Академический Документы
Профессиональный Документы
Культура Документы
Security in WebSphere
Application Server Version 6.1
and J2EE 1.4 on z/OS
ibm.com/redbooks
International Technical Support Organization
December 2007
SG24-7384-00
Note: Before using this information and the product it supports, read the information in
“Notices” on page xi.
This edition applies to WebSphere Application Server Version 6.1 for z/OS.
© Copyright International Business Machines Corporation 2007. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP
Schedule Contract with IBM Corp.
Contents
Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
The team that wrote this book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Become a published author . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Comments welcome. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Chapter 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Securing WAS for z/OS simplified . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 WAS and security layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2.1 Security terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2.2 Security layering overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2.3 z/OS security overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.2.4 Java security overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.2.5 WebSphere security overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.3 Securing WAS and applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.3.1 WAS and security checkpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.3.2 Web client authentication overview . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.3.3 EJB client authentication overview . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.3.4 MQ client authentication overview . . . . . . . . . . . . . . . . . . . . . . . . . . 19
1.3.5 Web services security overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
1.3.6 Backend connectivity security overview . . . . . . . . . . . . . . . . . . . . . . 22
1.3.7 User registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
1.3.8 Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
iv Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
5.6.5 SecurityInfo in action. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Contents v
Chapter 7. Secure Sockets Layer (SSL) . . . . . . . . . . . . . . . . . . . . . . . . . . 209
7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
7.2 Centrally managed SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
7.3 WebSphere V6.1 for z/OS SSSL to JSSE changes . . . . . . . . . . . . . . . . 213
7.4 SSL RACF certificate management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
7.4.1 Viewing certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
7.4.2 Monitoring certificate expiration . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
7.4.3 Importing certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
7.4.4 Exporting certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
7.4.5 Deleting certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
7.4.6 Deleting keystores and truststores . . . . . . . . . . . . . . . . . . . . . . . . . 222
7.5 Hardware crypto and Java crypto providers . . . . . . . . . . . . . . . . . . . . . . 222
7.5.1 Choosing a JCE provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
7.5.2 Admin console keystore types . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
7.5.3 Keystores and truststores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
7.6 IBMJCECCA and IBMJCE characteristics . . . . . . . . . . . . . . . . . . . . . . . 227
7.7 SSL and JCERACFKS keystore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
7.7.1 Keyring and certificate setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
7.7.2 WebSphere admin console setup . . . . . . . . . . . . . . . . . . . . . . . . . . 230
7.8 Hardware crypto using a JCECCARACFKS keystore . . . . . . . . . . . . . . . 233
7.8.1 Keyring and certificate setup with keys in hardware . . . . . . . . . . . . 234
7.8.2 Installing the unrestricted Java policy jars. . . . . . . . . . . . . . . . . . . . 236
7.8.3 Update the java.security file with the IBMJCECCA provider . . . . . . 236
7.8.4 Admin console setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
7.9 SSL troubleshooting and traces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
7.9.1 Diagnostic steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
7.9.2 SSL traces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
7.9.3 Common errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
vi Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
8.3 Confidentiality with SSL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
8.3.1 Confidentiality with SSL scenario description . . . . . . . . . . . . . . . . . 268
8.3.2 Configuring the z/OS Web service provider SSL configuration. . . . 269
8.3.3 Configuring the Web service requestor SSL configuration . . . . . . . 269
8.3.4 Configuring the z/OS Web service provider for confidentiality . . . . 269
8.3.5 Configuring the Web service requestor for confidentiality . . . . . . . . 269
8.3.6 Validating confidentiality with SSL . . . . . . . . . . . . . . . . . . . . . . . . . 271
8.4 Confidentiality with SSL using hardware crypto . . . . . . . . . . . . . . . . . . . 272
8.4.1 Confidentiality with SSL using hardware crypto prerequisites . . . . 272
8.4.2 Installing the unrestricted Java policy jars. . . . . . . . . . . . . . . . . . . . 275
8.4.3 Updating the JVM to use the IBMJCECCA provider . . . . . . . . . . . . 275
8.4.4 Configuring the z/OS Web service provider SSL configuration. . . . 276
8.4.5 Configuring the Web service requestor SSL configuration . . . . . . . 280
8.4.6 Configuring the z/OS Web service provider for confidentiality . . . . 281
8.4.7 Configuring the Web service requestor for confidentiality . . . . . . . . 281
8.4.8 Validating confidentiality with SSL using hardware crypto . . . . . . . 281
8.5 Confidentiality and basic authentication . . . . . . . . . . . . . . . . . . . . . . . . . 282
8.6 Confidentiality and client certificate authentication . . . . . . . . . . . . . . . . . 282
8.6.1 Confidentiality and client certificate scenario description . . . . . . . . 283
8.6.2 Confidentiality and client certificate prerequisites . . . . . . . . . . . . . . 283
8.6.3 Configuring the z/OS Web service provider SSL configuration. . . . 287
8.6.4 Configuring the Web service requestor SSL configuration . . . . . . . 288
8.6.5 Configuring z/OS Web service provider for authentication . . . . . . . 289
8.6.6 Validating client certificate authentication . . . . . . . . . . . . . . . . . . . . 291
Contents vii
9.4.2 Vertical attribute propagation versus CSIv2 identity assertion . . . . 329
9.4.3 Vertical attribute propagation with CSIv2 in action . . . . . . . . . . . . . 330
9.4.4 Vertical attribute propagation with CSIv2 implementation. . . . . . . . 331
9.4.5 Cross-cell considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
viii Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
12.1.3 Security customization jobs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
12.1.4 Comparison of security settings . . . . . . . . . . . . . . . . . . . . . . . . . . 440
12.2 Automatically generated server IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
12.3 RACF - mixed-case password support . . . . . . . . . . . . . . . . . . . . . . . . . 443
12.4 Sync-to-OS thread update. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Contents ix
x Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information about the products and services currently available in your
area. Any reference to an IBM product, program, or service is not intended to state or imply that only that
IBM product, program, or service may be used. Any functionally equivalent product, program, or service that
does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document.
The furnishing of this document does not give you any license to these patents. You can send license
inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such
provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION
PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer
of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s) described in this publication at
any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm
the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on
the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the
sample programs are written. These examples have not been thoroughly tested under all conditions. IBM,
therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.
Enterprise JavaBeans, EJB, Java, Java Naming and Directory Interface, JavaBeans, JavaServer,
JavaServer Pages, JDBC, JDK, JMX, JSP, JVM, J2EE, and all Java-based trademarks are trademarks of
Sun Microsystems, Inc. in the United States, other countries, or both.
Active Directory, Expression, Internet Explorer, Microsoft, Windows Server, Windows, and the Windows logo
are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
xii Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Preface
This IBM® Redbooks® publication was written with the objective to provide a
technical description of some of the most important security scenarios available
with WebSphere® Application Server Version 6.1 for z/OS®. We chose
scenarios that are not really documented elsewhere and that have had
significant changes in Version 6.1.
In the first two chapters we provide an overview of security with WAS on z/OS for
those readers who are unfamiliar with the security landscape on z/OS. From
Chapter 3, “Web container security” on page 63, onwards we go into more
technical depth.
Marc van der Meer is a z/OS IT Specialist with IBM GTS/ITS in the Netherlands.
He has been specializing in security and WebSphere on z/OS for several years.
His current assignments include high-availability WebSphere infrastructures on
z/OS through sysplex functionality, security migrations, and J2EE™ security
implementations.
Gabriel Mogos has been working on the z/OS platform for many years in the
areas of VTAM® and TCP/IP products. He worked as a VTAM change team
member in troubleshooting and fixing internal and external reported problems.
He also worked as a services consultant assisting customers migrate from SNA
to IP network infrastructure and custom application programming. He holds a
Msc. degree in Mechanical/Industrial Engineering from the University of
Cincinnati. Currently, he is working in Enterprise Network Transformation
Solutions (ENTS) support and development.
xiv Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Figure 1 The team (left to right): Gabriel Mogos, Keith Jabcuga, Foulques de Valence, Yukari
Hanya, and Eran Yona (Alex Louwe Kooijmans and Marc van der Meer not pictured)
Thanks to the following people for their contributions to this project (In
alphabetical order):
Paola Bari
Rich Conway
Franck Injey
Al Schwab
International Technical Support Organization, Poughkeepsie Center
Tom Hackett
IBM System z, Poughkeepsie, NY
Tim Hefele
WebSphere z/OS Performance
Preface xv
Ut V. Le
WebSphere Security Development, Austin, TX
Bill O’Donnell
WebSphere Security Development, Madison, WI
Gary Puchkoff
WebSphere Application Server for z/OS Design and Development
Ben Rogers
IBM STG System z Lab Services, Poughkeepsie, NY
Wade Wallace
International Technical Support Organization, Austin Center
Nigel Williams
IBM Montpellier
Your efforts will help increase product acceptance and customer satisfaction. As
a bonus, you will develop a network of contacts in IBM development labs, and
increase your productivity and marketability.
Find out more about the residency program, browse the residency index, and
apply online at:
ibm.com/System Authorization Facilitys/residencies.html
Comments welcome
Your comments are important to us!
xvi Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Send your comments in an e-mail to:
System Authorization Facilitys@us.ibm.com
Mail your comments to:
IBM Corporation, International Technical Support Organization
Dept. HYTD Mail Station P099
2455 South Road
Poughkeepsie, NY 12601-5400
Preface xvii
xviii Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
1
Chapter 1. Introduction
Because of the rapid growth of e-business and the integration of different
organizations, securing and managing information technology (IT) infrastructures
has become very complex and demanding. Protecting sensitive and confidential
data from malicious intruders, deadly viruses, and worms is not an easy task. It
requires constant monitoring of the daily IT business operations and deploying
the latest security technology.
WAS for z/OS security and the underlying operating system infrastructure
security can provide customers running enterprise applications with secure and
reliable services.
In this chapter, we introduce new and upgraded security features that are
implemented in WebSphere Application Server WAS for z/OS V6.1 to secure
WAS and e-business applications.
Needless to say, it is very tough out there. The competition has never been more
intense than today. To survive in this highly competitive global market, companies
must be innovative and come up with new ways of doing things within a short
period of time. If they do not, they become obsolete and fade away.
The product life cycle has now been shortened. To beat the competition,
companies must invent, re-invent, and upgrade their products every six months
to a year in order to stay in business and be successful.
2 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Note that these new and enhanced v6.1 security features have been made
available to the public in the WebSphere Application Server for z/OS InfoCenter.
In addition, these features are described in detail in this book in later chapters.
Chapter 1. Introduction 3
Non-repudiation means that in the case of a transaction between two parties
(a provider and a consumer), both parties can provide legal proof to a third
party that the provider delivered and the consumer received the services.
Auditing refers to the ability to discern from gathered data who did what,
when, and for what reason. This is usually made possible by the usage of
monitoring tools and traces, which are then analyzed for patterns. This type of
activity has been engaged in for several hundred years, across many fields,
so most of the general concepts applied in other fields apply. A robust
auditing and traceability implementation could dissuade potential attackers.
In this chapter and in the rest of the book, we discuss security terms while
introducing the new security features of WebSphere Application Server v6.1
Naming, HTML,
WebSphere/Application
Admin Servlet/JSPs,
Resources
EJBs
Access Control
WebSphere Security WebSphere Security
JVM 5 Security
In WAS Version 4 there was security in many different layers. In WAS Versions 5
and 6, the security options and capabilities in many of these layers were
enhanced. In WAS Version 5 on the System z platform and later, the WAS
security layers are intended to work like those on any other platform. What is
unique to each platform is the operating system security.
4 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Operating system (OS) security
The security infrastructure of the underlying operating system provides certain
security services to the WebSphere security application. This includes the file
system security support to secure sensitive files in WebSphere product
installation. The WebSphere system administrator can configure the product to
obtain authentication information directly from the operating system user registry,
for example, the NT Security Access Manager (SAM). On z/OS, we refer to that
as SAF, which stands for System Authorization Facility. SAF is a common set of
APIs being used to access RACF, Computer Associates’ Top Secret or ACF2
security software and security databases that are present on the z/OS operating
environment. These security products contain information about users, groups of
users, resources, and user or group access to those resources. The purpose of
these products is to provide authentication and access control for the z/OS
environment.
Java security
The Java security is based on a few security elements:
The JVM™ in the SDK 1.5
The JVM security model provides a layer of security above the operating
system layer. For example, JVM security protects the memory from
unrestricted access, creates exceptions when errors occur within a thread,
and defines array types.
J2EE security
The security collaborator enforces J2EE-based security policies and supports
J2EE security APIs.
Java 2 security
The Java 2 security model offers access control to system resources
including file systems, system property, socket connection, threading, class
loading, and so on. Application code must explicitly grant the required
permission to access a protected resource.
CSIv2
Any calls made among secure object request brokers (ORBs) are invoked
over the Common Secure Interoperability Version 2 (CSIv2) security protocol,
which sets up the security context and the necessary quality of protection.
After the session is established, the call is passed up to the enterprise bean
layer. CSIv2 is an IIOP-based, three-tiered, security protocol that is
developed by the object management group (OMG). This protocol provides
message protection, interoperable authentication, and delegation. The three
layers include a base transport security layer, a supplemental client
authentication layer, and a security attribute layer.
Chapter 1. Introduction 5
WebSphere Security
WebSphere Application Server security relies on and enhances all the
above-mentioned layers. It enforces security policies and services in a unified
manner on access to Web resources and enterprise beans. It consists of
WebSphere security technologies and features to support the needs of a secure
enterprise environment.
In summary, RACF has the following capabilities and functionality. It allows the
administrator to:
Create and manage digital certificates.
Protect data sets and UNIX® System Services HFS files.
Protect system resources and services.
Manage a large user database, and add, delete, list, and change user
profiles.
RACF keeps a profile for each system resource user that it knows, and the profile
is kept in storage in the format shown in Figure 1-2.
6 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
As you can see in Figure 1-2 on page 6, the RACF profile contains:
User ID and password. The password is encrypted.
Owner of the profile. The owner can be a group or a single user.
Attributes, which allow users to do specific tasks with RACF. Four attributes
that can be specified are special, auditor, operations, and protected.
Security classifications. This is optional, but it gives an additional way of
controlling user authority.
Segments. Z./OS process or address spaces such as TSO, OMVS, and CICS
can be added to a user profile.
Finally, RACF provides a way to record what is done on the system. It keeps
track of what happens on the system so that an organization can monitor who is
logged on the system at any time. RACF reports whether anyone has attempted
to perform unauthorized actions. For example, RACF can record that someone
has tried to access or change data to which they do not have the correct
authority.
RACF GROUP
Groups are a way to categorize subjects and objects. The types of groups used
are administrative, resource control, and functional.
RACF Administration EJB™ roles and their respective capabilities are classified
as follows:
Monitor View configuration files and status but not anything else.
Configurator A monitor that can modify a configuration information but
cannot change runtime states.
Operator Can trigger runtime state changes, such as start/stop an
application server, but cannot change configuration files.
Administrator An operator as well as a configurator.
Chapter 1. Introduction 7
RACF CLASS
This section describes the pertinent RACF classes that are applicable to
implementing WebSphere Application Server for Version 6 on z/OS. These
classes represent a small subset of all available classes in RACF.
APPL - used for VTAM application ID (APPLID) access. The APPL class
controls access to applications.
CBIND - controls the client’s ability to bind to the server. WebSphere uses the
CBIND class to control access to the server.
DIGTCERT - contains digital certificates and related information.
DSNR - controls access to DB2 subsystems.
EJBROLE and GEJBROLE - These classes are used to register Enterprise
JavaBeans™ (EJB) roles that will be used by WebSphere Application Server
applications. EJBROLE is the member class for EJB authorization roles. The
APPLDATA field in an EJBROLE profile defines the target Java identity when
running in RunAs ROLE mode. GEJBROLE is the grouping class for EJB
authorization roles. EJBROLE profiles have to be added for the required roles
and for users to be given access to these profiles when SAF authorization is
used.
FACILITY - miscellaneous uses. Profiles are defined in this class so that
resource managers can check users’ access to the profiles when the users
take some action. Here is where we place profiles for Digital Certificate, DCE,
and Kerberos, plus UNIX System Services profiles (for example,
BPX.DAEMON).
KERBLINK - mapping class for user identities of local and foreign principals.
Used in Kerberos to map a unique RACF user ID to each foreign principal.
LOGSTRM - controls which applications can access the system logger
resources.
SERVER - controls the server’s ability to register with the daemon. This class
is used in WebSphere to control whether a servant can call authorized
programs in the controller.
SERVAUTH - contains profiles that are used by servers to check a client’s
authorization to use the server or to use the resources managed by the
server. Use this class to protect TCP/IP ports. If you are using this class, you
must give WebSphere and Kerberos access.
STARTED - used for identifying authorized system started procedures.
WebSphere Application Server normally starts as a system task and would
need an entry in the STARTED class to associate a valid RACF user ID and
connected group to be able to access protected resources. This is used in
preference to the started procedures table to assign an identity during the
8 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
processing of an MVS™ START command. For example, WebSphere and
Kerberos are defined as started tasks in this profile.
SURROGAT - whether surrogate submission or login is allowed, and if
allowed, which user IDs can act as surrogates. SURROGAT is used here in
conjunction with BPX.SRV profiles in the SURROGAT class to allow security
context switches for unauthenticated user IDs.
Java 2 security
Java 2 security provides a policy-based, fine-grained access control mechanism
that increases overall system integrity by checking for permissions before
allowing access to certain protected system resources. Java 2 security guards
access to system resources such as file I/O, sockets, and properties, while Java
2 Platform, Enterprise Edition (J2EE) security guards access to Web resources
such as servlets, JavaServer™ Pages™ (JSP™) files, and Enterprise
JavaBeans (EJB) methods.
Many existing or even new applications might not be prepared for the very
fine-grained access control programming model that Java 2 security is capable
of enforcing. Administrators need to understand the possible consequences of
enabling Java 2 security if applications are not prepared for Java 2 security. Java
2 security places some new requirements on application developers and
administrators.
Chapter 1. Introduction 9
Attention: Java 2 security is very CPU consuming and therefore not
recommended for a production environment.
J2EE security
The J2EE specification defines the building blocks and elements of a J2EE
application that builds an enterprise application. The specification also provides
details about security related to the different elements. A typical J2EE application
consists of an application client tier, a Web tier, and an EJB tier. When designing
a security solution, you need to be aware of the connections between each of the
modules.
It is possible that the J2EE application can control its own security issues
programmatically, but with WAS, the J2EE application can be configured to
enforce security features during deployment time. When an administrator installs
the application, he can give the required users access to the application based
on the roles as defined in the applications’s EJBROLES profiles. The permission
given to the users is based on their roles and needs.
10 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
access. For such cases, there are a few security APIs that the developers can
implement.
Based on the J2EE container-based security architecture, the Web container and
the EJB container can provide security without application code having to be
written to provide security. Not all applications, however, can be designed in
such a way that the application programmer is completely isolated from issues of
security. But there are cases where WAS declarative security alone cannot
provide security to application programs that require some functions. In this
situation programmatic security can be done by the application.
J2EE provides an API with two methods for the Web container and two methods
for the EJB container.
Chapter 1. Introduction 11
retrieve a principal object for the caller’s identity. The
user ID can be retrieved from this principal object.
The application can use the returned user ID or principal object for decisions in
its program flow. For example, a program might have a private authorization
protocol and use the principal name to search an authorization table. Another
possibility would be if data is being retrieved from a relational database, and the
principal name forms part of a key field.
A certain country with all its territorial boundaries puts into effect an immigration
law to enforce that entry to its territory is not breached. To protect its territory, the
country places checkpoints in all its entry points. The possible entry points would
be sea ports, airports, border towns, and other ground entry points. So, the
country places its immigration offices in all the entry points to allow or reject entry
visas based on its rules and regulations. For example, if a person tries to enter
the country using a falsified document, then he would be in trouble for breaking
the law to enter the country.
12 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
To demonstrate the entry checkpoint concept, we present Figure 1-3. Figure 1-3
externalizes the communication channels between WAS and the outside world,
and it represents the most common connections into and out of WAS. We also
believe that knowing the entry checkpoints helps IT architects and designers
consider the security issues during an overall network design phase and
implementation.
Chapter 1. Introduction 13
Similarly, the back end connections are:
Connecting to DB2 via Java DataBase Connectivity (JDBC™), either using a
local connection (T2) or a remote connection (T4).
Connecting to CICS and IMS via J2C connectors. Those connectors can also
be used in local (cross-memory) or remote mode (over TCP/IP).
Connecting to an MQ Queue Manager, again, either in local (cross-memory)
mode or remote mode (TCP/IP).
There are more possibilities, but for the purpose of this introduction we do not
discuss all of the options.
After identifying the various access points to WAS for z/OS, the next step is
handling security issues at these entry points.
WAS on z/OS, like any TCP/IP application, obtains sockets and binds them to
several defined or defaulted ports and IP addresses. In fact, WAS uses the
INADDR_ANY parameter for all its listening ports by default. This means that it
can accept requests from any IP address used by any client. By doing that, the
gate is wide open for a security attack.
To WAS and its clients, TCP/IP is just an underlying transport protocol. The real
communication occurs on the application layer protocols (HTTPs, IIOP) that run
on top of the TCP layer. The HTTP protocol is very well known and is much
easier to use than the IIOP. The IIOP is more complex than the HTTP since it
deals with objects and inter-communication between programs.
The details follow in later chapters, but let us see how security is handled when
an end-to-end communication is established between two endpoints. The two
endpoints are a Web client and CICS on z/OS in one case, and a J2EE client and
CICS on the same z/OS in the other case.
14 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
In Figure 1-4, we show numbers for each stop the Web client and the J2EE client
make as they go through the connection path to reach CICS.
0 1
2
3
In each case the number zero (0) represents the initial point before doing
anything, and WAS and CICS are local to each other, meaning that they are on
the same LPAR on z/OS.
To fully understand the security flow on the HTTP(s) and IIOP layers, it requires
deep understanding of the specification and architecture of these protocols.
Once TCP/IP delivers the data, the HTTP(s) and the IIOP code must parse and
interpret the HTTP and GIOP (IIOP) headers in order to take an appropriate
security action.
We do not discuss the HTTP(s) and IIOP internal flow here in this book, but the
security mechanisms implemented to secure HTTP and IIOP protocols are
discussed later on.
Chapter 1. Introduction 15
In this section, we describe the mechanisms to authenticate Web clients. The
Web authentication mechanisms are:
Single sign-on (SSO)
– Lightweight Third Party Authentication (LTPA)
The security token is created by WAS using configured keys.
– Simple WebSphere Authentication Mechanism (SWAM)
The security token is not created by WAS. If the authentication is needed
to go from server to server, then the LTPA mechanism should be used.
Single sign-on
Single sign-on is a mechanism where a principal can log in to multiple servers
without being required to resubmit his credentials. Single sign-on is supported
only when Lightweight Third Party Authentication protocol is being used.
When using SSO, at initial login a cookie is returned in the HTTP response.
Then, when the user accesses other servers that are in the same domain name
service (DNS), she is not prompted to re-enter the credentials again for
re-authentication.
If you need to interoperate with network distributed servers you must use LTPA.
Attribute propagation
With security attribute propagation, WebSphere Application Server can transport
security attributes (authenticated subject contents and security context
information) from one server to another in your configuration. WebSphere
Application Server might obtain these security attributes from either an enterprise
user registry, which queries static attributes, or a custom login module, which can
query static or dynamic attributes. Dynamic security attributes, which are custom
in nature, might include the authentication strength that is used for the
connection, the identity of the original caller, the location of the original caller, the
IP address of the original caller, and so on.
16 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Security attribute propagation provides propagation services using Java
serialization for any objects that are contained in the subject. WebSphere
Application Server also offers a token framework that enables custom
serialization functionality.
Identity assertion
Identity assertion is one of the most important areas of RMI-IIOP security. When
coding EJBs and setting up the infrastructure, a key goal is to allow for access to
a remote EJB with total transparency to the user while maintaining security.
Common Secure Inter operability Version 2 (CSIv2) allows for an identity from
one server to be passed to a downstream EJB call.
In a trust association setup, the back-end server accepts HTTP requests that
pass through the front-end server. The back-end server is configured to receive
HTTP requests only from the trusted server. HTTP requests that come in through
other servers are rejected.
The trust association function could be used with configurations that provide
ways to demilitarize zones.
Chapter 1. Introduction 17
1.3.3 EJB client authentication overview
For EJB client authentication, two technologies are important to mention:
Common Secure Interoperability Specification v2 (CSIv2) can be used to
enter a J2EE server on z/OS remotely from a J2EE client and authenticate to
an EJB running in that server.
Java Authentication and Authorization Service (JAAS) can be used in any
J2EE application to perform authentication functions.
18 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Java Authentication and Authorization Service (JAAS)
Briefly, JAAS is a J2EE standard and pluggable Java code (stub) that enables
J2EE-compliant applications to authenticate and enforce access controls upon
users. JAAS provides two interfaces:
An application-level programming interface (API) for use by J2EE applications
A service programming interface (SPI) for the providers of its functionality
JAAS uses the concept of a subject in which a principal and credential are
created for a user request to log in.
There are two ways WAS and WMQ can communicate. If WMQ is local (that is,
on the same LPAR as WAS), then the communication is via cross memory. If
WMQ is remote to WAS, then the communication is over TCP/IP.
MQ clients and other WMQ queue managers communicate with WMQ queue
managers over channels. When WAS applications use direct JMS connections to
a WebSphere MQ queue manager, not using the Service Integration Bus, the
WAS applications appear as MQ clients. When communication is done via the
Service Integration Bus, the MQ link appears as another queue manager to
WebSphere MQ. Regardless of what method is used, communication is done
over one or more channels. SSL properties on the channel allow for selection of
which Cipher Spec to use and which clients, based on DN, to accept connections
from. Enabling SSL on the channel is as simple as selecting the Cipher Spec and
restarting the channel.
Chapter 1. Introduction 19
Securing connections between WebSphere Application Server and
WebSphere MQ: Part 2: Secure the WebSphere MQ link using the service
integration bus at:
http://www-128.ibm.com/developerworks/websphere/techjournal/0601_
smithson/0601_smithson.html
For more information about security related to the usage of JMS and WAS on
z/OS, refer to Java Message Service (JMS) Security on z/OS, REDP-4203, at:
http://www.System Authorization
Facilitys.ibm.com/abstracts/redp4203.html?Open
Web services and service-oriented architecture (SOA) are being used by most
people synonymously lately, but are in fact not the same things. When we talk
about Web services, we refer to the usage of a set of protocols that make it
easier to transparently access a component from anywhere else. SOA is much
more a way of architecting the entire IT landscape in such a way that it becomes
easier to use and manage.
20 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
As depicted in Figure 1-5, there are two ways of securing Web services
communication. They are:
Message level security
Transport level security (TLS/SSL)
TCP Socket
Socket
Port
IP IP address IP address
The SOAP Message Security 1.0 (WS-Security 2004) is proposed by the OASIS
WSS Technical Committee.
http://www.w3c.org/Signature
http://www.w3c.org/Encryption
Chapter 1. Introduction 21
of security: identification, authentication, authorization, integrity, confidentiality,
auditing, and non-repudiation. It is based on the WS-Security specification,
co-developed by IBM, Microsoft®, and VeriSign.
22 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
J2C connector components
J2C defines contracts between the application, the connector, and the
application server where the application will be deployed:
Container contract
The container contract defines what the application server expects to find in a
deployed application. This is the standard contract between an EJB and its
container. It consists of the bean callback methods, such as ejbCreate(),
ejbLoad(), and ejbActivate().
Application contract
The application contract defines what the connector expects to receive from
the application. It is defined by the Common Client Interface (CCI) API.
System contract
The system contract specifies the behavior that every J2C resource adapter
must support. The contract components are:
– Connection management contract
This allows the application server, with the assistance of the adapter, to
pool connections to the EIS.
– Transaction management contract
Transactions are a key concept needed to support distributed computing.
– Security management contract
This details the sign-on procedures that are carried out when the client in
WebSphere establishes a connection to the resource adapter or EIS.
These contracts imply that all participating components are J2EE connector
architecture-compliant. The application, connector, and application server must
all be compliant with the J2EE architecture.
Chapter 1. Introduction 23
application or the J2C connection factory in
the component-managed authentication
alias entry.
Each registry has its own way of registering and saving user information. Usually,
users are added into groups based on their roles:
LocalOS
In was for z/OS, this implements a SAF-based user registry used for
authentication and group information lookup.
LDAP
The Lightweight Directory Access Protocol is used as the user registry for
authentication and group information lookup. WAS supports a wide range of
directory solutions.
24 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Custom
This registry mechanism is user customized and can use relational database
files, flat files, and others to organize and store user information
Federated Repository
This is new in WAS Version 6.1 and supports multiple registry chaining. Its
most popular use is the ability to chain LDAP directories. In addition,
federated repository supports identity management capabilities.
How are registries used in WebSphere Application Sever for z/OS? Here we
present how authentication is performed using registries in WAS for z/OS. These
steps are performed in sequential order:
1. The client’s credentials (usually, user ID/password) are passed to an
authenticating module.
2. The authenticating login module then passes on the credentials to a login
module that determines what protocol to use to process the request, for
example, LTPA.
3. The user data is received by the protocol processor (LTPA in this case) and
performs authentication against the current active registry.
4. After authentication is successfully done, the login module generates a JAAS
subject and credential list for the user and passes control back to the
authentication module.
5. The authenticating module then saves the credentials for future use.
1.3.8 Authorization
WebSphere Application Server provides many different methods for authorizing
accessing resources. For example, you can assign roles to users and configure a
built-in or external authorization provider. The default authorization uses
application deployment descriptors for authorization rules. As an alternative to
WebSphere Application Server default authorization, security authorization
facility (SAF)-based authorization (for example, using the RACF EJBROLE
profile) can be used to control access by a client to Java 2 Platform, Enterprise
Edition (J2EE) roles in EJB and Web applications. When SAF authorization is
enabled, SAF EJBROLE profiles are used to authorize J2EE roles. WebSphere
Application Server supports authorization that is based on the Java
Authorization Contract for Containers (JACC) specification. JACC is a new
specification in Java 2 Platform, Enterprise Edition (J2EE) 1.4. It enables
third-party security providers to manage authorization in the application server.
Authorization has also been covered in WebSphere Application Server for z/OS
V5 and J2EE 1.3 Security Handbook, SG24-6086.
Chapter 1. Introduction 25
26 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
2
Here we provide the most common security design scenarios that can be used in
the real world. Each configuration is designed to address specific security
implementation scenarios. The purpose of being specific is to simplify the
complexity of using various security methodologies in a single configuration.
Using the configurations we show in this chapter, users can build their own
security solutions based on their overall network topologies and requirements.
We compiled this chapter to prepare you to successfully perform the above three
tasks. Briefly, what this chapter attempts to address are the following areas:
End-to-end security design/configuration.
Connection protocols and their security aspects. The protocols addressed are
HTTP, RMI-IIOP, SOAP, CSIv2, and MQ messaging.
SSL handshake communication flows. This is very important information to
diagnose security-related problems.
Authentication via LDAP or RACF and authentication flows during initial
sign-on and thereafter.
Authorization via RACF, J2EE roles, or through an external authorization
server.
We advise the reader to use this chapter as a starting point before getting into a
more detailed security implementation and analysis.
28 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
2.2 Network protocol architecture overview
The foundation of network communication has been based on the architecture of
protocol layering. The two most widely known network architectures are the
Open System Interconnection (OSI) model and System Network Architecture
(SNA), and they both have seven layers, the link layer at the bottom, and the
application layer at the top. At each layer there is a protocol that must be
followed before a full communication between two endpoints can be made, in
any given network configuration.
