Configuring global security

1. Start the WebSphere Application Server administrative console by typing

http://yourhost.domain:9090/admin after the WebSphere Application Server
Deployment Manager has been started.

2. Open the Security link on the Navigation menu.

Configure the authentication mechanism, user registry, and so on. The
configuration order is not important. However, when you select the Enabled
flag in the Global Security panel, you should have completed all of these tasks.
When you first click Apply or OK and the Enabled flag is set, a verification
occurs to see if the administrative user ID and password can be authenticated
to the configured user registry. If you have not configured the user registry, the
validation fails.

3. Configure a user registry.

Configure LDAP user registries and then specify the details about that registry.
One of these details common to all user registries is the server user ID. This ID
is a member of the chosen user registry, but also has special privileges in
WebSphere Application Server.
The privileges for this ID and the privileges
associated with the administrative role ID are the same. The server user ID can
access all protected administrative methods. In LDAP user registries, verify that the server user
ID
is a member of the registry and not just the LDAP administrative role ID. The entry must be
searchable.
4. Configure the Authentication Mechanism.
In the WebSphere Application Server Network Deployment package, LTPA is
the only authentication mechanism supported.
LTPA credentials are forwardable to other machines and for
security reasons do expire. This expiration time is configurable.
For form-based login, you must configure SSO when using LTPA.
Password – Type in a password
Confirm Password - Confirm it.
Timeout - 1200
Key File name – leave it empty.
Additional Properties Single Signon
Enabled - Checked
Requires SSL – Checked
6. Change the default SSL keystore and truststore files that are packaged with the
product.
These files protect the integrity of the messages being sent across the Internet.
A single location is provided where you can specify SSL configurations that can
be used among the various WebSphere Application Server features that use
SSL, including the LDAP user registry, Web Container, and the Authentication
Protocol (CSIv2 and SAS). You can create different KeyStore and TrustStore files for
different uses or create one set for everything that involes the server use of SSL.
Once you create these new keystore and truststore files, specify them in the
SSL Configuration Repertoires.
To get to the SSL Configuration Repertoires,
click Security > SSL. You can either edit the DefaultSSLConfig or create a
new SSL configuration with a new alias.
If you do create a new alias for your new keystore and truststore files, change
every location that references the SSL configuration alias DefaultSSLConfig.
The following list provides these locations:
v Security > User Registries > LDAP (at the bottom of the panel)
v Security > Authentication Protocol > CSIv2 Inbound Transport
v Security > Authentication Protocol > CSIv2 Outbound Transport
v Security > Authentication Protocol > SAS Inbound Transport
v Security > Authentication Protocol > SAS Outbound Transport
v Servers > Application Servers > {app_server_name} -> Web Container ->
HTTP transports > {host_link}
v Servers > Application Servers > {app_server_name} -> Server Level Security
> CSIv2 Inbound Transport
v Servers > Application Servers > app_server_name > Server Security > CSIv2
OutboundTransport
v Servers > Application Servers > {app_server_name} > Server Security > SAS
Inbound Transport
v Servers > Application Servers > {app_server_name} > Server Security > SAS
Outbound Transport

7. Click Security > Global Security to configure the rest of the security settings
and enable security.
This panel performs a final validation of the security configuration. When you
click OK or Apply from this panel, the security validation routine is performed
and any problems are reported at the top of the page. When you complete all
of the fields, click OK or Apply to accept the selected settings. Click Save (at
the top of the panel) to persist these settings out to a file. If you see any
informational messages in red text color, then there is a problem with the
security validation. Typically, the message indicates the problem. So, review
your configuration to verify that the user registry settings are accurate and the
correct registry is selected. In some cases, the LTPA configuration may not be
fully specified.

Enabled - Checked
Enforce Java 2 Security – Not Checked
Use Domain Qualified User Ids - Not Checked
Cache Timeout – 600
Issue Permission Warning - Checked
Active Protocol - CSI and SAS
Active Authentication Mechanis - LTPA.
Active User Registry – LDAP
To save the configuration, click Save in the menu bar at
the top of the panel.

8. Verify that all node agents are up and running in the domain. It is
recommended that you stop all application servers during this process. If any
of the node agents are down, run a manual file synchronization utility from the
node agent machine to synchronize the security configuration from the
Deployment Manager. Otherwise, the malfunctioning node agent does not
communicate with the Deployment Manager after security is enabled on the
Deployment Manager.

9. Verify that the validation that occurs after you click OK in the Security > Global Security
panel is successful before continuing. If it is not successful and you continue
with these steps, you risk the server not starting. Reconfigure the security
settings until validation is successful.

10. Issue the force file sync command from the administrative console to push
a copy of the new configuration to all of the running node agents.
If a node agent fails to get the security-enabled configuration, communication
with the Deployment Manager fails due to lack of access (it will not be
security enabled). To force a file sync at any specific node, complete the
following steps from the administrative console:
a. Go to System Administration > Nodes and select the check box of all of
the nodes (you do not need to select the Deployment Manager Node).

b. Click Full Resynchronize to verify that the file sync has occurred.
The message might indicate that the nodes already are synchronized. This
message is OK. Once synchronization is initiated, verify that the
Synchronized status displays for all nodes.

11. Stop the Deployment Manager. Manually restart the Deployment Manager
from the command line or service.
Once the Deployment Manager initialization is complete, go back into the
administrative console to complete this task.
When you are prompted for a user ID and password, type the one you entered as the
administrator ID
in the configured user registry.

12. Go to System Administration > Node Agents and select the check box
beside all node agents. Click Restart all Servers on Node.
This action restarts the node agent and any started application servers.
If any node agent fails to restart, perform a manual resync of the
configuration.
Restart the node agent manually

13 Restart all application servers on each node agent.

14. If you go to System Management > Nodes and the status of the node is
Unknown, go to that node and physically stop and restart the node agent.

15. If you have any problems restarting the node agents or application servers,
review the output logs in the WAS/logs/nodeagent or WAS /logs/server_name.