
Websphere Portal V6.1 Security Overview


Page 1: Websphere Portal V6.1 Security Overview

© 2008 IBM

IBM WebSphere Portal Security Overview

Stefan Schmitt, WebSphere Portal Security Architect

Page 2: Websphere Portal V6.1 Security Overview

WebSphere Portal Technical Conference Europe 2008

Agenda

Part I: Introduction

Part II: Authentication and User Identity
- Authentication
- PUMA and VMM
- RememberMe and StepUp
- WAS Group Assertion
- Virtual Portal Security
- SSO – Credential Vault

Part III: Authorization and Security Infrastructure
- Portal Access Control & Membership
- WSRP Security
- Java 2 Platform Security
- Miscellaneous

Summary

Page 3: Websphere Portal V6.1 Security Overview


Part I: Portal Security Introduction

WebSphere Portal (WP) security is based on WebSphere Application Server (WAS) security.

WP security lets the portal leverage the following from WAS:
- J2EE Security
- Web Single-Sign-On (JAAS / TAI / LTPA)
- Java 2 Security
- Java Connector Architecture
- SSL / TLS support
- IBM JCE/JCE/JSSE libraries

WP security provides additional features in the following areas:
- Authorization
- Authentication customization
- User profile and group management
- Back-end Single Sign-On (Credential Vault)
- Security audit

Page 4: Websphere Portal V6.1 Security Overview


Portal Setup with Authentication Proxy

Page 5: Websphere Portal V6.1 Security Overview


Part II: Authentication and User Identities

Page 6: Websphere Portal V6.1 Security Overview


Portal Authentication

Page 7: Websphere Portal V6.1 Security Overview


Authentication

WP is a custom form-login application on WAS and relies on WAS to:

− intercept requests to the protected portal area
− do the authentication and provide the security context
− Global Security in WAS must be active

Portal picks up whatever user identity is established by WAS. All WAS authentication customization options therefore also apply to the portal:
- Authentication proxies and Trust Association Interceptors (e.g. TAM / WebSEAL)
- Custom JAAS login modules

Portal supports public code plug points for intercepting the portal login and session validation flow

Page 8: Websphere Portal V6.1 Security Overview


Portal and WAS Authentication "flow" (since version 6.1.x)

Diagram of the explicit login flow:
- A login via UI, XMLAccess or Scripting is submitted to the Portal login handler.
- The Portal login handler performs a JAAS login (Portal_LTPA) against WAS Security.
- WAS Security, using the WAS User Registry configuration (e.g. via admin console), goes to LDAP: search, "bind" (validate id/pw), fetch DN, fetch group memberships. Result: ID/PW okay?
- On success WAS establishes the WAS SecurityContext.
- The Portal login handler then retrieves the user through VMM: fetch attributes by DN (user profile), fetch nested group memberships. This lookup is independent of the WAS lookup but based on the DN from WAS.

Page 9: Websphere Portal V6.1 Security Overview


Portal and WAS Authentication "flow" (since version 6.1.x)

Diagram: the same explicit login flow as on the previous slide (login via UI, XMLAccess or Scripting → Portal login handler → JAAS login (Portal_LTPA) → WAS Security → LDAP search, "bind", fetch DN and group memberships → ID/PW okay? → WAS SecurityContext; then user retrieval through VMM by DN), with the Login Filter Chain Plug Point added: Explicit Login Filter 1 … Explicit Login Filter N run as part of the portal login handling.

Page 10: Websphere Portal V6.1 Security Overview


End user identity flow from TAI to WAS to WP

User identity must be "mappable" from the front-end security and the TAI (if present) to WAS and WP.

Path of least resistance: front end/TAI, WAS, and WP should all use the same user registry.

It is possible to map between different registries for the front end vs. WAS/WP:
- This is complex and leads to hard-to-debug problems.
- A TAI can assert a security shortname that WAS will "look up" using search.
- A TAI++ can set the end user identity, bypassing the lookup.
  • Portal still needs to be able to look up profile info for that user.

Except in VERY rare circumstances, WAS and WP should always use the same user registry.

Portal lookup is based on the "DN" from WAS.

Page 11: Websphere Portal V6.1 Security Overview


Portal and External Security (authentication)

Anything "in front of" WAS that does the authentication:
- The login dialog is conducted by the front-end security.
- It may use Portal to serve up the login page, but Portal no longer handles the login form submission.
- The front end asserts the already-authenticated end user identity to WAS.
  • Trust Association Interceptor (TAI) architecture
  • TAM has other options (LTPA junctions)

TAI is a WAS feature, not a Portal feature:
- Documented in the WAS InfoCenter
- Portal has no idea about the presence or absence of a TAI, or how WAS gets the user identity
- IBM only provides one (1) TAI – that for TAM/WebSEAL. ALL OTHER SECURITY VENDORS MUST PROVIDE THEIR OWN TAI.

Page 12: Websphere Portal V6.1 Security Overview


Portal and WAS and TAI Authentication "flow"

Diagram of the flow with an external security front-end:
- The login dialog is conducted by the Security Front-end; all id/pw validation is done by the front end.
- The front end asserts the identity to WAS Security through the TAI.
- WAS Security, using the WAS User Registry configuration (e.g. via admin console), looks the user up in LDAP: search, fetch DN, fetch group memberships ("WAS lookup okay").
- WAS establishes the WAS SecurityContext.
- Portal and VMM then fetch attributes by DN (user profile) and fetch nested group memberships. This is independent of the WAS lookup but based on the DN from WAS (from the TAI).

Page 13: Websphere Portal V6.1 Security Overview


Portal and WAS and TAI Authentication "flow"

Diagram: the same TAI flow as on the previous slide (login dialog and id/pw validation in the Security Front-end → identity asserted via TAI → WAS Security looks up DN and group memberships in LDAP → WAS SecurityContext; Portal and VMM then fetch attributes and nested group memberships by the DN from WAS), with the Implicit Login Filter Chain Plug Point added: Implicit Login Filter 1 … Implicit Login Filter N run when the portal picks up the externally authenticated user.

Page 14: Websphere Portal V6.1 Security Overview


Variation: New Federated Security Option in WAS 6.1

- VMM can be used as the security provider in WebSphere Application Server (Federated)
- Fully integrated in the WebSphere Admin Console
- Replaces the former WMM-UR option

Page 15: Websphere Portal V6.1 Security Overview


Portal and WAS Authentication "flow"

Diagram of the explicit login flow with the Federated option (VMM configured in WAS):
- A login via UI, XMLAccess or Scripting is submitted to the Portal login handler.
- The Portal login handler calls the WAS Security API (JAAS).
- WAS Security uses the VMM configuration in WAS; VMM goes to LDAP (one or more LDAP servers): search, "bind" (validate id/pw), fetch DN, fetch group memberships. Result: ID/PW okay?
- The Portal login handler then retrieves the user through VMM: fetch attributes by DN (user profile), fetch nested group memberships. This lookup is independent of the WAS lookup but based on the DN from WAS.
- The diagram also labels the former (WMMUR) path for comparison.

Page 16: Websphere Portal V6.1 Security Overview


Portal and WAS Authentication "flow"

Diagram: the same Federated flow as on the previous slide (login via UI, XMLAccess or Scripting → Portal login handler → WAS Security API (JAAS) → WAS Security with VMM configuration → LDAP search, "bind", fetch DN and group memberships → ID/PW okay?; then user retrieval through VMM by DN, independent of the WAS lookup; former WMMUR path labelled for comparison), with the Login Filter Chain Plug Point added: Explicit Login Filter 1 … Explicit Login Filter N.

Page 17: Websphere Portal V6.1 Security Overview


New Portal Login and Session Validation Filter API

Filter chains for:
- Explicit Portal Login (i.e. the login is triggered by Portal)
- Implicit Portal Login (i.e. authentication has been performed by an external authentication provider)
- Explicit Portal Logout
- Session Validation (to validate individual (authenticated) portal requests)
- Session Validation Timeout handling (for custom session timeout handling)

Custom filter implementations can be plugged in by adding the corresponding properties to AuthenticationService.properties

Page 18: Websphere Portal V6.1 Security Overview


New Portal Login and Session Validation Filter API

Page 19: Websphere Portal V6.1 Security Overview


New Portal Login and Session Validation Filter API

FilterChainContext can be used to pass parameters between filters and to specify redirect URLs


Page 22: Websphere Portal V6.1 Security Overview


HTTP Basic Auth TAI

Can be used to send an HTTP Basic Auth challenge for specific URLs and/or User Agents

Page 23: Websphere Portal V6.1 Security Overview


Portal AJAX Proxy

Diagram: the Browser loads an HTML Page containing an AJAX Portlet from the Domain A server (HTTP GET Domain A). The portlet's request to the Domain B server (HTTP GET Domain B) goes through the AJAX Proxy Server on Domain A, which only forwards to trusted sites.

Today's browsers prevent asynchronous requests to foreign domains for security reasons.

Example: your portlet is served from www.mycompany.com but your AJAX application tries to load a feed from cnn.com. This would be blocked by the browser.

Page 24: Websphere Portal V6.1 Security Overview


AJAX Proxy Server: Security Challenge

Diagram: Dieter's Travel Mashup Doc in your portal pulls content from the Car Rental Site, the Travel Agency Site and the Weather Service Site through the AJAX Proxy on WAS. Cross-domain AJAX requests are restricted by the browser security model.

... an unsecured AJAX Proxy would expose me to danger ...

Page 25: Websphere Portal V6.1 Security Overview


Mash-up Security Risk

Diagram: Dieter's Travel Mashup Doc in your portal aggregates the Car Rental Site, the Travel Agency Site and the Weather Service Site; a credit card number ("credit#") is entered into one of the fields.

Weather site is hacked or malicious:
- Markup provided by the Weather site can serve active content at will, e.g. steal cookies / security tokens or all information from the mashup DOM (e.g. credit card info entered in a field in the travel agency site)

3rd party content is now served from your portal:
- Copyright issues (Weather service serves stolen weather data)
- Infected data (e.g. containing a virus)
- Illegal data (e.g. offensive content)

Same issue with:
- malicious ATOM feeds
- including a portlet via WSRP
- client side mash-up via AJAX

Page 26: Websphere Portal V6.1 Security Overview


Portal AJAX Proxy Server guards my credit card number

Diagram: the Car Rental Site, Travel Agency Site and Weather Service Site are reached from Dieter's Travel Mashup Doc in your portal only through the AJAX Proxy on WAS, which enforces an admin-controlled Security Policy.

Security Policy
- Filtering based on: URL, HTTP action, mime-type, requesting user
- Maintained by the Security Administrator

The Weather Site is not on the trusted server list.

Page 27: Websphere Portal V6.1 Security Overview


AJAX Proxy Configuration

The AJAX proxy security policy is specified in XML.

Request filtering based on:
- URL
- HTTP action
- mime-type
- Requesting user

Cookie forwarding can be enabled.

Planned for a future version: Active Content Filtering enforcement

Page 28: Websphere Portal V6.1 Security Overview


AJAX Proxy: sample policy
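The sample policy on this slide is a screenshot and not reproduced here. As an added illustration (written for this page, not IBM's proxy-config format or code), the block below models the policy the previous slides describe as a default-deny allow-list evaluated per outbound request: a rule must match the target URL, the HTTP action and the requesting user, and the remote site's mime-type is checked on the way back. The rules, hosts and user names are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed policy modelled on the slides' filter criteria (URL, HTTP action,
# mime-type, requesting user). This is NOT the product's XML policy format.
POLICY = [
    {"url": "https://travel.example.com/*", "methods": {"GET", "POST"},
     "mime": {"application/json", "text/xml"}, "users": "*"},
    {"url": "https://cars.example.com/api/*", "methods": {"GET"},
     "mime": {"application/json"}, "users": {"dieter", "alice"}},
]
# The weather site from the slides is deliberately absent: default deny.


@dataclass
class ProxyRequest:
    user: str           # requesting portal user ("anonymous" if not logged in)
    method: str         # HTTP action
    url: str            # target URL the mash-up wants to reach
    response_mime: str  # Content-Type the remote site answered with


def _url_matches(pattern: str, url: str) -> bool:
    """Scheme and host must match exactly; only the path is a glob. A wildcard
    host would let travel.example.com.evil.test through, so it is not allowed."""
    p, u = urlsplit(pattern), urlsplit(url)
    if p.scheme != u.scheme or p.netloc.lower() != u.netloc.lower():
        return False
    return fnmatchcase(u.path or "/", p.path or "/")


def find_rule(policy, req: ProxyRequest):
    """First rule matching target URL, HTTP action and requesting user, else None."""
    for rule in policy:
        if _url_matches(rule["url"], req.url) and req.method.upper() in rule["methods"]:
            if rule["users"] == "*" or req.user in rule["users"]:
                return rule
    return None


def decide(policy, req: ProxyRequest) -> tuple:
    """Return (allowed, reason). Untrusted sites never get proxied, and an
    allowed site answering with an unexpected mime-type (e.g. text/html that
    could carry active content into the mash-up DOM) is blocked as well."""
    rule = find_rule(policy, req)
    if rule is None:
        return False, "no matching trusted-site rule"
    mime = req.response_mime.split(";")[0].strip().lower()
    if mime not in rule["mime"]:
        return False, f"mime type {mime} not permitted for this site"
    return True, "allowed"
```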

Page 29: Websphere Portal V6.1 Security Overview


PUMA and VMM

Page 30: Websphere Portal V6.1 Security Overview


PUMA and VMM

Now two public APIs: PUMA within Portal, VMM within WAS

What is VMM?
- Virtual Member Manager supersedes WMM
- Fully integrated in WebSphere Application Server

Why PUMA?
- Fine-grained access control on users and groups
- Portal virtual principals (Anonymous, All Authenticated, ...)
- VP and realm awareness
- REST API

Page 31: Websphere Portal V6.1 Security Overview


User Registry Integration – From WMM to VMM

Diagram: in Portal, PUMA (public since v5101) sits on top of WMM. WMM talks either to LDAP or to a DB (optionally LDAP + DB), or, through the UR Adaptor, to the WAS User Registry (UR), which in turn is backed by LDAP or DB. The UR adaptor is a non-public plug-point used with AECI.

Page 32: Websphere Portal V6.1 Security Overview


VMM Integration in WP V6.1

Diagram: in Portal, the PUMA SPI (public since v5101) and the REST API sit on top of VMM, which is now a public plug-point. VMM in WAS (Federated) dispatches to the WAS Security registries: LDAP, a second LDAP, DB, Custom, or the UR Adaptor.

Page 33: Websphere Portal V6.1 Security Overview


Multiple LDAP support (since 6.0)

Requires Federated Security

VMM can dispatch calls to multiple user registries

Realms can point to a (subset of a) specific user registry or to (subsets of) multiple user registries

User IDs need to be unique across all registries

Diagram: a Portal Server with realm = portal spanning Acme, Supplier and Customer; VMM dispatches to the LDAP for ACME, the LDAP for Customer and the LDAP for Supplier. Realm = customer and realm = supplier each point to a single registry.

Page 34: Websphere Portal V6.1 Security Overview


External Id (extId) Mapping in VMM

Starting with WP 6.0, roles are no longer tied to the DN of the user but to another unique ID (ExtID).

The VMM ExtID is an opaque, unique, static, and never-to-be-reused attribute of each user and group.

The Portal administrator can map the VMM ExtID to an attribute of his choice (e.g. objectGUID, DN, email address, …).

Portal default configuration: Portal by default uses the standard unique id defined by the common LDAP vendors. All supported LDAP vendors have such an attribute (e.g. objectGUID for MSAD).

ExtID changes are now possible through the XMLAccess Extended Cleanup User task to rebind uniqueIds.

Page 35: Websphere Portal V6.1 Security Overview


New in 6.1: User Profile REST Service

Provides ATOM feeds for:
- Defined user/group attributes
- User/group profiles
- User/group searches
- Group membership

Supports CRUD operations through the ATOM Publishing Protocol (APP):
- Create user/group
- Delete user/group
- Update user/group profile
- Add user to group
- Remove user from group

Supports virtual portal realms

Page 36: Websphere Portal V6.1 Security Overview


Sample: Feed of defined user attributes

http://<portal_host>:<portal port>/<portal context root>/um/secure/attributes/users

Page 37: Websphere Portal V6.1 Security Overview


Sample: User search result feed

http://<portal_host>:<portal port>/<portal context root>/um/secure/users/profiles?searchAttributes=uid%3DA*

Page 38: Websphere Portal V6.1 Security Overview


Sample: User profile

http://<portal_host>:<portal port>/<portal context root>/um/secure/users/profiles/<user id>

Page 39: Websphere Portal V6.1 Security Overview


Group Assertion

Page 40: Websphere Portal V6.1 Security Overview


New in 6.1: Reuse Group information from WebSphere (aka. Group Assertion)

The WebSphere TAI++ plug point allows an external security manager to assert the user's group membership information to the WAS Security runtime.

The same thing can be done using custom JAAS login modules.

Portal 6.1 can be configured to use the asserted group information for access control checks instead of always retrieving group information from VMM.

Result: consistent group-based authorization throughout the whole WAS security domain.

Page 41: Websphere Portal V6.1 Security Overview


Reuse Group information from WebSphere (aka. Group Assertion)

Diagram: an Authentication Proxy (WebSEAL, SiteMinder) asserts the identity through the TAI and JAAS into WAS Security; WP runs on top of WAS. The proxy can "get user id and group membership" from LDAP and pass both along, while WP retrieves user/group profile information from VMM (but no group membership). The question mark marks the choice: use the asserted groups, or let VMM "retrieve groups" as before.

Page 42: Websphere Portal V6.1 Security Overview


StepUp Authentication and Remember Me

Page 43: Websphere Portal V6.1 Security Overview


StepUp and RememberMe

RememberMe Cookie
- A persistent cookie allows the portal to recognize the user without login
  • Portal can show a personalized welcome page
- If RememberMe support is activated, the portal login portlet shows a checkbox for setting the cookie
- If the cookie is present, the portal treats the user as "identified" but not yet "authenticated"
  • The user can only see resources available for the anonymous user
- Access to protected resources requires the user to authenticate.

StepUp Software Framework
- Enables you to plug in custom code for enforcing additional authentication levels for specific resources
  • E.g. enforce SSL for specific services, or client side certificates, …
- Available for Pages and Portlets

Administration
- The required authentication strength can be managed using the Resource Permission Portlet and XmlAccess
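The two states this slide distinguishes (identified by cookie vs. authenticated) and the per-resource authentication level can be modelled as two separate checks: portal access control decides on identity alone, and the step-up framework then enforces the level assigned to the page or portlet. The block below is an added example written for this page, not WebSphere Portal's own code or API; the resource list, user names, level names and the boolean standing in for the RememberMeConfigService.properties setting are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Principal:
    user: Optional[str] = None             # None = anonymous user
    source: str = "none"                   # "none", "rememberme" (cookie only) or "login"
    levels: FrozenSet[str] = frozenset()   # authentication levels already satisfied


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_users: FrozenSet[str]          # constructed stand-in for PAC role assignments
    anonymous_allowed: bool = False        # e.g. the welcome page or the login portlet
    required_level: Optional[str] = None   # custom level set via Resource Permissions / XMLAccess


@dataclass(frozen=True)
class RememberMeConfig:
    # Constructed stand-in for the choice made in RememberMeConfigService.properties:
    # does the remember-me cookie establish a WAS security context or not?
    creates_security_context: bool = False


def is_identified(p: Principal) -> bool:
    """Identified = recognised by cookie or logged in; enough for personalization."""
    return p.source in ("rememberme", "login")


def is_authenticated(p: Principal, cfg: RememberMeConfig) -> bool:
    """Authenticated from the access-control point of view: a real login, or a
    remembered identity when the cookie is configured to create a security context."""
    return p.source == "login" or (p.source == "rememberme" and cfg.creates_security_context)


def welcome_text(p: Principal) -> str:
    """The personalized welcome page an identified user sees."""
    return f"Welcome back, {p.user}" if is_identified(p) else "Welcome, guest"


def decide(p: Principal, res: Resource, cfg: RememberMeConfig) -> str:
    """Return 'serve', 'login_required', 'forbidden' or 'stepup:<level>'.

    1. Access control checks identity only (it is agnostic of the authentication
       level): an identified-but-not-authenticated user gets what the anonymous
       user gets, so protected resources trigger a login.
    2. The step-up framework then enforces the resource's custom level, if any,
       by issuing the custom authentication challenge.
    """
    if not is_authenticated(p, cfg):
        if not res.anonymous_allowed:
            return "login_required"
    elif p.user not in res.allowed_users:
        return "forbidden"
    if res.required_level and res.required_level not in p.levels:
        return f"stepup:{res.required_level}"
    return "serve"
```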

Page 44: Websphere Portal V6.1 Security Overview


The My Bookmarks page recognizes the remember-me cookie of an unauthenticated user.

The remember-me cookie can be configured to establish a WAS security context, or not, in RememberMeConfigService.properties.

Portal access control is agnostic of the current authentication level

wps/portal/mybookmarks

Page 45: Websphere Portal V6.1 Security Overview


The remember-me cookie can be configured to create a WAS security context.

Access control is then enforced based on the remembered user identity.

wps/myportal/mybookmarks

Page 46: Websphere Portal V6.1 Security Overview


Custom Authentication Level Sample

1. A custom authentication level is assigned to the "Feeds" page
2. Custom authentication challenge
3. The page is served on successful authentication only

Page 47: Websphere Portal V6.1 Security Overview


StepUp and RememberMe Admin

Define authentication levels on portlets and pages via the administration portlet, or via XMLAccess (screenshots; callout: "your auth level appears here ...").

Page 48: Websphere Portal V6.1 Security Overview


StepUp and RememberMe Framework


Page 51: Websphere Portal V6.1 Security Overview


StepUp and RememberMe Framework - Configuration

Page 52: Websphere Portal V6.1 Security Overview


Virtual Portal Security

Page 53: Websphere Portal V6.1 Security Overview


Virtual Portals

A virtual portal is a “separate” portal within a portal

Separate base URL, separate anonymous pages and login facility

Some portal resources are scoped to individual VPs (e.g. Pages)

Each individual virtual portal can be assigned a specific VMM realm

Diagram: URL mappings www.ibm.com/wps/portal/green, www.ibm.com/wps/portal/blue and www.ibm.com/wps/portal/yellow lead to the root pages of Virtual Portal 1, Virtual Portal 2 and Virtual Portal 3 in the navigation, with realm green, realm blue and realm yellow respectively.

Page 54: Websphere Portal V6.1 Security Overview


VMM Realm-based Virtual Portal Security

Each virtual portal is assigned a VMM user realm

The realm defines a subset of the entries in the user registries

Portal only allows members of the associated realm to access resources within the corresponding VP (e.g. Pages)

Multiple realm support requires Federated Security

From a WAS perspective there is SSO between all VPs.

Authenticated users get redirected to the VP-specific login page if they try to access a VP from outside the associated realm (i.e. if they are not part of the realm associated to that VP).

Page 55: Websphere Portal V6.1 Security Overview


URL-prefix based Virtual Portal Security

Each virtual portal can be assigned a unique URL prefix (e.g. “/wps/portal/yellow”)

Portal can be configured to guarantee that pages contained in a specific VP can only be accessed by URLs that contain the corresponding VP URL prefix

Those URLs can be used to do URL-pattern-based access control in reverse proxy servers (e.g. TAM/WebSEAL). Remark: this allows e.g. leveraging TAM POPs for VP-specific pages.
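The realm-based and the URL-prefix-based checks of the last two slides, together with the multi-registry realms of the VMM slide, can be modelled in one place. The block below is an added example written for this page, not IBM's VMM or Portal code; the federated registries, DNs, realm definitions, virtual portals, page-to-VP mapping and the `/login` path appended to a VP prefix are all constructed.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed federated registries: registry name -> {uid: DN}. VMM dispatches
# to all of them, so user IDs must be unique across registries.
REGISTRIES: Dict[str, Dict[str, str]] = {
    "ldap_acme":     {"dieter": "uid=dieter,ou=staff,o=acme",
                      "anna":   "uid=anna,ou=contractors,o=acme"},
    "ldap_customer": {"carl":   "uid=carl,o=customer"},
    "ldap_supplier": {"sven":   "uid=sven,o=supplier"},
}

# A realm is a list of (registry, base entry) subsets: "portal" spans all
# three registries, "green" is a subset of a single registry.
REALMS: Dict[str, List[Tuple[str, str]]] = {
    "portal":   [("ldap_acme", "o=acme"), ("ldap_customer", "o=customer"),
                 ("ldap_supplier", "o=supplier")],
    "customer": [("ldap_customer", "o=customer")],
    "supplier": [("ldap_supplier", "o=supplier")],
    "green":    [("ldap_acme", "ou=staff,o=acme")],
}

# Virtual portals with their assigned VMM realm and unique URL prefix.
VIRTUAL_PORTALS = {
    "green":    {"realm": "green",    "prefix": "/wps/portal/green"},
    "customer": {"realm": "customer", "prefix": "/wps/portal/customer"},
}
# Pages are scoped to one VP (constructed mapping).
PAGES = {"home_green": "green", "orders": "customer"}


def duplicate_uids(registries=REGISTRIES) -> Set[str]:
    """User IDs that occur in more than one registry; must be empty."""
    seen: Dict[str, str] = {}
    dups: Set[str] = set()
    for reg, users in registries.items():
        for uid in users:
            if uid in seen and seen[uid] != reg:
                dups.add(uid)
            seen.setdefault(uid, reg)
    return dups


def lookup(uid: str, registries=REGISTRIES) -> Optional[Tuple[str, str]]:
    """VMM-style dispatch: find (registry, DN) for a uid across all registries."""
    for reg, users in registries.items():
        if uid in users:
            return reg, users[uid]
    return None


def _under(dn: str, base: str) -> bool:
    """True if `dn` is the base entry itself or lies beneath it."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def in_realm(uid: str, realm: str) -> bool:
    """Is the user's entry inside one of the realm's registry subsets?"""
    hit = lookup(uid)
    if hit is None:
        return False
    reg, dn = hit
    return any(reg == r and _under(dn, base) for r, base in REALMS[realm])


def route(path: str, page: str, uid: Optional[str]) -> str:
    """How the portal answers a request for `page` under URL `path` from user
    `uid` (None = anonymous): 'serve', 'redirect:<VP login page>' or
    'not_found' when the URL prefix does not belong to the page's own VP."""
    vp_name = next((n for n, vp in VIRTUAL_PORTALS.items()
                    if path == vp["prefix"] or path.startswith(vp["prefix"] + "/")), None)
    if vp_name is None or PAGES.get(page) != vp_name:
        return "not_found"                 # URL-prefix based VP security
    vp = VIRTUAL_PORTALS[vp_name]
    if uid is not None and not in_realm(uid, vp["realm"]):
        return f"redirect:{vp['prefix']}/login"   # authenticated, but outside the realm
    return "serve"
```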

Page 56: Websphere Portal V6.1 Security Overview


Portal Backend SSO(The Credential Vault)

Page 57: Websphere Portal V6.1 Security Overview


Portal Single Sign-On Realms

Diagram: a client (e.g. a web browser) reaches the Portal-Server through an Authentication Proxy; this front part is covered by Web SSO (LTPA, TAI, JAAS). Portlets on the Portal-Server connect to Web-Application 1, Web-Application 2 and Back-End Applications 1 to 3; this part is covered by Back-End SSO. The same person, John Doe, is known under different identities on the way: john.doe at the proxy, the portal and the web applications, DoeJ, John and PN:1234567 at the back-end applications.

Page 58: Websphere Portal V6.1 Security Overview


Overview: Portal Single Sign-On

Client-to-Web Application SSO
- Application server built-in SSO support (LTPA)
- Authentication proxy SSO support (WAS Trust Association Interceptors)
- WAS (therefore Portal) support for Federated Identity (Liberty/SAML) via WebSEAL or another front-end security service, brought in to WAS via TAI or another mechanism

Portal-to-Back End SSO
- Portal Credential Vault
  • Credential Vault Portlet Service and Active and Passive Credential Objects
  • Credential Vault Adapter SPI
  • Default simple DB storage vault implementation
- ConnectionFactories provided via JCA / WAS

Page 59: Websphere Portal V6.1 Security Overview


Windows Desktop to Portal Front-End SSO

Supported out-of-the-box by WAS 6.1 through the SPNEGO TAI

Supported by Portal 6.1

Also supported out-of-the-box by Tivoli Access Manager: WebSEAL supports SPNEGO, and the id is passed to WAS via the standard TAI. SiteMinder can do this too.

Page 60: Websphere Portal V6.1 Security Overview

Portal to Backend SSO: WP Credential Vault

Diagram: Portlets call the Credential Portlet Service; behind the Vault Adapter Interface sit the TAM Adapter (backed by the TAM GSO Lockbox), a Custom Adapter (Custom Vault) and the Default Adapter (Default Vault Impl., with a crypto exit).

+ A Portlet Service for storing and retrieving SSO credentials including the user's JAAS Subject that was built during login.

+ A vault adapter interface to integrate vault implementations like the Tivoli Access Manager Global Sign-On Lockbox

+ A basic default vault implementation
- base64 encoding
- public encryption exit
- migration challenge

Page 61: Websphere Portal V6.1 Security Overview


Part III: Authorization and Security Infrastructure

Page 62: Websphere Portal V6.1 Security Overview


What is Access Control (aka. Authorization)?

Diagram: Authentication yields a unique user ID. Actions (examples: view, edit, delete) are performed on Portal Resources (examples: page, portlet).

Who is allowed to perform which action on which resource?

Page 63: Websphere Portal V6.1 Security Overview


Anonymous Access

Screenshot callouts:
- The anonymous user is allowed access to the Welcome Page
- The anonymous user is allowed access to the Login Portlet
- The anonymous user is allowed access to an Information Portlet

Page 64: Websphere Portal V6.1 Security Overview


Anonymous Access

User Logs in ...

Page 65: Websphere Portal V6.1 Security Overview


Personalized Access

- Bob sees additional pages
- Bob is allowed to create and personalize private pages
- Bob sees other portlets on the welcome page

Page 66: Websphere Portal V6.1 Security Overview


Personalized Access

Now a more privileged user logs in ...

Page 67: Websphere Portal V6.1 Security Overview


Personalized Access

Alice is allowed to do more things with the Welcome page

Alice sees other portlets on the page

Page 68: Websphere Portal V6.1 Security Overview


Role Concept

Diagram: a Role (e.g. Editor, Manager) consists of Permissions, each an Action plus a Resource (e.g. Delete StocksPortlet). A Role Assignment links a role to a User or User Group from the User Subsystem (WMM).

Page 69: Websphere Portal V6.1 Security Overview


Portal Role Types

- Users are allowed to view portal resources
- Privileged Users are allowed to create and personalize private resources
- Contributors are allowed to create new shared resources
- Editors are allowed to create and edit shared resources
- Managers are allowed to create, edit, and delete shared resources
- Delegators are allowed to grant access to other principals
- Security Administrators are allowed to grant access on a resource to other principals
- Administrators are allowed to do everything

Diagram: the role type hierarchy (Administrator, Security Administrator, Manager, Editor, Contributor, Delegator, Privileged User, User).

Page 70: Websphere Portal V6.1 Security Overview


Protected Resource Hierarchy

Diagram: the Protected Resource Hierarchy is a tree whose top is the virtual root resource "root". Below it are the virtual resources "page root" (with page 1, page 3, page 4, page 5, page 6 and the Teller page among its descendants), "app root" (with app 2, the Teller app, portlet 1 and portlet 2) and "External AZN". Legend: Virtual Resource; Protected Resource; Virtual root resource of the protected resource hierarchy.

Page 71: Websphere Portal V6.1 Security Overview


Role Instances

Diagram: the same Protected Resource Hierarchy with role instances attached, e.g. Administrator at root, Manager at page 1 (annotated "WP role instance: Manager@page1"), Editor at page 3, Editor at the Teller page, Editor at portlet 2, and a User role instance. The Teller page is annotated "Domain Root Resource for Editor@Teller page" and carries an "Inheritance Block for roles of type Editor". Legend: Virtual Resource; Protected Resource; Virtual root resource of the protected resource hierarchy.

Page 72: Websphere Portal V6.1 Security Overview


Creation of Shared Resources

Diagram: a resource tree o1, o2, o3, o4, o5 (o1 at the top). An explicit role assignment Manager exists at o1; by inherited role extension Manager also applies to o2, o3, o4 and o5. createSharedResource(o5) creates the new resource o6 below o5; o6 gets the inherited Manager role plus an Owner relationship for the creating user.

- A user creates a shared resource
- The user that created the resource becomes the owner of the resource
- This owner relationship grants specific permissions on the corresponding resource
- Ownership can be transferred
- Owner permissions are never subject to inheritance

Page 73: Websphere Portal V6.1 Security Overview


Private Resources

- Users can be granted privileges to create private pages
- The user that created the private page becomes the owner of the new page
- Private resources are visible only for the owner of the resource
- Private resources do not inherit any roles from their ancestor nodes
- Private resources are deleted explicitly by the owner or automatically when the creator is removed from the portal

Diagram: a page tree page1, page2, page3, page4, page5 (page1 at the top). An explicit role assignment Privileged User exists at page1 and is inherited by page2 to page5. createPrivatePage(page5) creates the private resource page6 below page5; page6 has only an Owner relationship and inherits no roles.
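The rules of the last four slides (roles inherited down the protected resource hierarchy, inheritance blocks per role type that make a resource the domain root for that type, owner permissions that are never inherited, and private resources that inherit nothing) can be checked against a small model. The block below is an added example written for this page, not Portal Access Control's code; the resource names mirror the slides' diagrams, while the action names, the owner permission set and the user and group names are constructed.

```python
from typing import Dict, Optional, Set, Tuple

# Role types and the actions they permit, following the "Portal Role Types"
# slide; the action identifiers themselves are constructed for this model.
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "User":                   {"view"},
    "Privileged User":        {"view", "create_private", "personalize"},
    "Contributor":            {"view", "create_shared"},
    "Editor":                 {"view", "create_shared", "edit"},
    "Manager":                {"view", "create_shared", "edit", "delete"},
    "Delegator":              {"grant"},
    "Security Administrator": {"grant"},
    "Administrator":          {"view", "create_private", "personalize",
                               "create_shared", "edit", "delete", "grant"},
}
OWNER_ACTIONS = {"view", "edit", "delete"}   # constructed stand-in for owner permissions


class ProtectedResourceHierarchy:
    def __init__(self) -> None:
        self.parent: Dict[str, Optional[str]] = {"root": None}
        self.private: Set[str] = set()
        self.owner: Dict[str, str] = {}
        # explicit role assignments: (role type, resource) -> users or groups
        self.assignments: Dict[Tuple[str, str], Set[str]] = {}
        # inheritance blocks: resource -> role types whose inheritance stops here
        self.blocks: Dict[str, Set[str]] = {}
        self.groups: Dict[str, Set[str]] = {}   # user -> group memberships

    def add(self, res: str, parent: str, private: bool = False,
            owner: Optional[str] = None) -> None:
        self.parent[res] = parent
        if private:
            self.private.add(res)
        if owner:
            self.owner[res] = owner

    def assign(self, role_type: str, res: str, principal: str) -> None:
        self.assignments.setdefault((role_type, res), set()).add(principal)

    def block(self, res: str, role_type: str) -> None:
        self.blocks.setdefault(res, set()).add(role_type)

    def _principals(self, user: str) -> Set[str]:
        return {user} | self.groups.get(user, set())

    def effective_roles(self, user: str, res: str) -> Set[str]:
        """Role types `user` holds on `res`: assignments on the resource itself
        plus those inherited from ancestors, unless a block for that role type
        sits between the ancestor and the resource. Private resources inherit
        nothing from their ancestors."""
        who = self._principals(user)
        roles: Set[str] = set()
        blocked: Set[str] = set()
        node: Optional[str] = res
        while node is not None:
            for rtype in ROLE_ACTIONS:
                if rtype not in blocked and who & self.assignments.get((rtype, node), set()):
                    roles.add(rtype)
            # a block at `node` only stops role types assigned strictly above it,
            # so an assignment at the block itself (the domain root) still counts
            blocked |= self.blocks.get(node, set())
            if node in self.private:
                break
            node = self.parent.get(node)
        return roles

    def is_allowed(self, user: str, action: str, res: str) -> bool:
        if self.owner.get(res) == user and action in OWNER_ACTIONS:
            return True                      # owner permissions, checked on the resource only
        return any(action in ROLE_ACTIONS[r] for r in self.effective_roles(user, res))


def build_sample() -> ProtectedResourceHierarchy:
    """Constructed hierarchy mirroring the page root / Teller page diagrams."""
    h = ProtectedResourceHierarchy()
    for res, parent in [("page root", "root"), ("page 1", "page root"),
                        ("page 3", "page 1"), ("page 4", "page 3"),
                        ("Teller page", "page root"), ("app root", "root"),
                        ("Teller app", "app root"), ("portlet 1", "Teller app")]:
        h.add(res, parent)
    h.add("eve private", "page 1", private=True, owner="eve")
    h.groups["frank"] = {"admins"}
    h.assign("Administrator", "root", "admins")
    h.assign("User", "page root", "carol")
    h.assign("Editor", "page root", "carol")
    h.assign("Manager", "page 1", "alice")
    h.block("Teller page", "Editor")          # Teller page becomes a domain root for Editor
    h.assign("Editor", "Teller page", "dave")
    return h
```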

Page 74: Websphere Portal V6.1 Security Overview


Access Control Administration

- Portal Scripting
- Administration Portlets
- XmlAccess

Page 75: Websphere Portal V6.1 Security Overview


Portal Membership Model

Page 76: Websphere Portal V6.1 Security Overview


What are Composite Applications?

Diagram: a Composite Application consists of an Application Context, a Community, a User Interface, Business Objects and Business Components (Content Documents (JCR), Domino, ERP, …).

Page 77: Websphere Portal V6.1 Security Overview


Templates and Applications

Diagram: an Application Instance (Business Objects, Community, Portal Objects, Application Context) is serialized into a Template; instantiating the template, filling its points of variability (PoVs), creates further Application Instances with the same structure.

Template XML
• contains the blueprint to easily create another instance of that application
• describes visual and non-visual business components and their relationships
• allows for points of variability to be filled out during instantiation

Page 78: Websphere Portal V6.1 Security Overview


Membership Management

Business User: Application Owner


Page 81: Websphere Portal V6.1 Security Overview


Application Role Mappings

E.g.: Custom Debug Application

Diagram: Users / Groups are mapped to Application Roles (Admin, Operator, Analyst, Developer, ...). Through the Role Mapping (Membership), each application role aggregates Component Roles (e.g. Admin, User) exposed by the Business Components: the Insight Portlet, the XML Import Portlet and the External Trace Analyzer.

Page 82: Websphere Portal V6.1 Security Overview


Manage Application Roles

Business User: Template Editor or Application Owner

Page 83: Websphere Portal V6.1 Security Overview


E.g.: Create an additional „Manager“ Role

[Screenshot callouts:]

Application Role name ... and description

this role shall contain delegation privileges

this role shall contain Manager privileges for the Insight portlet component

Component roles exposed by the Enable Tracing component

Page 84: Websphere Portal V6.1 Security Overview

New application role has been created ...

Page 85: Websphere Portal V6.1 Security Overview

Business Users can use the new role …

Business User: Application Owner

Page 86: Websphere Portal V6.1 Security Overview

Application Roles & Membership

WebSphere Portal 6.0 features an infrastructure for composite applications

Each application consists of a set of business components

Business components expose component roles as appropriate for the corresponding business domain

Component roles exposed by one or more business components can be aggregated into application roles

Application roles can be assigned to users and groups

A user being assigned a specific application role is considered a member of the corresponding application instance

There are administration portlets for application role management (i.e. create, modify, delete, update application roles) and membership management

Application instances can be serialized into templates; application roles are part of the template
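A toy model of the role structure just described, added here as an example and not code from the presentation or the product: business components expose component roles, application roles aggregate them, and assigning an application role to a user or group makes the user a member of the instance. Component and role names are taken from the Custom Debug Application example on slide 81; all mappings other than the Admin role, the group names and the Manager component role are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Application:  # one composite application instance (constructed model, not product code)
    name: str
    components: dict[str, set[str]]   # business component -> component roles it exposes
    app_roles: dict[str, set[tuple[str, str]]] = field(default_factory=dict)
    assignments: dict[str, set[str]] = field(default_factory=dict)  # app role -> principals

    def add_app_role(self, role: str, mappings: set[tuple[str, str]]) -> None:
        """Aggregate component roles into an application role; reject a mapping
        to a role the component does not expose instead of silently granting nothing."""
        for comp, crole in mappings:
            if crole not in self.components.get(comp, set()):
                raise ValueError(f"{comp!r} does not expose component role {crole!r}")
        self.app_roles[role] = set(mappings)

    def assign(self, role: str, principal: str) -> None:
        # principal is a user id or a group name
        if role not in self.app_roles:
            raise KeyError(role)
        self.assignments.setdefault(role, set()).add(principal)

    def app_roles_of(self, user: str, groups: dict[str, set[str]]) -> set[str]:
        """Application roles held directly or through one of the user's groups."""
        principals = {user, *groups.get(user, set())}
        return {r for r, members in self.assignments.items() if principals & members}

    def is_member(self, user: str, groups: dict[str, set[str]]) -> bool:
        """Holding any application role makes the user a member of the instance."""
        return bool(self.app_roles_of(user, groups))

    def component_roles_of(self, user: str, groups: dict[str, set[str]]) -> set[tuple[str, str]]:
        """Effective (component, component role) pairs, i.e. what each component enforces."""
        return set().union(*(self.app_roles[r] for r in self.app_roles_of(user, groups)))


GROUPS = {"alice": {"debug-admins"}, "bob": set()}   # constructed directory data: user -> groups


def build_debug_app() -> Application:
    """The Custom Debug Application of slide 81; mappings beyond Admin are assumed."""
    app = Application("Custom Debug Application", {
        "Insight Portlet": {"Admin User", "Manager"},
        "XML Import Portlet": {"Admin User"},
        "External Trace Analyzer": {"Operator", "Analyst"}})
    app.add_app_role("Admin", {("Insight Portlet", "Admin User"), ("XML Import Portlet", "Admin User")})
    app.add_app_role("Analyst", {("External Trace Analyzer", "Analyst")})
    app.add_app_role("Manager", {("Insight Portlet", "Manager")})   # the role created on slide 83
    app.assign("Admin", "debug-admins")   # role assigned to a group
    app.assign("Analyst", "bob")          # role assigned to a user
    return app
```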

Page 87: Websphere Portal V6.1 Security Overview

The 4 Data Domains

Release Domain: Data: „MyPortal“ & „Admin“ Resources; Model: Authorization Roles

Community Domain: Data: Application/Templating Data; Model: Membership Model

Customization Domain: Data: User private data (e.g. private pages); Model: private resources only

JCR Domain: Data: Content (WCM/PDM) + Templates, Policies, PZN Rules; UI: Authorization Roles

No Inheritance Across Domain Boundaries

Each domain supports consistent backup/restore

Page 88: Websphere Portal V6.1 Security Overview

© 2008 IBM

WSRP Security

Page 89: Websphere Portal V6.1 Security Overview

Web Services for Remote Portals (WSRP)

Industry standard for presentation oriented Web Services

Producer Side: Portlets can be provided as WSRP Services

Consumer Side:

Setup Producer entity

Integrate WSRP Services in form of Portlets from a Producer

[Diagram: a WebSphere Portal consumes WSRP Services over the Internet/Intranet through a GenericPortletProxy behind the Portlet API, alongside Local Portlets (JSR 168, WPS 4.x); WSRP services are published and found via a UDDI Registry (SOAP) and provided by WebSphere Portal or 3rd party Application and Content Providers.]

Page 90: Websphere Portal V6.1 Security Overview

WSRP Identity Propagation

User Profile Propagation (no security)

User profile data submitted in SOAP message

Used for generating personalized content

Not intended for access control decisions

SSL client certificate authentication

Certificate based client authentication with User ID in certificate

One identity per consumer portal

WS-Security

WSRP client/producer run in JSR 109 compliant container

allows full use of the WAS WS-Security runtime

Allows end user identity propagation / mapping

• e.g. LTPA token forwarding

• public plug points in WAS for custom tokens

Tivoli Federated Identity Manager (TFIM) provides multiple ways of doing web services based federated SSO (e.g. via SAML)

Page 91: Websphere Portal V6.1 Security Overview

© 2008 IBM

Java 2 Platform Security

Page 92: Websphere Portal V6.1 Security Overview

Java 2 Platform Security

“Is this piece of code allowed to read httpd.conf?”

Part of the Java Language Specification

Policy files define the privileges of the code to be executed

Protection of system resources and APIs via policy-based, fine-grain access control mechanism

Activated via Global Setting in WebSphere Application Server (independent of “Global Security”)

Page 93: Websphere Portal V6.1 Security Overview

Java 2 Platform Security

WebSphere Portal runs with Java 2 Security enabled

Portal core libraries and administration Portlets are supposed to be trusted and get the java.security.AllPermission

Portlet specific permissions can be assigned to individual portlets by adding a corresponding was.policy file to the WAR archive

Portlet deployment copies the was.policy file to the EAR level as required by the WAS security runtime

Individual portlets can thus be prevented from accessing arbitrary system resources …

Page 94: Websphere Portal V6.1 Security Overview

© 2008 IBM

Misc

Page 95: Websphere Portal V6.1 Security Overview

Misc

Security Audit Service

Can be activated to track administrative actions

Writes a dedicated log file (plain text)

Includes information on executing user, execution time, involved resources

New with 6.1:

SSL configuration in WAS Admin Console

Page 96: Websphere Portal V6.1 Security Overview

WebSphere Portal Security Strategy

Security is part of the Portal Design Process

Design documents detail security implications and are reviewed by a dedicated portal security team

Security is part of the Portal Testing Strategy

WebSphere Portal does dedicated security vulnerability (aka. penetration) testing on selected portal releases

Security Certifications

WebSphere Portal access control is Common Criteria certified

WebSphere Portal uses FIPS 140-2 compliant crypto libraries provided by WebSphere Application Server

Portal Security is aligned with IBM Security Strategy

IBM invests in security research, e.g. teams in Zurich and Tokyo investigate Web 2.0 security implications

WebSphere Portal security architect aligns portal security with IBM security strategy and research results

Security fixes are published on the portal Security Bulletin Web Site

http://www-128.ibm.com/developerworks/websphere/zones/portal/security/

Page 97: Websphere Portal V6.1 Security Overview

Additional Information and Resources

WebSphere Portal Security White Paper

http://www-128.ibm.com/developerworks/websphere/library/techarticles/0611_buehler/0611_buehler.html

Exploiting the WebSphere Portal V5.1.0.1 programming model, Part 3: Integrating WebSphere Portal into your security environment

http://www.ibm.com/developerworks/websphere/library/techarticles/0606_buehler/0606_buehler.html

WebSphere Portal Product Information:

http://www-306.ibm.com/software/genservers/portal/enable/

WebSphere Portal Information Center documentation

http://www-106.ibm.com/developerworks/websphere/zones/portal/proddoc.html

WebSphere Portal Security Zone

http://www-128.ibm.com/developerworks/websphere/zones/portal/security/

Page 98: Websphere Portal V6.1 Security Overview

Session ID: B07

Session: IBM WebSphere Portal Security Overview

Presenter: Dr. Dieter Buehler

Please take a few minutes to fill out the session survey.

Thank you

WebSphere Portal Technical Conference Europe 2008

Page 99: Websphere Portal V6.1 Security Overview

© IBM Corporation 2008 All Rights Reserved.

The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.

IBM, the IBM logo, WebSphere, Lotus, Lotus Notes, Domino, Quickplace, Sametime, Workplace and Quickr are trademarks of International Business Machines Corporation in the United States, other countries, or both.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.

All references to Renovations Inc. refer to a fictitious company and are used for illustration purposes only.