Configuring Tivoli Netcool/OMNIbus to use LDAP for external authentication

Tivoli Netcool/OMNIbus supports external authentication of ObjectServer users whose passwords are stored in a Lightweight Directory Access Protocol (LDAP) compliant repository.

Before you begin

Obtain the following LDAP configuration data from your LDAP administrator:
  • If all users that require access to Tivoli Netcool/OMNIbus belong to the same organizational unit, request the distinguished name template for that organizational unit from your LDAP administrator. The template provides the value of the DistinguishedName property in the Tivoli Netcool/OMNIbus LDAP properties file.

    For example, in the template cn=%s,ou=Development,o=ABCcorp, the base distinguished name that all users belong to is ou=Development,o=ABCcorp and the cn field maps to a user name in the ObjectServer user repository. When a user logs in to the ObjectServer, the ObjectServer replaces the %s variable with the user name and submits the entire string to the LDAP server for authentication.

  • If the users belong to multiple organizational units, you must configure the ObjectServer to do an LDAP search for each user's distinguished name. Request the following information from your LDAP administrator:
    • The distinguished name of the root organizational unit for all users or a list of the organizational units that each user belongs to.

      The distinguished name or list of organizational units provides the value of the LDAPSearchBase property in the Tivoli Netcool/OMNIbus LDAP properties file.

    • A template to generate an LDAP search filter for each Tivoli Netcool/OMNIbus user.

      The template (for example: (cn=%s)) provides the value of the LDAPSearchFilter property in the Tivoli Netcool/OMNIbus LDAP properties file.

  • Confirm whether a bind distinguished name is required for write operations, to obtain user and group information, or to perform searches.
    • If a bind distinguished name is required, you must specify values for the LDAPBindDn and LDAPBindPassword properties in the Tivoli Netcool/OMNIbus LDAP properties file. The ObjectServer uses these values to make a persistent connection to the LDAP server and to issue authentication bind requests and searches.
    • Functionality delivered in fix pack 23: If the LDAPBindPassword property needs to be updated periodically, the Props.LiveUpdate property can be included in the file and set to TRUE. If this flag is set, the ObjectServer rereads the properties file and uses the updated password without the need to stop or restart the ObjectServer.
    • If a bind distinguished name is not required, remove or comment out the LDAPBindDn and LDAPBindPassword properties in the Tivoli Netcool/OMNIbus LDAP properties file. The ObjectServer then binds to LDAP anonymously.
  • Review the Tivoli Netcool/OMNIbus LDAP properties file settings and request any other information that you require, such as the LDAP server host name and port number.
  • Use the ldapsearch utility to test your configuration before implementing it in the ObjectServer.
Note: When the ObjectServer connects to an LDAP server over an SSL connection, it acts as a client when it initiates the SSL connection. If you configure an SSL connection, the ObjectServer must verify the signature on the certificate that is presented by the LDAP server and it requires the public key of the issuing certificate authority (CA) to do this. Work with your LDAP administrator to obtain the self-signed root certificate that is issued by the CA. You must add this certificate to the ObjectServer key database.

CA certificates for all LDAP servers that the ObjectServer will connect to must be listed in the keystore.

For more information about setting up the LDAP configuration of the ObjectServer, see this technote: https://www.ibm.com/support/pages/example-netcool-omnibus-objectserver-ldap-configuration

If you configured Tivoli Netcool/OMNIbus to operate in FIPS 140-2 mode with SSL, the LDAP interface must also be configured for FIPS 140-2 operation. Consult your LDAP administrator to verify that the required encryption support is in place for FIPS 140-2 operation.

About this task

You can configure the ObjectServer to act as an LDAP client so that users that connect to the ObjectServer have their passwords authenticated in an LDAP server. You can use a single LDAP server to authenticate all Tivoli Netcool/OMNIbus users, including users who access the desktop components.

User details are stored in the ObjectServer user repository and user entries are configured to authenticate externally. User passwords are not stored in the ObjectServer. When a user logs in to the ObjectServer, the ObjectServer locates the user entry in its repository and binds to the LDAP repository to authenticate the user.

Note: The default behavior of the ObjectServer when it is authenticating a user is to assume that a plaintext password is used. If a login fails with a plaintext password, the ObjectServer assumes an encrypted password and attempts to decrypt it and reauthenticate the user. When a password is invalid, this can result in two failed login attempts. If you want to avoid a second login attempt to LDAP when the first attempt fails, modify the ObjectServer WTPasswordCheck property to suit your setup.
Restriction:
  • Tivoli Netcool/OMNIbus is not intended to be used to manage user accounts in LDAP, and so does not provide the capability to change passwords in an LDAP server.
  • The LDAP module that is used by the ObjectServer connects to a single LDAP server instance. The Web GUI component, which is deployed in the Tivoli® Integrated Portal, can connect to multiple LDAP repositories.

Procedure

To set up LDAP authentication, follow the instructions in the following table.
For each step, links are provided to requisite tasks that describe how to perform each step, or to topics that contain more information.
Table 1. Steps for configuring the product to use LDAP. Each step lists the action first, followed by the topics under "More information" that describe it.
1. Configure the Tivoli Netcool/OMNIbus LDAP properties file ($NCHOME/omnibus/etc/ldap.props) with the settings that you obtained from your LDAP administrator.

If authorization performance is a concern, and all the required users belong to a single organizational unit, use the DistinguishedName property to create a direct bind to LDAP. Otherwise, use the LDAPSearchBase and LDAPSearchFilter properties to perform a search for distinguished names.

More information: LDAP properties

2. Configure the ObjectServer to use LDAP authentication by setting the Sec.ExternalAuthentication property to LDAP. Authorization is managed in the ObjectServer.
More information: ObjectServer properties and command-line options
3. SSL only: If a key database does not exist on the ObjectServer host, create one.
More information: About the key database files; Creating a key database

4. SSL only: Ensure that the public CA certificates for all LDAP servers that the ObjectServer will connect to are added to the certificate key database. These certificates are required so that the ObjectServer can validate its connection to the LDAP server(s).

More information: Adding certificates from CAs
5. SSL only: Ensure that the following SSL properties are set in the ldap.props file:
  • SSLEnabled: Set this property to TRUE.
  • SSLport: Specify the port number on which the LDAP server listens for LDAP connections over SSL.
  • SSLKeyStoreLabel: Specify the label of the certificate that the ObjectServer presents to the LDAP server. This property is required only if the LDAP server has been set up to require a client certificate as part of the authentication process.
More information: LDAP properties
6. Configure each Tivoli Netcool/OMNIbus external user for external authentication. Use Netcool/OMNIbus Administrator (nco_config) for this task or, in the SQL interactive interface, use the CREATE USER command or the ALTER USER command.
If you use Netcool/OMNIbus Administrator, complete the following details in the User Details pane:
  • Username: Type a user name that is identical to the name stored in the external authentication repository.
  • Password: Leave this field blank. Passwords are stored in the external repository.
  • Verify: Leave this field blank.
  • External Authentication: Select this check box.

If you use the SQL interactive interface, ensure that the user name is identical to the name stored in the external authentication repository, that no password is specified, and that the PAM keyword is set to TRUE.

More information: Creating and editing users; CREATE USER command; ALTER USER command

7. Optional: Use the nco_keygen utility to generate a key file, and then use the nco_aes_crypt utility to encrypt the LDAP bind password.
After you have encrypted the password, edit the ldap.props file again and set the following properties:
  • ConfigCryptoAlg: Set this property to AES.
  • Hostname
  • ConfigKeyFile: The key file that nco_keygen generated.
  • LDAPBindPassword: The encrypted value that nco_aes_crypt produced.
  • LDAPBindDn
More information: Setting up property value encryption; LDAP properties

8. If Web GUI user accounts are created in the ObjectServer by the synchronization process with the LDAP server, and these users need access to desktop tools (such as the Conductor and the event list), perform the following tasks:
  • Enable the users in the ObjectServer.
  • Add the users to the Normal group to ensure that they have sufficient permissions to display and manipulate alerts in the event list, create filters and views, and run standard tools on alerts.
To edit the user details in Netcool/OMNIbus Administrator, access the User Details window, select the User Enabled check box on the Settings tab, and then use the Groups tab to assign the user to the Normal group. Alternatively, from the SQL interactive interface, run the ALTER USER command with ENABLED set to TRUE, and then run the ALTER GROUP command with the ASSIGN MEMBERS setting.
More information: Creating and editing users; ALTER USER command
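Steps 6 and 8 both come down to a handful of ObjectServer SQL statements, so the following shell script is added here as a worked example (it is not part of the Tivoli Netcool/OMNIbus documentation or product). It generates the statements for a new externally authenticated user, for an existing user being switched to external authentication, and for a user created by Web GUI synchronization that needs enabling and Normal group membership, and pipes a batch into nco_sql. The ObjectServer name NCOMS, the user names and the install path are constructed placeholders, and the statement forms are built from the CREATE USER, ALTER USER, PAM, ENABLED and ASSIGN MEMBERS keywords the steps name; confirm the exact syntax against the command reference for your release.

```shell
#!/bin/sh
# Added example; not the product's own tooling. Emits ObjectServer SQL for
# externally authenticated users and applies it through nco_sql.
# Placeholders (assumptions): NCHOME install path, ObjectServer name NCOMS.

NCHOME="${NCHOME:-/opt/IBM/tivoli/netcool}"   # assumption: install location
OS_NAME="${OS_NAME:-NCOMS}"                   # assumption: ObjectServer name

# ObjectServer SQL string literals double any embedded single quote, so a
# full name such as O'Brien cannot break out of the literal.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Step 6, new user: no PASSWORD clause (the password is held only in LDAP)
# and PAM TRUE so the ObjectServer sends the login to LDAP. The user name
# must be spelled exactly as it appears in the LDAP entry.
create_external_user_sql() {
    printf "CREATE USER '%s' FULL NAME '%s' PAM TRUE ENABLED TRUE;\n" \
        "$(sql_quote "$1")" "$(sql_quote "$2")"
}

# Step 6, existing user: switch an account that already exists in the
# ObjectServer repository to external authentication.
convert_existing_user_sql() {
    printf "ALTER USER '%s' SET PAM TRUE;\n" "$(sql_quote "$1")"
}

# Step 8: enable a user created by Web GUI synchronization and add it to
# the Normal group so the event list and standard tools are usable.
enable_synced_user_sql() {
    u=$(sql_quote "$1")
    printf "ALTER USER '%s' SET ENABLED TRUE;\n" "$u"
    printf "ALTER GROUP 'Normal' ASSIGN MEMBERS '%s';\n" "$u"
}

# Run a batch through nco_sql. 'go' executes the statements that precede
# it. The administrative password is taken from the environment instead of
# being written into the script; NCO_ROOT_PASSWORD is an assumed name.
apply_sql() {
    { cat; printf 'go\n'; } | "$NCHOME/omnibus/bin/nco_sql" \
        -server "$OS_NAME" -user root \
        -password "${NCO_ROOT_PASSWORD?NCO_ROOT_PASSWORD is not set}"
}

# Usage:
#   create_external_user_sql alice 'Alice Example' | apply_sql
#   convert_existing_user_sql alice | apply_sql
#   enable_synced_user_sql bob | apply_sql
```

Keeping the generators separate from apply_sql lets you print the batch and review it (for example, that no PASSWORD clause slipped in) before anything reaches the ObjectServer.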

9. Optional: Test the connection between the LDAP server and the ObjectServer by using the ldapsearch utility. The following technote describes options for using ldapsearch:
http://www-01.ibm.com/support/docview.wss?uid=swg21579907
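The ldapsearch check recommended under "Before you begin" and again in step 9 is easiest to get right if it mirrors what the ObjectServer does with the templates. The following shell script is added as a worked example (it is not from the documentation, the technotes or the product): it performs the %s substitution on a DistinguishedName or LDAPSearchFilter template and then runs the matching lookup, a direct bind as the expanded DN or a search under LDAPSearchBase bound as LDAPBindDn, using OpenLDAP's ldapsearch options. The server URI, the service bind DN and the templates are constructed placeholders.

```shell
#!/bin/sh
# Added example; not from the Netcool/OMNIbus documentation or product.
# Rehearses the two lookups the ObjectServer performs, using OpenLDAP's
# ldapsearch, so the ldap.props templates can be verified before
# Sec.ExternalAuthentication is set to LDAP. All DNs/URIs are placeholders.

LDAP_URI="${LDAP_URI:-ldap://ldap.example.test:389}"            # assumption
LDAP_BIND_DN="${LDAP_BIND_DN:-cn=ncobind,ou=Service,o=ABCcorp}" # assumption: LDAPBindDn

# Replace every %s in a template with the user name, as the ObjectServer
# does for DistinguishedName and LDAPSearchFilter. Plain parameter
# expansion, so user names containing sed metacharacters are safe.
expand_template() {
    template=$1
    user=$2
    ph='%s'
    out=""
    while [ "${template#*$ph}" != "$template" ]; do
        out="$out${template%%$ph*}$user"
        template=${template#*$ph}
    done
    printf '%s' "$out$template"
}

# Escape the characters with special meaning inside an LDAP search filter
# (RFC 4515) so the user name is matched literally; without this a name
# containing '*' would turn (cn=%s) into a wildcard match.
escape_filter_value() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Direct-bind mode (DistinguishedName in ldap.props): bind as the expanded
# DN with the user's own password; a successful bind is the authentication.
# -W prompts for the password so it stays out of the process list and
# shell history; -s base reads the entry back to confirm the DN exists.
check_direct_bind() {
    [ -n "$2" ] || { echo "usage: check_direct_bind DN_TEMPLATE USER" >&2; return 2; }
    dn=$(expand_template "$1" "$2")
    ldapsearch -H "$LDAP_URI" -x -D "$dn" -W -b "$dn" -s base '(objectClass=*)' dn
}

# Search mode (LDAPSearchBase/LDAPSearchFilter): the service account bound
# as LDAPBindDn searches the base for the user's entry. The DN returned is
# the one the ObjectServer needs in order to authenticate that user.
find_user_dn() {
    [ -n "$3" ] || { echo "usage: find_user_dn SEARCH_BASE FILTER_TEMPLATE USER" >&2; return 2; }
    filter=$(expand_template "$2" "$(escape_filter_value "$3")")
    ldapsearch -H "$LDAP_URI" -x -D "$LDAP_BIND_DN" -W -b "$1" -s sub "$filter" dn
}

# Usage (substitute the templates supplied by your LDAP administrator):
#   check_direct_bind 'cn=%s,ou=Development,o=ABCcorp' alice
#   find_user_dn 'ou=People,o=ABCcorp' '(cn=%s)' alice
```

If the direct bind succeeds but the search returns no entry (or more than one), the LDAPSearchBase or LDAPSearchFilter value is the thing to revisit, not the ObjectServer user entries; if both fail for a known-good account, check the bind credentials and, for SSL, that the CA certificate is in the key database.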