WebSphere Application Server V7 Security

Course details

This instructor-led course covers security topics that are critical for advanced application server security configuration for WebSphere Application Server V7.

The course begins with a general discussion of the three major parts of global security: administrative security, application security, and Java 2 security. Students use security domains to configure cell-wide access. They then configure fine-grained security to the administrative console and configure application security by defining security constraints and security roles for a web application. Students also learn about the implications of application security by mapping special subjects and user groups to security roles.

This course presents the core concepts of federated repositories. Students create a federated repository using a file-based repository and add a Lightweight Directory Access Protocol (LDAP) server to the configuration. They secure the connection between the application server and the LDAP server, and learn to configure and manage a Virtual Machine Manager (VMM) security connection feature that allows the VMM to function either with or without all of its repositories available.

Secure Sockets Layer (SSL) is covered through extensive discussions about encryption technologies, digital signatures, the SSL handshake, and certificates. The course also provides additional information on SSL in the cell, including cell default trust stores, node keystores, plug-in keystores, certification expiration, and auto replacement. Lab exercises demonstrate both SSL configuration within the application server and the configuration of SSL between the application server and DB2 database. Students also configure cross cell single signon between two cells. Students also learn how to harden the security of their application server environment by identifying areas that should be addressed in production environments. These areas include hardening the web server, configuring TAIs, protecting configuration files and private keys, using administrative roles, encrypting various links, and improving SSL configuration. Students learn how to use tracing and logs to determine authentication and authorization failures, and how to identify and resolve SSL connection problems by diagnosing log information.

Finally, students learn about the performance cost of security features in the application server, including core J2EE, messaging, and web services. A hands-on exercise on performance tuning lets students discuss techniques and trade-offs for tuning the security performance of the runtime environment. 

Target Audience:

This course is designed for experienced WebSphere Application Server administrators who want to deepen their understanding of securing the application server and its environment.

Objectives:

• Describe the conceptual differences between administrative security, application security, and Java 2 security
• Configure WebSphere Application Server to limit administrative onsole access to specific users
• Create and configure a security domain representing the administrative security configuration and application configuration
• Configure fine-grained administrative access to specific parts of a cell
• Define security constraints and security roles for a web application
• Map special subjects and user groups to security roles
• Configure the VMM security manager feature that allows the VMM to function either with or without all of its repositories available
• Explain the differences between symmetric and asymmetric key encryption
• Describe how digital signatures are generated and validated
• Configure secure communication between a client and a server
• Explain how certificates and certificate authorities provide secure communication
• Configure SSL for the Java Database Connectivity (JDBC) connection to the database
• Configure SSL within the cell
• Create and configure cross-cell authentication between two cells
• Harden the security configuration of the application server and its environment
• Modify the performance of security features in WebSphere Application Server
• Explain the cost of security in various areas, specifically core J2EE, messaging, and web services
• Perform problem determination tasks that are related to authentication, authorization, and SSL errors
• Tune the WebSphere Application Server security runtime through custom property and administrative console configuration

Prerequisites:

Students should have experience administering WebSphere Application Server, specifically the configuration of security aspects of the application server.