Securing help server for WebSphere 8.5 ND deployment
I made an installation of RTC + DM + RELM, all release 4.0.4, using the WebSphere ND deployment (source: https://jazz.net/wiki/bin/view/Deployment/ConfiguringEnterpriseCLMReverseProxiesWebSphere85NDProxy). All applications are deployed in a separate WAS profile, and global security is set for both administrative and application security. The help for all applications was deployed in the corresponding application server profile. WAS is configured for usage of a federated realm.
While securing the help administration site during the finalization, I accidentally navigated from my notebook to the URL of the server https://sses.domain.corp/clmhelp/updater/admin.jsp instead of using localhost as described in the IBM documentation. But no problem, the page was displayed. I was wondering a little bit that the connection was established at all. The default settings were not changed after installation.
I think it’s related to the WAS reverse proxy configuration?! There is also no difference between a deployment on a single server or a dedicated server for each application.
In general this would not be a problem, changing the access to “Role Based Security”, but this is not working as expected. I changed this setting and set a password for the default admin user. After that I was asked for credentials for the “Update…” and “Remote…” sub sections, which still accept the default password? Trying to access the sub section “Administrative Access…” was rejected for both the default and the password set by me earlier.
Another security issue for me is that the settings for “Network Connections” are accessible without any authentication. So the only acceptable configuration is the “Local Access Only”.
Does anybody know how to limit the access to all the administration pages of the help servers?