Sie sind auf Seite 1von 1194
IBM WebSphere Application Server for z/OS, Version 8.5 Securing applications and their environment SA32-1073-00

IBM WebSphere Application Server for z/OS, Version 8.5

Securing applications and their environment

SA32-1073-00

Note Before using this information, be sure to read the general information under “Notices” on

Note Before using this information, be sure to read the general information under “Notices” on page 1167.

Note Before using this information, be sure to read the general information under “Notices” on page

Compilation date: June 1, 2012

© Copyright IBM Corporation 2012. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents How to send your comments xiii Using this PDF . . . . .

Contents

How to send your comments

xiii

Using this PDF .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

xv

Chapter 1. Overview and new features for securing applications and their environment .

 

.

.

.

.1

Security planning overview

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.1

Chapter 2. Securing the Liberty profile and its applications

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

13

Getting started with security in the Liberty profile .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

13

Liberty profile: Quick overview of

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

15

Setting up BasicRegistry and role mapping on the Liberty profile .

.

.

.

.

.

.

.

.

.

.

.

.

.

16

Securing communications with the Liberty profile

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

17

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

17

Enabling SSL communication for the Liberty profile . Creating SSL certificates from the command prompt

. Configuring your web application and server for client certificate authentication .

.

. Configuring the authentication cache on the Liberty profile

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

Authenticating users in the Liberty profile

. Configuring a user registry for the Liberty profile .

.

.

.

.

.

.

 

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

22

24

25

25

30

. Configuring a JAAS custom login module for the Liberty profile.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

31

. Customizing SSO configuration using LTPA cookies for the Liberty profile .

Configuring LTPA on the Liberty profile

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

32

32

Configuring RunAs authentication in the Liberty profile .

.

.

Configuring TAI for the Liberty profile

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

33

34

Authorizing access to resources in the Liberty profile

.

.

.

.

.

.

.

.

.

35

Configuring authorization for applications on the Liberty profile .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

35

Configuring security authorization for users on z/OS.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

38

. Configuring web security related properties for the Liberty profile .

Accessing JMX connectors on the Liberty profile .

.

. Customizing SSO configuration using LTPA cookies for the Liberty profile .

.

. Configuring your web application and server for client certificate authentication .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

Configuring JCA security for the Liberty profile .

.

.

.

.

.

.

.

.

.

.

.

.

 

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

42

43

43

44

45

. Developing extensions to the Liberty profile security infrastructure

.

.

.

.

.

.

.

.

.

.

.

.

.

.

46

. Developing JAAS custom login modules for a system login configuration .

Developing a custom TAI for the Liberty

.

. Customizing an application login to perform an identity assertion using JAAS

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

46

47

52

Chapter 3. How do I secure applications and their environments? .

.

.

.

.

.

.

.

.

.

.

.

.

55

Chapter 4. Task overview: Securing resources

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

57

. Migrating, coexisting, and interoperating – Security considerations

Chapter 5. Setting up, enabling and migrating security .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

59

59

Interoperating with previous product versions

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

61

Interoperating with a C++ common object request broker architecture client

.

.

.

.

.

.

.

.

.

.

62

Migrating trust association interceptors

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

63

Migrating Common Object Request Broker Architecture programmatic login to Java Authentication

 

and Authorization Service (CORBA and JAAS) .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

66

Migrating from the CustomLoginServlet class to servlet filters

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

68

. Migrating with Tivoli Access Manager for authentication enabled on a single node.

Migrating Java 2 security policy

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

 

.

.

.

.

.

.

.

.

.

.

.

.

.

.

69

72

Migrating with Tivoli Access Manager for authentication enabled on multiple nodes

.

.

.

.

.

.

.

73

Migrating unrestricted jurisdiction policy files, local_policy.jar and US_export_policy.jar .

 

.

.

.

.

.

75

Preparing for security at installation time .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

75

. WebSphere Application Server security for z/OS .

Securing your environment after installation .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

76

77

Defining Secure Sockets Layer security for servers

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

101

Creating Secure Sockets Layer digital certificates and System Authorization Facility keyrings that

 

applications can use to initiate HTTPS requests .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

104

. Creating a new Java Secure Socket Extension repertoire alias

Creating a new System SSL repertoire alias .

.

.

.

.

.

 

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

106

107

Setting up SSL connections for Java clients

. Enabling administrative security and the default application security policy .

.

.

.

.

.

.

.

.

.

.

 

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

108

108

Disabling administrative security

Enabling security .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

110

110

Administrative security .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

114

Security considerations when in a multi-node WebSphere Application Server WebSphere

 

Application Server, Network Deployment environment .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

123

Application security

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

124

. Enabling security for the realm .

Java 2 security .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

125

134

Testing security after enabling it.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

170

Security Configuration Wizard

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

171

Security configuration report .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

172

Adding a new custom property in a global security configuration or in a security domain

 

configuration .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

174

Modifying an existing custom property in a global security configuration or in a security domain

 

configuration .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

175

Deleting an existing custom property in a global security configuration or in a security domain

 

configuration .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

176

Securing specific application servers .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

177

Server-level security settings .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

178

Controlling application environments with RACF server class profiles .

 

.

.

.

.

.

.

.

.

.

.

.

181

Resource Access Control Facility Tools .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

182

RACF keyring setup .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

186

Controlling access to console users when using a Local OS Registry .

 

.

.

.

.

.

.

.

.

.

.

.

.

187

Using CBIND to control access to clusters .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

189

Chapter 6. Configuring multiple security domains .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

191

Multiple security domains .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

194

Creating new multiple security domains .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

211

Deleting multiple security domains .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

215

Copying multiple security domains .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

215

Configuring inbound trusted realms for multiple security domains

 

.

.

.

.

.

.

.

.

.

.

.

.

.

.

219

Configure security domains

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

220

Name .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

220

Description .

. Application Security: .

.

. Assigned Scopes .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

220

220

220

Enable application security

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

220

. Use global security settings

Java 2 security:.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

221

221

Customize for this domain .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

221

Use Java 2 security to restrict application access to local resources

 

.

.

.

.

.

.

.

.

.

.

.

.

221

Warn if applications are granted custom permissions .

 

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

221

Restrict access to resource authentication data .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

222

User Realm: .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

222

Trust Association: .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

222

. Enable trust association

Interceptors .

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.