How to secure the System Management Application by restricting user access (Oracle WebLogic)
The System Management Application (SMA) does not restrict user access. Any user who has access to the domain where the application server hosts SMA can use SMA and see system information. Any user with this access who clicks the SMA link, http://<host_name>:<port_number>/prsysmgmt, can see all information about the Pega application and the environment.
SMA uses Java Management Extensions (JMX) to track system functions. You can secure SMA by securing the JMX port or by securing the application server. This article explains the latter option, securing SMA from the application server. The procedure is specific to the Oracle WebLogic application server.
Refer to your application server documentation for security concepts and procedures that explain how to restrict user access to domains. The following procedure explains how to do this for the pega_domain on Oracle WebLogic.
In the procedure that follows, you make a copy of the deployed prsysmgmt.war file and create a new group called PegaDiagnosticUser that contains a user called smauser assigned the password smauser1. In the WebLogic Administration Console, you grant this group and user permission to authenticate into SMA from the WebLogic pega_domain. Users must now log in to SMA when challenged for credentials. The example user smauser with password smauser1 is authenticated.
<security-constraint> elements in a copy of the deployed SMA WAR file, prsysmgmt.war.
- Find the copy of the prsysmgmt.war file that is already deployed on the WebLogic application server.
On the Windows operating system, the file is usually located in this path: <path_to_server_domain>\servers\AdminServer\upload
- Open the prsysmgmt.war file using a compression utility (for example, 7-Zip) and create the weblogic.xml file as shown in this code example:
<?xml version="1.0" encoding="UTF-8"?>
<description><![CDATA[PegaRULES Web Tier]]></description>
- Add the weblogic.xml file to the \prsysmgmt.war\WEB-INF\ folder.
- Edit the web.xml file located in the prsysmgmt.war file in the \prsysmgmt.war\WEB-INF\ folder, adding the following lines at the end of the file, just above the closing
<web-resource-name>System Management Application - DB utility Application </web-resource-name>
<description>secure all urls for this application</description>
Save your changes to the prsysmgmt.war file and close the 7-Zip editor.
This is the prsysmgmt.war file that you deploy in the next section.
In the WebLogic Administration Console, delete the currently deployed prsysmgmt.war file and replace it with the new SMA application file, the copy containing the security elements you added. Deploy the new prsysmgmt.war file.
- In the WebLogic Administration Console, for the pega-domain, click
In the WebLogic Administration Console, deploy the prsysmgmt.war file you that modified and saved in the previous section.
Set up the WebLogic Security Realms to use the security elements of the newly created and deployed SMA WAR file
In the WebLogic Administration Console, navigate to Security Realms and specify the new group and user that you created for SMA: the group PegaDiagnosticUser containing the user smauser assigned the password smauser1.
- Continuing in the WebLogic Administration Console, click User and Groups > Groups to create a new group called PegaDiagnosticUser to contain the users that you want to have access to SMA.
- To assign users to the new PegaDiagnosticUser group, click the Users tab and create the user called smauser with the password smauser1. You can change this password later.
- Be sure to assign this user to the PegaDiagnosticUser group.
Save your changes.
Restart the WebLogic application server, type the SMA URL in the browser, and see the Windows Security pop-up window prompt for user credentials. SMA authenticates user smauser with password smauser1.
Restart the WebLogic server that hosts SMA.
In your browser, type the URL to SMA and see the Windows Security pop-up window:
In the Windows Security window, type the User name smauser and the Password smauser1 to log in to SMA.
Now that you have verified the first-time SMA log-in results, you need to configure the SMA node on WebLogic to always prompt users for credentials.
- In SMA, click Add a node to display the Enter Node Configuration Details window.
- In this window, in the section Administrative (JMX/SOAP) Credentials, for the field Please select mode of authentication, click Always Prompt for Credentials.
This mode enforces authentication for SMA after the user logs off or opens a new browser session. Users are always asked to type credentials to get into SMA.