You can use Manage Tivoli® Enterprise Monitoring Services to enable LDAP user authentication and single sign-on in the portal server and, optionally, to configure the LDAP server connection details. You can use this utility to configure the LDAP server connection information if all the following conditions are met:
- You are using Microsoft Active Directory Server or Tivoli Directory Server for your LDAP server.
- You do not plan to configure TLS/SSL between the portal server and the LDAP server.
- You do not need to configure any LDAP configuration parameters besides those listed in Table 1.
For all other scenarios, use Manage Tivoli Enterprise Monitoring Services to enable LDAP user validation and SSO for the portal server and specify a server type of Other. Then use the TEPS/e administration console to complete the LDAP configuration.
Configuring the portal server to use an LDAP user registry involves adding LDAP information such as the bind ID and port number to the portal server configuration. At the same time, best practice is to enable single sign-on by specifying the realm name and Internet or intranet domain name used by the other applications participating in SSO. For more information about these parameters, see Prerequisites for configuring LDAP authentication on the portal server.
You can also export the portal server's LTPA key or import the LTPA key from a participating SSO application if you have already decided which application will be the source of the LTPA key. (All participating SSO applications must use the same key.) The export or import steps can also be performed at a later time if you want to concentrate on getting LDAP user authentication working or you do not have an LTPA key to import.
Before you begin
Have the configuration information for the LDAP server at hand, as well as the realm and Internet or intranet domain name for SSO.
If you want to export or import LTPA keys, ensure that the portal server is running before beginning configuration. You will get a message that the portal server will be stopped during configuration, but the server is stopped only at the end of the configuration procedure, after you click OK to close the last dialog.
If you are importing an LTPA key, you need the key file and the password that was used when the key file was generated.
About this task
Take these steps to reconfigure the portal server for user validation with an LDAP registry, enable SSO, and optionally export or import LTPA keys.
Procedure
1. Start Manage Tivoli Enterprise Monitoring Services on the computer where the portal server is installed:
   - Click Start → Programs → IBM® Tivoli Monitoring → Manage Tivoli Enterprise Monitoring Services.
   - Where install_dir is the IBM Tivoli Monitoring installation directory, change to the install_dir/bin directory and run ./itmcmd manage [-h install_dir].
2. Right-click Tivoli Enterprise Portal Server:
   - Click Reconfigure, and click OK to accept the existing configuration and go to the second TEP Server Configuration window.
   - Click Configure.
3. In the LDAP Security area, select Validate User with LDAP?. On Linux and UNIX, the LDAP Security area is on the TEMS Connection tab.
4. Optional: If you plan to use SSO, select Enable Single Sign On?.
5. Select the LDAP type from the list:
   - AD2000 for Active Directory Server 2000
   - AD2003 for Active Directory Server 2003
   - AD2008 for Active Directory Server 2008
   - IDS6 for IBM Tivoli Directory Server Version 6.x
   - Other if your LDAP server is not one of those listed, you intend to customize the LDAP configuration for the Active Directory Server or Tivoli Directory Server, or you are configuring SSL communications to the LDAP server. After completing this procedure, start the TEPS/e administration console to complete the LDAP server configuration. See Using the TEPS/e administration console.
   Important: If you think you might need to edit the configuration of the Active Directory Server or Tivoli Directory Server at a later time, such as to configure TLS/SSL communications to the LDAP server, be sure to select Other and use the TEPS/e administration console to configure the server (skip step 6). Otherwise, any customization done in the TEPS/e administration console is lost the next time you reconfigure the portal server.
6. If you selected AD2000, AD2003, or IDS6 as the LDAP type, complete the other fields to specify the LDAP server:
   - LDAP base is the distinguished name (DN) for the base entry in the LDAP registry. It is the starting point for user searches in the LDAP server. For example, for a user with a distinguished name of cn=John Doe,ou=Rochester,o=IBM,c=US, specify ou=Rochester,o=IBM,c=US for this parameter.
   - LDAP DN base entry is typically set to the distinguished name of the base entry in the LDAP registry for portal server users. For example, for a user with a distinguished name of cn=John Doe,ou=Rochester,o=IBM,c=US, specify ou=Rochester,o=IBM,c=US for this parameter. However, when multiple LDAP repositories are being configured for the portal server, use this field to define an additional distinguished name (DN) that uniquely identifies the set of LDAP users from this LDAP server. For example, the LDAP1 registry and the LDAP2 registry might both use o=ibm,c=us as their base entry. In this case, use this parameter to specify a different base entry for each LDAP server: for example, specify o=ibm1,c=us when configuring the LDAP1 registry and o=ibm2,c=us when configuring the LDAP2 registry.
     Note: If you have multiple LDAP registries, they cannot contain any overlapping user names.
     The value of this parameter is displayed in the Tivoli Enterprise Portal Administer Users dialog when you list the distinguished names that can be mapped to Tivoli Enterprise Portal user IDs.
   - LDAP bind ID is the LDAP user ID for bind authentication, in LDAP notation, and must be authorized to search for LDAP users. The bind ID can be omitted if an anonymous user can search for LDAP users.
   - LDAP bind password is the LDAP user password for LDAP bind authentication. This value can be omitted if an anonymous user can bind to your LDAP server. This value is encrypted by the installer.
   - LDAP port number is the port that the LDAP server is listening on. This value can be omitted if the port is 389.
   - LDAP host name is the host name of the LDAP server. It can be omitted if the LDAP server is on the same computer as the portal server. Default: localhost.
7. Click OK.
8. If you selected Enable Single Sign On?, the Single Sign On dialog is displayed with Realm name and Domain name fields and Import Keys and Export Keys buttons. If you are not enabling single sign-on at this time, click OK to close any other portal server configuration dialogs and go to step 12.
9. For SSO, specify the realm and domain in the Single Sign On dialog:
   - Realm name is a parameter shared across applications participating in SSO. Applications configured for the same domain name but for a different realm name will not work as part of the same SSO infrastructure.
   - Domain name is the Internet or intranet domain for which SSO is configured, for example mycompany.com. Only applications available in this domain or its sub-domains are enabled for SSO.
10. At this time, you can export the portal server's LTPA key if you want it to be the key used by all other participating SSO applications. Click Export Keys and complete the following steps:
    - Navigate to the directory where you want to create the file, or change the file type, or both. The directory displayed initially is ITM_dir\InstallITM on Windows and the root directory on Linux and UNIX.
    - Type a name for the file that the LTPA key should be placed in and click Save.
    - In the Export keys window, type a password to use to encrypt the file, and click OK. You see a console window while the file is created and encrypted, and then you are returned to the Single Sign On window.
    Note: After the LDAP configuration is complete, provide the key file and password to the administrators of the applications that launch Tivoli Enterprise Portal, use the dashboard data provider in IBM Dashboard Application Services Hub, or use the IBM Tivoli Monitoring charting web service.
11. If another participating SSO application is providing the LTPA key, you can import it now if you have the key file and the password that was used to encrypt the key. Click Import Keys and complete the following steps:
    - In the Open window that is displayed, navigate to the directory where the key file is located. The directory displayed initially is ITM_dir\InstallITM on Windows and the root directory on Linux and UNIX.
    - Type the name of the file that you want to import, and click Open.
    - Type the password required to decrypt the file, and click OK. You see a console window while the file is created and encrypted, and then you are returned to the Single Sign On window.
    - Repeat the import process to import keys from additional participating servers.
12. Click OK.
13. If you are prompted to reconfigure the warehouse connection information, answer No. After some processing of the configuration settings, the Common Event Console Configuration window is displayed. Sometimes this window does not open in the foreground and is hidden by other windows. If processing seems to be taking longer than expected, minimize other windows and look for the configuration window. When the Common Event Console Configuration window is displayed, click OK.
14. If necessary, recycle the portal server by selecting Tivoli Enterprise Portal Server and clicking Recycle, or by stopping and then starting the portal server.
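The LDAP base, LDAP DN base entry and multiple-registry rules described in step 6 are easy to get wrong when typed into a dialog. The following is an added example, not code from the IBM documentation or the product: it normalises distinguished names and checks offline that a user entry lies under the configured base, that each registry has a distinct DN base entry, and that no user name appears in more than one registry. All DNs used are constructed sample values.

```python
# Added example, not part of the IBM documentation: offline sanity checks for
# the LDAP base / LDAP DN base entry values and the multiple-registry rules in
# step 6 of the procedure. All DNs used here are constructed sample values.

def parse_dn(dn):
    """Split a DN into [(attribute, value), ...] pairs, lower-cased and with
    surrounding whitespace removed. Escaped commas (\\,) inside a value are
    honoured; multi-valued RDNs (a=x+b=y) are not handled (simplifying
    assumption). Assumes case-insensitive matching for every attribute."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape and escaped char
            buf += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def is_under_base(user_dn, base_dn):
    """True when the user entry lies strictly beneath the LDAP base, i.e. a
    search that starts at the base would actually reach it."""
    user, base = parse_dn(user_dn), parse_dn(base_dn)
    return len(user) > len(base) and user[len(user) - len(base):] == base

def distinct_base_entries(base_entries):
    """base_entries: {registry name: LDAP DN base entry}. True when every
    registry has a unique base entry after normalisation."""
    normalised = [tuple(parse_dn(dn)) for dn in base_entries.values()]
    return len(set(normalised)) == len(normalised)

def overlapping_user_names(registries):
    """registries: {registry name: [user DN, ...]}. Returns the user names
    (value of the first RDN) that occur in more than one registry, which the
    portal server does not allow."""
    seen = {}
    for name, dns in registries.items():
        for dn in dns:
            seen.setdefault(parse_dn(dn)[0][1], set()).add(name)
    return {uid for uid, regs in seen.items() if len(regs) > 1}
```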
What to do next
If you chose Other as the LDAP type, the LDAP configuration must be completed in the TEPS/e administration console. See Using the TEPS/e administration console.
For all other LDAP types, follow steps 1 and 2 in the procedure above to check whether Validate User with LDAP? is still selected. If it is not selected, an error occurred when the configuration utility attempted to connect to the LDAP server, and LDAP validation was disabled. If it is disabled, check the install_dir/logs/ConfigureLDAPRepo.log file.
Once the LDAP registry is completely configured, you can map the Tivoli Enterprise Portal user IDs to the LDAP distinguished names to complete the LDAP configuration. You must log on to the Tivoli Enterprise Portal with the sysadmin user ID or a user ID that has the same administrative authority and is not an LDAP user. See Mapping Tivoli Enterprise Portal user IDs to LDAP distinguished names.
If you enabled SSO, you will need to export or import LTPA keys. Refer back to the Roadmap for setting up the portal server to use an LDAP user registry and single sign-on to determine when to perform these steps.