Enabling security for the realm

Use this topic to enable IBM® WebSphere® Application Server security. You must enable administrative security for all other security settings to function.

About this task

WebSphere Application Server uses cryptography to protect sensitive data and to ensure confidentiality and integrity of communications between WebSphere Application Server and other components in the network. Cryptography is also used by Web Services Security when certain security constraints are configured for the web services application.

[AIX Solaris HP-UX Linux Windows]WebSphere Application Server uses Java™ Secure Sockets Extension (JSSE) and Java Cryptography Extension (JCE) libraries in the Software Development Kit (SDK) to perform this cryptography. The SDK provides strong but limited jurisdiction policy files. Unrestricted policy files provide the ability to perform full strength cryptography and to improve performance.

[AIX Solaris HP-UX Linux Windows]WebSphere Application Server provides an SDK 6 that contains strong, but limited jurisdiction policy files. You can download the unrestricted policy files from the following website: IBM developer kit: Security information.

Avoid trouble: Fix packs that include updates to the Software Development Kit (SDK) might overwrite unrestricted policy files and the cacerts file. Back up unrestricted policy files and the cacerts file before you apply a fix pack and reapply these files after the fix pack is applied. These files are located in the {was_install_directory}\java\jre\lib\security directory. For Java 8.0.5.10, Java 7.1.4.20, Java 7.0.10.20, Java 6.1.8.60, and onward, the restricted policy files are the default. From these releases onward, the unrestricted policy files are still overwritten, but they are overwritten with the same file. You do not need to recopy them after you apply the service.
Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, you must check the laws of your country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.
Complete the following steps to download and install the new policy files:
  1. Click Java SE 6
  2. Scroll down the page then click IBM SDK Policy files.

    The Unrestricted JCE Policy files for SDK 6 website displays.

  3. Click Sign in and provide your IBM.com ID and password.
  4. Select Unrestricted JCE Policy files for SDK 6 and click Continue.
  5. View the license and click I Agree to continue.
  6. Click Download Now.
  7. Extract the unlimited jurisdiction policy files that are packaged in the compressed file. The compressed file contains a US_export_policy.jar file and a local_policy.jar file.
  8. [AIX Solaris HP-UX Linux Windows]In your WebSphere Application Server installation, go to the $JAVA_HOME/jre/lib/security directory and back up your US_export_policy.jar and local_policy.jar files.
  9. Replace your US_export_policy.jar and local_policy.jar files with the two files that you downloaded from the IBM.com website.

Complete the following steps to enable security for the realm:

Procedure

  1. Enable security in the WebSphere Application Server. Make sure that all node agents within the cell are active beforehand.

    For more information, see Enabling security. It is important to click Security > Global security. Select an available realm definition from the list, and then click Set as current so that security is enabled upon a server restart.

    Note: In previous releases of WebSphere Application Server, the Set as current option is known as the Enable global security option.
  2. Before restarting the server, log off the administrative console.
    You can log off by clicking Logout at the menu bar.
  3. Stop the server by going to the command line in the WebSphere Application Server app_server_root/bin directory and issue a stopServer server_name command.
  4. Restart the server in secure mode by issuing the command startServer server_name.
    Once the server is secure, you cannot stop the server again without specifying an administrative user name and password. To stop the server once security is enabled, issue the command, stopServer server_name -username user_id -password password. Alternatively, you can edit the soap.client.props file in the profile_root/properties directory, and edit the com.ibm.SOAP.loginUserid or com.ibm.SOAP.loginPassword properties to contain these administrative IDs.

    If you have any problems restarting the server, review the output logs in the profile_root/logs/server_name directory. Check the Troubleshooting security configurations article for any common problems.