Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletter Hub
Free Learning
Arrow right icon
timer SALE ENDS IN
0 Days
:
00 Hours
:
00 Minutes
:
00 Seconds
IBM WebSphere Application Server v7.0 Security
IBM WebSphere Application Server v7.0 Security

IBM WebSphere Application Server v7.0 Security: For IBM WebSphere users, this is the complete guide to securing your applications with Java EE and JAAS security standards. From a far-ranging overview to the fundamentals of data encryption, all the essentials are here.

eBook
€8.99 €36.99
Paperback
€45.99
Subscription
Free Trial
Renews at €18.99p/m

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Table of content icon View table of contents Preview book icon Preview Book

IBM WebSphere Application Server v7.0 Security

Chapter 1. A Threefold View of WebSphere Application Server Security

Imagine yourself at an athletic event. Hey! No, no-you are at the right place. Yes, this is a technical book. Just bear with me for a minute. Well, now that the little misunderstanding is out of the way let's go back to the beginning. The home crowd is really excited about the performance of its team. However, that superb performance has not been yet reflected on the scoreboard. When finally that performance pays off with the long-waited score, 'it' happens! The score gets called off. It is not at all unlikely that a controversial call would be made, or worse yet, not made! Or so we think. There is a group of players and fans of the team that just scored that 'see' the play as a masterpiece of athletic execution. Then there is another group, that of players and coaches of the visiting team who clearly see a violation to the rules just before the score. And there is a third group, the referees. Well, who knows what they see! The fact is that for the same action, there may be several perceptions of the same set of events. Albert Einstein and other scientists provided a great example of multi-perception with the wave-particle duality concept. In a similar fashion, a WebSphere based environment could be analyzed in a number of forms. None of the forms or views is absolutely correct or incorrect. Each view, however, helps to focus on the appropriate set of components and their relationships for a given situation or need.

WebSphere Application Server technology is a long and complex subject. This chapter provides three WAS ND environment views, emphasizing security, which will help the reader connect individual security tasks to the big picture. One view aids the WebSphere administrator to relate isolated security tasks to the overall middleware infrastructure (for example, messaging systems, directory services, and back-end databases to name a few). This is useful in possible interactions with teams responsible for such technologies. On the other hand, a second view helps the administrator to link specific security configuration tasks to a particular Enterprise Application (for example, EJB applications, Service Integration Bus, and many more) set of components. This view will help the administrator to relate to possible development team needs. The chapter also includes a third view, one that focuses on the J2EE technology stack as it relates to security. This view could help blend the former two views. So, in a nutshell, the three major parts that make up this first chapter are:

  • The Enterprise Application Server infrastructure architecture view

  • The WebSphere Application Server architecture view

  • The WebSphere technology stack view

Enterprise Application-server infrastructure architecture view

This chapter starts with the Application Server infrastructure architecture view. The actual order of each of these major chapter sub-sections is really unimportant. However, since it needs to be a beginning, the infrastructure architecture view is thus selected.

A possibly more formal name for what it is desired to convey in this section would be the Enterprise J2EE Application server infrastructure architecture. In this way, the scope of technologies that make up the application-centric architecture is well defined as that pertaining to J2EE applications. Nevertheless, this type of architecture is not exclusive to a WebSphere Application Server Network Deployment environment. Well, it's not in a way. If the architecture does not mention specific implementations of a function, it is a generic view of the architecture. On the other hand, if the architecture view defines or includes specific branded technologies of a function (for example, IHS for a web server function), then it is a specialized architecture. The point is that other J2EE application server products not related to the WebSphere umbrella may use the same generic type of infrastructure architecture.

Therefore, this view has to do with J2EE application servers and the enterprise infrastructure components needed to sustain such application servers in a way that they can host a variety of enterprise applications (also known as J2EE applications). The following diagram provides an example of a basic WebSphere Application Server infrastructure architecture topology:

Note

The use of multiple user registries is new in version 7.0

Simple infrastructure architecture characteristics

The architecture is basic since it only shows the minimum infrastructure components needed by a WebSphere Application Server infrastructure to become functional. In this diagram, the infrastructure elements are presented as they relate to each other functionally. In other words, the diagram is generic enough that it only shows and identifies the components by their main function. For instance, the infrastructure diagram includes, among others, proxy and messaging servers. Nothing in the diagram implies the mapping of a given functional component to a specific physical element such as an OS server or a specialized appliance.

