8/16/2019 Session 7 Lab
Lab – Websphere Application Server Session 8 WebSphere Security
Table of Contents
1. Security configuration – Tivoli Directory Server 6.1 with Websphere 6.1
1.1 Configure Federated Repository in Websphere Network Deployment Manager
1.2 Create definition for the LDAP Repository
1.3 Adding Repository to Realm
1.4 Assign Administrative role
1.5 Restart the server
1.6 Test the Configuration
2. Sample LDIF file
3. SSL digital certificates and WebSphere Application server
3.1 Browser to Web Server
3.2 WebSphere to WebSphere (between Nodes)
3.3 Web Server to WebSphere (through Plug-in)
By
Ayyanar Jeyakrishnan
Security configuration – Tivoli Directory Server 6.1 with Websphere 6.1
1. Security Configuration in Websphere Application Server.
Websphere 6.1 supports Federated Repositories, wherein multiple repositories can be configured under a single realm. The default file based repository can also be part of the list of repositories. In this sample, we shall configure the federated repository in Websphere to include an additional LDAP (TDS) registry apart from the default file based registry.
1.1 Configure Federated Repository in Websphere Network Deployment Manager
1. Start the Websphere Network Deployment Manager if the server is not started.
2. Login to the Websphere admin console with an administratively privileged user. The default username 'admin' and password 'admin' are created during the installation of WAS. Change this default before the cell is reachable from anything other than the lab network.
3. From the admin console navigate to Security > Secure administration, applications, and infrastructure.
1.2 Create definition for the LDAP Repository
This task shows how to create and configure a repository that links to the LDAP registry.
1. In the User account repository option select Federated repositories and click on Configure.
2. In the configuration window click on the 'Manage Repositories' link. This is used to list the already configured repositories for that server. This link also has options for creating and deleting the repositories. As per our requirement, we need to create a repository for the LDAP registry structure available (TDS).
3. Click on the ADD button. Enter the following details highlighted in the image below:
a. Repository Identifier: Any unique identifier which is used to identify the repository, say, TDS6
b. Directory type: Choose the appropriate LDAP server to be used. In our case, it would be IBM Tivoli Directory Server Version 6
c. Primary host name: LDAP server hostname or IP address will work.
d. Bind distinguished name: The DN used to bind with the LDAP server, say, cn=root.
e. Bind password: Appropriate password for the bind DN used.
f. Login properties: The property which the users use to login to the Process server. In this case, the value would be uid
Note:
I. In the below screen shot, we have used the Bind Name as the LDAP admin user. It is mandatory to state it in the format 'cn=root'. We are using this to connect (bind) to the LDAP server. Binding as the directory administrator gives WebSphere write authority over the entire directory; outside the lab, use a dedicated bind account with read access to the base entry only.
II. In Login properties, we are using 'uid', which says that the users at the LDAP registry are recognized with this property at login to the server. The admin has the choice of using 1 or more properties while configuring. A user entry that has no uid attribute will be visible in searches but can never log in.
III. Rest of the fields are left as default.
4. Click Apply. This operation gets back to Manage Repositories. Here verify the entry you just created. Save the changes to the repository.
1.3 Adding Repository to Realm
This task adds the repository created in the previous task to the 'Realm'.
2. Choose the repository (TDS6) you want to add to the realm. This lists the repository Identity.
3. Add the DN for the base entry as dc=ibm,dc=com
Note: This refers to the unique registry tree within the LDAP server which you want to connect to, to get the user and/or group details.
4. Click Apply. And Save the changes to the master configuration. Verify that the entry is made in the Configuration in Federated repositories section.
5. Enter the 'Realm name'. This can be any name that would represent the security realm.
6. Enter the 'Primary administrative user name'. This is the admin user for WAS. It must resolve in the new realm (here, wpsadmin from LDAP); if it does not, nobody can log in to the console after the restart. The recovery is to run wsadmin with -conntype NONE and issue securityoff, then fix the configuration.
7. Click Apply. And Save the changes to the master configuration. This brings us back to the main page 'Secure administration, applications, and infrastructure'
8. Here make sure that 'Federated repositories' is chosen under 'Available realm definitions' and then click on the 'Set as Current' button.
We have now completed the task of adding the LDAP registry into the federated repository configuration for WAS security.
1.4 Assign Administrative role
This task is used to assign the administrative role to the user(s) in LDAP.
1. Make sure that Administrative security is enabled.
2. Click on 'Administrative user roles'. This link is used to assign privileges to users.
3. Enter an existing username & assign the appropriate role.
4. Click Apply & Save the changes to the master configuration.
5. In this example, we have assigned 1 user 'wpsadmin' from LDAP as an administrator.
Note: It's 'Not Active' as that user has not logged in yet.
1.5 Restart the server
1. For the new security configuration to take effect, the WAS Deployment Manager, the node agents and the Cluster servers need to be restarted. Refer to the steps below for restarting the server.
1. Log into the Administrative Console.
a. Enter the following URL in a Web browser:
http://localhost:9060/ibm/console/
Enter admin for the user ID and admin for the password
2. Stop the cluster (MyCluster).
a. Click Servers > Clusters.
b. Check MyCluster, and then click Stop.
Wait for the Status to change to solid red. Continually refresh the Status and verify that the MyCluster status is solid red, indicating "Stopped".
3. Stopping the Deployment Manager and the two node agents
a. Return to the DOS command shell on system B that you used to start and stop the Application Server (if you closed the shell, the directory is C:\IBM\WebSphere\AppServer\profiles\AppSrv02\bin)
b. Enter the command
stopNode.bat
Make sure that the node is stopped
c. Return to the DOS command shell on system A that you used to start and stop the Application Server (if you closed the shell, the directory is C:\IBM\WebSphere\AppServer\profiles\AppSrv01\bin)
d. Enter the command
stopNode.bat
Make sure that the node is stopped
e. Return to the DOS command shell on system A that you used to start and stop the Application Server (if you closed the shell, the directory is C:\IBM\WebSphere\AppServer\profiles\Dmgr01\bin)
f. Enter the command
stopManager.bat -username admin -password admin
Make sure that the deployment manager is stopped
Note: once administrative security is on, stopNode.bat needs credentials as well. Passing -password on the command line leaves it in the shell history and in process listings; for a secured cell, put the credentials in profile_root\properties\soap.client.props (com.ibm.SOAP.loginUserid and com.ibm.SOAP.loginPassword, encoded with PropFilePasswordEncoder.bat) instead.
4. Start the Deployment Manager and the two node agents
a. From a DOS command prompt on System A, execute the following:
cd C:\IBM\WebSphere\AppServer\profiles\Dmgr01\bin
startManager.bat
Wait until the Deployment Manager has been started.
b. Start the Node Agent on System A. From a DOS command prompt on System A, execute the following:
cd C:\IBM\WebSphere\AppServer\profiles\AppSrv01\bin
startNode.bat
c. Start the Node Agent on System B. From a DOS command prompt on System A, execute the following:
cd C:\IBM\WebSphere\AppServer\profiles\AppSrv02\bin
startNode.bat
5. After the servers restart, you should be able to login to the admin console with the wpsadmin user (password: wpsadmin).
1.6 Test the Configuration
1. To verify the list of users from LDAP, click on Users and Groups > Manage Users. Click on Search. All the users, including the wpsadmin user from the LDAP registry, would be listed.
2. To verify the user groups, click on Manage Groups and click on Search. Groups from the file based repository as well as the LDAP repository are listed in the results.
3. To verify the users in the groups, click the group name links in the above image and then click on Members.
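The same configuration as sections 1.2 to 1.4, driven from wsadmin instead of the console, as an added example (this is not a script from the lab). The host name, port, bind account, realm name and repository identifier are placeholders; the -loginProperties parameter and the mapUsersToAdminRole command should be confirmed with AdminTask.help() on your build before you rely on them.

```jython
# wsadmin -lang jython -f configure_tds_repo.py
# Added example for this lab, not the lab's own script. Placeholders below are assumptions.
REPO_ID    = 'TDS6'                       # repository identifier, as in section 1.2
LDAP_HOST  = 'tds.example.com'            # assumption: your TDS host
LDAP_PORT  = '389'
BIND_DN    = 'cn=wasbind,dc=ibm,dc=com'   # assumption: a read-only bind account rather than cn=root
BIND_PW    = 'changeit'                   # assumption; better read from a protected file than hard-coded
BASE_DN    = 'dc=ibm,dc=com'              # base entry, section 1.3
REALM      = 'defaultWIMFileBasedRealm'   # realm that already holds the file-based repository
ADMIN_USER = 'wpsadmin'                   # LDAP user to receive the administrator role, section 1.4

# 1.2 Create the LDAP repository definition. IDS6 = IBM Tivoli Directory Server 6.x;
#     uid is the login property the users authenticate with.
AdminTask.createIdMgrLDAPRepository('[-id %s -ldapServerType IDS6 '
    '-adapterClassName com.ibm.ws.wim.adapter.ldap.LdapAdapter -loginProperties uid]' % REPO_ID)
AdminTask.addIdMgrLDAPServer('[-id %s -host %s -port %s -bindDN %s -bindPassword %s]'
    % (REPO_ID, LDAP_HOST, LDAP_PORT, BIND_DN, BIND_PW))

# 1.3 Register the base entry with the repository, then add it to the realm
AdminTask.addIdMgrRepositoryBaseEntry('[-id %s -name %s]' % (REPO_ID, BASE_DN))
AdminTask.addIdMgrRealmBaseEntry('[-name %s -baseEntry %s]' % (REALM, BASE_DN))

# 1.4 Give one LDAP user the administrator role (the user must resolve in the realm,
#     otherwise the console is locked out after the restart in section 1.5)
AdminTask.mapUsersToAdminRole('[-roleName administrator -userids %s]' % ADMIN_USER)

AdminConfig.save()
print 'Saved. Restart the deployment manager and node agents (section 1.5) to activate.'
```

Run it with profile_root\Dmgr01\bin\wsadmin.bat -lang jython -f configure_tds_repo.py against the deployment manager; setting Federated repositories as the current realm definition is still done in the console as in step 8 of section 1.3.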
2. Sample LDIF file
Save the lines below in a file with an extension of .ldif (for example, wpsusers.ldif) so it can be imported into an LDAP server. Before you import the file, remember to create a suffix in the LDAP server of dc=ibm,dc=com.
Note on what is portable: the cn=crypto,cn=localhost entry and the ibm-entryuuid attributes are generated by the exporting TDS server, and the {AES256} userpassword values are encrypted with that server's crypto sync key (as reproduced here, those values are not usable). To load these users into a fresh TDS, leave out the cn=crypto entry and the ibm-entryuuid lines and give each user a clear-text userpassword, which the server encrypts on import. Users that carry no uid attribute cannot log in to WebSphere, because uid is the login property configured in section 1.2.

version: 1

dn: cn=crypto,cn=localhost
cn: crypto
objectclass: ibm-cryptoConfig
objectclass: ibm-slapdConfigEntry
objectclass: top
ibm-slapdCryptoSync: 40!"#$g!%&p$%y0'==
ibm-slapdCryptoSalt: '()b*C#$+m
ibm-entryuuid: ced0a/c-022-4//-b$1$-44ce4ea2/f

dn: dc=ibm,dc=com
dc: ibm
objectclass: domain
objectclass: top
ibm-entryuuid: dffabac-aca-40$-240-12f$0a4d

dn: cn=John,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: person
objectclass: top
objectclass: organizationalPerson
sn: Play
cn: John
uid: John
userpassword: {AES256}4ho38pm9;fbmb/$a4-c/ae-44>-2a01-ecf>11/$ce40

dn: cn=VicePresident,dc=ibm,dc=com
objectclass: groupOfNames
objectclass: top
member: CN=NULL
cn: VicePresident
ibm-entryuuid: f$f4f-ae1c-400/-add4-4/d2d00/
member: cn=John,dc=ibm,dc=com

dn: cn=Ashish,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: top
objectclass: person
objectclass: organizationalPerson
sn: V
cn: Ashish
userpassword: {AES256}vAt(0/i%vB@jDE%s9"'==
uid: Ashish
ibm-entryuuid: 1c>dfd1-144-4$>-2f>-e1$0a0d$2

dn: cn=Samay,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: person
objectclass: top
objectclass: organizationalPerson
sn: K
cn: Samay
ibm-entryuuid: a>a4f0de-a>cf-4fc-a4$4-f2$0ed>10$

dn: cn=SeniorUnderwriters,dc=ibm,dc=com
objectclass: groupOfNames
objectclass: top
cn: SeniorUnderwriters
member: CN=NULL
ibm-entryuuid: 2bb>b0$-4$$1-4$a->fdd-a>20ca4b0>0c
member: cn=Ashish,dc=ibm,dc=com
member: cn=Samay,dc=ibm,dc=com

dn: cn=Pawan,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: top
objectclass: person
objectclass: organizationalPerson
sn: Negi
cn: Pawan
uid: Pawan
userpassword: {AES256}d9@lDj'#FGS%2r99(9==
ibm-entryuuid: 4be100-c$4-44bb-2b1f-f>/a2becfb

dn: cn=Rohit,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: person
objectclass: top
objectclass: organizationalPerson
sn: Garg
cn: Rohit
ibm-entryuuid: a$c>/d0-100c-4$-bac-$0e0cf414

dn: cn=Astha,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: top
objectclass: person
objectclass: organizationalPerson
sn: <
cn: Astha
uid: Astha
userpassword: {AES256}!%v%S9sHH8s0bI(4G5==
ibm-entryuuid: 4fac$>c-d2//-4/0-abd-4>e004a04c

dn: cn=Parul,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: person
objectclass: top
objectclass: organizationalPerson
sn: Khanna
cn: Parul
ibm-entryuuid: 0ddf4>2-edcc-4$df-a$/->aebfadd//a

dn: cn=LoanOfficers,dc=ibm,dc=com
objectclass: groupOfNames
objectclass: top
cn: LoanOfficers
member: CN=NULL
ibm-entryuuid: /e1a122-fc-4>ae-2c4c-eb/2ca$/440
member: cn=Astha,dc=ibm,dc=com
member: cn=Rohit,dc=ibm,dc=com

dn: cn=Underwriters,dc=ibm,dc=com
objectclass: groupOfNames
objectclass: top
cn: Underwriters
member: CN=NULL
ibm-entryuuid: 020de$/>->4bb-4>>-b/2c-$c/2//ec1
member: cn=Parul,dc=ibm,dc=com
member: cn=Pawan,dc=ibm,dc=com

dn: cn=wpsadmin,dc=ibm,dc=com
userpassword: {AES256}>28#Jdclcs8SC.Drel55==
objectclass: inetOrgPerson
objectclass: person
objectclass: top
objectclass: organizationalPerson
cn: wpsadmin
sn: wpsadmin
uid: wpsadmin
ibm-entryuuid: f/f4a-cdca-44e/-a>/-/de$a0cf/0

dn: cn=ldapadmin,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: top
objectclass: person
objectclass: organizationalPerson
cn: ldapadmin
sn: ldapadmin
uid: ldapadmin
userpassword: {AES256}J0or3?%HmBnCo;C3jmg==
ibm-entryuuid: b0af>e-$/>/-4e>e-b$40-/01f102/0

dn: cn=admingroup,dc=ibm,dc=com
objectclass: groupOfNames
objectclass: top
cn: admingroup
member: CN=NULL
ibm-entryuuid: /f00140d-ee$-4f10-20$-$dcbaef0dd4
member: cn=wpsadmin,dc=ibm,dc=com
member: cn=ldapadmin,dc=ibm,dc=com
member: cn=John,dc=ibm,dc=com
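Before an export like the one above is loaded into the registry that WebSphere authenticates against, it is worth checking it against the configuration from section 1. The script below is an added example, not part of the lab: it parses LDIF, confirms that every group member DN resolves to an entry in the file (the CN=NULL placeholder TDS writes into empty groups is tolerated), flags person entries that lack the uid login property, and flags {AES256} password values that are bound to the exporting server. The SAMPLE data is constructed for the example; it mirrors the lab's entries and contains one user without uid and one member DN with the wrong suffix on purpose.

```python
"""Pre-import checks for an LDIF file used as a WebSphere federated-repository registry.

Added example for this lab (not part of the original page). Assumptions: the login
property configured in section 1.2 is uid, and the SAMPLE text below is constructed.
"""
import base64
import re

LOGIN_PROPERTY = "uid"           # "Login properties" in section 1.2; assumption: a single property
PLACEHOLDER_MEMBER = "cn=null"   # TDS writes member: CN=NULL into otherwise empty groups
PERSON_CLASSES = {"inetorgperson", "person", "organizationalperson"}


def normalize_dn(dn):
    """Case-insensitive DN comparison; ignores spaces around the ',' separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Return [(dn, {attr: [values]})] in file order.

    Handles LDIF folding (a line starting with one space continues the previous
    line), comments, the version line and '::' base64-encoded values."""
    entries = []
    dn, attrs = None, {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if not line.strip():                      # blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if value.startswith(":"):                 # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def check_ldif(text):
    """Return a list of (problem, dn, detail) tuples; an empty list means the file is clean."""
    entries = parse_ldif(text)
    known = {normalize_dn(dn) for dn, _ in entries}
    problems = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "groupofnames" in classes:
            for member in attrs.get("member", []):
                m = normalize_dn(member)
                if m != PLACEHOLDER_MEMBER and m not in known:
                    problems.append(("dangling-member", dn, member))
        if classes & PERSON_CLASSES:
            if LOGIN_PROPERTY not in attrs:       # present in LDAP, but can never log in
                problems.append(("no-login-property", dn, LOGIN_PROPERTY))
            for pw in attrs.get("userpassword", []):
                if pw.upper().startswith("{AES256}"):   # usable only on the exporting server
                    problems.append(("server-bound-password", dn, pw[:8]))
    return problems


# Constructed sample modelled on the lab's export (not the lab's data): Samay has no uid,
# John's password is server-bound, and the group carries a member DN with the wrong suffix.
SAMPLE = """\
version: 1

dn: dc=ibm,dc=com
dc: ibm
objectclass: domain
objectclass: top

dn: cn=John,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: top
sn: Play
cn: John
uid: John
userpassword: {AES256}constructedValueNotReal==

dn: cn=Samay,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: top
sn: K
cn: Samay

dn: cn=SeniorUnderwriters,dc=ibm,dc=com
objectclass: groupOfNames
objectclass: top
cn: SeniorUnderwriters
member: CN=NULL
member: cn=John,dc=ibm,dc=com
member: cn=Samay,dc=ibm,dc=ibm
"""

if __name__ == "__main__":
    for problem, dn, detail in check_ldif(SAMPLE):
        print("%-22s %-40s %s" % (problem, dn, detail))
```

Point check_ldif() at the real export (open(path).read()) and run it before ldapadd; every line it prints is a user who will not be able to log in, a group membership that silently does nothing, or a password that has to be reset after import.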
3. SSL digital certificates and WebSphere Application server
3.1 Browser to Web Server
Covered in Session 4 Lab
3.2 WebSphere to WebSphere (between Nodes)
For WAS 6.x
First let
• Click OK and Save the changes
• Go back to Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates
• Select the old DMGR certificate and click Replace.
• On the next screen, you are able to choose which certificate will replace the old certificate. Accept your new certificate. Do not select either 'Delete old certificate after replacement' or 'Delete old signers' (the nodes and the web server plug-in still trust only the old signer at this point). Accept your new certificate and any browser prompts.
• On the next screen, select the old certificate and click Delete. Click OK and Save the changes.
The certificates need to be exchanged to establish secure communication. So add the DMGR certificate to CellDefaultTrustStore:
• Go to SSL certificate and key management > Key stores and certificates.
• Select CellDefaultKeyStore and CellDefaultTrustStore and click Exchange signers
• Select the certificate in the CellDefaultKeyStore personal certificates created in the previous step and click Add.
• Click OK and Save the changes.
B. Node Certificates
• Go to Security > SSL certificate and key management > Manage endpoint security configurations.
• Under Inbound, click the link for the node, nodename(NodeDefaultSSLSettings,null).
• Click the Manage certificates button.
• Click on Create a self-signed certificate and enter the required attributes. Click OK and Save the changes.
• Go back to Security > SSL certificate and key management > Manage endpoint security configurations, click nodename(NodeDefaultSSLSettings,null), then click Manage certificates.
• Select the old certificate and click Replace.
• On the next screen, you are able to choose which certificate will replace the old certificate. Accept your new certificate. Do not select either 'Delete old certificate after replacement' or 'Delete old signers'.
• On the next screen, select the old certificate and click Delete. Click OK and Save the changes.
Now exchange the Node signer certificate with CellDefaultTrustStore:
• Go to Security > SSL certificate and key management > Manage endpoint security configurations.
• Under Inbound, click the link for the node, nodename(NodeDefaultSSLSettings,null), and select Key stores and certificates.
• Select NodeDefaultKeyStore and CellDefaultTrustStore and then click Exchange signers.
• Select the certificate in the NodeDefaultKeyStore personal certificates created in the previous step and click Add.
• Click OK and Save the changes.
• Delete the old signer certificates and extract the new ones.
• Go to SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates
• Select all of the old signer certificates and click Delete. If you are not sure which is which, compare the Fingerprint and/or the Expiration dates with the personal certificate in the key stores; the fingerprint is the only reliable way to tell two signers with the same subject apart.
• Select one of the new certificates. Click Extract.
• Enter a File Name that corresponds to the certificate. For example, node1.arm. Click OK.
• Repeat for each of the new certificates, making sure you have done this for the cell signer and all of the node signers. These files are saved to the profile_root/Dmgr/etc directory.
Manually copy the trust store to each of the /etc directories:
• Backup the trust.p12 in profile_root\Dmgr\etc
• Copy profile_root\Dmgr\config\cells\cell-name\trust.p12 to profile_root\Dmgr\etc
• Backup the trust.p12 in each of the nodes' profile_root\Appsrv\etc directories.
• Copy profile_root\Dmgr\config\cells\cell-name\trust.p12 to profile_root\Appsrv\etc
Note: If you have multiple nodes, you need to do the Node Certificate section for all nodes separately.
Now, restart the DMGR and sync the nodes using the 'syncNode' command. Then start the Node Agents and Application Servers.
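Step A of this section (the deployment manager's cell certificate) as wsadmin AdminTask calls, added here as an example and not taken from the lab. The cell name, aliases, subject, key size, validity and output path are placeholders, and the parameter names are written from the 6.1 command reference; confirm each one with AdminTask.help('<command>') on your build before running it.

```jython
# wsadmin -lang jython -f rotate_cell_cert.py
# Added example, not the lab's own script. All names below are placeholders.
CELL      = 'Cell01'                              # assumption
SCOPE     = '(cell):%s' % CELL
OLD_ALIAS = 'default'                             # alias of the certificate created at profile time
NEW_ALIAS = 'dmgr2019'                            # assumption
ARM_FILE  = 'C:/IBM/WebSphere/AppServer/profiles/Dmgr01/etc/cell.arm'   # assumption

# New self-signed personal certificate in the cell key store
AdminTask.createSelfSignedCertificate('[-keyStoreName CellDefaultKeyStore -keyStoreScope %s '
    '-certificateAlias %s -certificateCommonName dmgr.example.com -certificateOrganization IBM '
    '-certificateSize 2048 -certificateValidDays 365]' % (SCOPE, NEW_ALIAS))

# Replace the old one. As the lab says, keep the old certificate and old signers until every
# node and the web server plug-in trust the new signer; delete them afterwards.
AdminTask.replaceCertificate('[-keyStoreName CellDefaultKeyStore -keyStoreScope %s '
    '-certificateAlias %s -replacementCertificateAlias %s -deleteOldCert false -deleteOldSigners false]'
    % (SCOPE, OLD_ALIAS, NEW_ALIAS))

# Put the new signer into the cell trust store (the console's "Exchange signers" button)
AdminTask.exchangeSigners('[-keyStoreName1 CellDefaultKeyStore -keyStoreScope1 %s -certificateAliasList1 %s '
    '-keyStoreName2 CellDefaultTrustStore -keyStoreScope2 %s]' % (SCOPE, NEW_ALIAS, SCOPE))

# Extract the signer as Base64 (.arm) for the plug-in key database in section 3.3
AdminTask.extractSignerCertificate('[-keyStoreName CellDefaultTrustStore -keyStoreScope %s '
    '-certificateAlias %s -certificateFilePath %s -base64Encoded true]' % (SCOPE, NEW_ALIAS, ARM_FILE))

# Print fingerprint and validity so old and new signers can be told apart when the old ones are deleted
print AdminTask.getSignerCertificate('[-keyStoreName CellDefaultTrustStore -keyStoreScope %s '
    '-certificateAlias %s]' % (SCOPE, NEW_ALIAS))

AdminConfig.save()
```

Step B is the same sequence with NodeDefaultKeyStore and the node scope '(cell):Cell01:(node):Node01' in place of the cell key store and scope, once per node; the syncNode and restart at the end of the section are still required.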
3.3 Web Server to WebSphere (through Plug-in)
• Go to Servers > Web servers. Click webservername, and then under Additional Properties click Plug-in properties.
• Click Manage keys and certificates under Additional Properties, click Signer certificates and then click Add. Enter a unique Alias Name and then specify the File Name that you exported as a .arm file.
Repeat this for each of the new certificates, making sure you have done this for the cell signer and all of the node signers.
• Manually copy the plugin-key.kdb from the local configuration to the Web server, together with its stash file plugin-key.sth, without which the plug-in cannot open the key database. (Default locations: profile_root\Dmgr\config\cells\cell-name\nodes\node-name\servers\web-server-name\plugin-key.kdb to Web-server-root\Plugins\config\web-server-name\plugin-key.kdb)
• Start the Web server