Security for WebSphere applications

This is the definitive course for all those who will be dealing with the security aspects that are critical for web applications running in a WebSphere Application Server V7 (WAS) environment.

On successful completion of this course, attendees will be able to:

  • describe the set-up of global security, administrative security, application security and Java 2 security
  • configure administrative security for particular users to gain different access to the admin console
  • set up security domains for admin security and application security
  • set up the security cache and security auditing features
  • create a secure web application using security constraints and security roles and mapping to specific groups and users
  • configure the VMM
  • explain the Public Key Infrastructure
  • describe digital certificates and digital signatures using both Certificate Authorities and Self Signed Certificates
  • configure SSL for JDBC connections and within the cell
  • understand and set up cross-cell authentication
  • explain the new application policy sets that can be installed to define the integrity and confidentiality of messages and transactions for Web Services
  • understand the use of CSIv2 when securing client to server applications
  • use logs and traces to recognise problems
  • use performance tools, recognise performance problems and tune accordingly.

Schedule

Public training calendar

No public sessions are currently scheduled. We will be pleased to set up an on-site course or to schedule an extra public session (in case of a sufficient number of candidates). Interested? Please let us know.

Intended for

Webmasters, application administrators and system administrators who are going to install, configure and secure web-oriented applications on a WebSphere Application Server runtime.

This course is also suitable for developers who want to test thoroughly for a WebSphere Application Server roll-out. System architects and developer/deployers will get to know the runtime context for the enterprise applications that they build.

Background

Attendees should have experience in WebSphere Application Server (see WebSphere Application Server V8.5 - installation & administration) and now want to engage in all aspects of security within WAS.

Main topics

  • Security in the WebSphere J2EE Environment

Objectives & topics; WAS security implementation; Administrative security; Secure System Administration; Federated repositories feature; Simplified certificate and key management; Tips for configuring default security; Secure processes; Extensible, layered security infra-architecture; J2EE security features compared; Java2 security; JAAS (Java Authentication and Authorization Service); J2EE security roles; J2EE security the full picture explained; SSL - Secure Sockets Layer; Authentication; External WAS security components; JACC - Java Authorization Contract for Containers; J2EE Application Security (focus on); Security roles; Taken from EJB specification; EJB specification translated; J2EE container based security; Configuring application security; handling security role mappings from Admin console; Securing J2EE components in practice; Web components; Web module; Securing EJBs; Security Cache, Multiple Security Domains; Different application security realms.

  • Virtual Member Manager

Objectives & topics; How does it work; different types of VMM; configuring the VMM using default adapters; configuring VMM with Property Extension Repository (PER) and Entry Mapping Repository (EMR); configuring database repository in VMM.

  • SSL and Encryption

Objectives and Topics; Cryptography in Internet applications; Public key cryptography overview; What is a digital certificate?; Public key & certificate; Uses for certificates in applications; CA and self signed certificates; Auto replacement of certificates; autosecurity and privacy; firewalls and encryption; Secure Sockets Layer; Secure communications using SSL; SSL administration.

  • CSIv2

Objectives and Topics; Overview of CSIv2; the protocol; three layers of authentication; identity assertion and mapping; security attribute propagation; configuration on the client and the server.

  • Troubleshooting Made Easy?

Objectives & topics; Resources for problem determination; Console messages; Log Files; WAS logs overview; Basic format for log/trace entry; If logs are not enough; To trace or not to trace; Trace strings; Web Server - Web container: mind the gap!; HTTP Server logs; Dump Name Space; Thread analyzer; Collector tool; First Failure Data Capture logs; HTTP session monitoring; Product installation information; Log and Trace analyzer for Autonomic Computing.

  • Security Performance

Objectives & topics; Performance enhancing technologies; Performance data; Transaction oriented; Built-in performance booster; Performance data and tools; PMI overview; PMI data; Performance data hierarchy; PMI data organization; Tivoli Performance Viewer; Performance Advisors; Performance (PMI) Servlet; JVMPI facility; PMI request metrics; Request Metrics functionality; What's the point?; Current architecture; Configuring Request Metrics; Limit the monitoring; Request Metrics output; Application Response Measurement (ARM); Dynamic Cache (optional section); Dynamic Cache functionality; What can be cached?; How it works; Dynamic Cache setup; Dynamic Cache monitoring; Security Cache and Auditing.

Training method

The course combines formal classroom teaching with numerous practical, hands-on sessions.

Duration

3 days.

Course leader

RSM Technology.