Branded infrastructure elements

The infrastructure architecture presented in the diagram depicts a WebSphere clustered environment. The only technologies identified by their brand are the IBM HTTP Server (IHS) web server component (represented by the two rectangles (light blue) labeled IHS) and the WebSphere Application Server (WAS) nodes (represented by the rectangles (green) labeled WAS).

These two simple components offer a variety of architectural choices, such as:

  • Hosting both components in a single OS host under a WAS node

  • Host each component in their own OS host in the same sub-network (normally an intranet)

  • Host each component in different OS hosts in different sub-network (normally a DMZ for the IHS and intranet for the WAS)

The choice for a specific architecture will be made in terms of a variety of requirements for your environment, including security requirements.

Generic infrastructure components

The infrastructure diagram also includes a number of components that are only identified by their function but no information is provided as to the specific technology/product implementing the function. For instance, there are four shapes (light yellow) labeled DB, Messaging, Legacy Systems, and Service Providers. In your environment, there may be choices to make in terms of the specific component. Take for instance, the DB component. Identifying what DB server or servers will be part of the architecture is dependent on the type of database employed by the enterprise application being hosted. Some corporations limit the number of database types to less than a handful. Nevertheless, the objective of the WebSphere Administrator responsible for the environment is to identify which type of databases will be interfacing with the WAS environment. Once that fact is determined, the appropriate brand/product could be added to the architecture diagram.

Other technologies/components that need to be identified in a similar way are the user registry (represented by the shape (light purple) labeled User Registry), the security access component (represented in the diagram by the oval (yellow) labeled Security Access). A common type of user registry used in WebSphere environments is an LDAP server. Furthermore, a popular security access product is SiteMinder (formerly by Netegrity, now offered by CA).

The remaining group of elements in the architecture has the function to front-end the IHS/WAS environment in order to provide high availability and added security. Proxy servers may be used or not, depending on whether the IHS function can be brought to the DMZ in its own OS host. Specialized appliances offered by companies such as CISCO or F5 normally implement load balancers. However, some software products can be used to implement this function. An example to the latter is the IBM WebSphere Edge suite. In general, most corporations already own and use firewalls and load balancers; so for the WebSphere administrator, it is just a matter of integrating them to the WebSphere infrastructure.

Using the infrastructure architecture view

Some of the benefits of picturing your WebSphere environment using the infrastructure architecture view come from realizing the following important points:

  • Identify the technology or technology choices to be used to implement a specific function. For instance, what type of user registry to use.

  • An immediate result of the previous point is identifying the corporate group the WebSphere administrator would be working with in order to integrate (that is, configure) said technology and WebSphere.

  • Once the initial architecture has been laid out, the WebSphere administrator will be responsible to identify the type of security involved to secure the interactions between the various infrastructure architecture components. For instance, what type of communication will take place between the IHS and the Security Access component, if any. What is the best way to secure the communication channel? How is the IHS component authenticated to the Security Access component?

Enterprise Application-server infrastructure architecture view


This chapter starts with the Application Server infrastructure architecture view. The actual order of each of these major chapter sub-sections is really unimportant. However, since it needs to be a beginning, the infrastructure architecture view is thus selected.

A possibly more formal name for what it is desired to convey in this section would be the Enterprise J2EE Application server infrastructure architecture. In this way, the scope of technologies that make up the application-centric architecture is well defined as that pertaining to J2EE applications. Nevertheless, this type of architecture is not exclusive to a WebSphere Application Server Network Deployment environment. Well, it's not in a way. If the architecture does not mention specific implementations of a function, it is a generic view of the architecture. On the other hand, if the architecture view defines or includes specific branded technologies of a function (for example, IHS for a web server function), then it is a specialized architecture. The point is that other J2EE application server products not related to the WebSphere umbrella may use the same generic type of infrastructure architecture.

