1.0 Introduction

2.0 Enabling Basic Authentication for Web Services

1.0 Introduction

Product: CA Access Control Enterprise Edition

Release: 12.5.x, 12.6, 12.6.01

OS: All

This scenario describes how to configure Basic Authentication for the [assign the pupm variable value for your book] web services SDK.

This Knowledge Base Article constitutes a portion of the official CA product documentation for this CA product. This Knowledge Base Article is subject to the following notices, terms and conditions.

2.0 Enabling Basic Authentication for Web Services

The Web Services PUPM SDK lets you write applications that check in and check out privileged account passwords. You do not need to install CA Access Control to use the Web Services PUPM SDK.

To ensure that only authorized users access the Web Services programs, you can enable basic authentication on the Enterprise Management Server.

The following diagram illustrates how you enable basic authentication for Web Services programs:

<Please see attached file for image>

Follow these steps:

1. Enable the CA Identity Manager Management Console.
   
   
2. Enable Basic Authentication mode.
   
   
3. Configure the JBoss application server for Web Services.
   
   
4. Verify the Basic Authentication mode.

2.1 Enable the CA Identity Manager Management Console

When you install the Enterprise Management Server for the first time, the CA Identity Manager Management Console option is disabled. To enable the CA Identity Manager Management Console, change the default settings.

Important!: Complete the following procedure only if you selected to use Active Directory or the embedded user store during installation.

Follow these steps:

1. Stop JBoss if it is running. Do one of the following:
   
   
   • From the JBoss job windows, interrupt (Ctrl+C) the process.
     
     
   • Stop the JBoss Application Server service from the Services Panel.
     
     
2. Navigate to the following directory, where JBoss_HOME is the directory where you installed JBoss:

   JBoss_HOME/server/default/deploy/IdentityMinder.ear/management_console.war/WEB-INF

3. Open the web.xml file in an editable form.
4. Search for the following section:

   AccessFilter

5. In the <param-value> field, change the value to True.
   
   
6. Save and close the file.
   
   
7. Start JBoss.

   The CA Identity Manager Management Console is enabled.

2.2 Enable Basic Authentication Mode

You use the CA Identity Manager Management Console to enable the basic authentication mode.

Follow these steps:

1. Open a web browser and enter the following URL, for your host:

   http://enterprise_host:port/idmmanage

2. Click Environments, ac-env, Advanced Settings, Web Services.
   
   The Web Services Properties screen opens.
   
   
3. Check the following options:
   
   
   • Enable Execution
     
     
   • Enable WSDL
     
     
   • Enable admin_id
     
     
4. Verify that the the SiteMinder Authentication option is set to None.
   
   
5. Click Continue.
   
   The ac-env screen opens.
   
   
6. Click Restart to restart the environment.
   
   You have enabled the basic authentication mode.

2.3 Configure the JBoss application server for Web Services

After you enable the basic authentication mode, you modify the JBoss application server settings to support the authentication mode.

Follow these steps:

1. Navigate to the following directory, where JBoss_HOME is the directory where you installed JBoss:

   JBoss_HOME/server/default/dpeloy/IdentityMinder.ear/user_console.war/WEB-INF

2. Open the web.xml file. Do the following:
   
   
   1. Add the following snippet to the end of the file:

      <security-constraint>        <display-name>require valid user</display-name>        <web-resource-collection>            <web-resource-name>internal application</web-resource-name>             <!-- secure only admin pages-->            <url-pattern>/TEWS6/*</url-pattern>             <http-method>GET</http-method>             <http-method>POST</http-method>        </web-resource-collection>        <auth-constraint>            <!--Admin pages secured only for admin-->            <role-name>admin</role-name>        </auth-constraint>    </security-constraint>
      
      <!-- For BASIC authentication--> <login-config>           <auth-method>BASIC</auth-method>           <realm-name>domain_name</realm-name> </login-config>

   2. Locate the <realm-name> entry and replace the value with the name of the domain where you installed the Enterprise Management Server.
      
