Presentation is loading. Please wait.

Presentation is loading. Please wait.

IBM Certified WAS 8.5 Administrator

Published by정성 성 Modified over 6 years ago

Similar presentations

Presentation on theme: "IBM Certified WAS 8.5 Administrator"— Presentation transcript:

1 IBM Certified WAS 8.5 Administrator
Section 5 - Security

2 Security Overview Three types: Administrative Security
Application Security Java 2 Security Security Service, a part of WAS runs in each WAS process (dmgr, Application Server, Node Agent etc)

3 Administrative Security
Controls access to Admin functions (such as logging on to Admin Console and wsadmin) Administrative roles for defining access level Fine grained access possible (you can configure to have access only to certain application servers) Administrative security must be enabled to enable Application Security Enabling Administrative Security enables usage of SSL By Default Administrative Security is enabled

4 Various Administrative roles
Monitor: View state of the environment Configurator: Monitor + config changes Operator: Monitor + start/stop processes Administrator: Everything iscadmins: Admin rights for managing users/groups in admin console ONLY Deployer: Configure,start/stop applications Admin Security Manager: Manage user/group/roles Auditor: Configure Auditing subsystem

5 Application Security and Java 2 Security
Controls Application Level Security such as accessing certain parts of the application Developer develops with ‘roles’ in mind At deploy time, roles get mapped to groups or users by the Deployer Security constraints in deployment descriptors control access to servlets Method permissions in deployment descriptor control access to EJBs Java 2 security restrict access to local resources such as files and Sockets using policy files Developer, at development time does not necessarily know all the users/groups that will be using the application. So, he develops with ‘roles’ in mind such as ‘operator’, ‘administrator’,’webmaster’ etc. At deploy time, deployer (typically WAS Administrator) maps the roles to the users. This can also be done post deployment Java comes with set of security policy files WAS has its own policy files

6 Authentication Authentication is the first step in the security flow (followed by authorization) Authentication mechanism defined in the Application deployment descriptor Basic, Form based and certificate based Basic authentication forces the user to enter username/password. Weak encoding For WAS, default is ‘Basic Authentication’

7 User Registries Authentication process requires a user registry to validate username and password Supported: Local OS (including Domain in Windows),Standalone LDAP, Custom, Federated Federated repositories can have more than one backed repository. Not only that, they can be of various types. VMM (Virtual Member Manager) handles the authentication with Federated repositories.

8 Configuring Security You can use Security Configuration Wizard from Admin console or do it manually You will need username/password for most types of repositories (ex: Standalone LDAP bind credentials) Custom registries required the custom classes to be available to WAS when configuring WAS provides com.ibm.websphere.security.FileRegistrySample

9 Configuring Security Cont..

10 LTPA Is the mechanism used to handle authentication
Token can be forwarded (LTPA delegation)

11 LTPA Cont… For Single Sign on across cell, the keyfile needs to be exported in one cell and imported in another LTPA token is encrypted while forwarding LTPA tokens have expiry time (120 minutes default)

12 Authorization After authentication, WAS needs to authorize a user for the requested operation/resource Authorization is done using roles Developers define the roles in Deployment descriptors Administrator binds the roles to users/groups at deploy time or after deploy

13 SSL Basics SSL (Secure Sockets Layer) provides Data protection and Integrity) between Server and Client Uses Asymmetric cryptography (Public and Private key). Shared secret key is established and is unique for each session (short lived) Various Cipher Suites supported (highest version common to Client and Server is always chosen) Modern systems use TLS (Transport Layer Security) which is an evolved version of SSL. The Server (WAS) has the public and private key pair. Public key can be sent to the client by means of Security Certificate which is signed by a certificate authority (CA) Data encrypted using the public key can ONLY be decrypted using the private key Private key is NEVER shared

