Configuring Oracle TSAM Plus Manager

Configuring Oracle TSAM Plus Manager

This chapter describes configuration tasks made on Oracle TSAM Plus Manager after you have configured standalone TSAM Plus Agent as described in the first chapter.

This chapter contains the following topics:

•

Overview

•

Configuring Oracle TSAM Plus Data Server

•

Configuring Oracle TSAM Plus Manager

•

Configuring Security

Overview

The Oracle TSAM Plus Manager is the data manipulation and representation component of Oracle TSAM Plus. It is a J2EE application. The Oracle TSAM Plus Manager provides the following functionality:

•

Communicates with the Oracle TSAM Plus Agent for performance metrics, configuration information and other utility messages.

•

Provides a Web console for Oracle TSAM Plus administration, monitored data presentation and alerts management.

Configuring Oracle TSAM Plus Data Server

The Oracle TSAM Plus Data Server is the communication interface to Oracle TSAM Plus. It accepts requests from LMS and metrics query requests from web browser. For each LMS, the URL of the data server must be configured correctly. The format is as follows:

CLOPT="-A -- -l host:port/tsam"

•

host is the box where the web application deployed.

•

port is the port number of the java server.

•

tsam is the Oracle TSAM Plus URL.

Note:

From an HTTP perspective, the Oracle TSAM Plus Agent LMS is the HTTP client, and the Oracle TSAM Plus Manager is the HTTP server. If a firewall is deployed between the Oracle TSAM Plus Manager and Tuxedo applications, the firewall must allow the LMS to issue HTTP requests to the Oracle TSAM Plus Manager.

Configuring Oracle TSAM Plus Manager

Oracle TSAM Plus Manager provides some global parameters for tuning purpose. They are available at the Data Management/Global Parameters page. For more information, see Oracle TSAM Plus User Guide.

Configuring Security

Authentication

Specifying the Authentication Type

There are two kinds of authentication types, Database first and LDAP only. The user information can be stored in the Oracle TSAM Plus database or an existing LDAP server. The authentication type Database first supports both. LDAP only exclusively supports LDAP authentication.

You can specify the authentication type during TSAM Plus installation process. For more information, refer to Choose Authentication Type in Installing Oracle TSAM Plus Manager Using GUI-Mode Installation.

You can also specify the authentication type from Oracle TSAM Plus monitoring console following these steps:

1.

Login to Oracle TSAM Plus console.

2.

From the top menu bar, click Management and select Global Parameters from the drop-down list.

3.

In the Global Parameters page, click TSAM Plus Manager Properties.

4.

Specify Authentication Type.

Configuring Database Authentication

The default administrator admin is created during installation or deployment.

For information of creating "admin" during installation, refer to Set Admin Password in Installing Oracle TSAM Plus Manager Using GUI-Mode Installation.

For information of creating "admin" during database deployment, refer to the parameter -adminpassword in Oracle TSAM Plus Manager Database Server Deployment.

For reserting "admin" during database deployment, refer to the parameter -resetpassword yes in Oracle TSAM Plus Manager Database Server Deployment.

You can also add or edit a user from Oracle TSAM Plus monitoring console following these steps:

1.

Login to Oracle TSAM Plus console.

2.

From the top menu bar, click Management and select User Management from the drop-down list.

3.

Create, edit or delete a user.

For more information, refer to User Management.

Configuring LDAP Authentication

Specifying the Group ID

If you use LDAP authentication, the Group ID must be the same as the one of the corresponding user in the LDAP server. For more information, refer to Group Management.

Deploying LDAP Configuration File

You can specify an LDAP configuration file during installation process. For more information, refer to LDAP Configuration in Installing Oracle TSAM Plus Manager Using GUI-Mode Installation.

You can also update the LDAP configuration information in the tsam.ear file (located at <TSAM_DIR>/deploy) using the following LDAP deployment utilities:

•

Unix/Linux LDAP Deployment: LDAPDeployer.sh

•

Windows LDAP Deployment: LDAPDeployer.cmd

Listing 2‑1 and Listing 2‑2 show Unix/Linux and Windows LDAP Deployment utility examples accordingly.

