WebSphere Application Server for z/OS V5 and J2EE 1.3 Security Handbook

Book Description

What do you think of when someone mentions z/OS security? Probably of something that is trustworthy, or even impenetrable. Perhaps you also think of something that is a little complex and challenging to administer.

What comes to mind when someone mentions Internet security? Perhaps you think of prominent Web sites that have been maliciously "hacked" or credit card numbers that have been stolen.

In this IBM Redbooks publication, we use working examples of code and configuration files to explain how you can run your Web-enabled applications with as high a level of security as other z/OS applications and subsystems, even if those applications were written or originally deployed on another platform. You do this by using the Java 2 Platform Enterprise Edition (J2EE) programming model and IBM WebSphere Application Server for z/OS and OS/390.

This book will help architects, application programmers, WebSphere and security administrators, and application and network architects to understand and use these products.

Please note that the additional material referenced in the text is not available from IBM.

Table of Contents

  1. Notices
    1. Trademarks
  2. Preface
    1. The team that wrote this redbook
    2. Become a published author
    3. Who should read this book
    4. Comments welcome
  3. Summary of changes
    1. New and revised cryptographic information
    2. Securing the file system
    3. Security domains
    4. Java 2 security
    5. Enhanced support for Tivoli Access Manager
    6. Other enhancements
    7. Information removed or relocated
  4. Part 1: Introduction to WebSphere and J2EE security
    1. Chapter 1: WebSphere Application Server V5 security overview
      1. WebSphere Application Server for z/OS Version 5 infrastructure overview and terminology
      2. WebSphere Application Server V5 security features
      3. J2EE 1.3 compliance features
      4. WebSphere Network Deployment family compliance features at interface layer
      5. Support of WebSphere family security configurations
      6. J2EE 1.3-compliant security enhancements
        1. Java 2 security
        2. J2EE role-based authorization enhancements
        3. WebSphere Application Server V5 and JAAS
        4. Java 2 security, J2EE security, and JAAS feature comparison
        5. z/OS Java security components
        6. JSSE security
        7. CSIv2 security protocol
        8. Pluggable authentication security
        9. Security configuration in z/OS and OS/390
        10. Enabling global security
      7. Comparisons between WebSphere Application Server for z/OS and OS/390 V4.0.1 and V5
      8. Key differences between WebSphere Application Server for z/OS and distributed platforms
        1. Two types of SSL on z/OS
        2. “Deprecated” V4 Advanced interfaces
        3. z/OS security properties
      9. Summary
    2. Chapter 2: Security design
      1. Overview of security challenges
        1. Assessing and managing security risks
        2. Evolving with emerging technologies and trends
      2. Finding the right level of security for your enterprise
        1. Evaluate security elements in each layer
        2. Ask the key questions
      3. Making some key decisions
        1. Intranet or Internet?
        2. Where will authentication take place?
        3. How will authorization to resources be determined?
        4. What other resources need to be accessed?
      4. Finding the right balance for your application
        1. Container-managed security
        2. Application-managed security
      5. Topological view of security
        1. Base topological view
        2. Encryption
        3. User registries and authorization databases
        4. Identity flow
      6. Summary
    3. Chapter 3: J2EE 1.3 and WebSphere Application Server V5 security concepts
      1. Overview
        1. Security server topology
        2. Terminology used for J2EE security
        3. User registries
        4. Global security
      2. J2EE container-based security
        1. Role-based authorization
        2. Web container authentication and authorization
        3. EJB container authentication and authorization
        4. RunAs versus run-as: Identity propagation
      3. Resource authentication
      4. Security interoperability using IIOP
      5. Additional security capabilities
        1. Authentication mechanism and single sign-on (SSO)
        2. Java 2 security
        3. Java Authentication and Authorization Service (JAAS)
        4. Additional programmatic login/logout capabilities
