
IBM's WebSphere Basics

IBM's WebSphere Application Server (WAS), currently at version 4.0, is part of a large family of IBM products designed for e-business solutions. For more information, visit www.ibm.com/software/webservers/appserv/.

WAS comes in two flavors: Standard and Advanced. Both support Java Servlets, JavaBeans, and JSP components, as well as eXtensible Markup Language (XML) and eXtensible Style Language (XSL).

The Standard edition contains an LDAP client for connection to an LDAP server, and the ACLs can be defined in a granular way at user and group levels. Controls and policies can be established for methods within the application.

The Advanced edition adds, among many other functions, "full" support of Web Services (SOAP, UDDI, WSDL, J2EE v 1.2), connectivity through CORBA and ActiveX, Message Beans and JMS Listener support, and internationalization (to accommodate time zones, currencies, and so on). The next section focuses on the Advanced edition.

A brief WAS overview

The WAS Advanced Edition (WASAE) architecture is based on the J2EE v 1.2 specification. It provides out-of-the-box support for most of the J2EE containers - the applet container is not included. However, you can configure WASAE by using the IBM Java 1.2.2 Runtime Environment (JRE).

A WebSphere domain consists of nodes that can be configured together; this configuration is kept in a single shared WAS database. Each node may contain multiple application servers. Each server may contain a servlet container and an EJB container. Both of these containers run on a single JVM.

Here are some of the components and tools included in WASAE:

  • The administrator's console, which is used to change the configuration of a WebSphere domain.

  • The Web server, which listens by default on port 80 and supports servers such as IBM's HTTP server.

  • XML Config, which allows the exportation/importation of configuration information to and from nodes. The deployment descriptors are XML files that contain information including security.

Understanding the basics of WAS security

WebSphere security is divided into global security and application security. The application security settings are specific for each application (and may override the global security settings). Global security is common for all applications running in the server and saved in XML configuration files. You can choose among three different user registries for authentication: LDAP, OS, or custom user registry. The user registry is a repository of users and groups. The application security settings (some of which are included in the web.xml file) can be customized using the Application Assembly Tool (AAT), the Administrator's Console, and the WebSphere Control Program tool. The configuration and management of application components are supported via these WAS tools as well.

The authentication mechanisms supported by WAS are HTTP basic authentication, HTTPS client authentication, and form-based authentication. You can configure these authentication mechanisms using the Application Assembly Tool.

Note  

As of this writing, digest authentication is not supported by the WebSphere Server.

WAS provides access controls, which are set using the WAS-provided tools such as the AAT. The Web containers and EJB containers get authentication and authorization services and delegation policies from the security server component of WAS. WebSphere provides method-level security.

WebSphere supports PKI for obtaining a personal certificate and SSL for secure communications. WAS supports SOAP services for Web security. WebSphere administrators may use the IBM ikeyman tool to create and manage digital certificates.

Note  

WAS ships with an ikeyman that supports the Java KeyStore (JKS) format.

Security policies (such as role and method permission, login configuration, and data integrity settings) are described in the deployment descriptor of the application. These are XML-based files that can be managed via an administration console. You can associate principals (users and groups) with roles. WAS also has a security collaborator (Web and EJB) that enforces the security constraints and attributes specified in the application deployment descriptors.
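An added example, not from the book or from IBM: a small Python audit of a web.xml deployment descriptor that checks the login configuration, data-integrity (transport guarantee) and role settings described above. The sample descriptor, the rule names and the function name are constructed for illustration; the element names are those of the Servlet 2.2 descriptor.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (Servlet 2.2 element names, DOCTYPE omitted).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Payroll</web-resource-name>
      <url-pattern>/payroll/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>hr</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""

def audit_descriptor(xml_text):
    """Return a list of (rule, detail) findings for a web.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    auth = (root.findtext("login-config/auth-method") or "").strip().upper()
    declared = {r.text.strip() for r in root.findall("security-role/role-name") if r.text}
    if auth == "DIGEST":  # the page notes WAS does not support digest
        findings.append(("unsupported-auth", "DIGEST"))
    for sc in root.findall("security-constraint"):
        name = (sc.findtext("web-resource-collection/web-resource-name") or "?").strip()
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name") if r.text]
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        # BASIC and FORM send the password unencrypted unless the container requires SSL.
        if roles and auth in ("BASIC", "FORM") and guarantee != "CONFIDENTIAL":
            findings.append(("cleartext-credentials", name))
        for role in roles:
            if role != "*" and role not in declared:
                findings.append(("undeclared-role", f"{name}: {role}"))
    return findings

if __name__ == "__main__":
    for rule, detail in audit_descriptor(SAMPLE_WEB_XML):
        print(f"{rule}: {detail}")
```

Run against an exported descriptor, each finding names the web resource collection to review in the Application Assembly Tool.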

WebSphere can plug in a third-party Reverse Proxy Security Server (RPSS) authentication product. WAS communicates with the RPSS through a plug-in called a "Trust Association Interceptor", for which you must implement the com.ibm.websphere.security.TrustAssociationInterceptor interface.

  


Java Security Solutions
ISBN: 0764549286
EAN: 2147483647
Year: 2001
Pages: 222
