IBM Tivoli Monitoring > Version 6.3 Fix Pack 2 > Administrator's Guide

Enable user authentication

Login access to the Tivoli Enterprise Portal client is controlled by user accounts that are defined to the Tivoli Enterprise Portal Server. Password authentication is controlled by a registry, either the operating system user registry of the hub monitoring server or an external LDAP user registry that is configured at the hub monitoring server or at the portal server.

tacmd CLI login access and SOAP client requests to the hub Tivoli Enterprise Monitoring Server are controlled by user accounts that are defined to the hub monitoring server using either the operating system registry of the monitoring server or an external LDAP server that is configured at the hub monitoring server.

Login access to the IBM Dashboard Application Services Hub is controlled by the operating system user registry, an LDAP user registry, or a custom standalone user registry. If you plan to use monitoring dashboard applications or custom monitoring dashboards in IBM Dashboard Application Services Hub, you must configure the Tivoli Enterprise Portal Server and Dashboard Application Services Hub to use a federated LDAP user registry and single sign-on if you want your dashboard users to launch the Tivoli Enterprise Portal client without being prompted for their credentials, or if you want to control authorization to monitored resources on a per-user basis. See the roadmaps in Prepare your dashboard environment to determine whether you want to use a federated LDAP user registry and single sign-on.

Login access to the Open Services Lifecycle Collaboration Performance Monitoring service provider component of the Tivoli Enterprise Monitoring Automation Server is controlled by an LDAP user registry through the Security Services component of Jazz for Service Management.

The sysadmin user ID

An initial sysadmin user ID with full administrator authority is provided at installation so that you can log on to the Tivoli Enterprise Portal client and add more user accounts. No password is required to log on to the portal client unless the hub monitoring server was configured to enable Security: Validate User.

Tivoli Enterprise Portal user profile

To log in using a Tivoli Enterprise Portal client, a user must be authenticated by the portal server and have a Tivoli Enterprise Portal user ID. Each user ID that is defined in the Tivoli Enterprise Portal is assigned a set of permissions that determine the portal client features the user is authorized to see and use, the monitored applications the user is authorized to see, and the Navigator views (and the highest level within a view) the user can access.

User IDs that will have the same permissions can be organized into user groups so that changes to the permissions are applied to all member user IDs.

When the Dashboard Application Services Hub and portal server are configured for single sign-on, a Tivoli Enterprise Portal user ID must exist for each monitoring dashboard user. The first time a dashboard user accesses monitoring data, a Tivoli Enterprise Portal user ID is automatically created for the user if there is not already a user ID mapped to the user's LDAP distinguished name. In this case, the Tivoli Enterprise Portal user ID is a randomly generated ID and the user is not assigned any permissions. If Tivoli Enterprise Portal permissions are being used to control access to monitored resources in the dashboards instead of authorization policies, or if the dashboard user can launch the Tivoli Enterprise Portal, assign the user ID permissions and the monitored applications that can be accessed.

For more information on assigning Tivoli Enterprise Portal permissions and monitoring applications, see Use Tivoli Enterprise Portal user authorization.

Authentication through the hub monitoring server

User IDs authenticated through the hub monitoring server can be authenticated by either the local operating system registry or an external LDAP-enabled central user registry.

User IDs that use the tacmd commands which send requests to the hub monitoring server, or that make SOAP server requests, must be authenticated through the hub monitoring server.

Limitations:

  1. LDAP authentication is not supported for hub monitoring servers on z/OS.

  2. The Tivoli Directory Server LDAP client used by the Tivoli Enterprise Monitoring Server does not support LDAP referrals, such as those supported by Microsoft Active Directory.

  3. When the hub monitoring server is installed on a distributed operating system and is used to authenticate Tivoli Enterprise Portal users, the Tivoli Enterprise Portal user IDs must be 10 characters or less. However, for SOAP client users and tacmd CLI users that are authenticated by the hub monitoring server, the user IDs can be up to 15 characters.

  4. When the hub monitoring server is installed on z/OS, the user ID length is limited to 8 characters if authentication uses the RACF (Resource Access Control Facility) security for z/OS.

LDAP authentication through the portal server

The portal server authenticates Tivoli Enterprise Portal users, Dashboard Application Services Hub users who access monitoring data, IBM Tivoli Monitoring charting web service users, and tacmd CLI users who use commands that send requests to the portal server.

By default, the portal server contacts the hub monitoring server to perform the authentication. However, it is best practice to configure the portal server to perform its own authentication through a federated LDAP user registry for these scenarios:

  • The Tivoli Enterprise Portal is launched from other web-based applications and you don't want users to re-enter their credentials.

  • The Tivoli Enterprise Portal is used to launch other web-based or web-enabled applications and you don't want users to re-enter their credentials.

  • IBM Dashboard Application Services Hub is used to display monitoring data retrieved using the dashboard data provider component of the portal server. Best practice is to use single sign-on in this case, so that dashboard users can launch the Tivoli Enterprise Portal without having to re-enter their credentials. Additionally, single sign-on must be used if you want to control authorization to monitored resources on a per-user basis.

  • The IBM Tivoli Monitoring charting web service is being used by another application such as Tivoli Integrated Portal.

When the portal server is configured to authenticate with an LDAP server, users log in to the Tivoli Enterprise Portal using their LDAP relative distinguished name (which normally maps to the cn= or uid= value) and not their Tivoli Enterprise Portal user ID. Because the portal server uses Tivoli Enterprise Portal user IDs to control permissions, you must map LDAP distinguished names to Tivoli Enterprise Portal user IDs. Although Tivoli Enterprise Portal user IDs are limited to 10 characters, LDAP distinguished names can be much longer.

You can configure the portal server to use an LDAP user registry using the Manage Tivoli Enterprise Monitoring Services utility, the itmcmd command line interface on Linux and UNIX, or the TEPS/e administration console (ISCLite). If you configure LDAP using the TEPS/e administration console, you must manually restart ISCLite through the Manage Tivoli Enterprise Monitoring Services after each portal server restart.

Authentication through the hub monitoring server and the portal server

The hub monitoring server and portal server can connect to the same LDAP server if you have users who need login access to both servers. You can use the same user ID to log on to the Tivoli Enterprise Portal client that you use for the tacmd login command. To do this, you must go to Administer Users in the portal client to map the Tivoli Enterprise Portal user ID to the distinguished name used by the portal server's LDAP user registry which, by default, uses o=ITMSSOEntry and not the distinguished name that uses o=DEFAULTWIMITMBASEDREALM.

Migrate LDAP authentication from the hub to the portal server

If your hub Tivoli Enterprise Monitoring Server has already been configured to authenticate users to an LDAP user registry, and you now want to configure the portal server to use an LDAP user registry, you must change the Distinguished Name that is set for the user IDs in the Administer Users window of the Tivoli Enterprise Portal.
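The user ID length limits listed under Limitations and the distinguished-name mapping rules described for the portal server's LDAP registry and for migrating authentication from the hub are easy to get wrong across many accounts. The following pre-migration audit is an added example, not IBM code or any Tivoli Monitoring utility; the authentication path labels, the audit function names and the sample accounts are all constructed for illustration.

```python
import re

# Hypothetical audit helper (not part of IBM Tivoli Monitoring).
# User ID length limits as stated on this page, keyed by how the ID is authenticated.
USER_ID_LIMITS = {
    "tep-hub-distributed": 10,  # TEP user authenticated by a distributed hub TEMS
    "tacmd-soap-hub": 15,       # tacmd CLI or SOAP client authenticated by the hub
    "hub-zos-racf": 8,          # hub TEMS on z/OS using RACF
    "tep-portal-ldap": 10,      # TEP user ID mapped to an LDAP DN at the portal server
}

# Default DN suffix used by the portal server's LDAP user registry, versus the
# non-LDAP realm that a mapped DN must no longer use once the portal server uses LDAP.
PORTAL_LDAP_SUFFIX = "o=ITMSSOEntry"
NON_LDAP_REALM = "o=DEFAULTWIMITMBASEDREALM"

_RDN_RE = re.compile(r"^(cn|uid)=([^,]+)", re.IGNORECASE)

def relative_dn(dn):
    """Return the name the user types at login (the leading cn= or uid= RDN), or None."""
    m = _RDN_RE.match(dn.strip())
    return m.group(2) if m else None

def audit_mapping(tep_user_id, dn, auth_path):
    """Return the list of problems for one TEP user ID -> DN mapping (empty list = OK)."""
    problems = []
    limit = USER_ID_LIMITS.get(auth_path)
    if limit is None:
        problems.append("unknown authentication path %r" % auth_path)
    elif len(tep_user_id) > limit:
        problems.append("user ID %r exceeds the %d-character limit for %s" % (tep_user_id, limit, auth_path))
    if auth_path == "tep-portal-ldap":   # DN checks only matter when the portal server does LDAP
        if relative_dn(dn) is None:
            problems.append("DN %r has no leading cn= or uid= RDN" % dn)
        if dn.strip().lower().endswith(NON_LDAP_REALM.lower()):
            problems.append("DN still uses %s; remap it to the %s registry" % (NON_LDAP_REALM, PORTAL_LDAP_SUFFIX))
        elif not dn.strip().lower().endswith(PORTAL_LDAP_SUFFIX.lower()):
            problems.append("DN does not end with the portal server's default suffix %s" % PORTAL_LDAP_SUFFIX)
    return problems

# Constructed sample accounts for a dry run; every user ID and DN here is made up.
SAMPLE_MAPPINGS = [
    ("jsmith", "uid=jsmith,o=ITMSSOEntry", "tep-portal-ldap"),
    ("opsadmin01", "cn=opsadmin01,o=DEFAULTWIMITMBASEDREALM", "tep-portal-ldap"),
    ("monitoringadmin", "cn=monitoringadmin,o=ITMSSOEntry", "tacmd-soap-hub"),
    ("RACFUSER9", "", "hub-zos-racf"),
]

def audit_all(mappings=SAMPLE_MAPPINGS):
    """Return {user ID: [problems]} containing only the mappings that need attention."""
    report = {}
    for uid, dn, path in mappings:
        problems = audit_mapping(uid, dn, path)
        if problems:
            report[uid] = problems
    return report
```

Running audit_all() on the constructed sample flags opsadmin01 (DN still under o=DEFAULTWIMITMBASEDREALM) and RACFUSER9 (nine characters against the z/OS RACF limit of eight), while the 15-character tacmd user and the correctly mapped jsmith pass.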


Roadmap for user authentication

Use the following roadmap to get you started with user authentication.


  1. Task: Set up user authentication through the hub monitoring server using either the local operating system user registry or an LDAP user registry.
     Where to find information: User authentication through the hub monitoring server

  2. Task: Set up the portal server to use an LDAP user registry to authenticate users when single sign-on is used with IBM Dashboard Application Services Hub or other applications.
     Where to find information: If the hub monitoring server is not using an LDAP user registry, see LDAP user authentication through the portal server. If the hub monitoring server is using an LDAP user registry, see Migrate LDAP authentication from the monitoring server to the portal server.

  3. Task: Set up the Tivoli Enterprise Monitoring Automation Server and its Performance Monitoring service provider to authenticate HTTP GET requests from OSLC clients.
     Where to find information: Authentication through the Tivoli Enterprise Monitoring Automation Server
