IBM Tivoli Monitoring, Version 6.3

Setting up a monitoring dashboard environment with single sign-on and with per user authorization controls

Setup an advanced dashboard environment if you want to use IBM® Dashboard Application Services Hub with monitoring dashboard applications such as IBM Infrastructure Management Dashboards for Servers and IBM Infrastructure Management Dashboards for VMware or with custom dashboards, using single sign-on and permissions that control what monitoring resources a user can access in the dashboards.

By using single sign-on, your IBM Dashboard Application Services Hub users can launch the Tivoli® Enterprise Portal browser client without entering credentials when the portal browser client is started. You can use either authorization policies or Tivoli Enterprise Portal permissions to control what managed systems and managed system groups individual users or members of user groups can access in the dashboards and whether they can display situation events.

To use single sign-on, you must install and configure an LDAP user registry that will contain the credentials of users who will login to IBM Dashboard Application Services Hub and the portal server. Then you configure IBM Dashboard Application Services Hub and the portal server to use the same LDAP user registry to authenticate users and to perform single sign-on using Lightweight Third Party Authentication (LTPA) tokens. You can also use the same LDAP user registry to authenticate users of other applications such as Netcool/OMNIbus WebGUI or Tivoli Business Service Manager if those users will launch the portal client browser or Dashboard Application Services Hub.

Next you configure a dashboard data provider connection from the Dashboard Application Services Hub to the portal server and indicate that single sign-on should be used. The Dashboard Application Services Hub uses a HTTP or HTTPS connection to the dashboard data provider component of the portal server to retrieve monitoring data. Real-time monitoring data is retrieved from the hub monitoring server and monitoring agents and historical monitoring data is retrieved from the Tivoli Data Warehouse. Not all monitoring dashboard applications support retrieving historical data from the Tivoli Data Warehouse.

Dashboard Application Services Hub uses roles, for users or user groups, to control what pages a user can access. However, the dashboard data provider performs the authorization of the monitoring resources that are displayed in those pages. You have two options for authorizing the monitoring resources that can be accessed by dashboard users:

Use the Tivoli Authorization Policy Server and tivcmd Command-Line Interface for Authorization Policy to create roles and permissions, which are collectively called authorization policies.
These authorization policies control which managed systems and managed system groups a dashboard user can access. Roles are created for job functions with permissions to view specific managed systems or managed system groups. Users acquire permissions based on the role (or roles) that user belongs to. Users can be assigned to roles directly or the user groups that they are members of can be assigned to roles. The permissions also specify the type of object that can be accessed for a managed system or managed system group. The supported object types are event (for situation events) and attribute group (for monitoring data retrieved from an agent).

OR
Use Tivoli Enterprise Portal authorization permissions and monitored application assignments for your dashboard users. This is the default authorization method if authorization policies are not enabled in the portal server configuration.
With this option, you create Tivoli Enterprise Portal users for each of your dashboard users using the Tivoli Enterprise Portal User Administration dialog. Using the same dialog, you can grant a user permission to view events and assign the user one or more monitored applications that they can view. These steps can also be performed using the tacmd CLI.

Tivoli Enterprise Portal authorization is less granular than authorization policies. While authorization policies allow you to grant a dashboard user permission to view only specific managed systems or members of specific managed system groups, Tivoli Enterprise Portal authorization is at the monitored application level. In other words, a user is assigned permission to view all managed systems of a particular agent application type, for example all Windows OS agents.

Authorization polices only control which monitored resources can be accessed in monitoring dashboards. If your dashboard users will also use the Tivoli Enterprise Portal client then Tivoli Enterprise Portal permissions and agent application assignments will control what monitored resources can be accessed in the portal client. The set of monitored resources that users can view in dashboards might be different than the monitored resources they can view in the Tivoli Enterprise Portal client. This can occur if the permissions are inconsistent or if the authorization policies are more restrictive.

Example of more restrictive authorization policies: Assume the user is granted permission to view a subset of Windows OS agents in Dashboard Application Services Hub using authorization policies and the user is assigned the Windows OS application type in their Tivoli Enterprise Portal permissions. In this scenario, the user will only see the authorized Windows OS agents in the dashboards but they will see all Windows OS agents when they access the Tivoli Enterprise Portal client.
Example of inconsistent permissions: Assume the user is granted permission to view a subset of Windows OS agents in Dashboard Application Services Hub using authorization policies but the user is not assigned the Windows OS application type in their Tivoli Enterprise Portal permissions. In this scenario, the user will see their authorized Windows OS agents in the dashboards but they will not see any Windows OS agents when they access the Tivoli Enterprise Portal client.

