How to deploy logging.jsp in a secured manner in Production - JBoss 5.x

Document ID : KB000009375
Last Modified Date : 14/02/2018
Introduction:

For CA Identity Manager releases R12.5 SP7 onwards, logging.jsp and ping.jsp are no longer deployed by default.

As specified in the readme.txt file located under <IMTOOLS>/samples/admin, it is now required to manually deploy the jsp files and then configure a security role within JBoss in order to protect these pages. This How-to document is to be used as a supplement to the original readme.txt file. Steps 1 and 2 are copied from the original readme.txt file for convenience only; this document adds information from step 3 onwards.

How can one deploy logging.jsp in a secured way so it is not open for random users to access and adjust logging levels?

Environment:
IM 12.5 SPx
IM 12.6 SPx
Utilizing JBoss 5.x
Instructions:

Note: Before following the below steps make sure the JBoss server is stopped.

    Copy the content of the sample to the IAM application EAR location, from:

    C:\Program Files\CA\Identity Manager\IAM Suite\IdentityManager\tools\samples\Admin\user_console.war

    To:

    C:\jboss-5.1.0.GA\server\default\deploy\iam_im.ear\user_console.war

    Add the following section after the last taglib tag in the file user_console.war\WEB-INF\web.xml under the IAM application EAR location. This change secures the admin toolkit. Repeat the environment-specific section for each environment defined (see <environment_alias> below):

     <security-constraint>
         <web-resource-collection>
             <web-resource-name>IAMSecureAdminTooles</web-resource-name>
             <description>Security constraint for IAM Admin Tools</description>
             <url-pattern>/ping.jsp</url-pattern>
             <url-pattern>/logging.jsp</url-pattern>
             <url-pattern>/app/adapterBLTHTest.jsp</url-pattern>
             <url-pattern>/app/objectTest.jsp</url-pattern>
             <url-pattern>/app/ping.jsp</url-pattern>
             <url-pattern>/app/pluginTest.jsp</url-pattern>
             <url-pattern>/ui/ping.jsp</url-pattern>
             <!-- For each environment - start -->
             <url-pattern>/<environment_alias>/adapterBLTHTest.jsp</url-pattern>
             <url-pattern>/<environment_alias>/objectTest.jsp</url-pattern>
             <url-pattern>/<environment_alias>/ping.jsp</url-pattern>
             <url-pattern>/<environment_alias>/pluginTest.jsp</url-pattern>
             <!-- For each environment - end -->
             <http-method>POST</http-method>
             <http-method>GET</http-method>
         </web-resource-collection>
         <auth-constraint>
             <description>only let the admin users use secured admin tools</description>
             <role-name>IAMAdmin</role-name>
         </auth-constraint>
         <user-data-constraint>
             <description>SSL not required</description>
             <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
     </security-constraint>
     <login-config>
         <auth-method>BASIC</auth-method>
         <realm-name>IAM Realm</realm-name>
     </login-config>
     <security-role>
         <description>The IAM Secure Admin Role</description>
         <role-name>IAMAdmin</role-name>
     </security-role>
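As an added check that is not part of the CA readme or this article, the following Python script parses a web.xml and reports which of the admin pages listed above are not covered by a security-constraint requiring IAMAdmin (one entry per environment alias), and flags two hardening points: BASIC authentication with transport-guarantee NONE, and a constraint that lists http-method elements, which confines it to those verbs only. The alias corpenv and the embedded web.xml are constructed samples.

```python
import xml.etree.ElementTree as ET

# Admin pages the article protects, relative to the user_console.war context root
FIXED_PAGES = ["/ping.jsp", "/logging.jsp", "/app/adapterBLTHTest.jsp", "/app/objectTest.jsp",
               "/app/ping.jsp", "/app/pluginTest.jsp", "/ui/ping.jsp"]
PER_ENV_PAGES = ["adapterBLTHTest.jsp", "objectTest.jsp", "ping.jsp", "pluginTest.jsp"]

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # web.xml carries the Java EE namespace; match local names
def _texts(node, name):
    return {e.text.strip() for e in node.iter() if _local(e.tag) == name and e.text}

def protected_patterns(web_xml, role="IAMAdmin"):
    """url-patterns inside a security-constraint whose auth-constraint names `role`."""
    patterns = set()
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) == "security-constraint" and role in _texts(sc, "role-name"):
            patterns |= _texts(sc, "url-pattern")
    return patterns

def uncovered_pages(web_xml, env_aliases):
    """Admin pages that would still be reachable without the IAMAdmin role."""
    wanted = FIXED_PAGES + [f"/{a}/{p}" for a in env_aliases for p in PER_ENV_PAGES]
    covered = protected_patterns(web_xml)
    return [p for p in wanted if p not in covered]

def constraint_gaps(web_xml):
    """Hardening points to review: BASIC over plain HTTP, and a constraint limited to listed verbs."""
    root = ET.fromstring(web_xml)
    gaps = []
    if "BASIC" in _texts(root, "auth-method") and "NONE" in _texts(root, "transport-guarantee"):
        gaps.append("BASIC credentials sent over plain HTTP (transport-guarantee NONE)")
    if _texts(root, "http-method"):
        gaps.append("constraint limited to " + ",".join(sorted(_texts(root, "http-method"))))
    return gaps

# Constructed sample (not from the article): one alias 'corpenv', its pluginTest.jsp left out
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
 <security-constraint><web-resource-collection>
  <url-pattern>/ping.jsp</url-pattern><url-pattern>/logging.jsp</url-pattern><url-pattern>/ui/ping.jsp</url-pattern>
  <url-pattern>/app/adapterBLTHTest.jsp</url-pattern><url-pattern>/app/objectTest.jsp</url-pattern>
  <url-pattern>/app/ping.jsp</url-pattern><url-pattern>/app/pluginTest.jsp</url-pattern>
  <url-pattern>/corpenv/adapterBLTHTest.jsp</url-pattern><url-pattern>/corpenv/objectTest.jsp</url-pattern>
  <url-pattern>/corpenv/ping.jsp</url-pattern><http-method>POST</http-method><http-method>GET</http-method>
 </web-resource-collection>
 <auth-constraint><role-name>IAMAdmin</role-name></auth-constraint>
 <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
 </security-constraint>
 <login-config><auth-method>BASIC</auth-method><realm-name>IAM Realm</realm-name></login-config>
 <security-role><role-name>IAMAdmin</role-name></security-role>
</web-app>"""
```

Run uncovered_pages against the deployed web.xml with the full list of environment aliases after every environment is added; removing the http-method elements applies the constraint to every verb, and CONFIDENTIAL instead of NONE forces TLS when the server terminates it itself.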

    Next, create a security role IAMAdmin and assign at least one admin user to it, following the application server specific documentation.
    Below is an example of the steps for creating the required security role and assigning admin users to it.
    It is assumed step 2 has been performed and the relevant code was added to \user_console.war\WEB-INF\web.xml.

    Edit C:\jboss-5.1.0.GA\server\default\deploy\iam_im.ear\user_console.war\WEB-INF\jboss-web.xml

    and add the following line:

    <security-domain>java:/jaas/tools</security-domain>

    So the actual content will be similar to the following one:

     <jboss-web>
         <security-domain>java:/jaas/tools</security-domain>
         <depends>jboss.jca:service=ConnectionFactoryBinding,name=JmsXA</depends>
         <depends>jboss.messaging.destination:service=Topic,name=iam.im.jms.topic.ServerCommandTopic</depends>
         <depends>jboss.jca:service=DataSourceBinding,name=iam/im/jdbc/jdbc/objectstore</depends>
     </jboss-web>

    Note: tools is the name of the application policy that will be created in the next step.

    Edit C:\jboss-5.1.0.GA\server\default\conf\login-config.xml by adding the following lines:

     <!-- start of tools configuration Identity Manager-->
     <application-policy name="tools">
         <authentication>
             <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                 <module-option name="hashAlgorithm">MD5</module-option>
                 <module-option name="hashEncoding">base64</module-option>
                 <module-option name="usersProperties">tools-users.properties</module-option>
                 <module-option name="rolesProperties">tools-roles.properties</module-option>
             </login-module>
         </authentication>
     </application-policy>
     <!-- end of tools configuration Identity Manager-->

    Open a command prompt in C:\jboss-5.1.0.GA\server\default\lib and run the following command:

    java -cp C:\jboss-5.1.0.GA\common\lib\jbosssx.jar org.jboss.security.Base64Encoder your_password md5

    Replace your_password with the password to be hashed; the command prints the base64-encoded MD5 digest that the login module configured above expects.

    Create a file named tools-users.properties under C:\jboss-5.1.0.GA\server\default\conf - each line in this file should contain a username and a password in the following format:

    username=password

    Add the following line to the newly created file:

    imuser=<Password_Generated_In_Previous_Step>

    Create a file named tools-roles.properties under C:\jboss-5.1.0.GA\server\default\conf - each line in this file should contain a username and a role in the following format:

    username=rolename

    Add the following line to the newly created file:

    imuser=IAMAdmin
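As an added example that is not part of the CA readme or this article, the following Python code reproduces the value the Base64Encoder command above prints (base64 of the raw MD5 digest, matching hashAlgorithm=MD5 and hashEncoding=base64), reads the two properties files, and mirrors the decision UsersRolesLoginModule plus the IAMAdmin auth-constraint make for a login. The user entries and the password Example!Pass are constructed placeholders.

```python
import base64
import hashlib
import hmac

def jboss_md5_base64(password):
    """Same value 'org.jboss.security.Base64Encoder <password> md5' prints: the raw MD5
    digest, base64-encoded (matches hashAlgorithm=MD5, hashEncoding=base64)."""
    return base64.b64encode(hashlib.md5(password.encode("utf-8")).digest()).decode("ascii")

def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#' or '!' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def authorize(users_text, roles_text, username, password, required_role):
    """Mirror the decision of UsersRolesLoginModule plus the IAMAdmin auth-constraint."""
    stored = parse_properties(users_text).get(username)
    if stored is None:
        return False
    presented = jboss_md5_base64(password)
    if not hmac.compare_digest(stored.encode(), presented.encode()):  # constant-time compare
        return False
    roles = parse_properties(roles_text).get(username, "")
    return required_role in {r.strip() for r in roles.split(",") if r.strip()}

# Constructed sample files; 'Example!Pass' is a placeholder, not a real credential
USERS_PROPERTIES = "# tools-users.properties\nimuser=" + jboss_md5_base64("Example!Pass") + "\n"
ROLES_PROPERTIES = "# tools-roles.properties\nimuser=IAMAdmin\n"
```

The stored value is an unsalted MD5 digest, so restrict read access to tools-users.properties to the JBoss service account.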

    JBoss does not automatically recompile newly deployed JSP files, so follow these additional steps:

        From the command line, change to the <jboss_home>/bin directory

        For Windows, run "iam_im_compile_jsp.bat" to recompile the JSP files

        For Unix, run "iam_im_compile_jsp.sh" to recompile the JSP files

    Start JBoss

    To activate the tools, access the following URLs, adjusted for your IAM application:

     http://<host>:<port>/iam/im/<environment_alias>/adapterBLTHTest.jsp
     http://<host>:<port>/iam/im/<environment_alias>/objectTest.jsp
     http://<host>:<port>/iam/im/<environment_alias>/ping.jsp
     http://<host>:<port>/iam/im/<environment_alias>/pluginTest.jsp
     http://<host>:<port>/iam/im/ui/ping.jsp
     http://<host>:<port>/iam/im/ping.jsp
     http://<host>:<port>/iam/im/logging.jsp