Configuring IBM WebSphere DataPower XC10 Appliance user interface security

Much of the security functionality offered by WebSphere® DataPower® XC10 Appliance is built into the construction of the appliance. The settings described here add options for controlling how users register, how the xcadmin password can be recovered, and whether appliance administrators can read data grid contents in your environment.

Before you begin

You must be assigned the Appliance administration permission to perform these steps.

To familiarize yourself with the security features built into the appliance, see IBM WebSphere DataPower XC10 Appliance security overview.

About this task

To tighten the security posture of the appliance, you can configure several options that control how users register, recover credentials, and access data.

Procedure

  1. Navigate to the Settings panel using one of the following methods:
    • From the menu bar at the top of the WebSphere DataPower XC10 Appliance user interface, navigate to Appliance > Settings.
    • From the Welcome page, click the Customize settings link in the Step 1: Set up the appliance section.
  2. Expand Security.
  3. Set your security permissions.
    1. Set the Allow new users to create their own accounts field. The default value for this field is Disabled. This field specifies whether a user can create their own account. In WebSphere DataPower XC10 Appliance, self-registered users have appliance monitoring permission by default. Enable this option only if you want anyone who can reach the user interface to also have appliance monitoring permission. When this field is Enabled, a Register button displays on the login screen. See Self-registering a new user account for more details on self user registration.
      Important: When you enable Lightweight Directory Access Protocol (LDAP) authentication, the option to self-register new users is disabled. If you want to allow self-registration, you must disable LDAP and enable the Allow new users to create their own accounts option. Remember that when LDAP is enabled, you are automatically enrolled with your own account if you can authenticate with the LDAP server; your account is created simply by logging in to the appliance.
    2. Set the Allow password reset from the serial console field. The default value for this field is Disabled.

      Disabled: Make sure that you configure an SMTP server and an email address for the xcadmin user. These configurations ensure that if the xcadmin password is lost, there is still a way to reset it. If this field is disabled and these configurations are not made, it is impossible to reset a lost xcadmin password and the appliance must be returned to IBM for remanufacturing.

      Enabled: You can reset the password for the xcadmin user over a serial connection, with no other credentials required and without an SMTP message. If you select this option, physical access to your WebSphere DataPower XC10 Appliance becomes even more sensitive than usual: anyone who can connect to the serial console can reset the xcadmin password and gain administrator access to the appliance. Enable this option only if the serial port is physically protected.

    3. [Version 2.5.0.4 and later] Set the Allow administrative users to access grid data field. The default value for this field is Enabled.

      This field specifies whether an administrative user can access the data in a data grid. In earlier versions, the appliance administration permission also granted permission to run administrative tasks on the data grid, including reading its contents. When you disable this field, appliance administrators lose data access to grids that they did not create.

      When this field is disabled, only the creator of the data grid has access to the data. Administrators can still monitor data grids; however, they cannot actually see data in the data grid. For example, in the monitoring console, click Data Management > Query Data Grid Contents. If you are not the creator for a data grid, then you can no longer query data in the data grid when this field is disabled. Administrative users can still view data for grids that they have created.
      Note: Disabling this field is not sufficient on its own. If administrative access is disabled, an administrator can still view data from data grids that do not have authorization enabled. To restrict administrative access to a data grid, disable administrative access and also select Enable authorization for that data grid from the Security settings.
  4. Configure your appliance to authenticate users with a Lightweight Directory Access Protocol (LDAP) directory. For more information about configuring your appliance to authenticate users with an LDAP directory, see Configuring your appliance to authenticate users with an LDAP directory.

Results

After successfully completing these steps, you have specified how the appliance handles certain security-related scenarios and whether external authentication is used for access to the user interface.

What to do next

Configure users and groups to provide access to the user interface. You also use users and groups to provide access to data grids.