IBM WebSphere Application Server v7.0 Security - Omar P Siliceo (USD) - E-Book

Description

In these days of high-profile hacking, server security is no less important than securing your application or network. In addition, many companies must comply with government security regulations. No matter how secure your application is, your business is still at risk if your server is vulnerable. Here is how you solve your WebSphere server security worries in the best possible way.

This tutorial focuses on ways in which you can avoid security loopholes. You will learn to solve issues that can cause bother when getting started with securing your IBM WebSphere Application Server v7.0 installation. Moreover, the author has documented details in an easy-to-read format, by providing engaging hands-on exercises and mini-projects.

The book starts with an in-depth analysis of the global and administrative security features of WebSphere Application Server v7.0, followed by comprehensive coverage of user registries for user authentication and authorization information. Moving on, you will build on the concepts introduced and get hands-on with a mini project. From the next chapter you work with the different front-end architectures of WAS along with the Secure Socket Layer protocol, which offers transport layer security through data encryption.

You learn user authentication and data encryption, which demonstrate how a clear text channel can be made safer by using SSL transport to encrypt its data. The book will show you how to enable an enterprise application hosted in a WebSphere Application Server environment to interact with other applications, resources, and services available in a corporate infrastructure. Platform hardening, tuning parameters for tightening security, and troubleshooting are some of the aspects of WebSphere Application Server v7.0 security that are explored in the book. Every chapter builds strong security foundations, by demonstrating concepts and practicing them through the use of dynamic, web-based mini-projects.

You can read this e-book in the Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Number of pages: 374

Year of publication: 2011


Table of Contents

IBM WebSphere Application Server v7.0 Security
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers and more
Why Subscribe?
Free Access for Packt account holders
Instant Updates on New Packt Books
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. A Threefold View of WebSphere Application Server Security
Enterprise Application-server infrastructure architecture view
Simple infrastructure architecture characteristics
Branded infrastructure elements
Generic infrastructure components
Using the infrastructure architecture view
WebSphere architecture view
WebSphere Application Server simplified architecture
WebSphere node component
WebSphere JVM component
Using the WebSphere architecture view
WebSphere technology stack view
OS platform security
Java technology security
WebSphere security
Using the technology stack view
Summary
2. Securing the Administrative Interface
Information needed: Planning for security
The LDAP and security table
Enabling security
Setting the domain name
Starting at the console
Continuing with the global security page
Onto the SSO page
Setting the SSO domain name
Applying and saving your changes
Configuring the user registry
Locating the user registry configuration area
Registry type selection
Federated repository
Local operating system
LDAP
Standalone custom registry
LDAP—the preferred choice
Reviewing the resulting standalone LDAP registry page
Defining the WebSphere administrative ID
Setting the type of LDAP server
Entering the LDAP server parameters
Providing the LDAP bind identity parameters
Confirming other miscellaneous LDAP server parameters
Applying and saving the standalone LDAP configuration
Confirming the configuration
Enabling the administrative security
Locating the administrative security section
Performing the administrative security configuration steps
Applying and saving your changes
Propagating new configuration
Logging off from the console
Restarting the deployment manager
Logging in to the deployment manager console
Administrative roles
Disabling security
Summary
3. Configuring User Authentication and Access
Security domains
What is a security domain
Scope of security domains
Benefits of multiple security domains
Limitations of security domains
Administrative security domain
Configuring security domains based on global security
Creating a global security domain clone
Creating a security domain using scripting
User registry concepts
What is a user registry
WebSphere use of user repositories
Authentication
Authorization
Supported user registry types
Local operating system
Standalone LDAP
Standalone custom registry
Federated repositories
Protecting application servers
WebSphere environment assumptions
Prerequisites
Creating an application server
Creating a virtual host
Creating application JDBC Provider and DataSource
Configuring the global security to use the federated user registry
Creating a security domain for the application server
Configuring user authentication
Creating groups
Creating users
Assigning users to groups
Configuring access to resources
Testing the secured application server environment
Deploying and securing an enterprise application
Accessing the secured enterprise application
Summary
4. Front-End Communication Security
Front-end enterprise application infrastructure architectures
WebSphere horizontal cluster classic architecture
WebSphere horizontal cluster using dual-zone architecture
WebSphere horizontal cluster using multi-zone architecture
SSL configuration and management
What is SSL
How SSL works
Certificates and CAs
Securing front-end components communication
Securing the IBM HTTP Server
Environment assumptions
SSL configuration prerequisites
Add SSL ports to WebSphere employees_vh virtual server
Creating the SSL system components
Create the IHS SSL keystore
List built-in CA certificates included in keystore
Create self-signed certificate
Confirm the creation of self-signed certificate
Configuring IHS for SSL
Modifications to httpd.conf
Extract the WebSphere CA certificate
Add WAS self-signed certificate to the plug-in
Validation of the SSL configuration
Summary
5. Securing Web Applications
Securing web applications concepts
Developer view of web application security
Administrator view of web application security
Securing a web application
Project objectives
Assumptions
Prerequisites
Enterprise application architecture
Application groups
Application users
Application memberships
ACLs based on user registry groups
ACLs based on application roles
Dynamic web modules
Securing a J2EE web application
Creating the enterprise application project
Creating the dynamic web application projects
Configuring dynamic web applications
Defining welcome files
Adding log in information
Defining protected URI patterns and methods
Creating application roles
Assigning the application role
Defining client-server transport type
Mapping web modules to employees_vh
Configuring enterprise applications
Defining roles
Mapping groups to roles
Adding content to dynamic web applications
Adding web files
Adding Java components
Completing the Java code
Analysis of the initial servlet code
Completing the servlet code
Packaging an enterprise application
Deploying the enterprise application
Testing the enterprise application
Summary
6. Securing Enterprise Java Beans Applications
EJB application security concepts
Declarative security
Programmatic security
EJB project design
EJB application du jour
Objective—security
Objective—functional
Project design—UI aspect
Project design—programming component
Project design—implementation phase
EJB project prerequisites and assumptions
Project assumptions
Project prerequisites
Creating an Enterprise Application Project
Creating the project workspace
Enterprise application project requirements
EAR version
Target runtime
Creating the enterprise application project
Selecting the project EAR version
Creating a target runtime
Creating the deployment descriptor
Creating the portal Dynamic Web Project
Creating the portal DWP
Defining the DWP context root
Creating the DWP deployment descriptor
Configuring the portal DWP deployment descriptor
Defining the welcome pages suite
Adding login information
Securing protected URI patterns and HTTP methods
Defining security constraints
Defining resource collections
Defining application roles
Defining the client-server transport type
Mapping module to virtual host
Creating content for the portal DWP
Location of files within the project
Logical file organization
Creating the common HTML files
Creating the custom HTML files
Creating the JSP files
Pagelet selector JSP files
Portal home selector JSP files
Creating the Servlet PortalHomeSelectorServlet
Creating a Java package
Creating the Servlet
Creating the code for PortalHomeSelectorServlet
Package definition and import statements
Declaration of class constants and variables
HTTP methods
Getting parameters
Communicating with EJB
Forwarding control to another component
Creating an EJB project
Creating the initial project
Creating the Java packages
Creating the EJB interfaces
Creating IPortalSelectorSessionBean interface
Creating the local and remote EJB interfaces
Creating the EJB
Creating the code for PortalSelectorSessionBean
Package definition and import statements
Class definition
Instance variables
Linking to the user context
Programmatic security
Declarative security
The grand finale
Packaging the enterprise project as an EAR
Deploying the EAR
Testing the application
Summary
7. Securing Back-end Communication
LDAP: Uses of encryption
Securing the LDAP channel
Protocol: LDAP and the Internet Protocol Suite
The importance of securing the LDAP channel
Choices in securing the LDAP channel
Enabling SSL for LDAP
Creating a key ring for storing key stores
JCE Policy files
Creating a trust db for storing trust stores
Creating a key store for use with LDAP
Creating a trust store to use with LDAP
Creating an SSL configuration for LDAP
Obtaining the LDAP server SSL certificate
Configuring LDAP for SSL
JDBC: WebSphere-managed authentication
Protocol(s)
The JDBC API
Connection/Driver Manager and Data Source/JDBC provider
The JDBC Application Layer
Choices to secure the database channel
Examples of securing the JDBC connection
Defining a new JDBC provider
Defining a new Data Source
Summary
8. Secure Enterprise Infrastructure Architectures
The enterprise infrastructure
An Enterprise Application in relation to an Application Server
WAS infrastructure and EA's application server interactions
Securing the enterprise infrastructure using LTPA
Why use the LTPA mechanism
How the LTPA authentication mechanism works
The main use for LTPA in a WebSphere environment
Securely enhancing the user experience with SSO
Required conditions to implement SSO
Implementing SSO in WebSphere
Fine-tuning authorization at the HTTP server level
Why use an external access management solution
How it works
What tool to use
Configuring the HTTP server to use an external access management solution
Fine-tuning authorization at the WAS level
When to use TAI
Configuring SiteMinder ASA for WebSphere (TAI)
Summary
9. WebSphere Default Installation Hardening
Engineering the how and where of an installation
Appreciating the importance of location, location, location!
Customizing the executable files location
Customizing the configuration files location
Customizing the log files location
Camouflaging the entrance points
Understanding why it's important
Methodology choices
Identifying what needs to be configured
Getting started
Picking a good attorney
Ensuring good housekeeping of an installation
Keeping your secrets safe
Using key stores and trust stores
Storing passwords in configuration files
Adding passwords to properties files
Manually adding a password - a bonus tip
Summary
10. Platform Hardening
Identifying where to focus
Exploring the operating system
Appreciating OS interfaces
Understanding user accounts
Understanding service accounts
Using kernel modules
Creating the file system
Influencing permission and ownership using process execution
Running single execution mode
Using executables
Configuring
Setting ownerships and permissions on log files
Running multiple execution mode
Safeguarding the network system
Establishing network connections
Communicating from process to process
Summary
11. Security Tuning and Troubleshooting
Tuning WebSphere security
Tuning general security
Tightening security using the administrative connector
Disabling security attribute propagation
Using unrestricted Java Cryptographic Extensions
Obtaining the Unrestricted JCE policy files
Installing the Unrestricted JCE policy files
Tuning CSIv2 connectivity
Using Active Authentication Protocol: Set it only to CSI
Enforcing client certificates using SSL
Enabling stateful sessions
Configuring the server
Configuring the client
Tuning user directories and user permissions
Configuring LDAP
Reusing the established connection
Ignoring case during authorization
Tuning user authentication
Increasing authentication cache timeout
Enabling SSO
Troubleshooting WebSphere security-related issues
Troubleshooting general security configuration exceptions
Identifying problems with the Deployment Manager—node agent communication blues
Receiving the message HMGR0149E: node agent rejected
Receiving the message ADMS0005E: node agent unable to synchronize
Troubleshooting runtime security exceptions
Troubleshooting HTTPS communication between WebSphere Plug-in and Application Server
Receiving the message SSL0227E: SSL handshake fails
Receiving ws_config_parser errors while loading the plug-in configuration file
Receiving the message GSK_ERROR_BAD_CERT: No suitable certificate found
Receiving the message GSK_KEYFILE_IO_ERROR: No access to key file
Receiving the message WSVR0009E / ORBX0390E: JVM does not start due to org.omg.CORBA.INTERNAL error
Concluding WebSphere security-related tips
Using wildcards in virtual hosts: never do it!
Ensuring best practice: set tracing from wide to specific search pattern
Using a TAI such as SiteMinder: remove existing interceptors
Summary
Index

