Description:

For CA Identity Manager releases R12 CR13 onwards/R12.5 SP6 onwards, logging.jsp and ping.jsp are no longer by default. As specified in the readme.txt file located under <IMTOOLS>/samples/admin, it is now required to manually deploy the jsp files and then configure a security role within JBoss in order to protect these pages. This How-to document is to be used as a supplement to the original readme.txt file. Steps 1 and 2 are copied from original readme.txt file for convenience purposes only. This document only adds information when we get to step 3.

Solution:

Before following the below steps make sure the JBoss server is stopped.

1. Copy the logging.jsp and ping.jsp files from:
   
   C:\Program Files\CA\Identity Manager\IAM Suite\IdentityManager\tools\samples\Admin\user_console.war
   To:
   C:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\user_console.war
   
   Copy the ping.jsp file from:
   
   C:\Program Files\CA\Identity Manager\IAM Suite\IdentityManager\tools\samples\Admin\user_console.war\app
   To:
   C:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\user_console.war\app
   
   Copy the ping.jsp file from:
   
   C:\Program Files\CA\Identity Manager\IAM Suite\IdentityManager\tools\samples\Admin\user_console.war\ui
   To:
   C:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\user_console.war\ui
   
   
2. Add following section after last taglib tag in the file user_console.war\WEB-INF\web.xml under IAM application EAR location in order to secure the admin toolkit:

           <security-constraint>        <web-resource-collection>          <web-resource-name>IAMSecureAdminTooles</web-resource-name>          <description>Security constraint for IAM Admin Tools</description>          <url-pattern>/ping.jsp</url-pattern>          <url-pattern>/logging.jsp</url-pattern>          <url-pattern>/app/adapterBLTHTest.jsp</url-pattern>          <url-pattern>/app/objectTest.jsp</url-pattern>          <url-pattern>/app/ping.jsp</url-pattern>          <url-pattern>/app/pluginTest.jsp</url-pattern>          <url-pattern>/ui/ping.jsp</url-pattern>          <http-method>POST</http-method>          <http-method>GET</http-method>        </web-resource-collection>        <auth-constraint>            <description>only let the admin users use secured admin tools</description>            <role-name>IAMAdmin</role-name>        </auth-constraint>        <user-data-constraint>          <description>SSL not required</description>          <transport-guarantee>NONE</transport-guarantee>        </user-data-constraint>    </security-constraint>    <login-config>        <auth-method>BASIC</auth-method>        <realm-name>IAM Realm</realm-name>    </login-config>    <security-role>      <description>The IAM Secure Admin Role</description>      <role-name>IAMAdmin</role-name>    </security-role>

3. Create security role IAMAdmin and assign at least one admin user to it using application server specific documentation. Below is an example for steps for creating the required security role and assigning admin users to it:
   
   
4. It is assumed step 1 has been performed, and the relevant code was added to C:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\user_console.war\WEB-INF\web.xml
   
   Create a new file named jboss-web.xml under
   
   C:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\user_console.war\WEB-INF and add the following content:

   <jboss-web>       <context-root></context-root>       <security-domain>java:/jaas/tools</security-domain></jboss-web>

   Note: tools is the name for an application policy name that will be created in the next step.
   
   
5. Edit C:\jboss-4.2.3.GA\server\default\conf\login-config.xml by adding the following lines:

          <!-- start of tools configuration CR13 -->         <application-policy name="tools">           <authentication>           <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">             <module-option name="hashAlgorithm">MD5</module-option>             <module-option name="hashEncoding">base64</module-option>             <module-option name="usersProperties">tools-users.properties</module-option>             <module-option name="rolesProperties">tools-roles.properties</module-option>          </login-module>          </authentication>        </application-policy>       <!-- end of tools configuration CR13 -->

6. Open command prompt to C:\jboss-4.2.3.GA\server\default\lib and run following command:
   
   java -cp jbosssx.jar org.jboss.security.Base64Encoder your_password md5
   
   replace your_password with the password value you would like to encrypt.
   
   
7. Create a file named tools-users.properties under C:\jboss-4.2.3.GA\server\default\conf - each line in this file should contain a username and a password in the following format:
   
   username=password
   
   Add the following line to the newly created file:
   imuser=<Password_Generated_In_Previous_Step>
   
   
8. Create a file named tools-roles.properties under C:\jboss-4.2.3.GA\server\default\conf - each line in this file should contain a username and a role in the following format:
   
   username=rolename
   
   Add the following line to the newly created file:
   imuser=IAMAdmin
   
   
9. Open command prompt to C:\jboss-4.2.3.GA\bin and run compile_jsp.bat (or compile_jsp.sh on unix/linux)
   
   
10. Start JBoss, and browse to http://<JBOSS_FQDN:PORT>/idm/logging.jsp - you are prompted to enter credentials - use imuser for username and the password created for accessing logging.jsp.

These credentials are valid to all sample jsp files deployed in step 1.