Configuring Big Match web application security (V11.5.0.5)

By default, security is enabled for all Big Match web applications. To manage security for the web applications, edit the corresponding XML configuration files associated with the WebSphere® Profile instance.

Before you begin

This topic assumes that you have edited the port number designations if necessary. For more information, see the link at the end of this topic about checking for port conflicts.

For more information about WebSphere Liberty security, including information about users and groups, see the links at the end of this topic.

About this task

The Big Match offering takes advantage of the security features provided by IBM WebSphere Liberty. Specifically, Big Match uses the Basic Registry that WebSphere Liberty offers to store user credentials. The Basic Registry is located in $<BIGMATCH_HOME>/conf/bigmatch-wlp-security-config.xml.

Note: If you need to change the security configuration to use an LDAP registry instead, see the WebSphere Liberty documentation about configuring LDAP user registries.

Out of the box, InfoSphere® Big Match for Hadoop includes a predefined set of demo users and groups defined in the Basic Registry:

bmadmin

The bmadmin user is part of the bigmatch group. Users in the bigmatch group have access to:
  • the InfoSphere Big Match Console web application. The default URL and port for this application is https://<host>:9443/bmconfig.
  • the InfoSphere Big Match Search sample application. The default URL and port for this web application is https://<host>:9443/bmconfig.

The bmadmin user's default password is bmadmin.

mdmadmin

The mdmadmin user is part of the publisher group. Users in the publisher group have access to the IBM MDM Publisher web application. The default URL and port for this application is https://<host>:9443/publisher.

The mdmadmin user's default password is mdmadmin.

Demo and test

The Demo user and the test user are part of the analytics group. Users in the analytics group have access to the IBM Entity Insight web application. The default URL and port for this application is https://<host>:9443/insight. These users are also used for authenticating against the REST layer of the IBM Entity Insight application (analytics-graph-api-rest.war).

The Demo user's default password is Demo.

The test user's default password is test.

The InfoSphere Big Match for Hadoop application configuration files contain the bindings between users and groups to security roles. The application configuration files are stored in the following locations:
  • For the InfoSphere Big Match Console, Big Match Search sample, and Big Match REST service applications: $<BIGMATCH_HOME>/conf/bigmatch-wlp-security-config.xml.
  • For IBM MDM Publisher and associated REST services: $<BIGMATCH_HOME>/conf/publisher-wlp-security-config.xml.
  • For IBM Entity Insight and associated REST services: $<BIGMATCH_HOME>/conf/analytics-wlp-security-config.xml.

The groups defined in $<BIGMATCH_HOME>/conf/bigmatch-wlp-security-config.xml are bound to these roles.

Note: The InfoSphere Big Match Console and IBM MDM Publisher user interfaces also call the IBM Entity Insight (analytics) REST services, so there are bindings for the analytics user groups to the AnalyticsUser security role in both publisher-wlp-security-config.xml and bigmatch-wlp-security-config.xml.

Procedure

To add new users or groups, or to make changes to permissions, edit the XML configuration files.
For example, to add users to the IBM Entity Insight user interface:
  1. Edit $<BIGMATCH_HOME>/conf/bigmatch-wlp-security-config.xml.
  2. Add the new users in the <basicRegistry id="basic" realm="customRealm"> section.
  3. Add the same users to the <group name="analytics"> group in the same XML file.
To add new user groups for a web application, first add the new groups to $<BIGMATCH_HOME>/conf/bigmatch-wlp-security-config.xml, then add the groups to the respective <application>-wlp-security-config.xml file.
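
An added example (not IBM's code) of auditing the Basic Registry after edits like the ones above: it flags accounts that still use the default passwords listed on this page, passwords stored in plaintext or {xor} form (a reversible encoding, not encryption), and group members that were never added to the registry. The sample XML is constructed; the user/group/member layout is assumed to follow the standard Liberty basicRegistry schema, and alice and bob are hypothetical users.

```python
import base64
import xml.etree.ElementTree as ET

# Demo accounts and default passwords as listed on this page.
DEFAULTS = {"bmadmin": "bmadmin", "mdmadmin": "mdmadmin", "Demo": "Demo", "test": "test"}

# Constructed sample of a basicRegistry section (not a shipped Big Match file).
SAMPLE = """<server>
  <basicRegistry id="basic" realm="customRealm">
    <user name="bmadmin" password="bmadmin"/>
    <user name="mdmadmin" password="{xor}MjsyPjsyNjE="/>
    <user name="alice" password="{hash}CONSTRUCTED-PLACEHOLDER"/>
    <group name="bigmatch"><member name="bmadmin"/></group>
    <group name="publisher"><member name="mdmadmin"/></group>
    <group name="analytics"><member name="alice"/><member name="bob"/></group>
  </basicRegistry>
</server>"""

def decode(stored):
    """Return (scheme, cleartext or None) for a Liberty password attribute."""
    if stored.startswith("{xor}"):
        raw = base64.b64decode(stored[5:])
        return "xor", bytes(b ^ 0x5F for b in raw).decode("utf-8", "replace")
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")], None  # {aes}/{hash}: not checked here
    return "plaintext", stored

def audit(xml_text):
    """List (user, finding) pairs for every basicRegistry in the document."""
    findings = []
    for reg in ET.fromstring(xml_text).iter("basicRegistry"):
        users = set()
        for u in reg.findall("user"):
            name, stored = u.get("name"), u.get("password", "")
            users.add(name)
            scheme, clear = decode(stored)
            if clear is not None and clear == DEFAULTS.get(name):
                findings.append((name, "default-password"))
            elif scheme in ("plaintext", "xor"):
                findings.append((name, "reversible-password"))
        for g in reg.findall("group"):
            for m in g.findall("member"):
                if m.get("name") not in users:  # step 3 done without step 2
                    findings.append((m.get("name"), "member-not-in-registry:" + g.get("name")))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To audit a real installation, pass the contents of bigmatch-wlp-security-config.xml to audit() instead of SAMPLE.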

What to do next

By default, the Big Match WebSphere Liberty Profile instance uses the same Java installation that is running Ambari Server. To change this, edit the /usr/ibmpacks/current/bigmatch/wlp/usr/servers/bigmatch-server/server.env file and set the value of JAVA_HOME to the path of a different JDK or JRE.

Note: To ensure that you are not vulnerable to various SSL attacks, make sure that you use a patched version of Java and WebSphere Liberty Profile. For more details, follow the security bulletins of Java and WebSphere Liberty.

If you need to change the security configuration to use an LDAP registry instead, see the WebSphere Liberty documentation about configuring LDAP user registries.

Tip: To configure LDAP authentication for IBM Entity Insight and IBM MDM Publisher, follow the steps documented in the WebSphere Liberty documentation, with these slight modifications in mind:
  • To configure authentication, apply the changes documented in steps 1 and 2 of the linked WebSphere Liberty page to the file <BIGMATCH_HOME>/conf/bigmatch-wlp-config.xml instead of the file server.xml. The LDAP server configuration (steps 3 and on) should be applied to the file <BIGMATCH_HOME>/conf/bigmatch-wlp-security-config.xml.
  • To configure authorization, create the appropriate groups on your LDAP server and then edit the file <BIGMATCH_HOME>/conf/analytics-wlp-application-config.xml to add those LDAP groups as necessary under the relevant security roles to grant the AnalyticsUser or PublisherUser access rights to the intended users.