DSXchange: DataStage and IBM Websphere Data Integration Forum
This topic has been marked "Resolved."
kirankumarreddydesireddy
Participant



Joined: 11 Jan 2010
Posts: 107

Points: 1951

Posted: Wed Dec 21, 2011 6:51 am

DataStage® Release: 8x
Job Type: Server
OS: Windows
Hi

We have installed InfoSphere 8.5 Server Edition on Windows 2008 Server. We have configured InfoSphere 8.5 to use the LDAP user registry.

We have created 4 global AD domain groups:

DataStage Developers
DataStage Managers
DataStage Operators
DataStage Testers

We have added a user named "testuser" to one of the AD groups, that is, to "DataStage Developers".

We then assigned roles to that particular group (DataStage Developers) in the InfoSphere admin console (Administration tab, then Users and Groups, then in the Groups tab "Assign roles").

What we felt initially was that this setup (since "testuser" was part of the AD DataStage Developers group and this group was assigned suite roles to log in to Designer) was enough for the user "testuser" to log in to DataStage Designer.

However, we received the below error:

No Engine credentials were found on the Services Tier for the specified user ('testuser') on Information Server Engine 'servername'

However, when I mapped the user "testuser" in Domain Management (Engine credentials), I was able to successfully log in to DataStage Designer.

Since this was my first experience in DataStage administration, my question was: do we need to also map user credentials for "testuser" (in Domain Management Engine credentials) even though "testuser" is part of the DataStage Developers group that is assigned the required roles?

What we felt was that it will become very hard to map all users (for example, 50 users) in Domain Management Engine credentials, rather than adding these 50 users to the "DataStage Developers" AD group and then assigning this group the required suite roles.

Can you please provide any info on this?



Thanks
Kiran
samdsx



Group memberships:
Premium Members

Joined: 18 Aug 2010
Posts: 19

Points: 97

Posted: Wed Dec 21, 2011 1:57 pm

You can select all 50 users and map their credentials at once; it might be hard initially, but you will get used to it :D

ray.wurlod

Premium Poster
Participant

Group memberships:
Premium Members, Inner Circle, Australia Usergroup, Server to Parallel Transition Group

Joined: 23 Oct 2002
Posts: 51925
Location: Sydney, Australia
Points: 281946

Posted: Wed Dec 21, 2011 3:08 pm

Were you actually successful in switching to LDAP authentication? Miss just one OK, Save or Apply click and the whole thing doesn't work, even though it appears to test successfully. Open the WAS ad ...

_________________
RXP Services Ltd
Melbourne | Canberra | Sydney | Hong Kong | Hobart | Brisbane
currently hiring: Sydney and Melbourne

kirankumarreddydesireddy
Posted: Thu Dec 22, 2011 12:44 am

Hi Ray,

Do you mean we haven't set up LDAP correctly in the WAS administrator, and hence do you think that is the reason "testuser" is not able to access DataStage Designer even though "testuser" is part of the DataStage Developers AD groups that are assigned the required suite roles?

How do you think we can test it once again? When we entered all the required credentials for setting up LDAP in the WAS administrator, it appeared that the connection test was successful.

And do you also agree with the statement that it is not required to set up individual user (for example "testuser" in this case, or suppose 50 users) engine credentials in Domain Management in the InfoSphere Information Server console, as they are part of AD groups which were assigned the required suite roles?




Thanks
Kiran

kirankumarreddydesireddy
Posted: Fri Dec 23, 2011 12:33 am

Hi Ray,

Can you please provide any inputs on the above points we mentioned?



Thanks
Kiran

ray.wurlod
Posted: Fri Dec 23, 2011 2:46 am

Re-open the WAS console and examine global security to see which method is actually in use.

kirankumarreddydesireddy
Posted: Fri Dec 23, 2011 3:36 am

It is pointing to "Standalone LDAP registry" only in the Current realm definition, in the Global security tab in WAS console.

Do you agree with the statement that it is not required to set up individual user (for example "testuser" in this case, or suppose 50 users) engine credentials in Domain Management in the InfoSphere Information Server console, as they are part of AD groups which were assigned the required suite roles?



Thanks
Kiran

ray.wurlod
Posted: Fri Dec 23, 2011 9:35 pm

I certainly hope so. I'm about to set up a system with more than 30,000 Business Glossary users.

kirankumarreddydesireddy
Posted: Sat Dec 24, 2011 10:37 am

Thanks Ray.

We are not sure why we are unable to connect to Designer through "testuser", although this is part of the AD group. We are able to connect only when we define "testuser" in Engine credentials in Domain Management in the Information Server web console.

Do you think there is any problem with the AD groups we defined in LDAP?


Thanks
Kiran

ray.wurlod
Posted: Sat Dec 24, 2011 1:35 pm

Do you have default Engine credentials defined? That is, a login that is used for users without specific credentials?

kirankumarreddydesireddy
Posted: Mon Dec 26, 2011 1:02 am

Thanks Ray,

As mentioned by you, we had defined the default credentials (i.e. the primary administrative name defined in WAS) in Domain Management : Engine credentials : Open configuration in the InfoSphere server web console.

Then we just added the "test user" to the AD group, and we haven't mapped user credentials in Domain Management : Engine credentials, and it worked.

We are able to log in to DataStage Designer now.

We assume the "test user" will have access only to the roles assigned by the AD group (i.e. the AD group in which "testuser" is defined), and we guess we should not assign the "DataStage and QualityStage Administrator" role to this group since we have the primary administrative name (which was defined in WAS) for all administrative purposes.

Please correct us if it is not the primary administrative name defined in WAS that we need to define in Domain Management : Engine credentials : Open configuration in the InfoSphere server web console.



Thanks
Kiran

ray.wurlod
Posted: Mon Dec 26, 2011 4:33 am

When you first convert to LDAP authentication you run the AppServerAdmin script to assign the initial administrative user which, since it's the only one extant, tends to be the WAS administrator. Bes ...

kirankumarreddydesireddy
Posted: Mon Dec 26, 2011 5:03 am

Hi Ray,

Actually, we had installed InfoSphere Server 8.5v Server Edition on Windows 2008 Server, and we are not aware of the AppServerAdmin script you have mentioned.

What we did was:

We had installed InfoSphere Server 8.5v Server Edition on Windows 2008 Server with a service account (say "testadmin"), and this was the only purpose the "testadmin" account is used for.

We had then converted to LDAP and configured the primary administrative user (say "etladmin") in the WAS console and mapped the "etladmin" credentials in Domain Management Engine credentials in the Information Server web console. We are using the "etladmin" user for all the administrative purposes (say, logging into the Information Server web console and assigning suite roles to the AD groups we defined), and hence we thought that "etladmin" will have all the administrative privileges for the suite we installed.

Once that was done, we thought of giving access to individual users in the team, and hence, as you suggested, we defined default credentials (say "etladmin") to avoid individual mapping for all, say, 50 users. It worked, and we are adding the required users in the team to the AD group (say DataStage Developers) and assigning the roles to this group in the Information Server web console.
We thought that is the way it works.

Please correct us if you think we are not following the best practices.
(We had no earlier DataStage 8.5 admin experience and we just learnt from here.)


Thanks
Kiran

kirankumarreddydesireddy
Posted: Tue Dec 27, 2011 2:56 am

Hi Ray,


Can you please provide any inputs on the above points we mentioned?



Thanks
Kiran

ray.wurlod
Posted: Tue Dec 27, 2011 3:39 pm

There are four different scenarios around how you can set up engine credentials - shared/non-shared, default/no default. All are well described in the Administration manual. Authentication, whic ...

All times are GMT - 6 Hours