14 SSL Basics Cont... Asymmetric key cryptography is also known as public key cryptography Public key can be 1024 bit, 2048 bit or even higher in size is most common is becoming popular. Bigger the size, more secure the data Most modern browsers have standard Certificate Authorities (such as Verisign) pre installed. In IE 9, you can see the list of certificates by going to Tools -> Internet Options -> Content -> Certificates

15 Keystores WAS manages SSL certificates in keystores
ikeyman tool or WAS Admin Console can be used to manage keystores Personal Certificates (Server certificates) are stored in KeyStore. CA Certificates are stored in TrustStore. By default, each Node gets a System generated Node personal certificate and Node Signer certificate. All Node Signer certificates are stored in CellDefaultTrustStore and distributed to all Nodes ikeyman tool comes with IBM HTTP Server, WAS, and HTTP Plugin. It is mainly used for managing certificates for Web Server Since cell-wide truststore stores the signer certificate for all nodes, each node will trust other nodes in a cell. System generated certificates are automatically renewed

16 Keystores Cont... In practice you will install a CA signed personal certificate Application Servers, by default will use the certificates from NodeDefaultKeystores Keystores are organized using ‘SSL Configurations’ CellDefaultSSLSettings and NodeDefaultSSLSettings are the default WebServers use CMS keystores and Application Servers use IBMJCE based PKCS12 keystores CMS Keystores have extension .kdb. IBMJCK based PKCS12 keystores have extension .p12 The CMS keystore must be propagated to the WebServer (just like plugin-cfg.xml) whenever a configuration change occurs (such as addition of a new node)

17 Requesting and installing SSL Personal Certificate
First create CSR (Certificate Signing Request) providing the ‘Common Name’ and other information Submit CSR to a CA (certificate authority) and receive the personal certificate and signer certificate ‘Receive certificate from a certificate authority’ Ensure the singer certificate is added to the ‘trust store’

18 Managing Certificate expiry
WAS can monitor and notify certificate expiry. It can also renew all System generated SSL certificates.

19 Security Auditing Reports auditable events to ensure integrity
Authentication Authorization Principal/Credential Mapping Audit policy management Delegation Enabled using the check box ‘Enable Auditing’ under ‘Security -> Security Auditing’ in WAS Admin Console New event filters in addition to the default ones can be configured at Security -> Security Auditing -> Event type filters

20 Security Auditing Cont...
Audit records can be encrypted and/or digitally signed for protection Audit Reader utility reads the binary audit log and produces HTML report Audit reader utility can ONLY be invoked via wsadmin AdminTask.binaryAuditLogReader You can also view the Audit log file via a text editor, but can be difficult to read By default audit logs go into profile logs directory of the Application Server. The name of the file will start with ‘BinaryAudit’

21 Security Domains Security configuration at multiple levels (i.e Cell, Application Server etc) Cell level Security domain is the default New security domains can be created with attributes such as ‘User registry’, ‘Java 2 security’ with different values The new security domain can be assigned to Cluster, Server or Service Integration Bus

22 Security Domains Cont...

Download ppt "IBM Certified WAS 8.5 Administrator"

Similar presentations

MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
Deploying and Managing Active Directory Certificate Services

Deploying and Managing Active Directory Certificate Services
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Apache Web Server Quick and Dirty Steve Gibbard for SANOG 16 (Originally by Joel Jaeggli for AfNOG 2007) ‏

Apache Web Server Quick and Dirty Steve Gibbard for SANOG 16 (Originally by Joel Jaeggli for AfNOG 2007) ‏
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004

SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Configuring Active Directory Certificate Services Lesson 13.

Configuring Active Directory Certificate Services Lesson 13.
CSCI 6962: Server-side Design and Programming

CSCI 6962: Server-side Design and Programming
TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series 2008 - WebSEAL SSO, Session 1 Presented by: Andrew Quap.

TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series WebSEAL SSO, Session 1 Presented by: Andrew Quap.
Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.

Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET

Similar presentations

Ads by Google