        5. Cryptographic application and data security
    4. Chapter 4: WebSphere Application Server application security
      1. Programmatic security
        1. J2EE APIs
        2. Programmatic authentication to resources
      2. JAAS for application security
        1. JAAS login verification using SWIPE
        2. Your own JAAS application login configuration
    5. Chapter 5: WebSphere application migration security aspects
      1. Application migration security aspect checklist
      2. Application migration strategies
      3. Migrating IBM HTTP Server thread level-based security
        1. Affected environments
        2. What is causing this problem?
        3. How can you make it work again?
      4. Migrating WebSphere Application Server thread level-based security
      5. Security aspects when migrating Common Connector Framework (CCF) connectors
        1. Affected environments
        2. What is causing this problem?
        3. How can you make it work again?
      6. Security aspects when migrating J2CA connectors
        1. Affected environments
        2. What is causing this problem?
        3. How can you make it work again?
      7. Migrating SOMDOBJS to EJBROLE
        1. Using SOMDOBJS with WebSphere simple configuration option
        2. Migrating from SOMDOBJS to the Web container and the EJBROLE profiles
  5. Part 2: SWIPE and our testing infrastructure
    1. Chapter 6: The sandbox infrastructure
      1. Physical integration into the network infrastructure
      2. System setup and service levels
        1. Operating system and program products
        2. Distributed environments
        3. Development environment
      3. Naming conventions
        1. WebSphere cells
        2. Naming convention variables
        3. Data sets and files
        4. Component trace procedure names
        5. Configuration objects
        6. Development base servers started tasks and user IDs
        7. Deployment manager started tasks and user IDs
        8. Node agent started tasks and user IDs
        9. Managed servers started tasks and user IDs
        10. TCP/IP ports
        11. Common information
        12. Starting servers
    2. Chapter 7: The security investigation application
      1. The SWIPE application
        1. SWIPE application structure
        2. SWIPE application architecture and description
      2. SWIPE authentication features
      3. Authorization features
        1. Web container authentication and authorization
        2. EJB container authorization: EJBRoles
        3. EJB container: Declarative security
        4. EJB container: Programmatic security
        5. EJB: RunAs concept
        6. Servlet run-as example
        7. The “Sync to OS Thread” concept
      4. The downloadable SWIPE package
      5. Deploying SWIPE
        1. SWIPE: JVM property for location discovery
        2. SWIPE and Java 2 security
        3. Setting the IBMEBizEnv environment variable
      6. SWIPE: Running EJBCaller
        1. SWIPE: EJBCaller - Input Part A
        2. SWIPE: EJBCaller - Input Part B
        3. SWIPE: EJBCaller - Input Part C, JAAS
        4. SWIPE: RunAsServlet
        5. SWIPE: index.html
        6. Remote JNDI example
      7. RACF definitions
        1. Overview
        2. Define user IDs
        3. Define a group
        4. Define EJBRoles
        5. Define GEJBROLE
        6. Permit access
        7. Verify security using SWIPE
    3. Chapter 8: The security investigation applications for EIS
      1. The SWIPE application for CICS, IMS, and DB2
        1. How SWIPE for EIS works
        2. SWIPE EIS application structure
        3. Define security roles for SWIPE/EIS
        4. Prepare WebSphere security to run the samples
        5. Plan resource reference to connection factory bindings
      2. Define J2CA connection factories and data sources
        1. Suggested scenarios for security verification
        2. Set up JAAS authentication aliases
        3. Set up connection factories and data sources for SWIPE/EIS
      3. Install SWIPE for CICS, IMS, and DB2
      4. Install the CICS components of SWIPECICS
      5. Start SWIPE for CICS, IMS, and DB2
      6. Run SWIPE for CICS, IMS, and DB2
      7. Debug SWIPE for CICS, IMS, and DB2
      8. The SWIPE application for JMS
        1. Invoke the JMS sample
        2. SWIPE application for JMS contents
        3. Security roles in the samples
        4. WebSphere MQ
        5. Prepare WebSphere security to run the samples
        6. WebSphere MQ: Queue definitions
        7. WebSphere MQ: RACF resource profiles
        8. J2C authentication data entries
        9. JMS queue connection factory definitions
