Configuring single sign-on for the event search capability

Configure single sign-on (SSO) between WebGUI and Operations Analytics - Log Analysis so that users can switch between the two products without having to log in each time. SSO can be configured by using LDAP or the OMNIbus ObjectServer.

Before you begin

To configure the OMNIbus ObjectServer to provide authentication, authorization and SSO for IBM® Operations Analytics Log Analysis, see https://www.ibm.com/support/pages/node/6381830.

To configure SSO with LDAP, use the following procedure.

Procedure

  1. Ensure that the following requirements are met:
    • All server instances are in the same domain; for example, domain_name.uk.ibm.com.
    • LTPA keys are the same across all server instances.
    • The LTPA cookie name that is used in Operations Analytics - Log Analysis must contain the string ltpatoken.
  2. Create dedicated users in your LDAP directory, which must be used by both WebGUI and Operations Analytics - Log Analysis for user authentication.
  3. Configure the SSO connection with the steps in the table.
    Table 1. Configuring single sign-on
    Step Action More information

    1.

    Create the dedicated users and groups in your LDAP directory. For example,
    1. Create an Organization Unit (OU) named NetworkManagement.
    2. Under the NetworkManagement OU, create a new group named webguildap.
    3. Under the NetworkManagement OU, create the following new users: webgui1, webgui2, webgui3, and webgui4.
    4. Add the new users to the webguildap group.

    The LDAP groups that you want to use in WebGUI must have roles that WebGUI recognizes. For more information, see the following topic: Configuring user authentication for WebGUI against an LDAP directory.

    2.

    In the WebGUI, assign the ncw_admin and ncw_user roles to the webguildap group that you created in step 1.

    For more information, see the following topics:

    3.

    Configure Dashboard Application Services Hub and Operations Analytics - Log Analysis to use the same LDAP directory for authentication.

    For more information on configuring these products to use LDAP, see the following topics:
    4.

    Configure Dashboard Application Services Hub for single sign-on. This enables users to access all of the applications that are running in Dashboard Application Services Hub by logging in only once.

    For more information, see Configuring Dashboard Application Services Hub for single sign-on.

    5.
    Configure the SSO connection from the Operations Analytics - Log Analysis product to the Dashboard Application Services Hub instance in which the WebGUI is hosted. The following steps of the Operations Analytics - Log Analysis SSO configuration are important:
    • Export LTPA keys from the Jazz® for Service Management server.
    • Update the LA ldapRegistryHelper.properties file.
    • Run the LA ldapRegistryHelper.sh script.
    • Configure LTPA on the Liberty Profile for WebSphere® Application Server (copy the LTPA keys from Jazz).

    For more information, see Configuring SSO for Operations Analytics - Log Analysis with Jazz for Service Management.

    6.

    Assign Operations Analytics - Log Analysis roles to the users and groups that you created in step 1.

     
    7.

    In the $SCALAHOME/wlp/usr/servers/Unity/server.xml/server.xml file, ensure that the <webAppSecurity> element has an httpOnlyCookies="false" attribute.

    Add this line before the closing </server> element. For example:
    <webAppSecurity ssoDomainNames="hostname" httpOnlyCookies="false"/>
    </server>
    The httpOnlyCookies="false" attribute disables the HttpOnly flag on the cookie that is generated by Operations Analytics - Log Analysis, which makes the cookie readable by client-side script, and is needed to enable SSO with the WebGUI.
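
The following added example, which is not part of the original IBM procedure, checks a Liberty server.xml against the requirements above: the httpOnlyCookies="false" attribute, an LTPA cookie name that contains ltpatoken, and server hosts that fall inside ssoDomainNames. It assumes that the cookie name comes from the ssoCookieName attribute (default LtpaToken2), that ssoDomainNames is a literal pipe-separated domain list, and that the ltpatoken match is case-insensitive; the host names and XML fragments are constructed.

```python
import xml.etree.ElementTree as ET

DEFAULT_COOKIE = "LtpaToken2"  # assumed Liberty default when ssoCookieName is unset

# Constructed sample input: host names and server.xml fragments are illustrative.
HOSTS = ["webgui.domain_name.uk.ibm.com", "la.domain_name.uk.ibm.com"]
GOOD = ('<server><webAppSecurity ssoDomainNames="domain_name.uk.ibm.com" '
        'httpOnlyCookies="false"/></server>')
BAD = ('<server><webAppSecurity ssoCookieName="SessionTok" '
       'ssoDomainNames="other.example.com"/></server>')


def check_sso_config(server_xml, hosts):
    """Return a list of problems; an empty list means every check passed."""
    root = ET.fromstring(server_xml)
    attrs = {}
    # Repeated <webAppSecurity> elements are merged; later attributes win.
    for elem in root.iter("webAppSecurity"):
        attrs.update(elem.attrib)
    if not attrs:
        return ["no <webAppSecurity> attributes found"]

    problems = []
    # Step 7: the HttpOnly flag must be disabled explicitly (it is on by default).
    if attrs.get("httpOnlyCookies", "true").lower() != "false":
        problems.append('httpOnlyCookies is not "false"')

    # Requirement: the LTPA cookie name must contain the string ltpatoken.
    cookie = attrs.get("ssoCookieName", DEFAULT_COOKIE)
    if "ltpatoken" not in cookie.lower():
        problems.append(f"cookie name {cookie!r} does not contain ltpatoken")

    # Requirement: every server instance must sit inside a configured SSO domain.
    raw = attrs.get("ssoDomainNames", "")
    domains = [d.strip().lstrip(".").lower() for d in raw.split("|") if d.strip()]
    if not domains:
        problems.append("ssoDomainNames is not set")
    for host in hosts:
        h = host.lower()
        if domains and not any(h == d or h.endswith("." + d) for d in domains):
            problems.append(f"host {host} is outside ssoDomainNames")
    return problems


if __name__ == "__main__":
    for label, xml_text in (("good", GOOD), ("bad", BAD)):
        print(label, check_sso_config(xml_text, HOSTS) or "OK")
```

Run the check on each server instance after editing server.xml; a non-empty result names the requirement that the configuration does not meet.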