IBM Support

Maximo and LDAP - Configuration from Start to Finish

Technical Blog Post


Abstract

Maximo and LDAP - Configuration from Start to Finish

Body

Security is more important than ever, and securing applications is a priority to every company. Many clients ask for documentation on configuring Maximo for LDAP authentication. You end up having to review many different articles to address a single topic, this document will lay out a basic LDAP configuration that uses WebSphere 7 and Maximo 7.5.0.5. This document walks through connecting WebSphere to your domain right down to the synchronization process and hopefully give a clearer understanding of the configuration process. For this blog were going to discuss this configuration with Microsoft Active Directory (MSAD or AD). However, these steps can be applied with Tivoli Directory Server as well.

So, where do you start?

Your first thoughts will be who needs access to Maximo and how are we going to filter just these users into the environment. For our purpose here, we're going to restrict all users with the memberOf attribute, and make sure our Maximo users are members of a maximousers group that are filtered on.

For a new Maximo implementation, we need three users to exist in the directory

  • maxadmin – default administrative user
  • maxreg – default user registration security user
  • mxintadm – default integration framework user

If your environment is already running and your admin users have different IDs, you can replace the admin users with your own users. If they are in the database and the LOGINID from your database matches the Common Name (CN) or uid from the directory server. Add these users to your maximousers group along with the rest of your base Maximo users.

Now to get started with your configuration. When configuring Maximo for LDAP, there are three parts.

  1. Configure WebSphere to connect and authenticate against your directory server

  2. Enable Maximo to authenticate logins with the Federated Repository, the user database maintained in WebSphere Application Server)

  3. Configure Maximo to synchronize users from the Federated Repository configured in WebSphere, which contains the users that are brought over from Active Directory.

Step 1: Configuring WebSphere

  1. From the WebSphere Console, expand Security in the left frame and click Global Security. From the Global Security page, choose Federated Repository as your available realm definitions and click configure.

Global Security

2. Once you click Configure, you are in the federated repositories page. This page will show the current repositories configured with WebSphere. By  default the repository called InternalFileRepository exists. This repository contains the wasadmin user and its group. For the purpose of this tutorial we are going to leave this intact so that the wasadmin DOES NOT need to be added to the directory server. Click Manage Repositories to configure your realm.

Note – if wasadmin exists on your directory server you need to remove the file-based realm or remove wasadmin from the realm.

Realm name

  1. From the Manage Repositories screen, click Add

Add repository

  1. Once you click add you are brought to the properties page to configure your directory server. From the drop-down menu, choose your directory type; here we chose Active Directory. Enter the hostname and port of your directory server and your principal user to make the connection between WebSphere and your directory. I created a user named “principal” for this purpose.

image 12694

For Active Directory, we changed the login property to uid. The WebSphere uid property maps to sAMAccountName in Active Directory. This would be left as uid for IBM Directory Services. Once done, click Apply and Save to the master configuration.

  1. Once you have saved to the master configuration you are brought back to the Manage Repositories screen that shows your newly created repository. From here head back to the main configuration screen for the repository by clicking on “Federated Repositories.”

Manage repositories

  1. Now we need to configure our base entries. This repository is the container that WebSphere looks in on your directory for users and groups. You can configure multiple entries on this screen, but we are just going to point our realm to the top of the directory. To start click Add Base Entry to Realm.

Repositories in the realm

  1. From the Add Base Entry screen enter the DN you want WebSphere to look in, as mentioned earlier we are going to pull in the entire domain and filter at the Maximo level. So I've entered dc=mxeam13, dc=torolab, dc=ibm, dc=com for the top level of the domain. Once done click apply and save to your master configuration.

Repository reference

  1. Once you have your Base entries configured you need to enable application security for WebSphere. You do this on the main Global Security page. Check 'Enable Application Security' and click 'Set as current' so your Current Realm Definition becomes Federated Repositories. Then apply and save to the master configuration.

Enable application security

  1. Now that your configuration is complete for WebSphere, you need to do a full node synchronization and restart your Deployment Manager (dmgr) and Node (nodeagent) Windows services before continuing to the Maximo configuration.