When you are initially setting up your monitoring and dashboard environment, best practice is that you start with Tivoli Enterprise Portal permissions and monitored application assignments. After you are able to see monitoring data in Dashboard Application Services Hub and your administrators have created authorization policies, then reconfigure the portal server if you want to start using authorization policies.

Note: Tivoli Enterprise Portal permissions and authorization policies only control access to monitored resources in the dashboards. They do not control access to monitored resources displayed in reports using Tivoli Common Reporting.

Prerequisites

Install and configure the base IBM Tivoli Monitoring monitoring server, portal server, and portal client components using the instructions in the IBM Tivoli Monitoring Installation and Setup Guide. When configuring the portal server, enable the dashboard data provider.
Install and configure the monitoring agents whose data will be displayed in the monitoring dashboards. Install their application support in the monitoring servers, portal server, and desktop portal client if it is being used, using the instructions in the IBM Tivoli Monitoring Installation and Setup Guide.
Install and configure Dashboard Application Services Hub and your dashboard monitoring applications, see "Required software and memory requirements for a dashboard environment" in the IBM Tivoli Monitoring Installation and Setup Guide. Also see "Installing and configuring the IBM Infrastructure Management Dashboards for Servers" in the IBM Tivoli Monitoring Installation and Setup Guide, if you will be installing that dashboard application.
Determine if you will use authorization policies or Tivoli Enterprise Portal authorization for your dashboard users. If you plan to use authorization policies, install and configure the Tivoli Authorization Policy Server and tivcmd Command-Line Interface for Authorization Policy components using the instructions in the "Installing and configuring the Tivoli Authorization Policy Server and tivcmd Command-Line Interface for Authorization Policy" topic in the IBM Tivoli Monitoring Installation and Setup Guide.

Roadmap

Use the following roadmap to help you get started:

Table 1. Roadmap for setting up a monitoring dashboard environment with single sign-on and with per user authorization controls
Step	Description	Where to find information
1 (required)	Setup an LDAP server such as Tivoli Directory Server or Microsoft Active Directory to authenticate Dashboard Application Services Hub and portal server users and add your users to this registry.	See Prerequisites for configuring LDAP authentication on the portal server, then refer to the documentation for your LDAP server.
2 (required)	Ensure the time is synchronized to UTC on your portal server and Dashboard Application Services Hub.	For more information and for planning considerations for using single sign-on, see About single sign-on.
3 (required)	Use the WebSphere® Administrator Console of IBM Dashboard Application Services Hub to configure the Dashboard Application Services Hub application server to use the LDAP user registry to authenticate users and to enable single sign-on. Note: During the configuration, specify a realm name and a domain name. These same values must be specified when configuring the portal server and any other applications that perform single sign-on with the portal server or the dashboard server. The domain name is the Internet or Intranet domain for which SSO is configured, for example mycompany.com. Only applications available in this domain or its sub-domains are enabled for SSO. A realm identifies a set of federated repositories used by the portal server and other application servers. You can choose your own realm name, but this value must be the same across all applications that are configured for SSO within the specified domain.	Refer to the Jazz for Service Management Configuration Guide in the Jazz for Service Management Information Center for details on configuring Jazz™ for Service Management to use a central user registry, configuring SSO, configuring the LTPA token timeout values, and configuring a TLS/SSL connection to the LDAP server.
4 (required)	Configure the portal server to use an LDAP user registry and specify the realm name and domain used for single sign-on. To configure the portal server to use LDAP, you can use the following options: IBM Manage Tivoli Enterprise Monitoring Services utility itmcmd command line interface on Linux and UNIX TEPS/e administration console You use either IBM Manage Tivoli Enterprise Monitoring Services or the itmcmd command to enable LDAP user validation for the portal server. You can also use these utilities to configure the LDAP connection parameters unless: You want to use a server besides Microsoft Active Directory or Tivoli Directory Server You want to configure TLS/SSL between the portal server and the LDAP server You need to specify advanced LDAP configuration parameters For these scenarios, you specify the type of Other when configuring the portal server and then use the TEPS/e administration console to complete the LDAP connection configuration. Note: You can also export the portal server's LTPA key or import the LTPA key from another application at the same time as configuring LDAP user authentication or you can perform these steps after you have verified the portal server's LDAP authentication is working.	Use the instructions in one of the following topics to enable LDAP user validation on the portal server: Using Manage Tivoli Enterprise Monitoring Services to configure the portal server for LDAP authentication Using the Linux or UNIX command line to configure the portal server for LDAP authentication Then, follow the instructions in Using the TEPS/e administration console if you specified an LDAP server type of Other when enabling LDAP user validation for the portal server. Usage notes: If you are using Microsoft Active Directory, see LDAP user authentication using Microsoft Active Directory for planning and configuration information specific to this type of LDAP server. If you are using Tivoli Directory Server, see Understanding single sign-on between IBM Tivoli Monitoring and Tivoli Integrated Portal using Tivoli Directory Server in the IBM Tivoli Monitoring Wiki. These instructions explain how to map entries configured in Tivoli Directory Server to the information configured using the TEPS/e administration console. Ignore the steps provided for Tivoli Integrated Portal.
5 (required)	Login to the Tivoli Enterprise Portal client as sysadmin, then map your existing Tivoli Enterprise Portal user IDs to LDAP distinguished names except for sysadmin. If you do not have any Tivoli Enterprise Portal user IDs besides `sysadmin`, create a Tivoli Enterprise Portal user ID for at least one of your LDAP users and, when creating the user ID, enter the user's LDAP distinguished name. You will login as one of your LDAP users in a later task to verify that data can be displayed in your monitoring dashboards. Use the Tivoli Enterprise Portal client to assign this user the monitoring applications that will be displayed in the dashboards and permission to view events if situation event data is displayed in the dashboard.	If you have existing Tivoli Enterprise Portal users, see Mapping Tivoli Enterprise Portal user IDs to LDAP distinguished names. If you need to create a new Tivoli Enterprise Portal user ID, see Adding a user ID. See Administer Users for details on assigning monitoring applications and permissions to Tivoli Enterprise Portal users. See Reconfiguring the browser client for SSO if Dashboard Application Services Hub and the portal server are on the same computer.
6 (optional best practice)	Verify that you can login to the Tivoli Enterprise Portal client as an LDAP user who has been mapped to a Tivoli Enterprise Portal user ID.	N/A
7 (optional best practice)	Configure a TLS/SSL connection between the portal server and LDAP server if you want to secure this communication.	Configuring TLS/SSL communication between the portal server and the LDAP server
8 (optional best practice)	Verify that you can login to the Tivoli Enterprise Portal client as an LDAP user who has been mapped to a Tivoli Enterprise Portal user ID.	N/A
9 (required)	You must ensure the following applications are using the same LTPA key as the portal server: A web-based or web-enabled application that launches the Tivoli Enterprise Portal A web-based or web-enabled application that can be launched from the Tivoli Enterprise Portal client IBM Dashboard Application Services Hub Another application such as Tivoli Integrated Portal that uses the IBM Tivoli Monitoring charting web service Determine which application will be the source of the LTPA key for all of the other participating SSO applications and export its LTPA key. The key file and the password used to encrypt the key must be provided to the administrators of the other participating applications.	If you decide that the portal server will be the source of the LTPA key, export its LTPA key using the export instructions in Importing and exporting LTPA keys. If IBM Dashboard Application Services Hub will be the source of the LTPA key, see "Exporting LTPA keys" in the Jazz for Service Management Configuration Guide on the Jazz for Service Management Information Center. Otherwise, refer to the documentation of the application whose LTPA key will be exported to determine how to perform the export operation.
