
Z/OS WebSphere and J2EE security handbook / [Holger Wunderlich ... et al.].

Available online:
Ebook Central Academic Complete
Ebook Central College Complete
Format:
Book
Contributor:
International Business Machines Corporation. International Technical Support Organization.
Wunderlich, Holger.
Series:
IBM redbooks.
Redbooks
Language:
English
Subjects (All):
Computer networks--Security measures.
Computer networks.
Internet--Security measures.
Internet.
Java (Computer program language).
z/OS.
Physical Description:
xxvi, 780 p. : ill.
Edition:
2nd ed.
Place of Publication:
Poughkeepsie, N.Y. : IBM International Technical Support Organization, 2003.
Language Note:
English
Contents:
Front cover
Contents
Notices
Trademarks
Preface
The team that wrote this redbook
Become a published author
Who should read this book
Notice
Comments welcome
Summary of changes
August 2003, Second Edition
Part 1 Getting started
Chapter 1. Security design
1.1 Overview of security concerns
1.2 Finding the right level of security for your enterprise
1.2.1 Logon to z/OS
1.2.2 One userid fits all
1.2.3 Userid and password in a database
1.2.4 Reverse proxy
1.2.5 Security model selection
1.2.6 Additional security considerations
Putting the pieces together
1.2.7 Basic security setup
1.2.8 Basic reverse proxy setup
1.2.9 A business-to-business variation
1.3 Finding the right balance for your application
1.3.1 A little background
1.3.2 Container-managed security
1.3.3 Application-managed security
1.4 Summary
Chapter 2. The security investigation application
2.1 The SWIPE Application
2.1.1 SWIPE Application structure
2.1.2 SWIPE Application architecture and description
2.2 SWIPE's authentication features
2.3 Authorization features
2.3.1 EJBRoles in the sample
2.3.2 Declarative security
2.3.3 Programmatic security
2.3.4 The RunAs concept
2.3.5 The "Sync to OS Thread" concept
2.4 The downloadable SWIPE package
2.4.1 The Windows subdirectory
2.4.2 The z/OS subdirectory
2.4.3 The Trust-AI subdirectory
2.5 Deploying SWIPE
2.6 Running SWIPE
2.6.1 SWIPE - input Part A
2.6.2 SWIPE - input Part B
Chapter 3. The sandbox infrastructure
3.1 Physical integration into the network infrastructure
3.2 Logical and z/OS TCP/IP view
3.3 System setup and Service Levels
3.3.1 Server infrastructure, Application Server, backends, product levels, PTF levels
Part 2 J2EE security concepts and implementation
Chapter 4. Introduction to J2EE and WebSphere Application Server for z/OS and OS/390 runtime conc...
