TrueSight Middleware Administrator integration options

During the installation of the TrueSight Middleware and Transaction Monitor (TMTM) product, you choose the method in which to integrate the product with TrueSight Middleware Administrator (TSMA). The integration of the two products enables you to administer the same queue managers shown in the TMTM object repository from the TSMA console. Before installing the TMTM product, you must determine the security and queue manager integration options for your environment. 

Refer to the following sections to view the different options so that you can plan for the integration and gather the information that you will need during the installation process.

BMC recommends that you install, but not configure, the TSMA product before starting the TMTM installation (you cannot use the TSMA Monitor Edition until the TMTM installation has completed and TMTM Services are running). Following the successful installation of TMTM, the product automatically configures TSMA by installing the execution key, filling in the security fields, and by adding the administrator user and group when you start the services.

If you do not follow the recommended process, you must manually configure the integration between TSMA and TMTM using the mqtool utility.

Note

In order to use the HTTP Request Header verification security feature of MVMA 9.0, TMTM Fix Pack D or later must be applied. Otherwise, refer to the MVMA documentation for information on how to disable this feature.

Tip

The planning information on this page corresponds to the "Configuring Integration with TrueSight Middleware Administrator" screens in the TMTM installation wizard. To log your decisions, download the Installation worksheet.

Upgrading from an earlier version?

TSMA Monitor Edition replaces Configuration Manager.

Note that TSMA was rebranded MVMA for version 9.0. TMTM 8.1 supports both TSMA 8.2 and MVMA 9.0.

Determining the TSMA product to integrate with TMTM


When you purchase the TMTM product license, you are also entitled to download and install the Monitor Edition of TSMA, which enables you to administer all of the queue managers in the TMTM object repository from the TSMA consoles. Depending on your licensing, you might also be entitled to install a separately-licensed version of TSMA, which provides additional features. Before starting the TMTM installation, you must know whether your installation of the TMTM product will integrate with the Monitor Edition or the separately-licensed version of TSMA.

When integrating with the Monitor Edition of TSMA, or with a newly installed separately-licensed version of TSMA that will use the same security as TMTM, install and start TSMA first. TMTM configures TSMA for you when the TMTM services are started.

  • When installing the Monitor Edition of TSMA, you should always select WebSphere MQ Install Set. Note that the Monitor Edition does not support administering TIBCO EMS. Picking Full Administration Install Set will not enable that feature. During the TMTM installation you must select Monitor Edition.
  • When installing a separately-licensed version of TSMA, choose the install set for which you are licensed. During the TMTM installation, you must select New separately licensed installation.
    • When using a separately-licensed TSMA installation, the license must support the administration of the same or greater number of queue managers that exist in the TMTM object repository.
    • If the separately-licensed TSMA product does not adequately support the queue managers in the TMTM repository, install and integrate TSMA Monitor Edition with TMTM. You can then install the separately-licensed TSMA product to administer selected queue managers. In this case, the separately-licensed instance of TSMA will not be integrated with TMTM, as shown in the following illustration.

When integrating with an existing installation of a separately-licensed version of TSMA, or with a new installation of a separately-licensed version of TSMA that does not use the same security as TMTM, it is recommended that you install and start TSMA as necessary before installing TMTM. When installing a separately-licensed version of TSMA, choose the install set for which you are licensed. During the TMTM installation, you must select Existing separately licensed installation.


Note that when working with the Monitor Edition of TSMA, you cannot administer TIBCO EMS with the Monitor Edition license.


(Illustration: twoTSMAS)

User authentication options

TMTM and TSMA support the following user authentication options:

Note

The TMTM and TSMA products use LDAP as the underlying security method for all user authentications. In the documentation, LDAP refers to this underlying security method, not an external LDAP directory service, otherwise known as a Directory System Agent. Connecting to a Directory System Agent is not supported.  

When both products use the same authentication method, you can specify the authentication method during the TMTM installation, and the configuration will occur automatically after you start the TMTM services. However, when you choose to configure different authentication methods for the two products, you will specify the authentication mode for the TMTM product during the installation, and you cannot administer the queue manager from the TSMA console.

Note that when installing the Monitor Edition, its authentication mode must match that of the TMTM product. 

Local authentication for TMTM and TSMA

The following diagram illustrates TMTM and TSMA using TMTM's security. Although shown as two separate hosts, TMTM and TSMA can reside on the same host computer.

(Diagram: sharedTMTM_security)

External authentication for TMTM and TSMA

The following diagram illustrates TMTM and TSMA using TMTM's Active Directory for external authentication. Although shown as two separate hosts, TMTM and TSMA can reside on the same host computer.

(Diagram: activeDirectoryTSMA_TMTM)

TMTM and TSMA using separate authentication

Although shown as two separate hosts, TMTM and TSMA can reside on the same host computer.

(Diagram: ownSecurityTMTM_TSMA)

Users and security

There are three types of users involved with the TMTM and TSMA integration.

  • TSMA Integration Administrator: A user with the “TSMA Integration Configuration” permission is allowed to use the mqtool utility, use the three TSMA options in the Object Repository tab, and execute the Create WMQ Connection policy action. In addition, all groups with that permission are added as TSMA Administrators when integration is configured or reconfigured (for example, when changing user IDs, passwords, license keys, and so on). The credentials for a single user with this permission are preserved in the TMTM services.cfg file to log into and configure TSMA as needed. If the user or the user’s password must be changed, it is recommended that you use the mqtool utility to do so. You may change that user’s password on login to the Management Console or via the Security tab. However, do not use mqsusertool, which updates the password directly in the security service. When using Active Directory, you should first change the password in Active Directory. Between the time the password is changed in Active Directory and the time the mqtool utility is executed, any attempts to create or update WMQ Connections or to synchronize groups will fail.

    In addition to the “TSMA Integration Configuration” permission, others are required for certain operations. For example, the “Access Object Repository” permission is required for using the TSMA options in the Management Console Object Repository tab. There are also several MQ actions required to create the server connection channel or query MQ information. The “TSMA Administrators” group is provided with the product with all required permissions for TSMA integration enabled. It is recommended that you add users who need to perform these duties to this group in case new permissions are added or required in the future.
  • TSMA User: This user is a non-administrative user with access to a TSMA project. Groups with the “TSMA Project Access” or “Enable MQ Actions” permissions may be added to the project when the project is initially created (the first time a WMQ Connection is created) or when synchronizing WMQ Connections.
    • Synchronization of WMQ Connections is enabled and occurs every five minutes by default.  For more details on synchronization see Creating the WMQ Connection server connection channel.
    • Synchronization of groups is enabled when choosing the Monitor Edition or New separately licensed installation.  For convenience, the “TSMA Users” group is provided with the product and may be assigned members for users who need access to the TSMA project.
    • Synchronization of mq groups is enabled on upgrade installations when choosing the Monitor Edition or New separately licensed installation. Groups that used to have the "Run CM" permission now have the "Enable MQ Actions" permission after upgrade, so that all users who previously had MQ administrative abilities using the Configuration Manager will have similar abilities using TSMA. If you do not want this, you may disable either synchronization of mq groups or synchronization of groups entirely.

See Managing integration with TrueSight Middleware Administrator with the CLI for details if synchronization of groups, synchronization of mq groups or the synchronization interval need to be changed.  Disabling synchronization of groups using the CLI will disable synchronization of mq groups.  However, if you need to re-enable this migration feature you must change the value directly in services.cfg.  See the [Admin] section in services.cfg for more details.  
 

  • LDAP User: Credentials that give TSMA access to the security server to authenticate users and retrieve user and group information. The credentials are preserved in the TMTM services.cfg file to configure TSMA as needed. If the credentials must be changed, it is recommended that you use the mqtool utility to do so.
    • Local Authentication/Internal LDAP: The credentials are for a user that requires no permission for other activity in TMTM and does not need to belong to any group. In addition to mqtool, you can change that user’s password on login to the Management Console or via the Security tab. However, do not use mqsusertool, which updates the password directly in the security service.
    • External Authentication/Active Directory (Delegate Mode): The credentials are for a common name (CN). When changing the CN's password, you must first use the mqtool utility to change the password used by TSMA and then change the password in Active Directory. Between the time the mqtool utility is executed and the time the password is changed in Active Directory, users will be unable to log into TSMA.

Note

When using Active Directory, the TMTM pre-configured groups added during installation for TSMA administrator or user project access may not exist in Active Directory. You can remove those groups from TMTM and TSMA to avoid the possible risk where a group is added to your AD and happens to match the TMTM group name (which would result in unintended access to either TMTM or TSMA). If you remove them from TMTM and synchronization of groups is enabled, the removed groups will also be removed from the TSMA project. If you remove an administrative group you will need to use the mqtool utility with the --reconfigure option, or manually remove it from within TSMA.

Integration properties

When you choose to integrate the two products during the installation or upgrade, you must first install the TSMA product and know the following information about the TSMA installation:

| Requirement | Notes |
| --- | --- |
| License key for TSMA | License key that was provided when you purchased the license. |
| Location of TSMA | Host name or IP address where TSMA is installed |
| TSMA project | TSMA project that will contain discovered queue managers from TMTM |
| HTTPS trust store | For TMTM to connect securely to TSMA using HTTPS, the TSMA certificate must be installed into a TMTM trust store. BMC recommends that you choose a unique trust store for this purpose so it can be easily recreated without losing other certificates. If the trust store file does not exist, you can use any password. If it already exists, you must know the password of the existing trust store file. You will need this password to access or add additional certificates in the future. The TMTM installation program will attempt to fetch the certificate from your running TSMA installation. |

Local Authentication / Internal LDAP

| Requirement | Notes |
| --- | --- |
| TSMA administrator credentials | This user defaults to admin_user and a password is generated. |
| LDAP user credentials | This user defaults to ldap_user and a password is generated. |

External Authentication / Active Directory (Delegate Mode)

You may need to obtain this information from your Active Directory Administrator. For additional details see Configuring the Active Directory security mode with the Security Configuration tool v8.1.

| Requirement | Notes |
| --- | --- |
| Active Directory Domain Name | Active Directory domain name. |
| Active Directory Security Transport Type | SSL, SASL or SSL/SASL |
| Base Active Directory Fully Qualified Domain Name | The base Active Directory fully qualified domain name. |
| TSMA administrator credentials | The user must exist and the password must match that in Active Directory; the user must also be a member of an AD group that has been defined in the TMTM Security tab. |
| Common Name (CN) Credentials | The common name of a user which can read entries in the directory. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
| LDAP User Search Base | The base DN from which searches for user information occur. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
| LDAP User Search Filter | The search filter used to identify users. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
| LDAP Users Search Filter | The search filter used to find users within the directory. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
| LDAP User Name Attribute | This is used to identify the text to use as the username. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
| LDAP Group Search Base | This is the base DN used to search for groups. Groups should be somewhere down the sub tree rooted by this DN. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
| LDAP Group Search Filter | This is the search filter expression used to find groups by name. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
| LDAP Group Member Search Filter | This is the search filter expression used to determine members of groups. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
| LDAP Groups Search Filter | This is the search filter expression that returns group names. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
| LDAP Group Name Attribute | This is the attribute that represents the name of a group. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
| LDAP Group Member Attribute | This is the attribute that represents a member of a group. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
| LDAP Max Nested Group Recursion Level | Limits the amount of recursion used to find nested groups. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
| List of domain controllers | The list may be able to be discovered or you may specify the list. |
| Certificates | You may capture certificates from selected domain controllers or import them. Obtain certificates to import from your Active Directory administrator. |


Best Practice

When integrating TSMA with TMTM, BMC recommends that you provide the TSMA properties during the installation of TMTM and let the installation program configure the installation.

Troubleshooting or other information

If the only purpose for this trust store is for TSMA accessibility you can always remove the file and recreate it using the mqtool utility.

If your TSMA service is not currently running, this installer will be unable to retrieve the certificate, as the certificate is only available when TSMA is running.  In that event, you will have to run the command line utility "mqtool --reconfigure" at a later time. 

Queue Manager and WMQ connection considerations

A queue manager in TSMA is represented as a WMQ Connection, which contains the necessary information to connect to the queue manager as a client. TMTM can assist in creating the WMQ Connections as agent and WebSphere MQ extension packages are deployed and configured or immediately after an upgrade for existing installations. The following three options are supported:

  • TMTM agent and WebSphere MQ extension using local MQ bindings (i.e., residing on the same machine as the queue manager).
  • TMTM agentless configuration where TMTM and TSMA connect to a queue manager using different server connection channels.
  • TMTM agentless configuration where the TMTM agent and WebSphere MQ extension reside on the same machine as TSMA and connect to a queue manager using the same server connection channel. Because TSMA might require more permissions than TMTM for administrative purposes (with TSMA being an MQ client connection it may require more queue manager permissions or authority to perform MQ related administrative tasks than TMTM and its MQ client connection), BMC does not recommend this configuration.

Note

Configuring the WMQ connection is a post-installation task. For details, see Creating the WMQ Connection server connection channel.

When integrating with TrueSight Middleware Administrator, queue statistics are collected via the "Reset Queue Statistics" command in TrueSight Middleware Administrator. This command, however, resets those statistics to zero so they are no longer available to other (monitoring) applications, such as TrueSight Middleware and Transaction Monitor. In order to prevent this, configuration settings can be modified; see How to prevent TrueSight Middleware Administrator from resetting WebSphere MQ queue statistics.

TMTM monitoring with local agent

In this setup, TSMA uses its own server connection channel to connect to the queue manager and you can set up channel authentication. TMTM has a local bindings connection to the queue manager.

(Diagram: tmtmWLocalAgent)

TMTM agentless monitoring with separate channels

In this setup, each connection to the queue manager uses its own server connection channel, which enables you to restrict connections to those from Host A or Host B, respectively.

Because each channel can specify different authentication, BMC recommends this configuration when TMTM uses an agentless configuration on the queue manager host server.

(Diagram: agentlessSeparateChannel)
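
The separate-channel layout described above, sketched as MQSC commands for runmqsc. This is an added example, not configuration from BMC or from the original page. The channel names, mapped user IDs, group names, and the 192.0.2.x addresses standing in for the TMTM and TSMA hosts are assumptions, and the authorities each product actually requires come from its own documentation.

```mqsc
* Added example. All names and addresses below are assumptions, not BMC defaults.
* Channel authentication records must be enabled for the rules below to apply.
ALTER QMGR CHLAUTH(ENABLED)

* One server connection channel per product.
DEFINE CHANNEL('TMTM.MON.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       DESCR('TMTM agentless monitoring') REPLACE
DEFINE CHANNEL('TSMA.ADM.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       DESCR('TSMA administration') REPLACE

* Default deny: refuse every client address on each channel.
SET CHLAUTH('TMTM.MON.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) DESCR('Deny all by default') ACTION(REPLACE)
SET CHLAUTH('TSMA.ADM.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) DESCR('Deny all by default') ACTION(REPLACE)

* Then admit only the owning host on each channel and map it to that
* product's own user. The more specific address rule takes precedence
* over the '*' rule above.
SET CHLAUTH('TMTM.MON.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.10') +
    USERSRC(MAP) MCAUSER('tmtmmon') DESCR('TMTM host only') ACTION(REPLACE)
SET CHLAUTH('TSMA.ADM.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.20') +
    USERSRC(MAP) MCAUSER('tsmaadm') DESCR('TSMA host only') ACTION(REPLACE)

* Separate users allow separate authority. Illustrative grants only:
* tmtmmon is assumed to belong to group tmtmgrp, tsmaadm to tsmagrp.
SET AUTHREC OBJTYPE(QMGR) GROUP('tmtmgrp') AUTHADD(CONNECT, INQ, DSP)
SET AUTHREC PROFILE('**') OBJTYPE(QUEUE) GROUP('tmtmgrp') AUTHADD(INQ, DSP)
SET AUTHREC OBJTYPE(QMGR) GROUP('tsmagrp') AUTHADD(CONNECT, INQ, DSP, CHG)
SET AUTHREC PROFILE('**') OBJTYPE(QUEUE) GROUP('tsmagrp') +
    AUTHADD(INQ, DSP, CHG, CLR)

* Check which rule an inbound connection would match. The TSMA host's
* address tried against the TMTM channel should resolve to the deny rule.
DISPLAY CHLAUTH('TMTM.MON.SVRCONN') MATCH(RUNCHECK) +
        ADDRESS('192.0.2.20') CLNTUSER('anyuser')

* Review the full rule set for both channels.
DISPLAY CHLAUTH('TMTM.MON.SVRCONN') ALL
DISPLAY CHLAUTH('TSMA.ADM.SVRCONN') ALL
```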

TMTM agentless monitoring with shared channel 

In this configuration, each connection to the queue manager shares the same server connection channel and the same channel authentication.

Because you might want different authentication for TMTM and TSMA, BMC does not recommend this configuration when TMTM uses an agentless configuration on the queue manager host computer.

(Diagram: agentlessSharedChannel)


Feature comparison

The following table compares the features in the licensed version of TSMA that are not fully supported in the TSMA Monitor Edition. Any features not listed are fully supported in the TSMA Monitor Edition (see the TSMA documentation for further information on the full functionality of the product).

Note

When standard TSMA functionality is not available for the Monitor Edition users, an "Access restricted by licensing" message is displayed for the selected feature in the User/Admin Console.


| Console / Sub-component | Feature | TSMA | TSMA Monitor Edition |
| --- | --- | --- | --- |
| Admin Console | | | |
| Global Actions bar | Events | + | Not supported |
| | Options | + | Limited |
| Navigation panel | Users | + | Not supported |
| | Groups | + | Not supported |
| | Filters | + | Not supported |
| | Settings | + | Not supported |
| | Security | + | Limited |
| | EMS Connections | + | Not supported |
| Workspace | Users | + | Not supported |
| | Groups | + | Not supported |
| | Projects | + | Limited |
| | Filters Summary | + | Not supported |
| | Filter Properties | + | Not supported |
| | Security | + | Limited |
| | Settings | + | Not supported |
| | EMS Connections Summary | + | Not supported |
| | WMQ Connections Summary | + | Limited |
| | WMQ Connection Properties | + | Limited |
| User Console | | | |
| Global Actions bar | Events | + | Not supported |
| | Options | + | Limited |
| Navigation panel | Tags Tab | + | Not supported |
| | Layout Editor | + | Not supported |
| | All Queue Manager Connections | + | Not supported |
| | Queue Statistics | + | Not supported |
| | Scheduled Tasks | + | Not supported |
| | Archives | + | Not supported |
| | Import/Export | + | Limited |
| | Manage Objects | + | Not supported |
| | Dashboard | + | Not supported |
| Workspace | Scheduling Operations | + | Not supported |
| | Tagging Objects | + | Not supported |
| | Manage Layouts | + | Not supported |
