Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

CLM password security features - WAS

We have a mandate to establish user account security features (aging, length, re-use) for JAZZ access. We are currently using the Tomcat user registry, but that, as I understand it, does not support this capability.

Does WAS support this or is it similar to tomcat, relying on some LDAP integration?

In our org we need to support users on 2 separate AD domains, in which not all users are in both, as well as external users to our company.

I noted comments from Frank Ning on https://jazz.net/forum/questions/102992/clm-best-way-to-handle-the-password-change-for-database-user but it is not clear to me how his setup works. I don't know anything about IBM's WAS suite, where this "federated repo" sits. Frank's comment #3 appears to indicate that LDAP and WAS don't talk.

0 votes


Accepted answer

To enforce the security rules, you need to have an LDAP client (dedicated or web-based) that can read these rules from the server and prompt the users with errors if any rules are violated. I am not aware of WAS having such a feature. In this case, WAS is no better than Tomcat.

To clarify Frank's comment in the other post, it's about how not to be locked out of the WAS admin console, not about how to enforce security rules. When configuring a federated repository, you can combine the built-in file-based repository (similar to Tomcat's offering) with one or more external LDAP services. Since the password in the file-based repository will never expire, you don't have to worry about being locked out of the WAS admin console if you pick a user from the file-based repository as the primary WAS administrator. Of course, this is a loophole from a security viewpoint. For more information about setting up a federated repository in WAS, see the article below.
https://jazz.net/library/article/604
Norman Dignard selected this answer as the correct answer

0 votes


One other answer

You have to set up an LDAP system that provides that kind of functionality. WAS (or Tomcat) delegates the authentication to LDAP, and you set up the LDAP parameters in the regular setup procedure.

0 votes

Question details

Question asked: Oct 16 '15, 12:08 p.m.

Question was seen: 4,792 times

Last updated: Oct 18 '15, 10:26 p.m.