securing SMA on Websphere
We are getting below error while accessing individual nodes configured in SMA.
Access is denied for the getName operation on enterprise MBean because of insufficient or empty credentials
And below error in logs:
The user UNAUTHENTICATED (unique ID: unauthenticated) was not granted any of the following required roles: deployer, operator, configurator, monitor, administrator, adminsecuritymanager, auditor.
Looks like role based access has been configured somewhere.
We are using Web Sphere server. Any idea how to restrict Access to SMA with Role-Based Security?
From System Management Application reference guide i found below:
If implementing role-based security, users who will access the SMA must be assigned the PegaDiagnosticUser role in order to have complete access to SMA functions.
PegaDiagnosticUser is defined as a security constraint in the Process Commander‘s web.xml file (found, for example, at TOMCAT_HOME/webapps/prweb/WEB-INF/web.xml).
PegaDiagnosticUser is assigned to individual users in the application server‘s user definitions file (found, for example, at TOMCAT_HOME/conf/tomcat-users.xml).
We need similar setting for Web Sphere. or some pointer to solve above access issue.
Accepted Solution
- Refer to following PDN article for more details:
https://pdn.pega.com/security/implementing-authentication-for-prsysmgmt-and-prdbutil
Add the following security contraint entry in your web.xml and repackage the EAR:
<security-constraint> <web-resource-collection> <web-resource-name>System Management Application - DB utility Application </web-resource-name> <description>secure all urls for this application</description> <url-pattern>/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>PegaDiagnosticUser</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>PegaRULES</realm-name> </login-config> <security-role> <role-name>PegaDiagnosticUser</role-name> </security-role>
2. Make sure Administrative security is enabled on Websphere and set of users or groups who will have access to SMA configured:
- Refer to following PDN article for more details:
https://pdn.pega.com/security/implementing-authentication-for-prsysmgmt-and-prdbutil
Add the following security contraint entry in your web.xml and repackage the EAR:
<security-constraint> <web-resource-collection> <web-resource-name>System Management Application - DB utility Application </web-resource-name> <description>secure all urls for this application</description> <url-pattern>/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>PegaDiagnosticUser</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>PegaRULES</realm-name> </login-config> <security-role> <role-name>PegaDiagnosticUser</role-name> </security-role>
2. Make sure Administrative security is enabled on Websphere and set of users or groups who will have access to SMA configured:
3. Deploy the repackaged war on Websphere and pick an appropriate User or Group
4. Now when you try and access the prsysmgmt URL, you’ll be prompted for the credentials