addmi 06-security mgmt
© 2009 BMC Educational Services
Security Management
User Administration and System Security
© 2010 BMC Educational Services
Security Management Outline
User Management: users, groups, account and password management
LDAP Authentication: uses, typical configuration
Security Policy: login page, auditing
Security at the CLI
User Management
Security Administration: Overview
Administration > Security
  User management
  Authentication setup and management
  View active sessions
  UI audit log searching
Security Administration: Adding Users
  Set the username and password
  Select groups to assign to users
  Permissions are additive
Security Administration: Managing Users
Unlock, unblock, deactivate, delete, edit and set a new password
Security Administration: Default Groups
Default groups:
  admin
  appmodel
  cmdb-export-administrator
  discovery
  public
  readonly
  system
  unlocker
Security Administration: Adding Groups
  Can make custom groups
  Choose a name for the group
  Select the permissions to add to the group
LDAP Integration
LDAP: Why Use It?
Configuring a large number of Atrium Discovery UI users can be tedious and error prone
Most organisations already have an LDAP-capable authentication system
LDAP Authentication Requirements
Supported LDAP Capabilities and Systems:
  Official support for Microsoft AD and SunONE DS
  Will also work with other LDAP servers (e.g. Novell)
  May (optionally) support client-side certificate authentication
Commissioning Tasks:
  Configure Foundation’s connection to your LDAP system
  Map LDAP defined groups to Atrium Discovery groups
LDAP User Configuration
Administration -> LDAP -> LDAP
Set up the connection:
  Server URI: specify server name and port, e.g. ldap://10.0.0.1:3268/
  Bind Username/Password
LDAP Search Configuration
Search Base: where in the directory to start searching for users
Search Template: search “query” to find a user node given the username entered on the Atrium Discovery login screen
LDAP Group Configuration
Group Mode: select Microsoft Active Directory, SunONE Directory Server or Other as appropriate for your LDAP server
If Other is chosen you will need to provide further configuration; refer to our online documentation
LDAP Configuration: Example
LDAP Group Mapping (1)
Without Group Mapping, the appliance will expect the users in the LDAP directory to be assigned to LDAP groups that exactly match the default groups.
It is much more convenient to map existing LDAP groups to the appliance groups.
[Diagram labels: TWF groups admin, public; LDAP groups admin, public; LDAP groups root users, all]
LDAP Group Mapping (2)
Administration -> LDAP -> Group Mapping
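An added sketch (not BMC code) of what the Search Template and Group Mapping settings do: the login username is escaped before it is placed in the search filter, and LDAP groups are resolved to appliance groups additively. The `%(username)s` placeholder, the AD-style template, the sample mapping of `root users` and `all`, and the deny-by-default handling of unmapped groups are assumptions for illustration.

```python
# Added illustration; template syntax and sample group names are assumptions.
DEFAULT_GROUPS = frozenset({
    "admin", "appmodel", "cmdb-export-administrator", "discovery",
    "public", "readonly", "system", "unlocker",
})

# Hypothetical search template for an Active Directory style directory.
TEMPLATE = "(&(objectClass=user)(sAMAccountName=%(username)s))"

# Constructed mapping: existing LDAP group -> appliance groups it grants.
SAMPLE_MAPPING = {"root users": ["admin"], "all": ["public"]}


def escape_filter_value(value):
    """Escape a string for use inside an LDAP search filter (RFC 4515)."""
    special = "\\*()\x00"
    return "".join("\\%02x" % ord(c) if c in special else c for c in value)


def build_user_filter(template, username):
    """Substitute the login-screen username into the search template.

    Escaping first keeps filter metacharacters in the username from
    changing which directory node the search matches.
    """
    return template % {"username": escape_filter_value(username)}


def resolve_groups(ldap_groups, mapping=None, appliance_groups=DEFAULT_GROUPS):
    """Return the appliance groups a user receives from their LDAP groups.

    mapping=None: only LDAP group names that exactly match an appliance
    group count. With a mapping, each LDAP group grants the groups listed
    for it and unmapped groups grant nothing (a choice of this sketch).
    Grants are unioned because permissions are additive.
    """
    granted = set()
    for group in ldap_groups:
        if mapping is None:
            if group in appliance_groups:
                granted.add(group)
        else:
            granted.update(g for g in mapping.get(group, ())
                           if g in appliance_groups)
    return granted


if __name__ == "__main__":
    print(build_user_filter(TEMPLATE, "j*smith"))
    print(sorted(resolve_groups(["root users", "all"])))
    print(sorted(resolve_groups(["root users", "all"], SAMPLE_MAPPING)))
```

A user who resolves to an empty set has authenticated against the directory but holds no appliance permissions, which is the case to look for when LDAP logins succeed but access is denied.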
Security Policy
Security Policy: Accounts and Passwords
Admin > Security Policy > Accts & Passwords
Change settings to suit customer policies
Security Policy: Login Page Configuration
Admin > Security Policy > Login Page
Security Policy: Plain Login Page
Used if your organization requires a plain unbranded login screen
Any Legal Notice text will still be displayed
Security Policy: Login Page Legal Notice
Used if your organization requires a legal notice displayed to users prior to login
Security Administration: Active Sessions
Administration > Security > Active Sessions
  Monitor who is currently using the appliance
  Good practice to check this page before restarting
Security Administration: Audit
Search audit logs: logins, actions, configuration changes, search queries, etc.
Use the form to help narrow the search
Administration > Security > Audit > Audit Logs
UI Accounts at the CLI
Security Warning
The appliance CLI accounts should be treated as a root level account
  Keep knowledge of the password to a minimum of people
  Comply with your organisation’s policy on root or super user passwords
  Change the password when people leave the team
Unlocking the system account
The ‘system’ account can become locked with the default settings and you may end up with no other admin level account to unlock it
The ‘system’ account can be unlocked from the CLI:
  Log in to the Appliance CLI as the user ‘tideway’
  Run ‘tw_upduser --active system’
Further Information
Online Documentation: http://www.tideway.com/confluence/display/81/Managing+System+Users
Tideway Foundation, Version 7.2
Further Information
OpenLDAP Online Documentation: http://www.openldap.org/software/man.cgi?query=ldapsearch&apropos=0&sektion=0&manpath=OpenLDAP+2.3-Release&format=html
Security Management Exercises