Netcool/Security Manager Administration Guide 1.2 - e IBM Tivoli ...

frontmatter.fm February 9, 2005 

Netcool®/Security ManagerTM 1.2 

Administration Guide

© 2005 Micromuse Inc., Micromuse Ltd. 

All rights reserved. No part of this work may be reproduced in any form or by any 

person without prior written permission of the copyright owner. This document is 

proprietary and confidential to Micromuse, and is subject to a confidentiality 

agreement, as well as applicable common and statutory law. 

Micromuse Disclaimer of Warranty and Statement of Limited Liability 

Micromuse provides this document "as is", without warranty of any kind, either 

express or implied, including, but not limited to, the implied warranties of 

merchantability, fitness for a particular purpose or non-infringement. This 

document may contain technical inaccuracies or typographical errors. Micromuse 

may make improvements and changes to the programs described in this document 

or this document at any time without notice. Micromuse assumes no responsibility 

for the use of the programs or this document except as expressly set forth in the 

applicable Micromuse agreement(s) and subject to terms and conditions set forth 

therein. Micromuse does not warrant that the functions contained in the programs 

will meet your requirements, or that the operation of the programs will be 

uninterrupted or error-free. Micromuse shall not be liable for any indirect, 

consequential or incidental damages arising out of the use or the ability to use the 

programs or this document. 

Micromuse specifically disclaims any express or implied warranty of fitness for high 

risk activities. 

Micromuse programs and this document are not certified for fault tolerance, and 

are not designed, manufactured or intended for use or resale as on-line control 

equipment in hazardous environments requiring fail-safe performance, such as in 

the operation of nuclear facilities, aircraft navigation or communication systems, 

air traffic control, direct life support machines, or weapons systems ("High Risk 

Activities") in which the failure of programs could lead directly to death, personal 

injury, or severe physical or environmental damage. 

Compliance with Applicable Laws; Export Control Laws 

Use of Micromuse programs and documents is governed by all applicable federal, 

state and local laws. All information therein is subject to U.S. export control laws 

and may also be subject to the laws of the country where you reside. 

All Micromuse programs and documents are commercial in nature. Use, 

duplication or disclosure by the United States Government is subject to the 

restrictions set forth in DFARS 252.227-7015 and FAR 52.227-19. 

Trademarks and Acknowledgements 

Micromuse and Netcool are registered trademarks of Micromuse. 

Other Micromuse trademarks include but are not limited to: Netcool/OMNIbus, 

Netcool/OMNIbus for Voice Networks, Netcool/Reporter, Netcool/Internet 

Service Monitors, Netcool/ISM, Netcool/ISM Global Perspective, Netcool/NT 

Service Monitors, Netcool/Wireless Service Monitors, Netcool/WSM, 

Netcool/Usage Service Monitors, Netcool/USM, Netcool/Telco Service 

Monitors, Netcool/TSM, Netcool/Fusion, Netcool/Data Center Monitors, 

Netcool DCM, Netcool/Impact, Netcool/Visionary, Netcool/Precision, Netcool 

Probes & Monitors, Netcool Desktops, Netcool Gateways, Netcool Impact/Data 

Source Adaptors, Netcool EventList, Netcool Map, Netcool Virtual Operator, 

Netcool/Precision for IP Networks, Netcool/Precision for Transmission 

Networks, Netcool/Firewall, Netcool/Wave, Netcool/Webtop, Netcool TopoViz, 

Netcool/SM Operations, Netcool/SM Configuration, Netcool/OpCenter, 

Netcool/System Service Monitors, Netcool/SSM, Netcool/Application Service 

Monitors, Netcool/ASM, Netcool/ISM WAM, Netcool/SM Reporter, Netcool 

for Asset Management, Netcool/Realtime Active Dashboards, 

Netcool/Dashboards, Netcool/RAD, Netcool for Voice over IP, Netcool for 

Security Management, Netcool Security Manager, Netcool/Portal 2.0 Premium 

Edition, Netcool ObjectServer, Netcool/RAD, Netcool/Software Developers Kit, 

Micromuse Alliance Program, Micromuse Channel Partner, Authorized Netcool 

Reseller, Netcool Ready, Netcool Solutions, Netcool Certified, Netcool Certified 

Consultant, Netcool Certified Trainer, Netcool CCAI Methodology, Micromuse 

University, Microcorrelation, Acronym, Micromuse Design, Integration Module 

for Netcool, The Netcool Company, VISIONETCOOL, and Network Slice. 

Micromuse acknowledges the use of I/O Concepts Inc. X-Direct 3270 terminal 

emulators and hardware components and documentation in Netcool/Fusion. 

X-Direct ©1989-1999 I/O Concepts Inc. X-Direct and Win-Direct are 

trademarks of I/O Concepts Inc. 

Netcool/Fusion contains IBM Runtime Environment for AIX®, Java 

Technology Edition Runtime Modules © Copyright IBM Corporation 1999. All 

rights reserved. 

Micromuse acknowledges the use of MySQL in Netcool/Precision for IP 

Networks. Copyright © 1995, 1996 TcX AB & Monty Program KB & Detron 

HB Stockholm SWEDEN, Helsingfors FINLAND and Uppsala SWEDEN. All 

rights reserved. 

Micromuse acknowledges the use of the UCD SNMP Library Netcool/ISM. 

Copyright © 1989, 1991, 1992 by Carnegie Mellon University. Derivative Work 

- Copyright © 1996, 1998, 1999, 2000 The Regents of the University of 

California. All rights reserved. 

Portions of the Netcool/ISM code are copyright ©2001, Cambridge Broadband 

Ltd. All rights reserved. 

Portions of the Netcool/ISM code are copyright © 2001, Networks Associates 

Technology, Inc. All rights reserved. 

Micromuse acknowledges the use of Viador Inc. software and documentation for 

Netcool/Reporter. Viador © 1997-1999 is a trademark of Viador Inc. 

Micromuse acknowledges the use of software developed by the Apache Group for 

use in the Apache HTTP server project. Copyright © 1995-1999 The Apache 

Group. Apache Server is a trademark of the Apache Software Foundation 

(http://www.apache.org/). All rights reserved. 

Micromuse acknowledges the use of software developed by Edge Technologies, 

Inc. 2003 Edge Technologies, Inc. and Edge enPortal are trademarks or registered 

trademarks of Edge Technologies Inc. All rights reserved. 

Micromuse acknowledges the use of Merant drivers. Copyright © MERANT 

Solutions Inc., 1991-1998. 

The following product names are trademarks of Tivoli Systems or IBM 

Corporation: AIX, IBM, OS/2, RISC System/6000, Tivoli Management 

Environment, and TME10. 

IBM, NetView/6000, Domino, Lotus, Lotus Notes, and WebSphere are either 

trademarks or registered trademarks of IBM Corporation. VTAM is a trademark 

of IBM Corporation. 

Omegamon is a trademark of Candle Corporation. 

Netspy is a trademark of Computer Associates International Inc. 

The Sun logo, Sun Microsystems, SunOS, Solaris, SunNet Manager, Java are 

trademarks of Sun Microsystems Inc. 

SPARC is a registered trademark of SPARC International Inc. Programs bearing 

the SPARC trademark are based on an architecture developed by Sun 

Microsystems Inc. SPARCstation is a trademark of SPARC International Inc., 

licensed exclusively to Sun Microsystems Inc. 

UNIX is a registered trademark of the X/Open Company Ltd. 

Sybase is a registered trademark of Sybase Inc. Adaptive Server is a trademark of 

Sybase Inc. 

Action Request System and Remedy are registered trademarks of Remedy 

Corporation. 

Peregrine System and ServiceCenter are registered trademarks of Peregrine Systems 

Inc. 

HP, HP-UX and OpenView are trademarks of Hewlett-Packard Company. 

InstallShield is a registered trademark of InstallShield Software Corporation. 

Microsoft, Windows 95/98/Me/NT/2000/XP are either registered trademarks or 

trademarks of Microsoft Corporation.

Microsoft Internet Information Server/Services (IIS), Microsoft Exchange Server, 

Microsoft SQL Server, Microsoft perfmon and Microsoft Cluster Service are 

registered trademarks of Microsoft Corporation. 

BEA and WebLogic are registered trademarks of BEA Systems Inc. 

FireWall-1 is a registered trademark of Check Point Software Technologies Ltd. 

Netscape and Netscape Navigator are registered trademarks of Netscape 

Communications Corporation in the United States and other countries. 

Netscape's logos and Netscape product and service names are also trademarks of 

Netscape Communications Corporation, which may be registered in other 

countries. 

Micromuse acknowledges the use of Xpm tool kit components. 

SentinelLM is a trademark of Rainbow Technologies Inc. 

GLOBEtrotter and FLEXlm are registered trademarks of Globetrotter Software 

Inc. 

Red Hat, the Red Hat "Shadow Man" logo, RPM, Maximum RPM, the RPM 

logo, Linux Library, PowerTools, Linux Undercover, RHmember, RHmember 

More, Rough Cuts, Rawhide and all Red Hat-based trademarks and logos are 

trademarks or registered trademarks of Red Hat Inc. in the United States and other 

countries. 

Linux is a registered trademark of Linus Torvalds. 

Nokia is a registered trademark of Nokia Corporation. 

WAP Forum and all trademarks, service marks and logos based on these 

designations (Trademarks) are marks of Wireless Application Protocol Forum Ltd. 

Micromuse acknowledges the use of InstallAnywhere software in Netcool/WAP 

Service Monitors. Copyright © Zero G Software Inc. 

Orbix is a registered trademark of IONA Technologies PLC. Orbix 2000 is a 

trademark of IONA Technologies PLC. 

Micromuse acknowledges the use of Graph Layout Toolkit in Netcool/ Precision 

for IP Networks. Copyright © 1992 - 2001, Tom Sawyer Software, Berkeley, 

California. All rights reserved. 

Portions of Netcool/Precision for IP Networks are © TIBCO Software, Inc. 

1994-2003. All rights reserved. TIB and TIB/Rendezvous are trademarks of 

TIBCO Software, Inc. 

Portions of Netcool/Precision for IP Networks are Copyright © 1996-2003, 

Daniel Stenberg, . 

Micromuse acknowledges the use of Digital X11 in Netcool/Precision for IP 

Networks. Copyright 1987, 1988 by Digital Equipment Corporation, Maynard, 

Massachusetts, All Rights Reserved. DIGITAL DISCLAIMS ALL 

WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL 

IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN 

NO EVENT SHALL DIGITAL BE LIABLE FOR ANY SPECIAL, INDIRECT 

OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER 

RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN 

AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS 

ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 

PERFORMANCE OF THIS SOFTWARE. 

Netcool/SM Operations, Netcool/SM Configuration and Netcool/OpCenter 

include software developed by the OpenSSL Project for use in the OpenSSL 

Toolkit (http://www.openssl.org/). 

Micromuse acknowledges the use of software developed by ObjectPlanet. ©2003 

ObjectPlanet, Inc, Ovre Slottsgate, 0157 Oslo, Norway. 

Micromuse acknowledges the use of Expat in Netcool/ASM. Copyright 1998, 

1999, 2000 Thai Open Source Software Center Ltd and Clark Cooper. Copyright 

2001, 2002 Expat maintainers. THE EXPAT SOFTWARE IS PROVIDED 

HEREUNDER "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 

OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES 

OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 

NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 

COPYRIGHT HOLDERS OF THE EXPAT SOFTWARE BE LIABLE FOR 

ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 

ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 

OUT OF OR IN CONNECTION WITH THE EXPAT SOFTWARE OR 

THE USE OR OTHER DEALINGS IN THE SOFTWARE. Expat explicitly 

grants its permission to any person obtaining a copy of any Expat software and 

associated documentation files (the "Expat Software") to deal in the Expat 

Software without restriction, including without limitation the rights to use, copy, 

modify, merge, publish, distribute, sublicense, and/or sell copies of the Expat 

Software. Expat's permission is subject to the following conditions: The above 

copyright notice and this permission notice shall be included in all copies or 

substantial portions of the Expat Software. Except as set forth hereunder, all 

software provided by Micromuse hereunder is subject to the applicable license 

agreement. 

