How to define and map security roles in WebSphere 6.1 for securing ping.jsp and logging.jsp
Description:
For CA Identity Manager r12.5 SP6 onwards, logging.jsp and ping.jsp are no longer deployed by default. As specified in the readme.txt file located under <IMTOOLS>/samples/admin, it is now required to manually deploy the jsp files and then configure a security role within the Java Application server in order to protect these pages. This How-to document is to be used as a supplement to the original readme.txt file for a WebSphere environment.
Solution:
Before following the below steps make sure the IM server is stopped, but leave the corresponding node agent running.
- Copy the logging.jsp and ping.jsp files from:
C:\Program Files\CA\Identity Manager\IAM Suite\IdentityManager\tools\samples\Admin\user_console.war
To:
WebSphere\AppServer\profiles\<im profile>\installedApps\<cell>\iam_im.ear\user_console.war - Copy the ping.jsp file from:
C:\Program Files\CA\Identity Manager\IAM Suite\IdentityManager\tools\samples\Admin\user_console.war\app
To:
WebSphere\AppServer\profiles\<im profile>\installedApps\<cell>\iam_im.ear\user_console.war
WebSphere\AppServer\profiles\<im profile>\installedApps\<cell>\iam_im.ear\user_console.war\app
WebSphere\AppServer\profiles\<im profile>\installedApps\<cell>\iam_im.ear\user_console.war\ui - Get a copy of WebSphere\AppServer\profiles\<im profile>\installedApps\<cell >\iam_im.ear\user_console.war\WEB-INF\web.xml, put the copy in C:\
- Add following section after last taglib tag in the C:\web.xml:
<security-constraint><web-resource-collection><web-resource-name>IAMSecureAdminTooles</web-resource-name><description>Security constraint for IAM Admin Tools</description><url-pattern>/ping.jsp</url-pattern><url-pattern>/logging.jsp</url-pattern><url-pattern>/app/adapterBLTHTest.jsp</url-pattern><url-pattern>/app/objectTest.jsp</url-pattern><url-pattern>/app/ping.jsp</url-pattern><url-pattern>/app/pluginTest.jsp</url-pattern><url-pattern>/ui/ping.jsp</url-pattern><http-method>POST</http-method><http-method>GET</http-method></web-resource-collection><auth-constraint><description>only let the admin users use secured admin tools</description><role-name>IAMAdmin</role-name></auth-constraint><user-data-constraint><description>SSL not required</description><transport-guarantee>NONE</transport-guarantee></user-data-constraint></security-constraint><login-config><auth-method>BASIC</auth-method><realm-name>IAM Realm</realm-name></login-config><security-role><description>The IAM Secure Admin Role</description><role-name>IAMAdmin</role-name></security-role> - On WebSphere Integrated Solutions Console, update the user_console.war\WEB-INF\web.xml by following the illustration:
Navigate to Applications > Enterprise Applications, select the iam_im application and click Update<Please see attached file for image>
Select the option of Replace or add a single file, fill in the target file path and location of the local copy<Please see attached file for image>
Save the change<Please see attached file for image>
- On WebSphere Integrated Solutions Console, create a new user for accessing the ping.jsp and logging.jsp
Navigate to Users and Groups > Manage Users > Create a User, click Create...<Please see attached file for image>
Fill in the user information on the Create a User panel. You can choose a preferred user name.<Please see attached file for image>
Close the panel.<Please see attached file for image>
The new user iamadmin (uid=iamadmin,o=defaultWIMFileBasedRealm) should be listed on the result panel.<Please see attached file for image>
- On WebSphere Integrated Solutions Console, associate the Security Role IAMAdmin with the new user.
Navigate to Enterprise Applications > iam_im, click the link of Security role to user/group mapping<Please see attached file for image>
Select the IAMAdmin role, click Lookup the users<Please see attached file for image>
Select iamadmin user, click OK<Please see attached file for image>
On the result panel, note the iamadmin user is mapped to IAMAdmin role<Please see attached file for image>
Save the change.<Please see attached file for image>
- On WebSphere Integrated Solutions Console, enable application security.
Navigate to Secure administration, applications, and infrastructure, select Enable application security and click Apply<Please see attached file for image>
The returned notes may contains:
The security configuration is enabled or modified in a Network Deployment environment. The following steps need to be followed so that all the processes in this environment have the same security run-time settings: 1) Verify that all nodes are synchronized with these security configuration changes before stopping these processes. 2) If any node agents are currently stopped, issue a manual syncNode command before starting that node agent. 3) Stop all of the processes in the entire cell, including the deployment manager, node agents, and Application Servers. 4) Restart all of the processes in the cell; restart the deployment manager and node agents first, then Application Servers.<Please see attached file for image>
- On WebSphere Integrated Solutions Console, synchronize the modified configuration accordingly.
Navigate to System administration > Nodes, select the Node which hosting iam_im application and click Synchronize<Please see attached file for image>
On WebSphere Integrated Solutions Console, start your IM server<Please see attached file for image>
After the IM server fully started, browse to http://<IMHOST_FQDN:PORT>/iam/im/ping.jsp - you are prompted to enter credentials.<Please see attached file for image>
Supply the credentials and then the ping.jsp page will appear:<Please see attached file for image>
Release:
Component: IDMGR