Download PDF - IBM Redbooks

More documents

Recommendations

Info

Similarly, the back end connections are: ► Connecting to DB2 via Java DataBase Connectivity (JDBC), either using a local connection (T2) or a remote connection (T4). ► Connecting to CICS and IMS via J2C connectors. Those connectors can also be used in local (cross-memory) or remote mode (over TCP/IP). ► Connecting to an MQ Queue Manager, again, either in local (cross-memory) mode or remote mode (TCP/IP). There are more possibilities, but for the purpose of this introduction we do not discuss all of the options. After identifying the various access points to WAS for z/OS, the next step is handling security issues at these entry points. WAS on z/OS, like any TCP/IP application, obtains sockets and binds them to several defined or defaulted ports and IP addresses. In fact, WAS uses the INADDR_ANY parameter for all its listening ports by default. This means that it can accept requests from any IP address used by any client. By doing that, the gate is wide open for a security attack. To WAS and its clients, TCP/IP is just an underlying transport protocol. The real communication occurs on the application layer protocols (HTTPs, IIOP) that run on top of the TCP layer. The HTTP protocol is very well known and is much easier to use than the IIOP. The IIOP is more complex than the HTTP since it deals with objects and inter-communication between programs. The details follow in later chapters, but let us see how security is handled when an end-to-end communication is established between two endpoints. The two endpoints are a Web client and CICS on z/OS in one case, and a J2EE client and CICS on the same z/OS in the other case. 14 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
J2EE Client 0 Web Client 0 In Figure 1-4, we show numbers for each stop the Web client and the J2EE client make as they go through the connection path to reach CICS. Web Server 1 Figure 1-4 Security checkpoint internal flow Web Container In each case the number zero (0) represents the initial point before doing anything, and WAS and CICS are local to each other, meaning that they are on the same LPAR on z/OS. For the Web client, authentication would be attempted at 1, 2, 4, and 5. Authorization would be attempted at 2, 3, 4, and 5. For the J2EE client, authentication would be attempted at 1, 2, 3, and similarly authorization would be attempted at 1, 2, and 3. To fully understand the security flow on the HTTP(s) and IIOP layers, it requires deep understanding of the specification and architecture of these protocols. Once TCP/IP delivers the data, the HTTP(s) and the IIOP code must parse and interpret the HTTP and GIOP (IIOP) headers in order to take an appropriate security action. We do not discuss the HTTP(s) and IIOP internal flow here in this book, but the security mechanisms implemented to secure HTTP and IIOP protocols are discussed later on. 1.3.2 Web client authentication overview 2 EJB Container Authentication is performed using user information stored in a user account repository and based on the protocol the user uses to access WAS. 3 1 4 2 J2C CICS Chapter 1. Introduction 15 3 5
Page 1: Security in WebSphere Application S
Page 4 and 5: Note: Before using this information
Page 6 and 7: 2.5.7 Scenario 7 - WMQ client authe
Page 8 and 9: Chapter 7. Secure Sockets Layer (SS
Page 10 and 11: 9.4.2 Vertical attribute propagatio
Page 12 and 13: x Security in WebSphere Application
Page 14 and 15: Trademarks The following terms are
Page 16 and 17: Yukari Hanya is an IT Specialist wi
Page 18 and 19: Ut V. Le WebSphere Security Develop
Page 20 and 21: xviii Security in WebSphere Applica
Page 22 and 23: 1.1 Securing WAS for z/OS simplifie
Page 24 and 25: ► Non-repudiation means that in t
Page 26 and 27: WebSphere Security WebSphere Applic
Page 28 and 29: RACF CLASS This section describes t
Page 30 and 31: Attention: Java 2 security is very
Page 32 and 33: etrieve a principal object for the
Page 36 and 37: In this section, we describe the me
Page 38 and 39: 1.3.3 EJB client authentication ove
Page 40 and 41: ► Securing connections between We
