proxy.org.openldap.sentry.websphere.package.html
Sentry is an ANSI RBAC INCITS 359 compliant policy enforcement engine.
Package Documentation for Java Sentry Websphere SPI
This package is the component that allows security checks to be performed within a
Websphere runtime environment. The Websphere Java Sentry has been split into two packages each contained within
its own jar file.
The Websphere Sentry Jars include:
- fortressProxyWebSphere-[version].jar
- fortressSentry-[version].jar and configuration artifacts
The fortressProxyWebSphere jar is a thin layer of code that calls the fortressSentry implementation code via standard
Java URLClassLoader logic. The Fortress implementation code and configuration artifacts must remain separate from
Websphere's runtime system classpath. The separation is necessary to allow a
predictable and repeatable installation process, because placing non-native jars on any application server's
system classpath carries risk due to the variability of the runtime environment itself.
To put it simply, the point is to keep Fortress code out of the application server's visibility, which means
setting up Fortress in Websphere will work every time if the instructions are followed faithfully.
JoshuaTree Java Sentry Websphere UserRegistry Setup Notes
This installation document contains instructions for installing the Fortress Websphere UserRegistry component. This component works
in Websphere 5, 6 and 7.
Guidelines & Tips
- In the document that follows, replace [version] with the Fortress version label. For example, for the Fortress 1.0.0 release, change fortressProxyWebsphere-[version].jar to fortressProxyWebsphere-1.0.0.jar.
- Restart Websphere server after any changes to Websphere config, Fortress config or lib files.
- You (usually) do NOT need to restart Websphere after changes to the LDAP data, i.e. users, passwords, roles.
- Steps I - III below are mandatory.
- Step IV is optional, for testing purposes.
- Common misconfiguration issues related to Fortress, LDAP and Websphere are located in section V.
I. Instructions to extract Fortress Java Sentry Package to Target System
- Copy fortressSentryDist-[version].zip to the hard drive of the target server environment.
- Extract the zip. The location of the extracted archive can vary according to requirements. The location of the package is referred to as "FORTRESS_HOME" later in these instructions.
II. Instructions to configure Fortress Java Sentry to use Target System LDAP
Note: the dist Ant target on this project uses the settings in the build.properties file in the root folder of this component to replace the substitution parameters in fortress.properties.src and create a new fortress.properties file automatically.
- Edit the properties file located at $FORTRESS_HOME/conf/fortress.properties. If you did not run the Ant dist target, you will need to create it from fortress.properties.src.
  vi /home/user/fortressSentry-1.0.0/conf/fortress.properties
- Set the LDAP host name (or IP) and port properties:
  host=myldaphostname
  port=389
- Set the LDAP admin creds:
  admin=cn=Manager\,dc=jts\,dc=com
  adminPw=secret
- Set the LDAP connection pool info:
  minUserConn=1
  maxUserConn=10
  minConn=1
  maxConn=10
  Note: the min/max will vary according to the anticipated load on your Websphere server. For busy systems, the max number of LDAP connections may be much higher.
III. Instructions to configure Websphere to use Fortress Java Sentry
- Load the proxy jar onto the server classpath (WEBSPHERE_HOME/lib).
  Copy the proxy jar, located at FORTRESS_HOME/proxy/fortressProxyWebsphere-[version].jar, to the Websphere server's lib folder.
  /opt/IBM/Websphere/AppServer/lib$ sudo cp /home/user/fortressSentry-1.0.0/proxy/fortressProxyWebsphere-1.0.0.jar .
  Note: This is the only Fortress binary or configuration artifact that will reside directly on Websphere's server classpath.
- Restart the application server.
/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/bin/stopServer.sh server1 -profileName AppSrv01
/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/bin/startServer.sh server1 -profileName AppSrv01
- Go to Websphere Admin Console, i.e.:
https://localhost:9043/ibm/console/logon.jsp
- Navigate to Global Security Page: Security->GlobalSecurity
- Select dropdown: Available realm definitions: Standalone custom registry
- Click on Configure button
- Enter Primary administrative user name : wasadmin
- Select Radio button: Server identity that is stored in the repository
- Enter in field: Server user ID or administrative user on a Version 6.0.x node : wasadmin (or whatever you choose as your default console userId).
- Enter in field: Password : @dmin123 (or whatever you choose as your default console user's password)
- Enter in field: Information required Custom registry class name : org.openldap.sentry.websphere.WsAccessMgrProxy
- Enable checkbox: Ignore case for authorization
- Enter in field: Custom properties :
  Name REALM_CLASSPATH Value /home/user/fortressSentryDist-1.0.0/conf:/home/user/fortressSentryDist-1.0.0/lib/fortressSentry-1.0.0.jar
- Click on Apply button.
- Click on the "Save directly to the master configuration" link.
- Navigate back to Global security page by clicking on link of same name.
- Enable checkbox: Enable application security
- Do NOT enable: Use Java 2 security to restrict application access to local resources
- For dropdown Available realm definitions select: Standalone custom registry and click on Set as current button.
- Click on Apply button
  Note: If errors are going to occur when enabling Fortress as the security manager, this is where they occur.
  If there are no errors, continue to the next step; otherwise go to the Troubleshooting section of this document to determine what went wrong.
- Click on the "Save directly to the master configuration" link.
- Restart the Websphere server:
/opt/IBM/WebSphere/AppServer/bin$ ./stopServer.sh server1 -profileName AppSrv01
/opt/IBM/WebSphere/AppServer/bin$ ./startServer.sh server1 -profileName AppSrv01
- Verify that the sentry started successfully by finding the following messages in Websphere's log:
/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/server1$ tail -f -n10000 SystemOut.log
...
[6/5/11 18:46:16:745 CDT] 00000000 SystemOut O 2011-06-05 18:46:16,744 (INFO ) J2eePolicyMgrImpl - Initialized successfully
[6/5/11 18:46:16:745 CDT] 00000000 WsAccessMgrPr I org.openldap.sentry.websphere.WsAccessMgrProxy.initialize - Fortress UserRegistry initialized no errors.
[6/5/11 18:46:16:748 CDT] 00000000 SystemOut O 2011-06-05 18:46:16,748 (INFO ) WsAccessMgrImpl. J2EE policy agent initialization successful
[6/5/11 18:46:16:759 CDT] 00000000 UserRegistryI A SECJ0136I: Custom Registry:org.openldap.sentry.websphere.WsAccessMgrProxy has been initialized
If you made it this far without errors, you are now ready to use Fortress-enabled security in the Websphere runtime environment.
If you need help understanding how Java EE security works, check out this link:
The Java EE 5 Tutorial
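The file-system side of sections II and III can be checked before the server is restarted. The script below is an added example, not part of the Fortress distribution: the function names are invented here, and the permission checks (no world-writable REALM_CLASSPATH entry, no world-readable fortress.properties, since it holds adminPw) are assumptions of this example rather than requirements stated in these notes.

```shell
#!/bin/sh
# Added example, not part of the Fortress distribution. Paths are arguments.

# Keys set in the fortress.properties steps on this page.
REQUIRED_KEYS="host port admin adminPw minUserConn maxUserConn minConn maxConn"

# True when the path has the given permission bits set (e.g. 002 = other-write).
has_mode() { [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]; }

# Check one fortress.properties file; print findings, return their count.
check_props() {
    n=0
    for key in $REQUIRED_KEYS; do
        grep -q "^$key=" "$1" || { echo "MISSING key $key in $1"; n=$((n+1)); }
    done
    # Assumption: adminPw is a cleartext LDAP credential, so other-read is a finding.
    if has_mode "$1" 004; then echo "WORLD-READABLE $1"; n=$((n+1)); fi
    return "$n"
}

# $1 = WebSphere lib dir, $2 = REALM_CLASSPATH value, $3 = Fortress version.
# Prints one line per finding and returns 0 only when there are none.
fortress_preflight() {
    was_lib=$1; realm_cp=$2; version=$3; findings=0; props_seen=0

    # SECJ0330E case: the proxy jar must be in the server lib folder.
    proxy="$was_lib/fortressProxyWebsphere-$version.jar"
    [ -r "$proxy" ] || { echo "MISSING proxy jar $proxy"; findings=$((findings+1)); }

    # Split REALM_CLASSPATH on ':' as entered in the admin console.
    old_ifs=$IFS; IFS=:; set -f; set -- $realm_cp; set +f; IFS=$old_ifs
    for entry in "$@"; do
        [ -n "$entry" ] || continue
        if [ ! -e "$entry" ]; then
            # Covers both the missing conf folder and the missing sentry jar.
            echo "MISSING classpath entry $entry"; findings=$((findings+1)); continue
        fi
        # Code and config loaded into the user registry must not be world-writable.
        if has_mode "$entry" 002; then
            echo "WORLD-WRITABLE $entry"; findings=$((findings+1))
        fi
        if [ -d "$entry" ] && [ -f "$entry/fortress.properties" ]; then
            props_seen=1
            check_props "$entry/fortress.properties" || findings=$((findings+$?))
        fi
    done
    [ "$props_seen" -eq 1 ] || { echo "NO fortress.properties on REALM_CLASSPATH"; findings=$((findings+1)); }
    [ "$findings" -eq 0 ]
}
```

Call it as `fortress_preflight /opt/IBM/Websphere/AppServer/lib "$REALM_CLASSPATH" 1.0.0`, passing the same REALM_CLASSPATH string that was entered in the console.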
IV. Instructions to test Websphere Security
- Log on to the admin console:
  https://localhost:9043/ibm/console/logon.jsp
- Enter creds: wasadmin/@dmin123
- Verify you get in successfully and can access Websphere Admin Console functions.
V. Common Troubleshooting Tips
- Server can't find config files (realmClasspath="/fortressSentry-1.0.0/conf/")
Error
[6/6/11 18:33:44:556 CDT] 00000000 WsAccessMgrPr W WsAccessMgrProxy.getRealmImplClassname - REALM_IMPLEMENTATION default=WsAccessMgrImpl
[6/6/11 18:33:44:572 CDT] 00000000 CpUtil I CpUtil.parseRealmClasspath
[6/6/11 18:33:44:575 CDT] 00000000 CpUtil I CpUtil.parseRealmClasspath path0
[6/6/11 18:33:44:578 CDT] 00000000 CpUtil I CpUtil.parseRealmClasspath path1
[6/6/11 18:33:44:581 CDT] 00000000 WsAccessMgrPr I WsAccessMgrProxy.initialize - instantiate class: WsAccessMgrImpl
[6/6/11 18:33:44:854 CDT] 00000000 FfdcProvider W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/ffdc/server1_76887688_11.06.06_18.33.44.817562839570554853342.txt null 484
[6/6/11 18:33:44:871 CDT] 00000000 ContainerHelp E WSVR0501E: Error creating component null [class com.ibm.ws.security.core.SecurityComponentImpl]
java.lang.ExceptionInInitializerError
at java.lang.J9VMInternals.initialize(J9VMInternals.java:222)
at J2eePolicyMgrFactory.(J2eePolicyMgrFactory.java:32)
at java.lang.J9VMInternals.initializeImpl(Native Method)
at java.lang.J9VMInternals.initialize(J9VMInternals.java:200)
at WsAccessMgrImpl.(WsAccessMgrImpl.java:41)
at java.lang.J9VMInternals.initializeImpl(Native Method)
at java.lang.J9VMInternals.initialize(J9VMInternals.java:200)
at java.lang.J9VMInternals.newInstanceImpl(Native Method)
at java.lang.Class.newInstance(Class.java:1325)
at WsAccessMgrProxy.initialize(WsAccessMgrProxy.java:60)
at com.ibm.ws.security.registry.UserRegistryImpl.initialize(UserRegistryImpl.java:260)
at com.ibm.ws.security.config.UserRegistryConfigImpl.do_createRegistryObjects(UserRegistryConfigImpl.java:680)
at com.ibm.ws.security.config.UserRegistryConfigImpl.createRegistryObjects(UserRegistryConfigImpl.java:637)
at com.ibm.ws.security.config.UserRegistryConfigImpl.getUserRegistryImpl(UserRegistryConfigImpl.java:622)
at com.ibm.ws.security.core.distSecurityComponentImpl.bindRegistry(distSecurityComponentImpl.java:509)
at com.ibm.ws.security.core.distSecurityComponentImpl.bindRegistries(distSecurityComponentImpl.java:486)
at com.ibm.ws.security.core.distSecurityComponentImpl.start(distSecurityComponentImpl.java:434)
at com.ibm.ws.security.core.SecurityComponentImpl.start(SecurityComponentImpl.java:104)
at com.ibm.ws.runtime.component.ContainerHelper.startComponents(ContainerHelper.java:538)
at com.ibm.ws.runtime.component.ContainerImpl.startComponents(ContainerImpl.java:627)
at com.ibm.ws.runtime.component.ContainerImpl.start(ContainerImpl.java:618)
at com.ibm.ws.runtime.component.ServerImpl.start(ServerImpl.java:503)
at com.ibm.ws.runtime.WsServerImpl.bootServerContainer(WsServerImpl.java:298)
at com.ibm.ws.runtime.WsServerImpl.start(WsServerImpl.java:214)
at com.ibm.ws.runtime.WsServerImpl.main(WsServerImpl.java:666)
at com.ibm.ws.runtime.WsServer.main(WsServer.java:59)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:600)
at com.ibm.wsspi.bootstrap.WSLauncher.launchMain(WSLauncher.java:213)
at com.ibm.wsspi.bootstrap.WSLauncher.main(WSLauncher.java:93)
at com.ibm.wsspi.bootstrap.WSLauncher.run(WSLauncher.java:74)
at org.eclipse.core.internal.runtime.PlatformActivator$1.run(PlatformActivator.java:78)
at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:92)
at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:68)
at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:400)
at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:177)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:600)
at org.eclipse.core.launcher.Main.invokeFramework(Main.java:340)
at org.eclipse.core.launcher.Main.basicRun(Main.java:282)
at org.eclipse.core.launcher.Main.run(Main.java:981)
at com.ibm.wsspi.bootstrap.WSPreLauncher.launchEclipse(WSPreLauncher.java:340)
at com.ibm.wsspi.bootstrap.WSPreLauncher.main(WSPreLauncher.java:110)
Caused by: org.openldap.fortress.ConfigurationRuntimeException: org.openldap.fortress.configuration.Config static init: Error loading from configuration file: [oamConfig.xml] Exception=java.lang.RuntimeException: org.openldap.fortress.configuration.Config static init: Error, null configuration file: oamConfig.xml, errCode=127
at org.openldap.fortress.configuration.Config.(Config.java:95)
at java.lang.J9VMInternals.initializeImpl(Native Method)
at java.lang.J9VMInternals.initialize(J9VMInternals.java:200)
... 46 more
Caused by: java.lang.RuntimeException: org.openldap.fortress.configuration.Config static init: Error, null configuration file: oamConfig.xml
at org.openldap.fortress.configuration.Config.(Config.java:52)
... 48 more
6/6/11 18:34:01:566 CDT] 00000000 WsServerImpl A WSVR0002I: Server server1 open for e-business, problems occurred during startup
Corrective Action
Ensure the REALM_CLASSPATH value set in step III.M points to the Fortress sentry configuration folder.
- Server can't find proxy jar (Realm className="WsAccessMgrProxy")
Error
com.ibm.ws.security.registry.UserRegistryImpl.initialize 253
[6/6/11 18:40:06:982 CDT] 00000000 UserRegistryI E SECJ0330E: The registry implementation file org.openldap.sentry.websphere.WsAccessMgrProxy cannot be loaded because of the following exception java.lang.ClassNotFoundException: org.openldap.sentry.websphere.WsAccessMgrProxy
at java.lang.Class.forNameImpl(Native Method)
at java.lang.Class.forName(Class.java:169)
at com.ibm.ws.security.registry.UserRegistryImpl.initialize(UserRegistryImpl.java:224)
at com.ibm.ws.security.config.UserRegistryConfigImpl.do_createRegistryObjects(UserRegistryConfigImpl.java:680)
at com.ibm.ws.security.config.UserRegistryConfigImpl.createRegistryObjects(UserRegistryConfigImpl.java:637)
at com.ibm.ws.security.config.UserRegistryConfigImpl.getUserRegistryImpl(UserRegistryConfigImpl.java:622)
at com.ibm.ws.security.core.distSecurityComponentImpl.bindRegistry(distSecurityComponentImpl.java:509)
at com.ibm.ws.security.core.distSecurityComponentImpl.bindRegistries(distSecurityComponentImpl.java:486)
at com.ibm.ws.security.core.distSecurityComponentImpl.start(distSecurityComponentImpl.java:434)
at com.ibm.ws.security.core.SecurityComponentImpl.start(SecurityComponentImpl.java:104)
at com.ibm.ws.runtime.component.ContainerHelper.startComponents(ContainerHelper.java:538)
at com.ibm.ws.runtime.component.ContainerImpl.startComponents(ContainerImpl.java:627)
at com.ibm.ws.runtime.component.ContainerImpl.start(ContainerImpl.java:618)
at com.ibm.ws.runtime.component.ServerImpl.start(ServerImpl.java:503)
at com.ibm.ws.runtime.WsServerImpl.bootServerContainer(WsServerImpl.java:298)
at com.ibm.ws.runtime.WsServerImpl.start(WsServerImpl.java:214)
at com.ibm.ws.runtime.WsServerImpl.main(WsServerImpl.java:666)
at com.ibm.ws.runtime.WsServer.main(WsServer.java:59)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:600)
at com.ibm.wsspi.bootstrap.WSLauncher.launchMain(WSLauncher.java:213)
at com.ibm.wsspi.bootstrap.WSLauncher.main(WSLauncher.java:93)
at com.ibm.wsspi.bootstrap.WSLauncher.run(WSLauncher.java:74)
at org.eclipse.core.internal.runtime.PlatformActivator$1.run(PlatformActivator.java:78)
at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:92)
at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:68)
at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:400)
at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:177)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:600)
at org.eclipse.core.launcher.Main.invokeFramework(Main.java:340)
at org.eclipse.core.launcher.Main.basicRun(Main.java:282)
at org.eclipse.core.launcher.Main.run(Main.java:981)
at com.ibm.wsspi.bootstrap.WSPreLauncher.launchEclipse(WSPreLauncher.java:340)
at com.ibm.wsspi.bootstrap.WSPreLauncher.main(WSPreLauncher.java:110)
Server fails to launch.
Corrective Action
Ensure step III.A copied the Fortress sentry proxy jar to the /opt/IBM/Websphere/AppServer/lib folder.
- Server can't find binaries (realmClasspath="...FORTRESS_HOME/lib/fortressSentry-[version].jar")
Error
[6/6/11 18:48:02:471 CDT] 00000000 WsAccessMgrPr I org.openldap.sentry.websphere.WsAccessMgrProxy.initialize - instantiate class: WsAccessMgrImpl
[6/6/11 18:48:02:474 CDT] 00000000 WsAccessMgrPr E org.openldap.sentry.websphere.WsAccessMgrProxy.initialize ClassNotFoundException=java.lang.ClassNotFoundException: WsAccessMgrImpl
[6/6/11 18:48:02:508 CDT] 00000000 UserRegistryI E SECJ0331E: The registry implementation file org.openldap.sentry.websphere.WsAccessMgrProxy cannot be initialized because of the following exception com.ibm.websphere.security.CustomRegistryException: org.openldap.sentry.websphere.WsAccessMgrProxy.initialize ClassNotFoundException=java.lang.ClassNotFoundException: WsAccessMgrImpl
at org.openldap.sentry.websphere.WsAccessMgrProxy.initialize(WsAccessMgrProxy.java:78)
at com.ibm.ws.security.registry.UserRegistryImpl.initialize(UserRegistryImpl.java:260)
at com.ibm.ws.security.config.UserRegistryConfigImpl.do_createRegistryObjects(UserRegistryConfigImpl.java:680)
at com.ibm.ws.security.config.UserRegistryConfigImpl.createRegistryObjects(UserRegistryConfigImpl.java:637)
at com.ibm.ws.security.config.UserRegistryConfigImpl.getUserRegistryImpl(UserRegistryConfigImpl.java:622)
at com.ibm.ws.security.core.distSecurityComponentImpl.bindRegistry(distSecurityComponentImpl.java:509)
at com.ibm.ws.security.core.distSecurityComponentImpl.bindRegistries(distSecurityComponentImpl.java:486)
at com.ibm.ws.security.core.distSecurityComponentImpl.start(distSecurityComponentImpl.java:434)
at com.ibm.ws.security.core.SecurityComponentImpl.start(SecurityComponentImpl.java:104)
at com.ibm.ws.runtime.component.ContainerHelper.startComponents(ContainerHelper.java:538)
at com.ibm.ws.runtime.component.ContainerImpl.startComponents(ContainerImpl.java:627)
at com.ibm.ws.runtime.component.ContainerImpl.start(ContainerImpl.java:618)
at com.ibm.ws.runtime.component.ServerImpl.start(ServerImpl.java:503)
at com.ibm.ws.runtime.WsServerImpl.bootServerContainer(WsServerImpl.java:298)
at com.ibm.ws.runtime.WsServerImpl.start(WsServerImpl.java:214)
at com.ibm.ws.runtime.WsServerImpl.main(WsServerImpl.java:666)
at com.ibm.ws.runtime.WsServer.main(WsServer.java:59)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:600)
at com.ibm.wsspi.bootstrap.WSLauncher.launchMain(WSLauncher.java:213)
at com.ibm.wsspi.bootstrap.WSLauncher.main(WSLauncher.java:93)
at com.ibm.wsspi.bootstrap.WSLauncher.run(WSLauncher.java:74)
at org.eclipse.core.internal.runtime.PlatformActivator$1.run(PlatformActivator.java:78)
at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:92)
at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:68)
at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:400)
at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:177)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:600)
at org.eclipse.core.launcher.Main.invokeFramework(Main.java:340)
at org.eclipse.core.launcher.Main.basicRun(Main.java:282)
at org.eclipse.core.launcher.Main.run(Main.java:981)
at com.ibm.wsspi.bootstrap.WSPreLauncher.launchEclipse(WSPreLauncher.java:340)
at com.ibm.wsspi.bootstrap.WSPreLauncher.main(WSPreLauncher.java:110)
Server fails to launch
Corrective Action
Ensure the step III.M configuration points to the fortressSentry jar,
i.e. FORTRESS_HOME/lib/fortressProxyWebsphere[version].jar.
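The three failure signatures in this section can be told apart mechanically. The script below is an added example, not Fortress code: the function names and verdict labels are invented here, and the sample input is constructed from log lines quoted on this page. It classifies a SystemOut.log by its last registry event, so an old failure followed by a clean start reports OK.

```shell
#!/bin/sh
# Added example, not part of Fortress. Signatures are the ones quoted in the
# troubleshooting section; the last registry event in the file decides.

# $1 = SystemOut.log. Prints "<VERDICT> <corrective action>"; returns 0 only for OK.
triage_registry_log() {
    awk '
        /SECJ0136I/ { v = "OK custom registry initialized" }
        /SECJ0330E/ && /ClassNotFoundException/ {
            v = "PROXY_JAR_MISSING copy the proxy jar to the server lib folder (step III.A)" }
        /ClassNotFoundException: WsAccessMgrImpl/ {
            v = "SENTRY_JAR_MISSING add the fortressSentry jar to REALM_CLASSPATH (step III.M)" }
        /ConfigurationRuntimeException/ && /Error loading from configuration file/ {
            v = "CONF_DIR_MISSING point REALM_CLASSPATH at the Fortress conf folder (step III.M)" }
        END {
            if (v == "") v = "UNKNOWN no registry start-up event found"
            print v
            exit (v ~ /^OK / ? 0 : 1)
        }
    ' "$1"
}

# Constructed sample: a good start on 6/5 followed by a failed start on 6/6
# (sentry jar missing), built from lines quoted on this page.
sample_log() {
    cat <<'EOF'
[6/5/11 18:46:16:759 CDT] 00000000 UserRegistryI A SECJ0136I: Custom Registry:org.openldap.sentry.websphere.WsAccessMgrProxy has been initialized
[6/6/11 18:48:02:471 CDT] 00000000 WsAccessMgrPr I org.openldap.sentry.websphere.WsAccessMgrProxy.initialize - instantiate class: WsAccessMgrImpl
[6/6/11 18:48:02:474 CDT] 00000000 WsAccessMgrPr E org.openldap.sentry.websphere.WsAccessMgrProxy.initialize ClassNotFoundException=java.lang.ClassNotFoundException: WsAccessMgrImpl
EOF
}
```

Run it against the file from the verification step, for example `triage_registry_log /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/server1/SystemOut.log`.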