        10. Queue destination definitions
        11. SWIPE JMS: Logical resources
        12. Install the SWIPE JMS application
        13. Run the SWIPE JMS application
        14. RACF messages
        15. Check the user ID that flows to WebSphere MQ
  6. Part 3: Cryptography
    1. Chapter 9: Using cryptographic services
      1. Cryptographic support
      2. How WebSphere fits in z/OS and zSeries cryptographic infrastructure
        1. Supported J2EE APIs
        2. SSL overview
      3. Hardware cryptography support for zSeries 2084 or 2086 engines
      4. Activation of hardware cryptography support for zSeries 2084, 2086, 9672, 2064, 2066, or 7060 engines
        1. Verify that your processor has Cryptographic Coprocessor
        2. Obtain the correct configuration enablement diskette or diskettes for your processor
        3. Load the configuration enablement diskette(s)
        4. Assign Cryptographic Coprocessors to LPARs
        5. Additional instruction for assigning the PCI crypto features to LPARs with a 2084 or 2086 engine
        6. Install and initialize Integrated Cryptographic Service Facility
        7. Initialize the CKDS and PKDS and load your master key
      5. Configure WebSphere to use hardware cryptographic services
        1. Configure WebSphere to use hardware cryptography for SSL
        2. Configure WebSphere to use hardware cryptography in support of the ICSF authentication mechanism
      6. Securing and maintaining cryptography
        1. RACF protection for ICSF
        2. RACF setup to secure OCSF and OCEP
      7. Create RACF keyrings and certificates
      8. Set up Secure Sockets Layer (SSL) for WebSphere for z/OS
        1. Certificates in WebSphere and RACF
        2. SSL client certificate security for your WebSphere Application Server and clients
        3. Define SSL security for servers and clients
        4. Use certificates to set up HTTPS internal transport connections
        5. Set up secure HTTPS internal transport connections using a server certificate signed by an internal CA
        6. Set up secure HTTPS internal transport connections using client certificates signed by an internal CA
        7. Set up secure HTTPS internal transport connections using server certificates signed by an external CA
        8. Set up secure HTTPS internal transport connections using client certificates signed by an external CA
  7. Part 4: WebSphere Application Server for z/OS security infrastructure
    1. Chapter 10: WebSphere Application Server runtime security
      1. WebSphere address space concepts
      2. WebSphere Application Server SAF integration
      3. Basic RACF setup for z/OS
      4. SAF naming standards and conventions
        1. RACF group structure
        2. Creating machine user IDs
        3. System data set profiles
        4. Ownership
      5. Setting up RACF controls for products related to WebSphere
        1. z/OS UNIX level security
      6. RACF protection for LDAP servers on z/OS
      7. RACF protection for DB2
      8. RACF protection for IBM HTTP Server for z/OS
      9. Summary of RACF general resource classes used by WebSphere
      10. The WebSphere ISPF installation security dialog
        1. Security Customization panel settings
        2. ISPF customization dialogs for RACF command generation
        3. RACF definitions, naming conventions, and considerations for WebSphere environments on z/OS
        4. Define RACF groups for WebSphere
        5. Define RACF user IDs for the WebSphere infrastructure
        6. Protect WebSphere-related data sets with RACF
        7. Profiles for WebSphere in class STARTED
        8. Profiles for WebSphere in class LOGSTRM
        9. Profiles for WebSphere in class CBIND
        10. Profiles for WebSphere in class SERVER
        11. Profiles in class REALM
      11. HFS security
      12. HFS ACLs
        1. The problem: Use of ACLs
        2. Details of HFS ACL functionality
        3. ACL inheritance
        4. Enabling and disabling ACL checking
        5. ACL creation: setfacl and getfacl
        6. The solution: An ACL example
      13. zFS security
    2. Chapter 11: Registries
      1. User registry overview
        1. User registry authentication data
        2. User registry authorization data
        3. Local versus remote registries
        4. Choosing a registry
      2. Authentication overview
      3. WebSphere authentication mechanisms
      4. Authorization overview
    3. Chapter 12: Local operating system registries
      1. Authentication with a local registry
      2. Authorization with a local registry
        1. Operating system resource authorization