Therefore, this view has to do with J2EE application servers and the enterprise infrastructure components needed to sustain such application servers in a way that they can host a variety of enterprise applications (also known as J2EE applications). The following diagram provides an example of a basic WebSphere Application Server infrastructure architecture topology:

Note

The use of multiple user registries is new in version 7.0

Simple infrastructure architecture characteristics

The architecture is basic since it only shows the minimum infrastructure components needed by a WebSphere Application Server infrastructure to become functional. In this diagram, the infrastructure elements are presented as they relate to each other functionally. In other words, the diagram is generic enough that it only shows and identifies the components by their main function. For instance, the infrastructure diagram includes, among others, proxy and messaging servers. Nothing in the diagram implies the mapping of a given functional component to a specific physical element such as an OS server or a specialized appliance.

Branded infrastructure elements

The infrastructure architecture presented in the diagram depicts a WebSphere clustered environment. The only technologies identified by their brand are the IBM HTTP Server (IHS) web server component (represented by the two rectangles (light blue) labeled IHS) and the WebSphere Application Server (WAS) nodes (represented by the rectangles (green) labeled WAS).

These two simple components offer a variety of architectural choices, such as:

  • Hosting both components in a single OS host under a WAS node

  • Host each component in their own OS host in the same sub-network (normally an intranet)

  • Host each component in different OS hosts in different sub-network (normally a DMZ for the IHS and intranet for the WAS)

The choice for a specific architecture will be made in terms of a variety of requirements for your environment, including security requirements.

Generic infrastructure components

The infrastructure diagram also includes a number of components that are only identified by their function but no information is provided as to the specific technology/product implementing the function. For instance, there are four shapes (light yellow) labeled DB, Messaging, Legacy Systems, and Service Providers. In your environment, there may be choices to make in terms of the specific component. Take for instance, the DB component. Identifying what DB server or servers will be part of the architecture is dependent on the type of database employed by the enterprise application being hosted. Some corporations limit the number of database types to less than a handful. Nevertheless, the objective of the WebSphere Administrator responsible for the environment is to identify which type of databases will be interfacing with the WAS environment. Once that fact is determined, the appropriate brand/product could be added to the architecture diagram.

Other technologies/components that need to be identified in a similar way are the user registry (represented by the shape (light purple) labeled User Registry), the security access component (represented in the diagram by the oval (yellow) labeled Security Access). A common type of user registry used in WebSphere environments is an LDAP server. Furthermore, a popular security access product is SiteMinder (formerly by Netegrity, now offered by CA).

The remaining group of elements in the architecture has the function to front-end the IHS/WAS environment in order to provide high availability and added security. Proxy servers may be used or not, depending on whether the IHS function can be brought to the DMZ in its own OS host. Specialized appliances offered by companies such as CISCO or F5 normally implement load balancers. However, some software products can be used to implement this function. An example to the latter is the IBM WebSphere Edge suite. In general, most corporations already own and use firewalls and load balancers; so for the WebSphere administrator, it is just a matter of integrating them to the WebSphere infrastructure.

Using the infrastructure architecture view

Some of the benefits of picturing your WebSphere environment using the infrastructure architecture view come from realizing the following important points:

  • Identify the technology or technology choices to be used to implement a specific function. For instance, what type of user registry to use.

  • An immediate result of the previous point is identifying the corporate group the WebSphere administrator would be working with in order to integrate (that is, configure) said technology and WebSphere.

  • Once the initial architecture has been laid out, the WebSphere administrator will be responsible to identify the type of security involved to secure the interactions between the various infrastructure architecture components. For instance, what type of communication will take place between the IHS and the Security Access component, if any. What is the best way to secure the communication channel? How is the IHS component authenticated to the Security Access component?

WebSphere architecture view


The next view to be presented is that of the WebSphere Application Server product architecture. In a nutshell, the WebSphere Application Server product is an implementation of the J2EE set of specifications with some added functionality only found in this IBM product. Therefore, as opposed to the previous section, this view is unique to WebSphere.

Consequently, this section briefly presents the salient components of the J2EE technologies and their relation to each other from the functional and architectural point of view. Furthermore, emphasis will be placed on aspects that affect or may be affected by security considerations.

WebSphere Application Server simplified architecture

The following diagram depicts a simplified version of the WebSphere Application Server architecture. It presents the application server in the context of a WebSphere node. The application server is the implementation of a JVM. The JVM is made up of various components and at the same time, the JVM interacts with several external components that make up the WebSphere node. So, the diagram presents two major components of a WebSphere environment. On the one hand, the JVM is represented by the parallelogram (purple ) labeled Application Server. On the other hand, a larger parallelogram (teal) labeled node represents the WebSphere node.