Micromuse acknowledges that Netcool Security Manager includes Hypersonic 

SQL. Copyright (c) 2001-2002, The HSQL Development Group. All rights 

reserved. 

JABBER® is a registered trademark and its use is granted under a sublicense from 

the Jabber Software Foundation. 

Micromuse acknowledges the use of MySQL in Netcool/Precision for IP 

Networks and in Netcool/Precision for Transmission Networks. Copyright © 

1995, 1996 TcX AB & Monty Program KB & Detron. 

Micromuse acknowledges the use of Cryptix in Netcool/Precision IP. Copyright 

(c) 1995-2004 The Cryptix Foundation Limited. All rights reserved. 

Redistribution and use in source and binary forms, with or without modification, 

are permitted provided that the following conditions are met: 

1. Redistributions of source code must retain the copyright notice, this list of 

conditions and the following disclaimer. 

2. Redistributions in binary form must reproduce the above copyright notice, this 

list of conditions and the following disclaimer in the documentation and/or other 

materials provided with the distribution. 

THIS SOFTWARE IS PROVIDED BY THE CRYPTIX FOUNDATION 

LIMITED AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR 

IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 

IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 

PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 

CRYPTIX FOUNDATION LIMITED OR CONTRIBUTORS BE LIABLE 

FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, 

OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 

TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 

OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 

HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 

WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 

(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 

OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 

POSSIBILITY OF SUCH DAMAGE. 

All other trademarks, registered trademarks and logos are the property of their 

respective owners. 

Micromuse Inc., 139 Townsend Street, San Francisco, USA CA 94107 

www.micromuse.com 

Document Version Number: 1.1 - February 2005

Contents 

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 

Audience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 

About the Netcool/Security Manager 1.2 Administration Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 

Associated Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 

Netcool/Security Manager Online Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 

Netcool/Security Manager Release Notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 

Typographical Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 

Note, Tip, and Warning Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 

Syntax and Example Subheadings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 

Operating System Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 

Chapter 1: Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 

Contents 

About the Netcool Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 

What Is the Security Manager? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 

How Do I Set Up the Security Manager?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 

How Do I License the Security Manager? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 

How Do I Run the Security Manager?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 

Can I Run the Security Manager Under Process Control? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 

How Do I Administer the Security Manager? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 

System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 

Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 

Java Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 

ObjectServer Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 

License Server Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 

Web Browser Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 

Hardware Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 

Exceed Limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 

Netcool/Security Manager 1.2 Administration Guide i

Contents 

ii 

Security Manager Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 

Security Manager Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 

Security Manager Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 

Authentication Architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 

Authentication Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 

Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 

Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 

Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 

Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 

Authentication Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 

ObjectServer Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 

NIS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 

LDAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 

Native Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 

Chapter 2: Setting Up the Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 

Installing the Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 

Running the Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 

Setting the NCSM_HOME Environment Variable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 

Synchronizing Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 

Reading the Installation Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 

Licensing the Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 

Licensing Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 

Configuring Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 

Quorum Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 

Upgrading the Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 

Upgrading on UNIX Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 

Upgrading on Windows Platforms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 

Troubleshooting Installation Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 

ObjectServer Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 

Windows User Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 

Netcool/Security Manager 1.2 Administration Guide

Contents 

Chapter 3: Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 

Running the Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 

Starting the Security Manager on UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 

Stopping the Security Manager on UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 

Viewing the Security Manager Status on UNIX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 

Starting the Security Manager on Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 

Stopping the Security Manager on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 

Logging into the Security Manager GUI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 

The Security Manager GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 

Navigation Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 

Main Work Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 

Chapter 4: Working with Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 

About Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 

Viewing Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 

Creating Domains. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 

Editing Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 

Deleting Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 

Chapter 5: Working with Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 

About Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 

Viewing Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 

Creating Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 

Creating Users Automatically. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 

Synchronizing Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 

Manually Creating Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 

Editing Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 

Deleting Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 

Netcool/Security Manager 1.2 Administration Guide iii

Contents 

iv 

Chapter 6: Working with Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 

About Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 

Viewing Roles in a Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 

Adding and Removing User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 

Adding and Removing Group Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 

Chapter 7: Working with Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 

About Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 

Viewing Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 

Creating Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 

Editing Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 

Deleting Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 

Setting Up Default Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 

Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 

Chapter 8: External Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 

Setting Up ObjectServer Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 

Setting Up NIS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 

Installing the NIS Plug-In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 

Configuring the Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 

Editing the Plug-In Properties File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 

Setting Up LDAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 

Installing the LDAP Plug-In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 

Configuring the Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 

Synchronizing Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 


Contents 

Appendix A: Supplementary Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 

Configuring the Refresh Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 

Security Manager Port Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 

Backing Up the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 

Restoring the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 

Security Manager Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 

Setting Up Security Manager Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 

Running the Security Manager in a Failover Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 

SSL and the Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 

Setting Up SSL Between the Security Manager and Netcool Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 

Setting Up SSL Between the Security Manager and an LDAP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 

Contact Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 

Netcool/Security Manager 1.2 Administration Guide v

Contents 

vi 


Preface.fm February 9, 2005 

Preface 

This guide describes how to install, administer, and use Netcool/Security Manager. The following chapters 

and appendices describe each functional area, and task-oriented examples are provided to assist users and 

administrators in configuring and using the application. 

This preface contains the following sections: 

• Audience on page 2 

About the Netcool/Security Manager 1.2 Administration Guide on page 3 

Associated Publications on page 4 

Typographical Notation on page 5 

Operating System Considerations on page 8 

Netcool/Security Manager 1.2 Administration Guide 1

Preface 

Audience 

2 

This guide is intended for administrators who are responsible for setting up and running Netcool/Impact, 

Netcool/RAD, and other applications that use the Netcool Security Manager. 


Netcool/Security Manager 1.2 Administration Guide 

About the Netcool/Security Manager 1.2 Administration Guide 

About the Netcool/Security Manager 1.2 Administration Guide 

This book is organized as follows: 

Chapter 1: Introduction on page 9. This chapter contains overview information about the Netcool 

Security Manager. 

Chapter 2: Setting Up the Security Manager on page 21. This chapter contains instructions on setting 

up the Security Manager, including installing and licensing the Security Manager and 

troubleshooting the installation. 

Chapter 3: Getting Started on page 35. This chapter contains instructions on getting started with the 

Netcool Security Manager, including starting and stopping it and using the GUI. 

Chapter 4: Working with Domains on page 47. This chapter contains instructions on working with 

domains, including viewing, creating, editing, and deleting them. 

Chapter 5: Working with Users on page 55. This chapter contains instructions on working with users, 

including viewing, creating, editing, and deleting them. 

Chapter 7: Working with Groups on page 73. This chapter contains instructions on working with 

groups, including viewing, creating, editing, and deleting them. It also explains how to set up default 

groups. 

Chapter 6: Working with Roles on page 67. This chapter contains instructions on working with roles, 

including viewing them and assigning them to users and groups. 

Chapter 8: External Authentication on page 83. This chapter contains instructions on setting up 

external authentication. 

Appendix A: Supplementary Information on page 93. This appendix contains supplementary 

information about the Netcool Security Manager, including information about setting refresh 

intervals, port usage, failover, and backing up the database. 

3

Preface 

Associated Publications 

4 

Netcool Security Manager 1.2 provides the following additional documentation: 

Netcool Security Manager Online Help 

Netcool Security Manager Release Notes 

Netcool/Security Manager Online Help 

This online help system provides information on using the Security Manager GUI. It contains conceptual 

information about the software and instructions on working with domains, roles, users, and groups. It also 

contains information on setting up external authentication. 

Netcool/Security Manager Release Notes 

This guide contains information on new and updated features in this release of the Security Manager. It also 

contains information on known issues with the product. 


Typographical Notation 



Table 1 shows the typographical notation and conventions used to describe commands, SQL syntax, and 

graphical user interface (GUI) features. This notation is used throughout this book and other Netcool ® 

publications. 

Table 1: Typographical Notation and Conventions (1 of 2) 

Example Description 

Monospace The following are described in a monospace font: 

Commands and command line options 

Screen representations 

Source code 

Object names 

Program names 

SQL syntax elements 

File, path, and directory names 

Italicized monospace text indicates a variable that the user must populate. For example, -password 

password. 

Bold The following application characteristics are described in a bold font style: 

Buttons 

Frames 

Text fields 

Menu entries 

A bold arrow symbol indicates a menu entry selection. For example, File→Save. 

Italic The following are described in an italic font style: 

An application window name; for example, the Login window 

Information that the user must enter 

The introduction of a new term or definition 

Emphasized text 

5

Preface 

6 

Table 1: Typographical Notation and Conventions (2 of 2) 

Example Description 

[1] Code or command examples are occasionally prefixed with a line number in square brackets. For 

example: 

[1] First command... 

[2] Second command... 

[3] Third command... 

{ a | b } In SQL syntax notation, curly brackets enclose two or more required alternative choices, separated by 

vertical bars. 

[ ] In SQL syntax notation, square brackets indicate an optional element or clause. Multiple elements or 

clauses are separated by vertical bars. 

| In SQL syntax notation, vertical bars separate two or more alternative syntax elements. 

... In SQL syntax notation, ellipses indicate that the preceding element can be repeated. The repetition is 

unlimited unless otherwise indicated. 

,... In SQL syntax notation, ellipses preceded by a comma indicate that the preceding element can be 

repeated, with each repeated element separated from the last by a comma. The repetition is unlimited 

unless otherwise indicated. 

a In SQL syntax notation, an underlined element indicates a default option. 

( ) In SQL syntax notation, parentheses appearing within the statement syntax are part of the syntax and 

should be typed as shown unless otherwise indicated. 

Many Netcool commands have one or more command line options that can be specified following a hyphen 

(-). 

Command line options can be string, integer, or BOOLEAN types: 

A string can contain alphanumeric characters. If the string has spaces in it, enclose it in quotation 

(") marks. 

An integer must contain a positive whole number or zero (0). 

A BOOLEAN must be set to TRUE or FALSE. 

SQL keywords are not case-sensitive, and may appear in uppercase, lowercase, or mixed case. Names of 

ObjectServer objects and identifiers are case-sensitive. 

Note, Tip, and Warning Information 

The following types of information boxes are used in the documentation: 


! 



Note: Note is used for extra information about the feature or operation that is being described. Essentially, 

this is for extra data that is important but not vital to the user. 

Tip: Tip is used for additional information that might be useful for the user. For example, when describing 

an installation process, there might be a shortcut that could be used instead of following the standard 

installation instructions. 

Warning: Warning is used for highlighting vital instructions, cautions, or critical information. Pay close 

attention to warnings, as they contain information that is vital to the successful use of our products. 

Syntax and Example Subheadings 

The following types of constrained subheading are used in the documentation: 

Syntax 

Syntax subheadings contain examples of ObjectServer SQL syntax commands and their usage. For example: 

CREATE DATABASE database_name; 

Example 

Example subheadings describe typical or generic scenarios, or samples of code. For example: 

[1] 

[2] 

[6] 

7

Preface 

Operating System Considerations 

8 

All command line formats and examples are for the standard UNIX shell. UNIX is case-sensitive. You must 

type commands in the case shown in the book. 

Unless otherwise specified, command files are located in the $OMNIHOME/bin directory, where 

$OMNIHOME is the UNIX environment variable that contains the path to the Netcool/Security Manager 

home directory. 

On Microsoft Windows platforms, replace $OMNIHOME with %OMNIHOME% and the forward slash (/) 

with a backward slash (\). 


01_Introduction.fm February 9, 2005 5:21 pm 

Chapter 1: Introduction 

This chapter contains an introduction to the Netcool Security Manager 1.2. 

It contains the following sections: 

About the Netcool Security Manager on page 10 

System Requirements on page 13 

Security Manager Components on page 15 

Authentication Architecture on page 16 

Authentication Model on page 17 

Authentication Types on page 19 



1.1 About the Netcool Security Manager 

This section contains overview information about the Netcool Security Manager. 

It contains the following topics: 

What Is the Security Manager? 

How Do I Set Up the Security Manager? 

How Do I License the Security Manager? 

How Do I Run the Security Manager? 

Can I Run the Security Manager Under Process Control? 

How Do I Administer the Security Manager? 

What Is the Security Manager? 

The Netcool Security Manager is a standalone server component that provides user authentication for 

applications such as Netcool/Impact and Netcool/RAD. You must install and configure the Security 

Manager before you install these applications. This version of the Security Manager is compatible with 

Netcool/Impact 3.1 and Netcool/RAD 2.0. 

