Configure single sign-on (SSO) between WebGUI and Operations Analytics - Log Analysis so that users can switch between the two products without having to log in each time. SSO can be configured by using LDAP or the OMNIbus ObjectServer.
Before you begin
To configure the OMNIbus ObjectServer to provide authentication, authorization and SSO for IBM® Operations Analytics Log Analysis, see https://www.ibm.com/support/pages/node/6381830.
To configure SSO with LDAP, use the following procedure.
Procedure
- Ensure that the following requirements are met:
  - All server instances are in the same domain; for example, domain_name.uk.ibm.com.
  - LTPA keys are the same across all server instances.
  - The LTPA cookie name that is used in Operations Analytics - Log Analysis must contain the string ltpatoken.
- Create dedicated users in your LDAP directory, which must be used by both WebGUI and Operations Analytics - Log Analysis for user authentication.
- Configure the SSO connection with the steps in the table.
Table 1. Configuring single sign-on

| Step | Action | More information |
|---|---|---|
| 1. | Create the dedicated users and groups in your LDAP directory. For example:<br>- Create an Organization Unit (OU) named NetworkManagement.<br>- Under the NetworkManagement OU, create a new group named webguildap.<br>- Under the NetworkManagement OU, create the following new users: webgui1, webgui2, webgui3, and webgui4.<br>- Add the new users to the webguildap group. | The LDAP groups that you want to use in WebGUI must have roles that WebGUI recognizes. For more information, see the following topic: Configuring user authentication for WebGUI against an LDAP directory. |
| 2. | In the WebGUI, assign the ncw_admin and ncw_user roles to the webguildap group that you created in step 1. | For more information, see the following topics: |
| 3. | Configure Dashboard Application Services Hub and Operations Analytics - Log Analysis to use the same LDAP directory for authentication. | For more information on configuring these products to use LDAP, see the following topics: |
| 4. | Configure Dashboard Application Services Hub for single sign-on. This enables users to access all of the applications that are running in Dashboard Application Services Hub by logging in only once. | For more information, see Configuring Dashboard Application Services Hub for single sign-on. |
| 5. | Configure the SSO connection from the Operations Analytics - Log Analysis product to the Dashboard Application Services Hub instance in which the WebGUI is hosted. The following steps of the Operations Analytics - Log Analysis SSO configuration are important:<br>- Export LTPA keys from the Jazz® for Service Management server.<br>- Update the LA ldapRegistryHelper.properties file.<br>- Run the LA ldapRegistryHelper.sh script.<br>- Configure LTPA on the Liberty Profile for WebSphere® Application Server (copy LTPA keys from Jazz) | For more information, see Configuring SSO for Operations Analytics - Log Analysis with Jazz for Service Management |
| 6. | Assign Operations Analytics - Log Analysis roles to the users and groups that you created in step 1. | |
| 7. | In the $SCALAHOME/wlp/usr/servers/Unity/server.xml/server.xml file, ensure that the `<webAppSecurity>` element has an `httpOnlyCookies="false"` attribute. Add this line before the closing `</server>` element. For example:<br>`<webAppSecurity ssoDomainNames="hostname" httpOnlyCookies="false"/>`<br>`</server>`<br>The `httpOnlyCookies="false"` attribute disables the httponly flag on the cookie that is generated by Operations Analytics - Log Analysis, and is needed to enable SSO with the WebGUI. | |
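The following check is an added example, not part of the original procedure or of any IBM product code. It audits the Log Analysis server.xml for the settings named in step 7 and in the requirements list. The sample XML, the host name webgui1.domain_name.uk.ibm.com and the function name audit_sso_settings are constructed for illustration; the case-insensitive cookie-name match and the attribute-merge behaviour are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml; the domain is the page's placeholder value.
SAMPLE_SERVER_XML = """<server description="Unity">
  <webAppSecurity ssoDomainNames="domain_name.uk.ibm.com" httpOnlyCookies="false"/>
</server>"""


def audit_sso_settings(server_xml_text, webgui_host):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(server_xml_text)
    elements = root.findall("webAppSecurity")
    if not elements:
        return ["no <webAppSecurity> element in server.xml"]
    # Assumption: when the element is repeated, later attributes override earlier ones.
    attrs = {}
    for element in elements:
        attrs.update(element.attrib)

    findings = []
    # Step 7: the httponly flag must be disabled (Liberty enables it by default).
    if attrs.get("httpOnlyCookies", "true").strip().lower() != "false":
        findings.append('httpOnlyCookies is not "false"')

    # Requirement: all servers share a domain, so the WebGUI host must fall
    # under one of the pipe-separated SSO domains.
    domains = [d.strip().lstrip(".").lower()
               for d in attrs.get("ssoDomainNames", "").split("|") if d.strip()]
    host = webgui_host.lower()
    if not domains:
        findings.append("ssoDomainNames is not set")
    elif not any(host == d or host.endswith("." + d) for d in domains):
        findings.append("WebGUI host %s is outside ssoDomainNames %s" % (host, domains))

    # Requirement: the LTPA cookie name must contain "ltpatoken"
    # (compared case-insensitively here; Liberty's default is LtpaToken2).
    cookie = attrs.get("ssoCookieName", "LtpaToken2")
    if "ltpatoken" not in cookie.lower():
        findings.append("ssoCookieName %r does not contain ltpatoken" % cookie)
    return findings


if __name__ == "__main__":
    results = audit_sso_settings(SAMPLE_SERVER_XML, "webgui1.domain_name.uk.ibm.com")
    print("\n".join(results) if results else "OK")
```

Because step 7 removes the httponly flag, the LTPA cookie becomes readable by scripts running in the browser, so keep ssoDomainNames as narrow as the deployment allows.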