TWSd Configuring Tivoli Workload Scheduler Security (1 of 3)
3202, Wednesday, May 2, 2012
TWS Education + Training, April 29 - May 3, 2012, Hyatt Regency Austin, Austin, Texas


Overview

  • Architecture
  • Authentication
  • Authorization
  • Accounting

Architecture

TWS security components
  • Active Directory – LDAP registry
  • WAS/eWAS (WebSphere Application Server / embedded WebSphere Application Server)
  • DB
  • WebUI - TDWC
  • CLI

Architecture (Cont.)

Distributed Installation (diagram; the components shown are):
  • Tier 1: Fault Tolerant Agents FTA1, FTA2, FTA3
  • MDM Engine (Master Domain Manager) with the embedded WebSphere Application Server (eWAS)
  • BKDM Engine (backup master domain manager)
  • DB2 or Oracle RDBMS
  • CLI
  • WebUI/TDWC, on the eWAS and on an external WebSphere Application Server
  • Active Directory / LDAP registry
  • Extended agents: UNIX SSH XA, UNIX LOCL XA, SAP XA

Authentication

Confirming your identity: are you who you say you are?

Authentication registries
  • LocalOS
  • LDAP
  • CUSTOM – PAM (LDAP and LocalOS)

Active Directory - LDAP: TWS TDWC and CLI users authenticate against the AD domain.

How?
  • On startup, the WebSphere Application Server (eWAS) connects to the LDAP directory (Windows AD) using an LDAP bind user.
  • The user is presented with the WebUI (TDWC) login screen and enters an AD user name and password.
  • eWAS presents these credentials to the LDAP directory for authentication.
  • The user's group membership is identified; if the group is defined in the eWAS registry, the user is allowed into the TDWC on successful authentication.

Authorization

What are you allowed to see and do?

Authorization model
  • The TWS user's group membership in AD/LDAP determines the authorization they receive.
  • Authorization can be assigned at group or user level.
  • TWS access groups can be mapped to roles in the WebUI and to user definitions in the Security file.
  • Group-level authorization means less user administration.
  • Read-only access may be added for any domain user who is authenticated but not defined in a TWS access group.

Where is the authorization defined? On two levels:
  • In the WebUI (TDWC) registry, at user and/or group level: what you can see and work with in the WebUI.
  • In the TWS Security file on the Master Domain Manager server: what you are allowed to do.

How?
  • During authentication the user's group membership is identified; if the group is defined in the eWAS registry, the user is allowed access according to what is defined there.
  • The TWS Security file governs what a user or group is allowed to do in the engine and the database.
  • The Security file on the engine determines authorization. A WebUI role alone does not grant engine or database actions: an action the Security file does not allow fails even when the console shows the button.

Authorization (Cont.)

Advantages
  • All authentication is against a single repository.
  • Each environment (Dev, QA and Prod) has its own access configured using the same authentication group.
  • Application groups can have update access in Dev and QA but read-only access in Prod.
  • Production Support has update access in Dev, QA and Prod.
  • Operations Support has Operator access in Prod (and QA where required).
  • CLI: user authentication against AD using the user/password stored in the .TWS/uid_useropts file (UNIX/Linux).
  • Granular user control can be implemented if required.
  • No individual user management is required from the TWS admin.
  • TWS access group membership is determined by the application owner: the business determines access.

Disadvantages
  • The bind user is a single point of failure: locking the bind user stops all access to TDWC. Monitor the bind account for lockouts and password expiry.


Authorization – WebUI registry


Authorization – TWS Security File
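The Python below is an added example, not code from the slides or from IBM: a simplified model of how a Security file of the kind this slide shows is evaluated, so the "who may do what" question can be answered offline. It parses USER stanzas (CPU=, LOGON= and GROUP= selection attributes, then BEGIN/END object lines with an ACCESS list), picks the first stanza matching the caller's CPU, logon and directory groups, and applies the first object line of the requested type whose attribute filters match. The sample Security file, the group names, the top-down first-match semantics and the GROUP= attribute carrying the AD group from authentication are this model's assumptions; check them against your version's Security file reference before relying on the parser for a real dumpsec export.

```python
import re
from dataclasses import dataclass, field
# Constructed sample in the style of a TWS Security file (not the file from the slides). A USER
# stanza names who it applies to (CPU=, LOGON=, GROUP=; GROUP= is assumed to carry the AD/LDAP
# group identified at authentication) and lists per-object-type ACCESS keywords. Model
# assumption: stanzas and object lines are evaluated top-down and the first match wins.
SAMPLE_SECURITY_FILE = """
USER PRODSUPPORT
    CPU=@+GROUP=TWS_PROD_SUPPORT
BEGIN
    JOB       CPU=@              ACCESS=DISPLAY,MODIFY,SUBMIT,RERUN,CANCEL,RELEASE
    PARAMETER CPU=@              ACCESS=DISPLAY
END
USER APPTEAM_BILLING
    CPU=@+GROUP=TWS_APP_BILLING
BEGIN
    JOB       CPU=@+NAME=BILL@   ACCESS=DISPLAY,SUBMIT,RERUN
    JOB       CPU=@              ACCESS=DISPLAY
END
USER ANY_AUTHENTICATED
    CPU=@+LOGON=@
BEGIN
    JOB       CPU=@              ACCESS=DISPLAY
END
"""

@dataclass
class ObjectRule:
    obj_type: str
    attrs: dict   # attribute -> patterns; '@' matches any string, '?' one character
    access: set   # ACCESS keywords; '@' means every action

@dataclass
class UserStanza:
    name: str
    attrs: dict   # CPU / LOGON / GROUP -> patterns
    rules: list = field(default_factory=list)

def _split_attrs(text):
    """'CPU=@+LOGON=maestro,root' -> {'CPU': ['@'], 'LOGON': ['maestro', 'root']}"""
    attrs = {}
    for tok in re.split(r"[+\s]+", text.strip()):
        if tok:
            key, _, vals = tok.partition("=")
            attrs[key.upper()] = vals.split(",")
    return attrs

def parse_security_file(text):
    stanzas, current, in_body = [], None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        head = line.split(None, 1)
        keyword = head[0].upper()
        if keyword == "USER":
            current, in_body = UserStanza(name=head[1], attrs={}), False
            stanzas.append(current)
        elif keyword == "BEGIN":
            in_body = True
        elif keyword == "END":
            current, in_body = None, False
        elif not in_body:                             # user-selection attributes
            current.attrs.update(_split_attrs(line))
        else:                                         # object line inside BEGIN/END
            m = re.search(r"\bACCESS=(\S+)", line, re.I)
            if m is None:
                raise ValueError(f"object line without ACCESS list: {raw!r}")
            access = {a.upper() for a in m.group(1).split(",")}
            current.rules.append(ObjectRule(keyword, _split_attrs(line[len(head[0]):m.start()]), access))
    return stanzas

def _glob(pattern, value):
    regex = "".join(".*" if c == "@" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def _stanza_matches(stanza, cpu, logon, groups):
    # An attribute the stanza omits is unconstrained; GROUP= is met by any one of the caller's groups.
    wanted = {"CPU": [cpu], "LOGON": [logon], "GROUP": list(groups)}
    return all(k not in stanza.attrs or any(_glob(p, v) for p in stanza.attrs[k] for v in vals)
               for k, vals in wanted.items())

def check_access(stanzas, cpu, logon, groups, obj_type, action, **obj_attrs):
    """(allowed, reason) for one action on one object: pick the caller's stanza, then apply the
    first line of that object type whose attribute filters match the object."""
    stanza = next((s for s in stanzas if _stanza_matches(s, cpu, logon, groups)), None)
    if stanza is None:
        return False, "no USER stanza matches this CPU/logon/group"
    obj_attrs = {k.upper(): v for k, v in obj_attrs.items()}
    for rule in stanza.rules:
        if rule.obj_type == obj_type.upper() and all(
                any(_glob(p, obj_attrs.get(k, "")) for p in pats) for k, pats in rule.attrs.items()):
            allowed = "@" in rule.access or action.upper() in rule.access
            return allowed, f"stanza {stanza.name}: {obj_type} line grants {','.join(sorted(rule.access))}"
    return False, f"stanza {stanza.name}: no {obj_type} line matches this object"

if __name__ == "__main__":   # bsmith may display/submit BILL* jobs; a modify click is refused
    print(check_access(parse_security_file(SAMPLE_SECURITY_FILE), "MDM", "bsmith",
                       ["TWS_APP_BILLING"], "JOB", "MODIFY", CPU="FTA1", NAME="BILL_EXTRACT"))
```

Ordering matters in this model: the catch-all ANY_AUTHENTICATED stanza (LOGON=@) must come last, or it would shadow every group-specific stanza and silently reduce Production Support to display-only. The bsmith case in the main block reproduces the "no access allowed" symptom from the problem-determination slide: the console shows the job, but MODIFY is not in the JOB line that matches it.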


Authorization – Access Matrix example

Accounting

How do we track updates to the TWS plan and database?

Switch on auditing with optman (0 = off, 1 = on):
  • Database auditing, enDbAudit / da: optman chg da=1
  • Plan auditing, enPlanAudit / pa: optman chg pa=1

The audit files are written under $TWSHOME/audit/database and $TWSHOME/audit/plan. Now you can see who did what and when.

Simple Problem Determination

Unable to log in to the WebUI (TWS URL)
  • LocalOS: the user ID is locked on UNIX/Windows.
  • LDAP/AD:
      • Does the user ID belong to your authentication AD domain?
      • Does the user ID require a password change?
      • Is the user ID locked?
      • The user is not defined in a TWS group (only if all-authenticated-user login is not allowed).
      • The TWS bind user is locked: all user logins fail.

User does not have view/modify access in the WebUI
  • The user's group roles do not allow view/modify access.

User gets "no access allowed" when clicking a modify task in the WebUI
  • The user's group may not have update access defined in the TWS Security file, or modify access is not allowed in the group's stanza.