This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

How to secure the System Management Application by restricting user access (Oracle WebLogic)

The System Management Application (SMA) does not restrict user access. Any user who has access to the domain where the application server hosts SMA can use SMA and see system information. Any user with this access who clicks the SMA link, http://<host_name>:<port_number>/prsysmgmt, can see all information about the Pega application and the environment.

SMA uses Java Management Extensions (JMX) to track system functions. You can secure SMA by securing the JMX port or by securing the application server. This article explains the latter option, securing SMA from the application server. The procedure is specific to the Oracle WebLogic application server.

Suggested approach

Refer to your application server documentation for security concepts and procedures that explain how to restrict user access to domains. The following procedure explains how to do this for the pega_domain on Oracle WebLogic.

Preview

In the procedure that follows, you make a copy of the deployed prsysmgmt.war file and create a new group called PegaDiagnosticUser that contains a user called smauser assigned the password smauser1. In the WebLogic Administration Console, you grant this group and user permission to authenticate into SMA from the WebLogic pega_domain. Users must now log in to SMA when challenged for credentials. The example user smauser with password smauser1 is authenticated.

  1. Create security elements in a copy of the deployed SMA WAR file
  2. Replace the deployed SMA WAR file with the modified file containing the new security elements
  3. Set up the WebLogic Security Realms to use the security elements of the newly created and deployed SMA WAR file
  4. Verifying the result and first-time use
  5. Configure SMA authentication

Create security elements in a copy of the deployed SMA WAR file

Create <security-role-assignment> and <security-constraint> elements in a copy of the deployed SMA WAR file, prsysmgmt.war.

  1. Find the copy of the prsysmgmt.war file that is already deployed on the WebLogic application server.
    On the Windows operating system, the file is usually located in this path: <path_to_server_domain>\servers\AdminServer\upload
  2. Open the prsysmgmt.war file using a compression utility (for example, 7-Zip) and create the weblogic.xml file as shown in this code example:

    <?xml version="1.0" encoding="UTF-8"?>
    <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
      <description><![CDATA[PegaRULES Web Tier]]></description>
      <weblogic-version>9.0</weblogic-version>
      <security-role-assignment>
        <role-name>PegaDiagnosticUser</role-name>
        <principal-name>PegaDiagnosticUser</principal-name>
      </security-role-assignment>
    </weblogic-web-app>
  3. Add the weblogic.xml file to the \prsysmgmt.war\WEB-INF\ folder.
    weblogic.xml located in prsysmgmt.war WEB-INF folder
  4. Edit the web.xml file in the \prsysmgmt.war\WEB-INF\ folder, adding the following lines at the end of the file, just above the closing </web-app> tag.

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>System Management Application - DB utility Application</web-resource-name>
        <description>secure all urls for this application</description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>PegaDiagnosticUser</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>PegaRULES</realm-name>
    </login-config>

    <security-role>
      <role-name>PegaDiagnosticUser</role-name>
    </security-role>

  5. Save your changes to the prsysmgmt.war file and close the 7-Zip editor.
    This is the prsysmgmt.war file that you deploy in the next section.
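The steps above can be applied and checked without a GUI. The script below is an added example written for this article, not Pega's or Oracle's code: using only the Python standard library it copies a WAR, adds the weblogic.xml shown above, appends the same security-constraint, login-config and security-role elements to WEB-INF/web.xml, and then audits the result. The audit checks the three things that silently leave SMA open: no constraint covering /*, an auth-constraint role that is not declared or not mapped to a principal-name in weblogic.xml (the principal-name must match the WebLogic group name exactly), and the fact that listing http-method elements restricts the rule to those methods only, so a request using any other method is not constrained unless the descriptor also sets deny-uncovered-http-methods (Servlet 3.1 and later). The build_sample_war function constructs a stand-in for the deployed prsysmgmt.war; it is not the real file.

```python
"""Added example: patch a copy of prsysmgmt.war with the SMA security elements, then audit it."""
import io
import zipfile
import xml.etree.ElementTree as ET

ROLE = "PegaDiagnosticUser"  # role-name in web.xml; principal-name and group name in the realm
REALM_NAME = "PegaRULES"     # realm-name presented in the BASIC challenge
# weblogic.xml as the article gives it.
WEBLOGIC_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <description><![CDATA[PegaRULES Web Tier]]></description>
  <weblogic-version>9.0</weblogic-version>
  <security-role-assignment>
    <role-name>{ROLE}</role-name>
    <principal-name>{ROLE}</principal-name>
  </security-role-assignment>
</weblogic-web-app>
"""
# Elements the article appends to web.xml just above </web-app>.
SECURITY_ELEMENTS = f"""  <security-constraint>
    <web-resource-collection>
      <web-resource-name>System Management Application - DB utility Application</web-resource-name>
      <description>secure all urls for this application</description>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>{ROLE}</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>{REALM_NAME}</realm-name>
  </login-config>
  <security-role>
    <role-name>{ROLE}</role-name>
  </security-role>
"""

def patch_web_xml(web_xml: str) -> str:
    """Insert the security elements immediately before the closing </web-app> tag."""
    idx = web_xml.rfind("</web-app>")
    if idx < 0:
        raise ValueError("web.xml has no closing </web-app> tag")
    return web_xml[:idx] + SECURITY_ELEMENTS + web_xml[idx:]

def harden_war(war: bytes) -> bytes:
    """Return a new WAR: every entry copied, WEB-INF/web.xml patched, WEB-INF/weblogic.xml added."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(war)) as zin, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for name in zin.namelist():
            if name == "WEB-INF/weblogic.xml":
                continue  # any existing copy is replaced with ours below
            data = zin.read(name)
            if name == "WEB-INF/web.xml":
                data = patch_web_xml(data.decode("utf-8")).encode("utf-8")
            zout.writestr(name, data)
        zout.writestr("WEB-INF/weblogic.xml", WEBLOGIC_XML)
    return out.getvalue()

def _local(tag):  # strip the namespace so web.xml from any Java EE version is handled alike
    return tag.rsplit("}", 1)[-1]

def _texts(node, name):
    return [el.text.strip() for el in node.iter() if _local(el.tag) == name and el.text]

def audit(war: bytes) -> dict:
    """Report how the descriptors inside the WAR protect the application."""
    with zipfile.ZipFile(io.BytesIO(war)) as z:
        web = ET.fromstring(z.read("WEB-INF/web.xml"))
        wl = ET.fromstring(z.read("WEB-INF/weblogic.xml")) if "WEB-INF/weblogic.xml" in z.namelist() else None
    findings = []
    constraints = [el for el in web.iter() if _local(el.tag) == "security-constraint"]
    if "/*" not in [p for c in constraints for p in _texts(c, "url-pattern")]:
        findings.append("no security-constraint covers /*")
    # Per the Servlet spec, listed http-method elements limit the rule to those methods;
    # every other method is uncovered unless <deny-uncovered-http-methods/> (Servlet 3.1) is present.
    methods = sorted({m for c in constraints for m in _texts(c, "http-method")})
    if methods and not [el for el in web.iter() if _local(el.tag) == "deny-uncovered-http-methods"]:
        findings.append("only %s constrained; other HTTP methods are uncovered" % ",".join(methods))
    roles = {r for c in constraints for r in _texts(c, "role-name")}
    declared = {r for el in web.iter() if _local(el.tag) == "security-role" for r in _texts(el, "role-name")}
    if not roles <= declared:
        findings.append("auth-constraint role not declared in <security-role>")
    principals = set(_texts(wl, "principal-name")) if wl is not None else set()
    if not roles <= principals:
        findings.append("role has no principal-name mapping in weblogic.xml")
    return {"auth_method": (_texts(web, "auth-method") or [None])[0], "methods": methods, "findings": findings}

def build_sample_war() -> bytes:
    """Constructed stand-in for the deployed prsysmgmt.war (not the real file)."""
    web_xml = ('<?xml version="1.0" encoding="UTF-8"?>\n<web-app xmlns="http://java.sun.com/xml/ns/javaee" '
               'version="2.5">\n  <display-name>prsysmgmt</display-name>\n</web-app>\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WEB-INF/web.xml", web_xml)
    return buf.getvalue()
```

Run audit(harden_war(open("prsysmgmt.war", "rb").read())) against a copy of the real file before deploying it: the only finding on the article's descriptors is the uncovered-methods one, which tells you that a HEAD or OPTIONS request to /prsysmgmt is not challenged by this rule. Because BASIC authentication sends the user name and password Base64-encoded rather than encrypted, the SMA URL should only be reachable over HTTPS.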

Replace the deployed SMA WAR file with the modified file containing the new security elements

In the WebLogic Administration Console, delete the currently deployed prsysmgmt.war file and replace it with the new SMA application file, the copy containing the security elements you added. Deploy the new prsysmgmt.war file.

  1. In the WebLogic Administration Console, for the pega_domain, click Domain Structure > Deployments and find prsysmgmt in the list of deployments installed to the domain. Delete the existing prsysmgmt deployment.
    WebLogic Admin Console Deployments delete existing prsysmgmt
  2. In the WebLogic Administration Console, deploy the prsysmgmt.war file that you modified and saved in the previous section.

Set up the WebLogic Security Realms to use the security elements of the newly created and deployed SMA WAR file

In the WebLogic Administration Console, navigate to Security Realms and create the new group and user for SMA: the group PegaDiagnosticUser containing the user smauser assigned the password smauser1.

  1. Continuing in the WebLogic Administration Console, click Security Realms > myrealm. Click the tabs Users and Groups > Groups to create a new group called PegaDiagnosticUser (the same name used as the principal-name in weblogic.xml) to contain the users that you want to have access to SMA.
    WebLogic Admin Console Security Realms group PegaDiagnosticUsers
  2. To assign users to the new PegaDiagnosticUser group, click the Users tab and create the user called smauser with the password smauser1. You can change this password later.
    Create smauser with password smauser1
  3. Be sure to assign this user to the PegaDiagnosticUser group.
    Assign User smauser to Group PegaDiagnosticUsers
  4. Save your changes.

Verifying the result and first-time use

Restart the WebLogic application server and type the SMA URL in the browser; the browser displays the Windows Security pop-up window prompting for user credentials. SMA authenticates user smauser with password smauser1.

  1. Restart the WebLogic server that hosts SMA.

  2. In your browser, type the URL to SMA and see the Windows Security pop-up window:
    SMA URL displays Windows Security window

  3. In the Windows Security window, type the User name smauser and the Password smauser1 to log in to SMA.

Configure SMA authentication

Now that you have verified the first-time SMA log-in results, you need to configure the SMA node on WebLogic to always prompt users for credentials.

  1. In SMA, click the Add a node icon to display the Enter Node Configuration Details window.
  2. In this window, in the section Administrative (JMX/SOAP) Credentials, for the field Please select mode of authentication, click Always Prompt for Credentials.
    Enter Node Configuration Details, Administrative (JMX/SOAP) Credentials
    This mode enforces authentication for SMA after the user logs off or opens a new browser session. Users are always asked to type credentials to get into SMA.
    SMA Principal Credentials to enforce authentication

References

Oracle WebLogic 12c Managing Users from the WebLogic Administration Console

IBM WebSphere Application Server 8.0, Securing applications and their environment

JBoss Enterprise Application Platform 5.0, Administration and Configuration Guide

Apache Tomcat 7.0, Documentation Index
