WebSphere application server for z/OS V5 and J2EE 1.3 security handbook / Steve Allison ... [et al.].

Ebook Central Academic Complete Available online

Ebook Central College Complete Available online

O'Reilly Online Learning: Academic/Public Library Edition Available online

Format:
Book
Author/Creator:
Allison, Steve., Author.
Contributor:
International Business Machines Corporation. International Technical Support Organization.
Series:
IBM redbooks.
Redbooks
Language:
English
Subjects (All):
Computer networks--Security measures.
Computer networks.
Web servers--Security measures.
Web servers.
Java (Computer program language).
WebSphere.
z/OS.
Physical Description:
1 online resource (xxx, 742 p.) ill.
Edition:
2nd ed.
Place of Publication:
Poughkeepsie, N.Y. : IBM Corp., International Technical Support Organization, c2005.
Language Note:
English
System Details:
text file
Summary:
What do you think of when someone mentions z/OS security? Probably of something that is trustworthy, or even impenetrable. Perhaps you also think of something that is a little complex and challenging to administer. What comes to mind when someone mentions Internet security? Perhaps you think of prominent Web sites that have been maliciously "hacked" or credit card numbers that have been stolen. Using working examples of code and configuration files, in this IBM Redbooks publication, we explain how you can run your Web-enabled applications with as high a level of security as other z/OS applications and subsystems, even if those applications were written or originally deployed on another platform, by using the Java 2 Platform Enterprise Edition (J2EE) programming model and IBM WebSphere Application Server for z/OS and OS/390. This book will help architects, application programmers, WebSphere and security administrators, and application and network architects to understand and use these products. Please note that the additional material referenced in the text is not available from IBM.
Contents:
Front cover
Contents
Notices
Trademarks
Preface
The team that wrote this redbook
Become a published author
Who should read this book
Comments welcome
Summary of changes
New and revised cryptographic information
Securing the file system
Security domains
Java 2 security
Enhanced support for Tivoli Access Manager
Other enhancements
Information removed or relocated
Part 1 Introduction to WebSphere and J2EE security
Chapter 1. WebSphere Application Server V5 security overview
1.1 WebSphere Application Server for z/OS Version 5 infrastructure overview and terminology
1.2 WebSphere Application Server V5 security features
1.3 J2EE 1.3 compliance features
1.4 WebSphere Network Deployment family compliance features at interface layer
1.5 Support of WebSphere family security configurations
1.6 J2EE 1.3-compliant security enhancements
1.6.1 Java 2 security
1.6.2 J2EE role-based authorization enhancements
1.6.3 WebSphere Application Server V5 and JAAS
1.6.4 Java 2 security, J2EE security, and JAAS feature comparison
1.6.5 z/OS Java security components
1.6.6 JSSE security
1.6.7 CSIv2 security protocol
1.6.8 Pluggable authentication security
1.6.9 Security configuration in z/OS and OS/390
1.6.10 Enabling global security
1.7 Comparisons between WebSphere Application Server for z/OS and OS/390 V4.0.1 and V5
1.8 Key differences between WebSphere Application Server for z/OS and distributed platforms
1.8.1 Two types of SSL on z/OS
1.8.2 "Deprecated" V4 Advanced interfaces
1.8.3 z/OS security properties
1.9 Summary
Chapter 2. Security design
2.1 Overview of security challenges
2.1.1 Assessing and managing security risks
2.1.2 Evolving with emerging technologies and trends
2.2 Finding the right level of security for your enterprise
2.2.1 Evaluate security elements in each layer
2.2.2 Ask the key questions
2.3 Making some key decisions
2.3.1 Intranet or Internet?
2.3.2 Where will authentication take place?
2.3.3 How will authorization to resources be determined?
2.3.4 What other resources need to be accessed?
2.4 Finding the right balance for your application
2.4.1 Container-managed security
2.4.2 Application-managed security
2.5 Topological view of security
2.5.1 Base topological view
2.5.2 Encryption
2.5.3 User registries and authorization databases
2.5.4 Identity flow
2.6 Summary
Chapter 3. J2EE 1.3 and WebSphere Application Server V5 security concepts
3.1 Overview
3.1.1 Security server topology
3.1.2 Terminology used for J2EE security
3.1.3 User registries
3.1.4 Global security
3.2 J2EE container-based security
3.2.1 Role-based authorization
3.2.2 Web container authentication and authorization
3.2.3 EJB container authentication and authorization
3.2.4 RunAs versus run-as: Identity propagation
3.3 Resource authentication
3.4 Security interoperability using IIOP
3.5 Additional security capabilities
3.5.1 Authentication mechanism and single sign-on (SSO)
3.5.2 Java 2 security
3.5.3 Java Authentication and Authorization Service (JAAS)
3.5.4 Additional programmatic login/logout capabilities
3.5.5 Cryptographic application and data security
Chapter 4. WebSphere Application Server application security
4.1 Programmatic security
4.1.1 J2EE APIs
4.1.2 Programmatic authentication to resources
4.2 JAAS for application security
4.2.1 JAAS login verification using SWIPE
4.2.2 Your own JAAS application login configuration
Chapter 5. WebSphere application migration security aspects
5.1 Application migration security aspect checklist
