During his installation Websphere is configure to accep all the users identification (wihout passwords) to accede to the administration console.
You can type anything it goes perfectly, there is no verification.
This is of course unacceptable and in the recent versions, a ‘wizard” lead you to activate the global security. But it activates all the J2EE security what is most of the time useless.


The goal of this little article is to explain you (I hope in a clear way) how to securate the access to the WAS administration console without activating the whole J2EE security.

A solution

Before changing anu important parameterin the WAS configuration, I remember you that it is always very important to do a backup of your configuration by a command.backupConfig.sh.

To do this modification you have to know the code and the pass word of the administrator account that make WAS turn (root).
We will limit us voluntarily to the local exploitation system’s account as “user register” for this implementation (you can also use LDAP and a personalisated solution -coded of course-).
You must have the 9043 port open (the WAS administration is done in https and change by default from the 9060 port to the 9043 port).

Etapes

1. If you have the “lead activities” you can use itfor “global security activation”, it leads very well the user.
Then you have to desactivate the “Java 2 security” and determine the users (see point 3).

2. Unlead activation
Display the page”Security>Global security” and un tick off the option “Apply the Java 2 security”

You have to go and see :
“Activate the global security” with “on”
“Apply the Java 2 security” with “off”
“Apply the JCA security at small granulousity ” with “off”
“Use defined user’s ID as a fonction of the domaine” with “off”

“Emit a warning of access right” with “on”
“Protocole active” normaly CSI (but you can activate CSI and SAS)
“Active Authentification Method ” par défaut “SWAP”
“Registre d’utilisateurs actif” sélectionnez “Système d’exploitation local”

When the modifications are done you can validate this and display the page “Users registers>Local system exploitation” which permit to configure the admin user ID (and his pass word).

3. Definitions of the users :
For that, you have to apply the page “System administration>Console parameters>Console users” and you can add at that the system users to who you want to give rights in WAS asministration.

Remarks

Warning : If your Websphere serveur run under an other user account than root You can’t use the local exploitation system as “User register”

Warningn : If you activate the security it is compulsoryto give authentification informations to command line tools (for exemple : stopNode plus d’info

For a higher security you can also :
• Configure your firewall to identify and filter the IP address which connect to the port 9043
• Allow only the access to the administration in “local” (127.0.0.1) and use ssh tunels to admin this on an other computer.

A few days ago I had a little problem when I tried to deploy in WAS 6.0 (Websphere Application Serveur 6) an application including a PDF signature.
During the execution of the servlet’s signature, I had the following problem :

java.lang.Exception: java.lang.Exception: java.io.IOException:
Error in loading the keystore: Private key decryption error:
(java.lang.SecurityException: Unsupported keysize or algorithm parameters)

Resolution

This error is caused by the JCE libraries used by the virtual java’s machine executing WAS. This JVM is the standard version and it had a limited support of cryptographie’s algorithme. To correct this you just have to substitute two jar files in teh configuration of the JVM IBM (local_policy.jar et US_export_policy.jar).
This files are in the index $JAVA_HOME/jre/lib/security (for exemple /usr/lib/jvm/jre-ibm/lib/security or /opt/IBM/WebSphere/AppServer/java/jre/lib/security).
You can download this non limited librairies http://www-128.ibm.com/developerworks/java/jdk/security/142/ (file unrestrict142.zip)

When the file is download you had to:

• Decompress the downloaded file
• Verify that this file contains local_policy.jar et US_export_policy.jar
• Stop Websphere
• Save the old files
• Substitute the two files
• Take off again WAS

For his installation Websphere need to use root account. The installation’s script don’t propose the creation or utilisation of an other user account. This is disturbing because all the objets created by Webphere belong to root.

But it’s easy to correct this problem.

Modifications to do

I take in account that you have created the user and the group that you wanted. After that you just have to connect yourself to the Websphere’s administration console to change some parametres in this page : Execution process parameters.

You can go to this page thanks to the menu Servers > Applications server > name_of_your_server and (in the options of this page) Server Infrastructure > Gestion des processus and Java > Processus Execution.

So you can change the user and group wich is going to run the principal process of Websphere ( java ). With that, all objects created by websphere (images, files, …) are accessible even to other user than root.

Warning : after this you must change the owner of all files and directorys read by Websphere ( $WAS_HOME/ and your WebApp and all other required files)