IBM WebSphere V5.0 Security - CGISecurity

More documents

Recommendations

Info

LDAP Server Policy/Authorization Server Protocol (Internet) Firewall Domain (Intranet) Firewall Client browser WebSEAL Reverse Proxy Web Server WebSphere Application Server Figure 12-11 WebSEAL Basic Infrastructure and request flow WebSEAL in the DMZ Region 1 between the Internet and Intranet firewalls receives client requests for resources of the Web server or WebSphere application server. There are five security options between WebSEAL and the Web and application servers. In each case WebSEAL authenticates users by querying the LDAP Server before connecting to any other resource. 1. WebSEAL authenticates the user, passing mapped credentials to WebSphere. WebSphere performs authorization with its own user registry. 2. WebSphere and WebSEAL, (Access Manager) use the same user registry here a common LDAP. 3. WebSEAL may also authorize the user’s access to protected resources based on running a CGI program (query_contents) that accesses directory contents to determine protected files, or specific ACL lists for URLs and servlets built with pdadmin or Web Portal Manager. Authorization decisions are made from the local copy of the policy store on the WebSEAL server. 4. WebSEAL authenticates the user passing mapped credentials to WebSphere, and WebSphere-hosted applications using the Access Manager Java PDPermission or Access Manager JAAS classes which ask Access Manager for authorization. 5. WebSEAL authenticates the user passing mapped credentials to WebSphere, and WebSphere Application Server containers can delegate authorization to Access Manager through the Access Manager for WebSphere module which relies on classes in Access Manager Java Runtime and communicates with the Access Manager authorization server using the Java API. Access Manager stores role-to-user mapping only as role-to-method mapping is not yet provided. 414 IBM WebSphere V5.0 Security Handbook
WebSEAL Junctions WebSEAL’s connections with the back-end Web servers have constantly been referred to as “junctions”. This Tivoli proprietary technology requires a further description in order to better understand the scenarios above. All WebSEAL junctions are TCP/IP connections between a front-end WebSEAL server and a back-end Web server which may be another WebSEAL server and may go via another proxy server. Only the HTTP and HTTPS protocols are supported and WebSEAL to WebSEAL must be over an SSL connection. A junction is where the back-end server Web space is connected to the WebSEAL server at a specially designated mount point in the Access Manager Web space created in the Policy Server database by appropriate use of the pdadmin command. In order to produce representations of resources on some third party back-end servers within the Access Manager object space, these junctions may require configuration such that the querry_contents.cgi program be loaded and accessible to be run by the Policy Server on the back-end servers, themselves. This utility ships with Access Manager. The junction is then a logical Web object space, normally on another Web server, rather than the physical file and directory structure of the proxied Web server. Junctions define an object space that reflects organizational structure rather than the physical machine and directory structure commonly encountered on standard Web servers. A browser client never knows the physical location of a Web resource as WebSEAL translates requested URL addresses into the physical addresses that a back-end server expects without ever exposing them to the client. Web objects can be moved from server to server without affecting the way the client accesses those objects. WebSEAL attempts to pass the request to the back-end server by referencing the object in Access Manager’s protected object space. If it encounters an ACL or Policy of Protection, POP on that object which requires authentication before the request can be authorized, then the client will be challenged. WebSEAL is configurable for several different challenge mechanism including the default of Basic Authentication, forms based logon from a junctioned application and comes with an Application Developers Kit with which to build customized Cross Domain Authentication Services. WebSEAL junctions can also be configured to enable the creation of Single Sign-On solutions allowing users to access resources, somewhat regardless of what security domain controls those resources, following their initial authentication logging on to through WebSEAL. The GSO, Global Sign On junction option allows for a third party user registry to be referenced to supply that junction with the appropriate user ID and password. Other options involve manipulation and perhaps additions to the underlying Access Manager schema Chapter 12. Tivoli Access Manager 415
Page 1:
Front cover IBM WebSphere V5.0 Secu
Page 4 and 5:
Take Note! Before using this inform
Page 6 and 7:
4.2.1 Configuring Web module securi
Page 8 and 9:
10.6 LTPA . . . . . . . . . . . . .
Page 10 and 11:
Lotus Domino . . . . . . . . . . .
