IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Enable authorization policies in the portal server
After you have created the initial set of authorization policies and assigned a user to the role with permission to distribute policies, enable authorization policy enforcement in the dashboard data provider by configuring the Tivoli Enterprise Portal Server using Manage Tivoli Enterprise Monitoring Services or the command-line.
Procedure
- Use Manage Tivoli Enterprise Monitoring Services
- Start Manage Tivoli Enterprise Monitoring Services on the computer where the portal server is installed:
On Windows: Click Start → Programs → IBM Tivoli Monitoring → Manage Tivoli Enterprise Monitoring Services.
On Linux or UNIX: Where install_dir is the IBM Tivoli Monitoring installation directory, change to the install_dir/bin directory and run ./itmcmd manage [-h install_dir].
- Right-click Tivoli Enterprise Portal Server:
On Windows: Click Reconfigure, and click OK to accept the existing configuration and go to the second TEP Server Configuration window.
On Linux or UNIX: Click Configure. The Common Event Console Configuration window is displayed. Click OK to accept the current values. On the Configure Tivoli Enterprise Portal window, select the Dashboard data provider tab.
- In the dashboard data provider area of the configuration window, verify the Enable authorization policies check box is selected. If it is not selected, then select it.
- When the dashboard data provider is enabled, you can specify a domain override value. This value is optional. It changes the default dashboard data provider ID and domain name for authorization policies from itm.<hub_monitoring_server_name> to itm.<domain_override_value>. The value may not exceed 124 characters. You should configure a domain override value for these scenarios:
- The Hot Standby high availability feature is being used for the hub monitoring server. By configuring a domain override value, the dashboard data provider ID and domain name will not change when the portal server is configured to connect to the new acting hub monitoring server. If you do not configure a domain override value in this scenario, you must reconfigure the connection between the IBM Dashboard Application Services Hub and the dashboard data provider and update any domain-specific authorization policies when the portal server is configured to connect to the new acting hub monitoring server.
- You have multiple hub monitoring servers that are using a common set of authorization policies for controlling dashboard access and you want to create some domain-specific authorization policies. You should specify a domain override value for this scenario if you want to use a more user-friendly domain name in your authorization policies than the default value of itm.<hub_monitoring_server_name>.
If you modify the domain override after you have configured a connection in your Dashboard Application Services Hub to the dashboard data provider, then you must delete the connection and re-add it. See Create a connection to the IBM Tivoli Monitoring dashboard data provider for details on how to configure a dashboard data provider connection. Also, if you have created any domain-specific authorization policies using the default domain name, then you must delete the permissions that use the previous domain name and create new permissions that use the new domain name when you change the domain override value.
- The Enable authorization policies option is selected if you want to use authorization policies to control which managed systems and managed system groups a user can access in monitoring dashboards. Only enable authorization policies if you are setting up a dashboard environment with single sign-on, you plan to use authorization policies to control access to monitoring dashboards, and your administrators have already created the initial set of policies for dashboard user access.
- In the Authorization Policy Server Configuration window specify the following information:
Table 1. Configuration information for the Authorization Policy Server

| Field | Description |
| --- | --- |
| Hostname or IP Address | IP Address or fully qualified hostname of the IBM Dashboard Application Services Hub with the Authorization Policy Server. This parameter is required. If your environment includes an HTTP server for load balancing across multiple Dashboard Application Services Hub servers, the Authorization Policy Server can only be installed with one of the dashboard servers because it does not support load balancing. Therefore, you must determine which computer system has Dashboard Application Services Hub and the Authorization Policy Server installed and specify the hostname or IP address of that system. |
| Protocol | Choose the protocol used to connect to the IBM Dashboard Application Services Hub with the Authorization Policy Server. The default value is HTTPS. This parameter is not required. You should only select HTTPS if you have already configured TLS/SSL between the portal server and the Authorization Policy Server. See Configure TLS/SSL communication with the Authorization Policy Server. |
| Port | Choose the port used to connect to the IBM Dashboard Application Services Hub with the Authorization Policy Server. The default value is 16311 for the HTTPS protocol and 16310 for the HTTP protocol. The valid port values are from 1 to 65535 inclusive. This parameter is not required. |
| Polling Interval | How often the local data store is updated from the Authorization Policy Server by the policy client running on the portal server. The default is 30 minutes. Valid values are from 5 to 1440 minutes inclusive. This parameter is not required. |
| Policy Store Expiration Interval | If the policy store cannot be updated from the Authorization Policy Server, this interval is the amount of time the local policy store will continue to be utilized from the last update. If the Authorization Policy Server cannot be accessed for the time interval specified by this parameter, all subsequent requests for dashboard data will fail with an authorization error until the Authorization Policy Server is available again. The default is 7 days and 0 hours. The value specified for hours must be in the range of 0-23 hours. If the expiration interval is set to 0 days and 0 hours, the policy store will never expire. This parameter is not required. |
| User ID | Name of the user that the portal server will use to access the IBM Dashboard Application Services Hub with Authorization Policy Server. This user must be added to the PolicyDistributor authorization policy core role or to a custom role that has been granted permission to perform the distribute operation for the role object type. This parameter is required. |
| Password | Password for the user. This parameter is required. |
| Confirm Password | Confirm the password by entering it again. This parameter is required. |

Enter the required information for the Authorization Policy Server connection parameters in the fields provided and click OK.
- When you are prompted to reconfigure the warehouse connection information, answer No.
- On Windows, after some processing of the configuration settings, the Common Event Console Configuration window is displayed. Sometimes this window does not open in the foreground and is hidden by other windows. If processing seems to be taking longer than expected, minimize other windows and look for the configuration window. When the Common Event Console Configuration window is displayed, click OK.
- If you made configuration changes, ensure the portal server is restarted.
- Use the command-line
If the Tivoli Enterprise Portal Server is on Linux or UNIX, you can modify the portal server configuration from the command-line and enable authorization policies if they are not already enabled.
- Log on to the computer where the Tivoli Enterprise Portal Server is installed.
- At the command-line, change to the install_dir/bin directory, where install_dir is the directory where you installed the product.
- Run the following command to configure the Tivoli Enterprise Portal Server: ./itmcmd config -A cq.
The message Agent configuration started is displayed, followed by a prompt: Tivoli Enterprise Portal Server will be stopped during configuration. Do you want to continue? [1=Yes, 2=No] (Default is: 2).
- Enter 1. The following prompt is displayed: Edit "Common event console for IBM Tivoli Monitoring" settings? [ 1=Yes, 2=No ] (default is: 1).
- Enter 2. The following prompt is displayed: Will this agent connect to a TEMS? [1=YES, 2=NO] (Default is: 1).
- Accept the default values for this prompt and the prompts that follow it until you see the prompt about configuring the dashboard data provider. If it is not enabled, select a value of 1 to enable it.
- Next you are asked if you want to specify a domain override value. Enter 1 for Yes and 2 for No.
When the dashboard data provider is enabled, you can specify a domain override value. This value is optional. It changes the default dashboard data provider ID and domain name for authorization policies from itm.<hub_monitoring_server_name> to itm.<domain_override_value>. The value may not exceed 124 characters. You should configure a domain override value for these scenarios:
- The Hot Standby high availability feature is being used for the hub monitoring server. By configuring a domain override value, the dashboard data provider ID and domain name will not change when the portal server is configured to connect to the new acting hub monitoring server. If you do not configure a domain override value in this scenario, you must reconfigure the connection between the IBM Dashboard Application Services Hub and the dashboard data provider and update any domain-specific authorization policies when the portal server is configured to connect to the new acting hub monitoring server.
- You have multiple hub monitoring servers that are using a common set of authorization policies for controlling dashboard access and you want to create some domain-specific authorization policies. You should specify a domain override value for this scenario if you want to use a more user-friendly domain name in your authorization policies than the default value of itm.<hub_monitoring_server_name>.
If you modify the domain override after you have configured a connection in your Dashboard Application Services Hub to the dashboard data provider, then you must delete the connection and re-add it. See Create a connection to the IBM Tivoli Monitoring dashboard data provider for details on how to configure a dashboard data provider connection. Also, if you have created any domain-specific authorization policies using the default domain name, then you must delete the permissions that use the previous domain name and create new permissions that use the new domain name when you change the domain override value.
- If the dashboard data provider is enabled, you are prompted whether you want to enable authorization policies. Use the information in Table 1.
Only enable authorization policies if you are setting up a dashboard environment with single sign-on, you plan to use authorization policies to control access to monitoring dashboards, and your administrators have already created the initial set of policies for dashboard user access.
- After the command has completed the configuration, the message Agent configuration completed is displayed, and you are asked if you want to restart the portal server. Select 1 to restart it.
Results
You have successfully enabled authorization policies on the portal server. After you have recycled the Tivoli Enterprise Portal Server with the Enable authorization policies box checked, the dashboard data provider will start making authorization calls against its local policy store to allow or exclude managed system group and managed system access for dashboard users.
If authorized dashboard users do not see any monitored resources in the dashboards or they do not see the correct set of resources, see the IBM Tivoli Monitoring Troubleshooting Guide for steps to diagnose this issue.
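The following pre-flight check is an added example, not IBM code. It validates planned Authorization Policy Server connection values against the limits and defaults documented in the configuration table, flags the two security-relevant choices (HTTP and a never-expiring policy store), and models when the local policy store stops being usable. The dictionary keys and function names are hypothetical, and the sample values are constructed.

```python
from datetime import datetime, timedelta

# Defaults from the Authorization Policy Server configuration table.
DEFAULT_PORT = {"HTTPS": 16311, "HTTP": 16310}

def check_settings(cfg):
    """Return findings for a planned configuration (keys are hypothetical)."""
    findings = []
    for key in ("hostname", "user_id", "password"):
        if not cfg.get(key):
            findings.append(f"ERROR: {key} is required")
    protocol = cfg.get("protocol", "HTTPS").upper()
    if protocol not in DEFAULT_PORT:
        findings.append("ERROR: protocol must be HTTPS or HTTP")
    elif protocol == "HTTP":
        findings.append("WARN: HTTP leaves the policy server connection unencrypted")
    port = cfg.get("port", DEFAULT_PORT.get(protocol, 16311))
    if not 1 <= port <= 65535:
        findings.append("ERROR: port must be 1-65535")
    if not 5 <= cfg.get("polling_minutes", 30) <= 1440:
        findings.append("ERROR: polling interval must be 5-1440 minutes")
    days, hours = cfg.get("expire_days", 7), cfg.get("expire_hours", 0)
    if not 0 <= hours <= 23:
        findings.append("ERROR: expiration hours must be 0-23")
    elif days == 0 and hours == 0:
        findings.append("WARN: policy store never expires; stale policies stay in force")
    if len(cfg.get("domain_override", "")) > 124:
        findings.append("ERROR: domain override exceeds 124 characters")
    return findings

def store_usable(last_update, now, expire_days=7, expire_hours=0):
    """True while the local policy store may still be used after the last update."""
    if expire_days == 0 and expire_hours == 0:
        return True  # 0 days and 0 hours: the store never expires
    # Once the interval has elapsed, dashboard data requests fail with an
    # authorization error until the policy server is reachable again.
    return now - last_update <= timedelta(days=expire_days, hours=expire_hours)

# Constructed sample input, not taken from a real environment.
sample = {"hostname": "dash.example.com", "user_id": "policyuser",
          "password": "placeholder", "protocol": "http",
          "expire_days": 0, "expire_hours": 0}

if __name__ == "__main__":
    for finding in check_settings(sample):
        print(finding)
    last = datetime(2024, 1, 1)
    print(store_usable(last, last + timedelta(days=7, hours=1)))
```
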