      
   3. Save and close the file.
      
      
3. Open the jboss-web.xml file. Do the following:
   
   
   1. Add the following snippet to the bottom of the file:

      <!--<security-domain>java:/jaas/<WebApplicationName></security-domain>--><security-domain>java:/jaas/auth</security-domain>

4. Navigate to the following directory:

   JBoss_HOME/server/default/conf

5. Open the login-config.xml file. Do the following:
   
   
   1. Locate the following section:

      <!-- Used by clients within the application server VM such as    mbeans and servlets that access EJBs.    -->

   2. Add the following underneath above mentioned section:

      <application-policy name = "auth">     <authentication>            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">                  <module-option name="usersProperties">users.properties</module-option>                  <module-option name="rolesProperties">roles.properties</module-option>            </login-module>     </authentication></application-policy>

   3. Save and close the file.
      
      
6. Create a file named users.properties in the following directory:

   JBoss_HOME/server/default/conf

7. Specify the username and passwords for each user that you want to allow access to the Web Services, as follows:

   <username>=<password>

   For example: admin=Passw0rd
   
   
8. Create a file named roles.properties.
   
   
9. Specify the roles assigned to the users you specified in the users.properties file, as follows:

   <rolename>=<user>

   For example: admin=admin
   
   
10. Save and close the file.

    You have successfully configured the JBoss application server for basic authentication mode.

2.4 Verify the Basic Authentication Mode

After you have configured basic authentication, you can use a SOAP (Simple Object Access Protocol) utility to verify that the basic authentication mode protects access to the [assign the pupm variable value for your book] Web Services.

Example: Use SOAPUI to verify basic authentication

The following example shows you how to verify basic authentication using soapUI utility.

Follow these steps:

1. Open the soapUI and select File, New SoapUI project.
   
   The new soapUI screen opens.
   
   
2. Specify the project name and the initial WSDL URL, as follows, then click OK:

   http://<HOST_NAME>:port/iam/TEWS6/ac?wsdl  

   Example: http://ENTM_server:18080/iam/TEWS6/ac?wsdl
   
   
3. Locate and expand the CheckOutAccount method.
   
   
4. Select Request1.
   
   
5. Specify the username and password that you specified in the users.properties file in the Request Properties section,
   
   
6. Double click Request1.
   
   An XML document opens on the right pane.
   
   
7. Replace the content of the XML file with the following:

   <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsdl="http://tews6/wsdl">   <soapenv:Header/>
      <soapenv:Body>
         <wsdl:TaskContext>
            <!--You may enter the following 11 items in any order-->
            <!--Optional:-->
            <wsdl:admin_id>superadmin</wsdl:admin_id>
         </wsdl:TaskContext>
         <wsdl:CheckOutAccount>
            <!--Optional:-->
            <wsdl:CheckOutAccountcheckOutAccountPasswordTewsTab>
               <!--Optional:-->
               <wsdl:Namespace>Disconnected</wsdl:Namespace>
               <!--Optional:-->
               <wsdl:EndpointName>TestEndpoint</wsdl:EndpointName>
               <!--Optional:-->
               <wsdl:AccountName>testaccount</wsdl:AccountName>
               <!--Optional:-->
               <wsdl:Container>Accounts</wsdl:Container>
            </wsdl:CheckOutAccountcheckOutAccountPasswordTewsTab>
         </wsdl:CheckOutAccount>
      </soapenv:Body>
   </soapenv:Envelope>  

   In this example, you specified that users can check out privileged accounts of type Disconnected (<wsdl:Namespace>Disconnected</wsdl:Namespace>), from an endpoint TestEndpoint (<wsdl:EndpointName>TestEndpoint</wsdl:EndpointName>) and the privileged account testaccount (wsdl:AccountName>testaccount</wsdl:AccountName>)
   
   Note: the <wsdl:admin_id>superadmin</wsdl:admin_id> line defines the impersonation user, the user that the operations are performed on behalf-of.
   
   
8. Click Submit.
   
   The Raw tab opens.
   
   
9. Verify that in the Authorization entry you see the basic authentication identification string.

   You have verified the basic authentication mode.

2.5 Copyright

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the "Documentation") is for your informational purposes only and is subject to change or withdrawal by CA at any time.

This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and CA governing your use of the CA software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and CA.

Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

Copyright ? 2012 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Release:
Component: SEOSWG