Configuring access URLs.

TrueSight IT Data Analytics prevents CSRF attacks by checking the HTTP header, also known as Referer, of the incoming HTTP request. This header is present in the requests that come from browsers. All invalid requests return a HTTP 403 response.

By default, the product allows access only to particular requests. For more information, see Security planning for IT Data Analytics . To enable access to additional requests, you need to make certain configurations.

Configuring access URLs for olaengine

  1. Navigate to %BMC_ITDA_HOME%\tomcat\webapps\olaengine\WEB-INF\

  2. In the web.xml file, navigate to the Referer-Filter section by searching for the text "Referer-Filter". 
    This section contains rules for URLs that must have access to the product.
  3. After the last <init-param> element, add a new <init-param> element and specify your rule. To understand this, see Example of adding a new rule.
    The <init-param> element has two elements, <param-name> and <param-value>. These elements are explained as follows:
    • The value of the <param-name> element must have "pattern" as prefix.
    • The value of the <param-value> element is a set of two regular expressions that are separated by a space. The first regular expression represents the incoming HTTP requests that are checked. The second regular expression represents what the HTTP header (Referer) must include so that the HTTP requests are allowed.

Example of adding a new rule for configuring access URLs

In this example, a new rule, pattern3, is added after pattern2. Pattern3 allows all requests (represented by .*) in which Referer has http or https followed by the IPv6 address, and where the Console Server port is either 9454 or 9443. Note that in pattern 3, <IPv6 address of your machine> refers to a variable value that denotes the IPv6 address of the server on which the product is installed.

<filter>
<filter-name>Referer-Filter</filter-name>
<filter-class>com.bmc.ola.filters.RefererFilter</filter-class>
<init-param>
<param-name>pattern1</param-name>
<param-value>.* ^http(s)?://\
[::1\]:(9797|9443)/.*</param-value>
</init-param>
<init-param> <param-name>pattern2</param-name>
<param-
value>.* ^http(s)?://localhost:(9797|9443)/.*</param-value>
</init-param>


<init-param>
  <param-name>pattern3</param-name>
  <param-value>.* ^http(s)?://<IPv6 address of your machine>:(9454|9443)/.*</param-value>
</init-param> 


</filter>

Configuring access URLs for console

  1. Navigate to %BMC_ITDA_HOME%\tomcat\webapps\console\WEB-INF\
  2. In the web.xml file, navigate to the Referer-Filter section by searching for the text "Referer-Filter". 
    This section contains rules for URLs that must have access to the product.

  3. Uncomment the following elements

    <!--<filter>

    <filter-name>Referer-Filter</filter-name>
    <filter-class>com.bmc.rest.client.RefererFilter</filter-class>
    <init-param>
    <param-name>pattern1</param-name>
    <param-value>.* ^http(s)?://[::1](:\d+)?/.*</param-value>
    </init-param>
    <init-param>
    <param-name>pattern2</param-name>
    <param-value>.* ^http(s)?://localhost(:\d+)?/.*</param-value>
    </init-param>


    <init-param>
    <param-name>pattern3</param-name>
    <param-value>.* ^http(s)?://<IPv6 address of your machine>(:\d+)?/.*</param-value>
    </init-param>


    </filter>
    <filter-mapping>
    <filter-name>Referer-Filter</filter-name>
    <url-pattern>/console/*</url-pattern>

    </filter-mapping> -->

Configuring domain access

To provide permissive cross-domain policy, do the following:

  1. Navigate to %BMC_ITDA_HOME%\tomcat\webapps\ROOT
  2. In the clientaccesspolicy.xml file, change the value of “*” to the specific domain name where TrueSight IT Data Analytics is installed.

    <allow-from http-request-headers="*">
          <domain uri="*"/>
    </allow-from>
Was this page helpful? Yes No Submitting... Thank you

Comments