prev
next
out of 9

715198882

Embed Size (px)

Citation preview

  • 8/11/2019 715198882

    1/9

    IBM WebSphereApplication

    Server v7.0 Security

    Secure your WebSphere applications with Java EE and

    JAAS security standards

    Omar Siliceo

    enterprise^"publishing

    birmingham - mumbai

  • 8/11/2019 715198882

    2/9

    Table of Contents

    Preface 1

    Chapter 1: AThreefold View of WebSphere Application Server

    Security 7

    Enterprise Application-server infrastructure architecture view 8

    Simple infrastructure architecture characteristics 9

    Branded infrastructure elements 10

    Generic infrastructure components 10

    Using the infrastructure architecture view 11

    WebSphere architecture view 11

    WebSphere Application Server simplified architecture 12

    WebSphere node component 13

    WebSphere JVM component 13

    Using the WebSphere architecture view 14WebSphere technology stack view 14

    OS platform security 14

    Java technology security 16

    WebSphere security 16

    Using the technology stack view 17

    Summary 17

    Chapter 2: Securing the Administrative Interface 19

    Information needed: Planning for security 20

    The LDAP and security table 21

    Enabling security 23

    Setting the domain name 24

    Starting atthe console 24

    Continuing with the global security page 24

    Onto the SSO page 25

    Setting the SSO domain name 26

    Apply ing and saving your changes 26

  • 8/11/2019 715198882

    3/9

    Table ofContents

    Configuring the user registry 27

    Locating the user registry configuration area 27

    Registry type selection 28

    LDAPthe preferred choice

    29Reviewing the resulting standalone LDAP registry page 29

    Defining the WebSphere administrative ID 30

    Setting the type of LDAP server 30

    Entering the LDAP server parameters 30

    Providing the LDAP bind identity parameters 31

    Confirming other miscellaneous LDAP server parameters 32

    Applying and saving the standalone LDAP configuration 32

    Confirming the configuration 33

    Enabling the administrative security 33Locating the administrative security section 34

    Performing the administrative security configuration steps 35

    Applying and saving yourchanges 36

    Propagating new configuration 36

    Logging off from the console 37

    Restarting the deployment manager 37

    Logging in to the deployment manager console 38

    Administrative roles 38

    Disabling security 39

    Summary 42

    Chapter 3: Configuring User Authentication and Access 43

    Security domains

    What is a security domain

    Scope of security domains

    Benefits of multiple security domains

    Limitations of security domainsAdministrative security domain

    Configuring security domains based on global securityCreating a global security domain clone

