This topic describes how to enable security for WebSphere Application Server. Enabling WebSphere Application Server security prevents all Enterprise JavaBeans components from being exposed to remote invocation by anyone.
Important: WebSphere Application Server security and WebSphere Commerce Payments are configured to use the DummyServerKeyFile.jks and DummyServerTrustFile.jks files with the default self-signed certificate out-of-the-box. Using the dummy key and trust file certificates is not safe, consequently you should generate your own certificate to replace the dummy certificates immediately. Refer to the WebSphere Application Server Security Guide for more information on the dummy key and trust file certificates and how to replace them.
Before you begin to enable security, you will need to know how the WebSphere Application Server where you are enabling security validates user IDs. WebSphere Application Server can use either LDAP or the operating system's user registry as the WebSphere Application Server user registry.
If WebSphere Application Server global security is enabled as outlined in the steps in this topic, you will not be able to stop the WebSphere Application Server server (for example, server1) properly from the Windows 2000 Services panel. To stop the service when security is enabled, use the stopServer command from the WAS_installdir\bin directory in a command prompt as follows:
stopServer server -username user_id -password password
where server is the name of the WebSphere Application Server configuration directory of the server you want to stop (for example, server1), user_id is the user name for authentication, if security is enabled in the server, and password is the password for authentication, if security is enabled in the server.When you attempt to stop the server from the Services panel, the properties are such that the user ID and password are not included. With global security enabled, both the user ID and password are required for authentication when you stop the server. The service continues to run (despite the Services panel showing that it has stopped). Note that the user ID and password are not required to start the service from the Services panel.
- If you need to stop the application server when WebSphere Application Server security is enabled, use the stopServer command from the WAS_installdir/bin directory in a command prompt as follows:
stopServer.sh server -username user_id -password password
where server is the name of the WebSphere Application Server application server you want to stop (for example, server1), user_id is the user name for authentication, and password is the password for authentication.
stopServer -instance WAS_instance_name server -username user_id -password password
where WAS_instance_name is the name of the WebSphere Application Server instance, server is the name of the WebSphere Application Server application server you want to stop (for example, server1), user_id is the user name for authentication, and password is the password for authentication.
When enabling WebSphere Application Server security, it is strongly recommended that your machine meets the following requirements:
- A minimum machine memory of 1 GB.
- A minimum heap size of 384 MB, for the WebSphere Commerce application.
Also, with WebSphere Application Server security enabled, the stopNode (stopNode.sh on AIX, Linux, or Solaris) command for the node agent will also require that you specify a user name and password.
In a federated WebSphere Application Server environment, creating a WebSphere Commerce or WebSphere Commerce Payments instance will fail with the following message if you have WebSphere Application Server global security enabled because the WebSphere Commerce Configuration Manager does not support secure SOAP connection:"ConnectorException: ADMC0016E: Could not create SOAP Connector to connect to host <hostname> at port <port>". Thus, before creating an instance on a federated environment, disable WebSphere Application Server global security, and restart the Deployment Manager and Node Agent processes. You can enable WebSphere Application Server global security after you create the instance.
When enabling WebSphere Application Server security on the Windows 2003 platform, it is recommended that you enlarge the TCP Ports to 65534 on all nodes on your system that are running on Windows 2003. This includes the WebSphere Commerce node, the LDAP server node, and the Commerce-enabled Portals node. After enlarging the TCP Ports, you will need to restart the servers on the nodes that were changed. For more information see the following URL:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;196271If you do not enlarge the TCP Ports, you may receive the following error, or an error that is similar to:
Authentication failed for user uid=wpsbind,cn=users,dc=ibm,dc=com because of the following exception javax.naming.CommunicationException: svt4.cn.ibm.com:389. Root exception is java.net.BindException: Address in use: connect
WebSphere Commerce security deployment options
WebSphere Commerce supports various security deployment configurations. The following table illustrates the security deployment options available to you.
WebSphere Application Server security is enabled. |
|
|
|
|
|
WebSphere Application Server security is disabled, and your WebSphere Commerce site is located behind a firewall. |
|
|
WebSphere Application Server security is enabled. LDAP is always deployed. |
|
|
|
WebSphere Application Server security is disabled, and your WebSphere Commerce site is located behind a firewall. |
|
|
Note: If you operate your WebSphere Commerce site from behind a firewall, you can disable WebSphere Application Server security. You should only disable WebSphere Application Server security if you are sure that no malicious applications are running behind the firewall.