For CA Identity Manager r12.5 SP6 onwards, logging.jsp and ping.jsp are no longer deployed by default. As specified in the readme.txt file located under <IMTOOLS>/samples/admin, it is now required to manually deploy the jsp files and then configure a security role within the Java Application server in order to protect these pages. This How-to document is to be used as a supplement to the original readme.txt file for a WebSphere environment.
Before following the steps below, make sure the IM server is stopped, but leave the corresponding node agent running.
- Copy the logging.jsp and ping.jsp files from:
C:\Program Files\CA\Identity Manager\IAM Suite\IdentityManager\tools\samples\Admin\user_console.war
- Copy the ping.jsp file from:
C:\Program Files\CA\Identity Manager\IAM Suite\IdentityManager\tools\samples\Admin\user_console.war\app
- Get a copy of WebSphere\AppServer\profiles\<im profile>\installedApps\<cell>\iam_im.ear\user_console.war\WEB-INF\web.xml and put the copy in C:\
- Add the following section after the last taglib tag in C:\web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>IAMSecureAdminTooles</web-resource-name>
        <description>Security constraint for IAM Admin Tools</description>
        <url-pattern>/ping.jsp</url-pattern>
        <url-pattern>/logging.jsp</url-pattern>
        <url-pattern>/app/adapterBLTHTest.jsp</url-pattern>
        <url-pattern>/app/objectTest.jsp</url-pattern>
        <url-pattern>/app/ping.jsp</url-pattern>
        <url-pattern>/app/pluginTest.jsp</url-pattern>
        <url-pattern>/ui/ping.jsp</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>only let the admin users use secured admin tools</description>
        <role-name>IAMAdmin</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>SSL not required</description>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>IAM Realm</realm-name>
</login-config>
<security-role>
    <description>The IAM Secure Admin Role</description>
    <role-name>IAMAdmin</role-name>
</security-role>
- On WebSphere Integrated Solutions Console, update user_console.war\WEB-INF\web.xml as follows:
Navigate to Applications > Enterprise Applications, select the iam_im application and click Update
Select the option of Replace or add a single file, fill in the target file path and location of the local copy
Save the change
- On WebSphere Integrated Solutions Console, create a new user for accessing the ping.jsp and logging.jsp
Navigate to Users and Groups > Manage Users > Create a User, click Create...
Fill in the user information on the Create a User panel. You can choose a preferred user name.
Close the panel.
The new user iamadmin (uid=iamadmin,o=defaultWIMFileBasedRealm) should be listed on the result panel.
- On WebSphere Integrated Solutions Console, associate the Security Role IAMAdmin with the new user.
Navigate to Enterprise Applications > iam_im, click the link of Security role to user/group mapping
Select the IAMAdmin role, click Lookup the users
Select iamadmin user, click OK
On the result panel, note the iamadmin user is mapped to IAMAdmin role
Save the change.
- On WebSphere Integrated Solutions Console, enable application security.
Navigate to Secure administration, applications, and infrastructure, select Enable application security and click Apply
The returned notes may contain:
The security configuration is enabled or modified in a Network Deployment environment. The following steps need to be followed so that all the processes in this environment have the same security run-time settings: 1) Verify that all nodes are synchronized with these security configuration changes before stopping these processes. 2) If any node agents are currently stopped, issue a manual syncNode command before starting that node agent. 3) Stop all of the processes in the entire cell, including the deployment manager, node agents, and Application Servers. 4) Restart all of the processes in the cell; restart the deployment manager and node agents first, then Application Servers.
- On WebSphere Integrated Solutions Console, synchronize the modified configuration accordingly.
Navigate to System administration > Nodes, select the node that hosts the iam_im application and click Synchronize
- On WebSphere Integrated Solutions Console, start your IM server
After the IM server has fully started, browse to http://<IMHOST_FQDN:PORT>/iam/im/ping.jsp; you are prompted to enter credentials.
Supply the credentials and the ping.jsp page appears.
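Before uploading the edited web.xml in the update step above, it is worth checking that every admin page listed in the readme really sits behind an auth-constraint and that the role named there is also declared. The script below is an added check and is not part of the CA readme.txt or of this How-to; it assumes the security-constraint, login-config and security-role block shown above and a web.xml that may or may not carry the Java EE default namespace. The two embedded web.xml texts are constructed samples, one complete and one with a partial edit, so the script runs without access to an IM installation.

```python
"""Audit a user_console.war web.xml for the IAM admin-tool security constraint.

Added check; not part of the CA readme.txt or of this How-to. Assumes the
security-constraint / login-config / security-role block from the How-to and a
web.xml that may or may not carry the Java EE default namespace.
"""
import sys
import xml.etree.ElementTree as ET

# Admin pages the How-to places behind the IAMAdmin role.
ADMIN_PAGES = [
    "/ping.jsp", "/logging.jsp",
    "/app/adapterBLTHTest.jsp", "/app/objectTest.jsp",
    "/app/ping.jsp", "/app/pluginTest.jsp", "/ui/ping.jsp",
]


def _local(tag):
    """Strip a namespace prefix like {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    """Stripped text of every descendant element called `name`."""
    return [c.text.strip() for c in elem.iter()
            if _local(c.tag) == name and c.text and c.text.strip()]


def covers(pattern, path):
    """Servlet url-pattern matching: exact, '/*', '/dir/*' prefix, '*.ext' suffix."""
    if pattern == path or pattern == "/*":
        return True
    if pattern.endswith("/*"):
        return path.startswith(pattern[:-1])   # "/app/*" matches "/app/..."
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])      # "*.jsp" matches any .jsp
    return False


def audit_web_xml(xml_text, required=ADMIN_PAGES):
    """Return findings: required pages with no auth-constraint, roles used but
    never declared in <security-role>, the login auth-method, and whether BASIC
    is permitted over a non-CONFIDENTIAL transport (credentials readable on the wire)."""
    root = ET.fromstring(xml_text)
    guarded = []            # (url-pattern, transport-guarantee) for restricted collections
    used_roles = set()
    for sc in _children(root, "security-constraint"):
        auth = _children(sc, "auth-constraint")
        if not auth:        # no auth-constraint: the collection is open to everyone
            continue
        for ac in auth:
            used_roles.update(_texts(ac, "role-name"))
        transport = (_texts(sc, "transport-guarantee") or ["NONE"])[0]
        for wrc in _children(sc, "web-resource-collection"):
            for pat in _texts(wrc, "url-pattern"):
                guarded.append((pat, transport))
    declared = set()
    for sr in _children(root, "security-role"):
        declared.update(_texts(sr, "role-name"))
    methods = _texts(root, "auth-method")
    auth_method = methods[0] if methods else None
    return {
        "unprotected": [p for p in required
                        if not any(covers(pat, p) for pat, _ in guarded)],
        "undeclared_roles": sorted(used_roles - declared),
        "auth_method": auth_method,
        "basic_over_plain_http": (auth_method == "BASIC"
                                  and any(t != "CONFIDENTIAL" for _, t in guarded)),
    }


# Constructed sample 1: the How-to's block inside a namespaced web.xml.
COMPLETE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>IAMSecureAdminTooles</web-resource-name>
      <url-pattern>/ping.jsp</url-pattern><url-pattern>/logging.jsp</url-pattern>
      <url-pattern>/app/adapterBLTHTest.jsp</url-pattern><url-pattern>/app/objectTest.jsp</url-pattern>
      <url-pattern>/app/ping.jsp</url-pattern><url-pattern>/app/pluginTest.jsp</url-pattern>
      <url-pattern>/ui/ping.jsp</url-pattern>
      <http-method>POST</http-method><http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>IAMAdmin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>IAM Realm</realm-name></login-config>
  <security-role><role-name>IAMAdmin</role-name></security-role>
</web-app>"""

# Constructed sample 2: a partial edit that forgot the /app and /ui pages and
# the <security-role> declaration.
PARTIAL_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>IAMSecureAdminTooles</web-resource-name>
      <url-pattern>/ping.jsp</url-pattern><url-pattern>/logging.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>IAMAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""


if __name__ == "__main__":
    # Usage: python audit_web_xml.py [path\to\web.xml]; with no path, audit the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(audit_web_xml(fh.read()))
    else:
        for name, text in (("complete", COMPLETE_WEB_XML), ("partial", PARTIAL_WEB_XML)):
            print(name, audit_web_xml(text))
```

Run it against the copy in C:\ before the Replace or add a single file step; an empty "unprotected" list and an empty "undeclared_roles" list mean the block was pasted completely. The "basic_over_plain_http" flag is expected to be True with the block exactly as the readme gives it (transport-guarantee NONE); it is reported only so that an administrator who fronts the IM server with TLS elsewhere knows that the constraint itself does not enforce it.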