WebSphere (7.0 & 6.1), Security, and BeanSpy
This page contains information about configuring the WebSphere Web Server to require BASIC authentication when accessing servlets. Security is a very Application Server specific task. During the development of this feature, it was noted that depending on the setup of the application server, certain behaviors were observed. Below are the steps necessary for requiring authentication when connecting to BeanSpy. This is intended for use with the JEE feature of OpsMgr 2012 / 2012SP1.
Overview
The short version either security needs to be off (such as you in your test lab) or both Administrative and Application Security.
1. Enable WebSphere Security
2. Enable authorization requirement
3. Import/Deploy the BeanSpy on the Application Server
4. Create a User in WebSphere
5. Associate a user account with the BeanSpy's monitoring role
1. WebSphere 7.0
2. WebSphere 6.1
6. Create RunAs Account in the Operations Manager Console
Step #1) Enable WebSphere Security
It is strongly recommended that a profile be used that was installed with security enabled.
If it has not already been turned on (it could be off by default), turn on Administration Security. This can be done by logging into the WebSphere Console and expanding Security and clicking on Global Security. Ensure that the check box for Enable administrative security is checked. If necessary click Apply to set these changes.
The next step is to enable application security. This can be done by logging into the WebSphere Console and expanding Security and clicking on Global Security. Ensure that the check box for Enable application security is checked. If necessary click Apply to set these changes.
Restart the application server for the changes to take effect.
Step #2) Choose the right EAR file
Inside the MPB, there are four files:
- BeanSpy.war
- BeanSpy.ear
- BeanSpy.HTTP.NoAuth.ear
- BeanSpy.HTTP.NoAuth.war
Assuming you want the authentication, choose BeanSpy.ear.
The relevant difference (and these are just technical details) are below. Useful Link: https://community.jboss.org/wiki/SecureAWebApplicationInJBoss (just the web.xml stuff)
<!-- /////////////////////////////////////////////////////////////// -->
<!-- BEGIN WEBSPHERE SECTION -->
<!-- /////////////////////////////////////////////////////////////// -->
<!-- The following security constraints are for WebSphere. -->
<security-constraint>
<web-resource-collection>
<web-resource-name>BeanSpy resources</web-resource-name>
<description>Protects BeanSpy resources</description>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>monitoring</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>monitoring</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Monitoring Realm</realm-name>
</login-config>
<!-- /////////////////////////////////////////////////////////////// -->
<!-- END WEBSPHERE SECTION -->
<!-- /////////////////////////////////////////////////////////////// -->
Step #3) Import/Deploy the BeanSpy on the Application Server
Import the security-enabled BeanSpy.ear file into WebSphere. Use the IBM Admin Console to import the package and start it. A user account still needs to be created and associated with the monitoring role created above. Look in the MP guide for more details about the role
Step #4) Create a user in WebSphere
In the IBM WebSphere Admin Console, expand Users and Groups in the left-hand panel and select Manage Users.
Step #5) Associate the user with the BeanSpy's monitoring role
Between WebSphere 7.0 and 6.1 there are a few differences for how to associate user accounts with the BeanSpy role.
WebSphere 7.0
In the IBM WebSphere Admin Console, expand Applications in the left-hand panel, expand Application Types, and select WebSphere enterprise applications. In the list of applications, click the link for the BeanSpy. Under the Detail Properties, click the link for Security role to user/group mappings.
In the table that now displays, there should be a table with a single entry: monitoring (or the name of the role you defined in the web.xml in one of the previous steps. Click the check-box and click the Map Users... button. In the next screen perform the necessary steps to locate your user account and move this from the Available block to the Selected one. Click OK when finished.
On the next screen there should be a warning about saving or reviewing changes, be sure to do this! When finished, verify that in Enterprise Applications > BeanSpy > Security role to user/group mapping the Mapped users include the desired users(s).
At this point, it is recommended performing a quick sanity-check. Open a browser and point it too the BeanSpy. Any URL should work, but for simplicity try the Stats page (https://localhost:9080/BeanSpy/Stats). Before accessing the page, there should be a prompt for username and password credentials.
Note: most browsers will cache username & password (I'm looking at you Internet Explorer) once entered. Thus, to re-enter username and password it would be necessary to restart the browser.
WebSphere 6.1
In the IBM WebSphere Admin Console, expand Applications in the left-hand panel and select WebSphere enterprise applications. In the list of applications, click the link for the BeanSpy. Under the Detail Properties, click the link for Security role to user/group mappings. This mapping link will not be available if the imported EAR does not contain the uncommented security constraints in the web.xml.
In the table that now displays, there should be a table with a single entry: monitoring (or the name of the role you defined in the web.xml in one of the previous steps. Click the check-box and click the Look up users... button. In the next screen perform the necessary steps to locate your user account and move this from the Available block to the Selected one. Click OK when finished.
On the next screen there should be a warning about saving or reviewing changes, be sure to do this! When finished, verify that in Enterprise Applications > BeanSpy > Security role to user/group mapping the Mapped users include the desired users(s).
At this point, it is recommended performing a quick sanity-check. Open a browser and point it too the BeanSpy. Any URL should work, but for simplicity try the Stats page (https://localhost:8080/BeanSpy/Stats). Before accessing the page, there should be a prompt for username and password credentials
.
Note: most browsers will cache username & password once entered. Thus, to re-enter username and password it would be necessary to restart the browser.
Step #6) Create RunAs Account in the Operations Manager Console
Now switch over to the Operations Manager Console. If it has not already been done, import the WebSphere MP. Before running the "Deep" discoveries (i.e. managed application server or application/application modules), the created user account needs to be associated with the appropriate object. This way when monitoring discovery/rule/etc... runs, it knows to use the associated credentials when establishing the HTTP connection.
- Choose the Administration Tab.
- In the navigation pane, choose Administration > Run As Configuration > Accounts
- Under Tasks, click Create Run As Account
- For the first tab to specify general properties
- Run As account type: Basic Authentication
- Display name: websphere account
- Click Next
- The second tab to specify credentials
- Username: <username entered for step #4 above>
- Password: <password entered for step #4 above>
- Confirm Password
- Click Next
- Distribution Security (As per your needs)
- Click Create
The final step is to associate the Run As profile with the account(s) created above. A Run As profile is targeted at classes or instances. This is an OpsMgr feature and a full discussion of this topic is beyond the scope of this guide.
To use this feature, locate the JEE Monitoring Account and associate accounts with the profile.
- Choose the Administration Tab.
- In the navigation pane, choose Administration > Run As Configuration > Accounts
- Select JEE Monitoring Account
- Under Tasks, click Properties
- From the pulldown box, select the desired account created above.
- Select the objets to target with the Run As Account. The "easy option is to select the All targed objects option
- Select All targeted objects to automatically applied to the right targeted object.
- To target the minimal amount of Classes for WebSphere monitoring:
- From the Java EE IBM WebSphere Application Server MP
- Managed IBM WebSphere Application Server Profile on Windows
- Specific objects (i.e. instances) can also be targeted
- Having selected the appropriate objects, click Save
At this point, the Deep Managed and Application Discoveries. When a HTTP connection is setup, the username and password will be supplied.