Configure TWS/TDWC 9.X to use LDAP authentication

1. Introduction

Tivoli Dynamic Workload Console 9.X (DWC) integrates Jazz for Service Management (JazzSM) and the WebSphere Application Server (WAS). Their common default installation uses the Federated Repository as the security registry. The same user ID cannot exist simultaneously in more than one repository. Furthermore, the WebSphere Primary Administrator (the account that can start and stop WAS) must be a valid user account at all times, including while the configuration is being changed. Finally, the JazzSM Administrator role (which the default installation grants only to the WebSphere Primary Administrator) must not be lost: at all times, also while the configuration is being changed, there must be a user holding the JazzSM Administrator role, that is, a user who can grant roles to other users in JazzSM/DWC.

TWS (MDM/BKM) does not include JazzSM, so it is not affected by the "double" Administrator issue and its configuration is somewhat simpler.

You can find more information about this in the official TWS documentation:

No duplicate User IDs

You can define any number of user registries in a Federated User Registry. However, no user ID may be present in more than one registry (this prohibits using both Local OS and PAM as a joint authentication mechanism) and no user ID may be present twice in the same registry. Thus, if you configure multiple user registries, it is because you have users in different, non-overlapping groups that use different user registries and need to access Tivoli Workload Scheduler.

Reserved registry IDs

The WebSphere® Application Server tools use some specific IDs to recognize the registries and these are thus reserved keywords that you cannot use to create your own registries, whichever method you use to configure them:

twaLocalOS

Identifies the custom user registry bridge adapter configured for local operating system users

twaPAM

Identifies the custom user registry bridge adapter configured to use the Pluggable Authentication Module (PAM) with Tivoli Workload Scheduler – it is not available on Windows operating systems

twaLDAP

Identifies the user registry bridge configured for LDAP users

defaultWIMFileBasedRealm

Identifies the default embedded WebSphere Application Server File Registry

Note: TDWC 9.X configures the Federated Repository to include only the File Based repository, while TWS configures it to include File Based plus either LocalOS (on Windows) or Custom/PAM (on UNIX). The selected TWSUser (which is the WebSphere Primary Administrator) is created for the TDWC in the File Repository (it is NOT created on the machine), while for TWS it is created in the LocalOS.

This document provides the steps to correctly configure LDAP for both TDWC and TWS in the 9.X releases.

2. LDAP Configuration for the TDWC

Let's discuss in detail the TDWC configuration:

2.1. Create a backup

Before applying any change to your working DWC environment, create a backup of the working configuration:

/opt/IBM/TWAUI/wastools> ./backupConfig.sh -username twsnp -password ****
ADMU0116I: Tool information is being logged in file
           /opt/IBM/TWSMDM/eWAS/profiles/TIPProfile/logs/backupConfig.log
ADMU0128I: Starting tool with the TIPProfile profile
ADMU5001I: Backing up config directory
           /opt/IBM/TWSMDM/eWAS/profiles/TIPProfile/config to file
           /opt/IBM/TWSMDM/wastools/WebSphereConfig_2013-02-01.zip
ADMU0505I: Servers found in configuration:
ADMU0506I: Server name: server1
ADMU2010I: Stopping all server processes for node TIPNode
ADMU0510I: Server server1 is now STOPPED
......
ADMU5002I: 1,491 files successfully backed up

2.2. Configure LDAP as directed in the video available on YouTube

The steps to configure TDWC 9.X for LDAP are described in this section; if you prefer, you can also watch the following video on YouTube, which describes the steps for 8.6. The steps are not very different.

Here are the details of the steps:

1. Log in to the TDWC.
2. Launch the WebSphere Administrative Console.
3. The following panel is displayed.
4. Go to Security -> Global Security.
5. Click "Configure" next to "Federated Repositories" (Available realm definitions).
6. Click "Add new Repository" and select "New Repository" => "LDAP Repository".
7. Enter the details of your LDAP server in the next panel. When you save, the connection to the LDAP server is tested.
8. Add the repository to the federation, selecting from the drop-down the repository identifier you specified in the previous panel and a base entry available in the LDAP.

2.3. Recycle WebSphere

Restart the DWC by running the wastool command stopWAS.sh -user **** -password ***** and then startWAS.sh.

After this procedure your TDWC is configured to use, in addition to the File Based Repository, also the LDAP Repository. If you want the WebSphere Primary Administrator and the JazzSM Administrator to be LDAP accounts as well, you must also follow the next steps, but they are not required.

You can now log in to the TDWC console, grant the required roles to the LDAP accounts, and start working with the TDWC.

2.4. Switch the WAS Primary Admin and JazzSM Admin to LDAP (optional)

1. On the TDWC, select "Roles".
2. Search for the account that must become the new WAS Primary Administrator and the new JazzSM Administrator, and click Search.
3. Click the "User ID" in the table in the panel. The following panel opens:
4. Click the "Select all" check box in the upper left of the panel and click Save.
5. Log in to the WebSphere Administrative Console, and click "Security" => "Global Security".
6. Click "Configure" next to the "Federated Repository" drop-down menu. The following panel is displayed:
7. In the panel, change the values of "Primary Administrative User Name", "Server Identity stored in the Repository" and "Password".
8. Save the changes.
9. Stop the TDWC (the old WebSphere Administrator must be used).
10. Run the wastool updateWAS.sh to update the WebSphere Administrator credentials in soap.client.props (on Windows, if a service was created, you should also run updateWasService.sh).
11. Restart the TDWC.
12. (Optional) You can now log in again to the WebSphere Administrative Console and delete the old WebSphere Administrator: select "User and Groups" => "Manage Users", type the ID of the old WebSphere Administrator in "Search for" and click "Search", then select the check box at its left and click "Delete".

3. Configure TWS in LDAP

The TWS default configuration is different from the TDWC one. Even though TWS does not include JazzSM, and so is not affected by the "double Administrator" issue as the TDWC is, by default it is configured with LocalOS (or PAM on UNIX) as a member of the Federated Repository. This default configuration can lead to problems when configuring LDAP.

The LocalOS Repository is able to authenticate not only user IDs that are local to the machine, but also Domain accounts (defined in the Active Directory LDAP).

The PAM Repository, if PAM is configured on the machine and PAM is configured to authenticate LDAP users, is able to authenticate LDAP users as well.

This means that if the WebSphere configuration contains the Windows LocalOS or the UNIX PAM Repository at the same time as the LDAP Repository, the user ID uniqueness requirement can be broken.

The standard approach is to temporarily switch the WebSphere authentication from the default (LocalOS or Custom/PAM) to the File Based one (the same as TDWC 9.X) and then apply the same procedure described above for the TDWC. Obviously, because TWS does not include the JazzSM component, the role assignments described for the TDWC can be ignored.
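The uniqueness rule quoted in the introduction ("No duplicate User IDs") and the LocalOS/PAM overlap just described can be checked before any repository is federated. The following script is an added example and is not part of the IBM document or the product tooling: it compares the user IDs that the local registry (twaLocalOS/twaPAM) would see with the uid values an LDAP repository (twaLDAP) would see and reports any ID present in both. The LDAP URI, base DN, and the sample ID lists are constructed placeholders; collect_local_ids and collect_ldap_ids show how the real lists would be gathered with getent and ldapsearch.

```shell
#!/bin/sh
# Added example (not from the IBM technote): pre-check for the
# "no duplicate user IDs" rule of the WebSphere Federated Repository.
# Assumptions: local IDs come from getent passwd, LDAP IDs from
# ldapsearch; LDAP_URI, LDAP_BASE and the sample lists are placeholders.

# Print the IDs that appear in both files ($1, $2: one user ID per line).
find_duplicate_ids() {
    sort -u "$1" > "/tmp/ids_a.$$"
    sort -u "$2" > "/tmp/ids_b.$$"
    comm -12 "/tmp/ids_a.$$" "/tmp/ids_b.$$"
    rm -f "/tmp/ids_a.$$" "/tmp/ids_b.$$"
}

# Return 0 if the two registries share no user ID, 1 otherwise.
registries_are_disjoint() {
    [ -z "$(find_duplicate_ids "$1" "$2")" ]
}

# IDs known to the local OS: what twaLocalOS (Windows) or twaPAM (UNIX) sees.
collect_local_ids() {
    getent passwd | cut -d: -f1
}

# uid values from LDAP: what twaLDAP would see. LDAP_URI/LDAP_BASE are
# placeholders to replace with the values entered in the WAS LDAP panel.
collect_ldap_ids() {
    ldapsearch -x -LLL -H "${LDAP_URI:-ldap://ldap.example.com}" \
        -b "${LDAP_BASE:-dc=example,dc=com}" '(objectClass=person)' uid \
        | sed -n 's/^uid: //p'
}

# Constructed sample data so the check runs offline; in production use
#   collect_local_ids > "$LOCAL_LIST"; collect_ldap_ids > "$LDAP_LIST"
LOCAL_LIST="/tmp/local_ids.$$"
LDAP_LIST="/tmp/ldap_ids.$$"
printf 'root\ntwsuser\nmaestro\nwasadmin\n' > "$LOCAL_LIST"
printf 'jsmith\nwasadmin\nmaestro\n' > "$LDAP_LIST"

if registries_are_disjoint "$LOCAL_LIST" "$LDAP_LIST"; then
    echo "OK: no user ID is present in both registries"
else
    echo "WARNING: these IDs exist in both registries; resolve before federating:"
    find_duplicate_ids "$LOCAL_LIST" "$LDAP_LIST"
fi
rm -f "$LOCAL_LIST" "$LDAP_LIST"
```

With the constructed lists the script reports maestro and wasadmin as duplicates, which is exactly the situation the temporary switch to the File Based repository in section 3.1 is meant to avoid: a WebSphere Primary Administrator that resolves in two registries at once.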

3.1 Change the TWS Configuration to File Based (temporary)

1. Log in to the WebSphere Administrative Console and click "User and Groups" => "Manage Users".
2. Click "Create":
3. Enter the data of an account that exists neither on the local machine nor in the LDAP Repository, and click "Create".
4. Click "Security" => "Global Security".
5. Click the "Configure" button next to the "Federated Repository" drop-down menu.
6. Change the values of "Primary Administrative User Name", "Server Identity stored in the Repository" and "Password" to those of the user you just created.
7. Save the changes.
8. Stop TWS (the old WebSphere Administrator must be used).
9. Run the wastool updateWAS.sh to update the WebSphere Administrator credentials in soap.client.props; on Windows, the updateWasService.bat wastool must also be run to update the Windows service.
10. Restart the WebSphere Application Server.
11. Log in again to the WebSphere Administrative Console, and click "Security" => "Global Security".
12. Click "Configure" next to the "Federated Repository" drop-down menu.
13. Select the check box at the left of the twaLocalOS (Windows) or twaPAM (UNIX) repository and click "Remove".
14. Stop and restart the TWS WebSphere Application Server.

Now the TWS WebSphere is configured the same way as TDWC 9.X. You can start from the steps listed in the second chapter of this document to configure it for LDAP.

© Copyright IBM Corporation, 2014 – Tivoli Software