Websphere security: five tips for first time WAS hardeners


Posted:   |  More posts about security websphere

Spent some time trying to enable Websphere security on my machine. Here are some tips:

  1. Before trying to secure your WAS create the additional profile and use it to train yourself. Creation of the profile takes five minutes and you could delete it after you finished.
    Use %was_install_dir%/bin/ProfileCreator/pctWindows.exe or use command line tool from %was_install_dir%/profiles/default/bin/wasprofile.bat
  2. Before you going to mess up this profile, make a copy %profile_dir%/config/cells/%cell_name%/security.xml
    If you mess up the security and server won't start at all - just replace security.xml with saved copy. Chances are that server will start after that and you don't have to re-create profile.
  3. If you made some mistake and profile won't start anymore - just delete profile using wasprofile -delete -profileName %your_profile_name%
    Sometimes this command won't remove the profile. In this case go to %was_install_dir%/properties and remove line with your profile from profileRegistry.xml. Then you can just simply delete the profile folder.
  4. After you enabled security you may see the exceptions in the SystemOut.log: (SECJ0305I, ADMN0007I) saying something about UNAUTHORIZED user can not be authorized. To resolve this simply add group, named EVERYONE to the Monitor role
    Admin Console - System Administration - Console settings - Console Groups - Add - Select from special subject
  5. If you securing Websphere, supplied with Rational Software Development Platform, you will have problems starting server and/or deploying applications to it. Editing of the server profile will not always help. The best way is to create the Server project in J2EE perspective and then create the server in that project.
    Don't forget to use Security options in the server profile and use SOAP for server communications as RMI not always work.
Contents © 2013 Aleksey Maksimov - Powered by Nikola