Job Aid: LDAP or VMM Synch


Tivoli Service Request Manager, Change and Configuration Management Database, Asset Management for IT
Document version 1.0

Copyright International Business Machines Corporation 2010. All rights reserved. US Government Users Restricted Rights: use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

CONTENTS
Revision History
Overview
Definitions
Question 1
Question 2
Question 3
Question 4
To use these documents go to
How-to Documents
Troubleshooting Documents
References

REVISION HISTORY
Date       Version   Comments
09/21/10   1.0       First version

Overview
As a project gets underway for implementing IBM Tivoli Service Request Manager, IBM Tivoli Change and Configuration Management Database (CCMDB), or IBM Tivoli Asset Management for IT, customers need to decide whether to use LDAP or VMM to synchronize user and person data into Service Request Manager, Asset Management for IT, or CCMDB. This decision can be confusing, because VMM sync is provided as part of the standard installation steps. Although VMM is provided, it does not always align with the customer's requirements for the synchronization process. The information in this document can aid the customer in deciding which synchronization process is the best technology for their business. The document is structured as questions that a customer may have, or may have asked a consultant, about VMM or LDAP. Also provided are technical support documents that can be referenced, and links to troubleshooting ideas for both technologies.

Definitions
Lightweight Directory Access Protocol (LDAP) is an application protocol for querying and modifying data in directory services running over TCP/IP. A directory is a set of objects with attributes organized in a logical and hierarchical manner. It is typically used for organizing person data within an organization.

Virtual Member Manager (VMM): WebSphere Application Server V6.1 offers a federated user repository feature that makes it easy to access and maintain user data in multiple repositories.

Question 1
Which tool should be used to authenticate users to Tivoli SRM, CCMDB, or AMIT?
- If the client uses any directory that is not Active Directory, it would likely be best to use VMMSync; if using ITF Lotus, use VMM sync.
- If the client has a mixed environment with many structures, that again encourages the use of VMMSync.

- VMMsync always brings over all information, so it can be a performance concern.
- If the client uses Active Directory, the implementation lends itself to LDAPSync.
- If the environment is using WebLogic, it must use LDAPSync.
- If the business has very large directories, that again lends well to the LDAP sync process.
- LDAPSync after the first run only brings over changes, which eases the load on performance.
*There are standard LDAP integrations with both Microsoft Active Directory and IBM Tivoli Directory Server.

Question 2
How does VMM authorization work within Tivoli process automation engine tools?
1. Authentication first happens through VMM.
2. Authorization happens after a user has been authenticated.
3. The list of users and group memberships shown in the GUI is obtained from VMM.
4. Once authentication succeeds, access control is based on users and the groups they are members of.
After a successful authentication, the user is authorized (case sensitive) to access particular access collections based on policy. Users and groups are listed in the UI with the case returned from VMM. To determine which case is used to define an authorization policy for a user, look at the authorization policy files.
Note: VMM is used to federate one or more user repositories and in effect acts like an abstracted LDAP. Once the user is authenticated, authorization in the tool is handled by the Tivoli tools (Maximo) Security Groups framework. ESS provides authentication and token services (generation and validation) to support various SSO scenarios.

Question 3
How does LDAP authorization work within Tivoli's process automation engine tools?
1. LDAP (Lightweight Directory Access Protocol) is used to maintain a central directory of usernames and passwords for authentication of different network products.
   - GN (GivenName): typically used to store the first name of the user. For example, this could be the user's first name and middle initial.

   - SN (SurName): typically used to store the last name of the user. For example, this could be the user's last name followed by a comma.
   - CN (CommonName): used to refer to the individual user. Concatenating GivenName and SurName typically creates it.
   - OU (OrganizationalUnit): used to logically segment the LDAP directory for purposes within an organization.
   - DC (DomainComponent): used to define each section of the address of the LDAP server (for example, "ldapserver.mro.com" would be "DC=ldapserver, DC=mro, DC=com").
   - DN (DistinguishedName): used to identify an object in the LDAP directory. Each object must have a unique name. Adding the CN, OU and DC attributes together typically makes up the DN.
   - SamAccountName: SAM is part of a specification developed by Microsoft to maintain compatibility between LDAP and older NT4 platforms, which used SAM databases for security.
2. Security and identification are driven by three identifiers in the tables:
   1) Loginid: used for authentication into the system
   2) Userid: typically the same as loginid
   3) Personid: name of the user as it will be displayed in the Start Center
3. Setup procedures for synchronizing Active Directory CN accounts with the tables for authentication: when setting this up, the ID used for authentication in the LDAP directory is the ID that should be synchronized to the loginid and userid fields. In the case of CN, it may also be the value populated in the personid field.

Question 4
Can a client use LDAPSYNC instead of VMMSYNC for synchronization (Active Directory only)?
The version 7 installer defaults to using the VMMSYNC cron task to synchronize users from WebSphere to Maximo when WebSphere is used. Active Directory does not require the WebSphere LDAP interface component and can use the direct LDAPSYNC instead. These steps only work with Active Directory, as LDAPSYNC is an Active Directory synchronizer.
1. The LDAPSYNC process was developed to copy user data from the Active Directory LDAP server to the table structures and enable authentication to the Tivoli process automation engine tool set. This tool communicates directly with Active Directory and uses straight Active Directory queries and filters to find the data to be copied.
2. Version 7 of the process automation engine expands on LDAP compatibility by leveraging existing technology in WebSphere to communicate with LDAP servers. By using the WebSphere tools, the LDAP data is essentially normalized to a single format regardless of the LDAP server it is connected to.
3. VMMSYNC is designed to synchronize users by communicating with the normalized WebSphere directory. To do this, queries and filters that would normally work for Active Directory must be modified to use the WebSphere structure. The VMMSYNC process introduces a new layer of technology and complexity into the synchronization process, since both WebSphere and VMMSYNC must now be configured to map the data correctly.
4. If Active Directory is the LDAP server that will be used with process automation engine 7, administrators can disable the VMMSYNC cron task and enable the LDAPSYNC cron task. The LDAPSYNC cron task communicates directly with Active Directory.

To use these documents go to
The following Development and Technical notes are stored on the IBM Support site for LDAP and VMM. To use these documents go to http://www-947.ibm.com/support/entry/portal/Overview/Software/Software_support_(general) and enter the exact wording noted here; the article will be shown from support. The first set of support documents focuses on how to set up authentication; the second set is available to assist in troubleshooting issues that can come up.

How-to Documents
- Master Document - LDAP Configurations Flow Chart
- Understanding the Maximo Implementation of LDAP
- Understanding LDAPSYNC synchronization using the Global Catalog
- Using LDAPSYNC instead of VMMSYNC for Synchronization - Active Directory Only
- Modifying the LDAP group used for Authentication with Web Logic and Maximo
- Maximo/WebLogic Active Directory Integration
- VMMSYNC GroupMapping and UserMapping XML filter definition syntax

- MustGather: Maximo LDAP Configuration
- Modifying the Standard Mappings in the ldapsync.xml File with Active Directory
- Virtual Member Manager (VMM) authentication
- LDAP error: Failed to perform user synchronization
- Configuring CCMDB to use Microsoft Active Directory
- LDAP Mapping for Phone and Email Types in Maximo 6
- Information to collect when researching LDAP / VMM Synch questions
- LDAP Synch and required fields
- LDAP and VMM Sync using business object validation as of 7.1.1.4
- Disabling "Remember my password" in Internet Explorer when LDAP is enabled

Troubleshooting Documents
- Not a Valid Data Type error in LDAP/VMM Synch 7.1.1.4
- Error adding a security group when LDAP is enabled
- Failed to store synchronization parameters in database - LDAP
- Maximo does not require Re-Authentication after Time-out
- Error synchronizing users javax.naming.partialresultexception
- BMXAA4222E - USERMAPPING or GROUPMAPPING XML invalid
- LDAP re-authentication when session times out or multiple sessions running
- LDAP synchronization errors in Maximo for fields not required
- Retrieve attributes from Active Directory
- LDAP overwrites the attribute values
- LDAP Cron Tasks appear to run but do not sync any users
- Cannot find mxe.ldapgroupmgmt System Property
- Using the viewqueue and deletequeue Utilities in an LDAP Environment
- LDAP login causes a "401 -- Unauthorized" browser error
- LDAP server authenticates user

References
Here is the general link to locate several redbooks on Security: http://www.redbooks.ibm.com/cgibin/searchsite.cgi?query=maximo+and+deployment
Here is a specific link to the redbook that covers security: http://www.redbooks.ibm.com/abstracts/sg247640.html?open

Trademarks
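The DN composition from Question 3, together with the loginid/userid/personid mapping and the case-sensitivity note from Questions 2 and 3, as an added Python example written for this page (not code from the IBM job aid or from the Maximo/Tivoli products). It goes one step beyond the text by escaping RFC 4514 special characters so a CN such as "Smith, John" cannot split the DN; the directory entry and policy list are constructed sample data.

```python
"""Added example: Active Directory style DN construction and the identifier
mapping the job aid describes. Sample data below is constructed, not real."""
import re

# RFC 4514 characters that must be escaped inside an RDN value; otherwise a
# value containing a comma (e.g. "Smith, John") would split the DN apart.
_SPECIAL = re.compile(r'([,+"\\<>;])')


def escape_rdn_value(value: str) -> str:
    """Escape one RDN value: special characters, leading '#'/space, trailing space."""
    out = _SPECIAL.sub(r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def domain_to_dc(fqdn: str) -> str:
    """'ldapserver.mro.com' -> 'DC=ldapserver,DC=mro,DC=com' (job aid example)."""
    labels = [p for p in fqdn.strip().lower().split(".") if p]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={escape_rdn_value(p)}" for p in labels)


def build_dn(cn: str, ous: list, fqdn: str) -> str:
    """CN, then the OU chain (most specific first), then the DC components."""
    parts = [f"CN={escape_rdn_value(cn)}"]
    parts += [f"OU={escape_rdn_value(ou)}" for ou in ous]
    parts.append(domain_to_dc(fqdn))
    return ",".join(parts)


def map_identifiers(entry: dict, auth_attr: str = "sAMAccountName") -> dict:
    """Map a directory entry onto loginid/userid/personid (Question 3).
    Whatever attribute the user authenticates with in the directory is what
    must land in loginid and userid; personid is the Start Center display
    name, for which the text says CN may be reused."""
    login = entry.get(auth_attr)
    if not login:
        raise ValueError(f"entry has no {auth_attr}; cannot derive loginid")
    return {"loginid": login, "userid": login,
            "personid": entry.get("cn") or login}


def policy_case_mismatch(ident: str, policy_ids: list) -> bool:
    """True when the policy names this user only in a different case.
    Authorization is case sensitive and uses the case returned by VMM
    (Question 2), so such a policy entry silently grants nothing."""
    if ident in policy_ids:
        return False
    return ident.lower() in {p.lower() for p in policy_ids}


# Constructed sample entry (not real directory data)
SAMPLE_ENTRY = {"sAMAccountName": "jsmith", "cn": "Smith, John",
                "givenName": "John", "sn": "Smith"}
```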

IBM, Lotus, Maximo, Service Request Manager, Tivoli, and WebSphere are trademarks or registered trademarks of IBM Corporation in the United States, other countries, or both. Microsoft is a trademark or registered trademark of Microsoft Corporation in the United States, other countries, or both. Other company, product, and service names may be trademarks or service marks of others.

Copyright IBM Corporation 2010
IBM United States of America
Produced in the United States of America
All Rights Reserved

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

Information in this paper as to the availability of products (including portlets) was believed accurate as of the time of publication. IBM cannot guarantee that identified products (including portlets) will continue to be made available by their suppliers. This information could include technical inaccuracies or typographical errors. Changes may be made periodically to the information herein; these changes may be incorporated in subsequent versions of the paper. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this paper at any time without notice.

Any references in this document to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785, U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: IBM World Trade Asia Corporation Licensing, 2-31 Roppongi 3-chome, Minato-ku, Tokyo 106-0032, Japan