Security in WebSphere Application Server V6.1 and J2EE 1.4 on z/OS

Book description

This IBM® Redbooks® publication provides a technical description of some of the most important security scenarios available with WebSphere® Application Server Version 6.1 for z/OS®. We chose scenarios that are not well documented elsewhere and that changed significantly in Version 6.1.

In the first two chapters we provide an overview of security with WAS on z/OS for those readers who are unfamiliar with the security landscape on z/OS. From Chapter 3, "Web container security" on page 63, onwards we go into more technical depth.

Table of contents

  1. Notices
    1. Trademarks
  2. Preface
    1. The team that wrote this book
    2. Become a published author
    3. Comments welcome
  3. Chapter 1: Introduction
    1. Securing WAS for z/OS simplified
    2. WAS and security layers
      1. Security terms
      2. Security layering overview
      3. z/OS security overview
      4. Java security overview
      5. WebSphere security overview
    3. Securing WAS and applications
      1. WAS and security checkpoints
      2. Web client authentication overview
      3. EJB client authentication overview
      4. MQ client authentication overview
      5. Web services security overview
      6. Backend connectivity security overview
      7. User registry
      8. Authorization
  4. Chapter 2: WebSphere security design
    1. Chapter objectives
    2. Network protocol architecture overview
    3. SSL overview
      1. SSL handshake
    4. Authorization and EJB roles
    5. Our scenarios
      1. Scenario 1 - authentication in HTTP server
      2. Scenario 2 - authentication in reverse proxy security server
      3. Scenario 3 - J2EE client authentication using CSIv2
      4. Scenario 4 - J2EE server authentication using CSIv2
      5. Scenario 5 - JCA custom principal mapping
      6. Scenario 6 - Web services authentication
      7. Scenario 7 - WMQ client authentication
      8. Scenario 8 - authorization using external authorization server
      9. Scenario 9 - bridged security between z/OS and distributed using JAAS
      10. Scenario 10 - centralized user registry using LDAP on z/OS
  5. Chapter 3: Web container security
    1. Web authentication improvements
      1. Separate Web authentication and authorization
      2. Web authentication enhanced control
    2. Implementation with the admin console
      1. General settings at the cell level
      2. Control server level Web authentication behavior
    3. Why you should use these options
  6. Chapter 4: Application security
    1. Administrative security enablement
    2. Application security enablement
  7. Chapter 5: Web services security introduction
    1. SOA, Web services, z/OS, and security
    2. Web services security exposures
    3. Web services message and transport security
      1. When to use message layer security
      2. When to use transport layer security
    4. Web services message layer security with WS-Security
      1. End-to-end security
      2. WS-Security standard
      3. WS-Security support in WebSphere
      4. WS-I basic security profile support
      5. WS-Security high-level architecture
      6. Message authentication, integrity, confidentiality, ID assertion
    5. Web services transport layer security
      1. Web services transports introduction
      2. Point-to-point security
      3. The HTTP(S) transport protocol
      4. JMS transport security
      5. RMI-IIOP security
      6. Enterprise Service Bus security
    6. Our SecurityInfo Web service application and environment
      1. SecurityInfo J2EE architecture in our environment
      2. Our test environment
      3. SecurityInfo Web service implementation
      4. SecurityInfo deployment
      5. SecurityInfo in action
  8. Chapter 6: Web services message layer security
    1. How to configure Web services message layer security
      1. Web services message layer security and WS-Security
      2. Web services message layer security configuration tools
      3. Web services message layer security configuration files
      4. Web services message-layer security configuration components
    2. Authentication with a security token
      1. Authentication support with WS-Security
      2. Authentication scenario description
      3. Authentication configuration overview
      4. Configuring the Web service requestor for security token
      5. Configuring the z/OS Web service provider for security token
