You are previewing IBM WebSphere Application Server v7.0 Security.
O'Reilly logo
IBM WebSphere Application Server v7.0 Security

Book Description

For IBM WebSphere users, this is the complete guide to securing your applications with Java EE and JAAS security standards. From a far-ranging overview to the fundamentals of data encryption, all the essentials are here.

  • Discover the salient and new security features offered by WebSphere Application Server version 7.0 to create secure installations

  • Explore and learn how to secure Application Servers, Java Applications, and EJB Applications along with setting up user authentication and authorization

  • With the help of extensive hands-on exercises and mini-projects, explore the various aspects needed to produce secure IBM WebSphere Application Server Network Deployment v7.0 infrastructures

  • A practical reference with ready-to-implement best practices and tricks for configuring, hardening, tuning, and troubleshooting secure IBM WebSphere Application Server Network Deployment v7.0 environments

  • In Detail

    In these days of high-profile hacking, server security is no less important than securing your application or network. In addition many companies must comply with government security regulations. No matter how secure your application is, your business is still at risk if your server is vulnerable. Here is how you solve your WebSphere server security worries in the best possible way.

    This tutorial is focused towards ways in which you can avoid security loop holes. You will learn to solve issues that can cause bother when getting started with securing your IBM WebSphere Application Server v7.0 installation. Moreover, the author has documented details in an easy-to-read format, by providing engaging hands-on exercises and mini-projects.

    The book starts with an in-depth analysis of the global and administrative security features of WebSphere Application Server v7.0, followed by comprehensive coverage of user registries for user authentication and authorization information. Moving on you will build on the concepts introduced and get hands-on with a mini project. From the next chapter you work with the different front-end architectures of WAS along with the Secure Socket Layer protocol, which offer transport layer security through data encryption.

    You learn user authentication and data encryption, which demonstrate how a clear text channel can be made safer by using SSL transport to encrypt its data. The book will show you how to enable an enterprise application hosted in a WebSphere Application Server environment to interact with other applications, resources, and services available in a corporate infrastructure. Platform hardening, tuning parameters for tightening security, and troubleshooting are some of the aspects of WebSphere Application Server v7.0 security that are explored in the book. Every chapter builds strong security foundations, by demonstrating concepts and practicing them through the use of dynamic, web-based mini-projects.

    A practical approach to implementing secure Java EE Server infrastructures using WebSphere

