Sunday, 6 September 2020

How to configure SSO (Single Sign-On) with Maximo 7.6

For testing purposes, you can set up Maximo 7.6 with an SSO configuration.

There are 3 parts to configuring SSO.

- Part 1 : Install DNS (Domain Name System) Server and AD (Active Directory) Service

- Part 2 : Install Maximo with Middleware

- Part 3 : Configure SSO using SPNEGO

Part 1 : Install DNS Server and Active Directory.

1. Prepare two physical machines (you can use 2 VM instances) running the 2012 OS.

One is the DNS Server, where AD and Maximo will be installed.

The other is the client machine, which will belong to the same domain.

** Important point : The DNS Server and the client machine should have static IP addresses.

2. IP setting for two machines.

- IP setting for DNS Server

- IP setting for Client machine

* The Preferred DNS Server will be the DNS Server IP.

3. Install  DNS Server and Active Directory Service on the DNS Server machine.

- Open Add Roles and Features

- Click  'Role-based or feature-based installation'

-  Select 'Active Directory Domain Services' and 'DNS Server'

- After installing, you will get a 'Post-deployment Configuration' message for Active Directory Domain Services.

-  Click 'Post-deployment Configuration'

- Click 'Add a new forest'. You can set the Root domain name to whatever you want to use. ex. domain.com

- Type a password for Directory Services Restore Mode. ex. Maximo01

- The NetBIOS domain name will be set to DOMAIN, which is derived from the Root domain name (domain.com)

- Finish. You need to restart the machine.

Then you can see that your machine belongs to the 'domain.com' domain.

4. Configure Active Directory structure.

In Active Directory Users and Computers, right-click the domain and go to New → Organizational Unit.

Create the Maximo, Groups and Users OUs as in the screenshot below.

In the Groups OU, add two groups (maximousers, maximononusers).

In the Users OU, add 3 users (maxadmin, maxreg, mxintadm) belonging to the maximousers group and the Domain User group.

This allows the 3 users (maxadmin, maxreg, mxintadm) to log in to a computer that belongs to the domain (DOMAIN).

The DNS Server and Active Directory configuration is now complete.

5. Configure the client machine so that it belongs to the same domain (domain.com)

- Log in to the client machine.

- Open Computer/Properties - System properties and click the 'Change' button. Change 'Member of Domain' to 'domain.com'. Restart this client machine.

The DNS Server and the client machine are now configured. They are in the same domain.

- DNS Server (AD) : dnsserver.domain.com

- Client : ssoclient.domain.com

* Domain users (maxadmin, mxintadm, maxreg) can log into this client machine (ssoclient.domain.com) as in the screenshot below.

Part 2 : Install Maximo 7.6 with middleware (Websphere and DB2) on the server machine where the DNS Server and AD were installed.

1. Run launchpad64 - Select DB2, Websphere and IBM Maximo Asset Management 7.6 as in the screenshot below.

2. Accept the license agreements.

3. Confirm parameter and packages.

4. Enter DB2 Installation Information.

5.  Enter Web Server Configuration Information

6. Once installation is completed, the Tivoli's process automation suite configuration tool screen opens. Click 'Prepare Websphere Application Server for Configuration'.

7. Configure WebSphere Application Server

8.  Configure Application Server Profiles

9. Application Server Advanced Options

10. Configure Administrative Security

11. Apply Deployment Operations.

12.  Click Configure a New Deployment

13. Define Deployment Environment

- Check 'Create and Configure the database'

- Check 'Complete configuration of WebSphere for your product'

14. Configure General Product Information

15. Database Instance Information - Configure the DB2 Database

16. Configure the Application Server

17.  Configure Application Security

18.  Apply Deployment Operations.

19. Finish. You can log into Maximo (http://dnsserver.domain.com:9080/maximo)

Part 3 : SSO (Single Sign On) configuration using SPNEGO

SPNEGO, or the Simple and Protected GSSAPI Negotiation Mechanism, enables a straightforward single sign-on (SSO) mechanism for WebSphere in Kerberos environments.

The Windows client must be in the same Active Directory (AD) domain. If you will be configuring SPNEGO on a Windows system, you will still need a separate Windows client to browse from.

For whatever reason, SPNEGO does not work locally on a system.

1. Create a User ID for the Application Server

Please note that the ID you will be creating here is not, and cannot be, the same as the WebSphere administration ID that you use when you turn on WebSphere Security (usually ‘wasadmin’ in test environments).

The ID that we will be creating here is the ID that the instance of WebSphere itself uses to authenticate to Active Directory.

Ex) wasspnego@domain.com /Maximo01

* Set the password to never expire in your test environment. This will save you the need to regenerate keys (discussed next) because the password never needs changing.

Please remember that if you do change the password for the account, you will also need to regenerate the keys.

 

2. Assign the Service Principal Name and Create Key File

After the account has been created, we need to map this account to the Kerberos Service Principal Name (SPN) and create a key file that WebSphere can use to log into the domain with.
Please note that SPNs and keytabs are only required for the WebSphere Application Server instance, and not the Windows client users who will be logging in to the domain via the domain sign-on screen.

 

To create the key:

ktpass -out <keyfile name> -princ HTTP/<fully qualified hostname>@<AD DOMAIN NAME> -mapuser <AD user> -pass <password> -ptype KRB5_NT_PRINCIPAL

Ex)

ktpass -out appserver1.keytab -princ HTTP/dnsserver.domain.com@DOMAIN.COM -mapuser wasspnego -pass Maximo01 -ptype KRB5_NT_PRINCIPAL

* Please note that case is very important here. HTTP must be all in capital letters, as must the AD domain name. If you get this wrong, authentication will not work.

If it runs successfully, the appserver1.keytab file is created and the Service Principal Name (SPN) is mapped to the AD user ‘wasspnego’.

The keytab file is then copied to the WebSphere server, which will use this key to authenticate itself in the AD domain as ‘wasspnego’.

Note the ‘User logon name’ field for the wasspnego user. It now contains the Service Principal Name (or SPN) of the ID.
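
A pre-flight check for the ktpass arguments described in this step, as an added example (not part of the original post and not IBM or Microsoft tooling). The function name lint_ktpass and its messages are assumptions made here; it applies the case rules above and also flags a password typed on the command line, since ktpass accepts '-pass *' to prompt for it instead.

```python
import re

def lint_ktpass(cmdline):
    """Return a list of problems in a ktpass command line (empty list = OK)."""
    args = cmdline.split()
    # Collect "-name value" / "/name value" pairs; ktpass accepts both prefixes.
    opts = {a[1:].lower(): args[i + 1]
            for i, a in enumerate(args[:-1]) if a[0] in "-/"}
    m = re.fullmatch(r"([^/@]+)/([^/@]+)@([^/@]+)", opts.get("princ", ""))
    if not m:
        return ["-princ must look like HTTP/<fqdn>@<REALM>"]
    service, host, realm = m.groups()
    problems = []
    if service != "HTTP":
        problems.append("service class %r must be upper-case HTTP" % service)
    if "." not in host:
        problems.append("host %r is not fully qualified" % host)
    if realm != realm.upper():
        problems.append("realm %r must be upper case" % realm)
    if "mapuser" not in opts:
        problems.append("-mapuser is missing")
    if opts.get("ptype") != "KRB5_NT_PRINCIPAL":
        problems.append("-ptype KRB5_NT_PRINCIPAL is missing")
    if opts.get("pass", "*") != "*":
        problems.append("password is on the command line; use '-pass *' to be prompted")
    return problems

# The command from this page, and a constructed variant with the case mistakes.
PAGE_CMD = ("ktpass -out appserver1.keytab -princ HTTP/dnsserver.domain.com@DOMAIN.COM "
            "-mapuser wasspnego -pass Maximo01 -ptype KRB5_NT_PRINCIPAL")
BAD_CMD = ("ktpass -out appserver1.keytab -princ http/dnsserver@domain.com "
           "-mapuser wasspnego -pass * -ptype KRB5_NT_PRINCIPAL")

if __name__ == "__main__":
    for cmd in (PAGE_CMD, BAD_CMD):
        print(cmd)
        for problem in lint_ktpass(cmd) or ["ok"]:
            print("   ", problem)
```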

3. Set up Kerberos Configuration on the Application Server

- Copy appserver1.keytab to C:\IBM\WebSphere\AppServer\etc\krb5

- Run C:\IBM\WebSphere\AppServer\bin>wsadmin (wasadmin/Maximo1)

- Run

$AdminTask createKrbConfigFile {-krbPath C:\IBM\WebSphere\AppServer\etc\krb5\krb5.conf -realm DOMAIN.COM -kdcHost dnsserver.domain.com -dns domain.com -keytabPath C:\IBM\WebSphere\AppServer\etc\krb5\appserver1.keytab}

Then both the appserver1.keytab and krb5.conf files will exist in the C:\IBM\WebSphere\AppServer\etc\krb5 folder.

 

4. Enable WebSphere Security : If Maximo was installed using J2EE Application Security, it is already enabled.
Go to Websphere Console - Click Security / Global Security in the left panel.

5. Enable SSO

- Go to Websphere Console - Click Security / Global Security in the left panel
- Click Single Sign-on (SSO)
- Check 'Enabled'  and enter domain name as 'domain.com'
- Check 'web inbound security attribute propagation' and 'Set security cookies to HTTPOnly to help prevent cross-site scripting attacks'

6. Enable SPNEGO in WebSphere

- Go to Websphere Console - Click Security / Global Security in the left panel

- Click  SPNEGO web authentication

- Check 'Dynamically update SPNEGO' and the Enable SPNEGO checkbox

- Enter the Kerberos configuration file and keytab file name with full path (see step 3)

-  Click New button to add a new SPNEGO Filter

- Apply Changes (double-check MXServer/Security Domain/SPNEGO web authentication)

7. Restart Websphere Server.

SPNEGO is now enabled on the server.

8. Configure Browsers : You need to configure your browsers to send their Kerberos tokens to the server when challenged.

You need to change a couple of settings in the browsers running on your Windows client machines.

- Log into the client machine (ssoclient.domain.com) as the maxadmin domain user.

- Open IE browser - Internet options - Security Tab - Local Intranet

- Add *.domain.com - OK

-  Click  Advanced Tab

-  Check 'Enable Integrated Windows Authentication*'

- OK

Now, in the IE browser, try to open http://dnsserver.domain.com:9080/maximo

Maximo will then be logged in automatically as the maxadmin user.

I hope it will be helpful for you to configure SSO with Maximo.

Sunday, 9 August 2020

TADDM 7.3.0 FP7 - Problems with discovery after installing Fix Pack 7

Problem

Unable to start discovery run after migrating to new TADDM fixpack

Symptom

When attempting to run a discovery on any of the Discovery Servers after migrating, the following error occurs:

MESSAGE OF ERROR:
=================
CTJOX0991E THE REQUESTED OPERATION CANNOT BE PERFORMED BECAUSE A
DATABASE MIGRATION IS IN PROGRESS.

Diagnosing The Problem

Check migration.log to ensure no errors occurred during the fix pack application. Check at the end of migration.log for the statement 'completed successfully'. If there are no errors and the migration did complete successfully, TADDM has only failed to move the 'in progress' status of the migration to 'COMPLETE'.

Resolving The Problem

Run the following command for your operating system to change the upgrade status to COMPLETED, which enables the TADDM processes to operate:

For Linux and UNIX systems (from /opt/IBM/taddm/dist/bin):
migration.sh -e

For Windows systems:
migration.bat -e

Saturday, 8 August 2020

mboSet() in Automation Script, getMboSet() vs getThisMboSet() | Maximo


Most of the time, an automation script creates an implicit variable "mbo". It represents the current record on which the script was triggered.

Let's say we open one work order: 123. In this case, our mbo is 123.

1. What if we want to get the MboSet of this mbo (like going back to the list tab :)? Here you go:

mboSet = mbo.getThisMboSet()

2. The most common way to get an MboSet is the famous method
mbo.getMboSet("PR")
where PR is the name of a relationship that already exists in Database Configuration for this record.

3. Or we can create a new relationship at run time with a where clause, like this:
woSet = mbo.getMboSet("woSet", "WORKORDER", "status = 'APPR' and siteid = 'BEDFORD'")

4. The last way is to get any MBO from the system, which is the least recommended if things can be handled with the first 3 methods.
If the "mbo" implicit variable does not exist, then you need this:
from psdi.server import MXServer  # required for the MXServer reference
woSet = MXServer.getMXServer().getMboSet("WORKORDER", userInfo)

IBM Readme for IBM Maximo Asset Management 7.6.1.3 Fix Pack

  Fix Readme Abstract This fix pack updates IBM® Maximo® Asset Management version 7.6.1, 7.6.1.1, and 7.6.1.2 Content IBM Maximo Asset Manag...