  2. Once you have restarted your services, log in to the WebSphere Console. On the left side, expand Users and Groups and click Manage Users. Search for a known directory user to confirm that your configuration is correct

Manage users

Step 2: Enabling Maximo authenticate against your directory server

Once WebSphere is configured for LDAP authentication we need to configure Maximo. This is done by enabling LDAP security in 4 XML files as well as the maximo.properties file or the maxpropvalue table.

  1. The first XML file we modify is the maximouiweb web.xml. By default, you find it in \ibm\smp\maximo\applications\maximo\maximouiweb\webmodule\WEB-INF\web.xml.

We first want to search for the <security-constraint> tag and uncomment to the bottom of </login-config> as seen below:

remove security-constraint

  1. In the same file search for useAppServerSecurity and change the value from false to 1 as seen below.

useAppServerSecurity

  1. If you want to keep the BASIC authentication method, you can now save the file. If you want Maximo to display the normal login screen, you need to update the file to use FORM authentication, by commenting out the BASIC login config and uncommenting the FORM login-config. Text in green below is the commented-out section:

Use FORM authentication method

  1. Repeat this step without the auth-method in the following 3 web.xml files – that is, uncomment the <security-constraint> sections and change useAppServerSecurity=1:

  • IBM\SMP\maximo\applications\maximo\mboweb\webmodule\WEB-INF
  • IBM\SMP\maximo\applications\maximo\meaweb\webmodule\WEB-INF
  • IBM\SMP\maximo\applications\maximo\maxrestweb\webmodule\WEB-INF
  1. Now that your web.xml files are configured for LDAP we need to update the maximo.properties or the maxpropvalue table for application security.

If you want to set this in the database you can update the value with the following statement in an SQL tool connected to your database as the schema owner (default maximo):

update maxpropvalue set propvalue=1 where propname='mxe.useAppServerSecurity';

Once your file changes are made you can rebuild and redeploy your ear files

  1. Before starting your application, you need to map the security role to the group of users you want to authenticate. Our users are part of the maximousers group, so we have already mapped that role. If you don't have a specific group, you may choose “All Authenticated in Applications realm” to give all authenticated directory users the ability to connect to Maximo.

To map your role from the WebSphere console, click Enterprise Applications then on your Maximo ear. Under Detail properties click security role to user/group mapping. Then click Map Groups to map the groups your users are contained in.

Mapped groups

3. Configure Maximo to synchronize users from your repository.

Our final step is to set up the VMMSYNC crontask to bring users in to Maximo from the directory server.

  1. Open System Configuration - > Platform Configuration and click Crontask Set up. From here filter for VMMSYNC.

  2. Enter the principal user that can access the repository to bring users into Maximo as well as the password for this user in the credential field.

Cron Task Parameters

  1. Once your credentials are set up, you can set up your group mapping to sync the groups you want into Maximo.

  2. Between the <basedn></basedn> tags specify the path on your directory to where your groups reside. In our case it is in the SWG OU, see the example below.

<basedn>ou=SWG, dc=mxeam13, dc=torolab, dc=ibm, dc=com</basedn>

Next, we need to do the same for our users, however at the same time we are just bringing in users that are members of the maximousers group.

<basedn>ou=SWG, dc=mxeam13, dc=torolab, dc=ibm, dc=com</basedn>
<filter>PersonAccount' and memberof='cn=maximousers, ou=SWG, ou=maximo groups, dc=torolab, dc=ibm, dc=com</filter>
  1. Once these changes are done, activate your crontask and reload its configuration. If you are having problems with the memberOf filter, it is likely because it doesn't exist as a property under the PersonAccount entity in the repository. You can add it using the instructions below.

Adding the memberof to the PersonAccount entity to VMM

From IBM\WebSphere\AppServer\bin run wsadmin.bat

Once the wsadmin command line displays, run the following command

$AdminTask addIdMgrPropertyToEntityTypes {-name memberof -dataType string -entityTypeNames PersonAccount}

-name: This value is the name of the attribute on the directory server, for this example it is memberof
-dataType: This is the database for the field, in our case string 

After running the command, your attribute was successfully added

4) Synchronize your node and restart the services.

Your synchronization is now able to use memberof as a filter.

[{"Line of Business":{"code":"LOB59","label":"Sustainability Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLKT6","label":"IBM Maximo Asset Management"},"ARM Category":[{"code":"a8m50000000CbCJAA0","label":"System->Application Server Security"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.5.0;7.6.0;7.6.1"}]

UID

ibm11133001