WebSphere MP Guide for SCOM 2012 RC Addendum
For anyone using SCOM 2012 RC (or Beta), the WebSphere MP guides are missing a step to fully enable deep monitoring. This post will explain the missing step and detail how configure apply the appropriate settings.
Overview
When configuring BeanSpy on WebSphere, follow the steps below. Information about steps 1 - 6 and 8 may be found in the WebSphere MP guide. This blog post will detail the (missing) step 7.
- Enable WebSphere Security
- Enable authorization requirement
- Import/Deploy the BeanSpy on the Application Server
- Import BeanSpy
- Create a User in WebSphere
- Associate a user account with the BeanSpy's monitoring role
- Associate a user account with WebSphere's monitor role (new)
- Create RunAs Account in the Operations Manager Console
Associate a user account with WebSphere's monitor role
Within the WebSphere Admin Console, it is necessary to associate the user account with the internal WebSphere role of monitor. There are several roles and the exact list of roles will vary based on the version of WebSphere installed. The good news is that the least priviledged role is called monitor and that is all we need.
From the WebSphere 7 documentation:
WebSphere Application Server extends the Java security role-based access control to protect the product administrative and naming subsystems.... The administrative roles are effective only when administrative security is enabled.
Monitor: Least privileged. This role allows a user to view the WebSphere configuration and the current state of the application server.
In the IBM WebSphere Admin Console, expand Users and Groups in the left-hand panel and select Administrative user roles. In the list of applications, click the Add... button. From the Roles box select Monitor. Under the Seach and Select Users, click the Search button to see a list of available users. Select the user created above in step 4 and click the right arrow to move that user into the column entitled Mapped to role. Click the OK button. Be sure to save these changes prior to leaving the page.
Verification
To test this, now close the browser (to clear the cached user credentials). Open the url below (replacing hostname and port as necessary).
Example query: https://localhost:9443/BeanSpy/MBeans?JMXQuery=WebSphere:j2eeType=J2EEApplication,*
The expect behavior is that (a) user should be prompted for basic credentials, and (b) the user should see output like:
<?xml version="1.0" encoding="UTF-8" ?>
<MBeans version="7.3.2034.0">
<MBean Name="javax.management.modelmbean.RequiredModelMBean" objectName="WebSphere:J2EEName=ibmasyncrsp,J2EEServer=server1,Server=server1,cell=SCXOMD-WS7-11Node01Cell,j2eeType=J2EEApplication,mbeanIdentifier=cells/SCXOMD-WS7-11Node01Cell/applications/ibmasyncrsp.ear/deployments/ibmasyncrsp/deployment.xml#ApplicationDeployment_1185820123453,name=ibmasyncrsp,node=SCXOMD-WS7-11Node01,platform=dynamicproxy,process=server1,spec=1.0,type=J2EEApplication,version=7.0.0.0">
<Properties>
<Property Name="state" type="java.lang.Integer">1</Property>
<Property Name="startTime" type="java.lang.Long">1329852277267</Property>
<Property Name="server" type="java.lang.String">WebSphere:name=server1,process=server1,platform=proxy,node=SCXOMD-WS7-11Node01,j2eeType=J2EEServer,version=7.0.0.0,type=Server,mbeanIdentifier=cells/SCXOMD-WS7-11Node01Cell/nodes/SCXOMD-WS7-11Node01/servers/server1/server.xml#Server_1183122130078,cell=SCXOMD-WS7-11Node01Cell,spec=1.0,processType=UnManagedProcess</Property>
<Property Name="modules" type="[Ljava.lang.String;">
<Property Name="modules" index="0">WebSphere:name=ibmasyncrsp.war,process=server1,Application=ibmasyncrsp,platform=dynamicproxy,J2EEApplication=ibmasyncrsp,node=SCXOMD-WS7-11Node01,J2EEName=ibmasyncrsp#ibmasyncrsp.war,j2eeType=WebModule,J2EEServer=server1,Server=server1,version=7.0.0.0,type=WebModule,mbeanIdentifier=null,cell=SCXOMD-WS7-11Node01Cell,spec=1.0</Property>
</Property>
<Property Name="implementationVersion" type="java.lang.String">1 [3]</Property>
<Property Name="eventTypes" type="[Ljava.lang.String;">
<Property Name="eventTypes" index="0">j2ee.state.starting</Property>
<Property Name="eventTypes" index="1">j2ee.state.running</Property>
<Property Name="eventTypes" index="2">j2ee.state.stopping</Property>
<Property Name="eventTypes" index="3">j2ee.state.stopped</Property>
<Property Name="eventTypes" index="4">j2ee.state.failed</Property>
<Property Name="eventTypes" index="5">j2ee.attribute.changed</Property>
<Property Name="eventTypes" index="6">jmx.attribute.changed</Property>
</Property>
<Property Name="server" type="java.lang.String">WebSphere:name=server1,process=server1,platform=proxy,node=SCXOMD-WS7-11Node01,j2eeType=J2EEServer,version=7.0.0.0,type=Server,mbeanIdentifier=cells/SCXOMD-WS7-11Node01Cell/nodes/SCXOMD-WS7-11Node01/servers/server1/server.xml#Server_1183122130078,cell=SCXOMD-WS7-11Node01Cell,spec=1.0,processType=UnManagedProcess</Property>
<Property Name="deploymentDescriptor" type="java.lang.String"><?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE application PUBLIC "-//Sun Microsystems, Inc.//DTD J2EE Application 1.2//EN" "https://java.sun.com/j2ee/dtds/application_1_2.dtd">
<application id="Application_ID">
<display-name>WebSphere ASYNC Response Servlet Application</display-name>
<description>This application contains the JAX-WS async response servlet</description>
<module id="WebModule_1">
<web>
<web-uri>ibmasyncrsp.war</web-uri>
<context-root>/IBM_WS_SYS_RESPONSESERVLET</context-root>
</web>
</module>
<security-role id="SecurityRole_1177535736906">
<role-name>AuthenticatedWebServicesUsers</role-name>
</security-role>
</application>
</Property>
<Property Name="name" type="java.lang.String">ibmasyncrsp</Property>
<Property Name="javaVersion" type="java.lang.String">2.4</Property>
<Property Name="javaVendor" type="java.lang.String">IBM Corporation</Property>
<objectName type="java.lang.String">WebSphere:name=ibmasyncrsp,process=server1,platform=dynamicproxy,node=SCXOMD-WS7-11Node01,J2EEName=ibmasyncrsp,j2eeType=J2EEApplication,J2EEServer=server1,Server=server1,version=7.0.0.0,type=J2EEApplication,mbeanIdentifier=cells/SCXOMD-WS7-11Node01Cell/applications/ibmasyncrsp.ear/deployments/ibmasyncrsp/deployment.xml#ApplicationDeployment_1185820123453,cell=SCXOMD-WS7-11Node01Cell,spec=1.0</objectName>
<objectNameElements type="objectName">
<Domain>WebSphere</Domain>
<name>ibmasyncrsp</name>
<process>server1</process>
<platform>dynamicproxy</platform>
<node>SCXOMD-WS7-11Node01</node>
<J2EEName>ibmasyncrsp</J2EEName>
<j2eeType>J2EEApplication</j2eeType>
<J2EEServer>server1</J2EEServer>
<Server>server1</Server>
<version>7.0.0.0</version>
<type>J2EEApplication</type>
<mbeanIdentifier>cells/SCXOMD-WS7-11Node01Cell/applications/ibmasyncrsp.ear/deployments/ibmasyncrsp/deployment.xml#ApplicationDeployment_1185820123453</mbeanIdentifier>
<cell>SCXOMD-WS7-11Node01Cell</cell>
<spec>1.0</spec>
</objectNameElements>
<Property Name="stateManageable" type="java.lang.Boolean">true</Property>
<Property Name="statisticsProvider" type="java.lang.Boolean">false</Property>
<Property Name="eventProvider" type="java.lang.Boolean">true</Property>
</Properties>
</MBean>
...?
If the permissions are incorrectly set, it is likely that you will see output like:
<?xml version="1.0" encoding="UTF-8"?>
<MBeans version="7.2.1124.0">
<MBean Name="javax.management.modelmbean.RequiredModelMBean"
objectName="WebSphere:J2EEName=BeanSpy,J2EEServer=server1,Server=server1,cell=vd4APP01Node01Cell,j2eeType=J2EEApplication,mbeanIdentifier=cells/vd4APP01Node01Cell/applications/BeanSpy.ear/deployments/BeanSpy/deployment.xml#ApplicationDeployment_1329291533201,name=BeanSpy,node=vd4APP01Node01,platform=dynamicproxy,process=server1,spec=1.0,type=J2EEApplication,version=7.0.0.11">
<Properties/>
</MBean>
</MBeans>
Finally, if you are still experience problems be sure to review the WebSphere application server log file. The exact location will vary, but the log file should be in a location like C:\Program Files (x86)\IBM\WebSphere\AppServer\profiles\AppSrv01\logs\server1. The SystemOut.txt file is the one you want, if there are any other permission issues (did you remember to reboot the server) this file should indiciate any runtime permission issues.