The TCP/IP architecture is based on the OSI model. Originally, it was limited to
the United States Department of Defense and universities to do simple mail
transfer and file transfer type of operations. But, after the emergence of the
Internet and World Wide Web (WWW), it became the dominant network transport
provider. Even though it is based on the OSI model, the TCP/IP architecture is
much more simple than the OSI or SNA layers. From an architectural point of
view, there are two layers besides the link layer: the IP/UDP layer and the TCP
layer. Anything above the TCP layer is considered an application layer, and it is
the responsibility of the application to handle any protocol beyond the TCP layer.
WAS for z/OS is just another application to TCP/IP. This means that the HTTP,
IIOP, and MQ message headers and protocols are handled by WAS front-end
processing modules.
The discussions of the various security designs are based on the protocol
architecture illustrated in Figure 2-1.
WS – Security ( Authentication)
SOAP SOAP
Authentication
HTTP MSG IIOP HTTP MSG IIOP
SSL (Integrity,Confidentiality)
SSL SSL
TCP Socket
Socket
Port
`
Router Router
Also, sometimes protocols are stacked on top of each other and the
security-related information may be in any or all of the levels. A good example of
this is the usage of SOAP over HTTP. There may be a user ID/password at the
HTTP level, but there might also be security artifacts in the SOAP message.
This allows Web clients and servers to pass confidential or sensitive data
through the Internet or intranet. SSL is also used by the Lightweight Directory
Access Protocol (LDAP) for secure connections between LDAP clients and LDAP
servers.
30 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Referring to Figure 2-2, the steps are as follows:
1. First, the client sends a Client Hello message that lists the cryptographic
capabilities of the client (sorted in client preference order) and contains the
SSL/TLS protocol version desired. It also contains a random value.
1. Client Hello
2. Server Hello
3. Server certificate
4. Certificate Request
5. Certificate done
6. Client certificate
7. Client key exchange
8. Certificate verify
9. Change cipher spec
10. Finished
Client/Requester
11. Change cipher spec
12. Finished Server/Service Provider
Figure 2-2 SSL handshake
2. The server responds with a Server Hello message, which contains the
cryptographic method (cipher suite) selected by the server, the session ID,
another random number, and the acceptable SSL/TLS protocol version. The
client and server must support at least one common cipher suite or the
handshake will fail.
3. Following the Server Hello message, the server sends its certificate. With
Secure Sockets Layer (SSL), X.509 V.3 certificates are used.
4. If SSL Version 3 is used and the server application (for example, the Web
server) requires a certificate for client authentication, the server sends a
certificate request message. In the certificate request message, the server
sends a list of the types of certificates supported and the distinguished names
of acceptable certification authorities.
5. The server then sends a Server Hello done message and waits for a client
response. Upon receipt of the Server Hello done message, the client (the
Web browser) verifies the validity of the server’s certificate and checks that
the server hello parameters are acceptable.
6. If the server requested a client certificate, the client sends a certificate or, if no
suitable certificate is available, a no certificate alert. This alert is only a
warning, but the server application can fail the session if client authentication
is mandatory.
The SSL record protocol transfers application data using the encryption
algorithm and keys agreed upon during the handshake phase.
32 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
2.4 Authorization and EJB roles
In Chapter 1, “Introduction” on page 1, we said that the servant region of the
server is the address space (task/thread) that does the real work, executing
servlet or EJB code. The servlet and the EJB both have two identities associated
with them:
A security identity, which is used for controlling access to J2EE resources and
downstream processing (calling another EJB or J2C resource). The default
identity is the calling entity (user ID or another program’s process ID).
An execution identity, which is associated with the operating system
task/thread during run time. The default identity is the servant region’s
address space (process ID). This is supposed to be always trusted.
To better control the security identity part, the J2EE authorization model provides
for the usage of security roles for each servlet and EJB that is deployed to WAS
for z/OS. The security role is determined at deployment time and is located in the
deployment descriptor. The security role is then defined in RACF using the
EJBROLE class in which the profile is checked against the role name to verify
authority to access code.
Furthermore, the default caller identity can be changed using the RunAs identity
mechanism. The RunAs can be:
Run as the caller (which is just like the default).
Run as server (servant region’s user ID).
Run as based on role (role provided by the deployment descriptor) and
mapped to an EJBROLE in RACF.
Data confidentiality and integrity are secured when SSL is enabled. This means
that when we say SSL, both confidentiality and integrity are implied. So, by doing
In addition, this scenario can be used as a starting point to develop, secure, and
deploy simple J2EE applications for testing and some small-scale production.
Description
Figure 2-3 describes what this design provides. The HTTP server is on z/OS and
it uses RACF facilities for its authentication requests. Since RACF is already
used for other security purposes, it can also be used for securing the Web
applications with minimum effort. The user registry used in WAS is LocalOS
(SAF-based).
Keep in mind that this design does not cover the back-end systems such as
CICS, IMS, and DB2. Connectivity to the back-end systems is addressed
separately.
z/OS
CICS
IMS
HTTP(s)
HTTP SSO WebSphere
Server Application Server
Web
Client
The configuration illustrated in Figure 2-3 assumes that the user is a Web client
and that all client requests start with sending an HTTP request from the browser
34 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
to the HTTP server on z/OS. The server redirects all HTTP requests to WAS after
having done an authentication.
Single sign-on (SSO) is enabled in WAS, and the user’s security credentials are
propagated from the HTTP server to WAS. We assume that the user ID with
which a user authenticates to the HTTP server is the same user ID that will be
used to access WAS. The HTTP server sends the user’s credentials (certificate,
basic authentication headers) to WAS when making requests. In this case, the
HTTP server only operates as a proxy server. It forwards credentials at the HTTP
protocol layer level. There is no propagation of a user’s identity, but only
propagation of the user’s security credentials.
We would like to inform the reader that data integrity and confidentiality is implied
by the fact that the connection is over SSL.
HTTP WAS
Client Server (sso, TAI) RACF
1
2
5
6
2. The HTTP server receives the request from the client, retrieves the client user
ID and password from the HTTP header, and calls RACF to verify the client’s
identity.
3. RACF verifies the identity of the client in its database and replies with a
positive/negative response.
4. If the response from RACF is negative, the HTTP server sends a request to
the client to provide a valid user ID and password. If the response was
positive, the HTTP server forwards the request to WAS.
5. WAS looks at the HTTP request and, since single sign-on is enabled,
bypasses the client authentication step and calls RACF to verify whether the
client is authorized to execute the operation.
6. RACF, based on its security definitions, either authorizes the request or
rejects it. The URI needs to be defined as a protected resource for this
purpose.
36 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
7. If the response from RACF for the authorization request was yes, then the
application requested by the client is executed and a reply is sent back to the
client with the results.
Configuration tasks
Here we provide the list of tasks that need to be done to configure security for
this design. The main task items are as follows:
Enable single sign-on (SSO) via the WebSphere administrative console, as
follows: secure administration, applications, and infrastructure > single
sign-on (SSO).
Add user ID/password of client to RACF.
Define EJBROLES in RACF to enable application authorization.
Configure SSL in each endpoint.
References
Refer to:
IBM HTTP Server Web site at:
http://www-306.ibm.com/software/webservers/httpservers/doc/v51/icswg
003.html
WebSphere Application Server on z/OS and Security Integration, REDP-4161
In addition to the RPSS, a firewall can be placed to further tighten the security.
Therefore, the goal is to have a tightly secured z/OS environment.
z/OS
CICS
IMS
WebSphere
HTTP(s) HTTP(s) Web SSO
RPSS Application
Server
Server
Web client
DB2
Authorization
Authentication Native
LDAP RACF
Authentication
Privacy is implemented by using SSL/TLS between the Web client and HTTP
server. Similarly, SSL can be used between the HTTP server and the application
server.
In this design, the RPSS is outside z/OS and it is using the LDAP registry located
inside z/OS to carry out the authentication of the client. The RPSS and the LDAP
communication is secured via SSL.
38 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
This design does not cover the back-end systems such as CICS, IMS, and DB2.
Connectivity to the back-end systems is addressed separately.
Logical flow
Data integrity and confidentiality is implied by the fact that the connection is over
SSL. The flow deals mostly with authentication and to some degree
authorization.
Figure 2-6 shows a flow of the authentication from end to end. The flow
describes a Web client accessing a Web-based application that resides in WAS
for z/OS.
Web WAS
Client RPSS LDAP Server (sso, TAI) RACF
1
2
3
4
5
7
8
9
10
Figure 2-6 Scenario 2 - authenticating in reverse proxy security server - logical flow
The flow given in Figure 2-6 describes an event that takes place at each step as
clients initiate a connection to a J2EE application that is deployed to WAS. The
sequence of events is:
1. The client initiates a connection via HTTP to the Reverse Proxy Security
Server. The connection goes through a three-way handshake and the
connection is secured if SSL is enabled. Then the client sends the user ID
and password in a secure communication.
2. The RPSS receives the client request, looks at the HTTP header, and finds a
user ID and password. To authenticate the user ID/password, the RPSS
queries the LDAP server.
3. The LDAP server is tied to RACF for native authentication and queries RACF
if the specified user ID is known and valid to RACF.
Configuration tasks
Here we provide the list of tasks that need to be done to configure security for
this design. This list may not be complete, but the main task items are:
Enable single sign-on (SSO) via the WebSphere Administrative console as
follows: secure administration, applications, and infrastructure > single
sign-on (SSO).
Set up LDAP with SDBM configuration.
Add user ID/password of client to RACF.
Define EJBROLES in RACF to enable application authorization.
Configure SSL in each endpoint.
References
For more information see:
WebSphere Application Server on z/OS and Security Integration, REDP-4161
Secure Production Deployment of B2B Solutions using WebSphere Business
Integration Connect, SG24-6457
40 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Description
Figure 2-7 is very simple. The J2EE client communicates directly with the
application server on z/OS using the J2EE Remote Method Invocation over
Internet Inter-Orb Protocol (RMI-IIOP). There is no HTTP server involved. Again,
the user registry used in WAS is LocalOS (SAF-based).
z/OS
CSIv2
WebSphere
DB2
Application
RMI/IIOP Server
J2EE
Client CICS
IMS
Authentication Authorization
RACF
At the WAS V6.1 level, there is only one available protocol for communicating
securely between a J2EE client and WAS for z/OS: Common Secure
Interoperability Version 2 (CSIv2). CSIv2 is a standard protocol that should be
used for any new implementations. CSIv2 enables user ID propagation between
J2EE environments. Using CSIv2, this user ID can be an LDAP distinguished
name, a client certificate, a basic user ID, and so on. The user ID that is retrieved
from the CSIv2 protocol can either be a RACF user ID or be mapped to a RACF
user ID. The transport layer can be secured using SSL/TLS.
Keep in mind that this design does not cover the back-end systems, such as
CICS, IMS, and DB2. Connectivity to the back-end systems is addressed
separately.
Logical flow
Data integrity and confidentiality is implied by the fact that the connection is over
CSIv2/SSL. The flow deals mostly with authentication and to some degree
authorization.
J2EE
Client WAS
RACF
1
The J2EE client initiates the communication using the CSIv2 protocol. By default,
SSL ports for Common Secure Interoperability Version 2 are dynamically
generated. The WAS port being used is a secured ORB port.
1. Once the SSL handshake is complete, the J2EE client sends the internal IIOP
(GIOP) request to WAS with security information added to the GIOP header.
2. WAS receives the IIOP (GIOP) request, retrieves the security information,
and queries RACF to authenticate the client.
3. RACF checks the database to verify that the client is valid and known, and
replies to WAS.
4. WAS receives a positive or negative response for the authentication and, if
the response from RACF is positive, queries RACF again to verify that the
client is authorized to execute the code.
5. RACF checks its profiles to see whether the client is authorized to access and
execute the requested method and replies to WAS with positive or negative.
6. WAS receives the response from RACF and, if the reply is yes, the method is
executed and the reply is sent back to the client with the results.
Note that all communication between WAS (servlet, EJB) and RACF is internal
via interprocess communication.
42 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Configuration tasks
Here we provide a list of tasks that need to be done to configure security for this
design. This list may not be complete, but the main task items are as follows:
Add the user ID/password of client to RACF.
Define EJBROLES in RACF to enable application authorization.
Enable CSIv2 (inbound/outbound) via the WebSphere administrative console
on z/OS.
CSIv2 is considered enabled on the client with the existence of the
com.ibm.CORBA.ConfigURL Java property. If the property is not specified or
the property does not exist, CSIv2 is not enabled.
References
Refer to:
IBM Redbooks Technote: Configuration of WebSphere Application Server
Security, TIPS0206, at:
http://www.System Authorization
Facilitys.ibm.com/abstracts/TIPS0206.html?Open
IBM Education Assistant at:
http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/index.jsp?
topic=/com.ibm.iea.doc/welcome.htm&tab=search&searchWord=csiv2&maxHi
ts=50
WebSphere Application Server on z/OS and Security Integration, REDP-4161
This is the most commonly used J2EE application connectivity, where two J2EE
servers talk to each other over a secure connection using CSIv2.
The integrity and confidentiality of data aspect of the security has been taken
care of by CSIv2 internally and there is no need to describe it.
z/OS
CICS
Identity IMS
J2EE assertion WebSphere
Server CSIv2 Application Server
Client RMI/IIOP
Authorization
DB2
Authentication Native
LDAP RACF
Authentication
For each request made by a client ORB to a server ORB, an associated reply is
made by the server ORB back to the client ORB. Prior to any request flowing, a
connection between the client ORB and the server ORB must be established
over secured TCP/IP transport (SSL is a secure version of TCP/IP).
An identity assertion is a way for one server to trust another server without the
need to re-authenticate or re-validate the originating client. In this case, WAS for
44 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
z/OS is the server configured as the identity asserting server. The server being
trusted is the J2EE server.
Also note that this design does not cover back-end systems such as CICS, IMS,
and DB2. Connectivity to the back-end systems is addressed separately.
Logical flow
The numbers shown in Figure 2-10 represent security actions taken at each step
during a connection setup process.
1. Initially, the client requests that it wants to access an object that resides on
WAS for z/OS. Then the client starts its connection request via HTTP or IIOP.
The connection is secured if SSL is enabled.
J2EE z/OS
Client Server LDAP WAS RACF
1
2
3
4
5
6
7
8
9
10
2. The J2EE server receives the client request and binds to LDAP to see
whether the client can be authenticated. The binding to LDAP is over a secure
connection using SSL.
3. LDAP, which is connected to RACF via SDBM, then queries RACF to see
whether the client can be authenticated.
4. RACF checks its database profiles to verify that the client in question has a
UID/GID defined for him and replies back to LDAP with the results of the client
being authenticated or rejected.
5. LDAP looks at the response from RACF and if the client cannot be
authenticated, it sends a negative response back to the J2EE server. If the
response is positive, then connection continues.
Configuration tasks
Here we provide the list of tasks that need to be done to configure security for
this design. This list may not be complete, but the main task items are as follows:
Add the user ID/password of the client to RACF.
Define EJBROLES in RACF to enable application authorization.
Enable CSIv2 (inbound/outbound) via the admin console on z/OS.
Enable identity assertion via the WebSphere administrative console on z/OS.
References
Refer to:
IBM Redbooks Technote: Configuration of WebSphere Application Server
Security, TIPS0206, at:
http://www.System Authorization
Facilitys.ibm.com/abstracts/TIPS0206.html?Open
IBM Education Assistant at:
http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/index.jsp?
topic=/com.ibm.iea.doc/welcome.htm&tab=search&searchWord=csiv2&max
Hits=50
The demand to do more business online has forced companies to find ways to
integrate their back-end systems such as CICS, IMS, and DB2 to the Internet. To
integrate the back-end system to the Internet, one of the available solutions is to
use J2C connectors. But with the J2C security architecture integrated with the
46 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
back-end rigid security system, accessing applications running on these systems
may not be trivial.
Log in to any of the back-end systems via the Internet t requires the user provide
to his user ID/password several times. The requirement to re-authenticate a user
is repetitive to some clients. In addition, it is not efficient to use many login
passwords to access a single application in a system. The requirement to
re-authenticate users must be minimized to a single sign-on, or at the most two
sign-ons.
The Java Connector Architecture (JCA) 1.5 has enhanced its connection factory
specification to use JAAS for customizing principal login capability. This
enhanced custom mapping capability allows users accessing the back-end
system through the connectors to not have to resubmit their user ID/password
information.
Description
Figure 2-11 to shows J2C custom principal mapping.
SAF user ID /
password
z/OS z/OS
WebSphere
TAM sso Application Server
WebSEAL JCA CTG CICS
Web Client Mapping
Module
Authentication Authorization
RACF
Authentication TAM
LDAP Policy
Server
Note also that the CICS Transaction Gateway (CTG) and CICS reside in a
separate z/OS system, and there is a big difference between the CTG being local
to WAS or remote. We cover the difference later in the flow.
The EIS security domain user ID and password are defined under each
connection factory by an authDataAlias attribute. The authDataAlias attribute
does not contain the user name and password. This attribute contains an alias
that refers to a user name and password pair that is defined elsewhere.
The Tivoli Access Manager principal mapping module uses the authDataAlias
attribute to determine the GSO resource name and the user name that is
required to perform the lookup on the Tivoli Access Manager GSO database.
The Tivoli Access Manager Policy Server retrieves the GSO data from the user
registry.
Tivoli Access Manager stores authentication information about the Tivoli Access
Manager GSO database against a resource and user name pair.
48 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Logical flow
The logical shown in Figure 2-12 describes the steps taken at each stage during
end-to-end communication with an enterprise information systems (EIS), in this
case CICS. The flow is very high level but can be useful for indentifying the key
areas when considering securing an application that communicates with an EIS,
namely CICS and IMS.
J2C
WAS Principal TAM Policy
TAM (sso, TAI) Mapping server CTG CICS RACF
Client LDAP
WebSeal Module
1
2
3
4
5
8
9
10
11
12
13
14
15
16
Figure 2-12 Scenario 5 - J2C custom principal mapping authentication - logical flow
Configuration tasks
To enable the J2C custom principal mapping scenario, at least the following
configurations are required:
CTG configuration
J2C adapter resource configuration
TAM configuration
JAAS login module
References
The following resources are helpful in enabling J2EE connectors and the Tivoli
Access Manager implementation:
WebSphere for z/OS V6 Connectivity Handbook, SG24-7064
WebSphere Application Server V6.1 InfoCenter
Security with IBM Tivoli Access Manager V6 and IBM WebSphere Application
Server V6 on IBM z/OS, REDP-4205
50 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
2.5.6 Scenario 6 - Web services authentication
Web services is being touted to be the next Web communication protocol. It uses
the service-oriented architecture model where one partner is the service
consumer and the other one is the service provider. Web services uses SOAP for
its communication, and SOAP is carried over by either HTTP or JMS.
z/OS
Web Service
HTTP(s) WebSphere
WAS ID assertion
Application
Distributed SOAP/HTTP Server
Web
Client
Authentication
Authentication
LDAP
The user name and password information is stored in the SOAP message
header as a username Token. When the username token is received by the Web
service provider, the user name and password are extracted from the username
token and are verified. Only when both user name and password are valid is the
message accepted and processed at the server.
Using the username token is just one of the ways of implementing authentication.
This mechanism is also known as basic authentication. Other forms of
authentication are digital signature, ID assertion, LTPA, and custom tokens.
WAS z/OS
Client Distributed LDAP WAS RA
1
2
3
4
5
6
7
8
Configuration tasks
Web services message security configuration is described in Chapter 6, “Web
services message layer security” on page 107.
52 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
References
Refer to WebSphere Version 6 Web Services Handbook Development and
Deployment, SG24-6461.
It would be efficient to run the queue managers on z/OS and the clients running
WMQ on a different machine. In this case the application doing the MQI calls is a
WMQ client, and there are benefits in doing that. The benefits can be:
There is no need for a full WebSphere MQ implementation on the client
machine.
System administration requirements are reduced.
A WebSphere MQ application running on the client machine can connect to
multiple queue managers on different systems.
Alternative channels using different transmission protocols can be used.
z/OS
When a JMS listener port passes on a message with a JMS or MQ format header
to the MDB asynchronous processor, there is no password provided in the
message header and there is no trust relationship established.
After receiving the message from the listener port, the MDB analyzes the
message and calls an EJB (stateless session bean), which runs under a system
user. When the EJB is called, it might be desirable to run it under a user ID
different from this system user ID in order to use standard J2EE role-based
security at the user level, and eventually propagate the user ID downstream.
If you have this requirement, you can have the EJB run under a meaningful user
ID by performing a JAAS login, with the JMSX user ID. This way the EJB can be
scheduled with this user ID, and the user information from the MQ message can
be propagated further.
54 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
permits should reflect the identities related to the work being done after a
message has been processed by an MDB.
Logical flow
By default, WMQ does not provide secure access when using client mode (see
JMS transport security part 1 and 2 at developerWorks®), which communicates
over TCP/IP. So, the client mode is unsecure unless SSL is configured and the
JMS port is secured.
Application Server
WMQ 1
Client MDB EJB CICS RACF
1
2
3
4
5
7
8
Figure 2-16 Scenario 7 - WMQ client authentication and authorization - logical flow
Reference
Refer to:
WebSphere MQ Security, SC34-6588
WebSphere MQ Clients, GC34-6590
IBM WebSphere Developer Technical Journal: Securing connections
between WebSphere Application Server and WebSphere MQ -- Part 1 at:
http://www-128.ibm.com/developerworks/websphere/techjournal/0601_rat
nasinghe/0601_ratnasinghe.html
Externalizing authorization can be cost effective, but at the same time it can be
costly in terms of authorization response time. It can also introduce additional
complexity, when multiple registries (on z/OS and on distributed) are being used
and have to be kept in-sync. We cannot say that externalizing authorization is
good for everyone. It depends on the end-to-end configuration of the systems
that require user authorization.
Description
Java Contract for Containers (JACC) support allows the use of third-party
authorization providers for access decisions. The default JACC provider for WAS
56 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
is the Tivoli Access Manager. Tivoli Access Manager client functions are
integrated in WAS.
The configuration shown in Figure 2-17 has an external authorization server that
has access to WAS on z/OS.
z/OS
HTTP(s) WebSphere
HTTP(s) HTTP(s) Web
RPSS Application
Server SSO
Web Client Server
First the authentication is done through propagation of the client user ID using
two possible mechanisms: LTPA tokens or the Trust Association Interceptor,
which both provide single sign-on capability. Then WAS communicates with the
external authorization server to verify that the user has been authorized to
access the requested object.
Configuration tasks
To configure an external authorization server, use the WAS admin console:
1. Select Secure administration, applications, and infrastructure →
External authorization providers.
2. Then select External authorization using a JACC provider.
3. Select Secure administration, applications, and infrastructure →
External authorization providers → Tivoli Access Manager.
4. Fill out the general properties and Tivoli Access Manager properties. The
general properties are:
– Name (This is the name of the external authorization server name.)
– Policy class name
– Policy configuration factory class name
– Role configuration factory class name
– Provider initialization class name
JAAS has been defined in many books in many ways, but in the simplest terms
JAAS is pluggable code used by WAS to authenticate and authorize users. In
fact, JAAS means a user exit.
This configuration describes a scenario where two existing security domains that
operate in two different platforms can be consolidated.
58 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Description
Bridging, as defined in networking, is to join two or more different network
platforms so that there is communication between users residing in either side of
network. The distributed world and the z/OS world are two different platforms,
and JAAS can be used for securing communication between them.
z/OS
LDAP RACF
References
Refer to IBM WebSphere Application Server V6.1 Security Handbook,
SG24-6316.
60 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
The objective of this scenario is to describe the benefits of running an LDAP with
SDBM. See Figure 2-19.
z/OS
WebSphere
HTTP(s) Web HTTP(s)
Application
Server
Web Server
Client
Authorization
Authentication
z/OS SDBM
RACF
LDAP
Authentication
WAS distributed
Web
Client
Figure 2-19 Scenario 10 - centralized z/OS LDAP user registry
The Lightweight Directory Access Protocol is an open industry standard that has
evolved to meet these needs. LDAP defines a standard method for accessing
and updating information in a directory. LDAP has gained wide acceptance as
the directory access method of the Internet.
62 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
3
Depending upon the option that you select, WebSphere Application Server can
retain the authentication data for future use. This adds flexibility to the handling
of authentication for Web applications:
To allow failed certificate authentication to fall back to basic authentication
(user ID/password challenge).
To allow the retention of an authenticated identity and make it available to
Web applications running under an unprotected URI. Without this capability,
64 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
such Web applications would not be able to use getRemoteUser(),
isUserInRole(), or getUserPrincipal().
The following options exist to change the behavior of Web authentication when
accessing a URI:
Authenticate only when the URI is protected.
This is a default option, and is the same as in the previous version of
WebSphere. The Web client can retrieve an authenticated identity only when
it accesses a protected URI. WebSphere Application Server challenges the
The following options are available for Web authentication enhanced control:
Use available authentication data when an unprotected URI is accessed.
The Web client is authorized to call the getRemoteUser, isUserInRole, and
getUserPrincipal methods. It retrieves an authenticated identity from either a
protected or an unprotected URI. Although the authentication data is not used
when you access an unprotected URI, the authentication data is retained for
future use. This option is available when you select the “Authenticate only
when the URI is protected” check box.
Default to basic authentication when certificate authentication for the HTTPS
client fails.
The WebSphere Application Server challenges the Web client for a user ID
and password when the required HTTPS client certificate authentication fails.
66 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Figure 3-3 Web authentication enhanced control
68 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Figure 3-5 shows that a new property has been added.
You can override the general settings of Web security by specifying a system
property on the server level.
72 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
addition, transport settings that guarantee integrity or confidentiality are also not
in effect, and the application can be accessed from a non-SSL port.
For enterprise bean resources, when application security is disabled, the client
Common Secure Interoperability Version 2 (CSIv2) code ignores the CSIv2
security tags for objects that are unknown system objects. When pure clients see
that application security is disabled, these clients prompt for naming lookups, but
do not prompt for enterprise bean operations.
74 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
5
This chapter focuses on presenting Web services security concepts, whereas the
following two chapters focus on the practical implementation of these concepts in
WebSphere Application Server for z/OS.
WebSphere Application Server for z/OS is a central component in an SOA for the
following purposes:
SOA-enable, extend, and reuse existing mainframe assets.
Execute business critical services requiring the highest quality of service.
Connect and integrate services or composite applications across disparate
information systems.
WebSphere Application Server for z/OS is also the foundation of strong SOA
building blocks such as WebSphere ESB for z/OS (Enterprise Service Bus) and
WebSphere Process Server for z/OS. WebSphere ESB for z/OS provides a
flexible connectivity infrastructure for integrating services. WebSphere Process
Server for z/OS forms processes and orchestrates services.
Web services is the most common technology standard used to implement SOA.
However, it is not the only technology one can use to develop the parts of an
SOA. Many SOAs involve the integration of legacy data, which is contained in
systems that use technology such as MQSeries and CORBA. However, Web
services is rapidly becoming the de facto standard used to support SOA.
76 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
5.2 Web services security exposures
Generally, an end-to-end security solution addresses the security issues found
along the path of a request from an end client to a target service, including any
intermediary services that route, or participate in, the service request.
Because TLS establishes security context that is meaningful only to the two
physical endpoints of a connection, it does not fully meet typical Web services
end-to-end security requirements. For example, an HTTP connection can be
protected by SSL/TLS. However, the security context resulting from the partners’
mutual authentication, and the negotiation of cryptographic parameters, cannot
be propagated from the user to the final service if intermediary services or
gateways have to be traversed.
On the other hand, the WS-Security specifications allow for the propagation of
security context, using SOAP messages.
78 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Figure 5-2 illustrates the differences between message and transport layer
security.
In the two following sections, we provide general guidelines to help decide what
type of security solution to implement.
80 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
The Web service client or provider does not support the WS-Security
specification.
A trust relationship needs to be created between two parties. This is
particularly useful to build up the trust relationship for identity assertion. In
that case, identity assertion occurs at the message layer and the trust
relationship occurs at the transport layer.
Transport layer security can be used with or without message layer security.
WS-Security defines a set of extensions to the SOAP standards, which are used
to:
Provide message integrity and confidentiality for SOAP messages.
Associate a security token to a SOAP message.
Provide for the propagation of a security context.
82 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
WS-Trust
This describes a framework for trust models that enable Web services to
securely interoperate.
WS-Privacy
This describes a model for how Web service providers and requestors state
privacy preferences and organizational privacy practice statements.
WS-Secure Conversation
This describes how to manage and authenticate message exchanges
between parties, including security context exchange and establishing and
deriving session keys.
WS-Federation
This describes how to manage and broker the trust relationships in a
heterogeneous federated environment, including support for federated
identities.
WS-Authorization
This describes how to manage authorization data and authorization policies.
There are other token profiles that OASIS is currently working on: Web Services
Security: SAML Token Profile, Web Services Security: Rights Expression®
The support of the April 2002 specification is provided in WebSphere 5.0.2 and
5.1. WebSphere Application Server Versions 6.0 and 6.1 support the
WS-Security 1.0 specification and two profiles (UserName-Token 1.0, x.509
Token 1.0).
For more details about what precisely is supported with WebSphere Application
Server for z/OS, refer to the InfoCenter:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/
com.ibm.websphere.zseries.doc/info/zseries/ae/cwbs_supportfunction.html
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/
com.ibm.websphere.zseries.doc/info/zseries/ae/cwbs_welcwebsvcsec.html
WS-I Basic Security Profile (BSP) v1.0 is a working group draft that consists of a
set of non-proprietary Web services specifications that clarifies and amplifies
those specifications to promote Web services security interoperability across
different vendor implementations.
84 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
5.4.5 WS-Security high-level architecture
Figure 5-4 shows the WS-Security high-level architecture of how WebSphere
applies WS-Security information to the SOAP message.
The security constraints of the request sender and the request receiver must
match. Also, the security constraints of the response sender and response
Authentication
Web services security provides a general-purpose mechanism to associate
security tokens with messages for single message authentication. A specific type
of security token is not required by Web services security. Web services security
is designed to be extensible and support multiple security token formats to
accommodate a variety of authentication mechanisms.
86 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Integrity
Integrity is applied to a message to ensure that no one modifies the message
while it is in transit. Essentially, integrity is provided by generating an XML digital
signature on a part of the SOAP message. If the message data changes, the
signature would no longer be valid.
The use of XML digital signatures also provides authentication, because a valid
signature implies proof of possession of a private key. A message with a digital
signature contains the digital certificate of the signer, and therefore the signer’s
name and bound public key are validated by a trusted certificate authority. The
trustworthiness of the signature is then a transitive trust process. The trusted
certification authority vouches for the public key value used to verify the
signature.
88 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
2. In the second step, the digest code is encrypted with the sender's private key.
This two-step process creates the digital signature. The digital signature is
appended to the SOAP message before being sent to the service provider.
When the service provider receives the message, it follows these steps to verify
the signature:
1. It recomputes the digest code for the message.
2. It decrypts the signature by using the sender's public key. This decryption
yields the original digest code for the message.
3. It compares the original and recomputed digest codes. If these codes match,
the message is both intact and authentic. If not, something has changed and
the message is not to be trusted.
The receiver normally obtains the sender’s public key from the sender’s X.509
certificate, which is sent as a security token in the SOAP message.
6.3, “Integrity with XML digital signature” on page 131 describes in detail how to
configure WS-Security integrity with WebSphere Application Server for z/OS.
Confidentiality
Confidentiality is the process in which a SOAP message is protected so that only
authorized recipients can read the SOAP message. Confidentiality is provided by
encrypting the contents of the SOAP message using XML encryption. If the
SOAP message is encrypted, only a service that knows the key for confidentiality
can decrypt and read the message.
The XML encryption standard specifies a process for encrypting data and
representing the result in XML. XML encryption can be used to encrypt any part
of a SOAP message, normally sensitive data such as bank account numbers or
user credentials. The result of encrypting data is an XML encryption element that
contains or references the cipher data.
6.4, “Confidentiality with XML encryption” on page 164 describes in detail how to
configure WS-Security confidentiality with WebSphere Application Server for
z/OS.
Section 6.5, “Identity assertion” on page 192, describes in detail how to configure
WS-Security identity assertion with WebSphere Application Server for z/OS.
90 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Secure Sockets Layer (SSL) is a cryptographic protocol to provide secure
communication over the Internet. SSL makes use of symetric or assymetric
key encryption, and can provide client certificate authentication (mutual
authentication).
Hyptertext Transfer protocol over SSL (HTTPS) is a combination of HTTP
communication over an encrypted SSL connection.
Java Message Service (JMS) is a set of standard APIs for accessing
enterprise messaging systems using Java programs. JMS supports the
publish/subscribe and point-to-point messaging, and is included in the J2EE
specification.
Remote Method Invocation over Internet Inter-ORB Protocol (RMI-IIOP) is
the use of Java Remote Method Invocation (RMI) interfaces over the IIOP
(CORBA) protocol. This is used for remote EJB calls, for example.
Java API for XML based Remote Procedure Call (JAX-RPC) is a
transport-neutral process for performing XML-based remote procedure calls
using SOAP.
There are certain advantages to using SOAP over HTTP for Web services. The
HTTP protocol is widely used in most Internet communication on various
platforms. SOAP over HTTP can be implemented in different programming
languages, allowing Web services to be portable and interoperable across
platforms. In J2EE, support for SOAP over HTTP has been standardized with the
The benefit of using SOAP over JMS as a transport is that you inherit the quality
of service that is associated with JMS messaging. For example, JMS guarantees
message delivery through persistent messages and acknowledgements, and it
provides transaction support. If a message client or receiver experiences an
outage, the message will remain in the client or receiver queue until both parties
are available to transfer messages again. The message that could not be sent
when the outage occurred can be retrieved from persistent storage and resent
until transmission is successful.
JMS also scales well with large volumes of messages, and supports
asynchronous communication. Depending on your messaging provider, JMS can
service numerous messaging clients concurrently.
There are some drawbacks to using SOAP over JMS. There is no standard on
how to implement SOAP over JMS, and it can pose interoperability issues when
trying to communicate across platforms or programming languages. SOAP over
JMS requires a messaging engine for communication, and additional setup on
both the client and server to make use of the messaging engine. The client may
not have access to a messaging engine or messaging APIs, and the need for a
message engine to be set up may be excessive for simple client SOAP
communication. JMS does not provide an API for controlling the privacy and
integrity of messages, thus leaving the responsibility of this security to the JMS
provider.
The advantage of using RMI/IIOP with the JAX-RPC protocol instead of a SOAP
with JAX-RPC protocol is that XML processing is not required to send and
92 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
receive messages. Java serialization and deserialization are used instead. This
can lead to better performance since the EJB Web service is invoked directly
rather than having the overhead of sending a SOAP message over HTTP to a
Web service router that then invokes an EJB. The JAX-RPC client using
RMI/IIOP can also participate in a user transaction, which is not possible with
SOAP over HTTP.
We choose to focus on the security aspects of the SOAP over HTTP protocol in
Chapter 8, “Web services transport security” on page 245 based on many of the
points highlighted here.
Authentication
Web services support builds on top of existing J2EE infrastructure. Currently,
there are two forms of authentication available for use with Web services: basic
Authentication (BA) and client certificate authentication.
For Web services transport layer security, basic authentication information (user
ID and password) is provided by the client programmatically or using WebSphere
client bindings, and is passed in the HTTP header of the request that carries the
SOAP message. The application server extracts the basic authentication
information from the header and authenticates the user ID to a user registry. The
application server uses the authentication information to authorize the user to
application components or resources.
94 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
For example, a stock company may want to send an up-to-the-minute stock price
to a client so that the client can decide whether to buy, hold, or sell. The stock
company does not care whether others can see the stock price, but the client
would be concerned if the data was not accurate, as it might affect his
purchasing decision.
Confidentiality ensures that the data sent from the client and received by the
server cannot be viewed. Privacy is maintained by encrypting the data prior to
transmission and decrypting the data on the receiving end.
Integrity and confidentiality are provided through the use of SSL over HTTP, also
known as HTTP(S). Web services makes use of a secure transport by sending
SOAP messages over HTTPS utilizing the security features of the transport.
SSL Flow
Figure 5-6 illustrates the message flow for a full SSL handshake. The steps are
listed to explain what occurs in the process. The SSL flow is provided to show
where the certificates are needed for establishing an SSL handshake and
providing client certificate authentication (mutual authentication).
96 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
10.The client sends the finished command. This command includes a digest of
all the SSL handshake commands that have flowed between the client and
the server up to this point. This command is sent to validate that none of the
commands sent previously, which flow between the client and the server
unencrypted, were altered in flight.
11.The change cipher spec message is sent by the server to notify the client that
subsequent records will be protected under the newly negotiated CipherSpec
and keys.
12.The server sends the finished command, which includes a digest of all the
SSL handshake commands that have flowed between the server and the
client up to this point. This is also used to validate the integrity of the
commands sent previously.
Subsequent requests are done using symetric keys, which are less
computationally intensive.
Securing the TCP/IP transport that JMS messages flow across may not be
sufficient, and a more desirable JMS application-level of protection may be
needed. An alternate end-to-end security mechanism is available using
WebSphere MQ Extended Security Edition, which secures JMS messages by
signing each message with a private key associated with the sending application,
and encrypting individual messages under unique keys.
98 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
5.6.1 SecurityInfo J2EE architecture in our environment
A Web request is initiated by a client browser to the SecurityCaller index.html
page. The page presents a link to the SecurityCaller ClientServlet that, when
clicked, invokes the local SecurityCallerEJB. The SecurityCallerEJB performs the
JAX-RPC Web service call using SOAP over HTTP to the Web service enabled
SecurityInfoEJB. The Web service enabled SecurityInfoEJB has a Web service
router SecurityInfoRouterWS for receiving a SOAP request and routing the call to
the SecurityInfoEJB. A response is sent back to the client Web page showing
assorted information about the local and remote EJBs.
Figure 5-7 illustrates a typical flow of the SecurityInfo Web service by the
SecurityInfoCaller.
The SecurityInfo EJB has been Web service enabled through a router module
SecurityInfoRouterWS that is generated by the Rational® Application Developer
tooling. The router module Web application provides a Web service endpoint for
receiving requests over HTTP.
J2RE 1.5.0 IBM J9 2.3 Windows XP J2RE 1.5.0 IBM z/OS build
x86-32 j9vmwi3223-20060504 pmz31devifx-20060727a
100 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
the Web service, the WebSphere bindings are sufficient for overriding the service
endpoint URI in the sample scenarios. The actual call to the Web service is
performed by doing a lookup on the service reference
java:comp/env/service/SecurityInfoService, which is coded in the
SecurityCallerEJB deployment descriptor. The remote Web service method
obtainSecurityInfo is called to obtain the SecurityCallEJB information.
Example 5-1 contains the source for the actual Web service invocation.
For the scenario role customer is used for the identity assertion. The purpose of
this role is to secure part of the application so that a user can authenticate. The
user identity can then be propogated with identity assertion.
102 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Deployment of SecurityInfo ear file on z/OS
The SecurityInfo ear file can be deployed to WebSphere for z/OS, leaving the
default settings. Additional steps need to be taken after deployment to configure
the client bindings or setup of a role in RACF depending on how your
WebSphere is configured for authorization.
If the external authorization provider is set to default authorization, then the users
permitted to the role should be set to All Authenticated in the application client
bindings. Select Enterprise Applications → SecurityInfoEAR → Manage
Modules → SecurityInfoRouterWS.war → Security role to user/group
mapping. See Figure 5-10.
104 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
The SecuredClientServlet link is used in 6.5, “Identity assertion” on page 192 so
that the user can authenticate. See Figure 5-12.
Here we discuss about how to configure Web services message layer security
for different purposes such as authentication, integrity, confidentiality, and
identity assertion.
108 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
After configuring WS-Security, security tags are added to the SOAP message
security header. As illustrated in Figure 6-1, the security header may possess
security tokens, time stamps, signatures, keys, encrypted data, and so on. The
SOAP body might be encrypted. With WS-Security, encryption can be applied to
parts of the SOAP message only.
This chapter shows some sample SOAP messages with various security
techniques applied in the validation sections.
In this chapter we show how to configure Web services security at the application
level.
The format of the deployment descriptor and the binding file is IBM proprietary
and is not available. However, WebSphere Application Server provides the
following tools that you can use to edit the deployment descriptor and the binding
file:
Rational Application Developer (RAD)
Use RAD to develop Web services and configure the deployment descriptor
and the binding file for Web services security. RAD enables you to assemble
both Web and EJB modules.
Application Server Toolkit v6.1 (AST)
Use AST as an assembly tool designer for WebSphere Application Server
Version 6.0.x and later, to specify the deployment descriptor and the binding
file for Web services security. It is not possible to develop Web services with
the AST.
WebSphere Application Server Administrative console
It is possible to use the administrative console to configure the Web services
security binding of a deployed application with Web services security
constraints that are defined in the deployment descriptor.
In this chapter we show how to configure Web services security using RAD or
AST, as the panels are the same for the deployment descriptors we configured.
Important: The format of the deployment descriptor and the binding file for
Web services security in WAS Version 6.0.x and later is different from WAS
Versions 5.0.2, 5.1, and 5.1.1. Web services security support in WAS versions
5.0.2, 5.1, and 5.1.1 is based on the Web services security draft 13
specification and the username token draft 2 profile. But this support is
deprecated. However, applications that you configured using the Web service
security Versions 5.0.2, 5.1, and 5.1.1 deployment descriptor and binding file
can work with WebSphere Application Server Version 6 and later.
110 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
configuration files, which are the application-level deployment descriptor
extensions and bindings for a client and a server. See Figure 6-2.
The deployment descriptor extension files specify what security constraints are
required, for example, what type of security token and whether to sign the
message. The binding files specify how to apply the required security constraints
defined in the deployment descriptor extension, for example, which security
token is inserted and which keys are used for signing.
These files are updated using the tooling when configuring the J2EE module
deployment descriptor, as follows:
On the Web service provider side (server), open the webservices.xml file.
On the Web service client side, open the deployment descriptor relevant to
the J2EE module you configure:
– For a Web client (servlet, JSP, JavaBean), edit the web.xml file.
– For an EJB client (a session bean accessing a Web service), edit the
ejb-jar.xml file.
– For a J2EE application client, edit the application-client.xml file.
112 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
For each of these files, the tooling offers two tabs for WS-Security configuration:
WS Extension (or Extension) for configuring what security measures to apply
(This tab updates the Web services extension deployment descriptor in the
background.)
WS Binding (or Binding Configurations) for configuring how to apply the
security measures (This tab updates the Web services bindings deployment
descriptor in the background.)
Figure 6-3 shows the Application Server Toolkit v6.1 display including the
Extension and the Binding Configurations tabs. In this example the
webservices.xml file has been opened for configuration on the server side.
For authentication purposes, only the request generator and the request
consumer might need some security configuration. But, for integrity and
confidentiality, generally both the request and the response have these
Token generator
The token generator inserts a security token (username or binary) in the SOAP
request. The token generator needs to know the type of token, where to find the
token value, and how to secure the token value in order to generate the token
consequently.
CallbackHandler
The CallbackHandler retrieves security-related information from the security
context. As an example, for a Web service request reaching the Web service
provider, the CallbackHandler may acquire the security token that is inserted in
the Web services security header within the SOAP message. The token
acquisition is a pluggable framework that leverages the JAAS
javax.security.auth.callback.CallbackHandler interface for acquiring the security
token.
Caller part
On the Web service provider side, the caller part specifies the security token,
signed part, or encrypted part used for authentication. This configuration explains
where to find the authentication credentials within the incoming SOAP message.
If a signed or encrypted part is used, the value of the part attribute must be the
name of a defined required integrity or required confidentiality constraint. If a
stand-alone security token is used for authentication, then the URI and local
name attributes must define the type of security token used for authentication.
Key locator
The key locator information for the generator specifies which key locator
implementation is used to locate the key to be used for signature validation or
encryption.
Key information
The key information is used to specify the configuration needed to generate the
key for digital signature and encryption. The signing information and the
114 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
encryption information configurations can share the key information, so they are
both defined at the same level.
Trust anchor
A trust anchor specifies key stores that contain trusted root certificates, which
validate the signer certificate. These key stores are used by the request
generator and the response generator (when acting as a client) to generate the
signer certificate for the digital signature.
Nonce
Nonce is a randomly generated, cryptographic token that is used to prevent
replay attacks. Although nonce can be inserted anywhere in the SOAP message,
it is typically inserted in the UsernameToken element.
Without nonce, when a user name token is passed from one machine to another
machine using a nonsecure transport, such as HTTP, the token might be
intercepted and used in a replay attack. The same password might be reused
when the user name token is transmitted between the client and the server,
which leaves it vulnerable to attack. The user name token can be stolen even if
you use an XML digital signature and XML encryption.
Time stamp
A time stamp can be attached in the target element of the signature and
encryption to put a lifetime on the signed and encrypted element. If the time
stamp is specified when an element is signed, a time stamp is attached to the
target element, and the target element with the time stamp is signed. Because
this is an extension of WebSphere Application Server 6.1, other vendor
implementations might not be able to consume the message generated with the
additional time stamp inserted in the message.
A specific type of security token is not required by Web services security. Web
services security is designed to be extensible and support multiple security token
formats to accommodate a variety of authentication mechanisms. For example, a
client might provide proof of identity and proof of a particular business
certification. However, the security token usage for Web services security is
defined in separate profiles such as the username token profile, the X.509 token
profile, the Security Assertion Markup Language (SAML) token profile, the
eXtensible rights Markup Language (XrML) token profile, the Kerberos token
profile, and so on.
Username token
A username token is a token mainly for basic authentication, which has a user
name and password. The username token profile 1.0 is published by OASIS, and
WS-Security in WebSphere Application Server 6.1 supports the profile.
116 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Custom token
A user can implement a custom token using a pluggable token architecture
provided by WebSphere Application Server 6.1. To implement a custom token,
WebSphere provides interfaces that must be implemented
(TokenGeneratorComponent, CallbackHandler, TokenConsumerComponent,
LoginModule).
On the Web service client side, the user does not provide any credentials to the
application. Hence, the principal of the client EJB is unauthenticated. This client
On the Web service provider side (WebSphere for z/OS), the Web service
request consumer receives the security token and uses a JAAS login module to
authenticate the user name and password and set the principal. The EJB runs
with a WINSERV principal.
Authentication occurs only when sending the request. Hence, there is no security
mechanism when receiving the response.
118 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
UsernameTokenConsumer, is provided by the Web services security run time
as a default implementation.
120 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
d. Expand the Token Generator section and click Add.
Configure the Token Generator dialog () Figure 6-6:
a. Enter Token generator name such as BasicAuthTokenGen.
b. Select a token generator class or input your custom token generator class
name manually. You have to select a corresponding token generator class
122 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
If you specified a key store, add the key. You can specify which key is
used. Enter the alias of the key, the key pass (password to get the key
from key store file), and the key name.
h. If you have to specify the properties of the callback handler or token
generator, add a call back handler property or a property.
If you specify a token generator for a list of X.509 certificates and CRLs in
a PKCS#7, select Use certificate path settings and select the
Certificate path reference. If you select Certificate path reference, you
can select the certificate store from the drop down-list. Select one
collection certificate store name from the list, which is packed in PKCS#7.
i. Click OK and a token generator is created.
3. Save the configuration.
6.2.5 Configuring the z/OS Web service provider for security token
To configure the Web service provider for security token:
b. Select a token type from the drop-down list, matching the client
specification. If a client’s security token is the username token, you should
select Username token as the token type. The URI and local name are
filled in automatically except when using a custom token.
c. Select the usage type from the drop-down list. The available choices are
required or optional. If you select required, a SOAP fault is thrown if a
required security token is not included in a client’s request message. If you
select optional, the process of consuming a request message continues
without throwing a SOAP fault.
Click OK.
124 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
2. Configure the caller part.
Expand Caller Part under Request Consumer Service Configuration Details
and click Add.
Configure the Caller Part Dialog (Figure 6-8):
a. Enter a name for the caller part, such as BasicAuthCallerPart.
126 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
– Expand Token Consumer and click Add.
Configure the Token Consumer Dialog (Figure 6-9):
i. Enter a token consumer name such as BasicAuthTokenConsumer.
128 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
ix. Click OK and a token consumer is created.
4. Save the configuration.
The application displays the Principal on Web service client side and also on the
Web service provider side. See Figure 6-10.
The display shows that the user did not authenticate, as the principal on the Web
service client side is unauthenticated.
The display shows that the Web services client sent a username security token
and authenticated, as the principal on the Web service provider side is
WINSERV.
The Web service provider log confirms that the Web service has been called,
run, and that the Principal is WINSERV, as shown in Example 6-2.
We use the Ethereal software to see messages flowing between the Web service
client and the provider. The Ethereal output shows that the Web service request
includes the security token with the <wsse:Username> and <wsse:Password>
tags. See Example 6-3.
130 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header><wsse:Security soapenv:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss
ecurity-secext-1.0.xsd">
<wsse:UsernameToken><wsse:Username>WINSERV</wsse:Username><wsse:Passwor
d
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-
token-profile-1.0#PasswordText">WINSERV</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body><p98:obtainSecurityInfo
xmlns:p98="http://itso.ibm.com"><input>ITSO136</input></p98:obtainSecur
ityInfo></soapenv:Body></soapenv:Envelope>
All this validates that authentication of the Web service client occurs at the Web
service provider level using WS-Security.
A signature is created using the sender private key. Unauthorized sniffers do not
have this key. When the receiver gets the message, it also creates a signature
using the message content. Only if the two signatures match does the receiver
honor the message. If the signatures are different, a SOAP fault is returned to the
sender.
This section describes how WS-Security supports integrity, explains our integrity
scenario, gives an overview of how to configure integrity, and thoroughly
describes the steps to configure this scenario.
The specification for XML Signatures can be found at the following URL:
http://www.w3c.org/Signature
132 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
On the Web service client side, the user does not provide any credential to the
application. Hence, the principal of the client EJB is unauthenticated. This client
EJB makes a Web service call. The Web service request generator signs the
body part of the SOAP message with the Web service client private key. The
Web service request generator also includes its own public key as a security
token in the SOAP message header.
On the Web service provider side (WebSphere for z/OS), the Web service
request consumer receives the security token and retrieves the client public key.
It uses this client public key to decrypt the signature. It verifies the signature so
that the SOAP message body part has not been changed while flowing. No
identity is being used for authentication. Hence, the EJB runs with an
unauthenticated principal.
For the response, a digital signature is also used to ensure integrity. On the Web
service provider side (WebSphere for z/OS), the response generator side signs
the body part of the SOAP message with the Web service provider private key.
The Web service response generator also includes its own public key as a
security token in the SOAP message header.
On the Web service client side, the Web service response consumer receives
the security token and retrieves the provider public key. It uses this provider
public key to decrypt the signature. It verifies the signature so that the SOAP
message body part has not been changed while flowing.
Client side
To specify integrity for a part of a SOAP message, you have to specify the part
that should be signed and the method of signing in the client’s WS-Security
configuration:
Specify the parts of the message that have to be signed in the request
generator configuration. The message parts can be specified by predefined
keywords or XPath expressions. You can specify multiple parts that require a
signature.
In the most typical integrity example, a security token is inserted into the
SOAP message, which is used for signature verification by the server. In such
an example, a token generator should be specified in the request generator
configuration. The token generator for an X.509 certificate token,
Server side
To specify integrity for a part of a SOAP message, you have to specify the part
that was signed and the way of verifying the signature in the server’s
WS-Security configuration:
Specify the parts of the message that require a signature in the request
consumer configuration. The message parts can be specified by predefined
keywords or XPath expressions. You can specify multiple parts that require a
signature.
In a most typical integrity example, a security token is inserted into the SOAP
message, which will be used for the signature verification by the server. In
such an example, a token consumer should be specified in the request
consumer configuration. This token consumer’s role is to receive the token
and extract the client certificate for signature verification. The token consumer
for an X.509 certificate token, X509TokenConsumer, is provided by the Web
services security run time as a default implementation.
Specify key-related information, which includes the location of the key to be
used (which is in the token in our example).
Specify signing information, which defines how the signature should be
verified. You have to specify some options, such as a signature method
algorithm and key-related information.
If the server sends a response that includes integrity information by the
server, the server also has to be configured to sign the response message in
the response generator configuration.
134 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
6.3.4 Configuring the requestor for request XML digital signature
To configure the Web service requestor for integrity:
1. Configure the Integrity.
Open the SecurityCallerEJB ejb-jar.xml deployment descriptor. Select the WS
Extension tab. In the Port Qualified Name Bindings section, select the
SecurityInfo port. (This is necessary in order to activate the Add button in the
next step.) Expand the Request Generator Configuration section. Expand
the Integrity section and click Add.
Configure the Integrity dialog (Figure 6-12 on page 136):
a. Select the order in which the signature is generated. Multiple integrity
parts can be specified, and you have to specify the order of generating the
signature. In our case, we select 1. The WS-Security runtime of Version
6.1 supports multiple signature and encryption parts in one SOAP
message. For multiple signature and encryption parts, you have to specify
the processing order. For example, if you want to sign and encrypt the
SOAP body, you should specify 1 in the Integrity dialog and 2 in the
Confidentiality dialog.
b. Add and configure the message part. The default created part is for
signing the SOAP body. If you want to sign the SOAP body only, you have
nothing more to do. For another integrity part, you have to specify the
dialect (WebSphere keywords or XPath).
In the parts keyword section, you can select from predefined keywords for
which message parts are signed. The keywords are body (SOAP body
element is signed), time stamp (all time stamp elements are signed),
securitytoken (all security tokens are signed), dsigkey (KeyInfo elements
of the signature are signed), enckey (KeyInfo elements of the encryption
are signed), messageid (MessageID element of WS-Addressing is
signed), to (To element of WS-Addressing is signed), action (action
element of WS-Addressing is signed), relatesto (RelatesTo element of
WS-Addressing is signed), wsaall (all the WS-Addressing elements are
signed), wsafrom (from element of WS-Addressing is signed), wsareplyto
(ReplyTo element of WS-Addressing is signed), wsafaultto (FaultTo
element of WS-Addressing is signed), and wsacontext (WS-Context
header is signed).
In our case we choose to sign the body part only.
c. If the XPath expression dialect is selected, you should input the XPath
expression to specify the integrity part.
d. Add a nonce or time stamp, or both, if you require WebSphere Application
Server Version 6.1 extensions. For both, you select the dialog and
keyword in the same way as for the message parts. For the time stamp,
you can specify an expiration date.
136 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
e. You can add multiple message parts, a nonce, and a time stamp in one
dialog. All message parts that are specified in one Integrity dialog are
signed by the same signing information, which is defined on the WS
Binding page.
Click OK and an integrity part is created. If you need multiple integrity parts,
you can add them. Save the configuration.
2. Configure the token generator (Figure 6-13 on page 138).
Open the SecurityCallerEJB deployment descriptor. Select the WS Binding
tab. Expand the Security Request Generator Binding Configuration
section. You have to know whether a token reference type and a security
token are inserted. Expand Token Generator and click Add.
Note that to specify a token generator used for signing, a security token is not
specified on the WS Extension page.
138 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Configure the Token Generator dialog:
a. Enter a token generator name such as IntegrityX509Token.
b. For the token generator class, select X509TokenGenerator.
c. Do not select a security token.
d. Select Use value type, and then select X509 certificate token.
e. Select X509CallbackHandler.
f. Select Use key store. In our case, we use the WebSphere default pkcs12
keystore. Enter the password keystore (WebAS for the WebSphere
default), the keystore path, and the keystore type.
g. Click Add under Key and enter default as the alias, WebAS as the key
password, and the key name.
h. Click OK and a token generator is created.
Tip: The WebSphere default keystore path can be found with the
administrative console in Security → SSL certificate and key
management → SSL configurations → NodeDefaultSSLSettings →
Key stores and certificates → NodeDefaultKeyStore.
b. Select or enter a key locator class name. The class to retrieve a key
implements the com.ibm.wsspi.wssecurity.keyinfo.KeyLocator interface.
Three implementations of KeyLocator are provided in WebSphere
Application Server Version 6.1, and you can implement your own class if
necessary.
The provided implementations are KeyStoreKeyLocator (locates and
obtains the key from the specified key store file), SignerCertKeyLocator
(uses the public key from the certificate of the signer of the request
message), and X509TokenKeyLocator (uses the X.509 security token
from the requester message for signature validation and encryption). The
two last ones are used by the request consumer and the response
consumer. In our case, we select the KeyStoreKeyLocator.
140 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
c. If the selected key locator class requires the key store file, you can specify
the key store and key by selecting Use key store. Enter the same
information as in the previous dialog.
Click OK and a key locator is created.
4. Configure the key information.
Expand Key Information and click Add. Specify which type of security token
reference is used.
Configure the Key Information dialog (Figure 6-15):
a. Enter a name such as IntegrityKeyInfo.
142 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Configure the Signing Information dialog:
a. Enter a name such as IntegritySigning.
b. Select a canonicalization method algorithm. The supported algorithms are:
• http://www.w3.org/2001/10/xml-exc-c14n# (canonical XML algorithm
without comments (our choice))
• http://www.w3.org/2001/10/xml-exc-c14n#WithComments (canonical
XML algorithm with comments)
• http://www.w3.org/TR/2001/REC-xml-c14n-20010315 (exclusive XML
canonicalization algorithm without comments)
• http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
(exclusive XML canonicalization algorithm with comments)
c. Select a signature method algorithm from the list. The supported
algorithms are:
• http://www.w3.org/2000/09/xmldsig#rsa-sha1 (RSA with SHA1 (our
choice))
• http://www.w3.org/2000/09/xmldsig#dsig-sha1 (DSA with SHA1)
• http://www.w3.org/2000/09/xmldsig#hmac-sha1 (HMAC-SHA1)
d. Enter any key information name such as IntegrityKeyInfo.
e. Select a key information element from the list. Predefined key information
is listed. Select IntegrityKeyInfo.
f. If you specify signature information for integrity on the KeyInfo element of
the signature or encryption, meaning that dsigkey or enckey is specified
as an integrity part, you can specify how to sign the KeyInfo element.
Select Use key information signature and select from the following
choices:
• keyinfo specifies the whole KeyInfo element to be signed.
• keyinfochildelements specifies the child elements of KeyInfo element
to be signed.
In our case, we do not have to specify this.
Click OK and the signing information is created.
144 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
7. Configure the transforms (Figure 6-18).
After adding part references, adding a transform becomes enabled. Expand
Transforms and click Add and complete the dialog.
146 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
b. Select the usage type, required or optional. If the usage type is required, a
request message without integrity throws a SOAP fault. If the usage type
is optional, and a request message does not have the integrity part, the
message is received. We select Required.
c. Click Add under Message Parts to specify an integrity required part. We
select http://..../dialect-was and body to match our client configuration.
d. Nonce and time stamp extensions can be specified in the same way as for
the client.
e. Click OK and a required integrity part is created.
2. Configure the token consumer.
Select the Binding Configurations tab. Expand the Request Consumer
Binding Configuration Details section.
You have to know whether a required token reference type and a security
token are required. These settings should match the client configuration:
a. If you want to specify a token consumer for the three types of X.509
certificate tokens, specify a trust anchor. We do not specify this.
b. If the token consumer for the X.509 certificate token is necessary, and you
want to specify an intermediate trusted certificate store, specify a
collection certificate store under Certificate Store List. We do not specify
this.
c. If the security token is inserted in the request message, add a Token
Consumer (expand Token Consumers and click Add). To specify a token
consumer, refer to “Configuring the z/OS Web service provider for security
token” on page 123. To specify a token consumer for the token used for
signing, a required security token is not specified in the deployment
descriptor.
Configure the Token Consumer dialog (Figure 6-20 on page 148):
a. Enter a name such as IntegrityToken.
b. Select the token consumer class X509TokenConsumer.
c. Do not select a security token.
d. Select Use value type and select X509 certificate token.
e. Select Use jaas.config and enter system.wssecurity.X509BST as the
name.
f. Select Use certificate path settings and select Trust any certificate.
148 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
3. Configure the key locator (Figure 6-21).
Expand Key Locators and click Add to specify how to retrieve a key for a
signature verification.
150 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
5. Configure the signing information (Figure 6-23).
Expand Signing Information and click Add to define how to verify a required
integrity part.
152 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
7. Configure the transform (Figure 6-25).
Expand Transforms and click Add.
154 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
2. Configure the token generator (Figure 6-27).
Select the Binding Configurations tab. Expand the Response Generator
Binding Configuration Details section. Expand Token Generator and click
Add.
Tip: The WebSphere default keystore path can be found with the
administrative console in Security → SSL certificate and key
management → SSL configurations → NodeDefaultSSLSettings →
Key stores and certificates → NodeDefaultKeyStore.
156 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
4. Configure the key information (Figure 6-29).
158 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
7. Configure the transform (Figure 6-32).
The display shows that the user did not authenticate, as the principal on the Web
service client side is unauthenticated.
The display shows that the Web services client does not authenticate to the Web
service provider, as the principal on the Web service provider side is
unauthenticated.
160 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
The Web service client log confirms that the principal is unauthenticated, as
shown in Example 6-4.
The Web service provider log confirms that the Web service has been called,
run, and that the principal is unauthenticated, as shown in Example 6-5.
We use the Ethereal software to see messages flowing between the Web service
client and the provider. The Ethereal output shows that the Web service request
includes the security token containing the client public key and also the signature
of the signed SOAP body.
We also see the security token and the digital signature for the response SOAP
message.
The SOAP messages flow in clear, as the purpose of integrity is only to make
sure that the content has not been altered.
HTTP/1.1 200 OK
...
Content-Length: 3276
Date: Fri, 10 Nov 2006 15:48:12 GMT
Server: WebSphere Application Server/6.1
162 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
...><soapenv:Header><wsse:Security soapenv:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss
ecurity-secext-1.0.xsd"><wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-s
oap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509
-token-profile-1.0#X509" wsu:Id="x509bst_13"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
curity-utility-1.0.xsd">MIICADCCAWmgAwIBAgIERT6FVDANBgkqhkiG9w0BAQUFADA
5MQswCQYDVQQGEwJVUzEMMAoGA1UE..............Hb62hxqB28S29uNKgiMatiySUfG5
8SFsyOTjnQk1UVtud8Y9JLjz7kI1LVTiM1EP6Y++XP+Pq2t8qSNWAN+nVnaE8A4X8EuGRDU
b/DjAjh8LCAWY6Cs</wsse:BinarySecurityToken><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:Canoni
calizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamesp
aces PrefixList="xsi xsd soapenv soapenc wsse ds "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Canonicalizati
onMethod><ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
URI="#wssecurity_signature_id_12"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamesp
aces PrefixList="xsi xsd soapenv soapenc wsu p98 "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds
:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>A37
Up9iFTwgagkadxBg4uk5wprQ=</ds:DigestValue></ds:Reference></ds:SignedInf
o><ds:SignatureValue>pO+JYmFGdps3yutO6oUbqggknDagy+0pv1cb7C0SRhdw/jD5Vr
Ixe+9Jp/xqZcNrz+yhuE05cCNwk/QznjHxvQ0L8YB4C88A/uG9k7M4Lnv+Dd0RD+MfFaxbP
v3MQETlPBdV69frKEdz+SjJO5jxFhxb4OomHIFKoXQpMXKcVQQ=</ds:SignatureValue>
<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference
URI="#x509bst_13"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509
-token-profile-1.0#X509"/></wsse:SecurityToken
Reference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="wssecurity_signature_id_12"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
curity-utility-1.0.xsd"><p98:obtainSecurityInfoResponse
xmlns:p98="http://itso.ibm.com"><obtainSecurityInfoReturn><string>ITSO3
036</string><string>Fri Nov 10 15:48:04 GMT+00:00
2006</string><string>WTSC58</string><string>9.12.4.8</string><string>UN
AUTHENTICATED</string><string>z/OS</string><string>01.08.00</string></o
All this validates that digital signatures are being used to sign SOAP messages
between the Web service client and the Web service provider using
WS-Security.