The Security Manager consists of two sub-components: the Security Manager server and the Security 

Manager database. The server provides the core functionality for the authentication system. The database 

stores users and other information used by the server. For more information, see Security Manager 

Components on page 15. 

The Security Manager provides an authentication model that consists of users, groups, roles, and domains. 

This model allows you to control the access that each user, or group of users, has over different features of 

different software products. For more information on the authentication model, see Authentication Model 

on page 17. 

The Security Manager allows you to use native authentication, in which account information is stored 

locally in the Security Manager database, or to use account information already defined in a 

Netcool/OMNIbus ObjectServer, a Network Information Service (NIS), or an LDAP directory. For more 

information, see Authentication Types on page 19. 

How Do I Set Up the Security Manager? 

Before you set up the Security Manager, you must first obtain the installation files from the Micromuse 

Product CD-ROM or as a download from the Micromuse Support Site. The installation files include the 

Security Manager installer and a README file. 

10 Netcool/Security Manager 1.2 Administration Guide

About the Netcool Security Manager 

To install the Security Manager, you run the installer program and follow the on-screen prompts. The 

installer sets all of the required configuration properties. On UNIX platforms, you must set the required 

environment variables after installation. The installer creates an installation log that you can view to see if 

the process completed successfully. 

After you have installed the Security Manager, you can change the configuration at any time by manually 

editing its properties files. 

For more information, see Installing the Security Manager on page 22. 

How Do I License the Security Manager? 

The Security Manager requires a Security Manager server license. The license server code for the server is 

cro_ncsm_server. Unlike version 1.0, this version of the Security Manager does not require DSA 

licenses for the ObjectServer or LDAP authentication. 

You must obtain the required license and install it in your license server before running the Security 

Manager. When you install the Security Manager, you specify the host and port for this license server. 

For more information, see Licensing the Security Manager on page 26. 

How Do I Run the Security Manager? 

On UNIX platforms, the Security Manager provides a set of administration scripts that you can use to start 

and stop the Security Manager server. On Windows platforms, you start and stop the Security Manager 

using the Windows services administration tools. For more information, see Running the Security Manager 

on page 36. 

Can I Run the Security Manager Under Process Control? 

You can run the Security Manager under process control with no special considerations. The Security 

Manager runs as a “non-pa aware” application. Previous versions of the security manager required you to 

take additional steps in starting and stopping the Security Manager database, which was a specially 

customized version of PostgreSQL. These steps are no longer necessary. You can run the Security Manager 

under process control in the same way you run any other application. 



How Do I Administer the Security Manager? 

The Security Manager provides a web-based GUI that you can use to perform all of the required 

administration tasks. When used with Netcool/RAD, this GUI runs in standalone mode. When used with 

Netcool/Impact, it runs as an application instance in the Netcool GUI Server. The Security Manager GUI 

allows you to manage all aspects of user authentication. 

For more information, see The Security Manager GUI on page 39. 


1.2 System Requirements 

System Requirements 

Make sure that the target system fulfills the following requirements before installing the Netcool Security 

Manager. 

Operating Systems 

The Security Manager is supported on the following operating systems: 

Sun Microsystems Solaris 7, 8, and 9 

Red Hat Linux 9.0 and Enterprise Server 3.0 

Microsoft Windows 2000 Server, Windows XP and Windows 2003 Server 

IBM AIX 5L (5.1 and 5.2) 

Hewlett-Packard HP-UX 11.11 

Note: If you intend to install the Security Manager on a Linux platform, Micromuse recommends that you 

use Red Hat Enterprise Server 3.0. Red Hat no longer officially supports version 9.0. 

Java Support 

The Security Manager uses version 1.4.2 of the Java Runtime Environment (JRE). The JRE is installed 

automatically when you install the Security Manager. You do not need to install the JRE separately or 

configure the Security Manager to use the appropriate JRE installation. 

ObjectServer Support 

The Security Manager requires an instance of the Netcool/OMNIbus ObjectServer. The Security Manager 

is compatible with versions 3.5, 3.6, and v7. 

License Server Support 

The Security Manager is compatible with the Netcool Common License Server version 1.0b21 and later. 



Web Browser Support 

The Netcool/Impact GUI runs on the following web browsers: 

Microsoft Internet Explorer 5.5 and later 

Netscape 6 and later 

Mozilla 1.7 and later 

Hardware Support 

Hardware requirements for the Security Manager vary depending on your environment. For 

recommendations on hardware sizing for the Security Manager, contact your Micromuse account manager 

or Micromuse Technical Support. 

Exceed Limitations 

Micromuse does not recommend the use of Hummingbird Exceed with the Netcool Security Manager 

installer program. Under some conditions, the license agreement text displayed by the installer program is 

not legible when viewed inside Exceed. You must read the full text of the license agreement and accept the 

terms of the agreement before installing this software. 


1.3 Security Manager Components 

The Netcool Security Manager consists of the following sub-components: 

Security Manager server 

Security Manager database 

Security Manager Server 

Security Manager Components 

The Security Manager server provides the core functionality for the authentication system. During runtime, 

it performs authentication for Netcool applications using account information stored in the Security 

Manager database. It also serves the Security Manager GUI, which is a web-based GUI that you can use to 

manage users, groups, roles, and domains. 

On UNIX platforms, the Security Manager server is a runnable application that you start and stop from the 

command line using the server administration scripts. On Windows platforms, the server is a Windows 

service named Netcool Security Manager that you start and stop using the Windows Services 

Administration tools. 

Security Manager Database 

The Security Manager database stores users and other information used by the Security Manager server. The 

database is an embedded instance of Hypersonic SQL that has been customized and prepared for use with 

the Security Manager. The Security Manager uses Hypersonic SQL 1.7.2. 

You do not need to install this database separately or start or stop it independently of the Security Manager 

server. For more information on Hypersonic SQL, see the software home page at 

http://hsqldb.sourceforge.net/. 

Unlike previous versions, the Security Manager does not use an instance of the PostgreSQL database. 



1.4 Authentication Architecture 

The following figure shows the relationship between Netcool applications, the Netcool Security Manager 

and authentication sources. 

Netcool Applications Authentication 

Sources 

Netcool/ 

RAD 


Impact 

Other 

Netcool 

Applications 

Figure 1: Authentication Architecture 

Netcool Security 

Manager 

Security 


Server 

Security 


Database 


OMNIbus 

ObjectServer 

NIS 

Server 

LDAP 

Directory 

Server 


1.5 Authentication Model 

Domains 

Users 

Groups 

The Netcool Security Manager authentication model consists of the following components: 

Domains 

Users 

Groups 

Roles 

Authentication Model 

Domains are sets of users and groups that represent a product or collection of products that share the same 

real-world users and access privileges. 

You can use the Security Manager GUI to view, create, edit, and delete domains. All Micromuse products 

use a domain named Micromuse Netcool Applications. You do not need to create a new 

domain for use with Netcool/Security Manager or other products in the Netcool suite. 

Users are real-world users in your environment. You should create one user for each real-world user that 

requires access to a domain protected by the Netcool Security Manager. 

The Security Manager provides three default users, root, admin, and guest, that you can use to 

perform initial setup tasks. The admin user is a native authentication user with administration privileges 

for the Security Manager. The root user is an ObjectServer authentication user that also has administration 

privileges. The password for the admin user is an empty string. The password for the root user is defined 

in the ObjectServer. 

You can use the Security Manager GUI to view, create, edit, and delete native authentication users. External 

authentication users are automatically imported into the Security Manager database the first time users log 

in. 

Groups are real-world groups of users that share the same set of access privileges. You can create custom 

groups or use the default groups provided by the Security Manager. Some applications, such as 

Netcool/Impact and Netcool/RAD, create custom groups and add them to the Security Manager database. 

Possible examples of custom groups are Administrators, Operators and Remote_Users. 

You can use the Security Manager GUI to view, create, edit, and delete groups. 



Roles 

The following table shows the default groups provided by the Security Manager: 

Table 2: Netcool Security Manager Default Groups 

Group Name Description 

All Domain Users Virtual group that contains all users in a particular domain. 

Administrator Group for users who require read and write access to Security Manager domains, 

users, and groups. 

ReadOnlyUser Sample user group that demonstrates users, groups, and roles. 

Roles are sets of access privileges that can be assigned to a user or a group. Roles are installed automatically 

by applications that use the Security Manager, such as Netcool/Impact and Netcool/RAD. Unlike users and 

groups, roles are independent of domains. You can use a single role across more than one domain, if 

necessary. You cannot create, edit or delete roles using the Security Manager GUI. 


1.6 Authentication Types 

The Netcool Security Manager supports the following authentication types: 

ObjectServer authentication 

NIS authentication 

LDAP authentication 

Native authentication 

Authentication Types 

Version 1.0 of the Security Manager only allowed you to use a single type of external authentication 

(ObjectServer, NIS, or LDAP) at one time. This version allows you to use multiple types simultaneously. 

ObjectServer Authentication 

ObjectServer authentication is a scheme in which users and groups are stored in a Netcool/OMNIbus 

ObjectServer. This information is accessed in real time from the ObjectServer when the Security Manager 

authenticates a user. The Security Manager supports ObjectServer versions 3.4, 3.4.1, 3.5, 3.6, and v7. 

You can use ObjectServer authentication immediately upon installation of the Security Manager. No 

additional configuration is required. 

Note: In this version of the Security Manager, ObjectServer authentication is the default authentication 

scheme. In version 1.0, native authentication was the default. You are required to configure the Security 

Manager to work with an existing ObjectServer at installation. 

NIS Authentication 

NIS authentication is a scheme in which users and groups are derived from user information defined in a 

Network Information Service (NIS). This information is accessed in real time from the NIS when the 

Security Manager authenticates a user. The Security Manager supports NIS version 2. NIS+ is not 

supported. 

For more information, see Setting Up NIS Authentication on page 85. 



LDAP Authentication 

LDAP authentication is a scheme in which users and groups are stored in an Lightweight Directory Access 

Protocol (LDAP) server. This information is accessed in real time from the LDAP authentication source 

when the Security Manager authenticates a user. The Security Manager supports versions 2 and 3 of the 

LDAP protocol. 

For more information, see Setting Up LDAP Authentication on page 89. 

Native Authentication 

Native authentication is a scheme in which users are created and stored in the Security Manager database. 

Native authentication does not require an external authentication source, such as NIS or a 

Netcool/OMNIbus ObjectServer, in order to manage users and access permissions. 


02_Setting_Up.fm February 9, 2005 5:21 pm 

Chapter 2: Setting Up the Security Manager 

This chapter contains instructions on setting up the Security Manager. 


Installing the Security Manager on page 22 

Licensing the Security Manager on page 26 

Upgrading the Security Manager on page 28 

Troubleshooting Installation Problems on page 33 



2.1 Installing the Security Manager 

To install the Security Manager, you do the following: 

Run the Security Manager installer 

Set the NCSM_HOME environment variable (UNIX only) 

Synchronize users (optional) 

After you have finished installing the Security Manager, you can read the installation log to verify that the 

software has been installed correctly, or to troubleshoot installation errors. 

Running the Installer 

The Security Manager installer copies the program files to the target system and sets the minimum required 

configuration properties. 

Note: You can run the Security Manager GUI as an application instance in the Netcool GUI Server or in 

standalone mode. If you want to run the GUI as an application instance in the GUI server, you must answer 

Yes when asked by the installer if you want to use an application registry. You must also provide the 

hostname of the system where the GUI server is installed and other configuration information related to the 

GUI server application registry. If you want to run the GUI in standalone mode, answer, No when asked by 

the installer about the application registry. 

The Security Manager installer prompts you for the following information: 

Table 3: Netcool Security Manager Installation Prompts (1 of 2) 

Prompt Description 

Installation directory Directory where you want to install the Security Manager. The default is 

/opt/netcool/security on UNIX platforms and 

C:\Program Files\Netcool\Security on Windows. 

HTTP listener port Port used by the Security Manager when listening to SOAP calls from the Netcool 

GUI Server. The default is 8077. This is the same port number you specify when 

you install the GUI Server. 

Server port Port used by the Security Manager server. The default is 1275. 

Database port Port used by the Security Manager database. The default is 5600. 

ObjectServer host Name of the system where the ObjectServer used for authentication is running. The 

local system is the default. 


Table 3: Netcool Security Manager Installation Prompts (2 of 2) 


ObjectServer port Port used by the ObjectServer. The default is 4100. 

Running the Installer on UNIX Platforms 

Installing the Security Manager 

ObjectServer user Default ObjectServer user. The Security Manager uses this user to perform queries 

on the ObjectServer. Default is root. 

ObjectServer password Password for the ObjectServer user. 

Use application registry? If you want to run the Security Manager GUI as an application instance in the 

Netcool GUI Server, answer yes. 

Registry name Name used to identify the Security Manager in the application registry. 

Registry host Hostname or IP address of the system where the application registry is located. In 

most cases, this is the system where the Netcool GUI Server is installed. 

Registry port Port used by the application registry. The default is 8080. 

Registry location Path where the application registry is located. If you are using the application 

registry that is installed with the Netcool GUI server, the default is 

/registry/services. 

Registry username Name of the registry administration user. If you are using the application registry 

that is installed with the Netcool GUI server, the default is admin. 

Registry password Password for the registry admin user. If you are using the application registry that is 

installed with the Netcool GUI server, the default is netcool. 

License server host Hostname or IP address of the license server to be used by the Security Manager. 

Default is localhost. 

License server port Port of the license server to be used by the Security Manager. The default is 27000. 

On UNIX platforms, the installer is named security.bin and is located in the arch/VM directory of 

the Security Manager tar file, where arch is the name of the operating system. 

You can run the installer in GUI mode or in console mode. In GUI mode, the installer presents a series of 

graphical dialog boxes that guide you through the installation process. In console mode, the installer 

prompts you for required information from the command line. If you are installing the Security Manager 

remotely using telnet or another command line application, you must run the installer in console mode. 



Note: Micromuse recommends that you run the installer in console mode on versions of Linux other than 

Red Hat 9. Some default configurations of Linux do not have the operating system packages required to 

support a GUI mode installation. 

You cannot run the installer as user root. You can run the installer as any other user that has read, write, 

and execute permissions to the target directory on the system. 

To run the Security Manager installer: 

1. At a command line prompt, change the current directory to the path where the installer is located. 

2. To run the installer in GUI mode, enter the following: 

./security.bin 

To run the installer in console mode, enter the following: 

./security.bin -i console 

3. Follow the on-screen prompts. 

Running the Installer on Windows Platforms 

On Windows platforms, the installer is named security.exe and is located in the root-level directory 

of the Security Manager zip file. The installer presents a series of graphical dialog boxes that guide you 

through the installation process. 

1. Extract the contents of the Security Manager zip file to a temporary directory. 

2. Open the temporary directory in Windows Explorer. 

3. Double-click the security.exe icon to launch the installer. 


Setting the NCSM_HOME Environment Variable 

On UNIX platforms, you must set the NCSM_HOME environment variable to the directory where you 

installed the Security Manager. By default, this directory is 

/opt/netcool/security. 


The following example shows how to set NCSM_HOME using sh or bash: 

NCSM_HOME=/opt/netcool/security; export NCSM_HOME 

The following example shows how to set NCSM_HOME using csh: 

setenv NCSM_HOME /opt/netcool/security 

Synchronizing Users 

Installing the Security Manager 

The Security Manager provides a script that you can use to synchronize users between the ObjectServer (or 

any other external authentication source) and the Security Manager database. 

You can run this tool after installation in order to import external users and perform initial setup tasks that 

you require, such as assigning user roles and organizing users by groups. Using the synchronization script is 

an optional step. 

The synchronization script is named ncsm_syncusers and is located in the 

$NCSM_HOME/bin directory. For more information on this script, see Synchronizing Users on page 92. 

Reading the Installation Log 

The Security Manager installation log is named 

Netcool_Security_Manager_Install_Log.log and is located in the $NCSM_HOME 

directory. The installation log contains runtime messages generated during the installation process. You can 

use this log to verify that you have installed the Security Manager successfully. You can also use it to 

troubleshoot installation problems. 



2.2 Licensing the Security Manager 

This section contains information on licensing the Netcool Security Manager. 

It contains information on: 

Licensing requirements 

Configuring licensing 

Quorum licensing 

Licensing Requirements 

The Security Manager requires a Security Manager server license. The license server code for the server is 

cro_ncsm_server. Unlike version 1.0, this version of the Security Manager does not require DSA 

licenses for the ObjectServer, LDAP or PostgreSQL. 

You must obtain the required license and install it in your license server before running the Security 

Manager. When you install the Security Manager, you specify the host and port for this license server. 

Configuring Licensing 

Licensing properties are located in the license properties file. This file is named 

license.props and is located in the $NCSM_HOME/etc directory. The licensing properties are set 

automatically when you install the Security Manager. However, you can manually edit the license properties 

file at any time to change the configuration. If you manually edit the properties file, you must stop and 

restart the Security Manager before the change takes effect. 

The following table shows the license properties for the Security Manager: 

Table 4: Netcool Security Manager License Properties 

Property Description 

license.server.host Hostname or IP address of the license server to be used by the Security Manager. Default 

is localhost. 

license.server.port Port of the license server to be used by the Security Manager. Default is 27000. 

Quorum Licensing 

To use the Security Manager with a quorum licensing configuration, you must manually edit the contents 

of the license properties file so that it contains the hostnames and port numbers of the License Server 

instances. 


To edit the license properties file: 

1. Remove all properties currently defined in the file. This includes the 

impact.license.host and impact.license.port properties. 

2. Add the following property to the file: 

impact.license.server=port@host_01,port@host_02,port@host_03 

Licensing the Security Manager 

where host_01, host_02 and host_03 are the primary, secondary and tertiary instances of the 

License Server and port is the port number used by the servers (by default, 27000). You must specify 

the License Servers in the order that they appear in the license file. 



2.3 Upgrading the Security Manager 

Micromuse provides a set of packages that allow you to upgrade the Security Manager from versions 1.0 and 

1.1 to version 1.2. You must obtain these packages from Micromuse separately from the main Security 

Manager installer. 

Upgrading on UNIX Platforms 

To upgrade the Security Manager on UNIX platforms, follow the instructions below: 

1. Shut down the 1.0 or 1.1 version of the Security Manager server and database. 

2. Install Security Manager 1.2 in a new directory on the target system, following the instructions in 

Installing the Security Manager on page 22. 

Note: Do not overwrite the previous Netcool/Security Manager version. 

3. Log into to Security Manager 1.2 to ensure that it was installed successfully. 

4. Shut down the Security Manager 1.2 server and database. 

5. To set the NCSM_HOME environment variable, follow the instructions in Setting the NCSM_HOME 

Environment Variable on page 24. 

6. Change directories to NCSM_HOME. 


7. Start the Database Manager utility using the following command: 

Upgrading the Security Manager 

$NCSM_HOME/platform//j2re/bin/java -cp lib3p/ncsm3p2004Aug24.jar 

org.hsqldb.util.DatabaseManager -url jdbc:hsqldb:db/security 

Figure 2: Data Manager GUI 

8. Enter the following SQL query in the text box, as shown in Figure 2: 

SHUTDOWN SCRIPT 

9. Click the Execute button. 

10. Select File→Exit from the toolbar to exit the GUI. 

You are now ready to run the upgrade operation. 

1. Obtain the uppgrade tar file from Micromuse and extract its contents to a temporary directory. The 

name of the file is either ncsm10To12Upgrade.tar or ncsm11To12Upgrade.tar. 

2. Using either tsch or csh, run the upgrade script and follow the on-screen prompts. The hame of 

the upgrade script is either upgrade10To12 or upgrade11To12. 

Note: Make sure that no version of Netcool Security Manager is running when you run the upgrade 

script. 



After you upgrade, you can configure your Netcool applications to use the new version of the Security 

Manager, as required. 

Upgrading on Windows Platforms 

To upgrade Security Manager 1.0 or 1.1 to 1.2 on Windows platforms, follow the instructions below: 

1. From the Control Panel, select Administrative Tools→Services. 

2. In the Services window, select the 1.0 or 1.1 version of the Security Manager server and click the 

Shutdown button. Do not shut down the Security Manager Database server at this point. You need 

to back up this database before you install Netcool/Security Manager 1.2. 

3. In NCSM_HOME\platform\win32\pgsql\bin, type the following command to back up 

your database:. 

pg_dump D -a -h localhost -p SMdatabaseport security > 

c:\tempdirectory\backupfilename. 

where: 

– SMdatabaseport is the port used by the Security Manager server. 

– tempdirectory is the directory where you stored your database backup file. 

– backupfilename is the name of your backupfile. 

4. In the Services window, shut down your Security Manager 1.0 or 1.1 database. 

5. Uninstall Netcool Security Manager 1.0 or 1.1. 

6. Install Security Manager 1.2 in a new directory on the target system, following the instructions in 

Running the Installer on Windows Platforms on page 24. 

7. Log on to Security Manager 1.2 to ensure it was installed successfully. 

8. Shut down the Security Manager 1.2 server. 


Upgrading the Security Manager 

9. Change directories to $NCSM_HOME and type the following command to open the Database 

Manager GUI: 

platform\win32\j2re\bin\java -cp lib3p\ncsm3p2004Aug24.jar 

org.hsqldb.util.DatabaseManager -url jdbc:hsqldb:db/security 

Figure 3: Database Manager GUI 

10. Enter the following SQL query in the text box, as shown in Figure 3: 

SHUTDOWN SCRIPT 

11. Click the Execute button. 

12. Select File→Exit from the toolbar to exit the GUI. 

You are now ready to run the upgrade operation. 

1. Obtain the upgrade zip file from Micromuse and extract its contents to a temporary directory. The 

name of this zip file is either ncsm10To12Upgrade.zip or ncsm11To12Upgrade.zip. 

2. Unzip the file. 

You now need to copy your backup database file from your temporary direcotry to netcool Security 

Manager 1.2. 

3. In a text editor, create a new file called SM12DBData. 

4. Copy all the insert statements from the backup database file into this new file. 



5. Change to the directory where you stored your upgrade file. 

6. Enter the following commands: 

type schema.12 backupfilename > SM12DBData 

cp SM12DBData C:\SM1.2 NCSM_HOME\db\security.script 

7. Now that you have saved your database to Netcool Security Manager 1.2 you should delete the 

following files from C:\SM1.1$\NCSM_HOME\db\: 

– security.backup 

– security.data 

– security.lck 

– security.log 

8. Start your Security Manager 1.2 server. 

After you upgrade, you can configure your Netcool applications that used Security Manager 1.0 or 1.1 to 

use the new version of the Security Manager, as required. 


2.4 Troubleshooting Installation Problems 

Troubleshooting Installation Problems 

Micromuse recommends that you check the following when troubleshooting an installation: 

ObjectServer authentication 

Windows user password 

ObjectServer Authentication 

This version of the Security Manager requires access to an instance of the Netcool/OMNIbus ObjectServer 

in order to work. 

During installation, the installer prompts you for the hostname and port of this ObjectServer. The installer 

also prompts you for the name of an ObjectServer user with root-level access privileges (for example, the 

root user) and the corresponding password. This information must be correct in order for the Security 

Manager to operate successfully. 

If you are having problems with the initial login to the Security Manager, check the ObjectServer-related 

configuration properties in the server properties file to make sure that they are specified correctly. The file 

is named smParentType_NCOMS.type and it is stored in the $NCSM_HOME/etc directory. 

Windows User Password 

At install, the Windows version of the Security Manager installer prompts you for the password of the user 

currently logged into the system. If you do not supply the correct password, the Security Manager will not 

operate successfully. You can check the password setting by looking at the Security Manager database 

properties using the Windows services administration tools. 




03_Getting_Started.fm February 9, 2005 5:21 pm 

Chapter 3: Getting Started 

This chapter contains instructions on getting started with the Netcool Security Manager. 

It contains the following topics: 

Running the Security Manager on page 36 

Logging into the Security Manager GUI on page 38 

The Security Manager GUI on page 39 



3.1 Running the Security Manager 

On UNIX platforms, the Netcool Security Manager provides a set of administration scripts that you can use 

to start and stop the software components. On Windows platforms, you use the Windows services 

administration tools. 

Note: In previous versions of the Security Manager, you were required to start and stop the server and 

database separately. In this version, the Security Manager database is started automatically when you start 

the server. 

Starting the Security Manager on UNIX 

You can start the Security Manager server and database by running the server startup script. This script is 

named ncsm_server and is located in the $NCSM_HOME/bin directory. 

To start the Security Manager server, enter the following at a command prompt: 

$NCSM_HOME/bin/ncsm_server 

Stopping the Security Manager on UNIX 

You can stop the Security Manager server and database by running the server shutdown script. This script 

is named ncsm_shutdown and is located in the $NCSM_HOME/bin directory. 

To stop the Security Manager server, enter the following at a command prompt: 

$NCSM_HOME/bin/ncsm_shutdown 

Viewing the Security Manager Status on UNIX 

You can view the status of the Security Manager server and the Security Manager database by running the 

status script. This script is named ncsm_status and is located in the 

$NCSM_HOME/bin directory. 

To run the status script, enter the following at a command prompt: 

$NCSM_HOME/bin/ncsm_status 

The following example shows typical output from the status script: 

Netcool/SecurityManager license server is running (pid= ) 

Netcool/SecurityManager database is running (pid=3487 ) 

Netcool/SecurityManager Server is running 


Starting the Security Manager on Windows 

To start the Security Manager on Windows platforms: 

1. In the Start Menu, select Control Panel →Administrative Tools → Services. 

2. In the Services window, right-click on Netcool Security Manager and select Start. 

Stopping the Security Manager on Windows 

To stop the Security Manager on Windows platforms: 

1. In the Start Menu, select Control Panel → Administrative Tools → Services. 

2. In the Services window, right-click on Netcool Security Manager and select Stop. 

Running the Security Manager 



3.2 Logging into the Security Manager GUI 

Before you perform any security administration tasks, you must log into the Security Manager GUI. 

The first time you log into the Security Manager GUI, you can use the default admin or root users. The 

password for the admin user is netcool. The root user is an ObjectServer user whose password is 

defined in the ObjectServer database. 

To log into the Security Manager GUI: 

1. Start your web browser. 

2. Open the URL of the Netcool Security Manager Login page. The URL is in the format 

http://hostname:port, where hostname is the name of the system where you installed the 

Netcool GUI Server and port is the HTTP port. The default URL is 

http://localhost:8077. 

3. The Login page appears in the web browser. 

Figure 4: Security Manager GUI Login Page 

4. Enter a username in the Username field. 

5. Enter a password in the Password field. 

6. Click Log In. 


3.3 The Security Manager GUI 

The Security Manager GUI 

The Netcool Security Manager GUI is a web-based graphical user interface that you use to perform security 

administration tasks. These tasks include working with domains, users, groups, and roles. 

Figure 5 shows the Security Manager GUI. 

Figure 5: Security Manager GUI 

The Security Manager GUI consists of two frames, the Navigation panel and the Main Work panel. 

Navigation Panel 

The Navigation panel appears in the left hand side of the Security Manager GUI. You use this frame to 

navigate between security management tasks. 



Figure 6 shows the Navigation panel. 

Figure 6: Security Manager GUI Navigation Panel 

The Navigation panel contains two task panes, the Domain and Group task panes. 

Domain Task Pane 

The Domain task pane contains a list box that lists all of the currently defined domains. It also contains 

buttons that allow you to create, edit and delete domains. 

Figure 7 shows the Domain task pane. 

Figure 7: Security Manager GUI Domain Task Pane 

Group Task Pane 

The Group task pane contains a table that lists all of the currently defined groups. It also contains buttons 

that allow you to create, edit and delete groups. 


Figure 8 shows the Group task pane. 

Figure 8: Security Manager GUI Group Task Pane 

Main Work Panel 

The Main Work panel appears in the right hand side of the Security Manager GUI. 

Figure 9 shows a typical view of the Main Work panel. 

Figure 9: Security Manager GUI Main Work Panel 


The Main Work panel is a workspace that provides the space for one or more tabs. Each tab is associated 

with a dialog box called an editor. You click on the tab to view an editor. To close an editor, you click the 

Close Tab button. 



Figure 10 shows an image of a typical tab. 

Figure 10: Security Manager GUI Main Work Panel Tab 

The Main Work panel has the following editors: 

Domain Editor 

User List Editor 

User Editor 

Group Editor 

Domain Editor 

The Domain Editor is the dialog box that you use to create and edit domains. This editor is displayed when 

you click the New Domain button in the Domain task pane. It is also displayed when you select a domain 

from the Domain task pane and click the Edit Domain button. 


Figure 11 shows the Domain Editor as displayed inside the Main Work panel. 

Figure 11: Security Manager GUI Domain Editor 

Group Editor 


The Group Editor is the dialog box that you use to create and edit groups. This editor is displayed when you 

click the New Group button in the Group task pane. It is also displayed when you click any Edit Group 

button in the task pane. 

The Group Editor has two tabs, the Group Properties tab and the Group Roles tab. 



Figure 12 shows the Group Editor as displayed inside the Main Work panel. 

Figure 12: Security Manager GUI Group Editor 

User List Editor 

The User List Editor is the dialog box that shows the users that belong to a group. This editor is displayed 

when you select a group from the Group task pane. You use this editor to create, edit and delete users. 


Figure 13 shows the User List Editor as displayed inside the Main Work panel. 

Figure 13: Security Manager GUI User List Editor 

User Editor 


The User Editor is the dialog box that you use to edit users. This editor is displayed when you click the New 

User button in the Group Editor. It is also displayed when you select a user from any Group Editor and click 

the Edit Group button. 

The User Editor has two tabs, the User Details tab and the User Roles tab. 



Figure 14 shows the User Editor as displayed inside the Main Work panel. 

Figure 14: Security Manager GUI User Editor 


04_Domains.fm February 9, 2005 5:21 pm 

Chapter 4: Working with Domains 

This chapter contains instructions on working with domains. 


About Domains on page 48 

Viewing Domains on page 49 

Creating Domains on page 50 

Editing Domains on page 51 

Deleting Domains on page 54 



4.1 About Domains 

Domains are sets of users and groups that represent a product or collection of products and its related users. 

You can use the Security Manager GUI to view, create, edit, and delete domains. 

Note: You do not need to create a domain for use with Netcool/Impact and Netcool/RAD. These products 

use the Micromuse Netcool Applications domain, which is shipped with the Security Manager 

by default. 

You can do the following with domains: 

View domains 

Create domains 

Edit domains 

Delete domains 


4.2 Viewing Domains 

Viewing Domains 

You can use the Security Manager GUI to view currently defined domains. The domains are displayed in 

the Domains drop-down list. 

To view the currently defined domain: 

1. In the Navigation panel, click the Domains list box. 

Figure 15: Security Manager GUI Domain List 

The drop-down list contains all of the currently defined domains. 



4.3 Creating Domains 

You can use the Security Manager GUI to create new domains. You do not need to create domains in order 

to manage user authentication for Micromuse products. All Micromuse products use a domain named 

Micromuse Netcool Applications. 

To create a domain: 

1. In the Navigation panel, click the New Domain button in the Domain task pane. 

Figure 16: Security Manager GUI Domain Task Pane 

Figure 17: Security Manager GUI New Domain Button 

The Domain Editor appears in the Main Work panel. 

2. Follow the instructions in the following section to set the domain configuration properties. 

3. Click the Save button. 

The domain appears in the Domain drop-down list. 


4.4 Editing Domains 

Editing Domains 

You can use the Security Manager GUI to edit the configuration properties for a domain. You must edit a 

domain when it is created in order to set its required properties, such as the domain name and the session 

and password expiration times. You can also edit the domain any other time you need to change its 

configuration. 

Table 5 shows the configuration properties for a domain. 

Table 5: Security Manager Domain Configuration Properties 


Domain Name Name for the domain. 

External Authentication Policy Used for ObjectServer, NIS, and LDAP authentication. 

External Authentication Group Policy Used for ObjectServer, NIS, and LDAP authentication. 

External Authentication User Policy Used for ObjectServer, NIS, and LDAP authentication. 

Session Expiration Number of minutes of inactivity before login sessions expire in this domain. 

Default is 30 minutes. For sessions that never expire, enter 0. 

Password Expiration Number of days after creation or reset that passwords automatically expire. 

Password Minimum Length Minimum number of characters for passwords. Optional. 

Password Maximum Length Maximum number of characters for passwords. Optional. 

Forbidden Characters Characters that cannot be used for passwords. Optional. 

First Character Requirement for the first character in passwords. Options are No 

Restrictions, Must Be a Number and Must Be a Letter. 

For more information on setting the configuration properties for external authentication, see 

Chapter 8: External Authentication on page 83. 



To edit a domain: 

1. In the Navigation panel, select the domain you want to edit from the Domain list. 

Figure 18: Security Manager GUI Domains List 

2. Click the Edit Domain button. 

Figure 19: Security Manager GUI Edit Domain Button 


The Domain Editor dialog appears in the Main Work panel. 


3. Enter or modify the desired configuration properties. 


Editing Domains 



4.5 Deleting Domains 

You can use the Security Manager GUI to delete domains. You must be careful when you delete a domain, 

as there is no way to restore it once it has been deleted. If you delete the Micromuse Netcool 

Applications domain, user authentication is disabled for all Netcool products that use the Security 

Manager. 

To delete a domain: 

1. In the Navigation panel, select the domain that you want to delete from the Domain list. 

Figure 21: Security Manager GUI Domain List 

2. Click the Delete Domain button. 

Figure 22: Security Manager GUI Delete Domain Button 

The domain is removed from the Domain drop-down list. 


05_Users.fm February 9, 2005 5:21 pm 

Chapter 5: Working with Users 

This chapter contains instructions on working with users. 


About Users on page 56 

Viewing Users on page 57 

Creating Users on page 58 

Editing Users on page 61 

Deleting Users on page 64 



5.1 About Users 

Users are real-world users in your environment. You should create one user for each real-world user that 

requires access to a domain protected by the Netcool Security Manager. 

The Security Manager provides three default users, admin, root, and guest, that you can use to 

perform initial setup tasks. The admin user is a native authentication user with administration privileges 

for the Security Manager. The root user is an ObjectServer authentication user that also has administration 

privileges. The password for the admin user is an empty string. The password for the root user is defined 

in the ObjectServer. 

You can use the Security Manager GUI to do the following with native authentication users: 

View users 

Create users 

Edit users 

Delete users 

External authentication users are automatically imported into the Security Manager database the first time 

they are used to log into a Netcool product. 


5.2 Viewing Users 

Viewing Users 

You can use the Security Manager GUI to view currently defined users. The users are displayed in the User 

List Editor. 

To view the currently defined users, n the Navigation panel, click the name of a group in the Group task 

pane. 


Figure 24: Security Manager GUI List Users Button 

The User List Editor appears in the Main Work panel and displays all the users in the group. 




5.3 Creating Users 

The Security Manager allows the following types of user creation: 

Automatic 

Synchronized 

Manual 

Creating Users Automatically 

External authentication users are created in the Security Manager database automatically the first time they 

are used to log into a Netcool product. At initial login, the Security Manager server authenticates the user 

against the external source (for example, an ObjectServer). If the username and password are valid, it creates 

an equivalent user in the Security Manager database. After the user has been created, you can manage it just 

as you do any other user. 

Synchronizing Users 

You can synchronize users with an external authentication source using the 

ncsm_syncusers script. This script imports all users in the authentication source into the Security 

Manager database. For more information on this script, see Synchronizing Users on page 92. 

Manually Creating Users 

You can use the Security Manager GUI to manually create users. Manually created users exist only in the 

Security Manager database. 


To manually create a user: 

Creating Users 

1. In the Navigation panel, click any List Users button in the Group task pane. The user you create will 

be a member of the corresponding group by default. 







2. Click the New User button. 

Figure 29: Security Manager GUI New User Button 

The User Editor appears in the Main Work panel. 

3. Follow the instructions in the following section to set the user configuration properties. 


The user appears in the User List Editor. 


5.4 Editing Users 

Editing Users 

You can use the Security Manager GUI to edit the configuration properties for a user. You must edit a user 

when it is created in order to set its required properties, such as the username and password. You can also 

edit the user any other time you need to change its configuration. 

The following table shows the configuration properties for a user: 

Table 6: Security Manager User Configuration Properties 


Username Username for the user. 

First Name First name of the user. Optional. 

Last Name Last name of the user. Optional. 

Password Password for the user. The password must conform to the password rules defined in the 

domain configuration. 

Confirm Password Password confirmation. 

Primary Group Primary group membership for the user. The configuration settings for this group override 

that of all other groups. 

Authenticate Externally Set automatically by the Security Manager when it creates an external authentication user. 

Active Select this option to make the user available to the authentication system. 



To edit a user: 

1. In the Navigation panel, click the List Users button for the Default (All Domain Users) 

group the Group task pane. 



The User List Editor appears in the Main Work panel and displays all the users in the domain. 


2. Click the name of the user you want to edit. 


The User Editor appears in the Main Work panel. 


3. Enter or modify the required configuration properties. 

Editing Users 

4. Use the User Roles tab to specify the roles for the user. For information on roles required by the user, 

see the documentation for the individual Netcool products (for example, Netcool/Impact and 

Netcool/RAD). 



5.5 Deleting Users 

You can use the Security Manager GUI to delete users from the Security Manager database. You must be 

careful when you delete a user, as there is no way to restore it once it has been deleted. When you delete an 

external authentication user, only the cached copy in the database is deleted. 

To delete a user: 

1. In the Navigation panel, click any List Users button in the Group task pane. 


Figure 35 shows the List Users button. 





2. Choose the user you want to delete by selecting the option box next to the name of the user. 

3. Click Delete. 

The user is deleted and removed from the User List editor. 

Deleting Users 




07_Roles.fm February 9, 2005 5:21 pm 

Chapter 6: Working with Roles 

This chapter contains instructions on working with roles. 


About Roles on page 68 

Viewing Roles in a Domain on page 69 

Adding and Removing User Roles on page 70 

Adding and Removing Group Roles on page 72 



6.1 About Roles 

Roles are sets of access privileges that can be assigned to a user or a group. Roles are installed automatically 

by applications that use the Security Manager, such as Netcool/Impact and Netcool/RAD. 

Note: Roles in Netcool/RAD operate on global and per instance levels. When you manage Netcool/RAD 

roles in the Security Manager GUI (for example, applying roles to users and groups), you are specifying 

global roles. Per instance roles are managed in the Netcool/RAD GUI. For more information, see the 

Netcool/RAD Administration Guide. 

You can do the following with roles in the Security Manager GUI: 

View all the roles in a domain 

Add and remove user roles 

Add and remove group roles 


6.2 Viewing Roles in a Domain 

To view all the roles currently defined in a domain: 

1. In the Navigation Frame, select the domain you want to edit from the Domain list. 

Figure 37: Security Manager GUI Navigation Frame 



3. Click the All Roles tab in the Domain Editor that opens. 


Viewing Roles in a Domain 



6.3 Adding and Removing User Roles 

To add and remove roles associated with a user: 

1. In the Navigation Frame, click the List Users button for the Default (All Domain Users) 

group. 

Figure 40: Security Manager GUI Group Panel 

2. Click the Edit User button for the user you want to edit in the User List Editor that appears. 



3. Click the User Roles tab in the User Editor that appears. 


4. Use the Add button and the Remove button to add and remove roles for the user. 

5. Click the Save button in the editor toolbar. 

Adding and Removing User Roles 



6.4 Adding and Removing Group Roles 

To add and remove roles associated with a group: 

1. In the Navigation Frame, click the name of the group whose roles you want to add or remove. 

Figure 43: Security Manager GUI Group Panel 

2. Click the Group Roles tab in the Group Editor that appears. 


3. Use the Add button and the Remove button to add and remove roles for the group. 

4. Click the Save button in the editor toolbar. 


06_Groups.fm February 9, 2005 5:21 pm 

Chapter 7: Working with Groups 

This chapter contains instructions on working with groups. 

It contain the following sections: 

About Groups on page 74 

Viewing Groups on page 75 

Creating Groups on page 76 

Editing Groups on page 78 

Deleting Groups on page 81 

Setting Up Default Groups on page 82 



7.1 About Groups 

Groups are real-world groups of users that share the same set of access privileges. You can create custom 

groups or use the default groups provided by the Security Manager. Some applications, such as 

Netcool/Impact and Netcool/RAD, create custom groups and add them to the Security Manager database. 

Possible examples of custom groups are Administrators, Operators and Remote_Users. 

You can use the Security Manager GUI to do the following with groups: 

View groups 

Create groups 

Edit groups 

Delete groups 


7.2 Viewing Groups 

Viewing Groups 

You can use the Security Manager GUI to view the currently defined groups. The groups are displayed in 

the Group task pane of the Navigation panel. 




7.3 Creating Groups 

To create a group: 

1. In the Navigation panel, click the New Group button in the Group task pane. 


Figure 47: Security Manager GUI New Group Button 

2. The Group Editor appears in the Main Work panel. 



3. Follow the instructions in the following section to set the group configuration properties. 


The group appears in the Group task pane. 

Creating Groups 



7.4 Editing Groups 

You can use the Security Manager GUI to edit the configuration properties for a native authentication 

group. You must edit a group when it is created in order to set the required properties, such as the group 

name and display name. You can also edit the group any other time you need to change the its configuration. 

The following table shows the group configuration properties. 

Table 7: Security Manager Group Configuration Properties 


Group Name Internal name for the group. 

Display Name Name for the group as it appears in the Security Manager GUI. 

External 

Authentication Name 

If this group is used to map against a group defined in an ObjectServer, LDAP or NIS 

authentication source, you must enter the name of the external group here. 


To edit a group: 

1. In the Navigation panel, click the name of the group in the Group task pane. 


The Group Editor appears in the Main Work panel. 


Editing Groups 



2. Enter or modify the required configuration properties. 

3. Use the Group Roles tab to specify the roles for the group. For information on roles required by the 

user, see the documentation for the individual Netcool products (for example, Netcool/Impact and 

Netcool/RAD). 


7.5 Deleting Groups 

Deleting Groups 

You can use the Security Manager GUI to delete groups. You must be careful when you delete a group, as 

there is no way to restore it once it has been deleted. 

To delete a group: 

1. In the Navigation panel, click the Delete button for the group in the Group task pane. 


Figure 52: Security Manager GUI Delete User Button 

The group is deleted and removed from the Group task pane. 



7.6 Setting Up Default Groups 

Example 

This version of the Security Manager allows you to specify one or more default groups. New external 

authentication users automatically become part of the default groups on creation. Both internal and external 

groups can be used as defaults. 

Default groups are specified in the Security Manager server properties file. This file is named 

SM_server.props and is located in the $NCSM_HOME/etc directory. The following table shows the 

properties used to specify default groups: 

Table 8: Default Groups Properties 


impact.security.externalauth.userrecords. 

addtodefaultgroup 

impact.security.externalauth.userrecords. 

defaultgroup.n 

Specifies whether to add new external authentication 

users to default groups. Possible values are true and 

false. 

Security Manager internal name for a default group, 

where n is an integer that identifies the group. You must 

use integers in ascending order from 1. 

The following example shows how to specify default groups in the server properties file. In this example, the 

default groups are RADUsers and RADViewAllInstanceUsers. 

impact.security.externalauth.userrecords.addtodefaultgroup=true 

impact.security.externalauth.userrecords.defaultgroup.1=RADUsers 

impact.security.externalauth.userrecords.defaultgroup.2=RADViewAllInstanceUsers 


08_External_Authentication.fm February 9, 2005 5:21 pm 

Chapter 8: External Authentication 

This chapter contains instructions on setting up external authentication. 


Setting Up ObjectServer Authentication on page 84 

Setting Up NIS Authentication on page 85 

Setting Up LDAP Authentication on page 89 

Synchronizing Users on page 92 



8.1 Setting Up ObjectServer Authentication 

ObjectServer authentication is a scheme in which users are derived from user information stored in a 

Netcool/OMNIbus ObjectServer. This information is accessed in real time from the ObjectServer when the 

Security Manager server authenticates a user. The Security Manager supports ObjectServer versions 3.4, 

3.4.1, 3.5, 3.6, and v7. 

You can use ObjectServer authentication immediately upon installation of the Security Manager. No 

additional configuration is required. 


8.2 Setting Up NIS Authentication 

Setting Up NIS Authentication 

NIS authentication is a scheme in which users are derived from user information stored in a Network 

Information System. This information is accessed in real time from NIS when the Security Manager server 

authenticates a user. The Security Manager supports version NIS version 2. NIS+ is not supported. 

To set up NIS authentication, you do the following: 

Install the NIS plug-in 

Configure the domain 

Edit the plug-in properties file 

After you have set up NIS authentication, you can change the configuration at any time by manually editing 

the plug-in properties file. 

Installing the NIS Plug-In 

To install the NIS plug-in, you run the install script. This script is named ncsm_NIS_config and is 

located in the $NCSM_HOME/install directory. You must stop the Security Manager server before 

running the install script. You can safely restart the server immediately after installation. 

The install script prompts you for the following information. 

Table 9: NIS Plug-In Installer Prompt 


Network domain name The network domain name for NIS authentication. 

To run the install script: 

1. Stop the Security Manager server by entering the following at a command prompt: 


2. Enter the following: 

$NCSM_HOME/install/ncsm_NIS_config 




4. Restart the Security Manager server by entering the following: 


Configuring the Domain 

After you have installed the NIS plug-in, you must configure the domain using the Security Manager GUI. 

To configure the domain: 

1. Log into the Security Manager GUI. 

2. In the Navigation panel, select the domain that you want to configure from the Domains list. The 

domain used by Micromuse products is called Micromuse Netcool Applications. 







4. Click the External Authentication Sources tab. 

5. Click the New Authentication Source button. 

Setting Up NIS Authentication 

6. In the dialog box that opens, enter smNISAuthentication in the External Authentication 

Policy field. 

7. Enter smGetNISGroups in the External Authentication Group Policy field. 

8. Enter smGetNISUsers in the External Authentication User Policy field. 

9. Click Apply. 

10. Click Save. 



Editing the Plug-In Properties File 

You can change the NIS plug-in configuration at any time after installation by manually editing the plug-in 

properties file. This file is named sm_nisdomain.props and is located in the $NCSM_HOME/etc 

directory. 

The plug-in properties file contains a property called impact.nisprovider.url. This property 

specifies the network domain name for the NIS server. The format for the property name is 

nis:///name, where name is the network domain name. 

You must stop and restart the Security Manager server in order for the configuration changes to take effect. 


8.3 Setting Up LDAP Authentication 

Setting Up LDAP Authentication 

LDAP authentication is a scheme in which users are derived from information in an LDAP directory server. 

This information is accessed in real time from LDAP when the Security Manager server authenticates a user. 

The Security Manager supports versions 2 and 3 of the LDAP protocol. 

To set up LDAP authentication, you do the following: 

Install the LDAP plug-in 

Configure the domain 

After you have set up LDAP authentication, you can change the configuration at any time by manually 

editing the authentication type file. 

Installing the LDAP Plug-In 

To install the LDAP plug-in, you run the install script. This script is named 

ncsm_ldap_config and is located in the $NCSM_HOME/install directory. You must stop the 

Security Manager server before running the install script. You can safely restart the server immediately after 

installation. 

The install script prompts you for the following information. 

Table 10: LDAP Plug-In Installer Prompts 


LDAP server hostname Hostname or IP address of the system where the LDAP server is running. 

LDAP server port Port used by the LDAP server. The default is 389. 

Fully-qualified DN of an LDAP user Fully qualified dn of an LDAP user that has permissions to browse users and 

groups in the directory. 

LDAP user password Password for the LDAP user. 

LDAP user ID attribute Name of the LDAP attribute defined as a unique user ID in the LDAP server 

schema. Default is uid. 

LDAP user base context Base context for LDAP users. 

LDAP group attribute Name of the LDAP attribute to use as a group in the authentication model. Default 

is cn. 

LDAP group base context Base context for LDAP groups. 

LDAP group attributes filter LDAP filter that specifies which group a user belongs to. 



To run the install script: 

1. Stop the Security Manager server by entering the following at a command prompt: 


2. Enter the following: 

$NCSM_HOME/install/ncsm_ldap_config 




Configuring the Domain 

After you have installed the LDAP plug-in, you must configure the domain using the Security Manager 

GUI. 

To configure the domain: 

1. Log into the Security Manager GUI. 

2. In the Navigation panel, select the domain that you want to configure from the Domains list. The 

domain used by Micromuse products is called Micromuse Netcool Applications. 







4. Click the External Authentication Sources tab. 

5. Click the New Authentication Source button. 

Setting Up LDAP Authentication 

6. In the dialog box that opens, enter smLDAPAuth in the External Authentication Policy field. 

7. Enter smGetLDAPGroups in the External Authentication Group Policy field. 

8. Enter smGetLDAPUsers in the External Authentication User Policy field. 

9. Click Apply. 

10. Click Save. 



8.4 Synchronizing Users 

The Security Manager provides a script that you can use to synchronize users from an external 

authentication source with users stored in the Security Manager database. The script is named 

ncsm_syncusers and is located in the $NCSM_HOME/bin directory. 

This script is optional, as the Security Manager automatically imports users into the database the first time 

they are used to log into a Netcool product. This script is most useful for importing all users from an external 

authentication source at one time before organizing them into groups and adding any required roles. 

Note: The Security Manager must be running when you start the synchronization script. 

The syntax for the synchronization script is as follows: 

$NCSM_HOME/bin/ncsm_syncusers ObjectServer | NIS | LDAP 

For example, to synchronize ObjectServer users with the Security Manager database, you enter the following 

at a command prompt: 

$NCSM_HOME/bin/ncsm_syncusers ObjectServer 


09_Appendix.fm February 9, 2005 5:21 pm 

Appendix A: Supplementary Information 

This appendix contains supplementary information about the Netcool Security Manager. 


Configuring the Refresh Interval on page 94 

Security Manager Port Usage on page 95 

Backing Up the Database on page 96 

Security Manager Failover on page 97 

SSL and the Security Manager on page 100 



A.1 Configuring the Refresh Interval 

This version of the Security Manager allows you to configure the interval at which user, group, and role 

information is refreshed from the database. In previous versions, end users were required to log out and log 

back in when changes to the authentication setup were made. In this version, changes are refreshed 

automatically at intervals you define. 

You configure the refresh interval by setting properties in the server properties file. This file is named 

SM_server.props and is located in the $NCSM_HOME/etc directory. 

The following table shows the refresh interval configuration properties: 

Table A1: Refresh Interval Configuration Properties 

Property Definition 

security.refresh.timeinsec Number of seconds between each attempt to refresh from the 

authentication source. Default is 30. 

security.refresh.maxretries Maximum number of times to retry a refresh after failing to 

connect to the authentication source. Default is 10. 


A.2 Security Manager Port Usage 

The following table shows the default TCP ports used by the Security Manager. 

Table A2: Security Manager TCP Ports 

Security Manager Port Usage 

Description Default Port 

HTTP port. This port is used by the Security Manager for SOAP communication with other 

Netcool products. You also use this port to access the standalone GUI from a web browser. If you 

want to make the GUI available outside a firewall, you must expose this port. 

Server port. This port is used internally by the Security Manager server to communicate with 

other application components. 

Database port. This port is used internally by the Security Manager database to communicate 

with other application components. 

Note: You specify these ports when you install the Security Manager or when you edit the server properties 

file. If a specified port is not available, the Security Manager will not operate successfully. 

Netcool/Security Manager 1.2 Administration Guide 95 

8077 

1275 

5600


A.3 Backing Up the Database 

Micromuse recommends that you regularly back up the Security Manager database. You must stop the 

Security Manager before you back up or restore the database. 

To back up the database: 

1. Stop the Security Manager by entering the following at a command prompt: 


2. Back up the database by entering the following: 

$NCSM_HOME/bin/ncsm_db backup -backupfile filename 

where filename is the name of the file you want to use to store the backup data. 


$NSCM_HOME/bin/ncsm_server 

Restoring the Database 

To restore the database: 

1. Stop the Security Manager by entering the following at a command prompt: 


2. Restore the database by entering the following: 

$NCSM_HOME/bin/ncsm_db restore -backupfile filename 

where filename is the name of the file that contains the backup data. 


$NSCM_HOME/bin/ncsm_server 


A.4 Security Manager Failover 

Failover is a feature that helps you manage uptime and availability for the Security Manager. 

Security Manager Failover 

In a failover configuration, you install primary and secondary servers of the Security Manager on different 

systems in your environment. You then configure them in such a way that if the primary server fails, the 

secondary server takes over the role as primary. When the original primary server is restarted, is assumes the 

new secondary role. 

Security Manager data is replicated and synchronized at startup and during run time. 

Setting Up Security Manager Failover 

To set up Security Manager failover, you do the following: 

Install primary and secondary instances of the Security Manager 

Configure Netcool applications to use the failover configuration 

Configure Security Manager database properties 

Configure Security Manager primary and secondary type properties 

Configure Security Manager server properties 

Installing the Security Manager Instances 

The first step in setting up failover is to install primary and secondary instances of the Security Manager on 

different systems in your environment. To install the Security Manager, you can run the install script and 

follow the on screen prompts as described in Installing the Security Manager on page 22. There are no special 

considerations when installing the instances for failover. 

Configuring the Netcool Applications 

You must configure the Netcool applications that use the Security Manager (for example, Netcool/Impact, 

Netcool/RAD and the Netcool GUI Server) so that they are able to locate both instances of the Security 

Manager server. You configure them by setting properties in their respective server properties files. This file 

is named server.props or servername_server.props and is located in the etc directory of 

the product installation. For example, the default Netcool/Impact server properties file is 

$IMPACT_HOME/etc/NCI_server.props. 

To configure the applications, set the following in each server properties file: 

security.backup.host.1=hostname 

security.backup.port.1=port 

impact.security.backup.host.1=hostname 

impact.security.backup.port.1=port 



where hostname is the hostname of the system where the secondary Security Manager is running and 

port is the port. The default security manager port is 1275. The location of the primary Security Manager 

is described by other configuration properties that you set when you install the Netcool application. 

Configuring the Security Manager Databases 

You must also configure the primary and secondary instances of the Server Manager database so that they 

do not use localhost as the default server address. The server address property is located in the 

$NCSM_HOME/etc/db.properties file. 

To configure the security manager databases, comment out the server.address property in each 

db.properties file by inserting the # character at the beginning of the line. The resulting line should 

look like the following: 

# server.address=localhost 

Configuring Primary and secondary Type Properties 

You must configure both primary and secondary type properties. The properties files are located in the 

$NCSM_HOME/etc/smParentType.type file. You must modify these properties in order to enable 

data replication between the primary and secondary Security Manager instances. 

You must add or modify the contents of the primary type file so that it contains the following lines: 

smParentType.SQL.NUMDBPROPERTIES=1 

smParentType.SQL.DBPROPERTY.1.NAME=IMPACT_REPLICATE_CHANGES 

smParentType.SQL.DBPROPERTY.1.VALUE=true 

You must also modify the smParentType.sql.urls property. This property contains a set of JDBC 

connection strings. Each connection string is separated by the pipe character (|). 

For the primary Security Manager, add the following connection string to the property: 

jdbc:hsqldb:hsql://secondary_host:secondary_port/security 

where secondary_host is the hostname of the system where the primary Security Manager is running 

and secondary_port is the port used by the Security Manager database. The default port is 5600. 

The resulting property should resemble the following: 

smParentType.SQL.URLS=jdbc:hsqldb:hsql://host_primary:5600/security| 

jdbc:hsqldb:hsql://host_secondary:5600/security 

where host_primary is the hostname of the primary instance and host_secondary is the hostname 

of the secondary instance. 

For the secondary Security Manager, add a connection string representing the primary Security Manager to 

the property in the same way. 


The resulting property should resemble the following: 

smParentType.SQL.URLS=jdbc:hsqldb:hsql://host_secondary:5600/security| 

jdbc:hsqldb:hsql://host_primary:5600/security 

Security Manager Failover 

where host_primary is the hostname of the primary instance and host_secondary is the hostname 

of the secondary instance. 

Configuring the Security Manager Server 

The final step in setting up Security Manager failover is to configure the primary and secondary server 

instances. You configure each server by modifying the 

$NCSM_HOME/etc/SM_server.props file. 

To configure the primary Security Manager server, add the following lines to the file: 

impact.security.failover=true 

impact.security.controlport=port_primary_control 

impact.security.failover.other.host=host_secondary 

impact.security.failover.other.port=port_secondary_control 

impact.security.failover.ResyncRateInSec=10 

where port_primary_control is the control port for the primary server, 

host_secondary is the hostname of the system where the secondary server is running and 

port_secondary_control is the control port for the secondary server. The control port is used for 

communication between the primary and secondary server instances. You can specify any unused port for 

this property. 

To configure the secondary Security Manager server, add the following lines to the file: 

impact.security.failover=true 

impact.security.controlport=port_secondary_control 

impact.security.failover.other.host=host_primary 

impact.security.failover.other.port=port_primary_control 

impact.security.failover.ResyncRateInSec=10 

Running the Security Manager in a Failover Configuration 

To run the Security Manager in a failover configuration you start the primary server and then the secondary 

server using the server startup script. This script is named ncsm_server and is located in the 

$NCSM_HOME/bin directory. You start the server instances in the same way that you start a single server 

configuration of the security manager with no special considerations. You can shut down the server instances 

using the ncsm_shutdown script. 



A.5 SSL and the Security Manager 

The Security Manager supports Secure Socket Layer (SSL) communication at the following levels: 

Between the Security Manager server and Netcool/Impact, Netcool/RAD, and the Netcool GUI 

Server 

Between the Security Manager server and an LDAP server 

Setting Up SSL Between the Security Manager and Netcool Applications 

The Security Manager supports communication via SSL between the Security Manager server and 

Netcool/Impact, Netcool/RAD, and the Netcool GUI Server. When you enable SSL communication for 

the Security Manager, all Netcool applications that use the Security Manager for authentication must also 

be set up to use SSL. 

To set up SSL for use with the Security Manager and Netcool applications, you do the following: 

Create a server certificate 

Create client certificates 

Configure the Security Manager servlet service 

Configure the Security Manager server 

Configure the Netcool applications 

Note: When you create the client and server certificates, you are required to specify a password for the local 

keystore and the local truststore. Make sure to record the passwords that you specify. You will use them when 

you configure the Security Manager server and the Netcool applications for use with SSL. 

Creating the Server Certificate 

The first step in setting up SSL for use with the Security Manager is creating the server certificate. You create 

this certificate using the Java keytool utility. This utility is part of the Java Runtime Environment (JRE) 

and is located in the $NCSM_HOME/platform/arch/J2RE/bin directory, where arch is the name 

of the operating system where the Security Manager is installed. 

For more information on keytool, see the Java Runtime Environment documentation at 

http://java.sun.com. 


To create the server certificate: 

SSL and the Security Manager 

1. At a command prompt, change the current directory to the location that you will use to store the 

server certificate and create a subdirectory named ssl as follows: 

cd $NCSM_HOME 

mkdir ssl 

cd ssl 

2. Generate the server certificate using the keytool utility as follows: 

$NCSM_HOME/platform/arch/J2RE/bin/keytool -genkey -alias sm_svr -keyalg RSA 

-keypass keypassword -storepass storepassword -keystore keystore.jks 

where keypassword and storepassword are password strings of your choice. Passwords must 

be six characters or longer. 

The keytool utility prompts you for the information required to populate and sign the server 

certificate. You must enter the hostname of the system where the Security Manager is running in 

response to the first name and last name prompt. 

This command creates a file named keystore.jks in the current directory. 

3. Export the server certificate using the keytool utility as follows: 

$NCSM_HOME/platform/arch/J2RE/bin/keytool -export -alias sm_svr -storepass 

storepassword -file server.cer -keystore keystore.jks 

This command creates a file named server.cer in the current directory. This file contains the 

exported certificate. 

4. Create a trust store file and add the server certificate to the file as follows: 

$NCSM_HOME/platform/arch/J2RE/bin/keytool -import -v -trustcacerts -alias sm_svr 

-keypass keypassword -storepass storepassword -file server.cer -keystore 

cacerts.jks 

The keytool utility prompts you whether you want to trust this certificate. You must answer Yes. 

This command creates a file named cacerts.jks in the current directory. 

Creating Client Certificates 

After you have created the server certificate, you must create a client certificate for each Netcool application 

that uses the Security Manager for authentication. This includes Netcool/Impact, Netcool/RAD, and the 

Netcool GUI Server. 

Note: You must also create a client certificate for the Security Manager server itself, in addition to the server 

certificate that you created in the previous step. 



As with the server certificate, you generate client certificates using the Java keytool utility. This utility is 

located in the platform/arch/J2RE/bin directory of each Netcool application installation, where 

arch is the name of the platform where the application is installed. 

You must create the client certificates on the system where each application is installed. For example, when 

you generate the certificate for Netcool/Impact, you must run the keytool utility on the system where 

Netcool/Impact is located. 

To create a client certificate: 

1. At a command prompt, create a new directory named ssl in the home directory for the Netcool 

application. For example, if you are generating a client certificate for Netcool/Impact, create a new 

directory named $IMPACT_HOME/ssl. If you are generating a client certificate for the Netcool 

GUI Server, create a new directory called $GUI_HOME/ssl. 

2. Change the current directory to the ssl location you created above. 

3. Generate the client certificate using the keytool utility as follows: 

app_home/platform/arch/J2RE/bin/keytool -genkey -alias sm_clnt -keyalg RSA 

-keypass keypassword -storepass storepassword -keystore clntks.jks 

where app_home is $NCSM_HOME, $IMPACT_HOME, $GUI_HOME or $RAD_HOME and 

keypassword and storepassword are password strings of your choice. Passwords must be six 

characters or longer. 

The keytool utility prompts you for the information required to populate and sign the client 

certificate. You must enter the hostname of the system where the Security Manager is running in 

response to the first name and last name prompt. 

This command creates a file named clntks.jks in the current directory. 

4. Export the client certificate using the keytool utility as follows: 

app_home/platform/arch/J2RE/bin/keytool -export -alias sm_clnt -storepass 

storepassword -file client.cer -keystore clntks.jks 

This command creates a file named client.cer in the current directory. This file contains the 

exported certificate. 

5. Add the client certificate to the trust file as follows: 

app_home/platform/arch/J2RE/bin/keytool -import -v -trustcacerts -alias sm_clnt 

-keypass keypassword -storepass storepassword -file client.cer -keystore 

cacerts.jks 

The keytool utility prompts you whether you want to trust this certificate. You must answer Yes. 


Configuring the Security Manager Servlet Service 


The servlet service is an internal component of the Security Manager that runs the Security Manager GUI. 

To configure this service, you set configuration properties in the 

SM_servletservice.props file. This file is located in $NCSM_HOME/etc. 

To configure the servlet service, set the following properties in the 

SM_servletservice.props file: 

impact.http.ssl.enable=true 

impact.ssl.keystore=ncsm_home/ssl/keystore.jks 

impact.ssl.keypass=keypass_encrypt 

where ncsm_home is the directory where the Security Manager is installed and 

keypass_encrypt is the encrypted keystore password you specified when you created the 

keystore.jks file. You must use the ncsm_crypt tool to encrypt the keystore password. This tool 

is located in the $NCSM_HOME/bin directory. 

The following example shows typical values for these properties: 

impact.http.ssk.enable=true 

impact.ssl.keystore=/opt/netcool/security/ssl/keystore.jks 

impact.ssl.keypass=F7EA3A52059022B9F390AD2E9242E81A 


To configure the Security Manager server, set the following properties in the 

$NCSM_HOME/etc/SM_server.props file: 

security.protocol=https 

security.keystore=ncsm_home/ssl/clntks.jks 

security.keypass=keypass_encrypt 

security.truststore=ncsm_home/ssl/cacerts.jks 

security.trustpass=trustpass_encrypt 

where ncsm_home is the directory where the Security Manager is installed and 

keypass_encrypt and trustpass_encrypt are the encrypted keystore and truststore passwords 

that you specified when you created the client certificate on the system where the Security Manager resides. 

You must use the ncsm_crypt tool to encrypt the keystore password. This tool is located in the 

$NCSM_HOME/bin directory. 

The following example shows typical values for these properties: 


security.keystore=/opt/netcool/security/ssl/clntks.jks 

security.keypass=F7EA3A52059022B9F390AD2E9242E81A 

security.truststore=/opt/netcool/security/ssl/cacerts.jks 

security.trustpass=F7EA3A52059022B9F390AD2E9242E81A 



Configuring the Netcool Applications 

The final step in setting up SSL is configuring the Netcool applications. You must configure each 

application that uses the Security Manager for authentication. This includes Netcool/Impact, the Netcool 

GUI Server and Netcool/RAD. 

To configure the Netcool applications, set the properties specified in the above step in each server properties 

file. This file is named servername_server.props or server.props, where servername is 

the name of the server instance, and is located in the etc directory of the product installation. For example, 

the default server properties file for Netcool/Impact is named NCI_server.props and is located in the 

$IMPACT_HOME/etc directory. 

Note: Make sure that you have created client certificates for each of the applications that communicate with 

the Security Manager as described in Creating Client Certificates on page 101. 

The following example shows typical values for SSL properties in the Netcool/Impact server properties file: 


security.keystore=/opt/netcool/impact/ssl/clntks.jks 

security.keypass=F7EA3A52059022B9F390AD2E9242E81A 

security.truststore=/opt/netcool/impact/ssl/cacerts.jks 

security.trustpass=F7EA3A52059022B9F390AD2E9242E81A 

Setting Up SSL Between the Security Manager and an LDAP Server 

The Security Manager supports communication via SSL between the Security Manager server and an LDAP 

server that you are using as an authentication source. 

To set up SSL for use with the Security Manager and an LDAP server, you do the following: 

Configure the LDAP server for use with SSL 

Install the client certificate for the LDAP service in the keystore of the Java Runtime Environment 

(JRE) used by the Security Manager 

Configure the Security Manager Server 

Configuring the LDAP Server 

The first step in setting up SSL communication is to configure the LDAP server. Instructions for configuring 

the LDAP server vary according by product. Typically, you first obtain a server certificate from a certificate 

authority (CA) and install it on the platform used by the LDAP server. Then, you use tools provided by the 

LDAP vendor to enable SSL communication. For more information, see the LDAP server documentation. 


Installing the Client Certificate 


You must install the SSL client certificate in the keystore of the Java Runtime Environment (JRE) used by 

the Security Manager. You first obtain the client certificate from a CA according to the instructions provided 

by the LDAP server vendor. You then install the certificate using the Java keytool utility. This utility is 

located in the $NCSM_HOME/platform/arch/J2RE/bin directory, where arch is the name of the 

operating system where the Security Manager is installed. 

To install the client certificate, enter the following at a command prompt: 

$NCSM_HOME/platform/arch/J2RE/bin/keytool -import -v -trustcacerts -alias aliasname 

-file certname -keystore $NCSM_HOME/platform/arch/lib/cacerts/keystorename 

where aliasname is the alias of the server certificate, certname is the filename of the certificate file and 

keystorename is the name of the keystore file. 


To configure the Security Manager server, you edit the primary type properties file for the LDAP 

authentication source. This file is named smParentType_LDAP.type and is located in the 

$NCSM_HOME/etc directory. 

You must make the following changes to the primary type properties file: 

Set the value of the smParentType_LDAP.PROVIDERURL property to the hostname and SSL 

port used by the LDAP server 

Uncomment the smParentType_LDAP.LDAP.SECURITY.PROTOCOL property. 




NCSMAdm12IX.fm February 9, 2005 5:21 pm 

Index 

A 

authentication 10 

architecture 16 

domains 17 

groups 17 

LDAP 20 

native 20 

NIS 19 

ObjectServer 19 

roles 18 

users 17 

B 

back up the database 96 

C 

configure Netcool applications for failover 97 

configure Netcool applications for SSL 104 

configure primary type properties for failover 98 

configure Security Manager Databases for failover 98 

configure Security Manager server for failover 99 

configure Security Manager server for LDAP 105 

configure Security Manager server for SSL 103 

configure Security Manager servlet service for SSL 103 

create client certificates for SSL 101 

create server certificates for SSL 100 

D 

database 

back up 96 

restore 96 

databases 

configure 97 

default TCP ports, used by Security Manager 95 

domains 17, 48 

creating 50 

deleting 54 

editing 51 

viewing 49 


F 

failover 

about 97 

configure Netcool applications 97 

configure primary type properties 98 

configure Security Manager databases 98 

configure Security Manager server 99 

install instances 97 

set up 97 

set up instances 97 

G 

groups 17, 74 

creating 76 

deleting 81 

editing 78 

setting up defaults 82 

viewing 75 

I 

install client certificates for LDAP 105 

install instances for failover 97 

installing 

Security Manager 22 

instances, primary and secondary 97 

Index

Index 

108 

J 

Java support 13 

L 

LDAP authentication 20 

configuring domain 90 

installing plug-in 89 

setting up 89 

LDAP server configuration for SSL 104 

licensing 


N 

native authentication 20 

NCSM_HOME 24 

NIS authentication 19 

configuring domain 86 

editing plug-in properties file 88 

installing plug-in 85 

setting up 85 

O 

ObjectServer authentication 19 

setting up 84 

P 

port usage 95 

Q 

quorum licensing 26 

R 

refresh interval, configuring 94 

roles 18, 68 

adding and removing for groups 72 

adding and removing for users 70 

S 

viewing 69 

Secure Socket Layer 

configure Netcool applications 104 

set up between Security Manager and an LDAP server 104 

install client certificates 105 

Secure Socket layer 

setting up between Security Manager and an LDAP server 

configure LDAP server 104 


Secure Socket Layer (SSL) 100 


configure Security Manager servlet service 103 

create client certificates 101 

create server certificate 100 

set up between Security Manager and Netcool 

applications 100 


architecture 16 

components 15 

database 15 

environment variables 24 

GUI 39 

installing 22 

licensing 26 

logging in 38 

run in a failover configuration 99 

running 36 

server 15 

system requirements 13 

Security Manager failover 97 

SSL, see Secure Socket Layer 99 

start the Security Manager on UNIX 36 

stop the Security Manager on UNIX 36 

synchronizing users 92 

T 

TCP ports 95 


U 

upgrading 28 

users 17, 56 

creating 58 

deleting 64 

editing 61 

synchronizing 92 

viewing 57 


Index

Index 

110 


ackmatter.fm February 9, 2005 

Contact Information 

Corporate 

Region Address Telephone Fax World Wide Web 

USA Micromuse Inc. (HQ) 

139 Townsend Street 

San Francisco 

CA 94107 

USA 

EUROPE Micromuse Ltd. 

Disraeli House 

90 Putney Bridge Road 

London SW18 1DA 

United Kingdom 

ASIA-PACIFIC Micromuse Ltd. 

Level 2 

26 Colin Street 

West Perth 

Perth WA 6005 

Australia 

Technical Support 

1-800-Netcool (638 2665) 

+1 415 538 9090 

Region Telephone Fax 

USA 1-800-Netcool (800 638 2665) 

+1 415 538 9090 (San Francisco) 

+1 415 538 9091 http://www.micromuse.com 

+44 (0) 20 8875 9500 +44 (0) 20 8875 9995 http://www.micromuse.co.uk 

+61 (0) 8 9213 3400 +61 (0) 8 9486 1116 http://www.micromuse.com.au 

+1 415 538 9091 

EUROPE +44 (0) 20 8877 0073 (London, UK) +44 (0) 20 8875 0991 

ASIA-PACIFIC +61 (0) 8 9213 3470 (Perth, Australia) +61 (0) 8 9486 1116 

E-mail World Wide Web 

GLOBAL support@micromuse.com http://support.micromuse.com 

License Generation Team 

E-Mail World Wide Web 

licensing@micromuse.com http://support.micromuse.com/helpdesk/licenses 


Contact Information 

112

Netcool/Security Manager Administration Guide 1.2 - e IBM Tivoli ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?