8/8/2019 WF3815V14_Security2
Welcome to:
WebSphere Application Server Security

Objectives
Explain the WebSphere Application Server V5 Security architecture and components
Describe Security standards supported by WebSphere Application Server V5:
  J2EE 1.3
  Java 2 Platform Security
  JAAS Security
  CSIv2 Security
Configure Global Security
Secure an Application
Configure Administrative Security

WebSphere Application Server Security Overview
Security can be applied at different levels
[Figure: security layers OS Security, JVM Security, Java2 Security, CORBA Security, J2EE Security API and WebSphere Security, grouped as Platform Security, Java Security and WebSphere Security, around WebSphere Resources (Html, JSP/Servlet/EJBs, etc.)]

WebSphere Application v5 Security - Big Picture
[Figure labels: User; requests over HTTP(S) with user ID and password or client certificate; Web Server with Security Plugin; AppServer1, AppServer2 and Node Agent; Web Container and EJB Container; Security Server; User Registry; authenticate(), mapCredential(), validate(); JAAS Client with JAAS subject; CSIv2 with security token or identity assertion; Java 2 Platform with Policy, Permissions, ProtectionDomain, SecurityManager and AccessController]

Security Server - Big picture
Security Server runs locally in each process (Deployment Manager, Node Agent, and Application Server)
  Security workload not bottlenecked to a single process
  Security Server failure only affects a single process
Separation of authentication mechanism and user registry
Only one Authentication Mechanism and Registry can be enabled at a time
[Figure labels: Administrator; Deployment Manager; Node Agent; App Server; XML Config; Security]

Features of WAS 5.0 Security
J2EE 1.3 Security
Java 2 platform security
JAAS programming model support
  Provides means for restricting running code based on authenticated user
CSIv2 security protocol support
  Secured communications between servers
  Interoperability between different vendors' application servers
  SAS protocol supported for backward compatibility (4.0.x and before)
WebSphere Application Server Security Administration
  Support multiple security roles (administrator, configurator, operator, and monitor)

J2EE 1.3 Compliance
WebSphere Application Server supports J2EE-mandated functionality:
  EAR, WAR, and EJB file formats
  Application Assembly Tool (AAT) for creating files with deployment information
  Basic, form-based login (with extensions) and Secure Sockets Layer (SSL)
  Roles mapped to registry
  Application Programming Interfaces (APIs)
  Single Sign-on (SSO)
  Password-based authentication for Java clients

J2EE EJB Security

1. Security roles
  ROLE
  Customer
  Teller
  Manager

2. Assign method permissions (METHOD PERMISSIONS)
  ROLE               METHODS
  Customer           getBalance()
  Teller, Manager    getBalance, setBalance
  Manager            create

3. Security role refs (SECURITY ROLE REFERENCES)
  Internal Name      Application Role
  Supervisor         Manager

4. Security role binding (ROLE BINDING)
  ROLE               USERS/GROUPS
  Customer           Clients, Jack
  Teller             Mary, Bob
  Manager            Mary

[Figure labels: users Bob, Mary, Jack; group Clients; Bank Bean with getBalanceMethod, setBalanceMethod, createMethod]

Implementation
  public getBalance (...) {
    ...
    // ctx is the bean's EJBContext; "Supervisor" is the internal name
    // that the security role reference links to the role Manager
    if (ctx.isCallerInRole("Supervisor")) {
      // Perform function...
    }
  }
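Added example (not part of the original slides and not IBM's own descriptor): an EJB 2.0 ejb-jar.xml fragment that expresses steps 1 to 3 above for the Bank bean. The package and class names and the stateless session type are assumptions; the role and method names are the slide's.

```xml
<!-- Added example: ejb-jar.xml (EJB 2.0) fragment for the Bank bean. -->
<!-- Class names and session type are assumed; roles/methods are the slide's. -->
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>Bank</ejb-name>
      <home>com.example.bank.BankHome</home>
      <remote>com.example.bank.Bank</remote>
      <ejb-class>com.example.bank.BankBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <!-- 3. Role reference: isCallerInRole("Supervisor") checks role Manager -->
      <security-role-ref>
        <role-name>Supervisor</role-name>
        <role-link>Manager</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <!-- 1. Security roles -->
    <security-role><role-name>Customer</role-name></security-role>
    <security-role><role-name>Teller</role-name></security-role>
    <security-role><role-name>Manager</role-name></security-role>
    <!-- 2. Method permissions, one per row of the METHOD PERMISSIONS table -->
    <method-permission>
      <role-name>Customer</role-name>
      <method><ejb-name>Bank</ejb-name><method-name>getBalance</method-name></method>
    </method-permission>
    <method-permission>
      <role-name>Teller</role-name>
      <role-name>Manager</role-name>
      <method><ejb-name>Bank</ejb-name><method-name>getBalance</method-name></method>
      <method><ejb-name>Bank</ejb-name><method-name>setBalance</method-name></method>
    </method-permission>
    <method-permission>
      <role-name>Manager</role-name>
      <method><ejb-name>Bank</ejb-name><method-name>create</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

The role binding of step 4 maps these role names to registry users and groups and is kept outside this descriptor.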

J2EE Servlet Security

1. Security roles
  ROLE
  Customer
  Teller
  Manager

2. Security constraints (SECURITY CONSTRAINTS)
  ROLE               METHODS              URI
  Customer, Teller   POST                 /servlet/Welcome/*
  Teller             POST, PUT            /servlet/Account/*
  Manager            POST, DELETE, PUT    /jsp/*

3. Security role refs (SECURITY ROLE REFERENCES)
  Internal Name      Application Role
  Supervisor         Manager

4. Security role binding (ROLE BINDING)
  ROLE               USERS/GROUPS
  Customer           Clients, Jack
  Teller             Mary, Bob
  Manager            Mary

[Figure labels: users Bob, Mary, Jack; group Clients; servlet with doGetMethod, doPostMethod, doPutMethod]

Implementation
  public doGet (...) {
    // request is the HttpServletRequest passed to doGet
    if (request.isUserInRole("Supervisor")) {
      // Perform function...
    } else {
      throw new SecurityException("caller is not in role Supervisor");
    }
  }
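Added example (not part of the original slides and not IBM's own descriptor): a Servlet 2.3 web.xml fragment that expresses the roles, security constraints and role reference above. The servlet name and class are assumptions; the role names, HTTP methods and URIs are the slide's.

```xml
<!-- Added example: web.xml (Servlet 2.3) fragment for the tables above. -->
<!-- Servlet name and class are assumed; roles and URIs are the slide's. -->
<web-app>
  <servlet>
    <servlet-name>Account</servlet-name>
    <servlet-class>com.example.bank.AccountServlet</servlet-class>
    <!-- 3. Role reference: isUserInRole("Supervisor") checks role Manager -->
    <security-role-ref>
      <role-name>Supervisor</role-name>
      <role-link>Manager</role-link>
    </security-role-ref>
  </servlet>
  <!-- 2. Security constraints, one per row of the table -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Welcome</web-resource-name>
      <url-pattern>/servlet/Welcome/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Customer</role-name>
      <role-name>Teller</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account</web-resource-name>
      <url-pattern>/servlet/Account/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Teller</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSPs</web-resource-name>
      <url-pattern>/jsp/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>DELETE</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Manager</role-name></auth-constraint>
  </security-constraint>
  <!-- 1. Security roles -->
  <security-role><role-name>Customer</role-name></security-role>
  <security-role><role-name>Teller</role-name></security-role>
  <security-role><role-name>Manager</role-name></security-role>
</web-app>
```

Because each constraint lists http-method elements, it covers only those methods on its URL pattern; a method that is not listed (GET, for example) is not restricted by it and needs its own constraint if it must be protected as well.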

Java Security Model
Java 1.0.x (Sandbox Model):
  Downloaded code (untrusted) runs in a Sandbox (restricted environment)
  Application code (local Java classes) has full access to resources (trusted and no protection)
Java 1.1.x (Signed Code):
  Extends the 1.0.x Sandbox Model and introduces "signed code". Digitally signed remote code is treated like local code if the public key used to verify the signature is trusted.
[Figures, one per model. Labels: Local Code; Remote Code; Trusted Signed Code (1.1.x only); JVM, Full Access to Resources; Sandbox, Restricted Access; Security Manager; System Resources (files, network connections, etc.)]

Java 2 Security Overview
Fine-Grained Access Control Mechanism
Provides protection for resources based on policy:
  Examples: File I/O, Network Connections, Property files, etc.
Policy defined by a set of permissions available for code from various signers or location
  Specified in policy files
Organized code into individual protection domains
  Code source - location and set of digital signatures
  Each loaded class belongs to one protection domain (Same set of permissions)
[Figure labels: Local or Remote Code; Security Policy; Domain; JVM, Full Access to Resources; Sandbox, Restricted Access; Security Manager; System Resources (files, network connections, etc.)]

CSIv2 Security Architecture
[Figure: CSIv2 layers. Security Attribute Layer: Identity Assertion. Supplemental Client Authentication Layer: Client Authentication. Transport Layer (SSL/TLS): Message Protection, Target-to-Client Authentication, Client Authentication. Service Context Layer.]

CSIv2 Overview
Replaces SAS
New OMG standard for the distributed security of CORBA based systems. Part of J2EE 1.3 requirements.
Open secure interoperability framework to support secure interoperability service layers.
  Transport Security: e.g. SSL/TLS used to provide message protection (integrity or confidentiality), client to server, or server to client authentication.
  Attribute Security: such as delegation, identity assertion based on trust relationship.
WAS5 CSIv2 (Conformance Level 0) Features:
  Successor to SAS Protocol. SAS and CSIv2 both supported simultaneously
  Most new features developed in CSIv2 only (client certificate authentication, custom authentication mechanism, e.g. BasicAuth (validated), LTPA)
  More flexible configuration (claim/perform, required/supported)
  Identity Assertion, Authentication Retry, Better error handling, Stateful/Stateless Choice

Feature Comparison With WAS SAS
SAS Features
  SSL required
  BasicAuth Client Login required
  Stateful required
CSIv2 Features
  SSL/TCPIP Choice
  SSL Client Authentication
  BasicAuth (validated), LTPA, Kerberos Client Login
  Identity Assertion
  Authentication Retry
  Better error handling
    Use of CORBA minor codes and messages
    Auto retry for errors which can be corrected
  Stateful/Stateless Choice
  More flexible configuration (claim/perform, required/supported)

Identity Assertion
A way for one server to trust another server without the need to re-authenticate or revalidate the originating client
When Identity Assertion is enabled, it is the invocation credential that is asserted to the downstream server.
Identity Assertion is only available using the CSIv2 protocol.

Scenario 1: S1->S2 over SSL with Identity Assertion (WebClient -> Servlet -> EJB) using originating client
[Figure: C (WebClient), S1 (Servlet), S2 (EJB); links TCP/IP and SSL. Labels: 401 Challenge: bob/password; Cred: bob; IdentityAssertion: bob; transport: CN=S1, O=ibm; Cred: bob]

Scenario 2: S1->S2 over VPN with Identity Assertion (WebClient -> Servlet -> EJB) using specific identity
[Figure: C (JavaClient), S1 (EJB Server), S2 (EJB Server); both links TCP/IP w/VPN. Labels: GSSUP: tom/password; Cred: tom; Run-As Specified: bill; Cred: bill; IdentityAssertion: bill; client_auth: server1/password; Cred: bill]

Turning Security on
By default global security is turned off
Turning on global security:
  Enables J2EE security
  Enables CSIv2 between servers
  Enables access control to the console
Configure authentication mechanism and registry
Secure the console
Map administrator roles to users/groups

WAS User Registries
[Figure: the WebSphere Runtime (Admin Server) makes Authentication Calls to an authentication layer in front of a user registry. WebSphere Provided: Local OS Authentication Layer with Local OS User Registry; LTPA Authentication Layer with LDAP User Registry. Custom Provider: Pluggable Custom Authentication Layer with Custom User Registry.]

Comparison of User Registries in WAS
Simple WebSphere Access Mechanism (SWAM)
  Similar to Local OS, but without token being passed
Local OS has some limitations:
  Not supported in multinode environment.
  Large number of users require many accounts.
LTPA helps relax many of the restrictions:
  Uses common registry (LDAP or custom) as directory for principals and groups shared among several WAS nodes.
  Obtains tokens that can be passed to other WAS instances.
Note that LDAP is a standard widely supported directory and should be preferred.

Configure LTPA

Configure LDAP

How Pluggable Custom Registry Works
Application developer
  Implements the methods in the CustomRegistry interface.
  com.ibm.ejs.security.registry package
  This layer of code interacts with the custom user registry.
Administrator
  Selects Custom-pluggable Registry option and specifies the class.
Admin/Security Server
  Calls CustomRegistry methods to perform authentication for applications.

Securing Your Application
Secure your enterprise application using AAT or other tool
  Secure EJBs
    Create roles
    Create method permissions
    Map method permissions to roles and methods
  Secure Servlets
    Create roles
    Create constraints
    Map constraints to roles and servlets
Install your application
Map roles to users/groups

Administrative Security Authorization
WebSphere Application Server V5.0 has finer granularity of access control.
Defines 4 security roles:
  monitor role can observe system state and configuration data but cannot make changes
  configurator role is a monitor who can make changes to the WebSphere system configuration
  operator role is a monitor who can change runtime state (e.g. start, stop)
  administrator role which is basically a configurator and also an operator

Setting Administrative Security
1) Select Users or Groups
2a) Specify User
2b) Specify Role
2a) Specify Group or subject
2a) Specify Role
Changes must be saved when finished
Security must be enabled
Restart of Deployment Manager, Node Agents, and Application Servers required for most security operations

Summary
Secure your Enterprise Application
  Create roles
  Create method permissions and constraints
  Map roles to method permissions and constraints
Turn on Global Security
  Configure Authentication Mechanism
  Configure User Registry
Install your application
Configure additional security items
  Java 2 security