Configure
a user registry. For more information, see Configuring user registries. You can configure a local OS,
Lightweight Directory Access Protocol (LDAP), or custom user registry through
the links under User registry on the Global security panel. One of the details
common to all user registries is the server user ID. This ID is a member
of the chosen user registry, but also has special privileges in WebSphere
Application Server: it has the same privileges as the administrative role ID
and can access all protected administrative methods. On Windows systems, the ID must not
be the same as the machine name of your system, because the registry sometimes
returns machine-specific information when a user of that name is queried.
In LDAP user registries, verify that the server user ID is a member of the
registry and not just the LDAP administrative role ID; the entry must be searchable.
The server user ID does not run WebSphere Application Server processes.
Rather, the process ID runs them.
The process
ID is determined by the way the process starts. For example, if you start a
process from a command line, the process ID is the user ID that is logged into
the system. If the server runs as a service, the process ID is the user ID
under which the service is configured to run. If you choose the Local OS
user registry, the process ID requires special privileges to call the operating
system APIs. Specifically, the process ID must have the Act as Part of
Operating System privilege on Windows systems or root privileges
on a UNIX system.
Modify
the default Secure Sockets Layer (SSL) keystore and truststore files that
are packaged with the product. The packaged files are the same on every
installation, so anyone with a copy of the product holds the same private key;
until you replace them, SSL provides no real protection for the integrity or
confidentiality of messages sent across the network. The product provides a single location
where you can specify SSL configurations that the various WebSphere Application
Server features that use SSL can utilize, including the LDAP user registry,
Web container and the authentication protocol (CSIv2 and SAS). Create a new
keystore and truststore, by referring to the Creating a keystore file and Creating truststore files articles. You can create different
keystore files and truststore files for different uses or you can create just
one set for everything that the server uses SSL for.
After you create these new keystore and truststore files, specify them in
the SSL Configuration Repertoires. To get to the SSL Configuration
Repertoires, click Security > SSL. See the article, Configuring Secure Sockets Layer, for more information. You can either edit
the DefaultSSLConfig entry or create a new SSL configuration with a new alias
name. If you create a new alias name for your new keystore and truststore
files, change every location that references the DefaultSSLConfig SSL configuration
alias; any location you miss keeps using the old keystore and truststore. The following list specifies the locations where the SSL configuration
repertoire aliases are used in the WebSphere Application Server configuration. For
any transports that use the new network input/output channel chains, including
HTTP and Java Message Service (JMS), you can modify the SSL configuration
repertoire aliases in the following locations for each server:
- Click Servers > Application servers > server_name. Under Communications,
click Ports. Locate a transport chain where SSL is enabled and click View
associated transports. Click transport_channel_name. Under Transport
Channels, click SSL Inbound Channel (SSL_2).
- Click System administration > Deployment manager.
Under Additional properties, click Ports. Locate a transport chain
where SSL is enabled and click View associated transports. Click transport_channel_name.
Under Transport Channels, click SSL Inbound Channel (SSL_2).
- Click System administration > Node agents > node_agent_name.
Under Additional properties, click Ports. Locate a transport
chain where SSL is enabled and click View associated transports. Click transport_channel_name.
Under Transport Channels, click SSL Inbound Channel (SSL_2).
For the Object Request Broker (ORB) SSL transports, you can modify
the SSL configuration repertoire aliases in the following locations. These
settings are at the server level for WebSphere Application Server and
WebSphere Application Server Express, and at the cell level for WebSphere Application
Server Network Deployment.
- Click Security > Global security. Under Authentication, click Authentication
protocol > CSIv2 Inbound Transport.
- Click Security > Global security. Under Authentication, click Authentication
protocol > CSIv2 Outbound Transport.
- Click Security > Global security. Under Authentication, click Authentication
protocol > SAS Inbound Transport.
- Click Security > Global security. Under Authentication, click Authentication
protocol > SAS Outbound Transport.
For the ORB SSL transports on the server level
for WebSphere Application Server Network Deployment, you can modify the SSL
configuration repertoire aliases in the following locations:
- Click Servers > Application servers > server_name. Under
Security, click Server security. Under Additional properties, click CSIv2
Inbound Transport.
- Click Servers > Application servers > server_name. Under
Security, click Server security. Under Additional properties, click CSIv2
Outbound Transport.
- Click Servers > Application servers > server_name. Under
Security, click Server security. Under Additional properties, click SAS
Inbound Transport.
- Click Servers > Application servers > server_name. Under
Security, click Server security. Under Additional properties, click SAS
Outbound Transport.
For the Simple Object Access Protocol (SOAP) Java Management Extensions
(JMX) administrative transports, you can modify the SSL configuration repertoire
aliases by clicking Servers > Application servers > server_name.
Under Server infrastructure, click Administration > Administration services.
Under Additional properties, click JMX connectors > SOAPConnector.
Under Additional properties, click Custom properties. If you want to
point the sslConfig property to a new alias, click sslConfig and select
an alias in the Value field.
For additional SOAP JMX
administrative transports for WebSphere Application Server Network Deployment,
you can modify the SSL configuration repertoire aliases in the following locations:
- Click System administration > Deployment manager. Under Additional
properties, click Administration services. Under Additional properties,
click JMX connectors > SOAPConnector. Under Additional properties,
click Custom properties. If you want to point the sslConfig property
to a new alias, click sslConfig and select an alias in the Value field.
- Click System administration > Node agents > node_agent_name.
Under Additional properties, click Administration services. Under Additional
properties, click JMX connectors > SOAPConnector. Under Additional
properties, click Custom properties. If you want to point the sslConfig
property to a new alias, click sslConfig and select an alias in the
Value field.
For the Lightweight Directory Access Protocol (LDAP) SSL transport,
you can modify the SSL configuration repertoire aliases by clicking Security
> Global security. Under User registries, click LDAP.
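The list above is long, and a single location that still points at DefaultSSLConfig silently keeps using the packaged keystore. As an added check (example code written for this page, not part of the product or of the referenced articles), the following script scans the profile's configuration XML for SSL repertoire alias references and reports any that still use the old alias, or that name an alias no repertoire entry defines (a misspelled new alias). It assumes that references are carried in sslConfig and sslConfigAlias attributes and in a custom property named sslConfig, and that repertoire entries appear as repertoire elements with an alias attribute; the two embedded XML fragments are constructed to mimic the shape of server.xml and security.xml and are not real product files. Confirm those names against your own config directory before relying on the output.

```python
"""Added example (not product code): find SSL repertoire alias references that still
point at the old alias, or at an alias that no repertoire entry defines. The element
and attribute names below are assumptions; check them against your own config files."""
import os
import xml.etree.ElementTree as ET

ALIAS_ATTRIBUTES = ("sslConfig", "sslConfigAlias")  # assumed: CSIv2/SAS transports, SSL channels
ALIAS_PROPERTY_NAMES = ("sslConfig",)                # assumed: SOAPConnector custom property
DEFAULT_ALIAS = "DefaultSSLConfig"


def local_name(tag):
    """Drop a '{namespace}' prefix so namespaced and plain names compare alike."""
    return tag.rsplit("}", 1)[-1]


def find_alias_references(xml_text, source):
    """Return (source, element, attribute, alias) for every alias reference found."""
    refs = []
    for elem in ET.fromstring(xml_text).iter():
        elem_name = local_name(elem.tag)
        for attr, value in elem.attrib.items():
            if local_name(attr) in ALIAS_ATTRIBUTES:
                refs.append((source, elem_name, local_name(attr), value))
        # Custom properties are stored as name/value pairs, not as attributes.
        if elem_name == "properties" and elem.get("name") in ALIAS_PROPERTY_NAMES:
            refs.append((source, elem_name, elem.get("name"), elem.get("value")))
    return refs


def defined_aliases(security_xml_text):
    """Aliases defined by (assumed) <repertoire alias="..."> entries in security.xml."""
    return {e.get("alias") for e in ET.fromstring(security_xml_text).iter()
            if local_name(e.tag) == "repertoire" and e.get("alias")}


def audit(files, old_alias=DEFAULT_ALIAS):
    """files maps a file name to its XML text. Returns (stale, dangling): references
    still using old_alias, and references to an alias that no security.xml defines."""
    defined = set()
    for name, text in files.items():
        if os.path.basename(name) == "security.xml":
            defined |= defined_aliases(text)
    refs = [r for name, text in files.items() for r in find_alias_references(text, name)]
    return [r for r in refs if r[3] == old_alias], [r for r in refs if r[3] not in defined]


def load_config_files(config_root):
    """Collect every server.xml and security.xml under a profile's config directory."""
    files = {}
    for dirpath, _, names in os.walk(config_root):
        for n in names:
            if n in ("server.xml", "security.xml"):
                path = os.path.join(dirpath, n)
                with open(path, encoding="utf-8") as fh:
                    files[os.path.relpath(path, config_root)] = fh.read()
    return files


# Constructed fragments that mimic the shape of server.xml and security.xml; not real product files.
SAMPLE_FILES = {
    "server.xml": """<process:Server xmlns:xmi="http://www.omg.org/XMI"
  xmlns:process="http://www.ibm.com/websphere/appserver/schemas/5.0/process.xmi" name="server1">
  <services xmi:type="channelservice:TransportChannelService">
    <transportChannels xmi:type="channelservice.channels:SSLInboundChannel"
      name="SSL_2" sslConfigAlias="ProdSSLConfg"/>
  </services>
  <services xmi:type="adminservice:AdminService">
    <connectors xmi:type="adminservice:SOAPConnector">
      <properties name="sslConfig" value="DefaultSSLConfig"/>
    </connectors>
  </services>
</process:Server>""",
    "security.xml": """<security:Security xmlns:xmi="http://www.omg.org/XMI"
  xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi" enabled="true">
  <repertoire xmi:id="SSLConfig_1" alias="DefaultSSLConfig">
    <setting keyFileName="${USER_INSTALL_ROOT}/etc/DummyServerKeyFile.jks"/>
  </repertoire>
  <repertoire xmi:id="SSLConfig_2" alias="ProdSSLConfig">
    <setting keyFileName="${USER_INSTALL_ROOT}/etc/ProdKeyFile.jks"/>
  </repertoire>
  <CSI xmi:type="orb.securityprotocol:IIOPSecurityProtocol">
    <claims><layers><serverAuthentication sslConfig="DefaultSSLConfig"/></layers></claims>
    <performs><layers><serverAuthentication sslConfig="ProdSSLConfig"/></layers></performs>
  </CSI>
</security:Security>""",
}

if __name__ == "__main__":
    stale, dangling = audit(SAMPLE_FILES)  # or audit(load_config_files("/path/to/profile/config"))
    for ref in stale:
        print("still uses %s: %s %s@%s" % (DEFAULT_ALIAS, ref[0], ref[1], ref[2]))
    for ref in dangling:
        print("undefined alias %r: %s %s@%s" % (ref[3], ref[0], ref[1], ref[2]))
```

On the constructed sample the script flags the SOAPConnector custom property and the CSIv2 inbound transport as still using DefaultSSLConfig, and flags the SSL inbound channel because its alias is misspelled and matches no repertoire entry. Run it against a real profile with load_config_files after every alias change, and treat an empty report as the condition for considering the rename complete.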