10 (required)	The administrators of the other participating SSO applications must import the LTPA key that was exported in the previous step. They need the key file and the password that was used to encrypt the key.	To import an LTPA key into the portal server, see the import instructions in Importing and exporting LTPA keys. To import an LTPA key into IBM Dashboard Application Services Hub see "Importing LTPA keys" in the Jazz for Service Management Configuration Guide on the Jazz for Service Management Information Center. See the documentation for the other participating SSO applications for instructions on importing the LTPA key.
11 (required)	Login to IBM Dashboard Application Services Hub as an LDAP user who is also a dashboard hub administrative user and create a dashboard data provider connection.	Creating a connection to the IBM Tivoli Monitoring dashboard data provider When creating your connection, select the box Use the credentials of the user (requires SSO Configuration).
12 (required)	While logged into IBM Dashboard Application Services Hub as an administrative user, create a role that controls access to your dashboard application pages and assign dashboard users or user groups to the role. Note: Some dashboard applications such as IBM Infrastructure Management for VMware automatically create a role for its pages when the dashboard application is installed. However, other dashboard applications such as IBM Infrastructure Management Dashboards for Servers do not create a role during installation so you must create one or assign the dashboard pages to an existing role.	Refer to the Jazz for Service Management Administrator's Guide in the Jazz for Service Management Information Center for details on how to work with roles that control access to dashboard pages.
13 (optional best practice)	Login to IBM Dashboard Application Services Hub as an LDAP user who has permission to view your dashboard pages and who has a Tivoli Enterprise Portal user ID that is assigned monitoring applications and permissions to view events. Then launch the dashboard applications, and verify data is displayed.	See your dashboard application's user guide for details on how to launch and use the dashboard. Tip: First select System Status and Health > Dashboard Health Checks to verify your environment is working correctly. Then if you are using Infrastructure Management Dashboards for Servers, select System Status and Health > Server Dashboards. For more information on using Infrastructure Management Dashboards for Servers, see the OS agent user's guides.
14 (optional best practice)	If you want to use HTTPS between Dashboard Application Services Hub and the dashboard data provider, perform these tasks:
	1. Configure TLS/SSL between the dashboard hub and data provider.	Configuring TLS/SSL communication between Dashboard Application Services Hub and the dashboard data provider
	2. Login to IBM Dashboard Application Services Hub as an administrative user who has been assigned the `administrator` and `iscadmins` roles and delete the dashboard data provider connection that you previously created.	Refer to the IBM Dashboard Application Services Hub online help and the Jazz for Service Management Integration Guide in the Jazz for Service Management Information Center for details on how to work with data provider connections.
	3. While still logged into IBM Dashboard Application Services Hub as an administrative user, create the connection again and this time specify HTTPS as the protocol.	Creating a connection to the IBM Tivoli Monitoring dashboard data provider When creating your connection, select the box Use the credentials of the user (requires SSO Configuration).
	4. Login to IBM Dashboard Application Services Hub as a user who has permission to view your dashboard pages, then launch the dashboard application again and verify data is displayed.	See your dashboard application's user guide for details on how to launch and use the dashboard. Tip: First select System Status and Health > Dashboard Health Checks to verify your environment is working correctly. Then if you are using Infrastructure Management Dashboards for Servers, select System Status and Health > Server Dashboards. For more information on using Infrastructure Management Dashboards for Servers, see the OS agent user's guides.
15 (optional)	If you want to use authorization policies, perform these tasks:
	1. Use the tivcmd CLI to assign authorization policy administrators, assign a user permission to distribute authorization policies, and create authorization policies to control which monitored resources your dashboard users can access. Note: After you have verified that you can use the tivcmd CLI to login to the Authorization Policy Server, configure TLS/SSL between the tivcmd CLI and the Authorization Policy Server so that subsequent commands are secured.	Preparing to enable authorization policies and Configuring TLS/SSL communication with the Authorization Policy Server
	2. Enable authorization policy checking in the portal server. Note: Once this task is performed, only dashboard users who are assigned an authorization policy role will be able to view monitored resources in your dashboards.	Enabling authorization policies in the portal server
	3. Login to IBM Dashboard Application Services Hub as an LDAP user who has permission to view your dashboard pages and who has been assigned one or more authorization policy roles that give the user permission to view attribute group data, situation event data, or both for the managed systems or managed system groups that they can be displayed in your dashboard pages. Launch the dashboard pages and verify that the user can only see the monitored resources that they have been authorized for.	See your dashboard application's user guide for details on how to launch and use the dashboard. Tip: First select System Status and Health > Dashboard Health Checks to verify your environment is working correctly. Then if you are using Infrastructure Management Dashboards for Servers, select System Status and Health > Server Dashboards. For more information on using Infrastructure Management Dashboards for Servers, see the OS agent user's guides.
	4. Configure the portal server to use TLS/SSL when retrieving authorization policies from the Dashboard Application Services Hub where the Authorization Policy Server is installed.	Configuring TLS/SSL communication with the Authorization Policy Server

