WebSphere Application Server V7.0: Concepts ... - IBM Redbooks

More documents

Recommendations

Info

The authentication mechanism in WebSphere Application Server typically collaborates closely with a user registry. When performing authentication, the user registry is consulted. A successful authentication results in the creation of a credential, which is the internal representation of a successfully authenticated client user. The abilities of the credential are determined by the configured authorization mechanism. Depending on the type of client, the authentication information is sent by using different protocols: ► Enterprise Beans clients use CSIv2. ► Web clients use HTTP or HTTPS. Although WebSphere Application Server provides support for multiple authentication mechanisms, you can configure only a single active authentication mechanism at a time. WebSphere Application Server supports the following authentication mechanisms: ► Lightweight Third Party Authentication (LTPA) ► Kerberos ► Rivest Shamir Adleman (RSA) token authentication Note: Simple WebSphere Authentication Mechanism (SWAM) is deprecated in WebSphere Application Server V7.0 and will be removed in a future release. Lightweight Third-Party Authentication (LTPA) LTPA is intended for distributed, multiple application server and machine environments. It supports forwardable credentials and single sign-on (SSO). LTPA can support security in a distributed environment through cryptography. This support permits LTPA to encrypt, digitally sign, and securely transmit authentication-related data, and later decrypt and verify the signature. When using LTPA, a token is created with the user information and an expiration time and is signed by the keys. The LTPA token is time sensitive. All product servers that participate in a protection domain must have their time, date, and time zone synchronized. If not, LTPA tokens appear prematurely expired and cause authentication or validation failures. When SSO is enabled, this token is passed to other servers through cookies for Web resources. If the receiving servers share the same keys as the originating server, the token can be decrypted to obtain the user information, which is then validated to make sure that it has not expired and that the user information in the token is valid in its registry. On successful validation, the resources in the receiving servers are accessible after the authorization check. All of the WebSphere Application Server processes in a cell (deployment manager, node agents, application servers) share the same set of keys. If key sharing is required between different cells, 386 WebSphere Application Server V7.0: Concepts, Planning, and Design
export them from one cell and import them to the other. For security purposes, the exported keys are encrypted with a user-defined password. This same password is needed when importing the keys into another cell. Note: When security is enabled during profile creation time, LTPA is configured by default. When security is enabled for the first time with LTPA, configuring LTPA is normally the initial step performed. LTPA requires that the configured user registry be a centrally shared repository, such as an LDAP or a Windows domain type registry, so that users and groups are the same regardless of the machine. LTPA keys are generated automatically during the first server startup and regenerated before they expire. You can disable automatic regeneration by WebSphere Application Server so you can generate them on a schedule. Kerberos Warning: At the time of writing, the Kerberos and LTPA option is not available. It has been included in this book because it will be supported in a future update. Although being new to WebSphere Application Server V7.0, Kerberos is a mature, standard authentication mechanism that enables interoperability with other applications that support Kerberos authentication. It provides single sign on (SSO) end-to-end interoperable solutions and preserves the original requester identity. Kerberos is composed of three parts: a client, a server, and a trusted third party known as the Kerberos Key Distribution Center (KDC). The KDC provides authentication and ticket granting services. The KDC maintains a database or repository of user accounts for all of the security principals in its realm. Many Kerberos distributions use file-based repositories for the Kerberos principal and policy database and others use Lightweight Directory Access Protocol (LDAP) as the repository. A long-term key for each principal 1 is maintained by the KDC in its accounts database. This long-term key is derived from the password of the principal. Only the KDC and the user that the principal represents should know the long-term key or password. 1 A principal is a unique identity which represents a user. Chapter 12. Security 387
Page 1:
WebSphere Application Server V7.0:
Page 4 and 5:
Note: Before using this information
Page 6 and 7:
2.2 Tivoli Directory Server . . . .
Page 8 and 9:
5.1.3 Security . . . . . . . . . .
Page 10 and 11:
7.9 WebSphere performance tools . .
Page 12 and 13:
