Question
Pegasystems Inc.
JP
Last activity: 12 Sep 2018 4:16 EDT
Logs for SMA login details
Hi,
Is there anyway to enable logs to monitor the Users loging into SMA. We have enabled Security for SMA, but we do not have any track on who/when logged in to SMA.
Pegasystems Inc.
IT
Since SMA authentication is leveraging container managed authentication you need to configure the application server accordingly.
In Tomcat this is as easy as adding the following entries to your $CATALINA_BASE/conf/logging.properties
1catalina.org.apache.juli.FileHandler.bufferSize = -1
org.apache.catalina.realm.level = FINE
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = FINE
org.apache.catalina.authenticator.useParentHandlers = true
Then, when logging into SMA with the username (smauser) configured in the security realm, you can observe the following entries in the catalina.out logs
Since SMA authentication is leveraging container managed authentication you need to configure the application server accordingly.
In Tomcat this is as easy as adding the following entries to your $CATALINA_BASE/conf/logging.properties
1catalina.org.apache.juli.FileHandler.bufferSize = -1
org.apache.catalina.realm.level = FINE
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = FINE
org.apache.catalina.authenticator.useParentHandlers = true
Then, when logging into SMA with the username (smauser) configured in the security realm, you can observe the following entries in the catalina.out logs
lug 26, 2018 9:49:32 AM org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[System Management Application - DB utility
Application]' against GET /index.jsp --> true
lug 26, 2018 9:50:02 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Security checking request GET /prsysmgmt/
...
lug 26, 2018 9:50:02 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling authenticate()
lug 26, 2018 9:50:02 AM org.apache.catalina.authenticator.AuthenticatorBase register
FINE: Authenticated 'smauser' with type 'BASIC'
lug 26, 2018 9:50:02 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling accessControl()
lug 26, 2018 9:50:02 AM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: Checking roles GenericPrincipal[smauser(PegaDiagnosticUser,)]
lug 26, 2018 9:50:02 AM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: Role found: PegaDiagnosticUser
lug 26, 2018 9:50:02 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Successfully passed all security constraints
Pegasystems Inc.
JP
domenicoGiffone_GCS Thank You, Any such property in WebSphere Application Server ?
AIG
PH
Hi domenicoGiffone_GCS is there any update on KrishnanS9686 question? apprecieate your help on this. thank you.
Pegasystems Inc.
IT
Hi @JohnPaulB apologies for the delayed reply.
The same task can be performed on WAS after the SMA application has been secured by enabling the WebSphere security auditing subsystem.
The main steps to follows are:
- Enabling the security auditing subsystem
- Configure the security auditing event type filters
- Configure the audit service provider
After applying the former steps and restarting the server an audit log file will be created in the $LOG_ROOT path.
In my case the file was placed in the /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs path and named BinaryAudit_DefaultCell01_DefaultNode01_server1.log
To make a test I mapped the PegaDiagnosticUser role to the wsadmin user and the following content appeared in the audit log as soon as I logged in SMA:
Hi @JohnPaulB apologies for the delayed reply.
The same task can be performed on WAS after the SMA application has been secured by enabling the WebSphere security auditing subsystem.
The main steps to follows are:
- Enabling the security auditing subsystem
- Configure the security auditing event type filters
- Configure the audit service provider
After applying the former steps and restarting the server an audit log file will be created in the $LOG_ROOT path.
In my case the file was placed in the /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs path and named BinaryAudit_DefaultCell01_DefaultNode01_server1.log
To make a test I mapped the PegaDiagnosticUser role to the wsadmin user and the following content appeared in the audit log as soon as I logged in SMA:
Seq = 642 | Event Type = SECURITY_AUTHN | Outcome = SUCCESSFUL | OutcomeReason = SUCCESS |
OutcomeReasonCode = 5 | SessionId = null | RemoteHost = Proprietary information hidden | RemoteAddr = Proprietary information hidden |
RemotePort = 56248 | ProgName = /getnodes | Action = webAuth | AppUserName = wsadmin |
ResourceName = GET | RegistryUserName = defaultWIMFileBasedRealm/wsadmin |
AccessDecision = authnSuccess | ResourceType = web |
ResourceUniqueId = 0 | PermissionsChecked = null |
PermissionsGranted = null | RolesChecked = null | RolesGranted = null |
CreationTime = Fri Aug 31 12:42:10 EET 2018 |
GlobalInstanceId = 0 | EventTrailId = null | FirstCaller = /UNAUTHENTICATED |
Realm = defaultWIMFileBasedRealm | RegistryType = WIMUserRegistry |
AuthnType = challengeResponse | Provider = WebSphere |
ProviderStatus = providerSuccess
For further details on Auditable security events please refer to the link below.
If you want to reduce the verbosity of the audit file you can create a dedicated filter for SECURITY_AUTHN events only.
https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/rsec_sa_event_types.html
AIG
PH
Hi DomenicoGiffone_GCS, thank you very much for your response it was very helpful and apology for belayed reply.
one more clarification please, as we checked all login logs is monitored including WAS/PRPC log in, is there a way to filter on SMA logs? thank you.
Pegasystems Inc.
IT
Hi @JohnPaulB,
thanks for the feedback. I'm not aware of a way to filter auditable events just for a single application but better to route this question to your Websphere administrator.
You can however filter the generated logs for all the events produced by the prsysmgmt application.
Another way to quickly identify SMA authentication events is to filter for events with the following predicates:
- "Event Type = SECURITY_AUTHN"
- "ProgName = /getnodes | Action = webAuth"
Cheers,
Domenico