    Creating a security domain using scripting

    User registry conceptsWhat is a u se r registry

    WebSphere use of user repositories

    Auth enti cati onAuthorization

    Supported user registry typesLocal operating system

    Standalone LDAP

    Standalone custom registry

    Federated repositories

    Protecting application servers

    44

    45

    46

    48

    48

    49

    50

    50

    51

    53

    53

    53

    54

    56

    57

    58

    59

    60

    60

    62

  • 8/11/2019 715198882

    4/9

    Table of Contents

    WebSphere environment assumptions 62

    Prerequisites 63

    Creating an application server 63

    Creating a virtual host 63

    Creating application JDBC Provider and DataSource 63

    Configuring the global security to use the federated user registry 64

    Creating a security domain forthe application server 64

    Configuring user authentication 64

    Creating groups 65

    Creating users 67

    Assigning users to groups 68

    Configuring access to resources 69

    Testing the secured application server environment 70

    Deploying and securing an enterprise application 70

    Accessin g the secured enterprise application 72

    Summary 73

    Chapter 4: Front-End Communication Security 75

    Front-end enterprise application infrastructure architectures 77

    WebSphere horizontal cluster classic architecture 78

    WebSphere horizontal cluster using dual-zone architecture 79

    WebSphere horizontal cluster using multi-zone architecture 81

    SSL configuration and management 82

    What is SSL 83

    How SSL works 83

    Certificates and CAs 84

    Securing front-end components communication 86

    Securing the IBM HTTP Server 86

    Environment assumptions 86

    SSL configuration prerequisites 87

    Creating the SSL system components 88

    Configuring IHS for SSL 92

    Summary 97

    Chapter 5: Securing Web Applications 99

    Securing web applications concepts 99

    Developer view of web

    application security 100Administrator view of web application security 100

    Securing a web application 100

    Project objectives 101

    Assumptions 101

    Prerequisites 102

    Enterprise application architecture 102

    Application groups 102

    Application users 103

  • 8/11/2019 715198882

    5/9

    Table of Contents

    Application memberships 103

    Dynamic web modules 106

    Securing a J2EE web application 106

    Creating the enterprise application project 106

    Creating the dynamic web application projects 108

    Configuring dynamic web applications 110

    Configuring enterprise applications 116

    Adding content to dynamic web applications 118

    Packaging an enterprise application 125

    Deploying the enterprise application 126

    Testing the enterprise application 127

    Summary 128

    Chapter 6: Securing Enterprise Java Beans Applications 129

    EJB application security concepts 130

    Declarative security 130

    Programmatic security 131

    EJB project design 131

    EJB application du jour 131

    Objective-security 131

    Objective-functional 131

    Project design-UI aspect 132

    Project design-programming component 134

    Project design-implementation phase 137

    EJB project prerequisites and assumptions 139

    Project assumptions 139

    Project prerequisites 140

    Creating an Enterprise Application Project 141

    Creating the projectworkspace 142

    Enterprise application project requirements 142

    EAR version 142

    Target runtime 142

    Creating the enterprise application project 142

    Selecting the project EAR version 143

    Creating a target runtime 143

    Creating the deployment descriptor 143

    Creating the portal Dynamic Web Project 144Creating the portal DWP 144

    Defining the DWP context root 144

    Creating the DWP deployment descriptor 144

    Configuring the portal DWP deployment descriptor 145

    Defining the welcome pages suite 145

    Adding login information 145

    Securing protected URI patterns and HTTP methods 145

    Defining application roles 146

    Defining the client-server transport type 146

  • 8/11/2019 715198882

    6/9

    Table ofContents

    Mapping module to virtual host 146

    Creating content for the portal DWP 146

    Location of files within the project 147

    Logical file organization 148

    Creating the common HTML files 148

    Creating the custom HTML files 150

    Creating the JSP files 152Pagelet selector JSP files 152

    Portal home selector JSP files 156

    Creating the Servlet PortalHomeSelectorServlet 157

    Creating a Java package 157

    Creating the Servlet 157

    Creating the code for PortalHomeSelectorServlet 157

    Package definition andimport statements 158

    Declaration of class constants and variables 158

    HTTP methods 158

    Getting parameters 159

    Communicating with EJB 159

    Forwarding control to another component 160

    Creating an EJB

    project 161Creating the initial project 161

    Creating the Java packages 161

    Creating the EJB interfaces 161Creating IPortalSelectorSessionBean interface 161

    Creating the local and remote EJB interfaces 162

