LDAP Authentication in WebSphere

1. A request arrives on an input channel (for example, Web or EJB).

2. The authentication data is passed through the authentication modules.

3. This flow highlights the WebSphere Application Server default trust

association interceptor (TAI) for LTPA token. LTPA is the application server’s

default and the recommended trust token implementation. Trust is asserted at

this stage of the processing. If the token is determined valid, the user

information that it contains is trusted and the identity of the user is asserted.

4. After token processing, the user credentials are

rebuilt from the information that is retrieved from the token.

5. User credentials are created based on user information retrieved from the

registry.

6. The credential is forwarded as the request is processed by different

architectural tiers of the application server.

How to Turnoff Security for WebSphere Admin console

If you are unable to authenticate, you can turn off security to help

troubleshoot the problem by running the following wsadmin commands

(command in jacl format). You must run this command locally; it cannot be

executed remotely.

Executed from /bin directory where is the profile’s install

directory.

wsadmin -conntype NONE

WASX7357I: By request, this scripting client is not connected to any

server process. Certain configuration and application operations

will be available in local mode.

WASX7029I: For help, enter: "$Help help"

wsadmin>securityoff

LOCAL OS security is off now but you need to restart server1 to make

it affected.

wsadmin>$AdminConfig save

wsadmin>exit
----------------------------------------------

WAS_INSTALL_DIR/profiles/<profileName>/config/cells/<cellName>/ and open the file security.xml. Search for a tag name <security:Security. This would be the first tag in security.xml file. In this tag we can see an attribute called enabled="true" Just change the value to false. Save the file and restart the server. Security will be disabled on the server. --------------------------------------------------------------------------------------------------------------------------------- WAS Admin Security WebSphere Security. Configuring security with scripting You can configure security with scripting and the wsadmin tool. Before you begin Before starting this task, the wsadmin tool must be running. See the Starting the wsadmin scripting client article for more information. About this task If you enable security for a WebSphere Application Server cell, supply authentication information to communicate with servers. The sas.client.props and the soap.client.props files are located in the following properties directory for each WebSphere Application Server profile: profile_root/properties Procedure The nature of the properties file updates required for running in secure mode depend on whether you connect with a Remote Method Invocation (RMI) connector, or a SOAP connector: If you use a Remote Method Invocation (RMI) connector, set the following properties in thesas.client.props file with the appropriate values: o com.ibm.CORBA.loginUserid= com.ibm.CORBA.loginPassword= Also, set the following property: com.ibm.CORBA.loginSource=properties The default value for this property is prompt in the sas.client.props file. If you leave the default value, a dialog box appears with a password prompt. If the script is running unattended, it appears to hang. If you use a SOAP connector, set the following properties in the soap.client.props file with the appropriate values: o com.ibm.SOAP.securityEnabled=true o com.ibm.SOAP.loginUserid= com.ibm.SOAP.loginPassword= Optionally, set the following property: com.ibm.SOAP.loginSource=none The default value for this property is prompt in the soap.client.props file. If you leave the default value, a dialog box appears with a password prompt. If the script is running unattended, it appears to hang. Specify user and password information. Choose one of the following methods: Specify user name and password on a command line, using the -user and -passwordcommands. For example: wsadmin -conntype RMI -port 2809 -user u1 -password secret1 Specify user name and password in the sas.client.props file for a RMI connector or thesoap.client.props file for a SOAP connector. If you specify user and password information on a command line and in the sas.client.props file or thesoap.client.props file, the command line information overrides the information in the props file. Note: The use of -password option may result in security exposure as the password information becomes visible to the system status program such as ps command which can be invoked by other user to display all the running processes. Do not use this option if security exposure is a concern. Instead, specify user and password information in the soap.client.props file for SOAP connector or sas.client.props file for RMI connector. The soap.client.props and sas.client.props files are located in the properties directory of your WebSphere Application Server profile To run any command without exposing the password in the command line, use the below format command for any operation through shell. WAS-TEST:/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin #./stopManager.sh -conntype SOAP ADMU0116I: Tool information is being logged in file /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/logs/dmgr/stopServer.log ADMU0128I: Starting tool with the Dmgr01 profile ADMU3100I: Reading configuration for server: dmgr ADMU3201I: Server stop request issued. Waiting for stop status. ADMU4000I: Server dmgr stop completed. Example: Enabling and disabling Java 2 security using wsadmin An example of enabling and disabling Java 2 security follows: Identify the security configuration object and assign it to the security variable: Using Jacl: set security [$AdminConfig list Security] An example of this output follows: (cells/mycell:security.xml#Security_1) Using Jython: security = AdminConfig.list('Security') print security Modify the enforceJava2Security attribute. To enable Java 2 security: Using Jacl: $AdminConfig modify $security {{enforceJava2Security true}} Using Jython: AdminConfig.modify(security, [['enforceJava2Security', 'true']]) To disable Java 2 security: Using Jacl: $AdminConfig modify $security {{enforceJava2Security false}} Using Jython: AdminConfig.modify(security, [['enforceJava2Security', 'false']]) Save the changes with the following command: Using Jacl: $AdminConfig save Using Jython: AdminConfig.save() IF the security has to be disabled through wsadmin: Enforce Java 2 Security Specifies whether to enable or disable Java 2 Security permission checking. By default, Java 2 security is disabled. However, if you enabled global security, this automatically enables Java 2 security. You can choose to disable Java 2 security, even when global security is enabled. When Java 2 Security is enabled and if an application requires more Java 2 security permissions then are granted in the default policy, then the application might fail to run properly until the required permissions are granted in either the app.policy file or the was.policy file of the application. AccessControl exceptions are generated by applications that do not have all the required permissions. Consult the InfoCenter and review the Java 2 Security and Dynamic Policy sections if you are unfamiliar with Java 2 security. If your server does not restart after you enable global security, you can disable security. Go to your${was_install_root}\bin directory. Excecute the command wsadmin -conntype NONE. At the wsadmin> prompt, enter securityoff. Type exit to get back to a command prompt. Now you should be able to start the server again, with security disabled. This enables you to check what might not be set correctly through the administrative console. Data type Boolean Default Disabled Range Enabled or Disabled

Basic Linux commands

IFCONFIG : It is used to display the IP address and configure Kernal-

resident network.

