Concerns on security function within Websphere Application Server - websphere

I'm confused about the relationship between the file security.xml and inbound/outbound SSL (from the attached picture) within WebSphere Application Server.
The file security.xml is located under the path PROFILE_HOME/config/cells/CELL_NAME.
If I disable security by setting the enable property to false in that security.xml, is the SSL function also disabled? Conversely, if enable is set to **true**, is SSL enabled accordingly?
Please correct me if I'm understanding this wrongly.

In general, security and SSL are not the same, but there is a strong relationship between them.
If security is enabled, then SSL might be enforced in certain communications. As Davanum Srinivas mentioned, the communication between the node agents and the dmgr starts using SSL. The deployment descriptor entries which mandate confidentiality would start being enforced when security is enabled, etc.
HTH

Related

Delegation Error for Kerberos for Specific Windows Workstation

I am having a workstation-specific Kerberos issue and hope someone here would have additional recommendations.
Our application has an application server and a web server, and we have Kerberos configured on both the application layer and the web layer.
For certain users, when we provide the Kerberos link, they are not able to log in. We found out the issue is workstation specific. On the same problematic workstation, the user could access the application server via Kerberos authentication.
On the WebLogic side we see the following error:
[SpnegoFilter.doFilter] Although user authentication to xxx was successful, Integrated Authentication could not extract the user's credentials because it appears delegation was either not configured or disallowed
I am looking for any Windows setting that could potentially lead to this issue. We checked that our domain is trusted on both working and non-working machines at the browser level, and the GPO settings are the same.
What you're describing is unconstrained delegation, which is the act of a user handing the remote server their TGT so the server can impersonate the user without restriction.
Windows deems this as incredibly dangerous (it is) and is moving towards disabling it outright when certain security services are enabled on the client, specifically Credential Guard. It will also block it for users that are members of the Protected Users security group, though the fact that it's affecting specific workstations leans towards Credential Guard.
If it is one of the above issues, the correct solution is to switch to constrained delegation.
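The three factors named in the answer (Credential Guard on the client, the delegation type configured on the service account, Protected Users membership) can be checked together. This is an added diagnostic script, not part of the thread; it assumes it is run on the failing workstation with the RSAT ActiveDirectory module available, and `svc-webtier` and `jdoe` are placeholder names.

```powershell
# Added diagnostic (not from the thread). Assumes the RSAT ActiveDirectory module
# is present and the caller can read AD. 'svc-webtier' and 'jdoe' are placeholders.
param(
    [string]$ServiceAccount = 'svc-webtier',  # placeholder: account the web tier runs as
    [string]$UserName       = 'jdoe'          # placeholder: user who cannot log in
)

# 1. Client side (run ON the failing workstation): is Credential Guard running?
#    SecurityServicesRunning contains 1 when Credential Guard is active; it stops
#    the client handing its TGT to the service, so unconstrained delegation fails.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$credGuardOn = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
"Credential Guard running on $env:COMPUTERNAME : $credGuardOn"

# 2. Service side: how is the account that runs the web tier allowed to delegate?
#    TrustedForDelegation       -> unconstrained (any service, needs the user's TGT)
#    msDS-AllowedToDelegateTo   -> constrained (explicit list of target SPNs)
#    TrustedToAuthForDelegation -> constrained with protocol transition
$svc = Get-ADUser -Identity $ServiceAccount `
        -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
$unconstrained = [bool]$svc.TrustedForDelegation
$targets = @($svc.'msDS-AllowedToDelegateTo')
"Unconstrained delegation on $ServiceAccount : $unconstrained"
"Constrained delegation targets              : $($targets -join ', ')"

# 3. User side: members of Protected Users cannot be delegated at all.
$inProtected = (Get-ADPrincipalGroupMembership -Identity $UserName).Name -contains 'Protected Users'
"$UserName in Protected Users : $inProtected"

# Verdict, following the answer above: unconstrained delegation plus either
# Credential Guard on the workstation or Protected Users membership explains the
# error, and the fix is to move the service account to constrained delegation.
if ($unconstrained -and ($credGuardOn -or $inProtected)) {
    "Likely cause: unconstrained delegation blocked on the client side; switch $ServiceAccount to constrained delegation"
} elseif (-not $unconstrained -and $targets.Count -eq 0 -and -not $svc.TrustedToAuthForDelegation) {
    "No delegation of any kind is configured on $ServiceAccount"
} else {
    "Delegation configuration looks constrained; look elsewhere (SPN, browser zone, GPO)"
}
```

Run it once on a working and once on a non-working workstation; a difference in the Credential Guard line alone, with the same account results, matches the workstation-specific symptom described.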

Is it possible to configure SPNEGO irrespective of fully qualified host name

I have configured SPNEGO for WebSphere, and currently SPNEGO is working fine for a fully qualified hostname, say appserver.robo.com. I want a SPNEGO configuration which can work for both
appserver.robo.com/productName and appserver/productName.
Is such a configuration possible?
Yes, it is possible. Make sure your keytab and SPNEGO configuration are for the real hostname, and then enable the "Use the alias host name for the application server" setting in the SPNEGO web authentication enablement (https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/usec_kerb_SPNEGO_config.html).
Also make sure that both names are correctly recognized by the browser as local intranet or trusted sites and enabled for integrated authentication.
The other option is to create several keytabs and merge them, but it is not recommended as discussed here - https://www.ibm.com/developerworks/websphere/library/techarticles/0809_lansche/0809_lansche.html

AppFabric 1.1 Security Between the Connection of Cache Host-Cluster

I was wondering how I can disable the secure connection between the cache host and the cluster. I am using XML-based config and I couldn't find any source for this. By default it is secure, but it is not important for me, so I want to disable it. Any help is appreciated.
Thanks.
I am not completely certain about what you mean, but the server-side security configuration can be found here and the client-side one here.

Concerns on SSL config within Websphere Application Server

I'm kind of confused with the SSL settings within WebSphere Application Server.
As you can see from the attached picture, the Default SSL setting has been done at both cell and node scope. Below are my questions:
Is inbound or outbound data through WebSphere transferred over SSL according to this setting?
Is the above SSL setting enabled by default? If not, then how do I enable it?
In regard to the KeyStore or TrustStore configuration, I can see it refers to a path like
${CONFIG_ROOT}/cells/localhostCell01/key.p12
However, I cannot find the variable CONFIG_ROOT among the WebSphere Variables in the Admin Console. Does it mean that SSL is disabled by default, so it's OK for this variable to have no value?
Thanks in advance
Please see the WebSphere Security Redbook, chapter 4, for details - http://www.redbooks.ibm.com/redbooks/pdfs/sg246316.pdf. CONFIG_ROOT is a substitution variable, so you should be fine - http://publib.boulder.ibm.com/infocenter/iadthelp/v6r0/index.jsp?topic=/com.ibm.ws.ast.st.v6.doc/topics/tsubvarv6.html. You can test which certificates are enabled using openssl from the command line - http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/

What is security property 'Server user identity' used for in Websphere Application Server?

When configuring global security for WebSphere Application Server, no matter whether you choose Federated Repositories, LDAP registry or a custom registry, there is a property named 'Server user identity' to be set up. According to the official explanation, this is used for authentication during server-to-server communication. Does it mean that when servers communicate with each other within one cell, authentication is required and this value would be used there? And does this value only impact internal processes, like within the same cell? Or can it also be between cells? If it's not used this way, then how does 'Server user identity' work?
I kinda don't understand this. Please help me figure it out. Thanks in advance.
Until WAS 6, a single user identity was required, namely the 'primary administrative user', for both administrative access and internal process communication. This user, by definition, had to exist in the configured user registry.
From version 6.1 onwards, WAS requires an administrative user, distinguished from the server user identity, so that administrative actions can be audited separately.
For all practical purposes, if you are using version 6.1+, and you are not in a mixed-release cell (cell containing profiles of older versions of WAS in addition to current versions), you may just go ahead with automatically generated internal user id. An internally-generated server ID also adds a further level of protection to the server environment because the server password is not exposed.
For mixed-release cells you may check the infocenter here for details on how to configure the server user ID in this case.
The server user ID is used for server-to-server communication within a cell. I could not find any documentation that implies this parameter is also related to cross-cell communication.