IBM Tivoli Monitoring, Version 6.3 Fix Pack 2


Security options

User IDs and passwords sent between Tivoli Management Services components are encrypted by default. Other communication between components can be secured by configuring the components to use secure protocols.

Access to the Tivoli Enterprise Portal, and to tacmd commands that send requests to the portal server, is controlled by user accounts (IDs) defined to the Tivoli Enterprise Portal Server.

The hub Tivoli Enterprise Monitoring Server can be configured to authenticate user IDs through either the local operating system registry or an external LDAP-enabled registry. Alternatively, authentication by an external LDAP registry can be configured through the Tivoli Enterprise Portal Server.

If authentication is not configured through either the monitoring server or the portal server, no password is required to log on to the Tivoli Enterprise Portal.

Users that execute tacmd commands that send SOAP requests to the hub monitoring server, or user IDs that require direct access to the SOAP server, must be authenticated through the hub monitoring server. If user authentication is not enabled on the hub monitoring server, anyone can make requests to the SOAP server. If user authentication is enabled on the hub, the SOAP server honors only requests from user IDs and passwords authenticated by the local or external registry. If the type of access is specified for specific users, only requests from those users for which access is specified are honored. See SOAP server security.

User IDs and passwords that are used to authenticate with the SOAP server must be 15 characters or fewer.

If you are using the Dashboard Application Services Hub with a monitoring dashboard application such as...

... you should configure Dashboard Application Services Hub and Tivoli Enterprise Portal Server to use a central LDAP registry and enable single sign-on. This ensures that the portal server can authenticate dashboard users when they request monitoring data and Dashboard Application Services Hub forwards the request to the dashboard data provider component of the portal server. If you have previously enabled authentication through the hub monitoring server and want to use LDAP authentication and single sign-on with the portal server.

Single sign-on should also be configured for the Tivoli Enterprise Portal Server if users will launch out of the Tivoli Enterprise Portal to other Tivoli Web-based or Web-enabled applications, or if they will launch into the Tivoli Enterprise Portal from other Web-based applications. Using single sign-on with a central LDAP registry allows users to move seamlessly between applications without having to re-enter their user IDs and passwords.

To have Performance Monitoring service providers authenticate HTTP requests from OSLC clients, configure the provider to use the Security Services component of Jazz for Service Management. Security Services is an optional Jazz for Service Management component that enables non-WebSphere-based applications such as the Performance Monitoring service provider to participate in LTPA-based single sign-on.

  1. Tivoli Directory Server (TDS) LDAP client

    Used by the Tivoli Enterprise Monitoring Server. Does not support LDAP referrals, such as those supported by Microsoft Active Directory.

  2. IBM Tivoli Monitoring Service Console

    Enables you to read logs and turn on traces for remote product diagnostics and configuration. Performs user authentication using the native operating system security facility. This means that if you use the Service Console on z/OS, your user ID and password are checked by the z/OS security facility (such as RACF/SAF). If you use the Service Console on Windows, you must pass the Windows workstation user ID and password prompt. A password is always required to access the Service Console. Even if a user ID is allowed to log into the operating system without a password, access to the Service Console will be denied. If necessary, you must create a password for the user ID that is being used to log in to the Service Console.
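The conditions described in this topic can be checked against a planned deployment before installation. The following is an added example, not IBM code: the Plan fields and finding codes are hypothetical names chosen for illustration and are not IBM Tivoli Monitoring configuration keys.

```python
from dataclasses import dataclass, field

SOAP_MAX_LEN = 15  # limit this page states for SOAP user IDs and passwords


@dataclass
class Plan:
    """Planned settings. Field names are hypothetical, not ITM configuration keys."""
    hub_auth: str = "none"             # hub monitoring server: "none", "os" or "ldap"
    hub_ldap_referrals: bool = False   # hub's LDAP registry answers with referrals
    portal_ldap: bool = False          # LDAP authentication through the portal server
    portal_sso: bool = False           # single sign-on enabled on the portal server
    dashboard_hub: bool = False        # Dashboard Application Services Hub in use
    # (user ID, password length) pairs; lengths only, so no secrets are stored
    soap_accounts: list = field(default_factory=list)


def review(plan):
    """Return (code, message) findings for the conditions this page describes."""
    out = []
    if plan.hub_auth == "none":
        out.append(("SOAP_OPEN", "hub authentication is off: anyone can make "
                    "requests to the SOAP server"))
        if not plan.portal_ldap:
            out.append(("PORTAL_NO_PASSWORD", "no authentication on hub or portal "
                        "server: portal logon needs no password"))
    if plan.hub_auth == "ldap" and plan.hub_ldap_referrals:
        out.append(("HUB_LDAP_REFERRALS", "the monitoring server's TDS LDAP client "
                    "does not support LDAP referrals"))
    if plan.dashboard_hub and not (plan.portal_ldap and plan.portal_sso):
        out.append(("DASHBOARD_SSO", "dashboard users need a central LDAP registry "
                    "and single sign-on on the portal server"))
    for user_id, pw_len in plan.soap_accounts:
        if len(user_id) > SOAP_MAX_LEN or pw_len > SOAP_MAX_LEN:
            out.append(("SOAP_LENGTH", f"{user_id}: user ID or password exceeds "
                        f"{SOAP_MAX_LEN} characters"))
    return out


if __name__ == "__main__":
    # Constructed sample plan, not taken from a real deployment.
    sample = Plan(hub_auth="ldap", hub_ldap_referrals=True, dashboard_hub=True,
                  portal_ldap=True, soap_accounts=[("monitoring_operator", 10)])
    for code, message in review(sample):
        print(f"{code}: {message}")
```

An empty result means none of the conditions named in this topic apply to the plan; it does not cover protocol-level security between components.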

