-
Introduction
If global security is disabled, you can log in to the administrative console without supplying a password.
You can type any user id, or even skip the user id, and still log in to the administrative console.
There is no authentication when global security is disabled.
-
How to enable administrative security (internal file-based built-in repository)?
Follow these steps to enable administrative security:
- In the administrative console.
- Click on "Security".
- Click on "Global security".
- Click the "Security Configuration Wizard" button.
Within the "Configure security" screen:
Step 1: Specify extent of protection
- Check the "Enable application security" checkbox.
- Optionally, check the "Use Java 2 security" checkbox if you want to restrict application access to local resources.
- Click Next
Step 2: Select user repository
- Check the "Federated repositories" checkbox (this will use the built-in repository).
- Click Next
Step 3: Configure federated repository
- Type your "Primary administrative user name"
- Type the password
Step 4: Summary
- This displays a summary of the values selected during the wizard.
- Click Finish
- Click Save
- Restart the server
Note:
You can find the file that contains the user information in:
${WAS_PROFILE_ROOT}\config\cells\[CELL_NAME]\fileRegistry.xml
Here's a typical content of the "fileRegistry.xml" file:
Note:
You can find the file that contains the repository information in:
${WAS_PROFILE_ROOT}\config\cells\[CELL_NAME]\security.xml
Look at the "activeUserRegistry" attribute of the "Security" element: [activeUserRegistry="WIMUserRegistry_1"]
With the value of this attribute you can find the "userRegistries" element that contains the repository information.
Here's a typical content of the "fileRegistry.xml" file:
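The lookup described in the note above (read the "activeUserRegistry" attribute of the "Security" element, then find the "userRegistries" element whose xmi:id matches it) can be scripted so that a configuration audit reports which registry is actually active. The following is an added example, not part of the original notes or of WebSphere itself; the security.xml content is a constructed, minimal stand-in, and the namespace URIs, the "enabled" attribute and the "customRegistryClassName" attribute are assumptions about the real file format.

```python
import xml.etree.ElementTree as ET

XMI = "http://www.omg.org/XMI"  # assumed namespace URI bound to the xmi: prefix

# Constructed stand-in for ${WAS_PROFILE_ROOT}\config\cells\[CELL_NAME]\security.xml.
# Only activeUserRegistry and the userRegistries children come from the notes above;
# the namespace URIs, "enabled" and "customRegistryClassName" are assumptions.
SAMPLE_SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:id="Security_1" enabled="true" activeUserRegistry="WIMUserRegistry_1">
  <userRegistries xmi:type="security:LocalOSUserRegistry" xmi:id="LocalOSUserRegistry"
      realm="defaultRealm"/>
  <userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1"
      realm="defaultWIMFileBasedRealm"/>
  <userRegistries xmi:type="security:CustomUserRegistry" xmi:id="CustomUserRegistry_1"
      realm="customRealm" customRegistryClassName="com.ibm.websphere.security.FileRegistrySample"/>
</security:Security>
"""


def active_registry(xml_text: str) -> dict:
    """Resolve the active user registry of a security.xml document.

    Returns a dict with the registry type, realm and plain attributes, plus whether
    global security is switched on. Raises ValueError when the pointer is missing or
    dangling (a dangling pointer is exactly the kind of inconsistency an audit wants).
    """
    root = ET.fromstring(xml_text)
    active_id = root.attrib.get("activeUserRegistry")
    if not active_id:
        raise ValueError("Security element has no activeUserRegistry attribute")
    for reg in root.findall("userRegistries"):
        if reg.attrib.get(f"{{{XMI}}}id") == active_id:
            return {
                "global_security_enabled": root.attrib.get("enabled") == "true",
                "active_id": active_id,
                "type": reg.attrib.get(f"{{{XMI}}}type"),
                "realm": reg.attrib.get("realm"),
                # non-namespaced attributes of the registry element (realm, class name, ...)
                "attributes": {k: v for k, v in reg.attrib.items() if not k.startswith("{")},
            }
    raise ValueError(f"no userRegistries element with xmi:id={active_id!r}")


if __name__ == "__main__":
    info = active_registry(SAMPLE_SECURITY_XML)
    print("global security enabled:", info["global_security_enabled"])
    print("active registry:", info["active_id"], info["type"], "realm", info["realm"])
    for name, value in sorted(info["attributes"].items()):
        print(f"  {name} = {value}")
```

To run it against a real profile, replace SAMPLE_SECURITY_XML with the text read from the path given in the note; a ValueError on a live file means the active registry pointer and the registry definitions no longer agree, which is worth fixing before enabling security.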
-
How to enable administrative security (file-based standalone custom registry)?
Before you start, you need to create two files: "usersFile.properties" and "groupsFile.properties".
You can save these two files in: ${WAS_PROFILE_ROOT}\fileRegistry
Here's the content of the "usersFile.properties" file (format: [user id]:[user password]:[user unique id]:[groups id list]:[user description]):
useradmin1:admin1:100:groupadmin1:Administrator User
Here's the content of the "groupsFile.properties" file (format: [group id]:[group unique id]:[users id list]:[group description]):
groupadmin1:100:useradmin1:Administrator group
Follow these steps to enable administrative security:
- In the administrative console.
- Click on "Security".
- Click on "Global security".
- Click the "Security Configuration Wizard" button.
Within the "Configure security" screen:
Step 1: Specify extent of protection
- Check the "Enable application security" checkbox.
- Optionally, check the "Use Java 2 security" checkbox if you want to restrict application access to local resources.
- Click Next
Step 2: Select user repository
- Check the "Standalone custom registry" checkbox.
- Click Next
Step 3: Configure federated repository
- Type your "Primary administrative user name": useradmin1
- The field "Custom registry class name" should be filled: com.ibm.websphere.security.FileRegistrySample
- Optionally, check the "Ignore case for authorization" checkbox.
- Add the first custom property: Name: usersFile, Value: C:\programs\IBM\WebSphere\AppServer\profiles\profile1\fileRegistry\usersFile.properties
- Add the second custom property: Name: groupsFile, Value: C:\programs\IBM\WebSphere\AppServer\profiles\profile1\fileRegistry\groupsFile.properties
Step 4: Summary
- This displays a summary of the values selected during the wizard.
- Click Finish
- Click Save
- Restart the server
Notes:
You may get the error: "SECJ7333E: Could not find admin name in the specified user registry".
This means that something may be incorrect in your properties files.
Or maybe you have an old configuration with the built-in repository: ${WAS_PROFILE_ROOT}\config\cells\[CELL_NAME]\fileRegistry.xml
If that is the case, you can fix this problem by either: (1) deleting the file "fileRegistry.xml", or (2) just removing the whole "wim:entities" element within this file.
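Because SECJ7333E at restart is expensive to debug (security is already on, so you are locked out until you fix or kill the server), it pays to validate "usersFile.properties" and "groupsFile.properties" against each other before running the wizard. The checker below is an added example written for these notes, not code from WebSphere or from the FileRegistrySample class; the two sample files are the ones shown earlier in this section, embedded as constructed strings. It assumes, beyond what the notes state, that several groups or users in a list are separated by "|", that the last field (the description) may contain colons, and that blank lines and lines starting with "#" are ignored.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample inputs, copied from the two files shown above in this section.
USERS_FILE = """# [user id]:[user password]:[user unique id]:[groups id list]:[user description]
useradmin1:admin1:100:groupadmin1:Administrator User
"""
GROUPS_FILE = """# [group id]:[group unique id]:[users id list]:[group description]
groupadmin1:100:useradmin1:Administrator group
"""

LIST_SEPARATOR = "|"  # assumed separator for multi-valued group/user lists


def _records(text: str, nfields: int, label: str) -> Tuple[List[List[str]], List[str]]:
    """Split a colon-separated registry file into rows of exactly nfields fields.

    The last field may contain colons (description), so only nfields-1 splits are made.
    Malformed lines are reported, not silently dropped.
    """
    rows, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumed: comments and blank lines allowed
            continue
        fields = line.split(":", nfields - 1)
        if len(fields) != nfields:
            problems.append(f"{label} line {lineno}: expected {nfields} fields, got {len(fields)}")
            continue
        rows.append(fields)
    return rows, problems


def check_registry(users_text: str, groups_text: str, admin_id: str) -> List[str]:
    """Return a list of consistency problems; an empty list means the files agree."""
    users, problems = _records(users_text, 5, "usersFile")
    groups, more = _records(groups_text, 4, "groupsFile")
    problems += more

    user_groups: Dict[str, Set[str]] = {}
    seen_uids: Dict[str, str] = {}
    for uid, _password, unique, grouplist, _desc in users:
        if uid in user_groups:
            problems.append(f"usersFile: duplicate user id {uid!r}")
        if unique in seen_uids:
            problems.append(f"usersFile: unique id {unique} used by {seen_uids[unique]!r} and {uid!r}")
        seen_uids.setdefault(unique, uid)
        user_groups[uid] = set(filter(None, grouplist.split(LIST_SEPARATOR)))

    group_users: Dict[str, Set[str]] = {}
    seen_gids: Dict[str, str] = {}
    for gid, unique, userlist, _desc in groups:
        if gid in group_users:
            problems.append(f"groupsFile: duplicate group id {gid!r}")
        if unique in seen_gids:
            problems.append(f"groupsFile: unique id {unique} used by {seen_gids[unique]!r} and {gid!r}")
        seen_gids.setdefault(unique, gid)
        group_users[gid] = set(filter(None, userlist.split(LIST_SEPARATOR)))

    # Cross-references must resolve in both directions.
    for uid, gset in user_groups.items():
        for gid in gset:
            if gid not in group_users:
                problems.append(f"usersFile: user {uid!r} lists unknown group {gid!r}")
            elif uid not in group_users[gid]:
                problems.append(f"groupsFile: group {gid!r} does not list member {uid!r}")
    for gid, uset in group_users.items():
        for uid in uset:
            if uid not in user_groups:
                problems.append(f"groupsFile: group {gid!r} lists unknown user {uid!r}")

    # The primary administrative user typed in the wizard must exist, or SECJ7333E follows.
    if admin_id not in user_groups:
        problems.append(f"primary administrative user {admin_id!r} not found in usersFile (expect SECJ7333E)")
    return problems


if __name__ == "__main__":
    for problem in check_registry(USERS_FILE, GROUPS_FILE, "useradmin1") or ["registry files are consistent"]:
        print(problem)
```

Run it with the real file contents and the exact user name you intend to type as "Primary administrative user name"; a non-empty result points at the line to fix before security is switched on.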
-
How to change the user information (including the "Primary administrative user name")?
Follow these steps to change the user information:
- In the administrative console.
- Click on "Manage Users".
- Click the link of the user you want to change.
- Within the "Manage Users" screen, you can change the "User ID", "First name", "Last name", "E-mail", and "Password".
If you are using a file-based repository, you can find the file that contains the user information in:
${WAS_PROFILE_ROOT}\config\cells\[CELL_NAME]\fileRegistry.xml
-
How to disable the administrative security?
Note:
Before you start, be sure that WAS is down; otherwise you have to give the administrator user name/password to stop the server (because security is still enabled in the running server process).
If that is your case, just kill the server process.
Follow these steps to disable the WAS administrative security:
- Open a terminal window.
- Go to ${WAS_PROFILE_ROOT}\bin
- Type the following command: wsadmin.bat -conntype NONE
- Press the key Enter. This should open the "wsadmin" tool
- Type the following command: securityoff
- Press the key Enter
- You should get the following message: "LOCAL OS security is off now but you need to restart server1 to make it affected."
- Type the following command: exit
- Press the key Enter
Start WAS, and log in to the administrative console. You may notice that you only have to fill in the user id, which can even be left empty!
-
How to reset the administrator's password in the file registry?
Note:
Before you start, be sure that WAS is down; otherwise you have to give the administrator user name/password to stop the server (because security is still enabled in the running server process).
If that is your case, just kill the server process.
Follow these steps to reset the administrator's password:
- Open a terminal window.
- Go to ${WAS_PROFILE_ROOT}\bin
- Type the following command: wsadmin.bat -conntype NONE
- Press the key Enter
- Type the following command: $AdminTask changeFileRegistryAccountPassword {-userId [WAS_ADMIN_ID] -password [WAS_ADMIN_NEW_PASSWORD]}
(Replace [WAS_ADMIN_ID] and [WAS_ADMIN_NEW_PASSWORD] by your administrator user id and its new password, then press the key Enter)
- Type the following command: $AdminConfig save
- Press the key Enter
- Type the following command: exit
- Press the key Enter
Start WAS, and log in to the administrative console using the administrator user id and its new password.
-
How to stop specifying the userName/password when stopping the server?
- Open the file "${WAS_PROFILE_ROOT}\properties\soap.client.props".
- Locate and modify the following properties:
- Save the file.
Next time, when you stop the server you won't be asked for the administrator password.
Notes:
If you change the administrator id or password, you have to modify this file to match the modification you made.
Also if you disable the global security, you have to reset the properties:
-
How to map users to administrative roles?
You can assign different administrative roles to users, which allow them to perform specific administrative tasks within the administrative console.
You can assign the following administrative roles to users: "Operator", "Deployer", "Configurator", "Monitor", "ISC Admins", "Administrator", "Auditor", "Admin Security Manager"
Follow these steps to map a user to administrative roles:
- In the administrative console.
- Click on "Security".
- Click on "Global security".
- Click the "Administrative user roles" link.
You can also go to "Users and Groups" and then click the "Administrative user roles" link.
- Within the "Administrative user roles" screen:
- Click the "Add..." button.
- Select the roles you want to assign to users.
- Click the "Search" button to find users that match the search filter.
- Add the found users to the list "Mapped to role".
- Click OK
- Click Save
-
SSL - Certificates
WAS saves by default two stores for certificates: the default key store and the default trust store.
- The key store file saves the public and private certificates of WAS: ${WAS_PROFILE_ROOT}\config\cells\[CELL_NAME]\nodes\[NODE_NAME]\key.p12
- The trust store file saves the private certificates of external servers or trusted Certificate Authorities: ${WAS_PROFILE_ROOT}\config\cells\[CELL_NAME]\nodes\[NODE_NAME]\trust.p12
To view the WAS default personal certificate in the key store:
- In the administrative console.
- Click on "Security".
- Click on "SSL certificate and key management".
- In the "Related Items" section, click on "Key stores and certificates"
- Click on "NodeDefaultKeyStore"
- Click on "Personal certificates"
To view the WAS root certificate in the trust store:
- In the administrative console.
- Click on "Security".
- Click on "SSL certificate and key management".
- In the "Related Items" section, click on "Key stores and certificates"
- Click on "NodeDefaultTrustStore"
- Click on "Signer certificates"
Notes:
The default and root certificates are created during the profile creation.
The default certificate is a chained certificate that has been signed by the root certificate.
-
How to monitor certificate expiration?
You can configure WAS to automatically replace expiring self-signed and chained certificates.
To configure the certificate expiration monitor:
- In the administrative console.
- Click on "Security".
- Click on "SSL certificate and key management".
- Click on "Manage certificate expiration"
- The screen shows all the information related to the certificate expiration monitoring.
You can also configure the notifications related to certificate expiration monitoring:
- In the "Related Items" section, click on "Notifications"
- Click the existing notification name "MessageLog"
- You can add an email if you want to receive notifications via email.
-
How to create a personal certificate request?
To create a personal certificate request:
- In the administrative console.
- Click on "Security".
- Click on "SSL certificate and key management".
- Click on "Key stores and certificates".
- Click on "NodeDefaultKeyStore".
- Click on "Personal certificate requests".
- Click New
- Type the path and file name for the "File for certificate request": "C:/programs/IBM/WebSphere/AppServer/profiles/profile1/personalCertificateRequests/myPersonalCertificateRequest.pcr"
- Type the information about the certificate.
- Click Apply
- Click Save
-
How to apply a certificate signing request (CSR)?
You can apply a certificate that is generated by a certificate authority:
- In the administrative console.
- Click on "Security".
- Click on "SSL certificate and key management".
- Click on "Key stores and certificates".
- Click on "NodeDefaultKeyStore".
- Click on "Personal certificates".
- Click the "Receive from a certificate authority..." button.
- Type the path and file name for the "Certificate file name": "C:/programs/IBM/WebSphere/AppServer/profiles/profile1/personalCertificateRequests/myPersonalCertificateRequest.csr"
- Select the data type.
- Click Apply
- Click Save
-
How to configure WAS to use the right certificate for the SSL transports?
You can configure the certificate that WAS will use for the SSL transports:
- In the administrative console.
- Click on "Security".
- Click on "SSL certificate and key management".
- Click on "SSL configurations".
- Click on "NodeDefaultSSLSettings".
- Select the alias of your certificate for the "Default server certificate alias"
- Select the alias of your certificate for the "Default client certificate alias"
- Click Apply
- Click Save