4.1 J2EE concepts
4.1.1 J2EE components
4.1.2 Application programs
4.1.3 Runtime environments
4.1.4 Development and deployment process
4.2 Overview of J2EE implementation in WebSphere Application Server for z/OS and OS/390
4.2.1 WebSphere Application Server for z/OS and OS/390 runtime
4.2.2 Sources of requests
4.2.3 Developing and deploying J2EE applications for WebSphere Application Server for z/OS and OS...
Chapter 5. Introduction to J2EE security concepts
5.1 Overview of J2EE security
5.2 Terminology used for J2EE security
5.3 Authentication and authorization in J2EE containers
5.3.1 Role-based authorization
5.3.2 Web container authentication and authorization
5.3.3 EJB container authentication and authorization
5.4 Resource authentication
Chapter 6. WebSphere and J2EE security
6.1 WebSphere architecture review
6.2 Relationship of WebSphere Application Server for z/OS and OS/390 to System Authorization Faci...
6.2.1 EJBROLES
6.2.2 GEJBROLE: grouping EJBROLEs
6.3 Web container authentication and authorization
6.4 EJB container authentication and authorization
6.4.1 The RunAs concept
6.4.2 The ThreadID concept
6.4.3 Enabling ThreadID
6.5 Authenticating to J2EE resources
6.6 Authorization and serialization in the Administration Application (SMEUI)
6.7 System Management Scripting API (SMAPI)
Part 3 z/OS security foundation
Chapter 7. Beginner's guide to z/OS security
7.1 System Authorization Facility - concept
7.2 Resource Access Control Facility (RACF)
7.2.1 Identifying and verifying users
7.2.2 User and Group base resource protection
7.2.3 RACF PassTicket
7.2.4 Auditing and reporting
7.3 Authorization and program protection
7.4 z/OS UNIX security
7.5 Accessor Environment Element (ACEE) and RACF objects
7.6 Storage keys
7.7 Secure Sockets Layer and Transport Layer security
Chapter 8. z/OS security - advanced topics
8.1 Cryptographic support
8.1.1 Securing and maintaining cryptography
8.2 TCP/IP
8.2.1 TCP/IP stacks
8.2.2 Protecting TCP/IP
8.3 Firewalls
8.4 Intrusion Detection Services (IDS)
Chapter 9. Integration of WebSphere into z/OS security mechanisms
9.1 WebSphere infrastructure security and integrity
9.2 Securing the WebSphere runtime environment
9.3 Administration Application
Chapter 10. Securing WebSphere using RACF
10.1 Introduction
10.2 Classes and profiles
10.3 Enabling WebSphere Application Server V4.0.1 for z/OS and OS/390 runtime in RACF
10.3.1 Activating EJBROLE for J2EE security constraints
10.3.2 Activating the CBIND class for client access to servers
10.3.3 Activating the SERVER class for server access to the daemon
10.3.4 Activating the SERVAUTH class to control z/OS Communication Server resources
10.3.5 Activating the PTKTDATA class to enable PassTickets support
10.3.6 BPX profiles in the Facility class
Chapter 11. Securing WebSphere using eTrust CA-ACF2
11.1 Introduction to eTrust CA ACF2
11.2 Classes and profiles
11.3 Enablement of WebSphere in eTrust CA ACF2
11.3.1 WebSphere Application Server for z/OS and OS/390
11.3.2 Authorization checking
11.3.3 Level of Trust and Access Authority for regions
11.3.4 User identification, authentication and network security
11.3.5 Resource managers
11.3.6 Protection and Protect directives
11.3.7 Prerequisites
11.3.8 Installation steps
11.3.9 ACFCSEC
11.3.10 Problem determination and debugging
11.3.11 Bibliography
Chapter 12. Securing WebSphere using eTrust CA-Top Secret Security for z/OS and OS/390
12.1 Introduction to eTrust CA-Top Secret
12.2 Classes and special records
12.3 Enablement of WebSphere in eTrust CA-Top Secret
12.3.1 Server authorization checking
12.3.2 User identification, authentication and network security
12.3.3 WASADM
12.3.4 Problem determination and debugging
12.3.5 Bibliography
Part 4 Authentication and authorization
Chapter 13. Introduction to authentication and authorization
13.1 Introduction to authentication
13.1.1 Authentication methods
13.2 Introduction to authorization
13.2.1 Resource authorization at the operating system level
13.2.2 Resource authorization at the application level
Chapter 14. Authentication - details
14.1 Introduction to authentication
14.1.1 Authentication methods
14.2 Authentication in the Web container
14.2.1 Unauthenticated
14.2.2 HTTP Digest authentication
14.2.3 HTTP Basic authentication
14.2.4 HTTPS basic authentication
14.2.5 Certificate-based authentication
14.2.6 Form-based authentication
14.2.7 Form-based authentication pragmatics
14.2.8 Form-based authentication revision
14.3 Authentication in the EJB container
14.3.1 Basic authentication
14.3.2 Certificate-based authentication
14.3.3 Kerberos authentication
14.3.4 Asserted identity
14.3.5 Unauthenticated
14.4 EJB container authentication in a single-system environment
14.5 EJB container authentication in a sysplex
14.6 Authentication between z/OS systems outside a sysplex
14.7 Authentication with EJB applications on non-z/OS platforms
Chapter 15. Authentication flow
15.1 Introduction to authentication flow
15.2 The initial decision process
15.3 Authentication processing
15.4 Basic authentication
15.5 Form-based authentication
15.6 Client certificate-based authentication
15.7 Setting the userid
15.8 Unauthenticated processing
15.9 HTTP Server processing flow
Chapter 16. Authorization - details
16.1 Introduction to authorization
16.1.1 Resource authorization at the operating system level
16.1.2 Resource authorization at the application level
16.2 Resource authorization in J2EE applications
16.2.1 Security identities
16.2.2 Security roles
16.2.3 Web container authorization
16.2.4 EJB container authorization
16.3 Operating system level resource authorization
16.3.1 Synchronizing operating system and container identities
Part 5 Cross-platform security infrastructures
Chapter 17. Cross-platform security
17.1 Trust Association Interceptor (TAI)
17.1.1 Overview
17.1.2 What the Trust Association Interceptor is
17.1.3 TAI decision flow
17.1.4 Coding a Trust Association Interceptor
17.1.5 Enabling TAI
17.1.6 Configuring the Trust Association Interceptor
17.1.7 Multiple Trust Association Interceptors
17.2 Tivoli Access Manager integration into WebSphere on z/OS
17.2.1 Overview
17.2.2 The products
17.2.3 Tivoli Access Manager integration into z/OS security
17.2.4 More integration scenarios
Part 6 Security for the Enterprise Integration Tier
Chapter 18. Security for Enterprise Integration Systems
18.1 Overview: backend access in J2EE
18.1.1 The difference between JCA and JDBC
18.2 Using JCA connectors
18.2.1 Accessing an EIS via a JCA connector
18.2.2 Comparing CCF and JCA
18.3 Using JDBC
18.3.1 Accessing a database via JDBC
18.4 Important attributes in the deployment descriptor
18.4.1 Transactions
18.4.2 RunAs
18.4.3 ThreadID
18.4.4 Resource reference attribute: Authentication
18.4.5 Resource reference attribute: Connection Management
Notes:
"July 2003."
"SG24-6846-01."
Includes bibliographical references (p. 765-767) and index.
OCLC:
932363612
