Specifying an authentication mode
The Probe for Microsoft EWS supports Basic and OAuth authentication.
Basic authentication can be used to connect to Exchange Server and Exchange Online. From Q4 2020 onwards, OAuth authentication is the preferred method to connect to Exchange Online as Basic authentication will be disabled.
Connecting using Basic authentication
To connect using Basic authentication mode, configure the following probe properties:
- ServiceURL
The URL for the Exchange Server or Exchange Online service. For example:
ServiceURL : 'https://outlook.office365.com/EWS/Exchange.asmx'
If ServiceURL is not specified, the probe will perform AutoDiscovery to detect the service URL (Exchange Online only).
- Username
The email address of the user whose mailbox will be accessed by the probe. For example:
Username : 'exampleuser@ewsprobe.microsoft.com'
- Password
The password of the user whose mailbox will be accessed by the probe. For example:
Password : 'password'
- TrustStore
The full path to the truststore used for TLS authentication (Exchange Server only). For example:
TrustStore : '/home/netcool/truststore.jks'
- TrustStorePassword
The password to access the truststore used for TLS authentication (Exchange Server only). For example:
TrustStorePassword : 'password'
- AuthenticationType
Set this property to Basic:
AuthenticationType : 'Basic'
Connecting using OAuth authentication
To connect using OAuth authentication mode, use the following steps:
- Configure Azure Active Directory:
  - Log in to Azure Active Directory at https://aad.portal.azure.com/ with the user account that is used for the probe. This user account must have the Global Administrator role for the Tenant. To determine the Tenant ID, go to Manage>Properties and copy the value for the Tenant ID.
  - Select Azure Active Directory in the left-hand navigation, then select App registrations under Manage.
  - Select New registration. On the Register an application page, set the values as follows:
    - Set Name to a user-friendly name for your app.
    - Set Supported account types to the choice applicable to your scenario.
    - For Redirect URI, change the drop-down to Public client (mobile & desktop) and set the value to urn:ietf:wg:oauth:2.0:oob
  - Choose Register. On the next page, copy the value of the Application (client) ID and save it; you will need it later.
  - Select API permissions in the left-hand navigation under Manage.
  - Click API permissions and go to Add a permission.
  - Click APIs my organization uses and search for Office 365 Exchange Online.
  - Select Office 365 Exchange Online and choose Application Permissions.
  - Under Other permissions, check full_access_as_app.
  - Click Add permissions.
  - Select Grant admin consent for org and accept the consent dialog.
  - Select Certificates & Secrets in the left-hand navigation under Manage.
  - To create a new Client Secret, select New client secret, enter a short description and select Add. Copy the value of the newly added Client Secret and save it.
  - To create a new Client Certificate, upload the certificate containing the public key of the probe server in either cer, pem or crt format.
- Configure the following properties for the probe:
- ServiceURL
The URL for the Exchange Server or Exchange Online service. For example:
ServiceURL : 'https://outlook.office365.com/EWS/Exchange.asmx'
If ServiceURL is not specified, the probe will perform AutoDiscovery to detect the service URL (Exchange Online only).
- Username
The email address of the user whose mailbox will be accessed by the probe. For example:
Username : 'exampleuser@ewsprobe.microsoft.com'
- Password
The password of the user whose mailbox will be accessed by the probe. For example:
Password : 'password'
- AuthenticationType
Set this property to OAuth2:
AuthenticationType : 'OAuth2'
- Authority
URL of the authority that will authenticate the probe to connect with Exchange Online. This is in the format: https://login.microsoftonline.com/<Tenant Domain or Tenant Id>. For example:
Authority : 'https://login.microsoftonline.com/ewsprobe.microsoft.com'
The Tenant Id can be obtained from the Azure Active Directory Admin Center by navigating to the Properties section of the Dashboard of the Tenant.
- Scope
The scope of the authentication request. This is normally set to:
Scope : 'https://outlook.office.com/.default'
- ClientId
The Application (client) ID of the application registered in Azure Active Directory that represents the probe. For example:
ClientId : '12345678-90ab-cdef-1234-567890abcdef'
- ClientSecret
The secret string used by the probe to authenticate with Azure when requesting a token. If not specified, the probe will use ClientCertificate to authenticate. For example:
ClientSecret : 'abcdefghijklmnopqrstuvwxyz0123456789'
Note: For OAuth2 authentication, you must use either ClientCertificate or ClientSecret, but not both. If both are specified, the probe will use the ClientSecret.
- ClientCertificate
A keystore in the PKCS12 format that stores the probe server certificates (private and public keys). The public key in this keystore is the same as the one that was uploaded to Azure Active Directory earlier. For example:
ClientCertificate : '/home/netcool/keystore.p12'
Note: You will need to perform the following steps:
  - Create the PKCS12 keystore holding the private key that will be used by the probe properties:
    /opt/IBM/tivoli/netcool/platform/linux2x86/jre64_1.8.0/jre/bin/keytool -genkey -alias win2019 -storetype PKCS12 -keyalg RSA -keystore keystore.p12
  - Export the certificate (public key only) from the keystore in crt format to be used by Office 365:
    openssl pkcs12 -in keystore.p12 -clcerts -nokeys -out keystore.crt
- ClientCertificatePassword
The password to access the PKCS12 keystore. For example:
ClientCertificatePassword : 'password'
The probe will authenticate using either Client Secret or Client Certificate. By default, the probe will use the Client Secret. To use the ClientCertificate, leave the ClientSecret property empty.
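The credential rules above can be checked before the probe is started. The following is an added example, not part of the probe or its documentation: a small Python linter that parses property lines in the format shown on this page and reports the case where both ClientSecret and ClientCertificate are set. It assumes that `#` starts a comment line, that Authority, Scope and ClientId are all mandatory for OAuth2, and that a password value of `password` is a leftover documentation example; the function names and the sample input are constructed for illustration.

```python
import re

PROP_RE = re.compile(r"^\s*(\w+)\s*:\s*'?(.*?)'?\s*$")

def parse_props(text):
    """Parse "Name : 'value'" lines; '#' comment lines are skipped (assumed syntax)."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            props[m.group(1)] = m.group(2)
    return props

def lint(props):
    """Return findings for the authentication rules stated on this page."""
    findings = []
    mode = props.get("AuthenticationType", "")
    if mode not in ("Basic", "OAuth2"):
        findings.append("AuthenticationType must be 'Basic' or 'OAuth2'")
    if mode == "OAuth2":
        for name in ("Authority", "Scope", "ClientId"):
            if not props.get(name):
                findings.append(f"{name} is required for OAuth2")
        if props.get("Authority") and not re.match(
                r"https://login\.microsoftonline\.com/[^/\s]+$", props["Authority"]):
            findings.append("Authority is not https://login.microsoftonline.com/<tenant>")
        secret, cert = props.get("ClientSecret"), props.get("ClientCertificate")
        if secret and cert:
            findings.append("ClientSecret and ClientCertificate both set: secret wins")
        elif not secret and not cert:
            findings.append("OAuth2 needs ClientSecret or ClientCertificate")
    # Assumption: a value of 'password' is the documentation example left in place.
    for name, value in props.items():
        if name.endswith("Password") and value == "password":
            findings.append(f"{name} still holds the example value")
    return findings

# Constructed sample: OAuth2 settings with both credential types set.
SAMPLE = """\
AuthenticationType : 'OAuth2'
Authority : 'https://login.microsoftonline.com/ewsprobe.microsoft.com'
Scope : 'https://outlook.office.com/.default'
ClientId : '12345678-90ab-cdef-1234-567890abcdef'
ClientSecret : 'abcdefghijklmnopqrstuvwxyz0123456789'
ClientCertificate : '/home/netcool/keystore.p12'
ClientCertificatePassword : 'password'
"""

if __name__ == "__main__":
    print("\n".join(lint(parse_props(SAMPLE))))
```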
Compensating for Load Balancing
When a monitored mailbox is shuffled onto a different server for load balancing purposes (especially in the case of Exchange Online which is part of Office 365), this will cause the probe to lose connection to Exchange Server/Online. To compensate for this, set the RetryCount property to a value greater than zero to enable the probe to automatically restore the connection and continue monitoring the mailbox.
RetryCount : 3