Wednesday 5 February 2020

Maximo and LDAP - Configuration from Start to Finish


Security is more important than ever, and securing applications is a priority for every company. Many clients ask for documentation on configuring Maximo for LDAP authentication. You end up having to review many different articles to address a single topic, so I've decided to lay out a basic LDAP configuration using WebSphere 7 and Maximo 7.5.0.5. This will walk through connecting WebSphere to your domain right down to the synchronization process and hopefully give a clearer understanding of the configuration process. For the purpose of this blog we're going to discuss this configuration with Microsoft Active Directory (MSAD or AD). However, these steps can be applied to Tivoli Directory Server (TDS) as well.
So, where do you start?
Your first thoughts should be who needs access to Maximo and how we are going to filter just those users into the environment. For our purposes here, we're going to restrict users by the memberOf attribute, and make sure our Maximo users are members of a maximousers group that we filter on.
For a new Maximo implementation, three users need to exist in the directory:
maxadmin – default administrative user
maxreg – default user registration security user
mxintadm – default integration framework user
If your environment is already running and your admin users have different IDs, you can replace the above with your own users, as long as they exist in the database and the LOGINID in your database matches the Common Name (CN) in the directory server. Add these users to your maximousers group along with the rest of your base Maximo users. Any account left out of the group will not be synchronized, and once application server security is switched on there is no local Maximo password to fall back on, so check the administrative accounts first.
Now to get started with your configuration. When configuring Maximo for LDAP there are three parts:
  1. Configure WebSphere to connect to and authenticate against your directory server.
  2. Enable Maximo to authenticate logins against the Federated Repository (the user registry maintained in WAS).
  3. Configure Maximo to synchronize users from the Federated Repository configured in WebSphere, which contains the users brought over from Active Directory.
Step 1: Configuring WebSphere
  1. From the WebSphere Console, expand Security in the left-hand frame and click Global Security. On the Global Security page choose Federated Repositories under Available realm definitions and click Configure.
  2. Once you click Configure you will be brought to the Federated Repositories page, which shows the repositories currently configured in WebSphere. By default a repository called InternalFileRepository exists; it contains the wasadmin user and its group. For the purpose of this tutorial we are going to leave this intact so that wasadmin DOES NOT need to be added to the directory server. Click Manage Repositories to configure your realm.
Note – if wasadmin also exists on your directory server, you will need to remove the file-based repository from the realm or remove wasadmin from it: a user ID that resolves in more than one repository of a federated realm cannot log in.
  3. From the Manage Repositories screen, click Add.
  4. Once you click Add you will be brought to the properties page for the new repository. From the drop-down menu choose your directory type; here we chose Active Directory. Enter the hostname and port of your directory server, then the bind distinguished name and password of the principal user that WebSphere will use to connect to your directory. I created a user named "principal" for this purpose; it only needs read access to the users and groups WebSphere will search, so do not use a domain administrator account.
For Active Directory, we changed the login property to CN. This would be left as UID for TDS. Once done, click Apply and save to the master configuration.
  5. Once you have saved to the master configuration you will be brought back to the Manage Repositories screen, which now shows your newly created repository. From here, head back to the main configuration screen for the realm by clicking "Federated Repositories."
  6. Now we need to configure our base entries. A base entry is the container in your directory that WebSphere searches for users and groups. You can configure multiple entries on this screen, but we are just going to point our realm at the top of the directory. To start, click Add Base Entry to Realm.
  7. On the Add Base Entry screen, enter the DN you want WebSphere to search. As mentioned earlier, we are going to pull in the entire domain and filter at the Maximo level, so I entered dc=mxeam13, dc=torolab, dc=ibm, dc=com, the top level of the domain. Once done, click Apply and save to your master configuration.
  8. Once your base entries are configured you need to enable application security for WebSphere. You do this on the main Global Security page. Check 'Enable application security' and click 'Set as current' so your Current realm definition becomes Federated Repositories. Then apply and save to the master configuration.
  9. Now that your WebSphere configuration is complete, do a full node synchronization and restart the Deployment Manager (dmgr) and Node (nodeagent) Windows services before continuing to the Maximo configuration.
  10. Once you have restarted your services, log back into the WebSphere Console. On the left-hand side, expand Users and Groups and click Manage Users. Search for a known directory user to confirm that your configuration is correct.
Step 2: Enabling Maximo to authenticate against your directory server
Once WebSphere is configured for LDAP authentication we need to configure Maximo. This is done by enabling LDAP security in four web.xml files, and by setting mxe.useAppServerSecurity in either the maximo.properties file or the MAXPROPVALUE table.
  1. The first XML file we will modify is the maximouiweb web.xml. By default you will find it at \ibm\smp\maximo\applications\maximo\maximouiweb\webmodule\WEB-INF\web.xml.
Search for the <security-constraint> tag and uncomment from there down to the closing </login-config> tag.
  2. In the same file, search for useAppServerSecurity and change its value from false to 1.
  3. If you wish to keep the BASIC authentication method (the browser's own credential prompt), you can now save the file. If you want Maximo to display its normal login screen instead, update the file to use FORM authentication by commenting out the BASIC login-config and uncommenting the FORM login-config, so that only one login-config remains active in the file.
  4. Repeat the above, without the auth-method change, in the following three web.xml files – that is, uncomment the <security-constraint> sections and set useAppServerSecurity to 1:
  • IBM\SMP\maximo\applications\maximo\mboweb\webmodule\WEB-INF
  • IBM\SMP\maximo\applications\maximo\meaweb\webmodule\WEB-INF
  • IBM\SMP\maximo\applications\maximo\maxrestweb\webmodule\WEB-INF
  5. Now that your web.xml files are configured for LDAP, we need to update maximo.properties or the MAXPROPVALUE table for application security.
If you want to set this in the database, run the following statement in a SQL tool connected to your database as the schema owner (default maximo), then commit:
update maxpropvalue set propvalue='1' where propname='mxe.useAppServerSecurity'
If you want to set this in maximo.properties, add the line mxe.useAppServerSecurity=1 to the properties file and save it. If you choose this method you will need to re-encrypt the properties file before building your EAR.
See http://www.ibm.com/support/docview.wss?uid=swg21314942 for complete information on modifying maximo.properties.
  6. Once your file changes are made, rebuild and redeploy your EAR files.
  7. Before starting your application, map the security role to the group of users you wish to authenticate. Our users are members of the maximousers group, so that is the group we mapped. If you don't have a specific group, you may choose "All Authenticated in Application's Realm" to give every authenticated directory user the ability to connect to Maximo; the group mapping is the better choice, because it keeps directory accounts that have no business in Maximo from reaching the application at all.
To map your role from the WebSphere console, click Enterprise Applications and then your Maximo EAR. Under Detail Properties click Security role to user/group mapping, select the role, and click Map Groups to map the groups your users are contained in.
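The Step 2 edits are the same four times over, which is where hand-editing slips: a stray comment marker, or two login-config blocks left active. The following Python script is an added example, not part of the original post or of Maximo; it performs the edit on a constructed, much-simplified stand-in for web.xml and then parses the result to report what is actually active. The sample file contents, the role name and the URL patterns in it are invented for the example, and the real web.xml carries a javaee namespace, so summarize_security would need namespace-aware lookups there.

```python
"""Added example (not from the original post): apply the Step 2 web.xml edits
programmatically and verify the result, instead of hand-editing four files."""
import re
import xml.etree.ElementTree as ET

# Constructed, much-simplified stand-in for Maximo's maximouiweb web.xml (the real
# file is far longer and carries a javaee namespace); enough to exercise the edits.
SAMPLE_WEB_XML = """<web-app>
  <context-param>
    <param-name>useAppServerSecurity</param-name>
    <param-value>0</param-value>
  </context-param>
  <!--
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MAXIMO UI pages</web-resource-name>
      <url-pattern>/ui/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>maximouser</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>maximouser</role-name>
  </security-role>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  -->
  <!--
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/webclient/login/login.jsp</form-login-page>
    </form-login-config>
  </login-config>
  -->
</web-app>
"""


def set_context_param(text, name, value):
    """Set the <param-value> that follows <param-name>name</param-name>."""
    pattern = re.compile(r"(<param-name>\s*%s\s*</param-name>\s*<param-value>)[^<]*(</param-value>)"
                         % re.escape(name))
    text, n = pattern.subn(r"\g<1>%s\g<2>" % value, text, count=1)
    if n != 1:
        raise ValueError(f"context-param {name} not found")
    return text


def uncomment_span(text, i, j):
    """Drop the <!-- and --> enclosing text[i:j]; refuse if anything else sits inside them."""
    o = text.rfind("<!--", 0, i)
    c = text.find("-->", j)
    if o < 0 or c < 0 or text[o + 4:i].strip() or text[j:c].strip():
        raise ValueError("span is not a whole comment body")
    return text[:o] + text[o + 4:j] + text[c + 3:]


def comment_span(text, i, j):
    """Wrap text[i:j] in a comment ('--' is illegal inside an XML comment)."""
    if "--" in text[i:j]:
        raise ValueError("cannot comment out text containing '--'")
    return text[:i] + "<!--" + text[i:j] + "-->" + text[j:]


def enable_app_server_security(text, auth_method="BASIC"):
    """Steps 1-3 of the post: useAppServerSecurity=1, expose the
    <security-constraint>..</login-config> block, optionally switch BASIC to FORM."""
    if auth_method not in ("BASIC", "FORM"):
        raise ValueError(auth_method)
    text = set_context_param(text, "useAppServerSecurity", "1")
    i = text.index("<security-constraint>")
    j = text.index("</login-config>", i) + len("</login-config>")
    text = uncomment_span(text, i, j)
    if auth_method == "FORM":
        b = text.index("<auth-method>BASIC</auth-method>")   # hide the BASIC login-config ...
        text = comment_span(text, text.rfind("<login-config>", 0, b),
                            text.index("</login-config>", b) + len("</login-config>"))
        f = text.index("<auth-method>FORM</auth-method>")    # ... and expose the FORM one
        text = uncomment_span(text, text.rfind("<login-config>", 0, f),
                              text.index("</login-config>", f) + len("</login-config>"))
    return text


def summarize_security(text):
    """Parse the result; commented-out elements vanish, so only active settings are reported."""
    root = ET.fromstring(text)
    param = next((cp.findtext("param-value", "").strip() for cp in root.findall("context-param")
                  if cp.findtext("param-name", "").strip() == "useAppServerSecurity"), None)
    return {"useAppServerSecurity": param,
            "constraints": len(root.findall("security-constraint")),
            "auth_methods": [lc.findtext("auth-method", "").strip()
                             for lc in root.findall("login-config")]}


if __name__ == "__main__":
    for method in ("BASIC", "FORM"):
        print(method, summarize_security(enable_app_server_security(SAMPLE_WEB_XML, method)))
```

To use it on the real files, read each web.xml, call enable_app_server_security with "FORM" for maximouiweb and "BASIC" for the other three, and write the result back only after summarize_security shows one security-constraint and exactly one auth-method; a file that ends up with two active login-config blocks is the usual cause of a redeploy that starts but never prompts.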
Step 3: Configure Maximo to synchronize users from your repository
Our final step is to set up the VMMSYNC crontask to bring users into Maximo from the directory server.
  1. Open System Configuration > Platform Configuration and click Crontask Setup. From here, filter for VMMSYNC.
  2. Enter the principal user that can read the repository in the Principal field, and its password in the Credential field. This is the same kind of read-only bind account used in Step 1, and it should have no more rights than that.
  3. Once your credentials are set up, configure the group mapping to sync the groups you want into Maximo.
  4. Between the <basedn></basedn> tags of the GroupMapping parameter, specify the location in your directory where your groups reside. In our case it is the SWG OU, as in the example below:
         <basedn>ou=SWG, dc=mxeam13, dc=torolab, dc=ibm, dc=com</basedn>
  5. Next, do the same for the UserMapping parameter, but this time bring in only the users that are members of the maximousers group:
        <basedn>ou=SWG, dc=mxeam13, dc=torolab, dc=ibm, dc=com</basedn>
        <filter>@xsi:type='PersonAccount' and memberof='cn=maximousers, ou=SWG, ou=maximo groups, dc=torolab, dc=ibm, dc=com'</filter>
  6. Once these changes are done, set the crontask instance to Active and reload its configuration (the Reload Request action). If you are having problems with the memberof filter, it is most likely because memberof does not exist as a property of the PersonAccount entity in the repository. You can add it using the instructions below.
Adding the memberof property to the PersonAccount entity in VMM
1) From IBM\WebSphere\AppServer\bin, run wsadmin.bat
2) Once the wsadmin command line displays, run the following command:
$AdminTask addIdMgrPropertyToEntityTypes {-name memberof -dataType string -entityTypeNames PersonAccount}
-name : the name of the attribute on the directory server, for this example memberof
-dataType : the data type of the property, in our case string
-entityTypeNames : the VMM entity type the property is added to, here PersonAccount
3) After running the command you will see that your attribute was successfully added.
4) Synchronize your node and restart the services.
Your synchronization will now be able to use memberof as a filter.
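Before activating the crontask it pays to check what the filter will actually select, for example whether a maxadmin that was never added to the group drops out, and to compare DNs in a normalized form, since Active Directory returns memberOf values without the blanks used in the mapping above. The following Python script is an added example, not part of the original post or of Maximo; it only emulates the filter from the text (@xsi:type='PersonAccount' and memberof=...) on constructed sample entries, while the real evaluation happens inside VMM. The group DN, the sample accounts and the case-insensitive LOGINID comparison are assumptions made for the example.

```python
"""Added example (not from the original post): preview which directory entries the
VMMSYNC user mapping will pick up before the crontask is activated."""

# Default Maximo accounts from the post; if the sync drops any of them you lose the
# administrator, self-registration or integration-framework login.
REQUIRED_LOGINIDS = ("maxadmin", "maxreg", "mxintadm")


def normalize_dn(dn):
    """Canonical form for comparing DNs: lower case, no blanks around ',' or '='.
    Active Directory hands back memberOf as CN=maximousers,OU=SWG,... while the post
    writes its DNs with a blank after every comma. Escaped commas are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip()}={value.strip()}")
    return ",".join(rdns).lower()


def in_subtree(dn, basedn):
    """True when dn sits at or below basedn (the <basedn> of the mapping, subtree scope)."""
    d, b = normalize_dn(dn), normalize_dn(basedn)
    return d == b or d.endswith("," + b)


def matches_user_filter(entry, group_dn):
    """Emulates the post's filter @xsi:type='PersonAccount' and memberof='<group>'.
    A stand-in for VMM's own evaluation, written so the outcome can be checked offline."""
    if entry["type"] != "PersonAccount":
        return False
    wanted = normalize_dn(group_dn)
    return any(normalize_dn(g) == wanted for g in entry.get("memberOf", ()))


def preview_sync(entries, basedn, group_dn, maximo_loginids):
    """Who the sync would bring in, which MAXUSER LOGINIDs would find no directory match
    (the post requires LOGINID == CN), and which required accounts would be lost."""
    synced = [e["cn"] for e in entries
              if in_subtree(e["dn"], basedn) and matches_user_filter(e, group_dn)]
    have = {cn.lower() for cn in synced}   # assumption: LOGINID and CN compared case-insensitively
    return {
        "synced": synced,
        "unmatched_loginids": [u for u in maximo_loginids if u.lower() not in have],
        "locked_out": [u for u in REQUIRED_LOGINIDS if u not in have],
    }


# Constructed sample: the post's base DN, one group, and a handful of entries written
# the way AD/VMM would return them (upper-case attribute names, no blanks).
BASE_DN = "ou=SWG, dc=mxeam13, dc=torolab, dc=ibm, dc=com"
GROUP_DN = "cn=maximousers, ou=SWG, dc=mxeam13, dc=torolab, dc=ibm, dc=com"
_AD_GROUP = "CN=maximousers,OU=SWG,DC=mxeam13,DC=torolab,DC=ibm,DC=com"
DIRECTORY = [
    {"dn": "CN=maxadmin,OU=SWG,DC=mxeam13,DC=torolab,DC=ibm,DC=com", "cn": "maxadmin",
     "type": "PersonAccount", "memberOf": [_AD_GROUP]},
    {"dn": "CN=mxintadm,OU=SWG,DC=mxeam13,DC=torolab,DC=ibm,DC=com", "cn": "mxintadm",
     "type": "PersonAccount", "memberOf": [_AD_GROUP]},
    # maxreg was never added to maximousers: the filter drops it and the default
    # registration account has no login once application server security is on.
    {"dn": "CN=maxreg,OU=SWG,DC=mxeam13,DC=torolab,DC=ibm,DC=com", "cn": "maxreg",
     "type": "PersonAccount",
     "memberOf": ["CN=Domain Users,CN=Users,DC=mxeam13,DC=torolab,DC=ibm,DC=com"]},
    # in the right group but outside <basedn>: not synced either
    {"dn": "CN=jsmith,OU=Contractors,DC=mxeam13,DC=torolab,DC=ibm,DC=com", "cn": "jsmith",
     "type": "PersonAccount", "memberOf": [_AD_GROUP]},
    # the bind account and the group object itself must not become Maximo users
    {"dn": "CN=principal,OU=SWG,DC=mxeam13,DC=torolab,DC=ibm,DC=com", "cn": "principal",
     "type": "PersonAccount", "memberOf": []},
    {"dn": _AD_GROUP, "cn": "maximousers", "type": "Group", "memberOf": []},
]
MAXUSER_LOGINIDS = ["MAXADMIN", "MAXREG", "MXINTADM", "JSMITH"]

if __name__ == "__main__":
    print(preview_sync(DIRECTORY, BASE_DN, GROUP_DN, MAXUSER_LOGINIDS))
```

A non-empty locked_out list is the signal to fix group membership in the directory before the crontask runs, not after; the unmatched_loginids list tells you which existing MAXUSER records will be orphaned by the filter.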

Maximo Anywhere and LDAP

I took a bit of a hiatus from blogging during the month of February, being out for a large portion of it at the IBM Interconnect Conference. But I'm back in the full swing of things now and want to share a bit of knowledge on authenticating to your LDAP-secured Maximo environment. This may be common knowledge to some, as it is documented by other means. However, for those who haven't ventured into configuring Maximo Anywhere to authenticate with LDAP, you need not worry, as there isn't much to it!
To get started we have one prerequisite: your current Maximo environment must already be configured to authenticate users via LDAP. If you need more information on this, please see my previous blog, Maximo and LDAP - Configuration from Start to Finish. Now that Maximo is configured for LDAP, what else needs to be done to configure Maximo Anywhere to authenticate with LDAP? Unlike the LDAP blog above, this will be short and sweet, as we only have two modifications to make.
Configuring Maximo Anywhere to authenticate with LDAP
1. The first change is to your \ibm\smp\maximo\applications\maximo\maximouiweb\webmodule\WEB-INF\web.xml file. Search for security-constraint and, along with the UI pages, ensure the OSLC section of the constraint is not commented out. Maximo Anywhere talks to Maximo through the OSLC interface, and the container only challenges those requests for credentials if their URL pattern sits inside an active security constraint.

Once the comments are removed (if not already removed during your original LDAP implementation), rebuild and redeploy the maximo.ear file.

2. The second step is to modify the \ibm\AnywhereWorkManager\server\conf\worklight.properties file. Search the file for si.auth.type and change it to match the authentication method used by Maximo (defined in the web.xml). So if you are using normal Maximo authentication the property should remain 'maximo'; if using form-based LDAP authentication change it to 'form'; and if using basic authentication (network prompt), set it to 'basic'. In our test we are using form authentication for LDAP on the base Maximo side, so we set this property to 'form'.

Once done, save the file, then finish up by running the build all command and redeploy your worklight.war using the config tool.
Now that everything is redeployed and started up, you should be able to authenticate to your Maximo environment via the Maximo Anywhere application using your LDAP credentials.

That's all for now. As always, any questions, comments or concerns please post below.

Clearing WebSphere temporary file caches for Maximo Asset Management

This document shows the correct directories to delete to clear the WebSphere 7.0, 8.0, 8.5.5 and 9.0 Maximo application server cache.

Symptom

New changes, such as Fix Pack, Interim Fix Pack, LAFIX/hot fix or XML changes do not take effect after deploying a new maximo.ear file.

Resolving The Problem

Follow the steps below to clear the WebSphere application server cache when deploying the maximo.ear.
Make this cache-clearing procedure part of every rebuild and redeploy of the EAR files.


Note: If you are not going to redeploy the MAXIMO.ear, skip steps 3 and 5 through 7.

1. Log into the WebSphere Integrated Solutions Console.

2. Shut down the Maximo application server (default name MXServer).

3. Under Applications > Application Types > WebSphere enterprise applications, select and uninstall the Maximo enterprise application (maximo.ear) completely.

4. Delete cached files from temp and wstemp and, optionally, logs directories:

Windows (where the WebSphere location is C:\Program Files\IBM\WebSphere\AppServer, the application server profile is called ctgAppSrv01, the node is called ctgNode01, and the Maximo server is called MXServer). *.* means contents of the named directory:
  • C:\Program Files\IBM\WebSphere\AppServer\profiles\ctgAppSrv01\temp\ctgNode01\MXServer\*.*
    C:\Program Files\IBM\WebSphere\AppServer\profiles\ctgAppSrv01\wstemp\*.*
    (optional) C:\Program Files\IBM\WebSphere\AppServer\profiles\ctgAppSrv01\logs\MXServer\*.*

Unix (where the WebSphere location is /opt/IBM/WebSphere/AppServer/profiles/ctgAppSrv01, the application server profile is called ctgAppSrv01, the node is called ctgNode01, and the Maximo server is called MXServer). *.* means contents of the named directory:
  • /opt/IBM/WebSphere/AppServer/profiles/ctgAppSrv01/temp/ctgNode01/MXServer/*.*
    /opt/IBM/WebSphere/AppServer/profiles/ctgAppSrv01/wstemp/*.*
    (optional) /opt/IBM/WebSphere/AppServer/profiles/ctgAppSrv01/logs/MXServer/*.*

5. Delete MAXIMO.ear from /installedApps, both the contents of the directory and the directory itself:

Windows (locations as above):
  • C:\Program Files\IBM\WebSphere\AppServer\profiles\ctgAppSrv01\installedApps\ctgCell01\MAXIMO.ear

Unix (locations as above):
  • /opt/IBM/WebSphere/AppServer/profiles/ctgAppSrv01/installedApps/ctgCell01/MAXIMO.ear

You do not need to delete the MXIEHS.ear directory.

6. Deploy the Maximo enterprise application. If you are using LDAP server authentication, re-create the security role to user/group mapping that the MAXIMO enterprise application had before the uninstall: the mapping is discarded together with the application, and without it the container denies every directory user access to Maximo.

7. Synchronize nodes. System Administration > Nodes, check the node to synchronize, then click the Synchronize button.
[Use Full Resynchronize if you have made manual file edits on the node. Deploying a Maximo EAR does not make manual file edits on the node, so it should not be necessary to use this function. Full resynchronize can take much longer to complete. If Synchronize fails immediately, manual synchronization will be necessary.]

8. Restart MXServer.

Note: In WebSphere 8.0 and 8.5.5 on Windows, the default installation directories may be in C:\Program Files (x86)\IBM rather than C:\Program Files\IBM.

See also the WebSphere Java SDK technote on how to clear the WebSphere class caches. Clearing the WAS class and OSGi caches may resolve class mismatch problems.
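To make steps 4 and 5 repeatable, here is a Python script, added as an example and not part of the technote, that derives the directory list from the profile, node, server and cell names above and clears it with two guards: it refuses to run while a <server>.pid file exists under logs/<server> (the assumption here is that WebSphere leaves that file in place while the JVM is up), and it refuses any path that resolves outside the profile root. The demo function builds a throwaway profile tree with the technote's names, so the behaviour can be checked without a WebSphere installation; the same code runs against the Windows layout, since pathlib handles both.

```python
"""Added example (not from the technote): clear the WebSphere cache directories for
Maximo from a script, with guards against deleting the wrong thing."""
import shutil
import tempfile
from pathlib import Path


def cache_paths(profile_root, node, server, cell, redeploy=True, include_logs=False):
    """Directories the technote names, under the profile root.
    Step 4: temp/<node>/<server>, wstemp, optionally logs/<server>.
    Step 5 (only when MAXIMO.ear is redeployed): installedApps/<cell>/MAXIMO.ear.
    MXIEHS.ear is deliberately not listed."""
    root = Path(profile_root)
    paths = [root / "temp" / node / server, root / "wstemp"]
    if include_logs:
        paths.append(root / "logs" / server)
    if redeploy:
        paths.append(root / "installedApps" / cell / "MAXIMO.ear")
    return paths


def server_running(profile_root, server):
    """Assumption: WebSphere keeps logs/<server>/<server>.pid while the JVM is up."""
    return (Path(profile_root) / "logs" / server / f"{server}.pid").exists()


def clear_caches(profile_root, node, server, cell, redeploy=True, include_logs=False, dry_run=True):
    """Delete the contents of the step-4 directories and the MAXIMO.ear directory itself.
    Returns the paths acted on; with dry_run=True nothing is deleted."""
    root = Path(profile_root).resolve()
    if server_running(root, server):
        raise RuntimeError(f"{server} appears to be running; stop it first (step 2)")
    done = []
    for p in cache_paths(root, node, server, cell, redeploy, include_logs):
        p = p.resolve()
        if root not in p.parents:      # a name containing '..' or a symlink could escape
            raise ValueError(f"refusing to touch {p}: outside {root}")
        if not p.exists():
            continue
        if not dry_run:
            if p.name == "MAXIMO.ear":
                shutil.rmtree(p)       # step 5: contents and the directory itself
            else:
                for child in p.iterdir():   # step 4: contents only, keep the directory
                    shutil.rmtree(child) if child.is_dir() else child.unlink()
        done.append(str(p))
    return done


def demo_on_temp_profile():
    """Build a throwaway profile tree with the technote's names, run the clear, and
    report what is left so the behaviour can be checked without WebSphere."""
    base = Path(tempfile.mkdtemp()).resolve()
    node, server, cell = "ctgNode01", "MXServer", "ctgCell01"
    for rel in ("temp/ctgNode01/MXServer/cache.dat", "wstemp/anonymous/workspace/a.xml",
                "logs/MXServer/SystemOut.log",
                "installedApps/ctgCell01/MAXIMO.ear/maximouiweb.war/index.jsp",
                "installedApps/ctgCell01/MXIEHS.ear/help.html"):
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_text("x")
    pid = base / "logs" / server / f"{server}.pid"
    pid.write_text("12345")             # pretend MXServer is still up
    try:
        clear_caches(base, node, server, cell, dry_run=False)
        refused = False
    except RuntimeError:
        refused = True
    pid.unlink()                        # server stopped; now the clear may proceed
    done = clear_caches(base, node, server, cell, dry_run=False)
    mx_temp = base / "temp/ctgNode01/MXServer"
    result = {
        "refused_while_running": refused,
        "cleared": sorted(Path(d).relative_to(base).as_posix() for d in done),
        "temp_dir_kept_empty": mx_temp.is_dir() and not any(mx_temp.iterdir()),
        "wstemp_empty": not any((base / "wstemp").iterdir()),
        "maximo_ear_gone": not (base / "installedApps/ctgCell01/MAXIMO.ear").exists(),
        "mxiehs_kept": (base / "installedApps/ctgCell01/MXIEHS.ear/help.html").exists(),
        "logs_kept": (base / "logs/MXServer/SystemOut.log").exists(),
    }
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(demo_on_temp_profile())
```

Run it once with the default dry_run=True against the real profile directory to see the list it would act on, then again with dry_run=False; pass redeploy=False when you are not redeploying MAXIMO.ear (the technote's note about skipping steps 3 and 5 to 7).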

How to clear the WebSphere class caches

Problem

Instructions on clearing the Java class caches in IBM WebSphere Application Server: both the JVM's shared class cache and WebSphere Application Server's OSGi class cache.

Resolving The Problem

IBM Support may ask you to clear the class caches. There are several reasons for this. After an upgrade, it is possible that the caches are still holding on to previous versions of classes. It is also possible that the caches became corrupted.

Please remember there are two caches that will need to be cleared, the JVM's cache and the OSGi cache. The server has to be stopped before clearing the cache.

To clear the OSGi class cache:
  • For UNIX platforms, run the following script in each profile:
    <WebSphere_HOME>/profiles/profile_name/bin/osgiCfgInit.sh

    For Windows platforms, run the following script in each profile:
    <WebSphere_HOME>\profiles\profile_name\bin\osgiCfgInit.bat

To clear the JVM's class cache (Linux, AIX, z/OS and Windows):
  • For UNIX and z/OS platforms, run the following script:
    <WebSphere_HOME>/bin/clearClassCache.sh

    For Windows platforms, run the following script:
    <WebSphere_HOME>\bin\clearClassCache.bat

    And clear the following directory contents:
    <WinUsers_home>\Local Settings\Application Data\javasharedresources\

    where WinUsers_home is either C:\Documents and Settings\DefaultUser or C:\Users\[WSAS_User], depending on your version of Windows.

    Please note:

    1. You should not delete the cache while any of the JVMs are running and using it. The server has to be stopped before clearing the cache.

    2. You must be logged in as the user who started WebSphere Application Server, because the cache files belong to that user.

    3. On Windows, clearClassCache.bat may not work if WebSphere runs as a Windows service. In that case clear the following directory contents by hand:

    For Windows XP/Windows 2003:

    C:\Documents and Settings\DefaultUser\Local Settings\Application Data\javasharedresources\

    For Windows Vista/Windows 7/Windows 2008:

    C:\Users\[WSAS_User]\AppData\Local\javasharedresources\

    For Windows 2008/Windows 2012/Windows 2016, when the service runs as the Local System account:

    C:\Windows\System32\config\systemprofile\AppData\Local\javasharedresources
    or
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\javasharedresources

Maximo Health Check Report

Is your Maximo database in good health?

Maximo Health Check report is a utility for IBM Maximo that helps identify and analyze issues, errors and incorrect configurations that can lead to unsatisfactory system performance.
Adding more JVMs to your application server cluster seldom solves Maximo performance issues. In our experience, the most effective performance improvements are made on the database side.
  • Data archiving – After several years of use, Maximo systems may become slow because of the volume of data accumulated. Moving unnecessary data out of the main Maximo tables can greatly improve overall system performance.
  • Database index optimization – Adding the right indexes and removing the wrong ones is a complex activity that requires deep skills but can produce outstanding results in many cases.
  • SQL query optimization – SQL queries are everywhere in Maximo: Start Center portlets, application queries, escalations and reports. Those SQL statements are seldom optimized and can lead to slow response times and increased system load.
  • Database tuning – The last resort is to fine-tune the database server with the support of experienced DBAs. The Maximo Best Practices for System Performance document describes the main settings for supported databases, but sometimes specific tuning may be needed.

Installation instructions

  • Download MxDevReports.zip file and extract it in a folder of your choice.
  • Open Administration > Report Administration application and create a new record.
  • Enter the following information:
    • Report file name: mxdev_healthcheck.rptdesign
    • Description: Health Check (MxDev)
    • Application: CONFIGUR (Database Configuration)
  • Save the record.
  • Select Import Report action from the menu and import CONFIGUR/mxdev_healthcheck.rptdesign file.
  • Click on Generate Request Page and then on Preview to test the report.
The report may be quite heavy to run on large production environments, so we suggest scheduling its execution outside working hours.
Maximo Health Check report has been tested on Maximo 7.5 and 7.6.
Support is not officially provided but you can post problems or enhancement requests in the community forums and we will do our best to help users get the most out of it.

Report Information

The report is divided in the following sections:
  • Environment overview
  • Sites breakdown
  • Data Volume
  • Data growth
  • Reports
  • Crontasks and escalations
  • Users Activity
Here are a few examples of charts available in the report.

Improved Automation Scripts application

Maximo automation scripts are a very useful tool for implementing custom business logic for your customer. Over time you may have many scripts to maintain, and it can become hard to understand all the logic you have implemented on a specific object. An easy and useful trick I always use is to modify the Automation Scripts application so that it displays, and can filter on, each script's launch points.
You can see in this screenshot how easy it is to understand which scripts are running on each business object.

The Automation Scripts app can be modified in just a few minutes and can be a lifesaver in many cases.
Open the Application Designer, search for AUTOSCRIPT application and make the following changes.
Remove the following table columns definitions:
  • SCRIPTLANGUAGE – Typically you always use one scripting language so there is no need to search for this field.
  • VERSION – I don’t think this is really helpful.
  • USERDEFINED – Maximo has no built-in script and you probably use a project-specific prefix.
Add the following columns:
  • SCRIPTLAUNCHPOINT.LAUNCHPOINTTYPE
  • SCRIPTLAUNCHPOINT.OBJECTNAME
  • SCRIPTLAUNCHPOINT.ATTRIBUTENAME
If you prefer to modify the application definition XML instead of using the graphical editor, here is how the XML looks:
<tablebody displayrowsperpage="20" filterable="true" filterexpanded="true" id="autoscript_results_showlist_tablebody">
  <tablecol dataattribute="autoscript" filterable="false" id="autoscript_results_showlist_column1" mxevent="toggleselectrow" mxevent_desc="Select Row {0}" sortable="false" type="event"/>
  <tablecol dataattribute="autoscript" id="autoscript_results_showlist_column2" mxevent="selectrecord" mxevent_desc="Go To %1" type="link"/>
  <tablecol dataattribute="description" id="autoscript_results_showlist_column3"/>
  <tablecol dataattribute="active" id="autoscript_results_showlist_column5"/>
  <tablecol dataattribute="SCRIPTLAUNCHPOINT.LAUNCHPOINTTYPE" id="mxd_LAUNCHPOINTTYPE"/>
  <tablecol dataattribute="SCRIPTLAUNCHPOINT.OBJECTNAME" id="mxd_OBJECTNAME"/>
  <tablecol dataattribute="SCRIPTLAUNCHPOINT.ATTRIBUTENAME" id="mxd_ATTRIBUTENAME"/>
  <tablecol filterable="false" id="autoscript_results_bookmark" mxevent="BOOKMARK" mxevent_desc="Add to Bookmarks" mxevent_icon="btn_addtobookmarks.gif" sortable="false" type="event"/>
</tablebody>

Scripting with Maximo

Today I am going to introduce you to the world of scripting with Maximo. Maximo scripting lets you customize a slew of Maximo components, including:
  • Customizing MBOs through save-point and initialization-point validations and actions, and MBO field validations and actions.
  • Customizing workflow, escalation, conditional UI, menus and push-button actions via scripted actions and conditions.
It is important to understand that automation scripts are a server-side artifact, as opposed to a client-side one. All your scripts are executed on the server, not in the browser, so the right to create or edit scripts amounts to the right to run arbitrary code inside the Maximo server and should be granted as carefully as any other administrative privilege.
The cool part about scripting is that you can use it without writing a line of Java code, and without restarting the server or rebuilding the EAR file. We understand that sometimes you need to customize using MBO code or the Maximo SDK, and the scripting framework does not remove that power. You still have access to all of the Maximo APIs as well as the MBO instances in context. You can use an MBO to access any related MBO or set and can call all public APIs, such as those to invoke a web service or send an email from a script.
As for languages, you can code the script in the language of your choice. Jython and JavaScript are enabled by default. However, you should be able to use any JSR-223 compliant scripting engine or language, provided that you add the engine's JAR file to the Maximo classpath (either EAR or system). So if you are a JRuby or Groovy geek, try the version of those languages that supports JSR-223 and start grooving in Maximo. Just so you know, Maximo Support answers questions only about scripts written in JavaScript and Jython.

IBM Readme for IBM Maximo Asset Management 7.6.1.3 Fix Pack

  Fix Readme Abstract This fix pack updates IBM® Maximo® Asset Management version 7.6.1, 7.6.1.1, and 7.6.1.2 Content IBM Maximo Asset Manag...