How to define a security role in WebSphere 6.1 for manual deployment of logging.jsp / ping.jsp

Document ID : KB000049583
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

For CA Identity Manager release R12.5 SP6 onwards (as well as r12 CR13 onwards), logging.jsp and ping.jsp are no longer deployed by default. As specified in the readme.txt file located under <IMTOOLS>/samples/admin, it is now required to manually deploy the jsp files and then configure a security role within WebSphere in order to protect these pages.

This How-to document is to be used as a supplement to the original readme.txt file. Steps 1-3 are copied from original readme.txt file for convenience purposes only. This document only adds information when we get to step 4.

Solution:

Before following the below steps make sure the WebSphere Application Server is stopped.

  1. Copy the content of the sample under IAM application EAR location.

  2. Add the following section after last taglib tag in the file

    user_console.war\WEB-INF\web.xml under the IAM application EAR location.

    This change will secure the admin toolkit. Repeat the environment specific section for each environment defined:
    <security-constraint><web-resource-collection><web-resource-name>IAMSecureAdminTooles</web-resource-name><description>Security constraint for IAM Admin Tools</description><url-pattern>/ping.jsp</url-pattern><url-pattern>/logging.jsp</url-pattern><url-pattern>/app/adapterBLTHTest.jsp</url-pattern><url-pattern>/app/objectTest.jsp</url-pattern><url-pattern>/app/ping.jsp</url-pattern><url-pattern>/app/pluginTest.jsp</url-pattern><url-pattern>/ui/ping.jsp</url-pattern><!-- For each environment - start --><url-pattern>/<environment_alias>/adapterBLTHTest.jsp</url-pattern><url-pattern>/<environment_alias>/objectTest.jsp</url-pattern><url-pattern>/<environment_alias>/ping.jsp</url-pattern><url-pattern>/<environment_alias>/pluginTest.jsp</url-pattern><!-- For each environment - end --><http-method>POST</http-method><http-method>GET</http-method></web-resource-collection><auth-constraint><description>only let the admin users use secured admin tools</description><role-name>IAMAdmin</role-name></auth-constraint><user-data-constraint><description>SSL not required</description><transport-guarantee>NONE</transport-guarantee></user-data-constraint></security-constraint><login-config><auth-method>BASIC</auth-method><realm-name>IAM Realm</realm-name></login-config><security-role><description>The IAM Secure Admin Role</description><role-name>IAMAdmin</role-name></security-role>

    You might want to edit web.xml located under C:\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\<your_cell>\applications\iam_im.ear\deployments\iam_im\user_console.war\WEB-INF with the same change, or make sure you clear WebSphere cache if only updating user_console.war\WEB-INF\web.xml under the IAM application EAR location

  3. For WebSphere, follow these additional steps. This is based on information on page 497 (actual page 519) of http://www.redbooks.ibm.com/redbooks/pdfs/sg246316.pdf:

    1. Open application.xml which is under IAM Application EAR location/META-INF.

    2. At the end of the XML document, before </application> element, enter the following:
      <security-role id="SecurityRole_IAMAdmin"><role-name>IAMAdmin</role-name></security-role>


    3. Also at the same folder, open ibm-application-bnd.xmi.

    4. Replace the existing content with
      <?xml version="1.0" encoding="UTF-8"?><applicationbnd:ApplicationBinding xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:applicationbnd="applicationbnd.xmi"><authorizationTable><authorizations><specialSubjects xmi:type="applicationbnd:AllAuthenticatedUsers" name="AllAuthenticatedUsers"/><role href="META-INF/application.xml#SecurityRole_IAMAdmin"/></authorizations></authorizationTable><application href="META-INF/application.xml#Application_ID"/></applicationbnd:ApplicationBinding>


    5. After the changes done as in d), re-deploy application with above suggested changes, if administrative and application security is enabled, the role can be mapped through the link "Enterprise Applications-><application-name>->Configuration->Security role to user/group mapping in the Websphere administration console.

  4. Create security role IAMAdmin and assign at least one admin user to it using application server specific documentation. Below is an example for steps for creating the required security role and assigning admin users to it:

    http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/tsec_tasroles.html

    • Create two new text files, named users.props and groups.props, and place them in the following directory:
      C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\access (Please note you may need to create folders that do not exist)

    • From a text editor, add the following lines to users.props:

      wsadmin:password:1:100:wsadmin
      IDM:password:2::IDM

      Format is
      name:passwd:uid:gids:display name

    • Please note the IDM user above is needed for the Workflow. This username and password MUST match the username and password in the Workflow ra.xml file.

    • From a text editor, add the following line to groups.props:

      admins:100:wsadmin:Administrative group
      Format is
      name:gid:users:display name

    • Log into the Websphere Administrative Console

    • Go to Security-->Secure administration, applications, and infrastructure

    • Check the following settings:

      • Enable administrative security

      • Enable application security

      • Remove the check marks in the Java 2 Security section

    • Under Available realm definition select "Standalone custom registry". Then, click on configure.

    • Enter wsadmin for the Primary administrative username.

    • Select "Automatically generated server identity"

    • Click on Custom properties

    • Click New and enter the following:

      • Name: usersFile

      • Value: C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\access\users.props

    • Click OK

    • Click New and enter the following:

    • Name: groupsFile

    • Value: C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\access\groups.props

    • Click OK.

    • Save your changes

    • Navigate back to the screen "Secure administration, applications, and infrastructure"

    • Ensure that "Enable administrative security" and "Enable application security" are selected.

    • Under "Available Real Definitions" select "Standalone custom registry"

    • Click on "Set as Current".

    • Apply and save your settings.

    • Save your changes and restart the Websphere services.

    • Log back into the Websphere Administrative Console

    • Click on Applications, Enterprise Applications.

    • Select the iam_im application.

    • Under Detail Properties click on "Security role to users/group mapping".

    • Select "IAMAdmin" and click "Look up users".

    • Click Search.

    • Select the "wsadmin" and use the right arrow button to move it to the right.

    • Click OK, twice.

    • Save your changes.

    • Restart the iam_im application.

    • Log in to http://servername:9080/iam/im/logging.jsp

    • You should be prompted for authentication. Enter the username/password that you defined above.

    • You should now see the protected logging.jsp page.

Make sure to verify that Workflow still functions properly after making these changes.