Chapter 4. Security integration
7. From the Select Action drop-down list, choose Reload Request, and confirm the instance reload request by selecting OK.
Because VMMSYNC is configured to run every 5 minutes, wait for 5 minutes and check whether the users and groups from the LDAP repository have been populated into the Maximo tables. Perform these steps to check the MAXUSER table:
1. Navigate to Go To→ Security→ Users.
2. Press Enter to see all of the users that have been defined in the LDAP server.
Figure 4-34 on page 92 shows an example.
Figure 4-34 Example of a list of users in the MAXUSER table
Perform these steps to check the PERSON table:
1. Navigate to Go To→ Administrator→ Resources→ People.
2. Press Enter to see all of the persons as defined in the LDAP server.
Perform these steps to check the MAXGROUP table:
1. Navigate to Go To→ Security→ Security Groups.
2. Press Enter to see all of the groups that have been defined in the LDAP server.
4.5 IBM Tivoli Application Dependency Discovery Manager security setup
In this section, we discuss the IBM Tivoli Application Dependency Discovery Manager security configuration. Figure 4-35 on page 93 shows the IBM Tivoli
Figure 4-35 IBM Tivoli Application Dependency Discovery Manager security components
You perform most of the required configurations by configuring key-value pairs in the collation.properties file. It is located in the $COLLATION_HOME/dist/etc directory on the IBM Tivoli Application Dependency Discovery Manager server.
In the collation.properties file, you must set the user management module to vmm to define that IBM Tivoli Application Dependency Discovery Manager will use Virtual Member Manager to get access to the users and groups that are defined in LDAP:
com.collation.security.usermanagementmodule=vmm
In the Federated Repositories section of the collation.properties file, set the attributes as shown in Example 4-3 on page 94.
Example 4-3 Federated repositories settings
#==============================
# Federated Repositories/ESS
# Authentication & SSO
#==============================
# FQDN of the machine hosting WebSphere,
# Federated Repositories and ESS
com.collation.security.auth.websphereHost=ccmdb.itso.ral.ibm.com
# WebSphere system port (default = 2809)
com.collation.security.auth.webspherePort=9809
You must restart the IBM Tivoli Application Dependency Discovery Manager server for the changes to take effect. Restarting IBM Tivoli Application Dependency Discovery Manager also encrypts any password fields within the collation.properties file that were written in clear text.
The configuration is the communication between the authentication service client on the IBM Tivoli Application Dependency Discovery Manager server to the authentication service implementation on the WebSphere Application Server. On the IBM Tivoli Application Dependency Discovery Manager server, edit the ibmessclientauthncfg.properties file in the $COLLATION_HOME/dist/etc directory. Change the authnServiceURL parameter to point to the authentication server, which is the machine where the IBM Tivoli Change and Configuration Management Database is installed, as shown in Example 4-4.
Example 4-4 Authentication server in ibmessclientauthncfg.properties file
# This is the URL for the ESS Authentication Service
authnServiceURL=http://ccmdb.itso.ral.ibm.com:9080/TokenService/services/Trust
The authentication service client on IBM Tivoli Application Dependency Discovery Manager server uses this URL to call back to the Security Token Service on the WebSphere Application Server to authenticate an IBM Tivoli Application Dependency Discovery Manager user or to validate the LTPA token that IBM Tivoli Application Dependency Discovery Manager receives.
Configure the parameters in the sas.client.props file, which is located in the $COLLATION_HOME/dist/etc directory. You need to set the parameters as shown in Example 4-5 to validate your WebSphere session authentication.
Example 4-5 The sas.client.props file
com.ibm.CORBA.securityServerHost=ccmdb.itso.ral.ibm.com
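The three files above must all point at the same WebSphere host, and a typo in any one of them produces an authentication failure that is tedious to trace. The following checker is an added example, not code from the Redbook or from the TADDM product: it parses the Java .properties format these files use and verifies that the VMM/ESS settings agree. The file contents embedded below are constructed from the values shown in Examples 4-3, 4-4 and 4-5.

```python
from urllib.parse import urlparse

# Constructed sample contents mirroring the examples in this section.
COLLATION_PROPERTIES = """\
# Federated Repositories/ESS
com.collation.security.usermanagementmodule=vmm
com.collation.security.auth.websphereHost=ccmdb.itso.ral.ibm.com
# WebSphere system port (default = 2809)
com.collation.security.auth.webspherePort=9809
"""
ESS_CLIENT_PROPERTIES = """\
# This is the URL for the ESS Authentication Service
authnServiceURL=http://ccmdb.itso.ral.ibm.com:9080/TokenService/services/Trust
"""
SAS_CLIENT_PROPS = "com.ibm.CORBA.securityServerHost=ccmdb.itso.ral.ibm.com\n"


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, key=value or
    key:value, and a trailing backslash that joins the next line."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_taddm_auth(collation, ess_client, sas_client):
    """Return a list of findings; an empty list means the files agree."""
    c, e, s = (parse_properties(t) for t in (collation, ess_client, sas_client))
    findings = []
    if c.get("com.collation.security.usermanagementmodule") != "vmm":
        findings.append("usermanagementmodule is not vmm")
    ws_host = c.get("com.collation.security.auth.websphereHost")
    if not ws_host:
        findings.append("websphereHost not set")
    if not c.get("com.collation.security.auth.webspherePort", "").isdigit():
        findings.append("webspherePort missing or not numeric")
    # The ESS client must call back to the same WebSphere host for tokens.
    if urlparse(e.get("authnServiceURL", "")).hostname != ws_host:
        findings.append("authnServiceURL host differs from websphereHost")
    if s.get("com.ibm.CORBA.securityServerHost") != ws_host:
        findings.append("securityServerHost differs from websphereHost")
    return findings
```

To run it against a real server, read the three files from $COLLATION_HOME/dist/etc and pass their contents to check_taddm_auth.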
4.6 IBM Tivoli Netcool products LDAP configuration
We discuss the following topics for the IBM Tivoli Netcool products:
4.6.1, “IBM Tivoli Netcool/OMNIbus LDAP configuration”
4.6.2, “Configuring Tivoli Integrated Portal LDAP”
4.6.3, “IBM Tivoli Netcool/Impact LDAP Configuration”
4.6.1 IBM Tivoli Netcool/OMNIbus LDAP configuration
You can configure IBM Tivoli Netcool/OMNIbus to authenticate against LDAP by configuring the Process Agent and the Object Server to use Pluggable Authentication Modules (PAM), a UNIX-provided authentication framework. The Process Agent manages the Object Server and other processes, automatically restarts them, and runs external procedures on behalf of the Object Server. By default the Process Agent uses system authentication, but you can configure it to authenticate against LDAP through PAM. Object Server users authenticate against the IBM Tivoli Netcool/OMNIbus Object Server database by default; you can likewise configure the Object Server to authenticate against LDAP through PAM. On Windows, PAM is not available, so the Process Agent can only use system authentication and the Object Server can only authenticate against the Object Server database.
With PAM, we can configure the Object Server to authenticate using third-party PAM modules to multiple authentication sources. In this book, we look specifically at configuring Process Agent and Object Server PAM authentication using the Red Hat Enterprise Linux 4-provided pam_ldap.so module to an IBM Tivoli Directory Server V6.1. The discussion includes these topics: