
Administrative security

Administrative security determines whether security is used at all, the type of registry
against which authentication takes place, and other values, many of which act as defaults.
Proper planning is required because incorrectly enabling administrative security can lock
you out of the administrative console or cause the server to end abnormally.

Administrative security can be thought of as a "big switch" that activates a wide variety of
security settings for WebSphere® Application Server. Values for these settings can be specified,
but they will not take effect until administrative security is activated. The settings include the
authentication of users, the use of Secure Sockets Layer (SSL), and the choice of user account
repository. In particular, application security, including authentication and role-based
authorization, is not enforced unless administrative security is active.
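
The "big switch" behavior can be checked against a saved configuration. The following Python example is added here and is not part of the original documentation; it reads a constructed security.xml fragment and reports what is actually in effect. It assumes the `enabled`, `appEnabled` and `activeUserRegistry` attributes follow the layout of the cell-level security.xml, and the sample values and the function name `audit_security` are hypothetical.

```python
import xml.etree.ElementTree as ET

XMI = "{http://www.omg.org/XMI}"

# Constructed sample, trimmed to the attributes this check reads. The layout
# is assumed to match a cell-level security.xml; compare it with your own file.
SAMPLE = """<security:Security xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:id="Security_1" enabled="false" appEnabled="true"
    activeUserRegistry="LDAPUserRegistry_1">
  <userRegistries xmi:type="security:LocalOSUserRegistry"
      xmi:id="LocalOSUserRegistry" realm="host1.example.test"/>
  <userRegistries xmi:type="security:LDAPUserRegistry"
      xmi:id="LDAPUserRegistry_1" realm="ldap.example.test:389"/>
</security:Security>"""


def audit_security(xml_text):
    """Report which security settings are actually in effect."""
    root = ET.fromstring(xml_text)
    admin_on = root.get("enabled", "false").lower() == "true"
    app_set = root.get("appEnabled", "false").lower() == "true"
    active_id = root.get("activeUserRegistry")
    # Resolve the active registry reference to its type and realm name.
    active = next((r for r in root.iter("userRegistries")
                   if r.get(XMI + "id") == active_id), None)
    report = {
        "admin_security": admin_on,
        # Application security is enforced only while the switch is on.
        "app_security_enforced": admin_on and app_set,
        "registry_type": active.get(XMI + "type") if active is not None else None,
        "realm": active.get("realm") if active is not None else None,
        "findings": [],
    }
    if not admin_on:
        report["findings"].append(
            "administrative security is off: configured settings are inactive")
        if app_set:
            report["findings"].append(
                "application security is configured but not enforced")
    if active is None:
        report["findings"].append("active user registry not found")
    return report
```

For the constructed sample, the report shows application security configured but not enforced, because the administrative switch is off.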

Administrative security represents the security configuration that is effective for the
entire security domain. A security domain consists of all of the servers that are configured
with the same user registry realm name. In some cases, the realm can be the machine
name of a local operating system registry. In this case, all of the application servers must
reside on the same physical machine. In other cases, the realm can be the machine name
of a stand-alone Lightweight Directory Access Protocol (LDAP) registry.

A multiple node configuration is supported because you can remotely access user
registries that support the LDAP protocol. Therefore, you can enable authentication from
anywhere.

The basic requirement for a security domain is that the access ID that is returned by the
registry or repository from one server within the security domain is the same access ID
as that returned from the registry or repository on any other server within the same
security domain. The access ID is the unique identification of a user and is used during
authorization to determine if access is permitted to the resource.

The administrative security configuration applies to every server within the security
domain.

Why turn on administrative security?

Turning on administrative security activates the settings that protect your server from
unauthorized users. Administrative security is enabled by default during profile
creation. There might be some environments where no security is needed, such as a
development system. On these systems, you can elect to disable administrative security.
However, in most environments you should keep unauthorized users from accessing the
administrative console and your business applications. Administrative security must be
enabled to restrict access.
