WD6SADPR – WebSphere 6 Security Administration and Programming

  • Code: WD6SADPR
  • Duration: 3 Days
  • Price per delegate: £1,295 +VAT

 

Course Description

This course delves deep into the security administration of WebSphere Application Server v6. It also teaches the security programming model of J2EE. Creating secure applications and web sites requires close cooperation between the developers and the administrators. Keeping that in mind, this course is targeted towards the developer and the administrator community.

Topics

  • Configure WebSphere Security
  • Configuring Web Application Security
  • Implementing EJB Security
  • Integrating LDAP with WebSphere Application Server
  • Configuring JDBC Security
  • Using WebSphere Application Server to integrate legacy systems
  • Configuring SSL

Target Student:

This course is designed for system administrators and programmers who need to configure security at both the application level (development) and the application server level (runtime).

Prerequisites:

The participant should have a good understanding of Java and web technologies (Servlets, JSPs and EJBs), operational skills for Windows and basic administration skills for WebSphere application server. 
 
Delivery Method:

Instructor led, group-paced, classroom-delivery learning model with structured hands-on activities.

Performance-Based Objectives:

After completing this course, the student should be able to:

  • Configure global security in WebSphere Application Server
  • Integrate WebSphere Application Server with LDAP
  • Create and deploy a secure web application
  • Configure role based security for EJBs
  • Configure Data Source security and understand how Prepared Statements increase security
  • Configure Single Sign-On
  • Implement a custom user registry
  • Understand what's involved in Web Services, messaging and J2C security
  • Configure SSL in IBM HTTP Server

Course Content

1. Common Security Threats
 
Overview
Input Data Validation
Data Ownership Validation
SQL Injection Problem
SQL Injection Solution
Malicious File Execution Problem
Malicious File Execution Solution
Web Authentication Mechanism
Insecure Authentication Mechanism
Failure to Restrict URL Access Problem
Failure to Restrict URL Access Solution
Cross Site Scripting (XSS) Problem
Cross Site Scripting (XSS) Solution
Cross Site Request Forgery (CSRF) Problem
Cross Site Request Forgery (CSRF) Solution
Information Leakage and Improper Error Handling Problem
Information Leakage and Improper Error Handling Solution
Buffer Overflow
Buffer Overflow Example
More Buffer Overflows
Buffer Overflow Solution
Insecure Communications
Insecure Cryptographic Storage Problem
Insecure Cryptographic Storage Solution
Insecure Direct Object Reference
Message Replay Attack Problem
Message Replay Attack Solution
Summary
References

2. WebSphere Security
 
Objectives
Security Overview
Architecture Components
Security Components
Digital Certificates
SSL (Secure Sockets Layer)
SSL in WebSphere
Java Security
JAAS
CSIv2
J2EE Security
Authentication and Authorization
User Registry
Authentication Mechanism
Global Security Configuration
LTPA
Single Sign-On (SSO)
Configuring LTPA
Admin Console Roles
Stopping Secure Servers
WebSphere Security Questions
WebSphere Security Answers
Reference

3. Configuring WebSphere Security
 
Overview
WebSphere Security
Security Tasks
User Registries
WebSphere User Registries
LDAP
LDAP Security Basics
LDAP Data Structure
Example
Distinguished Name (DN)
DN and RDN Example
Loading Users in Tivoli Directory Server 6.0
Creating Users and Groups in Domino Server
Local OS
Custom Registry
Precaution
Selecting A Registry
Configure the LDAP User Registry
Configuring Domino Server
Configuring Domino Server with WAS
Configure Local OS Registry
Enable Global Security
Console Users
Console Roles
Console Role Mapping
Make It So!
Stopping Secure Servers
Summary
WebSphere Security Questions
WebSphere Security Answers
Resources

4. Securing The Installation
 
Overview
The Operating System
Pre-Installation Tasks
Windows Security Policy
Unix - Umask Value
Linux / Solaris Shadow File
Post-Installation Tasks
Securing Windows Files
Securing UNIX Files
UNIX File System
Running Application Server as non-root User UNIX Platform
Overview
Review Questions
Answers
References