        2. WebSphere resource authorization
        3. SAF-based WebSphere authorization concepts
        4. How to interact with a local registry
    4. Chapter 13: Remote registries
      1. Remote or pluggable registries for WebSphere
        1. Authentication with a remote registry
        2. Authorization with a remote registry
      2. The concept of identity mapping
        1. Overview
        2. Implementations and available products
      3. Trust association interceptor
      4. How to interact with a remote registry
        1. Tivoli Access Manager for e-business AMWAS module
        2. Custom user registry
      5. Sample scenario: Using LDAP native authentication
        1. Enablement
        2. Verification
      6. Sample scenario: Authentication with Tivoli Access Manager for e-business WebSEAL
        1. Enablement
        2. Verification
      7. Sample scenario: Implementing file-based custom user registry
        1. Implementation
        2. Verification
      8. Sample scenario: Off-platform authentication with WebSEAL on Linux for zSeries using TAI
        1. Implementation
        2. Verification
      9. Sample scenario: Implementing a custom TAI
      10. Registry choices summary table
    5. Chapter 14: IBM Tivoli Access Manager and WebSphere Application Server integration
      1. Introducing IBM Tivoli Access Manager for WebSphere
        1. Tivoli Access Manager features and components
        2. Why use Tivoli Access Manager with WebSphere?
        3. Scenario 1: Tivoli Access Manager authentication and LocalOS authorization for WebSphere
        4. Scenario 2: Tivoli Access Manager authentication and authorization for WebSphere
        5. Scenario 3: Tivoli Access Manager authentication, authorization, and native authentication for WebSphere
      2. Configuring Tivoli Access Manager and WebSphere Application Server integration
        1. Tivoli Access Manager setup in our environment
        2. Configure Tivoli Access Manager for WebSphere
        3. Configure WebSphere for Tivoli Access Manager
        4. Enable WebSphere Application Server security to use Tivoli Access Manager
        5. Migrate WebSphere Application Server security settings
        6. Configure single sign-on between WebSEAL and WebSphere
      3. Using Tivoli Access Manager for WebSphere
        1. Create users or groups with Tivoli Access Manager
        2. Create and secure roles with Tivoli Access Manager
        3. Grant user access to J2EE roles with Tivoli Access Manager
        4. Deploy an application: SWIPE
    6. Chapter 15: WebSphere administration and administrative security
      1. WebSphere administration approaches
      2. Securing the administrative tasks
        1. Securing deployment manager and node agent
        2. Securing configuration files
      3. Securing JMX and MBeans
        1. JMX architecture in WebSphere
        2. JMX and MBean security
      4. WebSphere administration authentication
      5. Role-based administrative security
        1. Four administrative roles
        2. Map a user to an administrative role
      6. Fencing servers, nodes, and cells in a sysplex
        1. Fencing base servers
        2. Fencing cells
        3. Fencing nodes and servers in a cell
        4. Security concerns of the federation process
      7. Enabling global security
        1. Global security
        2. Why turn on global security?
        3. What global security protects
        4. Enabling global security on a base Application Server node
        5. Disabling global security
        6. Using wsadmin scripting to enable global security
        7. Disable server-level application security in a cell
      8. Securing the CosNaming service
        1. Associate users and groups to CosNaming roles
        2. SAF EJBROLE authorization for naming
    7. Chapter 16: Web container security
      1. Introduction
      2. Web container authentication
        1. Configure authentication for Web components
        2. Basic authentication
        3. Form-based authentication
        4. Enhanced form-based login
        5. Certificate-based authentication
        6. Password management
        7. WebSphere authentication mechanisms
        8. HTTP-based single sign-on
      3. Web container authorization
        1. Web resource protection
        2. Web component protection with role references
      4. Web container identity delegation and propagation
        1. WebSphere role to user implementation
    8. Chapter 17: Security integration with the WebSphere HTTP plug-in
      1. Multi-tier topologies and DMZ
        1. Network security
        2. Putting the pieces together