Note:

The LDAP information in the tsam.ear file is overwritten after you run the LDAP Deployment utility. You must redeploy the tsam.ear file on the application server.

Listing 2‑1 Unix/Linux LDAP Deployment Utility Example

cd <TSAM_DIR>/deploy
./LDAPDeployer.sh tpgauth

Listing 2‑2 Windows LDAP Deployment Utility Example

cd <TSAM_DIR>\deploy
LDAPDeployer.cmd c:\tpgauth

TSAM Plus LDAP Configuration File

The Oracle TSAM Plus LDAP configuration file is similar to the Oracle Tuxedo GAUTHSVR configuration file.

Although the default values for the LDAP configuration file are usually sufficient, you can choose to configure it with different names. Therefore, you should be aware of the following requirements for the LDAP configuration file:

•

The LDAP configuration file is a plain text file.

•

Keywords are case-sensitive, but their order does not matter. The keyword format is keyword=value.

•

Blank lines or lines starting with a # sign are treated as comments, and are ignored.

•

The upper limit of a line is 255 characters. If a line exceeds this upper limit, it is truncated.

•

The Principal must have privileges to access the LDAP database (usually the LDAP administrator).

Table 2‑1 lists the LDAP configuration file keywords.

Table 2‑1 LDAP Configuration File Keywords

Configuration Keyword

Value Type

Description

Host

string

The host name or IP address of the LDAP server.The default value is localhost.

Port

numeric

The port number on which the LDAP server is listening.The default value is 389.

Principal

The Distinguished Name (DN) of the LDAP user that is used to connect to the LDAP server.

Credential

The credential (generally a password) used to authenticate the LDAP user that is defined in the Principal attribute.

UserObjectClass

string

The LDAP object class that stores users. The default is person.

UserBaseDN

string

The base distinguished name (DN) of the tree in the LDAP directory that contains users. The default is ou=people, o=example.com

UserFromNameFilter

string

An LDAP search filter for finding a user given the name of the user. The default is (&(cn=%u)(objectclass=person))

UserUIDAttrName

string

The attribute name of an LDAP user object that specifies the UID of the user or the UID and GID of the user in a fixed format. The default value is userid.

UserGroupAttrNames

string

The attribute names of an LDAP user object that specify the groups the user belongs to. This attribute can contain three types of values: GID, group CN and group DN. One type of value for each configuration. More names are separated by comma. The default value is usergroups.

RetrieveUIDAndGID

boolean

It should always be "true"

UIDAttrValueType

string

It should always be "UIDAndGID"

UseZOSRACF

boolean

Specifies whether the LDAP server is z/OS RACF LDAP server. The default is false.

SSLEnabled

boolean

Specifies that SSL is used to connect to the LDAP server

ConnectTimeout

numeric

The maximum number of seconds to wait for the LDAP connection to be established. If set to 0, there is no maximum time limit.

The default value is 0.

TuxedoUIDKey

string

Used to identify the Tuxedo UID.

The default value is TUXEDO_UID.

TuxedoGIDKey

string

Used to identify the Tuxedo GID.

The default value is TUXEDO_GID.

Weblogic Embedded LDAP Server LDAP Configuration File Example

Listing 2‑3 shows a Weblogic embedded LDAP server LDAP configuration file example.

Listing 2‑3 Weblogic Embedded LDAP Server LDAP Configuration File Example

Host = localhost
Port = 7001
Principal = cn=Admin
Credential = aaa
UserObjectClass = person
UserBaseDN = ou=people,ou=myrealm,dc=base_domain
UserFromNameFilter = (&(uid=%u)(objectclass=person))
UserUIDAttrName = description
UserGroupAttrNames=wlsMemberOf
RetrieveUIDAndGID = true
UIDAttrValueType = UIDAndGID
UseZOSRACF=false
SSLEnabled=false
ConnectTimeout=5

Using tpmigldif to Migrate User Information

You can use the tpmigldif command utility to migrate TSAM Plus user and group information to LDAP servers in LDAP Interchange Format (LDIF). In order to use tpmigldif, you must create a migration template.

