Objective
Auto-deploy Contrast's Java agent within an IBM WebSphere container.
Process
The Contrast Java agent must run within the JVM started by WebSphere. This is done by adding the -javaagent:jarpath parameter to the generic JVM options. Normally this can be achieved via the Administrator console (see https://www.ibm.com/support/pages/node/397841 for details).
Adding Contrast in Docker environments:
To make the Java agent files available to the container, the latest agent can be acquired from the Contrast UI (TeamServer) via curl:
RUN curl -X GET <Teamserver URL>/Contrast/api/ng/<OrganizationID>/agents/default/JAVA?jvm=1_8 -H 'Authorization: <Authorization>' -H 'API-Key: <API KEY>' -o contrast.jar
Note: The <Authorization> and the <API KEY> can be downloaded from TeamServer under User Menu > User settings > Profile.
Alternatively, the jar can be copied:
COPY --chown=was:root contrast.jar /home/was/contrast.jar
or hosted in a persistent volume.
Note: Utilizing a persistent volume can improve startup times as the agent will not have to rebuild its cache from scratch each time.
The agent can be configured via JVM properties, a YAML config file, or environment variables (see https://docs.contrastsecurity.com/en/java-configuration.html for options). An organization-specific contrast_security.yaml can be downloaded via the following curl:
curl -HAuthorization:<AUTHORIZATION> -HAPI-Key:<API_KEY> -Haccept:'application/json' -Hcontent-type:'application/json' 'https://<SERVER>/Contrast/api/ng/<ORG_ID>/agents/external/default/JAVA' --data-binary '{"metadata":[]}' -OJ
or downloaded from the Contrast UI and copied in:
COPY --chown=was:root contrast_security.yaml /home/was/contrast_security.yaml
Adding the Java agent into WebSphere's JVM:
Contrast can be added via the server.xml:
${WEBSPHERE_DIR}\AppServer\profiles\AppSrv01\config\cells\<CellName>\nodes\<NodeName>\servers\server1\server.xml
<jvmEntries genericJvmArguments="-javaagent:${DOWNLOADS}/contrast.jar -Xshareclasses:none -Xmx512m"> ... </jvmEntries>
Alternatively, it can be added using Jython within the Dockerfile:
RUN wsadmin.sh -lang jython -conntype NONE -c "AdminConfig.modify(AdminConfig.list('JavaVirtualMachine', \
AdminConfig.list('Server')), [['genericJvmArguments', \
'-Xshareclasses:none -javaagent:/home/was/contrast.jar -Dcontrast.config.path=/home/was/contrast_security.yaml']])"
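The Docker steps above combined into one Dockerfile, as an added example that is not Contrast's or IBM's own. It assumes BuildKit, a base image passed as BASE_IMAGE that runs as user was with curl and wsadmin.sh available, and the hypothetical secret ids contrast_auth and contrast_api_key; the TeamServer credentials are supplied as build secrets rather than typed into the RUN line, so they do not end up in an image layer or in docker history.

```dockerfile
# syntax=docker/dockerfile:1
# Added example. Assumed names: BASE_IMAGE, TEAMSERVER_URL, ORG_ID and the
# secret ids contrast_auth / contrast_api_key are chosen here, not by Contrast.
ARG BASE_IMAGE
FROM ${BASE_IMAGE}

ARG TEAMSERVER_URL
ARG ORG_ID

# Fetch the agent. The two secrets are mounted under /run/secrets only for
# this RUN step; mode=0444 lets the non-root "was" user read them.
# --fail makes curl exit non-zero on an HTTP error instead of saving the
# error body as contrast.jar; test -s rejects an empty download.
RUN --mount=type=secret,id=contrast_auth,mode=0444 \
    --mount=type=secret,id=contrast_api_key,mode=0444 \
    curl --fail --silent --show-error \
      -H "Authorization: $(cat /run/secrets/contrast_auth)" \
      -H "API-Key: $(cat /run/secrets/contrast_api_key)" \
      -o /home/was/contrast.jar \
      "${TEAMSERVER_URL}/Contrast/api/ng/${ORG_ID}/agents/default/JAVA?jvm=1_8" \
 && test -s /home/was/contrast.jar

# contrast_security.yaml holds the agent's connection credentials, so an
# image built this way should be stored like any other secret-bearing artifact.
COPY --chown=was:root contrast_security.yaml /home/was/contrast_security.yaml

# Register the agent in the generic JVM arguments (command as given above).
RUN wsadmin.sh -lang jython -conntype NONE -c "AdminConfig.modify(AdminConfig.list('JavaVirtualMachine', \
    AdminConfig.list('Server')), [['genericJvmArguments', \
    '-Xshareclasses:none -javaagent:/home/was/contrast.jar -Dcontrast.config.path=/home/was/contrast_security.yaml']])"
```

Build it with docker build, passing --secret id=contrast_auth,src=<file> and --secret id=contrast_api_key,src=<file> along with --build-arg values for BASE_IMAGE, TEAMSERVER_URL and ORG_ID.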