Login access to the Tivoli® Enterprise Portal client
is controlled by user accounts that are defined to the Tivoli Enterprise Portal Server.
Password authentication is controlled by a registry, either the operating
system user registry of the hub monitoring server or an external LDAP
user registry that is configured at the hub monitoring server or at
the portal server.
tacmd CLI login access and SOAP client requests to
the hub Tivoli Enterprise Monitoring Server are
controlled by user accounts that are defined to the hub monitoring
server using either the operating system registry of the monitoring
server or an external LDAP server that is configured at the hub monitoring
server.
Login access to the IBM® Dashboard Application Services Hub is controlled
by the operating system user registry, an LDAP user registry, or a
custom standalone user registry. If you plan to use monitoring dashboard
applications or custom monitoring dashboards in IBM Dashboard
Application Services Hub, and you want your dashboard users to launch
the Tivoli Enterprise Portal client without being prompted for their
credentials, or you want to control authorization to monitored resources
on a per-user basis, then you must configure the Tivoli Enterprise Portal
Server and Dashboard Application Services Hub to use a federated LDAP
user registry and single sign-on. See the roadmaps in Preparing your
dashboard environment to determine whether you want to use a federated
LDAP user registry and single sign-on.
Login access to the Open Services Lifecycle Collaboration Performance
Monitoring service provider component of the Tivoli Enterprise Monitoring
Automation Server is controlled by an LDAP user registry and by the
Security Services component of Jazz™ for Service Management.
- The sysadmin user ID
- An initial sysadmin user ID with full administrator
authority is provided at installation so that you can log on to the Tivoli Enterprise Portal client
and add more user accounts. No password is required to log on to the
portal client unless the hub monitoring server was configured to enable Security:
Validate User.
- Tivoli Enterprise Portal user profile
- To log in using a Tivoli Enterprise Portal client,
a user must be authenticated by the portal server and have a Tivoli Enterprise Portal user
ID. Each user ID that is defined in the Tivoli Enterprise Portal is
assigned a set of permissions that determine the portal client features
the user is authorized to see and use, the monitored applications
the user is authorized to see, and the Navigator views (and the highest
level within a view) the user can access.
- User IDs that will have the same permissions can
be organized into user groups so that changes to the permissions are
applied to all member user IDs.
- When the Dashboard
Application Services Hub and portal
server are configured for single sign-on, a Tivoli Enterprise Portal user
ID must exist for each monitoring dashboard user. The first time a dashboard user accesses
monitoring data, a Tivoli Enterprise Portal user
ID is automatically created for the user if there is not already a
user ID mapped to the user's LDAP distinguished name. In this case,
the Tivoli Enterprise Portal user
ID is a randomly generated ID and the user is not assigned any permissions.
If Tivoli Enterprise Portal permissions
are being used to control access to monitored resources in the dashboards
instead of authorization policies, or if the dashboard user can launch
the Tivoli Enterprise Portal,
assign the user ID permissions and the monitored applications that
can be accessed.
- For more information on assigning Tivoli Enterprise Portal permissions
and monitoring applications, see Using Tivoli Enterprise Portal user authorization.
- Authentication through the hub monitoring server
- User IDs authenticated through the hub monitoring server can be
authenticated by either the local operating system registry or an
external LDAP-enabled central user registry.
- User IDs that use the tacmd commands
that send requests to the hub monitoring server, or that make SOAP
Server requests, must be authenticated through the hub monitoring
server.
- Limitations:
- LDAP authentication is not supported for hub monitoring servers
on z/OS®.
- The Tivoli Directory Server LDAP
client used by the Tivoli Enterprise Monitoring Server does
not support LDAP referrals, such as those supported by Microsoft Active Directory.
- When the hub monitoring server is installed on a distributed
operating system and is used to authenticate Tivoli Enterprise Portal users,
the Tivoli Enterprise Portal user
IDs must be 10 characters or fewer. However, for SOAP client users
and tacmd CLI users that are authenticated by the
hub monitoring server, the user IDs can be up to 15 characters.
- When the hub monitoring server is installed on z/OS, the user ID length is limited
to 8 characters if authentication uses the RACF® (Resource Access Control Facility) security
for z/OS.
- LDAP authentication through the portal server
- The portal server authenticates Tivoli Enterprise Portal users,
Dashboard
Application Services Hub users
who access monitoring data, IBM Tivoli Monitoring charting
web service users, and tacmd CLI users who use
commands that send requests to the portal server.
- By default, the portal server contacts the hub monitoring server
to perform the authentication. However, it is best practice to configure
the portal server to perform its own authentication through a federated
LDAP user registry for these scenarios:
- The Tivoli Enterprise Portal is
launched from other web-based applications and you don't want users
to re-enter their credentials.
- The Tivoli Enterprise Portal is
used to launch other web-based or web-enabled applications and you
don't want users to re-enter their credentials.
- IBM Dashboard
Application Services Hub is used to
display monitoring data retrieved using the dashboard data provider component
of the portal server. Best practice is to use single sign-on in this
case, so that dashboard users can launch the Tivoli Enterprise Portal and
users don't have to re-enter their credentials. Additionally, single
sign-on must be used if you want to control authorization to monitored
resources on a per-user basis.
- The IBM Tivoli Monitoring charting
web service is being used by another application such as Tivoli Integrated Portal.
- When the portal server is configured to authenticate with an LDAP
server, users log in to Tivoli Enterprise Portal using
their LDAP relative distinguished name (which normally maps to the cn= or uid= value)
and not their Tivoli Enterprise Portal user
ID. Because the portal server uses Tivoli Enterprise Portal user
IDs to control permissions, you must map LDAP distinguished names
to Tivoli Enterprise Portal
user IDs. Although the Tivoli Enterprise Portal user
IDs are limited to 10 characters, the LDAP distinguished names can
be much longer.
- You can configure the portal server to use an LDAP user registry
by using the Manage Tivoli Enterprise Monitoring Services utility,
the itmcmd command line interface on Linux and UNIX,
or the TEPS/e administration console (ISCLite). If you configure LDAP
using the TEPS/e administration console, you must manually restart
ISCLite through the Manage Tivoli Enterprise Monitoring Services after
each portal server restart.
- Authentication through the hub monitoring server and the portal
server
- The
hub monitoring server and portal server can connect to the same LDAP
server if you have users who need login access to both servers. You
can use the same user ID to log on to the Tivoli Enterprise Portal client
that you use for the tacmd login command. To do
this, you must go to Administer Users in
the portal client to map the Tivoli Enterprise Portal user
ID to the distinguished name used by the portal server's LDAP user
registry which, by default, uses o=ITMSSOEntry and not the
distinguished name that uses o=DEFAULTWIMITMBASEDREALM.
- Migrating LDAP authentication from the hub to the portal server
- If your hub Tivoli Enterprise Monitoring Server has
already been configured to authenticate users to an LDAP user registry,
and you now want to configure the portal server to use an LDAP user
registry, you must change the Distinguished Name that is set for the
user IDs in the Administer Users window of the Tivoli Enterprise Portal.
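The user-ID length limits, the requirement to map each LDAP distinguished name to a Tivoli Enterprise Portal user ID, and the o=ITMSSOEntry versus o=DEFAULTWIMITMBASEDREALM distinction described above are easy to get wrong once more than a handful of users are involved. The following Python script is an added example, not part of IBM Tivoli Monitoring or of its tacmd and itmcmd tooling: it encodes those rules and runs them over a constructed list of mappings of the kind you would read off the Administer Users window. The Mapping record, the audit function and the sample entries are illustrative assumptions; the limits and suffixes are the ones stated on this page.

```python
"""Audit Tivoli Enterprise Portal user-ID to LDAP DN mappings.

Added example, not IBM code: applies the user-ID length limits and the
DN-mapping rules described on this page to a constructed mapping list.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Limits and registry suffixes stated on the page.
TEP_USER_ID_MAX = 10            # TEP user IDs (hub on a distributed OS)
SOAP_TACMD_USER_ID_MAX = 15     # SOAP client / tacmd CLI users authenticated by the hub
RACF_USER_ID_MAX = 8            # hub on z/OS authenticating through RACF
PORTAL_SSO_SUFFIX = "o=ITMSSOEntry"              # portal server's LDAP registry (default)
HUB_LEGACY_SUFFIX = "o=DEFAULTWIMITMBASEDREALM"  # written when the hub did LDAP authentication


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, unescaping backslash-escaped commas."""
    components, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    components.append("".join(buf))
    pairs = []
    for comp in components:
        attr, _, value = comp.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def login_name(dn: str) -> str:
    """Value of the relative DN: what an LDAP-authenticated user types at the login prompt."""
    return parse_dn(dn)[0][1]


def dn_suffix(dn: str) -> str:
    """The o= component the mapping is anchored to (empty string if there is none)."""
    for attr, value in parse_dn(dn):
        if attr == "o":
            return f"o={value}"
    return ""


@dataclass
class Mapping:
    """One row as read from Administer Users (hypothetical shape, for illustration)."""
    user_id: str
    dn: Optional[str] = None        # None: no distinguished name mapped yet
    kind: str = "tep"               # "tep", "tacmd" or "soap"
    hub: str = "distributed"        # "distributed" or "zos-racf"


def audit(m: Mapping) -> List[str]:
    """Return findings; an empty list means the mapping satisfies the page's rules."""
    findings = []
    # 1. User-ID length: RACF on a z/OS hub caps every hub-authenticated ID at 8;
    #    otherwise TEP IDs get 10 and SOAP/tacmd IDs get 15.
    if m.hub == "zos-racf":
        limit = RACF_USER_ID_MAX
    elif m.kind == "tep":
        limit = TEP_USER_ID_MAX
    else:
        limit = SOAP_TACMD_USER_ID_MAX
    if len(m.user_id) > limit:
        findings.append(f"user ID '{m.user_id}' has {len(m.user_id)} characters; "
                        f"limit is {limit} for {m.kind} users with a {m.hub} hub")
    # 2. The DN mapping only matters for TEP users authenticated by the portal server.
    if m.kind != "tep":
        return findings
    if m.dn is None:
        findings.append("no LDAP DN mapped: a dashboard SSO user would be given "
                        "a random TEP user ID with no permissions")
        return findings
    attr = parse_dn(m.dn)[0][0]
    if attr not in ("cn", "uid"):
        findings.append(f"RDN attribute '{attr}' is unusual; the login name is the RDN value, "
                        "normally cn= or uid=")
    if dn_suffix(m.dn).lower() == HUB_LEGACY_SUFFIX.lower():
        findings.append(f"DN is anchored at {HUB_LEGACY_SUFFIX} (hub-side LDAP); "
                        f"re-map it to the portal server's {PORTAL_SSO_SUFFIX} DN")
    return findings


def audit_all(mappings: List[Mapping]) -> Dict[str, List[str]]:
    return {m.user_id: audit(m) for m in mappings}


# Constructed sample; not an export from any real deployment.
SAMPLE_MAPPINGS = [
    Mapping("sysadmin", "cn=sysadmin,o=ITMSSOEntry"),
    Mapping("jdoe", "uid=jdoe,ou=people,o=ITMSSOEntry"),
    Mapping("opsdash01"),                                              # SSO user never mapped
    Mapping("asmith", "cn=asmith,o=DEFAULTWIMITMBASEDREALM"),          # left over from hub LDAP
    Mapping("monitoring_admin", "cn=monitoring_admin,o=ITMSSOEntry"),  # 16 characters
    Mapping("svc_tacmd_auto", kind="tacmd"),                           # 14 characters, allowed
    Mapping("OPERATOR1", kind="tacmd", hub="zos-racf"),                # 9 characters, over RACF's 8
]

if __name__ == "__main__":
    for user_id, findings in audit_all(SAMPLE_MAPPINGS).items():
        print(f"{user_id:18} {'OK' if not findings else '; '.join(findings)}")
```

Run it once after moving LDAP authentication from the hub to the portal server: any row reported against o=DEFAULTWIMITMBASEDREALM is a user whose Distinguished Name still has to be changed in Administer Users, and any TEP row with no DN is a user who will silently receive a random, permissionless user ID on first dashboard access.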
Roadmap for user authentication
Use
the following roadmap to get you started with user authentication.