- Page 1: Security in WebSphere Application S
- Page 4 and 5: Note: Before using this information
- Page 6 and 7: 2.5.7 Scenario 7 - WMQ client authe
- Page 8 and 9: Chapter 7. Secure Sockets Layer (SS
- Page 10 and 11: 9.4.2 Vertical attribute propagatio
- Page 12 and 13: x Security in WebSphere Application
- Page 14 and 15: Trademarks The following terms are
- Page 16 and 17: Yukari Hanya is an IT Specialist wi
- Page 18 and 19: Ut V. Le WebSphere Security Develop
- Page 20 and 21: xviii Security in WebSphere Applica
- Page 22 and 23: 1.1 Securing WAS for z/OS simplifie
- Page 24 and 25: ► Non-repudiation means that in t
- Page 26 and 27: WebSphere Security WebSphere Applic
- Page 28 and 29: RACF CLASS This section describes t
- Page 30 and 31: Attention: Java 2 security is very
- Page 32 and 33: etrieve a principal object for the
- Page 34 and 35: Similarly, the back end connections
- Page 36 and 37: In this section, we describe the me
- Page 40 and 41: ► Securing connections between We
- Page 42 and 43: of security: identification, authen
- Page 44 and 45: 1.3.7 User registry application or
- Page 46 and 47: 26 Security in WebSphere Applicatio
- Page 48 and 49: 2.1 Chapter objectives This chapter
- Page 50 and 51: 2.3 SSL overview 2.3.1 SSL handshak
- Page 52 and 53: 7. The client then sends a client k
- Page 54 and 55: that, all security issues are discu
- Page 56 and 57: Logical flow The flow deals mostly
- Page 58 and 59: Description The scenario illustrate
- Page 60 and 61: 4. RACF verifies the validity of th
- Page 62 and 63: Figure 2-8 shows a flow of a J2EE c
- Page 64 and 65: Description Figure 2-9 shows what t
- Page 66 and 67: 6. The J2EE server passes the clien
- Page 68 and 69: As you can see, Web clients are fir
- Page 70 and 71: mapping user ID to the user ID and
- Page 72 and 73: Logical flow The high-level sequenc
- Page 74 and 75: Description The configuration descr
- Page 76 and 77: 5. WAS calls RACF to see whether th
- Page 78 and 79: References Refer to: ► IBM WebSph
- Page 80 and 81: ► The user’s credentials are se
- Page 82 and 83: References To learn more about LDAP
- Page 84 and 85: 3.1 Web authentication improvements
- Page 86 and 87: Web client to provide authenticatio
- Page 88 and 89:
Property name Value Description com
- Page 90 and 91:
70 Security in WebSphere Applicatio
- Page 92 and 93:
4.1 Administrative security enablem
- Page 94 and 95:
Figure 4-1 illustrates the applicat
- Page 96 and 97:
5.1 SOA, Web services, z/OS, and se
- Page 98 and 99:
5.3 Web services message and transp
- Page 100 and 101:
5.3.1 When to use message layer sec
- Page 102 and 103:
5.4.2 WS-Security standard SOAP mes
- Page 104 and 105:
Language (REL) Token Profile, Web S
- Page 106 and 107:
eceiver must match. For example, if
- Page 108 and 109:
A digital signature is a word attac
- Page 110 and 111:
Identity assertion Identity asserti
- Page 112 and 113:
Web services for J2EE specification
- Page 114 and 115:
► It is mature and similarly impl
- Page 116 and 117:
The steps in bold in Figure 5-6 on
- Page 118 and 119:
When invoking a Web service using S
- Page 120 and 121:
Web service requestor The design of
- Page 122 and 123:
If the external authorization provi
- Page 124 and 125:
Example 5-2 provides the sample com
- Page 126 and 127:
106 Security in WebSphere Applicati
- Page 128 and 129:
6.1 How to configure Web services m
- Page 130 and 131:
defined in IBM extension deployment
- Page 132 and 133:
► Server binding configuration fi