Keep in mind that the simplification to the architecture has been done to concentrate on how it relates to application hosting in a secure environment.

Note

The concept of local security domains is new in version 7.0.

WebSphere node component

The node component of this simplified architecture occupies itself with administrative and thus security aspects between the WebSphere environment and the infrastructure. In the previous diagram, three components can be observed. The first component is the node agent; represented by the small parallelogram labeled Node agent. Notice that the node agent in itself is implemented by a specialized JVM, containing the components required to efficiently perform administrative tasks, which will include security related tasks. The node agent will interact with WebSphere environment administrative components externals to the node (and not included in the diagram). The chief among those external WebSphere components is the Deployment Manager. One of the responsibilities of the node agent as it pertains to the node and thus, to the application server JVM, is to maintain updated and valid copies of the node configuration repository. Such a repository may include information dealing with security domain information, either inherited from the WebSphere cell global security or customized for the node, represented by the parallelogram (black) labeled Local Security Domain.

WebSphere JVM component

The second major component of this simplified architecture is the implementation of a JVM. It is represented in the diagram by a large parallelogram (purple) labeled Application Server. A WebSphere JVM is made of, among other components, several containers such as the Web and EJB containers. Containers, on top of hosting instantiations of Java classes such as servlets and beans, that is, offering the runtime environment for those classes to execute, deal with security aspects of the execution. For instance, a Web Container may, given the appropriate settings, oversee that hosted resources only execute if the principal making the request has the required proof that entitles such principal of receiving the result of said request.

In addition to containers, a WebSphere JVM may also instantiate a service integration bus (SIB) if a hosted application makes use of the JVM messaging engine. In the diagram, the arrow (brown) labeled SIB represents the bus. Finally, the other JVM components included in this simplified architecture are the administrative component and the JVM security mechanism. This mechanism will interact with the containers to ensure that security is propagated to the classes executing in the said containers.

From this discussion, it can be extrapolated that each vendor has certain leniency as to the actual implementation of Sun's JVM. IBM is not an exception to this practice. If you wish to find out more about the particulars of the IBM JVM implementation for WebSphere please refer to the Information Center article "Specifications and API" (http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/rovr_specs.html). In that article you will find out which Java specifications and application programming interfaces are implemented as well as the version each implements. This information is presented in a neat table that helps you compare each specification and API version to earlier editions of the WebSphere Application Server product (that is, 5.1, 6.0 and 6.1).

Using the WebSphere architecture view

The main benefit of analyzing your WebSphere environment using this view is that it will provide you with the vocabulary to better understand the needs of application developers and architects and, equally important, to communicate back to them the special features the WebSphere environment may offer them as well as any possible restrictions imposed by security or other infrastructure characteristics.

An additional benefit provided by this view is that it offers alternatives to troubleshooting application related issues, as you will become more familiar with which JVM components are being used as the runtime environment for a given enterprise application.

WebSphere technology stack view


Finally, the third view covered in this chapter is that of the WebSphere environment technology stack. In other words, this view presents which technologies from the operating system to the WebSphere Application product are involved, highlighting the aspects related to security. This view is broken down into three categories, which are described in the following paragraphs. The stack and its categories are depicted in the diagram shown in the next sub-section.

OS platform security

At the bottom of the stack there are the primitive technologies. The term primitive in this context does not carry the meaning of backward, but rather that of foundation technologies. In the following diagram, the rectangular (bright green) area located at the bottom of the stack represents the OS platform layer.

In this layer, the presence of the underlying operating system can be observed. In the end, it is the responsibility of the OS to provide the low-level resources needed by the WebSphere environment. Furthermore, it is also its responsibility to enforce any security policies required on such resources. Two of the more prominent OS components as they relate to a WebSphere environment are the file system and the networking infrastructure. Both the file systems and the networking infrastructure are handlers of special resources.

Java technology security

The next layer in this architecture is that of the Java technology. This layer comprehends the core Java technologies and APIs used within the WebSphere environment. In the previous diagram, the layer is represented by the rectangle (teal) in the middle of the stack.

