Tivoli Enterprise Portal security
Access to the Tivoli Enterprise Portal (authorization) is controlled by user accounts (IDs) defined to the portal server. Authentication of users is controlled through either the hub Tivoli Enterprise Monitoring Server or the Tivoli Enterprise Portal Server.
In addition to defining the user IDs that are authorized to log on to the Tivoli Enterprise Portal, these accounts define each user's permissions: the Tivoli® Enterprise Portal features the user is authorized to see and use, the monitored applications the user is authorized to see, and the Navigator views (and the highest level within a view) the user can access. An initial sysadmin user ID with full administrator authority is provided during installation so you can log in to the Tivoli Enterprise Portal and add more user accounts. Unless user authentication is enabled, no password is required to log on to the Tivoli Enterprise Portal.
The hub Tivoli Enterprise Monitoring Server can be configured to authenticate, or validate, user IDs using either the local system registry or an external LDAP-enabled registry. The Tivoli Enterprise Portal Server can be configured to authenticate through an external LDAP registry. If authentication is not enabled through either the monitoring server or the portal server, no authentication is performed and no password is required to log on to the Tivoli Enterprise Portal.
User IDs that have to make SOAP server requests (including user IDs that issue CLI commands that invoke SOAP server methods) can be authenticated only through the hub monitoring server. User IDs that require the ability to share credentials with other web-enabled Tivoli applications (single sign-on capability, or SSO) must be authenticated through the portal server and mapped to unique user identifiers in an LDAP registry shared by all SSO-eligible Tivoli applications.
Do not enable user authentication before completing and testing at least a basic installation of Tivoli Management Services components and monitoring agents. The first time you configure the hub monitoring server, do not enable security. Complete the following steps before you reconfigure the hub to enable security:
- Configure all products and verify that they are operating correctly.
- If you choose a third-party security package, verify that it is installed and configured correctly for your site.
- Create user IDs in the Tivoli Enterprise Portal, and authorize the users to access resources.
- Create the user IDs and passwords on the system hosting the hub monitoring server.
You do not have to define and authorize additional user IDs before you enable security, but you must define and authorize the sysadmin user ID.
As part of your preparation for deployment, determine which users require access to the Tivoli Enterprise Portal and which features, applications, and views the users must access.
Also determine which users you want to authorize to issue Take Action commands from the Tivoli Enterprise Portal. You can have the issuers of z/OS® console commands authorized by IBM Z NetView (see Configuring IBM Z NetView authorization of z/OS commands). Monitoring agents can have product-specific requirements for authentication. Consult the documentation for each monitoring agent for more information.
For instructions on enabling authentication on a hub monitoring server on Windows, UNIX, and Linux® operating systems, managing user accounts and permissions, or enabling the Tivoli Enterprise Portal Server for single sign-on, see the IBM Tivoli Monitoring: Administrator's Guide. For instructions on enabling authentication on a hub monitoring server on a z/OS system, see Enabling security validation on a z/OS hub.