      6. Validating authentication with a security token
    3. Integrity with XML digital signature
      1. Integrity support with WS-Security
      2. Integrity scenario description
      3. Integrity configuration overview
      4. Configuring the requestor for request XML digital signature
      5. Configuring the z/OS provider for request XML digital signature
      6. Configuring the z/OS provider for response XML digital signature
      7. Configuring the requestor for response XML digital signature
      8. Validating integrity with XML digital signature
    4. Confidentiality with XML encryption
      1. Confidentiality support with WS-Security
      2. Confidentiality scenario description
      3. Confidentiality scenario key prerequisites
      4. Confidentiality configuration overview
      5. Configuring the requestor for request XML encryption
      6. Configuring the z/OS provider for request XML encryption
      7. Configuring the z/OS provider for response XML encryption
      8. Configuring the z/OS requestor for response XML encryption
      9. Validating confidentiality with XML encryption
      10. Confidentiality using hardware cryptography
    5. Identity assertion
      1. Identity assertion support with WS-Security
      2. Identity assertion scenario description
      3. Identity assertion configuration overview
      4. Configuring the Web service requestor for identity assertion
      5. Configuring the z/OS Web service provider for identity assertion
      6. Configuring the trust relationship for identity assertion
      7. Validating identity assertion
  9. Chapter 7: Secure Sockets Layer (SSL)
    1. Introduction
    2. Centrally managed SSL
    3. WebSphere V6.1 for z/OS SSSL to JSSE changes
    4. SSL RACF certificate management
      1. Viewing certificates
      2. Monitoring certificate expiration
      3. Importing certificates
      4. Exporting certificates
      5. Deleting certificates
      6. Deleting keystores and truststores
    5. Hardware crypto and Java crypto providers
      1. Choosing a JCE provider
      2. Admin console keystore types
      3. Keystores and truststores
    6. IBMJCECCA and IBMJCE characteristics
    7. SSL and JCERACFKS keystore
      1. Keyring and certificate setup
      2. WebSphere admin console setup
    8. Hardware crypto using a JCECCARACFKS keystore
      1. Keyring and certificate setup with keys in hardware
      2. Installing the unrestricted Java policy jars
      3. Update the java.security file with the IBMJCECCA provider
      4. Admin console setup
    9. SSL troubleshooting and traces
      1. Diagnostic steps
      2. SSL traces
      3. Common errors
  10. Chapter 8: Web services transport security
    1. Authentication with HTTP
      1. HTTP basic authentication scenario description
      2. Configuring the z/OS Web service provider with authentication
      3. Configuring the Web service requestor to authenticate
      4. Validating transport security using HTTP basic authentication
    2. Integrity with SSL
      1. Integrity with SSL scenario description
      2. Integrity scenario prerequisites
      3. Configuring the z/OS Web service provider SSL configuration
      4. Configuring the Web service requestor SSL configuration
      5. Configuring the z/OS Web service provider for integrity
      6. Configuring the Web service requestor for integrity
      7. Validating integrity with SSL
    3. Confidentiality with SSL
      1. Confidentiality with SSL scenario description
      2. Configuring the z/OS Web service provider SSL configuration
      3. Configuring the Web service requestor SSL configuration
      4. Configuring the z/OS Web service provider for confidentiality
      5. Configuring the Web service requestor for confidentiality
      6. Validating confidentiality with SSL
    4. Confidentiality with SSL using hardware crypto
      1. Confidentiality with SSL using hardware crypto prerequisites
      2. Installing the unrestricted Java policy jars
      3. Updating the JVM to use the IBMJCECCA provider
      4. Configuring the z/OS Web service provider SSL configuration
      5. Configuring the Web service requestor SSL configuration
      6. Configuring the z/OS Web service provider for confidentiality
      7. Configuring the Web service requestor for confidentiality
      8. Validating confidentiality with SSL using hardware crypto
    5. Confidentiality and basic authentication
    6. Confidentiality and client certificate authentication
