Archive > WebSphere Portal Server > March 2006
Enabling Security on WS Application Server!
Hi,
What is the difference between running WPSConfig.sh to enable Security,
-Versus-
following the below steps from Administration Console in achieving the same?
WILL BOTH TAKE CARE OF ONE AND THE SAME THING..........?
(If not) which one is better approach?
========================================
====================================
Enabling security in WebSphere Application Server
1. Open WebSphere Administrative Console.
In a browser, use the following address: http://host_name:9060/admin
2. In the left pane, click Security > Global Security.
In the right pane under User Registries, click Local OS
3. Enter values for the Server User ID and Server User Password fields.
You must use a valid local administrator account.
The server user ID is only used for WebSphere Application Server security. The server user ID is not associated with the system process that runs the application server.
The application server calls the local operating system registry to authenticate and obtain privilege information about users. Access to this information is normally restricted to users having the following special privileges:
o For Windows systems:
The user must be a member of the Administrators group and have "Act as part of operating system" as the local security policy enabled.
The domain-level policy settings override the local policy settings.
To enable the local security policy:
A. Click Start > Settings > Control Panel > Administrative Tools > Local Security Policy to open the Local Security Settings window.
B. Expand Local Policies, then click User Rights Assignments.
C. Double-click Act as part of the operating system to open the Local Security Policy Setting window.
D. Click Add, then select a user name from the list.
E. Click Add, then click OK.
F. Click OK to close the Local Security Policy Setting window.
o For UNIX systems:
The user must have root authority.
To use security in the application server, the process ID (PID) on which WebSphere Application Server runs requires the same special privileges as listed above. If the process ID does not have the same special privileges, a "Validation failed for user" error occurs. (Note: The process ID is different from the security server ID used for WebSphere Application Server security.)
4. Click OK.
The Global Security pane is displayed.
5. On the Configuration tab, click the Enable Global Security check box under General Properties so a check mark appears.
By default, when WebSphere Application Server Global Security is enabled, the Enforce Java 2 Security check box is also enabled.
Java 2 Security relies on policy files to specify permissions for an application, such as the Device Manager server, and code that it calls, such as the DB2 or Oracle JDBC driver.
6. Click the Enforce Java 2 Security check box to clear the check mark for the Enforce Java 2 Security check box.
If you leave Enforce Java 2 Security checked, then ensure the policy files include the permission statements so the Device Manager server can call the DB2 or Oracle JDBC driver.
When Enforce Java 2 Security is checked and there are no permission statements, the application server for Device Manager will not start. The Device Manager server servlet gets an AccessControlException upon start-up because the Device Manager server servlet calls the JDBC driver which is attempting to access a system resource for which it does not have permission.
7. Scroll down and click Apply.
8. Click the Save text in the Message(s) pane to save the configuration changes.
9. Click the Save button in the Save to Master Configuration pane to update the master repository.
10. The IBM WebSphere Application Server - node_name (such as host_nameNode01) and the WebSphere Application Server - DMS_AppServer services must be stopped and restarted for these changes to take effect.
To stop and start these services, click Start > Settings > Control Panel > Administrative Tools > Services. In the services list, highlight the service, then use the Action menu to stop and start each service.
If you are using the Device Manager Care applications, you will need to configure the Care applications to work with the WebSphere Application Server security.
========================================
====================================
Thanks,
-Jaideep
| |
|
I think these steps enable security on WAS, not related to portal in any way.
Running WPSConfig to enable security is used to enable portal security. Even if WAS security is enabled and you already installed WebSphere Portal on a secured WAS, you still need to run this config task (ex. WPSConfig enable_security_ldap) to enable portal security.
But if you run the task and both WAS and portal are not secured, then the task will enable security on them both.
| |
|
|
Thanks, mmatouk, for your comments.
Apparently, I am not using LDAP Server here, but only the Group Authentication Service [GAS].
Hence how can I run WPSConfig.sh - what will be the argument?
Thanks,
-Jaideep
| |
|
Actually, running the enable security task is needed only when you plan to use a different user registry system, e.g. ldap or db.
Anyway, all the available arguments related to enabling security are:
WPSConfig enable-security-ldap : for ldap without realm support
WPSConfig enable-security-db : for db without realm support
WPSConfig enable-security-wmmur-ldap : for ldap with realm support
WPSConfig enable-security-wmmur-db : for db with realm support
Not sure if this will help you or not, but you may send a specific scenario you want to have so we can discuss what security options you need for your portal.
Good Luck
| |
|
|
Also,
I tried test running WPSConfig.sh with argument enable-security, but noticed it goes ahead and alters the content, format, etc. of WMM.XML, WPSattributes.XML, and so on.
Hence, curious to know, when would be a good time to run the script? Is it at the beginning, i.e., when Portal is configured?
Thanks,
-Jaideep
| |
|
|
Hi mmatouk,
Yeah.. GAS is the different User Registry System in our case.
Our scenario is -
1> doPreLogin() of LoginUserAuth calls GAS and performs Authentication.
2> doPostLogin() of LoginUserAuth calls Mainframes DB2 database (through WebServices) and fetches Roles and permissions of the user. Depending on whether user has Roles & Permissions, they are granted access (Authorization).
So, only once both Authentication and Authorization pass, user gets access to the Protected Page. Else they get back Invalid Login Message.
We already have the above implementation working.
Now, how do we enable security here?
Thanks,
-Jaideep
| |
|
Which of the below fit in best here.......?
WPSConfig enable-security-ldap : for ldap without realm support
WPSConfig enable-security-db : for db without realm support
WPSConfig enable-security-wmmur-ldap : for ldap with realm support
WPSConfig enable-security-wmmur-db : for db with realm support
thanks,
-Jaideep
| |
|
I think enabling security won't mess with your content; for me it just moved the storage of portal users and groups to a secured storage equipment controlled by a directory server.
As you don't use LDAP then the one to use is enable-security-db, but I didn't enable security on db before; I just used LDAP.
Enabling security will change WMM.xml and most of the files in the wmm directory, so if you made changes to them try to back them up before going into the process.
Good luck
| |
|
|
Thanks once again mmatouk
When WPSconfig.sh is run with enable-security-db as argument, what are the associated parameters that will have to be set in WPSConfig.properties?
Also, what all files will get modified when this script is run, so that I can back them up before running the script?
thanks,
-Jaideep
| |
|
|
Hello,
Can someone send me the exact instructions on HOW TO RUN wpsconfig.sh -
Questions I have are the following:
* As "Mainframes DB2 database" and "GAS server" are our repositories, what prior settings to be made in Wsconfig.properties?
* What should be the Argument for wpsconfig.sh for the above configuration?
* What all files in its current condition will be altered when the script is run?
* Is there any documentation available on this?
Thanks,
-Jaideep