Enabling WebSphere Application Server security

This topic describes how to enable security for WebSphere Application Server. Enabling WebSphere Application Server security prevents the Enterprise JavaBeans components from being exposed to remote invocation by anyone who can reach the server.

Important: WebSphere Application Server security and WebSphere Commerce Payments are configured out-of-the-box to use the DummyServerKeyFile.jks and DummyServerTrustFile.jks files with the default self-signed certificate. Using the dummy key and trust file certificates is not safe, so generate your own certificate and replace the dummy certificates immediately. Refer to the WebSphere Application Server Security Guide for more information on the dummy key and trust file certificates and how to replace them.

Before you begin to enable security, you will need to know how the WebSphere Application Server where you are enabling security validates user IDs. WebSphere Application Server can use either LDAP or the operating system's user registry as the WebSphere Application Server user registry.

Notes:
  1. Windows: If WebSphere Application Server global security is enabled as outlined in the steps in this topic, you will not be able to stop the WebSphere Application Server server (for example, server1) properly from the Windows 2000 Services panel. To stop the service when security is enabled, use the stopServer command from the WAS_installdir\bin directory in a command prompt as follows:
    stopServer server -username user_id -password password
    
    where server is the name of the WebSphere Application Server configuration directory of the server you want to stop (for example, server1), user_id is the user name for authentication, if security is enabled in the server, and password is the password for authentication, if security is enabled in the server.

    When you attempt to stop the server from the Services panel, the properties are such that the user ID and password are not included. With global security enabled, both the user ID and password are required for authentication when you stop the server. The service continues to run (despite the Services panel showing that it has stopped). Note that the user ID and password are not required to start the service from the Services panel.

  2. If you need to stop the application server when WebSphere Application Server security is enabled, use the stopServer command from the WAS_installdir/bin directory in a command prompt as follows:

    AIX, Linux, Sun Solaris Operating Environment:

    stopServer.sh server -username user_id -password password
    

    where server is the name of the WebSphere Application Server application server you want to stop (for example, server1), user_id is the user name for authentication, and password is the password for authentication.

    i5/OS, iSeries:

    stopServer -instance WAS_instance_name server -username user_id -password password
    

    where WAS_instance_name is the name of the WebSphere Application Server instance, server is the name of the WebSphere Application Server application server you want to stop (for example, server1), user_id is the user name for authentication, and password is the password for authentication.

  3. AIX, Linux, Sun Solaris Operating Environment, Windows: When enabling WebSphere Application Server security, it is strongly recommended that your machine meets the following requirements:
    • A minimum machine memory of 1 GB.
    • A minimum heap size of 384 MB, for the WebSphere Commerce application.
  4. Also, with WebSphere Application Server security enabled, the stopNode (stopNode.sh on AIX, Linux, or Solaris) command for the node agent will also require that you specify a user name and password.

  5. In a federated WebSphere Application Server environment, creating a WebSphere Commerce or WebSphere Commerce Payments instance fails with the following message if WebSphere Application Server global security is enabled, because the WebSphere Commerce Configuration Manager does not support secure SOAP connections: "ConnectorException: ADMC0016E: Could not create SOAP Connector to connect to host <hostname> at port <port>". Therefore, before creating an instance in a federated environment, disable WebSphere Application Server global security and restart the Deployment Manager and Node Agent processes. You can enable WebSphere Application Server global security again after you create the instance.

  6. Windows: When enabling WebSphere Application Server security on the Windows 2003 platform, it is recommended that you enlarge the TCP Ports to 65534 on all nodes on your system that are running on Windows 2003. This includes the WebSphere Commerce node, the LDAP server node, and the Commerce-enabled Portals node. After enlarging the TCP Ports, you will need to restart the servers on the nodes that were changed. For more information see the following URL:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;196271

    If you do not enlarge the TCP Ports, you may receive the following error, or one similar to it:

    Authentication failed for user uid=wpsbind,cn=users,dc=ibm,dc=com because of the following exception javax.naming.CommunicationException: svt4.cn.ibm.com:389. Root exception is java.net.BindException: Address in use: connect
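A wrapper around the stopServer command described in the notes above, added here as an example and not taken from the IBM documentation. It assumes WAS_HOME is the WebSphere install directory (WAS_installdir), that the credentials are supplied in the WAS_USER and WAS_PASSWORD variables, and that the server records its process ID in logs/<server>/<server>.pid; after the stop it checks that the process actually exited rather than trusting a status display, which is the failure mode the Services panel note describes.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: stop a WebSphere Application
# Server process while global security is enabled and confirm that it really
# exited, instead of trusting a status display (the Windows Services panel
# reports "stopped" even though the server keeps running).
#
# Assumptions (not stated on the page): WAS_HOME is the WebSphere install
# directory, the credentials are supplied in WAS_USER and WAS_PASSWORD, and
# the server records its process ID in logs/<server>/<server>.pid.

# was_stop_server <server>   for example: was_stop_server server1
# Exit status: 0 stopped, 1 missing input, 2 stopServer failed, 3 still running
was_stop_server() {
    server=$1
    if [ -z "$server" ] || [ -z "$WAS_HOME" ] || [ -z "$WAS_USER" ] || [ -z "$WAS_PASSWORD" ]; then
        echo "usage: set WAS_HOME, WAS_USER and WAS_PASSWORD and pass the server name" >&2
        return 1
    fi
    # With global security enabled, stopServer must authenticate before it will
    # stop the server; without credentials the request is rejected.
    if ! "$WAS_HOME/bin/stopServer.sh" "$server" -username "$WAS_USER" -password "$WAS_PASSWORD"; then
        echo "stopServer.sh failed for $server (check the credentials)" >&2
        return 2
    fi
    # Do not trust the exit status alone: verify that the process is gone.
    pid_file="$WAS_HOME/logs/$server/$server.pid"
    if [ -f "$pid_file" ] && kill -0 "$(cat "$pid_file")" 2>/dev/null; then
        echo "$server is still running as PID $(cat "$pid_file")" >&2
        return 3
    fi
    return 0
}
```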

WebSphere Commerce security deployment options

WebSphere Commerce supports various security deployment configurations. The following table illustrates the security deployment options available to you.

Single machine security scenarios

  WebSphere Application Server security is enabled. Choose one of the following registry combinations:
    • Use the operating system as the WebSphere Application Server registry, and the database as the WebSphere Commerce registry.
    • Use LDAP as the WebSphere Application Server registry, and LDAP as the WebSphere Commerce registry.
    • Use LDAP as the WebSphere Application Server registry, and the database as the WebSphere Commerce registry.

  WebSphere Application Server security is disabled, and your WebSphere Commerce site is located behind a firewall. A WebSphere Application Server registry is not required; choose one of the following:
    • Use the database as the WebSphere Commerce registry.
    • Use LDAP as the WebSphere Commerce registry.

Multiple machine security scenarios

  WebSphere Application Server security is enabled. LDAP is always deployed and is used as the WebSphere Application Server registry; choose one of the following:
    • Use LDAP as the WebSphere Commerce registry.
    • Use a database as the WebSphere Commerce registry. You will need to set up LDAP, and place one administrative entry into the LDAP registry.

  WebSphere Application Server security is disabled, and your WebSphere Commerce site is located behind a firewall. A WebSphere Application Server registry is not required; choose one of the following:
    • Use a database as the WebSphere Commerce registry. Single sign-on is not supported.
    • Use LDAP as the WebSphere Commerce registry.

Note: If you operate your WebSphere Commerce site from behind a firewall, you can disable WebSphere Application Server security. You should only disable WebSphere Application Server security if you are sure that no malicious applications are running behind the firewall.
