DX NetOps

Expand all | Collapse all

Spectrum 10.4.1 and EEM

  • 1.  Spectrum 10.4.1 and EEM

    Posted 3 days ago
    We currently have a Spectrum setup which we would like to integrate with EEM (in a multi-domain setup).

    Questions:
    1. Once we setup Spectrum authentication to be handled by EEM will we continue to login to OneClick with the local Super Users?
    2. In case of rollback (disabling EEM integration) what will happen to the current local users? Will their passwords be preserved?

    Any help would be appreciated.

    José Carlos


  • 2.  RE: Spectrum 10.4.1 and EEM

    Posted 2 days ago
    I stopped using EEM for provided for authentication for Spectrum, as you'll not be able to login to Spectrum if EEM fails. The failback mechanism for authentication on OneClick allows login using Spectrum stored password, if the LDAP is not available.

    I am using EEM but just as a proxy to the LDAP domains to be queried. There's a procedure for enabling LDAP on the underlying CA Directory in EEM. Basically you're querying the LDAP on CA Directory that points to the rest of the LDAP domains. In case of any LDAP failure, at least the SuperUsers will be able to login to the system.

    I was not able to find the legacy technical document, but I was able to find a local copy that I had. This is the content of the document. It relates to CA Service Desk, but it applies to any tool that uses CA EEM.
    ---
    Document ID:    TEC468463
    Tech Document
    Title:  If we are not have a LDAP server in our environment, like Active Directory, may we use EEM (eIAM) as the LDAP server for Service Desk? We would like to use it for both authentication and to share contact data with Service Desk.

    Description:

    This solution offers a method to use eIAM as the LDAP server for Service Desk.

    Solution:

    Service Desk can use EEM(eIAM) for authentication by running Service Desk Configuration and selecting the checkbox for "Use EIAM Authentication".

    For syncing contact data using the Service Desk - LDAP integration configured in Service Desk Options Manager, EEM may be used if it is using its own internal store.
    More information on the LDAP Integration options is available in the online Help documentation, including integrating Service Desk with EEM.
    The following list a sample of how the options should be configured, this may differ in your environment based on your configuration:

    Prior to configuring Service Desk, you must modify the following file:
    CA\eTrust Directory\dxserver\config\knowledge\iTechPoz-<hostname>-Router.dxc
    Change:
    address = tcp localhost port 1684
    To:
    address = tcp localhost port 1684, tcp "<hostname>" port 1684
    Where <hostname> is the host name of the eIAM server.
    Recycle the following Windows Services or Unix Daemons:
    eTrust Directory - iTechPoz-<hostname>
    eTrust Directory - iTechPoz-<hostname>-Router
    eTrust Directory SSL daemon - iTechPoz-Server
    iTechnology iGateway 4.2

    Note: EEM is configured "out of box" to allow for Anonymous connections for ldap queries, so do not install the "ldap_dn" and "ldap_pwd" options.
    "ldap_host" = <your EEM server hostname or IP address>
    "ldap_enable" = <optional - see help on this option for more details>
    "ldap_port" = 1684
    "ldap_search_base" = cn=Users,cn=Entities,cn=iTechPoz
    "ldap_service_type" = eIAM
    "ldap_user_object_class" = "pozObject"

    Other LDAP options are not used.
    To test the integration will work prior to recycling Service Desk, run "ldap_test -a *.
    It should return output like the following:

    ldap_test -a *
    Starting ldap_test...
    LDAP service type=eiam
    Service Desk platform=windows
    Using search base=cn=Users,cn=Entities,cn=iTechPoz
    Using filter=(objectClass=pozObject)
    ldap_init(141.202.148.131,1684): (Success)
    ldap_bind_s() (Success)
    LDAP API Verion 3
    ANSI Code Page 1252

    4 LDAP records found...

    DN: cn=Administrator,cn=Users,cn=Entities,cn=iTechPoz
    objectClass(9)(0): pozObject
    userPassword(33)(0): {SHA}tTd/ny3WDbB41i6XUiWPpc8Nvls=
    cn(13)(0): Administrator
    pozClass(5)(0): O_E_U
    pozId(37)(0): 857643be-walsh04wiki47bc847d-895b28-e
    pozGeneration(1)(0): 1
    pozLocation(24)(0): /iTechPoz/Entities/Users
    pozLabel(8)(0): PozAdmin
    pzPasswordChangeDate(10)(0): 1203537094
    pzSuspended(5)(0): false
    pzOverridePasswordPolicy(5)(0): false
    pzChangePasswordNextLogin(5)(0): false
    pzIncorrectLoginCount(1)(0): 0
    pzUserName(13)(0): Administrator
    pzDisableDate(1)(0): 0
    pzPasswordTimeToWarn(5)(0): false
    pzPasswordExpireTime(1)(0): 0
    pzPasswordDigest(32)(0): 70039654eihrbwJwHBi/02d+Uztbww==
    pzEnableDate(1)(0): 0
    pzSuspendedDate(1)(0): 0
    pzLastName(13)(0): Administrator

    If ldap_test is successful, recycle the Service Desk Daemon Server service in Windows or Daemon in Unix.

    Functionality achieved:

    1. Users will authenticate through EEM, an external LDAP Directory server like Active Directory or Sun One is no longer required

    2. If a contact exists in EEM, but not in Service Desk, when logging in to Service Desk, their contact record will be created automatically ("ldap_enable_auto" option).

    3. Contacts may be updated with details from EEM by running "ldap_sync".

    4. When editing a contact in Service Desk, it is now possible to use the "Merge Ldap" button to update the individual contact with data from EEM
    ----
    To answer your questions:
    a) No. If the EEM is not available nobody is able to login.
    b) All local users have their own password setup, when you create the users. That the local password.

    ------------------------------
    Senior Consultant
    SolvIT Networks
    ------------------------------