IBM WebSphere Application Server v7.0 Security

Copyright © 2011 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: February 2011

Production Reference: 1180211

Published by Packt Publishing Ltd. 32 Lincoln Road Olton Birmingham, B27 6PA, UK.

ISBN 978-1-849681-48-3

www.packtpub.com

Cover Image by David Guettirrez

Credits

Author

Omar Siliceo

Reviewers

Domenico Cantatore

Ty Lim

Jose Mariano Ruiz Martin

Development Editor

Susmita Panda

Technical Editors

Neha Damle

Erika Fernandes

Gaurav Datar

Indexer

Monica Ajmera Mehta

Editorial Team Leader

Vinodhan Nair

Project Team Leader

Priya Mukherji

Project Coordinator

Sneha Harkut

Proofreaders

Aaron Nash

Steve Maguire

Graphics

Geetanjali Sawant

Production Coordinator

Alwin Roy

Cover Work

Alwin Roy

About the Author

Omar Siliceo, a professional Systems Engineer with a Master of Science degree in Electrical Engineering, started his IT career in the year 1991 as a Research Specialist, performing the roles of systems specialist, Internet and Unix systems administrator, and Internet systems consultant, when he was invited to join the Computer Center group at Vanderbilt University. In 1994, he joined the information technology team as a consultant, performing systems integration at the King Faisal Specialist Hospital and Research Centre in Saudi Arabia. After returning to the United States of America in 1997, he launched his IT consulting practice, creating partnerships with companies such as CTG and Ajilon. He spent most of the period from 1997 to 2004 (1997-2002) working with IBM in finding e-commerce solutions for customers such as Macy's, the NBA Store and Blair, and event Cybercast Infrastructure Administration for customers such as The Wimbledon Championships and The Masters Golf Tournament. It was during this period that he became exposed to early WebSphere technologies, including but not limited to WebSphere Application Server, WebSphere Commerce Suite, WebSphere Portal, and WebSphere Everyplace Suite.

