IBM Tivoli Monitoring > Version 6.3 Fix Pack 2 > Administrator's Guide > Prepare your dashboard environment > Roadmaps
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Migrate a basic monitoring dashboard environment to a dashboard environment with single sign-on and per user authorization controls
Migrate your basic dashboard environment to an advanced dashboard environment.
After you have setup a basic monitoring environment as described in Set up a basic monitoring environment without single sign-on and without per user authorization controls, you can migrate to an advanced dashboard environment with single sign-on.
Roadmap
Use the following roadmap to help you get started:
Roadmap for migrating to an advanced dashboard environment
Step Description Where to find information 1 (required) Setup an LDAP server such as Tivoli Directory Server or Microsoft Active Directory to authenticate Dashboard Application Services Hub and portal server users and add your users to this registry. See Prerequisites for configuring LDAP authentication on the portal server, then refer to the documentation for your LDAP server. 2 (required) Ensure the time is synchronized to UTC on your portal server and Dashboard Application Services Hub. For more information and for planning considerations for using single sign-on, see About single sign-on. 3 (required) Use the WebSphere Administrator Console of IBM Dashboard Application Services Hub to configure the Dashboard Application Services Hub application server to use the LDAP user registry to authenticate users and to enable single sign-on. During the configuration, specify a realm name and a domain name. These same values must be specified when configuring the portal server and any other applications that perform single sign-on with the portal server or the dashboard server.
- The domain name is the Internet or Intranet domain for which SSO is configured, for example mycompany.com. Only applications available in this domain or its sub-domains are enabled for SSO.
- A realm identifies a set of federated repositories used by the portal server and other application servers. You can choose your own realm name, but this value must be the same across all applications that are configured for SSO within the specified domain.
Refer to the Jazz for Service Management Configuration Guide in the Jazz for Service Management Information Center for details on configuring Jazz for Service Management to use a central user registry, configuring SSO, configuring the LTPA token timeout values, and configuring a TLS/SSL connection to the LDAP server. 4 (required) Configure the portal server to use an LDAP user registry and specify the realm name and domain used for single sign-on. To configure the portal server to use LDAP, you can use the following options:
- IBM Manage Tivoli Enterprise Monitoring Services utility
- itmcmd command line interface on Linux and UNIX
- TEPS/e administration console
You use either IBM Manage Tivoli Enterprise Monitoring Services or the itmcmd command to enable LDAP user validation for the portal server. You can also use these utilities to configure the LDAP connection parameters unless:
- You want to use a server besides Microsoft Active Directory or Tivoli Directory Server
- You want to configure TLS/SSL between the portal server and the LDAP server
- You need to specify advanced LDAP configuration parameters
For these scenarios, you specify the type of Other when configuring the portal server and then use the TEPS/e administration console to complete the LDAP connection configuration.
You can also export the portal server's LTPA key or import the LTPA key from another application at the same time as configuring LDAP user authentication or you can perform these steps after you have verified the portal server's LDAP authentication is working.
Use the instructions in one of the following topics to enable LDAP user validation on the portal server:
- Use Manage Tivoli Enterprise Monitoring Services to configure the portal server for LDAP authentication
- Use the Linux or UNIX command line to configure the portal server for LDAP authentication
Then, follow the instructions in Use the TEPS/e administration console if you specified an LDAP server type of Other when enabling LDAP user validation for the portal server.
Usage notes:
If you are using Microsoft Active Directory, see LDAP user authentication using Microsoft Active Directory for planning and configuration information specific to this type of LDAP server.
If you are using Tivoli Directory Server, see Understanding single sign-on between IBM Tivoli Monitoring and Tivoli Integrated Portal using Tivoli Directory Server in the IBM Tivoli Monitoring Wiki. These instructions explain how to map entries configured in Tivoli Directory Server to the information configured using the TEPS/e administration console. Ignore the steps provided for Tivoli Integrated Portal.
5 (required) Login to the Tivoli Enterprise Portal client as sysadmin, then map your existing Tivoli Enterprise Portal user IDs to LDAP distinguished names except for sysadmin. If you do not have any Tivoli Enterprise Portal user IDs besides sysadmin, create a Tivoli Enterprise Portal user ID for at least one of your LDAP users and, when creating the user ID, enter the user's LDAP distinguished name.
You will login as one of your LDAP users in a later task to verify that data can be displayed in your monitoring dashboards. Use the Tivoli Enterprise Portal client to assign this user the monitoring applications that will be displayed in the dashboards and permission to view events if situation event data is displayed in the dashboard.
