How to define and map security roles in WebSphere 6.1 for securing ping.jsp and logging.jsp

Document ID : KB000049508
Last Modified Date : 14/02/2018

Description:

For CA Identity Manager r12.5 SP6 onwards, logging.jsp and ping.jsp are no longer deployed by default. As specified in the readme.txt file located under <IMTOOLS>/samples/admin, it is now required to manually deploy the jsp files and then configure a security role within the Java Application server in order to protect these pages. This How-to document is to be used as a supplement to the original readme.txt file for a WebSphere environment.

Solution:

Before following the steps below, make sure the IM server is stopped, but leave the corresponding node agent running.

  1. Copy the logging.jsp and ping.jsp files from:
    C:\Program Files\CA\Identity Manager\IAM Suite\IdentityManager\tools\samples\Admin\user_console.war

    To:
    WebSphere\AppServer\profiles\<im profile>\installedApps\<cell>\iam_im.ear\user_console.war

  2. Copy the ping.jsp file from:

    C:\Program Files\CA\Identity Manager\IAM Suite\IdentityManager\tools\samples\Admin\user_console.war\app

    To:
    WebSphere\AppServer\profiles\<im profile>\installedApps\<cell>\iam_im.ear\user_console.war
    WebSphere\AppServer\profiles\<im profile>\installedApps\<cell>\iam_im.ear\user_console.war\app
    WebSphere\AppServer\profiles\<im profile>\installedApps\<cell>\iam_im.ear\user_console.war\ui

  3. Get a copy of WebSphere\AppServer\profiles\<im profile>\installedApps\<cell>\iam_im.ear\user_console.war\WEB-INF\web.xml and put the copy in C:\

  4. Add the following section after the last taglib tag in C:\web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>IAMSecureAdminTooles</web-resource-name>
        <description>Security constraint for IAM Admin Tools</description>
        <url-pattern>/ping.jsp</url-pattern>
        <url-pattern>/logging.jsp</url-pattern>
        <url-pattern>/app/adapterBLTHTest.jsp</url-pattern>
        <url-pattern>/app/objectTest.jsp</url-pattern>
        <url-pattern>/app/ping.jsp</url-pattern>
        <url-pattern>/app/pluginTest.jsp</url-pattern>
        <url-pattern>/ui/ping.jsp</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>only let the admin users use secured admin tools</description>
        <role-name>IAMAdmin</role-name>
      </auth-constraint>
      <user-data-constraint>
        <description>SSL not required</description>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>IAM Realm</realm-name>
    </login-config>
    <security-role>
      <description>The IAM Secure Admin Role</description>
      <role-name>IAMAdmin</role-name>
    </security-role>

  5. On WebSphere Integrated Solutions Console, update the user_console.war\WEB-INF\web.xml by following the illustration:

    Navigate to Applications > Enterprise Applications, select the iam_im application and click Update.

    Figure 1

    Select the option Replace or add a single file, then fill in the target file path and the location of the local copy.

    Figure 2

    Save the change.

    Figure 3

  6. On WebSphere Integrated Solutions Console, create a new user for accessing ping.jsp and logging.jsp.

    Navigate to Users and Groups > Manage Users > Create a User, and click Create...

    Figure 4

    Fill in the user information on the Create a User panel. You can choose a preferred user name.

    Figure 5

    Close the panel.

    Figure 6

    The new user iamadmin (uid=iamadmin,o=defaultWIMFileBasedRealm) should be listed on the result panel.

    Figure 7

  7. On WebSphere Integrated Solutions Console, associate the Security Role IAMAdmin with the new user.

    Navigate to Enterprise Applications > iam_im and click the link Security role to user/group mapping.

    Figure 8

    Select the IAMAdmin role and click Look up users.

    Figure 9

    Select the iamadmin user and click OK.

    Figure 10

    On the result panel, note that the iamadmin user is mapped to the IAMAdmin role.

    Figure 11

    Save the change.

    Figure 12

  8. On WebSphere Integrated Solutions Console, enable application security.

    Navigate to Secure administration, applications, and infrastructure, select Enable application security and click Apply.

    Figure 13

    The returned message may contain:

    The security configuration is enabled or modified in a Network Deployment environment. The following steps need to be followed so that all the processes in this environment have the same security run-time settings: 1) Verify that all nodes are synchronized with these security configuration changes before stopping these processes. 2) If any node agents are currently stopped, issue a manual syncNode command before starting that node agent. 3) Stop all of the processes in the entire cell, including the deployment manager, node agents, and Application Servers. 4) Restart all of the processes in the cell; restart the deployment manager and node agents first, then Application Servers.

    Figure 14

  9. On WebSphere Integrated Solutions Console, synchronize the modified configuration accordingly.

    Navigate to System administration > Nodes, select the node that hosts the iam_im application and click Synchronize.

    Figure 15

    On WebSphere Integrated Solutions Console, start your IM server.

    Figure 16

    After the IM server has fully started, browse to http://<IMHOST_FQDN>:<PORT>/iam/im/ping.jsp; you are prompted to enter credentials.

    Figure 17

    Supply the credentials, and the ping.jsp page appears:

    Figure 18
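The web.xml section in step 4 is only effective if every admin JSP path is matched by a url-pattern, the role named in the auth-constraint is declared as a security-role, and the constraint does not leave gaps. The following is an added example, not part of the original article or of the CA Identity Manager product: a small Python audit script that parses a web.xml descriptor (with or without the Java EE namespace) and reports admin pages that no authenticated constraint covers, roles that are referenced but not declared, constraints that list only some HTTP methods (per the Servlet specification, unlisted methods such as HEAD are then unconstrained), and BASIC authentication combined with transport-guarantee NONE (credentials travel base64-encoded over plaintext). The descriptor text is constructed by build_web_xml() to mirror the article's section; the ADMIN_PAGES list, the function names and the namespace-stripping helpers are this example's own assumptions.

```python
"""Audit a web.xml descriptor for coverage of the IAM admin JSPs (added example)."""
import xml.etree.ElementTree as ET

# The pages the article protects in step 4; assumed list for this audit.
ADMIN_PAGES = ["/ping.jsp", "/logging.jsp", "/app/adapterBLTHTest.jsp",
               "/app/objectTest.jsp", "/app/ping.jsp", "/app/pluginTest.jsp",
               "/ui/ping.jsp"]


def build_web_xml(patterns, methods, guarantee):
    """Constructed descriptor shaped like the article's section (sample input, not the real iam_im web.xml)."""
    pats = "".join(f"<url-pattern>{p}</url-pattern>" for p in patterns)
    meths = "".join(f"<http-method>{m}</http-method>" for m in methods)
    return f"""<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>IAMSecureAdminTools</web-resource-name>{pats}{meths}
    </web-resource-collection>
    <auth-constraint><role-name>IAMAdmin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>{guarantee}</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>IAM Realm</realm-name></login-config>
  <security-role><role-name>IAMAdmin</role-name></security-role>
</web-app>"""


def _local(tag):
    # Strip the "{namespace}" prefix ElementTree adds to namespaced tags.
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [c.text.strip() for c in elem.iter() if _local(c.tag) == name and c.text]


def pattern_matches(pattern, path):
    """Servlet url-pattern matching: exact, path prefix (/app/*) or extension (*.jsp).
    "/" and "/*" are treated as catch-all for audit purposes."""
    if pattern == path or pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def audit_web_xml(xml_text, admin_pages):
    """Return {'uncovered': [pages with no authenticated constraint], 'findings': [weak settings]}."""
    root = ET.fromstring(xml_text)
    declared = set()
    for role in _children(root, "security-role"):
        declared.update(_texts(role, "role-name"))
    auth_methods = set()
    for lc in _children(root, "login-config"):
        auth_methods.update(_texts(lc, "auth-method"))

    covered, findings = set(), []
    for sc in _children(root, "security-constraint"):
        name = (_texts(sc, "web-resource-name") or ["<unnamed>"])[0]
        patterns, methods = [], []
        for wrc in _children(sc, "web-resource-collection"):
            patterns += _texts(wrc, "url-pattern")
            methods += _texts(wrc, "http-method")
        auth = _children(sc, "auth-constraint")
        if not auth:
            continue  # no auth-constraint means the resources need no login at all
        for r in _texts(auth[0], "role-name"):
            if r != "*" and r not in declared:
                findings.append(f"{name}: role '{r}' has no <security-role> declaration")
        if methods:
            findings.append(f"{name}: only {sorted(methods)} are constrained; other HTTP methods stay open")
        guarantee = _texts(sc, "transport-guarantee")
        if "BASIC" in auth_methods and (not guarantee or guarantee[0] == "NONE"):
            findings.append(f"{name}: BASIC credentials sent without transport-guarantee CONFIDENTIAL")
        covered.update(p for p in admin_pages if any(pattern_matches(u, p) for u in patterns))
    return {"uncovered": [p for p in admin_pages if p not in covered], "findings": findings}


if __name__ == "__main__":
    as_in_article = build_web_xml(ADMIN_PAGES, ["GET", "POST"], "NONE")
    hardened = build_web_xml(ADMIN_PAGES, [], "CONFIDENTIAL")
    print("article settings:", audit_web_xml(as_in_article, ADMIN_PAGES))
    print("hardened settings:", audit_web_xml(hardened, ADMIN_PAGES))
```

Run against the article's settings the audit reports no uncovered page but two findings: the GET/POST-only method list and BASIC over transport-guarantee NONE. Omitting the http-method elements constrains every method, and CONFIDENTIAL forces the BASIC credentials onto HTTPS; both are changes to the web.xml text only and need the same Update and Synchronize steps as above.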