The layer is further broken down into three distinct groups among the Java stack. At the bottom sit the foundational bricks. The Java Virtual Machine and the Java Language Specification. The JVM is the enabler whereas the Language Specification lays down basic and general rules that must obeyed by the entities that will populate the JVM.

The middle brick of this layer is that of Java 2 Security. It includes more sophisticated rules that will enable entities in the JVM to achieve more complex behaviors in harmony with the rest of the inhabitants.

Finally, at the top of this layer there is the J2EE Security brick. It brings additional enablers to the JVM and rules that must be followed by the entities that populate these remote areas of the Java galaxy.

WebSphere security

At the top of the technology stack, sits the WebSphere security layer. It builds up on the previous layers and brings on board open and proprietary security bricks to supplement the Java foundation.

In other words, the WebSphere high-level security layer offers conduits using a number of technologies such as LTPA, Kerberos, and so on, that make the WebSphere environment more robust. This layer is represented in the previous diagram by the rectangle (maroon) located at the top.

In general, the number of technologies supported by this layer as well as the implementation version of such technologies is one of the aspects that make up each new WebSphere release.

Using the technology stack view

One of the main benefits of the technology stack view is that it helps WebSphere practitioners involved in various roles to map the various technologies included in this stack to the functional blocks that make up the other two views. Some practitioners will benefit by selecting the most appropriate subset among the classes offered by the WebSphere environment to implement a required functionality. Other practitioners will benefit by integrating into the WebSphere environment the best infrastructure component that will help to enable a piece of functionality required by a hosted application.

Summary


This chapter presents an introduction to WebSphere security by taking the reader to a tour that helps him observe the environment from three different angles. Each of the views presented in a way supplements the other two. Aspects related to security are at the center of each of the views described. In this chapter and in the remaining part of the book experienced users will get acquainted with new security aspects offered by the IBM WebSphere Application Server Network Deployment version 7.0. In addition, and perhaps more importantly, the material covered in this chapter and the rest of the book is presented so no prior knowledge of WebSphere security (as in earlier versions of WebSphere) is required. This fact makes it easier for new WebSphere administrators to learn the security aspects of WebSphere version 7.0. Throughout the rest of the book, the terms WebSphere Application Server Network Deployment version 7 and WAS ND7 will be used interchangeably. Let's get started!

Left arrow icon Right arrow icon

Key benefits

  • Discover the salient and new security features offered by WebSphere Application Server version 7.0 to create secure installations
  • Explore and learn how to secure Application Servers, Java Applications, and EJB Applications along with setting up user authentication and authorization
  • With the help of extensive hands-on exercises and mini-projects, explore the various aspects needed to produce secure IBM WebSphere Application Server Network Deployment v7.0 infrastructures
  • A practical reference with ready-to-implement best practices and tricks for configuring, hardening, tuning, and troubleshooting secure IBM WebSphere Application Server Network Deployment v7.0 environments

Description

In these days of high-profile hacking, server security is no less important than securing your application or network. In addition many companies must comply with government security regulations. No matter how secure your application is, your business is still at risk if your server is vulnerable. Here is how you solve your WebSphere server security worries in the best possible way. This tutorial is focused towards ways in which you can avoid security loop holes. You will learn to solve issues that can cause bother when getting started with securing your IBM WebSphere Application Server v7.0 installation. Moreover, the author has documented details in an easy-to-read format, by providing engaging hands-on exercises and mini-projects. The book starts with an in-depth analysis of the global and administrative security features of WebSphere Application Server v7.0, followed by comprehensive coverage of user registries for user authentication and authorization information. Moving on you will build on the concepts introduced and get hands-on with a mini project. From the next chapter you work with the different front-end architectures of WAS along with the Secure Socket Layer protocol, which offer transport layer security through data encryption. You learn user authentication and data encryption, which demonstrate how a clear text channel can be made safer by using SSL transport to encrypt its data. The book will show you how to enable an enterprise application hosted in a WebSphere Application Server environment to interact with other applications, resources, and services available in a corporate infrastructure. Platform hardening, tuning parameters for tightening security, and troubleshooting are some of the aspects of WebSphere Application Server v7.0 security that are explored in the book. Every chapter builds strong security foundations, by demonstrating concepts and practicing them through the use of dynamic, web-based mini-projects.