Page 12 and 13:
Trademarks The following terms are
Page 14 and 15:
The team that wrote this redbook Th
Page 16 and 17:
Stephen Pipes is a WebSphere consul
Page 18 and 19:
xvi IBM WebSphere V5.0 Security Han
Page 20 and 21:
1.1 How to read this book There are
Page 22 and 23:
4 IBM WebSphere V5.0 Security Handb
Page 24 and 25:
2.1 Security As new business practi
Page 26 and 27:
2.2 Security fundamentals 2.2.1 Aut
Page 28 and 29:
For example, in a distributed objec
Page 30 and 31:
► ► ► Users are mapped direct
Page 32 and 33:
If Bob wants to answer, he should u
Page 34 and 35:
identifies the client before issuin
Page 36 and 37:
2.3 Security in use Since security
Page 38 and 39:
20 IBM WebSphere V5.0 Security Hand
Page 40 and 41:
3.1 J2EE application The Java 2 Ent
Page 42 and 43:
Principals and Groups Security Role
Page 44 and 45:
3.4 Application deployment descript
Page 46 and 47:
3.5 J2EE application security
Page 48 and 49:
Figure 3-4 Application-level Securi
Page 50 and 51:
Security role mapping in the Admini
Page 52 and 53:
Figure 3-7 Searching for the manage
Page 54 and 55:
Page 56 and 57:
4.1 Static components WebSphere App
Page 58 and 59:
1. ldap.prop is an LDAP configurati
Page 60 and 61:
Figure 4-2 Defining authentication
Page 62 and 63:
A .htaccess file placed in one dire
Page 64 and 65:
4.2 Web module security In a J2EE a
Page 66 and 67:
Figure 4-4 Login Method Configurati
Page 68 and 69:
higher level of protection. User Da
Page 70 and 71:
8. Next to HTTP Methods click Add.
Page 72 and 73:
8. Add the GET and POST HTTP method
Page 74 and 75:
4.4 Security role reference During
Page 76 and 77:
7. Save and close the web.xml file.
Page 78 and 79:
Form login configuration The follow
Page 80 and 81:
4.5.2 Custom login There are situat
Page 82 and 83:
employeeType will be stored as a se
Page 84 and 85:
3. From the Filter Type Selection w
Page 86 and 87:
As a next step, you have to make su
Page 88 and 89:
If the user in role 'A' accesses /h
Page 90 and 91:
As a universal solution for the pro
Page 92 and 93:
5.1 Securing EJBs EJBs, or Enterpri
Page 94 and 95:
5.3 Assigning EJB method permission
Page 96 and 97:
defined in the EJB module. For info
Page 98 and 99:
These unprotected methods can have
Page 100 and 101:
Figure 5-6 New Security Role Refere
Page 102 and 103:
Important: Although this feature is
Page 104 and 105:
4. The Role Name option menu will c
Page 106 and 107:
5.5.2 Method level delegation In ad
Page 108 and 109:
Figure 5-11 Method-level Run-as rol
Page 110 and 111:
Figure 5-13 Selecting methods for t
Page 112 and 113:
If one or more method-level delegat
Page 114 and 115:
Page 116 and 117:
6.1 Java clients A client is a gene
Page 118 and 119:
Available functions ActiveX client
Page 120 and 121:
Upon receiving the message, the ser
Page 122 and 123:
The sas.client.props file The CORBA
Page 124 and 125:
The CSIv2 configuration properties
Page 126 and 127:
server. For example, if the client
Page 128 and 129:
Client01 Java client J Server01 EJB
Page 130 and 131:
2. Configure Server01 for outgoing
Page 132 and 133:
Configuring Client02 Client02 requi
Page 134 and 135:
3. Enable SSL for the connection, i
Page 136 and 137:
Configuring Client01 Client01 requi
Page 138 and 139:
WebSphere V4 SAS only WebSphere V5
Page 140 and 141:
The ITSOBank application provided w
Page 142 and 143:
► ► ► sas.jar ecutils.jar dir
Page 144 and 145:
7.1 Web Services security Web Servi
Page 146 and 147:
Figure 7-2 Creating a new Web Servi
Page 148 and 149:
Figure 7-4 Web Service Deployment S
Page 150 and 151:
Figure 7-7 Web Service Java Bean Me
Page 152 and 153:
12.As shown in Figure 7-10 on page
Page 154 and 155:
Follow the steps below to use the g
Page 156 and 157:
Using the ITSOBank Web Service clie
Page 158 and 159:
Example 7-1 SOAP request with certi
Page 160 and 161:
oVD/QxRYXFg02v6rK53DZKntq
Page 162 and 163:
3. In that window, under Security -
Page 164 and 165:
Example 7-4 Secured and non-secured
Page 166 and 167:
WS-Policy will be fully extensible
Page 168 and 169:
Policy Requester Security Token Ser
Page 170 and 171:
Direct Trust using Security Tokens
Page 172 and 173:
6. The service fetches the certific
Page 174 and 175:
Security can be applied at two leve
Page 176 and 177:
ii. Browse to select the file /scri
Page 178 and 179:
► Messages sent and received can
Page 180 and 181:
Important: Message Driven Bean is a
Page 182 and 183:
quser01 read write
Page 184 and 185:
- Container-managed Authentication
Page 186 and 187:
The authority service component pro
Page 188 and 189:
J2EE Connector architecture establi
Page 190 and 191:
As a next step, the following list
Page 192 and 193:
CMP EJB 2.0 Persistence Manager Dat
Page 194 and 195:
J2EE 1.3 Application EJB Container
Page 196 and 197:
2. Configure each resource adapter
Page 198 and 199:
8.1 Programmatic security J2EE secu
Page 200 and 201:
8.2.2 Servlet security methods The
Page 202 and 203:
There is one point worth noting in
Page 204 and 205:
Figure 8-3 Custom Registry properti
Page 206 and 207:
Method signature String getUserSecu
Page 208 and 209:
also ask for a X.509 certificate fi
Page 210 and 211:
Required libraries from WebSphere f
Page 212 and 213:
Testing the custom Trust Associatio
Page 214 and 215:
local or remote code (signed or not
Page 216 and 217:
To call a piece of trusted code to
Page 218 and 219:
► ► ► ► ► java.net.NetPer
Page 220 and 221:
► It is also possible to specify
Page 222 and 223:
Java 2 security can be enabled on t
Page 224 and 225:
► The following callbacks are pro
Page 226 and 227:
application LoginContext LoginModul
Page 228 and 229:
lc=new LoginContext("ClientContaine
Page 230 and 231:
Note: Without initializing the ORB,
Page 232 and 233:
8.8 Where to find more information
Page 234 and 235:
9.1 WebSphere security model The IB
Page 236 and 237:
Deployment Manager Cell-wide config
Page 238 and 239:
From a security point of view, each
Page 240 and 241:
► Application Security determines
Page 242 and 243:
9.2.2 WebSphere Application Server
Page 244 and 245:
LTPA requires that the configured U
Page 246 and 247:
HTTP / HTTPS HTTP Server WebSphere
Page 248 and 249:
9.3 Performance considerations From
Page 250 and 251:
232 IBM WebSphere V5.0 Security Han
Page 252 and 253:
10.1 Administration tools WebSphere
Page 254 and 255:
A Web browser, for instance, must b
Page 256 and 257:
the two types of registry provided
Page 258 and 259:
Role configurator operator administ
Page 260 and 261:
Figure 10-4 Mapping a group to an A
Page 262 and 263:
Mapping a group to a CosNaming role
Page 264 and 265:
1. In the Admin Console, select Sec
Page 266 and 267:
6. In the Configuration tab provide
Page 268 and 269:
8. The changes will need to be save
Page 270 and 271:
In a scenario presented in this cha
Page 272 and 273:
2. Save the configuration for WebSp
Page 274 and 275:
Figure 10-16 Application Login Conf
Page 276 and 277:
Figure 10-18 J2C Authentication ent
Page 278 and 279:
Figure 10-19 An SSL configuration w
Page 280 and 281:
