Contents
1 CCMDB Security
1.1 WebSphere Application Server authentication
1.1.1 New user cannot login
1.2 VMMSync configuration
1.2.1 Partial Sync
1.2.2 New users/groups missing
1.2.3 User attributes missing
1.3 CCMDB Authorization
1.3.1 403 Authorization error
1.3.2 Start Center Authorization
2 Tivoli Application Dependency Discovery Manager (TADDM) Security (VMM option)
2.1 TADDM Authentication
2.1.1 Administrator login failure
2.1.2 User login failure
2.2 TADDM Authorization
2.2.1 User without TADDM role can login
2.2.2 TADDM Security Upgrade Issues
3 CCMDB Eco-System Integration
3.1 TADDM Single Sign-On
3.1.1 LTPA token issues
3.2 TADDM SSO authorization issues
3.2.1 SSO successful but authorization error
3.3 TADDM Authorization Synchronization
3.3.1 Collection fails to save
1 CCMDB Security
Background:
Change and Configuration Management Database (CCMDB) is installed with application-server security turned on. The task of authenticating the user is delegated to WebSphere Application Server. When a user is successfully authenticated by WebSphere Application Server, CCMDB creates a security profile for the user in order to make authorization decisions. For CCMDB to create that security profile, the user record must be present in the database repository. In other words, even if the user is successfully authenticated, the user record must already exist in the Maximo database before the user can log in to the Start Center. This is accomplished by configuring the VMMSync crontask, which queries the relevant users through the VMM runtime APIs and creates their records in the Maximo database. For more information about authentication, authorization, and configuring security, refer to the CCMDB information center.
1.1 WebSphere Application Server authentication
1.1.1 New user cannot login
Condition 1:
The user was added to a part of the directory information tree (DIT) that is not configured under VMM, so WebSphere Application Server cannot find the user to authenticate.
Message in SystemOut.log:
Fix:
Make sure the user is created under the proper location in the directory server, or federate the additional subtree under VMM.
Condition 2:
CCMDB is set up to require membership in a J2EE role (default: maximouser) before allowing a user to log in to the system.
Browser message:
Internet Explorer – HTTP 403 Forbidden
Exception in SystemOut.log:
[4/8/07 18:51:52:937 CDT] 00000038 WebCollaborat A SECJ0129E: Authorization failed for maxadmin while invoking GET on maximo_host:/maximo/ui/login, Authorization failed, Not granted any of the required roles: maximouser
Fix:
Assign the proper group to the user in the directory server (in this case the group mapped to maximouser), or map the J2EE role to “All authenticated”. For a modified J2EE role mapping to take effect, MXServer must be restarted.
*Note: The CCMDB (7.1 & 7.11) install maps this role to “All authenticated” by default.
1.2 VMMSync configuration
1.2.1 Partial Sync
Condition 1:
Duplicate email IDs.
Exception in SystemOut.log:
[4/8/07 13:42:18:640 CDT] 0000006b SystemOut O 08 Apr 2007 13:42:14:125 [ERROR] Failed to
initialize the VMMSyncCronTask. This message will be repeated if the initialization fails again when the
task is run the next time.
psdi.security.vmm.VMMSyncException: Failed to perform VMM user synchronization.
at psdi.security.vmm.VMMSynchronizer.syncVMMUsers(VMMSynchronizer.java:654)
at psdi.security.vmm.VMMSynchronizer.performSync(VMMSynchronizer.java:345)
at psdi.security.vmm.VMMSyncTask.performTask(VMMSyncTask.java:348)
at psdi.security.vmm.VMMSyncCronTask.cronAction(VMMSyncCronTask.java:190)
at psdi.server.CronTaskManager.callCronMethod(CronTaskManager.java:1338)
at psdi.server.CronTaskManager.access$300(CronTaskManager.java:83)
at psdi.server.CronTaskManager$CronThread.run(CronTaskManager.java:1750)
Caused by:
psdi.security.vmm.VMMSyncException: Failed to synchronize VMM user data to database.
at psdi.security.vmm.DefaultVMMSyncAdapter.syncUser(DefaultVMMSyncAdapter.java:86)
at psdi.security.vmm.VMMSynchronizer.syncVMMUsers(VMMSynchronizer.java:623)
... 6 more
Caused by:
com.ibm.db2.jcc.b.SqlException: One or more values in the INSERT statement, UPDATE statement, or
foreign key update caused by a DELETE statement are not valid because the primary key, unique constraint
or unique index identified by "2" constrains table "MAXIMO.EMAIL" from having duplicate values for
the index key.
at com.ibm.db2.jcc.b.sf.d(sf.java:1396)
at com.ibm.db2.jcc.c.jb.l(jb.java:367)
at com.ibm.db2.jcc.c.jb.a(jb.java:64)
at com.ibm.db2.jcc.c.w.a(w.java:48)
at com.ibm.db2.jcc.c.dc.b(dc.java:302)
at com.ibm.db2.jcc.b.tf.cb(tf.java:1719)
at com.ibm.db2.jcc.b.tf.d(tf.java:2319)
at com.ibm.db2.jcc.b.tf.Y(tf.java:540)
at com.ibm.db2.jcc.b.tf.executeUpdate(tf.java:523)
at psdi.security.vmm.DefaultVMMSyncAdapter.insertRecord(DefaultVMMSyncAdapter.java:843)
at psdi.security.vmm.DefaultVMMSyncAdapter.syncUser(DefaultVMMSyncAdapter.java:80)
Fix:
Make sure that no two users have the same email ID in the directory server. The unique index on MAXIMO.EMAIL rejects the second record, and the whole VMMSync run fails rather than skipping that user.
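Both failures quoted so far (the SECJ0129E role denial in 1.1.1 Condition 2 and the VMMSync initialization failure whose root cause is the DB2 unique-constraint violation above) leave distinctive records in SystemOut.log, and a stack trace spans many lines, so grepping a single line misses the root cause. The following is an added example, not IBM code: it groups continuation lines with the WebSphere record that started them, extracts the user, URI and required roles from SECJ0129E, and pulls the constrained table out of the DB2 message. SAMPLE_LOG is constructed from the message formats shown in this document; the user jdoe is a placeholder.

```python
"""Triage a CCMDB SystemOut.log for the two failures quoted in this document.

Added example, not IBM code. SAMPLE_LOG is constructed from the message
formats shown above; hosts and user names are placeholders.
"""
import re
from typing import Dict, List, Optional

# WebSphere record header: [timestamp] threadid component level message...
WAS_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-fA-F]{8})\s+(?P<component>\S+)\s+"
    r"(?P<level>[A-Z])\s+(?P<msg>.*)$"
)
SECJ0129E = re.compile(
    r"SECJ0129E: Authorization failed for (?P<user>\S+) while invoking (?P<method>\S+) on "
    r"(?P<target>\S+), Authorization failed, Not granted any of the required roles: (?P<roles>.+)$",
    re.MULTILINE,
)
# DB2 JCC unique-constraint message; matched after the record is collapsed to one line
DUP_KEY = re.compile(
    r'identified by "(?P<index>[^"]+)" constrains table "(?P<table>[^"]+)" '
    r"from having duplicate values"
)

SAMPLE_LOG = """\
[4/8/07 18:51:52:937 CDT] 00000038 WebCollaborat A SECJ0129E: Authorization failed for maxadmin while invoking GET on maximo_host:/maximo/ui/login, Authorization failed, Not granted any of the required roles: maximouser
[4/8/07 13:42:18:640 CDT] 0000006b SystemOut O 08 Apr 2007 13:42:14:125 [ERROR] Failed to initialize the VMMSyncCronTask. This message will be repeated if the initialization fails again when the task is run the next time.
psdi.security.vmm.VMMSyncException: Failed to perform VMM user synchronization.
\tat psdi.security.vmm.VMMSynchronizer.syncVMMUsers(VMMSynchronizer.java:654)
Caused by: psdi.security.vmm.VMMSyncException: Failed to synchronize VMM user data to database.
Caused by: com.ibm.db2.jcc.b.SqlException: One or more values in the INSERT statement, UPDATE statement, or
foreign key update caused by a DELETE statement are not valid because the primary key, unique constraint
or unique index identified by "2" constrains table "MAXIMO.EMAIL" from having duplicate values for
the index key.
[4/8/07 18:52:01:100 CDT] 00000038 WebCollaborat A SECJ0129E: Authorization failed for jdoe while invoking GET on maximo_host:/maximo/ui/login, Authorization failed, Not granted any of the required roles: maximouser
[4/8/07 18:53:00:000 CDT] 00000012 SystemOut O Unrelated informational line
"""


def split_records(lines: List[str]) -> List[str]:
    """Attach continuation lines (stack traces, wrapped messages) to the WAS record they belong to."""
    records: List[str] = []
    for line in lines:
        if WAS_LINE.match(line):
            records.append(line)
        elif records:
            records[-1] += "\n" + line
    return records


def classify(record: str) -> Optional[Dict[str, str]]:
    """Map one record to a documented condition, or None if it is not one we know."""
    head = WAS_LINE.match(record.split("\n", 1)[0])
    if not head:
        return None
    finding: Dict[str, str] = {"timestamp": head["ts"], "thread": head["thread"]}
    m = SECJ0129E.search(record)
    if m:
        finding.update(kind="j2ee_role_missing", user=m["user"], target=m["target"],
                       required_roles=m["roles"].strip(),
                       fix="put the user in the group mapped to the role (or map the role to "
                           "All authenticated) and restart MXServer")
        return finding
    if "Failed to initialize the VMMSyncCronTask" in record:
        m = DUP_KEY.search(" ".join(record.split()))  # collapse the wrapped DB2 message
        if m:
            finding.update(kind="vmmsync_duplicate_key", table=m["table"], index=m["index"],
                           fix=f"remove the duplicate directory values that feed {m['table']} "
                               "before the next VMMSync run")
        else:
            finding.update(kind="vmmsync_init_failed", fix="read the Caused by chain in the record")
        return finding
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """All recognised findings in a SystemOut.log, in log order."""
    return [f for f in map(classify, split_records(log_text.splitlines())) if f]


def users_missing_role(findings: List[Dict[str, str]]) -> List[str]:
    """Distinct users denied for lack of a J2EE role, sorted."""
    return sorted({f["user"] for f in findings if f["kind"] == "j2ee_role_missing"})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Run it against a real SystemOut.log by reading the file into triage(); several distinct users in users_missing_role() points at the role mapping rather than at one user's group membership.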
Condition 2:
One or more users have the mail attribute set to a null (empty) value in the directory server.
Exception in SystemOut.log:
Fix:
Either remove the empty mail attribute from the directory server or provide a value for the email address.
Condition 3:
1.2.2 New users/groups missing
Condition 1:
The VMM component cache is turned on and its timeout is longer than the VMMSync schedule interval, so the crontask keeps reading stale cached results and does not see the new users and groups.
Fix:
Update the VMMSync schedule so that the VMM cache expires before the next sync, or disable the VMM cache for each directory server federated under VMM.
Condition 2:
The VMMSync crontask usermapping or groupmapping attributes were updated to point to a new location in the directory information tree (DIT), or a new crontask instance was added for a multiple-user-directory setup.
Fix:
For any of the above changes to take effect, MXServer needs to be restarted.
1.2.3 User attributes missing
Once the sync is completed, users have the first name and display name attributes missing in the Maximo Users application. The directory server user attributes are queried by the VMMSync crontask and mapped to user columns in the Maximo database repository. The LDAP attribute to user column mapping is defined in the VMMSync configuration under the usermapping parameter.
CCMDB (7.1 & 7.11) ships with the following mapping:
<table name="PERSON">
<keycolumn name="PERSONID" type="UPPER">uid</keycolumn>
Condition 1:
The attributes are not present in the directory server.
Fix 1:
Make sure that user objects have the ‘displayname’ and ‘givenname’ attributes.
Fix 2:
If you decide not to introduce the additional attributes on the user object, the problem can also be addressed by modifying the mapping to an attribute that is already present in the directory server. Remember to restart MXServer after updating the usermapping parameter.
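All three directory-data problems above (duplicate mail values and empty mail attributes in 1.2.1, and users lacking the givenname/displayname attributes the mapping expects in 1.2.3) can be caught in an LDIF export before VMMSync runs and fails half way. The following is an added example, not IBM code or the product's mapping format: it parses an LDIF export and reports each problem by DN. SAMPLE_LDIF is constructed; the attribute names checked (givenname, displayname, mail) are the ones named in this document, and mail values are compared case-insensitively on the assumption that the directory treats them that way.

```python
"""Pre-flight check of a directory export before running VMMSync.

Added example, not IBM code. Parses an LDIF export (SAMPLE_LDIF is constructed)
and reports duplicate mail values, empty mail attributes, and users missing the
attributes the CCMDB usermapping reads (givenname, displayname by default).
"""
import base64
from collections import defaultdict
from typing import Dict, List, Tuple

REQUIRED_ATTRS: Tuple[str, ...] = ("givenname", "displayname")  # what the default mapping reads

SAMPLE_LDIF = """\
# constructed sample export; hosts and people are placeholders
dn: uid=alice,ou=people,dc=example,dc=test
objectClass: inetOrgPerson
uid: alice
givenName: Alice
displayName: Alice Liddell
mail: alice@example.test

dn: uid=bob,ou=people,dc=example,dc=test
objectClass: inetOrgPerson
uid: bob
givenName: Bob
displayName: Bob
  Builder
mail: Alice@example.test

dn: uid=carol,ou=people,dc=example,dc=test
objectClass: inetOrgPerson
uid: carol
givenName: Carol
mail:

dn: uid=dave,ou=people,dc=example,dc=test
objectClass: inetOrgPerson
uid: dave
displayName:: RGF2ZSBEYWxl
mail: dave@example.test

dn: cn=maximousers,ou=groups,dc=example,dc=test
objectClass: groupOfNames
cn: maximousers
member: uid=alice,ou=people,dc=example,dc=test
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: folded lines, '#' comments and base64 ('::') values. Keys are lower-cased."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation: one leading space is the fold marker
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                 # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()                 # "mail:" with nothing after it becomes ""
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def check_users(entries: List[Dict[str, List[str]]], required=REQUIRED_ATTRS) -> Dict[str, object]:
    """Findings for user entries (those carrying uid, the key attribute of the default mapping)."""
    by_mail: Dict[str, List[str]] = defaultdict(list)
    empty_mail: List[str] = []
    missing_attrs: Dict[str, List[str]] = {}
    for e in entries:
        if "uid" not in e:
            continue
        dn = e["dn"][0]
        for m in e.get("mail", []):
            if m == "":
                empty_mail.append(dn)             # 1.2.1 Condition 2: null mail value
            else:
                by_mail[m.lower()].append(dn)     # assumption: directory matches mail case-insensitively
        missing = [a for a in required if not any(e.get(a, []))]
        if missing:
            missing_attrs[dn] = missing           # 1.2.3 Condition 1: attribute absent or empty
    return {
        "duplicate_mail": {m: sorted(dns) for m, dns in by_mail.items() if len(dns) > 1},
        "empty_mail": sorted(empty_mail),
        "missing_attrs": missing_attrs,
    }


def ready_for_sync(findings: Dict[str, object]) -> bool:
    """True only when none of the three conditions is present."""
    return not any(findings.values())


if __name__ == "__main__":
    result = check_users(parse_ldif(SAMPLE_LDIF))
    print(result, "ready:", ready_for_sync(result))
```

Feed it the output of an ldapsearch over the subtree named in the usermapping basedn; the group entry in the sample shows why only uid-bearing entries are inspected.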
1.3 CCMDB Authorization
Fix:
Make sure that the user in question is a member of the proper security group in CCMDB. Users are assigned group membership in the directory server and must wait for a successful sync before they can use the system. Consult the CCMDB Infocenter for the group membership required for the various permissions.
2 Tivoli Application Dependency Discovery Manager (TADDM) Security (VMM option)
TADDM relies on VMM and the authentication service (both hosted on CCMDB) being properly up and running in order to provide its security functions. Further, TADDM has to be correctly configured to use these remote services.
2.1 TADDM Authentication
2.1.1 Administrator login failure
Condition 1:
Even when TADDM was properly installed and configured with the VMM option, the administrator login can fail because the administrator user was not created in the directory server.
Fix:
This user is not created automatically during install and must be added manually to the directory server after install.
2.1.2 User login failure
Condition 1:
The authentication service is not started.
Error in TADDM trace.log:
[4/8/07 19:47:32:609 CDT] 00000025 security E Login failed:CTGES0008E The Authentication Client received a fault from the Authentication Service. Fault reason: "(404)Not Found"
Fix:
Make sure that the authentication service (the authensvc_ctges application) is properly installed and started.
Condition 2:
The TADDM authentication client is misconfigured and cannot connect to the authentication service. Confirm that the following parameter in the TADDM authentication client properties file (ibmessclientauthncfg.properties) is correct:
authnServiceURL=http://stwin2003.austin.ibm.com:9080/TokenService/services/Trust
Condition 3:
The TADDM user repository module is misconfigured and cannot connect to the remote VMM interfaces. Confirm that the following parameters in the TADDM properties file (collation.properties) are correct:
com.collation.security.auth.websphereHost=stwin2003.austin.ibm.com
com.collation.security.auth.webspherePort=9809
Condition 4:
A difference between the TADDM and WAS server system clocks causes TADDM to receive a token that has already expired.
The following error messages are posted in the TADDM trace.log (with trace set at DEBUG level):
Fix:
Make sure the clocks of the WAS and TADDM servers are synchronized.
2.2 TADDM Authorization
2.2.1 User without TADDM role can login
Fix:
Set com.collation.security.enabledatalevelsecurity to true in collation.properties. Make sure that the TADDM server is restarted for the change to take effect.
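Conditions 2 to 4 of 2.1.2 and the data-level security setting of 2.2.1 are all checks on static configuration, which a short script does more reliably than reading property files by eye. The following is an added example, not IBM code: it parses the two property files quoted above (the contents below are constructed samples built from the values shown in this document), checks that authnServiceURL is a Trust-service URL whose host matches websphereHost in collation.properties (valid because this document states that VMM and the authentication service are both hosted on CCMDB), validates the port, reports whether data-level security is enabled, and computes clock skew from an HTTP Date header such as the WAS server returns. The Date values in the usage are constructed.

```python
"""Check the TADDM-side settings named in this document before chasing login failures.

Added example, not IBM code. CLIENT_PROPS and COLLATION_PROPS are constructed
samples using the values quoted in the document.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional
from urllib.parse import urlparse

CLIENT_PROPS = """\
# ibmessclientauthncfg.properties (constructed sample); line continuation as Java allows
authnServiceURL=http://stwin2003.austin.ibm.com:9080/\\
    TokenService/services/Trust
"""

COLLATION_PROPS = """\
# collation.properties excerpt (constructed sample)
com.collation.security.auth.websphereHost=stwin2003.austin.ibm.com
com.collation.security.auth.webspherePort=9809
com.collation.security.enabledatalevelsecurity=false
"""

# A deliberately broken variant: short hostname and a mistyped port (later key wins, as in Java)
BAD_COLLATION_PROPS = (COLLATION_PROPS.replace("stwin2003.austin.ibm.com", "stwin2003")
                       + "com.collation.security.auth.webspherePort=98o9\n")


def parse_properties(text: str) -> Dict[str, str]:
    """Java .properties subset: '#'/'!' comments, '=' or ':' separators, trailing '\\' continuation."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()      # continuation drops the next line's leading whitespace
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        idx = min((line.find(s) for s in "=:" if s in line), default=-1)
        key, value = (line[:idx], line[idx + 1:]) if idx >= 0 else (line, "")
        props[key.strip()] = value.strip()
    return props


def check_auth_config(client: Dict[str, str], collation: Dict[str, str]) -> List[str]:
    """Problems found in the two files; an empty list means they agree with the values documented above."""
    problems: List[str] = []
    url = client.get("authnServiceURL", "")
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        problems.append(f"authnServiceURL is not a valid http(s) URL: {url!r}")
    elif not parsed.path.endswith("/TokenService/services/Trust"):
        problems.append(f"authnServiceURL does not point at the Trust service: {parsed.path!r}")
    host = collation.get("com.collation.security.auth.websphereHost", "")
    port = collation.get("com.collation.security.auth.webspherePort", "")
    if not host:
        problems.append("com.collation.security.auth.websphereHost is missing")
    if not port.isdigit() or not 0 < int(port) < 65536:
        problems.append(f"com.collation.security.auth.webspherePort is not a valid port: {port!r}")
    # Both services are hosted on the CCMDB WebSphere node, so the two hosts should agree
    if parsed.hostname and host and parsed.hostname.lower() != host.lower():
        problems.append(f"authnServiceURL host {parsed.hostname!r} differs from websphereHost {host!r}")
    return problems


def data_level_security_enabled(collation: Dict[str, str]) -> bool:
    """2.2.1: when false, a user without a TADDM role can still log in."""
    return collation.get("com.collation.security.enabledatalevelsecurity", "").lower() == "true"


def clock_skew_seconds(remote_http_date: str, local_http_date: Optional[str] = None) -> float:
    """Local minus remote clock, from HTTP Date headers (e.g. 'curl -sI http://<was-host>:9080/').

    A skew larger than the token lifetime explains the expired-token failure in Condition 4.
    """
    remote = parsedate_to_datetime(remote_http_date)
    local = parsedate_to_datetime(local_http_date) if local_http_date else datetime.now(timezone.utc)
    return (local - remote).total_seconds()


if __name__ == "__main__":
    client, collation = parse_properties(CLIENT_PROPS), parse_properties(COLLATION_PROPS)
    print("problems:", check_auth_config(client, collation))
    print("data-level security:", data_level_security_enabled(collation))
    print("skew (s):", clock_skew_seconds("Sun, 08 Apr 2007 23:47:32 GMT", "Mon, 09 Apr 2007 00:02:32 GMT"))
```

Point the parsers at the real files on the TADDM server; the 9809 port in the sample is the WebSphere bootstrap port used for the VMM (RMI/IIOP) connection, not an HTTP port, which is why the URL and port checks are kept separate.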
2.2.2 TADDM Security Upgrade Issues
If TADDM is installed with the local file-based repository option and later reconfigured to use the VMM option, the following issues can be encountered depending on the customer setup:
Condition 1:
This occurs because the authorization policy file from the old file-based repository is still present on the system. So even though TADDM security was reconfigured to use VMM, the security manager component is still enforcing the older authorization policy created by the earlier setup.
Fix:
Make sure that the old policy files are deleted from
<TADDM_HOME>\dist\var\policy\ibmsecauthz\policy\rolemapping\AuthorizationManagerPolicyContextId_role.
3 CCMDB Eco-System Integration
3.1 TADDM Single Sign-On
3.1.1 LTPA token issues
Fix:
Make sure that the LTPA keys are exported from the authentication service and imported into WebSphere Application Server, so that both sides validate LTPA tokens with the same key set. Refer to the CCMDB install guide for detailed instructions.
3.2 TADDM SSO authorization issues
3.2.1 SSO successful but authorization error
This occurs when the login succeeds but no TADDM role is assigned to the SSO user.
Fix:
Make sure the SSO user has the proper TADDM role-level authorization. If SSO is being performed as part of launch-in-context, make sure the CI being launched is part of one or more collections and that the user has access to that collection. Refer to the next section for further details.
3.3 TADDM Authorization Synchronization
3.3.1 Collection fails to save
This occurs when the CCMDB server cannot properly connect to the TADDM server because of any of the following conditions:
Condition 1:
Incorrect hostname or port information.
Condition 2:
Incorrect username or password information.
Message returned in the browser:
Fix:
Make sure the hostname, port, username and password provided on the TADDMEP endpoint are correct.
Condition 3:
If you are using the SSL transport (port 9531 instead of 9530) to connect to TADDM and have not downloaded the TADDM Java certificate to the CCMDB node, the connection will fail.
Fix:
Make sure the certificate is downloaded from the TADDM machine and copied to the proper location on the CCMDB node. Refer to the Infocenter for details.
*Note: A similar issue can arise when assigning a collection to a security group if any of the information discussed above is not provided correctly.