IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Prerequisites for configuring authentication on the hub monitoring server
Complete the following tasks before enabling user authentication on the hub monitoring server.
Tasks to complete before configuring authentication
Task: Set up Tivoli Enterprise Portal user accounts.
Where to find information: Add a user ID

Task: Set up user accounts in the authenticating registry.
Where to find information: See the documentation for setting up user accounts on the local operating system or LDAP directory server. For information on setting up users on z/OS, see Configure the Tivoli Enterprise Monitoring Server on z/OS.
- When the hub monitoring server is installed on a distributed operating system and is used to authenticate Tivoli Enterprise Portal users, the Tivoli Enterprise Portal user IDs must be 10 characters or fewer. Users who only issue tacmd CLI commands to the hub, or who only send SOAP requests, can have user IDs of up to 15 characters. The passwords of tacmd and SOAP users are likewise limited to 15 characters.
- When the hub monitoring server is installed on z/OS and authentication uses RACF (Resource Access Control Facility) security for z/OS, the user ID length is limited to 8 characters.

Task: Set up TLS/SSL communication between the hub and an LDAP server.
Where to find information: Configure TLS/SSL communication between the hub monitoring server and the LDAP server
If you intend to authenticate using the hub Tivoli Enterprise Monitoring Server, make sure that user accounts for the Tivoli Enterprise Portal Server log-in IDs are set up in the authenticating registry before authentication is enabled. At a minimum, add the sysadmin user ID to the local operating system user registry on the hub computer, so that sysadmin can log in after authentication has been enabled.
On Windows, the installer creates a sysadmin user account in the Windows user registry and asks you to specify a password for that ID. The password is not required unless password authentication is enabled.
Tip: The Windows installer does not set the "Password never expires" option when it creates the sysadmin account. If you do not set this option, the password will expire according to the security policy on the hub computer, and you will not be able to log in to the portal server. Use the Windows Administrative Tools to ensure that the "Password never expires" option is selected for the sysadmin user account.
Before you enable authentication, obtain the following information:
Procedure
- If you are using an external LDAP server for authentication, obtain the information shown in the following table from the LDAP administrator before configuring user authentication.
LDAP configuration parameters
LDAP User Filter
The attributes used to map Tivoli Enterprise Portal user IDs to LDAP log-in IDs. The attribute must contain the same name as the Tivoli Enterprise Portal log-in ID. The portal user ID usually becomes the "%v" in the LDAP user filter. For example:
IBM Tivoli Directory Server: (&(mail=%v@yourco.com) (objectclass=inetOrgPerson))
Microsoft Windows Active Directory: (&(mail=%v@yourco.com) (objectclass=user))
Sun Java System Directory Server: (&(mail=%v@yourco.com) (objectclass=inetOrgPerson))
Not all LDAP servers have the mail attribute for the person. For example, the LDAP administrator might have set only the common name, in which case the filter would look like the following:
(&(cn=%v) (objectclass=inetOrgPerson))
The Tivoli Enterprise Portal administrator should verify exactly which LDAP attribute must be used to search for the user. With Active Directory, for example, cn equals the Full Name of the Active Directory user; this must be exactly the same as the Tivoli Monitoring user ID and cannot contain spaces (for example, "S Smith" must be "SSmith").

LDAP base
LDAP base node in the LDAP user registry that is used in searches for users. For example:
IBM Tivoli Directory Server: dc=yourdomain,dc=yourco,dc=com
Microsoft Windows Active Directory: dc=yourdomain,dc=yourco,dc=com
Sun Java System Directory Server: dc=yourdomain,dc=yourco,dc=com

LDAP bind ID
LDAP user ID for bind authentication, in LDAP notation. This LDAP user ID must be authorized to search for LDAP users. This value can be omitted if an anonymous user can search for LDAP users. Use a dedicated service account that has only the search permission it needs on the base node, rather than an administrative account.

LDAP bind password
Password for LDAP bind authentication. This value can be omitted if an anonymous user can bind to your LDAP server. This value is encrypted by the installer.

LDAP host name
LDAP server host name. This value can be omitted if your LDAP server is on the same host as the Tivoli Enterprise Monitoring Server. (The default is localhost.)

LDAP port number
LDAP server port number. This value can be omitted if your LDAP server is listening on port 389. If you enable TLS/SSL between the hub and the LDAP server, confirm which port the server uses for secured connections (LDAP over TLS conventionally uses 636) and set this value accordingly.
- If you are using Microsoft Active Directory, see LDAP user authentication using Microsoft Active Directory for planning and configuration information specific to this type of LDAP server.
- If you intend to use TLS/SSL communication between the hub Tivoli Enterprise Monitoring Server and the LDAP server, obtain the information described in the following table.
TLS/SSL parameters for communication between hub and LDAP server
LDAP key store file
The location of the GSKit key store database file. You can specify any location. For example: C:\IBM\ITM\keyfiles

LDAP key store stash
The location of the GSKit database password file. For example: C:\IBM\ITM\keyfiles\keyfile.sth

LDAP key store label
The key store label. For example: IBM_Tivoli_Monitoring_Certificate

LDAP key store password
Password required to access the key store.
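The following script is an added example and is not IBM code or part of this guide. It takes a parameter set in the shape of the LDAP configuration table above, applies the user ID length limits from the task list (10 characters for portal users of a distributed hub, 15 for tacmd and SOAP users, 8 under RACF on z/OS), substitutes the login ID for "%v" in the user filter with RFC 4515 escaping, and produces the OpenLDAP ldapsearch command that reproduces the hub's user lookup so you can confirm, before enabling authentication, that exactly one entry comes back. The host, base DN, bind DN and user IDs are constructed sample values; how the hub itself escapes "%v" is not described on this page, so the escaping here is the standard RFC 4515 rule, not a statement about the product.

```python
"""Pre-flight checks for hub LDAP authentication parameters (added example)."""
import shlex

# Constructed sample configuration, in the shape of the LDAP parameter table.
# The filter is written in RFC 4515 form, with no space between subfilters.
LDAP_CONFIG = {
    "user_filter": "(&(mail=%v@yourco.com)(objectclass=inetOrgPerson))",
    "base": "dc=yourdomain,dc=yourco,dc=com",
    "bind_id": "cn=itmbind,ou=service,dc=yourdomain,dc=yourco,dc=com",
    "host": "ldap.yourdomain.yourco.com",
    "port": 389,
}

# Maximum user ID length by client, from the task list above: portal logins
# authenticated by a distributed hub, tacmd/SOAP clients, and RACF on z/OS.
MAX_USER_ID_LEN = {"portal": 10, "tacmd": 15, "soap": 15, "racf": 8}
# Password length limit applies to tacmd and SOAP users only.
MAX_PASSWORD_LEN = {"tacmd": 15, "soap": 15}


def check_user_id(user_id, client):
    """True if user_id is non-empty and within the limit for this client type."""
    return 0 < len(user_id) <= MAX_USER_ID_LEN[client]


def check_password(password, client):
    """True if the password fits the limit for this client (no limit for others)."""
    return client not in MAX_PASSWORD_LEN or len(password) <= MAX_PASSWORD_LEN[client]


def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515 section 3).

    Without this, a login ID such as '*)(cn=*' would change the filter's
    meaning instead of being matched literally.
    """
    special = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_user_filter(template, user_id):
    """Substitute the escaped login ID for every %v in the filter template."""
    return template.replace("%v", escape_filter_value(user_id))


def ldapsearch_argv(cfg, user_id, tls=False):
    """argv for an OpenLDAP ldapsearch that repeats the hub's user lookup.

    Exactly one DN should come back. Zero means the filter attribute or base
    is wrong; more than one means the ID is ambiguous. The bind password is
    requested interactively (-W) rather than placed on the command line.
    """
    scheme = "ldaps" if tls else "ldap"
    uri = "%s://%s:%d" % (scheme, cfg.get("host", "localhost"), cfg.get("port", 389))
    argv = ["ldapsearch", "-LLL", "-x", "-H", uri, "-b", cfg["base"], "-s", "sub"]
    if cfg.get("bind_id"):
        argv += ["-D", cfg["bind_id"], "-W"]
    argv += [build_user_filter(cfg["user_filter"], user_id), "dn"]
    return argv


def preflight(cfg, user_id, client="portal"):
    """Return (ok, message): a length failure, or the ldapsearch command to run."""
    if not check_user_id(user_id, client):
        return False, "%r exceeds the %d-character limit for %s users" % (
            user_id, MAX_USER_ID_LEN[client], client)
    cmd = " ".join(shlex.quote(a) for a in ldapsearch_argv(cfg, user_id))
    return True, cmd


if __name__ == "__main__":
    for uid, client in [("sysadmin", "portal"), ("operator_jsmith", "portal"),
                        ("operator_jsmith", "tacmd"), ("administrator", "racf")]:
        ok, msg = preflight(LDAP_CONFIG, uid, client)
        print("OK  " if ok else "FAIL", msg)
```

Run the printed command with the bind password entered at the prompt; if the directory uses only cn, change the template to the cn form shown in the table and confirm the same user still resolves to a single DN.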