In his last year with IBM, he focused on providing design, programming consultation, and problem solving to Fortune 500 software vendors and software integrators who were IBM's business partners. Between 2002 and 2004, he served as a consultant to The World Bank Group and Blue Cross Blue Shield of Florida. His role was the administration of WebSphere environments including some special projects such as the rollout of the latest version of their WebSphere environments. In 2004, he interrupted his consulting practice when he was invited to join the IT engineering team at Cummins, Inc. He served as Senior Web Technologies Engineer and later on as the Web Deployment team manager. As Senior Engineer, he architected the infrastructure environment for WebSphere 5.1, defining standards for platform creation, WAS deployment, and integration with existing enterprise technologies and services. In 2008, he resumed his consulting practice, supporting WebSphere Application Server, WebSphere Portal, and WebSphere Edge Components efforts and initiatives with Bank of America (2008), Blue Cross Blue Shield of Florida (2008-2009), and The World Bank Group, where he is currently Senior WebSphere Suite consultant.

First and foremost, I would like to thank the Lord for providing this unique, challenging, and rewarding opportunity as well as the resources to complete this fun project. Secondly, I would also like to thank my wife, Melissa, for her love, support, and encouragement throughout this undertaking. In addition, I wish to extend my gratitude to my sons, Tano and Chago, for allowing me to give up time that otherwise I would have spent with them.

Furthermore, I would like to express my appreciation to Packt for having reached out to me to propose this project. In particular, I thank my editorial team and their management for all the support provided in order to make this project a reality. I also would like to thank the technical team of experts who painstakingly reviewed each of the chapters for their corrections, observations, and most welcomed suggestions to improve the quality of this work.

Finally, I want to thank the folks at The World Bank Group, in particular Srini, Balaji, Suresh, and Ajay, for their encouragement during this project. I think they promised to buy a copy each.

About the Reviewers

Domenico Cantatore is a senior IT Specialist working for IBM Software Group in Dublin.

His areas of expertise include infrastructure architecture design, implementation, problem determination and performance, analysis, and tuning on WebSphere and Tivoli® products. These products include WebSphere Application Server, WebSphere Portal Server, WebSphere Process Server, WebSphere Commerce Server, WebSphere MQ, WebSphere Message Broker, and ITCAM. He has 10 years of experience in IT and various industry certifications.

Ty Lim has worked for various software startup companies and consulting firms, and worked in the healthcare IT field for the last eight years. He now works in the telecommunications industry.

Ty Lim has been in the IT industry for more than 15 years. He started out using WebSphere Application Server back in 2003 and has been utilizing the technology ever since. He has a background in Java programming and Unix/Linux systems administration, and he keeps up to date with the latest open source technology. He holds a degree in Computer Science from the University of the Pacific, and is currently pursuing his Master's degree in Information Systems at Boston University. He has interests in application server technology, open source technology, network security, and Java programming.

I would like to thank my parents (Lina and Roland) for giving me what I needed growing up so that I could achieve what I needed to accomplish thus far in my career. (A good home, a great education, and a drive to keep going.) I love you guys so much. 'Thank you' does not quite show the magnitude of what I owe you.

To Mike and Penny, both of you have shown me a lot over the last several years. Thank you so much for being my friends. Both of you have achieved what I have always sought. I hope this rolling stone can someday put up roots somewhere. Give a big hug to my goddaughter Sophia for me. Tell her, her godfather loves her very much.

To my sister Eileen and my brother-in-law Nguyen. Both of you have been an inspiration to me over the last several years. I wish both of you complete happiness.

To my colleagues in New York and New Jersey (BrianK, GeorgeT, TomB, DonN, JonL, JohnW, MikeR, GregM, MarkD, JohnH, VinceH), guys you're the best in the business. I can't be prouder to call you both a colleague and a friend. Keep up the great work.

To Jenny, thank you for being my friend all these years, I cherish our friendship very much.

To my friends and colleagues in CA and overseas, I hope to see all of you soon (or someday). All of you have been my inspiration for working my way back home.

To Geri, I just wanted you to know, that your happiness has always meant very much to me. I hope you find happiness wherever you go.

Jose Mariano Ruiz Martin is a Computing Science Engineer and senior specialist at Technologies of Information. He has worked at some of the most important Spanish companies including Telefónica Spain, Vodafone Spain, Caja Madrid, and Mapfre as systems engineer and technical leader.

After finishing his degree in Computing Science and completing a Master's in Computer Networking and Communications, he has specialized in systems engineering, obtaining several certifications such as Sun Certified Security Administrator, Sun Certified System Administrator for Solaris 9, BEA Certified WebLogic 9 Administrator, BEA Certified WebLogic 8.1 Administrator, and Cisco Certified Network Associate. Besides this, he has been a professor for several courses on Information Systems Administration.

He is now working at IBM Spain on electronic commerce infrastructures and SOA/BPM technologies as an IT specialist on IBM's WebSphere platform.