5. Web Application Security
 
Overview
Servlet Security
Setting up Servlet Security
Defining Roles
Create a Security Constraint
Configuring Declarative Security Using RAD
Defining Roles Using RAD
Defining Security Constraint Using RAD
Configuring Declarative Security Using RAD
Defining Roles at Application Level
Defining Roles At Application Level Using RAD
J2EE Role Management
Sample Role Mapping
Mapping Roles to Users and Groups in WebSphere
Authentication Mechanism
Configuring Authentication Mechanism Using RAD
HTTP Basic Authentication
HTTP Digest Authentication
Form-based Authentication
HTTPS Client Authentication
Lab Time
User Context of a Servlet Execution
Accessing User Credentials
User Context Used by RequestDispatcher
User Context Used When Invoking an EJB
Specifying User Context
Configuring Run As Identity Using RAD
Mapping Run As Roles to Users Using WebSphere
The init method
Programmatic Role-based Security
Creating Role Sensitive Views
Security Role References
Configuring Security Role Reference Using RAD
Lab Time
Problems with Basic Authentication
Set Up Form-based Authentication
Create an HTML Form
Configure a login-config Element
Configuring a login-config Element using RAD
Handling Login Failure
Protecting Session with WebSphere Security
Implementing a Logout Feature
User Data Constraint
Configuring a User Data Constraint in RAD
Summary
Lab Time
References

6. EJB Security
 
Overview
EJB Security
Setting up EJB Security
Sample Role Mapping
Defining Roles
Setting Method Permission
Configuring Declarative Security Using RAD
Defining Roles Using RAD
Configuring Method Permissions Using RAD
Disable Security Check
Disabling Security Check Using RAD
Excludes List
Configuring Excludes List Using RAD
Configuring Unprotected Methods Using WebSphere
Lab Time
Programmatic Role-based Security
Security Role References
Configuring Security Role Reference Using RAD
Lab Time
User Context of a Method Execution
Accessing User Credentials
Specifying User Context
Use Caller Identity Scenario
Run As Scenario
Configuring Use Caller Identity Using RAD
Configuring Run As Identity Using RAD
Mapping Run As Roles to Users Using WebSphere
WebSphere EJB Delegation Policies
Configuring Use Identity of Caller Using RAD
Configuring Use System Identity Using RAD
Overriding System Identity Using WebSphere
Configuring Run As Specified Identity Using RAD
Summary
Lab Time
References

7. SSL Configuration

Overview
The Need for Encryption
Public Key Infrastructure (PKI)
Certificates
SSL Basics
WebSphere and SSL
WebSphere SSL Configuration
SSL Configuration Repertoire
SSL Repertoires
Creating an SSL Repertoire
Dummy Certificates
Key Files
Trust File
Default Key Stores
Obtaining a Certificate
Key Management Tools
Using keytool
Generate a Self-Signed Certificate
Getting a CA Signed Certificate
Specify the Key Store
Different SSL Interactions
Web Client to Web Server
Enable SSL For IBM HTTP Server
Web Server to WebSphere
Java Client to WebSphere
Summary
Review Questions
Answers
References

8. Web Services Security

Overview
The Challenges
Overview of Web Services Security
WebSphere and Web Services Security
SOAP Message Security
Message Integrity
Message Confidentiality
Symmetric Encryption Example
Authentication
Transport Level Security
Configuring Security in WebSphere
Configuring a Server Module
Configuring a Client Module
Summary
Review Questions
Answers
References

9. Security
 
Java Security
Attacks and Dangers
Overview of JDK Security Features
Overview of JDK Security Features cont
Basic Concepts of Computer Security
Encryption
Cryptography Algorithm
Message Digest
Symmetric Ciphers
Asymmetric Ciphers
Digital Signature
Authentication
Certificate Manipulation
Java Cryptography Architecture (JCA)
Java Cryptography Extension
Using the MessageDigest Class
Example of Using the MessageDigest Class
Example of Using MessageDigest Class cont
Example of Using MessageDigest Class cont
Using the Signature Class
Java Security Architecture
JDK 1.0 Security Model Sandbox
JDK 1.1 Security Model Trusted Signed Code
JDK 1.2 Security Model Security Policy
JDK 1.4 Security Enhancement
Protection Domains and Security Policies
ProtectionDomain Class
Permission Classes
Using Permission Classes
Policy Class
Policy Configuration File
AccessController Class
SecurityManager Class
Using the SecurityManager Class
Dynamic Class Loader
Loader Classes
Example of Security Check in a Class Loader
Java Security Tools
Using Java Security Tools Code Signing
Java Security
Enabling Java Security
WebSphere Policy
WebSphere Policy Files
Other WebSphere Policy Files
Application Security
was.policy
Using was.policy
was.policy Example
Deployment
Summary
Review Questions
Answers
References