This section introduces the IBM Lotus Expeditor integrator security model for the Web-based Interfaces (currently the REST Adapter and the Expeditor integrator GUI).
Securing GUI Component Access Overview
Since the tools in the Expeditor integrator GUI give access to very sensitive operational functions (for example configuration updates, platform reset, and installation, removal or change of components), access to them must be secured.
The Expeditor integrator GUI frame is generally accessible as soon as the UI components are installed and started. The Start Page is displayed and shows basic status information about the accessed Expeditor integrator instance.
All further Web Applications that contribute to the Expeditor integrator GUI frame must be explicitly enabled in the Expeditor integrator configuration (e.g. in the XPDinteg.xml). Figure 39 shows the example tabs of the Configuration and Administration Tool applications. It also demonstrates how these application tabs provide access to the XPDinteg Config/Admin/etc UI components which are secured by the access roles defined in their web.xml configuration file.

Figure 39: Expeditor integrator GUI access control approach
The Start Page contains the Logon view which users must use to authenticate. Depending on the configured role/group (under “displayed_for_role” in the XPDinteg.xml GUI configuration section), each Expeditor integrator GUI Web Application is displayed as a tab or not. The access rights to the corresponding XPDinteg UI Plug-ins / Web Applications are further defined in their web.xml file. Per default, the Expeditor Client authentication service (the User Admin Service) is used for user authentication and management. Section 8 describes in detail how the User Admin Service is used by Expeditor integrator.
Figure 40: Expeditor integrator GUI - access control configuration options
The REST Adapter is also secured. The access control is managed in the same way as for the Expeditor integrator GUI (see Figure 40).
The following default users, passwords, roles and access rights have been assigned (see Table 50 and Figure 40).
Table 50: Expeditor integrator GUI access roles
XPDinteg role / XPDinteg Servlet web.xml | uiadmin | uiconfig | uimonitor | uitest | restadmin | restscriptexecute | restsupport | restresourcebrowser | restuser | anonymous |
AdminUI | √ | | | | | | | | | |
Config UI | | √ | | | | | | | | |
Monitor UI | | √ | √ | √ | | | | | | |
Test UI | | | | √ | | | | | | |
Welcome UI | √ | √ | √ | √ | | | | | | |
REST Dispatcher Servlet | | | | | √ | √ | √ | √ | √ | |
REST Admin Servlet | | | | | √ | | | | | |
REST Execute Servlet | √ | | | | | √ | | | | |
REST Support Servlet | √ | | | | | | √ | | | |
REST Browse Servlet | √ | | | | | | | √ | | |
REST User Servlet | √ | | | | | | | | √ | |
The following user accounts are created per default:
- xpdintegadmin / xpdintegadmin
This is the Administrator account which has access to all Expeditor integrator tools and GUI pages.
- xpdinteg / xpdinteg
This is the default user for the REST Adapter.
Note: The default users and roles are configured in the XPDintegDefaultRoles.xml file (see chapter 8.2 Configuring the Expeditor User Admin service with Expeditor integrator).
Per default, only a locally running browser can access the Expeditor integrator GUI. If required, remote access from other computers can be enabled by adding the following lines:
/ui=*:[8777,8778]
/config=*:[8777,8778]
/admin=*:[8777,8778]
/monitor=*:[8777,8778]
/testtool=*:[8777,8778]
/welcome=*:[8777,8778]
in the vconfig.txt file under either
a. <XPDintegHome>/config/system/ssl/ or
b. <XPDintegHome>\rcp\eclipse\plugins\com.ibm.rcp.integrator.config.deployment-<date>\payload\config\system\ssl\
(Changes according to a. require platform restart and will be ‘lost’ after platform reset. Changes according to b. need platform reset, but will ‘survive’ later reset.)
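As an added example (not part of the original documentation and not IBM code), the following Python audit reads the context entries of a vconfig.txt file in the line shape shown above, `/context=host:[port,port]`, and reports which GUI contexts have been opened to remote computers. It assumes that `*` as the host is what enables remote access, as the text states; the `localhost` entry in the constructed sample is only an assumption used to show a non-remote line.

```python
"""Audit vconfig.txt context entries for remote exposure (example added here, not IBM code).

Assumes the line shape '/context=host:[port,port]' shown in the documentation, where a
host of '*' enables access from any computer. Everything else about vconfig.txt syntax
is an assumption of this example.
"""
import re

# Constructed sample: two contexts opened to remote hosts, one left restricted.
# The 'localhost' form is assumed for illustration; the page only shows '*' lines.
SAMPLE_VCONFIG = """/ui=*:[8777,8778]
/config=*:[8777,8778]
/admin=localhost:[8777,8778]
"""

ENTRY_RE = re.compile(r"^(/[^=\s]+)=([^:\s]+):\[([0-9,\s]*)\]$")


def parse_vconfig(text):
    """Return a list of (context, host, ports) tuples; unrecognised lines raise."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError("unrecognised vconfig.txt line: %r" % line)
        context, host, ports = m.groups()
        entries.append((context, host, [int(p) for p in ports.split(",") if p.strip()]))
    return entries


def remotely_exposed(entries):
    """Contexts whose host is '*' and are therefore reachable from other computers."""
    return [context for context, host, _ in entries if host == "*"]


if __name__ == "__main__":
    parsed = parse_vconfig(SAMPLE_VCONFIG)
    print("remotely reachable GUI contexts:", remotely_exposed(parsed))
```

Run it against the copy of vconfig.txt that is actually in effect (location a. or b. above, depending on whether the change was meant to survive a platform reset) to confirm that only the contexts you intended are listed.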
Expeditor integrator components such as the REST Adapter and the GUI provide direct access to sensitive operational functions (e.g. ExecuteScript, ConfigUpdate, PlatformReset etc.). Expeditor integrator offers user authenticated access to these components by using the Expeditor Client User Admin Service. Expeditor integrator user account and role information is retrieved from this User Admin Service.
The following sections contain information about how Expeditor integrator can be used to configure the User Admin Service.
Configuring the Expeditor User Admin service with Expeditor Integrator
The Expeditor User Admin Service keeps its configuration in the User Admin (configuration) store. Like other Eclipse platform configuration data, this store is wiped out when the platform is reset (the workspace folder is deleted). It is also empty after the first installation of Expeditor integrator.
This conflicts with the fact that the Expeditor User Admin store must contain defined default user accounts for a number of Expeditor integrator services to work securely (e.g. for the GUI services and the REST Adapter). Therefore, it must be ensured during start-up that the User Admin store is populated with user data for Expeditor integrator.
If the User Admin Service configuration store is NOT empty during start-up, the existing User Admin Service configuration is retained. This ensures that the Expeditor User Admin can also be configured by 3rd party tools or by connections to other directory services (e.g. LDAP).
Expeditor integrator allows for configuring the Expeditor User Admin Service in two situations:
1. during initial start-up after Expeditor integrator platform resets and
2. during Expeditor integrator operation.
The latter requires a platform restart to complete.
For both situations, the configuration source (configuration provider) can be configured. The default configuration sources are XML configuration files:
- XPDintegDefaultRoles.xml
Contains all required Expeditor integrator default users, roles and passwords so that a new or reset platform can re-start and operate. Per default, this file is located in the config/system folder:
<XPDINTEG_HOME>/config/system/XPDintegDefaultRoles.xml
- XPDintegRoles.xml
Contains the current users, roles and passwords specific to a single Expeditor integrator instance. This file is also taken for applying updates during runtime. Per default, this file is located in the config/ folder:
<XPDINTEG_HOME>/config/XPDintegRoles.xml
Currently, the Expeditor integrator can only configure the User Admin store through its own configuration file based methods. An option for future integration of directory service support is also provided (e.g. for LDAP).
The name and the location of the two user admin configuration files are configurable in the <common> section of the Expeditor integrator configuration (e.g. in the XPDinteg.xml, see chapter 4.2.5 Expeditor integrator User Access Control).
The structure of the XPDinteg(Default)Roles.xml configuration files is shown in Listing 57.
Listing 57: Example for initial access roles and user creation in XPDintegDefaultRoles.xml
<configuration>
  <role name="uiadmin" description="Admin role for the XPDinteg GUI">
    <users>
      <user username="xpdintegadmin" password="xpdintegadmin"/>
    </users>
  </role>
  <role name="uiconfig" description="Config role for the XPDinteg GUI">
    <users>
      <user username="xpdintegadmin" password="xpdintegadmin"/>
      <user username="xpdintegconfig" password="xpdintegconfig"/>
    </users>
  </role>
  <role name="uimonitor" description="Monitor role for the XPDinteg GUI">
    <users>
      <user username="xpdintegadmin" password="xpdintegadmin"/>
      <user username="xpdintegconfig" password="xpdintegconfig"/>
      <user username="xpdintegmonitor" password="xpdintegmonitor"/>
      <user username="xpdintegtest" password="xpdintegtest"/>
    </users>
  </role>
  <role name="uitest" description="Test role for the XPDinteg GUI">
    <users>
      <user username="xpdintegadmin" password="xpdintegadmin"/>
      <user username="xpdintegtest" password="xpdintegtest"/>
    </users>
  </role>
  <role name="restadmin" description="Admin role for the REST adapter">
    <users>
      <user username="xpdintegadmin" password="xpdintegadmin"/>
      <user username="xpdintegrestadmin" password="xpdintegrestadmin"/>
    </users>
  </role>
  <role name="restscriptexecute" description="Execute script role for the REST Adapter">
    <users>
      <user username="xpdintegadmin" password="xpdintegadmin"/>
      <user username="xpdintegrestadmin" password="xpdintegrestadmin"/>
      <user username="xpdintegrestscriptexecute" password="xpdintegrestscriptexecute"/>
    </users>
  </role>
  <role name="restsupport" description="Config role for the REST Adapter">
    <users>
      <user username="xpdintegadmin" password="xpdintegadmin"/>
      <user username="xpdintegrestadmin" password="xpdintegrestadmin"/>
      <user username="xpdintegrestsupport" password="xpdintegrestsupport"/>
    </users>
  </role>
  <role name="restresourcebrowser" description="Rest resource role for the REST Adapter">
    <users>
      <user username="xpdintegadmin" password="xpdintegadmin"/>
      <user username="xpdintegrestadmin" password="xpdintegrestadmin"/>
      <user username="xpdintegrestresourcebrowser" password="xpdintegrestresourcebrowser"/>
    </users>
  </role>
  <role name="restuser" description="User role for the REST Adapter">
    <users>
      <user username="xpdintegadmin" password="xpdintegadmin"/>
      <user username="xpdintegrestadmin" password="xpdintegrestadmin"/>
      <user username="xpdintegrestuser" password="xpdintegrestuser"/>
    </users>
  </role>
</configuration>
Note: The passwords should be encrypted using the PasswordUtil utility (in <XPDINTEG_HOME>/tools).
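As an added example (not part of the original documentation and not IBM code), the following Python audit parses a roles file with the structure of Listing 57, flags accounts whose stored password still equals the username (the shipped defaults, left neither changed nor encrypted with PasswordUtil), and resolves each user's effective servlet access from the Table 50 matrix. The sample XML is constructed for this example; it assumes that a password encrypted by PasswordUtil never equals the plain username, and the `SERVLET_ROLES` table is this example's transcription of Table 50.

```python
"""Audit of an XPDintegRoles.xml / XPDintegDefaultRoles.xml file against Table 50.

Example added to this page; it is not IBM code. It assumes the XML structure of
Listing 57 and that a password encrypted with PasswordUtil never equals the username.
"""
import xml.etree.ElementTree as ET

# Constructed sample (three roles, one password already changed from the default).
SAMPLE_ROLES_XML = """<configuration>
  <role name="uiadmin" description="Admin role for the XPDinteg GUI">
    <users>
      <user username="xpdintegadmin" password="xpdintegadmin"/>
    </users>
  </role>
  <role name="uimonitor" description="Monitor role for the XPDinteg GUI">
    <users>
      <user username="xpdintegadmin" password="xpdintegadmin"/>
      <user username="xpdintegmonitor" password="changed-by-operator"/>
    </users>
  </role>
  <role name="restscriptexecute" description="Execute script role for the REST Adapter">
    <users>
      <user username="xpdintegadmin" password="xpdintegadmin"/>
      <user username="xpdintegrestscriptexecute" password="xpdintegrestscriptexecute"/>
    </users>
  </role>
</configuration>"""

# Servlet -> roles that may reach it, transcribed from Table 50 (the 'anonymous'
# column grants nothing and is omitted).
SERVLET_ROLES = {
    "AdminUI": {"uiadmin"},
    "Config UI": {"uiconfig"},
    "Monitor UI": {"uiconfig", "uimonitor", "uitest"},
    "Test UI": {"uitest"},
    "Welcome UI": {"uiadmin", "uiconfig", "uimonitor", "uitest"},
    "REST Dispatcher Servlet": {"restadmin", "restscriptexecute", "restsupport",
                                "restresourcebrowser", "restuser"},
    "REST Admin Servlet": {"restadmin"},
    "REST Execute Servlet": {"uiadmin", "restscriptexecute"},
    "REST Support Servlet": {"uiadmin", "restsupport"},
    "REST Browse Servlet": {"uiadmin", "restresourcebrowser"},
    "REST User Servlet": {"uiadmin", "restuser"},
}


def parse_roles(xml_text):
    """Return {role_name: {username: stored_password}} from the roles XML."""
    root = ET.fromstring(xml_text)
    roles = {}
    for role in root.findall("role"):
        members = {}
        for user in role.findall("users/user"):
            members[user.get("username")] = user.get("password")
        roles[role.get("name")] = members
    return roles


def roles_of_user(roles):
    """Invert parse_roles() output to {username: set of role names}."""
    by_user = {}
    for role_name, members in roles.items():
        for username in members:
            by_user.setdefault(username, set()).add(role_name)
    return by_user


def default_credentials(roles):
    """Usernames whose stored password still equals the username, i.e. the shipped
    default was neither changed nor encrypted (assumption: an encrypted value never
    equals the plain username)."""
    found = set()
    for members in roles.values():
        for username, password in members.items():
            if password == username:
                found.add(username)
    return sorted(found)


def effective_access(roles, username):
    """Servlets the user can reach, given their roles and the Table 50 matrix."""
    held = roles_of_user(roles).get(username, set())
    return sorted(servlet for servlet, allowed in SERVLET_ROLES.items() if held & allowed)


if __name__ == "__main__":
    r = parse_roles(SAMPLE_ROLES_XML)
    print("unchanged default credentials:", default_credentials(r))
    for u in sorted(roles_of_user(r)):
        print(u, "->", effective_access(r, u))
```

Because xpdintegadmin is a member of every role in Listing 57, it is worth checking its effective access explicitly: in the constructed sample it reaches the REST Execute Servlet through either uiadmin or restscriptexecute, which is why an unchanged default password on that account matters more than on any other.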
Updating the User Admin Service configuration with Expeditor Integrator
Currently, there are two methods for remotely updating the configuration of the User Admin store and the user roles:
1. Using the existing configuration update process of Expeditor integrator based on the ConfigUpdate ACS flow
a. (manually) triggered by a file in the config/new directory (see the <config_update_location> property)
b. Triggered by a ConfigUpdate message that either contains a complete XPDintegRoles.xml configuration file or a parameter list of the configuration values that must be updated.
2. Using the Expeditor Client Manager (XCM)
The following sections describe these two options in detail.
User Admin Service configuration using an Expeditor integrator Configuration File and ConfigUpdate flow
The User Admin configuration can be updated using the Expeditor integrator ConfigUpdate ACS flow method. A new UserConfigUpdate.flow is created which is similar to the default Configuration Update flow (see ConfigUpdate.flow). This is achieved in the same way as updates are provided to the Expeditor integrator configuration, by sending either:
- the complete configuration file (Option_1) or
- by providing a list of parameter-values which must be updated (Option_2).
The following inbound resource mapping settings are required for using the ConfigUpdate process to adjust the User Admin configuration (see Resource Mapper configuration in chapter 4.6.1 Inbound Resource Mapper):
Listing 58: UserConfigUpdateFile Resource Mapper example configuration (set in XPDinteg.xml)
<resource-mapping type="UserConfigUpdateFile">
  <param name="TransportType" value="LocalFileSystem"/>
  <param name="Description" value="User configuration properties file"/>
  <param name="TransferMode" value="ASCII"/>
  <param name="DestinationCreationMode" value="OVERWRITE"/>
  <param name="DestinationPath" value="config"/>
  <param name="DestinationName" value="XPDintegRoles.xml"/>
  <param name="Encoding" value="UTF8"/>
</resource-mapping>
ConfigUpdate Message contains complete configuration file
Option 1: A new XPDintegRoles.xml file containing the User Admin configuration is sent in the ConfigUpdate control message with the message header properties set to:
MessagePurpose=ConfigUpdate
ResourceCmd=UserConfigFILE;[Command:{restart|stop};Param:console,reset]
Listing 59: Default configuration for JMS_DESTINATION_ADAPTER in XPDinteg.xml file for User Config Update through a new XPDintegRoles.xml file
<adapter type="XPDINTEG_JMS_DESTINATION_ADAPTER" name="UC350_UserConfigUpdateAdapter">
  <!-- async mode -->
  <listener>
    <meta-data>MessagePurpose = 'ConfigUpdate' AND ResourceCmd LIKE 'UserConfigFILE%'</meta-data>
    <topic>com/ibm/integrator/flowtriggerevent/ConfigUpdate/LocalFileSystem/UserConfigUpdateFile/JmsAdapter</topic>
  </listener>
  <configuration>
    <param name="JndiConnectionFactoryKey" value="jms/XPDinteg_ConnectionFactory"/>
    <param name="JndiDestinationKey" value="jms/XPDinteg_CtrlQ"/>
    <param name="JndiDeadLetterKey" value="jms/XPDinteg_ServerDeadletterQ"/>
    <param name="ValidateLocationId" value="ON"/>
  </configuration>
</adapter>
Listing 60 lists the content of the UserConfigUpdate.flow file which describes the required steps for applying the changes received through the ConfigUpdate message to the Expeditor User Admin Service. In this case, the message payload contains the complete XPDintegRoles.xml file.
Listing 60: Default_UserConfigUpdate.flow definition file (based on ConfigUpdate flow)
<?xml version="1.0" encoding="UTF-8"?>
<Process Name="UserConfigUpdate_Process" Trigger="com/ibm/integrator/flowtriggerevent/ConfigUpdate/LocalFileSystem/UserConfigUpdateFile/JmsAdapter">
  <XPDintegActivity
    Name="UserConfigUpdate_ReadResource"
    ActivityName="XPDINTEG_MESSAGE_READ"
    PropertyKey="DATA_REFERENCE"
  />
  <XPDintegActivity
    Name="UserConfigUpdate_MessageToFile"
    ActivityName="XPDINTEG_MESSAGE_TO_FILE"
    JndiConnectionFactoryKey="jms/XPDinteg_ConnectionFactory"
  />
  <XPDintegActivity
    Name="UserConfigUpdate_FileWriteToFileSystem"
    ActivityName="XPDINTEG_FILE_WRITE_TO_FILE_SYSTEM"
    AdapterName="XPDINTEG_FILE_SYSTEM_ADAPTER"
  />
  <XPDintegActivity
    Name="UserConfigUpdate_UserAdminStoreUpdate"
    ActivityName="XPDINTEG_USERADMINSTORE_UPDATE_ACTIVITY"
  />
  <XPDintegActivity
    Name="UserConfigUpdate_PlatformRestart"
    ActivityName="XPDINTEG_PLATFORM_RESTART"
    LocalScriptFile="services/XPDintegRestart.bat"
  />
</Process>
The above flow is similar to a ConfigUpdate flow for properties. The first three activities in the flow write the XPDintegRoles.xml file (carried as the message payload) to the local file system.
The XPDINTEG_USERADMINSTORE_UPDATE_ACTIVITY erases the existing useradmin store and populates the store using the file written by the preceding activity.
Since a restart of the platform is required for applying useradmin store updates, XPDINTEG_PLATFORM_RESTART is the last activity within the flow.
ConfigUpdate Message contains list of configuration properties
Option 2: A list with User Admin configuration properties is sent in the ConfigUpdate control message with the message header properties set to:
MessagePurpose=ConfigUpdate
ResourceCmd=UserConfigParamList;[Command:{restart|stop};Param:console,reset]
Listing 61: Default configuration for JMS_DESTINATION_ADAPTER in XPDinteg.xml file for User Admin configuration update as parameter list
<adapter type="XPDINTEG_JMS_DESTINATION_ADAPTER" name="UC350_UserConfigUpdateResourceCmdAdapter">
  <!-- async mode -->
  <listener>
    <meta-data>MessagePurpose = 'ConfigUpdate' AND ResourceCmd LIKE '%UserConfigParamList%'</meta-data>
    <topic>com/ibm/integrator/flowtriggerevent/ConfigUpdate/MESSAGE/UserConfigUpdate/JmsAdapter</topic>
  </listener>
  <configuration>
    <param name="JndiConnectionFactoryKey" value="jms/XPDinteg_ConnectionFactory"/>
    <param name="JndiDestinationKey" value="jms/XPDinteg_CtrlQ"/>
    <param name="JndiDeadLetterKey" value="jms/XPDinteg_ServerDeadletterQ"/>
    <param name="ValidateLocationId" value="ON"/>
  </configuration>
</adapter>
Listing 62: Default_UserConfigUpdateResourceCmd.flow definition file (based on ConfigUpdateResourceCmd flow)
<?xml version="1.0" encoding="UTF-8"?>
<Process Name="UserConfigUpdate_Process" Trigger="com/ibm/integrator/flowtriggerevent/ConfigUpdate/MESSAGE/UserConfigUpdate/JmsAdapter">
  <XPDintegActivity
    Name="UserConfigUpdateResourceCmd_ReadResource"
    ActivityName="XPDINTEG_MESSAGE_READ"
    PropertyKey="DATA_REFERENCE"
  />
  <XPDintegActivity
    Name="UserConfigUpdateResourceCmd_RetrieveAndUpdateUserAdminStore"
    ActivityName="XPDINTEG_USERADMINSTORE_RETRIEVE_UPDATE"
  />
  <XPDintegActivity
    Name="UserConfigUpdateResourceCmd_FileWriteToFileSystem"
    ActivityName="XPDINTEG_FILE_WRITE_TO_FILE_SYSTEM"
    AdapterName="XPDINTEG_FILE_SYSTEM_ADAPTER"
  />
  <XPDintegActivity
    Name="UserConfigUpdateResourceCmd_UserAdminStoreUpdate"
    ActivityName="XPDINTEG_USERADMINSTORE_UPDATE_ACTIVITY"
  />
  <XPDintegActivity
    Name="UserConfigUpdateResourceCmd_PlatformRestart"
    ActivityName="XPDINTEG_PLATFORM_RESTART"
    LocalScriptFile="services/XPDintegRestart.bat"
  />
</Process>
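The two JMS adapters above (Listings 59 and 61) are selected purely by their listener meta-data: a ConfigUpdate message whose ResourceCmd begins with UserConfigFILE triggers the file-based flow, one whose ResourceCmd contains UserConfigParamList triggers the parameter-list flow. As an added example (not part of the original documentation and not IBM code), the following Python evaluates that selector subset (`=` and `LIKE` clauses joined by `AND`) over constructed message headers, shows which adapter each message reaches, and parses the ResourceCmd value described for Option 1 and Option 2. It assumes that a concrete header looks like `UserConfigFILE;[Command:restart;Param:console,reset]`, i.e. the `{restart|stop}` notation resolved to one of the two commands; the exact on-the-wire form is not stated on the page.

```python
"""Selector routing and ResourceCmd parsing for the two User Admin ConfigUpdate adapters.

Example added to this page; it is not IBM code. It evaluates only the selector subset
used in Listings 59 and 61 ('=' and LIKE clauses joined by AND) and assumes a concrete
ResourceCmd header looks like 'UserConfigFILE;[Command:restart;Param:console,reset]'.
"""
import re

# (adapter name, listener meta-data selector) as configured in Listings 59 and 61.
ADAPTERS = [
    ("UC350_UserConfigUpdateAdapter",
     "MessagePurpose = 'ConfigUpdate' AND ResourceCmd LIKE 'UserConfigFILE%'"),
    ("UC350_UserConfigUpdateResourceCmdAdapter",
     "MessagePurpose = 'ConfigUpdate' AND ResourceCmd LIKE '%UserConfigParamList%'"),
]

CLAUSE_RE = re.compile(r"(\w+)\s*(=|LIKE)\s*'([^']*)'", re.IGNORECASE)


def like_to_regex(pattern):
    """Translate a JMS LIKE pattern ('%' any run, '_' one char) into a regex."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def selector_matches(selector, headers):
    """True when every AND-joined clause holds for the message header dict."""
    for part in re.split(r"\s+AND\s+", selector.strip(), flags=re.IGNORECASE):
        m = CLAUSE_RE.fullmatch(part.strip())
        if m is None:
            raise ValueError("unsupported selector clause: %r" % part)
        name, op, value = m.groups()
        actual = headers.get(name)
        if actual is None:
            return False  # a missing header never satisfies a clause
        if op == "=":
            if actual != value:
                return False
        elif like_to_regex(value).fullmatch(actual) is None:
            return False
    return True


def route(headers):
    """Names of the adapters whose listener selector accepts this message."""
    return [name for name, selector in ADAPTERS if selector_matches(selector, headers)]


def parse_resource_cmd(value):
    """Split 'Resource;[Key:val;Key:val,val]' into (resource, {key: value-or-list}).
    Command is validated against the two values the page allows, restart and stop."""
    resource, _, rest = value.partition(";")
    options = {}
    rest = rest.strip()
    if rest:
        if not (rest.startswith("[") and rest.endswith("]")):
            raise ValueError("options must be enclosed in [ ]: %r" % value)
        for item in rest[1:-1].split(";"):
            key, _, val = item.partition(":")
            vals = [v.strip() for v in val.split(",")]
            options[key.strip()] = vals[0] if len(vals) == 1 else vals
    if "Command" in options and options["Command"] not in ("restart", "stop"):
        raise ValueError("Command must be restart or stop: %r" % options["Command"])
    return resource.strip(), options


if __name__ == "__main__":
    msg = {"MessagePurpose": "ConfigUpdate",
           "ResourceCmd": "UserConfigFILE;[Command:restart;Param:console,reset]"}
    print(route(msg), parse_resource_cmd(msg["ResourceCmd"]))
```

Note the difference between the two patterns: `'UserConfigFILE%'` anchors at the start of the header, whereas `'%UserConfigParamList%'` accepts the token anywhere in it. Because these selectors alone decide whether a message reaching jms/XPDinteg_CtrlQ rewrites the useradmin store and restarts the platform, they belong with the ValidateLocationId setting and the control-queue access rights in any review of the deployment.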
Manual ConfigUpdate with configuration files
Updates to the User Admin Service configuration can be applied in the same way as the existing manual Expeditor integrator configuration update through the XPDinteg.xml file.
Two steps are required:
1. configuration of a LocalFileSystem Resource Adapter which monitors the config/new directory for the existence of XPDintegRoles.xml (Listing 63).
2. creation of LocalUserConfigUpdate.flow (based on LocalConfigUpdate.flow) which is triggered by the above Resource Adapter. This flow retrieves the XPDintegRoles.xml file, applies the configuration to the User Admin store and deletes XPDintegRoles.xml from config/new. If the property <config_updates>|<config_location> is provided, XPDintegRoles.xml is copied to the location specified there (Listing 64).
Listing 63: LocalFileSystem Resource Adapter for updating User Admin store locally
<?xml version="1.0" encoding="UTF-8"?>
<adapter type="XPDINTEG_FILE_SYSTEM_ADAPTER" name="UC350AdapterForUserConfigUpdate">
  <!-- sync mode -->
  <polling>
    <interval>60000</interval>
    <meta-data>ASCII-config/new/XPDintegRoles.xml</meta-data>
    <topic>com/ibm/integrator/flowtriggerevent/ConfigUpdate/LocalFileSystem/UserConfigUpdateFile/LocalFileSystemAdapter</topic>
  </polling>
  <configuration>
    <param name="ResourceType" value="UserConfigUpdateFile"/>
    <param name="TransferConfirmationMode" value="DELETE"/>
    <param name="DestinationName" value="config/new/XPDintegRoles.xml"/>
    <param name="ProcessZeroLengthFiles" value="FALSE"/>
  </configuration>
</adapter>
Listing 64: Default_LocalUserConfigUpdate.flow flow for updating User Admin store locally
<?xml version="1.0" encoding="UTF-8"?>
<Process Name="UserConfigUpdate_Process" Trigger="com/ibm/integrator/flowtriggerevent/ConfigUpdate/LocalFileSystem/UserConfigUpdateFile/LocalFileSystemAdapter">
  <XPDintegActivity
    Name="UserConfigUpdateResourceCmd_ReadResource"
    ActivityName="XPDINTEG_MESSAGE_READ"
    PropertyKey="DATA_REFERENCE"
  />
  <XPDintegActivity
    Name="UserConfigUpdateResourceCmd_RetrieveAndUpdateUserAdminStore"
    ActivityName="XPDINTEG_USERADMINSTORE_RETRIEVE_UPDATE"
  />
  <XPDintegActivity
    Name="UserConfigUpdateResourceCmd_FileWriteToFileSystem"
    ActivityName="XPDINTEG_FILE_WRITE_TO_FILE_SYSTEM"
    AdapterName="XPDINTEG_FILE_SYSTEM_ADAPTER"
  />
  <XPDintegActivity
    Name="UserConfigUpdateResourceCmd_ConfigStoreUpdate"
    ActivityName="XPDINTEG_CONFIGSTORE_UPDATE_ACTIVITY"
  />
  <XPDintegActivity
    Name="UserConfigUpdateResourceCmd_PlatformRestart"
    ActivityName="XPDINTEG_PLATFORM_RESTART"
    LocalScriptFile="services/XPDintegRestart.bat"
  />
</Process>
Updating the initial default User Admin configuration:
The default configuration for the User Admin store which is loaded from the XPDintegDefaultRoles.xml file after a platform reset can be changed by sending a new XPDintegDefaultRoles.xml file based on the existing default Default_PutLocalFileSystemFiles.flow (see Admin Guide).
Note: A special customer case would be: a directory service, e.g. LDAP, is used to manage the User Admin configuration store while, at the same time, the manual update process described above (copying XPDintegRoles.xml into the config/new folder) is enabled. This is not recommended, since the applied configuration is no longer in sync. The manual process should always be disabled when User Admin Service configuration tools other than Expeditor integrator are used (by removing the Resource Adapter and the flow definition file for the manual update process again).
Using Expeditor Client Manager
The Expeditor User Admin service settings can be queried after deployment using the Preferences Jobs supplied by the Expeditor Client Management Server. User Admin Service settings are located at /configuration/org.eclipse.core.runtime.preferences.OSGiPreferences.xx, where xx is the bundle number of the User Admin bundle (org.eclipse.equinox.useradmin). See "Getting an inventory of Eclipse preferences" in the Expeditor online information center for more information (see Ref_2.).
Use the following mechanisms to add, update, or delete user settings:
More information in Ref_8:
http://publib.boulder.ibm.com/infocenter/ledoc/v6r2/index.jsp?topic=/com.ibm.rcp.tools.doc.admin/ManagingUserAdminprefs.html