HATS administrative console and WebSphere® security

The HATS administrative console uses a Java Management Extensions (JMX) bean to perform remote administration. When WebSphere® Application Server global security is enabled, these JMX calls are authenticated by WebSphere® security and must have a valid level of authorization in WebSphere®. Consequently, remote administration from the HATS administrative console does not work properly unless the user ID is defined as a WebSphere® Application Server administrative console user with either Administrator or Operator authority.

The HATS administrative console allows you to view and change problem determination settings. It also allows you to view connection status or disconnect host connections. When you deploy a HATS application with HATS administrative capabilities, you can map each of three HATS roles to particular system user IDs for security. The three defined HATS roles (HATSAdministrator, HATSOperator, and HATSMonitor) each have different capabilities within the HATS administrative console. For more information, see HATS administrative console roles.

Similarly, the WebSphere® Application Server administrative console allows you to view and change the configuration of the WebSphere® Application Server environment. It enables you to install, start, stop, and uninstall Web applications such as HATS applications. There are WebSphere® console user roles (Administrator, Configurator, Operator, or Monitor) that provide different capabilities within the WebSphere® Application Server administrative console. The WebSphere® Application Server Knowledge Center provides additional detail on these security roles and policies.

If WebSphere® global security is enabled, the user IDs that have a HATS role can connect to the HATS administrative console in a HATS application, and can perform administration tasks within that specific HATS application only. If the user tries to change the management scope to remotely administer another HATS application, WebSphere® security will check the authority of the user ID. If the user ID is not a valid WebSphere® Application Server administrative console user with Administrator or Operator authority, the JMX calls will be blocked and HATS remote administration will not function properly.

For example, if the user ID is either not defined as a WebSphere® Application Server administrative console user at all, or defined with only Monitor authority, the Select Application list under Management Scope in the HATS administrative console will not display any other HATS applications. It will not be possible to change the management scope because no other applications are listed.

As another example, if the user ID is defined as a WebSphere® Application Server administrative console user with Configurator authority, the list will show other HATS applications, and the user can change scope from one application to another. However, the information shown in the HATS administrative console may be incorrect, and any changes attempted through remote administration will not take effect.

Therefore, if WebSphere® global security is enabled, two options exist for using the HATS administrative console.

Option 1: Keep HATS and WebSphere® Application Server user roles separate

If you do not want to give any WebSphere® Application Server administration authority to any of the user IDs that are mapped to HATS roles, then you must include the HATS administrative console in every HATS application, and you will need to administer each HATS application separately using the HATS administrative console for that specific application. You will not be able to use remote administration.

Option 2: Combine HATS and WebSphere® Application Server user roles

If you want to use the HATS administrative console in a single HATS application to remotely administer other HATS applications by changing the management scope, then the user IDs that are mapped to HATS roles must also be defined in WebSphere® Application Server as WebSphere® administrative console users with either Administrator role or Operator role. These users will be able to change the management scope in the HATS administrative console, and they will be able to perform the other HATS administrative tasks that are allowed for the specific HATS role to which they are mapped. In addition, the users will also be able to log in to the WebSphere® Application Server administrative console and perform WebSphere® administrative tasks that are allowed for the WebSphere® Application Server administrative console user role to which they are mapped.
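
The role rules above can be checked against an exported list of role mappings before choosing an option. The following Python script is an added example, not IBM or HATS code: it predicts the remote administration behavior for each user ID mapped to a HATS role and reports mappings that conflict with the chosen option. The user IDs, the mapping format, and the outcome labels are constructed for illustration.

```python
# Added example: audit HATS role mappings against WebSphere console roles.
# The rules come from the text above; all user IDs and mappings are constructed.
HATS_ROLES = {"HATSAdministrator", "HATSOperator", "HATSMonitor"}
REMOTE_ADMIN_ROLES = {"Administrator", "Operator"}


def remote_admin_outcome(was_roles):
    """Predict what happens when the user changes the management scope."""
    roles = set(was_roles)
    if roles & REMOTE_ADMIN_ROLES:
        return "works"
    if "Configurator" in roles:
        # Other applications are listed, but data may be incorrect and
        # changes made through remote administration do not take effect.
        return "listed-but-unreliable"
    # Not a console user at all, or Monitor only: no other applications listed.
    return "no-applications-listed"


def audit(hats_map, was_map, option):
    """Return (user, hats_role, outcome, issue) for each HATS-mapped user ID.

    option 1 = keep HATS and WebSphere roles separate (no remote administration)
    option 2 = combine roles so remote administration works
    """
    if option not in (1, 2):
        raise ValueError("option must be 1 or 2")
    findings = []
    for user in sorted(hats_map):
        hats_role = hats_map[user]
        if hats_role not in HATS_ROLES:
            raise ValueError("unknown HATS role: %r" % hats_role)
        was_roles = was_map.get(user, [])
        outcome = remote_admin_outcome(was_roles)
        issue = None
        if option == 2 and outcome != "works":
            issue = "add WebSphere Administrator or Operator role"
        elif option == 1 and was_roles:
            issue = "holds WebSphere console role(s): " + ", ".join(sorted(was_roles))
        findings.append((user, hats_role, outcome, issue))
    return findings


# Constructed sample mappings (hypothetical user IDs).
SAMPLE_HATS = {"alice": "HATSAdministrator", "bob": "HATSOperator",
               "carol": "HATSMonitor", "dave": "HATSOperator"}
SAMPLE_WAS = {"alice": ["Operator"], "bob": ["Configurator"], "carol": ["Monitor"]}

if __name__ == "__main__":
    for option in (1, 2):
        for finding in audit(SAMPLE_HATS, SAMPLE_WAS, option):
            print(option, *finding)
```

Under Option 2, every user ID reported without an issue also gains the WebSphere® console capabilities of its Administrator or Operator role, so the output doubles as a list of accounts to include in WebSphere® administrative access reviews.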

For either option, if WebSphere® global security is enabled, ensure the Enable application security option is selected. For WebSphere® Application Server V6.x, from the WebSphere® administrative console, select Security > Secure administration, applications, and infrastructure > Application security > Enable application security. For WebSphere® Application Server V7.x and V8.x, from the WebSphere® administrative console, select Security > Global security > Application security > Enable application security.

In summary, if WebSphere® global security is enabled, the user IDs that are mapped to any HATS roles must also be mapped to WebSphere® Application Server Administrator or Operator roles in order for HATS remote administration to function properly.