11.4 Web services architecture . .
Page 14 and 15:
14.9.7 Java Command Language (JACL)
Page 16 and 17:
xiv WebSphere Application Server V7
Page 18 and 19:
Trademarks IBM, the IBM logo, and i
Page 20 and 21:
xviii WebSphere Application Server
Page 22 and 23:
Tze Puah is an Application Infrastr
Page 24 and 25:
Become a published author Join us f
Page 26 and 27:
1.1 Java Platform Enterprise Editio
Page 28 and 29:
1.2 WebSphere Application Server ov
Page 30 and 31:
1.2.2 Evolving Java application dev
Page 32 and 33:
Runtime provisioning WebSphere Appl
Page 34 and 35:
WebSphere Application Server suppor
Page 36 and 37:
Installation Factory WebSphere Appl
Page 38 and 39:
WebSphere Application Server for z/
Page 40 and 41:
These features become more importan
Page 42 and 43:
1.4 Supported hardware, platforms,
Page 44 and 45:
Operating systems Versions Linux®
Page 46 and 47:
1.4.5 Directory servers Databases V
Page 48 and 49:
► Product binaries and source cod
Page 50 and 51:
Some of the features of Rational Ap
Page 52 and 53:
Groovy and PHP. It also includes ap
Page 54 and 55:
2.1 Tivoli Access Manager IBM Tivol
Page 56 and 57:
All communication between the Tivol
Page 58 and 59:
LDAP is a fast and simple way of lo
Page 60 and 61:
For WebSphere Application Server Ve
Page 62 and 63:
WebSphere MQ applications can send
Page 64 and 65:
► Technology Adapters These adapt
Page 66 and 67:
The IBM WebSphere DataPower SOA App
Page 68 and 69:
Client or Server Internet IP Firewa
Page 70 and 71:
2.6 DB2 IBM DB2 is an open-standard
Page 72 and 73:
2.7.1 Integration with WebSphere Ap
Page 74 and 75:
50 WebSphere Application Server V7.
Page 76 and 77:
3.1 WebSphere Application Server co
Page 78 and 79:
Administration is greatly enhanced
Page 80 and 81:
About Figure 3-2 : This figure only
Page 82 and 83:
It is also possible to replicate se
Page 84 and 85:
DMgr Node Deployment Manager Node A
Page 86 and 87:
3.1.6 Deployment manager Local conf
Page 88 and 89:
3.1.8 Job manager The administrativ
Page 90 and 91:
Web server plug-ins A Web server ca
Page 92 and 93:
SIP proxy The SIP proxy design is b
Page 94 and 95:
3.1.11 Generic servers A generic se
Page 96 and 97:
► Aligns WebSphere applications c
Page 98 and 99:
3.2.1 Single cell configurations Yo
Page 100 and 101:
Node Agent Application Server Deplo
Page 102 and 103:
Node Agent V5.1 Application Server
Page 104 and 105:
Administrative Agent WebSphere Appl
Page 106 and 107:
Cluster workload management Workloa
Page 108 and 109:
groups enables WebSphere Applicatio
Page 110 and 111:
Mixed topologies Figure 3-23 shows
Page 112 and 113:
3.4 Runtime processes In this secti
Page 114 and 115:
Node Agent Application Server Deplo
Page 116 and 117:
3.5.3 IBM HTTP Server as an unmanag
Page 118 and 119:
4.1 Infrastructure planning This se
Page 120 and 121:
4.2.1 Scalability Scalability, as u
Page 122 and 123:
4.2.2 Caching 6. Reevaluate. Recogn
Page 124 and 125:
- Consider regular maintenance. In
Page 126 and 127:
4.2.6 Security Disaster recovery co
Page 128 and 129:
► Plan for certificates and their
Page 130 and 131:
4.3 Sizing the infrastructure After
Page 132 and 133:
When using a service such as those
Page 134 and 135:
4.5.4 Load factors ► Monitor reso
Page 136 and 137:
4.5.5 Production system tuning This
Page 138 and 139:
4.6 Planning for monitoring As most
Page 140 and 141:
products, like the IBM Tivoli Compo
Page 142 and 143:
4.7.3 Backup plan 4.7.4 Recovery pl
Page 144 and 145:
120 WebSphere Application Server V7
Page 146 and 147:
5.1 Topology selection criteria 5.1
