Accessing HATS administrative console on Liberty server

  

The HATS administrative interface can be used to manage connections and perform problem determination for HATS Web applications.

The HATS administrative console allows you to view and change problem determination settings. It also lets you:

  • Manage license information
  • Select the scope of management
  • View active connections, connection pools, connection pool definitions, user lists, and logs
  • Terminate active connections
  • View log and trace files
  • Set log and trace options
  • View potentially sensitive data by seeing the display terminal, change the trace settings, terminate existing connections, and download trace files.

To access the HATS administrative console for a project created for the Liberty server, administrative console support must be enabled when the HATS project is created.

Note: If the project is created without administrative console support, it cannot be enabled later for the HATS project on the Liberty server.

Launch HATS Administrative Console: 

To open the administrative console, right-click the HATS project and click ‘Open Administrative Console’.

Authentication credentials are required to access the admin console.

More details: Starting HATS administrative console - IBM Documentation

HATS administrative console roles:

HATS administrative console operations are restricted based on the role defined for a user ID. There are three roles defined for use of the HATS administrative console. Each role has different capabilities.

When a HATS application is deployed with HATS administrative capabilities, a user can map each of the three HATS roles to particular system user IDs for security.

  1. HATSAdministrator - This role has full administration capability
  2. HATSOperator - This role is equivalent to the HATSAdministrator role but cannot access potentially sensitive data. 
  3. HATSMonitor - This role only allows the user to view non-sensitive data

More details: HATS administrative console roles - IBM Documentation

Configure authentication credentials in Liberty:

Authentication credentials can be configured by defining the users and groups used for authentication in a basic user registry on the Liberty server.

Configure the basic registry for the server as follows in server.xml:

<basicRegistry id="basic" realm="customRealm">
       <user name="<username>" password="<password>"/>
       <group name="HATSAdministrator">
             <member name="<username>"/>
       </group>
</basicRegistry>

More details: Configuring a basic user registry for Liberty - IBM Documentation

Restart the Liberty server after making changes to server.xml. The HATS administrative console is accessible after a successful login.

When Error 404: SRVE0190E: File not found: /hatsadmin/: is shown, additional authorization information has to be provided.

Configuring authorization for applications in Liberty

Configuring authorization for your application means verifying whether a user or group belongs to a specified role and whether that role has the privilege to access a resource.

The Liberty server extracts user and group mapping information from a user registry, then checks the authorization configuration for the application to determine whether a user or group is assigned to one of the required roles. Then the server reads the deployment descriptor of the application, to determine whether the user or group has the privilege to access the resource.

To configure authorization information such as the user and group to role mapping, add the authorization configuration definition to ibm-application-bnd.xml in the EAR project.

If the file is not present, create a new XML file named ‘ibm-application-bnd.xml’ under the EAR project with the sample content shown below:

Example of an ibm-application-bnd.xml file that maps a group to a security role:

<?xml version="1.0" encoding="UTF-8"?>
<application-bnd
       xmlns="http://websphere.ibm.com/xml/ns/javaee"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee
         http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
       version="1.0">
       <security-role name="HATSAdministrator">
             <group name="<group’s name in Basic registry>" />
       </security-role>
       <profile name="">
             <client-profile name="" />
       </profile>
</application-bnd>
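
A consistency check for the server.xml basic registry and the ibm-application-bnd.xml role bindings described above, added here as an example (it is not part of the original article or of IBM's tooling). It reports unencoded passwords, group members that are not defined users, HATS roles with no group binding, and bindings that name a group missing from the registry. The sample user and group names are constructed, and the `{xor}`, `{aes}` and `{hash}` prefixes are the forms Liberty's securityUtility writes for encoded passwords.

```python
import xml.etree.ElementTree as ET

HATS_ROLES = ("HATSAdministrator", "HATSOperator", "HATSMonitor")
ENCODED = ("{xor}", "{aes}", "{hash}")  # prefixes Liberty uses for encoded passwords

# Constructed sample inputs; user and group names are made up for this example.
SERVER_XML = """<server>
  <basicRegistry id="basic" realm="customRealm">
    <user name="hatsadm" password="changeit"/>
    <user name="hatsmon" password="{hash}CONSTRUCTED-PLACEHOLDER"/>
    <group name="HATSAdministrator"><member name="hatsadm"/></group>
    <group name="Monitors"><member name="hatsmon"/><member name="ghost"/></group>
  </basicRegistry>
</server>"""
BND_XML = """<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee" version="1.0">
  <security-role name="HATSAdministrator"><group name="HATSAdministrator"/></security-role>
  <security-role name="HATSMonitor"><group name="HatsMonitors"/></security-role>
</application-bnd>"""

def local(tag):
    """Drop the XML namespace so binding-file elements match by plain name."""
    return tag.rsplit("}", 1)[-1]

def audit(server_xml, bnd_xml):
    """Return findings for the registry and the role bindings, in a fixed order."""
    findings = []
    registry = ET.fromstring(server_xml).find(".//basicRegistry")
    if registry is None:
        return ["server.xml: no basicRegistry element"]
    users = {u.get("name"): u.get("password", "") for u in registry.findall("user")}
    groups = {g.get("name"): [m.get("name") for m in g.findall("member")]
              for g in registry.findall("group")}
    for name, password in users.items():
        if not password.startswith(ENCODED):
            findings.append(f"user {name}: password is stored unencoded")
    for group, members in groups.items():
        findings += [f"group {group}: member {m} is not a defined user"
                     for m in members if m not in users]
    roles = {el.get("name"): [c.get("name") for c in el if local(c.tag) == "group"]
             for el in ET.fromstring(bnd_xml).iter() if local(el.tag) == "security-role"}
    for role in HATS_ROLES:
        if role not in roles:
            findings.append(f"role {role}: no group binding in ibm-application-bnd.xml")
        findings += [f"role {role}: group {g} is not in the basic registry"
                     for g in roles.get(role, []) if g not in groups]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SERVER_XML, BND_XML)))
```

A role reported as having no group binding is not necessarily an error; leaving HATSOperator or HATSMonitor unbound can be a deliberate choice.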