Security for WebSphere Applications

This is the definitive course for all those who will be dealing with the security aspects that are critical for web applications running in a WebSphere Application Server environment.
The course introduces and explains global security, administrative security, application security and Java 2 security, using the features of security domains and cell-wide security that have been available since V7. This includes defining security constraints and security roles for web applications. Different repositories can be used, including federated, local and custom repositories, which are all explained and configured in detail. together with the VMM (Virtual Member Manager), which allows security to function with or without all of its repositories available.

Following on from this, SSL, Encryption , Digital Signatures and certificates are explained in great detail plus SSL Cell configuration, including trust stores, keystores, plugin keystores, expiration of certificates and replacement. In addition, SSL between WebSphere and Db2 and single sign on is explained.

Secruity must be hardened by addressing different areas, such as web server, configuration files, SSL, etc. However, problems will occur and, by looking at logs and traces, these problems can be resolved quickly.
Performance tools are also explained, so that secure applications can be fine-tuned to run more smoothly.

The course combines formal classroom teaching with numerous practical, hands-on sessions.

Virtual Classroom Environment dates - click to book!


USA/Canada Start Times

12 August 2024 25 November 2024 24 March 2025 14 July 2025

What is a 'Virtual Classroom Environment'?


What do I need?

  • webcam
  • headphones with microphone
  • sufficient bandwidth, at least 1.5 Mb/s in each direction.

What you will learn

On successful completion of this course you will be able to:

  • describe the set-up of global security, administrative security, application security and Java 2 security
  • configure administrative security for particular users to gain different access to the admin console
  • set up security domains for admin security and application security
  • set up the security cache and security auditing features
  • create a secure web application using security constraints and security roles and mapping to specific groups and users
  • configure the VMM
  • explain the Public Key Infrastructure
  • describe digital certificates and digital signatures using both Certificate Authorities and Self Signed Certificates
  • configure SSL for JDBC connections and within the cell
  • understand and setup cross cell authentication
  • explain the new application policy sets that can be installed to define the integrity and confidentiality of messages and transactions for Web Services
  • understand the use of CSIv2 when securing client to server applications
  • use logs and traces to recognise problems
  • use performance tools, recognise performance problems and tune accordingly.

Who Should Attend

Webmasters, application administrators and system administrators who are going to install, configure and secure web-oriented applications on a WebSphere Application Server runtime.
This course is also suitable for developers who want to test thoroughly for a WebSphere Application Server roll-out. System architects and developer/deployers will get to know the runtime context for the enterprise applications that they build.


Attendees should have experience in WebSphere Application Server (WAS) and now want to engage in all aspects of security within WAS.


3 days

Fee (per attendee)

£2100 (ex VAT)


This includes free online 24/7 access to course notes.


Hard copy course notes are available on request from

at £50.00 plus carriage per set.

Course Code



Security in the WebSphere J2EE Environment

Objectives & topics; WAS security implementation; Administrative security; Secure System Administration; Federated repositories feature; Simplified certificate and key management; Tips for configuring default security; Secure processes; Extensible, layered security infra-architecture; J2EE security features compared; Java2 security; JAAS (Java Authentication and Authorization Service; J2EE security roles; J2EE security the full picture explained; SSL - Secure Sockets Layer; Authentication; External WAS security components; JACC - Java Authorization Contract for Containers; J2EE Application Security (focus on); Security roles; Taken from EJB specification; EJB specification translated; J2EE container based security; Configuring application security; handling security role mappings from Admin console; Securing J2EE components in practice; Web components; Web module; Securing EJBs; Security Cache, Multiple Security Domains; Different application security realms.

Virtual Member Manager

Objectives & topics; How does it work; different types of VMM; configuring the VMM using default adapters; configuring VMM with Property Extension Repository (PER) and Entry Mapping Repository (EMR); configuring database repository in VMM.

SSL and Encryption

Objectives and Topics; Cryptography in Internet applications; Public key cryptography overview; What is a digital certificate?; Public key & certificate; Uses for certificates in applications; CA and self signed certificates; Auto replacement of certificates; autosecurity and privacy; firewalls and encryption; Secure Sockets Layer; Secure communications using SSL; SSL administration.


Objectives and Topics; Overview of CSIv2; the protocol; three layers of authentication; identity assertion and mapping; security attribute propagation; configuration on the client and the server,

Troubleshooting Made Easy?

Objectives & topics; Resources for problem determination; Console messages; Log Files; WAS logs overview; Basic format for log/trace entry; If logs are not enough; To trace or not to trace; Trace strings; Web Server - Web container: mind the gap!; HTTP Server logs; Dump Name Space; Thread analyzer; Collector tool; First Failure Data Capture logs; HTTP session monitoring; Product installation information; Log and Trace analyzer for Autonomic Computing.

Security Performance

Objectives & topics; Performance enhancing technologies; Performance data; Transaction oriented; Built-in performance booster; Performance data and tools; PMI overview; PMI data; Performance data hierarchy; PMI data organization; Tivoli Performance Viewer; Performance Advisors; Performance (PMI) Servlet; JVMPI facility; PMI request metrics; Request Metrics functionality; What's the point?; Current architecture; Configuring Request Metrics; Limit the monitoring; Request Metrics output; Application Response Measurement (ARM); Dynamic Cache (optional section); Dynamic Cache functionality; What can be cached?; How it works; Dynamic Cache setup; Dynamic Cache monitoring; Security Cache and Auditing.

© RSM Technology 2022