If you expect to use a secured environment, enable security
before you configure dashboards. However, if needed, you can enable
security manually later. To turn on security for dashboards you
must enable both application security and administrative security
for the Business Space component.
Before you begin
Before you complete this task, you
must have completed the following tasks:
- Check that your user ID is registered in the user registry for
your product.
About this task
The Business Space component
is preconfigured to ensure authentication and authorization of access.
Users are prompted to authenticate when accessing dashboard URLs.
Unauthenticated users are redirected to a login page.
The Business Space component is configured to be accessed by HTTPS
by default. If you prefer HTTP because the dashboards are already
behind a firewall, you can switch to HTTP by running the
configBSpaceTransport.py script. The configBSpaceTransport.py script
has parameters to switch to either HTTP or HTTPS, so you can also
change from a previous setting. See Designating HTTP or HTTPS settings for dashboards.
To enable
authenticated access to dashboards, you must have a user registry configured
and application security enabled. Authorization to spaces and page
content is handled internally as part of managing spaces.
Procedure
- For complete instructions on security, see the security
documentation for your product.
- For the Business Space application,
on the Global security administrative console
page, select both Enable administrative security and Enable
application security.
- If you want to enable or remove security after you have
configured the Business Space component
with your IBM® Business Monitor profile,
you must modify the noSecurityAdminInternalUserOnly property
in the ConfigServices.properties file.
The noSecurityAdminInternalUserOnly property
specifies the administrator ID for dashboards when security is disabled.
By default, Business Space configuration sets the property to BPMAdministrator if
security is disabled. When security is enabled, by default this property
is set to the application server admin ID. If you want to enable or
remove security after you have configured the Business Space component,
use the application server admin ID.
- In the ConfigServices.properties file, set the noSecurityAdminInternalUserOnly property
to the application server admin ID. The ConfigServices.properties file
is located at profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties for
a stand-alone server or deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties for
a cluster.
- Run the updatePropertyConfig command
using the wsadmin scripting client.
Important: For Windows, the value for the propertyFileName parameter
must be the full path to the file, and all backslashes must be doubled,
for example:
AdminTask.updatePropertyConfig('[-serverName server_name -nodeName node_name -propertyFileName "profile_root\\BusinessSpace\\node_name\\server_name\\mm.runtime.prof\\config\\ConfigService.properties" -prefix "Mashups_"]')
- For a stand-alone server:
The following example uses Jython:
AdminTask.updatePropertyConfig('[-serverName server_name -nodeName node_name -propertyFileName "profile_root\\BusinessSpace\\node_name\\server_name\\mm.runtime.prof\\config\\ConfigService.properties" -prefix "Mashups_"]')
AdminConfig.save()
The following example uses Jacl:
$AdminTask updatePropertyConfig {-serverName server_name -nodeName node_name -propertyFileName "profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties" -prefix "Mashups_"}
$AdminConfig save
- For a cluster:
The following example uses Jython:
AdminTask.updatePropertyConfig('[-clusterName cluster_name -propertyFileName "deployment_manager_profile_root\\BusinessSpace\\cluster_name\\mm.runtime.prof\\config\\ConfigService.properties" -prefix "Mashups_"]')
AdminConfig.save()
The following example uses Jacl:
$AdminTask updatePropertyConfig {-clusterName cluster_name -propertyFileName "deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties" -prefix "Mashups_"}
$AdminConfig save
- Restart the server.
- Log in to dashboards and reassign the owners of the default
spaces to the new administrator ID.
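The property edit and the updatePropertyConfig step above, as an added example that is not IBM's code: a Python helper, run outside wsadmin, that sets noSecurityAdminInternalUserOnly in the properties text, reports whether the file still names the security-disabled default, and builds the Jython command line with the doubled backslashes required on Windows. The sample file content, the admin ID wasadmin and the C:\profiles path are constructed for illustration.

```python
import re

PROP = "noSecurityAdminInternalUserOnly"
NO_SECURITY_DEFAULT = "BPMAdministrator"  # default the page gives when security is disabled

# Constructed sample file content, not taken from a real profile.
SAMPLE = ("# dashboards settings (constructed sample)\n"
          "some.other.key=value\n"
          "noSecurityAdminInternalUserOnly = BPMAdministrator\n")

def set_admin_id(text, admin_id):
    """Return (new_text, old_value); only the PROP line is changed."""
    if "\n" in admin_id or "\r" in admin_id:
        raise ValueError("admin ID must be a single line")
    pat = re.compile(r"^(\s*" + re.escape(PROP) + r"\s*[=:]\s*)(.*)$")
    lines, old = [], None
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            old = m.group(2).strip()
            line = m.group(1) + admin_id
        lines.append(line)
    if old is None:  # property missing: append it
        lines.append(PROP + "=" + admin_id)
    return "\n".join(lines) + "\n", old

def still_no_security_default(text):
    """True if the file still names the security-disabled default administrator."""
    m = re.search(r"^[ \t]*" + re.escape(PROP) + r"[ \t]*[=:][ \t]*(\S*)", text, re.M)
    return bool(m) and m.group(1) == NO_SECURITY_DEFAULT

def update_command(property_file, server=None, node=None, cluster=None):
    """Build the Jython line for wsadmin, doubling backslashes for Windows paths."""
    names = [n for n in (server, node, cluster) if n]
    if any(re.search(r"['\"\[\]]", n) for n in names + [property_file]):
        raise ValueError("quotes or brackets would break the argument list")
    if cluster:
        target = "-clusterName " + cluster
    elif server and node:
        target = "-serverName %s -nodeName %s" % (server, node)
    else:
        raise ValueError("give either cluster, or both server and node")
    path = property_file.replace("\\", "\\\\")
    return ("AdminTask.updatePropertyConfig('[%s -propertyFileName \"%s\" "
            "-prefix \"Mashups_\"]')" % (target, path))

if __name__ == "__main__":
    print(set_admin_id(SAMPLE, "wasadmin")[0])
    print(update_command(r"C:\profiles\ConfigService.properties", cluster="cluster1"))
```

Running still_no_security_default against the file after enabling security is a quick check that dashboards are no longer administered by the security-disabled default ID.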
What to do next
- After the administrative security and application security are
turned on, you receive a prompt for a user ID and password when you
log in to dashboards.
You must use a valid user ID and password from the selected user registry
in order to log on. After you turn on administrative security, whenever
you return to the administrative console, you must log in with the
user ID that has administrative authority.
- If you want to change the user account repository from the default
for your product profile, follow the steps in Selecting the user repository for dashboards.
- If you have a cross-cell environment where dashboards are remote from where IBM Business Monitor is
running, and the nodes are not in the same cell, set up single-sign-on
(SSO) and Secure Sockets Layer (SSL) certificates. Follow the instructions
in Setting up SSO and SSL for dashboards.
- To designate who can perform administrator actions in the dashboard environment,
see Assigning the superuser role.