Title:
WebSphere Application Server for z/OS V5 and J2EE 1.3 Security Handbook.
Author:
Redbooks, IBM.
Physical Description:
1 online resource (778 pages)
Contents:
Front cover -- Contents -- Notices -- Trademarks -- Preface -- The team that wrote this redbook -- Become a published author -- Who should read this book -- Comments welcome -- Summary of changes -- New and revised cryptographic information -- Securing the file system -- Security domains -- Java 2 security -- Enhanced support for Tivoli Access Manager -- Other enhancements -- Information removed or relocated -- Part 1 Introduction to WebSphere and J2EE security -- Chapter 1. WebSphere Application Server V5 security overview -- 1.1 WebSphere Application Server for z/OS Version 5 infrastructure overview and terminology -- 1.2 WebSphere Application Server V5 security features -- 1.3 J2EE 1.3 compliance features -- 1.4 WebSphere Network Deployment family compliance features at interface layer -- 1.5 Support of WebSphere family security configurations -- 1.6 J2EE 1.3-compliant security enhancements -- 1.6.1 Java 2 security -- 1.6.2 J2EE role-based authorization enhancements -- 1.6.3 WebSphere Application Server V5 and JAAS -- 1.6.4 Java 2 security, J2EE security, and JAAS feature comparison -- 1.6.5 z/OS Java security components -- 1.6.6 JSSE security -- 1.6.7 CSIv2 security protocol -- 1.6.8 Pluggable authentication security -- 1.6.9 Security configuration in z/OS and OS/390 -- 1.6.10 Enabling global security -- 1.7 Comparisons between WebSphere Application Server for z/OS and OS/390 V4.0.1 and V5 -- 1.8 Key differences between WebSphere Application Server for z/OS and distributed platforms -- 1.8.1 Two types of SSL on z/OS -- 1.8.2 "Deprecated" V4 Advanced interfaces -- 1.8.3 z/OS security properties -- 1.9 Summary -- Chapter 2. Security design -- 2.1 Overview of security challenges -- 2.1.1 Assessing and managing security risks -- 2.1.2 Evolving with emerging technologies and trends -- 2.2 Finding the right level of security for your enterprise.

2.2.1 Evaluate security elements in each layer -- 2.2.2 Ask the key questions -- 2.3 Making some key decisions -- 2.3.1 Intranet or Internet? -- 2.3.2 Where will authentication take place? -- 2.3.3 How will authorization to resources be determined? -- 2.3.4 What other resources need to be accessed? -- 2.4 Finding the right balance for your application -- 2.4.1 Container-managed security -- 2.4.2 Application-managed security -- 2.5 Topological view of security -- 2.5.1 Base topological view -- 2.5.2 Encryption -- 2.5.3 User registries and authorization databases -- 2.5.4 Identity flow -- 2.6 Summary -- Chapter 3. J2EE 1.3 and WebSphere Application Server V5 security concepts -- 3.1 Overview -- 3.1.1 Security server topology -- 3.1.2 Terminology used for J2EE security -- 3.1.3 User registries -- 3.1.4 Global security -- 3.2 J2EE container-based security -- 3.2.1 Role-based authorization -- 3.2.2 Web container authentication and authorization -- 3.2.3 EJB container authentication and authorization -- 3.2.4 RunAs versus run-as: Identity propagation -- 3.3 Resource authentication -- 3.4 Security interoperability using IIOP -- 3.5 Additional security capabilities -- 3.5.1 Authentication mechanism and single sign-on (SSO) -- 3.5.2 Java 2 security -- 3.5.3 Java Authentication and Authorization Service (JAAS) -- 3.5.4 Additional programmatic login/logout capabilities -- 3.5.5 Cryptographic application and data security -- Chapter 4. WebSphere Application Server application security -- 4.1 Programmatic security -- 4.1.1 J2EE APIs -- 4.1.2 Programmatic authentication to resources -- 4.2 JAAS for application security -- 4.2.1 JAAS login verification using SWIPE -- 4.2.2 Your own JAAS application login configuration -- Chapter 5. WebSphere application migration security aspects -- 5.1 Application migration security aspect checklist.

5.2 Application migration strategies -- 5.3 Migrating IBM HTTP Server thread level-based security -- 5.3.1 Affected environments -- 5.3.2 What is causing this problem? -- 5.3.3 How can you make it work again? -- 5.4 Migrating WebSphere Application Server thread level-based security -- 5.5 Security aspects when migrating Common Connector Framework (CCF) connectors -- 5.5.1 Affected environments -- 5.5.2 What is causing this problem? -- 5.5.3 How can you make it work again? -- 5.6 Security aspects when migrating J2CA connectors -- 5.6.1 Affected environments -- 5.6.2 What is causing this problem? -- 5.6.3 How can you make it work again? -- 5.7 Migrating SOMDOBJS to EJBROLE -- 5.7.1 Using SOMDOBJS with WebSphere simple configuration option -- 5.7.2 Migrating from SOMDOBJS to the Web container and the EJBROLE profiles -- Part 2 SWIPE and our testing infrastructure -- Chapter 6. The sandbox infrastructure -- 6.1 Physical integration into the network infrastructure -- 6.2 System setup and service levels -- 6.2.1 Operating system and program products -- 6.2.2 Distributed environments -- 6.2.3 Development environment -- 6.3 Naming conventions -- 6.3.1 WebSphere cells -- 6.3.2 Naming convention variables -- 6.3.3 Data sets and files -- 6.3.4 Component trace procedure names -- 6.3.5 Configuration objects -- 6.3.6 Development base servers started tasks and user IDs -- 6.3.7 Deployment manager started tasks and user IDs -- 6.3.8 Node agent started tasks and user IDs -- 6.3.9 Managed servers started tasks and user IDs -- 6.3.10 TCP/IP ports -- 6.3.11 Common information -- 6.3.12 Starting servers -- Chapter 7. The security investigation application -- 7.1 The SWIPE application -- 7.1.1 SWIPE application structure -- 7.1.2 SWIPE application architecture and description -- 7.2 SWIPE authentication features -- 7.3 Authorization features.

