Four simple steps for integrating Webtop with an LDAP Server.


How many distinct user IDs has your employer issued you? Probably too many to remember reliably. As businesses move more of their employees' daily tasks and services on-line, the number of credentials, and hence the effort of maintaining them, grows for users and administrators alike. LDAP offers some relief: a central repository for user details, with the promise of one user ID for all your business applications.

Many of the Tivoli solutions integrate with LDAP servers of varying technologies, including Microsoft Active Directory and IBM Directory Server. This article focuses on the basic process to enable Netcool/Webtop 2.2 users and administrators to authenticate using their global user IDs.

The basic steps are:

  • Understand the LDAP server and directory structure
  • Update the Federated repository used by Webtop
  • Assign Webtop roles to the LDAP groups
  • Replicate LDAP users to the Netcool/OMNIbus ObjectServer database

Each of these steps is described below.

Note: The technique for integrating the WebGUI supplied with OMNIbus v7.3 is almost identical, but is made slightly less complex due to the default settings of the WebGUI.

The LDAP Server and Directory Structure

This example is based on IBM Directory Server v6.1. The scenario is deliberately simple: a single LDAP server on the host LDAP01, listening on the default LDAP port, 389 (an unencrypted connection).

The directory structure will be unique to each company. In this scenario the users exist within the realm WTRealm, identified by the distinguished name cn=wtrealm,ou=admins,o=tivoli,c=edu.

[Figure ids2: the WTRealm base entry in the directory tree]

User definitions within this realm include the attribute uid, which will be utilised as the Webtop user ID.

[Figure ids4: a user entry within the realm, showing the uid attribute]

Finally, Webtop operators and administrators will be assigned to the LDAP groups WTOperators and WTAdmins, respectively.

[Figure ids5: the WTOperators and WTAdmins groups]
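Before the realm is handed to TIP it is worth confirming that the two groups actually resolve to log-in IDs. The script below is an added example, not code from the original article or from the Webtop product; it assumes the base entry and group names used above and replaces live ldapsearch output with a constructed LDIF sample so that it can run offline.

```shell
#!/bin/sh
# Added example, not part of the original article or of the Webtop/TIP product.
# TIP resolves group membership by following the member DNs in the group entry,
# but it only finds entries beneath the configured base entry, and Webtop then
# logs the user in by the uid attribute. A member outside the base entry, or an
# entry without a uid, never receives the Webtop role mapped to its group.
#
# Against the real server the LDIF would come from something like:
#   ldapsearch -h LDAP01 -p 389 -D cn=root -W \
#       -b cn=wtrealm,ou=admins,o=tivoli,c=edu '(objectClass=*)' uid member
# A constructed LDIF sample stands in for that output so the script runs offline.

BASE_DN='cn=wtrealm,ou=admins,o=tivoli,c=edu'

# Constructed sample: carol lives outside the realm, svc-monitor has no uid.
SAMPLE_LDIF='dn: cn=wtrealm,ou=admins,o=tivoli,c=edu
cn: wtrealm

dn: uid=alice,cn=wtrealm,ou=admins,o=tivoli,c=edu
uid: alice

dn: uid=bob,cn=wtrealm,ou=admins,o=tivoli,c=edu
uid: bob

dn: cn=svc-monitor,cn=wtrealm,ou=admins,o=tivoli,c=edu
cn: svc-monitor

dn: cn=WTAdmins,cn=wtrealm,ou=admins,o=tivoli,c=edu
member: uid=alice,cn=wtrealm,ou=admins,o=tivoli,c=edu

dn: cn=WTOperators,cn=wtrealm,ou=admins,o=tivoli,c=edu
member: uid=bob,cn=wtrealm,ou=admins,o=tivoli,c=edu
member: uid=carol,ou=contractors,o=tivoli,c=edu
member: cn=svc-monitor,cn=wtrealm,ou=admins,o=tivoli,c=edu
'

# check_group_members LDIF GROUP_CN
# Prints "<member dn> -> <uid>" for every member Webtop can log in, or
# "<member dn> -> NOT RESOLVABLE (<reason>)" otherwise.
# Returns 0 when every member resolves, 1 when any does not or the group is missing.
check_group_members() {
    printf '%s\n' "$1" | awk -v group="$2" -v base="$BASE_DN" '
        BEGIN { RS = ""; FS = "\n"; bad = 0; found = 0; nmembers = 0 }
        {
            dn = ""; uid = ""; nm = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dn: /)          { dn = tolower(substr($i, 5)) }
                else if ($i ~ /^uid: /)    { uid = substr($i, 6) }
                else if ($i ~ /^member: /) { mem[++nm] = tolower(substr($i, 9)) }
            }
            if (dn == "") next
            if (uid != "") uidof[dn] = uid              # DN -> Webtop login name
            if (dn == tolower("cn=" group "," base)) {  # the group we were asked about
                found = 1
                for (i = 1; i <= nm; i++) members[i] = mem[i]
                nmembers = nm
            }
            split("", mem)                              # clear per-entry scratch array
        }
        END {
            if (!found) { print "group " group " not found under " base; exit 1 }
            suffix = "," tolower(base)
            for (i = 1; i <= nmembers; i++) {
                m = members[i]
                if (length(m) <= length(suffix) || substr(m, length(m) - length(suffix) + 1) != suffix) {
                    print m " -> NOT RESOLVABLE (outside base entry)"; bad = 1
                } else if (!(m in uidof)) {
                    print m " -> NOT RESOLVABLE (no uid attribute)"; bad = 1
                } else {
                    print m " -> " uidof[m]
                }
            }
            exit bad
        }'
}

# Report on both Webtop groups; a non-zero status means the group is not yet
# safe to map to a Webtop role.
for g in WTAdmins WTOperators; do
    echo "== $g"
    check_group_members "$SAMPLE_LDIF" "$g" || echo "   fix $g in LDAP before assigning it a Webtop role"
done
```

Run it against the real ldapsearch output (in place of SAMPLE_LDIF) before touching the TIP configuration; a member reported as NOT RESOLVABLE is visible in the group in LDAP but will not receive the Webtop role mapped to that group in the later step.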

Update the Webtop Federated repository

Once the LDAP Server set-up and properties are understood, the federated repository used by Webtop can be updated.

Webtop is a web application running within the Tivoli Integrated Portal, itself based on Embedded WebSphere Application Server, hence these steps are not specific to the Webtop application itself. It is the underlying authentication engine of the TIP that is updated during these steps.

The basic installation of Webtop 2.2 enables a file-based repository located on the TIP (Tivoli Integrated Portal). The default administrator user, tipadmin, is defined within that repository. This example adds the LDAP server to the federated repository so that Webtop can authenticate both file-based and LDAP users.

The administrator must log on with a user ID that has TIP administration rights to complete the federated repository update, and navigate through a number of pages:

  • Security -> Secure administration, applications, and infrastructure
  • Select Available Realm Definitions: Federated Repositories and click Configure
  • Select Add Base Entry to Realm
  • Click Add Repository…

At this point the administrator can add the details of the new repository: the LDAP server or servers. The minimum properties are:

  • Identifier: IDS01 (alias for the LDAP servers)
  • Directory type: IBM Directory Server v6 (The LDAP server type and version)
  • Primary Hostname and port: LDAP01+389 (connection details to the LDAP Server)
  • Bind Distinguished Name and password: cn=root (the credentials the TIP uses to bind to the LDAP server. cn=root is the directory administrator and is used here for brevity; in production bind as a dedicated account with read-only access to the realm, because this password is kept in obfuscated, not encrypted, form in the TIP profile configuration and a compromise of it would otherwise hand over the whole directory)
  • Login properties: uid (the LDAP user attribute utilised as the Webtop log-in ID)

[Figure wt1: the Add Repository dialogue with the properties above]

Optionally, the administrator could define failover LDAP servers and SSL connectivity details; these are outside the scope of this article. Note, however, that over a plain port 389 connection the TIP bind credentials and every user password the TIP verifies cross the network unencrypted, so SSL should be enabled for anything beyond a test environment.

On applying the repository definition dialogue, the administrator is prompted for the distinguished name of the base entry; the value cn=wtrealm,ou=admins,o=tivoli,c=edu, identified from the analysis of the LDAP server, is used for these properties. This configuration is shown in the figure below.

[Figure wt2: the base entry distinguished name]

Finally, on clicking OK, the updated repository details will be displayed, and the administrator will be prompted to save the updates.

[Figure wt3: the updated repository details and the prompt to save]

TIP must be restarted for the updates to take effect. To restart TIP use the standard commands:

$TIPHOME/profiles/TIPProfile/bin/stopServer.sh server1 -username <admin_user> -password <admin_password>
$TIPHOME/profiles/TIPProfile/bin/startServer.sh server1

If -username and -password are omitted, stopServer.sh prompts for them, which keeps the administrator password out of the process list and the shell history.

Assigning Webtop Roles to the LDAP Groups

On restarting TIP, the administrator will be able to view the LDAP groups and users from the TIP navigator under Users and Groups -> Manage Users and Users and Groups -> Manage Groups, as shown below.

[Figure wt5: Manage Users and Manage Groups listing the LDAP entries]

To grant Webtop access to the LDAP users, Administrative Group Roles must be defined for the LDAP groups. Click Add from the navigator Users and Groups -> Administrative Group Roles, type the LDAP group name (case sensitive) in the Group Name entry box and highlight the relevant roles, as shown below.

[Figure wt6: Administrative Group Roles assigned to an LDAP group]

Apply and save these changes.

Replicate LDAP users to the Netcool/OMNIbus ObjectServer database

This final step is required to ensure that Webtop users can successfully execute any available tools. By replicating LDAP user information to the ObjectServer database, OMNIbus UID references can be added to alarms or journal entries. This feature was added with Webtop 2.2 Interim Fix 0004 and is included in Fix Pack 01 for Webtop 2.2. The synchronisation is enabled by default for the WebGUI shipped with Netcool/OMNIbus v7.3.

The synchronisation can be run as a one-off task from the command line, or automated from the Webtop server. All users added to the ObjectServer database are subscribed to a group, vmmusers by default, but this can be user defined.

To run a one-off synchronisation, first configure WAAPI. The key properties in the configuration file $TIPHOME/products/ncw/waapi/etc/waapi.init are the authentication details waapi.user and waapi.password. The defined user must have Webtop administration rights. In its most basic (and insecure, since the administrator password sits in the file in clear text) form the file may contain the following:

waapi.host:localhost
waapi.port:16315
waapi.contextpath:/ibm/console/webtop
waapi.secureport:16316
waapi.user:wtadmin
waapi.password:mypassword
waapi.password.encryption:none
waapi.file:
waapi.timeoutsecs: 600
logfile: %%/log/waapi.log

Assuming the default waapi.init file has been updated, the synchronisation can then be run as demonstrated in the figure below.

[Figure cli1: running the one-off WAAPI user synchronisation from the command line]
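Because waapi.init carries a Webtop administrator credential, the file deserves the same handling as any other secret. The script below is an added example, not part of the original article or of the Webtop product; it audits a copy of the sample file above for group/other access and for a clear-text password. It treats any waapi.password.encryption value other than none as protected, which is an assumption, since the supported values are not covered here.

```shell
#!/bin/sh
# Added example, not part of the original article or of the Webtop product.
# waapi.init carries a Webtop administrator's user name and, with
# waapi.password.encryption set to none, that administrator's password in clear
# text. Anyone who can read the file can drive WAAPI as that administrator, so
# before running the synchronisation check who can read it and whether the
# password is protected. Assumption: any encryption value other than "none" is
# taken as protected; consult the Webtop documentation for the supported setting.

# waapi_prop FILE KEY: print the value of "KEY: value" (whitespace around the value ignored)
waapi_prop() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# audit_waapi_init FILE
# Prints one line per finding; returns the number of findings (0 = clean).
audit_waapi_init() {
    f=$1
    findings=0

    # ls -ld prints the mode first, e.g. -rw-r--r--; columns 5-10 are the
    # group and other bits, all of which should be off for a credential file.
    mode=$(ls -ld "$f" | cut -c1-10)
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "$f: mode $mode allows group/other access; chmod 600 it"
        findings=$((findings + 1))
    fi

    pw=$(waapi_prop "$f" waapi.password)
    enc=$(waapi_prop "$f" waapi.password.encryption)
    if [ -n "$pw" ] && { [ -z "$enc" ] || [ "$enc" = "none" ]; }; then
        echo "$f: waapi.password is stored in clear text (waapi.password.encryption is '${enc:-unset}')"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Demonstration on a constructed copy of the sample waapi.init shown above.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
waapi.host:localhost
waapi.port:16315
waapi.contextpath:/ibm/console/webtop
waapi.secureport:16316
waapi.user:wtadmin
waapi.password:mypassword
waapi.password.encryption:none
waapi.file:
waapi.timeoutsecs: 600
logfile: %%/log/waapi.log
EOF

chmod 644 "$tmp"                       # what a typical default umask leaves behind
n=0; audit_waapi_init "$tmp" || n=$?
echo "findings with mode 644: $n"      # 2: readable by others, password in clear text
chmod 600 "$tmp"
n=0; audit_waapi_init "$tmp" || n=$?
echo "findings with mode 600: $n"      # 1: password still in clear text
rm -f "$tmp"
```

Restricting the mode only limits who on the Webtop host can read the credential; the clear-text finding remains until the password is stored with whatever encryption setting the Webtop documentation supports, and the account named in waapi.user should be one created for the synchronisation rather than a person's administrator login.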

A regular update can be enabled with the property users.credentials.sync in the file $TIPHOME/profiles/TIPProfile/etc/webtop/server.init. Additionally, the default ObjectServer group, vmmusers, can be changed with the property users.credentials.sync.groupname in the same file:

#VMM user synchronisation properties
users.credentials.sync: true
users.credentials.sync.groupname: LDAPUsers

Any changes to this file require a restart of the Webtop server, as described in the section "Update the Webtop Federated repository". The synchronisation runs immediately on restarting the TIP. The figures below show the LDAP users and groups following a replication; note that the descriptions distinguish between the LDAP groups and the custom group that the synchronisation creates.

[Figure nc2: LDAP users replicated into the ObjectServer]

[Figure nc1: LDAP groups and the custom synchronisation group in the ObjectServer]

By default this synchronisation occurs every hour, but the frequency can be changed with the resyncTime attribute of the ncwConfigCacheParameters element in the data source definition file $TIPHOME/profiles/TIPProfile/etc/webtop/datasources/ncwDataSourceDefinitions.xml. The value is in seconds. Note, however, that this parameter also controls how often other OMNIbus objects, for example field conversions, are resynchronised, not just the user synchronisation. The default entry is as follows:

<ncwConfigCacheParameters resyncTime="3600"/>

Conclusions

The time required for user management within an enterprise environment can be significantly reduced through the use of a well designed LDAP server and the integration of the various business applications. The steps detailed within this article enable Webtop users to authenticate using existing LDAP users, reducing the number of user/password combinations they need to remember, reducing the Webtop/OMNIbus administration effort and centralising user maintenance. This basic example can be developed, with the TIP supporting fail-over LDAP Servers, SSL connections and referrals to other LDAP servers.
