STEP 5. Configuring IBM AD File Service
Follow these configuration steps to get IBM® AD File Service up and running:
1. Configure the parameters that are present in the conf.yaml file
Important: Configuring the following parameters is not mandatory.
Follow the steps below only if you previously configured these
parameters and then upgraded to the latest version of the IBM AD product.
On the machine where IBM AD File Service is installed, go
to <IBM ADDI Installation Folder>/IBM Application Discovery File
Service/conf/ and make sure that the conf.yaml is present. If the
conf.yaml file is not present in the /conf folder, go to
<IBM ADDI Installation Folder>/IBM Application Discovery File
Service/sample-conf/ and copy the conf.yaml file into the
/conf folder. Open the conf.yaml file by using a text
editor and enter the desired values for the parameters that are detailed below.
Note: The parameters are represented in YAML as mappings that consist of a parameter key and the
value that is associated with that key. The parameter key is a string that is terminated by a
trailing colon, which is followed by a space. The value for that parameter key is the string that
follows the key's colon and space.
Example:
my_parameter: my_value
- Set the https parameter as follows:
- If the https parameter is set to false, a non-secured communication is used.
#if true, tls information (key, cert) must be specified
https: false
- If the https parameter is set to true, a secured communication is used.
Note: This step implies the use of certificates. If you want to set the communication to be secured, make sure that a certificate authority issues a signed certificate (.crt) and a private key for the certificate (.key).
#if true, tls information (key, cert) must be specified
https: true
- If the https parameter is set to true and the TLS certificate for IBM AD File Service is
generated, enter the paths of the certificate (.crt) and the key (.key) files. If the
https parameter is set to false, leave the following lines blank.
Example:
#mandatory if https: true
tls:
  key: C:\certs\file.service.key
  cert: C:\certs\file.service.crt
- Leave the line where the authSrv parameter is present blank if Authentication Server (DEX)
is not needed.
Otherwise, set the authSrv parameter as follows:
#authentication server URL
authSrv:
- If the value of the https parameter is set to
true, add the URL of Authentication Server (DEX) where the authSrv
parameter is present. The Authentication Server (DEX) that belongs
to the IBM AD package is used. For more information, see STEP 4. (Optional) Configuring Authentication Server (DEX).
Example:
#authentication server URL
authSrv: https://WIN-ASK7V692EKB.ferdinand2.com:7600/dex
- If the value of the https parameter is set to
false and the Authorization and Authentication feature is
enabled, add the URL of Authentication Server (DEX).
Example:
#authentication server URL
authSrv: http://WIN-ASK7V692EKB.ferdinand2.com:7600/dex
- The caseSensitive parameter can be set to true or false. Through this parameter,
you set the mapping type (case-sensitive) of the folders under which the resources are
located.
caseSensitive: false
- The default value of the disableAuth parameter
is true. Leave the default value if Authentication Server (DEX) is not
needed.
Otherwise, set the disableAuth parameter to false. The false value keeps authentication enabled.
#disable authentication/authorization. allow all files to be sent
disableAuth: true
#enable authentication/authorization. allow all files to be sent
disableAuth: false
- If DEX is not used, and you want to authorize users but not groups that exist in the Active Directory, set the matchUsers parameter to true. Then, you can manually add individual users in the Configuration Dashboard, allocate the added users to a group with a name chosen by the administrator, and afterwards allocate the added users to a group that has access to some projects. For more information, see Adding a User.
matchUsers: true
If DEX is used, the default value of the matchUsers parameter is false, which means that the matching is made by group names. You only need to ensure that the group names are added in the Configuration Dashboard and that the group names in the Configuration Dashboard match the group names that are defined in LDAP. Then, all the LDAP users that are contained in those groups have access in the Analyze Client.
matchUsers: false
Note: It is not recommended to import the list of users in IBM AD Configuration Server because it might be time consuming to keep the list synchronized with the one from Secure Storage.
- To use groups in Application Discovery when DEX is used, you must ensure that a perfect match exists to the groups in the Active Directory, which means that the group names in Application Discovery are case-sensitive with respect to the corresponding LDAP group names. If a user is added to a group in the Dashboard, the same group name must also exist in Active Directory and contain the user so that the user can be authenticated and authorized in the Analyze Client.
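The following Python check is an added example, not part of the IBM documentation or product: it parses a conf.yaml of the form described in step 1 and reports settings that leave communication unencrypted or authentication switched off. The two sample files, the host name dex.example.com and the function names are constructed for illustration, and a missing https key is assumed to mean false.

```python
# Added example. Sample files are constructed; missing https is assumed false.
WEAK = r"""
https: false
tls:
authSrv: http://dex.example.com:7600/dex
disableAuth: true
"""
HARDENED = r"""
https: true
tls:
  key: C:\certs\file.service.key
  cert: C:\certs\file.service.crt
authSrv: https://dex.example.com:7600/dex
disableAuth: false
"""

def parse_conf(text):
    """Parse the 'key: value' subset of YAML used here (one nesting level)."""
    conf, parent = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = (p.strip() for p in raw.strip().partition(":"))
        if raw[0] in " \t" and parent is not None:
            conf[parent][key] = value      # nested entry such as tls -> key
        elif value == "":
            parent, conf[key] = key, {}    # blank: parent mapping or unset
        else:
            parent, conf[key] = None, value
    return conf

def audit_conf(text):
    """Return findings for insecure or inconsistent settings."""
    conf = parse_conf(text)
    https = str(conf.get("https") or "false").lower() == "true"
    tls = conf.get("tls") if isinstance(conf.get("tls"), dict) else {}
    auth_srv = conf.get("authSrv") or ""
    auth_off = str(conf.get("disableAuth") or "true").lower() == "true"
    checks = [
        (not https, "https: false -> non-secured communication"),
        (https and not (tls.get("key") and tls.get("cert")), "https: true but tls key/cert path missing"),
        (auth_off, "disableAuth: true -> authentication/authorization is off"),
        (auth_off and bool(auth_srv), "authSrv is set although disableAuth is true"),
        (auth_srv.startswith("http://"), "authSrv uses http:// -> traffic to DEX is not encrypted"),
    ]
    return [msg for hit, msg in checks if hit]

if __name__ == "__main__":
    print(audit_conf(WEAK), audit_conf(HARDENED))
```

Running it against a real file only requires passing the file's text to audit_conf; an empty list means none of the listed conditions were found.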
2. Make IBM AD File Service available in IBM AD Configuration Server
The access rights of users or user groups are mapped to a certain folder that contains the source files. A user can start the analysis on the source files if the user has read access rights.
After IBM AD File Service is up and running, go to
IBM AD Configuration Server and make IBM AD File Service available for the other IBM AD components as follows:
- Access , and go to . The File Service settings page is displayed.
- In the Mappings section, click the Add button to add a new mapping and enter the
following information:
- Remote - add the remote path that can be used to query this service, for example, a UNC path or a local path where the resources/projects reside.
- Local - add the local path that mirrors the remote path. If missing, it is identical to
Remote.
Note:
- If resources or projects reside in multiple physical folders, an entry for each folder needs to be added in the Mappings section.
- In order to see Flow Chart analysis in IBM AD Analyze Client for a specific project, you need to add the path of the project folder or the path of the folder that contains all projects.
Examples:
- \\9.20.128.222\Projects - path to all projects.
- \\9.20.128.222\ADProject - path to a specific project.
- Define which User Groups can access the related mapping folders.
Note: If no User Groups are defined, all users will have access to the related mapping folders.
- Click Save.
- In the Group Settings section, enter the following information:
- Session Timeout - add the session timeout to determine how long the service needs to remain connected to IBM AD Configuration Server before it must perform a new connection. The value format must be a whole number followed by 's' for seconds, 'm' for minutes or 'h' for hours.
- Groups Polling - add the refresh time to check periodically the groups that are present in IBM AD Configuration Server. The value format must be a whole number followed by 's' for seconds, 'm' for minutes or 'h' for hours.
- Click Save.
3. Restart IBM AD File Service
- On Windows
- Once the configuration is done, go to the Dashboard tab, in IBM AD
Configuration Server, click the menu button of File Service,
and select Restart Service.
Note: Wait until the service is restarted; this can take a few minutes to complete.
- If the service does not start, check the .log file under <IBM ADDI Installation Folder>/IBM Application Discovery File Service/ folder.