- Page 1: Front cover: IBM WebSphere V5.0 Securi…
- Page 5 and 6: Contents: Notices . . . . . . . . . . …
- Page 7 and 8: 7.3 J2C security. . . . . . . . . . …
- Page 9 and 10: 11.3.1 Runtime pattern for Self-Ser…
- Page 11 and 12: Notices: This information was develop…
- Page 13 and 14: Preface: This IBM Redbook provides IT…
- Page 15 and 16: Paul Creswick is an infrastructure…
- Page 17 and 18: Comments welcome: Your comments are i…
- Page 19 and 20: Chapter 1. Introduction: This chapter…
- Page 21 and 22: This icon represents the Deployer r…
- Page 23 and 24: Chapter 2. Security fundamentals: Thi…
- Page 25 and 26: 2.1.2 Logical security: Logical secur…
- Page 27 and 28: knowledge based user name/password dig…
- Page 29 and 30: For example, in a bank account obje…
- Page 31 and 32: Public key cryptography involves th…
- Page 33 and 34: The logical elements of a PKI syste…
- Page 35 and 36: ► Issuing a list of revoked cer…
- Page 37 and 38: Part 1. WebSphere security © Co…
- Page 39 and 40: Chapter 3. J2EE application securit…
- Page 41 and 42: In another example, a servlet in th…
- Page 43 and 44: 3.3 J2EE Container-based security: J2…
- Page 45 and 46: everyone In the ibm-application-bnd.…
- Page 47 and 48: The next steps will describe how to…
- Page 49 and 50: Important: It is not recommended to…
- Page 51 and 52: Figure 3-6 Security role mapping in…
- Page 53 and 54: If you want to edit the security ro…
- Page 55 and 56: Chapter 4. Securing Web components: T…
- Page 57 and 58: 4.1.1 Authentication with the Web s…
- Page 59 and 60: Note: If you have not set up an adm…
- Page 61 and 62: Note: Configuration changes you hav…
- Page 63 and 64: ► Running daemon as root:…
- Page 65 and 66: This method allows the developer to…
- Page 67 and 68: 4. Fill out the fields according to…
- Page 69 and 70: Figure 4-6 Completed New Security C…
- Page 71 and 72: For servlets, WebSphere Application…
- Page 73 and 74: list-box; a new item appears in the…
- Page 75 and 76: Figure 4-10 Defining Security role…
- Page 77 and 78: For any type of authentication meth…
- Page 79 and 80: Example 4-4 Login-config section of…
- Page 81 and 82: Each object that will be used as a…
- Page 83 and 84: Any other Web component can access…
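Pages 71 to 84 above configure declarative Web security: security constraints on URL patterns and HTTP methods, security roles, and the login-config section. The following is an added example, not code from the Redbook or from WebSphere, that parses a constructed web.xml and reproduces the container's authorization decision for a given method, path and set of caller roles. It assumes the Servlet 2.4 combination rules (a matching constraint with no auth-constraint opens the resource, an empty auth-constraint closes it, otherwise the named roles form a union) and Tomcat-style pattern precedence (exact match over longest prefix over extension over the default pattern); WebSphere V5's Servlet 2.3 container may differ in detail. The sample descriptor, role names and paths are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

/** Reproduces a Web container's <security-constraint> authorization decision from a web.xml. */
public class WebConstraintCheck {

    /** One parsed <security-constraint>. */
    static final class Constraint {
        final List<String> patterns = new ArrayList<>();
        final Set<String> methods = new HashSet<>();  // empty = constraint covers every HTTP method
        boolean hasAuthConstraint;                    // <auth-constraint> element present at all?
        final Set<String> roles = new HashSet<>();    // empty while hasAuthConstraint = nobody may access
    }

    final List<Constraint> constraints = new ArrayList<>();

    WebConstraintCheck(String webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Descriptor parsing hygiene: no DOCTYPE, no entity expansion, no XInclude.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        f.setXIncludeAware(false);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(webXml.getBytes(StandardCharsets.UTF_8)));
        NodeList scs = doc.getElementsByTagName("security-constraint");
        for (int i = 0; i < scs.getLength(); i++) {
            Element sc = (Element) scs.item(i);
            Constraint c = new Constraint();
            c.patterns.addAll(texts(sc, "url-pattern"));
            for (String m : texts(sc, "http-method")) c.methods.add(m.toUpperCase(Locale.ROOT));
            NodeList ac = sc.getElementsByTagName("auth-constraint");
            if (ac.getLength() > 0) {
                c.hasAuthConstraint = true;
                c.roles.addAll(texts((Element) ac.item(0), "role-name"));
            }
            constraints.add(c);
        }
    }

    private static List<String> texts(Element parent, String tag) {
        List<String> out = new ArrayList<>();
        NodeList nl = parent.getElementsByTagName(tag);
        for (int i = 0; i < nl.getLength(); i++) out.add(nl.item(i).getTextContent().trim());
        return out;
    }

    /** Constraints governing a path: exact match, else longest "/x/*" prefix, else "*.ext", else "/". */
    List<Constraint> applicable(String path) {
        List<Constraint> exact = new ArrayList<>(), prefix = new ArrayList<>(), ext = new ArrayList<>(), dflt = new ArrayList<>();
        int longest = -1;
        for (Constraint c : constraints) {
            for (String p : c.patterns) {
                if (p.equals(path)) exact.add(c);
                else if (p.endsWith("/*") && (path.equals(p.substring(0, p.length() - 2)) || path.startsWith(p.substring(0, p.length() - 1)))) {
                    if (p.length() > longest) { longest = p.length(); prefix.clear(); }
                    if (p.length() == longest) prefix.add(c);
                } else if (p.startsWith("*.") && path.endsWith(p.substring(1))) ext.add(c);
                else if (p.equals("/")) dflt.add(c);
            }
        }
        return !exact.isEmpty() ? exact : !prefix.isEmpty() ? prefix : !ext.isEmpty() ? ext : dflt;
    }

    /** Decision for method+path; callerRoles == null means the request is unauthenticated. */
    boolean isAllowed(String method, String path, Set<String> callerRoles) {
        String m = method.toUpperCase(Locale.ROOT);
        boolean constrained = false, denyAll = false;
        Set<String> allowedRoles = new HashSet<>();
        for (Constraint c : applicable(path)) {
            // No <http-method> = all methods; listed methods constrain ONLY those (the unlisted-method hole).
            if (!c.methods.isEmpty() && !c.methods.contains(m)) continue;
            constrained = true;
            if (!c.hasAuthConstraint) return true;   // a constraint without <auth-constraint> opens the resource
            if (c.roles.isEmpty()) denyAll = true;   // empty <auth-constraint/> closes it to everyone
            allowedRoles.addAll(c.roles);
        }
        if (!constrained) return true;               // nothing governs this method/path: unprotected
        if (denyAll || callerRoles == null) return false;
        if (allowedRoles.contains("*")) return !callerRoles.isEmpty();   // "*": any role defined in the app
        return !Collections.disjoint(allowedRoles, callerRoles);
    }

    /** Constructed sample descriptor (not from the Redbook). */
    static final String SAMPLE_WEB_XML = "<web-app>"
        + "<security-constraint><web-resource-collection><web-resource-name>Transfer</web-resource-name>"
        + "<url-pattern>/transfer</url-pattern><http-method>GET</http-method><http-method>POST</http-method>"
        + "</web-resource-collection><auth-constraint><role-name>customer</role-name></auth-constraint></security-constraint>"
        + "<security-constraint><web-resource-collection><web-resource-name>Manager</web-resource-name>"
        + "<url-pattern>/manager/*</url-pattern></web-resource-collection>"
        + "<auth-constraint><role-name>manager</role-name></auth-constraint></security-constraint>"
        + "<security-constraint><web-resource-collection><web-resource-name>Disabled</web-resource-name>"
        + "<url-pattern>/manager/debug</url-pattern></web-resource-collection><auth-constraint/></security-constraint>"
        + "</web-app>";

    public static void main(String[] args) throws Exception {
        WebConstraintCheck wc = new WebConstraintCheck(SAMPLE_WEB_XML);
        Set<String> customer = Collections.singleton("customer"), manager = Collections.singleton("manager");
        System.out.println(wc.isAllowed("GET", "/transfer", null));            // false: login required
        System.out.println(wc.isAllowed("POST", "/transfer", customer));       // true
        System.out.println(wc.isAllowed("HEAD", "/transfer", null));           // true: HEAD was never listed, so it is wide open
        System.out.println(wc.isAllowed("GET", "/manager/report", customer));  // false: needs manager
        System.out.println(wc.isAllowed("GET", "/manager/debug", manager));    // false: empty auth-constraint, nobody
    }
}
```

The HEAD case is the check to run on any descriptor: listing GET and POST protects only those two methods, so a resource that does real work on other methods must either omit http-method entirely or be covered by a second, method-less constraint.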
- Page 85 and 86: Testing the application: First of all…
- Page 87 and 88: Note: The previously introduced log…
- Page 89 and 90: Struts supports multiple mechanisms…
- Page 91 and 92: Chapter 5. Securing EJBs: This chapte…
- Page 93 and 94: ► Session, entity, and message-dri…
- Page 95 and 96: Assigning method permissions in the…
- Page 97 and 98: Figure 5-4 Choosing security roles 5…
- Page 99 and 100: When an EJB uses the IsCallerInRole…
- Page 101 and 102: Figure 5-7 Add Security Role Refere…
- Page 103 and 104: Figure 5-8 demonstrates EJB delegat…
- Page 105 and 106: 7. Enter an optional Security ident…
- Page 107 and 108: Assigning method-level Run-as deleg…
- Page 109 and 110: Figure 5-12 Method-level run-as rol…
- Page 111 and 112: Run-as Mapping: A single user name an…
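Pages 95 to 112 cover EJB method permissions, isCallerInRole with security role references, run-as delegation and the run-as mapping that binds a run-as role to a real user; page 201 in chapter 8 uses the same primitive from a servlet via request.isUserInRole. The block below is an added example, not the Redbook's or WebSphere's code: a small model of the container's checks showing how a caller who may not call AccountBean.debit directly reaches it through TransferBean once the bean's run-as identity replaces the caller's identity on the downstream call. Bean names, roles and the mapped user acctmgr are constructed; a method with no permission entry is treated as denied here, which is a choice to fail closed rather than a statement of how the container treats unlisted methods.

```java
import java.util.*;

/** Toy model of EJB container authorization: method permissions, security-role-refs and run-as delegation. */
public class EjbRunAsDemo {

    /** An authenticated identity with the roles the deployer mapped it to. */
    static final class Identity {
        final String name; final Set<String> roles;
        Identity(String name, String... roles) { this.name = name; this.roles = new HashSet<>(Arrays.asList(roles)); }
    }

    /** Deployment-descriptor view of one bean: method permissions, role-refs, optional run-as role. */
    static final class BeanDescriptor {
        final String name;
        final Map<String, Set<String>> methodPermissions = new HashMap<>(); // method -> roles allowed to call it
        final Map<String, String> roleRefs = new HashMap<>();              // coded role name -> real security role
        String runAsRole;                                                  // null = caller identity propagates
        BeanDescriptor(String name) { this.name = name; }
        BeanDescriptor permit(String method, String... roles) { methodPermissions.put(method, new HashSet<>(Arrays.asList(roles))); return this; }
        BeanDescriptor roleRef(String codedName, String role) { roleRefs.put(codedName, role); return this; }
        BeanDescriptor runAs(String role) { runAsRole = role; return this; }
    }

    /** Stands in for the container's access exception (NO_PERMISSION on the wire). */
    static final class AccessDenied extends RuntimeException {
        AccessDenied(String m) { super(m); }
    }

    final Map<String, BeanDescriptor> beans = new HashMap<>();
    final Map<String, Identity> runAsMapping = new HashMap<>();   // run-as role -> mapped user (the "Run-as Mapping" step)

    /** Container-side check before a business method; returns the identity downstream calls will carry. */
    Identity authorize(Identity caller, String bean, String method) {
        BeanDescriptor d = beans.get(bean);
        Set<String> allowed = d.methodPermissions.get(method);
        // Fail closed: a method without a permission entry is denied in this model.
        if (allowed == null || Collections.disjoint(allowed, caller.roles))
            throw new AccessDenied(caller.name + " may not call " + bean + "." + method);
        if (d.runAsRole == null) return caller;            // identity propagates unchanged
        Identity delegate = runAsMapping.get(d.runAsRole);
        if (delegate == null) throw new IllegalStateException("run-as role " + d.runAsRole + " has no mapped user");
        return delegate;                                   // downstream calls are made AS this identity
    }

    /** EJBContext.isCallerInRole(): resolves the coded name through the bean's security-role-ref. */
    boolean isCallerInRole(Identity caller, String bean, String codedRoleName) {
        String real = beans.get(bean).roleRefs.get(codedRoleName);
        // An unlinked coded name is "not in role" here; some containers fall back to using the name directly.
        return real != null && caller.roles.contains(real);
    }

    /** Scenario: caller -> TransferBean.transfer -> (run-as accountmanager) -> AccountBean.debit. */
    static String transferScenario(Identity caller, boolean viaTransferBean) {
        EjbRunAsDemo c = new EjbRunAsDemo();
        c.beans.put("TransferBean", new BeanDescriptor("TransferBean")
            .permit("transfer", "customer")
            .roleRef("privileged", "manager")          // code says "privileged", deployer links it to "manager"
            .runAs("accountmanager"));
        c.beans.put("AccountBean", new BeanDescriptor("AccountBean")
            .permit("debit", "accountmanager"));
        c.runAsMapping.put("accountmanager", new Identity("acctmgr", "accountmanager")); // constructed mapping
        try {
            Identity downstream = viaTransferBean ? c.authorize(caller, "TransferBean", "transfer") : caller;
            boolean privileged = viaTransferBean && c.isCallerInRole(caller, "TransferBean", "privileged");
            c.authorize(downstream, "AccountBean", "debit");
            return "debit by " + downstream.name + (privileged ? " (privileged caller)" : "");
        } catch (AccessDenied e) {
            return "DENIED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Identity alice = new Identity("alice", "customer");
        System.out.println(transferScenario(alice, true));   // debit by acctmgr
        System.out.println(transferScenario(alice, false));  // DENIED: alice may not call AccountBean.debit
        System.out.println(transferScenario(new Identity("bob", "customer", "manager"), true)); // debit by acctmgr (privileged caller)
    }
}
```

The point to take from the second line of output is that run-as is an authorization boundary, not a convenience: once TransferBean runs as acctmgr, every bean it calls sees acctmgr, so the permissions on TransferBean.transfer are the only thing standing between a customer and AccountBean.debit.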
- Page 113 and 114: 5.7 Where to find more information: F…
- Page 115 and 116: Chapter 6. Securing Java clients: Thi…
- Page 117 and 118: The pluggable application client pr…
- Page 119 and 120: The attribute layer also provides t…
- Page 121 and 122: 4. Server ORB calls the request int…
- Page 123 and 124: properties. Requires com.ibm.CORBA.…
- Page 125 and 126: 6.4 Identity Assertion. Definition: I…
- Page 127 and 128: 3. On the back-end server, the Boun…
- Page 129 and 130: Configuring Client01: Client01 requir…
- Page 131 and 132: After running the client, you shoul…
- Page 133 and 134: Note: An important concept to grasp…
- Page 135 and 136: Configuring Server02: In the Web Cons…
- Page 137 and 138: Select CSIv2 Outbound Transport. D…
- Page 139 and 140: Configuring Server02: All previous re…
- Page 141 and 142: Once the client has been authentica…
- Page 143 and 144: Chapter 7. Securing Enterprise Integ…
- Page 145 and 146: We already have a ConsultationHelpe…
- Page 147 and 148: Figure 7-3 Selecting Web Service ty…
- Page 149 and 150: Figure 7-6 Web Service Java Bean id…
- Page 151 and 152: 10. In the Web Service Binding Proxy…
- Page 153 and 154: File name: conf/sv-ver-config.xml; key/…
- Page 155 and 156: Figure 7-12 XML-SOAP Admin. The servi…
- Page 157 and 158: Figure 7-13 TCP/IP Monitoring Serve…
- Page 159 and 160: zLc99nWY+GsSwG9iI64iU9XdSKzljLqGbGj…
- Page 161 and 162: MIIDQDCCAqmgAwIBAgICAQUwDQYJKoZIhvc…
- Page 163 and 164: Open the Web Service proxy client g…
- Page 165 and 166: WS-Security describes enhancements…
- Page 167 and 168: intermediaries to forward messages.…
- Page 169 and 170: Requester, Web Service (figure labels); Figure 7-18 Dire…
- Page 171 and 172: Security Token Service, Requester, Web Ser… (figure labels)
- Page 173 and 174: This scenario would operate as foll…
- Page 175 and 176: Enable operation-level authorizatio…
- Page 177 and 178: iv. In the New EJB Reference window…
- Page 179 and 180: ► Data integrity service descri…
- Page 181 and 182: For example, integral-jms-authoriza…
- Page 183 and 184: Example 7-9 Topic default permissio…
- Page 185 and 186: WebSphere Application Server V5, EJB C… (figure labels)
- Page 187 and 188: Message channels and MQ channels ca…
- Page 189 and 190: ► System exactly matches the princ…
- Page 191 and 192: Figure 7-28 Data Sources configurat…
- Page 193 and 194: J2EE 1.2 Application, EJB Container, Be… (figure labels)
- Page 195 and 196: 1. Request for connection; Application… (figure labels)
- Page 197 and 198: Chapter 8. Programmatic security: Pro…
- Page 199 and 200: ► Boolean isCallerInRole(String ro…
- Page 201 and 202: if(request.isUserInRole(restrictedR…
- Page 203 and 204: This will generate some classes tha…
- Page 205 and 206: Table 8-2 WebSphere’s UserRegistr…
- Page 207 and 208: Method signature / Result: getUsersForG…
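Table 8-2 and the method list on pages 205 to 208 describe the UserRegistry methods a custom registry implements (checkPassword, getUniqueUserId, getGroupsForUser, getUsersForGroup and the rest). The following is an added example, not the Redbook's sample registry and not an implementation of the IBM interface (it depends on no WebSphere classes): the backing logic for a property-file style registry that stores salted, iterated PBKDF2 hashes instead of plaintext passwords, compares them in constant time, and hashes even for unknown user names so response time does not reveal which names exist. Method names follow the interface as the table describes it; user names, IDs, groups and passwords are constructed.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Backing logic for a file/property style custom user registry with salted, iterated password hashes. */
public class HashedUserRegistry {

    static final int ITERATIONS = 100_000, KEY_BITS = 256, SALT_BYTES = 16;

    static final class User {
        final String securityName, uniqueId, displayName; final byte[] salt, hash;
        User(String s, String u, String d, byte[] salt, byte[] hash) {
            securityName = s; uniqueId = u; displayName = d; this.salt = salt; this.hash = hash;
        }
    }

    private final Map<String, User> users = new HashMap<>();                      // securityName -> user
    private final Map<String, Set<String>> groupMembers = new LinkedHashMap<>();  // group -> member securityNames
    private final SecureRandom rng = new SecureRandom();

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Registry population: what a users.props-style file would hold, minus any plaintext password. */
    void addUser(String securityName, String uniqueId, String displayName, char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        rng.nextBytes(salt);
        users.put(securityName, new User(securityName, uniqueId, displayName, salt, pbkdf2(password, salt)));
        Arrays.fill(password, '\0');   // do not keep the secret around longer than needed
    }

    void addGroup(String group, String... members) {
        groupMembers.put(group, new LinkedHashSet<>(Arrays.asList(members)));
    }

    /** checkPassword: returns the security name on success, null on failure; same cost either way. */
    String checkPassword(String securityName, String password) {
        User u = users.get(securityName);
        // Hash against a dummy salt when the user is unknown so timing does not reveal valid names.
        byte[] salt = u != null ? u.salt : new byte[SALT_BYTES];
        byte[] candidate = pbkdf2(password.toCharArray(), salt);
        if (u == null) return null;
        return MessageDigest.isEqual(candidate, u.hash) ? u.securityName : null;   // constant-time compare
    }

    boolean isValidUser(String securityName) { return users.containsKey(securityName); }
    String getUniqueUserId(String securityName) { User u = users.get(securityName); return u == null ? null : u.uniqueId; }
    String getUserDisplayName(String securityName) { User u = users.get(securityName); return u == null ? null : u.displayName; }

    List<String> getGroupsForUser(String securityName) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, Set<String>> e : groupMembers.entrySet())
            if (e.getValue().contains(securityName)) out.add(e.getKey());
        return out;
    }

    List<String> getUsersForGroup(String group, int limit) {
        List<String> out = new ArrayList<>(groupMembers.getOrDefault(group, Collections.emptySet()));
        return out.subList(0, Math.min(limit, out.size()));
    }

    public static void main(String[] args) {
        HashedUserRegistry reg = new HashedUserRegistry();
        reg.addUser("manager01", "uid-1001", "Bank Manager", "s3cret!".toCharArray());   // constructed sample data
        reg.addUser("customer01", "uid-2001", "A. Customer", "passw0rd".toCharArray());
        reg.addGroup("managergrp", "manager01");
        reg.addGroup("customergrp", "customer01", "manager01");
        System.out.println(reg.checkPassword("manager01", "s3cret!"));     // manager01
        System.out.println(reg.checkPassword("manager01", "wrong"));       // null
        System.out.println(reg.checkPassword("nobody", "s3cret!"));        // null
        System.out.println(reg.getGroupsForUser("manager01"));            // [managergrp, customergrp]
        System.out.println(reg.getUsersForGroup("customergrp", 10));      // [customer01, manager01]
    }
}
```

Whatever the registry reads from, the two properties worth keeping are visible here: the stored file never contains a password, and a wrong password and an unknown user are indistinguishable to the caller in both result and timing.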
- Page 209 and 210: Configuring the Interceptor: In order…
- Page 211 and 212: 6. Provide the name for the class,…
- Page 213 and 214: [9/25/02 18:03:14:312 EDT] 41ab0df5…
- Page 215 and 216: Definition: A principal is an entit…
- Page 217 and 218: The list of permissions in Java V1.…
- Page 219 and 220: A grant entry can be defined accord…
- Page 221 and 222: For example: start with minimal sec…
- Page 223 and 224: 8.6.1 Implementing security with JA…
- Page 225 and 226: Example 8-5 login.config: WSLogin {co…
- Page 227 and 228: 8.7.1 JAAS in WebSphere: In the previ…
- Page 229 and 230: Running the client-side login sampl…
- Page 231 and 232: the login process. The main differe…
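Pages 223 to 232 implement a JAAS login: a login.config stanza (Example 8-5, the WSLogin alias), a LoginModule whose login() is followed by commit(), and a client that drives it through a LoginContext. Below is an added example, not from the Redbook and not using WebSphere's WSLoginModuleProxy: a self-contained LoginModule that authenticates against a constructed table, an in-code Configuration equivalent to a one-line login.config stanza that marks the module required, and a fixed-value CallbackHandler of the kind a client sample needs to supply a user name and password without prompting. The table contents and the alias reuse are assumptions for illustration.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** A JAAS LoginModule plus an in-code Configuration equivalent to a login.config entry. */
public class JaasLoginDemo {

    /** Principal placed in the Subject on commit(). */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    /** Two-phase module: login() authenticates, commit() populates the Subject, abort() discards state. */
    public static class TableLoginModule implements LoginModule {
        // Constructed credential table; a real module would consult the user registry.
        private static final Map<String, char[]> TABLE = new HashMap<>();
        static { TABLE.put("manager01", "s3cret!".toCharArray()); }

        private Subject subject; private CallbackHandler handler;
        private String userName; private boolean succeeded;

        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            char[] expected = TABLE.get(nc.getName());
            char[] given = pc.getPassword();
            pc.clearPassword();
            succeeded = expected != null && given != null
                && MessageDigest.isEqual(new String(expected).getBytes(), new String(given).getBytes());
            if (!succeeded) throw new FailedLoginException("bad user or password"); // same message for both cases
            userName = nc.getName();
            return true;
        }
        public boolean commit() {
            if (!succeeded) return false;
            subject.getPrincipals().add(new UserPrincipal(userName));
            return true;
        }
        public boolean abort() { succeeded = false; userName = null; return true; }
        public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal); return true; }
    }

    /** Equivalent of the stanza: WSLogin { JaasLoginDemo$TableLoginModule required; }; */
    static final class InlineConfiguration extends Configuration {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"WSLogin".equals(name)) return null;
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                TableLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                Collections.<String, Object>emptyMap()) };
        }
    }

    /** CallbackHandler that answers from values supplied up front, as a non-interactive client would. */
    static CallbackHandler fixed(final String user, final String pw) {
        return callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pw.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
    }

    /** Runs the login; returns the principal names in the Subject, or an empty set if login failed. */
    static Set<String> login(String user, String pw) {
        try {
            LoginContext lc = new LoginContext("WSLogin", new Subject(), fixed(user, pw), new InlineConfiguration());
            lc.login();                       // login() then commit() on each module; abort() if any required one fails
            Set<String> names = new TreeSet<>();
            for (Principal p : lc.getSubject().getPrincipals()) names.add(p.getName());
            return names;
        } catch (LoginException e) {
            return Collections.emptySet();
        }
    }

    public static void main(String[] args) {
        System.out.println(login("manager01", "s3cret!"));   // [manager01]
        System.out.println(login("manager01", "wrong"));     // []
    }
}
```

Nothing is added to the Subject until commit(), which is the property that lets a stack of modules fail as a unit: a later required module that throws causes abort() on the earlier ones, and the Subject stays empty.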
- Page 233 and 234: Chapter 9. WebSphere Application Ser…
- Page 235 and 236: ► Operating system sec…
- Page 237 and 238: ► purely an administration process…
- Page 239 and 240: Administrative Scripting Applicatio…
- Page 241 and 242: 9.2.1 Extensible security architect…
- Page 243 and 244: An authentication mechanism in WebS…
- Page 245 and 246: Security server: Security server is a…
- Page 247 and 248: 6. Upon subsequent requests, only a…
- Page 249 and 250: WebSphere Application Server, Web con… (figure labels)
- Page 251 and 252: Chapter 10. Administering WebSpher…
- Page 253 and 254: ► Custom Tools developed by using…
- Page 255 and 256: Figure 10-1 Global Security configu…
- Page 257 and 258: ► If the startServer and stopServe…
- Page 259 and 260: Figure 10-3 Mapping a user to an Ad…
- Page 261 and 262: Role: Cos Naming Create, Cos Naming Del…
- Page 263 and 264: ► Custom User Registry; 10.4.1 Local…
- Page 265 and 266: Figure 10-9 LDAP settings for WebSp…
- Page 267 and 268: Figure 10-11 Custom Registry set fo…
- Page 269 and 270: 10.6.1 Single Sign-On: Single Sign-On…
- Page 271 and 272: Figure 10-15 SSO configuration pane…
- Page 273 and 274: In the previous steps, we assumed t…
- Page 275 and 276: WSLogin {com.ibm.ws.security.common…
- Page 277 and 278: plug-in and application server and…
- Page 279 and 280: order to support client authenticat…
- Page 281 and 282: Table 10-3 WebSphere default key st…
- Page 283 and 284: Figure 10-21 ikeyman key management…
- Page 285 and 286: Figure 10-24 The default list of si…
- Page 287 and 288: Figure 10-26 The new self-signed ce…
- Page 289 and 290: There should now be the four key st…
- Page 291 and 292: Figure 10-29 Certificate request co…
- Page 293 and 294: Example 10-3 Certificate reply from…
- Page 295 and 296: 10. Ensure the Client Authentication…
- Page 297 and 298: 10.10.1 Generating a digital certif…
- Page 299 and 300: 10. Click OK to confirm that the pas…
- Page 301 and 302: Figure 10-34 Administrative Console…
- Page 303 and 304: Administrative Server's main window…
- Page 305 and 306: Configuring the IBM HTTP Server to…
- Page 307 and 308: Note: If the Web browser has SSL an…
- Page 309 and 310: Figure 10-40 The certificate chain. T…
- Page 311 and 312: In the following sample, we will us…
- Page 313 and 314: Figure 10-42 Setting the uniqueIden…
- Page 315 and 316: Figure 10-43 Response from Snoop us…
- Page 317 and 318: Using the exact Distinguished Name: U…
- Page 319 and 320: [10/14/02 19:39:38:348 EDT] 7a37602…
- Page 321 and 322: Web server plug-in, Web Container, Keyr… (figure labels)
- Page 323 and 324: 3. Set the following settings, then…
- Page 325 and 326: 4. Select Signer Certificates in th…
- Page 327 and 328: Testing the secure connection: To tes…
- Page 329 and 330: ► Client certificate label: Cli…
- Page 331 and 332: Figure 10-46 CSIv2 authentication c…
- Page 333 and 334: 15. The changes should be saved and…
- Page 335 and 336: Table 10-7 IBM SAS-specific sas.cli…
- Page 337 and 338: dc=itso,dc=ral,dc=ibm,dc=com To add…
- Page 339 and 340: Figure 10-51 New organization in th…
- Page 341 and 342: Figure 10-54 Adding a new group; 3. T…
- Page 343 and 344: ayIfX+qeEFcWEpDWEHEWCEGc0sRADuWtbzl…
- Page 345 and 346: Figure 10-58 LDAP Advanced settings…
- Page 347 and 348: Data type: Base64-encoded ASCII dat…
- Page 349 and 350: 4. You must complete the following…
- Page 351 and 352: Figure 10-61 Configuring SSL Certif…
- Page 353 and 354: Figure 10-62 LDAP User Registry con…
- Page 355 and 356: Table 10-8 Administrative roles: Role…
- Page 357 and 358: ► Configuration files for the Cell…
- Page 359 and 360: Configuring the SSL settings and ad…
- Page 361 and 362: 3. Click the link Server Security a…
- Page 363 and 364: Figure 10-65 Server level security…
- Page 365 and 366: Part 2. End-to-end security © C…
- Page 367 and 368: Chapter 11. Security in Patterns f…
- Page 369 and 370: In this category we may identify th…
- Page 371 and 372: Basic business drivers: A few busines…
- Page 373 and 374: Client Tier, Single Sign-On, Application… (figure labels)
- Page 375 and 376: Outside World, Demilitarized Zone (DMZ… (figure labels)
- Page 377 and 378: Outside World, Demilitarized Zone (DMZ… (figure labels)
- Page 379 and 380: information to the security service…
- Page 381 and 382: The products depicted on the pictur…
- Page 383 and 384: 11.5 Security guidelines in Pattern…
- Page 385 and 386: Applications have to be in sync wit…
- Page 387 and 388: Chapter 12. Tivoli Access Manager: T…
- Page 389 and 390: 12.1 End-to-end security: This part o…
- Page 391 and 392: There is a business wide change in…
- Page 393 and 394: Management Server, Access Manager, DMZ, P… (figure labels)
- Page 395 and 396: Table 12-1 Access Manager component…
- Page 397 and 398: secclient01 WebSphere Application Se…
- Page 399 and 400: Tip from a battle-scarred veteran: W…
- Page 401 and 402: Figure 12-3 Edit an LDAP ACL window…
- Page 403 and 404: and WebSphere” on page 302, and t…
- Page 405 and 406: LTPA does not necessarily require t…
- Page 407 and 408: com.ibm.Websphere.ltpa.PrivateKey=5…
- Page 409 and 410: WebSphere server’s IP address is…
- Page 411 and 412: Configuring a TAI-enabled WebSEAL J…
- Page 413 and 414: It follows that there are three way…
- Page 415 and 416: 9. Now we can create the junction.…
- Page 417 and 418: Table 12-4 Trust Association Interc…
- Page 419 and 420: Now that we have configured WebSphe…
- Page 421 and 422: [8/22/02 7:41:32:036 CDT] 7822e45 W…
- Page 423 and 424: [8/22/02 7:42:46:397 CDT] 277a2e5c…
- Page 425 and 426: user request. If for some reason th…
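Pages 411 to 426 configure the trust association interceptor for a WebSEAL junction; the interceptor's job is to establish that a request really came through WebSEAL before WebSphere accepts the user name WebSEAL forwards in a header and creates credentials for it without a password. The block below is an added example, not the Redbook's or IBM's interceptor, and it does not implement the WebSphere TrustAssociationInterceptor interface (no IBM classes): it separates the same three steps that interface separates as I recall it (target check, trust validation, user name extraction) and shows why the presence of the header is not trust. The trusted proxy address, the proxy's login ID and password, and the header name iv-user are constructed configuration values standing in for the interceptor properties in Table 12-4.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

/** Trust-association logic for a reverse proxy (WebSEAL-style) that forwards the end user's name in a header. */
public class ProxyTrustValidator {

    /** Minimal stand-in for HttpServletRequest: remote address plus headers (case-insensitive names). */
    static final class Request {
        final String remoteAddr; final Map<String, String> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        Request(String remoteAddr, String... kv) {
            this.remoteAddr = remoteAddr;
            for (int i = 0; i + 1 < kv.length; i += 2) headers.put(kv[i], kv[i + 1]);
        }
    }

    static final class TrustFailed extends Exception { TrustFailed(String m) { super(m); } }

    // Interceptor properties (constructed values; the real ones come from the TAI properties file).
    private final Set<String> trustedProxyAddrs;
    private final String proxyLoginId; private final byte[] proxyPassword;
    private final String userHeader;   // e.g. "iv-user"

    ProxyTrustValidator(Set<String> addrs, String loginId, String password, String userHeader) {
        trustedProxyAddrs = addrs; proxyLoginId = loginId;
        proxyPassword = password.getBytes(StandardCharsets.UTF_8); this.userHeader = userHeader;
    }

    /** Step 1: does this request look like it came through the proxy at all? (header presence only) */
    boolean isTargetInterceptor(Request req) {
        return req.headers.containsKey(userHeader) && req.headers.containsKey("Authorization");
    }

    /** Step 2: prove the request came from the proxy. Header presence is NOT proof; anyone can send iv-user. */
    void validateEstablishedTrust(Request req) throws TrustFailed {
        if (!trustedProxyAddrs.contains(req.remoteAddr))
            throw new TrustFailed("request not from a trusted proxy address: " + req.remoteAddr);
        String auth = req.headers.get("Authorization");
        if (auth == null || !auth.startsWith("Basic ")) throw new TrustFailed("proxy credential missing");
        byte[] decoded;
        try { decoded = Base64.getDecoder().decode(auth.substring(6).trim()); }
        catch (IllegalArgumentException e) { throw new TrustFailed("malformed proxy credential"); }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) throw new TrustFailed("malformed proxy credential");
        String id = pair.substring(0, colon);
        byte[] pw = pair.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        // Constant-time compare of the proxy's own password; this is the proxy's identity, not the end user's.
        if (!id.equals(proxyLoginId) || !MessageDigest.isEqual(pw, proxyPassword))
            throw new TrustFailed("proxy credential rejected");
    }

    /** Step 3: only after trust is established, read the asserted end-user name. */
    String getAuthenticatedUsername(Request req) throws TrustFailed {
        String user = req.headers.get(userHeader);
        if (user == null || !user.matches("[A-Za-z0-9._@-]{1,64}"))
            throw new TrustFailed("asserted user name missing or malformed");
        return user;    // the server then builds credentials for this name without a password
    }

    /** Full pipeline; returns the user to log in, or null if the interceptor must not vouch for the request. */
    String intercept(Request req) {
        if (!isTargetInterceptor(req)) return null;
        try {
            validateEstablishedTrust(req);
            return getAuthenticatedUsername(req);
        } catch (TrustFailed e) {
            System.err.println("TAI: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        ProxyTrustValidator tai = new ProxyTrustValidator(
            new HashSet<>(Arrays.asList("10.0.0.5")), "webseal", "junction-secret", "iv-user");   // constructed config
        String good = "Basic " + Base64.getEncoder().encodeToString("webseal:junction-secret".getBytes(StandardCharsets.UTF_8));
        System.out.println(tai.intercept(new Request("10.0.0.5", "Authorization", good, "iv-user", "manager01")));   // manager01
        // Spoofing attempt: the right headers, but sent directly by a client that bypassed WebSEAL.
        System.out.println(tai.intercept(new Request("192.0.2.10", "Authorization", good, "iv-user", "manager01"))); // null
        // Right address, wrong proxy secret (for example a compromised host behind the same NAT).
        String bad = "Basic " + Base64.getEncoder().encodeToString("webseal:guess".getBytes(StandardCharsets.UTF_8));
        System.out.println(tai.intercept(new Request("10.0.0.5", "Authorization", bad, "iv-user", "manager01")));    // null
    }
}
```

The address check is defence in depth only; the proxy credential (or, better, a mutually authenticated SSL junction) is what establishes trust, and a failure in step 2 must fail the request rather than fall through to the asserted name.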
- Page 427 and 428: ► A pattern which WebSEAL can u…
- Page 429 and 430: The Edge Server Caching Proxy compo…
- Page 431 and 432: A reverse proxy server is placed in…
- Page 433 and 434: WebSEAL Junctions: WebSEAL’s connec…
- Page 435 and 436: Figure 12-12 Web Portal Manager Log…
- Page 437 and 438: Figure 12-14 Group creation. Creation…
- Page 439 and 440: Figure 12-16 Create user; 3. Click Cr…
- Page 441 and 442: Figure 12-17 Junctions shown in Obj…
- Page 443 and 444: Figure 12-19 ACL Properties; 3. On th…
- Page 445 and 446: Figure 12-21 ITSOBANK ACL Propertie…
- Page 447 and 448: 4. Modify the ACL to add the accoun…
- Page 449 and 450: It is possible to set up a hierarchy…
- Page 451 and 452: Without an Access Manager authentic…
- Page 453 and 454: 6. The next step is to run the PDWA…
- Page 455 and 456: set PDWAS_HOME=C:\Tivoli\pdwas; set W…
- Page 457 and 458: WebAppServer/deployedResources/moni…
- Page 459 and 460: The aznAPI can be used together wit…
- Page 461 and 462: Part 3. Appendixes © Copyright…
- Page 463 and 464: Appendix A. Sample application: This…
- Page 465 and 466: html::index 1, html::customertransfer 2…
- Page 467 and 468: 3. The transfer servlet is the cont…
- Page 469 and 470: Set up the database server: The ITSOB…
- Page 471 and 472: Note: ► is the name of the client…
- Page 473 and 474: 6. To have the embedded messaging r…
- Page 475 and 476: Name: itsobankTransferQ; JNDI Name: j…
- Page 477 and 478: 7. On the last panel, click Finish…
- Page 479 and 480: Appendix B. LDAP configurations: This…
- Page 481 and 482: Figure B-1 WebSphere Administration…
- Page 483 and 484: Note: Leaving this field empty in o…
- Page 485 and 486: 7. Enable global security, select L…
- Page 487 and 488: Figure B-5 Creating a self-certifie…
- Page 489 and 490: Figure B-6 Domino LDAP SSL configur…
- Page 491 and 492: - Base Distinguished Name: enter th…
- Page 493 and 494: To request and generate a server ce…
- Page 495 and 496: Figure B-11 iPlanet Certificate Req…
- Page 497 and 498: Figure B-14 Certificate Install Wiz…
- Page 499 and 500: shown below, will then be redisplay…
- Page 501 and 502: Figure B-20 Cipher Preference panel…
- Page 503 and 504: 2. Select Security -> User Registri…
- Page 505 and 506: WebSphere administrator’s ID to A…
- Page 507 and 508: Figure B-25 New WebSphere administr…
- Page 509 and 510: Appendix C. Single Sign-On with Lot…
- Page 511 and 512: SSO Domino - WebSphere; SSO WebSphere…
- Page 513 and 514: 4. To enable LTPA authentication fo…
- Page 515 and 516: 14. When the Directory Assistance do…
- Page 517 and 518: LDAP tab settings from the scenario…
- Page 519 and 520: The LDAP realm is read from the Web…
- Page 521 and 522: Using LDAP Directory for authentica…
- Page 523 and 524: Figure C-9 ITSOBankComments applica…
- Page 525 and 526: Figure C-12 ITSOBank Domino applica…
- Page 527 and 528: Figure C-14 ITSOBank login page; 2. T…
- Page 529 and 530: user’s browser and serves the req…
- Page 531 and 532: Appendix D. Using wsadmin scripting…
- Page 533 and 534: The JACL language that is used in s…
- Page 535 and 536: # initialize the value variable; set…
- Page 537 and 538: # creating the new entry; $AdminConfi…
- Page 539 and 540: Appendix E. Additional material: This…
- Page 541 and 542: Abbreviations and acronyms: AAT Applic…
- Page 543 and 544: Related publications: The publication…
- Page 545 and 546: ► http://www-106.ibm.com/develo…
- Page 547 and 548: Index: A: Access Control 18; List 10; Acces…
- Page 549 and 550: WebSEAL form based authentication 4…
- Page 551 and 552: Interoperable Object Reference 523; i…
- Page 553 and 554: Layered asset model 350; Product mapp…
- Page 555 and 556: LDAP 490; SSL 309; TAI 401; TAI with WebS…
- Page 557 and 558: Server Configurations 143; Web Servic…
- Page 559: IBM WebSphere V5.0 Security; WebSpher…