to http://host.domain:port_number/ibm/console. If security is disabled, you can enter any ID. If security is enabled, you must enter a valid user ID and password, which is either the administrative ID that is configured for the user registry or a user ID that has been added as an administrative user. To add a user ID as an administrative user, click System Administration > Console settings > Console users.
- Configure cell-level security if you have not configured it previously. Go to Enabling security for detailed steps. After cell-level security is configured, configure server-level security.
Attention: Selecting the Enable application security option on the Server-level security panel of the administrative console does not, by itself, enable server-level security. You must also enable cell-level security by selecting the Enable administrative security option on the Global security panel of the administrative console.
- To configure server-level security, click Servers > Application Servers > server_name. Under Security, click Server security. The status of the security level that is in use for this application server is displayed. By default, you can see that your cell-level security configuration, Common Secure Interoperability (CSI), and SAS (z/SAS on z/OS) have not been overridden at the server level. CSI and SAS are authentication protocols for RMI/IIOP security requests. The Server-level security panel lists the attributes that appear on the Global security panel and can be overridden at the server level. Not all of the attributes on the Global security panel can be overridden at the server level; the user account repository, for example, cannot.
- To enable administrative security for this application server, go to the Server-level security panel and select both the Security settings for this server override cell setting option and the Enable application security option. Settings that you change on the Server-level security panel override the corresponding cell-level security settings.
- Click Apply and Save.
- To enable RMI/IIOP security for the application server, go to the Server-level security panel, select the RMI/IIOP security for this server overrides cell settings option, and click Apply. Once this option is selected, any changes that you make to the CSIv2 authentication or transport settings override the same settings at the cell level.
What to do next
Typically, server-level security is used to disable user security for a specific application server. However, it can also be used to disable or enable the Java 2 security manager, and to configure the authentication requirements for RMI/IIOP requests both incoming to and outgoing from this application server. After you modify the configuration for a particular application server, you must restart that application server for the changes to take effect. To restart the application server, go to Servers > Application servers, click the name of the server that you modified, click Stop, and then click Start.
If you disabled security for the application server, you can test it by requesting a web address that is protected when security is enabled. The snoop servlet, which is part of the DefaultApplication that is usually installed during installation, provides one such URL. If the DefaultApplication is installed on the application server, verify that security is disabled by going to http://host.domain:9080/snoop. If security is disabled, no login prompt is displayed. This URL is just one way of validating the configuration; validate that the configuration is appropriate for your own applications.
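The check described above, done from a script rather than a browser, as an added example that is not IBM's code and is not part of the original page. It requests the snoop URL without following redirects and reports whether the server demanded credentials (an HTTP 401 basic-auth challenge, a redirect to a login page, or a served form-login page, which in Java EE posts to j_security_check) or served the page openly. The host http://host.domain:9080/snoop is the placeholder from the procedure, the "login" substring used to spot a login redirect is an assumption about your login page name, and the sample responses embedded in the block are constructed, not captured from a real server.

```python
import urllib.error
import urllib.request

# Placeholder from the page's procedure; replace host.domain and the port
# with a real server. This URL is an assumption, not a live endpoint.
SNOOP_URL = "http://host.domain:9080/snoop"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a bounce to a login page stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError with the 3xx status


def classify(status, headers, body):
    """Classify one HTTP response to a protected URL.

    Returns 'prompt' when the server demanded credentials, 'open' when the
    resource was served without any challenge, and 'other' for anything else
    (for example a 404 because DefaultApplication is not installed).
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Basic-auth challenge: a 401 carrying a WWW-Authenticate header.
    if status == 401 and "www-authenticate" in hdrs:
        return "prompt"
    # Form login often redirects to a login page first. Matching on "login"
    # in the Location header is an assumption about the login page name.
    if status in (301, 302, 303, 307) and "login" in hdrs.get("location", "").lower():
        return "prompt"
    if status == 200:
        # ...or the login form is served in place of the page. Java EE form
        # login posts to j_security_check, so that token identifies the form.
        return "prompt" if "j_security_check" in body else "open"
    return "other"


def check_url(url=SNOOP_URL, timeout=10):
    """Fetch url without following redirects and classify the response."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "was-security-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify(resp.status, dict(resp.headers), body)
    except urllib.error.HTTPError as err:
        # 401, 403, 404 and refused redirects all arrive here with headers.
        body = err.read(65536).decode("utf-8", "replace")
        return classify(err.code, dict(err.headers), body)


def security_disabled(url=SNOOP_URL):
    """True only if the protected URL is served with no credential prompt."""
    return check_url(url) == "open"


# Constructed sample responses (not captured from a real server) showing the
# outcomes the check distinguishes; each is (status, headers, body).
SAMPLE_RESPONSES = {
    "basic_auth": (401, {"WWW-Authenticate": 'Basic realm="Default Realm"'}, ""),
    "form_login": (200, {"Content-Type": "text/html"},
                   '<form method="POST" action="j_security_check">'),
    "login_redirect": (302, {"Location": "http://host.domain:9080/login.jsp"}, ""),
    "open_snoop": (200, {"Content-Type": "text/html"},
                   "<html><title>Snoop Servlet</title></html>"),
    "not_installed": (404, {}, ""),
}


def demo():
    """Classify every constructed sample; used to exercise classify() offline."""
    return {name: classify(*resp) for name, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} -> {verdict}")
    print(SNOOP_URL, "->", check_url())
```

Run it after restarting the server; "open" for the snoop URL confirms that the server-level override disabled security, while "prompt" means the cell-level setting still applies or the server was not restarted. Because only the response shape is inspected, the same check works for any other protected URL you pass to check_url.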