Showing posts with label adminsecrutiy. Show all posts

Administrative user roles

The WAS Administration console application uses the J2EE role-based authorization concept. It has the following roles:


  • Monitor: Least privileged. Allows a user to view the WebSphere configuration and current application server state. A monitor can complete the following tasks:

    • View the WebSphere Application Server configuration.

    • View the current state of the Application Server.


  • Configurator: An individual or group that uses the configurator role has the monitor privilege plus the ability to change the WebSphere Application Server configuration. The configurator can perform all the day-to-day configuration tasks. For example, a configurator can complete the following tasks:


    • Create a resource.

    • Map an application server

    • Install and uninstall an application.

    • Deploy an application.

    • Assign users and groups-to-role mapping for applications.

    • Set up Java 2 security permissions for applications.

    • Customize the Common Secure Interoperability Version 2 (CSIv2), Secure Authentication Service (SAS), and Secure Sockets Layer (SSL) configurations.


  • Operator: Monitor privilege, plus the ability to change the runtime state, such as starting or stopping a server, and to check server status.

  • Deployer: Only available for wsadmin users (not administration console). Allows a user to change configuration and runtime state on applications using wsadmin.

  • Admin Security Manager: Allows a user to map users and groups to administrative roles through the administrative console, or through wsadmin for fine-grained security. Also, when fine-grained administrative security is used, users granted this role can manage authorization groups.

  • iscadmins: Only available for administration console users. Allows a user to manage users and groups in the Federated repositories.

  • Administrator: Operator, configurator, and iscadmins privileges, plus privileges granted solely to the administrator role, such as:

    1. Modify the primary administrative user and password

    2. Create, update, and delete users and groups

    3. Enable or disable administrative and Java 2 security




The primary administrative user specified when enabling administrative security is automatically mapped to the Administrator and AdminSecurityManager roles. Therefore, it is not necessary to manually add this identity to either of these administrative roles.
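As an added example (not code from the original post or from WebSphere), the following Python helper turns the role descriptions above into a least-privilege check: given the tasks a person actually needs to perform, it picks the combination of roles that covers them while granting the fewest extra privileges, so that an operator who also installs applications gets Operator plus Configurator rather than Administrator. The task labels are my own shorthand for the tasks the post lists under each role; the inheritance table (Configurator and Operator include Monitor; Administrator includes Operator, Configurator and iscadmins) follows the post. Deployer is left out because it is wsadmin-only and the post does not enumerate its tasks.

```python
"""Least-privilege role selection over the WebSphere administrative roles
listed above.

Added example; this is not code from the original post or from WebSphere.
Task labels are shorthand assigned here for the tasks the post lists under
each role; inheritance follows the post."""
from itertools import combinations

# Tasks each role grants directly (labels derived from the post's lists).
ROLE_GRANTS = {
    "Monitor": {"view_config", "view_server_state"},
    "Configurator": {
        "create_resource", "install_uninstall_app", "deploy_app",
        "map_app_users_to_roles", "set_java2_permissions",
        "customize_csiv2_sas_ssl",
    },
    "Operator": {"start_stop_server", "check_server_status"},
    "AdminSecurityManager": {"map_admin_roles", "manage_authorization_groups"},
    "iscadmins": {"manage_federated_users_groups"},
    "Administrator": {
        "modify_primary_admin_user", "create_update_delete_users",
        "toggle_admin_or_java2_security",
    },
}

# Privilege inheritance as described in the post.
ROLE_INCLUDES = {
    "Configurator": {"Monitor"},
    "Operator": {"Monitor"},
    "Administrator": {"Operator", "Configurator", "iscadmins"},
}


def effective_tasks(role):
    """All tasks a role can perform, following inheritance transitively."""
    tasks, seen, stack = set(), set(), [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        tasks |= ROLE_GRANTS[current]
        stack.extend(ROLE_INCLUDES.get(current, ()))
    return tasks


def minimal_roles(required_tasks):
    """Pick the role combination that covers every required task while
    granting the fewest tasks beyond what was asked for (least privilege);
    among equal candidates prefer fewer roles. Returns None if any task is
    unknown, since an unknown task cannot be covered by any role."""
    required = set(required_tasks)
    known = set().union(*ROLE_GRANTS.values())
    if not required <= known:
        return None
    best, best_key = None, None
    roles = sorted(ROLE_GRANTS)
    for size in range(1, len(roles) + 1):
        for combo in combinations(roles, size):
            covered = set().union(*(effective_tasks(r) for r in combo))
            if not required <= covered:
                continue
            key = (len(covered - required), len(combo))
            if best_key is None or key < best_key:
                best, best_key = set(combo), key
    return best


if __name__ == "__main__":
    # An operator who also installs applications needs Operator + Configurator,
    # not Administrator, which would add the ability to disable security.
    print(minimal_roles(["start_stop_server", "install_uninstall_app"]))
    # Only Administrator can enable or disable administrative security.
    print(minimal_roles(["toggle_admin_or_java2_security"]))
```

The search is an exhaustive set cover, which is cheap here because there are only six roles; the ordering key deliberately puts "fewest excess privileges" ahead of "fewest roles", so the helper never collapses two narrow roles into Administrator just to save one assignment.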

Disabling admin security


You might want to disable administrative security in a few situations, such as:

  • You have forgotten the WAS Admin User

  • There is some problem with the security configuration and you're not able to start the server



You can disable security using the wsadmin command line tool like this: start the wsadmin tool with wsadmin -conntype NONE; once the wsadmin prompt is displayed, execute the securityoff command and restart the server.

Or you can open WebSphere\AppServer\profiles\Dmgr01\config\cells\dmgrCell01\security.xml, search for the word "enabled", and change the value of the enabled attribute to false:


<security:Security xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:orb.securityprotocol="http://www.ibm.com/websphere/appserver/schemas/5.0/orb.securityprotocol.xmi"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:id="Security_1"
    useLocalSecurityServer="true"
    useDomainQualifiedUserNames="false"
    enabled="false"
    cacheTimeout="600"
    issuePermissionWarning="false"
    activeProtocol="BOTH"
    enforceJava2Security="false"
    enforceFineGrainedJCASecurity="false"
    appEnabled="true"
    dynamicallyUpdateSSLConfig="true"
    activeAuthMechanism="LTPA_1"
    activeUserRegistry="WIMUserRegistry_1"
    defaultSSLSettings="SSLConfig_1">


The easiest way to disable security, if you know the admin user ID and password, is through the WAS Admin Console.

What is Server User Identity

WebSphere Application Server V6.1 separates the server user identity from the primary administrative user. The primary administrative user is any valid user in the user account repository that you choose to give default administrative privileges. The server user identity is used for server-to-server communication. By selecting the automatically generated server identity, WebSphere creates an identity for internal communications that is not stored in the repository and does not have a password. LDAP directories still require a bind DN for successful communications.

WAS will ask you for the server user identity while you configure the user repository.

Main components of WebSphere security

WAS 6.1 security has three main components:

  • Authentication protocol: The authentication protocol is used for Remote Method Invocation (RMI) over the Internet InterORB Protocol (IIOP) requests when security is enabled. WebSphere Application Server is configured to use Common Secure Interoperability Version 2 (CSIV2) by default. Secure Authentication Service has been deprecated and will be removed from future WebSphere releases. The CSIV2 is defined by the Object Management Group (OMG) as a standard authentication protocol for vendors to interoperate securely.

  • Authentication mechanism: The WebSphere Application Server uses Lightweight Third Party Authentication (LTPA) as the default authentication mechanism. LTPA supports forwardable credentials and, for security reasons, a configurable expiration time is set on the credentials. The use of LTPA allows you to enable single sign-on (SSO) for your security domain.

  • User account repository: The WAS 6.1 server supports 4 different types of user repository.

Enabling administrative security

When you install WebSphere Application Server 6.1, the installation process asks whether you want to enable administrative security; if you say yes, it lets you specify the username and password for the admin user. When you enable security during the installation process, the WAS server is configured to use the file-based federated repository.


If you don't enable administrative security at the time of installation, or if you have to disable it for some other reason, you can re-enable admin security from the WAS Admin Console: go to the Security - Secure administration, applications, and infrastructure page, check the "Enable administrative security" checkbox, save your changes, synchronize those changes to all the nodes, and then restart all the servers, node agents and the DMGR.

What does admin security protect

The configuration of administrative security for a security domain involves configuring the following technologies:

  • Authentication of HTTP clients

  • Authentication of IIOP clients

  • Administrative console security

  • Naming security

  • Use of SSL transports

  • Role-based authorization checks of servlets, enterprise beans, and mbeans

  • Propagation of identities (RunAs)

  • The common user registry

  • The authentication mechanism

  • Other security information that defines the behavior of a security domain includes:

    1. The authentication protocol (Remote Method Invocation over the Internet Inter-ORB Protocol (RMI/IIOP) security)

    2. Other miscellaneous attributes



What is administrative security

Administrative security represents the security configuration that is effective for the entire security domain. A security domain consists of all of the servers that are configured with the same user registry realm name. In some cases, the realm can be the machine name of a local operating system registry. In this case, all of the application servers must reside on the same physical machine. In other cases, the realm can be the machine name of a standalone Lightweight Directory Access Protocol (LDAP) registry.

A multiple node configuration is supported because you can access remotely user registries that support the LDAP protocol. Therefore, you can enable authentication from anywhere.

The basic requirement for a security domain is that the access ID that is returned by the registry or repository from one server within the security domain is the same access ID as that returned from the registry or repository on any other server within the same security domain. The access ID is the unique identification of a user and is used during authorization to determine if access is permitted to the resource. The administrative security configuration applies to every server within the security domain.

Enabling administrative security activates a wide variety of security settings for WebSphere Application Server. While the values of these settings can be specified at any time, they take effect only when administrative security is activated. These settings include authentication of users, the use of Secure Sockets Layer (SSL), the choice of user account repository and application security.

In WAS 6.1, global security has been split into administrative and application security, each of which can be enabled separately. However, in order for application security to take effect, administrative security must be enabled.
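Two passages above are worth turning into a repeatable check: the security.xml edit in the "Disabling admin security" post (where the enabled attribute is flipped to false) and the rule just stated that appEnabled only takes effect while administrative security is on. The following Python script, an added example that is not code from the original posts or from IBM, parses a security.xml and reports whether administrative security is actually in force, whether application security is effective, and a few related findings. The attribute names it reads (enabled, appEnabled, enforceJava2Security, activeProtocol, activeAuthMechanism, activeUserRegistry) are the ones visible in the fragment quoted above; the sample document is constructed from that fragment with a closing tag added so that it parses, and the profiles/*/config/cells/*/security.xml glob in audit_profiles is an assumption based on the path named in the post.

```python
"""Audit WebSphere security.xml files for the settings discussed on this page.

Added example; not code from the original posts or from IBM. Attribute names
are those visible in the security.xml fragment quoted on the page. The sample
below is constructed from that fragment with a closing tag added."""
from pathlib import Path
import xml.etree.ElementTree as ET

SECURITY_NS = "http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
SECURITY_TAG = "{%s}Security" % SECURITY_NS

# Constructed sample: the opening tag quoted in the post plus a closing tag.
SAMPLE_SECURITY_XML = (
    '<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" '
    'xmlns:orb.securityprotocol="http://www.ibm.com/websphere/appserver/schemas/5.0/orb.securityprotocol.xmi" '
    'xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi" '
    'xmi:id="Security_1" useLocalSecurityServer="true" useDomainQualifiedUserNames="false" '
    'enabled="false" cacheTimeout="600" issuePermissionWarning="false" activeProtocol="BOTH" '
    'enforceJava2Security="false" enforceFineGrainedJCASecurity="false" appEnabled="true" '
    'dynamicallyUpdateSSLConfig="true" activeAuthMechanism="LTPA_1" '
    'activeUserRegistry="WIMUserRegistry_1" defaultSSLSettings="SSLConfig_1">'
    '</security:Security>'
)


def _is_true(element, attr):
    """Boolean XMI attributes are the strings "true"/"false"; absent means false."""
    return element.get(attr, "false").strip().lower() == "true"


def audit_security_xml(xml_text):
    """Return the effective security posture of one security.xml plus findings."""
    root = ET.fromstring(xml_text)
    sec = root if root.tag == SECURITY_TAG else root.find(".//" + SECURITY_TAG)
    if sec is None:
        raise ValueError("no security:Security element in document")

    admin_enabled = _is_true(sec, "enabled")
    app_enabled = _is_true(sec, "appEnabled")
    java2 = _is_true(sec, "enforceJava2Security")
    protocol = sec.get("activeProtocol", "")

    findings = []
    if not admin_enabled:
        findings.append('administrative security is disabled (enabled="false"); '
                        'console, naming, mbean and IIOP authentication are all off')
    if app_enabled and not admin_enabled:
        findings.append('appEnabled="true" has no effect while administrative security is disabled')
    if not java2:
        findings.append("Java 2 security is not enforced (enforceJava2Security)")
    if protocol.upper() == "BOTH":
        findings.append('activeProtocol="BOTH" keeps the deprecated SAS protocol active alongside CSIv2')

    return {
        "admin_security": admin_enabled,
        # Application security only counts when admin security is on.
        "app_security_effective": app_enabled and admin_enabled,
        "java2_security": java2,
        "auth_mechanism": sec.get("activeAuthMechanism"),
        "user_registry": sec.get("activeUserRegistry"),
        "findings": findings,
    }


def audit_profiles(install_root):
    """Walk <install_root>/profiles/*/config/cells/*/security.xml (assumed
    layout, following the path named in the post) and audit each file."""
    results = {}
    for path in Path(install_root).glob("profiles/*/config/cells/*/security.xml"):
        results[str(path)] = audit_security_xml(path.read_text(encoding="utf-8"))
    return results


if __name__ == "__main__":
    report = audit_security_xml(SAMPLE_SECURITY_XML)
    print("admin security:", report["admin_security"])
    print("application security effective:", report["app_security_effective"])
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run against the quoted fragment, the report shows administrative security off and application security ineffective despite appEnabled="true", which is exactly the trap the last paragraph describes; pointing audit_profiles at an installation root makes the same check cover every profile and cell at once, so a temporary "securityoff" that was never reverted is noticed.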