164 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
6.4.1 Confidentiality support with WS-Security
Confidentiality is the process in which a SOAP message is protected so that only
authorized recipients can read the SOAP message. Confidentiality is provided by
encrypting the contents of the SOAP message using XML encryption. If the
SOAP message is encrypted, only a service that knows the key for confidentiality
can decrypt and read the message.
The XML encryption standard specifies a process for encrypting data and
representing the result in XML. XML encryption can be used to encrypt any part
of a SOAP message, normally sensitive data such as bank account numbers or
user credentials. The result of encrypting data is an XML encryption element that
contains or references the cipher data.
On the Web service client side, the user does not provide any credential to the
application. Hence, the principal of the client EJB is unauthenticated. This client
EJB makes a Web service call. The Web service request generator encrypts the
body part of the SOAP message with the Web service provider public key. This
Web service provider public key is available as a signer certificate in the client
key store.
On the Web service provider side (WebSphere for z/OS), the Web service
request consumer receives the SOAP message request with the encrypted body
part. It uses its own private key to decrypt the body part. Its own private key is
available as a personal certificate in its key store. No identity is being used for
authentication. Hence, the EJB runs with a unauthenticated principal.
For the response, encryption is also used to ensure confidentiality. On the Web
service provider side (WebSphere for z/OS), the reponse generator side
encrypts the body part of the SOAP message with the Web service client public
key. This Web service client public key is available as a signer certificate in the
provider key store.
166 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
On the Web service client side, the Web service response consumer receives
the SOAP message response with the encrypted body part. It uses its own
private key to decrypt the body part. Its own private key is available as a personal
certificate in its key store.
In our configuration we use the default key stores that already have the default
personal certificates configured. So we only have to extract the public keys (in
the form of signer certificates) from the personal certificates and transfer them to
the other party key store.
We show in this section how to extract the WebSphere z/OS signer certificate
using the administrative console. It is also possible to do it using RACF
commands, as shown in 8.2.2, “Integrity scenario prerequisites” on page 253. A
detailed description about different export options is available in 7.4.4, “Exporting
certificates” on page 220.
It is important to click Extract and not Export. Extract takes the public key
only. Export takes the public key and the private key. But the private key
should stay private and should not be shared with other parties.
2. Enter an HFS path and file name to store the resulting signer certificate.
Select the Binary DER data type and click OK (Figure 6-36).
3. FTP this DER file in binary format to the Web service client.
168 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
4. Using the Web service client administrative console, navigate to the Add
signer certificate section of the defaultkey store in SSL certificate and key
management → Key stores and certificates → NodeDefaultKeyStore →
Signer certificates and select the Add signer certificate.
Enter an alias refering to the Web service provider name. Enter the path and
the file name of the DER file you just transfered. Select the Binary DER data
type and click OK (Figure 6-37).
The signer certificate now appears in the list of signer certificates on the Web
service client side.
3. FTP this DER file in binary format to the Web service provider (WebSphere
for z/OS).
4. Using the Web service provider administrative console, navigate to the Add
signer certificate section of the defaultkey store in SSL certificate and key
management → Key stores and certificates → NodeDefaultKeyStore →
Signer certificates and select the Add signer certificate.
Enter an alias refering to the Web service client name. Enter the path and the
file name of the DER file you just transfered. Select the Binary DER data
type and click OK (Figure 6-39).
170 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
The signer certificate now appears in the list of signer certificates on the Web
service provider side.
Client side
To specify confidentiality for a part of a SOAP message, you have to specify the
parts that should be encrypted and the method of encryption in the client’s
WS-Security configuration:
Specify the parts of the message that have to be encrypted in the request
generator configuration. The message parts can be specified by predefined
keywords or XPath expressions. You can specify multiple parts that require
encryption.
Specify key-related information, which includes the location of the encryption
key, type of key, and a password for protecting the key.
Specify encryption information, which defines how to encrypt to the specified
part. You have to specify options, such as an encryption method algorithm
and key-related information. Application Server Toolkit helps you to specify
these options.
If a client expects a response that includes confidentiality by the server, the
client also has to be configured to decrypt the server’s encryption of the
response message in the response consumer configuration.
Server side
To specify confidentiality required for part of a SOAP message, you have to
specify the encrypted parts and the method of decryption in the server’s
WS-Security configuration:
Specify the parts of the message that require decryption in the request
consumer configuration. The message parts can be specified by predefined
keywords or XPath expressions. You can specify multiple parts that require
encryption.
Specify key-related information, which includes the location of the decryption
key, the type of key, and a password for protecting the key.
Specify encryption information, which defines how to decrypt the specified
part. You have to specify options, such as an encryption method algorithm
and key-related information.
172 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Figure 6-40 Request generator Confidentiality dialog
d. Add a nonce or time stamp, or both, if you require them. For both, select
the dialog and keyword in the same way as for the message parts. For the
time stamp, you can specify an expiration date.
e. You can add multiple message parts, a nonce, and time stamp in one
dialog. All message parts that are specified in one Confidentiality dialog
are encrypted by the same encryption information, which is defined on the
WS Binding page.
Click OK, and a confidentiality part is created. Save the configuration.
To specify a key locator, refer to 6.3.4, “Configuring the requestor for request
XML digital signature” on page 135.
Configure the Key Locator dialog:
a. Enter a name such as ConfidentialityKeyLocator.
b. Select KeyStoreKeyLocator as the class name. The class to retrieve a
key implements the com.ibm.wsspi.wssecurity.keyinfo.KeyLocator
interface.
c. Select Use key store and specify a client key store. We choose the
WebSphere default key store.
174 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
d. Click Add under Key to define the key. Enter the provider key alias, a key
password, and the provider key name. We choose the wtsc58 alias.
Tip: The WebSphere default key store path can be found with the
administrative console in Security → SSL certificate and key
management → SSL configurations → NodeDefaultSSLSettings →
Key stores and certificates → NodeDefaultKeyStore.
176 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
• http://www.w3.org/2001/04/xmlenc#aes192-cbc: AES 192 in CBC
• http://www.w3.org/2001/04/xmlenc#aes256-cbc: AES 256 in CBC
c. Select a Key encryption method algorithm from the list. The supported
algorithms are:
• http://www.w3.org/2001/04/xmlenc#rsa-1_5: RSA Version 1.5 (our
choice)
• http://www.w3.org/2001/04/xmlenc#kw-tripledes: Triple DES Key Wrap
• http://www.w3.org/2001/04/xmlenc#kw-aes128: AES 128 Key Wrap
• http://www.w3.org/2001/04/xmlenc#kw-aes192: AES 192 Key Wrap
• http://www.w3.org/2001/04/xmlenc#kw-aes256: AES 256 Key Wrap
• http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p: RSA-OAEP
If no algorithm is selected, the encryption key is not encrypted.
d. Enter any key information name. This specifies the key information
reference. We specify ConfidentialityKeyInfo.
e. Select a key information element from the list of the key information that
was defined. The selected key information is used for encryption. In our
case, we select ConfidentialityKeyInfo from the list.
f. Select a confidentiality part from the list of confidentiality parts that were
defined in the extensions. In our case, we select ConfidentialityBody from
the list.
g. Click OK and the encryption information is created. Save the
configuration.
178 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
b. Select the usage type, either required or optional. If the usage type is
required, an unencrypted request message throws a SOAP fault. If the
usage type is optional, an unencrypted message is received. Select
Required.
c. Click Add for message parts and select http://.../dialect-was and
bodycontent as the keyword.
d. Nonce and time stamp extensions can be specified as on the generator
side. In our case, we do not specify them.
e. Click OK and a required confidentiality part is created.
2. Configure the trust anchor (Figure 6-45).
Select the Binding Configurations tab. Expand the Request Consumer
Binding Configuration Details section. Expand Trust Anchor and click
Add.
To specify a key locator, refer to 6.3.4, “Configuring the requestor for request
XML digital signature” on page 135.
180 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Configure the Key Locator dialog:
a. Enter a name such as ConfidentialityKeyLocator.
b. Select KeyStoreKeyLocator as the class name. The class to retrieve a
key implements the com.ibm.wsspi.wssecurity.keyinfo.KeyLocator
interface.
c. Select Use key store and specify a client key store. We choose the
WebSphere z/OS default key store.
d. Click Add under Key to define the key. Enter the provider key alias, a key
password, and the provider key name. We choose the wtsc58 Alias.
4. Configure key information (Figure 6-47).
Expand Key Information and click Add to specify which type of key
reference is used.
182 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
d. Select a key information element from the list of the key information that
was defined. The selected key information is used for encryption. In our
case, we select ConfidentialityKeyInfo from the list.
e. Select a confidentiality part from the list of confidentiality parts that were
defined in the extensions. In our case, we select ConfidentialityBody from
the list.
f. Click OK and the encryption information is created. Save the
configuration.
184 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
3. Configure key information (Figure 6-50).
Expand Key Information and click Add to specify which type of key
reference is used.
Refer to 6.4.6, “Configuring the z/OS provider for request XML encryption” on
page 178, for details about this dialog configuration.
186 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
3. Configure the key locator (Figure 6-52).
Expand Key Locators and click Add to specify how to retrieve a key for
decryption.
Refer to 6.4.6, “Configuring the z/OS provider for request XML encryption” on
page 178 for details about this dialog configuration.
Refer to 6.4.6, “Configuring the z/OS provider for request XML encryption” on
page 178, for details about this dialog configuration.
5. Configure encryption information.
Expand Encryption Information and click Add and specify how to encrypt.
Refer to 6.4.6, “Configuring the z/OS provider for request XML encryption” on
page 178, for details about this dialog configuration. The configuration of this
dialog is similar.
188 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
The application displays the principal on Web service client side and also on the
Web service provider side (Figure 6-54).
The display shows that the user did not authenticate, as theprincipal on the Web
service client side is unauthenticated.
The display shows that the Web services client does not authenticate to the Web
service provider, as the principal on the Web service provider side is
unauthenticated.
The Web service client log confirms that the principal is unauthenticated, as
shown in Example 6-7.
We use the Ethereal software to see messages flowing between the Web service
client and the provider. The Ethereal output shows that the Web service request
body part is encrypted and not readable. An EncryptedData tag is added to the
SOAP message.
We also see that the body part of the SOAP message for the response is
encrypted.
<soapenv:Envelope ...><soapenv:Header><wsse:Security
soapenv:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss
ecurity-secext-1.0.xsd"><EncryptedKey
xmlns="http://www.w3.org/2001/04/xmlenc#"><EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenRefere
nce><wsse:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509
-token-profile-1.0#X509SubjectKeyIdentifier">SnrZxQvN4uw=</wsse:KeyIden
tifier></wsse:SecurityTokenReference></ds:KeyInfo><CipherData><CipherVa
lue>YLx8JzXGihdnEFtk7NMKxrZ/jO5V2dZWOhXiEL0Y/c72Tf3nkoUmRz3r1xTuSW9fcvn
6LKtKzAM0WNFEzIFpeoOVoUtMWoRNLUBLSI3SyUdBIaS6en6536M2CwFRbFCDDzekPQ6ynY
mxpYxrQiIpkRIsbxMIw6O+66lG43y88rU=</CipherValue></CipherData><Reference
190 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
List><DataReference
URI="#wssecurity_encryption_id_1"/></ReferenceList></EncryptedKey></wss
e:Security></soapenv:Header>
<soapenv:Body><EncryptedData Id="wssecurity_encryption_id_1"
Type="http://www.w3.org/2001/04/xmlenc#Content"
xmlns="http://www.w3.org/2001/04/xmlenc#"><EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><CipherData
><CipherValue>Ngo63Q72UWG0r/Z3zvyFAVTTlAdTlw4+vtumTqZSgvzbLp8/V5pjE7Pru
X1MxUN+arMjxaC0afV7yP+9nKbNgagf+EB5yFVRCju3PzJXYpg6OBWHwfl/6WWwIpbNLVXN
4ntU5dRSQ5+bC6o6lTQk/PuH3LNAWWlm</CipherValue></CipherData></EncryptedD
ata>
</soapenv:Body></soapenv:Envelope>
HTTP/1.1 200 OK
...
Date: Mon, 13 Nov 2006 13:55:55 GMT
Server: WebSphere Application Server/6.1
<soapenv:Envelope...><soapenv:Header><wsse:Security
soapenv:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss
ecurity-secext-1.0.xsd"><EncryptedKey
xmlns="http://www.w3.org/2001/04/xmlenc#"><EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenRefere
nce><wsse:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509
-token-profile-1.0#X509SubjectKeyIdentifier">Q/HFFBeGh/U=</wsse:KeyIden
tifier></wsse:SecurityTokenReference></ds:KeyInfo><CipherData><CipherVa
lue>kB+/NZaPzXVouZYZVa/l991AnRXRMsDkIm/nyJhwWzchOMeE3eaXYHRExjIWCOazJ+G
wZ3tRGLRpkfg9BKJBmQWzKgiGnflgSl+hyqmNnzNb9xzi4Y4zkrvKYuk4Ov6yub7NG94bIS
ndgeSqqBVeMY0KYcAPzx8jo3ES7WghqRk=</CipherValue></CipherData><Reference
List><DataReference
URI="#wssecurity_encryption_id_19"/></ReferenceList></EncryptedKey></ws
se:Security></soapenv:Header>
<soapenv:Body><EncryptedData Id="wssecurity_encryption_id_19"
Type="http://www.w3.org/2001/04/xmlenc#Content"
xmlns="http://www.w3.org/2001/04/xmlenc#"><EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><CipherData
><CipherValue>M1YgSFnIrz89VFHdPsmVT0PauBHcbxs+qdeLp1/f+BnsDzzz8dCIr1RT5
Sy2fK2nUuW2YRFOjr+0Ryaaw6gWbDDCbG+1FyG3E6YqGvaHng6uM39Hm/Om4wTq8kKYqQaG
HX0lnlieRs04D6iyzk3NfPLXDoxqov4LIuEZaLL5YcxuVmF5+OgPj8mnEe3QN47ENF9Ygjw
mzv2jb21Euz8H0oK5nVBBqMXJH8zakgU2+qOGMsTAUrLd5eCsVqH1jwKmW+VvwXRH65VlZT
o1PV40x5Zn8BpLCA/sfd5GzmtoytAIjxipAVoYw0ebd6IA4msJZ1U/EcLD+rD/bABSSdelF
zHgyw6MZmpWfYgkAC6fw/2p1PrRCCnC12M2xz214TUQgHrljPbtGl73/dz5F77ow8wW+oK9
All this validates that XML encryption is used to encrypt SOAP messages
between the Web service client and the Web service provider using
WS-Security.
For more information see 7.5, “Hardware crypto and Java crypto providers” on
page 222, which describes extensively the different achoices vailable for
exploiting hardware cryptography. Section 7.8.2, “Installing the unrestricted Java
policy jars” on page 236, shows how to install the unrestricted Java policy jar
files.
You can use ID assertion when an intermediary server must invoke a service
from a downstream server on behalf of the client. The intermediary server
establishes a trust relationship with the downstream server (using authentication,
for instance, but not necessarily) and then is recognized as a trusted partner by
the downstream server. The intermediary server can then assert the client
identity to the downstream server.
192 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
This section describes how WS-Security supports identity assertion, explains our
identity assertion scenario, gives an overview of how to configure identity
assertion, and thoroughly describes the steps to configure this scenario.
When you use the BasicAuth and digital signature trust modes, the intermediary
server passes its own authentication information to the downstream server for
authentication. The Web services security implementation for WebSphere
Application Server validates the trust relationship by following this procedure:
1. The downstream server validates the authentication information of the
ntermediary server.
2. The downstream server verifies whether the authenticated intermediary
server is authorized for identity assertion. For example, the intermediary
server must be in the trust list for the downstream server.
3. If the validations described previously succeed, the asserted identity is set as
the identity of the running thread. If any of the validations fail, the request is
rejected with a SOAP fault exception.
On the Web service client side, the user authenticates to the intermediary server
(winbax) using a user ID (USER1) and a password. These credentials are
validated against the intermediary server user registry. Because credentials are
valid, the login module sets the user ID (USER1) in the Java principal for
194 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
executing the client EJB. This client EJB makes a Web service call. The Web
service request generator includes a security token in the SOAP message
header. This security token is a username token that contains the user username
only (USER1). No password is inserted. The Web service request generator also
performs the actions necessary to establish the trust relationship (basic
authentication token, sign the user name, or nothing). In our example the trust is
presumed, hence no additional action is required.
On the Web service provider side (WebSphere for z/OS), the Web service
request consumer receives the security token and uses a JAAS login module to
accept the asserted user name and set the principal. The EJB runs with a
USER1 principal.
In this example, the user identity USER1 flows from the browser, through the
intermediary server (winbax), to the downstream server (wtsc58).
Identity assertion occurs only when sending the request. Hence, there is no
security mechanism when receiving the response.
Client side
To insert an asserted identity into a SOAP message, a username token and its
token generator must be specified in the client’s WS-Security configuration:
Specify a security token in the request generator configuration. In case of
identity assertion, the security token type must be username. This security
token is sent inside the SOAP header to the server.
Specify a token generator for the user name token in the request generator
configuration. The role of the token generator is to retrieve the user name
from the current Java principal and generate the user name token with the
user name only and no password. The token generator class for the user
name token, UsernameTokenGenerator, is provided by the Web services
security run time as a default implementation. Some specific properties need
to be defined so that the callback handler knows where to find the user name.
196 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Configure the Security Token dialog:
a. Enter a name such as IDAssertionToken.
b. Select the Username Token type from the drop-down list. When you
select a token type, the local name is filled in automatically. The URI is not
necessary (leave it empty).
Click OK.
198 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Configure the Token Generator dialog:
a. Enter a token generator name such as IDAssertionTokenGen.
b. Select the UsernameTokenGenerator token generator class.
c. For the security token, expand the drop-down list and select the security
token defined on the WS Extension page (IDAssertionToken).
d. Check the Use value type check box.
e. Select the Username Token value type from the drop-down list. This
selection fills the local name and callback handler.
f. Verify the callback handler class is NonPromptCallbackHandler.
g. Do not specify any user ID and password, as the flowing identity comes
from the principal.
h. Add callback handler properties:
• com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed set to true: This
option indicates that the identity of the initial sender is required and
inserted into the Web services security header within the SOAP
message. For example, WebSphere Application Server only sends the
user name of the original caller for a username token generator. For an
X.509 token generator, the application server sends the original signer
certification only.
• com.ibm.wsspi.wssecurity.token.IDAssertion.useRunAsIdentity set to
true: This option indicates that the RunAs identity will be used instead
of the initial caller identity for identity assertion for a downstream call.
i. Click OK and the identity assertion token generator is created.
3. Save the configuration.
200 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
2. Configure the caller part (Figure 6-59).
Expand Caller Part under Request Consumer Service Configuration
Details and click Add.
202 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Configure the Token Consumer dialog:
a. Enter a token consumer name such as IDAssertionTokenConsumer.
b. Select the IDAssertionUsernameTokenConsumer token consumer
class. This class processes the username token for identity assertion,
which does not have a password element. This interface invokes the
system.wssecurity.IDAssertionUsernameToken JAAS login configuration
with the
com.ibm.wsspi.wssecurity.auth.module.IDAssertionUsernameLoginModul
e login module to validate the IDAssertion user name token. An object of
the com.ibm.wsspi.wssecurity.auth.token.UsernameToken class is created
for the validated username token and stored in the JAAS subject.
c. Expand the drop-down list for security token and select the token specified
on the extension page (IDAssertionToken).
d. Select Use value type and select the Username Token value type from
the list. This fills the local name automatically.
e. Select Use jaas.config to validate the security token in the client’s
request message. Specify the name of the JAAS configuration:
system.wssecurity.IDAssertionUsernameToken. This enables the
application to use identity assertion to map a user name to an application
server credential principal.
f. Click OK and the token consumer is created.
4. Save the configuration.
This section discusses different ways to create the trust relationship between the
intermediary server and the downstream server.
Consider that basic authentication is not very secured by itself, as the user name
and password flow in clear in the SOAP message. If you choose basic
authentication, you should also consider some other security mechanisms such
as SSL at the transport layer level.
Presumed trust
If the trust relationship is not created at the Web service message layer level,
then it is only presumed at the message layer level, and it can be enforced
outside of the Web service flow itself.
Trust can be enforced at the network level, for instance. For example, network
appliances such as firewalls can be used to create a secured zone in which
servers trust each others. Another example at the network level could be using
different networks for incoming communication to the intermediary server and for
outgoing communication to the downstream server.
204 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
The application is called with the following URL:
http://windowsbax.pok.ibm.com:9081/SecurityCallerWAR/
For this scenario we use the secured servlet so that the user has to authenticate
and provide credentials. We provide the username and password known to the
Web service client (windowsbax) user registry. This username is valence in our
example. See Figure 6-61.
The servlet runs, calls the client EJB, makes the Web service call, and displays
the results.
The display shows that the user did authenticate, as the principal on the Web
service client side is valence.
The display shows that the Web services client sent a username security token
with the asserted identity, as the principal on the Web service provider side is
valence.
The Web service client log confirms that the principal is valence, as shown in
Example 6-10, “Web service requestor server log” on page 206.
206 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
The Web service provider log confirms that the Web service has been called,
run, and that the principal is valence, as shown in Example 6-11.
We use the Ethereal software to see messages flowing between the Web service
client and the provider. The Ethereal output shows that the Web service request
includes the username security token with the <wsse:Username> tag only. There
is no password being transfered. This is indeed an asserted identity. See
Example 6-12.
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Header><
wsse:Security soapenv:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss
ecurity-secext-1.0.xsd"><wsse:UsernameToken><wsse:Username>valence</wss
e:Username></wsse:UsernameToken></wsse:Security></soapenv:Header><soape
nv:Body><p98:obtainSecurityInfo
xmlns:p98="http://itso.ibm.com"><input>ITSO1235</input></p98:obtainSecu
rityInfo></soapenv:Body></soapenv:Envelope>
HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
<soapenv:Envelope ...
><soapenv:Header/><soapenv:Body><p98:obtainSecurityInfoResponse
xmlns:p98="http://itso.ibm.com"><obtainSecurityInfoReturn><string>ITSO1
235</string><string>Mon Nov 13 15:19:21 GMT+00:00
2006</string><string>WTSC58</string><string>9.12.4.8</string><string>va
lence</string><string>z/OS</string><string>01.08.00</string></obtainSec
urityInfoReturn></p98:obtainSecurityInfoResponse></soapenv:Body></soape
nv:Envelope>
All this validates that identity assertion occurs between the Web service client
and the Web service provider using WS-Security.
208 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
7
210 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
A new WebSphere base installation will have only one SSL configuration defined
at the node level, as illustrated in Figure 7-1. Select SSL certificate and key
management → Manage endpoint security configurations.
In Figure 7-1, the server and endpoints under the inbound topology inherit their
SSL configuration NodeDefaultSSLSettings from the node-level SSL
configuration. Additional SSL configurations can be defined at a lower scope
overriding the node-level configuration by simply clicking the server or endpoint
and choosing a new SSL configuration.
SSL aliases are still supported in WebSphere V6.1, but using centrally managed
SSL configuration is recommended for ease of management. Application servers
that are migrated from earlier releases of WebSphere to WebSphere V6.1 still
use SSL aliases, and the endpoints need to be manually configured to take
advantage of the centrally managed SSL support.
Following any of the paths for the endpoints in Table 7-2 on page 214, the
transport chain can be changed from using an SSL configuration alias specific to
an endpoint to using the centrally configured SSL configuration.
212 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
7.3 WebSphere V6.1 for z/OS SSSL to JSSE changes
There have been improvements to the way SSL is configured and managed in
the admin console in WebSphere V6.1. In previous versions of WebSphere an
SSL repertoire could be defined as one of two types, either as Java Secure
Socket Extension (JSSE) or System SSL (SSSL). JSSE and SSL differed in the
following ways:
JSSE
– Used Java APIs for SSL
– Defined with path to an HFS Java keystore file
– Defined with a path to a safkeyring URI
SSL (system SSL)
– Used z/OS set of C/C++ APIs for SSL
– Defined with z/OS SAF keyring name only
Certain endpoints were designed to only work with SSSL or JSSE, and each
endpoint needed to be configured with a repertoire alias. It was important to
know the location in the admin console for updating the alias of a transport.
Table 7-1 shows the WebSphere V6.0 SSL type and admin console location for
specifying a repertoire alias.
In WebSphere V6.1, all endpoints with the exception of the daemon use JSSE as
the SSL type. The daemon is a lightweight address space that uses system SSL
because the address space does not run with a JVM. All other endpoints are
used in a WebSphere control regions that run with a JVM.
214 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
platforms. For certificates stored in the HFS keystore and trustore files, full
management of the certificates can be done from the admin console.
For certificates stored in RACF, the keystores are read only, meaning that
certificates cannot be added, deleted, received, or imported. These operations
need to be performed by the RACF administrator. However, it is possible to view
the certificates and monitor their expirations in the administrative console.
This section shows how to perform certain administrative tasks with safkeyrings
and are supplemented with sample RACF commands. The tasks include
viewing, importing, exporting, and deleting certificates. For more details about
the RACF commands, see Security Server RACF Command Language
Reference, SA22-7687, which provides a complete list of RACF security
commands and options.
Figure 7-3 Viewing signer certificate and personal certificate in the admin console
216 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Important certificate information such as issuer, issued by, and validity period
can be obtained for a signer certificate or personal certificate. The certificate
information obtained from the administrative console can be useful for
diagnosing problems related to SSL and for confirming that the application server
is able to access the certificates for a particular keyring. See Figure 7-4.
The admin console path to manage certificate expiration is SSL certificate and
key management → Key stores and certificates → Manage certificate
expiration.
218 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Figure 7-5 illustrates the options for managing certificate expiration.
The following RACF commands and steps are provided to show an example of
how to export a signer certificate or personal certificate into an HFS file to be
transferred to another system:
Exporting a signer certificate to an HFS file:
RACDCERT ID(userid) CERTAUTH
EXPORT(LABEL('certificate_authority_label')) DSN(CA.DSN.NAME)
FORMAT(CERTDER)
Once the certificate is exported to a data set in DER format, the data set can
be moved to an HFS file with the following command:
OPUT CA.DSN.NAME '/tmp/ca.crt' binary convert(no)
Exporting a personal certificate to an HFS file:
RACDCERT ID(userid) EXPORT(LABEL('personal_certificate_label'))
DSN(PS.DSN.NAME) FORMAT(PKCS12DER) PASSWORD('XXXX')
Once the certificate is exported to a data set in PKCS12 format, the data set
can be moved to an HFS file with the following command:
OPUT PS.DSN.NAME '/tmp/personal.p12' binary convert(no)
220 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Table 7-3 shows the available formats that the WebSphere administration
console can import from a file.
CERTB64 Specifies X.509 certificate and public key that has been encoded
using Base64. This format can be transferred in ASCII.
PKCS12B64 Specifies a PKCS #12 package that has been encoded using
Base64. This format may not be compatible with non-IBM
applications, and should be transferred in ASCII.
The signer certificate or personal certificate can then be transferred from an HFS
file to a client in binary using FTP.
8.2, “Integrity with SSL” on page 252 shows one example of using the RACF
commands to export a certificate to an HFS file, and 6.4, “Confidentiality with
XML encryption” on page 164 shows how to export a certificate from the
administration console to an HFS file.
Figure 7-6 Error received when deleting a keystore defined in an SSL configuration
To resolve this issue, delete the SSL configuration that has this keystore
specified first before deleting the keystore.
Vendors such as SUN and IBM provide their implementations of JCE. The IBM
version of the Java Cryptography Extension (IBMJCE) is an implementation of
the JCE cryptographic service provider compatible in z/OS environments. The
IBMJCE is similar to SunJCE with a few differences. IBMJCE has a different
package naming convention, it offers more algorithms, and it supports
z/OS-specific keystores.
222 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
interfaces. IBMJCECCA provides secure, high-speed cryptographic services on
various platforms through hardware cryptographic devices.
The IBMJCECCA provider is new in Java 1.5, which ships as part of WebSphere
V6.1. Previous WebSphere configurations running with Java 1.4.2 may have
been accessing keys stored in hardware using the IBMJCE4758 provider. The
IBMJCECCA provider extends and replaces the IBMJCE4758 provider from
earlier releases. At this time, the IBMJCECCA provider and the IBMJCE4758
provider are functionally equivalent.
There are a variety of other security providers that can be used with the JCE
architecture. The focus of this section is on the IBMJCE and IBMJCECCA
providers in a WebSphere 6.1 z/OS environment.
A new default provider can be chosen by setting the provider name as the first in
the list and saving the file. WebSphere needs to be restarted to pick up any
changes made to the java.security file.
In Example 7-2 the java.security file was modified to have only the IBMJCE
provider.
224 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Figure 7-7 illustrates only the keystore types available for the IBMJCE provider.
The keystore types are listed as:
PKCS12
JCERACFKS
JCEKS
JKS
PKCS11
Figure 7-8 shows the additions to the keystore list. Select SSL certificate and
key management → Key stores and certificates → New.
Figure 7-8 Keystore types from the IBMJCECCA and IBMCE providers
226 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
A truststore is a type of keystore whose database contains one or more
certificates that are trusted belonging to another party. In WebSphere a trusted
certificate and public key are stored as a signer certificate. The certificates are
considered trusted because the truststore owner trusts that the public key in the
certificate belongs to the identity identified by the subject of the certificate. The
public key certificate can be used to confirm that a person is really who she
claims to be, and that data really came from that person. In general terms,
truststores and keystores are often referred to as keystores.
Table 7-4 describes the characteristics between the IBMJCE and IBMJCECCA
providers based on the keystore types.
The Use HW column indicates that hardware is used for SSL acceleration.
Keystore descriptions
A description of each of the keystore types from Table 7-4 on page 227 is
provided:
JKS (Java KeyStore file)
This is a traditional file-based keystore format available with the standard
JDK™. Files based on this format are usually stored with a .jks extension.
Use this option if the keystore file is stored in JKS format.
JCEKS (Java Cryptography Extension Keystore)
This is a file-based keystore implementation of the Java Cryptography
Extensions provider. Files based on this format are usually stored with a
*.jceks extension.
Use this option if the keystore file is stored in JCEKS format.
PKCS12KS (Public Key Cryptography Standards version 12 Keystore)
This is a file format commonly used to store private keys with accompanying
public key certificates protected with a password-based symmetric key. Files
based on this format are usually stored with a .p12 extension.
Use this option if your keystore uses the PKCS#12 file format.
JCERACFKS (JCE RACF Keystore)
This is the keystore used in which certificates are stored in a SAF keyring and
the keys stored in RACF.
JCECCARACFKS (JCE Common Crytpographic Architecture RACF
Keystore)
This is the keystore used for certificates that are stored in a SAF keyring, and
the keys can be stored in RACF, or stored in hardware, and are ICSF
managed.
228 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
JCECCAKS (JCE Common Crytpographic Architecture Keystore)
A file-based keystore where certificates are stored in a file, but the keys are in
hardware managed with hwkeytool utility.
