HCL Workload Automation, Version 9.4

Configuring authentication using the WebSphere Administrative Console

About this task

The WebSphere Administrative Console is the administrative user interface of the Dynamic Workload Console and it is installed automatically with every instance of the WebSphere Application Server.

Note: If you create the repository using the WebSphere Administrative Console, the showSecurityProperties wastool might not show data for the repository.
Use WebSphere Administrative Console to configure authentication as follows:
  1. Backup the configuration

    Backup the WebSphere Application Server configuration using the command backupConfig.

  2. Access the WebSphere Administrative Console
    To access the WebSphere Administrative Console, use one of the following URLs using the current WebSphere Application Server administration credentials:
    https://<Hostname>:<adminSecurePort>//console/
    hcl
    http://<Hostname>:<adminPort>/hcl/console/
    where:
    Hostname
    The fully qualified hostname or the IP address of the computer.
    adminSecurePort
    If you connect with HTTPS, supply the WebSphere Application Server Administration secure port, the default value of which is 31124.
    adminPort
    If you connect with HTTP, supply the WebSphere Application Server Administration port, the default value of which is 31123.
    Example
    https://mypc:31124/hcl/console/
  3. Login to the console

    Log into the console using the WebSphere Application Server credentials. You supplied these when you installed the component on this system (they might have been modified since then).

  4. Navigate to the security section

    Select Security ► Global security

  5. Configure your required authentication mechanism or mechanisms.

    In the User account repository section you see the default Federated repositories option selected. Click the adjacent Configure button. Use the WebSphere Administrative Console to configure your authentication mechanism or mechanisms. When you modify the rows in the Repositories in the realm table, the value InternalFileRepository corresponding to the Repository Identifier column must not be deleted.

    For example, click Add Base entry to Realm ... > Add Repository... to add a new repository, such as LDAP.

    Note: Do not delete the twaPAM entry from the repository until you have completed all the configuration steps.

    Use the built-in context-sensitive help to understand what information to supply in each field.

    In addition, all the key/value pairs output by the showSecurityProperties tool are documented in Security properties: reference. Each key/value pair corresponds to a field or concept expressed in the GUI of the WebSphere Administrative Console; the keys are mnemonic, to help you make the correspondence.

    Note: If you plan to configure the Dynamic Workload Console version 9.1 in Single Sign-On with HCL Workload Automation prior to 9.1, in the Global Security window, specify the same value in both the Distinguished name of a base entry... fields.

    See the following panel as example of a configuration with z/OS Integrate Security Service LDAP Server

    Global security panel

  6. Save the modified configuration

    Click Save to save the new configuration.

  7. Then, you can modify the LDAP entity types for this repository. Under Additional Properties section, select Supported entity types > Group
  8. In the Entity type field, enter the distinguished name of a base entry in the repository. This entry determines the default location in the repository where entities of this type are placed on write operations by user and group management.
  9. Click Apply > Save to save current changes and return to previous panel.
  10. You can specify the Relative Distinguished Name properties by entering the relative distinguished name (RDN™) properties for the specified entity type. Possible values are cn for Group, uid or cn for PersonAccount, and o, ou, dc, and cn for OrgContainer. Delimit multiple properties for the OrgContainer entity with a semicolon (;).
  11. Click OK > Save to save the changes. While exiting you are be asked to set the base entry for this repository; the first name is mandatory and is a name of your choice that uniquely identify the repository in the federation. The second name is optional and depends on how the LDAP server is configured. See the following panel as an example:
    Federated repository properties
  12. Restart the server

    Stop the application server using the command stopappserver, as described in the HCL Workload Automation: User's Guide and Reference. To stop the server, use the original WebSphere administrator credentials.

    Restart the server using the command startappserver, as described in the HCL Workload Automation: User's Guide and Reference.

  13. This step is applicable to Dynamic Workload Console only. Log into the Dynamic Workload Console :
    http://dynamic_workload_console_system:http_port/DASH_context_root 
    https://dynamic_workload_console_system:https_port/DASH_context_root 
    where,
    DASH_context_root
    It is the Dashboard Application Services Hub context root defined at installation time. The context root determines the URL of a deployed application and by default is identical with the application directory or archive structure. In this case, the default is ibm/console.
    Use the WebSphere Application Server credentials (the original administrative user) and assign the following roles to the primary administrative user name (the new administrative user).
    • Iscadmins
    • TDWBAdministrator
    • TWSWEBUIAdministrator
    • chartAdministrator
    See Configuring roles to access the Dynamic Workload Console for details.

Now, you can log into the Dynamic Workload Console as the new administrative user and, optionally, delete the twaPAM entry from the repository, if you do not need it anymore.