Using tpmigldif Command Line Options

Table 2‑2 lists the command line options for the tpmigldif utility. The order of the command line options does not matter.

Table 2‑2 tpmigldif Command Line Options

Command Line Option

Option Argument

Default Value

Usage

-t

user|group

user

Specifies migration type.

-f

template filename

tpusr-template (when type is user), or tpgrp-template(when type is group)

Specifies the template file name.

-o

o (output filename)

console/stdout

Specifies the output file name.

-u

full path name

tpusr

The full directory path for the tpusr file.

-g

full path name

tpgrp

The full directory path for the tpgrp file.

tpusr and tpgrp File Format

Listing 2‑4 shows a tpusr file with five fields separated by a colon:

name:password(encrypted):user id:group id:client name::

Listing 2‑4 Example tpusr File

user1:EI4xxxjrCc:16668:601:TPCLTNM,client::
user2:EI4xxxjrCc:16669:602:TPCLTNM,client::

Listing 2‑5 shows a tpgrp file with three fields separated by a colon:

name::group id:

Listing 2‑5 Example tpgrp File

group1::601:
group2::602:

Assigning New Passwords for the tpusr File (Optional)

Before migrating the user and group information, the administrator could assign new passwords for each user so the generated LDIF output contains correct password for each user. This step is required because the passwords in the tpusr file are encrypted with one-way encryption; therefore, it is impossible to retrieve the original password from the file.

Using a text-editor, there are two methods you can use to modify tpusr file passwords:

•

Modify the tpusr file password field to change the user password for each user in the file. The password field is the second field in the tpusr file. Each user is entered on a separate line in the tpusr file. See listing Listing 2‑4, for original tpusr file example.

user1:pwd1:16668:601:TPCLTNM,client::
user2:pwd2:16669:602:TPCLTNM,client:

•

Add a new password to the last tpusr file field

user1:EI4xxxjrCc:16668:601:TPCLTNM,client::pwd1:
user2:EI4xxxjrCc:16669:602:TPCLTNM,client::pwd2:

Creating a Migration Template

The migration template is a text file used by the tpmigldif command utility to translate the tpusr or tpgrp file into an LDIF output file.

Listing 2‑6 shows a tpusr-template migration file example. <%n> refers to a tpusr file field, where n starts at 1.

Note:

Use <%gn> for group field in tpgrp file for given user.

Listing 2‑6 tpusr-template

dn: CN=<%1>,CN=Users,DC=tuxdev,DC=bea,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: user
cn: <%1>
description: Tuxedo User, TUXEDO_UID=<%3> TUXEDO_GID=<%4>
password: <%7>

Listing 2‑7 shows the LDIF output from the tpusr-template.

Listing 2‑7 LDIF Output

dn: CN=user1,CN=Users,DC=tuxdev,DC=bea,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: user
cn: user1
description: Tuxedo User, TUXEDO_UID=16668 TUXEDO_GID=601
password: pwd1

dn: CN=user2,CN=Users,DC=tuxdev,DC=bea,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: user
cn: user2
description: Tuxedo User, TUXEDO_UID=16669 TUXEDO_GID=602
password: pwd2

Supported LDAP Server Template Example

Oracle Tuxedo provides an example template for supported LDAP servers. The files are listed in Table 2‑3.

Table 2‑3 Supported LDAP Server Template Example¹

LDAP Server

GAUTHSVR

Configuration

User Migration Template

Group Migration Template

WebLogic Server

tpgauth

tpusr-template

tpgrp-template

Active Directory²

tpgauth-ad

tpusr-template-ad

tpgrp-template-ad

IPlanet

tpgauth-iplanet

tpusr-template-iplanet

tpgrp-template-iplanet

z/OS LDAP, with RACF backend

tpgauth-racf

tpusr-template-racf

tpgrp-template-racf

1

All files are available under $TUXDIR/udataobj;

2

For Active Directory user’s password cannot be added on creation. For help on how to change or reset it, please refer to Microsoft support document, http://support.microsoft.com/kb/269190, http://support.microsoft.com/kb/263991, etc;

Authorization

TSAM Plus supports role-based authorization.

Group Management

You can specify the ID of default groups "Administrator" and "Viewer" during TSAM Plus installation or deployment process. For more information, refer to Set Groups ID in Installing Oracle TSAM Plus Manager Using GUI-Mode Installation and Oracle TSAM Plus Manager Database Server Deployment.

You can also add, edit, or remove groups from Oracle TSAM Plus monitoring console by doing these steps:

1.

Login to Oracle TSAM Plus console.

2.

From the top menu bar, click Management and select User Management from the drop-down list.

3.

Click the Group List button to enter the Group List menu bar.

4.

Specify the group ID when creating a group.

For more information, refer to User Management.

Group/User Privileges

Refer to Oracle TSAM Plus Group/User Privileges.

Configuration Keyword	Value Type	Description
Host	string	The host name or IP address of the LDAP server.The default value is localhost.
Port	numeric	The port number on which the LDAP server is listening.The default value is 389.
Principal		The Distinguished Name (DN) of the LDAP user that is used to connect to the LDAP server.
Credential		The credential (generally a password) used to authenticate the LDAP user that is defined in the Principal attribute.
UserObjectClass	string	The LDAP object class that stores users. The default is person.
UserBaseDN	string	The base distinguished name (DN) of the tree in the LDAP directory that contains users. The default is ou=people, o=example.com
UserFromNameFilter	string	An LDAP search filter for finding a user given the name of the user. The default is (&(cn=%u)(objectclass=person))
UserUIDAttrName	string	The attribute name of an LDAP user object that specifies the UID of the user or the UID and GID of the user in a fixed format. The default value is userid.
UserGroupAttrNames	string	The attribute names of an LDAP user object that specify the groups the user belongs to. This attribute can contain three types of values: GID, group CN and group DN. One type of value for each configuration. More names are separated by comma. The default value is usergroups.
RetrieveUIDAndGID	boolean	It should always be "true"
UIDAttrValueType	string	It should always be "UIDAndGID"
UseZOSRACF	boolean	Specifies whether the LDAP server is z/OS RACF LDAP server. The default is false.
SSLEnabled	boolean	Specifies that SSL is used to connect to the LDAP server
ConnectTimeout	numeric	The maximum number of seconds to wait for the LDAP connection to be established. If set to 0, there is no maximum time limit. The default value is 0.
TuxedoUIDKey	string	Used to identify the Tuxedo UID. The default value is TUXEDO_UID.
TuxedoGIDKey	string	Used to identify the Tuxedo GID. The default value is TUXEDO_GID.

Command Line Option	Option Argument	Default Value	Usage
-t	user\|group	user	Specifies migration type.
-f	template filename	tpusr-template (when type is user), or tpgrp-template(when type is group)	Specifies the template file name.
-o	o (output filename)	console/stdout	Specifies the output file name.
-u	full path name	tpusr	The full directory path for the tpusr file.
-g	full path name	tpgrp	The full directory path for the tpgrp file.

LDAP Server	GAUTHSVR Configuration	User Migration Template	Group Migration Template
WebLogic Server	tpgauth	tpusr-template	tpgrp-template
Active Directory²	tpgauth-ad	tpusr-template-ad	tpgrp-template-ad
IPlanet	tpgauth-iplanet	tpusr-template-iplanet	tpgrp-template-iplanet
z/OS LDAP, with RACF backend	tpgauth-racf	tpusr-template-racf	tpgrp-template-racf