PKCS11KS (Public Key Cryptography Standards version 11 Keystore)
This option is not currently supported on WebSphere V6.1 for z/OS.
To better understand how to use certificates that are stored in RACF, see 7.7,
“SSL and JCERACFKS keystore” on page 229 and 7.8, “Hardware crypto using
a JCECCARACFKS keystore” on page 233, which provide two examples that
step through setting up and accessing certificates in RACF with a safkeyring
URI.
The Read Only check box is checked since SAF keystores are read only.
230 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Figure 7-9 shows the options chosen in the admin console when setting up the
keystore.
Important: The admin console stores the exact string that you type for the
safkeyring URI in the security.xml file in the HFS. Be sure not to add any
trailing spaces when specifying the safkeyring URI, otherwise you will not be
able to view or access your certificates in RACF. The port configured with this
SSL configuration will not work correctly.
For safkeyring URIs, the admin console only confirms that the Change
password entry and the Confirm password entry match. It does not verify that
the password should be password, which is the valid password that can be
used to access certificates using a safkeyring URI.
232 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Figure 7-11 shows the output of the personal certificate for WASKeyring.TEST
created for this example.
The commands in step 3 connect the HDCA signer certificate to both the control
and servant region keyrings. It may not be necessary to connect the signer
certificate to the servant region keyring depending on the endpoint for SSL
communication, but it is done in this step so that the signer certificate can be
viewed in the administration console.
The creation of the certificates is appended with the ICSF keyword, which
indicates that RACF should attempt to store the private key associated with this
certificate in the ICSF PKDS.
234 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Example 7-4 shows a display of the signer certificate information:
RACDCERT CERTAUTH LIST(LABEL('HDCA'))
Label: HDCA
Certificate ID: 2QiJmZmDhZmjgcjEw8FA
Status: TRUST
Start Date: 2006/12/04 00:00:00
End Date: 2007/12/04 23:59:59
Serial Number:
>00<
Issuer's Name:
>CN=HDwtsc58.itso.ibm.com.OU=IBM<
Subject's Name:
>CN=HDwtsc58.itso.ibm.com.OU=IBM<
Key Usage: CERTSIGN
Private Key Type: ICSF
Private Key Size: 1024
PKDS Label: IRR.DIGTCERT.CERTIFAUTH.SC58.BFCDC999793165CE
Ring Associations:
Ring Owner: ASCR1
Ring:
>WASKeyring.HD<
Ring Owner: ASSR1
Ring:
>WASKeyring.HD<
Label: HDPersonal
Certificate ID: 2QXB4sPZ8cjE14WZopaVgZNA
Status: TRUST
Start Date: 2006/12/04 00:00:00
End Date: 2007/12/04 23:59:59
Serial Number:
>01<
Issuer's Name:
To obtain the Java unrestricted policy jars and place them on the WebSphere
z/OS system:
1. Obtain the unrestricted policy jars from:
http://www.ibm.com/developerworks/java/jdk/security/index.html
2. Make a backup of the original restricted local_policy.jar and
US_export_policy.jar.
3. Download the unrestricted local_policy.jar and US_export_policy.jar to your
WebSphere z/OS system in <WAS_HOME>/AppServer/java/lib/security.
4. After copying the local_policy.jar and US_export_policy.jar, change the
permissions so that the control and servant region address spaces can
access the jar files:
– chmod 644 local_policy.jar
– chmod 644 US_export_policy.jar
236 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Example 7-6 illustrates the addition made to the java.security file.
security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse.IBMJSSEProvider2
security.provider.4=com.ibm.jsse2.IBMJSSEProvider
security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.security.sasl.IBMSASL
security.provider.8=com.ibm.security.cmskeystore.CMSProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
When setting up the certificates, the HDCA certificate was connected to both the
control region and servant region user ID so that the certificate information can
be viewed in the admin console.
238 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Figure 7-13 shows the signer certificate information for keyring WASKeyring.HD.
240 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
– SSL handshake issues when using HFS clients (that is, wsadmin.sh,
syncNode.sh, launchClient.sh, and so on)
• User ID executing the client on z/OS
• User ID of admin console it is running in (either the user ID of the
deployment manager control region (network deployment) or the user
ID of the application control region user ID (base))
3. For a z/OS client or server, display the certificates on the keyring associated
with the user ID and provide the certificate details for the signer certificate and
personal certificate (if there is one). The SSL commands to display the
certificate information are provided in “Viewing certificates” on page 215
For the distributed client or server, display the certificate information for the
signer certificate and personal certificate (if there is one) using the admin
console SSL management, or ikeyman utility.
4. From the displayed information check the validity period for the signer
certificate on the SSL client side and SSL server side. Verify that the current
date falls within the start date and end date for the certificates. The
certificate’s start date should precede the current date and not be expired.
5. From the displayed information, confirm that the SSL client’s truststore
contains the signer certificate of the server. Verify that the issuer’s
distinguished name and subject distinguished name for the server’s signer
certificate on the SSL client side matches that the server personal certificate
on the SSL server side.
Follow the path in the admin console in WebSphere: Logging and Tracing >
servername → Change Log Detail Levels. Click the Configuration tab and
add the WebSphere trace specification:
SSL=all
The Java trace setting cannot be enabled dynamically and requires the
application server to be restarted to pick up the change.
242 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Exception is javax.net.ssl.SSLHandshakeException: Client requested
protocol Unknown 0.2 not enabled or not supported.
com.ibm.ws.ssl.channel.impl.SSLHandshakeErrorTracker
The error text shows a problem while starting WebSphere using the
IBMJCECCA provider, but with the ICSF address space not running:
java.lang.RuntimeException: Hardware error from call CSNBOWH
returnCode 12 reasonCode 0
com.ibm.crypto.hdwrCCA.provider.SHA.a(Unknown Source)
com.ibm.crypto.hdwrCCA.provider.SHA.engineDigest(Unknown Source)
java.security.MessageDigest$Delegate.engineDigest(MessageDigest.java
:554)
java.security.MessageDigest.digest(MessageDigest.java:332)
com.ibm.ws.management.repository.DocumentDigestImpl.calc(DocumentDig
estImpljava:128)
com.ibm.ws.management.repository.FileDocument.calcDigest(FileDocumen
t.java:212)
Figure 8-1 Web service transport security HTTP basic authentication scenario
In this scenario, we demonstrate how the client SecureCaller EJB can provide a
user name and password to authenticate to the SecureInfo EJB that is Web
246 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
service enabled. An authentication method of BASIC is specified in the
SecurityInfoRouterWS deployment descriptor. The user name and password are
specified in a Web service client binding, as opposed to specifying them
programmatically in the code. The transport does not have SSL enabled.
6. In the J2EE perspective, traverse the tree under Enterprise Applications, and
open the deployment descriptor for the SecurityInfoEAR.
7. Select the Security tab. Click the Gather button, and check the box for All
authenticated users under WebSphere bindings.
The Web service client example uses a POST method to invoke the Web
service. Since the GET method was included in the security constraint, the URI
for the service endpoint can be invoked from a Web browser to verify that a
challenged response is sent to the Web browser. This can be useful for verifying
that basic authentication has been set up correctly for the Web service provider
before proceeding to set up the Web service requestor.
Upon entering a valid user ID and password for an ID permitted to the role
SecureCustomer, the following output appears on the Web browser:
{http://itso.ibm.com}SecurityInfo
Hi there, this is a Web service!
248 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
8.1.3 Configuring the Web service requestor to authenticate
WebSphere bindings facilitate where to specify the user name and password for
a Web services client so that the application does not have to do this
programmatically. In this section we demonstrate how to set the user ID and
password in the Rational Application Developer tool and in the WebSphere
distributed admin console.
Follow the steps in 5.6.4, “SecurityInfo deployment” on page 101, for overriding
the client endpoint URL of the client if it has not already been done. This step is
necessary so that the client knows the host name and port for the Web service
provider.
250 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
In Figure 8-4, principal WINSERV can be seen.
Using the TCP/IP monitor to view the header information, you can verify that the
authorization field is set to BASIC. The SOAP message in the HTTP request is
unchanged.
Example 8-2 shows example output of the header information and authorization
field. The SOAP message follows the HTTP header information.
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Header/>
<soapenv:Body><p98:obtainSecurityInfo
xmlns:p98="http://itso.ibm.com"><input>ITSO5285</input></p98:obtainSecu
rityInfo></soapenv:Body></soapenv:Envelope>
252 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Figure 8-5 illustrates the Integrity with SSL scenario.
In this section, we demonstrate how to set up SSL at the transport layer between
WebSphere distributed and WebSphere z/OS. We extract the signer certificate
from the WebSphere z/OS server and import it into the WebSphere distributed
server using the new admin console SSL support. A new SSL-enabled inbound
transport chain is created on WebSphere z/OS in order to isolate inbound Web
service SSL calls. A new SSL configuration is defined for both the Web service
client and the Web service port so that the quality of protection can be modified
for those SSL configurations. Lastly, we demonstrate using Web service client
bindings to configure the Web service client to use the SSL configuration, and to
override the host and port of the service endpoint URL.
Specify the absolute path to where the certificate was downloaded in binary and
provide a new alias name for the certificate. The data type indicates whether the
certificate was downloaded as Binary Der Data or base64. The certificate was
exported with a format option CERTDER, and must be imported using the same
binary der format.
254 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
In this example:
Alias: webspherezos_ca
File name: C:\TEMP\certauth.der
Data type: Binary DER data
The goal of this step is to create a new SSL configuration that does not affect the
existing default node-level SSL settings. Creating a new SSL configuration, SSL
inbound channel, and SSL port provides this isolation.
256 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Click Get certificate Aliases and then click OK.
In the admin console of the WebSphere Application Server for z/OS, follow the
path to create a new transport chain: Severs → Application Servers →
servername → Web Container Settings → Web Container Transport
Chains.
Transport chain name: SecureWebServiceInbound
Transport chain template: WebContainer-Secure
Select a port for the Web service to accept inbound SSL calls to. In this example:
Port name: SecureWebServicePort
Host: *
Port: 19445
258 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
At this point, a new transport chain is created, however, the transport chain
defaults to the default SSL configuration, in our case NodeDefaultSSLSetttings.
The SSL configuration for the inbound transport chain needs to be changed to
the new SSL configuration WebServiceSSLConfig that was created in the
previous steps.
1. Select the SecureWebServiceInbound transport chain.
2. Click SSL inbound channel (SSL_4).
3. Check the radio button Centrally Managed (Figure 8-9).
Follow the path in the admin console to: SSL certificate and key
management → Manage endpoint security configurations →
SecureWebServicePort.
The user may be wondering whether it was necessary to create a new transport
chain and SSL configuration instead of using the centrally managed SSL
configuration that is defined at the node level from the WebSphere installation.
The forthcoming steps involve changing the ciphers for an SSL configuration.
Changing the ciphers for the node-level SSL configuration can result in problems
accessing the admin console in a base server configuration since it also uses
260 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
SSL and the admin console requires confidentiality. By creating a new SSL
configuration and transport chain, the SSL changes are isolated to the Web
service only.
In this example, the Web service requestor uses an SSL configuration that is
specific to this Web service port rather than a centrally manage SSL
configuration. The reason for choosing the SSL configuration that is specific to
the this Web service port is that the client binding only affects this Web service’s
outbound SSL call. Choosing a centrally managed SSL configuration would
require setting up an SSL configuration for an outbound port, which could affect
262 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
all applications using that port. Select Enterprise Applications →
SecurityCallerEAR → Manage Modules → SecurityCallerEJB.jar → Web
services deployment descriptor Extension → Web services client
bindings → Web services: Client security bindings → HTTP SSL
configuration. See Figure 8-12.
Figure 8-12 Selecting the SSL configuration for Web service client binding
Follow the path in the admin console to override the endpoint URL to reflect the
host name and port of the WebSphere z/OS system. The port should be the
same port you defined for the SSL inbound transport chain
SecureWebServicePort. Select Enterprise Applications →
SecurityCallerEAR → Manage Modules → SecurityCallerEJB.jar → Web
services deployment descriptor Extension → Web services client
bindings → SecurityInfoService:SecurityCallerEJB.
Figure 8-13 Changing the endpoint URL in Web service client binding
Figure 8-14 on page 265 illustrates the quality of protection panel for both
platforms.
264 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Figure 8-14 illustrates the quality of protection panel for both platforms.
Host: wtsc58.itso.ibm.com:19445
Accept: application/soap+xml,multipart/related,text/*
User-Agent: IBM WebServices/1.0
Cache-Control: no-cache
Pragma: no-cache
SOAPAction: ""
Connection: Keep-Alive
Content-Type: text/xml; charset=utf-8
Content-Length: 402
Date: Fri, 10 Nov 2006 15:25:10 GMT
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Header/>
<soapenv:Body><p98:obtainSecurityInfo
xmlns:p98="http://itso.ibm.com"><input>ITSO1916</input></p98:obtainSecu
rityInfo></soapenv:Body></soapenv:Envelope>(....[xU.n..........QHTTP/1.
1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Language: en-US
266 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Content-Length: 650
Date: Fri, 10 Nov 2006 15:25:13 GMT
Server: WebSphere Application Server/6.1
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Header/>
<soapenv:Body><p98:obtainSecurityInfoResponse
xmlns:p98="http://itso.ibm.com"><obtainSecurityInfoReturn><string>ITSO1
916</string><string>Fri Nov 10 15:25:13 GMT+00:00
2006</string><string>WTSC58</string><string>9.12.4.8</string><string>UN
AUTHENTICATED</string><string>z/OS</string><string>01.08.00</string></o
btainSecurityInfoReturn></p98:obtainSecurityInfoResponse></soapenv:Body
></soapenv:Envelope>...K.....g.\..o
Note: With the cipher suite group set to weak, you may not be able to access
the service endpoint URI from your Web browser directly to see the following
message since the browser does not support this cipher suite group:
{http://itso.ibm.com}SecurityInfo
Hi there, this is a Web service!
Example 8-4 shows the xml that will be added to the web.xml.
Using the previous setup from 8.2, “Integrity with SSL” on page 252,
confidentiality can be provided by switching the cipher suite group from weak to
medium or strong. Selecting a medium cipher suite group, WebSphere uses
40-bit encryption algorithms for providing confidentiality, and with a strong cipher
suite group, WebSphere uses 128-bit encryption algorithms. Both the medium
and strong cipher suite groups maintain data integrity as well as provide
268 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
confidentiality. The stronger the encryption algorithm the more secure the
connection. However, more processing is needed to encrypt and decrypt the
information.
Figure 8-16 on page 270 illustrates changing the cipher suite in the admin
console for both platforms.
270 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
8.3.6 Validating confidentiality with SSL
Execute the SecurityInfo application. The output should look like the same as
when you ran the SecurityInfo application with no security.
Looking at the output in the TCP/IP Monitor, the HTTP header and SOAP
message are no longer visible, as the data is now encrypted.
Note: You can also invoke the Web service from a browser using the Web
service endpoint URL, as the browser supports the cipher suite group:
https://wtsc58.itso.ibm.com:19445/SecurityInfoRouterWS/services/
SecurityInfo
Example 8-5 shows the xml that will be added to the web.xml.
The application must be redeployed after making the change to the deployment
descriptor.
Create a new keyring called WASKeyring.HD for the control user ID ASCR1 and
servant user ID ASSR1:
RACDCERT ADDRING(WASKeyring.HD) ID(ASCR1)
RACDCERT ADDRING(WASKeyring.HD) ID(ASSR1)
272 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Create a new personal certificate HDPersonal signed by HDCA with its key in
ICSF:
RACDCERT ID (ASCR1) GENCERT SUBJECTSDN(CN('HDPersonal') O('IBM'))
WITHLABEL('HDPersonal') SIGNWITH(CERTAUTH LABEL('HDCA')) TRUST
NOTAFTER(DATE(2010/12/20)) ICSF
Label: HDCA
Certificate ID: 2QiJmZmDhZmjgcjEw8FA
Status: TRUST
Start Date: 2006/11/21 00:00:00
End Date: 2010/12/20 23:59:59
Serial Number:
>00<
Issuer's Name:
>CN=HDwtsc58.itso.ibm.com.OU=IBM<
Subject's Name:
>CN=HDwtsc58.itso.ibm.com.OU=IBM<
Key Usage: CERTSIGN
Private Key Type: ICSF
Private Key Size: 1024
PKDS Label: IRR.DIGTCERT.CERTIFAUTH.SC58.BFBDE7690EF01249
Ring Associations:
Ring Owner: ASCR1
Ring:
>WASKeyring.HD<
Ring Owner: ASSR1
Ring:
>WASKeyring.HD<
Label: HDPersonal
Certificate ID: 2QXB4sPZ8cjE14WZopaVgZNA
Status: TRUST
Start Date: 2006/11/21 00:00:00
End Date: 2010/12/20 23:59:59
Serial Number:
>02<
Issuer's Name:
>CN=HDwtsc58.itso.ibm.com.OU=IBM<
Subject's Name:
>CN=HDPersonal.O=IBM<
Private Key Type: ICSF
Private Key Size: 1024
PKDS Label: IRR.DIGTCERT.ASCR1.SC58.BFBDE9BD1F5C88CC
Ring Associations:
Ring Owner: ASCR1
Ring:
>WASKeyring.HD<
274 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
SSL configurations → NodeDefaultSSLSettings → Key stores and
certificates → NodeDefaultTrustStore → Signer certificates.
Specify the absolute path to where the certificate was downloaded in binary and
provide a new alias name for the certificate. The data type indicates whether the
certificate was downloaded as binary data or base64. In this example:
Alias: HDCA
File name: C:\TEMP\certauth.der
Data type: Binary DER Data
Once imported, follow the admin console path SSL certificate and key
management → SSL configurations → WebServiceSSLConfig.
security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse.IBMJSSEProvider2
security.provider.4=com.ibm.jsse2.IBMJSSEProvider
security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.security.sasl.IBMSASL
security.provider.8=com.ibm.security.cmskeystore.CMSProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
The admin console in WebSphere V6.1 obtains the list of providers dynamically
from this file. Restart the application server to pick up the changes.
If the java.security file was updated with the IBMJCECCA provider, the admin
console shows two new types, JCECCARACFKS and JCECCAKS, in the
drop-down menu, as shown in Figure 8-17.
276 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Create the new certificate store with the values below and click Apply.
Name: HDCertStore
Path: safkeyringhw:///WASKeyring.HD
Change password: password
Confirm password: password
Type: JCECCARACFKS
Notice that the safkeyring URI has been changed to safkeyringhw:/// to indicate
that the keys are stored in hardware. See Figure 8-18.
Since the HDCA was added to the keyring for both control and servant region
user IDs, the signer certificate HDCA is viewable from the admin console.
The personal certificate will not be viewable since it was only added to the
keyring for the control region user ID.
278 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Click the Get Certificate aliases button, and then click Apply (Figure 8-20).
280 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
8.4.6 Configuring the z/OS Web service provider for confidentiality
In this example, the cipher suite group was changed to strong in the WebSphere
for z/OS admin console. Select Security → Secure Administration,
applications, and infrastructure → SSL Confirugrations.
1. Choose the WebServiceSSLConfig.
2. Under Additional Properties, select quality of protection (Qop) settings.
3. Change the cipher suite groups to strong.
If you are on a test system, stopping the ICSF address space and executing the
SecurityInfo application results in an SSLException:
javax.net.ssl.SSLException: Received close_notify during handshake
The application executes successfully after restarting the ICSF address space.
282 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
8.6.1 Confidentiality and client certificate scenario description
The user client invokes a servlet from a static Web page running in the
WebSphere distributed system. The WebSphere distributed run time initiates an
SSL handshake with the WebSphere for z/OS run time. During the handshake,
the WebSphere for z/OS certificate is sent to the WebSphere Application Server
on Windows. WebSphere on distributed validates this certificate against its
truststore. Additionally, a client certificate and encrypted message is sent from
WebSphere on Windows to WebSphere for z/OS to authenticate the client. A
strong cipher algorithm is negotiated between WebSphere on distributed and
WebSphere on z/OS. Finally, an SSL connection is established between the
client and server endpoints. Once the transport is secure, the SOAP message
flows from client to server.
284 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Click the Get key file aliases button. The certificate alias to import should fill in
with winservcert (Figure 8-23).
Otherwise, you will not be able to import the personal certificate exported from
WebSphere for z/OS.
Refer to:
http://www.ibm.com/developerworks/java/jdk/security/index.html
Label: WINSERVCERT
Certificate ID: 2QfmydXixdnl5snV4sXZ5cPF2eNA
Status: TRUST
Start Date: 2006/11/21 00:00:00
End Date: 2010/12/29 23:59:59
Serial Number:
>24<
Issuer's Name:
>CN=WAS CertAuth for Security Domain.OU=WebSphere for zOS<
Subject's Name:
>CN=WINSERV.OU=ITSO.O=IBM<
Private Key Type: Non-ICSF
Private Key Size: 1024
Ring Associations:
Ring Owner: WINSERV
Ring:
>WASKeyring.CL6581<
286 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
In the Windows admin console follow the path to SSL certificate and key
management → Key stores and certificates → NodeDefaultKeyStore →
Personal certificates → winserv. See Figure 8-24.
288 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
8.6.5 Configuring z/OS Web service provider for authentication
The process for configuring transport-level client certificate authentication for a
Web service is similar to that described in 8.1.1, “HTTP basic authentication
scenario description” on page 246. The Web service endpoint resides in a WAR
file and can be configured using the Web deployment descriptor editor.
1. In the J2EE perspective, traverse the tree under Dynamic Web Projects and
open the deployment descriptor for the SecurityInfoRouterWS.
2. Select the Security tab. Under the Security Roles, add a role named
SecureCustomer.
3. Under Security Constraints, add a security constraint named
SecureConstraint.
– Set Resource Name to Secure Web Resource.
– Select the check box for “GET, and POST” HTTP Methods.
– Add the pattern /*.
4. Under Authorized Roles, add SecureCustomer.
5. Select the Pages tab. Under Authentication Method, select CLIENT_CERT.
290 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
8.6.6 Validating client certificate authentication
Successful output from the application should show the user principal of the user
ID associated with the personal certificate in the Web page table Remote
SecurityInfoBean Information. In this scenario WINSERV is seen as the user
principal. See Figure 8-27.
Attention: For the client certificate scenario to work successfully, the fix for
PK31729 needed to be applied, which corrected a problem with authorization
errors when creating native credentials.
Identity propagation refers to the basic level capability of passing the user
identity from one server to another server. In the context of WebSphere
Application Server for z/OS, a user initially authenticates to one server. This
WebSphere server creates a JAAS subject that contains a principal that
possesses the user identity. If there is any following request to another
WebSphere server, the user identity is propagated to this other server so that
single sign-on occurs and so that the other server’s principal gets populated with
the user identity.
294 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
There are two different security attribute propagation styles:
Horizontal propagation
Propagation occurs across front-end servers for Web application HTTP
requests. Propagation relies on DynaCache and JMX.
Vertical propagation
Propagation occurs between a front-end server and a back-end server for
EJB application RMI-IIOP requests. Propagation relies on RMI-IIOP and
CSIv2. This vertical attribute propagation style is also called downstream
propagation.
WebSphere Application Server for z/OS may obtain security attributes from
either an enterprise user registry, which queries static attributes, or a custom
login module, which can query static or dynamic attributes. WebSphere
propagates only the objects within the subject that it can serialize. This means
that it propagates custom objects on a best-effort basis.
Figure 9-1 Horizontal and vertical propagation - initial and propagation login
When an user connects to a Web infrastructure for the first time, he typically
does an initial login with WebSphere Application Server for z/OS. His credentials
are validated against the user registry and the JAAS subject is created by the
login module. This request might make a remote EJB call, and vertical security
attribute propagation would happen. A following user request can reach the
same server or a different server. Because the user already provided his
296 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
credentials, a propagation login happens. If the request reaches a server
different from the original server, then horizontal security attribute propagation
happens.
Custom tokens added by other servers and front end are not used by
WebSphere for authorization or authentication. Any custom tokens that are used
in this framework are not used by WebSphere Application Server for
authorization or authentication. WebSphere Application Server handles the
propagation details, but does not handle serialization or deserialization of custom
tokens. Serialization and deserialization of these custom tokens are carried out
by the implementation and handled by a custom login module.
For more information about how to develop a custom token, refer to IBM
WebSphere Application Server V6.1 Security Handbook, SG24-6316.
298 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
tells the receiving server where the originating server is located and how to
communicate with that server. Additionally, the SSO token also contains the key
to look up the serialized attributes.
The benefit of using horizontal attribute propagation is that you do not need to
perform any remote user registry calls during a propagation login because the
application server can regenerate the JAAS subject from the serialized
information. Without this ability, the application server might make five to six
separate remote calls. It is also very useful if you need to gather dynamic
security attributes set at the original login server that cannot be regenerated at
the other front-end server.
If JMX fails, WebSphere falls back to an initial login in order to recreate the JAAS
subject. In this case security attribute propagation does not occur, but identity
propagation (or single sign-on) still occurs because the user identity is stored in
the single sign-on token. The login modules are called to recreate the JAAS
subject but the user does not have to re-authenticate.
In this example, server 1 and server 2 are part of the same data replication
service. Server 3 and server 4 are part of the same data replication service.
300 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
5. Server 1 creates the single sign-on token that represents this subject. It
contains the user uniqueid and time stamp, optional custom key information,
and the application server’s JMX administrative endpoint.
6. Server 1 sends this single sign-on token to the user’s browser in the form of a
cookie (LtpaToken2).
7. The user then accesses another Web application in server 3. This is a
propagation login. The browser sends the single sign-on token along with the
request.
8. Server 3 retrieves the user identity, and retrieves the uniqueid and the original
server JMX endpoint from the single sign-on token.
9. Server 3 tries to find the security context information in the local security
cache. Because the user did not use this server 3 before, it cannot find it.
10.Server 3 tries to find the security context information in the DynaCache.
Because DRS is not configured between server 1 and server 3, it cannot find
it.
11.Server 3 then makes a JMX call to the original server to retrieve the serialized
JAAS subject.
12.Server 3 creates the subject containing all the security context information
found in the original server 1.
With the Web inbound security attribute propagation enabled, the security
attributes of the originating server where the initial login occurred will get
propagated to the receiving server. These security attributes include any custom
attributes or tokens that are set in the custom login modules in the login server.
302 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
in the cell. In a deployment manager configuration, the LTPA keys generated at
the deployment manager level are automatically replicated to all servers’
members of the same cell.
For cross-cell single sign-on to happen, all servers must be able to decrypt the
single sign-on token (new LtpaToken2). Hence, they must all share the same
LTPA key. If LTPA keys are generated separately in every cell, then all LTPA
keys are different, and servers from one cell are not able to decrypt single
sign-on tokens coming from other cells. See Figure 9-4.
Figure 9-4 Cross-cell identity propagation or single sign-on and LTPA tokens
To share the same LTPA key, it is necessary to generate the LTPA key once in
one cell, to export this LTPA key, and to import this LTPA key in any other cell
that you want to single sign-on with. Then all servers share the same LTPA, and
they are all able to decrypt the LTPA token coming from another.
3. Transfer the key file in binary format to the deployment manager of the target
cell.
4. Import the LTPA keys to this target cell. From the deployment manager
administrative console, navigate to Secure administration, applications,
and infrastructure → Authentication mechanisms and expiration. Under
Cross-cell single sign-on, specify the same password for the key file. Enter
the transferred key file name and path in an HFS. Click Import. Save the
changes to the master configuration.
5. Repeat the last two steps with any other cell that you want to single sign-on
with.
304 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Cross-cell horizontal attribute propagation
For cross-cell attribute propagation to happen, identity propagation or single
sign-on is a prerequisite. Hence, the process described in the preceding section
has to be executed.
Horizontal attribute propagation implies the usage of JMX calls. If you are using
JMX across cells then a great deal of trust is implied between the cells. In
addition to the requirement for shared LTPA encryption keys, the cell level server
identities end up with substantial authority across the cell boundaries. This is
because, as with any administrative call, the JMX call requires authentication
and authorization.
For the remote JMX administration call across the cell to succeed, the two cells
must share a common security infrastructure, registries, SSL Keys, and so on.
Also, the cell’s security server ID must have administrative access to the remote
cell. All cells must completely trust each other. Each has administrative authority
over the other. The same behavior holds with propagation within a cell, but in that
case there is no issue because servers within a cell already trust each other and
share a common administrative identity.
Note: This does not apply when vertical or downstream attribute propagation
occurs using IIOP. In that case the upstream server simply sends the
complete serialized subject to the downstream server. No JMX callbacks are
required.
9.3.1 CSIv2
Common Secure Interoperability version 2 (CSIv2) is a standard security
protocol for RMI-IIOP communication. CSIv2 defines the Security Attribute
Service (SAS) that enables interoperable authentication, delegation, and
privileges. CSIv2 supports SSL and interoperability across J2EE vendors. CSIv2
is the authentication protocol of choice for the EJB container.
The standard CSIv2 protocol defines three layers: the transport layer, the
message layer, and the attribute layer, as shown in Figure 9-6.
306 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
CSIv2 offers multiple authentication mechanisms depending on the layer being
used:
At the transport layer level, SSL client certificate authentication (mutual
authentication) can be used. This authentication occurs during the connection
handshake using SSL certificates. The advantage of using a certificate is
increased authentication performance. The disadvantage is the complexity of
configuring each client with the proper keystore.
At the message layer level, basic authentication or mechanism-specific
format tokens such as the LTPA token can be used.
At the attribute layer level, an identity token when doing identity assertion can
be used.
You can use ID assertion when an intermediary server must invoke a service
from a downstream server on behalf of the client. The intermediary server
establishes a trust relationship with the downstream server (using authentication,
for instance, but not necessarily) and then is recognized as a trusted partner by
the downstream server. The intermediary server can then assert the client
identity to the downstream server.
CSIv2 identity assertion is standard. This means that it can be used across J2EE
vendor application servers.
With identity assertion, the authenticated user in one server is validated by the
downstream server. Hence, users’ identities must be known by both servers.
Asserted identity
The asserted identity flows in the attribute layer. WebSphere Application Server
for z/OS supports the following identity formats:
SAF identity
This is a raw user identity. It is typically used with the local operating system
user registry.
Distinguished name
This is typically used when LDAP is the user registry.
Certificate
This is typically used when client certificate authentication is configured in the
front-end server.
Trust relationship
Identity assertion relies on the trust relationship between an intermediary server
and a downstream server. Because of this, the downstream server trusts the
intermediary server and accepts the asserted identity.
With CSIv2 standard identity assertion, the trust relationship can be established
in different ways:
At the message layer level using basic authentication or a LTPA token.
At the transport layer level using client certificate authentication (mutual
authentication).
Outside of the CSIv2 protocol, assuming that the trust is enforced outside of
the CSIv2 flow itself. Trust can be enforced at the network level, for instance.
For example, network appliances such as firewalls can be used to create a
secured zone in which servers trust each others.
308 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
9.3.3 CSIv2 standard identity assertion in action
During a CSIv2 identity assertion between an upstream server (outbound server)
and a downstream server (inbound server), the following happens:
The outbound server authenticates to the inbound server to establish trust
with one of the following mechanisms:
– Client certificate authentication
The outbound server’s client certificate must be verifiable by the inbound
server. The client certificate authority must be connected to the inbound
server’s keyring. The outbound server’s certificate must be mapped to an
identity in the inbound server registry.
– Basic authentication
The outbound server identity and password must be in the inbound
server’s registry.
The outbound server provides the attribute layer asserted identity only with no
password. This identity can be a RACF ID, an LDAP DN, a certificate, and so
on.
The inbound server receives the outbound server identity and the asserted
identity.