Page 42 and 43: of security: identification, authen
Page 44 and 45: 1.3.7 User registry application or
Page 46 and 47: 26 Security in WebSphere Applicatio
Page 48 and 49: 2.1 Chapter objectives This chapter
Page 50 and 51: 2.3 SSL overview 2.3.1 SSL handshak
Page 52 and 53: 7. The client then sends a client k
Page 54 and 55: that, all security issues are discu
Page 56 and 57: Logical flow The flow deals mostly
Page 58 and 59: Description The scenario illustrate
Page 60 and 61: 4. RACF verifies the validity of th
Page 62 and 63: Figure 2-8 shows a flow of a J2EE c
Page 64 and 65: Description Figure 2-9 shows what t
Page 66 and 67: 6. The J2EE server passes the clien
Page 68 and 69: As you can see, Web clients are fir
Page 70 and 71: mapping user ID to the user ID and
Page 72 and 73: Logical flow The high-level sequenc
Page 74 and 75: Description The configuration descr
Page 76 and 77: 5. WAS calls RACF to see whether th
Page 78 and 79: References Refer to: ► IBM WebSph
Page 80 and 81: ► The user’s credentials are se
Page 82 and 83: References To learn more about LDAP
Page 84 and 85:
3.1 Web authentication improvements
Page 86 and 87:
Web client to provide authenticatio
Page 88 and 89:
Property name Value Description com
Page 90 and 91:
70 Security in WebSphere Applicatio
Page 92 and 93:
4.1 Administrative security enablem
Page 94 and 95:
Figure 4-1 illustrates the applicat
Page 96 and 97:
5.1 SOA, Web services, z/OS, and se
Page 98 and 99:
5.3 Web services message and transp
Page 100 and 101:
5.3.1 When to use message layer sec
Page 102 and 103:
5.4.2 WS-Security standard SOAP mes
Page 104 and 105:
Language (REL) Token Profile, Web S
Page 106 and 107:
eceiver must match. For example, if
Page 108 and 109:
A digital signature is a word attac
Page 110 and 111:
Identity assertion Identity asserti
Page 112 and 113:
Web services for J2EE specification
Page 114 and 115:
► It is mature and similarly impl
Page 116 and 117:
The steps in bold in Figure 5-6 on
Page 118 and 119:
When invoking a Web service using S
Page 120 and 121:
Web service requestor The design of
Page 122 and 123:
If the external authorization provi
Page 124 and 125:
Example 5-2 provides the sample com
Page 126 and 127:
106 Security in WebSphere Applicati
Page 128 and 129:
6.1 How to configure Web services m
Page 130 and 131:
defined in IBM extension deployment
Page 132 and 133:
► Server binding configuration fi
Page 134 and 135:
equirements. This means that the re
Page 136 and 137:
This section describes how WS-Secur
Page 138 and 139:
EJB makes a Web service call. The W
Page 140 and 141:
and four types of X509 certificates
Page 142 and 143:
for the specified security token ty
Page 144 and 145:
Configure the Required Security Tok
Page 146 and 147:
c. If the client’s security token
Page 148 and 149:
ii. Select a token consumer class o
Page 150 and 151:
The Web service client log confirms
Page 152 and 153:
provided by generating a signature
Page 154 and 155:
X509TokenGenerator, is provided by
Page 156 and 157:
Figure 6-12 Request generator Integ
Page 158 and 159:
Figure 6-13 Request generator Token
Page 160 and 161:
3. Configure the key locator. Expan
Page 162 and 163:
c. Select Use key locator and selec
Page 164 and 165:
6. Configure the part reference (Fi
Page 166 and 167:
6.3.5 Configuring the z/OS provider
Page 168 and 169:
Figure 6-20 Request consumer Token
Page 170 and 171:
4. Configure the key information (F
Page 172 and 173:
d. For the signing key information,
Page 174 and 175:
Page 176 and 177:
For WebSphere Application Server fo
Page 178 and 179:
5. Configure signing information (F
Page 180 and 181:
The application displays the princi
Page 182 and 183:
xmlns:wsse="http://docs.oasis-open.
Page 184 and 185:
tainSecurityInfoReturn> All this va
Page 186 and 187:
This scenario illustrates the usage
Page 188 and 189:
To do this: 1. Using the Web servic
Page 190 and 191:
2. Enter a path and file name to st
Page 192 and 193:
► If a server sends a response th
Page 194 and 195:
2. Configure the key locator (Figur
Page 196 and 197:
Configure the Key Information dialo
Page 198 and 199:
Page 200 and 201:
Tip: The WebSphere default trust st