        3. Basic network security setup
        4. Basic reverse proxy setup
        5. A business-to-business variation
      2. WebSphere and HTTP server plug-ins
        1. z/OS local redirector plug-in
        2. WebSphere HTTP plug-in
      3. WebSphere HTTP plug-in description
        1. WebSphere HTTP plug-in configuration
        2. WebSphere HTTP plug-in execution flow
        3. Defining virtual hosts and HTTP transports
        4. WebSphere HTTP plug-in configuration file generation
        5. IBM HTTP Server for WebSphere Application Server for z/OS HTTP plug-in configuration
        6. Distributed HTTP server WebSphere HTTP plug-in configuration
        7. Protection setups in the IBM HTTP Server and security credential forwarding
      4. SSL authentication with the WebSphere HTTP plug-in
        1. WebSphere HTTP plug-in client certificate forwarding
        2. Enabling mutual authentication with IBM HTTP Server for z/OS
      5. Validation tests for IBM HTTP Server for z/OS
        1. Test case PG1: Authentication through WebSphere HTTP plug-in for z/OS with HTTP and HTTPS transport
        2. Test case PG2: Authentication through WebSphere HTTP plug-in for z/OS using HTTP transport and authentication mechanisms
      6. WebSphere HTTP plug-in on distributed platforms
        1. Enabling mutual authentication with a non-z/OS HTTP server
        2. SSL certificate generation
        3. Key ring generation
        4. IBM HTTP Server configuration file
        5. WebSphere configuration
      7. Security validation for the WebSphere HTTP plug-in on distributed platforms: Test cases
        1. Test case WN1: Authentication through WebSphere HTTP plug-in on Windows using HTTP transport
        2. Test case WN2: Authentication through distributed HTTP server with mutual SSL authentication
    9. Chapter 18: EJB container security
      1. EJB container authentication protocols
        1. WebSphere Application Server for z/OS V4 versus V5
      2. Common Secure Interoperability Version 2 (CSIv2)
        1. Overview
        2. CSIv2 authentication in WebSphere Application Server
        3. Enabling CSIv2
      3. CSIv2 solution scenarios
        1. Scenario 1: Basic authentication and identity assertion
        2. Scenario 2: SSL and identity assertion
        3. Scenario 3: Client certificates
      4. zSAS authentication protocol
        1. zSAS overview
        2. zSAS authentication methods
        3. zSAS authentication in a single system environment
        4. Authentication in a sysplex
        5. Authentication between z/OS systems outside a sysplex
        6. Authentication with EJB applications on non-z/OS platforms
      5. EJB container authorization
        1. Overview
        2. Resource authorization at the application level
      6. Security propagation
      7. EJB container security verification using SWIPE
        1. Java 2 security
        2. IBMEBizEnv
        3. SWIPE input fields
        4. Test Case 1: Both servers on the same z/OS image
        5. Test Case 2: Windows to z/OS
      8. CSIv2 security verification using SWIPE
        1. SWIPE to SWIPE
        2. WebSphere on Windows 2000 to WebSphere on z/OS: No SSL, asserted identity
        3. WebSphere Application Server to WebSphere Application Server on the same LPAR
    10. Chapter 19: WebSphere Application Server logging and auditing
      1. Sources of WebSphere Application Server for z/OS log data
        1. WebSphere SMF data
        2. RACF SMF data
    11. Chapter 20: Web services security
      1. Web services security
        1. Security aspects
        2. Security terminology
        3. Security standards
        4. Other standards
        5. Best practices
  8. Part 5: Appendixes
    1. Appendix A: Setup and debugging guides
      1. Configuring SSL between WebSphere Application Server and a CICS Transaction Gateway daemon
      2. Detailed steps for using gsskyman
      3. Using keytool to drive iKeyman
      4. Using iKeyman on Windows
      5. Importing WebSphere’s certificate in CICS Transaction Gateway KDB
      6. Creating a connection factory to support SSL
      7. Certificate generation hints for network deployment cells
      8. Troubleshooting ICSF Pass Phrase initialization problems
      9. LDAP activity logging
      10. Tracing System SSL
    2. Appendix B: Additional material
      1. Locating the Web material
      2. Using the Web material
      3. How to use the Web material
  9. Related publications
    1. IBM Redbooks
    2. Other publications
    3. Online resources
    4. How to get IBM Redbooks
    5. Help from IBM
  10. Index
  11. Back cover