Enabling Maximo 7 to use LDAP with WebSphere is a fairly simple task once you have your Active Directory setup and long as you understand the concepts behind it to set it up. I love how Maximo 7’s system administration guide is absolutely useless in helping you setup WebSphere for LDAP authentication. Here is what the document says:
For information about configuring WebSphere Application Server to use
WebSphere security and LDAP security, see IBM’s WebSphere Application Server,
Version 6.1 Information Center, and search for WebSphere Active Directory:
After you complete the procedure to configure WebSphere Application Server to
use LDAP security, follow these steps: […]
Really? You can just tell us how to setup LDAP in your own product? We have to go an find out how ourselves, and that link isn’t even useful because you can’t even find the information you need. Well this tutorial will show you how to setup Microsoft Active Directory, then configure LDAP in WebSphere and lastly, configure Maximo to use LDAP.
Setting up Microsoft Active Directory
There are some prerequisites that we need to have in order to configure Maximo to use LDAP. The first is to setup your AD and to add the 3 main users for Maximo to function properly. Those users are: MAXADMIN, MXINTADM, and MAXREG. Since we are using the demo data provided by Maximo, we will also add WINSTON.
First, we have to create an organization unit (OU). You can click on your root server and click on the icon in the toolbar to create a new OU. Let’s name it MAXIMO. In this OU, we can add the new users: MAXADMIN, MXINTADM, MAXREG, and WINSTON. *Please note that the first three users need to be administrative users.
Next, in the MAXIMO organization unit, we need to create a group called ‘maximousers’. Once you create this group, assign the users we just created to this group. Once you are done, it should look something like this:
Now we need to create an administrative user to WebSphere. Create a new user under the ‘users’ folder and name it ‘wasadmin’ and set the password. This is the user that we will use to be the WebSphere admin user login in the next step.
Configure WebSphere for Active Directory
Login to WebSphere and go to Security -> Secure administration, applications, and infrastructure. Click on ‘Security Configuration Wizard’ to setup your LDAP. In the first step, ensure that the check the box for ‘Enable application security’ is checked. Click next. Step 2, select ‘Standalone LDAP registry’ and click next. In step 3, this is where it gets a bit tricky. In the field ‘Primary administrative user name’, enter the value for the ‘wasadmin’ user we created in ‘Setting up Microsoft Active Directory’. It has to be in a format such as this:
This says that we are looking for the user ‘wasadmin’ in the ‘users’ folder which is in the domain controller (dc) of ‘InterPro.local’. Your domain will probably be different than mine, but you can see in the screenshot above, in the top left corner, what our domain controller value is. Next field, select ‘Microsoft Active Directory’. For the host field, enter the IP or fully qualified name of your LDAP server. For the ‘Base distinguished name (DN)’, enter:
This is your domain controller value. Next, in the ‘Bind distinguished name (DN)’, enter:
This is binding the MAXADMIN user we created above under the OU of ‘maximo’. Lastly, enter the password for MAXADMIN and click next. Once you finished, your WebSphere should now be ready for LDAP and you should now be able to logout and log back in as ‘wasadmin’ user from your AD. You may need a server restart as well.
Configure Maximo to use LDAP
This part is fairly simple and can be found in the admin guide but I will walk you through it because there are some things that need to be pointed out. To configure MAXIMO to use application server security, follow these steps:
In the system properties file, add the property ‘mxe.useAppServerSecurity’. Set the value of the property to 1 and save the file.
In applications/maximo/maximouiweb/webmodule/WEB-INF/web.xml, uncomment the following lines:
<!-- <login-config> <auth-method>BASIC</auth-method> <realm-name>MAXIMO Web Application Realm</realm-name> </login-config> -->
In this file, set the useAppServerSecurity setting to 1.
In the same file, uncomment the following lines:
<!-- <security-constraint> <web-resource-collection> <web-resource-name>MAXIMO UI pages</web-resourcename> <description>pages accessible by authorised users</description> <url-pattern>/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <description>Roles that have access to MAXIMO UI</description> <role-name>maximouser</role-name> </auth-constraint> <user-data-constraint> <description>data transmission guarantee</description> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint> -->
Edit the applications/maximo/mboweb/webmodule/WEB-INF/web.xml file, anduncomment the following lines:
<!-- <security-constraint> <web-resource-collection> <web-resource-name>MAXIMO Report Tool</web-resourcename> <description>pages accessible by authorised users</description> <url-pattern>/reporttool/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <description>Roles that have access to MAXIMO Report Tool</description> <role-name>maximouser</role-name> </auth-constraint> <user-data-constraint> <description>data transmission gaurantee</description> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>MAXIMO Web Application Realm</realm-name> </login-config> -->
Set the useAppServerSecurity setting to 1:
<env-entry> <description>Indicates whether to use Application Server security or not</description> <env-entry-name>useAppServerSecurity</env-entryname> <env-entry-type>java.lang.String</env-entry-type> <env-entry-value>1</env-entry-value> </env-entry>
Lastly, rebuild maximo.ear and redploy it.
Setting up MAXIMO LDAP users
Now that we have everything setup, we just need to add the users to will be authenticated to the Maximo application. After you have deployed the maximo.ear file, in WebSphere go to Applications -> Enterprise Applications and click on your MAXIMO application, which is probably MAXIMO. Find the link for ‘Security role to user/group mapping’. Here you should see a row for the role ‘maximouser’. Everytime you redeploy maximo.ear, you have to setup your users. You can click on the check box and then click on ‘Look up users’. This will bring you to a screen where you can select which users will be authenticated in the Maximo application. To find users, first click on the ‘Search’ button. Then from the list of available users, select them and click on the ‘>>’ button to enable them. Click OK and don’t forget to save to master configuration.
Another easier way is to authenticate all AD users for Maximo. To do that, go back to the ‘Security role to user/group mapping’ screen, and next to the ‘maximouser’ role, there is a column call ‘All authenticated?’. Check this box and all users in the AD will be authenticated for Maximo. But one thing to remember is that, in order for that AD user to actually login into MAXIMO, he has to be a user the MAXIMO database. By default, we know that MAXADMIN is already in MAXIMO so we will be able to log in. If you are using the demo data, and you created an AD user of WINSTON, then you should also be able to login as him as well.
Now that you have LDAP configured for Maximo, the next logical step is to setup the LDAP sync…