How to protect Identity Manager's Management Console (without SiteMinder) on WebSphere 7.0

Document ID : KB000049033
Last Modified Date : 14/02/2018

Description:

This tech doc has been updated with the steps to protect Identity Manager's Management Console under WebSphere 7.0.x.

Solution:

This tech doc covers WAS 7.0.0.x and describes how to apply WAS global security in order to protect Identity Manager's Management Console.

Please note:

  1. The document describes the changes for a single node. In a clustered environment the same changes must be applied to every node, so every step below has to be repeated on each node of the cluster.

  2. You do not need to export the EAR file, modify it externally and redeploy it. The steps below apply the changes to an already deployed environment while taking the node configuration cache into account (this is why each edited file is copied to both the installedApps location and the config\cells deployment location).

  3. Take a backup of every file before you modify it. Keep the backup copies in a location outside the WebSphere folders, so that they are never picked up as configuration.

WebSphere (version 7.0.0.x)
----------------------------

Step 1:
-------
Create two new text files, named users.props and groups.props, and place them in the following directory:

C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\access

Note: Create the access folder if it does not already exist.

From a text editor, add the following lines to users.props:

# Format:
# name:passwd:uid:gids:display name
# where name = userId/userName of the user
#    passwd = password of the user
#    uid = uniqueId of the user
#    gids = groupIds of the groups that the user belongs to
#    display name = a (optional) display name for the user.
wsadmin:password:1:100:wsadmin
IDM:password:2::IDM

Note: The IDM user above is needed for Workflow. This username and password MUST match the username and password in the Workflow ra.xml file.

Note: The value "password" is a placeholder; choose strong passwords for both accounts. The registry file holds the passwords exactly as written here, so restrict read access to users.props to the account that runs WebSphere.

From a text editor, add the following lines to groups.props:

# Format:
# name:gid:users:display name
# where name = groupId of the group
#    gid = uniqueId of the group
#    users = list of all the userIds that the group contains
#    display name = a (optional) display name for the group.
admins:100:wsadmin:Administrative group

Log into the WebSphere Administrative Console.
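As an added example that is not part of this tech doc, the following Python script reads a users.props/groups.props pair in the format shown in Step 1 and reports the inconsistencies that commonly leave the custom registry unusable or weaker than intended: a user whose gid points to a group that is not declared, a group listing a user that does not exist (or whose own gid list disagrees), duplicate uids or gids, a missing primary administrative user, and the placeholder password "password". The sample registry inside the script is constructed from the two files above so that it runs offline; pass the real file paths as arguments to check your own files.

```python
"""Consistency checks for the users.props / groups.props pair of the
WebSphere stand-alone custom (file) registry. Added example, not from
the original tech doc. The sample content below is constructed from the
files shown in Step 1; run the script with two paths to check real files.
"""
import sys

# Constructed sample registry (same layout as Step 1).
USERS_PROPS = """\
# name:passwd:uid:gids:display name
wsadmin:password:1:100:wsadmin
IDM:password:2::IDM
"""

GROUPS_PROPS = """\
# name:gid:users:display name
admins:100:wsadmin:Administrative group
"""


def parse_props(text, fields):
    """Split every non-comment, non-blank line on ':' into `fields` columns.

    The trailing display name is optional, so a line may have one column
    less than `fields`; it is padded with an empty string.
    """
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", fields - 1)
        if len(parts) < fields - 1:
            raise ValueError(f"line {lineno}: expected at least {fields - 1} "
                             f"':'-separated fields: {raw!r}")
        parts += [""] * (fields - len(parts))
        rows.append([p.strip() for p in parts])
    return rows


def check_registry(users_text, groups_text, admin_user="wsadmin"):
    """Return a list of problems found; an empty list means the pair is consistent."""
    problems = []
    users = {}       # user name -> set of gids the user claims
    uid_owner = {}   # uid -> user name, to spot duplicates
    for name, passwd, uid, gids, _display in parse_props(users_text, 5):
        if name in users:
            problems.append(f"duplicate user {name!r}")
        if uid in uid_owner:
            problems.append(f"uid {uid} used by both {uid_owner[uid]!r} and {name!r}")
        uid_owner[uid] = name
        if passwd in ("", "password"):
            problems.append(f"user {name!r} has a placeholder/empty password")
        users[name] = {g for g in gids.split(",") if g}

    groups = {}      # gid -> (group name, set of members)
    for gname, gid, members, _display in parse_props(groups_text, 4):
        if gid in groups:
            problems.append(f"duplicate gid {gid}")
        groups[gid] = (gname, {m for m in members.split(",") if m})

    # users.props -> groups.props: every claimed gid must exist and list the user.
    for uname, gids in users.items():
        for gid in gids:
            if gid not in groups:
                problems.append(f"user {uname!r} references undefined gid {gid}")
            elif uname not in groups[gid][1]:
                problems.append(f"group {groups[gid][0]!r} (gid {gid}) does not list member {uname!r}")

    # groups.props -> users.props: every member must exist and claim the gid.
    for gid, (gname, members) in groups.items():
        for member in members:
            if member not in users:
                problems.append(f"group {gname!r} lists unknown user {member!r}")
            elif gid not in users[member]:
                problems.append(f"user {member!r} is listed in group {gname!r} but lacks gid {gid}")

    if admin_user not in users:
        problems.append(f"primary administrative user {admin_user!r} is not defined")
    return problems


if __name__ == "__main__":
    users_text, groups_text = USERS_PROPS, GROUPS_PROPS
    if len(sys.argv) == 3:   # python check_registry.py users.props groups.props
        with open(sys.argv[1], encoding="utf-8") as u, open(sys.argv[2], encoding="utf-8") as g:
            users_text, groups_text = u.read(), g.read()
    for problem in check_registry(users_text, groups_text) or ["registry is consistent"]:
        print(problem)
```

Run against the two files exactly as shown in Step 1, the only findings are the two placeholder passwords; a typo in a gid or a member name produces a message for each direction of the mismatch, which is the usual reason a login against the custom registry fails after Step 2.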

Step 2: Apply WAS Global Security.
-------
Go to Security-->Secure administration, applications, and infrastructure

Check the following settings:

Enable administrative security
Enable application security
Remove the check marks in the Java 2 Security section
Under Available realm definition select "Standalone custom registry". Then, click on configure.
Enter wsadmin for the Primary administrative username.
Select "Automatically generated server identity"
Click on Custom properties.
Click New and enter the following:
Name: usersFile
Value: C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\access\users.props
Click OK
Click New and enter the following:
Name: groupsFile
Value: C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\access\groups.props
Click OK.
Save your changes
Navigate back to the "Secure administration, applications, and infrastructure" screen and complete the following steps:
Ensure that "Enable administrative security" and "Enable application security" are selected.
Under "Available realm definitions," select "Standalone custom registry."
Click "Set as current."
Apply and save your settings.


Step 3: Apply the security into the IDM's Management Console application
-------
Please make sure you do this step for EVERY node in your clustered environment (if clustered):

In a text editor, open web.xml located in the following directory:

C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps
\<cell name>\iam_im.ear\management_console.war\WEB-INF

Note: The paths in this document show the enterprise application both as iam_im.ear (deployment name iam_im) and as IdentityMinder.ear (deployment name IdentityMinder); which one you have depends on your Identity Manager release. Use the name that exists in your installation consistently in every path below.

Add the following code to the bottom of web.xml, just above </web-app>:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>IDMManage</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>imadministrators</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>imadministrators</role-name>
</security-role>

Two points to check before saving:

  1. Listing <http-method> elements limits the constraint to exactly those methods. A request that uses any other method (HEAD, OPTIONS, PUT, DELETE, ...) is not subject to the auth-constraint and reaches the console unauthenticated. Unless you have a reason to leave other methods open, delete the two <http-method> lines so that the constraint covers every method on /*.

  2. <transport-guarantee>NONE</transport-guarantee> allows the login form to post j_username and j_password over plain HTTP. If an HTTPS transport is configured on the server, change it to CONFIDENTIAL so the container redirects the login to HTTPS.

Save the file.

Copy the updated file to:

C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01
\config\cells\<CellName>\applications\IdentityMinder.ear\deployments\IdentityMinder\management_console.war\WEB-INF

Overwrite the file that already exists there with your new copy (back up the previous file beforehand, as pointed out earlier).

Step 4:
-------
Make sure you do this step for EVERY node in your clustered environment (if clustered):

Create the login.html and error.html files (see below) and copy them into the following directory:

C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01
\installedApps\<CellName>\IdentityMinder.ear\management_console.war

** login.html
Create a text file named login.html. Add the following code to this file.

<html>
  <head><title>CA Identity Manager</title></head>
  <body>
    <form method="POST" action="j_security_check">
      <table border=0>
        <tr>
          <td>Username:</td>
          <td><input type="text" name="j_username"></td>
        </tr>
        <tr>
          <td>Password:</td>
          <td><input type="password" name="j_password"></td>
        </tr>
        <tr>
          <td colspan=2 align=center><input type=submit value="Submit"></td>
        </tr>
      </table>
    </form>
  </body>
</html>

** error.html
Create a text file named error.html. Add the following code to this file.

<html>
  <head><title>Login failed</title></head>
  <body>
    <h4>Sorry, your user name and password were not recognized.</h4>
    <a href="login.html">Return to login page</a>
  </body>
</html>

Copy these two files into:

C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\<cell name>\applications\iam_im.ear
\deployments\iam_im\management_console.war

Step 5:
-------
Make sure to do this step for EVERY node in your clustered environment (if clustered):

In a text editor, open application.xml located in the following directory:

C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\<cell name>\iam_im.ear\META-INF

Edit this file by adding the following lines, just above </application>:
<security-role id="imadministrators">
  <role-name>imadministrators</role-name>
</security-role>

Save the file.

Copy the file to the following location (back up the existing file before overwriting it):

C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01
\config\cells\<CellName>\applications\IdentityMinder.ear\deployments\IdentityMinder\META-INF
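As an added example that is not part of this tech doc, the following Python script reads web.xml and application.xml after the edits from Steps 3 and 5 and reports the gaps that would leave the console less protected than intended: a role used in an auth-constraint but not declared as a security-role in both descriptors (the mapping in Step 7 needs both), a constraint that lists <http-method> elements and therefore leaves every other HTTP method unconstrained, a transport-guarantee of NONE, and a form login or error page (Step 4) missing from the WAR root. The two descriptors and the WAR file listing are constructed inline from the snippets in this document so the script runs offline; the xmlns on the root elements is assumed from the Java EE 5 descriptor schema, and the listing should be replaced by the real contents of the management_console.war directory.

```python
"""Static check of the security-constraint wiring from Steps 3 to 5.

Added example, not from the original tech doc. The descriptors and the
WAR file listing below are constructed inline; replace them with the real
files and os.listdir() of management_console.war to check a deployment.
"""
import xml.etree.ElementTree as ET

WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>IDMManage</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>imadministrators</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>imadministrators</role-name>
  </security-role>
</web-app>
"""

APPLICATION_XML = """<?xml version="1.0" encoding="UTF-8"?>
<application xmlns="http://java.sun.com/xml/ns/javaee" version="5">
  <security-role id="imadministrators">
    <role-name>imadministrators</role-name>
  </security-role>
</application>
"""

WAR_FILES = {"login.html", "error.html"}   # assumed listing of the WAR root


def _local(tag):
    """Strip the XML namespace so the checks work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    """Text of elem and every descendant whose local tag name is `name`."""
    return [e.text.strip() for e in elem.iter() if _local(e.tag) == name and e.text]


def declared_roles(xml_text):
    """Role names declared through <security-role> in a descriptor."""
    roles = set()
    for sr in ET.fromstring(xml_text).iter():
        if _local(sr.tag) == "security-role":
            roles.update(_texts(sr, "role-name"))
    return roles


def lint_descriptors(web_xml, application_xml, war_files):
    """Return a list of findings; an empty list means no gap was found."""
    findings = []
    web = ET.fromstring(web_xml)
    web_roles = declared_roles(web_xml)
    app_roles = declared_roles(application_xml)

    for sc in (e for e in web.iter() if _local(e.tag) == "security-constraint"):
        label = ",".join(_texts(sc, "url-pattern"))
        methods = _texts(sc, "http-method")
        guarantee = (_texts(sc, "transport-guarantee") or ["NONE"])[0]
        if methods:
            # Servlet spec: once <http-method> is present only those methods are constrained.
            findings.append(f"{label}: only {'/'.join(methods)} are constrained; other HTTP "
                            "methods bypass the auth-constraint (drop the <http-method> elements)")
        if guarantee == "NONE":
            findings.append(f"{label}: transport-guarantee NONE, the login form may post "
                            "the password over plain HTTP")
        # A role-name inside a security-constraint can only come from its auth-constraint.
        for role in _texts(sc, "role-name"):
            if role not in web_roles:
                findings.append(f"{label}: role {role!r} is not declared as <security-role> in web.xml")
            if role not in app_roles:
                findings.append(f"{label}: role {role!r} is not declared as <security-role> in application.xml")

    for page_elem in ("form-login-page", "form-error-page"):
        for page in _texts(web, page_elem):
            if page.lstrip("/") not in war_files:
                findings.append(f"{page_elem} {page} is missing from the WAR root")
    return findings


if __name__ == "__main__":
    for finding in lint_descriptors(WEB_XML, APPLICATION_XML, WAR_FILES) or ["no gaps found"]:
        print(finding)
```

Run on the snippets exactly as given in this document, the script reports two findings, the GET/POST method list and the NONE transport guarantee; with the two <http-method> lines removed and CONFIDENTIAL in place it reports nothing. Removing the security-role from either descriptor, or forgetting to copy login.html or error.html into the WAR root, each produces its own finding, which is cheaper to discover here than after the restart in Step 6.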

Step 6:
-------
Restart the WebSphere services.

Step 7:
-------
Log back into the WebSphere Administrative Console.

Click on Applications, Enterprise Applications.
Select the Identity Manager application (IdentityMinder or iam_im, depending on your release).
Under Detail Properties click on "Security role to user/group mapping."
Select imadministrators and click "Look up users."
Click Search.
Select "wsadmin" and use the right arrow button to move it to the right.
Click OK twice.
Save your changes.
Restart the Identity Manager application.
Browse to http://servername:9080/idmmanage.
You should see the form login page instead of the console.
Enter the username/password that you defined above.
The Management Console is now protected.
Note: Verify that Workflow still functions properly after making these changes; Workflow authenticates with the IDM user from users.props, so its credentials must match the ones in the Workflow ra.xml file.