- Page 134 and 135:
equirements. This means that the re
- Page 136 and 137:
This section describes how WS-Secur
- Page 138 and 139:
EJB makes a Web service call. The W
- Page 140 and 141:
and four types of X509 certificates
- Page 142 and 143:
for the specified security token ty
- Page 144 and 145:
Configure the Required Security Tok
- Page 146 and 147:
c. If the client’s security token
- Page 148 and 149:
ii. Select a token consumer class o
- Page 150 and 151:
The Web service client log confirms
- Page 152 and 153:
provided by generating a signature
- Page 154 and 155:
X509TokenGenerator, is provided by
- Page 156 and 157:
Figure 6-12 Request generator Integ
- Page 158 and 159:
Figure 6-13 Request generator Token
- Page 160 and 161:
3. Configure the key locator. Expan
- Page 162 and 163:
c. Select Use key locator and selec
- Page 164 and 165:
6. Configure the part reference (Fi
- Page 166 and 167:
6.3.5 Configuring the z/OS provider
- Page 168 and 169:
Figure 6-20 Request consumer Token
- Page 170 and 171:
4. Configure the key information (F
- Page 172 and 173:
d. For the signing key information,
- Page 174 and 175:
6.3.6 Configuring the z/OS provider
- Page 176 and 177:
For WebSphere Application Server fo
- Page 178 and 179:
5. Configure signing information (F
- Page 180 and 181:
The application displays the princi
- Page 182 and 183:
xmlns:wsse="http://docs.oasis-open.
- Page 184 and 185:
tainSecurityInfoReturn> All this va
- Page 186 and 187:
This scenario illustrates the usage
- Page 188 and 189:
To do this: 1. Using the Web servic
- Page 190 and 191:
2. Enter a path and file name to st
- Page 192 and 193:
► If a server sends a response th
- Page 194 and 195:
2. Configure the key locator (Figur
- Page 196 and 197:
Configure the Key Information dialo
- Page 198 and 199:
6.4.6 Configuring the z/OS provider
- Page 200 and 201:
Tip: The WebSphere default trust st
- Page 202 and 203:
c. Select Use key locator, and then
- Page 204 and 205:
2. Configure the key locator (Figur
- Page 206 and 207:
Open the SecurityCallerEJB ejb-jar.
- Page 208 and 209:
4. Configure key information (Figur
- Page 210 and 211:
The Web service provider log confir
- Page 212 and 213:
A4rAxe3jWkLuFZwqgPCbRWXYZeCJBB5vp0L
- Page 214 and 215:
When asserting an identity, the alr
- Page 216 and 217:
Server side To receive the asserted
- Page 218 and 219:
2. Configure the token generator (F
- Page 220 and 221:
1. Configure the required security
- Page 222 and 223:
Click OK and a caller part is creat
- Page 224 and 225:
► Digital signature The asserted
- Page 226 and 227:
The application displays the princi
- Page 228 and 229:
Content-Language: en-US Content-Len
- Page 230 and 231:
7.1 Introduction This section intro
- Page 232 and 233:
Figure 7-2 shows an example of how
- Page 234 and 235:
Table 7-2 shows the WebSphere V6.1
- Page 236 and 237:
The following path can be used to l
- Page 238 and 239:
The following RACF commands are pro
- Page 240 and 241:
7.4.3 Importing certificates The im
- Page 242 and 243:
► Delete a CA signer certificate:
- Page 244 and 245:
Example 7-1 shows a list of provide
- Page 246 and 247:
Upon restarting the application ser
- Page 248 and 249:
Note: To use hardware cryptography,
- Page 250 and 251:
5. Connect the personal certificate
- Page 252 and 253:
Figure 7-10 shows the output of the
- Page 254 and 255:
7.8.1 Keyring and certificate setup
- Page 256 and 257:
CN=HDwtsc58.itso.ibm.com.OU=IBM< Su
- Page 258 and 259:
Figure 7-12 shows the options chose
- Page 260 and 261:
7.9.1 Diagnostic steps When attempt
- Page 262 and 263:
7.9.3 Common errors The WebSphere t
- Page 264 and 265:
244 Security in WebSphere Applicati
- Page 266 and 267:
8.1 Authentication with HTTP Basic
- Page 268 and 269:
NONE BASIC SecurityInfo Realm
- Page 270 and 271:
To configure the user ID and passwo
- Page 272 and 273:
Content-Type: text/xml; charset=utf
- Page 274 and 275:
Extracting the server signer certif
- Page 276 and 277:
Network ports can be shared among a
- Page 278 and 279:
Be sure to select the WebContainer-
- Page 280 and 281:
It is necessary to expand the tree
- Page 282 and 283:
Click Get certificate Aliases and t
- Page 284 and 285:
Configuring the Web service request
- Page 286 and 287:
Looking at the output in the TCP/IP
- Page 288 and 289:
Re-deploy the application to WAS fo
- Page 290 and 291:
Figure 8-16 illustrates changing th
- Page 292 and 293:
8.4 Confidentiality with SSL using
- Page 294 and 295:
The private key type should be ICSF
- Page 296 and 297:
Example 8-8 illustrates the additio
- Page 298 and 299:
Verify that you can see the HDCA si
- Page 300 and 301:
Under Specific SSL configuration fo
- Page 302 and 303:
Note: It is also possible to invoke
- Page 304 and 305:
Creating certificate authority and
- Page 306 and 307:
Important: WebSphere for z/OS uses
- Page 308 and 309:
8.6.4 Configuring the Web service r
- Page 310 and 311:
Deploy the SecurityInfo ear file in
- Page 312 and 313:
292 Security in WebSphere Applicati
- Page 314 and 315:
9.1 Introduction, logins, and token
- Page 316 and 317:
WebSphere Application Server for z/
- Page 318 and 319:
This allows servers in the invocati
- Page 320 and 321:
and with propagation disabled to de
- Page 322 and 323:
not understand. The interoperabilit
- Page 324 and 325:
In order to have all cells share th
- Page 326 and 327:
The following Common Secure Interop
- Page 328 and 329:
CSIv2 allows a client identity to b
- Page 330 and 331:
9.3.4 CSIv2 standard identity asser
- Page 332 and 333:
For identity assertion, depending o
- Page 334 and 335:
Figure 9-9 CSIv2 outbound authentic
- Page 336 and 337:
Consider the following options: ►
- Page 338 and 339:
Consider how to create the trust re
- Page 340 and 341:
Login configuration specifies the t
- Page 342 and 343:
transport and at the message-layer
- Page 344 and 345:
In the z/OS additional settings for
- Page 346 and 347:
After authenticating, the EJBMagic
- Page 348 and 349:
Figure 9-21 shows that the remote E
- Page 350 and 351:
9.4.3 Vertical attribute propagatio
- Page 352 and 353:
3. Check the option for Security at
- Page 354 and 355:
9.4.5 Cross-cell considerations Sec
- Page 356 and 357:
10.1 Introduction to user registrie
- Page 358 and 359:
Standalone custom registry A standa
- Page 360 and 361:
This LDAP tree common root organiza
- Page 362 and 363:
2. Restart the z/OS LDAP server fro
- Page 364 and 365:
WebSphere z/OS configuration for z/
- Page 366 and 367:
3. In the same window, under Additi
- Page 368 and 369:
WebSphere, LDAP SDBM, and SAF autho
- Page 370 and 371:
SampleSAFMappingModule is in search
- Page 372 and 373:
2. Restart the z/OS LDAP server fro
- Page 374 and 375:
Use a command similar to the follow
- Page 376 and 377:
cn=UserTdbm,ou=itsotdbm,o=itso in o
- Page 378 and 379:
WebSphere and z/OS LDAP TDBM back-e
- Page 380 and 381:
Why should you enable native authen
- Page 382 and 383:
Using the z/OS LDAP TDBM connection
- Page 384 and 385:
Currently, most WebSphere applicati
