Monday, July 14, 2014

[TechNote] Configuring Collaboration & Deployment Services after enabling WebSphere Security


Technote (FAQ)


Question

What are the steps needed to configure Collaboration & Deployment Services (C&DS) correctly after enabling WebSphere Security?

Answer

Initial C&DS Install
If you have not already, install C&DS and then run setup against a WebSphere profile as you normally would. We will assume that you disabled WebSphere global security prior to installing C&DS (and other optional packages). Once the installation of C&DS and the optional packages completes, restart the server.
Updating the packages
We will need to update two packages and redeploy the updated packages.
These packages are:
PROCESS.package
Scoring.package
The packages can be found in the <install directory>/staging folder.
Steps for updating the package:
1. Copy a package from the <install dir>/staging folder to a temp directory. Then open it for editing using the WinRAR archiver or another tool with similar capability. Do not use WinZIP; it will not work.
2. Navigate to the deployables folder. The .ear file that we will update is listed below:
Package name        EAR name
PROCESS.package     process-ejb.ear
scoring.package     scoring-ejb.ear

3. Expand the ear file. It will show a list of files in the ear. We will need to update a certain .jar file from each ear. The .jar file that will be updated is listed below:
EAR name            JAR name
process-ejb.ear     process-ejb.jar
scoring-ejb.ear     scoring-ejb.jar

4. Drag the jar file out to a folder on your desktop or to another folder on your PC. Leave the WinRAR window open for now.
5. Open the extracted jar file using the WinRAR archiver or another tool with similar capability. Do not use WinZIP.
6. Navigate to the META-INF folder.
7. Edit the ejb-jar.xml to create the security role named CADSRole. The following examples show the changes to make to the ejb-jar.xml; the added elements are highlighted in bold. 

Revised ejb-jar.xml of process-ejb 
<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE ejb-jar PUBLIC '-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN' 'http://java.sun.com/dtd/ejb-jar_2_0.dtd'> 
<ejb-jar> 
<display-name>process-ejb</display-name>
<enterprise-beans> 
<session> 
<description>Session Bean ( Stateless )</description> 
<display-name>CalendarMonitorTimedObject</display-name> 
<ejb-name>CalendarMonitorTimedObject</ejb-name> 
<home>com.spss.process.internal.execution.ejb.CalendarMonitorTimedObjectHome</home> 
<remote>com.spss.process.internal.execution.ejb.CalendarMonitorTimedObjectRemote</remote> 
<ejb-class>com.spss.process.internal.execution.ejb.CalendarMonitorTimedObject</ejb-class> 
<session-type>Stateless</session-type> 
<transaction-type>Bean</transaction-type> 
<security-identity> 
<run-as> 
<description>A private internal role</description> 
<role-name>CADSRole</role-name> 
</run-as> 
</security-identity> 
</session> 
<session> 
<description>Session Bean ( Stateless )</description> 
<display-name>MessageMonitorTimedObject</display-name> 
<ejb-name>MessageMonitorTimedObject</ejb-name> 
<home>com.spss.process.internal.execution.ejb.MessageMonitorTimedObjectHome</home> 
<remote>com.spss.process.internal.execution.ejb.MessageMonitorTimedObjectRemote</remote> 
<ejb-class>com.spss.process.internal.execution.ejb.MessageMonitorTimedObject</ejb-class> 
<session-type>Stateless</session-type> 
<transaction-type>Bean</transaction-type> 
<security-identity> 
<run-as> 
<description>A private internal role</description> 
<role-name>CADSRole</role-name> 
</run-as> 
</security-identity> 
</session> 
<message-driven> 
<ejb-name>ProcessEventMDB</ejb-name> 
<ejb-class>com.spss.process.internal.execution.ejb.ProcessEventMDB</ejb-class> 
<transaction-type>Bean</transaction-type> 
<message-driven-destination> 
<destination-type>javax.jms.Queue</destination-type> 
</message-driven-destination> 
<security-identity> 
<run-as> 
<description>A private internal role</description> 
<role-name>CADSRole</role-name> 
</run-as> 
</security-identity> 
</message-driven> 
</enterprise-beans> 
<assembly-descriptor> 
<security-role> 
<role-name>CADSRole</role-name> 
</security-role> 
</assembly-descriptor> 
</ejb-jar> 



Revised ejb-jar.xml of scoring-ejb 
<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE ejb-jar PUBLIC '-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN' 'http://java.sun.com/dtd/ejb-jar_2_0.dtd'> 
<ejb-jar> 
<display-name>scoring-ejb</display-name> 
<enterprise-beans> 
<message-driven> 
<ejb-name>ScoringMDB</ejb-name> 
<ejb-class>com.spss.scoring.internal.ejb.ScoringMDB</ejb-class> 
<transaction-type>Container</transaction-type> 
<message-driven-destination> 
<destination-type>javax.jms.Queue</destination-type> 
</message-driven-destination> 
<security-identity> 
<run-as> 
<description>A private internal role</description> 
<role-name>CADSRole</role-name> 
</run-as> 
</security-identity> 
</message-driven> 
<message-driven> 
<ejb-name>ScoringNotificationsMDB</ejb-name> 
<ejb-class>com.spss.scoring.internal.ejb.ScoringNotificationsMDB</ejb-class> 
<transaction-type>Bean</transaction-type> 
<message-selector>ActionType = 'FileVersionCreated' OR ActionType = 'FileVersionDeleted' OR ActionType = 'FileDeleted' OR 
ActionType = 'VersionLabelApplied' OR ActionType = 'VersionLabelRemoved'</message-selector> 
<message-driven-destination> 
<destination-type>javax.jms.Topic</destination-type> 
</message-driven-destination> 
<security-identity> 
<run-as> 
<description>A private internal role</description> 
<role-name>CADSRole</role-name> 
</run-as> 
</security-identity> 
</message-driven> 
<message-driven> 
<ejb-name>ScoreLogMDB</ejb-name> 
<ejb-class>com.spss.logging.ejb.LoggingMDB</ejb-class> 
<transaction-type>Bean</transaction-type> 
<message-selector>LoggingDestination = 'ScoringService'</message-selector> 
<message-driven-destination> 
<destination-type>javax.jms.Queue</destination-type> 
</message-driven-destination> 
<env-entry> 
<description>target table name</description> 
<env-entry-name>target_table</env-entry-name> 
<env-entry-type>java.lang.String</env-entry-type> 
<env-entry-value>SPSSSCORE_LOG</env-entry-value> 
</env-entry> 
<security-identity> 
<run-as> 
<description>A private internal role</description> 
<role-name>CADSRole</role-name> 
</run-as> 
</security-identity> 
</message-driven> 
<session> 
<ejb-name>ScoringTimerSessionBean</ejb-name> 
<home>com.spss.scoring.internal.ejb.ScoringTimerHome</home> 
<remote>com.spss.scoring.internal.ejb.ScoringTimer</remote> 
<ejb-class>com.spss.scoring.internal.ejb.ScoringTimerSessionBean</ejb-class> 
<session-type>Stateless</session-type> 
<transaction-type>Bean</transaction-type> 
<security-identity> 
<run-as> 
<description>A private internal role</description> 
<role-name>CADSRole</role-name> 
</run-as> 
</security-identity> 
</session> 
</enterprise-beans> 
<assembly-descriptor> 
<security-role> 
<role-name>CADSRole</role-name> 
</security-role> 
<container-transaction> 
<method> 
<ejb-name>ScoringMDB</ejb-name> 
<method-name>*</method-name> 
</method> 
<trans-attribute>NotSupported</trans-attribute> 
</container-transaction> 
</assembly-descriptor> 
</ejb-jar> 

8. Close the WinRAR window that was used for editing the .jar. This will save the changes into the .jar.
9. Now drag the updated .jar file into the WinRAR window left open in step 4.
10. Close the WinRAR archive window. This will save the changes in the package.

Repeat these steps for each package you need to update.
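
A check that can be run on each edited jar before redeploying, as an added example that is not part of the original technote: it confirms that every bean in META-INF/ejb-jar.xml carries the CADSRole run-as identity and that the role is declared in the assembly descriptor. The function names, the bean names and the in-memory sample jar are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

ROLE = "CADSRole"  # role name the technote adds to each descriptor
DOCTYPE = ("<!DOCTYPE ejb-jar PUBLIC '-//Sun Microsystems, Inc.//DTD Enterprise "
           "JavaBeans 2.0//EN' 'http://java.sun.com/dtd/ejb-jar_2_0.dtd'>")

def check_descriptor(xml_bytes, role=ROLE):
    """Return a list of problems in an ejb-jar.xml (empty list means OK)."""
    root = ET.fromstring(xml_bytes)  # the external DTD named in DOCTYPE is not fetched
    problems = []
    beans = root.find("enterprise-beans")
    for bean in (list(beans) if beans is not None else []):
        name = (bean.findtext("ejb-name") or "?").strip()
        run_as = bean.findtext("security-identity/run-as/role-name")
        if run_as is None or run_as.strip() != role:
            problems.append(f"{name}: no <run-as> identity for {role}")
    declared = {(r.text or "").strip()
                for r in root.findall("assembly-descriptor/security-role/role-name")}
    if role not in declared:
        problems.append(f"assembly-descriptor: <security-role> {role} not declared")
    return problems

def check_jar(jar_file, role=ROLE):
    """Check META-INF/ejb-jar.xml inside a jar (path or file-like object)."""
    with zipfile.ZipFile(jar_file) as jar:
        return check_descriptor(jar.read("META-INF/ejb-jar.xml"), role)

def build_sample_jar(with_role):
    """Constructed sample jar: two beans, fully edited only if with_role."""
    ident = (f"<security-identity><run-as><role-name>{ROLE}</role-name>"
             "</run-as></security-identity>")
    xml = (DOCTYPE + "<ejb-jar><enterprise-beans>"
           f"<session><ejb-name>TimerBean</ejb-name>{ident}</session>"
           "<message-driven><ejb-name>EventMDB</ejb-name>"
           f"{ident if with_role else ''}</message-driven>"
           "</enterprise-beans><assembly-descriptor>"
           + (f"<security-role><role-name>{ROLE}</role-name></security-role>"
              if with_role else "")
           + "</assembly-descriptor></ejb-jar>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/ejb-jar.xml", xml)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(check_jar(build_sample_jar(with_role=False)))  # incomplete edit
    print(check_jar(build_sample_jar(with_role=True)))   # complete edit
```

For a real package, pass the path of the extracted process-ejb.jar or scoring-ejb.jar to check_jar.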
Install the Updates
Use the package manager to deploy the updated packages into your existing C&DS install. The packagemanager.bat file (packagemanager.sh on Unix) is located in the <install dir>/setup folder.

Make sure that the package manager install completes successfully. Any error here would indicate a potential problem with the package update.

If this is a clustered environment, see the chapter “Clustering” in the IBM SPSS Collaboration and Deployment Services Repository 4.2 Installation and Configuration Guide for steps on installing new packages and patches.
Once package manager completes, restart the server.
Update WebSphere Security Setup
Open the WebSphere admin console and navigate to the Global Security panel. On WebSphere 7, this is under Security->Global Security.

1. Check “Enable administrative security” option
2. Check “Enable application security” option
3. Uncheck “Use Java 2 security to restrict application access to local resources” option

Update deployed applications security setting
Next we will associate CADSRole with an existing WebSphere profile.
1. Expand Application->Application Types->WebSphere enterprise applications
2. Locate process-ejb in the Enterprise Applications panel.
3. Click on the desired application.
4. Click on “Security role to user/group mapping”
5. On the displayed Enterprise Applications panel (1) Check the box against CADSRole, (2) Click on “Map Special Subjects” button, (3) select “Everyone” from the drop down that appears, and (4) click OK.



6. Click on “User RunAs roles”

7. On the displayed Enterprise Applications panel (1) Check the box next to CADSRole, (2) Enter a username and password for a WebSphere profile that has administrator or operator role, (3) Click on Apply, and (4) Click on OK.
8. Click on Save link
9. Repeat steps 1-8 for scoring-ejb.
10. Restart the WebSphere profile.
