IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Roadmap for setting up the portal server to use an LDAP user registry and single sign-on
After the user IDs available for single sign-on (SSO) have been established in the LDAP user registry, enable SSO by completing the tasks in this topic.
- Verify that all prerequisites for enabling authentication and single sign-on have been met.
- Define Tivoli Enterprise Portal user accounts. (This can also be done after LDAP authentication and SSO have been configured.)
- Configure LDAP authentication and SSO through the portal server.
- Exchange LTPA keys with participating SSO applications.
- Map Tivoli Enterprise Portal user IDs to LDAP distinguished names.
Roadmap
Use the following scenario roadmap to help you set up the portal server to use an LDAP user registry and single sign-on. Each step lists the task and where to find information about it.
Step 1: Configure the portal server to use an LDAP user registry and specify the realm name and domain used for single sign-on. To configure the portal server to use LDAP, you can use the following options:
- IBM Manage Tivoli Enterprise Monitoring Services utility
- itmcmd command line interface on Linux and UNIX
- TEPS/e administration console
You use either IBM Manage Tivoli Enterprise Monitoring Services or the itmcmd command to enable LDAP user validation for the portal server. You can also use these utilities to configure the LDAP connection parameters unless:
- You want to use an LDAP server other than Microsoft Active Directory or Tivoli Directory Server
- You want to configure TLS/SSL between the portal server and the LDAP server
- You need to specify advanced LDAP configuration parameters
For these scenarios, you specify the type of Other when configuring the portal server and then use the TEPS/e administration console to complete the LDAP connection configuration.
You can also export the portal server's LTPA key or import the LTPA key from another application at the same time as you configure LDAP user authentication, or you can perform these steps after you have verified that the portal server's LDAP authentication is working.
Where to find information: See Prerequisites for configuring LDAP authentication on the portal server. Then, use the instructions in one of the following topics to enable LDAP user validation on the portal server:
- Use Manage Tivoli Enterprise Monitoring Services to configure the portal server for LDAP authentication
- Use the Linux or UNIX command line to configure the portal server for LDAP authentication
Then, follow the instructions in Use the TEPS/e administration console if you specified an LDAP server type of Other when enabling LDAP user validation for the portal server.
Usage notes:
If you are using Microsoft Active Directory, see LDAP user authentication using Microsoft Active Directory for planning and configuration information specific to this type of LDAP server.
If you are using Tivoli Directory Server, see Understanding single sign-on between IBM Tivoli Monitoring and Tivoli Integrated Portal using Tivoli Directory Server in the IBM Tivoli Monitoring Wiki. These instructions explain how to map entries configured in Tivoli Directory Server to the information configured using the TEPS/e administration console. Ignore the steps provided for Tivoli Integrated Portal.
Step 2: Configure the other participating SSO applications to use the same LDAP user registry, realm, and Internet or intranet domain name as the portal server, and enable SSO. Also verify that the date, time, and time zone on the portal server computer and on the computers of the participating SSO applications are set correctly relative to Coordinated Universal Time (UTC), because the SSO tokens exchanged between the servers are time-limited.
Where to find information: If you are using single sign-on with Dashboard Application Services Hub, see the "Configuring Jazz for Service Management for a central user registry" and "Configuring SSO on the application server" topics in the Jazz for Service Management Configuration Guide on the Jazz for Service Management Information Center. For other applications, refer to their product documentation to determine how to configure them to use the LDAP user registry, how to enable SSO, and how to specify the same realm name and domain name as the portal server.
Step 3: Map Tivoli Enterprise Portal user IDs to LDAP distinguished names.
Where to find information: Map Tivoli Enterprise Portal user IDs to LDAP distinguished names
Step 4: Reconfigure the Tivoli Enterprise Portal browser client for SSO if it will be launched by another application on the same computer as the portal server.
Where to find information: Reconfigure the browser client for SSO
Step 5: Verify that the Tivoli Enterprise Portal users can launch the portal client and log in successfully. The portal client users must specify the value of their relative distinguished name when they log in. For example, if their relative distinguished name is cn=John Doe, then they must specify John Doe when prompted for their credentials.
Where to find information: If the Tivoli Enterprise Portal users cannot log into the Tivoli Enterprise Portal, review the TEPS/e log for diagnostic information. This is the SystemOut.log located on the computer where the portal server is installed, at install_dir\CNPSJ\profiles\ITMProfile\logs on Windows or install_dir/Platform/iw/profiles/ITMProfile/log on Linux and UNIX. If you encounter authentication errors and cannot resolve them, you can disable LDAP authentication by following the steps in Disable LDAP authentication on the portal server.
Step 6: Configure TLS/SSL between the portal server and the LDAP server if you want to secure this communication.
Where to find information: Configure TLS/SSL communication between the portal server and the LDAP server
Step 7: Verify that the Tivoli Enterprise Portal users can still log in.
Where to find information: N/A
Step 8: You must ensure that the following applications are using the same LTPA key as the portal server:
- A web-based or web-enabled application that launches the Tivoli Enterprise Portal
- A web-based or web-enabled application that can be launched from the Tivoli Enterprise Portal client
- IBM Dashboard Application Services Hub when it uses the dashboard data provider component of the portal server to retrieve monitoring data
- Another application such as Tivoli Integrated Portal that uses the IBM Tivoli Monitoring charting web service
Determine which application will be the source of the LTPA key for all of the other participating SSO applications and export its LTPA key. The key file and the password used to encrypt the key must be provided to the administrators of the other participating applications.
Where to find information: If you decide that the portal server will be the source of the LTPA key, export its LTPA key using the export instructions in Import and export LTPA keys. If you are using IBM Dashboard Application Services Hub for monitoring dashboards and it will be the source of the LTPA key, see "Exporting LTPA keys" in the Jazz for Service Management Configuration Guide on the Jazz for Service Management Information Center.
Otherwise, refer to the documentation of the application whose LTPA key will be exported to determine how to perform the export operation.
Step 9: The administrators of the other participating SSO applications must import the LTPA key that was exported in the previous step. They need the key file and the password that was used to encrypt the key. To import an LTPA key into the portal server, see the import instructions in Import and export LTPA keys. To import an LTPA key into IBM Dashboard Application Services Hub, see "Importing LTPA keys" in the Jazz for Service Management Configuration Guide on the Jazz for Service Management Information Center.
Where to find information: See the documentation for the other participating SSO applications for instructions on importing the LTPA key.
Step 10: Verify that single sign-on is working between the portal server and each participating SSO application by performing the tasks that apply to your SSO environment:
- Verify that the other application can launch the Tivoli Enterprise Portal and that users are not prompted for their credentials.
- Verify that Tivoli Enterprise Portal can be used to launch another application and that the user is not prompted to re-enter their credentials.
- Verify that monitored resources can be displayed in monitoring dashboards of Dashboard Application Services Hub after a data provider connection has been created and configured for SSO.
- Verify that another application can use the IBM Tivoli Monitoring charting web service to retrieve monitoring data.
When accessing the web interface of an application that supports SSO, enter the fully qualified hostname when specifying the URL of the application. The application servers participating in SSO check the LTPA tokens to verify that the request is coming from a server in the same Internet or intranet domain.
Where to find information: N/A
Step 11: Create Tivoli Enterprise Portal user IDs when new users are added in the LDAP user registry.
Where to find information: Manage new LDAP users
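A pre-flight checker, added here as an example (it is not IBM's code and not part of this page), covering three things the roadmap calls out: the login name a user derives from their distinguished name (step 5), that an application URL uses a fully qualified hostname inside the SSO domain (step 10), and that the clocks of the participating servers agree (step 2). The helper names, the 300-second skew tolerance and the sample hosts are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse


def login_name_from_dn(dn: str) -> str:
    """Step 5: the name a user types is the value of the leading RDN of their DN,
    e.g. 'cn=John Doe,ou=people,o=example' -> 'John Doe'. A comma escaped as
    '\\,' inside the value is kept."""
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    attr, sep, value = first_rdn.partition("=")
    if not sep or not attr.strip() or not value.strip():
        raise ValueError(f"not a distinguished name: {dn!r}")
    return value.strip().replace("\\,", ",")


def url_in_sso_domain(url: str, sso_domain: str) -> bool:
    """Step 10 note: the URL host must be fully qualified and inside the SSO domain
    (e.g. '.example.com'). Short names and IP literals are rejected because the LTPA
    token is scoped to that domain and such a request would not carry it."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    domain = sso_domain.lower().strip(".")
    if "." not in host or ":" in host or host.replace(".", "").isdigit():
        return False
    return host == domain or host.endswith("." + domain)


def clock_skew_outliers(clocks: dict, reference: str, max_skew_seconds: int = 300) -> list:
    """Step 2: return hosts whose clock differs from the reference host's clock by more
    than max_skew_seconds (the 300 s tolerance is an assumption, not a product value).
    Values must be timezone-aware so hosts in different zones compare on the UTC line."""
    ref = clocks[reference].astimezone(timezone.utc)
    outliers = []
    for host, when in clocks.items():
        if when.tzinfo is None:
            raise ValueError(f"{host}: clock reading must carry a time zone")
        if abs((when.astimezone(timezone.utc) - ref).total_seconds()) > max_skew_seconds:
            outliers.append(host)
    return sorted(outliers)


if __name__ == "__main__":
    # Constructed sample values, not readings from a real deployment.
    print(login_name_from_dn("cn=John Doe,ou=people,o=example"))           # John Doe
    print(url_in_sso_domain("https://teps.example.com/", ".example.com"))  # True
    print(url_in_sso_domain("https://teps/", ".example.com"))              # False
    sample = {
        "teps.example.com": datetime(2013, 9, 1, 12, 0, 0, tzinfo=timezone.utc),
        "dash.example.com": datetime(2013, 9, 1, 7, 0, 30, tzinfo=timezone(timedelta(hours=-5))),
        "tip.example.com": datetime(2013, 9, 1, 12, 10, 0, tzinfo=timezone.utc),
    }
    print(clock_skew_outliers(sample, "teps.example.com"))  # ['tip.example.com']
```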