
Configuring PAM authentication for OMNIBus Gateways

Yulei.Liu.AU 270001E5WU | | Tags:  gateways netcool omnibus tivoli pam authentication | 2 Comments | 10,549 Views

 

There are three server components in OMNIBus that can be configured to use PAM authentication: the Process Agent, the Objectserver and Gateways. How to configure PAM authentication for the Process Agent (nco_pad) and the Objectserver (nco_objserv) is very well documented in the OMNIBus Administration Guide. However, if you follow the Gateway documentation and try to configure PAM for Gateways, it will not work.

The general configuration steps for this task are:

1. Configure Gateway to use PAM authentication.

2. Create PAM module for Gateway.

The first step is documented in the Gateway and Probe Guide. What you need to do is configure the following two properties in the gateway propsfile (the values shown are the defaults; set Gate.UsePamAuth to TRUE to enable PAM):

Gate.UnixAdminGrp: 'ncoadmin' # STRING (UNIX authentication admin group name.)

Gate.UsePamAuth: FALSE # BOOLEAN (Use PAM as authentication system.)

or use command line options:

-unixadmingrp UNIX authentication admin group name. (default: 'ncoadmin')

-usepamauth Use PAM as authentication system. (default: 'FALSE')

The second step is either not mentioned in the Objectserver Gateway Guide (pre-7.3) or documented with wrong information (7.3).

Common sense applies here: since we know that the PA and the Objectserver each need their PAM module (the service file under /etc/pam.d) configured, we must need something similar for the Gateway. The PAM modules for the PA and the Objectserver are 'netcool' and 'nco_objserv' respectively, but what is the PAM module for gateways?

The OMNIBus 7.3 Gateway and Probe Guide says the gateway uses the module 'netcool', which would mean no extra configuration is needed, as this module should already be configured when we configure the PA. However, when we try to log in to the gateway using nco_sql, we get an authentication failure.

To find out which PAM module a gateway uses, we can use strace on Linux (or truss on Solaris/AIX).

Following are the steps I used on Linux to find the exact module name used by a particular gateway:

1. Configure the gateway to use PAM authentication, start the gateway as normal, and find the PID of the gateway.

----------------------------------
[netcool@dlvomn01 bin]$ ps -ef|grep nco_g
netcool 3706 3245 0 03:59 ? 00:00:00 /opt/IBM/tivoli/netcool/omnibus/bin/linux2x86/nco_g_tivoli_eif -propsfile /opt/IBM/tivoli/netcool/omnibus/etc/D_BABG_TEC_GATE.props
netcool 3747 3245 0 03:59 ? 00:00:03 /opt/IBM/tivoli/netcool/omnibus/platform/linux2x86/bin/nco_g_objserv_bi -propsfile /opt/IBM/tivoli/netcool/omnibus/etc/D_BABG_BI_GATE.props
----------------------------------

2. Run strace as root and attach it to the PID of the gateway.

----------------------------------
[root@dlvomn01 ~]# strace -f -o /tmp/gateway.trace -p 3706
Process 3706 attached with 21 threads - interrupt to quit
----------------------------------

3. Try to log in to the gateway using nco_sql.

----------------------------------
[netcool@dlvomn01 bin]$ pwd
/opt/IBM/tivoli/netcool/omnibus/bin
[netcool@dlvomn01 bin]$ ./nco_sql -server D_BABG_BI_GATE -user netcool -password 'netcool'
Failed to connect
Error: Failed to get login token
----------------------------------

4. Stop the strace.

5. Check the trace file.

The trace file looks very complicated unless you are a programmer, but we don't need to understand every bit of it to do some basic troubleshooting. In this case we know that we are troubleshooting a PAM issue, and on Linux the PAM configuration files are in the /etc/pam.d/ directory.

---------------------------------
[root@dlvomn01 pam.d]# grep pam /tmp/gateway.trace
18223 stat64("/etc/pam.d", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
18223 open("/etc/pam.d/nco_g_objserv_bi", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
18223 open("/etc/pam.d/other", O_RDONLY|O_LARGEFILE) = 19
18223 open("/lib/security/pam_deny.so", O_RDONLY) = 20
---------------------------------

We can see that the bi-directional gateway tried to open the file /etc/pam.d/nco_g_objserv_bi and failed with the error "-1 ENOENT (No such file or directory)". PAM then fell back to /etc/pam.d/other, which loaded pam_deny.so, so the login was refused. From this we can guess that the PAM module for the bi-directional Objectserver gateway is nco_g_objserv_bi, which differs from the documentation.

This technique can be used on any Netcool gateway; for example, I found that the PAM module for the EIF gateway is called nco_g_tivoli_eif using exactly the same technique. So far we can guess that the PAM module name is the same as the gateway binary name.

6. Once we have found the exact name of the PAM module for the gateway, we can create the module by copying the passwd module. Make sure the netcool user can read this file:

---------------------------------
[root@dlvomn01 pam.d]# cp /etc/pam.d/login /etc/pam.d/nco_g_objserv_bi
[root@dlvomn01 pam.d]# ls -lart /etc/pam.d/nco_g_objserv_bi
-rw-r--r-- 1 root root 643 Apr 21 13:13 /etc/pam.d/nco_g_objserv_bi
---------------------------------

7. Restart the gateway, and you should be able to log in to the gateway using your PAM credentials.

---------------------------------
[netcool@dlvomn01 bin]$ ./nco_sql -server D_BABG_BI_GATE -user netcool -password "netcool"
1>
---------------------------------

Now that you can log in to the gateway, the immediate benefit in production is that you can change the message level on the fly without restarting the gateway:

---------------------------------
[netcool@dlvomn01 bin]$ ./nco_sql -server D_BABG_BI_GATE -user netcool -password "netcool"
1> set log level to debug;
2> go
Previous Level Current Level
-------------------- -----------
debug debug
(1 row affected)
---------------------------------

Anyone with an active Support contract can now raise an APAR against the gateway documentation with the above information.

To sum up, here is what you need to do to configure your gateway to use PAM authentication on Linux:

1. Configure the Gateway to use PAM authentication, using the following two properties in the gateway propsfile (the values shown are the defaults; set Gate.UsePamAuth to TRUE to enable PAM):
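
The trace check in step 5 can be scripted. The following is an added example, not part of the original post: a POSIX shell function that reads strace output and reports which /etc/pam.d service files a process asked for and whether PAM fell back to 'other' and pam_deny.so. The function names and the sample line for PID 4242 are constructed for illustration; the other sample lines are the ones shown in the trace above.

```shell
#!/bin/sh
# Summarise PAM service-file lookups found in "strace -f -o FILE" output.
# Reads the trace from the files given as arguments, or from stdin.
# Limitation: syscalls split into "<unfinished ...>" / "resumed" pairs
# are not reassembled, so their result is not evaluated.
pam_trace_summary() {
    awk '
    /open(at)?\(/ && match($0, /"\/etc\/pam\.d\/[^"]+"/) {
        # Matched text is "/etc/pam.d/NAME" including both quotes.
        name = substr($0, RSTART + 12, RLENGTH - 13)
        failed = ($0 ~ /= -1 /)
        if (name == "other") { if (!failed) fallback = 1; next }
        if (!(name in state)) order[++n] = name
        state[name] = failed ? "MISSING" : "FOUND"
        next
    }
    # A successful open of pam_deny.so means the login will be refused.
    /open(at)?\(/ && /pam_deny\.so"/ && $0 !~ /= -1 / { deny = 1 }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (state[s] == "FOUND") { print "FOUND " s; continue }
            note = fallback ? "fell back to /etc/pam.d/other" : "no fallback seen"
            if (deny) note = note ", pam_deny.so loaded"
            print "MISSING " s " -> " note
        }
    }' "$@"
}

# Sample input: the four PID 18223 lines come from the trace in this post;
# the PID 4242 line is constructed to show the newer openat() format.
sample_trace() {
    cat <<'EOF'
18223 stat64("/etc/pam.d", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
18223 open("/etc/pam.d/nco_g_objserv_bi", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
18223 open("/etc/pam.d/other", O_RDONLY|O_LARGEFILE) = 19
18223 open("/lib/security/pam_deny.so", O_RDONLY) = 20
4242 openat(AT_FDCWD, "/etc/pam.d/netcool", O_RDONLY) = 21
EOF
}

sample_trace | pam_trace_summary
```

On a real system, pass the trace file instead: pam_trace_summary /tmp/gateway.trace. A MISSING line names the file that has to exist under /etc/pam.d for that gateway.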

Gate.UnixAdminGrp: 'ncoadmin' # STRING (UNIX authentication admin group name.)

Gate.UsePamAuth: FALSE # BOOLEAN (Use PAM as authentication system.)

or use command line options:

-unixadmingrp UNIX authentication admin group name. (default: 'ncoadmin')

-usepamauth Use PAM as authentication system. (default: 'FALSE')


2. Create a PAM module for your gateway:

-----------------------------------------
[root@dlvomn01 pam.d]# cp /etc/pam.d/login /etc/pam.d/nco_g_objserv_bi
------------------------------------------

3. Restart the gateway.