Enabling Security on WS Application Server!

    Enabling Security on WS Application Server!  




 
03-14-06 12:50 PM


Hi,

What is the difference between running WPSConfig.sh to enable Security,

-Versus-

following the below steps from Administration Console in achieving the same?


WILL BOTH TAKE CARE OF ONE AND THE SAME THING..........?


(If not) which one is better approach?


============================================================================

Enabling security in WebSphere Application Server

1. Open WebSphere Administrative Console.
In a browser, use the following address: http://host_name:9060/admin

2. In the left pane, click Security > Global Security.
In the right pane under User Registries, click Local OS

3. Enter values for the Server User ID and Server User Password fields.
You must use a valid local administrator account.

The server user ID is only used for WebSphere Application Server security. The server user ID is not associated with the system process that runs the application server.

The application server calls the local operating system registry to authenticate and obtain privilege information about users. Access to this information is normally restricted to users having the following special privileges:

o For Windows systems:

The user must be a member of the Administrators group and have "Act as part of operating system" as the local security policy enabled.

The domain-level policy settings override the local policy settings.

To enable the local security policy:

A. Click Start > Settings > Control Panel > Administrative Tools > Local Security Policy to open the Local Security Settings window.

B. Expand Local Policies, then click User Rights Assignments.

C. Double-click Act as part of the operating system to open the Local Security Policy Setting window.

D. Click Add, then select a user name from the list.

E. Click Add, then click OK.

F. Click OK to close the Local Security Policy Setting window.

o For UNIX systems:

The user must have root authority.

To use security in the application server, the process ID (PID) on which WebSphere Application Server runs requires the same special privileges as listed above. If the process ID does not have the same special privileges, a "Validation failed for user" error occurs. (Note: The process ID is different from the security server ID used for WebSphere Application Server security.)

4. Click OK.

The Global Security pane is displayed.

5. On the Configuration tab, click the Enable Global Security check box under General Properties so a check mark appears.

By default, when WebSphere Application Server Global Security is enabled, the Enforce Java 2 Security check box is also enabled.

Java 2 Security relies on policy files to specify permissions for an application, such as the Device Manager server, and code that it calls, such as the DB2 or Oracle JDBC driver.

6. Click the Enforce Java 2 Security check box to clear the check mark for the Enforce Java 2 Security check box.

If you leave Enforce Java 2 Security checked, then ensure the policy files include the permission statements so the Device Manager server can call the DB2 or Oracle JDBC driver.

When Enforce Java 2 Security is checked and there are no permission statements, the application server for Device Manager will not start. The Device Manager server servlet gets an AccessControlException upon start-up because the Device Manager server servlet calls the JDBC driver which is attempting to access a system resource for which it does not have permission.

7. Scroll down and click Apply.

8. Click the Save text in the Message(s) pane to save the configuration changes.

9. Click the Save button in the Save to Master Configuration pane to update the master repository.

10. The IBM WebSphere Application Server - node_name (such as host_nameNode01) and the WebSphere Application Server - DMS_AppServer services must be stopped and restarted for these changes to take effect.

To stop and start these services, click Start > Settings > Control Panel > Administrative Tools > Services. In the services list, highlight the service, then use the Action menu to stop and start each service.

If you are using the Device Manager Care applications, you will need to configure the Care applications to work with the WebSphere Application Server security.

============================================================================


Thanks,

-Jaideep









    Re: Enabling Security on WS Application Server!  




 
03-14-06 12:50 PM

I think these steps enable security on WAS, not related to portal in any way.
Running WPSConfig to enable security is used to enable portal security; even if WAS security is enabled and you already installed WebSphere Portal on a secured WAS, you still need to run this config task (ex. WPSConfig enable_security_ldap) to enable portal security.
But if you run the task and both WAS and portal are not secured, then the task will enable security on them both.








    Re: Enabling Security on WS Application Server!  




 
03-14-06 12:50 PM


Thanks, mmatouk, for your comments.

Apparently, I am not using LDAP Server here, but only the Group Authentication Service [GAS].

Hence how can I run WPSConfig.sh - what will be the argument?

Thanks,

-Jaideep









    Re: Enabling Security on WS Application Server!  




 
03-14-06 12:50 PM

Actually, running the enable security task is needed only when you plan to use a different user registry system, e.g. ldap or db.
Anyway, all the available arguments related to enabling security are
WPSConfig enable-security-ldap : for ldap without realm support
WPSConfig enable-security-db : for db without realm support
WPSConfig enable-security-wmmur-ldap : for ldap with realm support
WPSConfig enable-security-wmmur-db : for db with realm support

Not sure if this will help you or not, but you may send a specific scenario you want to have so we can discuss what security options you need for your portal

Good Luck








    Re: Enabling Security on WS Application Server!  




 
03-14-06 12:50 PM


Also,

I tried test running WPSConfig.sh with argument enable-security, but noticed it goes ahead and alters the content, format, etc of WMM.XML, WPSattributes.XML, and so on..

Hence, curious to know, when would be a good time to run the script?  Is it at the beginning, i.e., when Portal is configured?

Thanks,

-Jaideep








    Re: Enabling Security on WS Application Server!  




 
03-14-06 12:50 PM


Hi mmatouk,

Yeah.. GAS is the different User Registry System in our case.

Our scenario is -

1> doPreLogin() of LoginUserAuth calls GAS and performs Authentication.

2> doPostLogin() of LoginUserAuth calls Mainframes DB2 database (through WebServices) and fetches Roles and permissions of the user.  Depending on whether user has Roles & Permissions, they are granted access (Authorization).

So, only once both Authentication and Authorization pass, user gets access to the Protected Page.  Else they get back Invalid Login Message.

We already have the above implementation working.

Now, how do we enable security here?

Thanks,

-Jaideep









    Re: Enabling Security on WS Application Server!  




 
03-14-06 12:50 PM



Which of the below fit in best here.......?


WPSConfig enable-security-ldap : for ldap without realm support
WPSConfig enable-security-db : for db without realm support
WPSConfig enable-security-wmmur-ldap : for ldap with realm support
WPSConfig enable-security-wmmur-db : for db with realm support


thanks,

-Jaideep








    Re: Enabling Security on WS Application Server!  




 
03-14-06 10:57 PM

I think enabling security won't mess with your content, for me it just moved the storage of portal users and groups to a secured storage equipment controlled by a directory server.
As you don't use LDAP then the one to use is enable-security-db, but I didn't enable security on db before, I just used LDAP.
Enabling security will change WMM.xml and most of the files in wmm directory, so if you made changes to them try to back them up before going into the process.

good luck








    Re: Enabling Security on WS Application Server!  




 
03-14-06 10:57 PM


Thanks once again mmatouk

When WPSconfig.sh is run using enable-security-db as argument, what are the associated parameters that will have to be set in WPSConfig.properties?

Also, what all files will get modified when this script is run, so that I can back them up before running the script?

thanks,
-Jaideep












    Re: Enabling Security on WS Application Server!  




 
03-14-06 10:57 PM


Hello,

Can someone send me the exact instructions on HOW TO RUN wpsconfig.sh -

Questions I have are the following:

* As "Mainframes DB2 database" and "GAS server" are our repositories, what prior settings are to be made in Wsconfig.properties?

* What should be the Argument for wpsconfig.sh for the above configuration?

* What all files in its current condition will be altered when the script is run?

* Is there any Documentation available on this?


Thanks,
-Jaideep