- Page 386 and 387:
Also, federated repositories provid
- Page 388 and 389:
end of this federation configuratio
- Page 390 and 391:
it is necessary to define a differe
- Page 392 and 393:
c. Then click Apply and save to the
- Page 394 and 395:
WebSphere z/OS configuration for LD
- Page 396 and 397:
The LDAP administrator is cn=LDAP A
- Page 398 and 399:
Using this configuration we access
- Page 400 and 401:
c. Specify the distinguished name o
- Page 402 and 403:
(cn=UserTdbm,ou=itsotdbm,o=itso) or
- Page 404 and 405:
Defining EJBROLES belongs to the ap
- Page 406 and 407:
class profiles are restricted to 24
- Page 408 and 409:
Connection manager RunAs identity C
- Page 410 and 411:
Connectors Thread identity support
- Page 412 and 413:
11.1 Introducing the SPNEGO TAI Sin
- Page 414 and 415:
Although the Kerberos protocol cons
- Page 416 and 417:
Administrative Console in Secure ad
- Page 418 and 419:
owsers such as Microsoft Internet E
- Page 420 and 421:
With such a configuration, a cross-
- Page 422 and 423:
Figure 11-4 shows the detailed step
- Page 424 and 425:
11.3.2 Configuring the Microsoft Wi
- Page 426 and 427:
3. Create a user account for WebSph
- Page 428 and 429:
4. Right-click this new user accoun
- Page 430 and 431:
List SPNs defined for the user acco
- Page 432 and 433:
11.3.3 Configuring WebSphere Applic
- Page 434 and 435:
The /etc/skrb/krb5.conf is now crea
- Page 436 and 437:
Tip: The complete list of available
- Page 438 and 439:
Verifying security in WebSphere The
- Page 440 and 441:
4. In the Local intranet window, fi
- Page 442 and 443:
5. Double-click network.negotiate-a
- Page 444 and 445:
11.4 Validating single sign-on usin
- Page 446 and 447:
The same behavior happens with anot
- Page 448 and 449:
We use Ethereal software to sniff t
- Page 450 and 451:
12.1 Out-of-the-box administrative
- Page 452 and 453:
Add a new HFS owner user ID: ADDUSE
- Page 454 and 455:
It is common practice to define the
- Page 456 and 457:
► Access to WebSphere Application
- Page 458 and 459:
12.1.3 Security customization jobs
- Page 460 and 461:
12.1.4 Comparison of security setti
- Page 462 and 463:
enabled and no console users or gro
- Page 464 and 465:
PASSWORD PROCESSING OPTIONS: PASSWO
- Page 466 and 467:
Create the Sync-to-OS thread profil
- Page 468 and 469:
13.1 Security configuration and adm
- Page 470 and 471:
disabled security may be required,
- Page 472 and 473:
. Select user repository (see Figur
- Page 474 and 475:
EJBROLE class profiles are case sen
- Page 476 and 477:
d. Click Finish. 4. Select an autho
- Page 478 and 479:
3. Go to the profile_root/bin direc
- Page 480 and 481:
13.2 Role-based administrative secu
- Page 482 and 483:
management of users and groups in f
- Page 484 and 485:
These are the values used in the fo
- Page 486 and 487:
5. Save the changes: AdminConfig.sa
- Page 488 and 489:
You can access and manipulate the n
- Page 490 and 491:
PERMIT CosNamingCreate CLASS(EJBROL
- Page 492 and 493:
Using the Web material The addition
- Page 494 and 495:
Other publications Online resources
- Page 496 and 497:
Help from IBM IBM Support and downl
- Page 498 and 499:
callbackhandler 114 caller part 114
- Page 500 and 501:
J2EE 9 Security 5 J2EE client 13 J2
- Page 502 and 503:
Protocol (RMI-IIOP) 91 Repositories
- Page 504 and 505:
JMX calls 305 LTPA key, sharing 303
- Page 506 and 507:
configuring provider 178 configurin
- Page 508 and 509:
488 Security in WebSphere Applicati
- Page 510:
Security in WebSphere Application S