      1. Confidentiality and client certificate scenario description
      2. Confidentiality and client certificate prerequisites
      3. Configuring the z/OS Web service provider SSL configuration
      4. Configuring the Web service requestor SSL configuration
      5. Configuring z/OS Web service provider for authentication
      6. Validating client certificate authentication
  11. Chapter 9: Security attribute propagation and CSIv2
    1. Introduction, logins, and tokens
      1. Security attribute propagation
      2. Initial login versus propagation login
      3. Token framework
    2. Horizontal attribute propagation
      1. Horizontal attribute propagation description
      2. Horizontal attribute propagation in action
      3. Horizontal attribute propagation implementation
      4. Cross-cell considerations
    3. CSIv2 standard identity assertion
      1. CSIv2
      2. CSIv2 standard identity assertion description
      3. CSIv2 standard identity assertion in action
      4. CSIv2 standard identity assertion implementation
      5. Our CSIv2 identity assertion scenario
    4. Vertical attribute propagation with CSIv2
      1. Vertical attribute propagation with CSIv2 description
      2. Vertical attribute propagation versus CSIv2 identity assertion
      3. Vertical attribute propagation with CSIv2 in action
      4. Vertical attribute propagation with CSIv2 implementation
      5. Cross-cell considerations
  12. Chapter 10: User registries
    1. Introduction to user registries
    2. Our scenario and our environment
    3. Standalone LDAP registry
      1. WebSphere and z/OS LDAP SDBM back end (RACF)
      2. WebSphere and z/OS LDAP TDBM back end (DB2)
      3. WebSphere and z/OS LDAP TDBM native authentication
    4. Federated repositories
      1. What federated repositories are
      2. Our federated repositories scenario
      3. Federated z/OS LDAP with TDBM back end (DB2)
      4. Federated z/OS LDAP TDBM native authentication
      5. Federated IBM Tivoli Directory Server
    5. z/OS local operating system registry
      1. System Authorization Facility (SAF) authorization
      2. OS thread security support
      3. Thread identity support
  13. Chapter 11: SPNEGO and Windows single sign-on
    1. Introducing the SPNEGO TAI
      1. An introduction to Kerberos
      2. An introduction to trust association interceptor (TAI)
      3. An introduction to SPNEGO
      4. The WebSphere SPNEGO TAI
    2. Designing single sign-on with Microsoft Windows domain
      1. Single sign-on with Microsoft Windows KDC only
      2. Single sign-on with z/OS KDC and Microsoft Windows KDC
    3. Implementing single sign-on using SPNEGO TAI
      1. Our environment and our scenario
      2. Configuring the Microsoft Windows server
      3. Configuring WebSphere Application Server for z/OS
      4. Configuring the Web browser
      5. Tips for troubleshooting the SPNEGO TAI configuration
    4. Validating single sign-on using the SPNEGO TAI
  14. Chapter 12: Operating system security
    1. Out-of-the-box administrative security
      1. Cell-wide common user groups and IDs
      2. Security configuration options
      3. Security customization jobs
      4. Comparison of security settings
    2. Automatically generated server IDs
    3. RACF - mixed-case password support
    4. Sync-to-OS thread update
  15. Chapter 13: WAS administrative security
    1. Security configuration and administration
      1. Simplified security administration
      2. Administrative security implementation
      3. Administrative security with SAF authorization
      4. Administrative security with default authorization provider
    2. Role-based administrative security
      1. Administrative roles
      2. Fine-grained administrative security
    3. Naming service security
      1. CosNaming roles description
      2. Mapping users or groups to CosNaming roles
  16. Appendix A: Additional material
    1. Locating the Web material
    2. Using the Web material
      1. How to use the Web material
  17. Related publications
    1. IBM Redbooks
    2. Other publications
    3. Online resources
    4. How to get IBM Redbooks
    5. Help from IBM
  18. Index
  19. Back cover

Product information

  • Title: Security in WebSphere Application Server V6.1 and J2EE 1.4 on z/OS
  • Author(s): Alex Louwe Kooijmans, Foulques de Valence, Yukari Hanya, Keith Jabcuga, Marc van der Meer, Gabriel Mogos, Eran Yona
  • Release date: December 2007
  • Publisher(s): IBM Redbooks