WAS for z/OS V5: Security
Unit Objectives
After completing this unit, you should be able to:
• Describe the security options available for WebSphere V5 client authentication/identification, secure communications, and authorizing access to resources
• Compare the various J2EE client authentication options, including options usable across multiple platform types
• Assist developers by implementing infrastructure for the following J2EE authorization techniques
  • EJB roles
  • RunAs
  • res-auth
  • Synch to OS thread
• Assist developers by implementing infrastructure for the following web client authentication options
  • Basic authentication
  • Forms-based authentication
  • Client certificates
Terminology
• Basic security terminology
  • Identification
    • Examples: userid, distinguished name
  • Authentication
    • How do we know you're really Adam?
  • Authorization
    • OK Adam, you may freely eat of every tree in the garden; but of the tree of the knowledge of good and evil you shall not eat.
  • Confidentiality
    • Protection of messages and other data from observation by unauthorized entities
  • Integrity
    • Assurance that a message has not been altered in transmission
  • Non-repudiation
    • The woman whom you gave to be with me, she gave me fruit from the tree, and I ate -- blame her!
WAS V5 - Co-existing Security Models
[Diagram labels: z/OS V5 run-time environment; Application Server Node; WebSphere Security (J2EE Security API, Java 2 Security, Java Principal); J2EE scalable application server (JVM 1.3.1) with controller region and servants; J2EE application; Request; TCP/IP; Resource Connector; z/OS Security and SAF (z/OS userid / UID, MVS userid / UID).]
z/OS Network Authentication Service (Kerberos)
• Can be used to authenticate to OS/390-z/OS servers
  • DB2 V7
  • WebSphere Application Server 4.x and above - with zSAS only for the time being
  • LDAP (z/OS 1.2)
  • FTP (z/OS 1.2)
  • Telnet (z/OS 1.2)
  • rshd (z/OS 1.2)
Requires new profiles and segments in RACF to map Kerberos principals to z/OS userids
[Diagram labels: Windows 2000; using tickets issued by the Active Directory KDC; using tickets issued by the z/OS KDC; z/OS - RACF KDC; Kerberos enabled service; z/OS inter-realm key; Active Directory inter-realm key.]
WebSphere Unifies J2EE and z/OS Security
• Within the J2EE server, security identities can be set/changed but the ACEE stays equal to the RACF userid of the J2EE application server region.
• Principal identity can be changed via the "Sync to OS Thread" option
[Diagram labels: z/OS Security domain; HTTP Server; WebSphere J2EE Server, server region (ACEE = J2SRVID); Authentication; RunAs; Roles; res-auth; ThreadID or "Synch to OS Thread"; CICS, IMS, DB2, HFS (each with ACEE); USP*.]
Summary of J2EE Security Concepts
• People often work in various roles
• Application developer defines roles required for use
• Application assembler defines what identity should be used when running (RunAs)
• Application assembler can map application roles to organizational roles using role references
• Security administrator defines roles as profiles in the RACF EJBROLE class
  • Permits users and groups to EJBROLE profiles
• Security can be container-based (declarative) or application-based (programmatic)
J2EE Security Model
• Declarative
  • Specified outside the program code - in the deployment descriptor
  • Controls how authentication is performed and who is authorized to which resources
  • Roles, run-as, res-auth
  • Java 2 security
• Programmatic
  • Program code performs authentication, authorization, or both
  • JAAS
The Subject and Principals
• 'Subject' is a user abstraction
• The principal is a user in a particular context
• A subject may have multiple principals
• A credential is what the security mechanism returned after the user authenticated
[Diagram labels: Subject Jack; Principal Server (Server Cred); Principal Caller (Caller Cred); Principal Leader (Role, Role Cred).]
Two Principals: ACEE and Java
[Diagram labels: Application Server (SR); Web Container (JSP, Servlet); EJB Container (EJB); Principal; ACEE; SAF Database (EJBROLES, Datasets, Users); File. Callouts: "This servlet may invoke EJB" and "No, you may not touch that file!"]
Web Client Authentication
• Security constraints in deployment descriptor
  • protected web resources
  • data constraint
  • authentication method
    • basic
    • client certificate (SSL/TLS)
    • form-based
• Authentication driven from Web Container
• J2EE "Principal" in J2EE "Subject"
• User registry invoked for userid/password validation or certificate mapping
• Front-end reverse proxy strongly recommended, also for functionality reasons
[Diagram labels, shown for two configurations of the z/OS WebSphere V5 run-time: Client; http/https; DMZ; HTTP Server with WAS for z/OS Plug-in, or Transport Handler; Web Container; EJB Container.]
Web Server Security in z/OS
[Diagram labels: HTTP Server; authentication; authorization & userid selection; RACF (Users); ACEE switch; httpd.conf Protect statements; access; authorization; static content; USS HFS.]
WebSphere 5 Security
[Diagram labels: HTTP Server with WebSphere V5 Plug-in; httpd.conf with no Protect statements; private header pass through & SSL; WebSphere Application Server (TH, Web Container); do local authorization; web.xml authorization constraints; authentication; authorization; Registry: RACF / SAF (Users, Roles, CERTS) and CUR (Users, CERTS); Authorization Table (Users, Roles); USS HFS (Content, WebApps); access.]
WebSphere HTTP Authentication
[Diagram labels: HTTP Client; userid/password; HTTP Basic Auth; Form based LOGIN; HTTPS client certificate; Credential Mapping; HTTP Security Cookie Validation; HTTPS security token; Reverse Secure Proxy server (user id, X509 certificate); Trust Association interceptor; Authentication; authenticated user principal; Security Role-based Access Control; Web Resources (Servlets, JSP files, HTML files).]
Authentication: HTTP Server and HTTP Transport
Via HTTP Transport or HTTP Plug-in: SAF and CUR:
1. Basic Authentication
2. Form-based login
3. Trust Association Interceptor
4. Client certificates
Via HTTP Server local redirector plug-in: SAF only:
1. Basic Authentication
2. Form-based login
3. Client certificates
[Diagram labels: any platform (IHS, V5 Plugin, HTTP/HTTPS); z/OS (IHS, V4.01 Plugin, TH, Web container with Servlets and JSPs, EJB container with EJBs, IIOP, HTTP/HTTPS); paths marked A and B.]
HTTP Transport Handler
[Diagram labels: HTTP Client; TH; Controller Region; WLM; Servant Region. Messages: Request for protected resource; HTTP 401 response; Request with Userid/password in HTTP authentication header.]
Basic Authentication
1. User clicks on link to protected page
   Request: GET http://server/restricted.html
2. Server checks authority and rejects request
   Response: Status 401 Realm "IMWEBSRV_Administration"
3. Browser pop-up window prompts user for userId and password
4. Browser resends request with userid/password in request header
   Request: GET http://server/restricted.html
Form-Based Login with SAF and ICSF
Hiper APAR PQ66396. PTF is UQ71461 (W401404)
[Diagram labels: Request for protected resource; Web container; Login page; Post to j_security_check (J_userid, J_password); RACF; OK? no: error page; yes: create token T; Send/Set encrypted Login Token; Requests with T; decrypt token; authorize; process; Response; ICSF; Crypto Engines.]
Client Certificates with Transport Handler
• Client Certificate returned from SSL Handshake
• Client Certificate info passed to Server Region via private header with request
• Certificate not passed unless running in BBOC_HTTP_SSL_MODE=INTERNAL. The Plug-in will pass any needed certificate info via HTTP headers
[Diagram labels: client with CERT; SSL handshake; server instance (CR, SR, TH) with ssl_mode=; IHS with Plugin, ssl_mode=internal "trusted"; private hdr; SAF/CUR (Users, Certs).]
WAS V5 HTTP Access Pluggable Security
• Single Registry/Authentication mechanism active for a cell, cannot be overridden by server definition
[Diagram labels: authentication requests; Security Server Interface and User Registry Interface (implements / uses); Authentication Server; User Registry / Custom Registry. User Registry: Custom User Registry, LDAP User Registry, SAF User Registry. Authentication Mechanism: SWAM (*), LTPA token, z/OS SSO cookie (ICSF).]
(*) SWAM not available for ND configuration
WAS V5 Authentication Mechanism - LTPA
• Basic authentication
• Form based authentication
LTPA token contains
• token type (LTPA/ICSF)
• userid
• expiration time
digitally signed and encrypted, stored as a cookie in the client browser with domain specification
For client certificate authentication: userid is the result of certificate mapping to user registry
[Diagram labels: Request for protected resource; Web container; Login page; Post to j_security_check (userid/password); User registry; OK? no: Error page; yes: Create LTPA token, encrypt, Send LTPA token; Requests; Process LTPA token requests; Response.]
[Diagram labels: Web Client; HTTP/HTTPS; userid/password, cert, form-based; z/OS SSO cookie; LTPA token; User Registry: xml; SAF User Registry (SAF - certificate mapping capability); LDAP (certificate mapping capability); Custom User Registry (CUR).]
Web Container Authentication
• Same as in J2EE 1.2 (WebSphere Application Server V4):
  • Basic
  • Form-based
  • Client certificate
Authentication Options
'Client' authentication options
• Web Container
  • Basic authentication
  • Form-based login
  • Certificates
  • No security
• EJB container
  • SSL Basic authentication
  • Asserted Identities
  • Certificates
  • Userid and PassTicket
  • Userid and Password
  • No security
• Authentication in Web Container is defined for each application in the deployment descriptor
• Authentication in the EJB container for IIOP requests is specified with properties set for the J2EE server
Cross Platform Security
• Web Container
  • Trust Association Interceptor
• EJB container
  • Kerberos
  • secure association service (SAS)
  • CSI v2
• For Cross System Security, with Trust Association, authentication has already taken place in another server and the web container 'trusts'.
• Kerberos support is currently available only in the EJB container
The Monster’s Still With Us
• Within the J2EE server, security identities can be set/changed but the ACEE stays equal to the RACF userid of the J2EE application servant region.
• ACEE can no longer be changed via "Sync to OS Thread" option
J2EE Roles
• Roles are defined in the deployment descriptor
  • Web components
  • EJB components
• A RACF profile in class GEJBROLE or EJBROLE controls use of the role
• The APPLDATA field in the profile specifies a RACF userid to be associated with the role when RunAs(role)
• Although the classes are GEJBROLE/EJBROLE, the profiles protect all roles, not just roles for EJBs
Run-as RunAs Are Two Monsters with Many Heads
• RunAs sets the principal
  • used to run this method and for downstream propagation
• Caller (the default)
  • Run this method with the identity of the user who instantiated me
• Server (EJB Container only)
  • Run this method with the identity of the server on which I was instantiated
• Role
  • Run this method with the RACF ID associated with this role’s RACF EJBROLE/GEJBROLE profile
Roles
[Diagram labels: Component provider: Servlet isUserInRole("manager") in the .war, EJB isCallerInRole("boss") in the .jar. Application assembler/Deployer: Deployment Descriptor with "manager" = Supervisor and "boss" = Supervisor. Security admin: Role "Supervisor" with User JANE and User BOB.]
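The web-tier pieces described on the Web Client Authentication and Roles slides, written out as one Servlet 2.3 deployment descriptor (an added example, not taken from the original slides). The role names "manager" and "Supervisor" come from the slide; the servlet name, class, URL pattern and login page paths are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <servlet>
    <!-- Hypothetical servlet name and class -->
    <servlet-name>StaffServlet</servlet-name>
    <servlet-class>com.example.hr.StaffServlet</servlet-class>
    <!-- The code calls isUserInRole("manager"); the assembler links that
         coded name to the application role "Supervisor" -->
    <security-role-ref>
      <role-name>manager</role-name>
      <role-link>Supervisor</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <servlet-name>StaffServlet</servlet-name>
    <url-pattern>/staff/*</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <!-- Protected web resources: no http-method is listed, so the
         constraint applies to every HTTP method on /staff/* -->
    <web-resource-collection>
      <web-resource-name>Staff pages</web-resource-name>
      <url-pattern>/staff/*</url-pattern>
    </web-resource-collection>
    <!-- Only users mapped to Supervisor by the security admin get in -->
    <auth-constraint>
      <role-name>Supervisor</role-name>
    </auth-constraint>
    <!-- Data constraint: require SSL/TLS so the password and the login
         token never cross the network in clear text -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authentication method: BASIC, FORM or CLIENT-CERT. The login and
       error pages sit outside /staff/* so they can be served before login -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/loginError.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>Supervisor</role-name>
  </security-role>
</web-app>
```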
Roles Using WSAD
[Screenshot callouts: enter security role; expand .jar.xml; add security role; select * (all methods); security.]
The Power of the Grouping Class
CLASS GEJBROLE: Supervisors
  CLASS GEJBROLE ADDMEM "hiring"
  CLASS GEJBROLE ADDMEM "Managers"
  CLASS GEJBROLE ADDMEM "payroll"
  APPLDATA (BOSS)    (RUNAS role) USERID BOSS
PERMIT Supervisors CLASS(GEJBROLE) ID(HOLGER) ACC(READ)
User HOLGER now has access to all application defined roles.
WAS V5 RunAs Support
RunAs for servlets (Servlet 2.3)
• Caller
• Role
RunAs for EJB (EJB 2.0)
• At the bean level
• IBM extension: at the method level
• IBM extension: run-as Server
[Diagram labels: Servlet or EJB; Web / EJB Container; RunAs: Caller (*), Server, Role (**); SAF: server region userid; ejbrole profile access list; USER profile; APPLDATA=role_surrogate.]
(*) RunAs Caller can use CUR or LDAP identity
(**) or CUR, or WebSphere bindings
RunAs .... Separate Objects
The Java principal changes according to the RunAs setting as methods are invoked on different objects
[Diagram labels: User Jack (Jack's Roles: ImportantGuy, Leader, Boss); Method1 on EJB1, RunAs Caller (Running as Jack); Method2 on EJB2, RunAs Role Leader (Running as Tom); EJBROLE: Leader APPLDATA("TOM"); User Tom (Tom's Roles: Leader, Presenter); Method3 on EJB3, RunAs Server (Running as ServerID); User ServerID.]
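The RunAs Caller and RunAs Role settings from the slides above, written as a standard EJB 2.0 deployment descriptor (an added example, not part of the original slides). The bean names and the roles Boss and Leader come from the slide; the interface and class names and the choice of which role guards which bean are assumptions. RunAs Server and method-level RunAs are IBM extensions kept outside this file and are not shown.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
  "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>EJB1</ejb-name>
      <!-- Hypothetical interface and class names -->
      <home>com.example.hr.Ejb1Home</home>
      <remote>com.example.hr.Ejb1</remote>
      <ejb-class>com.example.hr.Ejb1Bean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <!-- RunAs Caller (the default): calls made by EJB1 carry the
           caller's identity downstream (Jack on the slide) -->
      <security-identity><use-caller-identity/></security-identity>
    </session>
    <session>
      <ejb-name>EJB2</ejb-name>
      <home>com.example.hr.Ejb2Home</home>
      <remote>com.example.hr.Ejb2</remote>
      <ejb-class>com.example.hr.Ejb2Bean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <!-- RunAs Role: calls made by EJB2 run under the identity bound to
           role Leader. With SAF that is the userid in the APPLDATA of the
           EJBROLE profile Leader (TOM on the slide) -->
      <security-identity>
        <run-as><role-name>Leader</role-name></run-as>
      </security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <!-- Every role used in run-as or method-permission is declared here -->
    <security-role><role-name>Boss</role-name></security-role>
    <security-role><role-name>Leader</role-name></security-role>
    <!-- Assumed permissions: the slide does not say which role guards which bean -->
    <method-permission>
      <role-name>Boss</role-name>
      <method><ejb-name>EJB1</ejb-name><method-name>*</method-name></method>
    </method-permission>
    <method-permission>
      <role-name>Leader</role-name>
      <method><ejb-name>EJB2</ejb-name><method-name>*</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

Because run-as changes only the identity used for downstream calls, whoever can edit the Leader profile's APPLDATA decides which userid those calls run under, so update access to that profile deserves the same care as the userid itself.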
Different Security Setup Levels
Global Security (via admin console, at the cell level)
• applies to all servers in the cell (unless modified by server security)
• security disabled or enabled
• user registry
• authentication mechanism (LTPA, z/OS SSO *, others)
• Naming and Admin roles security
Server level security (via admin console)
• server security enabled or disabled
• Java2 security enabled or not
• RMI/IIOP security configuration
Application security (in DD via AAT, admin console, or programmatic)
• application specific requirements
• method for authenticating users
• application specific resources
• authorization mechanism
• role-based access control
• roles to user/group mapping
• ...
* z/OS SSO = LTPA like, using zSeries hardware crypto
[Diagram label: initial setting]
Admin Transport Security in WAS R5 - Admin Subsystem
[Diagram labels: Console; SSL on each link; Cell Boundary; MVS System or LPAR SYSA (Node 1) and SYSB (Node 2), each with Daemon and Node Agent; DM (CR, SR); Server_A, Server_B, Server_C, Server_D (each CR, SR). Legend: symbol = RACF keyring, keyfile/trustfile.]
Cross-Platform Security
• Authentication/authorization with a non-local security registry
  • IBM Tivoli Access Manager for e-business integration
  • LDAP/third-party products
  • Enterprise-wide registries
• Two solutions available today:
  • Trust Association Interceptor
  • Custom User Registry
WAS V5 Trust Association Interceptor (TAI)
• TAI class
  • verifies configured TAIs
  • assigns a principal
• https with client (WebSeal) authentication recommended
• Products named: Tivoli WebSeal, Netegrity SiteMinder, Entrust TruePass
[Diagram labels: Client; DMZ; WebSeal; authentication; LDAP User Registry (can be z/OS LDAP with optionally native authentication); TAM Access Control Lists; authenticated identity; http or https; z/OS WebSphere V5 Runtime (Transport Handler, Web Container, EJB Container); J2EE "Principal".]
Trust Association Interceptor
Using any remote user registry
[Diagram labels: WebSphere Edge Server (WSEdge Caching Proxy, CBR); WebSeal Plug-In; Tivoli Access Manager; Policy Director; Private HTTP Headers: HTTP 1.1 get / PRIVATEHEADER:USER:EVA; z/OS server instance (CR, SR, TH); Trust Association Interceptor; TAI user mapping; RACF.]
Custom User Registry Overview
• Basic Authentication
  • checkPassword()
• FormBasedLogin
  • J_security_check()
  • checkPassword()
• Client Certificates
  • mapCertificate()
[Diagram labels: IHS with Plugin; private HDR; SYS SSL; WAS CR (Transport Handler); WAS SR (Web Container); HFS (Content, WebApp, web.xml Auth. constraints); authentication; authorization; SAF; CUR; User Registry; RACF (Users, Roles, Keyring); LDAP (Users/password, Certs/Users); Authorization Table; Bindings.]
res-auth: J2EE Connector Security
• It all depends on the extended deployment descriptor (xdd) tag:
  • Res-auth
• res-auth = container
  • The container will pass the required identity and credential to the connector (more detail later. . .)
  • If the application codes, for example, getConnection(userid,password), the passed identity and credential will be ignored
• res-auth = application
  • The application is expected to provide the required identity and credential, for example, getConnection(userid,password)
Unit Summary
Having completed this unit, you should be able to:
• Describe the security options available for WebSphere V5 client authentication/identification, secure communications, and authorizing access to resources
• Compare the various J2EE client authentication options, including options usable across multiple platform types
• Assist developers by implementing infrastructure for the following J2EE authorization techniques
  • EJB roles
  • RunAs
  • res-auth
  • Synch to OS thread
• Assist developers by implementing infrastructure for the following web client authentication options
  • Basic authentication
  • Forms-based authentication
  • Client certificates