Implementing Single-Sign-On(SSO) for APM UI


Contents

1. Introduction
2. Overview of SSO with LTPA
3. Installing and configuring TDS
   3.1. Installing TDS 6.3
   3.2. Changing the administrator password (Optional)
   3.3. Adding the TDS server
   3.4. Managing TDS services
   3.5. Creating an LDAP user for SSO
4. Configuring Tivoli Enterprise Portal Server
   4.1. Enabling TEPS/e administrative console
   4.2. Configuring a federated repository and enabling SSO
   4.3. Exporting LTPA keys
   4.4. Adding the LDAP user to Tivoli Enterprise Portal Server
5. Configuring TIP for SSO
   5.1. Configuring a federated repository and enabling SSO
   5.2. Importing keys
6. Conclusion
7. Reference

1. Introduction

The IBM SmartCloud Application Performance Management User Interface (APM UI) is an application deployed on IBM Tivoli Integrated Portal (TIP). It provides customizable dashboards for SmartCloud Application Performance Management, IBM Tivoli Monitoring, and IBM Tivoli Composite Application Manager products. Users generally need to drill down from APM UI to Tivoli Enterprise Portal Server (portal server) for detailed monitoring information for analysis and diagnosis. When a user wants to access the Tivoli Enterprise Portal from APM UI, the user must enter the user name and password again, which is inconvenient.

To resolve this problem, you can configure single sign-on (SSO) to integrate the APM UI and the portal server, which are both built on embedded WebSphere Application Server (ewas) servers. Remember that all the ewas instances must point to the same central user registry, such as an LDAP server. With SSO support, TIP users need to authenticate only once when they access the applications on both TIP and the portal server, even though these run on different ewas servers.

The purpose of this article is to describe the procedure for configuring SSO between TIP and the portal server by using Lightweight Third-Party Authentication (LTPA). The described environment has the following products installed:

- IBM Tivoli Integrated Portal Version 2.2.0.7
- IBM Tivoli Monitoring Version 6.2.3 Fix Pack 1
- IBM Tivoli Directory Server Version 6.3

2. Overview of SSO with LTPA

SSO capabilities on ewas servers are supported only when LTPA is used as the authentication mechanism. When SSO is enabled, a cookie that contains the LTPA token is created and inserted into the HTTP response. When the user accesses other Web resources (portlets, in this article) in any other ewas server process within the same DNS domain, the cookie is sent in the request. The LTPA token is then extracted from the cookie and validated. If the request crosses different cells of embedded WebSphere Application Servers, the cells must share both the LTPA keys and the user registry for SSO to work. The realm names on each system in the SSO domain are case sensitive and must match exactly.

LTPA is an implementation of SSO authentication technology that is used by IBM WebSphere Application Server and WebSphere Application Server Express. When a user successfully logs in to an application server that is configured for LTPA, a session cookie containing the LTPA token is written to the browser. After the user receives the LTPA token and accesses another server with the same SSO configuration, the user is automatically authenticated and is not prompted for a user name and password. LTPA provides the following capabilities:

- Forwardable credentials and single sign-on.
- Cryptographic keys to encrypt, digitally sign, and securely transmit authentication-related data between servers. The same key is used to decrypt the data after it is received.

The following table lists the LTPA single sign-on configuration items.

Item                  Description
Realm Name            Alias for the user registry that is used.
Federated Repository  LDAP or custom user repository.
SSO Domain Name       The domain or site value for the LTPA cookie. All cookies have a restriction that the value must contain at least two dots. For example, a value of .ibm.com allows the cookie to pass between servers whose URL contains .ibm.com, such as machinea.tivlab.austin.ibm.com and machineb.raleigh.rtp.ibm.com.
LTPA Key              The LTPA key that is exported from one server in the SSO configuration and imported into all the other servers participating in SSO.

Tivoli Directory Server (TDS) is one type of LDAP server. In this article, TDS 6.3 is used. Other LDAP servers can also be used, and you can refer to this article for their configuration. The following sections describe how to set up TDS 6.3 as the LDAP server.
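The overview names three things that have to line up before cross-cell SSO works: the cookie domain must contain at least two dots and cover every participating host, the realm names must match with case-sensitive comparison, and the LTPA keys must actually be shared. The following script is an added example (not code from the article or from IBM) that checks all three from two exported LTPA key files. It assumes the Java properties layout of a WebSphere key export and the property names com.ibm.websphere.ltpa.Realm and com.ibm.websphere.ltpa.3DESKey; the key values, hosts and realm strings in the sample exports are constructed placeholders. The key comparison only proves sharing when both files were exported with the same password, because the stored key values are encrypted with that password.

```python
"""Pre-flight checks for LTPA single sign-on between two embedded WebSphere
cells (the portal server cell and the TIP cell). Added example, not IBM code."""

# Property names used by WebSphere LTPA key exports (assumed, not from the article).
REALM_KEY = "com.ibm.websphere.ltpa.Realm"
SHARED_KEY = "com.ibm.websphere.ltpa.3DESKey"


def parse_ltpa_export(text):
    """Parse the Java .properties format of an exported LTPA key file.

    Handles '#'/'!' comment lines and the '\\=' / '\\:' escapes that the
    export writes into values (base64 padding '=' and timestamps).
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, i, escaped = [], 0, False
        while i < len(line):                 # key runs to the first unescaped '=' or ':'
            ch = line[i]
            if escaped:
                key.append(ch)
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch in "=:":
                i += 1
                break
            else:
                key.append(ch)
            i += 1
        value = line[i:].strip()
        value = value.replace("\\=", "=").replace("\\:", ":").replace("\\\\", "\\")
        props["".join(key).strip()] = value
    return props


def validate_sso_domain(domain):
    """The SSO domain (LTPA cookie domain) must contain at least two dots."""
    return domain.count(".") >= 2 and not domain.endswith(".")


def host_in_sso_domain(host, domain):
    """True when a cookie scoped to `domain` is sent by the browser to `host`."""
    suffix = domain if domain.startswith(".") else "." + domain
    return host.lower().endswith(suffix.lower())


def check_sso_pair(export_a, export_b, sso_domain, hosts, same_export_password=True):
    """Return a list of problems; an empty list means the pair looks consistent."""
    problems = []
    if not validate_sso_domain(sso_domain):
        problems.append(f"SSO domain {sso_domain!r} must contain at least two dots")
    else:
        for host in hosts:
            if not host_in_sso_domain(host, sso_domain):
                problems.append(f"host {host} is outside SSO domain {sso_domain}")
    a, b = parse_ltpa_export(export_a), parse_ltpa_export(export_b)
    realm_a, realm_b = a.get(REALM_KEY), b.get(REALM_KEY)
    if realm_a is None or realm_b is None:
        problems.append(f"{REALM_KEY} missing from an export")
    elif realm_a != realm_b:                 # realm comparison is case sensitive
        hint = " (differs only in case)" if realm_a.lower() == realm_b.lower() else ""
        problems.append(f"realm mismatch: {realm_a!r} vs {realm_b!r}{hint}")
    # Exported key values are encrypted with the export password, so they are
    # only comparable when both files were exported with the same password.
    if same_export_password and a.get(SHARED_KEY) != b.get(SHARED_KEY):
        problems.append("LTPA keys differ: the import has not taken effect on both cells")
    return problems


# Constructed sample exports (placeholder values, not real key material).
TEPS_EXPORT = """\
#IBM WebSphere Application Server key file
com.ibm.websphere.CreationDate=Mon Jan 14 10\\:00\\:00 CST 2013
com.ibm.websphere.ltpa.Realm=defaultWIMFileBasedRealm
com.ibm.websphere.ltpa.3DESKey=CONSTRUCTED+shared+3DES+key\\=
com.ibm.websphere.ltpa.PrivateKey=CONSTRUCTED+shared+private+key\\=
com.ibm.websphere.ltpa.PublicKey=CONSTRUCTED+shared+public+key\\=
"""
# TIP export taken after a successful import: same realm, same keys.
TIP_EXPORT_OK = TEPS_EXPORT.replace("Mon Jan 14", "Tue Jan 15")
# TIP export showing two classic mistakes: realm differs in case, keys never imported.
TIP_EXPORT_BAD = (TEPS_EXPORT
                  .replace("defaultWIMFileBasedRealm", "DefaultWIMFileBasedRealm")
                  .replace("CONSTRUCTED+shared+3DES+key", "CONSTRUCTED+tip+own+3DES+key"))

if __name__ == "__main__":
    hosts = ["myteps.cn.ibm.com", "mytip.cn.ibm.com"]   # constructed host names
    for label, export in (("ok", TIP_EXPORT_OK), ("bad", TIP_EXPORT_BAD)):
        print(label, check_sso_pair(TEPS_EXPORT, export, "cn.ibm.com", hosts) or "no problems")
```

Run it against the file exported in the portal server cell and a fresh export taken from TIP after the import; any non-empty list points at the setting to fix before testing SSO in the browser.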

3. Installing and configuring TDS

The following table lists the LDAP information that is used in the example here:

LDAP Host name       MyLDAPSrv.cn.ibm.com
LDAP Port            389
LDAP Type            IBM Tivoli Directory Server
LDAP Bind ID         cn=root
LDAP Bind Password   password

3.1. Installing TDS 6.3

To install TDS 6.3, complete the following steps:

1. Log on to the system as an administrator.
2. Start the installation program by double-clicking the installation file (tdsv6.3\tds\install_tds.exe).
3. Select the language that you want to use during the installation and click OK.
4. On the Welcome window, click Next.
5. Accept the software license agreement to proceed and click Next.
6. Any supported versions of previously installed components and their corresponding version levels are displayed. Click Next.
7. Specify the installation directory or accept the default (C:\Program Files\IBM\LDAP\V6.3), and click Next.
8. Select Typical and click Next.
9. If a supported version of DB2 is not installed, DB2 will be installed. A window is displayed for specifying a user ID and password for the DB2 system ID.
10. A window summarizing the components to be installed and configured is displayed. To start the installation, click Install.
11. Create the default directory server instance, which is named dsrdbm01. A window is displayed requesting passwords and an encryption seed. Specify the passwords and encryption seed. You will need the password to log on to the TEPS/e administrative console later in Section 4.
12. When the installation is complete, the default directory server instance has been created. Click Finish. The TDS server named dsrdbm01 is installed.

3.2. Changing the administrator password (Optional)

To change the administrator password, complete the following steps:

1. Launch the Web Administration Tool. On a Windows system, the application is started automatically after installation; you can also start it from the Start menu or launch it from the following address: http://localhost:12100/idswebapp/
2. Log in as the console administrator (superadmin).
3. In the navigator tree, click Change console administrator password.
4. Provide the required confidential information and click OK.

3.3. Adding the TDS server

To add the TDS server, complete the following steps:

1. Launch the Web Administration Tool.
2. In the navigation area, expand the Console administration item.
3. Click Manage console servers. A table listing the server host names and port numbers is displayed.
4. Click Add.
5. Specify the server name, host name, and the port number of the server to be added.
6. Select the Admin daemon supported check box to enable the administration port control.
7. Specify the port numbers or accept the defaults.
8. Click OK to apply the changes.

3.4. Managing TDS services

To manage the TDS services, complete the following steps:

1. Launch the Instance Administration Tool.
2. Make sure that the directory server instance is stopped.
3. Select the server instance and click Manage.
4. From the task list on the left, click Manage suffixes.
5. In the Manage suffixes window, type the suffix that you want to add in the Suffix DN field (dc=ibm,dc=com), click Add, and then click OK.
6. Open the TDS web configuration tool. Go to the following address and provide the required authentication information: http://localhost:12100/idswebapp/idsjsp/login.jsp
7. Click Directory Management -> Add an entry.
8. Select domain from the Structural object classes list, and click Next.
9. For Auxiliary Object Classes, use the default setting, and click Next.
10. Specify the relative distinguished name and required attributes as follows and click Next.
    Relative DN: dc=ibm,dc=com
    Parent DN: (leave blank)
    dc: ibm
11. Keep the optional attributes as default, and click Finish. A message confirms that the entry was added successfully.

3.5. Creating an LDAP user for SSO

1. Launch the TDS Web configuration tool.
2. Click Directory management -> Manage entries, and add a new entry.
3. Select groupofnames from the Structural object classes list.
4. For auxiliary object classes, use the default setting, and click Next.
5. Specify the required attributes as follows and click Next. The user_name is the one that will be used for SSO.
   Relative DN: cn=users
   Parent DN: dc=ibm,dc=com
   cn: users
   member: uid=user_name,cn=users,dc=ibm,dc=com
6. Keep the default settings of optional attributes, and click Finish.
7. In the Manage entries area, select the dc=ibm,dc=com entry that was just added, and click Expand.
8. Select the cn=users entry, and click Add to add a new entry.
9. Select inetorgperson from the Structural object classes list and click Next.
10. For Auxiliary Object Classes, use the default setting, and click Next.
11. Specify the required attributes as follows and click Next.
    Relative DN: uid=user_name
    cn: user_name
    sn: user_name
12. For optional properties, set uid to user_name and set the user password that will be used for SSO. You need to remember this password; however, the users do not need to know it. Click Finish.
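Sections 3.4 and 3.5 create three entries through the web tool: the dc=ibm,dc=com suffix, a groupOfNames at cn=users, and an inetOrgPerson under it. Because the group's member attribute is filled in before the user entry exists, a typo in the member DN is not noticed until SSO lookups fail. The following script is an added example (not code from the article or from TDS) that produces the same entries as LDIF and checks, before anything is written to the directory, that every member DN matches an entry being created. The password value is a placeholder, and the idsldapadd invocation in the comment is an assumed way of loading the file.

```python
"""Build the directory entries from section 3.5 as LDIF and check them.
Added example, not code from the article or from Tivoli Directory Server."""
import base64

SUFFIX = "dc=ibm,dc=com"
GROUP_DN = "cn=users," + SUFFIX


def user_dn(uid):
    return f"uid={uid},{GROUP_DN}"


def build_entries(uids, passwords):
    """Return entries in creation order: suffix, group, then the users.

    Each entry is {"dn": str, "attrs": [(name, value), ...]}; attribute order
    is kept so the LDIF reads like the console forms in the article.
    """
    suffix = {"dn": SUFFIX, "attrs": [("objectClass", "top"),
                                       ("objectClass", "domain"),
                                       ("dc", "ibm")]}
    # groupOfNames requires at least one member, so the group names the
    # users before they exist, exactly as step 5 of section 3.5 does.
    group = {"dn": GROUP_DN, "attrs": [("objectClass", "top"),
                                        ("objectClass", "groupOfNames"),
                                        ("cn", "users")]
             + [("member", user_dn(uid)) for uid in uids]}
    users = [{"dn": user_dn(uid), "attrs": [
        ("objectClass", "top"),
        ("objectClass", "person"),
        ("objectClass", "organizationalPerson"),
        ("objectClass", "inetOrgPerson"),
        ("uid", uid),
        ("cn", uid),
        ("sn", uid),
        ("userPassword", passwords[uid]),
    ]} for uid in uids]
    return [suffix, group] + users


def check_member_references(entries):
    """List member values that match no entry DN (DNs compare case-insensitively)."""
    known = {entry["dn"].lower() for entry in entries}
    return [f"{entry['dn']}: member {value} matches no entry"
            for entry in entries
            for name, value in entry["attrs"]
            if name == "member" and value.lower() not in known]


def ldif_line(name, value):
    """Format one attribute; base64-encode values LDIF cannot carry literally."""
    safe = (value.isascii() and value != "" and value[0] not in " :<"
            and not value.endswith(" ") and not any(c in value for c in "\r\n\x00"))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def to_ldif(entries):
    blocks = []
    for entry in entries:
        lines = [ldif_line("dn", entry["dn"])]
        lines += [ldif_line(name, value) for name, value in entry["attrs"]]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    # Placeholder password; use the SSO user password chosen in step 12.
    entries = build_entries(["user_name"], {"user_name": "CHANGEME-placeholder"})
    problems = check_member_references(entries)
    if problems:
        raise SystemExit("\n".join(problems))
    # Assumed loading command with the TDS client, using the bind values from section 3:
    #   idsldapadd -h MyLDAPSrv.cn.ibm.com -p 389 -D cn=root -w <bind password> -f sso.ldif
    print(to_ldif(entries), end="")
```

The member check is deliberately done on the generated data rather than against the live server, so it also catches the case where the group is written first and the user entry is later created under a slightly different RDN.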

4. Configuring Tivoli Enterprise Portal Server

To enable SSO, you need to configure the portal server's embedded ewas. After that, add the SSO user with Tivoli Enterprise Portal user administration.

4.1. Enabling TEPS/e administrative console

To configure ewas, you must access the Tivoli Enterprise Portal Server extension server (TEPS/e) administrative console. It is disabled by default. To enable the administrative console, perform the following procedure:

1. Start the Manage Tivoli Enterprise Monitoring Services utility by running the ./itmcmd manage command from the IBM Tivoli Monitoring installation directory.
2. If the portal server is not started, start it.
3. Right-click the Tivoli Enterprise Portal Server and click TEPS/e Administration --> Enable TEPS/e Administration.
4. If this is the first time that you enable the TEPS/e console, right-click the Tivoli Enterprise Portal Server and click TEPS/e Administration --> Update TEPS Extension Password.

4.2. Configuring a federated repository and enabling SSO

1. Go to http://<TEPS hostname/ip>:15205/ibm/console and log on to the TEPS/e administrative console as wasadmin. The password is the one that you specified in Section 3.1, Installing TDS 6.3.
2. In the navigation tree, click Security -> Global security.
3. From the Available realm definitions list, select Federated repositories, and click Set as current to make sure that federated repositories is the current realm definition.
4. Click Configure.
5. Click Add Base entry to Realm.
6. Click Add Repository.
7. Complete the following properties:
   Repository identifier: SSOLDAP
   Bind distinguished name: The administrator DN that you specified when you configured the LDAP server.
   Bind password: The password for the administrator DN.
   Directory type: The version of IBM Tivoli Directory Server that you are using (IBM Tivoli Directory Server in this example).
   Primary host name: The name of the IBM Tivoli Directory Server host.
8. Click Apply and, when prompted, click Save.
9. Complete the general properties.
10. Click Apply and, when prompted, click Save.
11. Return to the Global security page. In the Authentication area, expand Web security and click Single sign-on (SSO).
12. Make sure that the Enabled check box is selected. Enter cn.ibm.com in the Domain name field.
13. Click Apply and, when prompted, click Save.
14. Restart the Tivoli Enterprise Portal Server.

4.3. Exporting LTPA keys

To support SSO in ewas across multiple WebSphere Application Server domains or cells, you must share the LTPA keys and the password among the domains. Complete the following steps on the administrative console to export the LTPA key file so that it can be shared across domains. To export LTPA keys from the portal server ewas, perform the following procedure:

1. Log on to the TEPS/e administrative console as wasadmin.
2. In the navigation tree, click Security -> Global security.
3. In the Authentication area, select LTPA.
4. In the Cross-cell single sign-on section, provide a password and the path to the key file, and then click Export Keys. Note that the password is used to encrypt the LTPA keys. Memorize the password so that you can use it later when the keys are imported into TIP.

4.4. Adding the LDAP user to Tivoli Enterprise Portal Server

1. Log on to Tivoli Enterprise Portal and click Edit -> Administer Users.
2. Click Create New User.
3. In the Create New User window, provide the user information and click OK. To search for a user, enter a keyword in the Distinguished Name field and click Find.

5. Configuring TIP for SSO

5.1. Configuring a federated repository and enabling SSO

This procedure is similar to Section 4.2, except that here you do it with the WebSphere administrative console instead of the TEPS/e administrative console. To launch the WebSphere administrative console, complete the following steps:

1. Go to http://<TIP host/IP>:16310/ibm/console and log on to the TIP console as tipadmin.
2. In the navigation tree, expand Settings and click WebSphere Administrative Console.
3. Click Launch WebSphere administrative console.
4. With the WebSphere administrative console, repeat steps 2 to 10 that you did with the TEPS/e administrative console in Section 4.2.
5. Restart the TIP server.

5.2. Importing keys

After you export LTPA keys from one cell, you must import these keys into the other cell. To import keys, you must know the password for the exported key file to access the LTPA keys. Verify that the keys have been exported from one of the cells into a file.

Note: Before you import LTPA keys, restart the TIP servers to make sure that all configuration changes have taken effect.

To import the LTPA keys into the TIP ewas, perform the following procedure:

1. Go to http://<TIP host/IP>:16310/ibm/console and log on to the TIP console as tipadmin.
2. Launch the WebSphere administrative console. To do this, expand Settings in the navigation tree, click WebSphere Administrative Console, and then click Launch WebSphere administrative console.
3. In the navigation tree, click Security -> Global security.
4. In the Authentication area, select LTPA.
5. Copy the key file from the portal server to a local temporary path.
6. In the Cross-cell single sign-on section, provide the password and the path to the copied key file, and then click Import Keys.

6. Conclusion

After completing all the procedures in Sections 3 to 5, restart both ewas servers. You can test the SSO feature by logging on to TIP with a user account that was created in the LDAP directory and registered in both the portal server and TIP. If the SSO configuration is correct, you are not prompted for the user name and password when you access the portal server from APM UI.

7. Reference

Tivoli Directory Server Information Center:
http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.ibmds.doc/install.htm

IBM Tivoli Monitoring 6.2.3 FP1 Information Center:
http://pic.dhe.ibm.com/infocenter/tivihelp/v15r1/index.jsp?topic=%2Fcom.ibm.itm.doc_6.2.3fp1%2Fwelcome.htm

IBM Tivoli Monitoring LDAP SSO:
http://pic.dhe.ibm.com/infocenter/tivihelp/v30r1/index.jsp?topic=%2Fcom.ibm.itm.doc_6.2.2fp2%2Fitm_install08.htm

Tivoli Integrated Portal SSO:
http://publib.boulder.ibm.com/infocenter/tivihelp/v24r1/index.jsp?topic=%2Fcom.ibm.itcamfad.doc_7101%2FMS_install_guide%2FConfiguringLDAPUsingIBMTivoliDirectoryServer.html

TBSM SSO configuration:
http://www.ibm.com/developerworks/wikis/download/attachments/143984644/quick+configuration+guide+for+sso.pdf?version=3