Saturday, October 8, 2016

WebSphere Application Server Interview Questions - Part -1

1) When does WebSphere Application Server contact the registry for user information?

A) WebSphere Application Server queries the registry for user information as well as for administrative operations. Here are the reasons why WebSphere Application Server will contact the registry:

a) When users authenticate (password or certificate; not needed with a Web SSO proxy). WebSphere Application Server might query the registry when it:
   - Checks the user's password.
   - Maps certificate information to a user ID.
   - Converts a user ID to the registry's unique ID (for example, an LDAP DN).
   - Obtains group information.

b) When an LTPA token is passed to a server for the first time: WebSphere Application Server still obtains group information even when a Lightweight Third Party Authentication (LTPA) token is passed to a server for the first time (for example, by WebSEAL or IIOP traffic), because the LTPA token contains only the user's distinguished name (DN). The same applies to Trust Association Interceptors (TAIs), because they normally provide only the user ID. If WebSphere Application Server V5.1.1 is used, AND subject propagation is enabled, AND the TAI or login module provides group information (as the new WebSEAL TAI in WebSphere Application Server V5.1.1 can do), then WebSphere Application Server will not query LDAP for that user's group information.

c) If subject propagation fails: Even with subject propagation enabled, if the propagation fails (for example, because a server is down), WebSphere Application Server will attempt to recreate the subject unless a custom cache key has been set.

d) When users authenticate for administrative operations: Web, JMX, and so on.

e) Whenever an application starts: the role bindings are verified against the registry.

f) Whenever an administrator sets binding information in the administrative console.



2) Does WebSphere Application Server work with NIS?

A) WebSphere Application Server does not directly support NIS (Network Information Service) for authentication. It supports LDAP, the local OS, and custom registries. When running on a UNIX operating system, WebSphere Application Server uses the standard UNIX password APIs (getpw*, and so on) to verify user passwords (WebSphere Application Server must run as root for this to work). If those APIs in turn call NIS, then NIS is effectively used for authentication, but this is transparent to WebSphere Application Server. When an OS registry is used on UNIX, multi-node cells are not supported.

It might be possible to write a custom registry to use NIS.
In most cases, the answer to this question is no.

3) What are my options if I want to turn on security with a non-administrator account in a Windows® environment?

A) When running the WebSphere Application Server processes as a non-administrator, if global security is enabled, the user registry must be either LDAP or a custom registry.

To use the Local OS user registry, the user under which the product processes run must have the Administrator and "Act as part of the operating system" privileges in order to call the Windows operating system APIs that authenticate or collect user and group information. The process needs special authority, which is given by these privileges. This user should not be the same as the security server ID (the only requirement for which is that it is a valid user in the registry). This user is the one who logs in to the machine (if the product processes are started from the command line) or the one given in the Log On User setting in the services panel (if the product processes are started as services). If the machine is also part of a domain, this user should be a member of the Domain Admins group in the domain, so that it can call the operating system APIs in the domain, in addition to having the "Act as part of the operating system" privilege on the local machine.


4) What are my options if I want to turn on security with a non-root server ID in a UNIX® environment?

A) When running WebSphere Application Server as non-root, if global security is enabled, the user registry must be either LDAP or a custom registry.

To use the Local OS user registry, the user under which the product processes run must have the root privilege. This privilege is needed to call the UNIX operating system APIs to authenticate or to collect user and group information. The process needs special authority, which is given by the root privilege. Using the Local OS user registry requires the node agent, the deployment manager, and the application server process to run as root.

5) Will Local OS authentication work in a distributed environment?

A) In WebSphere Application Server Network Deployment with application server nodes distributed over more than one physical machine, you cannot use Local OS authentication. In this environment, you must use either LDAP or a custom registry. There is one exception though; a Windows domain registry is a centralized registry and can be used in this situation. Be aware that NIS, while technically a centralized registry, is not suitable for use with WebSphere Application Server Network Deployment.
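The rules in questions 2 to 5 (Local OS registry needs a privileged process, and is not usable across a multi-machine cell unless it is a Windows domain registry) can be turned into a pre-flight check. The script below is an added example, not from the original post or from IBM; the security.xml layout it parses (a `security:Security` root with `enabled` and `activeUserRegistry` attributes and `userRegistries` children typed via `xmi:type`) is an assumption modelled on the cell-level file, and the sample document is constructed.

```python
import xml.etree.ElementTree as ET

XMI_NS = "http://www.omg.org/XMI"

# Constructed sample in the assumed cell-level security.xml layout:
# global security on, active registry = Local OS.
SAMPLE_SECURITY_XML = """<security:Security xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:version="2.0" enabled="true" activeUserRegistry="LocalOSUserRegistry">
  <userRegistries xmi:type="security:LocalOSUserRegistry"
      xmi:id="LocalOSUserRegistry" serverId="wasadmin"/>
  <userRegistries xmi:type="security:LDAPUserRegistry"
      xmi:id="LDAPUserRegistry_1" serverId="wasbind"/>
</security:Security>"""


def active_registry_type(security_xml: str):
    """Return (global_security_enabled, active registry type name, e.g. 'LocalOSUserRegistry')."""
    root = ET.fromstring(security_xml)
    enabled = root.get("enabled", "false").lower() == "true"
    active_id = root.get("activeUserRegistry", "")
    for reg in root.iter("userRegistries"):
        if reg.get(f"{{{XMI_NS}}}id") == active_id:
            # xmi:type looks like "security:LocalOSUserRegistry"; keep the local part.
            return enabled, reg.get(f"{{{XMI_NS}}}type", "").split(":")[-1]
    return enabled, ""


def check_registry_fit(security_xml: str, *, os_name: str, process_is_privileged: bool,
                       multi_node_cell: bool, windows_domain_registry: bool = False):
    """Apply the post's rules; return a list of findings (empty means the setup is consistent)."""
    enabled, rtype = active_registry_type(security_xml)
    findings = []
    if not enabled or rtype != "LocalOSUserRegistry":
        return findings  # the constraints only concern Local OS with global security on
    if not process_is_privileged:
        need = "root" if os_name == "unix" else "Administrator plus 'Act as part of the operating system'"
        findings.append(f"Local OS registry requires the server processes to run as {need}; "
                        "otherwise use LDAP or a custom registry")
    if multi_node_cell and not windows_domain_registry:
        findings.append("Local OS registry is not supported with nodes on more than one machine; "
                        "use LDAP, a custom registry, or a Windows domain registry")
    return findings
```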
