IBM WebSphere Application Server Network Deployment is IBM's flagship J2EE application server platform. It implements the J2EE technology stack. This stack enables the WebSphere Application Server platform to execute the user's Java enterprise applications that perform business functions. There are several roles who use this platform such as architects, developers, and administrators, to mention a few. Within the administrator role, in turn, there are several functions such as installation, performance, security, and so on.
This book starts with an in-depth analysis of the global and administrative security features of WebSphere Application Server v7.0, followed by comprehensive coverage of user registries for user authentication and authorization information. Moving on you will build on the concepts introduced and get hands-on with a mini project. In the next chapter, you work with the different front-end architectures of WAS along with the Secure Socket Layer protocol, which offer transport layer security through data encryption.
You can learn user authentication and data encryption, which demonstrate how a clear text channel can be made safer, by using SSL transport to encrypt its data. This book will show you how to enable an enterprise application hosted in a WebSphere Application Server environment to interact with other applications, resources, and services available in a corporate infrastructure. Platform hardening, tuning parameters for tightening security, and troubleshooting are some of the aspects of WebSphere Application Server v7.0 security that are explored in the book. Every chapter builds strong security foundations, by demonstrating concepts and practicing them through the use of dynamic, web-based mini projects.
Chapter 1, A Threefold View of WebSphere Application Server Security, uses a novel approach to compare ways in which WebSphere security elements are perceived, usually according to the role of the individual working with the technology. These ways or views help you understand the foundations of WebSphere security, providing multiple angles from where to analyze this set of technologies and communicate in their language with different functional teams within your organization.
Chapter 2, Securing the Administrative Interface, walks you through the necessary steps to secure access to the WebSphere graphical interface, known as the ISC (Integrated Solutions Console). As a prerequisite to securing the ISC, you must first enable the WebSphere Application Server platform security, known as global security. During these processes, the chapter succinctly describes relevant security topics (for example, user registries) and highlights what parameters are required in order to perform each step.
Chapter 3, Configuring User Authentication and Access, provides concise technical background on the security topics related to setting up user authentication (validation of presented user credentials) and user access determining if an authenticated user has rights to access to the requests made. The chapter describes some important concepts such as WebSphere Security Domains (a new feature in version 7 of WAS), user registries (reviewed in more depth), as well as a review of popular user registries available to be used in a WebSphere environment. The chapter ends by binding all these concepts using a mini project that walks you through protecting application servers.
Chapter 4, Front-End Communication Security, describes and compares popular infrastructure architectures used to design front-end of a WebSphere environment. The chapter goes on explaining a major security used to secure communication channels, SSL, and describes several related aspects such as SSL certificates and CA (certificate authority). At the end, the chapter walks you through the process, in the way of a mini project, used to secure the front-end of a WebSphere environment from the HTTP server (IHS) to the actual Application Server.
Chapter 5, Securing Web Applications, briefly introduces concepts related to securing Java Web Applications (or more succinctly Web Applications). The chapter then uses an in-depth mini project where you will be walked through in the various stages to design, code, package, deploy, and configure a simple Web Application that offers access to employees of a fictional corporation. Each type of employee will have access only to sections of the Web Application. Therefore, you will configure WebSphere in order to implement this secure functionality.
Chapter 6, Securing Enterprise Java Beans Applications, introduces concepts related to Enterprise Java Beans (EJB) technologies such as declarative and programmatic security. The chapter then uses the mini-project approach to walk you through the stages needed to design, code, package, deploy, and configure a simple EJB application. The mini-project in this chapter reuses modules from the previous chapter to implement a very simple portal application that will offer a better user experience to the employees of our fictional corporation.
Chapter 7, Securing Back-end Communication, focuses on two major concepts: authentication and data encryption. Authentication is reviewed from the point of view of trust between two infrastructure components, for example, WebSphere and a back-end database. The chapter expands on the major topics by providing in detail two examples of their use. It explores how encryption is used in the communication between WebSphere and a popular type of user registry, LDAP. The chapter also examines the use of authentication during the exchanges between WebSphere and databases using the JDBC protocol.
Chapter 8, Secure Enterprise Infrastructure Architectures, describes areas that will enable an enterprise application hosted in a WebSphere environment interact with possibly other applications, resources, and services available in a corporation infrastructure. It covers central concepts such as LTPA and SSO. The chapter ends by showing you how to fine-tune authorization at the HTTP Server level as well as at the WebSphere level.
Chapter 9, WebSphere Default Installation Hardening, deals with engineering the default WebSphere installation by changing its default parameters in order to harden the product's security side and customizing the files that hold the WebSphere environment security certificates and signers. The chapter focuses on two major aspects. While it points out what characteristics in the OS to review and modify, on the other hand, it discusses securing files related to certificates key and trust stores and files that hold passwords.
Chapter 10, Platform Hardening, looks at aspects of the platform where WebSphere is hosted that can be modified to increase the environment security. The chapter breaks down the OS into areas relevant to the WebSphere platform: generic operating system characteristics (for example, user accounts), file system features (for example, file permissions), and network system configuration.
Chapter 11, Security Tuning and Troubleshooting, overviews three major areas that can be improved by tuning key parameters as well as a couple of troubleshooting areas. The tuning section overviews general security, CSIv2 connectivity, and user directories and user permissions. Finally, the troubleshooting section reviews general security configuration exceptions and run time security exceptions.
The following is a list of software that you will need to download for this book:
IBM WebSphere Application Server Network Deployment version 7.0 (this is the specific software for which the book is written)
Software used to write example code and to package examples so they can be installed (deployed) into WebSphere
IBM Application Server Toolkit for WebSphere Application Server version 6.1
IBM Rational Application Developer Assembly and Deployment Features for WebSphere Software V7.5 for Multiplatforms
Eclipse Java EE IDE for Web Developers version 3.5.2 (Open source available at www.eclipse.org)
If you are a system administrator or an IT professional who wants to learn about the security side of the IBM WebSphere Application Server v7.0, this book will walk you through the key aspects of security and show you how to implement them. You do not need any previous experience in WebSphere Application Server, but some understanding of Java EE technologies will be helpful. In addition, Java EE application developers and architects who want to understand how the security of a WebSphere environment affects Java EE enterprise applications will find this book useful.
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text are shown as follows: "Start the
A block of code is set as follows:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so Listen [Server_IP]:8444 <VirtualHost [Server_IP]:8444> SSLEnable SSLServerCert ihs1.wasmaster SSLProtocolDisable SSLv2 </VirtualHost> KeyFile /opt/IBM/HTTPServer/ihsserverkey.kdb SSLDisable
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
Any command-line input or output is written as follows:
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "From the list of links located at the bottom, on the right-hand side of the window, click the Open WebSphere Bindings link"
Tips and tricks appear like this.
Feedback from our readers is always welcome. Let us know what you think about this book what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to
<[email protected]>, and mention the book title via the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Downloading the example code for this book
You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books maybe a mistake in the text or the code we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at
< [email protected]> with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
You can contact us at
< [email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.