SystemAdmin

Pinned topic Prevent webaccess to IMS Configuration Utility on port 443

2012-04-11T18:43:50Z
Hello everyone,

I have TAM E-SSO 8.1 FP4 installed. In the IMS Configuration Utility from the console (https://servername:9443/webconf) I have configured that the IMS AccessAdmin webpage is accessible (Allow form-based login to AccessAdmin from remote machine), like https://servername/admin

However, what I do not want is that the IMS Configuration Utility is also accessible from remote machines on port 443 (https://servername/webconf), which it is now.
How can I prevent that?
Updated on 2012-04-27T21:33:53Z by jtoma
  • jtoma

    Re: Prevent webaccess to IMS Configuration Utility on port 443

    ‏2012-04-13T22:22:53Z  
    If you enable application security in WebSphere ISC (Security -> Global Security -> Check the box for "Enable application security" -> Apply -> Save).

    Restart WebSphere and now when you try to get to the IMS configuration utility, you will be prompted for WebSphere credentials. Use the WebSphere credentials that you use to log in to ISC to gain access to the web configurator.
  • SystemAdmin

    Re: Prevent webaccess to IMS Configuration Utility on port 443

    ‏2012-04-14T06:21:56Z  
    Hi, application security is already enabled for me. But that does not prevent the IMS Config Wizard from being accessible on every workstation on https (port 443). Yes, you do need wasadmin credentials to log on, but I want to prevent the IMS Config from even being shown.
    So can it be accessible only through port 9043 / 9443 for instance? In that way, you will need to log on to the Windows Server first (RDP) to be able to access the IMS Config.
  • HomerJSimpson

    Re: Prevent webaccess to IMS Configuration Utility on port 443

    ‏2012-04-16T14:52:57Z  
    In order to prevent /webconf from being accessible via normal HTTP/HTTPS port(s), you need to make sure you haven't mapped the modules for this app to your webserver (or configured your WAS Server (Deployment Manager) to listen on the ports 80/443).

    Log in to the WAS admin console and navigate to:
    Applications > Application Type > WebSphere Enterprise Applications
    Select the IMSConfig application (names are different depending on version of IMS).
    Click on 'Manage Modules' (in the 'Modules' section)
    In the Module table, you'd want to see if any module is mapped to your webserver (would be listed in the "Server" column).
    If so, select the module(s) and remap them to just your appserver (if single server env) or your cluster (if a clustered env).

    Save your settings.
    (sync your nodes if this is a cluster)
    regenerate/propagate your webserver plugin
    and restart your app/webservers
  • SystemAdmin

    Re: Prevent webaccess to IMS Configuration Utility on port 443

    ‏2012-04-17T07:14:54Z  
    Thank you for this answer, really helpful!
  • jtoma

    Re: Prevent webaccess to IMS Configuration Utility on port 443

    ‏2012-04-20T23:01:44Z  
    Note that the suggestion provided above should only be used on 8.2. In 8.1, if the TAMESSOIMS application is removed from the webserver mapping, this affects the entire IMS functionality. The IMSConfig application was only separated starting in v8.2.
  • SystemAdmin

    Re: Prevent webaccess to IMS Configuration Utility on port 443

    ‏2012-04-21T06:13:34Z  
    This is true, in 8.2 it is separated. But in 8.1 there is an IMS WebConfig in the Modules.
    I have remapped that one only to the server (and not the webserver) and it seemed that it did the job.
  • jtoma

    Re: Prevent webaccess to IMS Configuration Utility on port 443

    ‏2012-04-27T21:33:53Z  
    Good to know. Thanks for the info.
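
A way to verify the remapping discussed in this thread, as an added example that is not part of any post: after regenerating the web server plug-in, parse the resulting plugin-cfg.xml and list every route that would still forward /webconf from the web server to the application server. The sample XML is constructed, and its server, cluster and group names are placeholders.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed sample of a generated plugin-cfg.xml; the server, cluster and
# group names are placeholders, not values from the thread.
SAMPLE_PLUGIN_CFG = """<Config>
  <VirtualHostGroup Name="default_host">
    <VirtualHost Name="*:443"/>
    <VirtualHost Name="*:9443"/>
  </VirtualHostGroup>
  <UriGroup Name="default_host_server1_URIs">
    <Uri Name="/admin/*"/>
    <Uri Name="/webconf/*"/>
  </UriGroup>
  <Route ServerCluster="server1_Cluster"
         UriGroup="default_host_server1_URIs"
         VirtualHostGroup="default_host"/>
</Config>"""


def exposed_routes(plugin_cfg_xml, path="/webconf/"):
    """Return (uri_pattern, virtual_hosts) for every Route whose UriGroup
    matches `path`, i.e. every way the web server would still forward it."""
    root = ET.fromstring(plugin_cfg_xml)
    # Index the URI patterns and virtual hosts by their group names.
    uri_groups = {g.get("Name"): [u.get("Name") for u in g.findall("Uri")]
                  for g in root.iter("UriGroup")}
    vhost_groups = {g.get("Name"): [v.get("Name") for v in g.findall("VirtualHost")]
                    for g in root.iter("VirtualHostGroup")}
    hits = []
    for route in root.iter("Route"):
        vhosts = vhost_groups.get(route.get("VirtualHostGroup"), [])
        for pattern in uri_groups.get(route.get("UriGroup"), []):
            # Plug-in URI patterns use a trailing wildcard, e.g. /webconf/*
            if fnmatchcase(path, pattern):
                hits.append((pattern, vhosts))
    return hits


if __name__ == "__main__":
    hits = exposed_routes(SAMPLE_PLUGIN_CFG)
    for pattern, vhosts in hits:
        print("STILL ROUTED: %s via %s" % (pattern, ", ".join(vhosts)))
    if not hits:
        print("OK: /webconf is not routed by the web server plug-in")
```

To check a real deployment, pass the contents of the propagated plugin-cfg.xml (read as bytes) to `exposed_routes`; an empty result means the web server no longer forwards /webconf.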