You can configure SSO authentication between the Tivoli® Integrated Portal and IBM® Operations Analytics - Log Analysis.
Before you begin
- The Tivoli Integrated Portal server and the IBM Operations Analytics - Log Analysis server must use the same LDAP server for authentication.
- The Tivoli Integrated Portal server must use a Lightweight Directory Access Protocol (LDAP) server for authentication.
- You must configure SSO for the Tivoli Integrated Portal. To configure SSO:
  - Log in to the Tivoli Integrated Portal server.
  - In the Security area, click Global security.
  - In the Authentication area, click Single-sign on (SSO).
  - Ensure that the Enabled check box is selected.
  - The domain value that you must have to complete step 4 is displayed in the Domain name field. If this field is blank, enter the domain name and click Apply.
Procedure
- To export the Lightweight Third-Party Authentication (LTPA) keys file from the Tivoli Integrated Portal, complete the following steps:
  - Log on to the Tivoli Integrated Portal as an administrator.
  - In the Security area, click Global security.
  - In the Authentication area, click LTPA.
  - In the Cross-cell single sign on area, enter a password for the keys file in the Password field. Confirm the password.
  - Create a blank plain text file to use as the keys file. Note the directory that you store the file in.
  - In the Fully qualified key file name field, enter the location of the keys file that you created in the previous step. The value must point to the properties file that contains the keys that you want to export. For example, for a Windows operating system, enter C:\keys.properties. For a Unix-based operating system, enter <tip_home_dir>/profiles/TIPProfile.
  - Click Export keys.
- Add the Tivoli Integrated Portal LDAP realm to the IBM Operations Analytics - Log Analysis LDAP configuration. Ensure that the LDAP realm that is specified here is the same as the one used by Tivoli Integrated Portal. To specify the realm, edit the ldap_realm_property property in the ldapRegistryHelper.properties file:
  ldap_realm_property=<LdapRegistryRealm>
  where <LdapRegistryRealm> is the realm that is used by the Tivoli Integrated Portal. To find this value:
  - Log on to the Tivoli Integrated Portal.
  - In the Security area, click Global security.
  - In the User account repository area, click Configure.
  - The LDAP realm value is displayed in the Realm name field. You specify this same value in the ldapRegistryHelper.properties file.
- To add the updated realm to the LDAP configuration for IBM Operations Analytics - Log Analysis and to enable LDAP authentication, run the ldapRegistryHelper.sh script. For more information, see ldapRegistryHelper.sh command.
- Configure LTPA on the Liberty Profile for the WebSphere® Application Server:
  - Copy the LTPA keys file that you exported from the Tivoli Integrated Portal server in step 1 to the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/resources/security directory on the IBM Operations Analytics - Log Analysis server. The folder contains a default keys file. Do not change this file. Use a different name for your own key file.
  - Go to the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity directory.
  - To add the SSO tag to the IBM Operations Analytics - Log Analysis server, add the following line to the server.xml file before the final server tag:
    <webAppSecurity ssoDomainNames="<SSO_domain>" />
    where <SSO_domain> is the SSO domain, for example example.com. This value must match the SSO domain that is used by the Tivoli Integrated Portal server. Specify the same value as the one that is entered in the Domain name field on the Tivoli Integrated Portal UI.
  - To add the LTPA tag to the IBM Operations Analytics - Log Analysis server, add the following line to the server.xml file before the final server tag:
    <ltpa keysFileName="${server.output.dir}/resources/security/<ltpa_key_file>"
    keysPassword="<keysPassword>" expiration="120" />
    where:
    - <ltpa_key_file> is the LTPA key file, for example example_ltpa.keys.
    - <keysPassword> is the LTPA password that you entered in step 1 when you created the LTPA key file on the Tivoli Integrated Portal server.
    (Optional) You can use the unity_securityUtility command that is in the <HOME>/IBM/LogAnalysis/wlp/bin/ directory to generate an encrypted password. After you generate the encrypted password, enter it as the value for the keysPassword parameter.
- Restart the IBM Operations Analytics - Log Analysis server and verify that the SSO connection between the two servers is working.
Results
To verify that the SSO connection is correctly set up, log in to the Tivoli Integrated Portal server. Open a new tab page in the browser and log in to IBM Operations Analytics - Log Analysis. If you are not prompted for the user name and password, the SSO connection is set up correctly. If you are prompted for the login details, the SSO connection is not configured correctly.
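
Before restarting the server in the last step, the values that must match between the two products can be checked with a short script. The following Python check is an added example, not IBM code: it compares ldap_realm_property and ssoDomainNames with the realm and domain noted from the Tivoli Integrated Portal UI, confirms that the keysFileName target exists, and flags a plain-text keysPassword. It assumes that ${server.output.dir} is the Unity server directory and that an encoded password starts with a {scheme} prefix as Liberty encoded passwords do; the function names, the sample values and the location of the sample properties file are constructed for the illustration.

```python
from pathlib import Path
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of the two server.xml lines from step 4 (values are made up).
SAMPLE_SERVER_XML = """<server>
  <webAppSecurity ssoDomainNames="%s" />
  <ltpa keysFileName="${server.output.dir}/resources/security/example_ltpa.keys"
        keysPassword="%s" expiration="120" />
</server>
"""

def write_sample(server_dir, domain, password, realm):
    """Write a constructed Unity server directory; return the properties path."""
    sec = Path(server_dir, "resources", "security")
    sec.mkdir(parents=True)
    (sec / "example_ltpa.keys").touch()
    Path(server_dir, "server.xml").write_text(SAMPLE_SERVER_XML % (domain, password))
    props = Path(server_dir, "ldapRegistryHelper.properties")
    props.write_text("ldap_realm_property=%s\n" % realm)
    return props

def check_sso_config(server_dir, props_path, tip_realm, tip_domain):
    """Return a list of findings; an empty list means the settings line up."""
    findings = []
    lines = Path(props_path).read_text().splitlines()
    props = dict(l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
    if props.get("ldap_realm_property", "").strip() != tip_realm:
        findings.append("ldap_realm_property does not match the TIP realm")
    root = ET.parse(str(Path(server_dir, "server.xml"))).getroot()
    sso, ltpa = root.find("webAppSecurity"), root.find("ltpa")
    if sso is None or sso.get("ssoDomainNames") != tip_domain:
        findings.append("ssoDomainNames does not match the TIP SSO domain")
    if ltpa is None:
        return findings + ["no <ltpa> element in server.xml"]
    # Assumption: ${server.output.dir} resolves to the server directory itself.
    keys = ltpa.get("keysFileName", "").replace("${server.output.dir}", str(server_dir))
    if not Path(keys).is_file():
        findings.append("LTPA keys file not found: " + keys)
    # Assumption: encoded passwords carry a {scheme} prefix, as Liberty's do.
    if not ltpa.get("keysPassword", "").startswith("{"):
        findings.append("keysPassword is stored in plain text")
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        server = Path(tmp, "Unity")
        props = write_sample(server, "example.com", "Passw0rd", "TIPRealm")
        print(check_sso_config(server, props, "TIPRealm", "example.com"))
```

An empty list means the realm, domain, keys file and password encoding are consistent with what the procedure requires; the browser test under Results remains the final confirmation.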