I would like to dedicate this book to all those who do not resign themselves to be mere spectators in life, and work resolutely to achieve their own goals; with a special mention to my father, who is still the best example for both my brother and me, and has resisted all the difficulties he has had to face.

www.PacktPub.com

Support files, eBooks, discount offers and more

You might want to visit www.PacktPub.com for support files and downloads related to your book.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at <[email protected]> for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

http://PacktLib.PacktPub.com

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read and search across Packt's entire library of books.

Why Subscribe?

Fully searchable across every book published by Packt
Copy & paste, print and bookmark content
On demand and accessible via web browser

Free Access for Packt account holders

If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.

Instant Updates on New Packt Books

Get notified! Find out when new books are published by following @PacktEnterprise on Twitter, or the Packt Enterprise Facebook page.

Preface

IBM WebSphere Application Server Network Deployment is IBM's flagship J2EE application server platform. It implements the J2EE technology stack. This stack enables the WebSphere Application Server platform to execute the user's Java enterprise applications that perform business functions. There are several roles who use this platform such as architects, developers, and administrators, to mention a few. Within the administrator role, in turn, there are several functions such as installation, performance, security, and so on.

This book starts with an in-depth analysis of the global and administrative security features of WebSphere Application Server v7.0, followed by comprehensive coverage of user registries for user authentication and authorization information. Moving on, you will build on the concepts introduced and get hands-on with a mini project. In the next chapter, you work with the different front-end architectures of WAS along with the Secure Socket Layer protocol, which offers transport layer security through data encryption.

You can learn user authentication and data encryption, which demonstrate how a clear text channel can be made safer, by using SSL transport to encrypt its data. This book will show you how to enable an enterprise application hosted in a WebSphere Application Server environment to interact with other applications, resources, and services available in a corporate infrastructure. Platform hardening, tuning parameters for tightening security, and troubleshooting are some of the aspects of WebSphere Application Server v7.0 security that are explored in the book. Every chapter builds strong security foundations, by demonstrating concepts and practicing them through the use of dynamic, web-based mini projects.

What this book covers

Chapter 1, A Threefold View of WebSphere Application Server Security, uses a novel approach to compare ways in which WebSphere security elements are perceived, usually according to the role of the individual working with the technology. These ways or views help you understand the foundations of WebSphere security, providing multiple angles from where to analyze this set of technologies and communicate in their language with different functional teams within your organization.

Chapter 2, Securing the Administrative Interface, walks you through the necessary steps to secure access to the WebSphere graphical interface, known as the ISC (Integrated Solutions Console). As a prerequisite to securing the ISC, you must first enable the WebSphere Application Server platform security, known as global security. During these processes, the chapter succinctly describes relevant security topics (for example, user registries) and highlights what parameters are required in order to perform each step.

Chapter 3, Configuring User Authentication and Access, provides concise technical background on the security topics related to setting up user authentication (validation of presented user credentials) and user access (determining whether an authenticated user has the rights to access what was requested). The chapter describes some important concepts such as WebSphere Security Domains (a new feature in version 7 of WAS), user registries (reviewed in more depth), as well as a review of popular user registries available to be used in a WebSphere environment. The chapter ends by binding all these concepts using a mini project that walks you through protecting application servers.

Chapter 4, Front-End Communication Security, describes and compares popular infrastructure architectures used to design the front-end of a WebSphere environment. The chapter goes on to explain a major security protocol used to secure communication channels, SSL, and describes several related aspects such as SSL certificates and CAs (certificate authorities). At the end, the chapter walks you through the process, by way of a mini project, used to secure the front-end of a WebSphere environment from the HTTP server (IHS) to the actual Application Server.

Chapter 5, Securing Web Applications, briefly introduces concepts related to securing Java Web Applications (or more succinctly Web Applications). The chapter then uses an in-depth mini project in which you are walked through the various stages to design, code, package, deploy, and configure a simple Web Application that offers access to employees of a fictional corporation. Each type of employee will have access only to sections of the Web Application. Therefore, you will configure WebSphere in order to implement this secure functionality.

Chapter 6, Securing Enterprise Java Beans Applications, introduces concepts related to Enterprise Java Beans (EJB) technologies such as declarative and programmatic security. The chapter then uses the mini-project approach to walk you through the stages needed to design, code, package, deploy, and configure a simple EJB application. The mini-project in this chapter reuses modules from the previous chapter to implement a very simple portal application that will offer a better user experience to the employees of our fictional corporation.