The inbound server checks whether the outbound server (from the outbound
server identity) is in its list of trusted servers. If so, it authenticates the
upstream server. You can use the System Authorization Facility (SAF) CBIND
class to indicate that a process is trusted to assert identities to WebSphere
Application Server for z/OS.
The inbound server accepts the asserted identity and creates credentials by
querying the registry. No validation is performed on the asserted identity (no
password, token, and so on).
For CSIv2 stateful connections, this checking is done only once. All subsequent
requests are made through a session ID.
310 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Consider the following options:
TCP/IP
If you select this option, the server opens TCP/IP connections with
downstream servers only.
SSL required
If you select this option, the server opens SSL connections with downstream
servers.
SSL supported
If you select this option, the server opens SSL connections with any
downstream server that supports them and opens TCP/IP connections with
any downstream servers that do not support SSL.
If you choose SSL required or supported, you can configure the SSL settings you
wish to use.
312 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Consider how to create the trust relationship for identity assertion:
Basic authentication
If you select Required for this option, then message-layer authentication
occurs. This can be basic authentication user ID and password or it can be an
LTPA token being sent.
Client certificate authentication
If you select Required for this option, then transport-layer SSL client
certificate authentication occurs. Typically, client certificate authentication has
a higher performance than message-layer authentication, but requires some
additional setup. These additional steps include verifying that this server has
a personal certificate and that the downstream server has the signer
certificate of this server.
For identity assertion to occur, select the Identity assertion check box. The
identity asserted is the client identity. If there are multiple identity types to assert,
the identity is asserted in the following order: client certificate, distinguished
name (DN), System Authorization Facility (SAF) user ID.
Once you check the Identity assertion check box, choose between “Use server
trusted identity” and “Specify an alternative trusted identity.”
314 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
“Use server trusted identity” specifies the server identity that the application
server uses to establish trust with the target server. The server identity can be
sent using a server ID and password when the server password is specified in
the registry configuration, or using a server ID in an LTPA token when the
internal server ID is used.
For interoperability with application servers other than WebSphere, configure the
server ID and password in the registry, then select the Specify an alternative
trusted identity option and specify the trusted identity and password so that an
interoperable Generic Security Services Username Password (GSSUP) token is
sent instead of an LTPA token.
On z/OS systems, the stateful sessions option is ignored. The sending server
prefers stateful sessions and uses them if the receiving server supports them.
“Login configuration” specifies the type of system login configuration that is used
for outbound authentication. You can add custom login modules before or after
this login module. “Custom outbound mapping” enables the use of custom RMI
outbound login modules. The custom login module maps or performs other
functions before the predefined RMI outbound call.
316 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
For identity assertion, depending on the trust relationship mechanism you want
to use, you have to choose the transport accordingly. For example, if you want to
create a trust relationship with SSL client certificate authentication, then you
need to choose SSL required. If you want to create a trust relationship with basic
authentication, you may simply use TCP/IP as a transport, although you may
choose to use SSL for encrypting the communication flow so that identities and
passwords do not flow in clear.
If you choose SSL required or supported, you can configure the SSL settings you
wish to use.
318 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
This configuration has to match the CSIv2 client server configuration. See
Figure 9-11.
For identity assertion to occur, select the Identity assertion check box. The
identity asserted is the client identity.
On z/OS systems, the stateful sessions option is ignored. The sending server
prefers stateful sessions and uses them if the receiving server supports them.
On the CSIv2 downstream server side, using the administrative console, click
Security → Secure administration, applications, and infrastructure. Under
Authentication, click RMI/IIOP security → CSIv2 inbound transport → z/OS
Additional Settings.
Choose the type of client identities allowed to be asserted from the upstream
server:
System Authorization Facility (SAF) user names
Distinguished names (LDAP user identities, for example)
X.509 certificates
This configuration has to match the CSIv2 client server configuration. See
Figure 9-12.
320 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
9.3.5 Our CSIv2 identity assertion scenario
We present in this section our CSIv2 identity assertion scenario in our
environment.
The ejbMagic application does some local EJB calls and some remote EJB calls.
It can be deployed into multiple WebSphere cells, and then used to call itself to
help verify inter-WebSphere cell communication. The SnoopMagicEjb EJB
consists of a method called snoopInfo. This is the method that gathers the
information such as Java principal, and so on, and calls the remote EJB. In
addition, four other EJB methods allow the testing of different RunAs settings
(siNoRunAs, siRunAsServer, siRunAsCaller, siRunAsRoleWorker).
On the upstream server, we check the Identity Assertion check box. Because
we use the local operating system user registry (RACF), a SAF identity is
asserted in the CSIv2 attribute layer. See Figure 9-14.
For more information about how to configure this panel, refer to 9.3.4, “CSIv2
standard identity assertion implementation” on page 310.
322 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
On the downstream server, we check the Identity Assertion check box to
enable identity assertion. See Figure 9-15.
For more information about how to configure this panel, refer to 9.3.4, “CSIv2
standard identity assertion implementation” on page 310.
324 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Our EJBMagic scenario in action
In our scenario, a servlet calls a local EJB and then this local EJB calls a remote
EJB, as shown in Figure 9-17.
With our scenario, the local EJB is called by the servlet with the runAs role of
worker and the remote EJB is called by the local EJB with runAs caller.
The JNDI value we use for the remote EJB call is the following:
corbaname::9.12.4.34:22809/NameServiceServerRoot#cell/nodes/nd6622/serv
ers/ws6622/ejb/itso/em/ejb/SnoopMagicEjbHome
This value tells the ejbMagic application running in the ws6611 server to pass
this lookup value to WebSphere to locate the remote EJB in the ws6622 server.
The 22809 port is the Boostrap port of the ws6622 server. More information
about how to find the initial context is available in the InfoCenter:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/
com.ibm.websphere.zseries.doc/info/zseries/ae/rnam_example_prop1.html
326 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
We then click the Let’s do some magic button.
Figure 9-19 shows that the servlet JAAS principal is daubman. This is the user
who authenticates to the upstream server.
Figure 9-20 shows that the local EJB JAAS principal is TIWARI. It also shows
that the caller (the servlet) identity was daubman. TIWARI is the runAs role
worker identity set in the APPLDATA field of the EJBROLE RACF profile.
CSIv2 identity assertion flowed the runAs identity from the upstream server to the
downstream server.
328 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
attributes are passed to the EJB running on the downstream server by using the
CSIv2 protocol that is established between the WebSphere Application Servers.
CSIv2 is the authentication mechanism used for EJBs, and hence the vertical
security propagation is enabled in the CSIv2 inbound and outbound panels in the
administrative console.
CSIv2 identity assertion is standard. This means it can be used across J2EE
vendors’ application servers.
330 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
4. The user request accesses a remote EJB located on server 5 with CSIv2.
Server 1 serializes the complete JAAS subject content with all attributes and
tokens within the RMI-IIOP request.
5. Server 5 receives the request and, because tokens are found, executes a
propagation login. If no token was found it would execute an initial login
asking for credentials. The propagation login deserializes the complete JAAS
subject content with all attributes and tokens.
6. Server 5 creates the subject containing all the security context information
similar to the security context in the original server 1. This hydrated subject is
associated with the CSIv2 session for the following requests.
332 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
3. Check the option for Security attribute propagation (Figure 9-24). This
option enables vertical or downstream propagation. It deserializes the full
security context within the RMI-IIOP call.
4. Click Apply and save the configuration in the master repository.
With the security attribute propagation enabled, the security attributes of the
originating server where the initial login occurred get propagated to the
downstream server. These security attributes include any custom attributes or
tokens that are set in the custom login modules in the login server.
In a multiple cells environment, LTPA keys and security configurations are likely
to be different by default and need some adjustment to be able to communicate.
Refer to “Cross-cell identity propagation or single sign-on” on page 303 for how
to configure LTPA keys across cells.
334 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
10
Unlike the distributed platforms, the local operating system registry on the z/OS
platform can be used in a multiserver z/OS environment, since the security
database can be easily shared across the sysplex. In such a configuration,
multiple WebSphere z/OSs on different LPARs share the same security
database.
The local operating system registry on z/OS is compatible with z/OS Enterprise
Information Systems such as CICS, IMS, and DB2. This is major benefit when
flowing the original identity from WebSphere Application Server for z/OS to
back-end EIS.
336 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
When should you use a local operating system registry?
When the authenticated users are present in the local security subsystem
(intranet)
When the best performance available is mandatory
When comprehensive end-to-end security is needed (user ID existing in the
Web server, Web container, EJB container, and back-end system)
When good auditing support is needed
When the users and application security need to be managed by the RACF
security administrators
When OS thread security or thread identity support are needed
LDAP servers act as a repository for user and group information. WebSphere
Application Server for z/OS binds to the LDAP server to retrieve this user and
group information. This support is provided by using different user and group
filters. These filters are highly configurable to be able to access all sorts of LDAP
servers.
LDAP servers are incompatible with z/OS Enterprise Information Systems such
as CICS, IMS, and DB2. Hence, some more complex steps are required to
access these systems with the user identity.
It allows you to plug in any kind of registry whose support is not implemented by
WebSphere Application Server security.
Federated repositories
This registry type is new with WebSphere Application Server for z/OS v6.1.
Federated repositories enable us to use simultaneously multiple repositories with
WebSphere Application Server for z/OS. These repositories, which can be
file-based repositories, LDAP repositories, or a sub-tree of an LDAP repository,
are defined combined under a single realm. All of the user repositories that are
configured under the federated repository functionality are transparent to
WebSphere Application Server for z/OS.
Unlike the local operating system, standalone LDAP registry, or custom registry
options, federated repositories provide user and group management with read
and write capabilities. If you do not configure the federated repositories
functionality or do not enable federated repositories as the active repository, you
cannot use the user management capabilities that are associated with federated
repositories.
338 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
10.2 Our scenario and our environment
This chapter focuses on showing how to configure WebSphere Application
Server for z/OS with different registry types. For this purpose we define a LDAP
tree whose goal is to be accessed by WebSphere Application Server for z/OS in
different manners, illustrating typical WebSphere configurations. This LDAP tree
is shown in Figure 10-1.
Figure 10-1 Our scenario LDAP tree and supporting LDAP servers
340 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
10.3.1 WebSphere and z/OS LDAP SDBM back end (RACF)
z/OS LDAP can handle many different types of back ends. One of them is SDBM,
and it uses the RACF database as a data repository.
With a SDBM back end, RACF user profiles, group profiles, and user to groups
connections appear as LDAP entries with distinguished name to LDAP clients. All
binds are authenticated with a RACF distinguished name and a RACF password.
z/OS LDAP SDBM supports add, modify, delete, and search operations. The
access controls for user and group profiles are the RACF privileges of the
authenticated user.
342 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
The RACF user ID being used (valence in our example) must have the proper
access to list users and groups from the RACF database. It should be a
RACF user ID with the AUDITOR attribute, a valid OMVS segment (specific
or implied by a defaulted segment), and it does not need a TSO segment.
See Figure 10-2.
Figure 10-2 LDAP client connection configuration for SDBM back end
Figure 10-3 LDAP client showing z/OS LDAP SDBM back-end (RACF) content
Verify that administrative security is enabled and also that application security
is enabled if necessary. Click Apply on this page to keep these settings.
2. Click Configure and set up the general properties for the z/OS LDAP server:
– Primary administrative user name: This ID is the security server ID, which
is only used for WebSphere Application Server administrative security and
is not associated with the system process that runs the server. We use
racfid=valence,profiletype=user,ou=itsoracf,o=itso in our environment.
This primary user name will be used to log on to the administrative
console, for example.
– Server user identity: Select Automatically generated server identity in a
WebSphere 6.1 only environment.
– Type of LDAP server: Select Custom.
– Host and port: Enter the full DNS host name and TCP port to access z/OS
LDAP. We use wtsc58.itso.ibm.com and 3389 in our environment.
– Base distinguished name (DN): The base DN indicates the starting point
for searches in this LDAP directory server. It is the suffix ou=itsoracf,o=itso
in our environment.
– Bind distinguished name (DN) and password: The bind DN is required if
anonymous binds are not possible on the LDAP server to obtain user and
group information. We use
racfid=mogos,profiletype=user,ou=itsoracf,o=itso in our environment. This
344 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
is a technical user identity to connect to LDAP. This identity is allowed to
list RACF users and groups.
– Make sure that Ignore case for authorization is selected. RACF user
names and group names are not case-sensitive.
Then click Apply.
346 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
It is also possible to validate the user registry being used with the snoop servlet,
which is bundled in WebSphere for z/OS. With application security enabled, the
snoop servlet requires basic authentication. Call the snoop with a URL such as
the following:
http://wtsc58.itso.ibm.com:49080/snoop/
Authenticate providing a z/OS LDAP SDBM user name and password (RACF
user name and password) (Figure 10-7). The snoop servlet then appears and
shows the authenticatedprincipal.
Once authenticated, the snoop servlet displays lots of information and more
specifically the authenticated user (valence in our example). See Figure 10-8.
348 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
SAF ID is already part of the DN. LTPA is assumed to be the authentication
mechanism. SWAM has been deprecated as of v6.1.
2. Add SampleSAFMappingModule to JAAS login. This configuration is identical
in V6.0 and V6.1. Only the admin console path is different.
– v6.0: Go to Security → Global Security.
– v6.1: Go to Security → Secure administration, applications, and
infrastructure. Under Authentication expand JAAS Configuration on
v6.0 and Java Authentication and Authorization Service on v6.1.
Click System Logins.
3. Modify DEFAULT, RMI_INBOUND, and WEB_INBOUND. Modification is
identical for all three system login configurations. Make sure that you alter all
three of them. Click the Alias name, click JAAS login modules, click New.
For the module class name enter
com.ibm.websphere.security.SampleSAFMappingModule and check the Use
login module proxy check box. Verify that the authentication strategy is set
to REQUIRED. Click OK. The SampleSAFMappingModule needs to be
searched just before the MapPlatformSubject module. The ltpaLoginModule
is at search order one. The MapPlatformSubject should occupy the last
position. Since a newly added login module is always placed at the last
position, we need to change the login module search order. Click Set Order.
Select the just added
com.ibm.websphere.security.SampleSAFMappingModule and click the
Move up button, then click OK. See Figure 10-9.
Figure 10-9 Change login module load order (WAS v6.0.2 illustration)
Figure 10-10 JAAS login modules on a system login alias (WAS v6.0.2 illustration)
5. Make sure that the EJBROLE class is active and RACLISTed. Optionally,
configure the grouping class GEJBROLE. Define all administrative and
naming roles as explained in 13.1.3, “Administrative security with SAF
authorization” on page 450, and 13.3.2, “Mapping users or groups to
CosNaming roles” on page 468, and permit the appropriate user IDs and
groups to the profiles. If you already have applications deployed, examine the
J2EE roles and define them as well in the EJBROLE class, with the
appropriate access list. Both administrative and application security must be
enabled. Remove all WebSphere bindings from the configuration. If you are
migrating from WebSphere bindings to SAF authorization (SAF bindings), we
recommend that you define all EJBROLE class profiles and permits in
advance.
Now bring down the cell or base server and restart. One difference between
WebSphere and SAF bindings to be aware off is the possibility that more than
one application could specify the same J2EE role name. In the case of SAF
bindings, authorization checks to the roles in those applications would result in a
SAF call to one and the same profile in the EJBROLE class, and therefore would
grant access to all applications with identical role names. In the case of
WebSphere bindings the mapping is at application level. We always recommend
having development discuss role naming with RACF security administrators.
350 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
z/OS LDAP TDBM configuration
The z/OS LDAP installation is described in Distributed Security and High
Availability with Tivoli Access Manager and WebSphere Application Server for
z/OS, SG24-6760. In this section we focus on the configuration part.
1. For configuring z/OS LDAP with an TDBM back end, find the LDAP
configuration that should be in the SLAPDCNF member of the LDAP
customization data set. In our environment, the z/OS LDAP configuration file
is WTSC58.LDAP1.CNTL(SLAPDCNF). In this LDAP configuration file,
uncomment or set up the following parameters:
database tdbm GLDBTDBM
suffix "ou=itsotdbm,o=itso"
servername DB2B
dbuserid GLDSRV
databasename GLDDB
dsnaoini WTSC58.LDAP1.CNTL(DSNAOINI)
attroverflowsize 255
where the suffix is the top of the LDAP tree that you want for your
organization. We choose ou=itsotdbm,o=itso in our environment. the suffix
does not necessarily need to have an organization unit (ou=). It may contain
an organization only (o=). The DB2 back-end configuration refers to the DB2
setup made at z/OS LDAP installation time.
Example 10-3 shows an extract of our z/OS LDAP configuration for using a
TDBM back end.
Attention: There are no spaces between the comma (,) and o=. Those
schema files contain the objects and attributes used to organize data
following IBM schema and for the SAF native authentication object class.
352 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
5. From Unix System Services, use the ldapmodify command to load the
schema files into z/OS LDAP:
ldapmodify -h wtsc58 -p 3389 -D "cn=LDAP Administrator" -w secret -f
/etc/ldap/schema.user.ldif
ldapmodify -h wtsc58 -p 3389 -D "cn=LDAP Administrator" -w secret -f
/etc/ldap/schema.IBM.ldif
Load schema.user.ldif followed by schema.IBM.ldif. The options here are:
– -h host name: defines the host name where LDAP is running
– -p portnumber: defines the port on which LDAP is listening
– -D adminDN: defines the administrator distinguished name (DN)
– -w password: administrator password
6. We now add entries to the z/OS LDAP with a TDBM back end because it is
empty. We add a suffix entry and a person entry. For this purpose create a
new schema.suffix.ldif that contains the following:
dn: ou=itsotdbm,o=itso
objectclass: organizationalUnit
objectclass:top
ou: itsotdbm
dn: cn=UserTdbm,ou=itsotdbm,o=itso
objectClass: inetOrgPerson
objectClass: ePerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: UserTdbm
uid: UserTdbm
sn: 2006
description: Test user for TDBM
Customize the above entries to match your suffix and the user name you want
for a first user.
Use a command similar to the following to add the entries to the LDAP tree:
ldapadd -h wtsc58 -p 3389 -D "cn=LDAP Administrator" -w secret -f
schema.suffix.ldif
7. We set up a password for the above new user creating a file called
user.password.ldif, which contains the following:
dn: cn=UserTdbm,ou=itsotdbm,o=itso
changetype:modify
replace:userpassword
userpassword: usertdbm
Figure 10-11 LDAP client connection configuration for TDBM back end
354 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Using this configuration we access the z/OS LDAP TDBM content. We can
see the suffix entry and the UserTdbm entry. See Figure 10-12.
Figure 10-12 LDAP client showing z/OS LDAP TDBM back-end content
Verify that administrative security is enabled and also the application security
is enabled if necessary. Click Apply on this page to keep these settings.
2. Click Configure and set up the general properties for the z/OS LDAP server:
– Primary administrative user name: This ID is the security server ID, which
is only used for WebSphere Application Server security and is not
associated with the system process that runs the server. We use
356 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Then click Apply.
Also, it is possible to validate the user registry being used with the snoop servlet,
which is bundled in WebSphere for z/OS. With the application security enabled,
the snoop servlet requires basic authentication. Call the snoop servlet with a
URL such as the following:
http://wtsc58.itso.ibm.com:49080/snoop/
358 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Authenticate providing the user name and password defined earlier. The snoop
servlet then appears and shows the authenticated principal. Once authenticated,
the snoop servlet displays lots of information and more specifically the
authenticated user (usertdbm in our example). See Figure 10-15.
Figure 10-15 Snoop servlet showing authenticated z/OS LDAP TDBM user ID
360 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Restart the LDAP server to activate these configuration modifications. You
should now see the following message in the LDAP JOBLOG:
The useNativeAuth configuration option SELECTED has been enabled.
When using the TDBM back end for native authentication, users need to have
the ibm-nativeAuthentication objectclass and ibm-nativeId attribute. If you have
existing users in your LDAP TDBM back end, you need to modify their definition
to include the ibm-nativeAuthentication objectclass and ibm-nativeId attribute.
For our configuration we create a new user with such an attribute and objectclass
using a file called newuser.ldif, which contains the following:
dn: cn=valence,ou=itsotdbm,o=itso
objectClass: inetOrgPerson
objectClass: ePerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: valence
uid: valence
sn: 2006
description: Test user for TDBM Native
ibm-nativeId: VALENCE
objectclass: ibm-nativeAuthentication
Use a command similar to the following to add the entries to the LDAP tree:
ldapadd -h wtsc58 -p 3389 -D "cn=LDAP Administrator" -w secret -f
newuser.ldif
This ldif entry does not have any password. The password will be verified against
the VALENCE entry in the RACF database.
The ibm-nativeId attribute specifies the user ID to which the entry binds to in the
RACF database. In this example, the valence LDAP entry binds to the user
VALENCE in the RACF database.
Figure 10-16 LDAP client showing z/OS LDAP TDBM native authentication entry
362 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Authenticate providing the user name and password defined earlier with the
native authentication attribute and objectclass. The distinguished name
(cn=valence,ou=itsotdbm,o=itso) or the common name only (valence) can be
used. The RACF password corresponding to the ibm-nativeId attribute has to be
provided. If the common name and the ibm-nativeId match, credentials provided
are RACF credentials. The snoop servlet then appears and shows the
authenticated principal. See Figure 10-17.
Figure 10-17 Snoop servlet showing authenticated z/OS LDAP TDBM native
authentication user ID
When you configure a property extension repository, you can supply a valid data
source, a direct connection configuration, or both. WebSphere first tries to
connect by way of the data source. If the data source is not available, then the
system uses the direct access configuration.
364 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Figure 10-18 presents the WebSphere federated repositories architecture
overview. The federated repository feature is also called Virtual Member
Manager (VMM).
Simultaneous Yes No
multi-registry support
When you use the federated repositories functionality, all of the configured
repositories, which you specify as part of the federated repository configuration,
become active. It is required that the user ID, and the distinguished name (DN)
for an LDAP repository, be unique in multiple user repositories that are
configured under the same federated repository configuration.
366 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
In this section we focus on configuring WebSphere Application for z/OS for a
federated repository composed of z/OS LDAP TDBM and IBM Tivoli Directory
Server. See Figure 10-19.
In the following section we start to federate z/OS LDAP TDBM. Then we validate
that it works also with native authentication, and finally we federate ITDS. At the
Note: WebSphere Application Server for z/OS v6.1 does not currently support
federated repositories with a z/OS LDAP SDBM back end. For accessing a
z/OS LDAP SDBM back end, WebSphere can use a Standalone LDAP
registry configuration.
368 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
– For a TDBM back end with the schema loaded, leave uid in the Login
properties field.
– It is possible to configure SSL for securing the connection to the LDAP
server. We do not implement this feature in our environment.
Then click Apply and save to the master configuration. WebSphere validates
that it can access the LDAP server.
Figure 10-20 WebSphere configuration for z/OS LDAP TDBM as a federated repository
370 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
d. Remove the existing file-based InternalFileRepository by selecting it and
clicking Remove.
Then click Apply and save to the master configuration. WebSphere validates
that it can find the administrative user identity.
372 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Also, it is possible to validate the user registry being used with the snoop servlet,
which is bundled in WebSphere for z/OS. With the application security enabled,
the snoop servlet requires basic authentication. Call the snoop servlet with a
URL such as the following:
http://wtsc58.itso.ibm.com:49080/snoop/
Authenticate providing the user name and password defined earlier. The snoop
servlet then appears and shows the authenticated principal (Figure 10-24).
Figure 10-24 Snoop servlet showing authenticated z/OS LDAP TDBM user ID
You can now access your secured applications with user IDs and password in
RACF. For example, in our environment, the valence user can access the snoop
servlet providing his RACF password. See Figure 10-25.
Figure 10-25 Snoop servlet showing authenticated z/OS LDAP TDBM native
authorization user ID
In order to access the administrative console, users need to be added to the list
of administrative roles.
374 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
For example, access the administrative console with the existing administrative
user ID (usertdbm in our example), then add any new user (valence in our
example) with an administrative role. See Figure 10-26.
On the Windows platform, ITDS can be configured using the idsxcfg utility. This
utility is available using the following command:
C:\Program Files\IBM\LDAP\V6.0\sbin\idsxcfg.cmd
Figure 10-27 IBM Tivoli Directory Server idsxcfg current configuration display
We now add entries to ITDS because it is empty. We add a suffix entry and a
person entry. For this purpose create a new schema.suffix.ldif that contains the
following:
dn: ou=itsoitds,o=itso
ou: itsoitds
objectclass: organizationalUnit
objectclass: top
376 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Customize the above entries to match your suffix and the user name you want for
a first user.
Use a command similar to the following to add the entries to the LDAP tree:
C:\Program Files\IBM\LDAP\V6.0\bin>ldapadd -D "cn=LDAP Administrator"
-w secret -i schema.suffix.ldif
We set up a password for the above new user, creating a file called
user.password.ldif, which contains the following:
dn: cn=UserItds,ou=itsoitds,o=itso
changetype:modify
replace:userpassword
userpassword: useritds
Use a command similar to the following to modify the user entry in the LDAP tree:
C:\Program Files\IBM\LDAP\V6.0\bin>ldapmodify -D "cn=LDAP
Administrator" -w secret -i user.password.ldif
378 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
g. It is possible to configure SSL for securing the connection to the LDAP
server. We do not implement this feature in our environment.
Then click Apply and save to the master configuration. WebSphere validates
that it can access the LDAP server.
380 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
In our configuration we federate z/OS LDAP with ITDS. Because we already
configured this panel for z/OS LDAP, we do not need to do any further
configuration. This means that the primary administrative user name stays a
user name from our first registry (cn=UserTdbm,ou=itsotdbm,o=itso). The
realm name is the one for all federated registries. See Figure 10-32.
It is possible to validate the federated user registry with the snoop servlet, which
is bundled in WebSphere for z/OS. With the application security enabled, the
snoop servlet requires basic authentication. Call the snoop servlet with a URL
such as the following:
http://wtsc58.itso.ibm.com:49080/snoop/
Authenticate providing the user name and password defined ealier for the last
federated repository (UserItds in our example). The snoop servlet then appears
and shows the authenticated principal. See Figure 10-33.
Because user registries are now federated, the user from z/OS LDAP TDBM
(UserTdbm) can also be used with the same configuration at the same time.
All this validates the federated repositories set up with a z/OS LDAP TDBM and
IBM Tivoli Directory Server. Native authentication can also be used.
382 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
In this section we describe specific z/OS options available when using the local
operating system registry.
Use SAF authorization to have EJBROLE security enforced by the z/OS security
product, such as RACF. In that case, SAF EJBROLE profiles are used for
user-to-role authorization for both J2EE applications and the role-based
authorization requests (naming and administration) that are associated with
application server run time. WebSphere Application Server for z/OS uses the
authorization policy that is stored in the z/OS security product for authorization.
This option is available when your environment contains z/OS nodes only. It is
available using the Administrative Console in Secure administration, applications,
and infrastructure → External authorization providers, as shown in Figure 10-34.
In this example, the domain name is PRODCELL. The role name is bankTeller.
The authorized user ID is JOHN.
Default authorization Access to servlets or EJB methods is based upon the role (job title,
(WebSphere bindings) function, and so on) of the user or caller.
Roles are associated with servlets or EJBs at assembly time.
Roles are stored in the application's .ear file: application.xml.
Which users and groups have which roles is also stored in the
application's .ear file: ibm-application-bnd.xmi.
Roles are managed by the application developer and the application
deployer.
RACF only provides user and group information.
System Authorization Access to servlets or EJB methods is based upon the role (job title,
Facility authorization function, and so on) of the user or caller.
Roles are associated with servlets or EJBs at assembly time.
Roles are represented in the application's .ear file: application.xml.
Which users and groups have which roles is determined in RACF by
profiles in the EJBROLE class.
If a user is in the access list of an EJBROLE profile, he has that role.
If a group is in the access list of an EJBROLE profile, users in that
group have that role.
Roles are managed through RACF.
384 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Authorization providers Characteristics
External authorization Access to servlets or EJB methods is based upon the role (job title,
using a JACC provider function, and so on) of the user or caller.
Roles are associated with servlets or EJBs at assembly time.
Roles are represented in the application's .ear file: application.xml.
Which users and groups have which roles is determined in the JACC
provider.
Roles are managed through the JACC provider.
SAF delegation
System Authorization Facility delegation minimizes the need to store user IDs
and passwords in many locations in the configuration. SAF delegation is used in
conjunction with the RunAs feature.
SAF delegation requires that the SAF authorization be enabled. The SAF security
administrator would be responsible for the assignment of users to the role.
Using SAF EJBROLE class profiles can conflict with the standard J2EE role
naming conventions. J2EE role names are Unicode strings of any length. RACF
The custom SAF role mapper is a Java-based exit to replace the EJBROLE class
profile construction algorithm. The custom SAF role mapper is called to generate
a profile for authorization and delegation requests. The role mapper passes the
name of the application, and the name of the role then passes back the
appropriate class profile name. Information about the server name, cell name,
and the z/OS security domain name prefix is provided to the implementation
during initialization.
This feature can be used in the middle of a J2EE application with Synch-to-OS
Thread to access z/OS system-level ressources, or it can be used in a connector
with Connection Manager RunAs Identity to access some Enterpsie Information
Systems (EIS) such as DB2 or IMS JDBC.
Synch to OS Thread
Sync-to-OS Thread (or z/OS thread identity synchronization) applies when the
application requires access to system resources (for example, HFS files, TCP/IP
sockets, and so on). The application requests this function and the container
changes the OS thread identity to the J2EE identity.
This option indicates whether an operating system thread identity is enabled for
synchronization with the J2EE identity that is used in the application server run
time if an application is coded to request this function.
Synchronizing the operating system identity to the J2EE identity causes the
operating system identity to synchronize with the authenticated caller, or
delegated RunAs identity in a servlet or Enterprise JavaBeans (EJB). This
synchronization or association means that the caller or security role identity,
386 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
rather than the server region identity, is used for z/OS system service requests
such as access to files.
For the SyncToOS function to be active, the following conditions must all be true:
An application includes within its deployment descriptor an env-entry of
com.ibm.websphere.security.SyncToOSThread set to true.
z/OS thread identity synchronization is enabled in the administrative console.
The configured user registry is the local operating system.
The BBO.SYNC facility class is defined in RACF, and the control region user
ID has control or read access to it. Use the optional SURROGAT facility class
for finer-grained access controls.
When these conditions are true, the OS thread identity is set to the authenticated
caller identity of a Web or EJB request. The OS thread is modified each time the
J2EE identity is modified. The J2EE identity can be modified either by a RunAs
specification on the deployment descriptor or a programmatic WSSubject.doAs()
request. See Figure 10-35.
This “Enable application server and z/OS thread identity synchronization” option
is available using the administrative console in Secure administration,
applications, and infrastructure → z/OS security options.
Thread security support for DB2 and IMS JDBC is enabled when:
Connection manager RunAs thread identity is enabled.
A local connection is used between the application server and the EIS.
Res-auth=Container is specified for the resource reference defined in the
deployment descriptor.
The connection factory does not specify a JAAS authentication alias.
The configured user registry is the local operating system.
The BBO.SYNC facility class is defined in RACF and the control region user
ID has control or read access to it. Use the optional SURROGAT facility class
for finer-grained access controls.
This “Enable the conection manager RunAs thread identity” option is available
using the administrative console in Secure administration, applications, and
infrastructure → z/OS security options.
388 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
10.5.3 Thread identity support
Thread identity support is the ability to pass the identity of the Java principal
within the subject (J2EE identity) through a JCA connector or a JDBC ressource
adapter to an Enterprise Information System. Depending on the connector being
used, thread identity support may or may not require you to configure connection
manager RunAs identity. Some connectors can accomplish thread identity
support without synchronizing the J2EE identity with the OS thread identity.
