
Table of Contents

Web Deployment Descriptor
  Pages Tab
  Security Tab
Application Deployment Descriptor
  Security
EJB Deployment Descriptor
  Assembly
  Access
  Reference
Admin Console Setup
  Logging On
  Global Security Tab Part 1
  LTPA Tab
    Import Keys (Option 1)
    Generate Keys (Option 2)
  Single Sign On Setup
  LDAP User Registry
  LDAP Advanced Settings
  First Restart
  Add Console User
  Global Security Tab Part 2 (Enable)
  Second Restart

Web Deployment Descriptor


This section describes the process of modifying the web.xml file within Rational
Application Developer (version 6) to set up J2EE security. The section is organized by
tab within RAD.

Click on the deployment descriptor for the web application to get started.

Pages Tab

1. Set up form-based authentication.
   a. Set Authentication Method to FORM.
   b. Set Login Page to the appropriate link: /TBD
      (has to link to a page within the app that presents the login form)
   c. Set Error Page to the appropriate link: /TBD
      (has to link to a page within the app that handles authentication errors)
2. Set up an Error Page for authorization failure (403).
   a. Error Code: 403
   b. Location: /TBD
      (has to link to a page within the app that handles authorization errors)
   Click Finish.

Security Tab

1. Click on the Add button under Security Roles to create each role within your
   application.
   a. Enter a name for the role. Bear in mind that this role will be used
      declaratively in the deployment descriptor to determine security
      constraints on resources, and it will also be referenced in special cases by
      the application.
   b. Enter a description that indicates what the role is allowed to do. Click
      Finish.

2. Add a security constraint for each module in the application.
   a. Enter a Constraint Name (fully articulated module name suffixed with
      Constraint). Click Next.
   b. Add a Web Resource:
      i. Enter the Resource Name (module name).
      ii. Enter a Description (describe the methods being enabled, e.g. GET and
          POST allowed).
      iii. Enter the HTTP Methods (check only the methods that are absolutely
           necessary; usually this is GET, or POST, or both).
      iv. Enter the URL pattern in the form /<module name>/*
      v. Click Finish.

3. Add a User Data Constraint to ensure that SSL is required for accessing this web
   resource. Any protected resource should require SSL, which a Confidential
   constraint will ensure. Note: Integral has the same effect as Confidential in
   HttpServlet-based applications because the application server uses SSL for
   both. SSL implies that the communication cannot be viewed by a third party
   (Confidential) and that the data has not been changed in transit (Integral). In
   servlet transports other than HTTP it is possible for the data to be signed to
   prevent change in transit and yet not be confidential. While this makes sense
   from a servlet specification standpoint, it is not applicable in this case.
4. Add the authorized role.
   a. Enter the role name as the description.
   b. Check the appropriate role name. Click Finish.
5. Save the descriptor file (Control-S).
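The following is an added example, not code from this guide or from IBM: it parses the web.xml that the Pages and Security tab steps produce and checks it against those steps (FORM login with in-app login and error pages, a 403 error page, one security constraint per module with a /<module>/* pattern, only GET and/or POST, a declared role, and a Confidential or Integral transport guarantee). The sample descriptor, the Orders module, the OrderClerk role and the /login.html, /loginError.html and /forbidden.html paths are constructed for illustration; the guide's own values are still marked TBD.

```python
# Added example (not from the guide or from IBM): lint a web.xml against the
# Pages/Security tab steps.  All sample values below are constructed.
import xml.etree.ElementTree as ET

# Constructed sample of the web.xml RAD writes after the steps above.
# Module name, role name and page paths are assumptions, not the guide's values.
GOOD_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <error-page>
    <error-code>403</error-code>
    <location>/forbidden.html</location>
  </error-page>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Orders</web-resource-name>
      <description>GET and POST allowed</description>
      <url-pattern>/orders/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>OrderClerk</description>
      <role-name>OrderClerk</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/loginError.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>OrderClerk</role-name>
  </security-role>
</web-app>
"""

ALLOWED_METHODS = {"GET", "POST"}  # the guide: "usually GET, or POST, or both"


def _strip_ns(root):
    """Drop the J2EE namespace so paths like 'login-config/auth-method' match."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def check_web_xml(xml_text):
    """Return a list of findings; an empty list means the descriptor follows the guide."""
    root = _strip_ns(ET.fromstring(xml_text))
    findings = []
    # Pages tab, step 1: FORM login whose pages live inside the application.
    method = root.findtext("login-config/auth-method")
    if method != "FORM":
        findings.append(f"auth-method is {method!r}, expected FORM")
    for page in ("form-login-page", "form-error-page"):
        loc = root.findtext(f"login-config/form-login-config/{page}")
        if not loc or not loc.startswith("/"):
            findings.append(f"{page} missing or not an in-app path: {loc!r}")
    # Pages tab, step 2: a dedicated page for authorization failures.
    if not any(ep.findtext("error-code") == "403" and ep.findtext("location")
               for ep in root.findall("error-page")):
        findings.append("no error-page for HTTP 403")
    declared = {r.findtext("role-name") for r in root.findall("security-role")}
    # Security tab, steps 2-4: per-module pattern, minimal methods, a declared
    # role, and a transport guarantee that forces SSL (Confidential or Integral).
    for sc in root.findall("security-constraint"):
        name = sc.findtext("web-resource-collection/web-resource-name") or "?"
        for wrc in sc.findall("web-resource-collection"):
            for pat in (p.text or "" for p in wrc.findall("url-pattern")):
                if not (pat.startswith("/") and pat.endswith("/*") and pat.count("/") == 2):
                    findings.append(f"{name}: url-pattern {pat!r} is not of the form /<module>/*")
            extra = {m.text for m in wrc.findall("http-method")} - ALLOWED_METHODS
            if extra:
                findings.append(f"{name}: methods beyond GET/POST enabled: {sorted(extra)}")
        roles = {r.text for r in sc.findall("auth-constraint/role-name")}
        if not roles:
            findings.append(f"{name}: no authorized role (auth-constraint missing)")
        for role in sorted(roles - declared):
            findings.append(f"{name}: role {role!r} is not declared as a security-role")
        guarantee = sc.findtext("user-data-constraint/transport-guarantee")
        if guarantee not in ("CONFIDENTIAL", "INTEGRAL"):
            findings.append(f"{name}: transport-guarantee is {guarantee!r}, SSL not required")
    return findings


if __name__ == "__main__":
    print("compliant sample:", check_web_xml(GOOD_WEB_XML) or "no findings")
    # Weaken the sample (BASIC auth, no SSL requirement) to see the findings.
    weak = GOOD_WEB_XML.replace("<auth-method>FORM", "<auth-method>BASIC") \
                       .replace("CONFIDENTIAL", "NONE")
    for finding in check_web_xml(weak):
        print("weakened sample:", finding)
```

Run directly, the compliant sample produces no findings and the weakened copy reports the BASIC login method and the missing transport guarantee. Because the servlet specification constrains only the http-method elements that are listed, the checker reports any method beyond the GET/POST set the guide expects rather than requiring a fixed list; the per-module pattern check is deliberately strict (/<module>/* only) to catch a constraint that was saved with a bare /* or a path without the trailing wildcard.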

Application Deployment Descriptor


Security

1. Click the Gather button to collect the roles that were already set up in the web.xml.
   Do not click Add and re-enter the role names; this would create a new set of roles
   with the same names, because the XML uses unique ids for binding.
2. Click on the User/Groups checkbox. There may be cases where Everyone or
   All Authenticated Users makes sense, but this should be carefully considered
   and needs architecture/security review.
3. Add the group. Note: Adding a user within the deployment descriptor should
   never be done. Architecture/Security approval is required for any exceptions to
   this rule.
   a. Click Add.
   b. Enter the group name (from the LDAP server).
   c. Click Finish.

EJB Deployment Descriptor


Assembly

1. Click the Add button under Security Roles to add each of the roles that have
   access to this application.
   a. Enter a name for the role. Bear in mind that this role will be used
      declaratively in the deployment descriptor to determine security
      constraints on resources, and it will also be referenced in special cases by
      the application.
   b. Enter a description that indicates what the role is allowed to do. Click
      Finish.
2. Click the Add button under Method Permissions to set up access rights for
   each role.
   a. Select the security role to set up permissions for. Click Next.
   b. Select all EJBs that this role has access to. Click Next.
   c. Select the methods that this role has access to. If the role has access to all
      the methods, the preferred approach is to use * to indicate all methods.

Access

1. Click on Add to set up the security identity to use the identity of the caller.
   a. Click Use Identity of Caller. Click Next.
   b. Click on Select All to indicate that all EJBs should rely on the caller's
      identity. Note: If additional EJBs are added, this step needs to be
      re-executed.

Reference
A reference should only be added if programmatic access to roles is required. This
should be used sparingly, and requires architecture/security review.

1. Click Add to set up the security role reference.
   a. Click on Security Role Reference and then click Next.
   b. Enter the Name, which is the role name that the application will use when
      calling the isCallerInRole method.
   c. Choose the role to Link this to. Click Finish.
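The following is an added example, not code from this guide or from IBM, covering the Assembly, Access and Reference steps together: it parses an ejb-jar.xml and reports any bean whose security identity is not the caller's (the gap the Access note warns about when EJBs are added later), any bean no method permission covers, and any security role reference whose link does not resolve to a declared role. The sample descriptor, the OrderService and ReportService beans, their classes and the OrderClerk role are constructed for illustration and are not the guide's values.

```python
# Added example (not from the guide or from IBM): lint an ejb-jar.xml against
# the Assembly, Access and Reference steps.  All sample values are constructed.
import xml.etree.ElementTree as ET

# Constructed ejb-jar.xml: OrderService was configured per the steps above;
# ReportService was added afterwards and the Access step was not re-run.
# Bean names, classes and roles are assumptions, not the guide's values.
SAMPLE_EJB_JAR = """<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" version="2.1">
  <enterprise-beans>
    <session>
      <ejb-name>OrderService</ejb-name>
      <ejb-class>example.OrderServiceBean</ejb-class>
      <session-type>Stateless</session-type>
      <security-role-ref>
        <role-name>clerk</role-name>
        <role-link>OrderClerk</role-link>
      </security-role-ref>
      <security-identity>
        <use-caller-identity/>
      </security-identity>
    </session>
    <session>
      <ejb-name>ReportService</ejb-name>
      <ejb-class>example.ReportServiceBean</ejb-class>
      <session-type>Stateless</session-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <role-name>OrderClerk</role-name>
    </security-role>
    <method-permission>
      <role-name>OrderClerk</role-name>
      <method>
        <ejb-name>OrderService</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""


def _strip_ns(root):
    """Drop the J2EE namespace so plain element paths match."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def check_ejb_jar(xml_text):
    """Return findings in bean order; an empty list means every bean follows the guide."""
    root = _strip_ns(ET.fromstring(xml_text))
    findings = []
    asm = root.find("assembly-descriptor")
    # Assembly step 1: the roles declared for this module.
    declared = {r.findtext("role-name") for r in asm.findall("security-role")} if asm is not None else set()
    # Assembly step 2: which beans at least one method permission covers.
    permitted = set()
    for mp in (asm.findall("method-permission") if asm is not None else []):
        for r in mp.findall("role-name"):
            if r.text not in declared:
                findings.append(f"method-permission uses undeclared role {r.text!r}")
        for m in mp.findall("method"):
            permitted.add(m.findtext("ejb-name"))
    for bean in root.findall("enterprise-beans/*"):
        name = bean.findtext("ejb-name")
        # Access step: every bean must run as the caller; beans added later are the usual gap.
        if bean.find("security-identity/use-caller-identity") is None:
            findings.append(f"{name}: security identity is not 'use identity of caller'")
        if name not in permitted:
            findings.append(f"{name}: no method-permission grants any role access")
        # Reference step: each programmatic role name must link to a declared role.
        for ref in bean.findall("security-role-ref"):
            link = ref.findtext("role-link")
            if link not in declared:
                findings.append(f"{name}: role-ref {ref.findtext('role-name')!r} "
                                f"links to undeclared role {link!r}")
    return findings


if __name__ == "__main__":
    for finding in check_ejb_jar(SAMPLE_EJB_JAR):
        print(finding)
```

Run directly, the sample reports two findings for ReportService (no caller identity, no method permission) and none for OrderService, whose role reference clerk links to the declared OrderClerk role. Changing that role-link to a name that is not declared adds a third finding, which is the mismatch the Reference step's Link choice exists to prevent.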

Admin Console Setup


Logging On

1. In the server properties (double-click the server), click on Enable administrative
   console in the Configuration tab.
2. Start/Restart the server.
3. Enter a dummy user id. Note: At this point, security is disabled so the user id is
   irrelevant.

Global Security Tab Part 1

1. Set the Active Authentication Mechanism to LTPA. Note: SWAM is supplied
   for backwards compatibility, but is woefully insecure and should never be used
   in a production environment.
2. Set the Active User Registry to LDAP.
3. Click Apply.
4. Click Save at the top of the screen to commit the changes to the master
   configuration.
5. Click Save.

LTPA Tab
There are two ways to set up LTPA tokens.
1. Import Keys (used when accessing remote EJBs in a different cell; this is the
   case for most PFPC applications that use security frameworks).
2. Generate Keys (used when all EJBs are local to the cell).
This section covers both of these cases. If you are unsure which of these options to
use, contact your Application Architect or CTAG.

Import Keys (Option 1)

1. Place the key file on local disk.
2. Enter the password associated with the key file twice.
3. Set the timeout to the fixed timeout value wanted for the security token. If unsure,
   set this to 120 minutes.
4. Enter the full path to the key file on disk.
5. Click Import Keys.
6. Click Save to apply to master configuration.
7. Click Save to confirm.

Generate Keys (Option 2)

1. Enter an arbitrary long random password; there is no need to keep the value.
2. Set the timeout to the fixed timeout value wanted for the security token. If unsure,
   set this to 120 minutes.
3. Click Generate Keys.
4. Click Save to apply to master configuration.
5. Click Save to confirm.

Single Sign On Setup


Click on the Single Signon (SSO) link at the bottom of the LTPA Tab.

1. Click on Enabled to enable the SSO cookie.
2. Check the box that requires SSL for the cookie. For development purposes this
   step can be skipped, as requiring SSL for the cookie is not a necessity there.
   However, it should always be checked for QA and Production environments.
3. Set the domain name to either pfpc.net or <your box name>.pfpc.net.
4. Click Apply.
5. Click Save to apply to master configuration.
6. Click Save to confirm.

LDAP User Registry

1. Enter the server User ID/Password that WebSphere will use to authenticate
   services/connections internally.
   Example: (uid=WebSphere,ou=trustedSystems,dc=pfpc,dc=com)
2. Enter the host name of the directory server.
3. Enter the base distinguished name for LDAP queries, in our case dc=pfpc,dc=com.
4. Enter the bind DN and password that will be used to authenticate the connection to
   the directory server. In development, this may be identical to the id used by
   WebSphere, but in production these will be different for security reasons.
5. Check the SSL box and enter the SSL port. For development purposes this step
   can be skipped, as SSL is not a requirement there; however, for production/test
   SSL should be enabled.
6. Click Apply.
7. Click Save to apply to master configuration.
8. Click Save to confirm.

LDAP Advanced Settings

1. Modify the User Filter to the following string: TBD
2. Modify the Group Filter to the following string: TBD
3. Validate that the Group Member ID Map is set to the following: TBD
4. Click Apply.
5. Click Save to apply to master configuration.
6. Click Save to confirm changes.

First Restart
At this point, the server needs to be restarted to recognize the new security/LDAP setup.

Add Console User

1. Click on Console Users to begin creating a user with administrative access to the
   WebSphere console.
2. Click Add.
3. Enter the User in the form uid=xxx,cn=users,dc=pfpc,dc=com, where xxx is
   replaced by the LDAP user you want to administer WebSphere. Click on
   Administrator and hit Apply.
4. Verify there are no errors in the Messages Tab at the top of the screen as shown
   above. If there are errors, validate that the preceding steps were done correctly
   and completely. If everything is ok, click Save to continue.
5. Click Save to confirm changes.

Global Security Tab Part 2 (Enable)

1. On the Global Security Tab, click on Enabled.
2. Uncheck the Enforce Java 2 Security box. Note: Our current stance is that the
   benefit Java 2 Security provides is outweighed by the added complexity.
3. Click Apply.
4. Click Save to apply to master configuration.
5. Click Save to confirm changes.

Second Restart
At this point, the server needs to be restarted to recognize that global security is
enabled.

A login page should appear when trying to access the admin console, and you should
be able to log in using the id that you registered above.

If for some reason you cannot log in, go into the server settings and uncheck Enable
security. Then restart the server and verify all previous steps.
