example, the administrative console uses the isUserInRole method to determine the proper set of administrative functionality to expose to a user principal.

2. The EJB security collaborator enforces role-based access control by using an access manager implementation. An access manager makes authorization decisions based on the security policy derived from the deployment descriptor. An authenticated user principal can access the requested EJB method if it has one of the required security roles. EJB code can use the EJBContext methods isCallerInRole and getCallerPrincipal. EJB code also can use the JAAS programming model to perform JAAS login and WSSubject doAs and doAsPrivileged methods. The code in the doAs and doAsPrivileged PrivilegedAction block executes under the Subject identity. Otherwise, the EJB method executes under either the RunAs identity or the caller identity, depending on the RunAs configuration.

EJB security

When security is enabled, the EJB container enforces access control on EJB method invocation. The authentication takes place regardless of whether a method permission is defined for the specific EJB method.

A Java application client can provide the authentication data in several ways. Using the sas.client.props file, a Java client can specify whether to use a user ID and password to authenticate or to use an SSL client certificate to authenticate. The client certificate is stored in the key file or in the hardware cryptographic card, as defined in a sas.client.props file. The user ID and password can be optionally defined in the sas.client.props file.

At run time, the Java client can either perform a programmatic login or perform a lazy authentication.

In lazy authentication, when the Java client is accessing a protected enterprise bean for the first time, the security run time tries to obtain the required authentication data. Depending on the configuration setting in the sas.client.props file, the security run time either looks up the authentication data from this file or prompts the user. Alternatively, a Java client can use programmatic login. WebSphere Application Server supports the JAAS programming model and the JAAS login (LoginContext) is the recommended way of programmatic login. The login_helper request_login helper function is deprecated in Version 6.x and Version 7.0. Java clients programmed to the login_helper API can run in this version.

The EJB security collaborator enforces role-based access control by using an access manager implementation. An access manager makes authorization decisions based on the security policy derived from the deployment descriptor. An authenticated user principal can access the requested EJB method if it has one of the required security roles. EJB code can use the EJBContext methods isCallerInRole and getCallerPrincipal. EJB code also can use the JAAS programming model to perform JAAS login and WSSubject doAs and doAsPrivileged methods. The code in the doAs and doAsPrivileged PrivilegedAction block executes under the Subject identity. Otherwise, the EJB method executes under either the RunAs identity or the caller identity, depending on the RunAs configuration. The J2EE RunAs specification is at the enterprise bean level. When RunAs identity is specified, it applies to all bean methods. The method level IBM RunAs extension introduced in Version 4.0 is still supported in this version.

Federal Information Processing Standards-approved

Federal Information Processing Standards (FIPS) are standards and guidelines issued by the National Institute of Standards and Technology (NIST) for federal computer systems. FIPS are developed when there are compelling federal government requirements for standards, such as for security and interoperability, but acceptable industry standards or solutions do not exist.

WebSphere Application Server integrates cryptographic modules including Java Secure Socket Extension (JSSE) and Java Cryptography Extension (JCE), which have undergone FIPS 140-2 certification.

14 Administering applications and their environment
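The access decision described in the EJB security section above (a caller may invoke a method if it holds one of the required roles taken from the deployment descriptor), as an added Python example that is not IBM code and not WebSphere's access manager. The ejb-jar.xml is constructed, its bean, method and role names are hypothetical, and matching on method-params and method-intf is left out.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor; AccountBean, its methods and the roles are hypothetical.
SAMPLE_EJB_JAR = """\
<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee">
  <enterprise-beans>
    <session>
      <ejb-name>AccountBean</ejb-name>
      <security-identity><run-as><role-name>Manager</role-name></run-as></security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>Teller</role-name></security-role>
    <security-role><role-name>Manager</role-name></security-role>
    <method-permission>
      <role-name>Teller</role-name>
      <role-name>Manager</role-name>
      <method><ejb-name>AccountBean</ejb-name><method-name>getBalance</method-name></method>
    </method-permission>
    <method-permission>
      <role-name>Manager</role-name>
      <role-name>Supervisor</role-name>
      <method><ejb-name>AccountBean</ejb-name><method-name>closeAccount</method-name></method>
    </method-permission>
    <method-permission>
      <unchecked/>
      <method><ejb-name>AccountBean</ejb-name><method-name>ping</method-name></method>
    </method-permission>
    <exclude-list>
      <method><ejb-name>AccountBean</ejb-name><method-name>purge</method-name></method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>
"""


def _key(method_el):
    """(ejb-name, method-name) pair for one <method> element."""
    return (method_el.findtext("ejb-name").strip(),
            method_el.findtext("method-name").strip())


def load_policy(xml_text):
    """Derive a role policy from the descriptor's assembly-descriptor."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop the schema namespace
        el.tag = el.tag.rsplit("}", 1)[-1]
    policy = {"roles": {}, "unchecked": set(), "excluded": set(),
              "declared": set(), "run_as": {}}
    for bean in root.findall("./enterprise-beans/*"):
        run_as = bean.findtext("./security-identity/run-as/role-name")
        if run_as:                              # RunAs is set per bean
            policy["run_as"][bean.findtext("ejb-name").strip()] = run_as.strip()
    ad = root.find("assembly-descriptor")
    if ad is None:
        return policy
    policy["declared"] = {r.text.strip()
                          for r in ad.findall("./security-role/role-name")}
    for perm in ad.findall("method-permission"):
        methods = [_key(m) for m in perm.findall("method")]
        if perm.find("unchecked") is not None:
            policy["unchecked"].update(methods)
        roles = {r.text.strip() for r in perm.findall("role-name")}
        for key in methods:                     # permissions are a union
            policy["roles"].setdefault(key, set()).update(roles)
    for m in ad.findall("./exclude-list/method"):
        policy["excluded"].add(_key(m))
    return policy


def decide(policy, bean, method, caller_roles):
    """Return the decision for an authenticated caller holding caller_roles."""
    keys = {(bean, method), (bean, "*")}        # "*" covers every bean method
    if keys & policy["excluded"]:
        return "DENY_EXCLUDED"
    if keys & policy["unchecked"]:
        return "PERMIT_UNCHECKED"
    required = set()
    for key in keys:
        required |= policy["roles"].get(key, set())
    if not required:
        # The descriptor alone gives no answer for this method: flag for review.
        return "UNSPECIFIED"
    return "PERMIT" if required & set(caller_roles) else "DENY"


def undeclared_roles(policy):
    """Roles used in method permissions but missing a <security-role> entry."""
    used = set()
    for roles in policy["roles"].values():
        used |= roles
    return sorted(used - policy["declared"])


POLICY = load_policy(SAMPLE_EJB_JAR)

if __name__ == "__main__":
    for method in ("getBalance", "closeAccount", "ping", "purge", "transfer"):
        print(method, decide(POLICY, "AccountBean", method, ["Teller"]))
    print("undeclared roles:", undeclared_roles(POLICY))
```

Methods reported as UNSPECIFIED and roles reported as undeclared are the review findings: neither is settled by the descriptor itself.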
Throughout the documentation and the WebSphere Application Server, the IBM JSSE and JCE modules that have undergone FIPS certification are referred to as IBMJSSEFIPS and IBMJCEFIPS, which distinguishes the FIPS modules from the IBM JSSE and IBM JCE modules. For more information, refer to Configuring Federal Information Processing Standard Java Secure Socket Extension files.

The IBMJCEFIPS module supports the following symmetric cipher suites:
- AES (FIPS 197)
- TripleDES (FIPS 46-3)
- SHA1 Message Digest algorithm (FIPS 180-1)

The IBMJCEFIPS module supports the following algorithms:
- Digital Signature DSA and RSA algorithms (FIPS 186-2)
- ANSI X9.31 (FIPS 186-2)
- IBM Random Number Generator

The IBMJCEFIPS cryptographic module contains the algorithms that are approved by FIPS, which form a proper subset of those in the IBM JCE modules.

Chapter 1. Overview and new features: Administering 15
Related concepts

Access control exception
The Java 2 security behavior is specified by its security policy. The security policy is an access-control matrix that specifies which system resources certain code bases can access and who must sign them. The Java 2 security policy is declarative and it is enforced by the java.security.AccessController.checkPermission method.

Common Secure Interoperability Version 2 features
The following Common Secure Interoperability Version 2 (CSIv2) features are available in IBM WebSphere Application Server: message layer authentication, identity assertion, and security attribute propagation.

Delegations
Delegation is a process of security identity propagation from a caller to a called object. As per the Java Platform, Enterprise Edition (Java EE) specification, a servlet and enterprise beans can propagate either the client or remote user identity when invoking enterprise beans, or they can use another specified identity as indicated in the corresponding deployment descriptor.

Administrative security
Administrative security determines whether security is used at all, the type of registry against which authentication takes place, and other values, many of which act as defaults. Proper planning is required because incorrectly enabling administrative security can lock you out of the administrative console or cause the server to end abnormally.

Java Authentication and Authorization Service
The standard Java 2 security application programming interface (API) helps enforce access control based on the location of the code source or the author or packager of the code that signed the jar file. The current principal of the running thread is not considered in the Java 2 security authorization. Instances where authorization is based on the principal, as opposed to the code base, and the user exist. The Java Authentication and Authorization Service is a standard Java API that supports the Java 2 security authorization to extend the code base on the principal as well as the code base and users.

J2EE connector security
The Java 2 Platform, Enterprise Edition (J2EE) connector architecture defines a standard architecture for connecting J2EE to heterogeneous enterprise information systems (EIS). Examples of EIS include Enterprise Resource Planning (ERP), mainframe transaction processing (TP) and database systems.

Standalone Lightweight Directory Access Protocol registries
A Standalone Lightweight Directory Access Protocol (LDAP) registry performs authentication using an LDAP binding.

Local operating system registries
With the registry implementation for the local operating system, the WebSphere Application Server authentication mechanism can use the user accounts database of the local operating system.

Lightweight Third Party Authentication
Lightweight Third Party Authentication (LTPA) is intended for distributed, multiple application server and machine environments. LTPA supports forwardable credentials and single sign-on (SSO). LTPA can support security in a distributed environment through cryptography. This support permits LTPA to encrypt, digitally sign, and securely transmit authentication-related data, and later decrypt and verify the signature.

Programmatic login
Programmatic login is a type of form login that supports application presentation site-specific login forms for the purpose of authentication.

Role-based authorization
Use authorization information to determine whether a caller has the necessary privileges to request a service.

Java 2 security
Java 2 security provides a policy-based, fine-grain access control mechanism that increases overall system integrity by checking for permissions before allowing access to certain protected system resources. Java 2 security guards access to system resources such as file I/O, sockets, and properties. Java 2 Platform, Enterprise Edition (J2EE) security guards access to Web resources such as servlets, JavaServer Pages (JSP) files and Enterprise JavaBeans (EJB) methods.
Trust associations
Trust association enables the integration of IBM WebSphere Application Server security and third-party security servers. More specifically, a reverse proxy server can act as a front-end authentication server while the product applies its own authorization policy onto the resulting credentials that are passed by the proxy server.

Related tasks

Selecting an authentication mechanism
An authentication mechanism defines rules about security information, such as whether a credential is forwardable to another Java process, and the format of how security information is stored in both credentials and tokens. You can select and configure an authentication mechanism by using the administrative console.

Selecting a registry or repository
Information about users and groups resides in a user registry. In WebSphere Application Server, a user registry authenticates a user and retrieves information about users and groups to perform security-related functions, including authentication and authorization.

Configuring Federal Information Processing Standard Java Secure Socket Extension files
Use this topic to configure Federal Information Processing Standard Java Secure Socket Extension files.

Securing Web services applications using message level security
Web services security standards and profiles describe how to provide security and protection for SOAP messages that are exchanged in a Web services environment.

Securing Web services for Version 5.x applications based on WS-Security
Web services security for WebSphere Application Server is based on standards included in the Web Services Security (WS-Security) specification. These standards address how to provide protection for messages exchanged in a Web service environment.

Related reference

Java 2 security policy files
The Java 2 Platform, Enterprise Edition (J2EE) Version 1.3 and later specifications have a well-defined programming model of responsibilities between the container providers and the application code. Using Java 2 security manager to help enforce this programming model is recommended. Certain operations are not supported in the application code because such operations interfere with the behavior and operation of the containers. The Java 2 security manager is used in the product to enforce responsibilities of the container and the application code.

Related information

Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List

Introduction: System administration

You can administer your WebSphere Application Server through scripts, command line tools, the administrative console, or the Java programming interface. You administer server processes, topological units referenced as nodes and cells, and the configuration repository where configuration information is stored in Extensible Markup Language (XML) files.

Note: If you would prefer to browse PDF versions of this documentation using your Adobe® Reader, see the System Administration PDF files available from www.ibm.com/software/webservers/appserv/infocenter.html.

A variety of tools, processes, and configuration files are provided for administering the WebSphere Application Server product:

- Console
  The administrative console is a graphical interface that provides many features to guide you through deployment and systems administration tasks. Use it to explore available management options. For more information, refer to “Introduction: Administrative console” on page 18.
- Scripting
  The WebSphere administrative (wsadmin) scripting program is a powerful, non-graphical command interpreter environment enabling you to run administrative operations in a scripting language. You can also submit scripting language programs to run in batch mode. The wsadmin tool is intended for production environments and unattended operations. For more information, refer to “Introduction: Administrative scripting (wsadmin).”
- Command line tools
  Command-line tools are simple programs that you run from an operating system command-line prompt to perform specific tasks, as opposed to general purpose administration. Using the tools, you can start and stop application servers, check server status, add or remove nodes, and complete similar tasks. For more information, refer to “Introduction: Administrative commands” on page 19.
- Programming
  The product supports a Java programming interface for developing administrative programs. All of the administrative tools supplied with the product are written according to the API, which is based on the industry standard Java Management Extensions (JMX) specification. For more information, refer to “Introduction: Administrative programs” on page 19.
- Data
  Product configuration data resides in XML files that are manipulated by the previously-mentioned administrative tools. For more information, refer to “Introduction: Administrative configuration data” on page 20.

Introduction: Administrative console

The administrative console is a graphical interface that allows you to manage your applications and perform system administration tasks for your WebSphere Application Server environment. The administrative console runs in your Web browser. Your actions in the console modify a set of XML configuration files.

You can use the administrative console to perform tasks such as:
- Add, delete, start, and stop application servers
- Deploy new applications to a server
- Start and stop existing applications, and modify certain configurations
- Add and delete Java Platform, Enterprise Edition (Java EE) resource providers for applications that require data access, mail, URLs, and so on
- Configure product security, including access to the administrative console
- Collect data for performance and troubleshooting purposes
- Find the product version information. It is located on the front page of the console.

“Starting and logging off the administrative console” on page 30 helps you begin using the console so that you can explore the available options. See also the Reference > Administrator > Settings section of the information center navigation. It lists the settings or properties you can configure.

Introduction: Administrative scripting (wsadmin)

About this task

The WebSphere administrative (wsadmin) scripting program is a powerful, non-graphical command interpreter environment enabling you to run administrative operations in a scripting language. The wsadmin tool is intended for production environments and unattended operations. You can use the wsadmin tool to perform the same tasks that you can perform using the administrative console.

The following list highlights the topics and tasks available with scripting: