No Engine credentials were found on the Services Tier

A forum for discussing DataStage<sup>®</sup> basics. If you're not sure where your question goes, start here.

Moderators: chulett, rschirm, roy

kirankumarreddydesireddy
Participant
Posts: 110
Joined: Mon Jan 11, 2010 4:22 am

No Engine credentials were found on the Services Tier

Post by kirankumarreddydesireddy »

Hi

We have installed Infosphere 8.5 server edition on Windows 2008 server.We have configured Infsophere 8.5 to use LDAP user registry.

We have created 4 global AD Domain groups

DataStage Developers
DataStage Managers
DataStage Operators
DataStage Testers


We have added a user named "testuser" to the one of the AD groups that is to "DataStage Developers"

Now that we had assigned roles to the particulars group (DataStage Developers) in the Infosphere admin console (Administration tab and then in Users and groups and then in groups tab "Assign roles").

What we felt initially was, this set up(since "test user was part of AD Datastage Developers group and this group was assigned suite roles to login to Designer) was enough for the user "testuser" to login to Datastage designer.

However we received the below error

No Engine credentials were found on the Services Tier for the specified user ('testuser') on Information Server Engine 'servername'

However when I mapped the user "testuser" in Domain management (Engine cedentials),I was able to successfully login to Datastage Designer


Since this was my first experience in Datastage admnistration,
My question was Do we need to also map user credentials for "testuser"(in Domain management Engine credentials) even though "testuser" is part of DataStage Developers group that are assigned required roles?

What we felt was,it will become very hard to map all users (for example : "50 users") in Domain management Engine credentials rather than adding this 50 users to "DataStage Developers" AD group and then assign this group the required suite roles.


Can you please provide any info on this.



Thanks
Kiran
samdsx
Premium Member
Premium Member
Posts: 19
Joined: Wed Aug 18, 2010 8:48 pm

Re: No Engine credentials were found on the Services Tier

Post by samdsx »

you can select all 50 user and map their crediantials at once, it might be hard initially but will get used to it :D .
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia
Contact:

Post by ray.wurlod »

Were you actually successful in switching to LDAP authentication? Miss just one OK, Save or Apply click and the whole thing doesn't work, even though it appears to test successfully. Open the WAS admin console again and check.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
kirankumarreddydesireddy
Participant
Posts: 110
Joined: Mon Jan 11, 2010 4:22 am

Post by kirankumarreddydesireddy »

Hi Ray,

Do you mean we haven't set up LDAP correctly in WAS admnistrator ?and hence do you think that is the reason "testuser" is not able to access Datastage designer even though "testuser" is part of DataStage Developers AD groups that are assigned required suite roles?

How do you think we can test it once again?because when we enter all the required credentials for setting up LDAP in WAS administrator appeared the conection test is succesfull.

And also do you agree with the stattement,it is not required to set up individual user (example "testuser" in this case or suppose 50 users) engine credentials in Domain management in Infosphere Information server console as they are part of AD groups which were assigned required suite roles?




Thanks
Kiran
kirankumarreddydesireddy
Participant
Posts: 110
Joined: Mon Jan 11, 2010 4:22 am

Post by kirankumarreddydesireddy »

Hi Ray,

Can you please provide any inputs on the above points we mentioned.



Thanks
Kiran
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia
Contact:

Post by ray.wurlod »

Re-open the WAS console and examine global security to see which method is actually in use.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
kirankumarreddydesireddy
Participant
Posts: 110
Joined: Mon Jan 11, 2010 4:22 am

Post by kirankumarreddydesireddy »

It is pointing to "Standalone LDAP registry" only in the Current realm definition, in the Global security tab in WAS console.

Do you agree with the statement,it is not required to set up individual user (example "testuser" in this case or suppose 50 users) engine credentials in Domain management in Infosphere Information server console as they are part of AD groups which were assigned required suite roles?



Thanks
Kiran
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia
Contact:

Post by ray.wurlod »

I certainly hope so. I'm about to set up a system with more than 30,000 Business Glossary users.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
kirankumarreddydesireddy
Participant
Posts: 110
Joined: Mon Jan 11, 2010 4:22 am

Post by kirankumarreddydesireddy »

Thanks Ray.

We are not sure why we are unable to connect to Designer through "testuser" however this is part of AD group.we are able to connect only when we define "testuser" in Engine credentials in Domain management in Information server web console.

Do you think any problem with the AD groups we defined in LDAP?


Thanks
Kiran
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia
Contact:

Post by ray.wurlod »

Do you have default Engine credentials defined? That is, a login that is used for users without specific credentials?
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
kirankumarreddydesireddy
Participant
Posts: 110
Joined: Mon Jan 11, 2010 4:22 am

Post by kirankumarreddydesireddy »

Thanks Ray,

As mentioned by you,We had defined the default credentials(i.e primary administrative name defined in WAS) in Domain management :Engine credentials:Open configuration in Infosphere server web console

Then,we just added the "test user" to AD group and we haven't mapped user credentials in Domain management :Engine credentials and it worked.

We are able to login to datastage designer now.

We assume the "test user" will have access only to the roles assigned by the AD group.(i.e the AD group in which "testuser" is defined) and we guess we should not assign "Datastage and Qualitystage administrator" role to this group since we have primary administrative name(which was defined in WAS) for all administrative purpose.

please correct us if it is not the primary administrative name defined in WAS that we need define in Domain management :Engine credentials:Open configuration in Infosphere server web console?



Thanks
Kiran
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia
Contact:

Post by ray.wurlod »

When you first convert to LDAP authentication you run the AppServerAdmin script to assign the initial administrative user which, since it's the only one extant, tends to be the WAS administrator. Best practice, however, is not to use that user as the Information Server administrator but, instead, to create one or more separate identities for the Information Server administrator. Even more best practice is to create at least one of these with a non-expiring password ("service account").
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
kirankumarreddydesireddy
Participant
Posts: 110
Joined: Mon Jan 11, 2010 4:22 am

Post by kirankumarreddydesireddy »

Hi Ray,

Actually we had installed Infosphere Server 8.5v server edition on Windows 2008 server and we are not aware of AppServerAdmin script you have mentioned.


What we did was :

We had installed Infosphere Server 8.5v server edition on Windows 2008 server with a service account.(say "testadmin") and this was the only purpose "testadmin" account is used.

We had then converted into LDAP and configured primary administrative user(say "etladmin") in WAS console and mapped "etladmin" credentials in Domain management Engine credentials in Information server web console.We are using the "etladmin" user for all the administrative purposes(say loging into Information server web console and assigning suite roles to AD groups we defined) and hence we thought that "etladmin" will have all the administrative priviliges for the suite we installed.


Once it is done,we thought of giving access to individaul users in the team and hence as you suggested to define default credentails(say "etladmin") to avoid inidividual mapping to all say 50 users,it worked and we are adding the required users in the team to AD group(say Datastage developers) and assign the roles to this group in Information server web console.
and we thought,it is is the way it works.

Please correct us if you think we are not following the best practices?
(we had no earlier datastage 8.5 admin experience and we just learnt from here)


Thanks
Kiran
kirankumarreddydesireddy
Participant
Posts: 110
Joined: Mon Jan 11, 2010 4:22 am

Post by kirankumarreddydesireddy »

Hi Ray,


Can you please provide any inputs on the above points we mentioned.



Thanks
Kiran
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia
Contact:

Post by ray.wurlod »

There are four different scenarios around how you can set up engine credentials - shared/non-shared, default/no default. All are well described in the Administration manual.

Authentication, which is separate, can be done in at least three ways; internal, operating system or LDAP.

So far, therefore, we have twelve options. There's no "best practice" - you choose "appropriate to site" practice. If you have something that both works and meets your needs, that's appropriate.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
Post Reply