8/11/2019 715198882
IBM WebSphere Application Server v7.0 Security
Secure your WebSphere applications with Java EE and JAAS security standards
Omar Siliceo
enterprise publishing
Birmingham - Mumbai
Table of Contents
Preface 1
Chapter 1: A Threefold View of WebSphere Application Server Security 7
Enterprise Application-server infrastructure architecture view 8
Simple infrastructure architecture characteristics 9
Branded infrastructure elements 10
Generic infrastructure components 10
Using the infrastructure architecture view 11
WebSphere architecture view 11
WebSphere Application Server simplified architecture 12
WebSphere node component 13
WebSphere JVM component 13
Using the WebSphere architecture view 14
WebSphere technology stack view 14
OS platform security 14
Java technology security 16
WebSphere security 16
Using the technology stack view 17
Summary 17
Chapter 2: Securing the Administrative Interface 19
Information needed: Planning for security 20
The LDAP and security table 21
Enabling security 23
Setting the domain name 24
Starting at the console 24
Continuing with the global security page 24
Onto the SSO page 25
Setting the SSO domain name 26
Applying and saving your changes 26
Configuring the user registry 27
Locating the user registry configuration area 27
Registry type selection 28
LDAP - the preferred choice 29
Reviewing the resulting standalone LDAP registry page 29
Defining the WebSphere administrative ID 30
Setting the type of LDAP server 30
Entering the LDAP server parameters 30
Providing the LDAP bind identity parameters 31
Confirming other miscellaneous LDAP server parameters 32
Applying and saving the standalone LDAP configuration 32
Confirming the configuration 33
Enabling the administrative security 33
Locating the administrative security section 34
Performing the administrative security configuration steps 35
Applying and saving your changes 36
Propagating new configuration 36
Logging off from the console 37
Restarting the deployment manager 37
Logging in to the deployment manager console 38
Administrative roles 38
Disabling security 39
Summary 42
Chapter 3: Configuring User Authentication and Access 43
Security domains 44
What is a security domain 45
Scope of security domains 46
Benefits of multiple security domains 48
Limitations of security domains 48
Administrative security domain 49
Configuring security domains based on global security 50
Creating a global security domain clone 50
Creating a security domain using scripting 51
User registry concepts 53
What is a user registry 53
WebSphere use of user repositories 53
Authentication 54
Authorization 56
Supported user registry types 57
Local operating system 58
Standalone LDAP 59
Standalone custom registry 60
Federated repositories 60
Protecting application servers 62
WebSphere environment assumptions 62
Prerequisites 63
Creating an application server 63
Creating a virtual host 63
Creating application JDBC Provider and DataSource 63
Configuring the global security to use the federated user registry 64
Creating a security domain for the application server 64
Configuring user authentication 64
Creating groups 65
Creating users 67
Assigning users to groups 68
Configuring access to resources 69
Testing the secured application server environment 70
Deploying and securing an enterprise application 70
Accessing the secured enterprise application 72
Summary 73
Chapter 4: Front-End Communication Security 75
Front-end enterprise application infrastructure architectures 77
WebSphere horizontal cluster classic architecture 78
WebSphere horizontal cluster using dual-zone architecture 79
WebSphere horizontal cluster using multi-zone architecture 81
SSL configuration and management 82
What is SSL 83
How SSL works 83
Certificates and CAs 84
Securing front-end components communication 86
Securing the IBM HTTP Server 86
Environment assumptions 86
SSL configuration prerequisites 87
Creating the SSL system components 88
Configuring IHS for SSL 92
Summary 97
Chapter 5: Securing Web Applications 99
Securing web applications concepts 99
Developer view of web application security 100
Administrator view of web application security 100
Securing a web application 100
Project objectives 101
Assumptions 101
Prerequisites 102
Enterprise application architecture 102
Application groups 102
Application users 103
Application memberships 103
Dynamic web modules 106
Securing a J2EE web application 106
Creating the enterprise application project 106
Creating the dynamic web application projects 108
Configuring dynamic web applications 110
Configuring enterprise applications 116
Adding content to dynamic web applications 118
Packaging an enterprise application 125
Deploying the enterprise application 126
Testing the enterprise application 127
Summary 128
Chapter 6: Securing Enterprise Java Beans Applications 129
EJB application security concepts 130
Declarative security 130
Programmatic security 131
EJB project design 131
EJB application du jour 131
Objective-security 131
Objective-functional 131
Project design-UI aspect 132
Project design-programming component 134
Project design-implementation phase 137
EJB project prerequisites and assumptions 139
Project assumptions 139
Project prerequisites 140
Creating an Enterprise Application Project 141
Creating the project workspace 142
Enterprise application project requirements 142
EAR version 142
Target runtime 142
Creating the enterprise application project 142
Selecting the project EAR version 143
Creating a target runtime 143
Creating the deployment descriptor 143
Creating the portal Dynamic Web Project 144
Creating the portal DWP 144
Defining the DWP context root 144
Creating the DWP deployment descriptor 144
