The problem

Connection without user identification
During its installation, WebSphere is configured to accept any user identification (without a password) for access to the administration console.
You can type anything and it works perfectly; there is no verification.
This is of course unacceptable, and in the recent versions a "wizard" leads you to activate global security. But it activates all of the J2EE security, which is useless most of the time.


The goal of this little article is to explain (I hope in a clear way) how to secure access to the WAS administration console without activating the whole J2EE security.
[Screenshot: connection without verification]

A solution

Before changing any important parameter in the WAS configuration, I remind you that it is always very important to back up your configuration with the backupConfig.sh command.

To make this modification you need to know the user name and password of the administrator account that WAS runs under (root).
We will deliberately limit ourselves to the local operating system accounts as the "user registry" for this implementation (you can also use LDAP or a custom solution, which of course has to be coded).
Port 9043 must be open (WAS administration is done over HTTPS, and the default port changes from 9060 to 9043).

Steps

1. If you have the "guided activities", you can use them for "global security activation"; they guide the user very well.
Then you have to deactivate "Java 2 security" and define the users (see point 3).

2. Unguided activation
Display the page "Security > Global security" and untick the option "Apply Java 2 security".

You should end up with the following settings:
"Activate global security": "on"
"Apply Java 2 security": "off"
"Apply fine-grained JCA security": "off"
"Use domain-qualified user IDs": "off"

"Issue an access-rights warning": "on"
"Active protocol": normally CSI (but you can activate CSI and SAS)
"Active authentication method": by default "SWAM"
"Active user registry": select "Local operating system"

When the modifications are done, you can validate them and display the page "User registries > Local operating system", which lets you configure the admin user ID (and its password).

3. Definition of the users:
To do this, open the page "System administration > Console parameters > Console users", where you can add the system users to whom you want to give WAS administration rights.
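
A read-only way to confirm that the settings from step 2 were actually saved, as an added example that is not part of the original article. It assumes the cell's security.xml (under the profile's config/cells/<cell>/ directory) stores the console checkboxes in the root-element attributes named below; check those names against your WAS version. The sample XML is constructed.

```python
import xml.etree.ElementTree as ET

XMI = "{http://www.omg.org/XMI}"

# Settings listed in the article, keyed by the security.xml attribute
# assumed to back each console option.
EXPECTED = {
    "enabled": "true",                         # global security: on
    "enforceJava2Security": "false",           # Java 2 security: off
    "enforceFineGrainedJCASecurity": "false",  # fine-grained JCA security: off
    "useDomainQualifiedUserNames": "false",    # domain-qualified user IDs: off
    "issuePermissionWarning": "true",          # access-rights warning: on
}

def audit_security_xml(xml_text):
    """Return a list of findings; an empty list means the file matches."""
    root = ET.fromstring(xml_text)
    findings = []
    for attr, want in EXPECTED.items():
        got = root.get(attr)
        if got != want:
            findings.append(f"{attr}={got!r}, expected {want!r}")
    # activeUserRegistry holds the xmi:id of one <userRegistries> child;
    # resolve it and check that it is the local operating system registry.
    active = root.get("activeUserRegistry")
    types = {r.get(XMI + "id"): r.get(XMI + "type", "")
             for r in root.findall("userRegistries")}
    if not types.get(active, "").endswith("LocalOSUserRegistry"):
        findings.append(f"activeUserRegistry={active!r} is not the local OS registry")
    return findings

# Constructed sample, not taken from a real cell: security still disabled.
SAMPLE = """<security:Security xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    enabled="false" enforceJava2Security="true"
    enforceFineGrainedJCASecurity="false" useDomainQualifiedUserNames="false"
    issuePermissionWarning="true" activeUserRegistry="LocalOSUserRegistry">
  <userRegistries xmi:type="security:LocalOSUserRegistry" xmi:id="LocalOSUserRegistry"/>
  <userRegistries xmi:type="security:LDAPUserRegistry" xmi:id="LDAPUserRegistry_1"/>
</security:Security>"""

if __name__ == "__main__":
    for finding in audit_security_xml(SAMPLE) or ["matches the article's settings"]:
        print(finding)
```

Run it against a copy of the file taken after backupConfig.sh; it only reads the XML and never writes to the configuration.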

Remarks

Warning: if your WebSphere server runs under a user account other than root, you can't use the local operating system as the "user registry".

Warning: if you activate security, it is compulsory to give authentication information to the command-line tools (for example: stopNode).

    For higher security you can also:

  • Configure your firewall to identify and filter the IP addresses that connect to port 9043
  • Allow access to the administration console only locally (127.0.0.1) and use SSH tunnels to administer it from another computer.