Symantec IGA


Setting up Logging JSP page for IDM12 5 on JBOSS5X

  • 1.  Setting up Logging JSP page for IDM12 5 on JBOSS5X

    Posted Feb 14, 2012 05:17 PM

    This is a follow-up to the current tech doc TEC537308 which discusses setting up logging.jsp for JBOSS 4.2.3. You can follow this tech tip completely without needing to refer back to the Readme at
    \CA\Identity Manager\IAM Suite\Identity Manager\tools\samples\Admin.

    Note: This example assumes use of jboss-5.1.0.GA but the same file path will follow for any other jboss 5 version - this just represents your JBOSS_HOME directory.

    Note: In the case of a cluster, replace all file references to \jboss-5.1.0.GA\server\default\deploy with
    \jboss-5.1.0.GA\server\all\farm. The same steps can be used otherwise for a cluster.

    1. Copy over the logging.jsp from \CA\Identity Manager\IAM Suite\Identity Manager\tools\samples\Admin to \jboss-5.1.0.GA\server\default\deploy\iam_im.ear\user_console.war.

    2. Recompile your JSPs. Run iam_im_compile_jsp in C:\Program Files\jboss-5.1.0.GA\bin and wait to get a successful build message.

    3. If you have no intention of securing the logging.jsp, then restart jboss and skip to step 9.

    4. If you want to secure the logging.jsp using JBOSS's native authentication mechanism
    (and not Siteminder) then follow the steps below.
    Add the following section after the last taglib tag in the \jboss-5.1.0.GA\server\default\deploy\iam_im.ear\user_console.war\WEB-INF\web.xml.

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>IAMSecureAdminTools</web-resource-name>
        <description>Security constraint for IAM Admin Tools</description>
        <url-pattern>/ping.jsp</url-pattern>
        <url-pattern>/logging.jsp</url-pattern>
        <url-pattern>/app/adapterBLTHTest.jsp</url-pattern>
        <url-pattern>/app/objectTest.jsp</url-pattern>
        <url-pattern>/app/ping.jsp</url-pattern>
        <url-pattern>/app/pluginTest.jsp</url-pattern>
        <url-pattern>/ui/ping.jsp</url-pattern>
        <!-- For each environment - start -->
        <url-pattern>/<environment_alias>/adapterBLTHTest.jsp</url-pattern>
        <url-pattern>/<environment_alias>/objectTest.jsp</url-pattern>
        <url-pattern>/<environment_alias>/ping.jsp</url-pattern>
        <url-pattern>/<environment_alias>/pluginTest.jsp</url-pattern>
        <!-- For each environment - end -->
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>only let the admin users use secured admin tools</description>
        <role-name>IAMAdmin</role-name>
      </auth-constraint>
      <user-data-constraint>
        <description>SSL not required</description>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>IAM Realm</realm-name>
    </login-config>
    <security-role>
      <description>The IAM Secure Admin Role</description>
      <role-name>IAMAdmin</role-name>
    </security-role>

    Note: If you don't have any environments (IMEs) configured yet, comment out the lines with <environment_alias>.


    5. Edit the existing jboss-web.xml in \jboss-5.1.0.GA\server\default\deploy\iam_im.ear\user_console.war\WEB-INF.
    This is what the file should look like:
    <jboss-web>
      <depends>jboss.jca:service=ConnectionFactoryBinding,name=JmsXA</depends>
      <depends>jboss.messaging.destination:service=Topic,name=iam.im.jms.topic.ServerCommandTopic</depends>
      <depends>jboss.jca:service=DataSourceBinding,name=iam/im/jdbc/jdbc/objectstore</depends>
      <security-domain>java:/jaas/IAMAdmin</security-domain>
    </jboss-web>
    Note: We added the line for the security domain and called it IAMAdmin; it doesn't matter what this is called. We are creating the security domain here.


    6. Edit the login-config.xml file in \jboss-5.1.0.GA\server\default\conf. For the IAMAdmin
    security-domain in 5), create the application-policy like this:

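    <application-policy name="IAMAdmin">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
          <module-option name="usersProperties">props/IAMAdmin-users.properties</module-option>
          <module-option name="rolesProperties">props/IAMAdmin-roles.properties</module-option>
          <!-- Hash the entered password the same way as the value generated in step 7 before comparing -->
          <module-option name="hashAlgorithm">MD5</module-option>
          <module-option name="hashEncoding">base64</module-option>
        </login-module>
      </authentication>
    </application-policy>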

    Note: The application-policy name IAMAdmin matches the security domain name created in 5).


    7. Open a Command Prompt and navigate to the following directory: \jboss-5.1.0.GA\server\default\lib
    Run the following command to generate an encrypted password for the user who will need access to logging.jsp:
    java -cp jbosssx.jar org.jboss.security.Base64Encoder yourpassword md5

    8. Create in \jboss-5.1.0.GA\server\default\conf\props a file called IAMAdmin-users.properties and a file called
    IAMAdmin-roles.properties. The users and roles properties file names must again match the name of the security domain created in 5).

    IAMAdmin-users.properties looks like this:
    # A sample users.properties file for use with the UsersRolesLoginModule
    admin=<put encrypted password generated from 7)>

    IAMAdmin-roles.properties looks like this:
    # A sample roles.properties file for use with the UsersRolesLoginModule
    admin=IAMAdmin

    Note: The role name "IAMAdmin" on the right of the roles.properties file matches the <role-name> tag in the web.xml in 1).


    9. Directly access the logging.jsp at http://<FQDN>:<8080>/iam/im/logging.jsp.
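
An added example, not part of the original post or of the vendor's samples: a small Python audit of a web.xml like the one in step 4. It reports constraints that list `<http-method>` elements (under the Servlet specification such a constraint applies only to the listed methods), BASIC or FORM login without a CONFIDENTIAL transport guarantee, and required URLs that no auth-constraint covers. The `audit` function, its `required` parameter and the trimmed sample document are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the step 4 constraint, trimmed to two URL patterns.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>IAMSecureAdminTools</web-resource-name>
      <url-pattern>/ping.jsp</url-pattern>
      <url-pattern>/logging.jsp</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>IAMAdmin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def audit(web_xml, required=("/logging.jsp",)):
    """Return findings for a web.xml; url-patterns are matched exactly,
    wildcard patterns are not expanded (hypothetical helper)."""
    root = ET.fromstring(web_xml)
    for el in root.iter():  # strip XML namespaces so plain tag names match
        el.tag = el.tag.rsplit("}", 1)[-1]
    auth = (root.findtext("login-config/auth-method") or "").strip().upper()
    protected, findings = set(), []
    for sc in root.iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # no auth-constraint: this block does not require login
        for wrc in sc.iter("web-resource-collection"):
            name = (wrc.findtext("web-resource-name") or "?").strip()
            protected.update((p.text or "").strip()
                             for p in wrc.iter("url-pattern"))
            methods = sorted((m.text or "").strip()
                             for m in wrc.iter("http-method"))
            if methods:  # listing methods leaves all other methods uncovered
                findings.append(f"{name}: only {'/'.join(methods)} are "
                                "constrained; unlisted HTTP methods are not")
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee")
                     or "NONE").strip().upper()
        if auth in ("BASIC", "FORM") and guarantee != "CONFIDENTIAL":
            findings.append(f"{auth} login with transport-guarantee "
                            f"{guarantee}: credentials may use plain HTTP")
    findings += [f"{url}: no auth-constraint covers it"
                 for url in required if url not in protected]
    return findings

if __name__ == "__main__":
    for finding in audit(WEB_XML):
        print("FINDING:", finding)
```

Removing the `<http-method>` elements and setting the transport guarantee to CONFIDENTIAL clears both findings for the sample.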



  • 2.  RE: Setting up Logging JSP page for IDM12 5 on JBOSS5X

     
    Posted Feb 16, 2012 04:36 PM
    Thanks for providing the community with all this great information Palaka!