7.3.1 Web container authentication and authorization -- 7.3.2 EJB container authorization: EJBRoles -- 7.3.3 EJB container: Declarative security -- 7.3.4 EJB container: Programmatic security -- 7.3.5 EJB: RunAs concept -- 7.3.6 Servlet run-as example -- 7.3.7 The "Sync to OS Thread" concept -- 7.4 The downloadable SWIPE package -- 7.5 Deploying SWIPE -- 7.5.1 SWIPE: JVM property for location discovery -- 7.5.2 SWIPE and Java 2 security -- 7.5.3 Setting the IBMEBizEnv environment variable -- 7.6 SWIPE: Running EJBCaller -- 7.6.1 SWIPE: EJBCaller - Input Part A -- 7.6.2 SWIPE: EJBCaller - Input Part B -- 7.6.3 SWIPE: EJBCaller - Input Part C, JAAS -- 7.6.4 SWIPE: RunAsServlet -- 7.6.5 SWIPE: index.html -- 7.6.6 Remote JNDI example -- 7.7 RACF definitions -- 7.7.1 Overview -- 7.7.2 Define user IDs -- 7.7.3 Define a group -- 7.7.4 Define EJBRoles -- 7.7.5 Define GEJBROLE -- 7.7.6 Permit access -- 7.7.7 Verify security using SWIPE -- Chapter 8. The security investigation applications for EIS -- 8.1 The SWIPE application for CICS, IMS, and DB2 -- 8.1.1 How SWIPE for EIS works -- 8.1.2 SWIPE EIS application structure -- 8.1.3 Define security roles for SWIPE/EIS -- 8.1.4 Prepare WebSphere security to run the samples -- 8.1.5 Plan resource reference to connection factory bindings -- 8.2 Define J2CA connection factories and data sources -- 8.2.1 Suggested scenarios for security verification -- 8.2.2 Set up JAAS authentication aliases -- 8.2.3 Set up connection factories and data sources for SWIPE/EIS -- 8.3 Install SWIPE for CICS, IMS, and DB2 -- 8.4 Install the CICS components of SWIPECICS -- 8.5 Start SWIPE for CICS, IMS, and DB2 -- 8.6 Run SWIPE for CICS, IMS, and DB2 -- 8.7 Debug SWIPE for CICS, IMS, and DB2 -- 8.8 The SWIPE application for JMS -- 8.8.1 Invoke the JMS sample -- 8.8.2 SWIPE application for JMS contents -- 8.8.3 Security roles in the samples.

8.8.4 WebSphere MQ -- 8.8.5 Prepare WebSphere security to run the samples -- 8.8.6 WebSphere MQ: Queue definitions -- 8.8.7 WebSphere MQ: RACF resource profiles -- 8.8.8 J2C authentication data entries -- 8.8.9 JMS queue connection factory definitions -- 8.8.10 Queue destination definitions -- 8.8.11 SWIPE JMS: Logical resources -- 8.8.12 Install the SWIPE JMS application -- 8.8.13 Run the SWIPE JMS application -- 8.8.14 RACF messages -- 8.8.15 Check the user ID that flows to WebSphere MQ -- Part 3 Cryptography -- Chapter 9. Using cryptographic services -- 9.1 Cryptographic support -- 9.2 How WebSphere fits in z/OS and zSeries cryptographic infrastructure -- 9.2.1 Supported J2EE APIs -- 9.2.2 SSL overview -- 9.3 Hardware cryptography support for zSeries 2084 or 2086 engines -- 9.4 Activation of hardware cryptography support for zSeries 2084, 2086, 9672, 2064, 2066, or 7060 engines -- 9.4.1 Verify that your processor has Cryptographic Coprocessor -- 9.4.2 Obtain the correct configuration enablement diskette or diskettes for your processor -- 9.4.3 Load the configuration enablement diskette(s) -- 9.4.4 Assign Cryptographic Coprocessors to LPARs -- 9.4.5 Additional instruction for assigning the PCI crypto features to LPARs with a 2084 or 2086 engine -- 9.4.6 Install and initialize Integrated Cryptographic Service Facility -- 9.4.7 Initialize the CKDS and PKDS and load your master key -- 9.5 Configure WebSphere to use hardware cryptographic services -- 9.5.1 Configure WebSphere to use hardware cryptography for SSL -- 9.5.2 Configure WebSphere to use hardware cryptography in support of the ICSF authentication mechanism -- 9.6 Securing and maintaining cryptography -- 9.6.1 RACF protection for ICSF -- 9.6.2 RACF setup to secure OCSF and OCEP -- 9.7 Create RACF keyrings and certificates -- 9.8 Set up Secure Sockets Layer (SSL) for WebSphere for z/OS.

9.8.1 Certificates in WebSphere and RACF.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.