Chapter 7, Securing Back-end Communication, focuses on two major concepts: authentication and data encryption. Authentication is reviewed from the point of view of trust between two infrastructure components, for example, WebSphere and a back-end database. The chapter expands on the major topics by providing in detail two examples of their use. It explores how encryption is used in the communication between WebSphere and a popular type of user registry, LDAP. The chapter also examines the use of authentication during the exchanges between WebSphere and databases using the JDBC protocol.

Chapter 8, Secure Enterprise Infrastructure Architectures, describes areas that enable an enterprise application hosted in a WebSphere environment to interact with other applications, resources, and services available in a corporate infrastructure. It covers central concepts such as LTPA and SSO. The chapter ends by showing you how to fine-tune authorization at the HTTP Server level as well as at the WebSphere level.

Chapter 9, WebSphere Default Installation Hardening, deals with engineering the default WebSphere installation by changing its default parameters in order to harden the product's security side and customizing the files that hold the WebSphere environment security certificates and signers. The chapter focuses on two major aspects. On the one hand, it points out what characteristics in the OS to review and modify; on the other, it discusses securing files related to certificates (key and trust stores) and files that hold passwords.

Chapter 10, Platform Hardening, looks at aspects of the platform where WebSphere is hosted that can be modified to increase the environment security. The chapter breaks down the OS into areas relevant to the WebSphere platform: generic operating system characteristics (for example, user accounts), file system features (for example, file permissions), and network system configuration.

Chapter 11, Security Tuning and Troubleshooting, overviews three major areas that can be improved by tuning key parameters as well as a couple of troubleshooting areas. The tuning section overviews general security, CSIv2 connectivity, and user directories and user permissions. Finally, the troubleshooting section reviews general security configuration exceptions and run time security exceptions.

What you need for this book

The following is a list of software that you will need to download for this book:

- IBM WebSphere Application Server Network Deployment version 7.0 (this is the specific software for which the book is written)
- Software used to write example code and to package examples so they can be installed (deployed) into WebSphere
  - IBM Application Server Toolkit for WebSphere Application Server version 6.1
  - IBM Rational Application Developer Assembly and Deployment Features for WebSphere Software V7.5 for Multiplatforms
  - Eclipse Java EE IDE for Web Developers version 3.5.2 (Open source available at www.eclipse.org)

Who this book is for

If you are a system administrator or an IT professional who wants to learn about the security side of the IBM WebSphere Application Server v7.0, this book will walk you through the key aspects of security and show you how to implement them. You do not need any previous experience in WebSphere Application Server, but some understanding of Java EE technologies will be helpful. In addition, Java EE application developers and architects who want to understand how the security of a WebSphere environment affects Java EE enterprise applications will find this book useful.

Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

Code words in text are shown as follows: "Start the wsadmin interface."

A block of code is set as follows:

    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen [Server_IP]:8444
    <VirtualHost [Server_IP]:8444>
        SSLEnable
        SSLServerCert ihs1.wasmaster
        SSLProtocolDisable SSLv2
    </VirtualHost>
    KeyFile /opt/IBM/HTTPServer/ihsserverkey.kdb
    SSLDisable

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

getParamAndForward(request, response);

Any command-line input or output is written as follows:

AdminTask.createSecurityDomain('-securityDomainName secappsvr01.yourcompany.com -securityDomainDescription "Security domain for SecureAppServer01" ')

New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "From the list of links located at the bottom, on the right-hand side of the window, click the Open WebSphere Bindings link"

Note

Warnings or important notes appear in a box like this.

Note

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.

To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title via the subject of your message.

If there is a book that you need and would like to see us publish, please send us a note in the SUGGEST A TITLE form on www.packtpub.com or e-mail <[email protected]>.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Tip

Downloading the example code for this book

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books, maybe a mistake in the text or the code, we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.

Piracy

Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at <[email protected]> with a link to the suspected pirated material.

We appreciate your help in protecting our authors, and our ability to bring you valuable content.

Questions

You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.

Chapter 1. A Threefold View of WebSphere Application Server Security

Imagine yourself at an athletic event. Hey! No, no, you are at the right place. Yes, this is a technical book. Just bear with me for a minute. Well, now that the little misunderstanding is out of the way, let's go back to the beginning. The home crowd is really excited about the performance of its team. However, that superb performance has not yet been reflected on the scoreboard. When that performance finally pays off with the long-awaited score, 'it' happens! The score gets called off. It is not at all unlikely that a controversial call would be made, or worse yet, not made! Or so we think. There is a group of players and fans of the team that just scored who 'see' the play as a masterpiece of athletic execution. Then there is another group, that of players and coaches of the visiting team, who clearly see a violation of the rules just before the score. And there is a third group, the referees. Well, who knows what they see! The fact is that for the same action, there may be several perceptions of the same set of events. Albert Einstein and other scientists provided a great example of multi-perception with the wave-particle duality concept. In a similar fashion, a WebSphere-based environment could be analyzed in a number of forms. None of the forms or views is absolutely correct or incorrect. Each view, however, helps to focus on the appropriate set of components and their relationships for a given situation or need.