WebSphere supports the concept of t
Page 282 and 283:
The file used by a Java client to r
Page 284 and 285:
Figure 10-22 Saving the new key sto
Page 286 and 287:
Figure 10-25 Provide details for th
Page 288 and 289:
24.From the menu bar, select Key Da
Page 290 and 291:
10.Enter a Key Label which will ide
Page 292 and 293:
Figure 10-30 A personal certificate
Page 294 and 295:
10.9.3 Using the Java keytool Anoth
Page 296 and 297:
SSL connection #1 SSL connection #2
Page 298 and 299:
Figure 10-33 The IBM HTTP Server ik
Page 300 and 301:
The IBM HTTP Server Administration
Page 302 and 303:
15.Select Basic Settings -> Module
Page 304 and 305:
In the case of a self-signed certif
Page 306 and 307:
Note: If the Cipher Specification l
Page 308 and 309:
Make sure that the certificate is i
Page 310 and 311:
Figure 10-41 Certificate details Th
Page 312 and 313:
Configuring WebSphere to use certif
Page 314 and 315:
3. If you decide the use the IBM HT
Page 316 and 317:
Example 10-5 trace.log ... [10/14/0
Page 318 and 319:
Configuring WebSphere to use exact
Page 320 and 321:
[10/14/02 19:39:38:358 EDT] 7a37602
Page 322 and 323:
publicly circulating root certifica
Page 324 and 325:
Exchanging public certificates The
Page 326 and 327:
Modifying the Web Container to supp
Page 328 and 329:
The new certificate should appear u
Page 330 and 331:
3. Client Certificate Authenticatio
Page 332 and 333:
Figure 10-47 CSIv2 transport config
Page 334 and 335:
Table 10-5 sas.client.props configu
Page 336 and 337:
10.13.1 IBM SecureWay Directory Ser
Page 338 and 339:
2. Click the Add Server button. The
Page 340 and 341:
8. Click OK; a new window appears f
Page 342 and 343:
Figure 10-56 LDAP directory with us
Page 344 and 345:
Figure 10-57 WebSphere LDAP Configu
Page 346 and 347:
Configuring the secure LDAP (LDAPS)
Page 348 and 349:
Figure 10-59 Configuring SSL for Se
Page 350 and 351:
Figure 10-60 SSL encryption setting
Page 352 and 353:
choose not to differentiate between
Page 354 and 355:
- Port: specify 636 which correspon
Page 356 and 357:
A sample scenario is depicted next.
Page 358 and 359:
Item Cell Node Server Appl. CosNami
Page 360 and 361:
JAAS configuration The JAAS configu
Page 362 and 363:
Individual CSI and SAS settings The
Page 364 and 365:
The server security settings availa
Page 366 and 367:
Page 368 and 369:
11.1 Patterns for e-business Patter
Page 370 and 371:
► ► ► Buy-Side Hub Sell-Side
Page 372 and 373:
Client Tier Synchronous Application
Page 374 and 375:
► Application tier: may represent
Page 376 and 377:
► certificates, access groups, et
Page 378 and 379:
Figure 11-6 presents the Runtime pa
Page 380 and 381:
11.4 Product mappings This section
Page 382 and 383: - Authorization Server The Authoriz
Page 384 and 385: The following secure communications
Page 386 and 387: 368 IBM WebSphere V5.0 Security Han
Page 388 and 389: This chapter covers four different
Page 390 and 391: andwidth to and from the server unt
Page 392 and 393: All of these benefits contribute to
Page 394 and 395: The Policy Server replicates this d
Page 396 and 397: Server Tivoli Access Manager WebSEA
Page 398 and 399: Server Name appsrv01, appsrv02 Appl
Page 400 and 401: 1. First, log in with your favorite
Page 402 and 403: 1. In the Administrative Console, n
Page 404 and 405: 12.4.1 Single Sign-On with WebSEAL
Page 406 and 407: correct. Then it trusts that the id
Page 408 and 409: 8. In the Single Sign-On (SSO) pane
Page 410 and 411: User Registry Client 1. Request 2.