5.2 Application migration strategies
5.3 Migrating IBM HTTP Server thread level-based security
5.3.1 Affected environments
5.3.2 What is causing this problem?
5.3.3 How can you make it work again?
5.4 Migrating WebSphere Application Server thread level-based security
5.5 Security aspects when migrating Common Connector Framework (CCF) connectors
5.5.1 Affected environments
5.5.2 What is causing this problem?
5.5.3 How can you make it work again?
5.6 Security aspects when migrating J2CA connectors
5.6.1 Affected environments
5.6.2 What is causing this problem?
5.6.3 How can you make it work again?
5.7 Migrating SOMDOBJS to EJBROLE
5.7.1 Using SOMDOBJS with WebSphere simple configuration option
5.7.2 Migrating from SOMDOBJS to the Web container and the EJBROLE profiles
Part 2 SWIPE and our testing infrastructure
Chapter 6. The sandbox infrastructure
6.1 Physical integration into the network infrastructure
6.2 System setup and service levels
6.2.1 Operating system and program products
6.2.2 Distributed environments
6.2.3 Development environment
6.3 Naming conventions
6.3.1 WebSphere cells
6.3.2 Naming convention variables
6.3.3 Data sets and files
6.3.4 Component trace procedure names
6.3.5 Configuration objects
6.3.6 Development base servers started tasks and user IDs
6.3.7 Deployment manager started tasks and user IDs
6.3.8 Node agent started tasks and user IDs
6.3.9 Managed servers started tasks and user IDs
6.3.10 TCP/IP ports
6.3.11 Common information
6.3.12 Starting servers
Chapter 7. The security investigation application
7.1 The SWIPE application
7.1.1 SWIPE application structure
7.1.2 SWIPE application architecture and description
7.2 SWIPE authentication features
7.3 Authorization features
7.3.1 Web container authentication and authorization
7.3.2 EJB container authorization: EJBRoles
7.3.3 EJB container: Declarative security
7.3.4 EJB container: Programmatic security
7.3.5 EJB: RunAs concept
7.3.6 Servlet run-as example
7.3.7 The "Sync to OS Thread" concept
7.4 The downloadable SWIPE package
7.5 Deploying SWIPE
7.5.1 SWIPE: JVM property for location discovery
7.5.2 SWIPE and Java 2 security
7.5.3 Setting the IBMEBizEnv environment variable
7.6 SWIPE: Running EJBCaller
7.6.1 SWIPE: EJBCaller - Input Part A
7.6.2 SWIPE: EJBCaller - Input Part B
7.6.3 SWIPE: EJBCaller - Input Part C, JAAS
7.6.4 SWIPE: RunAsServlet
7.6.5 SWIPE: index.html
7.6.6 Remote JNDI example
7.7 RACF definitions
7.7.1 Overview
7.7.2 Define user IDs
7.7.3 Define a group
7.7.4 Define EJBRoles
7.7.5 Define GEJBROLE
7.7.6 Permit access
7.7.7 Verify security using SWIPE
Chapter 8. The security investigation applications for EIS
8.1 The SWIPE application for CICS, IMS, and DB2
8.1.1 How SWIPE for EIS works
8.1.2 SWIPE EIS application structure
8.1.3 Define security roles for SWIPE/EIS
8.1.4 Prepare WebSphere security to run the samples
8.1.5 Plan resource reference to connection factory bindings
8.2 Define J2CA connection factories and data sources
8.2.1 Suggested scenarios for security verification
8.2.2 Set up JAAS authentication aliases
8.2.3 Set up connection factories and data sources for SWIPE/EIS
8.3 Install SWIPE for CICS, IMS, and DB2
8.4 Install the CICS components of SWIPECICS
8.5 Start SWIPE for CICS, IMS, and DB2
8.6 Run SWIPE for CICS, IMS, and DB2
8.7 Debug SWIPE for CICS, IMS, and DB2
8.8 The SWIPE application for JMS
8.8.1 Invoke the JMS sample
8.8.2 SWIPE application for JMS contents
8.8.3 Security roles in the samples
8.8.4 WebSphere MQ
8.8.5 Prepare WebSphere security to run the samples
8.8.6 WebSphere MQ: Queue definitions
8.8.7 WebSphere MQ: RACF resource profiles
8.8.8 J2C authentication data entries
8.8.9 JMS queue connection factory definitions
8.8.10 Queue destination definitions
8.8.11 SWIPE JMS: Logical resources
8.8.12 Install the SWIPE JMS application
8.8.13 Run the SWIPE JMS application
8.8.14 RACF messages
8.8.15 Check the user ID that flows to WebSphere MQ
Part 3 Cryptography
Chapter 9. Using cryptographic services
9.1 Cryptographic support
9.2 How WebSphere fits in z/OS and zSeries cryptographic infrastructure
9.2.1 Supported J2EE APIs
9.2.2 SSL overview
9.3 Hardware cryptography support for zSeries 2084 or 2086 engines
9.4 Activation of hardware cryptography support for zSeries 2084, 2086, 9672, 2064, 2066, or 7060 engines
9.4.1 Verify that your processor has Cryptographic Coprocessor
9.4.2 Obtain the correct configuration enablement diskette or diskettes for your processor
9.4.3 Load the configuration enablement diskette(s)
9.4.4 Assign Cryptographic Coprocessors to LPARs
9.4.5 Additional instruction for assigning the PCI crypto features to LPARs with a 2084 or 2086 engine
9.4.6 Install and initialize Integrated Cryptographic Service Facility
9.4.7 Initialize the CKDS and PKDS and load your master key
9.5 Configure WebSphere to use hardware cryptographic services
9.5.1 Configure WebSphere to use hardware cryptography for SSL
9.5.2 Configure WebSphere to use hardware cryptography in support of the ICSF authentication mechanism
9.6 Securing and maintaining cryptography
9.6.1 RACF protection for ICSF
9.6.2 RACF setup to secure OCSF and OCEP
9.7 Create RACF keyrings and certificates
9.8 Set up Secure Sockets Layer (SSL) for WebSphere for z/OS
9.8.1 Certificates in WebSphere and RACF
Notes:
"This edition applies to Versions 5 and 5.1 of IBM WebSphere Application Server for z/OS and OS/390."
"June 2005."
Includes bibliographical references and index.
OCLC:
61859201