Who is this book for?

If you are a system administrator or an IT professional who wants to learn about the security side of the IBM WebSphere Application Server v7.0, this book will walk you through the key aspects of security and show you how to implement them. You do not need any previous experience in WebSphere Application Server, but some understanding of Java EE technologies will be helpful. In addition, Java EE application developers and architects who want to understand how the security of a WebSphere environment affects Java EE enterprise applications will find this book useful.

What you will learn

  • Create security domains using the wsadmin scripting tool
  • Get hands-on experience working with a mini-project to protect a Java EE Application Server
  • Secure your frontend with Secure Socket Layer Protocol and IBM HTTP Server
  • Get to grips with user authentication and authorization by building a multi-module Enterprise Web Application; packaging, deploying, and testing it
  • Work around to secure an EJB application by building on the existing mini-project
  • Configure authentication and resource access (authorization) using user registry groups and application-defined roles
  • Configure WebSphere Application Server v7.0 for SSO and LTPA and work across remote servers
  • Explore the powerful concepts of data encryption and SSL certificates practically
  • Practice platform hardening with respect to the Operating System, File System, and network configuration
Estimated delivery fee Deliver to France

Premium delivery 7 - 10 business days

€10.95
(Includes tracking information)

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Feb 23, 2011
Length: 312 pages
Edition : 1st
Language : English
ISBN-13 : 9781849681483
Vendor :
IBM
Concepts :

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Estimated delivery fee Deliver to France

Premium delivery 7 - 10 business days

€10.95
(Includes tracking information)

Product Details

Publication date : Feb 23, 2011
Length: 312 pages
Edition : 1st
Language : English
ISBN-13 : 9781849681483
Vendor :
IBM
Concepts :

Packt Subscriptions

See our plans and pricing
Modal Close icon
€18.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
€189.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts
€264.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total 143.97
IBM Websphere Portal 8: Web Experience Factory and the Cloud
€48.99
IBM WebSphere Application Server 8.0 Administration Guide
€48.99
IBM WebSphere Application Server v7.0 Security
€45.99
Total 143.97 Stars icon
Banner background image

Table of Contents

11 Chapters
A Threefold View of WebSphere Application Server Security Chevron down icon Chevron up icon
Securing the Administrative Interface Chevron down icon Chevron up icon
Configuring User Authentication and Access Chevron down icon Chevron up icon
Front-End Communication Security Chevron down icon Chevron up icon
Securing Web Applications Chevron down icon Chevron up icon
Securing Enterprise Java Beans Applications Chevron down icon Chevron up icon
Securing Back-end Communication Chevron down icon Chevron up icon
Secure Enterprise Infrastructure Architectures Chevron down icon Chevron up icon
WebSphere Default Installation Hardening Chevron down icon Chevron up icon
Platform Hardening Chevron down icon Chevron up icon
Security Tuning and Troubleshooting Chevron down icon Chevron up icon

