How to configure logging.jsp in JBoss EAP 6.x / Wildfly 8.2.x

Document ID : KB000043306
Last Modified Date : 14/02/2018

Summary:

We need to deploy logging.jsp in a secure manner on our IM server to allow dynamic, on-the-fly modification of the logging level, for troubleshooting and for sharing logs with CA Support.

This techdoc can be used without needing to refer back to the original Readme.txt under \CA\Identity Manager\IAM Suite\Identity Manager\tools\samples\Admin.

Instructions: 

 

1. Copy the content of the sample from ..\CA\Identity Manager\IAM Suite\Identity Manager\tools\samples\Admin and place it under the IAM application EAR location \<JBOSS_HOME>\standalone\deployments\iam_im.ear.

 

2. Add the following section after the last taglib tag in the file iam_im.ear\user_console.war\WEB-INF\web.xml. This change secures the admin toolkit.
Repeat the environment-specific section for each environment defined:

    <security-constraint>
        <web-resource-collection>
          <web-resource-name>IAMSecureAdminTooles</web-resource-name>
          <description>Security constraint for IAM Admin Tools</description>
          <url-pattern>/ping.jsp</url-pattern>
          <url-pattern>/logging.jsp</url-pattern>
          <url-pattern>/app/adapterBLTHTest.jsp</url-pattern>
          <url-pattern>/app/objectTest.jsp</url-pattern>
          <url-pattern>/app/ping.jsp</url-pattern>
          <url-pattern>/app/pluginTest.jsp</url-pattern>
          <url-pattern>/ui/ping.jsp</url-pattern>
        <!-- For each environment - start -->
          <url-pattern>/<environment_alias>/adapterBLTHTest.jsp</url-pattern>
          <url-pattern>/<environment_alias>/objectTest.jsp</url-pattern>
          <url-pattern>/<environment_alias>/ping.jsp</url-pattern>
          <url-pattern>/<environment_alias>/pluginTest.jsp</url-pattern>
        <!-- For each environment - end -->
          <http-method>POST</http-method>
          <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>only let the admin users use secured admin tools</description>
            <role-name>IAMAdmin</role-name>
        </auth-constraint>
        <user-data-constraint>
          <description>SSL not required</description>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>IAM Realm</realm-name>
    </login-config>
    <security-role>
      <description>The IAM Secure Admin Role</description>
      <role-name>IAMAdmin</role-name>
    </security-role>

3. Unlike older versions of JBoss, there is no longer any need to recompile the JSP file; this is done automatically, by default, upon restart of the Application Server.
   a) Delete <JBOSS_HOME>\standalone\tmp\work\jboss.web\default-host\iam_im
   b) Restart JBoss

4. Create a JBoss Application User by running add-user.bat / add-user.sh as in the example below. (JBoss requires no restart or downtime.)
Note: When implementing logging.jsp in a SecureCloud system where Editable ID has been configured, ensure the JBoss user is identical to the LoginIDWSUser user defined via the csp console / sps tenant.properties (https://docops.ca.com/ca-secure-cloud-for-service-providers/1-56/EN/identity-management/editable-id-feature). Both the username and the password have to be identical.


    C:\wildfly-8.2.1.Final\bin>add-user.bat

    What type of user do you wish to add?
     a) Management User (mgmt-users.properties)
     b) Application User (application-users.properties)
    (a): b

    Enter the details of the new user to add.
    Using realm 'ApplicationRealm' as discovered from the existing property files.
    Username : imuser
    Password recommendations are listed below. To modify these restrictions edit the add-user.properties configuration file.
     - The password should not be one of the following restricted values {root, admin, administrator}
     - The password should contain at least 8 characters, 1 alphabetic character(s), 1 digit(s), 1 non-alphanumeric symbol(s)
     - The password should be different from the username
    Password :
    Re-enter Password :
    What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]: IAMAdmin
    About to add user 'imuser' for realm 'ApplicationRealm'
    Is this correct yes/no? yes
    Added user 'imuser' to file 'C:\wildfly-8.2.1.Final\standalone\configuration\application-users.properties'
    Added user 'imuser' to file 'C:\wildfly-8.2.1.Final\domain\configuration\application-users.properties'
    Added user 'imuser' with groups IAMAdmin to file 'C:\wildfly-8.2.1.Final\standalone\configuration\application-roles.properties'
    Added user 'imuser' with groups IAMAdmin to file 'C:\wildfly-8.2.1.Final\domain\configuration\application-roles.properties'
    Is this new user going to be used for one AS process to connect to another AS process?
    e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
    yes/no? no
    Press any key to continue . . .

Note: The role name "IAMAdmin" on the right of the roles.properties file matches the <role-name> tag in the web.xml in step 2.

5. Browse to logging.jsp at http://<FQDN>:<8080>/iam/im/logging.jsp. Use the credentials from step 4 to securely log in to the page.
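
A way to review the result of steps 2 and 4 before exposing the page, as an added example that is not part of the original document or of the product: it parses web.xml and application-roles.properties and reports admin JSPs that no constraint covers, constraints limited to listed HTTP methods, BASIC authentication without a CONFIDENTIAL transport guarantee, and roles that no user holds. The function name `audit`, the alias `env1` and both sample inputs are constructed for illustration, and URL patterns are compared by exact match only, as in step 2.

```python
import xml.etree.ElementTree as ET
# Constructed sample: trimmed step 2 constraint; "env1" is a made-up alias
# standing in for the <environment_alias> placeholder.
SAMPLE_WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/logging.jsp</url-pattern>
   <url-pattern>/env1/ping.jsp</url-pattern>
   <http-method>POST</http-method>
   <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>IAMAdmin</role-name></auth-constraint>
  <user-data-constraint>
   <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
 </security-constraint>
 <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
SAMPLE_ROLES = "imuser=IAMAdmin\n"  # constructed application-roles.properties

def audit(web_xml, roles_properties, required_urls):
    """Return a list of findings for the admin-tool security constraints."""
    root = ET.fromstring(web_xml)
    for el in root.iter():                      # drop XML namespaces, if any
        el.tag = el.tag.rsplit("}", 1)[-1]
    basic = any((m.text or "").strip().upper() == "BASIC"
                for m in root.iter("auth-method"))
    findings, covered, roles = [], set(), set()
    for sc in root.iter("security-constraint"):
        covered |= {u.text.strip() for u in sc.iter("url-pattern")}
        roles |= {r.text.strip() for r in sc.findall("auth-constraint/role-name")}
        methods = sorted(m.text.strip() for m in sc.iter("http-method"))
        if methods:  # listing methods leaves every unlisted method unconstrained
            findings.append("only %s constrained" % "/".join(methods))
        tg = sc.findtext("user-data-constraint/transport-guarantee", "NONE")
        if basic and tg.strip() != "CONFIDENTIAL":
            findings.append("BASIC credentials sent without TLS guarantee")
    for url in sorted(set(required_urls) - covered):  # exact-match patterns only
        findings.append("no constraint covers " + url)
    granted = set()
    for line in roles_properties.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            granted |= {g.strip() for g in line.split("=", 1)[1].split(",")}
    for role in sorted(roles - granted):
        findings.append("no user holds role " + role)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_WEB_XML, SAMPLE_ROLES, ["/logging.jsp", "/ping.jsp"])))
```

Under the Servlet specification a constraint that lists `<http-method>` elements applies only to those methods, and a `<transport-guarantee>` of CONFIDENTIAL makes the container require TLS for the protected URLs.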

 

Additional Information:

 

- For more information on how to create a security role and assign an admin user to it, see the application-server-specific documentation:
   JBoss: http://community.jboss.org/wiki/SecureAWebApplicationInJBoss
- Tec554335 explains how to apply this configuration on the older JBoss 5.1 version.