WebSphere Application Server technology is a long and complex subject. This chapter provides three views of a WAS ND environment, emphasizing security, which will help the reader connect individual security tasks to the big picture. One view helps the WebSphere administrator relate isolated security tasks to the overall middleware infrastructure (for example, messaging systems, directory services, and back-end databases, to name a few). This is useful in possible interactions with the teams responsible for such technologies. A second view helps the administrator link specific security configuration tasks to the set of components of a particular Enterprise Application (for example, EJB applications, Service Integration Bus, and many more). This view will help the administrator relate to possible development team needs. The chapter also includes a third view, one that focuses on the J2EE technology stack as it relates to security. This view could help blend the former two views. So, in a nutshell, the three major parts that make up this first chapter are:

- The Enterprise Application Server infrastructure architecture view
- The WebSphere Application Server architecture view
- The WebSphere technology stack view

Enterprise Application-server infrastructure architecture view

This chapter starts with the Application Server infrastructure architecture view. The actual order of these major chapter sub-sections is really unimportant. However, since there needs to be a beginning, the infrastructure architecture view is selected.

A possibly more formal name for what this section conveys would be the Enterprise J2EE Application server infrastructure architecture. In this way, the scope of technologies that make up the application-centric architecture is well defined as that pertaining to J2EE applications. Nevertheless, this type of architecture is not exclusive to a WebSphere Application Server Network Deployment environment. Well, it's not in a way. If the architecture does not mention specific implementations of a function, it is a generic view of the architecture. On the other hand, if the architecture view defines or includes specific branded technologies for a function (for example, IHS for a web server function), then it is a specialized architecture. The point is that other J2EE application server products not related to the WebSphere umbrella may use the same generic type of infrastructure architecture.

Therefore, this view has to do with J2EE application servers and the enterprise infrastructure components needed to sustain such application servers in a way that they can host a variety of enterprise applications (also known as J2EE applications). The following diagram provides an example of a basic WebSphere Application Server infrastructure architecture topology:

Note

The use of multiple user registries is new in version 7.0.

Simple infrastructure architecture characteristics

The architecture is basic since it only shows the minimum infrastructure components needed by a WebSphere Application Server infrastructure to become functional. In this diagram, the infrastructure elements are presented as they relate to each other functionally. In other words, the diagram is generic enough that it only shows and identifies the components by their main function. For instance, the infrastructure diagram includes, among others, proxy and messaging servers. Nothing in the diagram implies the mapping of a given functional component to a specific physical element such as an OS server or a specialized appliance.

Branded infrastructure elements

The infrastructure architecture presented in the diagram depicts a WebSphere clustered environment. The only technologies identified by their brand are the IBM HTTP Server (IHS) web server component (represented by the two rectangles (light blue) labeled IHS) and the WebSphere Application Server (WAS) nodes (represented by the rectangles (green) labeled WAS).

These two simple components offer a variety of architectural choices, such as:

- Hosting both components in a single OS host under a WAS node
- Hosting each component in its own OS host in the same sub-network (normally an intranet)
- Hosting each component in different OS hosts in different sub-networks (normally a DMZ for the IHS and intranet for the WAS)

The choice for a specific architecture will be made in terms of a variety of requirements for your environment, including security requirements.

Generic infrastructure components

The infrastructure diagram also includes a number of components that are only identified by their function; no information is provided as to the specific technology/product implementing the function. For instance, there are four shapes (light yellow) labeled DB, Messaging, Legacy Systems, and Service Providers. In your environment, there may be choices to make in terms of the specific component. Take, for instance, the DB component. Identifying what DB server or servers will be part of the architecture is dependent on the type of database employed by the enterprise application being hosted. Some corporations limit the number of database types to less than a handful. Nevertheless, the objective of the WebSphere Administrator responsible for the environment is to identify which types of databases will be interfacing with the WAS environment. Once that fact is determined, the appropriate brand/product could be added to the architecture diagram.

Other technologies/components that need to be identified in a similar way are the user registry (represented by the shape (light purple) labeled User Registry) and the security access component (represented in the diagram by the oval (yellow) labeled Security Access). A common type of user registry used in WebSphere environments is an LDAP server. Furthermore, a popular security access product is SiteMinder (formerly by Netegrity, now offered by CA).