If you have existing Tivoli Enterprise Portal users, see Map Tivoli Enterprise Portal user IDs to LDAP distinguished names. If create a new Tivoli Enterprise Portal user ID, see Add a user ID.
See Administer Users for details on assigning monitoring applications and permissions to Tivoli Enterprise Portal users.
See Reconfigure the browser client for SSO if Dashboard Application Services Hub and the portal server are on the same computer.
6 (optional best practice) Verify that you can login to the Tivoli Enterprise Portal client as an LDAP user who has been mapped to a Tivoli Enterprise Portal user ID. N/A 7 (optional best practice) Configure a TLS/SSL connection between the portal server and LDAP server if you want to secure this communication. Configure TLS/SSL communication between the portal server and the LDAP server 8 (optional best practice) Verify that you can login to the Tivoli Enterprise Portal client as an LDAP user who has been mapped to a Tivoli Enterprise Portal user ID. N/A 9 (required) You must ensure the following applications are using the same LTPA key as the portal server:
- A web-based or web-enabled application that launches the Tivoli Enterprise Portal
- A web-based or web-enabled application that can be launched from the Tivoli Enterprise Portal client
- IBM Dashboard Application Services Hub
- Another application such as Tivoli Integrated Portal that uses the IBM Tivoli Monitoring charting web service
Determine which application will be the source of the LTPA key for all of the other participating SSO applications and export its LTPA key. The key file and the password used to encrypt the key must be provided to the administrators of the other participating applications.
If you decide that the portal server will be the source of the LTPA key, export its LTPA key using the export instructions in Import and export LTPA keys. If IBM Dashboard Application Services Hub will be the source of the LTPA key, see "Exporting LTPA keys" in the Jazz for Service Management Configuration Guide on the Jazz for Service Management Information Center.
Otherwise, refer to the documentation of the application whose LTPA key will be exported to determine how to perform the export operation.
10 (required) The administrators of the other participating SSO applications must import the LTPA key that was exported in the previous step. They need the key file and the password that was used to encrypt the key. To import an LTPA key into the portal server, see the import instructions in Import and export LTPA keys. To import an LTPA key into IBM Dashboard Application Services Hub see "Importing LTPA keys" in the Jazz for Service Management Configuration Guide on the Jazz for Service Management Information Center.
See the documentation for the other participating SSO applications for instructions on importing the LTPA key.
11 (required) Login to IBM Dashboard Application Services Hub as an LDAP user who is also a dashboard hub administrative user using the URL http://hostname:port_number/ibm/console/. Because single sign-on has been enabled, specify the fully qualified hostname in this URL. The default port number for HTTP is 16310 and for HTTPS is 16311. The default path to the server is /ibm/console. However, this path is configurable, and might differ from the default in your environment. Then delete the existing dashboard data provider connection and create a new dashboard data provider connection that supports single sign-on.
Create a connection to the IBM Tivoli Monitoring dashboard data provider When creating your connection, select the box Use the credentials of the user (requires SSO Configuration).
12 (optional best practice) Login to IBM Dashboard Application Services Hub as an LDAP user who has permission to view your dashboard pages and who has a Tivoli Enterprise Portal user ID that is assigned monitoring applications and permissions to view events. Then launch the dashboard applications, and verify data is displayed. By default, the URL is http://hostname:port_number/ibm/console/. Because single sign-on has been enabled, specify the fully qualified hostname in this URL. The default port number for HTTP is 16310 and for HTTPS is 16311. The default path to the server is /ibm/console. However, this path is configurable, and might differ from the default in your environment.
See your dashboard application's user guide for details on how to launch and use the dashboard. Tip: First select System Status and Health > Dashboard Health Checks to verify your environment is working correctly. Then if you are using Infrastructure Management Dashboards for Servers, select System Status and Health > Server Dashboards.
For more information on using Infrastructure Management Dashboards for Servers, see the OS agent user's guides.
13 (optional best practice) If you have not already configured HTTPS between Dashboard Application Services Hub and the dashboard data provider, perform these tasks. 1. Configure TLS/SSL between the dashboard hub and data provider. Configure TLS/SSL communication between Dashboard Application Services Hub and the dashboard data provider 2. Login to IBM Dashboard Application Services Hub as an administrative user who has been assigned the administrator and iscadmins roles and delete the dashboard data provider connection that you previously created. Refer to the IBM Dashboard Application Services Hub online help and the Jazz for Service Management Integration Guide in the Jazz for Service Management Information Center for details on how to work with data provider connections. 3. While still logged into IBM Dashboard Application Services Hub as an administrative user, create the connection again and this time specify HTTPS as the protocol. Create a connection to the IBM Tivoli Monitoring dashboard data provider When creating your connection, select the box Use the credentials of the user (requires SSO Configuration).
