Download PDF - IBM Redbooks

More documents

Recommendations

Info

for the specified security token type. For example, if you select Username as the token type, you have to select the UsernameTokenGenerator class as the token generator class. c. For the security token, expand the drop-down list and select the security token defined on the WS Extension page (BasicAuthToken). d. Select Use value type. Select the value type from the drop-down list that matches your selection. This selection fills the local name and callback handler. If you specify a token generator for a custom token, select Custom Token as the value type and enter the URI and local name manually. In our example, we select Username Token for basic authentication. e. Select the callback handler class or input your custom callback handler class name manually (for a custom token). Some provided callback handler classes can be selected from the list. The provided default callback handler classes are as follows: NonPromptCallbackHandler: Enter the user ID and password manually. GUIPromptCallbackHandler: Request the user ID and password by displaying a GUI prompt dialog box. This is useful for a J2EE application client. X590CallbackHandler: Get an X.509 certificate for a key store file. PkiPathCallbackHandler: Create an X.509 certificate and binary data without CRL using PKIPath encoding. PKCS7CallbackHandler: Create an X.509 certificate and binary data with or without CRL using PKCS#7 encoding. LTPATokenCallbackHandler: Get user credentials from the LTPA token. StdinPromptCallbackHandler: Prompt the user for a user ID and password on the command line. We select the NonPromptCallbackHandler for basic authentication. The user ID and password must be known in the server user registry. f. If the token generator is the NonPromptCallbackHandler, enter the user ID and password of the client. We use a user ID and password of WINSERV. g. If the selected callback handler requires a key store (for example, the X509CallbackHandler, PkiPathCallbackHandler, and PKCS7CallbackHandler), select Use key store and specify the key store-related information. You have to specify the key store storepass (password to access the key store), key store path, and key store type from the list. 122 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
If you specified a key store, add the key. You can specify which key is used. Enter the alias of the key, the key pass (password to get the key from key store file), and the key name. h. If you have to specify the properties of the callback handler or token generator, add a call back handler property or a property. If you specify a token generator for a list of X.509 certificates and CRLs in a PKCS#7, select Use certificate path settings and select the Certificate path reference. If you select Certificate path reference, you can select the certificate store from the drop down-list. Select one collection certificate store name from the list, which is packed in PKCS#7. i. Click OK and a token generator is created. 3. Save the configuration. 6.2.5 Configuring the z/OS Web service provider for security token To configure the Web service provider for security token: Attention: Administrative security and application security have to both be enabled on the Web service provider side for Web service authentication to operate. 1. Configure the required security token. Open the SecurityInfoEJB webservices.xml deployment descriptor. Select the Extensions tab. Expand the Request Consumer Service Configuration Details section. Select the port component, expand the Required Security Token, and click Add. Chapter 6. Web services message layer security 123
Page 1:
Security in WebSphere Application S
Page 4 and 5:
Note: Before using this information
Page 6 and 7:
2.5.7 Scenario 7 - WMQ client authe
Page 8 and 9:
Chapter 7. Secure Sockets Layer (SS
Page 10 and 11:
9.4.2 Vertical attribute propagatio
Page 12 and 13:
x Security in WebSphere Application
Page 14 and 15:
Trademarks The following terms are
Page 16 and 17:
Yukari Hanya is an IT Specialist wi
Page 18 and 19:
Ut V. Le WebSphere Security Develop
Page 20 and 21:
xviii Security in WebSphere Applica
Page 22 and 23:
1.1 Securing WAS for z/OS simplifie
Page 24 and 25:
► Non-repudiation means that in t
Page 26 and 27:
WebSphere Security WebSphere Applic
Page 28 and 29:
RACF CLASS This section describes t
Page 30 and 31:
Attention: Java 2 security is very
Page 32 and 33:
etrieve a principal object for the
Page 34 and 35:
Similarly, the back end connections
Page 36 and 37:
In this section, we describe the me
Page 38 and 39:
1.3.3 EJB client authentication ove
Page 40 and 41:
► Securing connections between We
Page 42 and 43:
of security: identification, authen
Page 44 and 45:
1.3.7 User registry application or
Page 46 and 47:
26 Security in WebSphere Applicatio
Page 48 and 49:
2.1 Chapter objectives This chapter
Page 50 and 51:
2.3 SSL overview 2.3.1 SSL handshak
Page 52 and 53:
7. The client then sends a client k
Page 54 and 55:
that, all security issues are discu
Page 56 and 57:
Logical flow The flow deals mostly
Page 58 and 59:
Description The scenario illustrate
Page 60 and 61:
4. RACF verifies the validity of th
Page 62 and 63:
Figure 2-8 shows a flow of a J2EE c
Page 64 and 65:
Description Figure 2-9 shows what t
Page 66 and 67:
6. The J2EE server passes the clien
Page 68 and 69:
As you can see, Web clients are fir
Page 70 and 71:
mapping user ID to the user ID and
Page 72 and 73:
Logical flow The high-level sequenc
Page 74 and 75:
Description The configuration descr
Page 76 and 77:
5. WAS calls RACF to see whether th
Page 78 and 79:
References Refer to: ► IBM WebSph
Page 80 and 81:
► The user’s credentials are se
Page 82 and 83:
References To learn more about LDAP
Page 84 and 85:
3.1 Web authentication improvements
Page 86 and 87:
Web client to provide authenticatio
Page 88 and 89:
Property name Value Description com
Page 90 and 91:
70 Security in WebSphere Applicatio
Page 92 and 93: 4.1 Administrative security enablem
Page 94 and 95: Figure 4-1 illustrates the applicat
Page 96 and 97: 5.1 SOA, Web services, z/OS, and se
Page 98 and 99: 5.3 Web services message and transp
Page 100 and 101: 5.3.1 When to use message layer sec
Page 102 and 103: 5.4.2 WS-Security standard SOAP mes
Page 104 and 105: Language (REL) Token Profile, Web S
Page 106 and 107: eceiver must match. For example, if
Page 108 and 109: A digital signature is a word attac
Page 110 and 111: Identity assertion Identity asserti
Page 112 and 113: Web services for J2EE specification
Page 114 and 115: ► It is mature and similarly impl
Page 116 and 117: The steps in bold in Figure 5-6 on
Page 118 and 119: When invoking a Web service using S
Page 120 and 121: Web service requestor The design of
Page 122 and 123: If the external authorization provi
Page 124 and 125: Example 5-2 provides the sample com
Page 126 and 127: 106 Security in WebSphere Applicati
Page 128 and 129: 6.1 How to configure Web services m
Page 130 and 131: defined in IBM extension deployment
Page 132 and 133: ► Server binding configuration fi
Page 134 and 135: equirements. This means that the re
Page 136 and 137: This section describes how WS-Secur
Page 138 and 139: EJB makes a Web service call. The W
Page 140 and 141: and four types of X509 certificates
Page 144 and 145: Configure the Required Security Tok
Page 146 and 147: c. If the client’s security token
Page 148 and 149: ii. Select a token consumer class o
Page 150 and 151: The Web service client log confirms
Page 152 and 153: provided by generating a signature
Page 154 and 155: X509TokenGenerator, is provided by
Page 156 and 157: Figure 6-12 Request generator Integ
Page 158 and 159: Figure 6-13 Request generator Token
Page 160 and 161: 3. Configure the key locator. Expan
Page 162 and 163: c. Select Use key locator and selec
Page 164 and 165: 6. Configure the part reference (Fi
Page 166 and 167: 6.3.5 Configuring the z/OS provider
Page 168 and 169: Figure 6-20 Request consumer Token
Page 170 and 171: 4. Configure the key information (F
Page 172 and 173: d. For the signing key information,
Page 174 and 175: 6.3.6 Configuring the z/OS provider
Page 176 and 177: For WebSphere Application Server fo
Page 178 and 179: 5. Configure signing information (F
Page 180 and 181: The application displays the princi
Page 182 and 183: xmlns:wsse="http://docs.oasis-open.
Page 184 and 185: tainSecurityInfoReturn> All this va
Page 186 and 187: This scenario illustrates the usage
Page 188 and 189: To do this: 1. Using the Web servic
Page 190 and 191: 2. Enter a path and file name to st
Page 192 and 193:
► If a server sends a response th
Page 194 and 195:
2. Configure the key locator (Figur
Page 196 and 197:
Configure the Key Information dialo
Page 198 and 199:
6.4.6 Configuring the z/OS provider
Page 200 and 201:
Tip: The WebSphere default trust st
Page 202 and 203:
c. Select Use key locator, and then
Page 204 and 205:
2. Configure the key locator (Figur
Page 206 and 207:
Open the SecurityCallerEJB ejb-jar.