Page 202 and 203:
c. Select Use key locator, and then
Page 204 and 205:
2. Configure the key locator (Figur
Page 206 and 207:
Open the SecurityCallerEJB ejb-jar.
Page 208 and 209:
4. Configure key information (Figur
Page 210 and 211:
The Web service provider log confir
Page 212 and 213:
A4rAxe3jWkLuFZwqgPCbRWXYZeCJBB5vp0L
Page 214 and 215:
When asserting an identity, the alr
Page 216 and 217:
Server side To receive the asserted
Page 218 and 219:
2. Configure the token generator (F
Page 220 and 221:
1. Configure the required security
Page 222 and 223:
Click OK and a caller part is creat
Page 224 and 225:
► Digital signature The asserted
Page 226 and 227:
The application displays the princi
Page 228 and 229:
Content-Language: en-US Content-Len
Page 230 and 231:
7.1 Introduction This section intro
Page 232 and 233:
Figure 7-2 shows an example of how
Page 234 and 235:
Table 7-2 shows the WebSphere V6.1
Page 236 and 237:
The following path can be used to l
Page 238 and 239:
The following RACF commands are pro
Page 240 and 241:
7.4.3 Importing certificates The im
Page 242 and 243:
► Delete a CA signer certificate:
Page 244 and 245:
Example 7-1 shows a list of provide
Page 246 and 247:
Upon restarting the application ser
Page 248 and 249:
Note: To use hardware cryptography,
Page 250 and 251:
5. Connect the personal certificate
Page 252 and 253:
Figure 7-10 shows the output of the
Page 254 and 255:
7.8.1 Keyring and certificate setup
Page 256 and 257:
CN=HDwtsc58.itso.ibm.com.OU=IBM< Su
Page 258 and 259:
Figure 7-12 shows the options chose
Page 260 and 261:
7.9.1 Diagnostic steps When attempt
Page 262 and 263:
7.9.3 Common errors The WebSphere t
Page 264 and 265:
Page 266 and 267:
8.1 Authentication with HTTP Basic
Page 268 and 269:
NONE BASIC SecurityInfo Realm
Page 270 and 271:
To configure the user ID and passwo
Page 272 and 273:
Content-Type: text/xml; charset=utf
Page 274 and 275:
Extracting the server signer certif
Page 276 and 277:
Network ports can be shared among a
Page 278 and 279:
Be sure to select the WebContainer-
Page 280 and 281:
It is necessary to expand the tree
Page 282 and 283:
Click Get certificate Aliases and t
Page 284 and 285:
Configuring the Web service request
Page 286 and 287:
Looking at the output in the TCP/IP
Page 288 and 289:
Re-deploy the application to WAS fo
Page 290 and 291:
Figure 8-16 illustrates changing th
Page 292 and 293:
8.4 Confidentiality with SSL using
Page 294 and 295:
The private key type should be ICSF
Page 296 and 297:
Example 8-8 illustrates the additio
Page 298 and 299:
Verify that you can see the HDCA si
Page 300 and 301:
Under Specific SSL configuration fo
Page 302 and 303:
Note: It is also possible to invoke
Page 304 and 305:
Creating certificate authority and
Page 306 and 307:
Important: WebSphere for z/OS uses
Page 308 and 309:
8.6.4 Configuring the Web service r
Page 310 and 311:
Deploy the SecurityInfo ear file in
Page 312 and 313:
Page 314 and 315:
9.1 Introduction, logins, and token
Page 316 and 317:
WebSphere Application Server for z/
Page 318 and 319:
This allows servers in the invocati
Page 320 and 321:
and with propagation disabled to de
Page 322 and 323:
not understand. The interoperabilit
Page 324 and 325:
In order to have all cells share th
Page 326 and 327:
The following Common Secure Interop
Page 328 and 329:
CSIv2 allows a client identity to b
Page 330 and 331:
9.3.4 CSIv2 standard identity asser
Page 332 and 333:
For identity assertion, depending o
Page 334 and 335:
Figure 9-9 CSIv2 outbound authentic
Page 336 and 337:
Consider the following options: ►
Page 338 and 339:
Consider how to create the trust re
Page 340 and 341:
Login configuration specifies the t
Page 342 and 343:
transport and at the message-layer
Page 344 and 345:
In the z/OS additional settings for
Page 346 and 347:
After authenticating, the EJBMagic
Page 348 and 349:
Figure 9-21 shows that the remote E
Page 350 and 351:
9.4.3 Vertical attribute propagatio
Page 352 and 353:
3. Check the option for Security at
Page 354 and 355:
9.4.5 Cross-cell considerations Sec
Page 356 and 357:
10.1 Introduction to user registrie
Page 358 and 359:
Standalone custom registry A standa
