WSADMIN Security

Hi,

I have a requirement to restrict the WSADMIN locally to the server where the WAS server process is running.

We create and use Windows services with the -stopArgs -uname -password options for our WAS servers. But when the admin credentials are changed, the Windows services behave oddly, leaving the server process in an intermittent state while starting and stopping.

As an alternative to this I have recreated the Windows services without the stopArgs, encrypted the new password and declared the credentials in soap.client.props.

But this opened up a security hole: wsadmin can be invoked from any machine in the same internal network.

I don't want this behavior. A user who tries to use wsadmin for a server from a remote machine should be challenged. But since I am using the SOAP client properties, this is not happening.

Can anyone explain to me how to best address this problem (restricting wsadmin to local), or I request anyone in EE to provide the best approach for wsadmin security.

Thanks,
Rishi





RishiBangAsked:

HonorGodSoftware EngineerCommented:
> But this opened up a security hole that the wsadmin can be invoked from any machine in the same internal network.

  Well, the machines would have to have a version of WebSphere >= the version of WebSphere that you are trying to protect, but I see your point.

  Interesting problem.

One possible solution:
- Have a local process "generate" a new admin password, but not write it to file
- Have this process invoke wsadmin locally to change the admin password, and
  either "stick around" waiting for any requests (TCP/IP connections) of the form:
  - What's the current password
  - The result could then be used to start a local wsadmin session
  or, it could even write it to some local file somewhere

Then, you could have a process either read this password file, or connect to that monitor process and request the current password before starting wsadmin.

Make sure that if you write a file, the directory, and file are not network accessible.

If you use the password process form, only accept connection requests from the local machine.

How's that sound?
RishiBangAuthor Commented:
Hi HonorGod,

The solution discussed is not feasible for us as we use LDAP as user registry for WAS Global Security.
 
One possible solution is to disable the SOAP & RMI ports for remote machines.

But I am not sure whether it gives the expected behavior or raises problems with the Admin console web app.

Please let me know your thoughts.

Thanks,
Rishi
HonorGodSoftware EngineerCommented:
If you are able to disable remote access to SOAP & RMI ports, that certainly would be an easy solution.

This would require administration to be done locally.

AdminRAMCommented:

You can run wsadmin with multiple users with different soap.client.props files. Steps as follows:

Create new copies of setupCmdLine.bat and wsadmin.bat called user1setupCmdLine.bat and user1wsadmin.bat.


REM user1setupCmdLine.bat: point the SOAP client config at the per-user props file
SET CLIENTSAS=-Dcom.ibm.CORBA.ConfigURL=file:%USER_INSTALL_ROOT%/properties/sas.client.props
SET CLIENTSOAP=-Dcom.ibm.SOAP.ConfigURL=file:%USER_INSTALL_ROOT%/properties/user1soap.client.props

user1wsadmin.bat

REM user1wsadmin.bat: load the per-user setupCmdLine instead of the default one
set WAS_USER_SCRIPT=C:\WebSpherev6.1\profiles\Dmgr01\bin\user1setupCmdLine.bat

Don't define any userid or password in that user1soap.client.props.

When a user tries to use user1wsadmin.bat, it will ask for a username and password.

C:\WebSpherev6.1\profiles\Dmgr01\bin>user1wsadmin -lang jython

Hope this helps you :-)
AdminRAMCommented:
If you run the wsadmin command on a remote machine, then it will look for the soap.client.props file locally on that machine, not on the server.

For example, I have WebSphere running on server1.

If I am using the wsadmin command to connect to server1 from server2, then wsadmin will read the soap.client.props residing on server2.

RishiBangAuthor Commented:
Hi AdminRAM,

Thanks for the detailed info. The solution looks good, but I need to try it.

But please clarify one thing about
"I am using wsadmin command to connect server1 from server2 then wsadmin will read soap.client.prop reside on server2"

By this, did you mean that even if the remote user issues a command like "wsadmin server1" from server2, it would look for the SOAP props on server2?

Thanks,
Rishi

HonorGodSoftware EngineerCommented:
It would depend upon the exact command, and how it was issued.

If, on machine #1, I execute:

wsadmin -conntype soap -host hostname -port port# -user userName -password PaSsWoRd

I would expect the specified userid and password to be used to authenticate the user.

However, if I specified:

wsadmin -conntype soap -host hostname -port port#

Would the soap.client.properties file (identified in the wsadmin.properties file) be used?  One would expect so, yes.
RishiBangAuthor Commented:
HonorGod.

When you say  "if I execute the command wsadmin -conntype soap -host hostname -port port#"

Do you mean it will search for the credentials (SOAP props) on the machine on which the command is run?

Please clarify.

Thanks,
Rishi
HonorGodSoftware EngineerCommented:
Yes.  wsadmin needs the SOAP hostname & port# so that these values don't have to be provided on the command line.

Does that make sense?
AdminRAMCommented:
Hello

> Do you mean it will search for the creds (soap props) on the machine on which the command is run???

Yes, soap.client.props will be read from the profile where you are running wsadmin.

for example

If you run the wsadmin command from c:/ibm/websphere/appserver/profile/appsrv01 --> wsadmin will read soap.client.props from c:/ibm/websphere/appserver/profile/appsrv01/properties

If you run the wsadmin command from c:/ibm/websphere/appserver/profile/appsrv02 --> then wsadmin will read the one belonging to this profile, c:/ibm/websphere/appserver/profile/appsrv02/properties

To check which soap.client.props is being read when I run the wsadmin command, see the following details.

wsadmin -conntype soap -host hostname -port port -traces

Look into the log file wsadmin.traceout under c:/ibm/websphere/appserver/profile/appsrv02/logs

HonorGodSoftware EngineerCommented:
Will it look for SOAP creds?  No, it looks for the values to be sent to the server for authentication.

Does that make sense?

If you have a local soap.client.props with a userid & password specified, then the local wsadmin will retrieve them (should the SOAP protocol be defaulted, or specified as the communication protocol for connection to the server).

If the file isn't present, or if the userid and password values aren't defined, then wsadmin needs to prompt the user for their values.

Otherwise, you have to specify them on the wsadmin command line...
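As an added example (not code from this thread or from IBM), the Python below parses a soap.client.props file and reports whether a wsadmin client using it will prompt for credentials, as with AdminRAM's blank user1soap.client.props, or silently use stored ones, as HonorGod describes. The two sample files are constructed; the property names are the real WebSphere keys, and the check flags a {xor} password because that encoding is reversible obfuscation rather than encryption.

```python
import re

# Real WebSphere soap.client.props keys that govern how a wsadmin SOAP client logs in.
SECURITY_KEY = "com.ibm.SOAP.securityEnabled"
USERID_KEY = "com.ibm.SOAP.loginUserid"
PASSWORD_KEY = "com.ibm.SOAP.loginPassword"
SOURCE_KEY = "com.ibm.SOAP.loginSource"   # prompt | stdin | none

# Constructed sample files: the shared props with stored creds (the asker's setup)
# and a per-user copy with the creds left blank (AdminRAM's user1soap.client.props).
SHARED_PROPS = """\
# soap.client.props (constructed sample)
com.ibm.SOAP.securityEnabled=true
com.ibm.SOAP.loginUserid=wasadmin
com.ibm.SOAP.loginPassword={xor}EXAMPLEONLY
com.ibm.SOAP.loginSource=prompt
"""
USER1_PROPS = """\
# user1soap.client.props (constructed sample)
com.ibm.SOAP.securityEnabled=true
com.ibm.SOAP.loginUserid=
com.ibm.SOAP.loginPassword=
com.ibm.SOAP.loginSource=prompt
"""

_LINE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")

def parse_props(text):
    """Minimal Java .properties parser: '#'/'!' comments, key=value or key:value."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit_props(text):
    """Report how a wsadmin client using this file authenticates and what to flag."""
    p = parse_props(text)
    secure = p.get(SECURITY_KEY, "false").lower() == "true"
    user, pwd = p.get(USERID_KEY, ""), p.get(PASSWORD_KEY, "")
    source = p.get(SOURCE_KEY, "prompt").lower()
    findings = []
    if not secure:
        findings.append("securityEnabled is not true; client will not authenticate")
    if pwd:
        findings.append("password stored in file; anyone who can read it can log in")
        if pwd.startswith("{xor}"):
            findings.append("{xor} value is reversible obfuscation, not encryption")
    # wsadmin prompts only when security is on, no creds are stored, and loginSource=prompt
    prompts = secure and not (user and pwd) and source == "prompt"
    return {"user": user, "stored_password": bool(pwd), "prompts": prompts, "findings": findings}
```

Run it against every profile's properties directory on the WAS host (and on any workstation with a WAS client install) to see which copies would log in without a challenge.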
RishiBangAuthor Commented:
Thanks to HonorGod & AdminRam
HonorGodSoftware EngineerCommented:
Thanks for the assist and the points.

Good luck & have a great day.
AdminRAMCommented:
Thank you for the points.