Security

Compuware Enterprise Services provides the ability to secure access to Compuware web products, product functions, administrative functions, and REST endpoints. With security enabled, a user must provide credentials to access Compuware web products. By default, administrative functions are restricted and users will only have access to the base web product functions. Restricted functions do not display in the user interface and REST endpoints will be inaccessible.

The Security page has five tabs:

  • Personal Access Tokens tab

  • Security tab

  • Users tab

  • Groups tab

  • Roles tab

 

Personal Access Tokens tab

The Personal Access Tokens tab allows you to manage personal access tokens. Personal access tokens are used in place of your credentials when performing ISPW operations using the ISPW API. Personal access tokens are a widespread standard used across well-known organizations and services.

A personal access token is required to authenticate with ISPW when using the ISPW API.

When accessing the Personal Access Tokens tab, a list of configured personal access tokens is displayed, showing the user name, generated token, host, and port. The number of personal access tokens displayed in the list at a given time can be changed by selecting a different value in the option field below the list. The default is 25 entries per page but can be changed to 10, 25, 50, 100, 500, or all.

 

To access a Personal Access Token

In Compuware Enterprise Services, select Administration > Security, and then select the Personal Access Tokens tab.

 

To add a Personal Access Token

  1. From the Personal Access Tokens tab, click Add.

  2. Complete each of the required fields. If you choose to create a secure host connection, be sure that the port used is already defined as a secure port on the host mainframe.

  • User Name – The RACF login name that will be associated with the token.

  • Token –  A generated token used when making API requests.

  • Host Connection – z/OS host system name or IP address that is running ISPW.

  3. When complete, click OK to add the personal access token to the list of personal access tokens.

To edit a Personal Access Token

  1. From the Personal Access Tokens tab, select the personal access token to be edited by clicking on it, and then click Edit.

  2. Modify the content of the field(s) as needed. If you choose to create a secure host connection, be sure that the port used is already defined as a secure port on the host mainframe. You may also modify the password.

  3. When complete, click OK. The personal access token has been edited and returned to the list of personal access tokens.

To remove a Personal Access Token

  1. From the Personal Access Tokens tab, select the Personal Access Token to be removed. You may remove more than one at a time.

  2. Click Remove. The selected Personal Access Token is removed from the list.

 

Security tab

The Security tab allows you to enable secure access to administrative functions of Compuware Enterprise Services.

User authentication is achieved through the use of the Compuware Enterprise Services internal authentication system, or by utilizing your existing LDAP, X.509, or Kerberos enterprise authentication system. By enabling security, you are able to manage Users, Groups, and Roles.

Although you are not required to secure access to Compuware web products, you should consult with the network security group at your site to determine whether or not to enable security for Compuware Web Products.

To access security settings in Compuware Enterprise Services, select Administration > Security, and then select the Security tab.

Authentication Mode

The authentication mode provides the ability to enable or disable security, configure settings that apply to all authentication systems, and configure an authentication system. To enable security, set the authentication mode switch to On.

To support older versions of integrated Compuware products that do not support Compuware Enterprise Services security, options are available to disable security for those specific products. By default, security is disabled (Off) for all of the integrated Compuware products to ensure that these integrations continue to work with Compuware Enterprise Services. Security can be enabled (On) for those Compuware products which have a release version compatible with Compuware Enterprise Services security.

  • Require CMSC authentication – Requires CMSC to authenticate via a preshared key. To enable CMSC authentication, set the switch to On.

  • Require Topaz Workbench user authentication – Requires Topaz Workbench to authenticate using any of the four authentication modes. Without this enabled, Topaz users authenticate anonymously. To enable Topaz Workbench user authentication, set the switch to On.

  • Disable Abend-AID Viewer Find and Fix requests – Abend-AID Viewer does not support authentication. To disable Abend-AID Viewer Find and Fix requests, set the switch to On.

You may choose to enable the use of LDAP Groups:

  • Use LDAP Groups – When enabled, this function allows CES groups to be mapped to LDAP configured groups. Set the switch to On.

  • Attribute for group membership – The LDAP attribute on a user object that returns information about group memberships. Enter an attribute in this field.

Mappings are done on the CES Group Configuration Screen. Once mapped, users retain Group membership, even when Use LDAP Groups is switched off.

CES Groups and LDAP groups have a one-to-one relationship.

 

Internal

With security mode set to Internal

When security is enabled with the Internal authentication mode, Compuware Enterprise Services manages authenticating users, as well as managing user names and passwords. This mode is appropriate when you do not have an enterprise authentication system, or you do not wish to integrate with an enterprise authentication system. This mode replaces previous functionality in Compuware Enterprise Services and iStrobe where passwords were required for administrator access. It also replaces the functionality in iStrobe that required authentication with a user name only.

  1. From the Security window in Administration, toggle the Authentication Mode to On.

  2. Select the Internal option.

  3. To allow new users to self register when they authenticate for the first time in a Compuware web product, toggle Allow new users to self register to On.

  4. Enter a user name and password for the main administrator of Compuware Enterprise Services.

  5. Click Apply to save and apply the security settings. Compuware Enterprise Services will restart to implement the changes to the security settings.

LDAP

To configure and enable security using LDAP

When security is enabled with an LDAP authentication server, Compuware web products will authenticate users with that LDAP server. This mode offers better user management since user accounts are stored in a centralized LDAP server. Valid LDAP users are registered with Compuware Enterprise Services during the user's initial login to a Compuware web product.

  1. From the Security window in Administration, toggle the Authentication Mode to On.

  2. Select the LDAP option.

  3. Enter the following required information in each of the fields:

  • LDAP server URL

  • LDAP server port number

  • Bind with, either Search filter or User DN

  • Distinguished Name (DN)

  • Password for DN (only required when binding with a search filter)

  • Search base (only required when binding with a search filter)

  • Search filter (only required when binding with a search filter)

  • Administrator(s). Do not include the domain name in this field

  4. Click LDAP Server Connection Test. If an LDAP server connection is available, you will be able to apply this security configuration.

  5. Click Apply to save and apply the security settings. Compuware Enterprise Services will restart to implement the changes to the security settings.

Kerberos

To configure and enable security using Kerberos

Enabling security with Kerberos single sign on offers additional advantages over LDAP, such as faster and more secure authentication, as well as users being automatically authenticated when accessing a Compuware web product.

  1. From the Security window in Administration, toggle the Authentication Mode to On.

  2. Select the Kerberos option.

  3. Enter the following required information in each of the fields:

  • Service principal

  • Keytab location

  • Administrator(s)

  4. Click Kerberos login test. If you are able to log in, you will be able to apply this security configuration.

  5. Click Apply to save and apply the security settings. Compuware Enterprise Services will restart to implement the changes to the security settings.

Client Certificate

To configure and enable security using a client certificate (X.509)

When security is enabled with a client certificate (X.509), it uses an SSL client certificate to authenticate users. Compuware Enterprise Services must be configured to use HTTPS when using Client certificate as the authentication mode.

  1. From the Security window in Administration, toggle the Authentication Mode to On.

  2. Select the Client certificate option.

  3. Enter the following required information in the field:

  • X.509 mask – The X.509 mask is a regular expression used to extract the user name from the X.509 certificate. The user name extracted is used to log into Compuware Web Products. The default mask, as shown below, extracts the contents of the Common Name (CN) field from the certificate.

CN=(.*?),

  4. Click Apply to save and apply the security settings. Compuware Enterprise Services will restart to implement the changes to the security settings.
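
The following Python sketch is an added example, not Compuware code; it shows which subject DN layouts the default X.509 mask handles, so a mask can be checked against your certificates before it is applied. It assumes the mask is searched against the certificate's subject DN string and that the first capture group becomes the user name; the subject DNs, the expected names, and STRICT_MASK are constructed for illustration.

```python
import re

# Default mask quoted on this page.
DEFAULT_MASK = r"CN=(.*?),"

# Constructed alternative (not a product default): anchors CN= to the start of
# an RDN, accepts backslash-escaped characters, and allows CN as the last RDN.
STRICT_MASK = r"(?:^|,\s*)CN=((?:\\.|[^,\\])+)(?:,|$)"

# Constructed subject DNs, each paired with the user name an administrator
# would expect the mask to produce (None = no user name should be produced).
SAMPLES = {
    "cn_first":        ("CN=jdoe,OU=Dev,O=Example Corp,C=US", "jdoe"),
    "cn_first_spaced": ("CN=jdoe, OU=Dev, O=Example Corp, C=US", "jdoe"),
    "cn_last":         ("C=US,O=Example Corp,OU=Dev,CN=jdoe", "jdoe"),
    "escaped_comma":   (r"CN=Doe\, John,OU=Dev,O=Example Corp", r"Doe\, John"),
    "no_cn":           ("OU=Dev,O=Example Corp,C=US", None),
}


def extract_user(subject_dn, mask=DEFAULT_MASK):
    """Return the user name the mask yields for a subject DN, or None.

    Assumption: the mask is applied as an unanchored search and capture
    group 1 is taken as the user name.
    """
    match = re.search(mask, subject_dn)
    return match.group(1) if match else None


def mismatches(mask):
    """Names of the sample DNs for which the mask does not yield the expected user."""
    return sorted(
        name
        for name, (dn, expected) in SAMPLES.items()
        if extract_user(dn, mask) != expected
    )


if __name__ == "__main__":
    for label, mask in (("default", DEFAULT_MASK), ("strict", STRICT_MASK)):
        print(label, "mask mismatches:", mismatches(mask))
        for name, (dn, _expected) in SAMPLES.items():
            print("   ", name, "->", repr(extract_user(dn, mask)))
```

With the default mask, a subject whose CN is the last component yields no user name because there is no trailing comma, and a CN containing an escaped comma is cut at the first comma. Replace the entries in SAMPLES with the subject strings of your own certificates to see what a given mask extracts.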

 

Users tab

The Users tab allows you to manage the users that have access to the Compuware web applications. When accessing the Users tab, a list of configured users is displayed, showing the name of the user, the email address associated with that user, the groups to which the user is assigned, and the individual roles assigned to that user.

You can create and delete users and assign roles to users. Users can also be granted permissions individually by selecting an individual user and editing.

The list of users can be filtered by clicking the filter icon above the list and entering the filter criteria. For example, to filter the list to only those users having the iStrobe User role, click the filter icon and type iStrobe User. If you wanted to further filter the list to those users who also have the ISPW User role, you would type iStrobe User ISPW User into the filter.

The number of users displayed in the list at a given time can be changed by selecting a different value in the option field below the list. The default is 25 entries per page but can be changed to 10, 25, 50, 100, 500, or all.

There are four ways to add users to the list of users:

  • Migrating from a previous release. Existing users will be automatically migrated to CES. There are several special cases to be aware of when coming from a previous release:

    • Existing CES or iStrobe installs may have the 'Require administrative password' checkbox enabled. CES will be placed in the 'Internal' mode security on upgrade. In this case, an 18.2.1 CES user will be created called 'CESAdmin' or 'iStrobeAdmin' with the password that was defined in the previous release's user interface.

    • Existing iStrobe customers that have the 'Require user login' option selected will be upgraded to the 'Internal' mode security and asked to define a password to be used with the user ID on the upgrade to 18.2.1.

  • Enabling LDAP, Kerberos, or Client Certificate authentication mode, which causes any authenticated user to be automatically added to the list. Any authenticated user will be automatically created in CES. The users will inherit the permissions of any groups that have the 'Automatic-Assign' option checked.

  • Enabling Internal authentication mode as well as enabling the 'Allow users to self-register' option. This allows users to register themselves and will add those users to the list.

  • Manually adding users to the list.

To manually add a user

  1. From the Users tab, click Add.

  2. Complete each of the required fields.

    • Name: The name of the user.
    • Password: Add a temporary password assigned to the user. When the user first logs in they will be required to change their password.
    • Email: An email address associated with the user.
    • Roles: The list of roles that can be assigned to the user. To assign a role to a user, click the toggle to On.
  3. Click OK. The user appears in the Users table.

To edit a user

  1. From the Users tab, select a user from the list and click Edit.

  2. Modify the content of the field(s) as needed. If you edit a user that is not yourself and change their password, that user will be required to change their password at their next login. Changes to any roles assigned to the user will not take effect until their next login. When you've completed editing the user, click OK to update the user in the list of users.

To remove a user

  1. From the Users tab, select a user to be removed by clicking on the user name in the table. You may remove more than one at a time. You cannot remove yourself from the list of users.

  2. Click Remove.

  3. When prompted, click Yes to remove the user.

To modify the roles assigned to a user

  1. From the Users tab, select a user by clicking on the user name in the table.

  2. Click Edit.

  3. Edit the roles assigned to the user as is appropriate.

  4. Click OK to apply those roles to that user.

 

Groups tab

The Groups tab allows you to manage security groups. Groups provide the ability to easily assign roles to many users at a time as well as automatically assign roles to new users. Groups can also be associated with host connections to restrict user access to specific host connections. When accessing the Groups tab, a list of configured groups is displayed, showing the name of the group, a description of the group, the roles associated with the group, and whether or not new users are auto assigned to the group. The group is also expandable to show the list of users that belong to that group.

The list of groups can be filtered by clicking the filter icon above the list and entering the filter criteria. For example, to filter the list to only those groups that have the iStrobe User role, you would click the filter icon and type iStrobe User. If you wanted to further filter the list to the users that also have the ISPW User role, you would type iStrobe User ISPW User into the filter.

The number of groups displayed in the list at a given time can be changed by selecting a different value in the option field below the list. The default is 25 entries per page but can be changed to 10, 25, 50, 100, 500, or all.

To add a group

  1. From the Groups tab, click Add.

  2. Under Group Name, add the name of the group, and optionally add a description for the group.

  3. Under Roles, click the toggle switch to On for those roles you would like assigned to the group.

  4. Under User Assignment, click the toggle switch to On for those users you would like assigned to the group. To automatically assign new users to the group, click the Auto assign users toggle switch to On.

  5. Click OK to create the group and save the settings. The group appears in the Groups table.

To edit a group

  1. From the Groups tab, select a group by clicking on the group name to highlight it in the table.

  2. Click Edit to reveal the attributes of the group, including the users.

  3. Under User Assignment, click the toggle switch to On for those users you would like added to the group.

  4. Click OK to save the settings for the group.

To remove a group

  1. From the Groups tab, select a group by clicking on the group name to highlight it in the table.

  2. Click Remove. The group is deleted from the table.

To remove a user from a group

  1. From the Groups tab, expand the group from which you would like to delete a user by clicking the plus sign next to the group name.

  2. Click Edit.

  3. Under User Assignment, click the toggle switch to Off for the user you would like removed from the group. The user is deleted from the group.

 

Roles tab

The Roles tab allows you to manage security roles. Roles control the access rights to Compuware web products and functionality. By default, a number of roles are provided to cover most situations. You can customize many of the existing roles or create new roles to suit your security needs. When accessing the Roles tab, a list of configured roles is displayed, showing the name and a description of each role.

The Compuware Enterprise Services Administrator and the Super Administrator roles cannot be edited or removed.

The number of roles displayed in the list at a given time can be changed by selecting a different value in the option field below the list. The default is 25 entries per page but can be changed to 10, 25, 50, 100, 500, or all.

Product Roles and Rights

| Product | Default Roles | Description | Access/Rights |
|---|---|---|---|
| Compuware Enterprise Services (CES) | CES Administrator | Users assigned this role have access to Compuware Enterprise Services configuration settings for Database, Host Connections, Licensing, Issue Tracking, Update Center, Security and Web Server. | Database; Host Connections; Issue Tracking; Licensing; Personal Access Tokens; Update Center; Security; Web Server |
| Compuware Enterprise Services (CES) | Super Admin | Users assigned this role have access to administrative functionality for all Compuware web products. | Access to all product Administrator functionality |
| Compuware Enterprise Services (CES) | Personal Access Tokens Administrator | Users assigned to this role have the ability to add, edit, and delete Personal Access tokens. | Personal Access Token |
| Compuware Enterprise Services (CES) | Topaz Team Profile Exporter | Users assigned this role have the ability to export Topaz team profiles to any group of which they are a member. | Export Topaz team profile |
| Compuware Enterprise Services (CES) | Topaz Team Profile Administrator | Users assigned this role have the ability to view, add, and delete Topaz team profiles for all groups. | Administer Topaz team profiles |
| iStrobe | iStrobe Administrator | Users assigned to this role have the ability to use the functions in iStrobe Administration to configure and control access to iStrobe content. | Administration; Submit Strobe Measurements; Strobe Administration; Use Performance Tracker; Folder Creation; Folder Management; Strobe Insight Reports Access |
| iStrobe | iStrobe Performance Tracker | Users assigned this role have access to use iStrobe Performance Tracker functionality. | Use Performance Tracker |
| iStrobe | iStrobe User | Users assigned this role have access to Submit Strobe Measurements and create Folders in iStrobe. | Submit Strobe Measurements; Folder Creation |
| ISPW | ISPW Administrator | Users assigned this role have access to manage ISPW server connections for use in the ISPW Web Interface. | Access to ISPW Administrator Area (until this is removed) |
| ISPW | ISPW User | Users assigned this role have access to the ISPW web Deployment application as well as the ISPW Mobile and Web applications. | Mobile / Web Approvals; Deployments |
| ISPW | ISPW Approver | Users assigned this role have access to the ISPW Mobile and Web applications. | Mobile / Web Approvals |
| Fault Analytics | Fault Analytics Administrator | Users assigned this role have access to Abend-Aid Fault Analytics' Administration, Preferences and Reports screens. | Administration; Preferences; Reports |
| Fault Analytics | Fault Analytics User | Users assigned this role have access to Abend-Aid Fault Analytics' Preferences and Reports screens. | Preferences; Reports |
| Topaz for Java Performance (TJP) | Topaz for Java Performance User | Users assigned this role have full access to Topaz for Java Performance. | Full Access to TJP |
| Topaz for Total Test (TTT) | Total Test Administrator | Users assigned to this role have access to administer the Total Test web client. An administrator has read/write/delete permissions to all test artifacts in the repository. Only selected users should have this role. | Use of Total Test Web client for components including: creating, reading, modifying, deleting, executing; Create, update, and delete all test artifacts including connections and environments |
| Topaz for Total Test (TTT) | Total Test User | Users assigned to this role can access and use the Total Test web client, as well as functionality from Topaz and the CLI that requires information from the repository. Most users who are allowed to use Total Test should have this role. | Use of Total Test Web client for components including: creating, reading, modifying, deleting, executing |
| Application Audit | Application Audit User | Users assigned this role have full access to Application Audit. | Full access to Application Audit |

 

To add a role

  1. From the Roles tab, click Add. The role appears in the Roles box. You can rename the role by clicking it and typing a new name in the Roles field.

  2. Complete each of the required fields.

  • Name: The name of the role.

  • Description: An optional description of the role.

  • Rights: The list of rights that can be assigned to the role listed by Compuware web product. To assign a right to a role, click the toggle to On.

  3. When the appropriate rights have been selected for a role, click OK. The role is saved with the given name and associated functions.

To modify functions assigned to a role

  1. From the Roles tab, select the role to be modified by clicking it, and then click Edit.

  2. Modify the functions assigned to the role by resetting toggle switches for various functions.

  3. Click OK. The role is modified with the associated functions.

To delete a role

  1. From the Roles tab, select the role to be deleted by clicking it.

  2. Click Remove next to the role name. When prompted, click Yes to delete the role.

 
