Enabling WebSphere global security
Global security represents the security configuration that is effective for the entire security domain. It includes the configuration of the common user registry, authentication mechanism, Java 2 Platform, Enterprise Edition (J2EE) role-based authorization, the Common Secure Interoperability Version 2 (CSIv2) authentication protocol, and the Secure Sockets Layer (SSL) configuration. In particular, J2EE role-based authorization guards access to Web resources such as servlets, JavaServer Pages (JSP) files, and Enterprise JavaBeans (EJB) methods.
- Websphere administrative security
Enabling WebSphere administrative security protects the system environment including administrative console from unauthorized users. Administrative security is enabled by default in production environment. If you plan to have application security enabled, administrative security must be enabled.
- WebSphere application security
Enabling WebSphere application security prevents all Enterprise JavaBeans components from being exposed to remote invocation by anyone. If you operate your WebSphere Commerce site from behind a firewall, you can disable WebSphere application security. However, you should disable it only if you are sure that no malicious applications are running behind the firewall.
Before you begin
- When enabling WebSphere
global security, it is strongly recommended that your machine meets
the following requirements:
- A minimum machine memory of 1 GB.
- A minimum heap size of 384 MB, for the WebSphere Commerce application.
- When enabling WebSphere global security on
Windows 2003 platform, it is recommended that you enlarge the TCP
Ports to 65534 on all nodes on your system that are running on Windows
2003. This includes the WebSphere Commerce node, the LDAP server node,
and the Commerce-enabled Portals node. After enlarging the TCP Ports,
you will need to restart the servers on the nodes that were changed.
For more information, see the following topic in Microsoft support: When you try to connect from TCP ports greater than 5000 you receive the error 'WSAENOBUFS(10055)'If you do not enlarge the TCP Ports, you might receive an error similar to the following:
Authentication failed for user uid=wpsbind,cn=users,dc=ibm,dc=com because of the following exception javax.naming.CommunicationException: svt4.cn.ibm.com:389. Root exception is java.net.BindException: Address in use: connect
- After WebSphere global security
is enabled for a WebSphere Commerce instance or payment instance,
you must provide a username and password when starting and stopping
the WebSphere Commerce instance or payment instance. For example:
stopServer server1 -username administrator -password passw0rd
.
Before you begin to enable security, you will need to know how the WebSphere Application Server, where you are enabling security, validates user IDs. WebSphere Application Server can use the operating system user registry or federated repositories as the WebSphere Application Server user registry. See one of the following pages for instructions on enabling security using one of the user registries:
About this task
Enabling WebSphere application security prevents all Enterprise JavaBeans components from being exposed to remote invocation by anyone. If you operate your WebSphere Commerce site from behind a firewall, you can disable WebSphere application security. However, you should disable it only if you are sure that no malicious applications are running behind the firewall.
The WebSphere Commerce instance has global security enabled by default during the instance creation process. That is, WebSphere Application Server administrative security is enabled, with application security disabled by default. Disabling application security has the advantage of better performance when compared to running with application security enabled. The primary administrative user is a user from the built-in file registry. The instance creation process creates the user by initially taking the credentials used to login to the WebSphere Commerce Configuration Manager. You can change the primary administrative user using the WebSphere Application Server Administrative Console.
Global security controls both administrative security and application security. Due to the fact that WebSphere Commerce has its own authentication and authorization structure, you may disable application security if WebSphere Commerce is deployed in a trusted zone behind a firewall. This configuration will allow you to enable the single sign-on capability and secure WebSphere Application Server administrative functions without exercising any J2EE security checks on the application.
For more information, see theAdministrative security topic in the WebSphere Application Server Information documentation.