Page 208 and 209:
4. Configure key information (Figur
Page 210 and 211:
The Web service provider log confir
Page 212 and 213:
A4rAxe3jWkLuFZwqgPCbRWXYZeCJBB5vp0L
Page 214 and 215:
When asserting an identity, the alr
Page 216 and 217:
Server side To receive the asserted
Page 218 and 219:
2. Configure the token generator (F
Page 220 and 221:
1. Configure the required security
Page 222 and 223:
Click OK and a caller part is creat
Page 224 and 225:
► Digital signature The asserted
Page 226 and 227:
The application displays the princi
Page 228 and 229:
Content-Language: en-US Content-Len
Page 230 and 231:
7.1 Introduction This section intro
Page 232 and 233:
Figure 7-2 shows an example of how
Page 234 and 235:
Table 7-2 shows the WebSphere V6.1
Page 236 and 237:
The following path can be used to l
Page 238 and 239:
The following RACF commands are pro
Page 240 and 241:
7.4.3 Importing certificates The im
Page 242 and 243:
► Delete a CA signer certificate:
Page 244 and 245:
Example 7-1 shows a list of provide
Page 246 and 247:
Upon restarting the application ser
Page 248 and 249:
Note: To use hardware cryptography,
Page 250 and 251:
5. Connect the personal certificate
Page 252 and 253:
Figure 7-10 shows the output of the
Page 254 and 255:
7.8.1 Keyring and certificate setup
Page 256 and 257:
CN=HDwtsc58.itso.ibm.com.OU=IBM< Su
Page 258 and 259:
Figure 7-12 shows the options chose
Page 260 and 261:
7.9.1 Diagnostic steps When attempt
Page 262 and 263:
7.9.3 Common errors The WebSphere t
Page 264 and 265:
244 Security in WebSphere Applicati
Page 266 and 267:
8.1 Authentication with HTTP Basic
Page 268 and 269:
NONE BASIC SecurityInfo Realm
Page 270 and 271:
To configure the user ID and passwo
Page 272 and 273:
Content-Type: text/xml; charset=utf
Page 274 and 275:
Extracting the server signer certif
Page 276 and 277:
Network ports can be shared among a
Page 278 and 279:
Be sure to select the WebContainer-
Page 280 and 281:
It is necessary to expand the tree
Page 282 and 283:
Click Get certificate Aliases and t
Page 284 and 285:
Configuring the Web service request
Page 286 and 287:
Looking at the output in the TCP/IP
Page 288 and 289:
Re-deploy the application to WAS fo
Page 290 and 291:
Figure 8-16 illustrates changing th
Page 292 and 293:
8.4 Confidentiality with SSL using
Page 294 and 295:
The private key type should be ICSF
Page 296 and 297:
Example 8-8 illustrates the additio
Page 298 and 299:
Verify that you can see the HDCA si
Page 300 and 301:
Under Specific SSL configuration fo
Page 302 and 303:
Note: It is also possible to invoke
Page 304 and 305:
Creating certificate authority and
Page 306 and 307:
Important: WebSphere for z/OS uses
Page 308 and 309:
8.6.4 Configuring the Web service r
Page 310 and 311:
Deploy the SecurityInfo ear file in
Page 312 and 313:
Page 314 and 315:
9.1 Introduction, logins, and token
Page 316 and 317:
WebSphere Application Server for z/
Page 318 and 319:
This allows servers in the invocati
Page 320 and 321:
and with propagation disabled to de
Page 322 and 323:
not understand. The interoperabilit
Page 324 and 325:
In order to have all cells share th
Page 326 and 327:
The following Common Secure Interop
Page 328 and 329:
CSIv2 allows a client identity to b
Page 330 and 331:
9.3.4 CSIv2 standard identity asser
Page 332 and 333:
For identity assertion, depending o
Page 334 and 335:
Figure 9-9 CSIv2 outbound authentic
Page 336 and 337:
Consider the following options: ►
Page 338 and 339:
Consider how to create the trust re
Page 340 and 341:
Login configuration specifies the t
Page 342 and 343:
transport and at the message-layer
Page 344 and 345:
In the z/OS additional settings for
Page 346 and 347:
After authenticating, the EJBMagic
Page 348 and 349:
Figure 9-21 shows that the remote E
Page 350 and 351:
9.4.3 Vertical attribute propagatio
Page 352 and 353:
3. Check the option for Security at
Page 354 and 355:
9.4.5 Cross-cell considerations Sec
Page 356 and 357:
10.1 Introduction to user registrie
Page 358 and 359:
Standalone custom registry A standa
Page 360 and 361:
This LDAP tree common root organiza
