Limited support

BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see MainView Middleware Administrator 9.1.

How to implement HTTP Request Header verification


For enhanced security, MainView Middleware Administrator (MVMA) by default implements HTTP Request Header verification, validating the requester from the X-Requested-With header.

By default, applications interacting with the MVMA web interface MUST set a non-empty value for this header when sending an HTTP request to MVMA after successful login.

While the MVMA web interface and the MVMA JavaScript API support this header, other applications such as TrueSight Middleware and Transaction Monitor 8.1 or MainView for MQ (from version 5.4), or custom applications using the MVMA REST API not through the JavaScript API but through a different web client (such as curl), may not work out-of-the-box. 

There are two alternative options to enable applications to interact with the MVMA web interface:

  • Modify the application to pass a non-empty value with the X-Requested-With header with every request sent.
  • Disable request header verification within MVMA (not recommended).

For example, to enable a custom application using curl to interact with MVMA through its REST API, change the curl command to send the X-Requested-With header with any non-empty value, such as MyApp.

curl --insecure -b cookies.txt --header "Content-Type:application/json"  --header "X-Requested-With:MyApp" https://quicksilver.bmc.com:8443/bmmadmin/admin/projects

The identifier used with the header may be any string that does not contain whitespace or commas.

MVMA uses different identifiers depending on its underlying component: 

| MVMA Component | X-Requested-With | Used by |
| --- | --- | --- |
| Web UI (from within the browser) | XMLHttpRequest | Browsers (e.g. Internet Explorer, Firefox, Chrome) |
| MVMA JavaScript API | TSMAJavaScriptAPI | Custom applications using the MVMA JavaScript API |
| MVMA Java API | TSMAJavaAPI | BMC applications such as TrueSight Middleware and Transaction Monitor (from version 8.1.00) |

While these identifiers are not strictly reserved, custom applications are recommended to use their own identifiers.

MVMA supports whitelisting for these identifiers to allow customers to better control access to the MVMA web application. To use it, set the system property com.bmc.mmadmin.ValidXRequesters to a comma-separated list of the identifiers that should be able to access MVMA; a request is matched by the identifier it sets in the X-Requested-With header.

To configure a whitelist of requester identifiers with MVMA

  1. Stop MVMA services.
  2. Open the wrapper.conf in the configuration sub-folder of the MVMA installation directory.
  3. Add an entry wrapper.java.additional.NN=-Dcom.bmc.mmadmin.ValidXRequesters=<whitelist> where NN is the highest number of the current entries of this type increased by one and <whitelist> is the comma-separated list of accepted header identifiers. Make sure to include the identifiers used by the MVMA components so that you do not lock out access to MVMA through a browser or through a custom application using the MVMA JavaScript API.

    For example:
    wrapper.java.additional.22=-Dcom.bmc.mmadmin.ValidXRequesters=XMLHttpRequest,TSMAJavaScriptAPI,TSMAJavaAPI,MyApp
  4. Save your changes to wrapper.conf.
  5. Restart MVMA services.

Adjusting a custom application that relies on the JavaScript API of an earlier version may be as easy as pointing it to the MVMA JavaScript API. It may be more difficult for custom applications using another web client, and may even be impossible for other products integrating with MVMA, such as TrueSight Middleware and Transaction Monitor (from version 8.1.00) or MainView for MQ (from version 5.4).

To enable these applications to interact with MVMA, request header verification can optionally be disabled by setting the system property com.bmc.mmadmin.CheckRequester to false. This can be temporarily useful to enable existing applications to work with MVMA until a solution providing the required support of request headers is implemented.

To disable HTTP request header verification within MVMA

  1. Stop MVMA services.
  2. Open the wrapper.conf in the configuration sub-folder of the MVMA installation directory.
  3. Add an entry wrapper.java.additional.NN=-Dcom.bmc.mmadmin.CheckRequester=false where NN is the highest number of the current entries of this type increased by one.

    For example:
    wrapper.java.additional.22=-Dcom.bmc.mmadmin.CheckRequester=false
  4. Save your changes to wrapper.conf.
  5. Restart MVMA services.
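
The following is an added example, not BMC code: it audits wrapper.conf text for the two system properties described above and builds the whitelist line from step 3 of the whitelist procedure. The sample configuration is constructed, the function names are hypothetical, and the case-insensitive reading of CheckRequester=false is an assumption.

```python
import re

# Identifiers the page lists for MVMA's own components; a whitelist without
# them locks out the browser UI or the bundled APIs.
BUILTIN_IDS = ("XMLHttpRequest", "TSMAJavaScriptAPI", "TSMAJavaAPI")
ENTRY = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$")
PROP = "-Dcom.bmc.mmadmin."


def audit_wrapper_conf(text):
    """Summarise the request-header settings found in wrapper.conf text."""
    highest, whitelist, wl_index, check_enabled = 0, None, None, True
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # comments and unrelated settings
        index, value = int(m.group(1)), m.group(2)
        highest = max(highest, index)
        if value.startswith(PROP + "ValidXRequesters="):
            whitelist, wl_index = value.split("=", 1)[1].split(","), index
        elif value.startswith(PROP + "CheckRequester="):
            # Assumption: the value is compared case-insensitively.
            check_enabled = value.split("=", 1)[1].lower() != "false"
    missing = [i for i in BUILTIN_IDS if whitelist is not None and i not in whitelist]
    return {"next_index": highest + 1, "whitelist": whitelist,
            "whitelist_index": wl_index, "check_enabled": check_enabled,
            "missing_builtin": missing}


def whitelist_entry(text, identifiers):
    """Build the step-3 line, reusing the index of an existing whitelist entry."""
    for ident in identifiers:
        # Per the page: any string without whitespace or commas.
        if not ident or re.search(r"[\s,]", ident):
            raise ValueError(f"invalid identifier: {ident!r}")
    state = audit_wrapper_conf(text)
    nn = state["whitelist_index"] or state["next_index"]
    return f"wrapper.java.additional.{nn}={PROP}ValidXRequesters={','.join(identifiers)}"


# Constructed sample, not taken from a real installation.
SAMPLE_CONF = """\
wrapper.java.additional.20=-Dexample.first=1
wrapper.java.additional.21=-Dcom.bmc.mmadmin.ValidXRequesters=XMLHttpRequest,MyApp
wrapper.java.additional.22=-Dcom.bmc.mmadmin.CheckRequester=false
"""

if __name__ == "__main__":
    print(audit_wrapper_conf(SAMPLE_CONF))
    print(whitelist_entry(SAMPLE_CONF, list(BUILTIN_IDS) + ["MyApp"]))
```

On the constructed sample the audit reports that verification is disabled and that the existing whitelist omits two of the built-in identifiers, both of which are worth checking for before restarting MVMA services.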
