Chapter 6. Administration consoles and commands 211
action from the appropriate list and select the corresponding check box. Click Submit.
You can submit multiple actions concurrently.
6.2 Securing the administrative console
WebSphere Application Server provides the ability to secure the administrative consoles so
that only authenticated users can use them by enabling administrative security. Administrative
security determines whether security is used at all, provides authentication of users using the
WebSphere administrative function, the type of registry against which authentication takes
place, and other values. Enabling administrative security activates the settings that protect
your server from unauthorized users. Note that enabling administrative security does not
enable application security.
Before enabling any type of security for a production system, familiarize yourself with
WebSphere security and have a plan for securing your WebSphere environment. Security
encompasses many components, including administrative security, application security,
infrastructure security, and specialized resource security options. This section only provides
an overview of administrative security.
The first decision you have to make is to select the user registry you will use. If you enable
security when you create a profile for distributed systems, a file-based registry is
automatically created and populated with one administrative user ID. On z/OS platforms, you
have the option of using the file-based registry or the z/OS system’s SAF-compliant security
database.
Though a file-based user registry is not a best practice for securing applications, you can
federate additional registries to the existing file-based registry to manage users and groups
for application security.
If you are using a registry other than the WebSphere Application Server federated user
registry, you must create at least one user ID to be used for the WebSphere administrator.
Although you might have heard about security domains that were introduced in WebSphere
Application Server V7, these domains are used for application security (not administrative
security).
Before implementing security in a production environment, be sure to consult WebSphere
Application Server V8 Security Guide, SG24-7971.
6.2.1 Enabling security after profile creation
You can enable administrative security after profile creation through the administrative
console by navigating to Security > Global security. Performing this action allows you more
flexibility in specifying security options. You must complete the configuration items for
authentication, authorization, and realm (user registry). Populate the chosen user registry
with at least one user ID to be used as an administrator ID.
On the Security settings page, you can use the Security Configuration Wizard, which assists
you in securing your environment. To do this, click the Security Configuration Wizard button.
Click Next through the various windows of the wizard. The steps that you need to complete
are:
1. In the first step, select whether to enable application security or if you need to use Java 2
security to restrict application access to local resources. Be aware that when you select to
enable administrative security, the application security check box is enabled automatically.
If you are not prepared to use application security at this time, be sure to clear the box.
Java 2 security can be selected at this point or any time after enabling the administrative
security.
2. In the second step, select the type of user registry that you need for your environment:
   - Federated repositories: Manage identities that are stored in multiple repositories in a
     single, virtual realm.
   - Standalone LDAP Server: Uses the Lightweight Directory Access Protocol (LDAP)
     user registry settings. Select this option if your users and groups reside in an
     external LDAP registry.
   - Local operating system: Uses the local operating system user registry of the
     application server.
   - Standalone custom registry: Specifies a custom registry that implements the
     UserRegistry interface in the com.ibm.websphere.security package.
3. In the third step, select the primary administrative user name and other options depending
on the previous option selected. In Figure 6-21 on page 213, we use federated
repositories, which requires the password for the primary administrative user to be
specified and confirmed.
4. The last step summarizes your selected options. Click Finish and then Save the changes.
Figure 6-21 on page 213 illustrates the security settings page that is displayed after
completing the steps.
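
The following check is an added example, not code from the book or from IBM. It reads a cell's security.xml after the wizard has been saved and reports the administrative, application, and Java 2 security flags separately, together with the active user registry and its primary administrative ID. The sample document is constructed, and the element and attribute names (enabled, appEnabled, enforceJava2Security, activeUserRegistry, userRegistries, primaryAdminId) are assumptions about the security.xml layout that you should confirm against your own profile.

```python
import xml.etree.ElementTree as ET

XMI = "{http://www.omg.org/XMI}"  # namespace of the xmi:id and xmi:type attributes

# xmi:type of a registry entry -> the matching choice in step 2 of the wizard
REGISTRY_LABELS = {
    "security:WIMUserRegistry": "Federated repositories",
    "security:LDAPUserRegistry": "Standalone LDAP Server",
    "security:LocalOSUserRegistry": "Local operating system",
    "security:CustomUserRegistry": "Standalone custom registry",
}

# Constructed sample, trimmed to the attributes this check reads.
SAMPLE = """<security:Security xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:id="Security_1" enabled="true" appEnabled="false"
    enforceJava2Security="false" activeUserRegistry="WIMUserRegistry_1">
  <userRegistries xmi:type="security:LDAPUserRegistry"
      xmi:id="LDAPUserRegistry_1" primaryAdminId=""/>
  <userRegistries xmi:type="security:WIMUserRegistry"
      xmi:id="WIMUserRegistry_1" primaryAdminId="wasadmin"/>
</security:Security>"""

def audit_security(xml_text):
    """Summarize the security flags and active registry of one security.xml."""
    root = ET.fromstring(xml_text)
    flag = lambda name: root.get(name, "false").lower() == "true"
    active_id = root.get("activeUserRegistry")
    # Several registries can be defined; only the referenced one is in use.
    active = next((r for r in root.iter("userRegistries")
                   if r.get(XMI + "id") == active_id), None)
    findings = []
    if not flag("enabled"):
        findings.append("administrative security is disabled")
    if active is None:
        findings.append("activeUserRegistry matches no registry entry")
    elif not active.get("primaryAdminId"):
        findings.append("active registry has no primary administrative ID")
    rtype = active.get(XMI + "type") if active is not None else None
    return {
        "admin_security": flag("enabled"),
        "app_security": flag("appEnabled"),  # independent of admin security
        "java2_security": flag("enforceJava2Security"),
        "registry": REGISTRY_LABELS.get(rtype, rtype),
        "primary_admin": active.get("primaryAdminId") if active is not None else None,
        "findings": findings,
    }

if __name__ == "__main__":
    for key, value in audit_security(SAMPLE).items():
        print(key, "=", value)
```
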
