Determine when and how we will enable WebSphere Application Security.

Create a strategy for admin security.

Plan for auditing.

Determine if multiple security domains will be used.

Determine the type of user registry we will use and procure the appropriate products and licenses. If we do not want to use a federated repository, delay turning on admin security until after installation. Populate the user registry with the appropriate user IDs and groups for initial security.

Determine the authentication mechanism (LTPA is strongly suggested).

Determine the authorization method (default or JACC). If using JACC, plan for the implementation of the JACC provider.

Plan where we will implement SSL in the network.

Plan for certificate management.

Plan for single sign-on.

Create a strategy for securing apps using Java EE security. Choose either declarative or programmatic security. If declarative, decide whether annotations will be used or whether constraints will be kept in the deployment descriptor. Application security requires close cooperation between app developers, security specialists, and administrators. Plan for coordinating role definitions with development and for assigning users to roles during app installation. Identify individual app components that have special security requirements.
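
To make the declarative-versus-programmatic choice concrete, the following servlet is an added example (not code from the original checklist or from WebSphere itself) showing both styles side by side. The servlet path, package and the role names "auditor" and "admin" are assumed for illustration; in WebSphere the role-to-user mapping for these roles is supplied when the application is installed, which is the coordination step the item above calls for.

```java
package example.security; // assumed package name, not from the page

import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Declarative security expressed as annotations: the container enforces that
// only callers in the "auditor" role may GET /reports and only "admin" may POST.
// The same constraints could instead be written as a <security-constraint>
// element in web.xml; that is the "annotations or not" decision in the plan.
// Role names are assumed for this example.
@WebServlet("/reports")
@DeclareRoles({"auditor", "admin"})
@ServletSecurity(
    value = @HttpConstraint(rolesAllowed = {"auditor"}),
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "POST", rolesAllowed = {"admin"})
    })
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Programmatic security: a finer-grained check made inside the code path.
        // The container has already guaranteed the caller holds "auditor";
        // here the "full" variant of the report is additionally limited to "admin".
        boolean wantsFull = "full".equals(req.getParameter("scope"));
        if (wantsFull && !req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("report for " + req.getUserPrincipal().getName()
            + (wantsFull ? " (full)" : " (summary)"));
    }
}
```

The declarative part is visible to administrators and auditable without reading code, which is why the plan favors it for the coarse constraints; the programmatic `isUserInRole` check is the escape hatch for decisions that depend on request data, and those are the "components that have special security requirements" worth calling out during planning.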

Review and incorporate security strategies for Web services.

Review and incorporate security strategies for the service integration bus.