Syntax: ifconfig

Kill -9: To terminate or kill the process in Linux we use the kill command

Syntax: kill -9 pid#

Kill -3: It is used to take thread dumps on Linux platforms.

Syntax: kill -3

Tail: The tail command displays the last few lines of a file. By default, tail will

show the last 10 lines of a file.

Syntax: tail filename

Syntax: tail –n filename

Where n is number of lines

Head: The Head command displays the first few lines of a file. By default,

Head will show the first 10 lines of a file.

Syntax: Head filename

Syntax: Head –N filename

Where N is number of lines

Top: It is used to show CPU consumption, RAM memory consumption and

the top sessions on a Linux server.

Syntax: root> top

Cpu status:

CPU LOAD USER NICE SYS IDLE BLOCK SWAIT INTR SSYS

VMSTAT: The VMSTAT displays various server values over given time

interval. It is invoked from UNIX prompt, and it has several numeric

parameters.

The first numeric argument to VMSTAT represents the time interval

[expressed in seconds] between server samples. The second argument specifies

the number of samples to be reported

Syntax: root> vmstat [first argument] [second argument]

Ex: root> vmstat 2 2

DU: It displays the disk usage for all directories and subdirectories under the

current directory.

Syntax: du

DF: It displays the disk space free on each file system. It is very useful.

Syntax: df -m results in megabytes

df -k results in kilobytes

df –h results in gigabytes

PS: It displays the current process information.

Syntax: root> ps

root> ps –ef | grep –i java

LS –ltr: It list the files and directories with complete description

Syntax: root> ls –ltr

PWD: It displays the present working directory.

Syntax: root> pwd

Free: This command is used to quickly display the amount of RAM memory

on the server.

Syntax: root> free

UMASK: This command can be used to read or set default file permissions for

the current user.

Syntax: root> umask 022

• the umask value is subtracted from the default permissions(666) to give

the final permissions.

666 : Default permission

022 : - umask value

644 : Final permission

CHMOD: This command is used to alter the file permissions after the file has

been created.

Syntax: root> chmod 777 *.log

Owner

=======

7 (u+rwx)

6 (u+wx)

5 (u+rx)

Group

=======

7 (g+rwx)

6 (g+wx)

5 (g+rx)

World

=====

7 (o+rwx)

6 (o+wx)

5 (o+rx)

Permission

=========

read + write + execute

write + execute

read + execute

VI Editor: Vi editor is modifying, coping, deleting and adding

Syntax: VI filename

i is the command to insert the data

a is the command append the data

:w it is for saving

:q we need to quit from vi editor

:wq we need to save and quit from vi editor

:q! Forcefully quitting from vi editor without saving

Rm: Rm is a command to remove a file

Syntax: rm[options] file/dir

Ex: rm file1

Rm dir : it can delete dir

Rm –r dir1: Before delete it will ask I am gong to delete or not

Rm –rf dir1: It will delete the dir1 forcefully without asking

CHOWN: This command is used to change the ownership of files after

creation. The “-R” flag causes the command to recurse through subdirectories.

Syntax: root> chown –R oinstall.dba *

CP: This command is used to copy files and directories

Syntax: root> cp [from] [to]

Ex: cp file1 file2

SCP: It will copy the files from one server to another server

Syntax:

USERADD: The useradd command is used add the OS users

Syntax:root> useradd -G oinstall –g dba –d

/user/users/

my_user –m –s /bin/ksh my_user

NETSTAT: It is useful for checking the network configuration and activity. It

is in fact a collection several tools lumped together

The –n flag makes netstat print addresses as dotted quad IP numbers

rather than the symbolic host and network names.

The –r flag displays the kernel routing table in the way we have been

doing with route.

The –i flag displays statistics for the network interfaces currently

configured.

The –a flag by itself will display all sockets from all families

Tar: Tar command is used to create tape archives and add or extract the files

Creating tar file: tar –cvvf file.tar myfile.txt

Extracting the files from tar file:

1) tar –xvvf : This command is used to uncompresse(untar)

the file.

Ex: tar –xvvf myfile.txt

2) tar –xvzf : This command is used to extract the file

Ex: tar –xnzf myfile .txt

NSLOOKUP:

Nslookup [-option….] [host-to-find [server name]]

It is program to query Internet domain name servers. Nslookup has two

modes:

1. Interactive: It allows the user to query name servers for

information about various hosts and domains or to print a list of

hosts in a domain.

2. Non-interactive: It is used to print just the name and requested

information for a host or domain.

Interactive mode is entered in the following cases:

a) when no arguments are given(the default name server will be used)

b) when the first argument is hyphen (-) and the second argument is the

host name or internet address of a name server.