Page 148 and 149:
Load balancing Use load balancing t
Page 150 and 151:
5.1.3 Security 5.1.4 Maintainabilit
Page 152 and 153:
Scaling Scaling represents the abil
Page 154 and 155:
Both of these options are valid app
Page 156 and 157:
- You will more likely have to call
Page 158 and 159:
5.2 Terminology 5.2.1 Load balancer
Page 160 and 161:
WebSphere Application Server Proxy
Page 162 and 163:
WebSphere Application Server V7.0 s
Page 164 and 165:
5.3.1 Stand-alone server topology T
Page 166 and 167:
► Increased security by using a D
Page 168 and 169:
User Outside World DMZ Internal Net
Page 170 and 171:
Installation and configuration The
Page 172 and 173:
The Web server plug-in distributes
Page 174 and 175:
System D Perform the following step
Page 176 and 177:
primary Load Balancer through heart
Page 178 and 179:
5.3.4 Reverse proxy topology User R
Page 180 and 181:
Installation and configuration: Edg
Page 182 and 183:
System B Perform the following step
Page 184 and 185:
System A 1. Copy the file targetTre
Page 186 and 187:
Note: Each Load Balancer installati
Page 188 and 189:
Disadvantages The major disadvantag
Page 190 and 191:
5.3.6 Heterogeneous cell z/OS DMGR
Page 192 and 193:
Disadvantages The disadvantages of
Page 194 and 195:
Advantages This topology provides t
Page 196 and 197:
The topology in Figure 5-11 shows a
Page 198 and 199:
3. Create an application server pro
Page 200 and 201:
Disadvantages There are no real dis
Page 202 and 203:
Page 204 and 205:
This document does not describe the
Page 206 and 207:
When you choose the platform or pla
Page 208 and 209:
6.5 Naming conventions Naming conve
Page 210 and 211:
Forwarding method Each of the avail
Page 212 and 213:
The following examples outline the
Page 214 and 215:
What is next? You can start the Web
Page 216 and 217:
Assume that the application server
Page 218 and 219:
6.8.2 Distributed server environmen
Page 220 and 221:
Assume that the application server
Page 222 and 223:
► Slip install Slip install means
Page 224 and 225:
Deployment Manager . . . Deployment
Page 226 and 227:
Installation factory The Installati
Page 228 and 229:
Note: The IBM Update Installer for
Page 230 and 231:
Profile types The types of profiles
Page 232 and 233:
► Secure proxy profile A secure p
Page 234 and 235:
Deployment manager profile options
Page 236 and 237:
Typical settings Advanced options D
Page 238 and 239:
Application server profile options
Page 240 and 241:
Typical settings Advanced options Y
Page 242 and 243:
Typical settings Advanced options D
Page 244 and 245:
6.9.6 Naming convention The purpose
Page 246 and 247:
If each application server will hos
Page 248 and 249:
There are some specific considerati
Page 250 and 251:
6.10 IBM Support Assistant IBM Supp
Page 252 and 253:
Page 254 and 255:
7.1 What is new in V7.0 IBM WebSphe
Page 256 and 257:
7.2.1 Scaling overview Note: In ord
Page 258 and 259:
Note: IBM HTTP Server for z/OS offe
Page 260 and 261:
7.3.2 System tuning To measure the
Page 262 and 263:
For the DMZ secure proxy, there are
Page 264 and 265:
Messaging connection pool When usin
Page 266 and 267:
Workload management is a WebSphere
Page 268 and 269:
For more details about Web server p
Page 270 and 271:
7.5 High availability 7.5.1 Overvie
Page 272 and 273:
7.5.4 Data availability In a WebSph
Page 274 and 275:
7.5.6 Maintainability Software-base
Page 276 and 277:
This time-out can be configured in
Page 278 and 279:
High availability groups High avail
Page 280 and 281:
7.6.1 Edge caching In this section
Page 282 and 283:
7.6.3 Data caching Dynamic caching
Page 284 and 285:
7.7 Session management 7.7.1 Overvi
Page 286 and 287:
The following sections outline the
Page 288 and 289:
Local sessions (non-persistent) If
Page 290 and 291:
► Application Configuration at th
Page 292 and 293:
7.9 WebSphere performance tools Whe
Page 294 and 295:
Monitoring a system naturally chang
Page 296 and 297:
for tuning and performance. The adv
Page 298 and 299:
synthetic transactions or to track
Page 300 and 301:
For more information about ARM, rev
Page 302 and 303:
Planning item Plan for clustering:
Page 304 and 305:
8.1 What is new in V7.0 The followi
Page 306 and 307:
► Enterprise JavaBeans (EJB) thin
Page 308 and 309:
Disciplines Business Modeling Requi
Page 310 and 311:
► Support for WebSphere Applicati
Page 312 and 313:
The WebSphere rapid deployment set
Page 314 and 315:
To group and sort resources in the
Page 316 and 317:
8.5.3 Subversion CVS has the follow
Page 318 and 319:
8.6 Automated build process The maj
Page 320 and 321:
8.8 Automated functional tests Auto
Page 322 and 323:
Development environment Usually, ea
Page 324 and 325:
The system test environment can als
Page 326 and 327:
► Environment-specific This categ
Page 328 and 329:
A lesser known, but better, approac
Page 330 and 331:
Developers need to consider the fol
Page 332 and 333:
► You can use the WebSphere Appli
Page 334 and 335:
Page 336 and 337:
9.1 What is new in V7.0 The followi
Page 338 and 339:
9.2 Administrative security We sugg
Page 340 and 341:
9.3.1 Integrated Solutions Console
Page 342 and 343:
JMX, a Java specification part of J
Page 344 and 345:
9.4 Automation planning To emphasiz
Page 346 and 347:
Consider whether to use automatic s
Page 348 and 349:
Some thought needs to be put toward
Page 350 and 351:
Note: A common source of confusion
Page 352 and 353:
File synchronization File synchroni
Page 354 and 355:
9.7.1 Log and traces ► Check the
Page 356 and 357:
9.7.3 Backing up and restoring the
Page 358 and 359:
9.8 Planning checklist for system m
Page 360 and 361: 10.1 Messaging overview: What is me
Page 362 and 363: 10.3.1 Messaging provider standards
Page 364 and 365: ► WebSphere Application Server V5
Page 366 and 367: If the bus member is a cluster of a
Page 368 and 369: 10.4.2 Choosing a messaging topolog
Page 370 and 371: With some additional configuration,
Page 372 and 373: Figure 10-6 illustrates how a servi
Page 374 and 375: WebSphere MQ server provides the fo
Page 376 and 377: Other roles that affect permissions
Page 378 and 379: There is a trade-off between reliab
Page 380 and 381: 356 WebSphere Application Server V7
Page 382 and 383: 11.1 Introduction to Web services W
Page 384 and 385: 11.2.1 What was in Feature Pack for
Page 386 and 387: ► Do you need to promote your bus
Page 388 and 389: Before we look at the architecture
Page 390 and 391: Message exchange patterns Some tran
Page 392 and 393: Workflow-oriented A workflow messag
Page 394 and 395: Service Consumer Figure 11-8 Compos
Page 396 and 397: 11.5.1 Supported standards WebSpher
Page 398 and 399: In this type of situation, companie
Page 400 and 401: Note: Dynamic Caching is only inclu
Page 404 and 405: 12.1 What is new in V7.0 This secti
Page 406 and 407: Security policy A security policy i
Page 408 and 409: These components consist of the fol
Page 412 and 413: There are some benefits in using Ke
Page 414 and 415: Lightweight Directory Access Protoc
Page 416 and 417: 12.2.2 Authorization Trust associat
Page 418 and 419: Fine-grained administrative securit
