TWS Education + Training, April 29-May 3, 2012, Hyatt Regency Austin, Austin, Texas

TWSd: Configuring Tivoli Workload Scheduler Security (1 of 3)
Session 3202, Wednesday, May 2, 2012

Overview
• Architecture
• Authentication
• Authorization
• Accounting

Architecture: TWS security components
• Active Directory – LDAP registry
• WAS/eWAS (WebSphere Application Server / embedded WebSphere Application Server)
• DB
• WebUI – TDWC (Tivoli Dynamic Workload Console)
• CLI

Architecture: Distributed installation
[Architecture diagram. Components shown: embedded WebSphere Application Server on the Master Domain Manager (MDM engine) and the Backup Domain Manager (BKDM engine, Tier 1); Active Directory LDAP registry; DB2 or Oracle RDBMS; WebUI/TDWC on the MDM and on an external WebSphere Application Server; Fault Tolerant Agents FTA1, FTA2 and FTA3 with the CLI; extended agents UNIXLOCL XA, UNIXSSH XA and SAP XA.]

Authentication: confirming your identity – are you who you say you are?

Authentication registries
• LocalOS
• LDAP
• CUSTOM – PAM (LDAP and LocalOS)
• Active Directory – LDAP

TWS TDWC and CLI users authenticate against the AD domain. How?
• On startup, the embedded WebSphere Application Server (eWAS) connects to the LDAP directory (Windows AD) using an LDAP bind user.
• The user is presented with the WebUI (TDWC) login screen and enters their AD user name and password.
• eWAS presents these credentials to the LDAP directory for authentication.
• The user's group membership is identified; if the group is defined in the eWAS registry, the user is allowed into the TDWC on successful authentication.

Authorization: what are you allowed to see and do?

Authorization model
• The TWS user's group membership in AD (LDAP) determines what authorization they are allowed.
• Authorization can be assigned at group or user level.
• TWS access groups can be mapped to roles in the WebUI and in the Security file.
• Group-level authorization means less user administration.
• Read-only access may be added for any domain user that is authenticated but not defined in a TWS access group.

Where is the authorization defined? On two levels:
• In the WebUI (TDWC) registry, at user and/or group level: what you can see and work with in the WebUI.
• In the TWS Security file on the Master Domain Manager server: what you are allowed to do.
How?
• During authentication the user's group membership is identified; if the group is defined in the eWAS registry, the user is allowed access according to what is defined there.
• The TWS Security file governs what a user/group is allowed to do in the engine and in the database.
• The Security file on the engine determines authorization: a WebUI role only lets a user attempt an action; whether it succeeds is decided by the Security file.

Authorization (cont.)
Advantages
• All authentication is against a single repository.
• Each environment (Dev, QA and PROD) has its own access configured using the same authentication group:
  – Application groups can have update access in Dev and QA, but read-only access in PROD.
  – Production support has update access in Dev, QA and PROD.
  – Operations support has Operator access in PROD (and in QA where required).
• CLI: user authentication against AD using the user/password stored in the .TWS/uid_useropts file (UNIX/Linux).
• Granular user control can be implemented if required.
• No individual user management is required from the TWS admin.
• TWS access group membership is determined by the application owner: the business determines access.
Disadvantages
• The bind user is a single point of failure: locking the bind user stops all access to TDWC.

Authorization – WebUI registry
Authorization – TWS Security file
Authorization – Access matrix example

Accounting: how do we track updates to the TWS plan and database?
• Switch on auditing using optman (0 = off, 1 = on):
  – enDbAudit / da = 1: optman chg da=1
  – enPlanAudit / pa = 1: optman chg pa=1
• The audit files are written to $TWSHOME/audit/plan and $TWSHOME/audit/database.
• Now you can see who did what, and when.

Simple problem determination
Unable to log into the WebUI (TWS URL):
• LocalOS: the user ID is locked on UNIX/Windows.
• LDAP/AD:
  – Does the user ID belong to your authentication AD domain?
  – Does the user ID require a password change?
  – Is the user ID locked?
  – The user is not defined in a TWS group (only if all_authenticated user login is not allowed).
  – The TWS bind user is locked: all user logins will fail.
User does not have view/modify access in the WebUI:
• The user's group roles do not allow view/modify access.
User gets "no access allowed" when working in the WebUI and clicking a modify task:
• This user's group may not have update access defined in the TWS Security file, or is not allowed modify access in the group stanza.
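As an added worked example (not code from the presentation and not IBM's product code), the following Python script models the two-level authorization described on the Authorization model and Access matrix slides and reproduces the failure cases on the problem determination slide: a user not in the domain, a locked bind user, a WebUI role that does not allow the action, and a WebUI role that allows it while the Security file on the engine does not. Every user, group, role name, access keyword and the Dev/QA/PROD matrix below is constructed sample data; in a real deployment the mapping lives in the eWAS registry and in the TWS Security file, not in Python.

```python
"""Illustrative model of the two-level TWS authorization described in the slides:
   level 1, the eWAS registry (AD group -> WebUI role: what you can see and work with),
   level 2, the Security file on the MDM (group -> access keywords: what you can do).
   Group membership comes from AD through the LDAP bind user, so a locked bind user
   stops everyone. All data below is constructed sample data, not a real directory
   or Security file."""
from dataclasses import dataclass

# Constructed AD group membership, as returned by the LDAP registry after a successful bind.
AD_GROUPS = {
    "alice": {"APP_PAYROLL"},       # application team (business-owned TWS access group)
    "bob":   {"TWS_PRODSUPPORT"},   # production support
    "carol": {"TWS_OPERATIONS"},    # operations support
    "dave":  {"DOMAIN_USERS"},      # authenticated domain user in no TWS access group
}

# Hypothetical WebUI role names (the slides do not list the real TDWC role names).
ROLE_ACTIONS = {
    "ReadOnly":  {"DISPLAY", "LIST"},
    "Operator":  {"DISPLAY", "LIST", "SUBMIT", "CANCEL", "RERUN"},
    "Developer": {"DISPLAY", "LIST", "SUBMIT", "CANCEL", "RERUN", "ADD", "MODIFY", "DELETE"},
}
ALL_AUTHENTICATED_READONLY = True   # read-only for authenticated users outside any access group

# Level 1: eWAS registry, group -> WebUI role per environment (the access matrix from the slides).
# TWS_OPERATIONS in QA is deliberately misconfigured as Developer to reproduce the last slide.
WEBUI_ROLES = {
    "DEV":  {"APP_PAYROLL": "Developer", "TWS_PRODSUPPORT": "Developer"},
    "QA":   {"APP_PAYROLL": "Developer", "TWS_PRODSUPPORT": "Developer", "TWS_OPERATIONS": "Developer"},
    "PROD": {"APP_PAYROLL": "ReadOnly",  "TWS_PRODSUPPORT": "Developer", "TWS_OPERATIONS": "Operator"},
}

# Level 2: Security file on each environment's MDM, group -> access keywords.
# "*" stands for a catch-all stanza granting read-only access to every authenticated user.
UPDATE  = {"DISPLAY", "LIST", "ADD", "MODIFY", "DELETE", "SUBMIT", "CANCEL", "RERUN"}
OPERATE = {"DISPLAY", "LIST", "SUBMIT", "CANCEL", "RERUN"}
VIEW    = {"DISPLAY", "LIST"}
SECURITY_FILE = {
    "DEV":  {"APP_PAYROLL": UPDATE, "TWS_PRODSUPPORT": UPDATE, "*": VIEW},
    "QA":   {"APP_PAYROLL": UPDATE, "TWS_PRODSUPPORT": UPDATE, "TWS_OPERATIONS": OPERATE, "*": VIEW},
    "PROD": {"APP_PAYROLL": VIEW,   "TWS_PRODSUPPORT": UPDATE, "TWS_OPERATIONS": OPERATE, "*": VIEW},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(user: str, env: str, action: str, bind_user_locked: bool = False) -> Decision:
    """Evaluate one WebUI action the way the slides describe: authenticate, then level 1, then level 2."""
    # Authentication: eWAS reaches AD only through the bind user (the single point of failure).
    if bind_user_locked:
        return Decision(False, "LDAP bind user locked: all TDWC logins fail")
    groups = AD_GROUPS.get(user)
    if groups is None:
        return Decision(False, "user ID is not in the authentication AD domain")

    # Level 1: WebUI role(s) from the eWAS registry, or the read-only fallback for unmapped users.
    roles = [WEBUI_ROLES[env][g] for g in sorted(groups) if g in WEBUI_ROLES[env]]
    if not roles:
        if not ALL_AUTHENTICATED_READONLY:
            return Decision(False, "user is not defined in a TWS access group")
        roles = ["ReadOnly"]
    permitted = set().union(*(ROLE_ACTIONS[r] for r in roles))
    if action not in permitted:
        return Decision(False, f"WebUI role(s) {roles} do not allow {action}")

    # Level 2: the Security file on the engine has the final say.
    stanzas = SECURITY_FILE[env]
    granted = set(stanzas["*"]).union(*(stanzas.get(g, set()) for g in groups))
    if action not in granted:
        return Decision(False, f"Security file for {env} does not grant {action} to {sorted(groups)}")
    return Decision(True, f"allowed via WebUI role(s) {roles} and Security file for {env}")


if __name__ == "__main__":
    for user, env, action in [("alice", "DEV", "MODIFY"), ("alice", "PROD", "MODIFY"),
                              ("carol", "PROD", "SUBMIT"), ("carol", "QA", "MODIFY"),
                              ("dave", "PROD", "DISPLAY")]:
        d = authorize(user, env, action)
        print(f"{user:6} {env:4} {action:8} -> {'ALLOW' if d.allowed else 'DENY ':5} {d.reason}")
```

The deliberate QA mismatch for TWS_OPERATIONS (Developer role in the WebUI registry, but only operator-level access in the Security file) is the situation on the last slide: the user sees the modify action in TDWC and gets "no access allowed" because the Security file on the engine, not the WebUI role, decides what actually runs. When reviewing a real deployment, compare the two levels environment by environment in exactly this order.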