How to configure CEM with LDAP authentication using your own LDAP groups?

From documentation > security section:

"for CA CEM, you must create users and all four default security groups on the LDAP server. For example, on the LDAP server you create the cemadmin user and the CEM System Administrator security group. Then you assign cemadmin as a member of the CEM System Administrator security group, thus providing cemadmin with CEM System Administrator security group permissions."

Release: CEMUGD00200-9.7-Introscope to CA Application-Performance Management-Upgrade Main
Component:

If you would like to use your own LDAP groups, you must use CA EEM as described in the below example:

a) custom LDAP groups:

ABC_CEM_ANALYSTS
ABC_CEM_CONADMINS
ABC_CEM_INCIDENTS
ABC_CEM_SYSADMINS
ABC_CEM_TENANT
ABC_INT_ADMIN
Guest

b) We use the default apm users: admin, cemadmin, guest, etc.

c) Each user has been assigned to the its corresponding APM group using the same user structure as the one provided in the users.xml as below:

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKB0AAO" alt="1.png" width="636" height="298">

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKBBAA4" alt="2.png" width="627" height="310">

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKBFAA4" alt="3.png" width="636" height="327">

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKBGAA4" alt="4.png" width="635" height="344">

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKBHAA4" alt="5.png" width="647" height="350">

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKBIAA4" alt="6.png" width="657" height="322">

 

NOTE: The name or number of LDAP groups is not important as long as you properly allocate the LDAP user or groups to the correct APM policies as documented below:

Step 1: Install and configure EEM with Introscope EM as per KB TEC593939 - How to implement CA EEM and LDAP for Authentication and Authorization of CA APM: http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec593939.aspx

Step 2:  Once you finish uploading the safex script, configuring EEM with your LDAP server and reconfiguring your realms.xml in the Introscope EM, you need to update the predefined APM EEM policies with your custom LDAP groups as below:

2a) login to the EEM APM application

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKBJAA4" alt="7.png" width="538" height="222">
 
2b) Go to the Manage Access Policies > You will see all the APM policies that have been created when you executed the APM safex scripts.

2c) Update all the APM Policies with your own Global Groups (LDAP groups):

Here is an example when updating the Access Policy:

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKBKAA4" alt="8.png" width="841" height="468">

Below a quick summary view to all the policies:

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKBLAA4" alt="9.png" width="1044" height="148">

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKB1AAO" alt="10.png" width="1034" height="201">

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKB2AAO" alt="11.png" width="1034" height="200">

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKB3AAO" alt="12.png" width="1026" height="164">

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKB4AAO" alt="13.png" width="1030" height="174">

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKB5AAO" alt="14.png" width="1027" height="166">

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKB6AAO" alt="15.png" width="1024" height="142">

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKB7AAO" alt="16.png" width="1019" height="132">

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKB8AAO" alt="17.png" width="1017" height="173">

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKB9AAO" alt="18.png" width="1021" height="138">

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKBAAA4" alt="19.png" width="1027" height="147">

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKBCAA4" alt="20.png" width="1022" height="139">

Step 3: Restart the Introscope EM

Step 4: Login to the CEM console

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKBDAA4" alt="21.png" width="768" height="449"> 

You can also verify the results in the log

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AKBEAA4" alt="22.png" width="766" height="475">