Project Experiences
Document:
Owner:
Marc Purnell
Connecting Maximo TPAE to LDAP - Project Experiences
Date: 31.10.2011
Version: V1.1
Status: Final
Page 1 of 73
Document History

Document Location
This is a snapshot of an on-line document. Paper copies are valid only on the day they are printed. Refer to the author if you are in any doubt about the currency of this document.
The source of the document will be found in Document2

Revision History
Date of this revision: 31.10.2011
Date: (date)   Changes marked: (N)   N   N

Approvals
This document requires the following approvals. Signed approval forms are filed in the Quality section of the PCB.
Name: (name)   Title: (title)

Distribution
This document has been distributed to
Name: (name)   Title: (title)
Contents
1. Introduction .......... 5
3.3.1 Using LDAP filters to retrieve a specific set of users and groups only .......... 23
3.6 Configuration .......... 54
4.2.2 Error in LDAPSYNC/VMMSYNC when assigning more than 1000 users to a security group .......... 57
5. Appendix A .......... 61
6. Appendix B .......... 73
1. Introduction
The challenge:
The product ships with default support for a connection to an LDAP system. This works well, but the challenge is to get the RIGHT DATA into the Maximo TPAE system. The team that has written this document collected experience in a double-digit number of projects and faced new challenges regarding this topic in every single one of them.
The intention of this document is to collect this combined knowledge in one place and to share this information with a wider audience.
Frank Nees is an IT Architect at IBM ITS with a main focus on Service Management. He has designed numerous service management solutions based on various tools, in recent years with a focus on Tivoli Maximo. The scope includes all disciplines of Service Management such as Service Request including Service Catalog, Incident, Problem, Change, Release, Asset, CMDB, SLA etc.
In most cases Frank also acted as project leader of the implementation.
Bernhard Binzen is an IBM Certified IT Specialist at IBM Software Group, Tivoli Services Germany.
He started his IT career and joined IBM in 1996. After spending several years in service projects (OS/2,
Windows, Unix, Tivoli Framework products amongst others), he joined IBM Software Group in 2007.
Bernhard is an IBM Certified Deployment Professional TADDM and is responsible for the
implementation of IBM Service Management infrastructure environments (TADDM, ITIC, TPAE
infrastructure, Deployers Workbench, Configuration Management).
Hubertus Dapper is an IBM Certified IT Specialist at IBM Software Group and joined Tivoli Services
Germany in 2000. He is responsible for services in the Tivoli Workload Automation area. In addition he
was assigned to services for reporting and service level solutions based on Tivoli Data Warehouse and
Tivoli Service Level Advisor before moving to the Tivoli ISM team where he is responsible for TADDM,
CCMDB, ITIC and TPAE Infrastructure in services projects.
Why do you want to connect Maximo TPAE to LDAP (what do you want to achieve)?
What is your LDAP architecture (single directory / multiple directory / meta directory)?
Do you need personal data of all persons in LDAP in Maximo TPAE or only of a subset?
Is Single Sign-On required?
Which method suits your requirements best to load/replicate the LDAP data into your Maximo TPAE environment (VMMSYNC or LDAPSYNC)?
If only a subset of LDAP users is required, what are the criteria to identify the ones you need?
Which LDAP attributes do you require to use in Maximo TPAE? Are they mapped by default?
How do you manage organisational and personal changes in LDAP? Which key attributes are changed? What is your expectation of how Maximo TPAE reflects these changes?
Where do you want to store the Maximo TPAE technical users (e.g. maxadmin)? In your regular LDAP data store?
Do you require different rights / passwords for these users in your different Maximo TPAE environments (Development / Test / Production)?
Where do you want to assign users to groups (in Maximo TPAE or in LDAP)?
During installation of your Maximo TPAE product you choose the authentication method to be used. You can switch from local to LDAP authentication and vice versa after installation. This is described later in this document.
Local authentication is useful for small and medium environments / customers where no LDAP is available.
Please note that using local authentication does not mean that LDAP cannot be integrated with your Maximo TPAE environment. It is still possible to synchronize user and group information such as contact data from an LDAP environment.
If you decide to use this method, the technical users wasadmin, maxadmin, mxintadm and maxreg can be created automatically during the installation by the Maximo installer. Note that the bind user configured in the WebSphere VMM needs write access to LDAP in this case.
If it is not allowed to create the required users automatically, they have to be created manually in LDAP beforehand. In this case you have to deselect the option Create the required users in the appropriate installer window.
UI access: URL: <server>/maximo
WebServices access: URL: <server>/meaweb
To achieve this behaviour the web.xml files have to be modified (to set the authentication method) and the WAS SPNEGO filter has to be used to separate the UI from the WebServices traffic.
See: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/rsec_SPNEGO_tai_attribs.html
Details about the web.xml files for this example are attached to this document in chapter 5.1.
3.2
[Figure: VMMSYNC connects TPAE to LDAP through WAS (VMM); LDAPSYNC connects TPAE (Tivoli database) directly to LDAP]
Whereas VMMSYNC is connected to WAS, LDAPSYNC has direct access to the LDAP repository. This has the following impact:
LDAPSYNC can only be used as an interface for transferring user records to TPAE. Even if you don't need to add new users in TPAE, the user administration is still active in TPAE. This also includes the password administration, since the password is not transferred from LDAP. Hence the user authentication is still done by TPAE. However, the security group assignment can be done within the LDAP repository.
VMMSYNC is very similar to LDAPSYNC, but has one big difference: if you want to use VMMSYNC, you need to switch to the LDAP authentication method. This means the user administration in TPAE is disabled. You cannot add any user in TPAE, and the user authentication is done by WAS VMM (using the password in LDAP).
basedn setting: a base DN can be specified here and is mapped against WebSphere VMM. A subtree of the WAS base DN may be specified.
Filter: you can specify a person filter to retrieve a subset of persons instead of all persons. Common filters are real person entries which contain a valid email address in VMM, or a group filter, e.g. all persons which are members of the group TIVOLIUSERS. The recommendation is to use the LDAP filter in WAS instead of the VMMSYNC task filter. But this filter is useful if you plan to set up multiple VMMSYNC tasks for different purposes and for different sets of users. See chapter 3.3.1.2.
The second section describes the VMM attributes which are mapped in the next section to the MBO attributes.
For each attribute line, the name of the MBO attribute is stated first, followed by the name of the mapped VMM attribute.
Since all three attributes in LDAP are unique, any combination is actually possible. But you should take note of some things in order to prevent later problems:
1) First of all, userid and personid should always be the same value. There is not really a need for that, but normally there is no reason to use different values. That applies especially to the LDAP interface, since every user record has its person record.
2) For the userid (and personid) you should consider the following:
a. Since the userid is a key value in Maximo TPAE, you should use an attribute in LDAP which changes very rarely. CN and mail often contain the name of the person, and if the person's name changes, the ID changes as well. But in some environments the sAMAccountName is changed even more often.
b. Even if CN and sAMAccountName are unique in one single LDAP, they are not necessarily unique in the whole environment. That means, when you plan to connect several LDAP repositories to TPAE, you need an attribute which is unique in general; this is often only the mail address.
c. The sAMAccountName is often a meaningless string. If you want to use this string as userid, you should consider that this string is displayed and used in many panels in Maximo TPAE. This may result in problems with user acceptance.
Hint:
If you choose CN or the email address for the userid, you most likely need to increase the field length of the userid in TPAE.

Possible combinations (the numbers mark which attribute the two examples below use for each ID):
                  userid   personid   loginid
CN                (1)      (1)
sAMAccountName                        (1)
mail              (2)      (2)        (2)

Example 1:
Assumptions: Single environment, CN contains the person name and changes only rarely.
Impact: Userid is a meaningful value and login is familiar to the user (equal to the Windows AD login).
Example 2:
Assumptions: Large environment with several LDAP repositories; the mail address is the only really unique attribute.
Impact: Userid is a reasonable value, but users need to get used to using their mail address for login.
The first thing you need to know is that VMMSYNC and LDAPSYNC always perform an insert/update action. This means, if the userid is not found in TPAE the user record is inserted, whereas if the userid already exists the user record is updated.
The first idea is often to delete the old user record, but this is not a product-supported method.
All you can do is to set up a mechanism to set the status to inactive (both the user and the person record).
In addition, you need to get rid of the existing unique values of the old user record:
a. loginid (only in case it is not renamed as well)
b. email address (only in case it is not renamed as well)
The easiest way to do this is to set up an escalation, but again, there are many things you need to pay attention to:
1) Actually you want to perform the actions only for the old user records, but for this you need a flag. There are three options:
a. The best way would be for the flag to be transferred via VMMSYNC/LDAPSYNC from LDAP. But this is possible only when, for instance, a record in LDAP is disabled; in our case the record doesn't exist anymore.
b. You can set the flag indirectly yourself:
i.
ii.
iii.
Afterwards all users flagged with yes don't exist in LDAP anymore.
c. Don't use a flag, just perform the action for all users (just exclude some technical users like maxadmin).
2) You cannot clear the loginid since it is a mandatory field; likewise you cannot set a fixed value since it is a unique field. Thus you have to overwrite the loginid with another unique value you have: if you use the sAMAccountName for the loginid and CN for the userid, you can use the userid to overwrite the loginid.
In the following there are two examples for an escalation (assumption: userid/personid is CN, loginid is sAMAccountName).
EXAMPLE 1 (the simple but rough method, only applicable when VMMSYNC/LDAPSYNC runs each night)
Actions:
Type           Field               Value
Status change  status              inactive
Set field      loginid             userid
Status change  Person.status       inactive
Set field      Person.primarymail  userid
Important note:
The escalation must run very shortly before VMMSYNC/LDAPSYNC; in between, all users are inactive. Additionally ensure that VMMSYNC/LDAPSYNC has actually run, otherwise all users are still inactive the next morning.
EXAMPLE 2 (the softer way, applicable when VMMSYNC/LDAPSYNC runs several times per day)
This example uses a flag to indicate which users should be inactivated; you can choose an existing and unused field or you can create a new one. In the example we call the flag ACTIONFLAG.
Escalation Point 1:
Actions:
Type           Field               Value
Status change  status              inactive
Set field      loginid             userid
Status change  Person.status       inactive
Set field      Person.primarymail  userid
Escalation Point 2:
SQL Condition: USERID NOT IN (MAXADMIN,)
Actions:
Type       Field       Value
Set field  actionflag
Important notes:
The escalation must always run between VMMSYNC/LDAPSYNC runs, never twice in direct succession, otherwise all users are inactivated.
In VMMSYNC/LDAPSYNC you need to map the actionflag to the fixed value 0.
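To make the interplay of the two escalation points and the sync run concrete, here is an added Python simulation (not part of the original document) of EXAMPLE 2. It assumes userid/personid is CN, loginid is sAMAccountName, that escalation point 2 sets ACTIONFLAG to 1 (the document only states that the sync maps it back to 0), and that LOGINID and the primary email are unique in TPAE; the user records and the rename scenario are constructed.

```python
"""Simulation of the flag-based deactivation from EXAMPLE 2 (added example,
not from the original document). Assumptions: userid/personid is CN, loginid
is sAMAccountName, escalation point 2 sets ACTIONFLAG to 1, and LOGINID and
the primary email are unique in TPAE. All records are constructed."""

TECHNICAL_USERS = {"MAXADMIN", "MAXREG", "MXINTADM", "WASADMIN"}


def vmmsync_run(tpae_users, ldap_entries):
    """Insert/update pass over the LDAP entries. An entry whose loginid or mail
    is still owned by another (old) userid violates a unique key and is
    rejected; rejected userids are returned. ACTIONFLAG is mapped to the fixed
    value 0 for every record that was synchronized."""
    rejected = []
    for entry in ldap_entries:
        userid = entry["cn"].upper()
        loginid = entry["sAMAccountName"].upper()
        if any(u != userid and (r.get("loginid") == loginid or r.get("primarymail") == entry["mail"])
               for u, r in tpae_users.items()):
            rejected.append(userid)
            continue
        rec = tpae_users.setdefault(userid, {"status": "ACTIVE", "person_status": "ACTIVE"})
        rec.update(loginid=loginid, primarymail=entry["mail"], actionflag=0)
    return rejected


def escalation_point_1(tpae_users):
    """Deactivate every user whose flag survived the last sync run (it was not
    found in LDAP) and overwrite the unique fields with the userid."""
    deactivated = []
    for userid, rec in tpae_users.items():
        if userid in TECHNICAL_USERS or rec.get("actionflag") != 1:
            continue
        rec.update(status="INACTIVE", person_status="INACTIVE",
                   loginid=userid, primarymail=userid)
        deactivated.append(userid)
    return deactivated


def escalation_point_2(tpae_users):
    """Arm the flag on all non-technical users (USERID NOT IN (MAXADMIN, ...))."""
    for userid, rec in tpae_users.items():
        if userid not in TECHNICAL_USERS:
            rec["actionflag"] = 1


def cycle(tpae_users, ldap_entries):
    """One escalation run followed by one sync run, as the notes require (never
    two escalation runs back to back). Returns (deactivated, rejected)."""
    deactivated = escalation_point_1(tpae_users)
    escalation_point_2(tpae_users)
    rejected = vmmsync_run(tpae_users, ldap_entries)
    return deactivated, rejected


def demo():
    """Constructed scenario: Bob is renamed to Robert in AD (new CN, same
    sAMAccountName and mail), which changes the Maximo userid."""
    anna = {"cn": "Anna", "sAMAccountName": "anna1", "mail": "anna@example.test"}
    bob = {"cn": "Bob", "sAMAccountName": "bob1", "mail": "bob@example.test"}
    robert = {"cn": "Robert", "sAMAccountName": "bob1", "mail": "bob@example.test"}
    tpae = {"MAXADMIN": {"status": "ACTIVE", "person_status": "ACTIVE", "loginid": "MAXADMIN"}}
    vmmsync_run(tpae, [anna, bob])            # initial load
    runs = [cycle(tpae, [anna, bob]),         # nothing changes
            cycle(tpae, [anna, robert]),      # Robert rejected: bob1 still owned by BOB
            cycle(tpae, [anna, robert])]      # BOB deactivated, Robert inserted
    return tpae, runs


if __name__ == "__main__":
    final_state, run_results = demo()
    for i, (deactivated, rejected) in enumerate(run_results, 1):
        print(f"cycle {i}: deactivated={deactivated} rejected={rejected}")
    print(final_state)
```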
Problem:
In Maximo the supervisor field is a link within the person table and must be populated exactly with the personid of the manager record. In Active Directory, however, the manager attribute is populated neither with CN nor with sAMAccountName but with the distinguishedName of the manager record in AD (the distinguishedName is a kind of key in Active Directory). This means we cannot map the LDAP manager attribute directly to the Maximo supervisor attribute.
The following chapter shows a possible way to transfer the manager attribute from LDAP to Maximo.
Alternatively you can also ask the customer to add an additional manager field in LDAP and to fill it with the corresponding value (CN, sAMAccountName or mail), but very likely he will refuse this. Additionally it is very important that this new manager field contains a valid personid and that the person record already exists in Maximo when you try to load that field.
Table    Attribute              Type  Length
PERSON   DISTINGUISHEDNAME (1)  ALN   150 (2)
PERSON   MANAGER                ALN   150
Since the field businessCategory is defined as a propertiesNotSupported name, you need to delete the line
<config:propertiesNotSupported name="businessCategory"/>
After this the fields distinguishedName and manager are available in the VMMSYNC crontask.
If you don't like to use meaningless names, you can also modify the file wimdomain.xsd. But for this you need the appropriate WAS skill, and as mentioned before it is not really necessary.
In the upper section <attributes> in the UserMapping add the following lines:
<attribute>localityName</attribute>
<attribute>businessCategory</attribute>
After you have ensured that both fields are transferred to Maximo you can continue with step 2.
Object   Relation     Where Clause                 Child Object
PERSON   MANAGER (1)  DISTINGUISHEDNAME = :MANAGER  PERSON
Now you should test the relation. Add the field manager.personid temporarily for test purposes to the Person application (List or Details tab).
The field manager.personid should be filled in most cases; however, in some cases it could be empty. This could have one of the following reasons:
The manager person record does not exist in Maximo for some reason
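As an added example that is not part of the original document, the following Python function reproduces what the relation MANAGER (DISTINGUISHEDNAME = :MANAGER) and the follow-up escalation do: it resolves each manager DN to a personid and reports the records where manager.personid stays empty, including the case above (manager record missing). The person records are constructed; the column length of 150 is taken from the table above, and the DN normalization is an assumption of this example.

```python
"""Resolve the AD manager DN to a Maximo personid (added example, not from
the original document). Person records are constructed."""

DN_COLUMN_LENGTH = 150  # ALN length of PERSON.DISTINGUISHEDNAME / PERSON.MANAGER


def normalize_dn(dn):
    """Compare DNs case-insensitively and without blanks after the commas
    (assumption of this example); both columns must be stored the same way,
    otherwise the where clause of the relation never matches."""
    return ",".join(part.strip() for part in dn.split(",")).upper()


def resolve_supervisors(persons, column_length=DN_COLUMN_LENGTH):
    """Return (updates, unresolved). updates maps personid -> supervisor personid;
    unresolved maps personid -> reason why no supervisor could be derived."""
    index = {}
    for p in persons:
        dn = p.get("distinguishedname") or ""
        if dn:
            index[normalize_dn(dn)] = p["personid"]
    updates, unresolved = {}, {}
    for p in persons:
        manager = p.get("manager") or ""
        if not manager:
            continue  # no manager in AD: nothing to do
        if len(manager) > column_length:
            unresolved[p["personid"]] = f"manager DN longer than {column_length} characters"
            continue
        supervisor = index.get(normalize_dn(manager))
        if supervisor is None:
            unresolved[p["personid"]] = f"no person record with DISTINGUISHEDNAME {manager}"
        elif supervisor == p["personid"]:
            unresolved[p["personid"]] = "manager DN points at the person itself"
        else:
            updates[p["personid"]] = supervisor
    return updates, unresolved


# Constructed sample, DNs in the style of the filter examples in this document.
SAMPLE_PERSONS = [
    {"personid": "AMUELLER",
     "distinguishedname": "CN=Anna Mueller,OU=TIVOLI,DC=AREA01,DC=intern,DC=cust",
     "manager": "cn=Max Muster, OU=TIVOLI, DC=AREA01, DC=intern, DC=cust"},
    {"personid": "MMUSTER",
     "distinguishedname": "CN=Max Muster,OU=TIVOLI,DC=AREA01,DC=intern,DC=cust",
     "manager": ""},
    {"personid": "ETEST",
     "distinguishedname": "CN=Eva Test,OU=TIVOLI,DC=AREA01,DC=intern,DC=cust",
     "manager": "CN=Not Synced,OU=TIVOLI,DC=AREA01,DC=intern,DC=cust"},
    {"personid": "MAXADMIN", "distinguishedname": "", "manager": ""},  # technical user
]

if __name__ == "__main__":
    ok, failed = resolve_supervisors(SAMPLE_PERSONS)
    print("supervisor updates:", ok)
    print("unresolved:", failed)
```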
The escalation should run after each VMMSYNC run, in most cases this means once a day.
Attribute         Short Description
uid               UserID
givenName         First Name
sn                Surname
displayName
street            Street
telephoneNumber   Telephone number
mail              E-Mail address
st                State
postalCode        Zip code
c                 Country
l                 City
Important: If you want to map additional attributes, you have to take care of these two activities:
1. Map the attribute of your LDAP directory to a VMM attribute
2. Map the additional VMM attributes to your MBO attribute in the VMMSYNC task
<config:attributeConfiguration>
<config:attributes defaultValue="544" name="userAccountControl">
<config:entityTypes>PersonAccount</config:entityTypes>
</config:attributes>
<config:attributes name="samAccountName" propertyName="uid">
<config:entityTypes>PersonAccount</config:entityTypes>
</config:attributes>
<config:attributes name="streetAddress" propertyName="street">
<config:entityTypes>PersonAccount</config:entityTypes>
</config:attributes>
<config:attributes name="physicalDeliveryOfficeName" propertyName="postalAddress">
<config:entityTypes>PersonAccount</config:entityTypes>
</config:attributes>
Second, the VMMSYNC task has to be modified to map the required fields to the database tables. Add
the two attributes to attributes section and map them to the database attributes in the person table:
<attributes>
<attribute>uid</attribute>
<attribute>givenName</attribute>
<attribute>sn</attribute>
<attribute>displayName</attribute>
<attribute>street</attribute>
<attribute>telephoneNumber</attribute>
<attribute>mail</attribute>
<attribute>st</attribute>
<attribute>postalCode</attribute>
<attribute>c</attribute>
<attribute>l</attribute>
<attribute>description</attribute>
<attribute>postalAddress</attribute>
</attributes>
<table name="PERSON">
<keycolumn name="PERSONID" type="UPPER">uid</keycolumn>
<column name="FIRSTNAME" type="ALN">givenName</column>
<column name="LASTNAME" type="ALN">sn</column>
<column name="DISPLAYNAME" type="ALN">description</column>
<column name="ADDRESSLINE1" type="ALN">street</column>
<column name="ADDRESSLINE2" type="ALN">postalAddress</column>
<column name="STATEPROVINCE" type="ALN">st</column>
<column name="CITY" type="ALN">l</column>
<column name="POSTALCODE" type="ALN">postalCode</column>
<column name="COUNTRY" type="ALN">c</column>
<column name="PERSONUID" type="INTEGER">{:uniqueid}</column>
</table>
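Forgetting one of the two activities above is a common cause of empty person fields after a sync run. The following Python check is an added example (not part of the original document or of the product): it parses a user mapping in the shape of the excerpt above and reports every VMM attribute used in a column but missing from <attributes>, every declared attribute that no column uses, and every table without a key column. The embedded mapping is constructed with deliberate defects; values in braces such as {:uniqueid} are treated as constants that need no attribute declaration (an assumption of this example).

```python
"""Sanity-check a VMMSYNC user mapping (added example, not from the document)."""
import xml.etree.ElementTree as ET

# Constructed sample mapping in the shape of the User Mapping XML shown above.
# Deliberate defects: ADDRESSLINE2 uses postalAddress without declaring it,
# telephoneNumber is declared but never mapped, and MAXUSER has no keycolumn.
SAMPLE_MAPPING = """<?xml version="1.0" encoding="UTF-8"?>
<ldapsync>
  <user>
    <basedn>DC=intern,DC=adns</basedn>
    <filter>PersonAccount</filter>
    <scope>subtree</scope>
    <attributes>
      <attribute>uid</attribute>
      <attribute>givenName</attribute>
      <attribute>sn</attribute>
      <attribute>street</attribute>
      <attribute>telephoneNumber</attribute>
    </attributes>
    <table name="PERSON">
      <keycolumn name="PERSONID" type="UPPER">uid</keycolumn>
      <column name="FIRSTNAME" type="ALN">givenName</column>
      <column name="LASTNAME" type="ALN">sn</column>
      <column name="ADDRESSLINE1" type="ALN">street</column>
      <column name="ADDRESSLINE2" type="ALN">postalAddress</column>
      <column name="PERSONUID" type="INTEGER">{:uniqueid}</column>
    </table>
    <table name="MAXUSER">
      <column name="LOGINID" type="UPPER">uid</column>
    </table>
  </user>
</ldapsync>
"""


def is_constant(value):
    """Values in braces ({:uniqueid}, ...) are expressions or constants, not
    VMM attributes (assumption of this example)."""
    return value.startswith("{") and value.endswith("}")


def check_user_mapping(xml_text):
    """Return (problems, unused): problems is a list of findings in document
    order, unused the sorted list of declared attributes no column refers to."""
    root = ET.fromstring(xml_text)
    user = root.find("user")
    declared = {a.text.strip() for a in user.find("attributes").findall("attribute")}
    problems, used = [], set()
    for table in user.findall("table"):
        name = table.get("name")
        if not table.findall("keycolumn"):
            problems.append(f"table {name}: no <keycolumn> defined, records cannot be matched")
        for col in table.findall("keycolumn") + table.findall("column"):
            value = (col.text or "").strip()
            if is_constant(value):
                continue
            used.add(value)
            if value not in declared:
                problems.append(
                    f"table {name}, column {col.get('name')}: VMM attribute "
                    f"'{value}' is not listed in <attributes> and is not retrieved from VMM"
                )
    return problems, sorted(declared - used)


if __name__ == "__main__":
    found, unused_attrs = check_user_mapping(SAMPLE_MAPPING)
    for line in found:
        print("PROBLEM:", line)
    for attr in unused_attrs:
        print("UNUSED :", attr)
```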
quite dynamically; therefore an automated management of these records was required in a customer project.
Solution outline:
Use the VMMSYNC task to create the entries in the LABOR and LABORCRAFTRATE tables in addition to the PERSON and MAXUSER tables.
Challenges:
A record had to be created in the table LABOR and in the LABOR child table LABORCRAFTRATE.
These entries should be created only for a certain user group and not for all users: only users which belong to the group MAXIMOUSERS.
Solution:
Create a second VMMSYNC task and specify a filter so that these entries are created for this subset of users only (see filter specification below). Additionally, the original VMMSYNC task is still executed for all users.
The new VMMSYNC task (User Mapping) had to be expanded to contain new table mappings for the two tables LABOR and LABORCRAFTRATE (see specification below). Additionally, new relationships between the MAXUSER and LABOR table (named LABOR) and between the MAXUSER and LABORCRAFTRATE table (named LABORCRAFTRATE) had to be created.
Hint: Creating a new user and the LABOR and LABORCRAFTRATE records in one transaction will fail due to an insert error: the parent does not exist when creating the child entry.
Solution: Make sure that the regular VMMSYNC task (the one which creates/updates all users) runs before the new Labor-VMMSYNC task (which creates the additional LABOR and LABORCRAFTRATE records only).
Example: The regular VMMSYNC task runs at 11 PM, the Labor-VMMSYNC task runs at 11:30 PM.
Filter setting for the new VMMSYNC task (User Mapping) to limit the scope to the persons which belong to the group MAXIMOUSERS:
<filter>PersonAccount' and memberOf='CN=MAXIMOUSERS,OU=TIVOLI,OU=Spezial,DC=AREA01,DC=intern,DC=cust</filter>
This section was added to the new VMMSYNC task (User Mapping) below the email mapping:
<table allowdelete="true" name="LABOR">
<keycolumn name="PERSONID" type="UPPER">uid</keycolumn>
<keycolumn name="LABORCODE" type="UPPER">uid</keycolumn>
</table>
<table allowdelete="true" name="LABORCRAFTRATE">
3.3
3.3.1 Using LDAP filters to retrieve a specific set of users and groups only
If WAS is connected to an LDAP repository, then by default all users belonging to the specified base DN are available in WAS and Maximo TPAE.
It is important to understand that there is a hierarchy in the access to the LDAP data:
1. WAS to LDAP
The access to the LDAP system is configured in the WAS system. Users and groups are retrieved from LDAP and are available in WAS VMM (Virtual Member Manager).
2. TPAE to WAS VMM
The TPAE VMMSYNC task connects to the WAS VMM, but it does not connect to the LDAP system directly. Therefore only the users and groups in WAS VMM are visible for TPAE.
Filters may be specified at both levels of this cascaded architecture in order to retrieve only the required set of users and groups.
Group Mapping:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE ldapsync SYSTEM "ldapgroup.dtd">
<ldapsync>
<group>
<basedn>OU=TIVOLI,DC=ORG,DC=intern,DC=adns</basedn>
<filter>Group</filter>
<scope>subtree</scope>
<attributes>
User Mapping:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE ldapsync SYSTEM "ldapuser.dtd">
<ldapsync>
<user>
<basedn>DC=intern,DC=adns</basedn>
<filter>PersonAccount' and memberOf!='CN=MAXIMOUSERS,OU=TIVOLI,DC=ORG,DC=intern,DC=adns</filter>
<scope>subtree</scope>
Passthrough Authentication has to be configured in the ITDS system (which serves as the user repository for the TPAE system).
The user must exist (with password) in the LDAP server the Passthrough Authentication is pointing to.
Example:
dn: cn=Configuration
ibm-slapdPtaEnabled: true
dn: cn=Passthrough Server1, cn=Passthrough Authentication, cn=Configuration
changetype: add
cn: passthrough Server1
ibm-slapdPtaURL: ldap://msad.net.de:389
ibm-slapdPtaSubtree: ou=users,ou=itsm,o=it,c=de
ibm-slapdPtaMigratePwd: false
ibm-slapdPtaAttrMapping: uid $ cn
ibm-slapdPtaSearchBase: ou=org,dc=it,dc=de
ibm-slapdPtaBindDN: CN=LDAP_ITSM,OU=ORGUSERS,OU=ORG,DC=IT,DC=DE
ibm-slapdPtabindPW: maximo4msad
objectclass: top
objectclass: ibm-slapdConfigEntry
objectclass: ibm-slapdPta
objectclass: ibm-slapdPtaExt
Description of the configuration lines (ITDS is the TPAE user repository, MSAD is the remote user repository which is the target of PTA; each description follows the line it refers to):
dn: cn=Configuration
ibm-slapdPtaEnabled: true
dn: cn=Passthrough Server1, cn=Passthrough Authentication, cn=Configuration
changetype: add
cn: passthrough Server1
ibm-slapdPtaURL: ldap://msad.net.de:389
    -> Enter MSAD address here
ibm-slapdPtaSubtree: ou=users,ou=itsm,o=it,c=de
    -> Enter ITDS hierarchy here
ibm-slapdPtaMigratePwd: false
ibm-slapdPtaAttrMapping: uid $ cn
    -> Mapping of key values uid/ITDS to cn/MSAD
ibm-slapdPtaSearchBase: ou=org,dc=it,dc=de
    -> User search base in MSAD
ibm-slapdPtaBindDN: CN=LDAP_ITSM,OU=ORGUSERS,OU=ORG,DC=IT,DC=DE
    -> User in MSAD used for authentication
ibm-slapdPtabindPW: maximo4msad
    -> Password of this user in MSAD
objectclass: top
objectclass: ibm-slapdConfigEntry
objectclass: ibm-slapdPta
objectclass: ibm-slapdPtaExt
Hint: PTA is configured in ITDS only. The PTA configuration is not visible for WAS VMM. WAS VMM will
not notice if PTA is used in the ITDS system or not.
Important hint: WAS VMM will not accept duplicate users in the LDAP. The result is that the user(s) with duplicate entries will not be able to log in. In case your meta directory does not take care of this issue, the WAS LDAP filter can be used to filter the correct userid (see chapter 3.3.1 for details).
Add the repository as described in the TPAE product manuals (e.g. CCMDB 7.2.1 - Planning and Installation Guide, Chapter 8: Manually configuring the J2EE Server - Manually configuring WebSphere Application Server Network Deployment - Manually configuring Virtual Member Manager on WebSphere Application Server Network Deployment, page 228, topics 1-23).
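Before choosing the userid and loginid attributes for a multi-repository setup (point 2b of the userid discussion earlier in this document) and before relying on WAS VMM to accept every user (the duplicate-user hint above), it pays to check the candidate attributes for collisions across all repositories. The following Python script is an added example, not part of the original document: the two AD domains and their entries are constructed, and values are compared upper-cased because the key columns are mapped with type UPPER.

```python
"""Check which candidate key attribute is unique across all LDAP repositories
(added example, not from the original document). A value held by more than
one entry in the federated realm means at least one user cannot log in."""
from collections import defaultdict

CANDIDATES = ("cn", "sAMAccountName", "mail")

# Constructed sample: two AD domains whose CN and sAMAccountName values overlap.
SAMPLE_REPOSITORIES = {
    "DC=AREA01,DC=intern,DC=cust": [
        {"cn": "Anna Beispiel", "sAMAccountName": "abeispiel", "mail": "anna.beispiel@area01.example"},
        {"cn": "Max Muster", "sAMAccountName": "mmuster", "mail": "max.muster@area01.example"},
    ],
    "DC=AREA02,DC=intern,DC=cust": [
        {"cn": "Max Muster", "sAMAccountName": "mmuster2", "mail": "max.muster@area02.example"},
        {"cn": "Eva Test", "sAMAccountName": "abeispiel", "mail": "eva.test@area02.example"},
    ],
}


def find_duplicates(repositories, attribute):
    """Return {value: [repository, ...]} for every value of `attribute` that is
    held by more than one entry, within a repository or across repositories.
    Values are upper-cased because Maximo maps the key columns with type UPPER."""
    holders = defaultdict(list)
    for repo, entries in repositories.items():
        for entry in entries:
            value = entry.get(attribute)
            if value:
                holders[value.upper()].append(repo)
    return {value: repos for value, repos in holders.items() if len(repos) > 1}


def unique_candidates(repositories):
    """Candidate attributes with no duplicates, i.e. usable as userid/loginid."""
    return [attr for attr in CANDIDATES if not find_duplicates(repositories, attr)]


def report(repositories):
    """One line per candidate attribute, listing the colliding values."""
    lines = []
    for attr in CANDIDATES:
        dups = find_duplicates(repositories, attr)
        if dups:
            lines.append(f"{attr}: NOT unique, duplicates: " + ", ".join(sorted(dups)))
        else:
            lines.append(f"{attr}: unique across all repositories")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REPOSITORIES)))
    print("usable key attributes:", unique_candidates(SAMPLE_REPOSITORIES))
```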
When you add one single LDAP repository it is recommended to use the same entries for both the base DN in the realm and the DN of the base entry in the repository (see screenshot). This configuration is easier to handle later, e.g. when adding the base DN to the VMMSYNC task in Maximo.
If not already done, add the WAS built-in repository to the VMM realm by clicking on Use built-in repository, then Ok and Save.
5. Create technical users in the local WAS repository using the WebSphere user and group management: press Create.
Create the users maxadmin, mxintadm and maxreg as described above. You do not need to create the user wasadmin, because this user is already included in the WAS built-in repository.
6. Restart the WebSphere Deployment Manager.
You can check your configuration by opening the users application again and pressing the 'Search' button. All users (both the four technical users and the LDAP users) should appear.
Since you can use a global catalog like any other LDAP repository, this would be the easiest and smartest way to connect TPAE to multiple LDAP servers. However, if there is no global catalog and the customer tries to avoid this effort, you can connect the individual LDAP repositories.
Make sure that Available realm definition is configured to Federated repositories. Press Configure to
configure the individual LDAP repositories.
For the realm name you can choose any name; to add an LDAP repository press Add Base entry to Realm.
Populate both fields with the base DN of your repository and press Add Repository to configure the server.
Give your repository a name and choose the directory type, for instance Microsoft Windows Server 2003 Active Directory. Define the primary host with the corresponding port, and finally specify your LDAP user to access the LDAP in the Security section.
Hint:
Before you start to configure your VMMSYNC Task, you should check under User and Group / Manage
users whether you can see the users from your various LDAP repositories. If necessary, you need to do
some manual changes in the wimconfig.xml.
First set up one VMMSYNC instance for one repository. Make sure that you specify the correct
principal and base DN. Afterwards run a test.
Duplicate the VMMSYNC instance, and change at least principal and base DN.
As mentioned before, for userid and loginid you need key values which are unique across all
repositories. This often is only the mail address.
Unfortunately you cannot use the same security group names in each repository. The reason is the behaviour of the VMMSYNC task: in each run, all users of a security group are first removed in TPAE and afterwards newly assigned. The result is that a security group contains the users from one repository only (the last scheduled one). You need to define different names to avoid this, for instance different prefixes or suffixes. Of course you then have several sets of security groups in TPAE.
3.3.4.1 Switch TDS base distinguished name from default to customer defined
This task consists of the following steps, which were executed in a CCMDB 7.1.1 environment.
The DN ou=SWG,o=ibm,c=us should be changed to ou=ccmdb,ou=prod,ou=sysman,ou=unit,o=customer,c=de.
VMM provides you with the ability to access and maintain user data in multiple repositories, and federate
that data into a single virtual repository. The federated repository consists of a single named realm, which
is a set of independent user repositories. Each repository may be an entire external repository or, in the
case of LDAP, a subtree within that repository. The root of each repository is mapped to a base entry
within the federated repository, which is a starting point within the hierarchical namespace of the virtual
realm.
Note that if you intend to configure VMM to use SSL with a federated LDAP repository, it must be done
only after a successful CCMDB installation. If VMM is configured to use SSL with a federated LDAP
repository prior to completing the CCMDB installation, the installation will fail. Do not configure a
WebSphere VMM LDAP federated repository to use SSL with a LDAP directory prior to installing
CCMDB. Configure SSL after the CCMDB installation program has completed successfully.
To add a LDAP directory to the VMM virtual repository, you must first add the LDAP directory to the list of
repositories available for configuration for the federated repository and then add the root of baseEntries to
a search base within the LDAP directory. Multiple base entries can be added with different search bases
for a single LDAP directory.
Important: Before you begin this procedure, ensure you have a wasadmin user created in your LDAP
repository.
To add the IBM Tivoli Directory Server to VMM, complete the following steps:
1. Login to the admin console, then navigate to Security -> Secure administration, applications,
and infrastructure.
2. Locate the User account repository section and pick Federated repositories from Available
realm definition, and then click Configure.
3. Click Manage repositories, located under Related Items.
4. Click Add to create new repository definition under the current default realm.
5. Enter the following values, and then click Apply and the click Save.
Repository identifier
Enter customer.
Directory type
Select the directory type IBM Tivoli Directory Server Version 6.
Primary host name
Enter the fully-qualified host name or IP address of the IBM Tivoli Directory Server.
Port
Enter 389.
Support referrals to other LDAP servers
Set this to ignore.
Bind distinguished name
Enter cn=root
Bind password
Enter the password for the bind distinguished name.
Login properties
Leave this value blank.
Certificate mapping
Select EXACT_DN
6. Return to the Federated repositories page by clicking Security -> Secure administration,
applications, and infrastructure, selecting Federated repositories from the Available realm
definitions drop-down list, and then clicking Configure.
7. Locate the Repositories in the realm section and click Add Base entry to Realm.
Note that if there is an existing file repository entry in the Repositories in the realm table, you
must select it, click Remove, and save the change after creating the new entry.
8. Enter the following values, and then click Apply and then click Save.
Repository
Select customer.
Distinguished name of a base entry that uniquely identifies this set of entries in the realm
ou=ccmdb,ou=prod,ou=sysman,ou=unit,o=customer,c=de
Distinguished name of a base entry in this repository
ou=ccmdb,ou=prod,ou=sysman,ou=unit,o=customer,c=de
9. From the Federated repositories configuration page, enter the following values and then click
Apply and then click Save:
Realm name
Enter ISMRealm.
Primary administrative user name
Enter wasadmin. This value should be a valid user from the configured LDAP repository.
Server user identity
Select Automatically generated server identity.
Ignore case for authorization
Select this check box.
10. Click Supported entity types, and then click PersonAccount.
11. From the PersonAccount configuration page, enter the following values:
Entity type
Verify that the value is PersonAccount.
Base entry for the default parent
Enter ou=users,ou=ccmdb,ou=prod,ou=sysman,ou=unit,o=customer,c=de
Relative Distinguished Name properties
Enter uid.
12. Click OK and then click Save
13. Click Supported entity types, and then click Group.
14. From the Group configuration page, enter the following values:
Entity type
Verify that the value is Group.
Base entry for the default parent
Enter ou=groups,ou=ccmdb,ou=prod,ou=sysman,ou=unit,o=customer,c=de
Relative Distinguished Name properties
Enter cn.
15. Click Supported entity types, and then click OrgContainer.
16. From the OrgContainer configuration page, enter or verify the following values:
Entity type
Verify that the value is OrgContainer.
Base entry for the default parent
Enter ou=prod,ou=sysman,ou=unit,o=customer,c=de
Relative Distinguished Name properties
Enter o;ou;dc;cn.
17. Click OK and then click Save
18. Navigate to Security > Secure administration, applications, and infrastructure.
19. From the Secure administration, applications, and infrastructure configuration page, complete
the following:
a. Enable administrative security.
b. Enable application security.
c. Deselect Use Java 2 security to restrict application access to local resources.
d. From Available realm definition, select Federated repositories.
e. Click Set as current.
20. Click Apply, and then click Save.
21. Restart WebSphere and the managed nodes:
/<instdir>/WebSphere/AppServer/profiles/ctgAppSrv01/bin/stopServer.sh MXServer
-username wasadmin -password <pwd>
/<instdir>/WebSphere/AppServer/profiles/ctgAppSrv01/bin/stopNode.sh
-username wasadmin -password <pwd>
/<instdir>/WebSphere/AppServer/profiles/ctgDmgr01/bin/stopManager.sh
-username wasadmin -password <pwd>
/<instdir>/HTTPServer/bin/apachectl stop
/<instdir>/HTTPServer/bin/apachectl start
/<instdir>/WebSphere/AppServer/profiles/ctgDmgr01/bin/startManager.sh
/<instdir>/WebSphere/AppServer/profiles/ctgAppSrv01/bin/startNode.sh
/<instdir>/WebSphere/AppServer/profiles/ctgAppSrv01/bin/startServer.sh MXServer
If you have problems logging in to WebSphere or to CCMDB, restore the wimconfig.xml file from the
backup file wimconfig.xml.IBM.
Create a new user in TDS and check if you can see it in WebSphere.
Check if the VMMSYNC cron task is running in CCMDB and if the new user is mapped to the CCMDB
user repository.
But what should you do if your organisation is using an LDAP system different from the ones named
above? WAS VMM supports more LDAP systems than the ones tested with TPAE.
Install/configure your TPAE system with ITDS (ITDS is shipped free for use with TPAE).
Back up your WAS VMM configuration, wimconfig.xml (it will be used for PMR handling or during
upgrades only).
Configure WAS VMM to connect to your (not supported) LDAP system and test that the required
users/groups are visible in the WAS Admin Console Manage Users/Groups section.
Most likely, you will need to modify the field mapping in the wimconfig.xml file in order to get the
required data into the required field in TPAE.
In case IBM support asks you during a PMR process to recreate the issue without your
non-supported LDAP configuration (this has not happened with multiple customers so far), you just need to
replace your wimconfig.xml file with the one corresponding to your ITDS server and restart the WAS cell.
Enable SSL
Select TrustStore
Get the security certificate from your LDAP admin or the appropriate signer certificate.
maximouiweb\webmodule\web-inf\web.xml
maxrestweb\webmodule\web-inf\web.xml
mboweb\webmodule\web-inf\web.xml
meaweb\webmodule\web-inf\web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>App Service Servlet</web-resource-name>
<description>App Service Servlet (HTTP POST) accessible by authorized
users</description>
<url-pattern>/ss/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>Roles that have access to App Service Servlet (HTTP POST)</description>
<role-name>maximouser</role-name>
</auth-constraint>
<user-data-constraint>
<description>data transmission gaurantee</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Workflow Service Servlet</web-resource-name>
<description>Workflow Service Servlet (HTTP POST) accessible by authorized
users</description>
<url-pattern>/wf/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Object Structure Service Servlet</web-resource-name>
<description>Object Structure Service Servlet (HTTP POST) accessible by authorized
users</description>
<url-pattern>/os/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>Roles that have access to Object Structure Service Servlet (HTTP
POST)</description>
<role-name>maximouser</role-name>
</auth-constraint>
<user-data-constraint>
<description>data transmission gaurantee</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Integration Web Services</web-resource-name>
<description>Integration Web Services accessible by authorized users</description>
<url-pattern>/services/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>Roles that have access to Integration Web Services</description>
<role-name>maximouser</role-name>
</auth-constraint>
<user-data-constraint>
<description>data transmission gaurantee</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<description>MAXIMO Application Users</description>
<role-name>maximouser</role-name>
</security-role>
-->
Comment the following section and set env-entry-value to 0:
<!-- <env-entry>
Now only the technical users maxadmin, mxintadm and maxreg are available in Maximo.
Tip: You can decide to either use form-based or basic login to Maximo.
For form-based login, comment the BASIC login-config section and uncomment the FORM login-config section in all web.xml files.
<!-- <login-config>
<auth-method>BASIC</auth-method>
<realm-name>MAXIMO Web Application Realm</realm-name>
</login-config>
-->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>MAXIMO Web Application Realm</realm-name>
<form-login-config>
<form-login-page>/webclient/login/login.jsp?appservauth=true</form-login-page>
<form-error-page>/webclient/login/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>
In order to use basic login, uncomment the BASIC login-config section and comment the FORM login-config section in all web.xml files.
maximouiweb\webmodule\web-inf\web.xml
maxrestweb\webmodule\web-inf\web.xml
mboweb\webmodule\web-inf\web.xml
meaweb\webmodule\web-inf\web.xml
</web-resource-collection>
<auth-constraint>
<description>Roles that have access to Enterprise Service Servlet (HTTP
POST)</description>
<role-name>maximouser</role-name>
</auth-constraint>
<user-data-constraint>
<description>data transmission gaurantee</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>App Service Servlet</web-resource-name>
<description>App Service Servlet (HTTP POST) accessible by authorized
users</description>
<url-pattern>/ss/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>Roles that have access to App Service Servlet (HTTP POST)</description>
<role-name>maximouser</role-name>
</auth-constraint>
<user-data-constraint>
<description>data transmission gaurantee</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Workflow Service Servlet</web-resource-name>
<description>Workflow Service Servlet (HTTP POST) accessible by authorized
users</description>
<url-pattern>/wf/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>Roles that have access to Workflow Service Servlet (HTTP
POST)</description>
<role-name>maximouser</role-name>
</auth-constraint>
<user-data-constraint>
<description>data transmission gaurantee</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Object Structure Service Servlet</web-resource-name>
<security-constraint>
<web-resource-collection>
<web-resource-name>Integration Web Services</web-resource-name>
<description>Integration Web Services accessible by authorized users</description>
<url-pattern>/services/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>Roles that have access to Integration Web Services</description>
<role-name>maximouser</role-name>
</auth-constraint>
<user-data-constraint>
<description>data transmission gaurantee</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<description>MAXIMO Application Users</description>
<role-name>maximouser</role-name>
</security-role>
Tip: You can decide to either use form-based or basic login to Maximo.
For form-based login, comment the BASIC login-config section and uncomment the FORM login-config section in all web.xml files.
<!-- <login-config>
<auth-method>BASIC</auth-method>
<realm-name>MAXIMO Web Application Realm</realm-name>
</login-config>
-->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>MAXIMO Web Application Realm</realm-name>
<form-login-config>
<form-login-page>/webclient/login/login.jsp?appservauth=true</form-login-page>
<form-error-page>/webclient/login/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>
In order to use basic login, uncomment the BASIC login-config section and comment the FORM login-config section in all web.xml files.
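After editing the web.xml files as described in the two web.xml sections above, it pays to verify the result rather than trust the edit: which security-constraints are still active, which servlet paths are left without any constraint, whether FORM or BASIC login is in force, and which paths carry transport-guarantee NONE (the container then does not force HTTPS for them). The audit script below is an added example, not Maximo code; the sample web.xml is a constructed fragment modelled on the file shown above, and the parser drops commented-out sections exactly as the container ignores them.

```python
"""Audit a Maximo-style web.xml for active security-constraint and
login-config settings. Added example, not Maximo code."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed fragment modelled on the web.xml shown in the text: the /ui/*
# constraint is active, the /services/* constraint and the BASIC login-config
# are commented out, and FORM login is active.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet-mapping>
    <servlet-name>webclient</servlet-name>
    <url-pattern>/ui/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>intdownload</servlet-name>
    <url-pattern>/intdownload/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>secureprovider</servlet-name>
    <url-pattern>/servlet/secureprovider</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MAXIMO UI pages</web-resource-name>
      <url-pattern>/ui/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>maximouser</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <!--
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Integration Web Services</web-resource-name>
      <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>maximouser</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/webclient/login/login.jsp?appservauth=true</form-login-page>
      <form-error-page>/webclient/login/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
"""


def pattern_covers(constraint_pattern: str, mapping_pattern: str) -> bool:
    """Servlet-spec prefix matching: /ui/* covers /ui/*, /ui/anything and /ui."""
    if constraint_pattern.endswith("/*"):
        prefix = constraint_pattern[:-1]                 # "/ui/"
        return mapping_pattern.startswith(prefix) or mapping_pattern == prefix[:-1]
    return constraint_pattern == mapping_pattern


def audit_web_xml(xml_text: str) -> Dict[str, object]:
    """Report active constraints; commented-out sections never reach the tree."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                               # drop the j2ee namespace
        el.tag = el.tag.rsplit("}", 1)[-1]
    constraints: List[Dict[str, object]] = []
    for sc in root.findall("security-constraint"):
        constraints.append({
            "patterns": [p.text.strip() for p in sc.iter("url-pattern")],
            "roles": [r.text.strip() for r in sc.iter("role-name")],
            # NONE is the servlet-spec default when user-data-constraint is absent
            "transport": sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip(),
        })
    mappings = [m.findtext("url-pattern", "").strip() for m in root.findall("servlet-mapping")]
    covered = [p for c in constraints for p in c["patterns"]]
    return {
        "auth_method": (root.findtext("login-config/auth-method") or "").strip(),
        "constraints": constraints,
        # servlet paths no active constraint protects: no container login required
        "uncovered": [m for m in mappings if not any(pattern_covers(p, m) for p in covered)],
        # transport-guarantee NONE: the container will also serve these over plain HTTP
        "cleartext": [p for c in constraints if c["transport"] == "NONE" for p in c["patterns"]],
    }


if __name__ == "__main__":
    for key, value in audit_web_xml(SAMPLE_WEB_XML).items():
        print(f"{key:12}: {value}")
```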
#com.collation.security.usermanagementmodule=file
com.collation.security.usermanagementmodule=vmm
#com.collation.security.auth.websphereHost=
com.collation.security.auth.websphereHost=<washostname>
#com.collation.security.auth.webspherePort=
com.collation.security.auth.webspherePort=9809
#com.collation.security.auth.VMMAdminUsername=
com.collation.security.auth.VMMAdminUsername=wasadmin
#com.collation.security.auth.VMMAdminPassword=
com.collation.security.auth.VMMAdminPassword=<password>
#authnServiceURL=http://localhost:9080/TokenService/services/Trust
authnServiceURL=http://<washostname>:9080/TokenService/services/Trust
#com.ibm.CORBA.securityServerHost=
com.ibm.CORBA.securityServerHost=<washostname>
#com.ibm.CORBA.securityServerPort=
com.ibm.CORBA.securityServerPort=9809
#com.ibm.CORBA.loginUserid=
com.ibm.CORBA.loginUserid=wasadmin
#com.ibm.CORBA.loginPassword=
com.ibm.CORBA.loginPassword=<password>
Below you will find how TADDM was configured for user authentication with the Microsoft Active Directory
directly.
#com.collation.security.usermanagementmodule=file
com.collation.security.usermanagementmodule=ldap
#com.collation.security.auth.ldapAuthenticationEnabled=false
com.collation.security.auth.ldapAuthenticationEnabled=true
#com.collation.security.auth.ldapHostName=ldap.eng.collation.net
com.collation.security.auth.ldapHostName=<msadfqdn>
#com.collation.security.auth.ldapBaseDN=ou=People,dc=Collation,dc=net
com.collation.security.auth.ldapBaseDN=DC=<one>,DC=<two>,DC=<three>
com.collation.security.auth.ldapBindDN=CN=servicenetcool,OU=Users,OU=DomainManagement,DC=<one>,DC=<two>,DC=<three>
com.collation.security.auth.ldapBindPassword=<password>
#com.collation.security.auth.ldapUserObjectClass=person
com.collation.security.auth.ldapUserObjectClass=user
#com.collation.security.auth.ldapUIDNamingAttribute=cn
com.collation.security.auth.ldapUIDNamingAttribute=sAMAccountName
#com.collation.security.auth.ldapGroupObjectClass=groupofuniquenames
com.collation.security.auth.ldapGroupObjectClass=group
#com.collation.security.auth.ldapGroupNamingAttribute=cn
com.collation.security.auth.ldapGroupNamingAttribute=sAMAccountName
To activate file-based authentication you need to copy collation.properties.filebased to collation.properties and restart TADDM.
Within the file-based authentication configuration the following users were created:
Table 1: TADDM User
User
administrator
supervisor
Role
administrator
administrator
supervisor
Group
admin_users
admin_users
supervisor_users
operator
supervisor
operator
supervisor_users
operator_users
After changing authentication to LDAP, users who have an Active Directory account can log in to
TADDM with their AD password.
Successfully authenticated users get TADDM authorisation according to their configured TADDM
roles. Users without a configured TADDM role get operator authorisation by default.
3.6 Configuration
3.6.1 Saving the old configuration (maxdb71 & wimconfig.xml)
Before modifying authentication and synchronization methods you should save your existing
configuration.
This includes the following tasks:
Backup database
Log on to TPAE
Add the loggers LDAPSYNC / VMMSYNC using the New Row button
Modify the log level using the magnifier icon right to the log level (choose DEBUG for the
maximum of information)
Optionally you can configure a dedicated file for the output (instead of SystemOut.log). For this
you can configure the appender Rolling.
Save the configuration and apply the settings via the Select Action menu
By default the loggers send their output to the SystemOut.log of the MXServer.
Important note:
Unfortunately this works only up to 5000 assignments. Even though it is possible to set the parameter
MaxValRange higher than 5000, the current versions of MS AD have a limitation so that
LDAPSYNC/VMMSYNC can only assign up to 5000 users to a security group.
This means that if you have more than 5000 users in a group, you need to split them into groups with
up to 5000 users each. This is certainly not a perfect solution, but at this time the only practicable workaround.
Check whether the user is available in WAS: under User and Group / Manage users, check whether
you can find the user. If not, check the filter you have defined in WAS VMM.
Check in TPAE whether the user name, or better the loginID, exists.
If not, configure the logger for your LDAPSYNC / VMMSYNC cron tasks to see whether there is a
problem with that user.
If no user record is replicated to TPAE by LDAPSYNC / VMMSYNC, check whether the defined
principal has the appropriate rights in WAS. To do this, log in to the WebSphere administration
console and check the following:
5. Appendix A
5.1 web.xml Files
5.1.1 MAXIMOUIWEB web.xml for SSO
<?xml version="1.0" encoding="UTF-8"?><web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="WebApp_1165873169281" version="2.4"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>MAXIMO Web Application</display-name>
<context-param>
<param-name>loginpage</param-name>
<param-value>../jsp/common/system/login.jsp</param-value>
</context-param>
<!--ADDCONTEXTPARAMHERE-->
<filter>
<filter-name>HttpMaxAgeFilter</filter-name>
<filter-class>psdi.webclient.system.filter.HttpMaxAgeFilter</filter-class>
<init-param>
<param-name>Cache-Control</param-name>
<param-value>max-age=2764800</param-value>
</init-param>
<init-param>
<param-name>Pragma</param-name>
<param-value>max-age=2764800</param-value>
</init-param>
</filter>
<!-- Uncomment this line for Maximo Activity Dashboard
<filter>
<filter-name>PerfMon</filter-name>
<filter-class>psdi.webclient.system.filter.PerformanceMonitor</filter-class>
</filter>
-->
<!-- Uncomment this line for Calling into TIP for context menus
<filter>
<filter-name>TIPCMSFilter</filter-name>
<filter-class>psdi.webclient.system.filter.TIPCMSFilter</filter-class>
</filter>
-->
<!-- Uncomment this line for Cross Site Scripting Problem -->
<filter>
<filter-name>HttpCrossSiteScriptingSecurity</filter-name>
<filter-class>psdi.webclient.system.filter.HttpCrossSiteScriptingSecurity</filter-class>
<init-param>
<param-name>script</param-name>
<param-value>script</param-value>
</init-param>
</filter>
<param-name>output-filename</param-name>
<param-value>c:\merlin\HttpThroughputFilter.txt</param-value>
</init-param>
</filter>
-->
<!-- Uncomment these lines to enable the modified new byte count filter. Change "saveoutput" value to "false" if desire is
to see output in dos window.
<filter>
<filter-name>HttpAppThroughputFilter</filter-name>
<filter-class>psdi.webclient.system.filter.HttpAppThroughputFilter</filter-class>
<init-param>
<param-name>output-filename</param-name>
<param-value>c:\harrier\HttpAppThroughputFilter.csv</param-value>
</init-param>
<init-param>
<param-name>saveoutput</param-name>
<param-value>true</param-value>
</init-param>
</filter>
-->
<!--ADDFILTERHERE-->
<filter-mapping>
<filter-name>HttpMaxAgeFilter</filter-name>
<url-pattern>/webclient/javascript/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>HttpMaxAgeFilter</filter-name>
<url-pattern>/webclient/images/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>HttpMaxAgeFilter</filter-name>
<url-pattern>/webclient/login/images/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>HttpMaxAgeFilter</filter-name>
<url-pattern>/webclient/css/*</url-pattern>
</filter-mapping>
</filter-mapping>
<filter-mapping>
<filter-name>HttpThroughputFilter</filter-name>
<url-pattern>/webclient/javascript/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>HttpThroughputFilter</filter-name>
<url-pattern>/webclient/images/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>HttpThroughputFilter</filter-name>
<url-pattern>/webclient/controls/*/*.css</url-pattern>
</filter-mapping>
-->
<!-- Uncomment these lines to enable the new byte counting of http requests
<filter-mapping>
<filter-name>HttpAppThroughputFilter</filter-name>
<url-pattern>/ui/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>HttpAppThroughputFilter</filter-name>
<url-pattern>/webclient/javascript/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>HttpAppThroughputFilter</filter-name>
<url-pattern>/webclient/images/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>HttpAppThroughputFilter</filter-name>
<url-pattern>/webclient/css/*.css</url-pattern>
</filter-mapping>
-->
<!--ADDFILTERMAPPINGHERE-->
<servlet>
<description>Scheduler Servlet</description>
<display-name>Scheduler Servlet</display-name>
<servlet-name>SchedulerServlet</servlet-name>
<servlet-class>com.ibm.tivoli.maximo.skd.servlet.SKDServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>ipcsystem</servlet-name>
<servlet-class>psdi.webclient.servlet.IpcClientServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>wfmapservlet</servlet-name>
<servlet-class>psdi.webclient.servlet.WFMapServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>webclient</servlet-name>
<servlet-class>psdi.webclient.servlet.WebClientServlet</servlet-class>
<init-param>
<!-- The character encoding the servlet will use for all http requests and
request responses. -->
<param-name>char_encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
</servlet>
<servlet>
<description>This servlet is used for secure attachment link</description>
<servlet-name>secureprovider</servlet-name>
<servlet-class>psdi.webclient.servlet.RedirectServlet</servlet-class>
<init-param>
<!-- The character encoding the servlet will use for all http requests and
request responses. -->
<param-name>char_encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
</servlet>
<servlet>
<servlet>
<servlet-name>intdownload</servlet-name>
<servlet-class>psdi.webclient.servlet.IntegrationFileDownloadServlet</servlet-class>
</servlet>
<!-- BIRT REPORT SERVLETS BEGIN -->
<servlet>
<description>Starts and sets up Report platform</description>
<display-name>Report Web Application Startup Servlet</display-name>
<servlet-name>ReportWebAppStartupServlet</servlet-name>
<servlet-class>com.ibm.tivoli.maximo.report.birt.servlet.ReportWebAppStartupServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<description>Report Bridge Servlet</description>
<display-name>Report Bridge Servlet</display-name>
<servlet-name>ReportBridgeServlet</servlet-name>
<servlet-class>com.ibm.tivoli.maximo.report.birt.bridge.launcher.BridgeServlet</servlet-class>
<init-param>
<param-name>frameworkLauncherClass</param-name>
<param-value>com.ibm.tivoli.maximo.report.birt.servlet.MXWebAppOSGiFrameworkLauncher</param-value>
</init-param>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet>
<description>Processes all report requests</description>
<display-name>Report Request Process Servlet</display-name>
<servlet-name>ReportRequestProcessServlet</servlet-name>
<servlet-class>com.ibm.tivoli.maximo.report.birt.servlet.ReportRequestProcessServlet</servlet-class>
<init-param>
<param-name>bridgeservletmap</param-name>
<param-value>/bridge/</param-value>
</init-param>
<load-on-startup>3</load-on-startup>
</servlet>
<servlet>
<description>Allows the executed report contents to be downloaded</description>
<display-name>Report Download Process Servlet</display-name>
<servlet-name>ReportDownloadProcessServlet</servlet-name>
<servlet-class>com.ibm.tivoli.maximo.report.birt.servlet.ReportDownloadProcessServlet</servlet-class>
<init-param>
<param-name>bridgeservletmap</param-name>
<param-value>/bridge/</param-value>
</init-param>
<load-on-startup>4</load-on-startup>
</servlet>
<servlet>
<description>Allows the executed report contents to be extracted</description>
<display-name>Report Extract Process Servlet</display-name>
<servlet-name>ReportExtractProcessServlet</servlet-name>
<servlet-class>com.ibm.tivoli.maximo.report.birt.servlet.ReportExtractProcessServlet</servlet-class>
<init-param>
<param-name>bridgeservletmap</param-name>
<param-value>/bridge/</param-value>
</init-param>
<load-on-startup>4</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>SchedulerServlet</servlet-name>
<url-pattern>/skd/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ReportBridgeServlet</servlet-name>
<url-pattern>/bridge/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ReportRequestProcessServlet</servlet-name>
<url-pattern>/report/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ReportDownloadProcessServlet</servlet-name>
<url-pattern>/download/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ReportDownloadProcessServlet</servlet-name>
<url-pattern>/output/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ReportExtractProcessServlet</servlet-name>
<url-pattern>/extract/*</url-pattern>
</servlet-mapping>
<!-- BIRT REPORT SERVLETS END -->
<servlet-mapping>
<servlet-name>webclient</servlet-name>
<url-pattern>/ui/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>secureprovider</servlet-name>
<url-pattern>/servlet/secureprovider</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ControlInterfaceServlet</servlet-name>
<url-pattern>/ControlInterfaceServlet/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>wfmapservlet</servlet-name>
<url-pattern>/wfmap/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ipcsystem</servlet-name>
<url-pattern>/servlet/ipcsystem</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>chartservlet</servlet-name>
<url-pattern>/servlet/chartservlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>sessionservlet</servlet-name>
<url-pattern>/servlet/sessionservlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>recordimageservlet</servlet-name>
<url-pattern>/recordimage/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>SilentPrintServlet</servlet-name>
<url-pattern>/servlet/SilentPrintServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>migration</servlet-name>
<url-pattern>/migration/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>intdownload</servlet-name>
<url-pattern>/intdownload/*</url-pattern>
</servlet-mapping>
<session-config>
<!-- The session-timeout element defines the default session timeout
interval for all sessions created in this web application. The
specified timeout must be expressed in a whole number of minutes. -->
<session-timeout>30</session-timeout>
</session-config>
<mime-mapping>
<extension>xls</extension>
<mime-type>application/vnd.ms-excel</mime-type>
</mime-mapping>
<!-- The welcome-file-list contains an ordered list of welcome files
elements. -->
<welcome-file-list>
<!-- The welcome-file element contains file name to use as a default
welcome file, such as index.html -->
<welcome-file>/ui/maximo.jsp?welcome=true</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>MAXIMO UI pages</web-resource-name>
<description>pages accessible by authorised users</description>
<url-pattern>/ui/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>MAXIMO UI utility pages</web-resource-name>
<description>pages accessible by authorised users</description>
<url-pattern>/webclient/utility/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>Roles that have access to MAXIMO UI</description>
<role-name>maximouser</role-name>
</auth-constraint>
<user-data-constraint>
<description>data transmission guarantee</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!--<login-config>
<auth-method>BASIC</auth-method>
<realm-name>MAXIMO Web Application Realm</realm-name>
</login-config>
Uncomment this login-config if you want to use form authentication and make
sure the BASIC based login-config above is commented out. NOTE: You still need the
security-constraint above uncommented too.
-->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>MAXIMO Web Application Realm</realm-name>
<form-login-config>
<form-login-page>/webclient/login/login.jsp?appservauth=true</form-login-page>
<form-error-page>/webclient/login/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>MAXIMO Application Users</description>
<role-name>maximouser</role-name>
</security-role>
<env-entry>
<description>Indicates whether to use Application Server security or not</description>
<env-entry-name>useAppServerSecurity</env-entry-name>
<env-entry-type>java.lang.String</env-entry-type>
<env-entry-value>1</env-entry-value>
</env-entry>
<env-entry>
<description>URL of the root of MAXIMO Application Help</description>
<env-entry-name>helpurl</env-entry-name>
<env-entry-type>java.lang.String</env-entry-type>
<env-entry-value>/maximohelp</env-entry-value>
</env-entry>
<ejb-ref id="EjbRef_1077125230246">
<description>Remote Access Token Provider</description>
<ejb-ref-name>ejb/maximo/remote/accesstokenprovider</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<home>psdi.security.ejb.AccessTokenProviderHomeRemote</home>
<remote>psdi.security.ejb.AccessTokenProviderRemote</remote>
</ejb-ref>
<ejb-local-ref id="EJBLocalRef_1077125215444">
<description>Local Access Token Provider</description>
<ejb-ref-name>ejb/maximo/local/accesstokenprovider</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<local-home>psdi.security.ejb.AccessTokenProviderHomeLocal</local-home>
<local>psdi.security.ejb.AccessTokenProviderLocal</local>
</ejb-local-ref>
</web-app>
<param-name>authurl</param-name>
<param-value>http://localhost:80/meaweb</param-value>
</init-param-->
<load-on-startup>5</load-on-startup>
</servlet>
<!-- End of Axis 2 servlet -->
<!-- Resource servlet commented out for compilation purposes -->
<servlet>
<display-name>Integration Web Services Resource Servlet</display-name>
<servlet-name>IntegrationResourceServlet</servlet-name>
<servlet-class>psdi.iface.servlet.ResourceServlet</servlet-class>
<!--load-on-startup>5</load-on-startup-->
</servlet>
<!-- End MEA WebServices -->
<!-- Begin MEA Servlet Mappings -->
<servlet-mapping>
<servlet-name>IntegrationMaximoServlet</servlet-name>
<url-pattern>/esqueue/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>IntegrationMaximoServlet</servlet-name>
<url-pattern>/es/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ActionServiceServlet</servlet-name>
<url-pattern>/ss/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>WFMaximoServlet</servlet-name>
<url-pattern>/wf/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>MOSServiceServlet</servlet-name>
<url-pattern>/os/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>VerificationServlet</servlet-name>
<url-pattern>/verify/*</url-pattern>
</servlet-mapping>
<!-- End MEA Servlet Mappings -->
<!-- Begin MEA WebService Mappings -->
<servlet-mapping>
<servlet-name>IntegrationResourceServlet</servlet-name>
<url-pattern>/wsdl/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>IntegrationResourceServlet</servlet-name>
<url-pattern>/schema/*</url-pattern>
</servlet-mapping>
<!-- Start of Axis 2 servlet mappings -->
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>/servlet/AxisServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>/services/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<mime-mapping>
<extension>wsdl</extension>
<mime-type>text/xml</mime-type>
</mime-mapping>
<mime-mapping>
<extension>xsd</extension>
<mime-type>text/xml</mime-type>
</mime-mapping>
<!--welcome-file-list>
<welcome-file>/axis2-web/index.jsp</welcome-file>
</welcome-file-list>
<error-page>
<error-code>404</error-code>
<location>/axis2-web/Error/error404.jsp</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/axis2-web/Error/error500.jsp</location>
</error-page-->
<!-- End of Axis 2 servlet mappings -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Enterprise Service Servlet</web-resource-name>
<description>Enterprise Service Servlet (HTTP POST) accessible by authorized users</description>
<url-pattern>/es/*</url-pattern>
<url-pattern>/esqueue/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>Roles that have access to Enterprise Service Servlet (HTTP POST)</description>
<role-name>maximouser</role-name>
</auth-constraint>
<user-data-constraint>
<description>data transmission guarantee</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>App Service Servlet</web-resource-name>
<description>App Service Servlet (HTTP POST) accessible by authorized users</description>
<url-pattern>/ss/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>Roles that have access to App Service Servlet (HTTP POST)</description>
<role-name>maximouser</role-name>
</auth-constraint>
<user-data-constraint>
<description>data transmission guarantee</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Workflow Service Servlet</web-resource-name>
<description>Workflow Service Servlet (HTTP POST) accessible by authorized users</description>
<url-pattern>/wf/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>Roles that have access to Workflow Service Servlet (HTTP POST)</description>
<role-name>maximouser</role-name>
</auth-constraint>
<user-data-constraint>
<description>data transmission guarantee</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Object Structure Service Servlet</web-resource-name>
<description>Object Structure Service Servlet (HTTP POST) accessible by authorized users</description>
<url-pattern>/os/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>Roles that have access to Object Structure Service Servlet (HTTP POST)</description>
<role-name>maximouser</role-name>
</auth-constraint>
<user-data-constraint>
<description>data transmission guarantee</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Integration Web Services</web-resource-name>
<description>Integration Web Services accessible by authorized users</description>
<url-pattern>/services/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>Roles that have access to Integration Web Services</description>
<role-name>maximouser</role-name>
</auth-constraint>
<user-data-constraint>
<description>data transmission guarantee</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Integration Web Application Realm</realm-name>
</login-config>
<security-role>
<description>MAXIMO Application Users</description>
<role-name>maximouser</role-name>
</security-role>
<env-entry>
<description>Indicates whether to use Application Server security or not</description>
<env-entry-name>useAppServerSecurity</env-entry-name>
<env-entry-type>java.lang.String</env-entry-type>
<env-entry-value>1</env-entry-value>
</env-entry>
<ejb-ref id="EjbRef_entsrv">
<ejb-ref-name>ejb/maximo/remote/enterpriseservice</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<home>psdi.iface.gateway.MEAGatewayHome</home>
<remote>psdi.iface.gateway.MEAGateway</remote>
</ejb-ref>
<ejb-local-ref id="EjbRef_entsrvlocal">
<ejb-ref-name>ejb/maximo/local/enterpriseservice</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<local-home>psdi.iface.gateway.MEAGatewayHomeLocal</local-home>
<local>psdi.iface.gateway.MEAGatewayLocal</local>
</ejb-local-ref>
<ejb-ref id="EjbRef_actsrv">
<ejb-ref-name>ejb/maximo/remote/actionservice</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<home>psdi.iface.action.MAXActionServiceHome</home>
<remote>psdi.iface.action.MAXActionServiceRemote</remote>
</ejb-ref>
<ejb-local-ref id="EjbRef_actsrvlocal">
<ejb-ref-name>ejb/maximo/local/actionservice</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<local-home>psdi.iface.action.MAXActionServiceHomeLocal</local-home>
<local>psdi.iface.action.MAXActionServiceLocal</local>
</ejb-local-ref>
<ejb-ref id="EjbRef_mossrv">
<ejb-ref-name>ejb/maximo/remote/mosservice</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<home>psdi.iface.mos.MOSServiceHome</home>
<remote>psdi.iface.mos.MOSServiceRemote</remote>
</ejb-ref>
<ejb-local-ref id="EjbRef_mossrvlocal">
<ejb-ref-name>ejb/maximo/local/mosservice</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<local-home>psdi.iface.mos.MOSServiceHomeLocal</local-home>
<local>psdi.iface.mos.MOSServiceLocal</local>
</ejb-local-ref>
<ejb-ref id="EjbRef_wfsrv">
<ejb-ref-name>ejb/maximo/remote/wfservice</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<home>psdi.iface.workflow.WorkFlowServiceHome</home>
<remote>psdi.iface.workflow.WorkFlowServiceRemote</remote>
</ejb-ref>
<ejb-local-ref id="EjbRef_wfsrvlocal">
<ejb-ref-name>ejb/maximo/local/wfservice</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<local-home>psdi.iface.workflow.WorkFlowServiceHomeLocal</local-home>
<local>psdi.iface.workflow.WorkFlowServiceLocal</local>
</ejb-local-ref>
</web-app>
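The two deployment descriptors above leave every security-constraint at transport-guarantee NONE and, for meaweb, pair BASIC authentication with useAppServerSecurity=1, so the directory password travels with each request unless HTTPS is enforced elsewhere. The following script is an added example (not part of this document or of the Maximo product) that parses that element structure and reports such settings; the sample web.xml inside it is constructed to mirror the meaweb descriptor.

```python
"""Audit the security-relevant elements of a Maximo or meaweb web.xml.
Added example, not from the document: reports settings a reviewer
would question in security-constraint, login-config and env-entry."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the meaweb deployment descriptor above.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Integration Web Services</web-resource-name>
      <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>maximouser</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <env-entry>
    <env-entry-name>useAppServerSecurity</env-entry-name>
    <env-entry-value>1</env-entry-value>
  </env-entry>
</web-app>"""

def audit_web_xml(xml_text):
    """Return a list of (element name, finding) tuples for xml_text."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop the default namespace so paths stay short
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    app_server_security = any(
        e.findtext("env-entry-name") == "useAppServerSecurity"
        and e.findtext("env-entry-value") == "1"
        for e in root.iter("env-entry")
    )
    findings = []
    for sc in root.iter("security-constraint"):
        name = sc.findtext("web-resource-collection/web-resource-name")
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE")
        if guarantee != "CONFIDENTIAL":
            # Credentials and session cookies may travel over plain HTTP
            findings.append((name, f"transport-guarantee is {guarantee}"))
        if sc.find("auth-constraint") is None:
            findings.append((name, "no auth-constraint, resource is unauthenticated"))
    if app_server_security and root.findtext("login-config/auth-method") == "BASIC":
        # With useAppServerSecurity=1 the directory password is sent on every request
        findings.append(("login-config", "BASIC auth with application server security"))
    return findings
```

Run it against the real file with audit_web_xml(open("web.xml").read()); an empty list means every constraint is CONFIDENTIAL and the login method is not BASIC.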
6. Appendix B
6.1 List of abbreviations

Abbreviation   Stands for
AD             Active Directory
CCMDB
CN (LDAP)      Common Name
DMGR           Deployment Manager
DN (LDAP)      Distinguished Name
IBM
ID             Identification
ISM
IT             Information Technology
ITDS
ITIC
ITIL           IT Infrastructure Library
LDAP
MBO
MSAD
PMR
PTA (ITDS)     Passthru Authentication
SPNEGO
SSL
SSO            Single Sign On
TADDM
TDS
TPAE
VMM
WAS