Page 360 and 361:
This LDAP tree common root organiza
Page 362 and 363:
2. Restart the z/OS LDAP server fro
Page 364 and 365:
WebSphere z/OS configuration for z/
Page 366 and 367:
3. In the same window, under Additi
Page 368 and 369:
WebSphere, LDAP SDBM, and SAF autho
Page 370 and 371:
SampleSAFMappingModule is in search
Page 372 and 373:
2. Restart the z/OS LDAP server fro
Page 374 and 375:
Use a command similar to the follow
Page 376 and 377:
cn=UserTdbm,ou=itsotdbm,o=itso in o
Page 378 and 379:
WebSphere and z/OS LDAP TDBM back-e
Page 380 and 381:
Why should you enable native authen
Page 382 and 383:
Using the z/OS LDAP TDBM connection
Page 384 and 385:
Currently, most WebSphere applicati
Page 386 and 387:
Also, federated repositories provid
Page 388 and 389:
end of this federation configuratio
Page 390 and 391:
it is necessary to define a differe
Page 392 and 393:
c. Then click Apply and save to the
Page 394 and 395:
WebSphere z/OS configuration for LD
Page 396 and 397:
The LDAP administrator is cn=LDAP A
Page 398 and 399:
Using this configuration we access
Page 400 and 401:
c. Specify the distinguished name o
Page 402 and 403:
(cn=UserTdbm,ou=itsotdbm,o=itso) or
Page 404 and 405:
Defining EJBROLES belongs to the ap
Page 406 and 407:
class profiles are restricted to 24
Page 408 and 409:
Connection manager RunAs identity C
Page 410 and 411:
Connectors Thread identity support
Page 412 and 413:
11.1 Introducing the SPNEGO TAI Sin
Page 414 and 415:
Although the Kerberos protocol cons
Page 416 and 417:
Administrative Console in Secure ad
Page 418 and 419:
owsers such as Microsoft Internet E
Page 420 and 421:
With such a configuration, a cross-
Page 422 and 423:
Figure 11-4 shows the detailed step
Page 424 and 425:
11.3.2 Configuring the Microsoft Wi
Page 426 and 427:
3. Create a user account for WebSph
Page 428 and 429:
4. Right-click this new user accoun
Page 430 and 431:
List SPNs defined for the user acco
Page 432 and 433:
11.3.3 Configuring WebSphere Applic
Page 434 and 435:
The /etc/skrb/krb5.conf is now crea
Page 436 and 437:
Tip: The complete list of available
Page 438 and 439:
Verifying security in WebSphere The
Page 440 and 441:
4. In the Local intranet window, fi
Page 442 and 443:
5. Double-click network.negotiate-a
Page 444 and 445:
11.4 Validating single sign-on usin
Page 446 and 447:
The same behavior happens with anot
Page 448 and 449:
We use Ethereal software to sniff t
Page 450 and 451:
12.1 Out-of-the-box administrative
Page 452 and 453:
Add a new HFS owner user ID: ADDUSE
Page 454 and 455:
It is common practice to define the
Page 456 and 457:
► Access to WebSphere Application
Page 458 and 459:
12.1.3 Security customization jobs
Page 460 and 461:
12.1.4 Comparison of security setti
Page 462 and 463:
enabled and no console users or gro
Page 464 and 465:
PASSWORD PROCESSING OPTIONS: PASSWO
Page 466 and 467:
Create the Sync-to-OS thread profil
Page 468 and 469:
13.1 Security configuration and adm
Page 470 and 471:
disabled security may be required,
Page 472 and 473:
. Select user repository (see Figur
Page 474 and 475:
EJBROLE class profiles are case sen
Page 476 and 477:
d. Click Finish. 4. Select an autho
Page 478 and 479:
3. Go to the profile_root/bin direc
Page 480 and 481:
13.2 Role-based administrative secu
Page 482 and 483:
management of users and groups in f
Page 484 and 485:
These are the values used in the fo
Page 486 and 487:
5. Save the changes: AdminConfig.sa
Page 488 and 489:
You can access and manipulate the n
Page 490 and 491:
PERMIT CosNamingCreate CLASS(EJBROL
Page 492 and 493:
Using the Web material The addition
Page 494 and 495:
Other publications Online resources
Page 496 and 497:
Help from IBM IBM Support and downl
Page 498 and 499:
callbackhandler 114 caller part 114
Page 500 and 501:
J2EE 9 Security 5 J2EE client 13 J2
Page 502 and 503:
Protocol (RMI-IIOP) 91 Repositories
Page 504 and 505:
JMX calls 305 LTPA key, sharing 303
Page 506 and 507:
configuring provider 178 configurin
Page 508 and 509:
Page 510:
Security in WebSphere Application S
show all

Download PDF - IBM Redbooks

Create successful ePaper yourself

Delete template?

Save as template?