Posted: 9 Aug 2017 12:29 EDT Last activity: 16 Oct 2018 12:03 EDT
How to secure SMA in Tomcat 8
We have seen SMA is not secure by default. Whenever we open SMA it does not ask for any credentials. When we configured SMA to always ask for credentials, I was assuming that it would take only the credentials that are configured in tomcat-users.xml (i.e., PegaDiagnosticUser). However, we have seen it takes whatever text we type, which makes it insecure.
We do not want anyone to mess up the agent configs or do other administrative stuff apart from people who know the PegaDiagnosticUser credentials. Kindly let me know how we can secure SMA.
**Moderation Team has archived post**
This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.
I have configured SMA with pegadiagnostic user in the tomcat-users.xml. But even after configuring the nodes with Always prompt for credentials, it is still taking any credentials. Even if I type wrong credentials, I am still able to login to SMA. Kindly let me know what else can be done.
Can you try the following, which will restrict the authentication at the web container level (e.g. Tomcat). You may already have the tomcat-users.xml configured with a username / password using the PegaDiagnosticRole. Restart your server and you should be prompted to enter a valid userid/password:
Please include the following in prsysmgmt web.xml
<web-resource-name>System Management Application - DB utility</web-resource-name>
<description>secure all urls for this application</description>
Make sure the following is in the tomcat-users.xml:
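The complete container-level constraint the reply above sketches, as an added example rather than anything posted in the thread. It assumes a `/*` url-pattern (the reply's "secure all urls"), BASIC authentication, a realm name of my choosing, and a placeholder password; PegaDiagnosticRole and PegaDiagnosticUser are the names the thread uses.

```xml
<!-- web.xml of the prsysmgmt (SMA) web application.
     Added example; assumptions: /* url-pattern, BASIC auth, HTTPS required. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>System Management Application - DB utility</web-resource-name>
    <description>secure all urls for this application</description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- only principals holding this role may reach any SMA URL;
         an authenticated user without it gets a 403 -->
    <role-name>PegaDiagnosticRole</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC credentials are only base64-encoded, so force TLS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Pega SMA</realm-name>  <!-- assumed realm name -->
</login-config>
<security-role>
  <role-name>PegaDiagnosticRole</role-name>
</security-role>

<!-- conf/tomcat-users.xml: the container user the constraint above checks.
     Password is a placeholder; replace it before use. -->
<tomcat-users>
  <role rolename="PegaDiagnosticRole"/>
  <user username="PegaDiagnosticUser"
        password="CHANGE-ME-PLACEHOLDER"
        roles="PegaDiagnosticRole"/>
</tomcat-users>
```

With this in place Tomcat itself returns 401 until valid credentials are supplied, regardless of the SMA "always prompt" setting. A 403 after a successful login means the authenticated user does not carry PegaDiagnosticRole, so check the `roles` attribute in tomcat-users.xml and the `<security-role>` declaration.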
I tried this on a tomcat 8 instance and when hitting the URL for the SMA, it prompts me to enter in the credentials that were provided in the tomcat-users.xml. Once I enter those details, I have authenticated and the SMA screen is provided. I am not sure why you are getting the 403 error unless there is something that is incorrect in the configuration or the credentials are incorrect. I would suggest opening up an SR to have this looked at further.