Page 362 and 363:
2. Restart the z/OS LDAP server fro
Page 364 and 365:
WebSphere z/OS configuration for z/
Page 366 and 367:
3. In the same window, under Additi
Page 368 and 369:
WebSphere, LDAP SDBM, and SAF autho
Page 370 and 371:
SampleSAFMappingModule is in search
Page 372 and 373:
2. Restart the z/OS LDAP server fro
Page 374 and 375:
Use a command similar to the follow
Page 376 and 377:
cn=UserTdbm,ou=itsotdbm,o=itso in o
Page 378 and 379:
WebSphere and z/OS LDAP TDBM back-e
Page 380 and 381:
Why should you enable native authen
Page 382 and 383:
Using the z/OS LDAP TDBM connection
Page 384 and 385:
Currently, most WebSphere applicati
Page 386 and 387:
Also, federated repositories provid
Page 388 and 389:
end of this federation configuratio
Page 390 and 391:
it is necessary to define a differe
Page 392 and 393:
c. Then click Apply and save to the
Page 394 and 395:
WebSphere z/OS configuration for LD
Page 396 and 397:
The LDAP administrator is cn=LDAP A
Page 398 and 399:
Using this configuration we access
Page 400 and 401:
c. Specify the distinguished name o
Page 402 and 403:
(cn=UserTdbm,ou=itsotdbm,o=itso) or
Page 404 and 405:
Defining EJBROLES belongs to the ap
Page 406 and 407:
class profiles are restricted to 24
Page 408 and 409:
Connection manager RunAs identity C
Page 410 and 411:
Connectors Thread identity support
Page 412 and 413:
11.1 Introducing the SPNEGO TAI Sin
Page 414 and 415:
Although the Kerberos protocol cons
Page 416 and 417:
Administrative Console in Secure ad
Page 418 and 419:
owsers such as Microsoft Internet E
Page 420 and 421:
With such a configuration, a cross-
Page 422 and 423:
Figure 11-4 shows the detailed step
Page 424 and 425:
11.3.2 Configuring the Microsoft Wi
Page 426 and 427:
3. Create a user account for WebSph
Page 428 and 429:
4. Right-click this new user accoun
Page 430 and 431:
List SPNs defined for the user acco
Page 432 and 433:
11.3.3 Configuring WebSphere Applic
Page 434 and 435:
The /etc/skrb/krb5.conf is now crea
Page 436 and 437:
Tip: The complete list of available
Page 438 and 439:
Verifying security in WebSphere The
Page 440 and 441:
4. In the Local intranet window, fi
Page 442 and 443:
5. Double-click network.negotiate-a
Page 444 and 445:
11.4 Validating single sign-on usin
Page 446 and 447:
The same behavior happens with anot
Page 448 and 449:
We use Ethereal software to sniff t
Page 450 and 451:
12.1 Out-of-the-box administrative
Page 452 and 453:
Add a new HFS owner user ID: ADDUSE
Page 454 and 455:
It is common practice to define the
Page 456 and 457:
► Access to WebSphere Application
Page 458 and 459:
12.1.3 Security customization jobs
Page 460 and 461:
12.1.4 Comparison of security setti
Page 462 and 463:
enabled and no console users or gro
Page 464 and 465:
PASSWORD PROCESSING OPTIONS: PASSWO
Page 466 and 467:
Create the Sync-to-OS thread profil
Page 468 and 469:
13.1 Security configuration and adm
Page 470 and 471:
disabled security may be required,
Page 472 and 473:
. Select user repository (see Figur
Page 474 and 475:
EJBROLE class profiles are case sen
Page 476 and 477:
d. Click Finish. 4. Select an autho
Page 478 and 479:
3. Go to the profile_root/bin direc
Page 480 and 481:
13.2 Role-based administrative secu
Page 482 and 483:
management of users and groups in f
Page 484 and 485:
These are the values used in the fo
Page 486 and 487:
5. Save the changes: AdminConfig.sa
Page 488 and 489:
You can access and manipulate the n
Page 490 and 491:
PERMIT CosNamingCreate CLASS(EJBROL
Page 492 and 493:
Using the Web material The addition
Page 494 and 495:
Other publications Online resources
Page 496 and 497:
Help from IBM IBM Support and downl
Page 498 and 499:
callbackhandler 114 caller part 114
Page 500 and 501:
J2EE 9 Security 5 J2EE client 13 J2
Page 502 and 503:
Protocol (RMI-IIOP) 91 Repositories
Page 504 and 505:
JMX calls 305 LTPA key, sharing 303
Page 506 and 507:
configuring provider 178 configurin
Page 508 and 509:
Page 510:
Security in WebSphere Application S
show all

Download PDF - IBM Redbooks

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?