Enabling WebSphere global security

Global security represents the security configuration that is effective for the entire security domain. It includes the configuration of the common user registry, authentication mechanism, Java 2 Platform, Enterprise Edition (J2EE) role-based authorization, the Common Secure Interoperability Version 2 (CSIv2) authentication protocol, and the Secure Sockets Layer (SSL) configuration. In particular, J2EE role-based authorization guards access to Web resources such as servlets, JavaServer Pages (JSP) files, and Enterprise JavaBeans (EJB) methods.

  • WebSphere administrative security

    Enabling WebSphere administrative security protects the system environment including administrative console from unauthorized users. Administrative security is enabled by default in production environment. If you plan to have application security enabled, administrative security must be enabled.

  • WebSphere application security

    Enabling WebSphere application security prevents all Enterprise JavaBeans components from being exposed to remote invocation by anyone. If you operate your WebSphere Commerce site from behind a firewall, you can disable WebSphere application security. However, you should disable it only if you are sure that no malicious applications are running behind the firewall.

Before you begin

  1. LinuxAIXWindows When enabling WebSphere global security, it is strongly recommended that your machine meets the following requirements:
    • A minimum machine memory of 1 GB.
    • A minimum heap size of 384 MB, for the WebSphere Commerce application.
  2. WindowsWhen enabling WebSphere global security on Windows 2003 platform, it is recommended that you enlarge the TCP Ports to 65534 on all nodes on your system that are running on Windows 2003. This includes the WebSphere Commerce node, the LDAP server node, and the Commerce-enabled Portals node. After enlarging the TCP Ports, you will need to restart the servers on the nodes that were changed. For more information, see the following topic in Microsoft support: When you try to connect from TCP ports greater than 5000 you receive the error 'WSAENOBUFS(10055)'
    If you do not enlarge the TCP Ports, you might receive an error similar to the following:
    Authentication failed for user
uid=wpsbind,cn=users,dc=ibm,dc=com because of the following
exception javax.naming.CommunicationException: svt4.cn.ibm.com:389.
Root exception is java.net.BindException: Address in use:
connect
  3. LinuxAIXWindowsAfter WebSphere global security is enabled for a WebSphere Commerce instance or payment instance, you must provide a username and password when starting and stopping the WebSphere Commerce instance or payment instance. For example: stopServer server1 -username administrator -password passw0rd.

Before you begin to enable security, you will need to know how the WebSphere Application Server, where you are enabling security, validates user IDs. WebSphere Application Server can use the operating system user registry or federated repositories as the WebSphere Application Server user registry. See one of the following pages for instructions on enabling security using one of the user registries:

About this task

Enabling WebSphere application security prevents all Enterprise JavaBeans components from being exposed to remote invocation by anyone. If you operate your WebSphere Commerce site from behind a firewall, you can disable WebSphere application security. However, you should disable it only if you are sure that no malicious applications are running behind the firewall.

The WebSphere Commerce instance has global security enabled by default during the instance creation process. That is, WebSphere Application Server administrative security is enabled, with application security disabled by default. Disabling application security has the advantage of better performance when compared to running with application security enabled. The primary administrative user is a user from the built-in file registry. The instance creation process creates the user by initially taking the credentials used to login to the WebSphere Commerce Configuration Manager. You can change the primary administrative user using the WebSphere Application Server Administrative Console.

Global security controls both administrative security and application security. Due to the fact that WebSphere Commerce has its own authentication and authorization structure, you may disable application security if WebSphere Commerce is deployed in a trusted zone behind a firewall. This configuration will allow you to enable the single sign-on capability and secure WebSphere Application Server administrative functions without exercising any J2EE security checks on the application.

For more information, see theAdministrative security topic in the WebSphere Application Server Information documentation.

Important: The application server where WebSphere Commerce and WebSphere Commerce Payments are deployed is configured to use the DummyServerKeyFile.jks and DummyServerTrustFile.jks files with the default self-signed certificate out-of-the-box. Using the dummy key and trust file certificates is not safe; consequently, you should generate your own certificate to replace the dummy certificates immediately. For information about encoding passwords in files see Encoding password in files.

Procedure

WebSphere Commerce security deployment options
WebSphere Commerce supports various security deployment configurations. The following table illustrates the security deployment options available to you:
Single machine security scenarios

The following table shows security scenarios on a single machine.
Option Description
WebSphere global security is enabled.
  • Use the operating system as the WebSphere Application Server registry.
  • Use the database as the WebSphere Commerce registry.
  • Use LDAP as the WebSphere Application Server registry.
  • Use LDAP as the WebSphere Commerce registry.
  • Use LDAP as the WebSphere Application Server registry.
  • Use the database as the WebSphere Commerce registry.
WebSphere global security is disabled, and your WebSphere Commerce site is located behind a firewall.
  • A WebSphere Application Server registry is not required.
  • Use the database as the WebSphere Commerce registry.
  • A WebSphere Application Server registry is not required.
  • Use LDAP the WebSphere Commerce registry.
Multiple machine security scenarios

The following table shows security scenarios on multiple machines.
Option Description
WebSphere global security is enabled. LDAP is always deployed.
  • Use LDAP as the WebSphere Application Server registry.
  • Use LDAP as the WebSphere Commerce registry.
  • Use LDAP as the WebSphere Application Server registry.
  • Use a database as the WebSphere Commerce registry.
  • You will need to set up LDAP, and place one administrative entry into the LDAP registry.
WebSphere global security is disabled, and your WebSphere Commerce site is located behind a firewall.
  • Use a database as the WebSphere Commerce registry.
  • A WebSphere Application Server registry is not required.
  • Single sign-on is not supported.
  • Use LDAP as the WebSphere Commerce registry.
  • A WebSphere Application Server registry is not required.