How to define and map security roles in WebSphere 6.1 for securing ping.jsp and logging.jsp

Article ID: 49508

Products

DIRECTORY CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On SECURITY MISC CODES SINGLE SIGN ON - LEGACY CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

Description:

From CA Identity Manager r12.5 SP6 onwards, logging.jsp and ping.jsp are no longer deployed by default. As specified in the readme.txt file located under <IMTOOLS>/samples/admin, you must now deploy the JSP files manually and then configure a security role within the Java application server to protect these pages. This how-to document supplements the original readme.txt file for a WebSphere environment.

Solution:

Before following the steps below, make sure the IM server is stopped, but leave the corresponding node agent running.

  1. Copy the logging.jsp and ping.jsp files from:
    C:\Program Files\CA\Identity Manager\IAM Suite\IdentityManager\tools\samples\Admin\user_console.war

    To:
    WebSphere\AppServer\profiles\<im profile>\installedApps\<cell>\iam_im.ear\user_console.war

  2. Copy the ping.jsp file from:

    C:\Program Files\CA\Identity Manager\IAM Suite\IdentityManager\tools\samples\Admin\user_console.war\app

    To:
    WebSphere\AppServer\profiles\<im profile>\installedApps\<cell>\iam_im.ear\user_console.war
    WebSphere\AppServer\profiles\<im profile>\installedApps\<cell>\iam_im.ear\user_console.war\app
    WebSphere\AppServer\profiles\<im profile>\installedApps\<cell>\iam_im.ear\user_console.war\ui

  3. Copy WebSphere\AppServer\profiles\<im profile>\installedApps\<cell>\iam_im.ear\user_console.war\WEB-INF\web.xml to C:\

  4. Add the following section after the last taglib tag in C:\web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>IAMSecureAdminTooles</web-resource-name>
        <description>Security constraint for IAM Admin Tools</description>
        <url-pattern>/ping.jsp</url-pattern>
        <url-pattern>/logging.jsp</url-pattern>
        <url-pattern>/app/adapterBLTHTest.jsp</url-pattern>
        <url-pattern>/app/objectTest.jsp</url-pattern>
        <url-pattern>/app/ping.jsp</url-pattern>
        <url-pattern>/app/pluginTest.jsp</url-pattern>
        <url-pattern>/ui/ping.jsp</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>only let the admin users use secured admin tools</description>
        <role-name>IAMAdmin</role-name>
      </auth-constraint>
      <user-data-constraint>
        <description>SSL not required</description>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>IAM Realm</realm-name>
    </login-config>
    <security-role>
      <description>The IAM Secure Admin Role</description>
      <role-name>IAMAdmin</role-name>
    </security-role>

  5. In the WebSphere Integrated Solutions Console, update user_console.war\WEB-INF\web.xml as illustrated below:

    Navigate to Applications > Enterprise Applications, select the iam_im application and click Update

    <Please see attached file for image>

    Figure 1

    Select the Replace or add a single file option, then fill in the target file path and the location of the local copy

    <Please see attached file for image>

    Figure 2

    Save the change

    <Please see attached file for image>

    Figure 3

  6. In the WebSphere Integrated Solutions Console, create a new user for accessing ping.jsp and logging.jsp.

    Navigate to Users and Groups > Manage Users > Create a User, click Create...

    <Please see attached file for image>

    Figure 4

    Fill in the user information on the Create a User panel. You can choose a preferred user name.

    <Please see attached file for image>

    Figure 5

    Close the panel.

    <Please see attached file for image>

    Figure 6

    The new user iamadmin (uid=iamadmin,o=defaultWIMFileBasedRealm) should be listed on the result panel.

    <Please see attached file for image>

    Figure 7

  7. On WebSphere Integrated Solutions Console, associate the Security Role IAMAdmin with the new user.

    Navigate to Enterprise Applications > iam_im, then click the Security role to user/group mapping link

    <Please see attached file for image>

    Figure 8

    Select the IAMAdmin role, click Lookup the users

    <Please see attached file for image>

    Figure 9

    Select the iamadmin user, then click OK

    <Please see attached file for image>

    Figure 10

    On the result panel, note that the iamadmin user is mapped to the IAMAdmin role

    <Please see attached file for image>

    Figure 11

    Save the change.

    <Please see attached file for image>

    Figure 12

  8. On WebSphere Integrated Solutions Console, enable application security.

    Navigate to Secure administration, applications, and infrastructure, select Enable application security and click Apply

    <Please see attached file for image>

    Figure 13

    The returned notes may contain:

    The security configuration is enabled or modified in a Network Deployment environment. The following steps need to be followed so that all the processes in this environment have the same security run-time settings: 1) Verify that all nodes are synchronized with these security configuration changes before stopping these processes. 2) If any node agents are currently stopped, issue a manual syncNode command before starting that node agent. 3) Stop all of the processes in the entire cell, including the deployment manager, node agents, and Application Servers. 4) Restart all of the processes in the cell; restart the deployment manager and node agents first, then Application Servers.

    <Please see attached file for image>

    Figure 14

  9. On WebSphere Integrated Solutions Console, synchronize the modified configuration accordingly.

    Navigate to System administration > Nodes, select the node that hosts the iam_im application and click Synchronize

    <Please see attached file for image>

    Figure 15

    On WebSphere Integrated Solutions Console, start your IM server

    <Please see attached file for image>

    Figure 16

    After the IM server has fully started, browse to http://<IMHOST_FQDN:PORT>/iam/im/ping.jsp. You are prompted to enter credentials.

    <Please see attached file for image>

    Figure 17

    Supply the credentials and then the ping.jsp page will appear:

    <Please see attached file for image>

    Figure 18
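
The web.xml edited in step 4 can be checked before it is uploaded in step 5. The script below is an added example, not part of the original article or of CA's tooling: it reports copied JSP paths that no constraint covers, roles used but not declared, constraints that list specific http-method values, and BASIC authentication without a CONFIDENTIAL transport guarantee. The function name, the finding codes and the embedded sample are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: step 4's fragment, trimmed to the JSPs copied in steps 1-2.
SAMPLE = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/ping.jsp</url-pattern><url-pattern>/logging.jsp</url-pattern>
   <url-pattern>/app/ping.jsp</url-pattern><url-pattern>/ui/ping.jsp</url-pattern>
   <http-method>POST</http-method><http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>IAMAdmin</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
 </security-constraint>
 <login-config><auth-method>BASIC</auth-method></login-config>
 <security-role><role-name>IAMAdmin</role-name></security-role>
</web-app>"""
COPIED = ["/ping.jsp", "/logging.jsp", "/app/ping.jsp", "/ui/ping.jsp"]  # from steps 1-2

def _local(tag):
    # Drop any XML namespace so namespaced and bare web.xml files both match.
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    return [(e.text or "").strip() for e in elem.iter() if _local(e.tag) == name]
def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def audit_web_xml(xml_text, required_patterns):
    """Return sorted (code, detail) findings for the security constraints in a web.xml."""
    root = ET.fromstring(xml_text)
    findings, protected = set(), set()
    declared = {r for sr in _children(root, "security-role") for r in _texts(sr, "role-name")}
    basic = "BASIC" in _texts(root, "auth-method")
    for sc in _children(root, "security-constraint"):
        auth = _children(sc, "auth-constraint")
        if not auth:
            continue  # without an auth-constraint the collection requires no login
        protected.update(_texts(sc, "url-pattern"))  # exact strings; wildcards not expanded
        methods = _texts(sc, "http-method")
        if methods:  # listed methods are constrained, every unlisted method is not
            findings.add(("methods-limited", ",".join(sorted(methods))))
        findings.update(("undeclared-role", r) for r in _texts(auth[0], "role-name") if r not in declared)
        guarantee = _texts(sc, "transport-guarantee")
        if basic and "CONFIDENTIAL" not in guarantee:  # BASIC credentials are only base64-encoded
            findings.add(("basic-without-confidential", ",".join(guarantee) or "absent"))
    findings.update(("unprotected", p) for p in required_patterns if p not in protected)
    return sorted(findings)

if __name__ == "__main__":
    print(audit_web_xml(SAMPLE, COPIED))
```

To check the real file, pass the contents of the edited C:\web.xml as xml_text together with the paths of the JSPs you deployed.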

Environment

Release:
Component: IDMGR
