TEC593939: How to implement CA EEM and LDAP for Authentication and Authorization of CA APM

Document created by Mary_Clark (Employee) on May 26, 2016. Last modified by SamCreek on May 26, 2016.
Version 2

Document ID:  TEC593939
Last Modified Date:  6/24/2013

Author: Mary_Clark

  • Products
    • CA Application Performance Management
  • Components
    • INTROSCOPE
Description:

Using CA EEM, CA Embedded Entitlements Manager, in conjunction with a supported LDAP Server, it is possible to eliminate manual updates to CA APM configuration files every time you need to add a new user, change a password or update access permissions.

CA EEM allows you to utilize a supported LDAP server for authentication while it controls authorization policies for LDAP users and groups. If you do not use LDAP, EEM can even perform authentication duties using the secure, proprietary CA Directory, which is included.

CA EEM is bundled with CA APM and is available from the APM Product Downloads page on support.ca.com. It can be installed on the same server as the Enterprise Manager or on a separate one. CA EEM supports many CA products, serving as a single point of control for authentication and authorization.

Solution:

How to Integrate CA EEM with CA APM

Step 1: Configure the IntroscopeEnterpriseManager.properties file to provide CA EEM log messages.

Edit [EM_HOME]/config/IntroscopeEnterpriseManager.properties.

Add these properties to the IntroscopeEnterpriseManager.properties file:

log4j.logger.Manager.EemRealm=DEBUG

log4j.logger.additivity.Manager.EemRealm=false

Save and close the IntroscopeEnterpriseManager.properties file.

Step 2: Configure the APM realms.xml file to add the EEM security Realm.

A sample realms.eem.xml configuration file is located in [EM_HOME]/examples/authentication.

Make a backup of your current [EM_HOME]/config/realms.xml.

Copy the sample realms.eem.xml to [EM_HOME]/config.

Rename realms.eem.xml to realms.xml and edit as necessary.

If this is a cluster, copy the new realms.xml file to every Collector in the cluster.

Be sure to restart all EMs for changes to realms.xml to take effect and to be able to successfully register the APM application with EEM.

Failure to restart EMs will cause EEM registration to fail.

Here is an example realms.xml file configured for both EEM and fall-back local authentication, so that you can still access APM if EEM or your LDAP server is unavailable for any reason.

Realms.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<realms xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="0.1" xsi:noNamespaceSchemaLocation="realms0.1.xsd">
  <realm descriptor="EEM Realm" id="EEM" active="true">
    <property name="username">
      <value>EiamAdmin</value>
    </property>
    <property name="host">
      <value>[fully-qualified host name of the EEM server]</value>
    </property>
    <property name="appname">
      <value>APM</value>
    </property>
    <property name="plainTextPasswords">
      <value>true</value>
    </property>
    <property name="enableAuthorization">
      <value>true</value>
    </property>
    <property name="password">
      <value>EiamAdmin</value>
    </property>
  </realm>
  <realm descriptor="Local Users and Groups Realm" id="Local Users and Groups" active="true">
    <property name="usersFile">
      <value>users.xml</value>
    </property>
  </realm>
</realms>

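As an added check (not part of the original article or of CA's tooling), this Python script parses a realms.xml of the form shown above and reports what a practitioner should resolve before restarting the EMs: an inactive or missing EEM realm, a host value still left as the placeholder, the default EiamAdmin password, plainTextPasswords left at true, and the absence of an active local fall-back realm. The sample document is constructed from the example above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the article's example realms.xml with the host placeholder still unfilled.
SAMPLE_REALMS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<realms xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="0.1" xsi:noNamespaceSchemaLocation="realms0.1.xsd">
  <realm descriptor="EEM Realm" id="EEM" active="true">
    <property name="username"><value>EiamAdmin</value></property>
    <property name="host"><value>[fully-qualified host name of the EEM server]</value></property>
    <property name="appname"><value>APM</value></property>
    <property name="plainTextPasswords"><value>true</value></property>
    <property name="enableAuthorization"><value>true</value></property>
    <property name="password"><value>EiamAdmin</value></property>
  </realm>
  <realm descriptor="Local Users and Groups Realm" id="Local Users and Groups" active="true">
    <property name="usersFile"><value>users.xml</value></property>
  </realm>
</realms>
"""


def parse_realms(xml_text):
    """Map realm id -> {"active": bool, "props": {property name: value}}."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    realms = {}
    for realm in root.findall("realm"):
        props = {p.get("name"): (p.findtext("value") or "").strip() for p in realm.findall("property")}
        realms[realm.get("id")] = {"active": realm.get("active") == "true", "props": props}
    return realms


def check_realms(xml_text):
    """Findings to resolve before the EMs are restarted with this file (empty list = nothing found)."""
    realms = parse_realms(xml_text)
    findings = []
    eem = realms.get("EEM")
    if eem is None or not eem["active"]:
        findings.append("no active EEM realm")
    else:
        p = eem["props"]
        if not p.get("host") or p["host"].startswith("["):
            findings.append("EEM host is still a placeholder")
        if p.get("appname") != "APM":
            findings.append("EEM appname is not APM")
        if p.get("password") == "EiamAdmin":
            findings.append("EEM realm still uses the default EiamAdmin password")
        if p.get("plainTextPasswords") == "true":
            findings.append("plainTextPasswords is true")
    # Fall-back realm: any other active realm backed by a users file (the local users.xml realm).
    if not any(r["active"] and "usersFile" in r["props"] for i, r in realms.items() if i != "EEM"):
        findings.append("no active local fall-back realm")
    return findings
```

Run it against the realms.xml you copied to every Collector; an empty list means the file has an active EEM realm with a real host and non-default password plus a working local fall-back.
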
Step 3: Configure EEM to connect to an LDAP Server.

Open the EEM Manager Console in a browser.
http://[EEM Server Name]:5250/spin

Log in as EiamAdmin/EiamAdmin (the default user ID and password).

Click the Configure tab.

Figure 1

Select User Store.

Figure 2

Select: Reference from an external LDAP Directory
Select: Basic LDAP Directory if your LDAP Server is Sun ONE

Figure 3

Add the Sun ONE Directory Server as the LDAP Directory:
Attribute Map: Sun ONE Directory
Host: The Sun ONE host
Port: The Sun ONE directory port
Protocol: LDAP
Base DN: dc=ca, dc=com (for example)
User DN: uid=admin, ou=Administrators, ou=TopologyManagement, o=netscapeRoot
Password: [Sun ONE Administrator password]

Figure 4

Keep in mind that when the CA EEM server is connected to an external user directory, such as LDAP or SiteMinder, you cannot create or add global users in CA EEM. If your CA EEM server is integrated with an LDAP or SiteMinder server for authentication, users and groups must be set up in LDAP or SiteMinder, not in CA EEM.
Step 4: On the EEM Server, run the safex scripts to register the APM application with EEM.

Copy eem.register.app.xml and eem.add.global.identities.xml to [EEM_HOME]\bin.

On a Windows platform the default location of EEM_HOME is C:\Program Files\CA\SC\EmbeddedEntitlementsManager.

These 2 files are provided with the Enterprise Manager in [EM_HOME]/examples/authentication and must be copied to the EEM Server if it is remote from the Enterprise Manager.

Execute the safex command on the EEM Server:

[EEM_HOME]\bin>safex.exe -h localhost -u EiamAdmin -p EiamAdmin -f eem.register.app.xml

Example Output:

Setting Translation file:safex.tr
Setting back end to "localhost"
Setting locale to "en_us"
OK:Successfully Authenticated
OK: action[Attach] with ApplicationInstance label[]
Current XML file location: line 106 column 25
error: action[Register] object[none] ApplicationInstance label[APM] already exists
OK: action[Detach] from ApplicationInstance label[]
OK: action[Attach] with ApplicationInstance label[APM]
OK: action[Add] performed on object[Folder] name[/APM]
OK: action[Add] performed on object[UserGroup] name[/Admin]
OK: action[Add] performed on object[UserGroup] name[/Guest]
OK: action[Add] performed on object[UserGroup] name[/CEM System Administrator]
OK: action[Add] performed on object[UserGroup] name[/CEM Tenant Administrator]
OK: action[Add] performed on object[UserGroup] name[/CEM Configuration Administrator]
OK: action[Add] performed on object[UserGroup] name[/CEM Analyst]
OK: action[Add] performed on object[UserGroup] name[/CEM Incident Analyst]
OK: action[Add] performed on object[User] name[/APM/guest]
OK: action[Add] performed on object[User] name[/APM/cemadmin]
OK: action[Add] performed on object[User] name[/APM/admin]
OK: action[Add] performed on object[User] name[/APM/SaasAdmin]
OK: action[Add] performed on object[User] name[/APM/cemconfigadmin]
OK: action[Add] performed on object[User] name[/APM/cemanalyst]
OK: action[Add] performed on object[User] name[/APM/cemincanalyst]
OK: action[Add] performed on object[Policy] name[/Policies/Domain Admin]
OK: action[Add] performed on object[Policy] name[/Policies/Domain Guest]
OK: action[Add] performed on object[Policy] name[/Policies/Server Admin]
OK: action[Add] performed on object[Policy] name[/Policies/WebService allow]
OK: action[Add] performed on object[Policy] name[/Policies/UserGroup write]
OK: action[Add] performed on object[Policy] name[/Policies/System Security Settings write]
OK: action[Add] performed on object[Policy] name[/Policies/Tenant System Security Settings write]
OK: action[Add] performed on object[Policy] name[/Policies/System Configuration Settings write]
OK: action[Add] performed on object[Policy] name[/Policies/Tenant System Configuration Settings write]
OK: action[Add] performed on object[Policy] name[/Policies/System Configuration Settings capture comprehensive defect details]
OK: action[Add] performed on object[Policy] name[/Policies/Tenant System Configuration Settings capture comprehensive defect details]
OK: action[Add] performed on object[Policy] name[/Policies/System Administrative Settings write]
OK: action[Add] performed on object[Policy] name[/Policies/Report write]
OK: action[Add] performed on object[Policy] name[/Policies/Incident write]
OK: action[Add] performed on object[Policy] name[/Policies/Business Service read sensitive data]
OK: action[Add] performed on object[Policy] name[/Policies/Business Service read]
OK: action[Add] performed on object[Policy] name[/Policies/Business Service read and write]
OK: action[Add] performed on object[Policy] name[/Policies/Business Service all permissions]
OK: action[Add] performed on object[Policy] name[/Policies/Business Application write]
OK: action[Add] performed on object[Policy] name[/Policies/Access Policy all permissions]
OK: action[Detach] from ApplicationInstance label[APM]
Encountered [1] error(s) processing XML data.
OK:Total objects Added 35
OK:Total objects Modified 0
OK:Total objects Removed 0
OK:Total objects Skipped 0
OK:Total objects Exported 0

C:\Program Files\CA\SC\EmbeddedEntitlementsManager\bin>

NOTE: Registering the APM application failed in this example because it had already been registered before. This is not a problem in this case and can be ignored. If this is your first execution of the safex scripts, however, you should watch for errors.

NOTE 2: The first time safex was executed it failed to add any users or policies, though it did successfully register the APM application. This was because the Enterprise Manager had not been restarted after modifying realms.xml to use the EEM Realm.

You do not need to execute the second safex script, eem.add.global.identities.xml, if you have integrated EEM with your LDAP server, because all user and group identities will then be provided by LDAP. If you are using EEM in stand-alone mode without an LDAP server, execute eem.add.global.identities.xml to populate sample users.

To execute eem.add.global.identities.xml:

[EEM_HOME]\bin>safex.exe -h localhost -u EiamAdmin -p EiamAdmin -f eem.add.global.identities.xml
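As an added example (not from the article or from CA's safex tool), this Python helper reads saved safex output of the form listed in Step 4 and classifies the run according to the two NOTEs above: an "already exists" error on Register is benign, while a run that authenticates but adds no objects is the symptom of EMs that were not restarted after the realms.xml change. The sample output is a constructed excerpt of the listing above.

```python
import re

# Constructed excerpt of the Step 4 listing: a re-run against an already registered APM instance.
SAMPLE_SAFEX_OUTPUT = """Setting Translation file:safex.tr
Setting back end to "localhost"
OK:Successfully Authenticated
OK: action[Attach] with ApplicationInstance label[]
error: action[Register] object[none] ApplicationInstance label[APM] already exists
OK: action[Attach] with ApplicationInstance label[APM]
OK: action[Add] performed on object[UserGroup] name[/Admin]
OK: action[Add] performed on object[User] name[/APM/admin]
OK: action[Add] performed on object[Policy] name[/Policies/Domain Admin]
OK: action[Detach] from ApplicationInstance label[APM]
Encountered [1] error(s) processing XML data.
OK:Total objects Added 35
OK:Total objects Modified 0
"""

ADD_RE = re.compile(r"^OK: action\[Add\] performed on object\[(\w+)\] name\[(.*)\]$")
TOTAL_RE = re.compile(r"^OK:Total objects (\w+) (\d+)$")


def parse_safex_output(text):
    """Collect authentication status, error lines, added objects by type, and the summary totals."""
    result = {"authenticated": False, "errors": [], "added": {}, "totals": {}}
    for raw in text.splitlines():
        line = raw.strip()
        add, total = ADD_RE.match(line), TOTAL_RE.match(line)
        if line == "OK:Successfully Authenticated":
            result["authenticated"] = True
        elif line.startswith("error:"):
            result["errors"].append(line)
        elif add:
            result["added"].setdefault(add.group(1), []).append(add.group(2))
        elif total:
            result["totals"][total.group(1)] = int(total.group(2))
    return result


def assess_registration(text):
    """'ok'; 'already-registered' (NOTE 1, benign); 'no-objects' (NOTE 2 symptom: restart the EMs); 'failed'."""
    r = parse_safex_output(text)
    if not r["authenticated"]:
        return "failed"
    if any("already exists" not in e for e in r["errors"]):
        return "failed"  # an error other than the benign re-registration one
    if r["totals"].get("Added", 0) == 0 and not r["added"]:
        return "no-objects"
    return "already-registered" if r["errors"] else "ok"
```

Redirect the safex output to a file on the EEM server and feed it to assess_registration; anything other than "ok" or "already-registered" means the APM policies were not loaded and the Step 5 check will fail.
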

Step 5: Validate that the APM Application was added to EEM.

If the APM application was registered successfully, it will be available to select as an Application on the login screen of EEM.

Open the EEM Manager Console in a browser.

http://[EEM Server Name]:5250/spin

Select APM in the Application dropdown list.

Log in as EiamAdmin/EiamAdmin (the default user ID and password).

Figure 5

Step 6: Grant Authorizations to LDAP Groups for APM.

In this example, the group MyGroup is defined in the LDAP server.

To grant Full permissions to users in MyGroup:

From EEM Home, select Manage Access Policies.
Show policies matching name "*"
Click Go.

Figure 6

The entire policy table for the APM application will be displayed.

During registration of the APM application with safex, a set of default access policies for APM and CEM (Customer Experience Manager) were loaded into EEM. You can scroll through the policy table to see the entire list.

Figure 7

Add MyGroup to the Domain Admin Policy. This will grant full access to SuperDomain for all members of MyGroup.

Right now, only the Admin User Group imported from APM has full permissions to the SuperDomain.

Click on the Domain Admin policy to bring up the Policy editor.

Figure 8

Policy Editor:

Figure 9

Search for the Global (LDAP) Group MyGroup.

Figure 10

Add MyGroup to the Selected Identities for this policy.

Figure 11

Scroll down to verify the Access Policy Configuration for the Domain Admin Policy, where you can see that any group that has the Domain Admin Access Policy has Full Authorization to the APM SuperDomain.

Figure 12

Click Save.

Figure 13

Step 7: Verify the new policy settings for members of the group you just added.

In the example LDAP Server, the user halma12 is a member of MyGroup.

Open the APM Workstation and log in as halma12.

Figure 14

The user is authenticated by LDAP and APM authorization is established by EEM.
This account can view everything in SuperDomain and can create new objects such as Management Modules, Alerts, etc., since it has Full access.

Figure 15

Step 8: Test Authorizations for a member of a Read-Only LDAP Group.

Create a new group called ReadOnlyGroup in your LDAP server.

Add a new user, ReadOnly, to this group.

Log in to EEM with the APM application selected from the dropdown on the login page, and select Manage Access Policies.

Click on Domain Guest to add the new ReadOnlyGroup to the Domain Guest policy.

Figure 16

Search for the Global Group "ReadOnlyGroup" and add it to the Domain Guest Policy.

Figure 17

Click Save.

Log in to the APM Workstation as ReadOnly.

Figure 18

Notice that while logged in as ReadOnly, you can view all objects in SuperDomain, but cannot create a new Simple Alert because you cannot choose a Management Module to put it in. With read-only access, users cannot create new objects in APM.

Figure 19