How to secure SMA in Tomcat 8
Hi,
We have seen SMA is not secure by default. Whenever we open SMA it does not ask for any credentials. When we configured SMA to always ask for credentials, I was assuming that it would take only the credentials that is configured in tomcat-users.xml (i.e., PegaDiagnosticUser). However, we have seen it takes whatever text we type which makes it unsecure.
We do not want someone to mess up the agent configs or do other administrative stuff apart from people who know PegaDiagnosticUser credentials. Kindly let me know how can we secure SMA.
**Moderation Team has archived post**
This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.
Accepted Solution
Updated: 14 Aug 2017 11:26 EDT
Pegasystems Inc.
US
Hi Manjunath,
Can you try the following which will restrict the authentication at the web container level (e.g. tomcat). You may already have the tomcat-Users.xml configured with a username / password using the PegaDiagnosticRole. Restart your server and you should be prompted to enter in a valid userid/password:
Please include the following in prsysmgmt web.xml
prsysmgmt web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>System Management Application - DB utility
Application </web-resource-name>
<description>secure all urls for this application</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
Hi Manjunath,
Can you try the following which will restrict the authentication at the web container level (e.g. tomcat). You may already have the tomcat-Users.xml configured with a username / password using the PegaDiagnosticRole. Restart your server and you should be prompted to enter in a valid userid/password:
Please include the following in prsysmgmt web.xml
prsysmgmt web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>System Management Application - DB utility
Application </web-resource-name>
<description>secure all urls for this application</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>PegaDiagnosticUser</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>PegaRULES</realm-name>
</login-config>
<security-role>
<role-name>PegaDiagnosticUser</role-name>
</security-role>
Make sure the following is in the tomcat-users.xml:
Tomcat-Users.xml:
<role rolename="PegaDiagnosticUser"/>
<user username="smauser" password="sma" roles="PegaDiagnosticUser"/>
Here smauser/sma are the credentials that uses to authenticate SMA
Pegasystems Inc.
US
Hi ManjunathPai,
Have you taken a look at the installation guide: https://docs-previous.pega.com/pega-722-platform-installation-guide-apache-tomcat-and-oracle under the section:
Let us know if that helps you out.
Pegasystems Inc.
US
The section is Configuring roles and users on page 37. They discuss the PegaDiagnosticUser role and setup in tomcat-users.xml.
Pegasystems Inc.
US
Hi ManjunathPai,
Please check below following article:
https://pdn.pega.com/support-articles/how-enable-authentication-sma-portal
I think you need to add PegaDiagnosticUser role in tomcat-users.xml as illustrated in the following example:
<role rolename="PegaDiagnosticUser"/>
<user username="user1" password="secret" roles="PegaDiagnosticUser"/>
And then on SMA, Administrative (JMX/SOAP) Credentials, for the field Please select mode of authentication, click Always Prompt for Credentials.
This mode enforces authentication for SMA after the user logs off or opens a new browser session. Users are always asked to type credentials to get into SMA.
I hope this helps.
Thanks,
mukul
Pai G
IN
Hi BradTainter_GCS and rathm1
I have configured SMA with pegadiagnostic user in the tomcat-users.xml. But even after configuring the nodes with Always prompt for credentials, it is still taking any credentials. Even if I type wrong credentials, I am still able to login to SMA. Kindly let me know what else can be done.
Accepted Solution
Updated: 14 Aug 2017 11:26 EDT
Pegasystems Inc.
US
Hi Manjunath,
Can you try the following which will restrict the authentication at the web container level (e.g. tomcat). You may already have the tomcat-Users.xml configured with a username / password using the PegaDiagnosticRole. Restart your server and you should be prompted to enter in a valid userid/password:
Please include the following in prsysmgmt web.xml
prsysmgmt web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>System Management Application - DB utility
Application </web-resource-name>
<description>secure all urls for this application</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
Hi Manjunath,
Can you try the following which will restrict the authentication at the web container level (e.g. tomcat). You may already have the tomcat-Users.xml configured with a username / password using the PegaDiagnosticRole. Restart your server and you should be prompted to enter in a valid userid/password:
Please include the following in prsysmgmt web.xml
prsysmgmt web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>System Management Application - DB utility
Application </web-resource-name>
<description>secure all urls for this application</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>PegaDiagnosticUser</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>PegaRULES</realm-name>
</login-config>
<security-role>
<role-name>PegaDiagnosticUser</role-name>
</security-role>
Make sure the following is in the tomcat-users.xml:
Tomcat-Users.xml:
<role rolename="PegaDiagnosticUser"/>
<user username="smauser" password="sma" roles="PegaDiagnosticUser"/>
Here smauser/sma are the credentials that uses to authenticate SMA
Pai G
IN
Hi Brad,
Thanks for your response. Our server is configured to login with windows credentials on the server. We have a group account where all the sys admins login with thier own credentials.
I added the lines which you provided in prsysmgmt.xml and when I try to open it, it is giving me an error as per screenshot below.
Pai G
IN
Hi Brad,
This configuration finally worked for me. It was conflicting with our SSO configuration. We fixed the SSO config and this started to work. Thanks.
Regards,
Manju.
Pegasystems Inc.
US
Hi Manjunath,
How are you accessing SMA? Are you directly going against the SMA portal or trying to access via the Developer Portal? Did you update the Tomcat-Users.xml file as well with the role and user?
Pegasystems Inc.
US
Hi Manjunath,
I tried this on a tomcat 8 instance and when hitting the URL for the SMA, it prompts me to enter in the credentials that were provided in the tomcat-users.xml. Once I enter those details, I have authenticated and the SMA screen is provided. I am not sure why you are getting the 403 error unless there is something that is incorrect in the configuration or the credentials are incorrect. I would suggest opening up an SR to have this looked at further.
Ameriprise Financial
US
Hi Brad - do you know if the solution you provided will still work when -Dcom.sun.management.jmxremote.authenticate=true is in the setenv.sh file?
Thanks.