IBM Support

Log Analysis - Using the ObjectServer for authentication, authorization and single sign-on.


Use the following instructions to configure the OMNIbus ObjectServer to provide authentication, authorization, and single sign-on for IBM Operations Analytics Log Analysis.

This enhancement provides two benefits:
  • Log Analysis user authentication and user authorization are provided by the ObjectServer.
    Without this enhancement, Log Analysis cannot authenticate users against the ObjectServer, because OAuth is enabled in Log Analysis.
  • SSO between WebGUI and Log Analysis is performed using the ObjectServer.
    Without this enhancement, single sign-on (SSO) between WebGUI and Log Analysis requires a supported external LDAP server. This creates a prerequisite to install and maintain an LDAP server, which must be one of MS Active Directory, IBM Tivoli Directory Server or OpenLDAP.
Note: This enhancement is only suitable for Log Analysis 1.3.6.1 or higher.

Procedure
1) Extract LAomnibusAuthentication-1.0.0.2.esa, and then copy it to any directory on your Log Analysis server, for example /tmp.

2) Install LAomnibusUserRegistry.
Use Liberty's featureManager to install the LAomnibusUserRegistry with the following command:
<LA_HOME>/wlp/bin/featureManager install /tmp/LAomnibusAuthentication-1.0.0.2.esa
3) Provide the ObjectServer connection details.
Create an omnibus.xml file in the server configuration directory (the same directory as server.xml, which includes it in step 4) and supply the values for your own ObjectServer: primaryHost, primaryPort, username and password.
<server>
  <featureManager>
    <feature>usr:LAomnibusUserRegistry-1.0.0</feature>
  </featureManager>
  <objectServerRegistry name="AUTH:LAOBJ"
    primaryHost="9.x.x.x"
    primaryPort="4100"
    backupHost=""
    backupPort=""
    username="root"
    password="*********"
    sslEnabled="false"
    realm="netcoolObjectServerRepository"
    userFilter="uid"
    groupFilter="cn"
    baseDN="o=netcoolObjectServerRepository"
  />
  <federatedRepository>
    <primaryRealm name="defaultWIMFileBasedRealm" delimiter="@" allowOpIfRepoDown="true">
      <participatingBaseEntry name="o=netcoolObjectServerRepository"/>
      <userSecurityNameMapping outputProperty="displayName" inputProperty="displayName"/>
      <userDisplayNameMapping outputProperty="displayName" inputProperty="displayName"/>
    </primaryRealm>
  </federatedRepository>
  <authentication id="Basic" cacheEnabled="true"/>
</server>
If the ObjectServer is SSL enabled, then perform the following extra steps:
  • Copy /opt/IBM/tivoli/netcool/etc/security/keys/cacert.arm from the ObjectServer to /tmp on the Log Analysis server, and then run the following command to import it into the Log Analysis keystore:
    <LA_HOME>/ibm-java/bin/keytool -import -keystore <LA_HOME>/wlp/usr/servers/Unity/resources/security/key.jks -storepass loganalytics -file /tmp/cacert.arm -alias omnikey
    Here /opt/IBM/tivoli/netcool/etc/security/keys/cacert.arm is the certificate file that was created with nc_gskcmd when SSL was enabled for the ObjectServer.
  • Set sslEnabled="true" in omnibus.xml.
If you do not want to store the password in omnibus.xml in clear text, use the securityUtility tool to encode it and paste the resulting {xor}... or {aes}... string into the password attribute. The default XOR encoding only obfuscates the value; use securityUtility encode --encoding=aes if you need the password encrypted rather than obfuscated.
<LA_HOME>/wlp/bin/securityUtility encode <myPassw0rd>

4) Modify server.xml to use the OMNIbus connection details.
Modify <LA_HOME>/wlp/usr/servers/Unity/server.xml to use the omnibus.xml file that you created in the previous step.
  • Comment out this line to disable the use of the unityUserRegistry for authentication.
    <include optional="true" location="${server.config.dir}/unityUserRegistry.xml"/>
  • Add this line to enable the use of the ObjectServer for authentication.
    <include optional="true" location="${server.config.dir}/omnibus.xml"/>
5) Configure the Log Analysis user and groups in the OMNIbus Server.
Log in to the Netcool/OMNIbus NCO Configuration UI (nco_config) and then configure the following.
  • Add the groups UnityUsers and UnityAdmins.
  • Add the user unityadmin, and assign the group UnityAdmins to it. If required, add other groups for this user.
  • Assign the UnityUsers and UnityAdmins groups to other users who need access to Log Analysis.
If you do not want to create the UnityUsers and UnityAdmins groups and prefer to use existing ObjectServer groups, for example Normal and Administrators, then add those groups to the security-role entries in unityConfig.xml, and add
<special-subject type="ALL_AUTHENTICATED_USERS" />
to the <oauth-roles> section. Because the UnityUsers and UnityAdmins groups do not exist in your ObjectServer, also remove those group names from unityConfig.xml, as shown in the following example.
<server>
  <application type="war" id="Unity" name="Unity" location="${server.config.dir}/apps/Unity.war">
    <application-bnd>
      <security-role name="UnityUser">
        <group name="Normal"/>
        <group name="Administrators"/>
      </security-role>
      <security-role name="UnityAdmin">
        <group name="Administrators"/>
      </security-role>
    </application-bnd>
  </application>

  <oauth-roles>
    <authenticated>
      <special-subject type="ALL_AUTHENTICATED_USERS" />
    </authenticated>
  </oauth-roles>
</server>
6) Configure SSO between Log Analysis and DASH.
  • Export the Lightweight Third-Party Authentication (LTPA) keys file from DASH to the Log Analysis server. For more information, see Exporting LTPA keys.
  • Copy the LTPA keys file that you exported in the previous step to the <LA_HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/resources/security directory on the Log Analysis server. The folder already contains a default keys file. Do not change that file; use a different name for your own key file.
  • Go to the <LA_HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity directory.
  • To add the SSO tag to the IBM Operations Analytics Log Analysis server, add the following line to server.xml before the final server tag:
    <webAppSecurity ssoRequiresSSL="true" ssoDomainNames="<SSO Domain>"/>
    where <SSO Domain> is the SSO domain, for example example.com. This value must match the SSO domain that is used by the Jazz for Service Management server. Specify the same value as the one that is entered in the Domain name field on the Jazz for Service Management UI.
  • Edit server.xml, and add an <ltpa> key entry before the final server tag:
    <ltpa keysFileName="${server.output.dir}/resources/security/<ltpa_key_file>" keysPassword="<keysPassword>" expiration="120" />
    where <ltpa_key_file> is the LTPA key file, and <keysPassword> is the LTPA password that you entered in the first substep above when you exported the LTPA key and created the LTPA key file.
7) Restart Log Analysis.
<LA_HOME>/IBM/LogAnalysis/utilities/unity.sh -restart
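Before restarting, it is worth checking the files edited in steps 3, 4 and 6 against the points above. The following Python script is an added example, not part of this IBM document or of the Log Analysis product: it lints a constructed omnibus.xml and server.xml (hypothetical host, password and key file name) for a clear-text password, a missing sslEnabled="true" on an SSL-enabled ObjectServer, a still-active unityUserRegistry.xml include, a missing omnibus.xml include, ssoRequiresSSL not set to true, and an ltpa entry that still points at the default ltpa.keys file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files (hypothetical host, password and key file name).
OMNIBUS_XML = """<server>
  <objectServerRegistry name="AUTH:LAOBJ" primaryHost="objsrv.example.com"
    primaryPort="4100" username="root" password="Passw0rd" sslEnabled="false"/>
</server>"""
SERVER_XML = """<server>
  <!-- <include optional="true" location="${server.config.dir}/unityUserRegistry.xml"/> -->
  <include optional="true" location="${server.config.dir}/omnibus.xml"/>
  <webAppSecurity ssoRequiresSSL="false" ssoDomainNames="example.com"/>
  <ltpa keysFileName="${server.output.dir}/resources/security/ltpa.keys"
    keysPassword="{xor}Lz4sLCgwLTs=" expiration="120"/>
</server>"""
ENCODED = re.compile(r"^\{(xor|aes)\}")  # prefixes that securityUtility encode emits

def lint_omnibus(xml_text, objectserver_uses_ssl):
    """Findings for omnibus.xml (step 3); an empty list means it looks right."""
    findings = []
    reg = ET.fromstring(xml_text).find("objectServerRegistry")
    if reg is None:
        return ["omnibus.xml: no objectServerRegistry element"]
    if not ENCODED.match(reg.get("password", "")):
        findings.append("omnibus.xml: password is clear text; run securityUtility encode")
    if objectserver_uses_ssl and reg.get("sslEnabled") != "true":
        findings.append("omnibus.xml: ObjectServer is SSL enabled but sslEnabled is not true")
    return findings

def lint_server(xml_text):
    """Findings for server.xml after the edits in steps 4 and 6."""
    findings = []
    root = ET.fromstring(xml_text)  # comments are dropped, so only live includes are seen
    locations = [inc.get("location", "") for inc in root.findall("include")]
    if any(loc.endswith("unityUserRegistry.xml") for loc in locations):
        findings.append("server.xml: unityUserRegistry.xml include is still active")
    if not any(loc.endswith("omnibus.xml") for loc in locations):
        findings.append("server.xml: omnibus.xml is not included")
    sso = root.find("webAppSecurity")
    if sso is None or sso.get("ssoRequiresSSL") != "true":
        findings.append("server.xml: webAppSecurity ssoRequiresSSL should be true")
    ltpa = root.find("ltpa")
    if ltpa is None:
        findings.append("server.xml: no ltpa element for the exported DASH keys")
    elif ltpa.get("keysFileName", "").endswith("/ltpa.keys"):
        findings.append("server.xml: ltpa keysFileName is the default file; use your own key file")
    return findings
```

Run lint_omnibus and lint_server on the real files before unity.sh -restart; an empty list from both means the edits match the procedure.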

Verification
Verify that ObjectServer authentication is working.
Add a user in the ObjectServer, and then assign the new user to the UnityUsers group. You are now able to log in to Log Analysis as the new user.

Verify that ObjectServer authorization is working.
Verify that the newly added user does not have administrative access. Then add the new user to the UnityAdmins group and log in again. The user now has administrative access.

Verify that SSO is working.
Log in to DASH and then open a new tab in the browser for IBM Operations Analytics Log Analysis. If you are not prompted for any further credentials, then the SSO connection is set up correctly.


Document Information

Modified date:
04 November 2022

UID

ibm16381830