Some connectors accomplish thread identity support by synchronizing the J2EE
identity with the OS thread identity.
Table 10-3 lists the JCA resource adapter and JDBC provider processes that
support thread identity and thread security. It also provides the level of thread
identity support.
RRA DB2 for z/OS local JDBC provider - data sources configured to Allowed Supported
the local DB2
RRA DB2 Universal JDBC Driver Provider using Type 2 connectivity Allowed Supported
RRA DB2 Universal JDBC Driver Provider using Type 4 connectivity Not allowed Not supported
WebSphere MQ JMS Provider - Connection Factory (TransportType Not allowed Not supported
= CLIENT)
WebSphere JMS Provider (such as Integral JMS Provider): Not allowed Not supported
Connection Factory
390 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
11
The principal is a unique identifier that the KDC can assign tickets to. There are
three parts in a principal name:
primaryname/instancename@REALM
The primary name: It can be either the user’s name, the word host, or the
name of the service. An example of a principal in the ITSO.IBM.COM realm
could be fdevalence@ITSO.IBM.COM.
The instance name: This is optional. It is used to further define the primary
name, for example, fdevalence/admin@ITSO.IBM.COM. Note that the
principals fdevalence and fdevalence/admin are two completely separate
principals with different passwords and possibly a different set of authorities.
The instance component is also used when specifying a host or a service
principal. In this case, it can be the fully qualified domain name of the host
such as telnet/wtsc58.itso.ibm.com@ITSO.IBM.COM.
392 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
The realm name: The realm portion of the principal’s name is the name of the
Kerberos realm, which is usually the domain name in uppercase.
The two primary functions of the KDC are to grant ticket granting tickets and to
grant service tickets.
Kerberos ticket
The word ticket is used to describe how authentication data is transmitted in the
Kerberos environment. Tickets are essentially an encrypted data structure that
uses shared keys issued by the KDC to communicate in a secure fashion. The
purpose of the ticket depends on where it has been created.
When the principal wants to use a service in the network, it sends a request
including his TGT to the ticket granting server. The TGS responds by issuing and
sending a service ticket (ST).
When the principal uses a service in the network, it sends a request including his
ST to the server hosting the service. The server accepts the ST and executes the
service.
Each ticket can also contain options that give you more control over the use of
the tickets.
394 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
which are the Kerberos service and Active Directory (AD). AD is Microsoft’s
implementation of the LDAP protocol.
When a user logs onto the Windows domain, the information entered by the user
is captured by the logon program and is transmitted to the computer’s local
security authority (LSA). The LSA is a Windows component that authenticates
users to the local system. This LSA then communicates with the network’s KDC
in order to receive ticket granting tickets and service tickets so that this user can
access kerberized services on the Windows domain.
Kerberos on Windows server platforms use the Active Directory for all
information about principals on the Kerberos network. The encryption key used
in communicating with principals is stored in the Active Directory database in the
user’s profile.
Active Directory not only plays the role of an LDAP server on a Windows server,
it is also used as the KDC database. This can be a great benefit to an
organization in terms of one central store, but can be equally devastating in the
event of system failure.
Trust association applies for Web requests where some other servers, like
Reverse Proxy Security Servers (RPSS), authenticate the request and forward
the request to the application server. The WebSphere Application Server TAI
only validates the trust relationship with the RPSS and retrieves the identity from
the incoming request and returns it as a principal.
Some examples of Reverse Proxy Security Servers are IBM Tivoli Access
Manager WebSeal or IBM Datapower, and so on.
It can be coded so that only some requests are validated by the TAI. That is, the
TAI can decide that it will not perform a trust association operation on a request,
in which case the authentication process returns to WebSphere for processing.
You can develop your own TAI, but WebSphere Application Server for z/OS v6.1
comes with four trust association interceptors. These can be found with the
396 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
SPNEGO supports both Active Directory credentials (based on Kerberos) and
the older style (and less secure) NTLM credentials. The WebSphere SPNEGO
TAI supports only the Active Directory credentials.
The SPNEGO TAI can work with Web services clients for HTTP transport-level
security with SPNEGO tokens. The SPNEGO TAI is for Web client authentication
and is not relevant for EJB clients.
In a simple solution, there is one Microsoft Windows Active Directory domain with
one Kerberos KDC. The WebSphere Application Server for z/OS service is
defined as kerberized in the Windows Kerberos KDC and the corresponding
principal keytab file is transferred to the WebSphere for z/OS configuration.
398 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
When designing such a solution, the WebSphere Application Server for z/OS
repository need to be considered. For single sign-on to occur, users identities
need to be known to both Active Directory and the WebSphere registry.
You may choose to use RACF as a local operating system registry for
WebSphere. This is the configuration we choose for our scenario. In that case, it
is necessary to synchronize the Windows identities with the RACF identities. We
do this manually in our scenario.
If you decide to use another registry then, depending on your environment, you
may need to do some name mapping for users presented. Also, a process must
be implemented to make sure that there is user mapping between registries. This
mapping may be one-to-one or many-to-one, depending upon the environments
architecture.
11.2.2 Single sign-on with z/OS KDC and Microsoft Windows KDC
The Kerberos protocol is designed to operate across organizational boundaries.
Each organization wanting to run a Kerberos server can establish its own realm.
The name of the realm in which a client is registered is part of the client's name
and can be used by the application server to decide whether to honor a request.
By establishing cross-realm keys, the administrators of two realms can allow a
client authenticated in one realm to use its credentials in the other realm. The
exchange of cross-realm keys registers the ticket-granting service of each realm
as a principal in the other realm. A client is then able to obtain a ticket-granting
ticket for the remote realm's ticket-granting service from its local ticket-granting
service. Tickets issued to a service in the remote realm indicate that the client
was authenticated from another realm.
You may already have a z/OS KDC in your organization. You may want to take
advantage of the strong z/OS KDC capabilities such as sysplex awareness. You
may choose z/OS as your trusted security vault. In these cases, it is possible to
have WebSphere Application Server for z/OS defined as a kerberized service in
the z/OS KDC Kerberos realm (zOSKerbRealm).
The Microsoft Windows Active Directory KDC still has its own Windows Kerberos
realm (WinKerbRealm). The user client workstation authenticates to this
Kerberos realm.
Figure 11-3 Single sign-on with z/OS KDC and Microsoft Windows KDC
400 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
validate user credentials that come from SPNEGO-enabled clients that are part
of a Microsoft Windows Active Directory domain.
In this section we first describe our environment and our scenario, then we
explain in detail how to configure the three main components of this solution,
which are WebSphere Application Server for z/OS, Windows Active Directory
KDC, and the user workstation browser, and finally we provide hints about how
to troubleshoot this solution.
The user logs onto the Microsoft Windows Active Directory domain with an
identity known in Active Directory (USER1). He then accesses a Web application
using his browser, and his identity is propagated to WebSphere Application
Server for z/OS. This identity is mapped to a known RACF identity (USER1).
Single sign-on occurs between the Windows domain and the WebSphere
application server.
At the very beginning the user logs onto the Windows domain from the
workstation. After the user enters a user name and password, Winlogon sends
the information to the workstation local security authority, which passes the
request to the Kerberos authentication package. The client sends an initial
authentication request (AS_REQ), which includes the user’s credentials and an
encrypted time stamp to the KDC. This is a request for authentication and a ticket
granting ticket. The first domain controller in the domain generates the
krbtgt/domain_name ticket. The KDC uses the secret key to decrypt the time
stamp and issues a TGT to the client. The AS_REP is encrypted with the user’s
key and returned to the user. The ticket is encrypted with the KDC’s key and
enclosed in the AS_REP.
402 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
When the user accesses the Web application, the scenario executes the
following steps for single sign-on:
1. The user requests a secured Web resource using a browser. This sends a
HTTP get request to WebSphere Application Server for z/OS.
2. WebSphere Application Server for z/OS and SPNEGO TAI answer to the
client browser with an HTTP challenge header 401 containing the
Authenticate: Negotiate status.
3. The client browser recognizes the negotiate header because it has been
configured to support integrated Windows authentication. The client parses
the requested URL for the host name. The client uses the host name as an
attribute to request a valid Kerberos Service Ticket from the Kerberos ticket
granting service in Active Directory KDC (TGS_REQ). The TGS then issues a
service ticket (TGS_REP) to the client.
4. The client puts this Kerberos service ticket in an SPNEGO token. The service
ticket proves both the user’s identity and permissions to the service, and the
service’s identity to the user. The client responds to the WebSphere
Application Server for z/OS Authenticate: Negotiate challenge with the
SPNEGO token in the request HTTP header.
5. WebSphere Application Server for z/OS and SPNEGO TAI see the HTTP
header with the SPNEGO token. It extracts the Kerberos service ticket and
gets the identity (principal) of the user.
6. The SPNEGO TAI maps the identity to a valid RACF identity and validates
this identity against RACF. This identity is set in the principal of the JAAS
subject. Once the identification process is executed, WebSphere executes
the related Java code (servlets, JSPs, EJBs, and so on) and checks
authorizations.
7. If all access is granted, WebSphere Application Server for z/OS sends back
the response with an HTTP 200. WebSphere also includes in the response a
LTPA token (in the form of a cookie).
For all subsequent requests, the LTPA token is used to access resources
securely. Hence, the SPNEGO protocol is executed once for the first request.
The key point to notice here is that the user is not prompted to authenticate to
WebSphere Application Server for z/OS in this scenario. The solution flows the
user’s existing Active Directory credentials to the WebSphere server. The user's
access is via his Windows credentials. This is single sign-on between Windows
and WebSphere Application Server for z/OS using the SPNEGO.
Before configuring
A working domain controller and at least one client computer in that domain are
required for this solution, as trying to use SPNEGO from the domain controller
does not work.
We recommend making sure that you have the following before configuring:
A functioning Microsoft Windows 2000/2003 Active Directory Domain
including:
– Domain controller
– Client workstation
– Users that can log into the client workstation
A functioning WebSphere Application Server for z/OS with application
security enabled.
The users from the Active Directory should be able to successfully access
WebSphere Application Server’s protected resources using a native
authentication mechanism such as basic authentication (BA) or forms
authentication.
Windows 200x Support Tools must be installed on the Microsoft Windows
Server. These include the setspn, the ktpass, and the adsiedit tools. These
support tools are available on the Windows Server installation CD or from the
Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?familyid=6EC50B78-8B
E1-4E81-B3BE-4E7AC4F0912D
The SPNEGO TAI configuration requirements must be satisfied. These are
described in the InfoCenter at:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic
=/com.ibm.websphere.zseries.doc/info/zseries/ae/rsec_SPNEGO_tai_reqs.
html
We also recommend installing the Windows Server 2003 Resource Kit Tools,
which provide the kerbtray.exe utility to see Kerberos tickets. This package can
be installed on the user workstation:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-
4ae7-96ee-b18c4790cffd
404 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Creating the WebSphere service principal name
Create a user account for WebSphere Application Server for z/OS in the
Microsoft Active Directory. This account is mapped to the Kerberos service
principal name (SPN). This identifies the WebSphere Application Server for z/OS
installation as a kerberized service.
406 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
The new user account then appears in the list of Windows users and
computers (Figure 11-7).
408 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
5. Invoke the Active Directory service interface snap-in by typing the following
command in the Start/Run menu:
adsiedit.msc
Verify that the new user (wtsc58 in our case) has been created and check its
distinguished name (CN=wtsc58a,CN=Users,DC=kkdc,DC=test,DC=com in
our example).
6. Map the user account to the Kerberos service principal name. This user
account represents the WebSphere Application Server as being a kerberized
service with the Kerberos key distribution center.
Use the following setspn command for this task:
setspn -a HTTP/<full_WAS_z/OS_dns_name> <user_account>
We run the following command for our environment:
setspn -a HTTP/wtsc58a.kkdc.test.com wtsc58a
C:\>setspn -l wtsc58a
Registered ServicePrincipalNames for
CN=wtsc58a,CN=Users,DC=kkdc,DC=test,DC=com:
HTTP/wtsc58a.kkdc.test.com
Tip: More information about the setspn tool can be found here:
http://technet2.microsoft.com/WindowsServer/en/library/318642de-15a3
-4478-beb0-8022696def511033.mspx?mfr=true
Ktpass allows you to configure a non Windows Server 2003 Kerberos service
(like WebSphere applications on a z/OS platform) as a security principal in the
Windows Server 2003 Active Directory. This tool generates a keytab file
containing the shared key of the service. This keytab file is then transferred over
to the WebSphere server so that the SPNEGO TAI can use it.
The most common options are (use the -help switch to get a full list of switches):
princ principal_name specifies the principal name. The Windows Domain can
be found on the Active Directory service interface snap-in displayed before. It
has to be all upper-case.
out filename specifies the keytab to produce.
pass password specifies the password to use.
mapuser username maps princ to the user.
410 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
crypto specifies the type of cryptographic system to use. With the wtsc58a
Windows account we set up, DES-CBC-MD5 has to be selected.
Tip: More information about the keytab files and the ktpass command can be
found here:
http://technet2.microsoft.com/WindowsServer/en/library/5090598d-a735
-4c73-9e37-1a95a4651fa51033.mspx?mfr=true
The realm name has to be written in uppercase letters for the ktpass command.
We choose the DES-CBC-MD5 encryption algorithm for compatibility reasons.
There might be a warning regarding the account type and the ptype, but that can
safely be ignored.
WebSphere Application Server for z/OS has a wsadmin utility to generate the
Kerberos configuration file.
1. Transfer in binary format the previously generated keytab file from the
Windows server to the z/OS partition in UNIX System Services. We put the
keytab file in the existing z/OS Kerberos directory in /etc/skrb. A Kerberos
keytab configuration file contains a list of keys that are analogous to user
passwords. It is important for hosts to protect their Kerberos keytab files.
2. If Kerberos is not already used by another component in z/OS, rename the
existing Kerberos configuration with a command such as the following in
UNIX System Services:
mv krb5.conf krb5.conf.backup20061115
3. The SPNEGO TAI expects the configuration file to be in the /etc/krb5
directory. Create a symbolic link from /etc/krb5 to the /etc/skrb directory with
the following command:
ln -s /etc/skrb /etc/krb5
You can specify another location by using the JVM system property
java.security.krb5.conf.
412 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
4. The following steps use the wsadmin utility to create a Kerberos configuration
file. An administrator user is needed to be able to connect to WebSphere with
the wsadmin utility. Make sure that the user is declared as an administrator in
the administrative console administrative user roles list. In our environment
we use the wsadmin user for wsadmin scripting. See Figure 11-10.
7. Make sure that WebSphere users (controller region and servant region) have
sufficient read access to the /etc/krb5/krb5.conf file.
414 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
3. Click Security → Secure administration, applications, and infrastructure.
Expand Web security. Under the General Properties heading, select the
check box to Enable trust association and click Apply. See Figure 11-11.
4. Click Interceptors and then click the SPNEGO TAI in the list of interceptors,
com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl, then click
Custom properties, then click Add to set up properties as follows:
– com.ibm.ws.security.spnego.SPN<id>.hostName: This attribute is
required. It specifies the full DNS host name in the SPN used by the
SPNEGO TAI to establish a Kerberos secured context. It is the host name
used with the ktpass command.
– com.ibm.ws.security.spnego.SPN<id>.filter: This attribute is optional. It
specifies the conditions that are matched against the HTTP request
headers to determine whether the HTTP request is selected for SPNEGO
authentication. In a WebSphere Standalone server configuration, we
strongly recommend using this option so that the SPNEGO TAI does
operate when accessing the administrative console.
In our environment we add the following properties with the following values:
com.ibm.ws.security.spnego.SPN1.hostName : wtsc58a.kkdc.test.com
com.ibm.ws.security.spnego.SPN1.filter : request-url%=snoop
In our example, we use the WebSphere embedded snoop servlet to verify our
configuration setup.
5. After you finish defining your custom properties, click Save to store the
updated SPNEGO TAI configuration.
416 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Control → Java Virtual Machine and locate the Generic JVM arguments
text box. Add the following option in this text box:
-Dcom.ibm.ws.security.spnego.isEnabled=true
3. For the Servant region, navigate to Servers → Application servers →
server_name → Java and Process management → Process Definition →
Servant → Java Virtual Machine and locate the Generic JVM arguments
text box. Add the following option in this text box:
-Dcom.ibm.ws.security.spnego.isEnabled=true
Tip: To enable the JGSS and KRB5 traces, add the following to the
Generic JVM arguments text box:
-Dcom.ibm.security.jgss.debug=all
-Dcom.ibm.security.krb5.Krb5Debug=all
At server startup, the servant region log should appear the SPNEGO TAI
initialization and parameters. Example 11-5 shows our servant region log.
com.ibm.ws.security.spnego.SPN.filterClass=com.ibm.ws.security.spnego.H
TTPHeaderFilter@641c641c
com.ibm.ws.security.spnego.SPN.NTLMTokenReceivedPage=null
com.ibm.ws.security.spnego.SPN.spnegoNotSupportedPage=null
418 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
11.3.4 Configuring the Web browser
In this section, we describe how to configure the Web browser on the user
workstation. We show how to configure Microsoft Internet Explorer and Mozilla
Firefox.
420 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
5. On the Internet Options window, click the Advanced tab and scroll to Security
settings. Ensure that the Enable Integrated Windows Authentication (requires
restart) box is selected. Click OK. See Figure 11-15.
422 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
With the Administrative Console in Servers → Application servers →
server_name → Java and Process management → Process Definition →
Servant → Java Virtual Machine, locate the Generic JVM arguments text
box. Add the following options in this text box to enable JGSS and KRB5
traces:
-Dcom.ibm.security.jgss.debug=all
-Dcom.ibm.security.krb5.Krb5Debug=all
Here are some ideas for troubleshooting a new SPNEGO TAI configuration:
Make sure that you are trying to access WebSphere Application Server with a
user that is logged into the domain.
Make sure that you are not trying to access the application server from the
domain controller.
Make sure that the TAI initialized successfully with a message such as the
following in the servant region:
CWSPN0006I: SPNEGO Trust Association Interceptor initialialization
is complete.
Make sure that you have the correct encryption types specified in your
Kerberos configuration file and that all encryption type configurations match.
Make sure that you have the same time on the WebSphere Application
Server host and the domain controller.
On the user workstation side, use kerbtray.exe to see what tickets have been
granted to the user logged in. This utility is provided with the Windows Server
2003 Resource Kit Tools.
Restart the user workstation. Sometimes if the client was brought up before
the domain controller, then this can have adverse affects.
Remove any filters you have specified for the TAI. Try to get a connection
working before you start filtering requests.
Make sure that you have SPNEGO authentication enabled on the client’s
browser.
Some other good tips are available in the InfoCenter at the following URL:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/
com.ibm.websphere.zseries.doc/info/zseries/ae/rsec_SPNEGO_trouble_shoot
.html
Using the user workstation, log on to the Windows Active Directory domain. We
use the Valence user ID in our configuration. This user ID exists both in Active
Directory and in RACF.
Using the kerbtray.exe utility, it is possible to see the Kerberos tickets acquired
by the user. The kerbtray.exe utility is available from the Windows Server 2003
Resource Kit Tools. Right after logon, we can verify that the workstation obtained
the ticket granting ticket from the Windows KDC.
Launch a Web browser such as Microsoft Internet Explorer. Enter the URL
address of the application that you want to single sign-on with. We use the
WebSphere embedded snoop servlet in our example at the following address:
http://wtsc58a.kkdc.test.com:49080/snoop/
When security is on with WebSphere, the embedded snoop servlet asks for
authentication. Because we use the SPNEGO TAI, because we configured the
424 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
browser accordingly, because the Windows KDC, the browser asks the KDC for
a Service Ticket to use the HTTP service with wtsc58a. Then the browser sends
the HTTP request including a SPNEGO token with the user identity (Valence) to
WebSphere Application Server for z/OS.
The browser displays the snoop servlet, which shows the authenticated user.
The WebSphere authenticated user (Valence) is the Windows domain
authenticated user. Single sign-on occurred between the Windows domain and
WebSphere Application Server for z/OS using the SPNEGO TAI.
The WebSphere for z/OS servant region log confirms this scenario, shows that
the SPNEGO token is processed, and highlights the authenticated user.
Example 11-6 shows this log.
426 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
FunctionName: trimUsername
SourceId: com.ibm.ws.security.spnego.SpnegoHandler
Category: FINER
ExtendedMessage: Principal name was trimmed to: VALENCE
Trace: 2006/11/16 14:26:31.283 01 t=8C7718 c=UNK key=P8 (13007002)
ThreadId: 00000029
FunctionName: negotiateValidateandEstablishTrust
SourceId: com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl
Category: FINER
ExtendedMessage: Authenticated user: VALENCE Subject: Subject:
Principal: VALENCE@KKDC.TEST.COM
All this validates the scenario described in Figure 11-4 on page 402 and confirms
the single sign-on between the Windows domain and WebSphere Application
Server for z/OS.
428 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
12
In WebSphere Application Server V6.1 for z/OS, global security has been split
into administrative and application security. By enabling administrative security
by default, you can keep unauthorized users from accessing the administrative
console and your business applications. Administrative security should be
enabled to restrict access.
In earlier versions of WAS for z/OS, cell-wide security information is set up in the
Security domain configuration option. It defines user groups and user IDs
including the application server administrator, SSL customization, security
domain name, and more. In Version 6.1, this is now done in the “Configure
common MVS groups and users” option, and its parameters have been changed.
In Figure 12-1, all the definitions are shown. Note that they are cell-wide. Other
430 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
security values, which were part of the security domain configuration in the
previous version of WAS, are now specified in the process of the application
server configuration. There you can specify additional detailed security settings
for each application server in the same cell.
WebSphere Application Server HFS owner is a new user ID added in WAS V6.1.
This user ID owns many of the cell's files in the configuration file system. It
should have the WebSphere Application Server configuration group (see the
example below) as its default group.
Security Customization
432 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Option 1: Use a z/OS security product
If you want to enable administrative security and use a local z/OS repository for
authentication and authorization, you must choose this option. These are the
characteristics of this option:
Each WebSphere Application Server user and group identity corresponds to a
user ID or group in the z/OS system's SAF-compliant security server, such as
RACF.
Access to WebSphere Application Server J2EE roles is controlled using the
SAF EJBROLE class profiles in conjunction with the GEJBROLE class, if you
choose to use the grouping class.
Digital certificates for SSL communication are stored in the z/OS security
product.
The “Use a z/OS security product” option is appropriate when servers or cells
reside entirely on z/OS systems, with SAF as the user registry. Customers who
plan to implement an LDAP or a custom user registry and plan to map
LDAP/CUR identities to SAF identities and use SAF authorization should also
choose this option so that initial SAF EJBROLE setup is performed.
The server ministration user ID needs to be defined with a password. The expiry
policies for passwords need to be checked with your security administrators. It is
advisable to either assign a non expiring password or have good password reset
policies. Your cell will not function if the administrators password has expired.
If you want to prefix the EJBROLE class RACF profiles with a security domain
and include this domain in CBIND profiles (see below), set “Use security domain
identifier in RACF profiles” to Y and enter the security domain name.
If you set “Use security domain identifier” to Y and specify the security domain
identifier, the domain name is added to the profile. The resulting RACF command
would be:
RDEFINE CBIND CB.BIND.<domain>.** UACC(READ)
PERMIT CB.BIND.<domain>.** CLASS(CBIND) ID(WSCFG1) ACCESS(CONTROL)
434 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
You can verify the current WebSphere Application Server security settings via
the administrative console by clicking Security → Secure Administration,
applications, and infrastructure. Figure 12-4 shows the current z/OS security
settings for option 1.
Self-signed digital certificates for servers are created in the configuration file
system automatically by WebSphere Application Server.
When selecting option 2 you will be presented with the customization panel, as
shown in Figure 12-5. The user ID that you specify here is stored in the
file-based user registry and used as initial administrative user. The sample user
ID is optional. This field appears once you have selected to install the sample
application.
436 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
You can verify the current WebSphere Application Server security settings via
the administrative console by clicking Security → Secure Administration,
applications, and infrastructure. Figure 12-6 shows the current settings of
option 2.
Figure 12-6 Security configuration page using WebSphere Application Server security
Note: If you aim to enable SAF security for your application server
environment in the future, but choose to do initial setup with security disabled,
you should reconsider. Contrary to previous versions of WebSphere, where
security was disabled by default, choosing option 3 in Version 6.1 would mean
having to configure the complete security infrastructure without the help of
generated installation jobs. Refer to Technote swg1237841:
http://www-1.ibm.com/support/docview.wss?uid=swg21237841
438 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
– Set up EJBROLE class profiles:
• Administrative roles (administrator, monitor, configurator, operator,
deployer, and adminSecurityManager) are created, and the
administrator user ID is granted the administrator role.
• Naming roles (CosNamingRead, CosNamingWrite, CosNamingCreate,
and CosNamingDelete) are created. You should permit the
configuration group for WebSphere Application Server (servers and
administrators) READ access to all of these profiles.
– Create an SSL keyring (WAS CA certificates/commercial CAs) for the
application server. Digital keyrings are created for the administrator,
controller, controller region adjunct, and server user IDs.
– Generate a certificate. Digital certificates are created for each server
controller.
– Connect the certificate to the keyring.
– Create Sync-to-OS thread profile (new in WAS Version 6.1). See
“Sync-to-OS thread update” on page 444 for more information.
– Create a facility class profile for trusted applications (new in WAS Version
6.1)
A trusted application is an application that requires WebSphere
Application Server to build SAF credentials without an authenticator, for
instance, a TCB level ACEE being created if SyncToOSthread is enabled.
The facility class profile is BBO.TRUSTEDAPPS.<domain>.<cluster>. The
control region user ID needs to be permitted with access READ and the
custom property EnableTrustedApplications needs to be set to true in
Security → Secure administration, applications and infrastructure.
440 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
z/OS security WebSphere Application
Server security
In previous versions the administrative user ID and password are used not only
for administrative purposes but also for internal server-to-server communication.
There was a possibility of password exposure during server-to-server
communication. WebSphere V6.1 makes a distinction between the
administrative user ID and the server ID. Automatically generated server IDs do
not require a password and are not stored in any registry. By default, the server
ID is the cell name. The administrative user ID is stored in a registry. This ID is
used to log on to the administrative console when administrative security is
To change from the internally generated server ID to the z/OS started task
identity follow the next steps.
1. Go to Security → Secure administration, applications, and
infrastructure.
2. Click the Available realm definitions drop-down list and select your
repository under User account repository.
3. Click Configure.
This configuration option differs for each registry. Figure 12-7 illustrates the
server identity setting for the local operating system user registry.
Figure 12-7 Server user identity configuration for local operating system registry
442 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
12.3 RACF - mixed-case password support
The password is important in protecting users, applications, and systems. The
harder it is to guess a password the better the protection level. Mixed case
passwords provide a higher level of security and are harder to break.
WebSphere for z/OS V6.1 supports multiple user registries. Both file-based
repositories and a Lightweight Directory Access Protocol repository support
case-sensitive passwords. In z/OS v1.7 RACF mixed-case password support
has been introduced.
To display the current system-wide RACF options for your environment issue:
SETROPTS LIST
444 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
security environments representing users in the SURROGAT class are allowed,
while CONTROL allows for security environments to represent any RACF
defined user ID.
446 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
13
Security wizard
The security wizard helps you to configure an existing user registry and to enable
administrative, application, and resource security.
The console name entry is the name of the security setting or variable as it is
presented in the admin console. The security configuration name is the name of
the same variable as used internally by WebSphere. The security configuration
name is what you would find in the configuration file system if you browse files
like security.xml.
448 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Figure 14-1 shows an example of a security configuration report.
450 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
3. Click the Security Configuration Wizard button.
a. Specify the extent of protection (see Figure 13-2). Optionally, enable
application security and Java 2 security.
c. Configure the user repository (see Figure 13-4). Enter the primary (RACF
defined) administrative user ID.
Figure 13-4 Specify primary administrative user for z/OS security default authorization
452 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
e. Click Finish.
4. Select the authorization provider.
a. Click Security → Secure administration, applications, and
infrastructure → External authorization providers.
b. Verify that Default authorization is selected.
5. Save your changes.
You can review which files are updated before saving changes.
Administrative security will be active after restarting the server. When logging on
to the admin console you will need to provide the primary administrative user ID
and its password.
If you choose the SAF authorization provider, follow these steps. Follow the
same steps as for the default provider. In addition, RACF setup is required.
Follow steps 1–3 of the default authorization provider.
1. Log on to the administrative console.
2. Click Security → Secure administration, applications, and infrastructure.
3. Click the Security Configuration Wizard button.
The primary administrative user specified in step 3 (c) is invalid when
choosing SAF authorization provider. The administrative user ID needs to be
defined in RACF.
To display an EJBROLE profile and its ACL execute the following command
RLIST EJBROLE <domain.>administrative_role ALL
We recommend using JCL to execute RACF commands for ease of viewing the
resulting output. A sample JCL to list all EJBROLE class profiles is shown in
Example 13-1.
Example 13-1 Sample JCL to display all profiles in the EJBROLE class
//LSTRACF EXEC PGM=IKJEFT01
//SYSLBC DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSOUT DD SYSOUT=*
//SYSIN DD DUMMY
//SYSTSIN DD *
RLIST EJBROLE * ALL
/*
454 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
13.1.4 Administrative security with default authorization provider
Here we show the necessary steps to enable administrative security. We did not
enable administrative security during the installation process.
1. Log on to the administrative console.
2. Click Security → Secure administration, applications, and infrastructure.
3. Click the Security Configuration Wizard button.
a. Specify the extent of protection. Enable application security and Java 2
security, if you need them.
b. Select the user repository. Select federated repositories.
c. Configure the user repository (see Figure 13-5). Specify an administrative
user name. The administrative user ID and password are stored in the
WebSphere Application Server file-based repository.
456 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
<?xml version="1.0" encoding="UTF-8"?>
<sdo:datagraph xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:sdo="commonj.sdo" xmlns:wim="http://www.ibm.com/websphere/wim">
<wim:Root>
<wim:entities xsi:type="wim:PersonAccount">
<wim:identifier externalId="cc750038-75ad-4454-b9b6-c5bdced553ca" external
Name="uid=itsouser,o=defaultWIMFileBasedRealm"
uniqueId="cc750038-75ad-4454-b9b6-c5bdced553ca" uniqueName="uid=itsous
er,o=defaultWIMFileBasedRealm"/>
<wim:parent>
<wim:identifier uniqueName="o=defaultWIMFileBasedRealm"/>
</wim:parent>
<wim:createTimestamp>2006-11-28T15:33:24.449+00:00</wim:createTimestamp>
<wim:password>U0hBLTE6ZW9oYTM4dnYxc3l6OnEwK2FFN2RRMUtVTldiVlVNdFJtdE5HWlZt
dz0K</wim:password>
<wim:uid>itsouser</wim:uid>
<wim:cn>itsouser</wim:cn>
<wim:sn>itsouser</wim:sn>
</wim:entities>
</wim:Root>
</sdo:datagraph>
Figure 13-7 Created fileRegistry.xml
Administrative security is active after restarting your server. You need to log in to
the admin console using the primary administrative user ID and its password.
If you can still log on to the administrative console you can disable security
through the administrative console.
1. Click Security → Secure administration, applications, and infrastructure.
2. Uncheck the Enable administrative security check box.
3. Save the changes and restart the server.
If you cannot log on to the administrative console, you can disable the
administrative security using the wsadmin command-line interface, as follows:
1. Bring down the server.
2. Log in to a UNIX System Services shell.
wsadmin>exit
/WebSphereBS2/V6R1/AppServer/profiles/default/bin #
Security trace
When you have administrative security enabled but administrative operations fail
to execute, you must search for the cause of the problem. Setting a security trace
helps you identify the security configuration problem. If administering the server
was without problems before enabling security, it is safe to assume that a
problem exists in the security configuration.