Customer reviews

Rating distribution
Full star icon Full star icon Full star icon Empty star icon Empty star icon 3
(2 Ratings)
5 star 0%
4 star 0%
3 star 100%
2 star 0%
1 star 0%
Jacek Laskowski Nov 09, 2011
Full star icon Full star icon Full star icon Empty star icon Empty star icon 3
I found the announcement about "IBM WebSphere Application Server v7.0 Security" book in the WebSphere SME's group on LinkedIn and asked Packt for a review copy. They graciously provided one and I dived into its reading.I'm an IT Specialist for IBM WebSphere product family who works for IBM Poland for over 5 years now. I'm not a security specialist, and I doubt I'll ever be, but am constantly exposed to security issues with IBM WebSphere Application Server, since the version 6.1. The security concepts have always lagged behind. I felt I needed to renew my efforts to get the necessary security skills reinforced. And the book's title seemed to have promised it.The book has got 280 pages split into 11 chapters that aim at "building strong security foundations, by demonstrating concepts and practicing them through the use of dynamic, web-based mini projects." (from "Preface", page 1). Well said, it caught my attention even more.The author, Omar Siliceo, "is currently Senior WebSphere Suite consultant" (from "About the Author") and with his experience (he seemed to have been an IBMer, too), and the book's reviewers who also were IBMers working with IBM WebSphere AS, guaranteed a good understanding of the topic (not necessarily its reading!). The reviewers include Domenico Cantatore who's a senior IT Specialist in IBM Software Group in Dublin, and Jose Mariano Ruiz Martin who is a IT Specialist in IBM Spain. With three experienced IBMers engaged in the book writing project I was quite assured I can finally delve into WAS7's security topics in a organized manner.But I was disappointed quite often, likely for the title and Preface that rose my expectations very high. The book had ups and downs, and although the time I spent on the book's reading was way too long, I could find many places that ultimately filled the bill. The book requires a lot of patience to read from a cover to cover and I don't think it's a kind of book to read in one sitting. I believe it reads fine when a single chapter is picked for a single go.It's a book about IBM WebSphere Application Server Network Deployment version 7.0 and according to "Who this book is for" it's for "a system administrator or an IT professional who wants to learn about the security side of the IBM WebSphere Application Server v7.0[...] You do not need any previous experience in WebSphere Application Server". Sorry, but I can't agree on that. The use of "node", "WebSphere cell", "DMgr", "deployment manager", "synchronizing nodes", "node agent" vocabulary in WAS7's book before they're explained was not (and could not have been) accidental and despite the assumption the book's not aimed at people who've got some experience in WAS7, it was proved otherwise many times.At some point you'll realize that the book assumes you had already created a fully functional WAS environment with Dmgr and a federated server. Don't expect it's explained though - it's not. Could it be that the number of pages constrained it a bit? I don't think so since there are many that should not have existed at all. It turns out that the book missed a clear planning on its structure and how to introduce a reader to it. Take Chapter 5 that paid too much attention to develop a very "primitive" (page 166) MVC-based portal application and explained the gory details of JSP files (even though they're against the rule of not including Java snippets within JSPs). Or take the application as a sample to explain EJB security? If the author meant to get readers bored to death, he scored very high. Oracle's Java EE 5 tutorial would've done a better job for such learnings.You'll eventually reach page 156 where it reads: "As stated before, the author is not a developer, so there may be better ways to code the JSP file to avoid the caching side effect". He couldn't have been right more.Another example for wasting pages for unnecessary stuff? Take Chapter 1. I read it twice to finally figured out I should have not. I'm still uncertain what the author tried to get across. It's an architectural overview of WAS7, but it's incomplete (as its features go, esp. about so-called "flexible management topology") and less focused on WAS7. I doubt the book would diminish substantially in value if the chapter were to be removed. Ditch it to save time.I could not understand why "the second major component [...] is the implementation of a JVM" (page 13). The author has freely used the term "A WebSphere JVM" for "WebSphere Application Server" and although I could agree upon its principles, JVM is not a Java EE application server. Neither is it "a messaging engine" (page 13). Note it's a book about WAS7 and these terms have their well-known meaning for WebSpherians.There are many "hows" and too less "whys" with their explanations. It's not clear why we set up SSO before enabling administrative security. Why is only a simple user name supplied to log into the system? How come we use LDAP and only wasadm is given, not FQDN?! The book reminded silent about it. Alas, there were more questions left unanswered. Take another example - the LDAP server in this book is Sun Java System Directory Server, but there are no steps how to install and configure it. I'd like to have some introductory pages about it.It's not that the book had just only downs. There were ups, too. They ultimately made the reading bearable and worth the time.The security concepts were introduced with factious scenarios or corporate standards and almost every chapter began with a real-life story that I found compelling and helpful to get a point across. The author made sure that the material was presented in a more friendly manner with references to daily activities. The author seemed to have gained a lot of experience in his career, and it sprung from the pages often. Real-life examples introduced to WAS parlance world very well. The writing style was often humorous and so I kept my faith in further reading till the very end.Typos in the text as well as in the commands were annoying and reminded me to be very