The remaining group of elements in the architecture serves to front-end the IHS/WAS environment in order to provide high availability and added security. Proxy servers may be used or not, depending on whether the IHS function can be brought to the DMZ in its own OS host. Specialized appliances offered by companies such as Cisco or F5 normally implement load balancers. However, some software products can be used to implement this function. An example of the latter is the IBM WebSphere Edge suite. In general, most corporations already own and use firewalls and load balancers; so for the WebSphere administrator, it is just a matter of integrating them into the WebSphere infrastructure.

Using the infrastructure architecture view

Some of the benefits of picturing your WebSphere environment using the infrastructure architecture view come from realizing the following important points:

- Identify the technology or technology choices to be used to implement a specific function. For instance, what type of user registry to use.
- An immediate result of the previous point is identifying the corporate group the WebSphere administrator would be working with in order to integrate (that is, configure) said technology and WebSphere.
- Once the initial architecture has been laid out, the WebSphere administrator will be responsible to identify the type of security involved to secure the interactions between the various infrastructure architecture components. For instance, what type of communication will take place between the IHS and the Security Access component, if any. What is the best way to secure the communication channel? How is the IHS component authenticated to the Security Access component?

WebSphere architecture view

The next view to be presented is that of the WebSphere Application Server product architecture. In a nutshell, the WebSphere Application Server product is an implementation of the J2EE set of specifications with some added functionality only found in this IBM product. Therefore, as opposed to the previous section, this view is unique to WebSphere.

Consequently, this section briefly presents the salient components of the J2EE technologies and their relation to each other from the functional and architectural point of view. Furthermore, emphasis will be placed on aspects that affect or may be affected by security considerations.

WebSphere Application Server simplified architecture

The following diagram depicts a simplified version of the WebSphere Application Server architecture. It presents the application server in the context of a WebSphere node. The application server is the implementation of a JVM. The JVM is made up of various components and at the same time, the JVM interacts with several external components that make up the WebSphere node. So, the diagram presents two major components of a WebSphere environment. On the one hand, the JVM is represented by the parallelogram (purple) labeled Application Server. On the other hand, a larger parallelogram (teal) labeled node represents the WebSphere node.

Keep in mind that the simplification to the architecture has been done to concentrate on how it relates to application hosting in a secure environment.

Note

The concept of local security domains is new in version 7.0.

WebSphere node component

The node component of this simplified architecture occupies itself with administrative and thus security aspects between the WebSphere environment and the infrastructure. In the previous diagram, three components can be observed. The first component is the node agent, represented by the small parallelogram labeled Node agent. Notice that the node agent in itself is implemented by a specialized JVM, containing the components required to efficiently perform administrative tasks, which will include security related tasks. The node agent will interact with WebSphere environment administrative components external to the node (and not included in the diagram). The chief among those external WebSphere components is the Deployment Manager. One of the responsibilities of the node agent as it pertains to the node and thus, to the application server JVM, is to maintain updated and valid copies of the node configuration repository. Such a repository may include information dealing with security domain information, either inherited from the WebSphere cell global security or customized for the node, represented by the parallelogram (black) labeled Local Security Domain.

WebSphere JVM component

The second major component of this simplified architecture is the implementation of a JVM. It is represented in the diagram by a large parallelogram (purple) labeled Application Server. A WebSphere JVM is made of, among other components, several containers such as the Web and EJB containers. Containers, on top of hosting instantiations of Java classes such as servlets and beans, that is, offering the runtime environment for those classes to execute, deal with security aspects of the execution. For instance, a Web Container may, given the appropriate settings, oversee that hosted resources only execute if the principal making the request has the required proof that entitles that principal to receive the result of said request.

In addition to containers, a WebSphere JVM may also instantiate a service integration bus (SIB) if a hosted application makes use of the JVM messaging engine. In the diagram, the arrow (brown) labeled SIB represents the bus. Finally, the other JVM components included in this simplified architecture are the administrative component and the JVM security mechanism. This mechanism will interact with the containers to ensure that security is propagated to the classes executing in the said containers.

From this discussion, it can be extrapolated that each vendor has certain leniency as to the actual implementation of Sun's JVM. IBM is not an exception to this practice. If you wish to find out more about the particulars of the IBM JVM implementation for WebSphere please refer to the Information Center article "Specifications and API" (http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/rovr_specs.html). In that article you will find out which Java specifications and application programming interfaces are implemented as well as the version each implements. This information is presented in a neat table that helps you compare each specification and API version to earlier editions of the WebSphere Application Server product (that is, 5.1, 6.0 and 6.1).

Using the WebSphere architecture view

The main benefit of analyzing your WebSphere environment using this view is that it will provide you with the vocabulary to better understand the needs of application developers and architects and, equally important, to communicate back to them the special features the WebSphere environment may offer them as well as any possible restrictions imposed by security or other infrastructure characteristics.