    Creating the EJB 163

    Creating the code for PortalSelectorSessionBean 163

    Package definition and

    import statements 163Class definition 163

    Instance variables 163

    Linking to the user context 164

    Programmatic security 164Declarative security 165

    The grand finale 166

    Packaging the enterprise project as an EAR 166

    Deploying the EAR 166

    Testing the application 167

    Summary 167

    Chapter 7: Securing Back-end Communication 169

    LDAP: Uses of encryption 171

    Securing the LDAP channel 171Protocol: LDAP and the Internet Protocol Suite 171

    The importance of securing the LDAP channel 172

    Choices in

    securing the LDAP channel 173

  • 8/11/2019 715198882

    7/9

    Table of Contents

    Enabling SSL for LDAP 173

    Creating a key ring for storing key stores 174

    Creating a trust db for storing trust stores 176

    Creating a key store for use

    with LDAP 176Creating a trust store to use with LDAP 177

    Creating an SSL configuration for LDAP 178

    Obtaining the LDAP server SSL certificate 178

    Configuring LDAP for SSL 179

    JDBC: WebSphere-managed authentication 180

    Protocol(s) 180The JDBC API 181

    Connection/Driver Manager and Data Source/JDBC provider 181

    The JDBC Application Layer 181

    Choices to secure the database channel 182

    Examples ofsecuring the JDBC connection 182

    Defining a new JDBC provider 184

    Defining a new Data Source 185

    Summary 186

    Chapter 8: Secure Enterprise Infrastructure Architectures 187

    The enterprise infrastructure 188

    An Enterprise Application in relation to an Application Server 188

    WAS infrastructure and EA's application server interactions 190

    Securing the enterprise infrastructure using LTPA 192

    Why use the LTPAmechanism 193How the LTPA authentication mechanism works 194

    The main use for LTPA in a WebSphere environment 195

    Securely enhancing the user experience with SSO 196

    Required conditions to implement SSO 197

    Implementing SSO in WebSphere 198

    Fine-tuning authorization at the HTTP server level 199

    Why use an external access management solution 201How it works 202

    What tool to use 203

    Configuring the HTTP server to use an external access

    management solution 207

    Fine-tuning authorization at the WAS level 208When to use TAI 208

    Configuring SiteMinder ASA for WebSphere (TAI) 209

    Summary 211

    Chapter 9: WebSphere Default Installation Hardening 213

    Engineering the how and where of an installation 216

    Appreciating the importance of location, location, location! 217

  • 8/11/2019 715198882

    8/9

    Table of Contents

    Customizing the executable files location 217

    Customizing the configuration files location 218

    Camouflaging the entrance points 221

    Understanding why it's important 222

    Methodology choices 222

    Identifying what needs to be configured 224

    Getting started 226

    Picking a good attorney 227

    Ensuring good housekeeping of an installation 228

    Keeping your secrets safe 228

    Using key stores and trust stores 228

    Storing passwords in configuration files 229Adding passwords to properties files 230

    Summary 232

    Chapter 10: Platform Hardening 235

    Identifying where to focus 235

    Exploring the operating system 237

    Appreciating OS interfaces 237

    Understanding user accounts 238

    Understanding service accounts 239

    Using kernel modules 240

    Creating the file system 240

    Influencing permission and ownership using process execution 241

    Running single execution mode 242

    Using executables 242

    Configuring 243

    Setting ownerships and permissions on log files 244

    Running multiple execution mode 244

    Safeguarding the network system 246

    Establishing network connections 247

    Communicating from process to process 248

    Summary 248

    Chapter 11: Security Tuning and Troubleshooting 251

    Tuning WebSphere security 251

    Tuning general security 252Tightening security using the administrative connector 252

    Disabling security attribute propagation 253

    Using unrestricted Java Cryptographic Extensions 254

    Tuning CSIv2 connectivity 256

    Using Active Authentication Protocol: Set it only to CSI 256

    Enforcing client certificates using SSL 256

    Enabling stateful sessions 259

    Tuning user directories and user

    permissions 261Configuring LDAP 261

  • 8/11/2019 715198882

    9/9

    Table ofContents

    Tuning user authentication 262

    Troubleshooting WebSphere security-related issues 267

    Troubleshooting general security configuration exceptions 267

    Identifying problemswith the Deployment

    Managernode agent communication blues 267

    Troubleshooting runtime security exceptions 270

    Troubleshooting HTTPS communication between WebSphere Plug-in

    andApplication Server 270

    Receiving the message WSVR0009E / ORBX0390E: JVM does notstart due to

    org.omg.CORBA.INTERNAL error 275

    Concluding WebSphere security-related tips 277

    Using a TAI such as SiteMinder: remove existing interceptors 278

    Summary 279

    Index 281