It's all about the answers!

Ask a question

CLM password security features - WAS


Norman Dignard (35045798) | asked Oct 16 '15, 12:08 p.m.

We have a mandate to establish user account securtity features (aging, length, re-use) for JAZZ access. We are currently using tomcat user registry but that , as I understand it does not support this capability. 

Does WAS support this or is it similar to tomcat, relying on some LDAP integration?

 In our org we need to support users on 2 separate AD domains in which not all users are in both as well as external users to our company.

I noted comments from Frank Ning on https://jazz.net/forum/questions/102992/clm-best-way-to-handle-the-password-change-for-database-user  but it is not clear to me on how his setup works.  I don't know anything about IBM's WAS suite, were this "federated repo" sits . Frank's comment #3  appears to indicate that LDAP and WAS don't talk.

Accepted answer


permanent link
Donald Nong (14.3k213) | answered Oct 18 '15, 10:26 p.m.
To enforce the security rules, you need to have an LDAP client (dedicated or web-based) that can read these rules from the server and prompt the users with errors if any rules are violated. I am not aware of WAS having such a feature. In this case, WAS is no better than Tomcat.

To clarify Frank's comment in the other post, it's about how not to be locked out of the WAS admin console, not about how to enforce security rules. When configuring federated repository, you can combine the built-in file-based repository (similar to Tomcat's offering) with one or more external LDAP services. Since the password in the file-based repository will never expire, you don't have to worry about being locked out of the WAS admin console if you pick a user from the file-based repository as the primary WAS administrator. Of course this is a loophole in a security viewpoint. For more information about setting up federated repository in WAS, see the below article.
https://jazz.net/library/article/604
Norman Dignard selected this answer as the correct answer

One other answer



permanent link
Ralph Schoon (55.5k23642) | answered Oct 16 '15, 12:57 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
edited Oct 16 '15, 12:59 p.m.
You have to set up a LDAP system that provides that kind of functionality. WAS (or tomcat) delegate the authentication to LDAP and you set up LDAP parameters in the regular setup procedure.

Your answer


Register or to post your answer.