WebSphere software - © Copyright IBM Corporation 2005. All rights reserved.
Proof of Technology Lab 05 - Security
Product Introduction + Exploration (PI+E)
Page 1 of 36

IBM WebSphere Application Server Version 6
Lab 05 - Security

What You Should Be Able to Do

In this exercise, you will secure your WebSphere Application Server environment. First, you will enable global security using Lightweight Third-Party Authentication (LTPA) component services within WebSphere Application Server. You will configure access to the Administrative console by defining a number of roles and mapping those roles to different users. To test your configuration, you will perform various administrative functions using different accounts and see if the security configuration correctly supports your ability to perform those functions. You will also turn off security for the Default Application server, but leave security enabled for the administrative console. Finally, you will disable Global Security.

Lab Requirements

List of system and software required for the student to complete the lab.
• Windows 2000 Professional Service Pack 4 is required for this lab exercise.
• WebSphere Application Server v6.0 has been successfully installed.
• The lab source files (LabFiles60.zip) must be extracted to the root directory (i.e., C:\).

What you should be able to do

At the end of this lab you should be able to:
• Configure global security for your WebSphere Application Environment.
• Configure role-based security for administration of WebSphere Application Server.
Assumptions

You must have completed the installation and profile configuration portion of the Network Deployment hands-on lab before attempting this exercise.

The instructions for this exercise assume that the installation has been performed on a machine where the installation directory for WebSphere Application Server is c:\WebSphere\AppServer. If you installed WebSphere Application Server on another drive or directory, you will need to make appropriate allowances when following directions for this exercise.

You must be logged in as a user with Act as part of the operating system rights. The PoT lab machines have been pre-configured with the appropriate rights for User ID wsdemo. Make sure that you are logged in using the wsdemo account.

This exercise is divided into eight parts:
Part 1: Establish the WebSphere Environment
Part 2: Enable Global and Java 2 Security
Part 3: Define Administrative Users and Roles
Part 4: Stop and Restart the WebSphere Environment
Part 5: Using Administrative Console Roles
Part 6: Application Serving with Security
Part 7: Disable Application Server Security
Part 8: Disable Global Security

Part 1: Establish the WebSphere Environment

____ 1. Ensure that all managed processes (dmgr, node agent, and server1) are started.
  __ a. Open a command prompt and navigate to c:\WebSphere\AppServer\profiles\dmgr\bin
____ 2. Check the status of the Deployment Manager (dmgr) process.
  __ a. Issue the command serverStatus -all.
        In the lab screenshot the status output ends with: ADMU0509I: The Deployment Manager "dmgr" cannot be reached. It appears to be stopped.
____ 3. Start the Deployment Manager if it has a stopped status. Otherwise, skip this step.
  __ a. Issue the command startManager.
        The screenshot shows the start completing with: ADMU3000I: Server dmgr open for e-business; process id is 2060
____ 4. Navigate to the profile1\bin directory.
  __ a. Issue the command cd c:\WebSphere\AppServer\profiles\profile1\bin
____ 5. Check the status of managed processes for profile1.
  __ a. Issue the command serverStatus -all.
        The screenshot shows ADMU0509I reported for both processes: the Node Agent "nodeagent" and the Application Server "server1" cannot be reached and appear to be stopped.
____ 6. Start the Node Agent, if it has a status of stopped. Otherwise, skip this step.
  __ a. Issue the command startNode.
        The screenshot shows: ADMU3000I: Server nodeagent open for e-business; process id is 2080
____ 7. Start the server1 process, if it has a status of stopped. Otherwise, skip this step.
  __ a. Issue the command startServer server1.
        The screenshot shows: ADMU3000I: Server server1 open for e-business; process id is 2136
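The Part 1 start-up sequence as a Windows batch script, added here as an example rather than taken from the lab: it queries each managed process with serverStatus and starts it only when the ADMU0509I "cannot be reached" message appears, in the lab's order (dmgr, then nodeagent, then server1). It assumes the lab's install root C:\WebSphere\AppServer and the profile names dmgr and profile1; WAS_AUTH is a placeholder for the -username/-password flags the tools need once global security is enabled in Part 2.

```batch
@echo off
rem Added example, not part of the IBM lab: automates Part 1 by asking
rem serverStatus about each managed process and starting it only when the
rem reply carries ADMU0509I ("cannot be reached ... appears to be stopped"),
rem in the same order the lab uses: dmgr, then nodeagent, then server1.
rem Assumed values (change for another layout): the lab's install root and
rem the profile names dmgr and profile1.
setlocal
set WAS_ROOT=C:\WebSphere\AppServer
set DMGR_BIN=%WAS_ROOT%\profiles\dmgr\bin
set NODE_BIN=%WAS_ROOT%\profiles\profile1\bin

rem Once global security is on (Part 2), serverStatus must authenticate to
rem the server it queries; put the flags here, e.g.
rem   set WAS_AUTH=-username wsdemo -password wsdemo1
rem Leave it empty while security is still disabled.
set WAS_AUTH=

rem The Deployment Manager is started with startManager, not startServer.
call :start_if_stopped "%DMGR_BIN%" dmgr "startManager.bat"
rem The node agent and the application server both live in the node profile.
call :start_if_stopped "%NODE_BIN%" nodeagent "startNode.bat"
call :start_if_stopped "%NODE_BIN%" server1 "startServer.bat server1"
endlocal
goto :eof

rem %1 = profile bin directory, %2 = server name, %3 = start command
:start_if_stopped
pushd %1
rem findstr returns errorlevel 0 when ADMU0509I is present in the output.
call serverStatus.bat %2 %WAS_AUTH% | findstr /C:"ADMU0509I" >nul
if not errorlevel 1 (
    echo %2 is stopped, starting it
    call %~3
) else (
    echo serverStatus did not report %2 as stopped, leaving it alone
)
popd
goto :eof
```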
Part 2: Enable Global and Java 2 Security

You will now enable security for your entire cell using LTPA and the local operating system user registry. The combination of LTPA authentication and local operating system user registry is a basic security configuration for WebSphere Application Server Version 6. In a more robust environment, a combination of LTPA and Lightweight Directory Access Protocol (LDAP) should be used for implementation of security.

____ 1. Login to the Administrative Console.
  __ a. Open a browser instance.
  __ b. Launch the Administrative Console.
     1) Enter: http://localhost:9060/ibm/console
     2) Login to the Administrative Console:
        a) Enter User ID: wsdemo
     3) The Administrative Console Welcome page is displayed.
____ 2. Enable Global Security.
  __ a. Access the Administrative Console Navigation tree.
     1) Click to expand [+] Security
     2) Click the link for Global Security.
     3) The Workspace area contains the Global security page.
  __ b. Access the Workspace area.
     1) Before you can enable Global Security, you need to set the Active user registry. You will be using the Local OS (Operating System) as the user registry.
        a) Ensure that the Active user registry is set to Local OS.
           The Active user registry list labels this choice Local OS (single, stand-alone server and root administrator only).
     2) Click the link for Local OS.
  __ c. The Workspace area has General Properties that enable you to specify a Server user ID and Server user password.
     1) Enter a valid Operating System User ID and Password:
        a) Server user ID: wsdemo
        b) Server user password: wsdemo1
     2) Click the Apply button.
     3) Click the OK button.
        a) The main Global Security Workspace area is displayed.
     4) Click to expand Authentication mechanisms.
     5) Click the link for LTPA.
        a) You will be using LTPA as the Authentication mechanism.
        b) The Workspace area has information for you to generate the LTPA keys.
     6) Specify properties for Password and Confirm password. For convention, specify:
        a) Password: wsdemo1
        b) Confirm password: wsdemo1
     7) Click the Apply button.
     8) Click OK.
        a) This action will return you to the main Global Security Workspace area.
  __ d. Click the checkbox for Enable global security.
     1) This action will enable the checkbox for Enforce Java 2 security as well.
     2) Click the Apply button.
     3) Click Save.
        The Messages area reports that changes have been made to your local configuration and that the server may need to be restarted for these changes to take effect.
     4) Check Synchronize changes with Nodes, and then click Save.
        The Global security > Save page reads: Save your workspace changes to the master configuration. Click Save to update the master repository with your changes. Click Discard to discard your changes and begin work again using the master repository configuration. It shows Total changed documents: 1 and the Synchronize changes with Nodes checkbox.

Global Security has been enabled with LTPA as the authentication mechanism.

Part 3: Define Administrative Users and Roles

In this part, you will create several security accounts (User IDs and Passwords), then grant access to the administrative console for users. Each user will have a different set of privileges for performing administrative activities.

____ 1. Create four user accounts.
  __ a. Access a Windows command prompt. Issue the net user command to create four accounts (i.e., User IDs and passwords) for testing.
     1) Create the admin account with user ID admin and Password *:
        Note: The asterisk (*) will cause Windows to prompt you for the password and for you to retype the password to confirm.
        a) Enter: net user admin * /add
        b) Enter: password
        c) Enter: password
        The prompt shows C:\>net user admin * /add, asks for the password and again to confirm, and ends with: The command completed successfully.
     2) Create the config account with user ID config and Password *:
        a) Enter: net user config * /add
        b) Enter: password
        c) Enter: password
     3) Create the operator account with user ID operator and Password *:
        a) Enter: net user operator * /add
        b) Enter: password
        c) Enter: password
     4) Create the monitor account with user ID monitor and Password *:
        a) Enter: net user monitor * /add
        b) Enter: password
        c) Enter: password
____ 2. Access the System Administration Workarea for Console Users.
  __ a. Access the Administrative Console, Navigation tree and click to expand the [+] System Administration tasks.