Configuring the portal DWP deployment descriptor 145
Defining the welcome pages suite 145
Adding login information 145
Securing protected URI patterns and HTTP methods 145
Defining application roles 146
Defining the client-server transport type 146
Mapping module to virtual host 146
Creating content for the portal DWP 146
Location of files within the project 147
Logical file organization 148
Creating the common HTML files 148
Creating the custom HTML files 150
Creating the JSP files 152
Pagelet selector JSP files 152
Portal home selector JSP files 156
Creating the Servlet PortalHomeSelectorServlet 157
Creating a Java package 157
Creating the Servlet 157
Creating the code for PortalHomeSelectorServlet 157
Package definition and import statements 158
Declaration of class constants and variables 158
HTTP methods 158
Getting parameters 159
Communicating with EJB 159
Forwarding control to another component 160
Creating an EJB project 161
Creating the initial project 161
Creating the Java packages 161
Creating the EJB interfaces 161
Creating IPortalSelectorSessionBean interface 161
Creating the local and remote EJB interfaces 162
Creating the EJB 163
Creating the code for PortalSelectorSessionBean 163
Package definition and import statements 163
Class definition 163
Instance variables 163
Linking to the user context 164
Programmatic security 164
Declarative security 165
The grand finale 166
Packaging the enterprise project as an EAR 166
Deploying the EAR 166
Testing the application 167
Summary 167
Chapter 7: Securing Back-end Communication 169
LDAP: Uses of encryption 171
Securing the LDAP channel 171
Protocol: LDAP and the Internet Protocol Suite 171
The importance of securing the LDAP channel 172
Choices in securing the LDAP channel 173
Enabling SSL for LDAP 173
Creating a key ring for storing key stores 174
Creating a trust db for storing trust stores 176
Creating a key store for use with LDAP 176
Creating a trust store to use with LDAP 177
Creating an SSL configuration for LDAP 178
Obtaining the LDAP server SSL certificate 178
Configuring LDAP for SSL 179
JDBC: WebSphere-managed authentication 180
Protocol(s) 180
The JDBC API 181
Connection/Driver Manager and Data Source/JDBC provider 181
The JDBC Application Layer 181
Choices to secure the database channel 182
Examples of securing the JDBC connection 182
Defining a new JDBC provider 184
Defining a new Data Source 185
Summary 186
Chapter 8: Secure Enterprise Infrastructure Architectures 187
The enterprise infrastructure 188
An Enterprise Application in relation to an Application Server 188
WAS infrastructure and EA's application server interactions 190
Securing the enterprise infrastructure using LTPA 192
Why use the LTPA mechanism 193
How the LTPA authentication mechanism works 194
The main use for LTPA in a WebSphere environment 195
Securely enhancing the user experience with SSO 196
Required conditions to implement SSO 197
Implementing SSO in WebSphere 198
Fine-tuning authorization at the HTTP server level 199
Why use an external access management solution 201
How it works 202
What tool to use 203
Configuring the HTTP server to use an external access management solution 207
Fine-tuning authorization at the WAS level 208
When to use TAI 208
Configuring SiteMinder ASA for WebSphere (TAI) 209
Summary 211
Chapter 9: WebSphere Default Installation Hardening 213
Engineering the how and where of an installation 216
Appreciating the importance of location, location, location! 217
Customizing the executable files location 217
Customizing the configuration files location 218
Camouflaging the entrance points 221
Understanding why it's important 222
Methodology choices 222
Identifying what needs to be configured 224
Getting started 226
Picking a good attorney 227
Ensuring good housekeeping of an installation 228
Keeping your secrets safe 228
Using key stores and trust stores 228
Storing passwords in configuration files 229
Adding passwords to properties files 230
Summary 232
Chapter 10: Platform Hardening 235
Identifying where to focus 235
Exploring the operating system 237
Appreciating OS interfaces 237
Understanding user accounts 238
Understanding service accounts 239
Using kernel modules 240
Creating the file system 240
Influencing permission and ownership using process execution 241
Running single execution mode 242
Using executables 242
Configuring 243
Setting ownerships and permissions on log files 244
Running multiple execution mode 244
Safeguarding the network system 246
Establishing network connections 247
Communicating from process to process 248
Summary 248
Chapter 11: Security Tuning and Troubleshooting 251
Tuning WebSphere security 251
Tuning general security 252
Tightening security using the administrative connector 252
Disabling security attribute propagation 253
Using unrestricted Java Cryptographic Extensions 254
Tuning CSIv2 connectivity 256
Using Active Authentication Protocol: Set it only to CSI 256
Enforcing client certificates using SSL 256
Enabling stateful sessions 259
Tuning user directories and user permissions 261
Configuring LDAP 261
Tuning user authentication 262
Troubleshooting WebSphere security-related issues 267
Troubleshooting general security configuration exceptions 267
Identifying problems with the Deployment Manager - node agent communication blues 267
Troubleshooting runtime security exceptions 270
Troubleshooting HTTPS communication between WebSphere Plug-in and Application Server 270
Receiving the message WSVR0009E / ORBX0390E: JVM does not start due to org.omg.CORBA.INTERNAL error 275
Concluding WebSphere security-related tips 277
Using a TAI such as SiteMinder: remove existing interceptors 278
Summary 279
Index 281