ZIETrans administrative console and WebSphere security

The ZIETrans administrative console uses a Java™ Management Extensions (JMX) bean to perform remote administration. When WebSphere® Application Server global security is enabled, these JMX calls are authenticated by WebSphere security and must have a valid level of authorization in WebSphere. Consequently, remote administration from the ZIETrans administrative console does not work properly unless the user ID is defined as a WebSphere Application Server administrative console user with either Administrator or Operator authority.

The ZIETrans administrative console allows you to view and change problem determination settings. It also allows you to view connection status or disconnect host connections. When you deploy a ZIETrans application with ZIETrans administrative capabilities, you can map each of three ZIETrans roles to particular system user IDs for security. The three defined ZIETrans roles (ZIETransAdministrator, ZIETransOperator, and ZIETransMonitor) each have different capabilities within the ZIETrans administrative console. For more information see ZIETrans administrative console roles.

Similarly, the WebSphere Application Server administrative console allows you to view and change the configuration of the WebSphere Application Server environment. It enables you to install, start, stop, and uninstall Web applications such as ZIETrans applications. There are WebSphere console user roles (Administrator, Configurator, Operator, or Monitor) that provide different capabilities within the WebSphere Application Server administrative console. The following links from the WebSphere Application Server Knowledge Center provide additional detail on these security roles and policies:

If WebSphere global security is enabled, the user IDs that have a ZIETrans role can connect to the ZIETrans administrative console in a ZIETrans application, and can perform administration tasks within that specific ZIETrans application only. If the user tries to change the management scope to remotely administer another ZIETrans application, WebSphere security will check the authority of the user ID. If the user ID is not a valid WebSphere Application Server administrative console user with Administrator or Operator authority, the JMX calls will be blocked and ZIETrans remote administration will not function properly.

For example, if the user ID is either not defined as a WebSphere Application Server administrative console user at all, or defined with only Monitor authority, the Select Application list under Management Scope in the ZIETrans administrative console will not display any other ZIETrans applications. It will not be possible to change the management scope because no other applications are listed.

As another example, if the user ID is defined as a WebSphere Application Server administrative console user with Configurator authority, the list will show other ZIETrans applications, and the user can change scope from one application to another. However, the information shown in the ZIETrans administrative console may be incorrect, and any changes attempted through remote administration will not take effect.
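The three outcomes described above (no other applications listed, applications listed but changes silently ineffective, and working remote administration) can be checked before deployment. The following is an added example, not ZIETrans or WebSphere product code; the user IDs, the role mappings and the helper names are constructed for illustration, and it assumes WebSphere global security is enabled.

```python
"""Audit ZIETrans-role to WebSphere-admin-role mappings for remote administration.

Constructed example: the helpers and sample data here are not part of ZIETrans.
"""
ZIETRANS_ROLES = {"ZIETransAdministrator", "ZIETransOperator", "ZIETransMonitor"}
WAS_CONSOLE_ROLES = {"Administrator", "Configurator", "Operator", "Monitor"}
REMOTE_ADMIN_OK = {"Administrator", "Operator"}   # roles whose JMX calls are authorized


def remote_admin_status(was_roles):
    """Classify the ZIETrans console behaviour for a user holding the given
    WebSphere administrative console roles (global security enabled)."""
    unknown = set(was_roles) - WAS_CONSOLE_ROLES
    if unknown:
        raise ValueError(f"unknown WebSphere console role(s): {sorted(unknown)}")
    if set(was_roles) & REMOTE_ADMIN_OK:
        return "ok"                # scope change works and remote changes take effect
    if "Configurator" in was_roles:
        return "silent-failure"    # other apps listed, but data may be wrong and changes are dropped
    return "no-scope-change"       # Monitor or no WAS role: Select Application list stays empty


def find_remote_admin_problems(zietrans_map, was_map):
    """Return {user: status} for every user mapped to a ZIETrans role whose
    remote administration would not work properly.  Missing WAS mapping == no role."""
    problems = {}
    for user, zroles in zietrans_map.items():
        bad = set(zroles) - ZIETRANS_ROLES
        if bad:
            raise ValueError(f"{user}: unknown ZIETrans role(s) {sorted(bad)}")
        status = remote_admin_status(was_map.get(user, set()))
        if status != "ok":
            problems[user] = status
    return problems


if __name__ == "__main__":
    # Constructed sample mappings (hypothetical user IDs).
    zietrans_map = {"alice": {"ZIETransAdministrator"},
                    "bob": {"ZIETransOperator"},
                    "carol": {"ZIETransMonitor"}}
    was_map = {"alice": {"Operator"}, "bob": {"Configurator"}}
    for user, status in find_remote_admin_problems(zietrans_map, was_map).items():
        print(f"{user}: remote administration {status}")
```

The "silent-failure" case is the one worth catching early: the console appears to work for a Configurator-only user, so the dropped changes are easy to miss.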

Therefore, if WebSphere global security is enabled, two options exist for using the ZIETrans administrative console.

Option 1: Keep ZIETrans and WebSphere Application Server user roles separate

If you do not want to give any WebSphere Application Server administration authority to any of the user IDs that are mapped to ZIETrans roles, then you must include the ZIETrans administrative console in every ZIETrans application, and you will need to administer each ZIETrans application separately using the ZIETrans administrative console for that specific application. You will not be able to use remote administration.

Option 2: Combine ZIETrans and WebSphere Application Server user roles

If you want to use the ZIETrans administrative console in a single ZIETrans application to remotely administer other ZIETrans applications by changing the management scope, then the user IDs that are mapped to ZIETrans roles must also be defined in WebSphere Application Server as WebSphere administrative console users with either the Administrator role or the Operator role. These users will be able to change the management scope in the ZIETrans administrative console, and they will be able to perform the other ZIETrans administrative tasks that are allowed for the specific ZIETrans role to which they are mapped. In addition, the users will also be able to log into the WebSphere Application Server administrative console and perform WebSphere administrative tasks that are allowed for the WebSphere Application Server administrative console user role to which they are mapped.

For either option, if WebSphere global security is enabled, ensure the Enable application security option is selected. For WebSphere Application Server V6.x, from the WebSphere administrative console, select Security > Secure administration, applications, and infrastructure > Application security > Enable application security. For WebSphere Application Server V7.x and V8.x, from the WebSphere administrative console, select Security > Global security > Application security > Enable application security.

In summary, if WebSphere global security is enabled, the user IDs that are mapped to any ZIETrans roles must also be mapped to WebSphere Application Server Administrator or Operator roles in order for ZIETrans remote administration to function properly.