Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

CLM password security features - WAS

Questions
Tags
Users
Badges
Norman Dignard
(356796177) Oct 16 '15, 12:08 p.m.

We have a mandate to establish user account securtity features (aging, length, re-use) for JAZZ access. We are currently using tomcat user registry but that , as I understand it does not support this capability. 

Does WAS support this or is it similar to tomcat, relying on some LDAP integration?

 In our org we need to support users on 2 separate AD domains in which not all users are in both as well as external users to our company.

I noted comments from Frank Ning on https://jazz.net/forum/questions/102992/clm-best-way-to-handle-the-password-change-for-database-user  but it is not clear to me on how his setup works.  I don't know anything about IBM's WAS suite, were this "federated repo" sits . Frank's comment #3  appears to indicate that LDAP and WAS don't talk.

0 votes

2 answers
4,705 views
0 votes

Accepted answer

Permanent link
Donald Nong
(14.5k614) Oct 18 '15, 10:26 p.m.
To enforce the security rules, you need to have an LDAP client (dedicated or web-based) that can read these rules from the server and prompt the users with errors if any rules are violated. I am not aware of WAS having such a feature. In this case, WAS is no better than Tomcat.

To clarify Frank's comment in the other post, it's about how not to be locked out of the WAS admin console, not about how to enforce security rules. When configuring federated repository, you can combine the built-in file-based repository (similar to Tomcat's offering) with one or more external LDAP services. Since the password in the file-based repository will never expire, you don't have to worry about being locked out of the WAS admin console if you pick a user from the file-based repository as the primary WAS administrator. Of course this is a loophole in a security viewpoint. For more information about setting up federated repository in WAS, see the below article.
https://jazz.net/library/article/604
Norman Dignard selected this answer as the correct answer

0 votes

One other answer

Permanent link
Ralph Schoon
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER (63.9k33648) edited
Oct 16 '15, 12:59 p.m.
You have to set up a LDAP system that provides that kind of functionality. WAS (or tomcat) delegate the authentication to LDAP and you set up LDAP parameters in the regular setup procedure.

0 votes

Your answer

Register or log in to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.

Ask a question
Guidelines
FAQ
Search context
Follow this question

By Email: 

Once you sign in you will be able to subscribe for any updates here.

By RSS:

Answers
Answers and Comments
Question details
× 12,019
× 7,495

Question asked: Oct 16 '15, 12:08 p.m.

Question was seen: 4,705 times

Last updated: Oct 18 '15, 10:26 p.m.

Confirmation Cancel Confirm