    Table of Contents

    1. IBM WebSphere Application Server v7.0 Security
      1. IBM WebSphere Application Server v7.0 Security
      2. Credits
      3. About the Author
      4. About the Reviewers
        1. Support files, eBooks, discount offers and more
          1. Why Subscribe?
          2. Free Access for Packt account holders
          3. Instant Updates on New Packt Books
      6. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Errata
          2. Piracy
          3. Questions
      7. 1. A Threefold View of WebSphere Application Server Security
        1. Enterprise Application-server infrastructure architecture view
          1. Simple infrastructure architecture characteristics
          2. Branded infrastructure elements
          3. Generic infrastructure components
          4. Using the infrastructure architecture view
        2. WebSphere architecture view
          1. WebSphere Application Server simplified architecture
          2. WebSphere node component
          3. WebSphere JVM component
          4. Using the WebSphere architecture view
        3. WebSphere technology stack view
          1. OS platform security
          2. Java technology security
          3. WebSphere security
          4. Using the technology stack view
        4. Summary
      8. 2. Securing the Administrative Interface
        1. Information needed: Planning for security
          1. The LDAP and security table
        2. Enabling security
          1. Setting the domain name
            1. Starting at the console
            2. Continuing with the global security page
            3. Onto the SSO page
            4. Setting the SSO domain name
            5. Applying and saving your changes
          2. Configuring the user registry
            1. Locating the user registry configuration area
            2. Registry type selection
              1. Federated repository
              2. Local operating system
              3. LDAP
              4. Standalone custom registry
            3. LDAP—the preferred choice
            4. Reviewing the resulting standalone LDAP registry page
            5. Defining the WebSphere administrative ID
            6. Setting the type of LDAP server
            7. Entering the LDAP server parameters
            8. Providing the LDAP bind identity parameters
            9. Confirming other miscellaneous LDAP server parameters
            10. Applying and saving the standalone LDAP configuration
            11. Confirming the configuration
          3. Enabling the administrative security
            1. Locating the administrative security section
            2. Performing the administrative security configuration steps
            3. Applying and saving your changes
            4. Propagating new configuration
            5. Logging off from the console
            6. Restarting the deployment manager
            7. Logging in to the deployment manager console
        3. Administrative roles
        4. Disabling security
        5. Summary
      9. 3. Configuring User Authentication and Access
        1. Security domains
          1. What is a security domain
          2. Scope of security domains
          3. Benefits of multiple security domains
          4. Limitations of security domains
        2. Administrative security domain
          1. Configuring security domains based on global security
            1. Creating a global security domain clone
            2. Creating a security domain using scripting
        3. User registry concepts
          1. What is a user registry
          2. WebSphere use of user repositories
            1. Authentication
            2. Authorization
        4. Supported user registry types
          1. Local operating system
          2. Standalone LDAP
          3. Standalone custom registry
          4. Federated repositories
        5. Protecting application servers
          1. WebSphere environment assumptions
          2. Prerequisites
            1. Creating an application server
            2. Creating a virtual host
            3. Creating application JDBC Provider and DataSource
            4. Configuring the global security to use the federated user registry
            5. Creating a security domain for the application server
          3. Configuring user authentication
            1. Creating groups
            2. Creating users
            3. Assigning users to groups
          4. Configuring access to resources
          5. Testing the secured application server environment
            1. Deploying and securing an enterprise application
            2. Accessing the secured enterprise application
        6. Summary
      10. 4. Front-End Communication Security
        1. Front-end enterprise application infrastructure architectures
          1. WebSphere horizontal cluster classic architecture
          2. WebSphere horizontal cluster using dual-zone architecture
          3. WebSphere horizontal cluster using multi-zone architecture
        2. SSL configuration and management
          1. What is SSL
          2. How SSL works
          3. Certificates and CAs
        3. Securing front-end components communication
          1. Securing the IBM HTTP Server
            1. Environment assumptions
            2. SSL configuration prerequisites
              1. Add SSL ports to WebSphere employees_vh virtual server
            3. Creating the SSL system components
              1. Create the IHS SSL keystore
              2. List built-in CA certificates included in keystore
              3. Create self-signed certificate
              4. Confirm the creation of self-signed certificate
            4. Configuring IHS for SSL