4. Login to IBM Dashboard Application Services Hub as a user who has permission to view your dashboard pages, then launch the dashboard application again and verify data is displayed. See your dashboard application's user guide for details on how to launch and use the dashboard. Tip: First select System Status and Health > Dashboard Health Checks to verify your environment is working correctly. Then if you are using Infrastructure Management Dashboards for Servers, select System Status and Health > Server Dashboards.
For more information on using Infrastructure Management Dashboards for Servers, see the OS agent user's guides.
14 (optional) Create authorization policies and enable authorization policy checking if you want role-based control rather than Tivoli Enterprise Portal permissions and monitoring application assignment. 1. Use the tivcmd CLI to assign authorization policy administrators, assign a user permission to distribute authorization policies, and create authorization policies to control which monitored resources your dashboard users can access. After you have verified that you can use the tivcmd CLI to login to the Authorization Policy Server, configure TLS/SSL between the tivcmd CLI and the Authorization Policy Server so that subsequent commands are secured.
Prepare to enable authorization policies and Configure TLS/SSL communication with the Authorization Policy Server
2. Enable authorization policy checking in the portal server. Once this task is performed, only dashboard users who are assigned an authorization policy role will be able to view monitored resources in your dashboards.
Enable authorization policies in the portal server 3. Login to IBM Dashboard Application Services Hub as an LDAP user who has permission to view your dashboard pages and who has been assigned one or more authorization policy roles that give the user permission to view attribute group data, situation event data, or both for the managed systems or managed system groups that they can be displayed in your dashboard pages. Launch the dashboard pages and verify that the user can only see the monitored resources they have been authorized for.
See your dashboard application's user guide for details on how to launch and use the dashboard. Tip: First select System Status and Health > Dashboard Health Checks to verify your environment is working correctly. Then if you are using Infrastructure Management Dashboards for Servers, select System Status and Health > Server Dashboards.
For more information on using Infrastructure Management Dashboards for Servers, see the OS agent user's guides.
4. Configure the portal server to use TLS/SSL when retrieving authorization policies from the Dashboard Application Services Hub where the Authorization Policy Server is installed. Configure TLS/SSL communication with the Authorization Policy Server 15 (optional) For each new dashboard user:
If Tivoli Enterprise Portal authorization is being used to control what monitored resources can be accessed in your dashboards, or if the new dashboards user will use the Tivoli Enterprise Portal client, then ensure the Tivoli Enterprise Portal user has the correct permission.First ensure there is a Tivoli Enterprise Portal user ID mapped to the dashboard user's LDAP distinguished name.
Then determine if the Tivoli Enterprise Portal user should be assigned to an existing Tivoli Enterprise Portal group that is assigned the permissions and monitoring applications required by the new dashboard user. If there is not an existing group that can be used, complete one of the following tasks:
- Best practice is to create a new Tivoli Enterprise Portal group, add the user to the group, and assign the group the appropriate permissions and application types.
- Assign the Tivoli Enterprise Portal user the appropriate permissions and monitoring applications directly.
If a dashboard user will not use the Tivoli Enterprise Portal client, they only need permission to view events and should be assigned the monitoring applications that they will be monitoring in the dashboard pages. For example, if the dashboard user will be using the Infrastructure Management Dashboards for Servers then they need to be assigned one or more of these application types: Linux OS, UNIX OS, or Windows OS.
If the dashboard user will also use the Tivoli Enterprise Portal client, they might need additional permissions.
To launch the Tivoli Enterprise Portal client from Dashboard Application Services Hub, the user must be assigned either the Tivoli Enterprise Portal <All Application> or Tivoli Monitoring Server application. Otherwise, they might see the KFWITM388E message after performing the launch.
See Manage user IDs for details on creating new Tivoli Enterprise Portal user IDs. See Manage user groups for details on adding Tivoli Enterprise Portal user IDs to groups.
See Administer Users for details on assigning monitoring applications and permissions to Tivoli Enterprise Portal users and groups.
16 (optional) Review the roadmap if you plan to set up load balancing for a high availability dashboard environment. Set up load balancing for a high availability dashboard environment
Parent topic:
Roadmaps