Configuring Tivoli Workload Scheduler Security

advertisement
TWS Education + Training
April 29-May 3, 2012
Hyatt Regency Austin
Austin, Texas
Click
to add
text
TWSd
Configuring
Tivoli
Workload Scheduler Security
1of3
3202
Wednesday, May 2, 2012
Overview
•Architecture
•Authentication
•Authorization
•Accounting
Architecture
 TWS security components
 Active Directory – LDAP registry
 WAS/eWAS
 DB
 WebUI - TDWC
 CLI
Architecture
Distributed Installation
eWebSphere
Application
Server
Master
Domain
Manager
Tier 1
BKDM
Engine
Active Directory
LDAP registry
DB2 or Oracle
RDBMS
WebUI/
TDWC
MDM
Engine
WebUI/
TDWC
Fault Tolerant Agent
CLI
FTA1
FTA2
FTA3
UNIXLOCL
XA
UNIXSSH
XA
SAP
XA
External
WebSphere
Application
Server
Authentication
 Confirming your identity - Are you who you say you are?
 Authentication Registries
 LocalOS
 LDAP
 CUSTOM – PAM (LDAP and LocalOS)
 Active Directory - LDAP
 TWS TDWC and CLI users Authenticate against the AD domain
 How?
 On startup, the websphere application server connects to the LDAP
(Windows AD) using a LDAP bind user
 The User is presented with the WebUI (TDWC) login screen and needs to
enter his AD user and Password
 eWAS presents these credentials to the LDAP for authentication
 The user group member ship is identified and if the group is defined in the
eWAS registry, the user is allowed access into the TDWC on successful
authentication
Authorization




What are you allowed to see and do?
Authorization model
 The TWS user’s group membership in AD LDAP determines what authorization they are
allowed
 Authorization can be assigned at Group or User level
 TWS access groups can be mapped to roles in the WebUI and in the Security file
 Group level authorization – means less user administration
 Read Only access may be added for any domain user that is authenticated, but not defined in
a TWS access group
Where is the authorization defined? – on two levels
 In the WebUI (TDWC) registery on a user and/or group level (What can you see and work with
in the WebUI)
 In the TWS Security file on the Master Domain Manager server (What are you allowed to do)
How?
 During authentication, the users group member ship is identified and if the group is defined in
the eWAS registry, the user is allowed access according to what is defined
 The TWS security file will manage what a user/group is allowed to do in the Engine and
Database
 The security file on the engine determines Authorization.
Authorization (Cont.)
 Advantages
 All authentication against a single repository
• Each environment has its own access configured (Dev, QA and PROD)
using the same authentication group
• Application Groups can have update access in Dev and QA , but read only
access in Prod
• Production Support has update access in Dev, QA and PROD
• Operations support have Operator access PROD (and QA where required)
• CLI – User authentication against AD using the User/password stored in the
.TWS/uid_useropts file (UNIX/Linux)



Granular user control can be implemented if required
No individual user management is required from the TWS admin
TWS access Group membership is determined by the Application
Owner – Business determines access
 Disadvantages
 Bind user is a single point of failure – locking the bind user, stops all
access to TDWC
Authorization – WebUI registry
Authorization – TWS Security File
Authorization – Access Matrix example
Accounting
 How do we track updates on TWS Plan and
Database?
 Switch on AUDIT using “optman” (0=off 1=on)

enDbAudit / da = 1
• Optman chg da = 1

enPlanAudit / pa = 1
• Optman chf pa = 1

The files can be found in /$TWSHOME/audit/plan
or /$TWSHOME/audit/database
 Now you can see who did what and when
Simple Problem Determination

Unable to log into the WEBUI (TWS url)
LocalOS
 User id locked on unix/windows
LDAP/AD
Does the user id belong to you authentication AD domain?
 The user id may require a password change?
 The user id may be locked?
 The user is not defined in a TWS group (only if all_authenticated user login is not
allowed)
 TWS bind is locked – all user logins will fail
User does not have view/modify access on WEBUI
 Users group roles do not allow view/modify access
User gets no access allowed when working on the WEBUI and clicking on a modify
task
 This user group may not have the access defined in TWS Security file for update
access, or is not allowed modify access in the group stanza



Download