              1. Modifications to httpd.conf
              2. Extract the WebSphere CA certificate
              3. Add WAS self-signed certificate to the plug-in
              4. Validation of the SSL configuration
        4. Summary
      11. 5. Securing Web Applications
        1. Securing web applications concepts
          1. Developer view of web application security
          2. Administrator view of web application security
        2. Securing a web application
          1. Project objectives
          2. Assumptions
          3. Prerequisites
          4. Enterprise application architecture
            1. Application groups
            2. Application users
            3. Application memberships
              1. ACLs based on user registry groups
              2. ACLs based on application roles
            4. Dynamic web modules
          5. Securing a J2EE web application
            1. Creating the enterprise application project
            2. Creating the dynamic web application projects
            3. Configuring dynamic web applications
              1. Defining welcome files
              2. Adding log in information
              3. Defining protected URI patterns and methods
              4. Creating application roles
              5. Assigning the application role
              6. Defining client-server transport type
              7. Mapping web modules to employees_vh
            4. Configuring enterprise applications
              1. Defining roles
              2. Mapping groups to roles
            5. Adding content to dynamic web applications
              1. Adding web files
              2. Adding Java components
              3. Completing the Java code
                1. Analysis of the initial servlet code
                2. Completing the servlet code
            6. Packaging an enterprise application
            7. Deploying the enterprise application
            8. Testing the enterprise application
        3. Summary
      12. 6. Securing Enterprise Java Beans Applications
        1. EJB application security concepts
          1. Declarative security
          2. Programmatic security
        2. EJB project design
          1. EJB application du jour
            1. Objective—security
            2. Objective—functional
          2. Project design—UI aspect
          3. Project design—programming component
          4. Project design—implementation phase
        3. EJB project prerequisites and assumptions
          1. Project assumptions
          2. Project prerequisites
        4. Creating an Enterprise Application Project
          1. Creating the project workspace
          2. Enterprise application project requirements
            1. EAR version
            2. Target runtime
          3. Creating the enterprise application project
            1. Selecting the project EAR version
            2. Creating a target runtime
            3. Creating the deployment descriptor
        5. Creating the portal Dynamic Web Project
          1. Creating the portal DWP
            1. Defining the DWP context root
            2. Creating the DWP deployment descriptor
          2. Configuring the portal DWP deployment descriptor
            1. Defining the welcome pages suite
            2. Adding login information
            3. Securing protected URI patterns and HTTP methods
              1. Defining security constraints
              2. Defining resource collections
            4. Defining application roles
            5. Defining the client-server transport type
            6. Mapping module to virtual host
        6. Creating content for the portal DWP
          1. Location of files within the project
          2. Logical file organization
          3. Creating the common HTML files
          4. Creating the custom HTML files
          5. Creating the JSP files
            1. Pagelet selector JSP files
            2. Portal home selector JSP files
          6. Creating the Servlet PortalHomeSelectorServlet
            1. Creating a Java package
            2. Creating the Servlet
          7. Creating the code for PortalHomeSelectorServlet
            1. Package definition and import statements
            2. Declaration of class constants and variables
            3. HTTP methods
            4. Getting parameters
            5. Communicating with EJB
            6. Forwarding control to another component
        7. Creating an EJB project
          1. Creating the initial project
          2. Creating the Java packages
          3. Creating the EJB interfaces
            1. Creating IPortalSelectorSessionBean interface
            2. Creating the local and remote EJB interfaces
          4. Creating the EJB
          5. Creating the code for PortalSelectorSessionBean
            1. Package definition and import statements
            2. Class definition
            3. Instance variables
            4. Linking to the user context
            5. Programmatic security
            6. Declarative security
        8. The grand finale
          1. Packaging the enterprise project as an EAR
          2. Deploying the EAR
          3. Testing the application
        9. Summary
      13. 7. Securing Back-end Communication
        1. LDAP: Uses of encryption
          1. Securing the LDAP channel
            1. Protocol: LDAP and the Internet Protocol Suite
            2. The importance of securing the LDAP channel
            3. Choices in securing the LDAP channel
          2. Enabling SSL for LDAP
            1. Creating a key ring for storing key stores
              1. JCE Policy files
            2. Creating a trust db for storing trust stores
            3. Creating a key store for use with LDAP
