Disabling Global Security

What happens if we make a mistake and cannot log in? Maybe we have forgotten a password or user name. What do we do? We can try to modify the XML files, but this is dangerous. A better option is to turn off Global Security and reset it. Which option you choose will depend on your need or problem. Either way, it is good to know how to disable Global Security if you ever need to do it.

Note: The scripts referenced in this guide are available when this course is published in Q2 2015.

What we are going to do now is run the following script to turn off Global Security, look at security.xml and how it has changed, and then enable Global Security again.

You can run an interactive wsadmin scripting session and execute this Jython:

AdminTask.setGlobalSecurity('[-enabled false]')

Or you can run the script called toggleGlobalSecurity.py, which I have provided, for example:

##############################################################################
#
# Script  : toggleGlobalSecurity.py
# Purpose : Toggle Global Security on and off
# Authors : Steve Robinson – The MiddlewareShop (http://www.themiddlewareshop.com)
# Created : April 2015
# History
# date          ver  who  what
# --------      ---  ---  ----------
# 14-April-2015 0.1  scr  Start core script
#
#############################################################################

# Runs inside wsadmin (Jython, Python 2 syntax); AdminTask and AdminConfig
# are objects that wsadmin provides, so no imports are needed.

def saveConfiguration():
    # Persist the pending change to the configuration repository (security.xml)
    printer("","Saving configuration....")
    AdminConfig.save( )
    printer("","Saved changes")
#EndDef

def printer(prefix,msg):
    # Prefix each message with its severity; anything else is logged as INFO
    if(cmp(prefix,"ERR") == 0):
        print "ERR:" + msg
    elif(cmp(prefix,"WARN") == 0):
        print "WARN:" + msg
    else:
        print "INFO:" + msg
    #EndIf
#endDef

#Get state of Global Security (returned as the string "true" or "false")
isGlobalSecurityEnabled = AdminTask.isGlobalSecurityEnabled()

if (cmp(isGlobalSecurityEnabled, "true") == 0):
    printer("","Global security is enabled....disabling")
    state="false"
    attr="[-enabled "+state+"]"
    printer("","AdminTask.setGlobalSecurity attributes are as follows:")
    printer("",attr)
    AdminTask.setGlobalSecurity(attr)
    saveConfiguration()
    printer("","Restart the server for the changes to take affect")
#endIf

# The state read above is not refreshed, so only one of the two branches runs
if (cmp(isGlobalSecurityEnabled, "false") == 0):
    printer("","Global security is disabled....enabling")
    state="true"
    attr="[-enabled "+state+"]"
    printer("","AdminTask.setGlobalSecurity attributes are as follows:")
    printer("",attr)
    AdminTask.setGlobalSecurity(attr)
    saveConfiguration()
    printer("","Restart the server for the changes to take affect")
#endIf

'''
##AdminTask.setGlobalSecurity requires an attribute:
##AdminTask.setGlobalSecurity(*enabled)
##The administrative security field in the security.xml file is updated based on the input of true or false.
'''

To run the script, we use wsadmin.sh and pass the Jython file. I have created a sample shell-script called toggleGlobalSecurity.sh, which will demonstrate the -f option.

#!/bin/sh
# Demo values only: the password is hard-coded here, echoed to the terminal
# and passed to wsadmin.sh on the command line.
export ADMIN_USER=wasadmin
echo "ADMIN_USER=${ADMIN_USER}"
export ADMIN_PASSWORD=wasadmin
echo "ADMIN_PASSWORD=${ADMIN_PASSWORD}"
export WAS_PROFILE_DIR="/opt/IBM/WebSphere/AppServer/profiles/DV_AppServer01Prof"
echo "WAS_PROFILE_DIR=${WAS_PROFILE_DIR}"
export JYTHON_ROOT="/var/apps/scripts/wasAdmin"
echo "JYTHON_ROOT=${JYTHON_ROOT}"

echo "Executing script...."
# -f tells wsadmin to run the given Jython file and then exit
"${WAS_PROFILE_DIR}/bin/wsadmin.sh" -username "${ADMIN_USER}" -password "${ADMIN_PASSWORD}" -f "${JYTHON_ROOT}/security/toggleGlobalSecurity.py"

Result of running the script against a running server.

ADMIN_USER=wasadmin
ADMIN_PASSWORD=wasadmin
WAS_PROFILE_DIR=/opt/IBM/WebSphere/AppServer/profiles/DV_AppServer01Prof
JYTHON_ROOT=/var/apps/scripts/wasAdmin
Executing script....
WASX7209I: Connected to process "server1" on node DV_AppServer01 using SOAP connector; The type of process is: UnManagedProcess
INFO:Global security is enabled....disabling
INFO:AdminTask.setGlobalSecurity attributes are as follows:
INFO:[-enabled false]
INFO:Saving configuration....
INFO:Saved changes
INFO:Restart the server for the changes to take affect

If Global Security was enabled, then once the script has been run and we have restarted the Application Server, the Admin Console no longer asks for a password the next time we log in. We can use any user ID we wish; it does not matter. The console is not secure!

Note: if we have a look at security.xml, we can see the attribute enabled="false":

<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:orb.securityprotocol="http://www.ibm.com/websphere/appserver/schemas/5.0/orb.securityprotocol.xmi" xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi" xmi:id="Security_1" useLocalSecurityServer="true" useDomainQualifiedUserNames="false" enabled="false" cacheTimeout="600" issuePermissionWarning="true" activeProtocol="BOTH" enforceJava2Security="false" enforceFineGrainedJCASecurity="false" appEnabled="false" dynamicallyUpdateSSLConfig="true" allowBasicAuth="true" activeAuthMechanism="LTPA_1" activeUserRegistry="WIMUserRegistry_1" defaultSSLSettings="SSLConfig_DV_AppServer01_1" adminPreferredAuthMech="RSAToken_1">

If there is ever an emergency and you are locked out of the console, you can turn security off by editing this file. I do not advocate manually changing WAS XML files unless you know what you’re doing. If you are going to do it, back up the file first!

Each time we run the Jython script, the security.xml file is updated, i.e. it toggles between enabled="true" and enabled="false".
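Because a single run of the toggle script leaves the console open to anyone, it is worth checking the resulting state on disk. The following is an added example, not part of the original guide or its scripts: it reads security.xml and flags any profile where Global Security is off. It assumes the standard profile layout <profile>/config/cells/<cell>/security.xml; the function names and the sample XML are constructed for illustration.

```python
import glob
import os
import sys
import xml.etree.ElementTree as ET

SECURITY_TAG = ("{http://www.ibm.com/websphere/appserver/schemas/5.0/"
                "security.xmi}Security")

# Constructed sample: the root element shown above, cut down to the attributes
# read here and self-closed so that it parses on its own.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
 xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
 xmi:id="Security_1" enabled="%s" appEnabled="false"
 activeUserRegistry="WIMUserRegistry_1"/>
"""


def audit_security_xml(xml_text):
    """Return findings for one security.xml document (empty list = nothing flagged)."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return ["ERR: not well-formed XML (%s)" % exc]
    if root.tag != SECURITY_TAG:
        return ["ERR: unexpected root element %s" % root.tag]
    enabled = root.get("enabled")
    if enabled is None:
        return ["ERR: root element has no 'enabled' attribute"]
    if enabled.strip().lower() != "true":
        return ["CRITICAL: Global Security is off (enabled=%s)" % enabled]
    return []


def audit_profiles(profiles_root):
    """Audit every <profile>/config/cells/<cell>/security.xml under profiles_root."""
    report = {}
    pattern = os.path.join(profiles_root, "*", "config", "cells", "*", "security.xml")
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as handle:
            report[path] = audit_security_xml(handle.read())
    return report


if __name__ == "__main__":
    # Assumed default: the profiles directory used in this guide.
    root_dir = sys.argv[1] if len(sys.argv) > 1 else "/opt/IBM/WebSphere/AppServer/profiles"
    results = audit_profiles(root_dir)
    for path, findings in results.items():
        print(path, "->", findings or ["OK"])
    sys.exit(1 if any(results.values()) else 0)
```

The script exits non-zero when any profile is flagged, so it can run from cron or a monitoring job after an emergency reset.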

Now we are going to manually re-enable Global Security, so you can see what the wizard does, but before we do, let’s run a security report.

We can see that Administrative Security is no longer enabled.

  • Once we click on the Security Configuration Report, we will get a pop-up screen that shows a report.

If you scroll down you will see the report starts with Security settings and we see that Administrative Security is not enabled.

Then later, in the User Registry section, we see that we have a Primary administrative user name; once again, this is because we declared a username and password during our profile creation.

  • Close the Report pop-up window.
  • We can re-enable security using the toggleGlobalSecurity.sh script.
cd /opt/IBM/WebSphere/AppServer/profiles/DV_AppServer01Prof
./toggleGlobalSecurity.sh

Result

ADMIN_USER=wasadmin
ADMIN_PASSWORD=wasadmin
WAS_PROFILE_DIR=/opt/IBM/WebSphere/AppServer/profiles/DV_AppServer01Prof
JYTHON_ROOT=/var/apps/scripts/wasAdmin
Executing script....
WASX7209I: Connected to process "server1" on node DV_AppServer01 using SOAP connector; The type of process is: UnManagedProcess
INFO:Global security is disabled....enabling
INFO:AdminTask.setGlobalSecurity attributes are as follows:
INFO:[-enabled true]
INFO:Saving configuration....
INFO:Saved changes
INFO:Restart the server for the changes to take affect

  • Restart the server

 

