There are three server component in OMNIBus that can be configured to use PAM authentication, Process Agent, Objectserver and Gateways.information about how to configure PAM authentication for Process Agent (nco_pad) and Objectserver (nco_objserv) are very well documented in OMNIBus Administration Guide, however, if you follow the Gateway documentation and try to configure PAM for Gateways, you will end up with no success.
The general configuration steps for this task are:
1. Configure Gateway to use PAM authentication.
2. Create PAM module for Gateway.
The first step is documented in the Gateway and Probe Guide. What you need to do is to configure following two properties in gateway propsfile:
Gate.UnixAdminGrp: 'ncoadmin' # STRING (UNIX authentication admin group name.)
Gate.UsePamAuth: FALSE # BOOLEAN (Use PAM as authentication system.)
or use command line options:
-unixadmingrp UNIX authentication admin group name. (default: 'ncoadmin')
-usepamauth Use PAM as authentication system. (default: 'FALSE')
The second step is not mentioned by Objectserver Gateway Guide(pre 7.3), or with wrong information(7.3).
Common sense applies here, as we know from PA and Objectserver need to have their PAM module configured, we must need similar thing for Gateway. the PAM module for PA and Objectserver are 'netcool' and 'nco_objserv' respectfully, but what's the PAM module for gateways?
OMNIBus 7.3 Gateway and Probe Guide says it uses module 'netcool', that means no extra configuration is needed as this module should already be configured when we configure PA. However, when we try to login into gateway using nco_sql we get an authentication failure.
To find out which PAM module does a gateway use, we can use strace on linux(or truss on Solaris/AIX).
following are steps I used on linux in order to find the exact module name used by a particular gateway:
1. Configure the gateway to use PAM authentication, start the gateway as normal, find the PID of the gateway.
----------------------------------
[netcool@dlvomn01 bin]$ ps -ef|grep nco_g
netcool 3706 3245 0 03:59 ? 00:00:00 /opt/IBM/tivoli/netcool/omnibus/bin/linux2x86/nco_g_tivoli_eif -propsfile /opt/IBM/tivoli/netcool/omnibus/etc/D_BABG_TEC_GATE.props
netcool 3747 3245 0 03:59 ? 00:00:03 /opt/IBM/tivoli/netcool/omnibus/platform/linux2x86/bin/nco_g_objserv_bi -propsfile /opt/IBM/tivoli/netcool/omnibus/etc/D_BABG_BI_GATE.props
----------------------------------
2. run strace as root, attach to the PID of the gateway
----------------------------------
[root@dlvomn01 ~]# strace -f -o /tmp/gateway.trace -p 3706
Process 3706 attached with 21 threads - interrupt to quit
----------------------------------
3. try login into the gateway using nco_sql
----------------------------------
[netcool@dlvomn01 bin]$ pwd
/opt/IBM/tivoli/netcool/omnibus/bin
[netcool@dlvomn01 bin]$ ./nco_sql -server D_BABG_BI_GATE -user netcool -password 'netcool'
Failed to connect
Error: Failed to get login token
----------------------------------
4. stop the strace.
5. check the trace file.
The trace file looks very complicated unless you are a programmer, however we don't need to understand every bit of it to do some basic trouble shooting. In this case we know that we are trouble shooting a pam issue and on linux the pam configuration files are in /etc/pam.d/ directory.
---------------------------------
[root@dlvomn01 pam.d]# grep pam /tmp/gateway.trace
18223 stat64("/etc/pam.d", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
18223 open("/etc/pam.d/nco_g_objserv_bi", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
18223 open("/etc/pam.d/other", O_RDONLY|O_LARGEFILE) = 19
18223 open("/lib/security/pam_deny.so", O_RDONLY) = 20
---------------------------------
we can see that the bi-directional gateway tried to open file /etc/pam.d/nco_g_objserv_bi and failed with error message "-1 ENOENT (No such file or directory)", from this we can guess that the PAM module for the bi-directional objectserver gateway is nco_g_objserv_bi, which is different with documentation.
This technique can be used on any
Netcool Gateways, for example I find the PAM module for EIF gateway
is called nco_g_tivoli_eif using exactly the same technique.so far we can guess that the PAM module name is same as the gateway binary name.
6. once we find the exact name of the PAM module for the gateway, we can just create the module by copying passwd module, make sure the netcool user can read this file:
---------------------------------
[root@dlvomn01 pam.d]# cp /etc/pam.d/login /etc/pam.d/nco_g_objserv_bi
[root@dlvomn01 pam.d]# ls -lart /etc/pam.d/nco_g_objserv_bi
-rw-r--r-- 1 root root 643 Apr 21 13:13 /etc/pam.d/nco_g_objserv_bi
---------------------------------
7. restart the gateway and you should be able to login into the gateway using your PAM credentials.
---------------------------------
[netcool@dlvomn01 bin]$ ./nco_sql -server D_BABG_BI_GATE -user netcool -password "netcool"
1>
---------------------------------
Now you can login into the gateway, the immediate benefit of this in production is that you can change messagelevel on the fly without restarting the gateway:
---------------------------------
[netcool@dlvomn01 bin]$ ./nco_sql -server D_BABG_BI_GATE -user netcool -password "netcool"
1> set log level to debug;
2> go
Previous Level Current Level
-------------------- -----------
debug debug
(1 row affected)
---------------------------------
Anyone with active Support contract can now raise an APAR against the gateway documentation with above information.
To sum it up, following are what you need to do to configure your gateway to use PAM authentication on linux:
1. Configure Gateway to use PAM authentication, using following two properties in gateway propsfile:
Gate.UnixAdminGrp: 'ncoadmin' # STRING (UNIX authentication admin group name.)
Gate.UsePamAuth: FALSE # BOOLEAN (Use PAM as authentication system.)
or use command line options:
-unixadmingrp UNIX authentication admin group name. (default: 'ncoadmin')
-usepamauth Use PAM
as authentication system. (default: 'FALSE')
-----------------------------------------
[root@dlvomn01 pam.d]# cp /etc/pam.d/login /etc/pam.d/nco_g_objserv_bi
------------------------------------------
3. restart gateway.
