Unable to query WebSphere MBeans with Global Security Enabled

JJinMaine

Hello,

This is an issue with a WebSphere 8.5.5.13 standalone JVM with security enabled using the JVM agent, not the WAR file. I've created a jolokia admin user in the WebSphere console and this is my default-jolokia-agent.properties:

port=8778
agentContext=/jolokia
backlog=10
user=jolokia
password=XXXXXXXXXXXXXX
authMode=basic
historyMaxEntries=10
debug=true
debugMaxEntries=100
maxDepth=15
maxCollectionSize=0
maxObjects=0
discoveryEnabled=true
secureSocketProtocol=TLS
keyStoreType=JKS
serverKeyAlgorithm=RSA

It's all pretty default except the user and password. My expectation is that the user and password above should match the account I created in the admin console and I should be able to query WebSphere MBeans. This is the error I get:

[5/28/18 13:56:04:043 EDT] 00000068 RoleBasedAuth A   SECJ0305I: The role-based authorization check failed for admin-authz operation Server:getServerVersion.  The user UNAUTHENTICATED (unique ID: unauthenticated) was not granted any of the following required roles: monitor, auditor, configurator, administrator, deployer, operator, adminsecuritymanager.
[5/28/18 13:56:04:085 EDT] 00000068 SystemOut     O E> Error while using detector WebsphereDetector: javax.management.RuntimeOperationsException: Exception occured trying to invoke the getter on the MBean
[5/28/18 13:56:04:098 EDT] 00000068 RoleBasedAuth A   SECJ0305I: The role-based authorization check failed for admin-authz operation Server:getName.  The user UNAUTHENTICATED (unique ID: unauthenticated) was not granted any of the following required roles: monitor, auditor, configurator, administrator, deployer, operator, adminsecuritymanager.
[5/28/18 13:56:04:099 EDT] 00000068 SystemOut     O E> Error 500

I saw the thread here:

http://jolokia.963608.n3.nabble.com/WebSphere-javax-management-InstanceNotFoundException-td3773027.html

And that solution involved the web.xml because it was the WAR file version of Jolokia, not the JVM Agent version. Is there an equivalent setting that I'm missing somewhere? The non-WebSphere MBeans are detected just fine - it's the WebSphere ones I can't get data from.

I have to believe that there are people using WebSphere w/ global security enabled and the Jolokia jvm agent jar this way and it would be a normal use case ... right?

Any help would be appreciated - thanks!

- Jim
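
The SECJ0305I lines quoted in the post above, run through a small parser; this is an added example, not part of the original post and not Jolokia or WebSphere code. It separates denials where WebSphere evaluated no identity at all (UNAUTHENTICATED) from denials where an authenticated user lacks a role. Assumptions: the regular expression is inferred from the two quoted lines, and the third sample line (user `jolokia-ro`) is constructed for contrast.

```python
import re
from collections import defaultdict

# First two lines are copied from the log excerpt in the post; the third is
# constructed (hypothetical user "jolokia-ro") to show the contrasting case.
SAMPLE_LOG = """\
[5/28/18 13:56:04:043 EDT] 00000068 RoleBasedAuth A   SECJ0305I: The role-based authorization check failed for admin-authz operation Server:getServerVersion.  The user UNAUTHENTICATED (unique ID: unauthenticated) was not granted any of the following required roles: monitor, auditor, configurator, administrator, deployer, operator, adminsecuritymanager.
[5/28/18 13:56:04:098 EDT] 00000068 RoleBasedAuth A   SECJ0305I: The role-based authorization check failed for admin-authz operation Server:getName.  The user UNAUTHENTICATED (unique ID: unauthenticated) was not granted any of the following required roles: monitor, auditor, configurator, administrator, deployer, operator, adminsecuritymanager.
[5/28/18 14:02:11:507 EDT] 0000006a RoleBasedAuth A   SECJ0305I: The role-based authorization check failed for admin-authz operation Server:stop.  The user jolokia-ro (unique ID: user:constructedRealm/jolokia-ro) was not granted any of the following required roles: operator, administrator.
"""

# Pattern inferred from the SECJ0305I lines quoted in the post (assumption:
# other WebSphere versions keep the same wording).
SECJ0305I = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-f]{8})\s+\S+\s+A\s+SECJ0305I: "
    r"The role-based authorization check failed for (?P<resource>\S+) "
    r"operation (?P<operation>\S+?)\.\s+The user (?P<user>.+?) "
    r"\(unique ID: (?P<uid>[^)]*)\) was not granted any of the following "
    r"required roles: (?P<roles>.+?)\.?$"
)

def parse_authz_failures(log_text):
    """Return one dict per SECJ0305I line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SECJ0305I.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["roles"] = [r.strip() for r in ev["roles"].split(",")]
            events.append(ev)
    return events

def classify(event):
    """'no-identity': the call carried no WebSphere credentials at all.
    'missing-role': an authenticated user lacks every listed role."""
    return "no-identity" if event["user"] == "UNAUTHENTICATED" else "missing-role"

def summarize(events):
    """Map (user, classification) -> sorted list of denied MBean operations."""
    out = defaultdict(set)
    for ev in events:
        out[(ev["user"], classify(ev))].add(ev["operation"])
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    for (user, kind), ops in summarize(parse_authz_failures(SAMPLE_LOG)).items():
        print(f"{user:16} {kind:13} {', '.join(ops)}")
```

A "no-identity" result points at how credentials reach the MBean call, while "missing-role" points at the role mapping of an account that did authenticate.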