458 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Figure 13-8 shows a trace options and trace level example.
Note: The Runtime trace tab and the MVS modify command change trace
options dynamically. The Configuration trace tab sets trace options
permanently and requires a restart of the server.
460 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Role Description
If you install your application server with the z/OS security product option, all but
one administrative role profile are defined in the SAF EJBROLE class. The
iscadmins role is not defined because the purpose of this role is to secure the
When using the default authorization provider, users and groups are mapped to
the administrative roles through the admin console (WebSphere bindings). When
SAF is your authorization provider you need to permit users and groups to the
EJBROLE administrative profiles (SAF bindings) with access READ.
Permit users and groups to the appropriate role and refresh the RACLISTed
class:
PERMIT <domain.>role_name CLASS(EJBROLE) ID(user_id or group_id)
ACCESS(READ)
SETROPTS RACLIST(EJBROLE) REFRESH
The authorization group outlines the scope of authorization. Users can then be
granted an administrative role in an authorization group. In this way users are
only allowed to administer a delimited scope of resources.
The administrative roles are granted per authorization group and therefore per
resource instance rather than to the entire cell. However, there is a cell-wide
authorization group for compatibility with previous versions. Users assigned to
administrative roles in the cell-wide authorization group can still access all of the
resources within the cell.
462 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Fine-grained administrative security can also be used in single-server
environments. Various applications in the single server can be grouped and
placed in different authorization groups.
Note: The standalone server itself cannot be part of any authorization group.
[server environment]
cell name: cl6582
node name: nd6582
server name: ws6582
server_profile_root: /WebSphereBS2/V6R1/AppServer/profiles/default/bin
464 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
wsadmin>AdminTask.addResourceToAuthorizationGroup('[-authorizationGroup
Name APPG -resourceName Application=HelloApplication]')
''
If you are using the SAF authorization provider as the authorization provider
you need to define additional profiles to the EJBROLE class, as follows:
a. Define <authorization group>.<rolename> profiles in EJBROLE (again,
prefix those profiles with your domain identifier if you have one
configured):
RDEFINE EJBROLE <domain.>APPG.administrator UACC(NONE)
RDEFINE EJBROLE <domain.>APPG.configurator UACC(NONE)
RDEFINE EJBROLE <domain.>APPG.operator UACC(NONE)
RDEFINE EJBROLE <domain.>APPG.monitor UACC(NONE)
RDEFINE EJBROLE <domain.>APPG.deployer UACC(NONE)
RDEFINE EJBROLE <domain.>APPG.adminsecuritymanager UACC(NONE)
Note: EJBROLE profiles for all of the roles in each authorization group
should be created regardless of whether any user is mapped to its role,
or at least define an appropriate catching profile at authorization group
level.
APPUSER1 is assigned the deployer role for HelloApplication, but does not have
administrative authority for other applications. Example 13-6 and Example 13-7
show that the setup works well. ITSOUSER can list and control all deployed
applications. APPUSER1 can list and control only the authorized resource.
466 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
wsadmin>appManager = AdminControl.queryNames('type=ApplicationManager,*
')
wsadmin>AdminControl.invoke(appManager,'stopApplication','HelloApplicat
ion')
''
wsadmin>AdminControl.invoke(appManager,'stopApplication','DefaultApplic
ation')
WASX7015E: Exception running command:
"AdminControl.invoke(appManager,'startApplication','DefaultApplication'
)"; exception information:
javax.management.JMRuntimeException: ADMN0022E: Access is denied for
the startApplication operation on ApplicationManager MBean because of
insufficient or empty credentials.
wsadmin>
For more information about the AdminTask object related to fine-grained security
refer to the InfoCenter. More information about implementing fine-grained
security can be found in TechDoc TD103324:
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/TD103324
You can control access to the name space using CosNaming roles. All
CosNaming roles are shown in Table 13-2.
CosNamingDelete Destroy objects in the name space, for example, using the
JNDI destroySubcontext method and CosNamingCreate
operations.
The ALL_AUTHENTICATED special-subject is the default
policy for this role.
468 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
In the administrative console, CosNaming roles mapping can be defined at the
following panel: Environment → Naming → CORBA Naming Service Users
or CORBA Naming Service Groups.
Figure 13-9 shows a default role definition granting read access to EVERYONE.
The role mappings that are added through the administrative console are ignored
if SAF authorization is enabled. If you use SAF as the authorization provider,
access to the naming role is controlled by RACF.
These are the commands to define the naming profiles in the EJBROLE class.
Prefix the profiles with your security domain identifier if you have one configured.
RDEFINE EJBROLE <domain.>CosNamingRead UACC(READ)
PERMIT <domain.>CosNamingRead CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)
RDEFINE EJBROLE <domain.>CosNamingWrite UACC(NONE)
RDEFINE EJBROLE <domain.>CosNamingCreate UACC(NONE)
RDEFINE EJBROLE <domain.>CosNamingDelete UACC(NONE)
PERMIT <domain.>CosNamingWrite CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
470 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
A
Select the Additional materials and open the directory that corresponds with
the book form number, SG247384.
Attention: We have developed and used the samples with IBM Rational
Application Developer. We strongly recommend using this tool for using the
samples. The samples are developed at the J2EE 1.4 level.
472 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Related publications
The publications listed in this section are considered particularly suitable for a
more detailed discussion of the topics covered in this book.
IBM Redbooks
For information about ordering these publications, see “How to get IBM
Redbooks” on page 475. Note that some of the documents referenced here may
be available in softcopy only.
Understanding LDAP - Design and Implementation, SG24-4986
WebSphere for z/OS V6 Connectivity Handbook, SG24-7064
WebSphere Application Server for z/OS V5 and J2EE 1.3 Security Handbook,
SG24-6086
Implementation and Practical Use of LDAP on the IBM eServer iSeries
Server, SG24-6193
Using LDAP for Directory Integration, SG24-6163
Secure Production Deployment of B2B Solutions using WebSphere Business
Integration Connect, SG24-6457
WebSphere Version 6 Web Services Handbook Development and
Deployment, SG24-6461
Distributed Security and High Availability with Tivoli Access Manager and
WebSphere Application Server for z/OS, SG24-6760
IBM WebSphere Application Server V6.1 Security Handbook, SG24-6316
WebSphere Application Server on z/OS and Security Integration, REDP-4161
Security with IBM Tivoli Access Manager V6 and IBM WebSphere Application
Server V6 on IBM z/OS, REDP-4205
Enabling security after initial customization in Version 6.1, Technote 1237841
Configuration of WebSphere Application Server Security, TIPS0206
Online resources
These Web sites are also relevant as further information sources:
The specification for XML Signatures
http://www.w3.org/Signature/
XML Encryption WG
http://www.w3c.org/Encryption
WebSphere Application Server Version 6 and later support Organization for
the Advancement of Structured Information (OASIS) Web services Security
(WS-Security) specifications
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic
=/com.ibm.websphere.zseries.doc/info/zseries/ae/cwbs_supportfunction.
html
What is new for securing Web services
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic
=/com.ibm.websphere.zseries.doc/info/zseries/ae/cwbs_welcwebsvcsec.
html
IBM HTTP Server - setting up a secure server
http://www-306.ibm.com/software/webservers/httpservers/doc/v51/icswg
003.html
WebSphere Application Server documentation
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic
=/com.ibm.websphere.zseries.doc/info/welcome_nd.html
IBM Education Assistant - CSIv2
http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/index.jsp?
topic=/com.ibm.iea.doc/welcome.htm&tab=search&searchWord=csiv2&maxHi
ts=50
474 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
IBM WebSphere Developer Technical Journal: Securing connections
between WebSphere Application Server and WebSphere MQ
http://www-128.ibm.com/developerworks/websphere/techjournal/0601_
ratnasinghe/0601_ratnasinghe.html
IBM SDKs - security information
http://www-128.ibm.com/developerworks/java/jdk/security/index.html
IBM Tivoli Directory Server, Version 6.0 - Quick installation path for a server
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic
=/com.ibm.IBMDS.doc/install04.htm
Windows Server 2003 Service Pack 1 32-bit Support Tools
http://www.microsoft.com/downloads/details.aspx?familyid=6EC50B78-8B
E1-4E81-B3BE-4E7AC4F0912D
Windows Server 2003 Resource Kit Tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57
ff-4ae7-96ee-b18c4790cffd
SPNEGO TAI configuration requirements
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic
=/com.ibm.websphere.zseries.doc/info/zseries/ae/rsec_SPNEGO_tai_reqs.
html
SPNEGO TAI custom configuration attributes
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic
=/com.ibm.websphere.zseries.doc/info/zseries/ae/rsec_SPNEGO_tai_
attribs.html
SPNEGO trust association interceptor (TAI) troubleshooting tips
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic
=/com.ibm.websphere.zseries.doc/info/zseries/ae/rsec_SPNEGO_trouble_
shoot.html
476 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Index
iscadmins 460
Numerics Monitor 460
128-bit encryption algorithm 268
Operator 460
40-bit encryption algorithm 268
administrative security 72
default authorization provider 455
A disabling
administration security using admin console 457
options 432 disabling, using wsadmin 457
do not enable security 437 options 449
use a z/OS security product 433 security trace 458
use a z/OS security product, user IDs creat- administrative security, fine-grained 462
ed 433 options to implement 463
use WAS security 435 adminstrative security
Administrative Console what does it protect? 72
Accessing ITDS configuration 378 Application Security
administrative security 449 enabling, in admin console 73
Certificate application security 72
manage certificate expiration 218 asymmetric cipher algorithm 30
change internal server user id 442 Auditing 4
Configuring the JVM for the SPNEGO TAI 416 authDataAlias 48
Develop your own TAI 396 Authentication 3
LDAP authentication keys 32
TDBM Authorization 3
Federate Repositories 368 Default authorization 384
z/OS LDAP SDBM 344 External authorization using JACC provider 385
z/OS LDAP TDBM 355 SAF authorization 384
RunAs thread identity 388 authorization group 462
SAF authorization 383, 385 authorization providers 450
Security Attribute Propagation default authorization 450
Vertical propagation 331 Java Contract for Containers (JACC)
security configuration reporting tool 448 external authorization 450
Security role-based System Authorization Facility (SAF) 450
AdminSecurityManager 461 authorization, SAF-based 25
Deployer 461
iscadmins 461
security wizard 448
B
base64 254
SPNEGO configuration 414
Basic Authentication 72, 98, 246
z/OS thread identity synchronization 387
Identity assertion 193
administrative roles
basic authentication 51
added in WAS V6.1 460
Binary Der Data 254
Administrator 461
AdminSecurityManager 460
Configurator 460 C
Deployer 460 CA - Top Secret 228
478 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
EJB authenticating in HTTP server
execution identity 33 logic al flow 36
Runas identity 33 HTTP(s) 13
security identity 33 Hypertext Transfer Protocol (HTTP) 90
security role 33 Hyptertext Transfer protocol over SSL (HTTPS) 91
EJB container
programmatic security APIs 11
ejbActivate() method 23
I
IBM SDKs 475
ejbCreate() method 23
IBM Tivoli Access Manager 3, 48, 360, 395, 397
ejbLoad() method 23
principal mapping module 48
Enterprise Information Systems (EIS) 22
IBM Tivoli Access Manager for e-business (TAMeb)
errors
17
creating native credentials 291
IBM Tivoli Directory Server v6 (ITDS) 340, 356,
External Authorization Server
367, 375, 475
Authorization using external authorization server
Configuration 375
configuration tasks 57
How to install 375
WebSphere z/OS configuration 378
F IBMJCECCA 192, 222, 275
Federated 25 ibm-webservices-bnd.xmi 112
Federated Repositories 363 ibm-webservices-bnd.xml 110
ITDS 378 ibm-webservicesclient-bnd.xmi 111
SPNEGO 399 ibm-webservicesclient-ext.xmi 111
what are federated repositories? 363 ibm-webservices-ext.xmi 111
fingerprint 88 ibm-webservices-ext.xml 110
fixes ICSF managed keys 192
PK31729 291 Identity Assertion
Form based authentication 72 Configuration
z/OS provider 199
Identity assertion 17
G IMS 336–337, 386, 388
General Inter-ORB Protocol (GIOP) 44
authorization and authentication support, in
Generic Security Services Username Password
WAS 24
(GSSUP) token 315
Connector 389
global security 71, 430
JDBC Connector 389
group 430
INADDR_ANY parameter 14
Integrity 3
H Intermediaries 80
Hardware Cryptography Internet 29
IBMJCE Interoperable Inter-ORB Protocol (IIOP) 44
characteristics 227 IP/UDP layer 29
IBMJCECCA
characteristics 227
hardware cryptography 192 J
J2C
HFS owner user ID, adding 432
application contract 23
HTTP Server
connector components 23
Authenticating in HTTP server
container contract 23
configuration tasks 37
contracts 23
HTTP server
system contract 23
Index 479
J2EE 9 Kerberos 392, 397
Security 5 Authentication protocol 393
J2EE client 13 Encryption types 411
J2EE client authentication using CSIv2 40 Keytab file 410
configuration tasks 43 Realm
logical flow 41 WinKerbRealm 399–400
J2EE Connector Architecture (JCA) zOSKerbRealm 399–400
custom mapping 47 Service Principal Name (SPN) 405
JCA custom principal mapping 46 key encryption method algorithm 177
J2EE deployment descriptor files 112 key information 114
J2EE security 10 key locator 114
declarative security 10 key store path, WebSphere default 175
programmatic security 10 keystore 226
J2EE security,architecture 11
J2EE server
J2EE server authentication using CSIv2 43
L
LDAP - Lightweight Directory Access Protocol
JAAS login module 59
337–338, 378
JACC - Java Contract for Containers
336–337, 340
External authorization 385
Active Directory 395
Java 2 security 5, 9
JOBLOG 361
Java Authentication and Authorization Service
messages 361
(JAAS) 19
SAF authorization 384
Java Authorization Contract for Containers (JACC)
SLAPDCNF member 341, 351
25
SPNEGO 399
Java Contract for Containers (JACC)
z/OS
authorization using external authorization server
SDBM 340–341
56
schema 342
Java Cryptography Extension (JCE) 222
WebSphere z/OS configuration 344
Java Cryptography Extension (JCE), IBM version
TDBM 337, 340, 350, 367
222
configuration 351
Java Message Service (JMS) 91
Federated Repositories 368
Java security 5
Native Authentication configuration 360
java.security file 223, 275
WebSphere z/OS configuration 355
JAX-RPC 91–92
WebSphere z/OS configuration for Native
JCA - J2EE Connector Architecture
Authentication 362
JCA custom principal mapping
Lightweight Directory Access Protocol (LDAP) 30
configuration tasks 50
Lightweight Third Party Authentication (LTPA) 16
resource adapter 389
link layer, 29
JCE - Java Cryptography Extension
LSA - Local Security Authority 395, 402
IBMJCECCA
LTPA token 116, 302
227
keys 302
What is JCE? 222
LtpaToken 297
JCECCRACFKS 276
LtpaToken2 297
K M
KDC - Key Distribution Center 392–393, 395, 398,
Message Authentication Code (MAC) 222
402, 412
Microsoft Internet Explorer 398
z/OS 399
SPNEGO configuration 419
480 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Microsoft Windows Active Directory (AD) 392, EJBROLE 8
395–396, 398 FACILITY 8
Create a user account for WebSphere Applica- GEJBROLE 8
tion Server for z/OS 405 KERBLINK 8
Microsoft Windows Server 2003 475 LOGSTRM 8
SP 1 475 SERVAUTH 8
SP1 401 SERVER 8
Microsoft Windows XP Professional 2002 SP2 401 STARTED 8
Mozilla Firefox 398 SURROGAT 9
SPNEGO configuration 421 Commands
ADDUSER 432
PERMIT 104, 434
N RACDCERT 284
naming service security 467
RDEFINE 104, 384–385, 434
Native Authentication 359, 373
SETROPTS 104
Why to use Native Authentication? 360
Cosnaming EJB Roles 9
nonce 115
GROUP 7
non-ICSF managed keys 192
How to define an EJBROLE in RACF 384
Non-repudiation 4
keystore 215
NTLM credential 397
MIXEDCASE option 443
mixed-case password support, enabling 443
O profile
OASIS 21 segments 7
Object Management Group (OMG) 5 profile, attributes 7
Open System Interconnection (OSI) 29 RACO (ENVR Object) 7
Operating System (OS) security 4 SPNEGO 399
org.omg.CORBA.NO_PERMISSION exception User Profiles 341
468 Redbooks Web Site 475
Organization for the Advancement of Structured In- Contact us xvi
formation Standards (OASIS) 82 Registries
OS thread identity 386 Introduction 336
Local Operating System 336, 382
Configurating WAS to use local z/OS for au-
P
Presumed Trust thorization 433
Identity assertion 193 SPNEGO 399
When 337
Standalone Custom Registry 336, 338
R How to write a custom registry? 338
RACDCERT 218 SAF authorization 384
RACF 103 Standalone LDAP Registry 336–337, 340
Access Control Element (ACEE ) 7 SDBM 340–341
Attribute configuration 341
AUDITOR 343 schema 342
CLASS 8 WebSphere z/OS configuration 344
classes, relevant to WAS on z/OS 8 TDBM 337, 340, 350
APPL 8 configuration 351
CBIND 8 WebSphere z/OS configuration 355
DIGTCERT 8 Why should you use a LDAP registry? 337
DSNR 8 Remote Method Invocation over Internet Inter-ORB
Index 481
Protocol (RMI-IIOP) 91 deleting a CA signer certificate 222
Repositories deleting a keyring 221
Federated repositories 336, 338 deleting a personal certificate 222
Resource Access Control Facility (RACF) 6 exporting a personal certificate 220
functionality 6 exporting a signer certificate to an HFS
profile 6 file 220
resource instances 462 generating a signer certificate 229
Reverse Proxy Security Server (RPSS) PKCS12B64 keyword 220
authenticating in reverse proxy security server PKCS12DER keyword 220
37 removing a CA signer certificate from a
configuration tasks 40 keyring 221
forwarding the user id mechanisms 38 removing a personal certificate from a
logical flow 39 keyring 221
RMI-IIOP 13 viewing a list of certificates on a keyring
Using jax-rpc to support non-SOAP binding 92 for a user ID 218
RPSS - Reverse Proxy Security Server viewing certificate authority information
TAI 395 218
RunAS 33 viewing personal certificate information
for a user ID 218
viewing in Admin console 217
S WebSphere
SAF - System Authorization Facility 336
available export formats 221
Authorization 383
certificate expiration monitoring 218
Delegation 385
deleting 221
EJBROLE 385
expired certificates 218
Profile mapper 385
expired certificates, email notification
Sample applications
218
SecurityInfo 98
importing 220
sas.client.props file 310
cipher suite 31
SDK 1.5 5
client certificate authentication 282
Secure Hash Algorithm (SHA-1) 164
configuration the z/OS Web Service provider
Secure Sockets Layer (SSL) 30, 91
255
aliases 211
configuring the Web Service requestor 261
authentication keys 32
configuring the Web Service requestor endpoint
Basic Authentication
URL 264
configuring 282
creating a new SSL Configuration in WAS 256
centrally managed 210
creating a new SSL inbound channel in WAS
certificate request 31
257
certificates
enforcing confidentiality 271
deleting keystores and truststores 222
enforcing integrity 267
deleting or adding to or from RACF keyring
errors
217
CWPKI0022E 242
RACF commands 218
ICSF address space unavailable 242
CERTB64 keyword 220
signer certificate is from a client’s truststore
CERTDER keyword 220
242
connecting a personal certificate 230
SSLC0008E 242
connecting to a ring 229
starting Websphere using IBMJCECCA pro-
creating a personal certificate 229
vider 243
creating a ring 229
handshake 30
482 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
handshake errors 239 JCECCARACFKS 226
handshake flow 95 JCEKS 225
handshake, common errors 242 JCERACFKS 225
hardware cryptographic support 272 JKS 225
configuring the Web Service provider for PKCS11 225
confidentiality 281 PKCS12 225
configuring the Web Service requestor for Java Secure Socket Extension (JSSE) 213
confidentiality 281 JCE provider 223
configuring the Web Service requestor SSL keystore 226
configuration 280 storage 227
connecting a CA to a keyring 272 keystore types 227–228
connecting a personal certificate to a keyring JCECCAKS 229
273 JCECCARACFKS 228
creating a new CA 272 JCEKS 228
creating a new keyring 272 JCERACFKS 228
creating a new personal certificate 273 JKS 228
exporting the signer certificate 274 PKCS11KS 229
HDWebServiceSSLConfig 280 PKCS12KS 228
importing the signer certificate 274 master secret 32
installing the unrestricted Java policy jars NodeDefaultSSLSettings 211
275 pre-master secret 32
JCECCRACFKS 276 protocol version 31
JCECCRACFKS, creating a new keystore repertoire alias 210
276 setting the cipher suite group, for Web Service
SSLException 281 provider 264
updating the JVM to use IBMJCECCA 275 symmetric encryption keys 32
validating confidentiality 281 System SSL (SSSL) 213
viewing CA information 273 trace, enabling dynamically 242
viewing the personal certificate information trace, JSSE 242
274 traces 241
hardware cryptography traces, enabling 241
Common Cryptographic Architecture (CCA) transport chain 259
interfaces 222 truststore 227
creatING a new keystore 237 WebSphere
diagnosing SSL handshake issues 240 keystores, available 224
IBMJCE4758 223 WebSphere V6.0 endpoint details 213
IBMJCECCA 222 WebSphere V6.1 210
IBMJCECCA, prereqs 223 WebSphere V6.1 endpoint details 214
JCECCARACFKS keystore 233 X.509 v.3 certificates 31
keys in hardware 234 security attribute propagation 294
safkeyring URI 237 attribute propagation 294
unrestricted policy jars 236 benefits 295
unrestricted policy jars, installing in Web- horizontal propagation 295, 298, 305
Sphere 236 configuration 301
update the java.security file with the IB- cross-cell considerations 302
MJCECCA provider 236 Data Replication Service (DRS) 299
IBMJCE provider DynaCache 299
keystore types example 300
JCECCAKS 226 JMX 299
Index 483
JMX calls 305 security role 33
LTPA key, sharing 303 Simple Object Access Protocol (SOAP) 90
LTPA keys, sharing 304 confidentiality 89
LTPA keys, sharing, automatically generated identity assertion 90
304 integrity 87
mechanisms, in WebSphere 299 Web Services authentication 51
performance implications 299 WS-Security standard 82
Single Sign On, cross-cell 303 Simple WebSphere Authentication Mechanism
SSO token 298 (SWAM) 16
identity propagation 294 Single Sign On (SSO) 16
initial login 295 authenticating in HTTP server 35
JAAS Subject 294 SOA - Service Oriented Architecture
Java serialization 297 Introduction to soa and z/OS security 76
Lightweight Third Party Authentication (LTPA) SOAP - Simple Object Access Protocol
296 RMI-IIOP with multiprotocol jax-rpc 92
Principal 294 SPNEGO 391
propagation login 295 Configuring Microsoft Internet Explorer 419
Reverse Proxy Security Server (RPSS) 295 Configuring Mozilla Firefox 421
Run-As 295 Configuring the JVM 416
Single Sign On (SSO) 294 Configuring the Microsoft Windows server 404
styles 295 Configuring WebSphere Application Server for
token framework 297 z/OS 414
vertical propagation 295 handshake 397
Webseal 295 RACF 399
WebSphere token framework Troubleshooting 422
authentication token 297 What is SPNEGO? 396
authorization token 297 SSO - Single Sign On 16
LtpaToken 297 SPNEGO 392
LtpaToken2 297 WebSphere Application Server for z/OS using
propagation token 297 SPNEGO 397
Single Sign On 297 z/OS KDC and Microsoft Windows KDC 399
Subject-based tokens 297 symmetric algorithm 30
thread-based token 297 symmetric encryption keys 32
security attribute propoagation Sync-to-OS Thread 386, 444
vertical propagation 328 activation 387
cross-cell considerations 334 defining RACF profile 446
implementation 331 What’s new in Version 6.1? 444
Remote Method Invocation (RMI) over the System Access Facility(SAF) 6
Internet Inter-ORB Protocol (RMI over IIOP) System Authorization Facility (SAF) 5
328 System Network Architecture (SNA) 29
Security Attribute Service (SAS) 305 system.wssecurity.IDAssertionUsernameToken
Security Constraint 267 128
security.xml file 218 system.wssecurity.PKCS7 128
server ID 441 system.wssecurity.PkiPath 128
Service Oriented Architecture (SOA) 51 system.wssecurity.UsernameToken 128
servlet system.wssecurity.X509BST 128
execution identity 33
Runas identity 33
security identity 33
484 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
T for any URI 66
TCP layer 29 for protected URIs only 65
Ticket system properties
Kerberos 392–393 com.ibm.wsspi.security.web.webauthreq
Ticket Granting Server (TGS) 393 67
Ticket Granting Ticket (TGT) 393 Web authentication behavior
token generator 114 admin console, settings 65
Top Secret 5 Web container
Trust association 17 programmatic security APIs 11
Trust Association Interceptor (TAI) 16, 38, 395 Web Services
Trust Relationship Authentication
TAI 395 logic flow 52
trust store path, WebSphere default 180 authentication 51
truststore 227 Confidentiality
configure z/OS provider 183
configure z/OS requestor 185
U Identity Assertion
unrestricted policy jars 275
configure the z/OS provider 199
user 430
Message layer security 21
user account repository 440
message layer security 78
User registry
authentication
federated repository 24
configuring a token for Web Service pro-
Local Operating System (LocalOS) 24
vider 123
standalone custom registry 24–25
configuring a token for Web Service re-
standalone LDAP 24
questor 119
custom token 117
V LTPA token 116
Virtual Member Manager (VMM) 365 token generator, configuring 120
token type 119
W custom 119
WAS - WebSphere Application Server Username 119
Accessing ITDS 378 X509 certificate token 119
Build Number Username token 116
cf20633.22 401 X.509 certificate token 116
Configuration XML digital signature 117
administration security option components
Do not enable security 437 callbackhandler 114
Use a z/OS security product 433 caller part 114
Use WebSphere Application Server se- key information 114
curity 435 key locator 114
Create a user account in the AD 405 nonce 115
JMS Provider 390 timestamp 115
OS thread identity 386 token generator 114
SPNEGO 391, 396 trust anchor 115
Kerberos requirements 412 confidentiality
trace 422 164
z/OS KDC 399 asymmetric encryption algorithms 164
Web authentication configuring encryption, server 171
Index 485
configuring provider 178 HTTP(S)
configuring requestor 172 authentication 94
configuring, encryption algorithm 171 Basic Authentication 94
encryption, algorithms 164 Basic Authentication information 94
extracting WebSphere for z/OS signer benefits 93
certificate 167 client certificate authentication 94
one-way encryption algorithm 164 integrity and confidentiality 94
support in WS-Security 165 Universal Resource Identifier (URI) 91
symmetric encryption algorithms 164 JMS
configuration components 114 SSL 97
configuration files 111 point-to-point security 93
deployment descriptors 110 Remote Method Invocation over Internet In-
deployment descriptors, editing tools 110 ter-ORB Protocol (RMI-IIOP) 92
deployment descriptors, format in Web- RMI over IIOP 98
Sphere versions 110 CSIv2 98
identity assertion 192 SOAP over HTTP 91
configuring 195 SOAP over JMS 92
configuring Web Service requestor 196 when to use? 80
trust modes 193 Web Services Interpretability Organization (WS-I)
trust relationship 203 84
WS-Security support 193 Web Services Security (WS-Security) 108
integrity 131 WebSeal 17
canonicalization method algorithm 143 Webseal 395
configuring the Web Service provider WebSphere Application Server
146 What is new in v6.1 security? 2
configuring the Web Service requestor WebSphere Application Server (WAS)
135 connections 13
configuring the z/OS provider for XML encryption algorithms 268
digital signature 154 security settings 440
configuring the z/OS requestor for XML WebSphere Application Server configuration group,
digital signature 159 create 431
digest method algorithm 144 WebSphere Application Server HFS Owner 431
signature method algorithm 143 WebSphere Message Queueing
transform 145 WMQ client authentication 53
XML digital signature 131 WebSphere MQ 19
integritysignature algorithm 133 communication protocols 97
security token 116 WebSphere MQ Extended Security Edition 97
SOAP security header 109 WebSphere token framework 297
when to use? 80 WebSphereCA 254
WS Binding 113 WMQ - WebSphere Message Queueing
WS Extension 113 JMS Provider 390
security exposures 77 World Wide Web (WWW) 29
Transport layer security 21 WS Binding 113
transport layer security 78 WS Extension 113
Basic Authentication, configuring 247 WS-Authorization 22
Basic Authentication, validating 250 WS-Federation 22
configuring the requestor to authenticate WS-Policy 22
249 WS-Privacy 22
Enterprise Service Bus (ESB) 93 WS-SecureConversation 22
486 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
WS-Security Z
authentication mechanisms 86 z/OS KDC 399
high level architecture 85 z/OS thread identity 389
identity assertion RunAs 388
basic authentication 90 synchronization 386
digital signature activation 387
90
modes 90
presumed trust 90
Kerberos Token Profile 84
Minimalist Profile (MProf) 84
Rights Expression Language (REL) Token Pro-
file 83
SAML Token Profile 83
SOAP Message Security 1.0 83
SOAP Message with Attachments (SwA) Profile
84
specifications 82
support in WAS V6.x 84
Web Services Security Username Token Profile
1.0 83
Web Services Security X.509 Certificate Token
Profile 1.0 83
WS-Authorization 83
WS-Federation 83
WS-I Basic Profile 84
support in WAS v6.0 and later 84
WS-I Basic Security Profile (BSP) v1.0 84
WS-Policy 82
WS-Privacy 83
WS-Secure Conversation 83
WS-Trust 83
XML digital signature 87
XML encryption standard 165
Ws-Security
XML encryption 89
WS-Security authentication mechanism
basic authentication 86
custom 86
ID assertion 86
LTPA 86
signature 86
WS-Trust 22
X
X.509 certificate token 116
X.509 v.3 certificates 31
XML digital signature 117
Index 487
488 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
Security in WebSphere
Application Server Version 6.1
and J2EE 1.4 on z/OS
Security in WebSphere Application
Server Version 6.1 and J2EE 1.4 on z/OS
Security in WebSphere Application Server Version 6.1 and
Security in WebSphere Application Server Version 6.1 and J2EE 1.4
Security in WebSphere
Application Server
Version 6.1 and J2EE
Security in WebSphere
Application Server
Version 6.1 and J2EE
Back cover ®
Security in WebSphere
Application Server Version 6.1
and J2EE 1.4 on z/OS
WAS and J2EE This IBM® Redbooks® publication was written with the
security concepts objective to provide a technical description of some of the INTERNATIONAL
and their most important security scenarios available with TECHNICAL
implementation on WebSphere® Application Server Version 6.1 for z/OS®. We SUPPORT
z/OS chose scenarios that are not really documented elsewhere ORGANIZATION
and that have had significant changes in Version 6.1.
Security integration
In the first two chapters we provide an overview of security
scenarios, including with WAS on z/OS for those readers who are unfamiliar with BUILDING TECHNICAL
SPNEGO and CSIv2 the security landscape on z/OS. From Chapter 3 onwards we INFORMATION BASED ON
PRACTICAL EXPERIENCE
go into more technical depth.
Web services
security and SSL in IBM Redbooks are developed by
WAS V6.1 the IBM International Technical
Support Organization. Experts
from IBM, Customers and
Partners from around the world
create timely technical
information based on realistic
scenarios. Specific
recommendations are provided
to help you implement IT
solutions more effectively in
your environment.