Page 420 and 421: that is involved in an Internet tra
Page 422 and 423: Users Fred Sally Mike Figure 12-4 U
Page 424 and 425: Note: Be aware that some configurat
Page 426 and 427: WebSphere Application Server provid
Page 428 and 429: Scenario 3: Using a z/OS security p
Page 430 and 431: Resources For a good overall refere
Page 432 and 433: 13.1 Available feature packs The cu
Page 434 and 435: The included extensions to Ajax are
Page 436 and 437: Another good source of information
Page 438 and 439: Figure 13-2 Key SCA concepts ► Pr
Page 440 and 441: ► SCA Web Services Binding V1.0 T
Page 444 and 445: 14.1 WebSphere Application Server s
Page 446 and 447: 14.1.3 Cell component—daemon WebS
Page 448 and 449: While WebSphere Application Server
Page 450 and 451: Cell Deployment Manager Control reg
Page 452 and 453: 14.1.6 Workload management for WebS
Page 454 and 455: Request Platinum customer Request G
Page 456 and 457: Availability The concept of a separ
Page 458 and 459: Note: While the 31-bit mode can sti
Page 460 and 461:
► MEMLIMIT setting in the JCL or
Page 462 and 463:
14.4.3 HFS structure The HFS struct
Page 464 and 465:
Cell01 Core Group Node01 Deployment
Page 466 and 467:
14.5.4 XCF—alternative protocol o
Page 468 and 469:
Member notification To notify the o
Page 470 and 471:
14.6 z/OS Fast Response Cache Accel
Page 472 and 473:
Perform the following steps to conf
Page 474 and 475:
Note: By default the FRCA cache is
Page 476 and 477:
14.6.4 Resource Access Control Faci
Page 478 and 479:
The results of this can be as follo
Page 480 and 481:
Note: If the request exceeds the sp
Page 482 and 483:
garbage collection. The garbage col
Page 484 and 485:
14.8.3 Function Modification Identi
Page 486 and 487:
Note: For detailed information abou
Page 488 and 489:
The set of tools is available for W
Page 490 and 491:
14.9 System programmer consideratio
Page 492 and 493:
Intelligent runtime provisioning Th
Page 494 and 495:
Shared class cache This section con
Page 496 and 497:
Because this is a JVM technique tha
Page 498 and 499:
The REUSASID parameter is automatic
Page 500 and 501:
14.10.1 Planning considerations Tab
Page 502 and 503:
Various tools are available to ease
Page 504 and 505:
15.1 Infrastructure migration consi
Page 506 and 507:
15.1.1 Scripting migration Since We
Page 508 and 509:
15.1.6 Mixed cell support To ease t
Page 510 and 511:
Automated migration with mixed vers
Page 512 and 513:
15.4 Messaging migration considerat
Page 514 and 515:
15.7 WebSphere Application Server f
Page 516 and 517:
MMT is intended for use by a system
Page 518 and 519:
5. When you have successfully enter
Page 520 and 521:
Example 15-1 Migration management c
Page 522 and 523:
Tip: The BBOWMG3x job is long runni
Page 524 and 525:
For more information about how to c
Page 526 and 527:
Topology review Client Network (10.
Page 528 and 529:
Advantages Disadvantages Sample top
Page 530 and 531:
► In order to show the new securi
Page 532 and 533:
Installing HTTP Servers (servers B
Page 534 and 535:
Creating Job manager (server E) The
Page 536 and 537:
d. On the Integrated Solutions Cons
Page 538 and 539:
After clicking OK, we got the answe
Page 540 and 541:
One WebSphere Application Server no
Page 542 and 543:
Figure A-10 Additional parameters F
Page 544 and 545:
Figure A-14 Job finished Summary We
Page 546 and 547:
Online resources ► WebSphere Appl
Page 550:
WebSphere Application Server V7.0:
show all

WebSphere Application Server V7.0: Concepts ... - IBM Redbooks

Create successful ePaper yourself

Delete template?

Save as template?