WA1523 WebSphere v6 Security Administration and Programming Training and Courseware Course Outline

WA1523 WebSphere v6 Security Administration and Programming Training and Courseware Course Outline

1. Common Security Threats
	Overview Input Data Validation Data Ownership Validation SQL Injection Problem SQL Injection Solution Malicious File Execution Problem Malicious File Execution Solution Web Authentication Mechanism Insecure Authentication Mechanism Failure to Restrict URL Access Problem Failure to Restrict URL Access Solution Cross Site Scripting (XSS) Problem Cross Site Scripting (XSS) Solution Cross Site Scripting (XSS) Solution Cross Site Request Forgery (CSRF) Problem Cross Site Request Forgery (CSRF) Solution Information Leakage and Improper Error Handling Problem Information Leakage and Improper Error Handling Solution Buffer Overflow Buffer Overflow Example More Buffer Overflows Buffer Overflow Solution Insecure Communications Insecure Cryptographic Storage Problem Insecure Cryptographic Storage Solution Insecure Direct Object Reference Message Replay Attack Problem Message Replay Attack Solution Summary References

2. WebSphere Security
	Objectives Security Overview Architecture Components Security Components Digital Certificates SSL (Secure Sockets Layer) SSL in WebSphere Java Security JAAS CSIv2 J2EE Security Authentication and Authorization User Registry Authentication Mechanism Global Security Configuration LTPA Single Signon (SSO) Configuring LTPA Admin Console Roles Stopping Secure Servers WebSphere Security Questions WebSphere Security Answers Reference

3. Configuring WebSphere Security
	Overview WebSphere Security Security Tasks User Registries WebSphere User Registries LDAP LDAP Security Basics LDAP Data Structure Example Distinguished Name (DN) DN and RDN Example Loading Users in Tivoli Directory Server 6.0 Creating Users and Groups in Domino Server Local OS Custom Registry Precaution Selecting A Registry Configure the LDAP User Registry Configuring Domino Server Configuring Domino Server with WAS Configure Local OS Registry Enable Global Security Console Users Console Roles Console Role Mapping Make It So! Stopping Secure Servers Summary WebSphere Security Questions WebSphere Security Answers Resources

4. Securing The Installation
	Overview The Operating System Pre-Installation Tasks Windows Security Policy Unix - Umask Value Linux / Solaris Shadow File Post-Installation Tasks Securing Windows Files Securing UNIX Files UNIX File System Running Application Server as non-root User UNIX Platform Running Application Server as non-root User UNIX Platform Running Application Server as non-root User UNIX Platform Overview Review Questions Answers References

5. Web Application Security
	Overview Servlet Security Setting up Servlet Security Defining Roles Create a Security Constraint Configuring Declarative Security Using RAD Defining Roles Using RAD Defining Security Constraint Using RAD Configuring Declarative Security Using RAD Defining Roles at Application Level Defining Roles At Application Level Using RAD J2EE Role Management Sample Role Mapping Mapping Roles to Users and Groups in WebSphere Authentication Mechanism Configuring Authentication Mechanism Using RAD HTTP Basic Authentication HTTP Digest Authentication Form-based Authentication HTTPS Client Authentication Lab Time User Context of a Servlet Execution Accessing User Credentials Accessing User Credentials User Context Used by RequestDispatcher User Context Used When Invoking an EJB Specifying User Context Specifying User Context Specifying User Context Specifying User Context Configuring Run As Identity Using RAD Mapping Run As Roles to Users Using WebSphere The init method Programmatic Role-based Security Creating Role Sensitive Views Security Role References Configuring Security Role Reference Using RAD Lab Time Problems with Basic Authentication Set Up Form-based Authentication Create an HTML Form Configure a login-config Element Configuring a login-config Element using RAD Handling Login Failure Protecting Session with WebSphere Security Implementing a Logout Feature User Data Constraint Configuring a User Data Constraint in RAD Summary Lab Time References

6. EJB Security
	Overview EJB Security Setting up EJB Security Sample Role Mapping Defining Roles Setting Method Permission Configuring Declarative Security Using RAD Defining Roles Using RAD Configuring Method Permissions Using RAD Disable Security Check Disabling Security Check Using RAD Disabling Security Check Using RAD Excludes List Configuring Excludes List Using RAD Configuring Unprotected Methods Using WebSphere Lab Time Programmatic Role-based Security Security Role References Configuring Security Role Reference Using RAD Lab Time User Context of a Method Execution Accessing User Credentials Accessing User Credentials Specifying User Context Specifying User Context Use Caller Identity Scenario Run As Scenario Configuring Use Caller Identity Using RAD Configuring Use Caller Identity Using RAD Configuring Run As Identity Using RAD Mapping Run As Roles to Users Using WebSphere WebSphere EJB Delegation Policies Configuring Use Identity of Caller Using RAD Configuring Use System Identity Using RAD Overriding System Identity Using WebSphere Configuring Run As Specified Identity Using RAD Summary Lab Time References

7. SSL Configuration
	Overview The Need for Encryption Public Key Infrastructure (PKI) Certificates SSL Basics WebSphere and SSL WebSphere SSL Configuration SSL Configuration Repertoire SSL Repertoires Creating an SSL Repertoire Dummy Certificates Key Files Trust File Default Key Stores Obtaining a Certificate Key Management Tools Using keytool Generate a Self-Signed Certificate Getting a CA Signed Certificate Specify the Key Store Different SSL Interactions Web Client to Web Server Enable SSL For IBM HTTP Server Web Server to WebSphere Java Client to WebSphere Summary Review Questions Answers References

8. Web Services Security
	Overview The Challenges Overview of Web Services Security WebSphere and Web Services Security SOAP Message Security Message Integrity Message Confidentiality Symmetric Encryption Example Authentication Transport Level Security Configuring Security in WebSphere Configuring a Server Module Configuring a Client Module Summary Review Questions Answers References

9. Security
	Java Security Attacks and Dangers Overview of JDK Security Features Overview of JDK Security Features cont Basic Concepts of Computer Security Encryption Cryptography Algorithm Message Digest Symmetric Ciphers Asymmetric Ciphers Digital Signature Authentication Certificate Manipulation Java Cryptography Architecture (JCA) Java Cryptography Extension Using the MessageDigest Class Example of Using the MessageDigest Class Example of Using MessageDigest Class cont Example of Using MessageDigest Class cont Using the Signature Class Java Security Architecture JDK 1.0 Security Model Sandbox JDK 1.1 Security Model Trusted Signed Code JDK 1.2 Security Model Security Policy JDK 1.4 Security Enhancement Protection Domains and Security Policies ProtectionDomain Class Permission Classes Using Permission Classes Policy Class Policy Configuration File AccessController Class SecurityManager Class Using the SecurityManager Class Dynamic Class Loader Loader Classes Example of Security Check in a Class Loader Java Security Tools Using Java Security Tools Code Signing Using Java Security Tools Code Signing Java Security Enabling Java Security WebSphere Policy WebSphere Policy Files Other WebSphere Policy Files Application Security was.policy Using was.policy was.policy Example Deployment Summary Review Questions Answers References

WA1523 WebSphere v6 Security Administration and Programming Training and Courseware Course Outline

1. Common Security Threats

2. WebSphere Security

3. Configuring WebSphere Security

4. Securing The Installation

5. Web Application Security

6. EJB Security

7. SSL Configuration

8. Web Services Security

9. Security