            4. Creating a trust store to use with LDAP
            5. Creating an SSL configuration for LDAP
            6. Obtaining the LDAP server SSL certificate
            7. Configuring LDAP for SSL
        2. JDBC: WebSphere-managed authentication
          1. Protocol(s)
            1. The JDBC API
            2. Connection/Driver Manager and Data Source/JDBC provider
            3. The JDBC Application Layer
          2. Choices to secure the database channel
          3. Examples of securing the JDBC connection
            1. Defining a new JDBC provider
            2. Defining a new Data Source
        3. Summary
      14. 8. Secure Enterprise Infrastructure Architectures
        1. The enterprise infrastructure
          1. An Enterprise Application in relation to an Application Server
          2. WAS infrastructure and EA's application server interactions
        2. Securing the enterprise infrastructure using LTPA
          1. Why use the LTPA mechanism
          2. How the LTPA authentication mechanism works
          3. The main use for LTPA in a WebSphere environment
        3. Securely enhancing the user experience with SSO
          1. Required conditions to implement SSO
          2. Implementing SSO in WebSphere
        4. Fine-tuning authorization at the HTTP server level
          1. Why use an external access management solution
          2. How it works
          3. What tool to use
          4. Configuring the HTTP server to use an external access management solution
        5. Fine-tuning authorization at the WAS level
          1. When to use TAI
          2. Configuring SiteMinder ASA for WebSphere (TAI)
        6. Summary
      15. 9. WebSphere Default Installation Hardening
        1. Engineering the how and where of an installation
          1. Appreciating the importance of location, location, location!
            1. Customizing the executable files location
            2. Customizing the configuration files location
              1. Customizing the log files location
          2. Camouflaging the entrance points
            1. Understanding why it's important
            2. Methodology choices
            3. Identifying what needs to be configured
            4. Getting started
          3. Picking a good attorney
        2. Ensuring good housekeeping of an installation
          1. Keeping your secrets safe
            1. Using key stores and trust stores
            2. Storing passwords in configuration files
            3. Adding passwords to properties files
              1. Manually adding a password - a bonus tip
        3. Summary
      16. 10. Platform Hardening
        1. Identifying where to focus
        2. Exploring the operating system
          1. Appreciating OS interfaces
          2. Understanding user accounts
          3. Understanding service accounts
          4. Using kernel modules
        3. Creating the file system
          1. Influencing permission and ownership using process execution
          2. Running single execution mode
            1. Using executables
            2. Configuring
            3. Setting ownerships and permissions on log files
          3. Running multiple execution mode
        4. Safeguarding the network system
          1. Establishing network connections
          2. Communicating from process to process
        5. Summary
      17. 11. Security Tuning and Troubleshooting
        1. Tuning WebSphere security
          1. Tuning general security
            1. Tightening security using the administrative connector
            2. Disabling security attribute propagation
            3. Using unrestricted Java Cryptographic Extensions
              1. Obtaining the Unrestricted JCE policy files
              2. Installing the Unrestricted JCE policy files
          2. Tuning CSIv2 connectivity
            1. Using Active Authentication Protocol: Set it only to CSI
            2. Enforcing client certificates using SSL
            3. Enabling stateful sessions
              1. Configuring the server
              2. Configuring the client
          3. Tuning user directories and user permissions
            1. Configuring LDAP
              1. Reusing the established connection
              2. Ignoring case during authorization
            2. Tuning user authentication
              1. Increasing authentication cache timeout
              2. Enabling SSO
        2. Troubleshooting WebSphere security-related issues
          1. Troubleshooting general security configuration exceptions
            1. Identifying problems with the Deployment Manager—node agent communication blues
              1. Receiving the message HMGR0149E: node agent rejected
              2. Receiving the message ADMS0005E: node agent unable to synchronize
          2. Troubleshooting runtime security exceptions
            1. Troubleshooting HTTPS communication between WebSphere Plug-in and Application Server
              1. Receiving the message SSL0227E: SSL handshake fails
              2. Receiving ws_config_parser errors while loading the plug-in configuration file
              3. Receiving the message GSK_ERROR_BAD_CERT: No suitable certificate found
              4. Receiving the message GSK_KEYFILE_IO_ERROR: No access to key file
            2. Receiving the message WSVR0009E / ORBX0390E: JVM does not start due to org.omg.CORBA.INTERNAL error
        3. Concluding WebSphere security-related tips
          1. Using wildcards in virtual hosts: never do it!
          2. Ensuring best practice: set tracing from wide to specific search pattern
          3. Using a TAI such as SiteMinder: remove existing interceptors
        4. Summary