This tech doc has been updated with the steps to protect Identity Manager's management console under Web Sphere 7.0.x
This Tech Doc is updated and includes the steps for WAS 7.0.0.x
to apply WAS global security in order to protect Identity Manager management's console.
WebSphere (version 7.0.0.x)
Create two new text files, named users.props and groups.props, and place them in the following directory:
Note: You may need to create folders that do not exist
From a text editor, add the following lines to users.props:
# Format: # name:passwd:uid:gids:display name # where name = userId/userName of the user # passwd = password of the user # uid = uniqueId of the user # gid = groupIds of the groups that the user belongs to # display name = a (optional) display name for the user. wsadmin:password:1:100:wsadmin IDM:password:2::IDM
Note: The IDM user above is needed for the Workflow. This username and password MUST match the username and password in the Workflow ra.xml file.
From a text editor, add the following lines to groups.props:
# Format: # name:gid:users:display name # where name = groupId of the group # gid = uniqueId of the group # users = list of all the userIds that the group contains # display name = a (optional) display name for the group. admins:100:wsadmin:Administrative group Log into the Websphere Administrative Console
Step 2: Apply WAS Global Security.
Go to Security-->Secure administration, applications, and infrastructure
Check the following settings:
Enable administrative security
Enable application security
Remove the check marks in the Java 2 Security section
Under Available realm definition select "Standalone custom registry". Then, click on configure.
Enter wsadmin for the Primary administrative username.
Select "Automatically generated server identity"
Click on Custom properties.
Click New and enter the following:
Value: C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\access\users.props
Click New and enter the following:
Value: C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\access\groups.props
Save your changes
Navigate back to the screen "Secure administration, applications, and infrastructure" and complete the following steps:
Ensure that "Enable administrative security" and "Enable application security" are selected.
Under "Avaliable Real Definitions," select "Standalone custom registry."
Click on "Set as Current."
Apply and save your settings.
Step 3: Apply the security into the IDM's Management Console application
Please make sure you do this step for EVERY node in your clustered envrionment (if clustered):
In a text editor, open web.xml located in the following directory:
Add the following code to the bottom of web.xml, just above </web-app>:
<security-constraint> <web-resource-collection> <web-resource-name>IDMManage</web-resource-name> <url-pattern>/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name> imadministrators </role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/login.html</form-login-page> <form-error-page>/error.html</form-error-page> </form-login-config> </login-config> <security-role> <role-name> imadministrators </role-name> </security-role>
Save the file.
Copy this file that you just updated to:
You should run over the file that existed there and paste your new copy on it (you can backup the previous file beforehand as pointed out earlier).
Make sure you do this step for EVERY node in your clustered environment (if clustered):
Create the login.html and error.html files (see below) and copy them into the following directory:
Create a text file named login.html. Add the following code to this file.
<html> <head><title>CA Identity Manager</title></head> <body> <form method="POST" action="j_security_check"> <table border=0> <tr> <td>Username:</td> <td><input type="text" name="j_username"></td> </tr> <tr> <td>Password:</td> <td><input type="password" name="j_password"></td> </tr> <tr> <td colspan=2 align=center><input type=submit value="Submit"></td> </tr> </table> </form> </body> </html>
** error.html <html> <head><title>Login failed</title></head> <body> <h4>Sorry, your user name and password were not recognized.</h4> <a href="login.html">Return to login page</a> </body> </html>
Copy these two files into:
C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\<cell name>\applications\iam_im.ear
Make sure to do this step for EVERY node in your clustered environment (if clustered):
In a text editor, open application.xml located in the following directory:
C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\<cell name>\iam_im.ear\META-INF
Edit this file by adding the following lines, just above </application>:
Save the file.
Copy the file to the following location (it's advised that you backup the file before running it over):
restart the Websphere services.
Log back into the Websphere Administrative Console.
Click on Applications, Enterprise Applications.
Select the IdentityMinder application.
Under Detail Properties click on "Security role to users/group mapping."
Select imadministrators and click "Look up users."
Select the "wsadmin" and use the right arrow button to move it to the right.
Click OK twice.
Save your changes.
Restart the IdentityMinder application.
Log in to http://servername:9080/idmmanage.
You should see a form login page.
Enter the username/password that you defined above.
The Management Console is now protected.
Note: Verify that Workflow still functions properly after making these changes.