careful not to take all this without a pinch of salt. You should not, neither! Jython was used for administration scripts, but the author insisted on specifying -lang jython command line parameter to wsadmin while setting it up in the properties files would be preferred. Wasn't the aim of the book to introduce WAS7 to newcomers? Such tips might help a lot!Why didn't Chapter 5 provide wsadmin scripts to create users and groups, or at least check their existence? Should it be acceptable in a book like this? I don't think so. Same for figures. They could've been better drawn. They're too small and don't invite for their study. There were a few figures and diagrams, but they're hardly informative. Why did Application name have to change to match the DataSource? (page 71) Not explained. Assumed known?!The book was often too focused on the theory, not practice. There seem to be a gradual shift towards this kind of explaining WAS7's security.Wait! Wasn't I supposed to provide the ups? It's not such a tough task, after all.Excellent Chapter 4 with configuring SSL. There were much explained. A complete procedure of configuring SSL for LDAP communication is described. It's accompanied with many screenshots, so people who are tasked to perform it shouldn't be concerned with its complexities. The book encouraged a habit to create separate virtual hosts and security domains for different webapps. I'm getting used to it and liked the idea greatly. I learnt about the policy of a clean split between executables, configuration, and log files of WAS on different file systems. I liked the scheme so much! I had only a vague understanding of its benefits before. I've never bothered myself with the ports WAS listens to, but having read Chapter 9 I will. Changing it doesn't cost much, as the book showed, but may introduce a clear structure for different WAS environments - prod, uat or test. The book put much focus on silent installations with response files. Finally, the book concluded with a chapter that was packed with useful tips I'm going to use in my WAS7 assignments.And again, back to the downs.On page 160, a EJB was accessed via InitialContext.lookup() not @EJB. Oh, how could it have slipped through the review process?! I think it's unfortunate that the pages about application development were added to the book at all. The aim of the book was security not development of a very primitive portal application. I wished Chapter 8 had presented a bit more hands-on samples of using the security concepts with ready-to-use sample applications.In "JDBC: WebSphere-managed authentication" section I could read about "brief general descriptions of a concept (...) using one or two of the most popular databases used in a WebSphere v7 environment." (page 180) Guess what, beside Oracle and DB2, Sybase was mentioned. Is Sybase "one of the most popular database"? Really? Contrary to the book's main concept of WAS7 security, the section presented how to define a JDBC provider and DataSource for a database with no security. Too bad.Netegrity SiteMinder was presented, but I was hoping to learn IBM Tivoli Access Manager instead. I missed that.The book needs more practical tips for WAS7 itself not its entire hosting environment. I missed the bits that delve into intricacies of IBM WebSphere Application Server V7's security layer. I'm thus still on a lookout for a serious book about WAS7 Security.
Amazon Verified review Amazon
AmazonBuyer Mar 08, 2011
Full star icon Full star icon Full star icon Empty star icon Empty star icon 3
The Websphere Security V 7.0 Security is a good reference book, for a reader that is interesed in getting aware about the security aspects in dealing with the default components like DB JDBC, Admin Console, User registries in a WAS system, secured connections with the front end web servers, and the application server components like EJBs etc, and secured entraprise architecture. IMHO, many of the Red books already provide such information.My expectation was that this book would show us some light ( for distributed systems) in implementing SSO systems between Unix ( AIX ) systems and the AD Windows ( 2003 an 2008 systems) usually on which the AD system is hosted. Hope the author plans to have such a book (soon in the market) dealing with implemenatton and maintenance of SSL features for a distributed systems like thosebetween a WAS 7 and Windows ( AD) systems along with some interesting case histories. In summary this book is good for someone that is wanting to learn the basics of security features on A WAS 7 ND system. We look forward from the author, about a book that deals with the Kerberos /SSO configurations, deployments and maintenance for a distributed system like AIX Kerberos enhabled system working with a Windows ( 2003 b/ 2008) AD hosting system ina business enterprise. Thanks
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact customercare@packt.com with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at customercare@packt.com using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or material defect in book), Packt Publishing will not accept returns.

What is your returns and refunds policy? Chevron down icon Chevron up icon

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact Customer Relations Team on customercare@packt.com with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact Customer Relations Team on customercare@packt.com within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs during the eBook or Video being made available to you, i.e. during download then you should contact Customer Relations Team within 14 days of purchase on customercare@packt.com who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items.(damaged, defective or incorrect)
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged, with book material defect, contact our Customer Relation Team on customercare@packt.com within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner which is on a print-on-demand basis.

What tax is charged? Chevron down icon Chevron up icon

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use? Chevron down icon Chevron up icon

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal
What is the delivery time and cost of print books? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela