WebSphere Development Non-Admin User

Introduction

I’m up against a rather difficult situation to solve a security issue for local WebSphere 7.0 developers. The network users are not allowed to install anything on their PC workstations, yet several teams of developers will be required to develop Java code on secured workstations using WebSphere 7.0. Even if an administrator were to install each WebSphere application server, the user would not be able to administrate the server properly because he/she would not have administrative rights to execute scripts, programs, tools, services, monitoring, port access, etc. I’m determined to find a good solution to this problem. I will share anything I find here.

Solution No. 1 (Unsuccessful)

I found some documentation online where individual profiles can be created from within the Rational Application Developer (RAD) tool (Custom IBM Eclipse). I tried using the profile management tools that came with the installation. I tried all permutations of check boxes, user selections, permissions modifications and did not find an acceptable solution. Usually something requiring special permissions would be part of IBM’s customization of Eclipse hence Rational Application Developer. This information would not be available on the Internet. I quickly accepted this solution to be a failure.

Solution No. 2 (Successful)

I have a local administration account and a general user account. As admin, I set permissions on two folders. These are:

  • c:\Websphere
  • c:\Program Files\IBM

The general user was added to both directories with write access. The directory c:\Websphere is used as extract_root, i.e. the directory is used to explode the 788 MB download of WebSphere 7.0 at http://www.ibm.com/developerworks/downloads/ws/wasdevelopers/index.html. Next, I logged out as admin and logged in as the general user.

As general user, now I would extract the install into c:\Websphere and then do the install. The extraction of the install file was successful. No problems there. The install was a different story. The install will use a limited JRE, Java.exe and begin to install the application server. To begin the install run the following:

c:\Websphere\WAS\install.exe

The first dialog seen was a system dialog warning that a file called “install.exe” is being run. Click “Run”. The next dialog is another system UI presentation asking “who” is going to run this file. I selected to run the program as a general user. The third system dialog asks if you want to run java.exe. Click “Run” and you will see the initial WebSphere Application Server 7.0 dialog. No frills, select “Next”. You are now presented with a license dialog. There are IBM and Non-IBM terms. Just check the radio button (accepting) and “Next”.

Now, a dialog is presented informing you (general user) that your operating system prerequisites failed. Ignore this and select “Next”. That dialog did note that Service Pack 2 could not be found. Service Packs are installed but the general user does not have the level of access needed to verify them.

The next dialog provides some information to consider. It says that it detected a non-root or non-administrative user. This will mean that the installation program cannot create a Windows service and also cannot write to the registry. Specifically, it would create a Windows service for WebSphere and write entries to HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services . It also notes that port access may be affected. Normally, locally running servers can access all ports locally as localhost. It “SHOULD” be okay to proceed. Select “Next”.

You are now presented with a dialog for Optional Features Installation. You probably do want to select the checkbox for the Sample Applications. Select the checkbox for the Sample Applications and then “Next”. Now you will see a dialog for specification of the installation directory. For an administrator install, the default directory is normally c:\Program Files\IBM\Web; however, in this case, since we are installing something and not creating a Windows service, the installation has defaulted the directory to c:\IBM\WebSphere\AppServer . That “SHOULD” be okay. Accept that directory choice and then select “Next”. Another dialog is shown and it asks to select a particular environment. By default it’s set to Application Server. Select “Next” and proceed.

You should now see a dialog called Enable Administrative Security. Select an administrative user name and password. I personally recommend that the password for the “samples” user be the same as your admin user. Now click “Next”. Now select the preview tasks and let the install begin. We will soon know if WebSphere Application Server 7.0 can be run and administrated by the general user.

It’s finished and … the dialog, Installation Results, is in. The dialog noted “Partial Success”. The install of the IBM product WebSphere Application Server was successful. The IBM WebSphere Application Server Base is found at c:\IBM\WebSphere\AppServer . Some configuration steps have errors but these can be found at server_base\logs\install\log.txt . Also, important information can be found at server_base\profiles\AppSrv01\Logs\AboutThisProfile.txt . Click “Finish”.

I reviewed the install log and it looks like IBM is merely concerned that it cannot query the resident OS. We know the following about the partial success of this product.

  • Installer cannot verify Service Pack 2 (It’s Installed)
  • Installer cannot create a Windows Service
  • Installer cannot write to Registry

The IBM product defines the “failure” where it cannot write to the Registry as “cannot perform a native registration with the operating system”. This should be okay. It only means that the general user has installed something that the administrators know nothing about unless they were to inspect the general user’s hard drive for this installation. The general user may not start and stop his development application using the Windows service tools found under Control Panel/Administrative Tools. The start menu was modified during the install and start and stop options are available to the general user. I will test this thoroughly now.

When the installation completes it runs a Java application (dialog pop-ups) that provides a panel called WebSphere Application Server – First Steps – AppSrv01. AppSrv01 is the initial profile that is created during the installation. It should be sufficient for your local development. Select Installation Verification first. It should run some things and provide a log of its success.

Server name is:server1
Profile name is:AppSrv01
Profile home is:C:\IBM\WebSphere\AppServer\profiles\AppSrv01
Profile type is:default
Cell name is:TestMachineNode01Cell
Node name is:TestMachineNode01
Current encoding is:Cp1252
Start running the following command:cmd.exe /c "C:\IBM\WebSphere\AppServer\profiles\AppSrv01\bin\startServer.bat" server1 -profileName AppSrv01
>ADMU0116I: Tool information is being logged in file
>           C:\IBM\WebSphere\AppServer\profiles\AppSrv01\logs\server1\startServer.log
>ADMU0128I: Starting tool with the AppSrv01 profile
>ADMU3100I: Reading configuration for server: server1
>ADMU3200I: Server launched. Waiting for initialization status.
>ADMU3000I: Server server1 open for e-business; process id is 3040
Server port number is:9080
IVTL0010I: Connecting to the TestMachine WebSphere Application Server on port: 9080
IVTL0015I: WebSphere Application Server TestMachine is running on port: 9080 for profile AppSrv01
Testing server using the following URL:http://localhost:9080/ivt/ivtserver?parm2=ivtservlet
IVTL0050I: Servlet engine verification status: Passed 
Testing server using the following URL:http://localhost:9080/ivt/ivtserver?parm2=ivtAddition.jsp
IVTL0055I: JavaServer Pages files verification status: Passed 
Testing server using the following URL:http://localhost:9080/ivt/ivtserver?parm2=ivtejb
IVTL0060I: Enterprise bean verification status: Passed
IVTL0035I: The Installation Verification Tool is scanning the C:\IBM\WebSphere\AppServer\profiles\AppSrv01\logs\server1\SystemOut.log file for errors and warnings.
[2/8/10 12:40:58:079 EST] 00000000 WSKeyStore    W   CWPKI0041W: One or more key stores are using the default password.
[2/8/10 12:41:06:782 EST] 00000000 ThreadPoolMgr W   WSVR0626W: The ThreadPool setting on the ObjectRequestBroker service is deprecated.
IVTL0040I: 2 errors/warnings are detected in the C:\IBM\WebSphere\AppServer\profiles\AppSrv01\logs\server1\SystemOut.log file
IVTL0070I: The Installation Verification Tool verification succeeded.
IVTL0080I: The installation verification is complete.

This proves that the general user can run the server. Now, the server sample applications should be tested to see if ports remain unblocked locally.
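
An added example, not part of the original post: a small Python triage of the Installation Verification output above. It records each component status, checks that the count reported by IVTL0040I matches the SystemOut.log entries actually listed, and separates security-relevant message IDs from the rest. The function name triage and the SECURITY_IDS set are assumptions of this example.

```python
import re

# Excerpt of the IVT output shown on this page, embedded so the example runs offline.
SAMPLE = r"""
IVTL0050I: Servlet engine verification status: Passed
IVTL0055I: JavaServer Pages files verification status: Passed
IVTL0060I: Enterprise bean verification status: Passed
[2/8/10 12:40:58:079 EST] 00000000 WSKeyStore    W   CWPKI0041W: One or more key stores are using the default password.
[2/8/10 12:41:06:782 EST] 00000000 ThreadPoolMgr W   WSVR0626W: The ThreadPool setting on the ObjectRequestBroker service is deprecated.
IVTL0040I: 2 errors/warnings are detected in the C:\IBM\WebSphere\AppServer\profiles\AppSrv01\logs\server1\SystemOut.log file
IVTL0070I: The Installation Verification Tool verification succeeded.
"""

# Message IDs treated as security-relevant. Only CWPKI0041W appears on this
# page; the set itself is an assumption of this example and can be extended.
SECURITY_IDS = {"CWPKI0041W"}

STATUS_RE = re.compile(r"^(IVTL\d{4}I): (.+?) verification status: (\w+)")
# SystemOut.log entry: [timestamp] thread-id component level message-id: text
SYSOUT_RE = re.compile(r"^\[(.+?)\] (\w{8}) (\S+)\s+([WE])\s+(\w+): (.*)$")
COUNT_RE = re.compile(r"^IVTL0040I: (\d+) errors/warnings are detected")

def triage(ivt_output):
    """Summarise IVT output: component statuses, findings, count consistency."""
    report = {"status": {}, "findings": [], "reported": None, "succeeded": False}
    for line in ivt_output.splitlines():
        line = line.strip()
        if m := STATUS_RE.match(line):
            report["status"][m.group(2)] = m.group(3)
        elif m := SYSOUT_RE.match(line):
            report["findings"].append({
                "time": m.group(1), "component": m.group(3),
                "level": m.group(4), "id": m.group(5), "text": m.group(6),
                "security": m.group(5) in SECURITY_IDS})
        elif m := COUNT_RE.match(line):
            report["reported"] = int(m.group(1))
        elif line.startswith("IVTL0070I:"):
            report["succeeded"] = True
    # The tool's own count should equal the number of W/E entries it echoed.
    report["count_matches"] = report["reported"] == len(report["findings"])
    report["needs_action"] = [f["id"] for f in report["findings"] if f["security"]]
    return report

if __name__ == "__main__":
    r = triage(SAMPLE)
    print("IVT succeeded:", r["succeeded"], "| follow up on:", r["needs_action"])
```

On the excerpt, the tool reports success while the default key store password warning is still listed for follow-up.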

Select the link on the First Steps Dialog called “Administrative console”. You should get a browser with a block because of the self-signed certificate. Ignore the warning after you are sure that you understand what is happening. You will now see the login for the Administrative Console at URL https://localhost:9044/ibm/console/logon.jsp. I’m almost convinced that WebSphere only requires Java and use of ports locally. The server is running as localhost. An interesting note is that when you log in as the application administrator, the server switches the console server to port 9043 (security trick).
