TrueSight Middleware Administrator integration options
Determining the TSMA product to integrate with TMTM
When you purchase the TMTM product license, you are also entitled to download and install the Monitor Edition of TSMA, which enables you to administer all of the queue managers in the TMTM object repository from the TSMA consoles. Depending on your licensing, you might also be entitled to install a separately-licensed version of TSMA, which provides additional features. Before starting the TMTM installation, you must know whether your installation of the TMTM product will integrate with the Monitor Edition or the separately-licensed version of TSMA.
When integrating with the Monitor Edition of TSMA, or with a newly installed separately-licensed version of TSMA that will use the same security as TMTM, install and start TSMA first. TMTM configures TSMA for you when the TMTM services are started.
- When installing the Monitor Edition of TSMA, you should always select WebSphere MQ Install Set. Note that the Monitor Edition does not support administering TIBCO EMS. Picking Full Administration Install Set will not enable that feature. During the TMTM installation you must select Monitor Edition.
- When installing a separately-licensed version of TSMA, choose the install set for which you are licensed. During the TMTM installation, you must select New separately licensed installation.
- When using a separately-licensed TSMA installation, the license must support the administration of at least as many queue managers as exist in the TMTM object repository.
- If the separately-licensed TSMA product does not adequately support the queue managers in the TMTM repository, install and integrate TSMA Monitor Edition with TMTM. You can then install the separately-licensed TSMA product to administer selected queue managers. In this case, the separately-licensed instance of TSMA will not be integrated with TMTM, as shown in the following illustration.
When integrating with an existing installation of a separately-licensed version of TSMA, or with a new installation of a separately-licensed version of TSMA that does not use the same security as TMTM, it is recommended that you install and start TSMA as necessary before installing TMTM. When installing a separately-licensed version of TSMA, choose the install set for which you are licensed. During the TMTM installation, you must select Existing separately licensed installation.
User authentication options
TMTM and TSMA support the following user authentication options:
- Local authentication, which uses the distributed directory information service
- External authentication (Delegate Mode), which uses your Active Directory service
When both products use the same authentication method, you can specify the authentication method during the TMTM installation, and the configuration will occur automatically after you start the TMTM services. However, when you choose to configure different authentication methods for the two products, you will specify the authentication mode for the TMTM product during the installation, and you cannot administer the queue manager from the TSMA console.
Note that when installing the Monitor Edition, its authentication mode must match that of the TMTM product.
Local authentication for TMTM and TSMA
The following diagram illustrates TMTM and TSMA using TMTM's security. Although shown as two separate hosts, TMTM and TSMA can reside on the same host computer.
External authentication for TMTM and TSMA
The following diagram illustrates TMTM and TSMA using TMTM's Active Directory for external authentication. Although shown as two separate hosts, TMTM and TSMA can reside on the same host computer.
TMTM and TSMA using separate authentication
Although shown as two separate hosts, TMTM and TSMA can reside on the same host computer.
Users and security
There are three types of users involved with the TMTM and TSMA integration.
- TSMA Integration Administrator: A user with the “TSMA Integration Configuration” permission is allowed to use the mqtool utility, use the three TSMA options in the Object Repository tab, and execute the Create WMQ Connection policy action. In addition, all groups with that permission are added as TSMA Administrators when integration is configured or reconfigured (for example, when changing user IDs, passwords, or license keys). The credentials for a single user with this permission are preserved in the TMTM services.cfg file to log into and configure TSMA as needed. If the user or the user’s password must be changed, it is recommended that you use the mqtool utility to do so. You may change that user’s password on login to the Management Console or via the Security tab. However, do not use mqsusertool, which updates the password directly in the security service. When using Active Directory, you should first change the password in Active Directory. Between the time the password is changed in Active Directory and the time the mqtool utility is executed, any attempts to create additional WMQ Connections, update WMQ Connections, or synchronize groups will fail.
In addition to the “TSMA Integration Configuration” permission, others are required for certain operations. For example, the “Access Object Repository” permission is required for using the TSMA options in the Management Console Object Repository tab. There are also several MQ actions required to create the server connection channel or query MQ information. The “TSMA Administrators” group is provided with the product with all required permissions for TSMA integration enabled. It is recommended that you add users who need to perform these duties to this group in case new permissions are added or required in the future.
- TSMA User: This user is a non-administrative user with access to a TSMA project. Groups with the “TSMA Project Access” or “Enable MQ Actions” permissions may be added to the project when the project is initially created (the first time a WMQ Connection is created) or when synchronizing WMQ Connections.
  - Synchronization of WMQ Connections is enabled and occurs every five minutes by default. For more details on synchronization, see Creating-the-WMQ-Connection-server-connection-channel.
  - Synchronization of groups is enabled when choosing the Monitor Edition or New separately licensed installation. For convenience, the “TSMA Users” group is provided with the product and may be assigned members for users who need access to the TSMA project.
  - Synchronization of mq groups is enabled on upgrade installations when choosing the Monitor Edition or New separately licensed installation. Groups that previously had the “Run CM” permission have the “Enable MQ Actions” permission after the upgrade, so that all users who previously had MQ administrative abilities using the Configuration Manager have similar abilities using TSMA. If you do not want this, you may disable either synchronization of mq groups or synchronization of groups entirely.
See Managing-integration-with-TrueSight-Middleware-Administrator-with-the-CLI for details if synchronization of groups, synchronization of mq groups, or the synchronization interval needs to be changed. Disabling synchronization of groups using the CLI will disable synchronization of mq groups. However, if you need to re-enable this migration feature, you must change the value directly in services.cfg. See the Admin section in services.cfg for more details.
- LDAP User: Credentials that give TSMA access to the security server to authenticate users and retrieve user and group information. The credentials are preserved in the TMTM services.cfg file to configure TSMA as needed. If the credentials must be changed, it is recommended that you use the mqtool utility to do so.
  - Local Authentication/Internal LDAP: The credentials are for a user that requires no permission for other activity in TMTM and does not need to belong to any group. In addition to mqtool, you can change that user’s password on login to the Management Console or via the Security tab. However, do not use mqsusertool, which updates the password directly in the security service.
  - External Authentication/Active Directory (Delegate Mode): The credentials are for a common name (CN). When changing the CN's password, you must first use the mqtool utility to change the password used by TSMA and then change the password in Active Directory. Between the time the mqtool utility is executed and the time the password is changed in Active Directory, users will be unable to log into TSMA.
Feature comparison
The following table compares the features in the licensed version of TSMA that are not fully supported in the TSMA Monitor Edition. Any features not listed are fully supported in the TSMA Monitor Edition (see the TSMA documentation for further information on the full functionality of the product).