WebSphere Application Server Network Deployment, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Global security settings

Use this page to configure security. When you enable security, you are enabling security settings on a global level.

To view this administrative console page, click Security > Global security.

When security is disabled, WebSphere Application Server performance increases by 10 to 20 percent. Therefore, consider disabling security when it is not needed.

If you are configuring security for the first time, complete the steps in the "Configuring server security" article in the documentation to avoid problems. When security is configured, validate any changes to the registry or authentication mechanism panels. Click Apply to validate the user registry settings. An attempt is made to authenticate the server ID to the configured user registry. Validating the user registry settings after enabling global security can avoid problems when you restart the server for the first time.

Configuration tab

Enable global security

Specifies whether to enable global security for this WebSphere Application Server domain.

This flag is commonly referred to as the global security flag in WebSphere Application Server information. When enabling security, set the authentication mechanism configuration and specify a valid user ID and password in the selected user registry configuration.

Default: Disable
Enforce Java 2 Security

Specifies whether to enable or disable Java 2 security permission checking. By default, Java 2 security is disabled. However, enabling global security automatically enables Java 2 security. You can choose to disable Java 2 security, even when global security is enabled.

When the Enforce Java 2 security option is enabled and an application requires more Java 2 security permissions than are granted in the default policy, the application might fail to run properly until the required permissions are granted in either the app.policy file or the was.policy file of the application. AccessControl exceptions are generated by applications that do not have all the required permissions. Consult the WebSphere Application Server documentation and review the Java 2 Security and Dynamic Policy sections if you are unfamiliar with Java 2 security.

If your server does not restart after you enable global security, you can disable security. Go to your $install_root/bin directory and execute the wsadmin -conntype NONE command. At the wsadmin> prompt, enter securityoff and then type exit to return to a command prompt. Restart the server with security disabled to check any incorrect settings through the administrative console.

Default: Disabled
Enforce fine-grained JCA security

Enable this option to restrict application access to sensitive Java Connector Architecture (JCA) mapping authentication data.

Consider enabling this option when both of the following conditions are true:
  • Java 2 Security is enforced.
  • The application code is granted the accessRuntimeClasses WebSphereRuntimePermission in the was.policy file found within the application enterprise archive (EAR) file. For example, the application code is granted the permission when the following line is found in your was.policy file:

    permission com.ibm.websphere.security.WebSphereRuntimePermission "accessRuntimeClasses";

The Enforce fine-grained JCA security option adds fine-grained Java 2 Security permission checking to the default principal mapping of the WSPrincipalMappingLoginModule implementation. When Java 2 Security and the Enforce fine-grained JCA security option are both enabled, you must grant explicit permission to Java 2 Platform, Enterprise Edition (J2EE) applications that use the WSPrincipalMappingLoginModule implementation directly in the Java Authentication and Authorization Service (JAAS) login.

Default: Disabled
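The permission check that the Enforce Java 2 security and Enforce fine-grained JCA security options turn on can be seen in isolation with the following Java program. It is an added example, not code from this documentation or from the WebSphere product: it builds two protection domains that model what two different was.policy grant blocks would confer on an application, then performs the same java.security check that the run time performs before a protected operation. DemoRuntimePermission is a stand-in for com.ibm.websphere.security.WebSphereRuntimePermission, which is not available outside the product; the `file:${application}` code base shown in the comment is the usual was.policy convention for the whole EAR and is an assumption, not something stated on this page.

```java
import java.io.FilePermission;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;

/**
 * Models the Java 2 security check that the run time performs when
 * "Enforce Java 2 security" is on. Added example; not WebSphere code.
 */
public class Java2PolicyCheckDemo {

    /**
     * Stand-in for com.ibm.websphere.security.WebSphereRuntimePermission
     * (assumption: the real IBM class is not on the classpath here).
     * BasicPermission gives the same name-only matching semantics.
     */
    static final class DemoRuntimePermission extends BasicPermission {
        DemoRuntimePermission(String name) {
            super(name);
        }
    }

    /**
     * Builds the protection domain that a was.policy grant block would give
     * an application, holding only the permissions listed. The two-argument
     * ProtectionDomain constructor makes the permission set static (no
     * Policy lookup), so the check below is self-contained.
     */
    static AccessControlContext domainGranting(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        ProtectionDomain domain = new ProtectionDomain(null, perms);
        return new AccessControlContext(new ProtectionDomain[] { domain });
    }

    /**
     * Performs the check the run time performs before a protected operation:
     * true when every domain on the context implies the permission, false
     * when the check raises AccessControlException, which is the failure
     * mode an application hits when its was.policy lacks the grant.
     */
    static boolean isPermitted(AccessControlContext context, Permission required) {
        try {
            context.checkPermission(required);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    static void report(String app, AccessControlContext context, Permission p) {
        System.out.println(app + " -> " + p + " : "
                + (isPermitted(context, p) ? "granted" : "AccessControlException"));
    }

    public static void main(String[] args) {
        Permission accessRuntime = new DemoRuntimePermission("accessRuntimeClasses");
        Permission readLogs = new FilePermission("/tmp/app-logs/-", "read");

        // Application A models this was.policy block (the codeBase form is an assumption):
        //   grant codeBase "file:${application}" {
        //     permission com.ibm.websphere.security.WebSphereRuntimePermission "accessRuntimeClasses";
        //   };
        AccessControlContext appA = domainGranting(accessRuntime);

        // Application B models a was.policy that grants only a read of its own log directory.
        AccessControlContext appB = domainGranting(readLogs);

        report("A", appA, accessRuntime);
        report("B", appB, accessRuntime);
        report("B", appB, readLogs);
        report("B", appB, new FilePermission("/tmp/other/-", "read"));
    }
}
```

Compile and run it with `javac Java2PolicyCheckDemo.java && java Java2PolicyCheckDemo` on a JDK that still implements java.security.AccessControlContext (JDK 8 through 17 run it; 17 prints deprecation warnings, and later releases deprecate or disable these APIs). Application A passes the accessRuntimeClasses check; application B fails it and every check outside its one granted file permission, which is exactly the symptom the text above describes. The remedy is the grant in was.policy or app.policy, not switching Enforce Java 2 security off.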
Use domain-qualified user IDs

Specifies that user names returned by methods are qualified with the security domain in which they reside.

Default: Disabled
Cache timeout

Specifies the timeout value in seconds for security cache. This value is a relative timeout.

If WebSphere Application Server security is enabled, the security cache timeout can influence performance. The timeout setting specifies how often to refresh the security-related caches. Security information pertaining to beans, permissions, and credentials is cached. When the cache timeout expires, all cached information becomes invalid. Subsequent requests for the information result in a database lookup. Sometimes, acquiring the information requires invoking a Lightweight Directory Access Protocol (LDAP) bind or native authentication. Both invocations are relatively costly operations for performance. Determine the best trade-off for the application by looking at usage patterns and security needs for the site.

The default security cache timeout value is 10 minutes. If you have a small number of users, set the value higher than the default; if you have a large number of users, set it lower.

The LTPA timeout value should not be set lower than the security cache timeout. It is also recommended that the LTPA timeout value be set higher than the ORB request timeout value. However, there is no relation between the security cache timeout value and the ORB request timeout value.

In a 20-minute performance test, setting the cache timeout so that a timeout does not occur yields a 40% performance improvement.

Data type: Integer
Units: Seconds
Default: 600
Range: Greater than 30 seconds
Issue permission warning

Specifies that during application deployment and application start, the security run time issues a warning if applications are granted any custom permissions. Custom permissions are permissions defined by the user applications, not Java API permissions. Java API permissions are permissions in package java.* and javax.*.

WebSphere Application Server provides support for policy file management. A number of policy files are available in this product, some of them are static and some of them are dynamic. Dynamic policy is a template of permissions for a particular type of resource. There is no code base defined or relative code base used in the dynamic policy template. The real code base is dynamically created from the configuration and run-time data. The filter.policy file contains a list of permissions that an application should not have according to the J2EE 1.3 specification. For more information on permissions, see the "Java 2 security policy files" article in the documentation.

Default: Disabled
Active protocol

Specifies the active authentication protocol for Remote Method Invocation over the Internet Inter-ORB Protocol (RMI IIOP) requests when security is enabled.

In previous releases the Security Authentication Service (SAS) protocol was the only available protocol.

An Object Management Group (OMG) protocol called Common Secure Interoperability Version 2 (CSIv2) supports increased vendor interoperability and additional features. If all of the servers in your security domain are Version 5.x and later servers, specify CSI as your protocol.

If some servers are version 3.x or version 4.x servers, specify CSI and SAS.

Default: BOTH
Range: CSI and SAS, CSI
Active authentication mechanism

Specifies the active authentication mechanism when security is enabled.

In WebSphere Application Server Network Deployment, Version 6.0.x, the active authentication mechanism is not configurable. Also, this version of the product only supports LTPA authentication.

Default: LTPA (WebSphere Application Server Network Deployment)
Active User Registry

Specifies the active user registry, when security is enabled.

You can configure settings for one of the following user registries:
  • Local OS

    When you enable global security on a UNIX platform and the user registry is the local OS, you must run the server as root. The local OS user registry is not supported for non-root users on a UNIX platform.

    The local OS user registry is valid only when you use a domain controller or the Network Deployment cell resides on a single machine. In the latter case, you cannot spread multiple nodes in a cell across multiple machines, because that configuration is not valid with the local OS user registry.

  • LDAP user registry

    The LDAP user registry settings are used when users and groups reside in an external LDAP directory. When security is enabled and any of these properties change, go to the Global Security panel and click Apply or OK to validate the changes.

  • Custom user registry

Default: Local OS (single, stand-alone server or sysplex and root administrator only)
Range: Local OS (single, stand-alone server or sysplex and root administrator only), LDAP user registry, Custom user registry
Use the Federal Information Processing Standard (FIPS)

Enables the Federal Information Processing Standard (FIPS)-compliant Java cryptography engine.

  • Does not affect the Secure Sockets Layer cryptography that is performed by WebSphere Application Server for z/OS System Secure Sockets Layer (SSSL).
  • Does not change the JSSE provider if this cell includes any Application Server versions before WebSphere Application Server for z/OS Version 6.0.x.

When you select the Use the Federal Information Processing Standard (FIPS) option, the Lightweight Third Party Authentication (LTPA) implementation uses IBMJCEFIPS. IBMJCEFIPS supports the Federal Information Processing Standard (FIPS)-approved cryptographic algorithms for Data Encryption Standard (DES), Triple DES, and Advanced Encryption Standard (AES). Although the LTPA keys are backwards compatible with prior releases of WebSphere Application Server, the LTPA token is not compatible with prior releases. In prior releases, WebSphere Application Server did not generate the LTPA token using a FIPS-approved algorithm.

WebSphere Application Server provides a FIPS-approved Java Secure Socket Extension (JSSE) provider called IBMJSSEFIPS. A FIPS-approved JSSE requires the Transport Layer Security (TLS) protocol because it is not compatible with the Secure Sockets Layer (SSL) protocol.

Important: [HP-UX] The IBMJSSEFIPS provider is not supported on the HP-UX platform. However, the IBMJSSE2 provider, which uses IBMJCEFIPS, is supported on the HP-UX platform.
Default: Disabled



Related tasks
Configuring global security
Configuring Federal Information Processing Standard Java Secure Socket Extension files

Related information
Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List

Reference topic


Last updated: Mar 17, 2005 4:28:29 AM CST
http://publib.boulder.ibm.com/infocenter/ws60help/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/usec_rgsp.html

© Copyright IBM Corporation 2002, 2005. All Rights Reserved.