Enabling security with a WebSphere file-based user registry only

You can enable WebSphere global security by using only the WebSphere Application Server file based user registry.

Procedure

Optional: If you have WebSphere Commerce Payments instances, complete this step:
1. Open Configuration Manager.
2. Click WebSphere Commerce > node_name > Payments > Instance List > instance_name > Instance Properties > instance.
3. Clear the Password Required for startup check box.
4. Click Apply.
5. Close the Configuration Manager.
In the WebSphere Application Server Administration Console, modify the global security settings.
1. Log on as a user with administrative authority.
2. Start the WebSphere Application Server administration server.
3. Open the WebSphere Integrated Solutions Console.
4. Click Security and go to Global security. Under Available realm definitions, select Federated repositories and click Set as current. Click Configure.
  Note: The assumption is that the Federated Repositories realm contains one repository: the internal file-based repository.
5. Enter your primary administrative user name. This user is created in the internal file-based repository if it does not exist there.
6. Enter your server user identity:
  1. Select Automatically generated server identity.
  2. Click Apply and then Save.
7. Return to Global security.
  1. Confirm that Federated Repositories is set at current realm definition. Under Available realm definitions, select Federated repositories and click Set as current.
  2. Select Enable administrative security.
  3. Optional: Select Enable application security.
  4. Clear Use Java 2 security to restrict application access to local resources.
  5. Click Apply and then Save.
8. Complete the following steps if you selected Enable application security:
  - In the navigation pane, click Applications > Application Types > WebSphere enterprise applications
    1. Click Security role to user/group mapping.
    2. Select WCSecurity Role and click Look up users and locate the user whose role you want to map.
      Note: This user name is the primary administrative user name that you specified in step 6e.
    3. Click OK and then Save.
    4. Click User RunAs roles.
    5. Select WCSecurityRole and specify the user name and password.
    6. Click Apply.
    7. Click OK and then Save.
  - 1. Open WebSphere Commerce Developer.
    2. Open the META-INF\ibm-application-bnd.xmi file in the WebSphere Commerce EAR project, and click the Design view of the file.
    3. Expand and select Security Role (WCSecurityRole).
    4. Click Add, select User and click OK.
    5. Under the Details heading, enter the distinguished name of the RunAs ID user, for example: uid=configadmin,o=defaultWIMFileBasedRealm.
    6. Save your changes.
Enable security in the WebSphere Commerce application.
- On WebSphere Commerce:
  1. Open the Configuration Manager.
  2. Select WebSphere Commerce > node_name > Commerce > Instance List > instance_name > Instance Properties > Security.
  3. Select the Enable Administrative Security check box.
  4. Enter the Server user ID and password that you use to login to the WebSphere Application Server administrative console.
  5. Complete the following steps if you selected Enable application security:
    1. Select the Enable Application Security check box. Click Yes to any confirmation prompts that appear.
    2. Enter the user ID and password for the user with the WCSecurityRole that you previously specified.
  6. Click Apply.
  7. Close the Configuration Manager.
- On WebSphere Commerce Developer:
  1. Modify the wc-server.xml file by completing these steps:
    1. Open a command-line utility and go to the WCDE_installdir/bin directory.
    2. Use the wcs_encrypt command to generate an encrypted string of your password. Record the ASCII encrypted string.
    3. Open the file WCDE_installdir/workspace/WC/xml/config/wc-server.xml
    4. Update the Security section:
      <Security AdminPwd="WASAdminPassword" AdminUser="WASAdminUserName" AuthMode="" Realm="" RunAsID="" RunAsPwd="" enabled="false" enabledGlobal="true" passwordpolicy="true" />
      Where:
      
      WASAdminPassword
      
      The ASCII encrypted string that is generated by the wcs_encrypt command, for the primary WebSphere Application Server administrative security user's password.
      
      WASAdminUserName
      
      The distinguished name of the primary WebSphere Application Server administrative security user, for example uid=configadmin,o=defaultWIMFileBasedRealm.
    5. Optional: If application security is enabled, you must update the Security section with the following values, marked in bold:
      <Security AdminPwd="WASAdminPassword" AdminUser="WASAdminUserName" AuthMode="" Realm="" RunAsID="RunAsUserID" RunAsPwd="RunAsUserPassword" enabled="true" enabledGlobal="true" passwordpolicy="true" />
      Where:
      
      RunAsUserID
      
      The distinguished name of the user that has the WCSecurityRole, for example, uid=configadmin,o=defaultWIMFileBasedRealm.
      
      RunAsUserPassword
      
      The ASCII encrypted string that is generated by the wcs_encrypt command, for the RunAs user's password.
    6. Save your changes and close the file.
  2. Manually configure these additional WebSphere Application Server security properties:
    1. Configure the WebSphere Commerce Test Server properties.
      
      Right-click on the server and select Open.
      
      Go to the Security panel.
      
      Select Security is enabled on this server.
      
      Enter the user ID and plain-text password for the current active authentication settings.
      Note: Enter the same user ID and password as the WebSphere Application Server Primary Administrative User specified in the wc-server.xml file.
Restart your WebSphere Commerce instance.

What to do next

WebSphere Commerce Developer Introduced in Feature Pack 2 If you are working in your development environment and you enabled application security, you must also enable application security on your search server. For more information, see Securing the WebSphere Commerce search server.