WAS V6.1
Agenda
2
IBM Software Group
Enables administrative security only (protects System applications). Application security must still be enabled post-install.
Must enable administrative security before application security or Java 2 Security can be enabled.
Configuration of new Federated Repositories selection, which allows multiple file-based and LDAP registries to be searched.
LTPA or SWAM (deprecated).
Cell-scoped configurations.
Show topology view for finer-grained scopes.
Periodic task configuration: monitoring for certificate expiration.
Careful: dynamically updates the runtime after changes are saved and sync'd.
Outbound endpoints are configured by "protocol name".
Select two keystores and exchange signers. Default keystores are managed in the configuration repository and synchronized to Nodes.
Exchange Signers: extract the personal certificate and move it over to the other keystore as a signer.
Certificate type.
Keystore management links.
Remotely managed indicates the keystore physically resides on a Node. An MBean request is sent for the certificate management updates.
Hardware devices used for acceleration would benefit from immediate initialization.
Same IKeyMan-like function except for the advanced "Replace" function. This allows the selection of a certificate to replace with a new one. It replaces all old signers. This is the same function used by the certificate expiration monitor to replace an expiring certificate.
With SPNEGO TAI support, after a user logs in to the MS domain controller, the Web browser client does not have to provide a user ID and password again to access protected resources in WebSphere Application Server.
A JAAS custom login module is used to map the client Kerberos principal name to the WebSphere user name.
Support for all user registries and platforms that are supported by WebSphere Application Server.
Support for one or more Microsoft (MS) domain controllers within the same forest.
Windows 2000/3 Server
-Dcom.ibm.ws.security.spnego.isEnabled=true
Administrator
Monitor
Deployer Role
Operation Required Role(s)
AdministrativeSecurityManager
Separates fine-grained administrative security and application administration.
When fine-grained administrative security is used, only users granted this role can manage the authorization groups.
Only users granted this role can map users to administrative roles.
Note that the administrator role does not correlate to the adminsecuritymanager role.
By default, the serverId (SystemId) is assigned to this role in the cell-level authorization table.
Backup
Create a Kerberos keytab file from the Active Directory (AD) machine:
Create a user name w2003secdev in AD and check the option "Use DES encryption types for this account".
Use the MS setspn tool to map the user name to the SPN format HTTP/<hostname>:
C:\MS SDK>setspn -a HTTP/w2003secdev.austin.ibm.com w2003secdev
Use the MS ktpass tool to generate the Kerberos keytab file krb5.keytab for the SPN:
ktpass -out c:\temp\krb5.keytab -princ HTTP/w2003secdev.austin.ibm.com@WSSEC.AUSTIN.IBM.COM -mapUser w2003secdev -mapOp set -pass security -crypto DES-CBC-MD5 +DesOnly
Copy the krb5.keytab file to the WebSphere Application Server machine, at the location specified in the Kerberos configuration file (krb5.ini or krb5.conf).
Note: The Windows 2003 server ktpass supports both DES and RC4-HMAC.
Make sure the client machine is part of a domain for which SSO has been defined. In the
following example, the machine w2003secdev.austin.ibm.com is a member of the domain
controller wssec.austin.ibm.com. Log on to the Windows Desktop with a user name from the
domain.