
Security

Security is an important part of any application server configuration. In this
chapter, we will cover securing the WebSphere Application Server's
administrative console and how to configure different types of repositories
containing the users and groups of authorized users who are given different
levels of access to administer a WebSphere server.
Global Security
During the installation process of WebSphere Application Server, we opted
not to turn on global security and thus we did not have to supply a password
to log in to the Administrative console. We logged in using the username
wasadmin and we were not prompted for a password. The truth of the
matter is that we could have actually used any name as the console was not
authenticating us at all. To protect our WAS from unauthorized access, we
need to turn on global security.
Global security can be configured with one of the following user registries:
1) Local OS user registry.
2) Custom user registry.
3) LDAP user registry.
(1 to 3: WAS 6.0 version)
4) Federated repository. (WAS 6.1 onwards)
Steps to configure global security by using the local OS registry:
1) Create user accounts in your local OS.
2) Assign passwords to those accounts.
3) Log in to the admin console and expand Security.
4) Select the Secure administration, applications and infrastructure option.
5) Select Security configuration wizard.
6) Select the Local OS option to configure with the local OS registry.
7) Provide the user ID and password.
8) Under the LTPA authentication mechanism, confirm the password once again.
9) Enable the administrative security check box.
10) Select Local operating system under Available realm definitions.
11) Save the changes and restart the server.
12) Now access the admin console using http://<hostname>:9045/ibm/console (we have to check serverindex.xml under the dmgr01 profile for the secure port).
13) Provide the user name and password to log in to the admin console.
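Step 12 says to look up the secure port in the dmgr profile's serverindex.xml. The following Python is an added example, not part of the original page: it reads the admin console endpoints from that file and builds the HTTPS console URL. The endpoint names WC_adminhost and WC_adminhost_secure are the ones WebSphere uses for the console; the XML fragment, the port 9062 and the function names are constructed for illustration.

```python
# Added example: find the admin console ports in serverindex.xml.
import xml.etree.ElementTree as ET

# Constructed, abbreviated stand-in for the dmgr node's serverindex.xml.
# 9045 is the secure port used on this page; 9062 is a made-up non-secure port.
SAMPLE = """<serverindex:ServerIndex xmlns:xmi="http://www.omg.org/XMI"
    xmlns:serverindex="http://www.ibm.com/websphere/appserver/schemas/5.0/serverindex.xmi"
    hostName="localhost">
  <serverEntries serverName="dmgr" serverType="DEPLOYMENT_MANAGER">
    <specialEndpoints endPointName="WC_adminhost">
      <endPoint host="*" port="9062"/>
    </specialEndpoints>
    <specialEndpoints endPointName="WC_adminhost_secure">
      <endPoint host="*" port="9045"/>
    </specialEndpoints>
  </serverEntries>
</serverindex:ServerIndex>"""

def admin_ports(xml_text, server="dmgr"):
    """Map endpoint name -> port for the named server entry."""
    root = ET.fromstring(xml_text)
    ports = {}
    for entry in root.iter("serverEntries"):
        if entry.get("serverName") != server:
            continue
        for ep in entry.iter("specialEndpoints"):
            node = ep.find("endPoint")
            if node is not None:
                ports[ep.get("endPointName")] = int(node.get("port"))
    return ports

def console_url(xml_text, host, server="dmgr"):
    """Build the HTTPS console URL from the secure admin endpoint."""
    ports = admin_ports(xml_text, server)
    if "WC_adminhost_secure" not in ports:
        raise LookupError("no WC_adminhost_secure endpoint for " + server)
    return f"https://{host}:{ports['WC_adminhost_secure']}/ibm/console"

if __name__ == "__main__":
    print(console_url(SAMPLE, "localhost"))
```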
Process:
For the first two steps, go to Administrative Tools and select Computer Management.
Select Local Users and Computers.
Select Users.
Go to the Actions menu and select New User.
Provide user name: test123
Password: test123
Click Create and then Close.
Right-click test123 in the user list and select Properties.
Select Member Of, select Users and click Add.
Type Administrators in the names to select box, or click Advanced, select Find Now and select Administrators, then click OK.
Click Check Names.
It will show the box below.
Click OK.
Click Apply.
Click OK.
----- Log off the current user and log in as test123 (just to check whether it works correctly).
----- Do the same for the admin, config, operator, and monitor accounts.
----- Log in to the dmgr admin console.
Go to Security.
Select Global security.
Select Local OS under User registries in the right pane.
Provide server user ID: test123
Provide server password: test123
Click Apply. Click OK.
Expand Authentication and select Authentication Mechanisms in the right pane.
Select LTPA.
Confirm the password: test123
Click Save changes.
Click OK.
Click Save changes.
security.xml will then be updated with the new changes.
Check Synchronize changes with Nodes.
Click Save.
------- Enable the Global Security check box.
Select Local OS (single, stand-alone server or sysplex and root administrator only) under Active User Registry.
Click Apply. Click OK.
And save the changes.
Click Save.
Check Synchronize changes with Nodes.
------ Log out of the admin console.
------ Stop dmgr using the command below.

Start dmgr using the command below.

Using stopManager.bat/startManager.bat we can stop and start the dmgr server once security.xml has been updated under the dmgr profile.
------ Log in to the admin console using the URL below.
https://localhost:9045/ibm/console/logon.jsp

By default, test123 has the Administrator role.


------ There are 4 types of roles (in WAS 6.0):
1) Administrator.
2) Configurator.
3) Operator.
4) Monitor.

----- Earlier we created 4 user accounts named admin, config, operator and monitor.
----- We have to add those users, while logged in as the test123 administrator, to assign a role to each of the created user accounts.
----- Log in to the dmgr admin console.
----- Select System Administration, expand Console settings and select Console users in the left pane.
In the above box, click the Add button.
Here we have to give User Name: admin
Role: Administrator
Click Apply. Click OK.
Click Save changes.
Check Synchronize changes with Nodes.
Click Save.
----- Do the same for the config, operator and monitor user accounts.

----- For the changes made so far to take effect, we have to stop the dmgr profile. We can no longer stop the dmgr profile directly; we have to provide a user ID and password. Only when stopping the dmgr profile do we have to give the user name and password (those of the higher admin of the dmgr console).

----- The error log can be found at the path below.
C:\IBM_ND_6.0\WebSphere\AppServer\profiles\Dmgr01\logs\dmgr\stopserver.log
Observe the screenshot below. Here we gave the user name and password of the higher authority of the dmgr profile; only then will it stop.

---- Then we have to start the dmgr server profile again.

---- Now we have to log in with each user account through the dmgr console.

This admin user can do anything.

----- Config User

He is responsible for configuring servers and applications but does not have the authority to stop and start servers.

---- Operator User Account

He can only start/stop the servers.

---- Monitor User Account

These users can only monitor whether the applications and servers are up and running. He can't do anything else.
Export: Backs up the application. No need to stop the server.
Export DDL: Backs up only the queries of the application.

Enable Security by using Custom User Registry:

Steps to follow to create a custom user registry:
1) Create two files: a) users.registry and b) groups.registry.
2) Add user account information to the users.registry file.
3) Add group information to groups.registry.
4) Log in to the dmgr console and expand Security.
5) Select the Secure administration, applications and infrastructure option.
6) Select Security configuration wizard and select the custom user registry option.
7) Create two variables, usersFile and groupsFile.
8) Provide the absolute paths of users.registry and groups.registry as the values of those variables.
9) Enable the administrative security check box and select custom registry under Available realm definitions.
10) Save the changes and restart the server.
11) Log in to the dmgr admin console by using http://rajasekhar-pc:9045/ibm/console
Process:
---- Open Notepad and save two files as users.registry and groups.registry.
---- In users.registry, type the content below.
#<userid>:<password>:<uid>:<groupIDs>:<displayname>
wasadmin:password:101:200:wasadmin
---- In the groups.registry file, type the content below.
#<groupID>:<gid>:<members>:<displayname>
----- Log in to the dmgr console, expand Security and select the Global Security option.

---- Select User Registries and under that select Custom User Registry.

Click Custom.
Provide Server User ID: wasadmin
Server User Password: password

Click OK.

Click Save.

Check Synchronize changes with Nodes.

Click Save. (The security.xml file will be updated under dmgr.)
---- Go to Global Security.
Select User Registry, under that select Custom, and select Custom Properties.

Click Custom.

Select Custom Properties under Additional Properties.

Click New.
Provide Name: usersFile

usersFile path: C:\Documents and Settings\Administrator\Desktop\Registries\users.registry

Click OK.

Do the same for groups.registry.

Click OK.

Click Save changes.

Click Save.
---- Go to Global Security.

Under Authentication, expand Authentication Mechanisms and select LTPA.

Provide the password and confirm the password: password

Click OK.

Click Save.

Click Save.
----- Under Active User Registry, select Custom Registry.

Click Apply. Click OK.

Click Save.

Click Save.
---- Log out from the dmgr admin console.
---- Restart the dmgr server.
------ Log out of the admin console.
------ Stop dmgr using the command below.

Start dmgr using the command below.

Using stopManager.bat/startManager.bat we can stop and start the dmgr server once security.xml has been updated under the dmgr profile.
------ Log in to the admin console using the URL below.
https://localhost:9045/ibm/console/logon.jsp

Click Log in.
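The users.registry and groups.registry layout used in this procedure can be checked before the dmgr is restarted against it. This Python linter is an added example, not code from the original page: it checks both files for the field counts given in the format comments, stray whitespace around fields, duplicate uids, passwords identical to the user ID, and group references that do not resolve. The sample entries are constructed, the function names are hypothetical, and comma-separated groupIDs and members lists are an assumption.

```python
# Added example: lint users.registry / groups.registry (layout as on this page).
USERS_SAMPLE = """\
#<userid>:<password>:<uid>:<groupIDs>:<displayname>
wasadmin:password:101:200:wasadmin
Operator: operator: 102:200: operator
monitor:monitor:102:300:monitor
"""  # constructed sample entries
GROUPS_SAMPLE = """\
#<groupID>:<gid>:<members>:<displayname>
admins:200:wasadmin,ghost:Administrators
"""  # constructed sample entries

def parse(text, nfields):
    """Return (records, problems) for one colon-separated registry file."""
    records, problems = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and the format comment
        fields = line.split(":")
        if len(fields) != nfields:
            problems.append(f"line {no}: expected {nfields} fields, got {len(fields)}")
            continue
        if any(f != f.strip() for f in fields):
            problems.append(f"line {no}: whitespace around a field")
        records.append([f.strip() for f in fields])
    return records, problems

def lint(users_text, groups_text):
    """Cross-check both files; comma-separated lists are an assumption."""
    users, p1 = parse(users_text, 5)
    groups, p2 = parse(groups_text, 4)
    problems = [f"users.registry {p}" for p in p1] + [f"groups.registry {p}" for p in p2]
    names, gids, seen_uid = {u[0] for u in users}, {g[1] for g in groups}, set()
    for name, pw, uid, gid_list, _ in users:
        if uid in seen_uid:
            problems.append(f"user {name}: duplicate uid {uid}")
        seen_uid.add(uid)
        if pw.lower() == name.lower():
            problems.append(f"user {name}: password equals user id")
        for gid in filter(None, gid_list.split(",")):
            if gid not in gids:
                problems.append(f"user {name}: gid {gid} not in groups.registry")
    for gname, _, members, _ in groups:
        for m in filter(None, members.split(",")):
            if m not in names:
                problems.append(f"group {gname}: member {m} not in users.registry")
    return problems
```

Because the password field is stored as typed, the same script is a convenient place to confirm that the two files are readable only by the account that runs the dmgr.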

Disable Global Security


--- Log in to the dmgr console.
User ID: wasadmin
Pwd: password
--- Go to Security and select Global security.

Uncheck Enable global security.

Click Apply. Click OK.

Click Save changes.

Check Synchronize changes with Nodes. Click Save.

---- Stop dmgr by using the command below.

---- Start the dmgr server.