After you have the advanced dashboard monitoring environment setup, you might also need to perform the following tasks:

Table 2. Additional tasks required to setup your advanced monitoring environment with single sign-on and with per user authorization controls
Task	Where to find information
Create situation definitions for events that your dashboard users will monitor.	See Situations for event monitoring in the Tivoli Enterprise Portal User's Guide and also see the IBM Tivoli Monitoring Command Reference for information on the tacmd commands used to work with situations.
Create managed system groups that can be used to group managed systems for display in dashboard pages.	See Managing the environment in the Tivoli Enterprise Portal User's Guide and also see the IBM Tivoli Monitoring Command Reference for information on the tacmd commands used to work with system lists.
Configure historical data collection if you want to display historical data in your dashboard pages. Note: Not all monitoring dashboard applications support retrieving historical data from the Tivoli Data Warehouse.	Managing historical data
For each new dashboard user: Ensure the dashboard user has permission to access the dashboard pages that they will work with. Determine if the user can be added to an existing LDAP group that is assigned to a Dashboard Application Services Hub role. If there is not an existing LDAP group that the user can be assigned to, complete one of the following tasks: Best practice is to create a new LDAP group, add the user to the group, and then assign the group to a Dashboard Application Services Hub role that has permission to view the appropriate dashboard pages. OR Assign the dashboard user directly to a Dashboard Application Services Hub role that has permission to view the appropriate dashboard pages.	Refer to the Jazz for Service Management Administrator's Guide in the Jazz for Service Management Information Center for details on how to work with roles that control access to dashboard pages. See your LDAP server documentation for details on adding users to LDAP groups.
For each new dashboard user: If authorization polices are being used, ensure the dashboard user is assigned to one or more authorization policy roles that give the user permission to view attribute group data, situation event data, or both for the managed systems or managed system groups that they will be monitoring. Determine if the user can be added to an existing LDAP group that is already assigned authorization policy roles with the required permissions. If the user cannot be added to an existing LDAP group, complete one of the following tasks: Best practice is to create a new LDAP group, add the user to the group, and then assign the group to the authorization policy roles. OR Assign the dashboard user directly to the authorization policy roles.	See your LDAP server documentation for details on adding users to LDAP groups. See Policy management scenarios and the IBM Tivoli Monitoring Command Reference chapter on the tivcmd CLI for details on creating and working with authorization policies.
For each new dashboard user: If Tivoli Enterprise Portal authorization is being used to control what monitored resources can be accessed in your dashboards, or if the new dashboards user will use the Tivoli Enterprise Portal client, then ensure the Tivoli Enterprise Portal user has the correct permission. First ensure there is a Tivoli Enterprise Portal user ID mapped to the dashboard user's LDAP distinguished name. Then determine if the Tivoli Enterprise Portal user should be assigned to an existing Tivoli Enterprise Portal group that is assigned the permissions and monitoring applications required by the new dashboard user. If there is not an existing group that can be used, complete one of the following tasks: Best practice is to create a new Tivoli Enterprise Portal group, add the user to the group, and assign the group the appropriate permissions and application types. Assign the Tivoli Enterprise Portal user the appropriate permissions and monitoring applications directly. If a dashboard user will not use the Tivoli Enterprise Portal client, they only need permission to view events and should be assigned the monitoring applications that they will be monitoring in the dashboard pages. For example, if the dashboard user will be using the Infrastructure Management Dashboards for Servers then they need to be assigned one or more of these application types: Linux OS, UNIX OS, or Windows OS. If the dashboard user will also use the Tivoli Enterprise Portal client, they might need additional permissions.	See Managing user IDs for details on creating new Tivoli Enterprise Portal user IDs. See Managing user groups for details on adding Tivoli Enterprise Portal user IDs to groups. See Administer Users for details on assigning monitoring applications and permissions to Tivoli Enterprise Portal users and groups.
Create custom dashboard pages and ensure the dashboard users are assigned a Dashboard Application Services Hub role with permission to view the custom pages.	Creating custom dashboard pages that display monitoring data
Install a new monitoring dashboard application in Dashboard Application Services Hub, assign the dashboard's pages to a new or existing role, and assign LDAP users or user groups to the role that controls access to the pages. Note: Some dashboard applications automatically create a role for its pages when the dashboard application is installed. If authorization policies are being used, ensure the dashboard users that have access to the new pages are assigned to one or more authorization policy roles that give the users permission to view attribute group data, situation event data, or both for the managed systems or managed system groups that they will be monitoring using the new dashboard application. Assign the dashboard user's Tivoli Enterprise Portal user ID or group the monitoring applications that will be displayed in the new dashboard application, if the dashboard user will also use the Tivoli Enterprise Portal client, or if Tivoli Enterprise Portal authorization are being used instead of authorization policies. Note: The application support for the agent must be installed in the portal server and monitoring server before you can see the agent's data in the new dashboards. If the application support is installed using the self-describing agent function, the portal server must be restarted so that the dashboard data provider can use the new support package.	Follow the dashboard application's installation documentation. Then, refer to the Jazz for Service Management Administrator's Guide in the Jazz for Service Management Information Center for details on how to work with roles that control access to dashboard pages. See Using role-based authorization policies and the IBM Tivoli Monitoring Command Reference chapter on the tivcmd CLI for details on creating and working with authorization policies. Also see Administer Users for details on how to assign agent applications to a Tivoli Enterprise Portal user. The IBM Tivoli Monitoring Installation and Setup Guide includes information on how to install application support.
Determine if you want to control UISolutions imports. (New and updated dashboard applications automatically import their UISolutions definitions into the dashboard data provider.)	Controlling UISolutions imports

Feedback