Page 412 and 413: Property key com.ibm.Websphere.secu
Page 414 and 415: Figure 12-8 Trust Association Panel
Page 416 and 417: 2. We will first configure LTPA aut
Page 418 and 419: e prompted for the keyfile password
Page 420 and 421: Example 12-2 WebSphere Security ini
Page 422 and 423: [8/22/02 7:42:44:163 CDT] 277a2e5c
Page 424 and 425: [8/22/02 7:42:47:449 CDT] 277a2e5c
Page 426 and 427: [8/22/02 7:42:51:655 CDT] 277a2e5c
Page 428 and 429: In this example, we have configured
Page 430 and 431: ► ► ► WebSEAL can forward mod
Page 434 and 435: of inetOrg.Person as each junction
Page 436 and 437: Figure 12-13 Web Portal Manager Men
Page 438 and 439: Select the boxes Is Account Valid,
Page 440 and 441: Creating Access Manager Junctions A
Page 442 and 443: Figure 12-18 Protected Object Prope
Page 444 and 445: Figure 12-20 Create an ACL Entry 4.
Page 446 and 447: Testing the junctions The following
Page 448 and 449: Figure 12-22 Successful access to i
Page 450 and 451: WebSEAL Authenticated Users before
Page 452 and 453: At the same time, the tool creates
Page 454 and 455: - pdacld_port: the port number of t
Page 456 and 457: 8. The next application migrated wa
Page 458 and 459: Do not make changes to the deployme
Page 464 and 465: Sample application The purpose of t
Page 466 and 467: 5. The Transfer EJB uses two entity
Page 468 and 469: The process flows as described belo
Page 470 and 471: You can download the clients from h
Page 472 and 473: Configuring WebSphere Application S
Page 474 and 475: Use this DataSource in container ma
Page 476 and 477: e. On the Map RunAs roles to users
Page 480 and 481: SecureWay Directory Server The conf
Page 482 and 483:
Ensure that Domino is using the LDA
Page 484 and 485:
Figure B-3 Domino LDAP settings in
Page 486 and 487:
Figure B-4 Domino CA application 2.
Page 488 and 489:
Enable SSL on Domino Server Enable
Page 490 and 491:
1. Open the ikeyman tool that comes
Page 492 and 493:
3. WebSphere will validate your ent
Page 494 and 495:
Figure B-9 iPlanet Directory Server
Page 496 and 497:
Figure B-13 iPlanet Certificate Req
Page 498 and 499:
Figure B-16 Certificate Install Wiz
Page 500 and 501:
Figure B-19 iPlanet Encryption sett
Page 502 and 503:
Tip from a battle scarred veteran p
Page 504 and 505:
Figure B-21 Active Directory Users
Page 506 and 507:
Figure B-24 New User password panel
Page 508 and 509:
group membership, and other group a
Page 510 and 511:
WebSphere-Domino SSO scenarios In t
Page 512 and 513:
7. Once the user is authenticated a
Page 514 and 515:
6. Click OK to create a database. 7
Page 516 and 517:
- On the Rules tab, specify the fol
Page 518 and 519:
3. A new Document will be displayed
Page 520 and 521:
Figure C-7 TCP/IP port status setti
Page 522 and 523:
1. To add new user names or groups
Page 524 and 525:
Figure C-10 Default Domino server l
Page 526 and 527:
Figure C-13 Successful submission o
Page 528 and 529:
Using Domino LDAP for user registry
Page 530 and 531:
Enabling Single Sign-On for WebSphe
Page 532 and 533:
wsadmin scripting WebSphere Applica
Page 534 and 535:
3. In the line com.ibm.SOAP.loginUs
Page 536 and 537:
You can also set the user registry
Page 538 and 539:
Page 540 and 541:
Using the Web material The addition
Page 542 and 543:
SPI SSL SSO SWAM UDDI URI URL VPN W
Page 544 and 545:
Referenced Web sites These Web site
Page 546 and 547:
Page 548 and 549:
Application pattern Directly Integr
Page 550 and 551:
EJB permissions Exclude 80 Role 80
Page 552 and 553:
L launchclient 122 LDAP Advanced se
Page 554 and 555:
ORB 102 System 366 Unprotected meth
Page 556 and 557:
Gateway Security 155 Gateway-level
Page 558 and 559:
Page 562:
Back cover IBM WebSphere V5.0 Secur
show all

IBM WebSphere V5.0 Security - CGISecurity

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?