session 7 lab

Upload: lavakumark

Post on 05-Jul-2018


8/16/2019 Session 7 Lab

1/20

Lab – Websphere Application Server Session 8 WebSphere Security

Table of Contents

Security configuration – Tivoli Directory Server 6.1 with Websphere 6.1 ............ 1
1.1 Configure Federated Repository in Websphere Network Deployment Manager ............ 1
1.2 Create definition for the LDAP Repository ............ 2
1.3 Adding Repository to Realm ............ 4
1.4 Assign Administrative role ............ 6
1.5 Restart the server ............ 8
1.6 Test the Configuration ............ 9
2. Sample LDIF file ............ 10
3. SSL digital certificates and WebSphere Application server ............ 14
3.1 Browser to Web Server ............ 14
3.2 WebSphere to WebSphere (between Nodes) ............ 14
3.3 Web Server to WebSphere (through Plug-in) ............ 19

By

Ayyanar Jeyakrishnan

Security configuration – Tivoli Directory Server 6.1 with Websphere 6.1

1. Security Configuration in Websphere Application Server

Websphere 6.1 supports Federated Repositories, wherein multiple repositories can be configured under a single realm. The default file-based repository can also be part of the list of repositories. In this sample, we shall configure the federated repository in Websphere to include an additional LDAP (TDS) registry apart from the default file-based registry.

1.1 Configure Federated Repository in Websphere Network Deployment Manager

1. Start the Websphere Network Deployment if the server is not started.
2. Login to the Websphere admin console with an administrative-privileged user. The default username 'admin' and password 'admin' is created during the installation of WAS.
3. From the admin console navigate to Security > Secured administration, application and infrastructure.

1.2 Create definition for the LDAP Repository

This task shows how to create and configure a repository that links to the LDAP registry.

1. In the User account repository option select Federated repositories and click on Configure.

2. In the configuration window click on the 'Manage Repositories' link. This is used to list the already configured repositories for that server. This link also has options for creating and deleting the repositories. As per our requirement, we need to create a repository for the LDAP registry structure available (TDS).
3. Click on the ADD button. Enter the following details highlighted in the image below:
  a. Repository Identifier: Any unique identifier which is used to identify the repository, say, TDS6
  b. Directory type: Choose the appropriate LDAP server to be used. In our case, it would be IBM Tivoli Directory Server Version 6
  c. Primary Host Name: LDAP server hostname or IP address will work.
  d. Bind distinguished name: The DN used to bind with the LDAP server, say, cn=root.
  e. Bind Password: Appropriate password for the bind DN used.
  f. Login Properties: The property which the users use to login to Process server. In this case, the value would be uid

Note:
I. In the below screen shot, we have used the Bind Name as the LDAP admin user. It is mandatory to state it in the format 'cn=root'. We are using this to connect (bind) to the LDAP server.
II. In Login Properties, we are using 'uid', which says that the users at the LDAP registry are recognized with this property at login to the server. The admin has the choice of using 1 or more properties while configuring.
III. Rest of the fields are left as default.

4. Click Apply. This operation gets back to Manage Repository. Here verify the entry you just created. Save the changes to the repository.

1.3 Adding Repository to Realm

This task adds the repository created in the previous task to the 'Realm'.

2. Choose the repository (TDS6) you want to add to the realm. This lists the repository Identity.
3. Add the DN for the base entry as dc=ibm,dc=com

Note: This refers to the unique registry tree within the LDAP server which you want to connect to get the user and/or group details.

4. Click Apply. And Save the changes to the master configuration. Verify that the entry is made at the Configuration in the Federated repositories section.

5. Enter the 'Realm name'. This can be any name that would represent the security realm.
6. Enter the 'Primary administrative user name'. This is the admin user for WAS.
7. Click Apply. And Save the changes to the master configuration. This brings us back to the main page 'Secure administration, applications, and infrastructure'.
8. Here make sure that 'Federated repositories' is chosen under 'Available realm definitions' and then click on the 'Set as Current' button.

We have now completed the task of adding the LDAP registry into the federated repository configuration for WAS security.

1.4 Assign Administrative role

This task is used to assign the administrative role to the user(s) in LDAP.

1. Make sure that Administrative security is enabled.
2. Click on 'Administrative user roles'. This link is used to assign privileges to users.
3. Enter an existing username & assign the appropriate role.
4. Click Apply & Save the changes to the master configuration.
5. In this example, we have assigned 1 user 'wpsadmin' from LDAP as an administrator.

Note: It's 'Not Active' as that user is not logged in.

1.5 Restart the server

1. For the new security configuration to take effect, the WAS deployment Manager, the nodeagents and the Cluster server need to be restarted. Refer to the below steps for restarting the server.

  1. Log into the Administrative Console.
    a. Enter the following URL in a Web browser:
       http://localhost:9060/ibm/console/
       Enter admin for the user ID and admin for the password
  2. Stop the cluster - MyCluster.
    a. Click Servers > Clusters.
    b. Check MyCluster, and then click Stop.

Wait for the Status to change to solid red. Continually refresh the Status and verify that the MyCluster status is solid red, indicating "Stopped".

  3. Stopping the deployment Manager and two nodeagents
    a. Return to the DOS command shell on the system that you used to start and stop the Application Server (if you closed the shell, the directory is C:\IBM\WebSphere\AppServer\profiles\AppSrv0\bin)
    b. Enter the command
       stopNode.bat
       Make sure that the node is stopped
    c. Return to the DOS command shell on system A that you used to start and stop the Application Server (if you closed the shell, the directory is C:\IBM\WebSphere\AppServer\profiles\AppSrv01\bin)
    d. Enter the command
       stopNode.bat
       Make sure that the node is stopped
    e. Return to the DOS command shell on system A that you used to start and stop the Application Server (if you closed the shell, the directory is C:\IBM\WebSphere\AppServer\profiles\Dmgr01\bin)
    f. Enter the command
       stopManager.bat -username admin -password admin
       Make sure that the deployment manager is stopped
  4. Start the Deployment Manager and two nodeagents
    a. From a DOS command prompt on System A, execute the following:
       cd c:\IBM\WebSphere\AppServer\profiles\Dmgr01\bin
       startManager.bat
       Wait until the Deployment Manager has been started.
    b. Start the Node Agent on System A
       From a DOS command prompt on System A, execute the following:
       cd c:\IBM\WebSphere\AppServer\profiles\AppSrv01\bin
       startNode.bat
    c. Start the Node Agent on System B
       From a DOS command prompt on System A, execute the following:
       cd c:\IBM\WebSphere\AppServer\profiles\AppSrv02\bin
       startNode.bat
  5. After the server restarts, you should be able to login to the admin console with the wpsadmin user (password: wpsadmin).

1.6 Test the Configuration

1. To verify the list of users from LDAP, click on Users and Groups > Manage Users. Click on Search. All the users, including the wpsadmin user from the LDAP registry, would be listed.
2. To verify the user groups, click on Manage groups and click on Search. Groups from the file-based repository as well as the LDAP repository are listed in the results.
3. To verify the users in the groups, click the group name links in the above image and then click on Members.

2. Sample LDIF file

Save the below lines in a file with an extension of .ldif (for example, wpsusers.ldif) so it can be imported into an LDAP server. Before you import the file, remember to create a suffix in the LDAP server of dc=ibm,dc=com. (The userpassword, ibm-entryuuid and ibm-slapdCrypto values below are reproduced as they appear in the original document.)

version: 1

dn: cn=crypto,cn=localhost
cn: crypto
objectclass: ibm-cryptoConfig
objectclass: ibm-slapdConfigEntry
objectclass: top
ibm-slapdCryptoSync: 40!"#$g!%&p$%y0'==
ibm-slapdCryptoSalt: '()b*C#$+m
ibm-entryuuid: ced0a/c-022-4//-b$1$-44ce4ea2/f

dn: dc=ibm,dc=com
dc: ibm
objectclass: domain
objectclass: top
ibm-entryuuid: dffabac-aca-40$-240-12f$0a4d

dn: cn=John,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: person
objectclass: top
objectclass: organizationalPerson
sn: Play
cn: John
uid: John
userpassword: 6'ES/7ho38pm9;fbmb/$a4-c/ae-44>-2a01-ecf>11/$ce40

dn: cn=VicePresident,dc=ibm,dc=com
objectclass: groupOfNames
objectclass: top
member: CN=NULL
cn: VicePresident
ibm-entryuuid: f$f4f-ae1c-400/-add4-4/d2d00/
member: cn=John,dc=ibm,dc=com

dn: cn=Ashish,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: top
objectclass: person
objectclass: organizationalPerson
sn: V
cn: Ashish
userpassword: 6'ES/7vAt(0/i%vB@jDE%s9"'==
uid: Ashish
ibm-entryuuid: 1c>dfd1-144-4$>-2f>-e1$0a0d$2

dn: cn=Samay,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: person
objectclass: top
objectclass: organizationalPerson
sn: K
cn: Samay
ibm-entryuuid: a>a4f0de-a>cf-4fc-a4$4-f2$0ed>10$

dn: cn=SeniorUnderwriters,dc=ibm,dc=com
objectclass: groupOfNames
objectclass: top
cn: SeniorUnderwriters
member: CN=NULL
ibm-entryuuid: 2bb>b0$-4$$1-4$a->fdd-a>20ca4b0>0c
member: cn=Ashish,dc=ibm,dc=com
member: cn=Samay,dc=ibm,dc=com

dn: cn=Pawan,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: top
objectclass: person
objectclass: organizationalPerson
sn: Negi
cn: Pawan
uid: Pawan
userpassword: 6'ES/7d9@lDj'#FGS%2r99(9==
ibm-entryuuid: 4be100-c$4-44bb-2b1f-f>/a2becfb

dn: cn=Rohit,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: person
objectclass: top
objectclass: organizationalPerson
sn: Garg
cn: Rohit
ibm-entryuuid: a$c>/d0-100c-4$-bac-$0e0cf414

dn: cn=Astha,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: top
objectclass: person
objectclass: organizationalPerson
sn: <
cn: Astha
uid: Astha
userpassword: 6'ES/7!%v%S9sHH8s0bI(4G5==
ibm-entryuuid: 4fac$>c-d2//-4/0-abd-4>e004a04c

dn: cn=Parul,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: person
objectclass: top
objectclass: organizationalPerson
sn: Khanna
cn: Parul
ibm-entryuuid: 0ddf4>2-edcc-4$df-a$/->aebfadd//a

dn: cn=LoanOfficers,dc=ibm,dc=com
objectclass: groupOfNames
objectclass: top
cn: LoanOfficers
member: CN=NULL
ibm-entryuuid: /e1a122-fc-4>ae-2c4c-eb/2ca$/440
member: cn=Astha,dc=ibm,dc=com
member: cn=Rohit,dc=ibm,dc=com

dn: cn=Underwriters,dc=ibm,dc=com
objectclass: groupOfNames
objectclass: top
cn: Underwriters
member: CN=NULL
ibm-entryuuid: 020de$/>->4bb-4>>-b/2c-$c/2//ec1
member: cn=Parul,dc=ibm,dc=com
member: cn=Pawan,dc=ibm,dc=com

dn: cn=wpsadmin,dc=ibm,dc=com
userpassword: 6'ES/7>28#Jdclcs8SC.Drel55==
objectclass: inetOrgPerson
objectclass: person
objectclass: top
objectclass: organizationalPerson
cn: wpsadmin
sn: wpsadmin
uid: wpsadmin
ibm-entryuuid: f/f4a-cdca-44e/-a>/-/de$a0cf/0

dn: cn=ldapadmin,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: top
objectclass: person
objectclass: organizationalPerson
cn: ldapadmin
sn: ldapadmin
uid: ldapadmin
userpassword: 6'ES/7J0or3?%HmBnCo;C3jmg==
ibm-entryuuid: b0af>e-$/>/-4e>e-b$40-/01f102/0

dn: cn=admingroup,dc=ibm,dc=com
objectclass: groupOfNames
objectclass: top
cn: admingroup
member: CN=NULL
ibm-entryuuid: /f00140d-ee$-4f10-20$-$dcbaef0dd4
member: cn=wpsadmin,dc=ibm,dc=com
member: cn=ldapadmin,dc=ibm,dc=com
member: cn=John,dc=ibm,dc=com
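The repository definition in section 1.2 keys logins on uid and section 1.3 scopes the realm to the base entry dc=ibm,dc=com, so an LDIF import only "works" for WebSphere if every user carries a unique uid and every group member DN resolves to a real entry under that base (note that several users in the sample above have no uid at all). The following Python script is an added example, not part of the lab, that checks those points with the standard library before the file is imported. SAMPLE_LDIF is constructed here to mirror the layout of the sample (it is not the lab's file) and carries three deliberate defects; BASE_ENTRY and LOGIN_PROPERTY are the values chosen in sections 1.2 and 1.3.

```python
"""Pre-import check of an LDIF file for the LDAP registry that WebSphere's
federated repository will use.  Added example, not the lab's code; SAMPLE_LDIF is
constructed to mirror the lab's sample (inetOrgPerson users and groupOfNames
groups under dc=ibm,dc=com) and carries three deliberate defects."""
import base64
from collections import Counter

BASE_ENTRY = "dc=ibm,dc=com"   # base entry added to the realm in section 1.3
LOGIN_PROPERTY = "uid"         # login property chosen in section 1.2

SAMPLE_LDIF = """\
version: 1

dn: dc=ibm,dc=com
dc: ibm
objectclass: domain

dn: cn=John,dc=ibm,dc=com
objectclass: inetOrgPerson
cn: John
sn: Play
uid: John

dn: cn=Samay,dc=ibm,dc=com
objectclass: inetOrgPerson
cn: Samay
sn: K

dn: cn=Pawan,dc=ibm,dc=com
objectclass: inetOrgPerson
cn: Pawan
sn: Negi
uid: john

dn: cn=admingroup,dc=ibm,dc=com
objectclass: groupOfNames
cn: admingroup
member: CN=NULL
member: cn=John,dc=ibm,dc=com
member: cn=Samay,dc=ibm,dc=ibm
"""

def parse_ldif(text):
    """LDIF -> list of {attribute: [values]} (attribute names lower-cased).
    Handles folded continuation lines and base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:                      # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
        elif not (line.startswith("#") or line.lower().startswith("version:")):
            name, _, value = line.partition(":")
            if value.startswith(":"):              # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def norm_dn(dn):
    """Comparison key for a DN: case-insensitive, no spaces around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def check_ldif(text, base_entry=BASE_ENTRY, login_property=LOGIN_PROPERTY):
    """Report what WebSphere would only surface after the import: entries outside
    the base entry, users lacking the login property, non-unique login values,
    and group members whose DN exists nowhere in the file."""
    entries = [e for e in parse_ldif(text) if "dn" in e]
    base = norm_dn(base_entry)
    known = {norm_dn(e["dn"][0]) for e in entries}
    logins, problems = Counter(), []
    for e in entries:
        dn = norm_dn(e["dn"][0])
        classes = {c.lower() for c in e.get("objectclass", [])}
        if dn != base and not dn.endswith("," + base):
            problems.append(f"{dn}: outside {base}, invisible to the realm")
        if "inetorgperson" in classes:
            values = e.get(login_property, [])
            if not values:
                problems.append(f"{dn}: no {login_property}, user cannot log in")
            logins.update(v.lower() for v in values)
        if "groupofnames" in classes:
            for member in e.get("member", []):   # CN=NULL is TDS's empty-group placeholder
                if norm_dn(member) != "cn=null" and norm_dn(member) not in known:
                    problems.append(f"{dn}: member {member} does not exist")
    problems += [f"{login_property}={v} is not unique ({n} entries)"
                 for v, n in logins.items() if n > 1]
    return problems

if __name__ == "__main__":
    for problem in check_ldif(SAMPLE_LDIF):
        print("PROBLEM:", problem)
```

To run it against a real export, read the .ldif file into a string and pass it to check_ldif; the TDS configuration entry under cn=localhost will be reported as outside the base entry, which is expected since the realm never sees it.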

3. SSL digital certificates and WebSphere Application server

3.1 Browser to Web Server

Covered in Session 4 Lab

3.2 WebSphere to WebSphere (between Nodes)

For WAS 6.x

First let

Click OK and Save the changes

• Go back to Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates
• Select the old DMGR certificate and click Replace.
• On the next screen, you are able to choose which certificate will replace the old certificate. Accept your new certificate. Do not select either Delete old certificate after replacement or Delete old signers. Accept your new certificate and any browser prompts.
• On the next screen, select the old certificate and click Delete. Click OK and Save the changes.

The certs need to be exchanged for establishing secure communication. So add the DMGR cert to CellDefaultTrustStore.

• Go to SSL certificate and key management > Key stores and certificates.
• Select CellDefaultKeyStore and CellDefaultTrustStore and click Exchange signers

• Select the certificate in CellDefaultKeyStore personal certificates created in the previous step and click Add.
• Click OK and Save the changes.

B. Node Certificates

• Go to Security > SSL certificate and key management > Manage endpoint security configurations.
• Under Inbound, click the link for the node, nodename(NodeDefaultSSLSettings,null).

• Click the Manage certificates button.
• Click on Create a self-signed certificate and Enter the required attributes.
• Click OK and Save the changes
• Go back to Security > SSL certificate and key management > Manage endpoint security configurations, click nodename(NodeDefaultSSLSettings,null), click Manage certificates.
• Select the old certificate and click Replace.
• On the next screen, you are able to choose which certificate will replace the old certificate. Accept your new certificate. Do not select either Delete old certificate after replacement or Delete old signers.
• On the next screen, select the old certificate and click Delete. Click OK and save the changes.

Now Exchange the Node Signer cert with CellDefaultTrustStore

• Go to Security > SSL certificate and key management > Manage endpoint security configurations.
• Under Inbound, click the link for the node, nodename(NodeDefaultSSLSettings,null) and select Key stores and certificates.
• Select NodeDefaultKeyStore and CellDefaultTrustStore and then Click Exchange signers.

• Select the certificate in NodeDefaultKeyStore personal certificates created in the previous step and click Add.
• Click OK and Save the changes.
• Delete the old signer certificates and extract the new ones.
• Go to SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates
• Select all of the old signer certificates and click Delete. If you are not sure, you can compare the Fingerprint and/or the Expiration dates with the personal certificate in the keystores.
• Select one of the new certificates. Click Extract.
• Enter a File Name that corresponds to the certificate. For example, node1.arm. Click Ok.
• Repeat this for each of the new certificates, making sure you have done this for the cell signer and all of the node signers. These files are saved to the profileroot/Dmgr/etc directory.

Manually copy the trust store to each of the /etc directories.

• Backup the trust.p12 in profileroot\Dmgr\etc
• Copy the profileroot\Dmgr\config\cells\cell-name\trust.p12 to profileroot\Dmgr\etc
• Backup the trust.p12 in each of the nodes' profileroot\Appsrv\etc directories.
• Copy the profileroot\Dmgr\config\cells\cell-name\trust.p12 to profileroot\Appsrv\etc

Note: If you have multiple nodes, you need to do the Node Certificate section for all nodes separately.

Now, Restart the DMGR and sync the nodes using the 'syncnode' command. Then start the Node Agents and Application Servers.
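The step above says to compare the Fingerprint and/or the Expiration dates before deleting the old signers from CellDefaultTrustStore, and the extracted .arm files are simply PEM-encoded certificates. The following Python script is an added example, not part of the lab: with the standard library only it reads .arm text, computes the SHA-256 fingerprint in the colon-separated form the console displays, walks the DER structure to pull out the validity dates, and labels each signer relative to the new personal certificate. The certificates it runs on are produced by build_demo_cert, a constructed DER skeleton with no key or signature; the aliases and dates in demo_report are assumptions for the demonstration.

```python
"""Fingerprint/expiry check for signer certificates before deleting old ones from
CellDefaultTrustStore.  Added example (stdlib only), not the lab's own material;
the certificates come from build_demo_cert, a constructed DER skeleton."""
import base64
import datetime
import hashlib

UTC = datetime.timezone.utc

def pem_to_der(pem_text):
    """Drop the BEGIN/END lines of a .arm (PEM) file and base64-decode the body."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)

def der_to_arm(der):
    """Wrap DER bytes as the PEM text WebSphere writes to a .arm file."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def fingerprint(der, algo="sha256"):
    """Colon-separated hex digest of the DER bytes, as the admin console shows it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def _tlv_at(buf, pos):
    """Decode one DER header at pos: (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element inside a constructed one."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv_at(buf, pos)
        yield tag, vs, ve
        pos = ve

def _parse_time(tag, raw):
    """ASN.1 UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:
        year = int(text[:2])
        text = str(year + (1900 if year >= 50 else 2000)) + text[2:]
    return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def validity(der):
    """(notBefore, notAfter): Certificate -> tbsCertificate -> the 4th field after
    the optional [0] version (serial, signature, issuer, validity)."""
    _, cert_start, cert_end = _tlv_at(der, 0)
    _, tbs_start, tbs_end = next(_children(der, cert_start, cert_end))
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    _, v_start, v_end = fields[3]
    return tuple(_parse_time(t, der[a:b]) for t, a, b in _children(der, v_start, v_end))

def _tlv(tag, content):
    """DER-encode one element (only used to build the demo certificates)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def build_demo_cert(common_name, not_before, not_after):
    """Constructed skeleton: version, serial, algorithm, issuer, validity, subject,
    empty key and signature.  Parses like a certificate; useless for TLS."""
    def gen_time(d):
        return _tlv(0x18, d.strftime("%Y%m%d%H%M%SZ").encode("ascii"))
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03")  # commonName OID
                                        + _tlv(0x0C, common_name.encode("utf-8")))))
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + name
               + _tlv(0x30, gen_time(not_before) + gen_time(not_after)) + name + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))

def classify_signers(signer_arms, new_personal_arm, now):
    """Label each signer: the new personal cert itself, expired, or an old signer."""
    new_fp = fingerprint(pem_to_der(new_personal_arm))
    report = {}
    for alias, arm in signer_arms.items():
        der = pem_to_der(arm)
        fp, (_, not_after) = fingerprint(der), validity(der)
        if fp == new_fp:
            status = "matches new personal cert"
        elif not_after < now:
            status = "expired"
        else:
            status = "old signer"
        report[alias] = (fp, not_after.date().isoformat(), status)
    return report

def demo_report():
    """Constructed scenario (aliases and dates assumed): expired, stale and new node signers."""
    d = datetime.datetime
    new_arm = der_to_arm(build_demo_cert("node1", d(2019, 8, 1), d(2020, 8, 1)))
    signers = {"node1_expired": der_to_arm(build_demo_cert("node1", d(2017, 1, 1), d(2018, 1, 1))),
               "node1_stale": der_to_arm(build_demo_cert("node1", d(2018, 6, 1), d(2019, 12, 1))),
               "node1_new": new_arm}
    return classify_signers(signers, new_arm, now=d(2019, 8, 16, tzinfo=UTC))

if __name__ == "__main__":
    for alias, (fp, expires, status) in demo_report().items():
        print(f"{alias:14} notAfter {expires}  {status}\n{'':15}{fp}")
```

On a real cell, read the extracted .arm files from profileroot/Dmgr/etc into the signer_arms dictionary (one entry per alias) and pass the newly created personal certificate's .arm as new_personal_arm; anything labelled "old signer" still deserves a look at its fingerprint against the console before it is deleted.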

3.3 Web Server to WebSphere (through Plug-in)

• Go to Servers > Web servers. Click webservername, and then under Additional Properties click Plug-in properties.
• Click Manage keys and certificates under Additional Properties, click Signer certificates and then click Add. Enter a unique Alias Name and then specify the File Name that you exported as a .arm file.

Repeat this for each of the new certificates, making sure you have done this for the cell signer and all of the node signers.

• Manually copy the plugin-key.kdb from the local configuration to the Web server. (Default locations: profileroot\Dmgr\config\cells\cell-name\nodes\node-name\servers\web-server-name\plugin-key.kdb to Web-server-root\Plugins\config\web-server-name\plugin-key.kdb)
• Start the Web server