Configuring IMPACT to Authenticate against the ObjectServer

Impact can be configured to use the ObjectServer to authenticate and authorise users. This tip outlines the steps needed to accomplish this.

Stop the embedded WebSphere Application Server

$NCHOME/bin/ewas.sh stop -username wasadmin -password netcool

Install the Virtual Member Manager (VMM)

The install-vmm4ncos.sh script is used to install the VMM. The usage of this script is:

install-vmm4ncos.sh <ObjectServer_user> <ObjectServer_password> <ObjectServer_host:port>

You can specify multiple ObjectServers (a failover pair for example). To do so the list must be quoted so it is passed to the script as a single argument e.g. “carl:4100 lenny:4100”

sh $NCHOME/etc/tivoli-vmm4ncos/bin/install-vmm4ncos.sh root "" carl:4100

Restart the embedded WebSphere Application Server

$NCHOME/bin/ewas.sh start

Create ObjectServer groups to control authorisation

Impact defines 3 roles available for users – IMPACT_USER, NETCOOL_ADMIN and OPVIEW_USER. A group for each role should be created in the ObjectServer. In the screenshot below you can see that I have created the groups ImpactUser, NetcoolAdmin and OpViewUser:

os groups2

Edit the VMM configuration file

The group to role mapping information is maintained in the file $NCHOME/etc/tivoli-vmm4ncos/guiserver.settings. The role setting information is at the bottom of the file. Uncomment the role.XXXXX.group lines and add the names of the groups just created.

role.IMPACT_USER.user=admin
role.IMPACT_USER.group=ImpactUser

role.NETCOOL_ADMIN.user=admin
role.NETCOOL_ADMIN.group=NetcoolAdmin

role.OPVIEW_USER.user=admin
role.OPVIEW_USER.group=OpViewUser

Update the role information

Note that this command will prompt for the embedded WAS admin user and password, so make sure you have a valid DISPLAY set. You must be in the $NCHOME/etc/tivoli-vmm4ncos directory for the update-impact-roles.sh command to work.

cd $NCHOME/etc/tivoli-vmm4ncos/bin
sh $NCHOME/etc/tivoli-vmm4ncos/bin/update-impact-roles.sh

You should now be able to add users to the groups in Omnibus.

It looks like Impact does some caching of group information as it can take 30 minutes or so for group changes to be detected. Re-running the update-impact-roles.sh script forces the changes to take effect.

Visits: 356