addmi 06-security mgmt

Upload: odanyboy

Post on 18-Nov-2014

Page 1: Addmi 06-security mgmt

© 2009 BMC Educational Services

Security Management

User Administration and System Security

Page 2: Addmi 06-security mgmt

© 2010 BMC Educational Services

Security Management Outline

User Management
- Users
- Groups
- Account and password management

LDAP Authentication
- Uses
- Typical Configuration

Security Policy
- Login page
- Auditing

Security at the CLI

Page 3: Addmi 06-security mgmt

User Management

Page 4: Addmi 06-security mgmt

Security Administration: Overview

Administration > Security

- User management
- Authentication setup and management
- View active sessions
- UI audit log searching

Page 5: Addmi 06-security mgmt

Security Administration: Adding Users

- Set the username and password
- Select groups to assign to users
- Permissions are additive

Page 6: Addmi 06-security mgmt

Security Administration: Managing Users

Unlock, unblock, deactivate, delete, edit and set a new password

Page 7: Addmi 06-security mgmt

Security Administration: Default Groups

Default groups:
- admin
- appmodel
- cmdb-export-administrator
- discovery
- public
- readonly
- system
- unlocker

Page 8: Addmi 06-security mgmt

Security Administration: Adding Groups

- Can make custom groups
- Choose a name for the group
- Select the permissions to add to the group

Page 9: Addmi 06-security mgmt

LDAP Integration

Page 10: Addmi 06-security mgmt

LDAP Why Use It?

Configuring a large number of Atrium Discovery UI users can be tedious and error-prone

Most organisations already have an LDAP-capable authentication system

Page 11: Addmi 06-security mgmt

LDAP Authentication Requirements

Supported LDAP Capabilities and Systems
- Official support for Microsoft AD and SunONE DS
- Also will work with other LDAP servers (e.g. Novell)
- May (optionally) support client side certificate authentication

Commissioning Tasks
- Configure Foundation’s connection to your LDAP system
- Map LDAP defined groups to Atrium Discovery groups

Page 12: Addmi 06-security mgmt

LDAP User Configuration

Administration > LDAP > LDAP

Set up the connection:
- Server URI: Specify server name and port, e.g. ldap://10.0.0.1:3268/
- Bind Username/Password

Page 13: Addmi 06-security mgmt

LDAP Search Configuration

Search Base
- Where in the directory to start searching for users

Search Template
- Search “query” to find a user node given the username entered on the Atrium Discovery login screen
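An added example (not part of the BMC course material) for checking a search template outside the appliance: it renders the filter a given login name would produce, with the RFC 4515 escaping a filter value needs, and builds the matching ldapsearch command. The placeholder syntax, the sAMAccountName template, the bind DN and the search base are assumptions or constructed samples; only the server URI comes from the slides.

```python
import shlex

PLACEHOLDER = "%(username)s"  # assumed placeholder syntax, not taken from the slides
# Constructed sample values; only the URI appears on the connection slide.
SAMPLE_URI = "ldap://10.0.0.1:3268/"
SAMPLE_BASE = "dc=example,dc=com"
SAMPLE_BIND = "cn=discovery-bind,dc=example,dc=com"
SAMPLE_TEMPLATE = "(&(objectClass=user)(sAMAccountName=%(username)s))"

# RFC 4515: characters that must be written as \XX inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a string so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def check_template(template):
    """Reject a missing or repeated placeholder and unbalanced parentheses."""
    if template.count(PLACEHOLDER) != 1:
        raise ValueError("template must contain the placeholder exactly once")
    depth = 0
    for ch in template.replace(PLACEHOLDER, ""):
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            raise ValueError("unbalanced parentheses in template")
    if depth != 0:
        raise ValueError("unbalanced parentheses in template")


def render_filter(template, username):
    """Return the filter the directory would receive for this login name."""
    check_template(template)
    if not username.strip():
        raise ValueError("empty username")
    return template.replace(PLACEHOLDER, escape_filter_value(username))


def ldapsearch_argv(uri, bind_dn, base, template, username):
    """Build an ldapsearch command line for checking the template by hand."""
    flt = render_filter(template, username)
    # -x simple bind, -W prompt for the bind password, "1.1" returns DNs only
    return ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-W",
            "-b", base, "-s", "sub", flt, "1.1"]


if __name__ == "__main__":
    for name in ("jsmith", "smith (contractor)", "j*"):
        print(shlex.join(ldapsearch_argv(
            SAMPLE_URI, SAMPLE_BIND, SAMPLE_BASE, SAMPLE_TEMPLATE, name)))
```

A well-formed template returns exactly one entry for a valid login name and none for a name that does not exist; the third sample name shows a wildcard character being matched literally rather than as a pattern.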

Page 14: Addmi 06-security mgmt

LDAP Group Configuration

Group Mode
- Select Microsoft Active Directory, SunONE Directory Server or Other as appropriate for your LDAP server
- If Other is chosen you will need to provide further configuration
- Refer to our online documentation

Page 15: Addmi 06-security mgmt

LDAP Configuration: Example

Page 16: Addmi 06-security mgmt

LDAP Group Mapping (1)

Without Group Mapping the appliance will expect the users in the LDAP directory to be assigned to LDAP Groups that exactly match the default groups

Much more convenient to map existing LDAP Groups to the appliance groups

[Figure: group mapping diagram; labels: admin, public, TWFLDAP, root users, all]

Page 17: Addmi 06-security mgmt

LDAP Group Mapping (2)

Administration > LDAP > Group Mapping

Page 18: Addmi 06-security mgmt

Security Policy

Page 19: Addmi 06-security mgmt

Security Policy: Accounts and Passwords

Admin > Security Policy > Accts & Passwords

Change settings to suit customer policies

Page 20: Addmi 06-security mgmt

Security Policy: Login Page Configuration

Admin > Security Policy > Login Page

Page 21: Addmi 06-security mgmt

Security Policy: Plain Login Page

Used if your organization requires a plain unbranded login screen

Any Legal Notice text will still be displayed

Page 22: Addmi 06-security mgmt

Security Policy: Login Page Legal Notice

Used if your organization requires a legal notice displayed to users prior to login

Page 23: Addmi 06-security mgmt

Security Administration: Active Sessions

Administration > Security > Active Sessions

- Monitor who is currently using the appliance
- Good practice to check this page before restarting

Page 24: Addmi 06-security mgmt

Security Administration: Audit

Search audit logs
- Logins
- Actions
- Configuration changes
- Search queries, etc.

Use the form to help narrow the search

Administration > Security > Audit > Audit Logs

Page 25: Addmi 06-security mgmt

UI Accounts at the CLI

Page 26: Addmi 06-security mgmt

Security Warning

The appliance CLI accounts should be treated as a root level account
- Keep knowledge of the password to a minimum of people
- Comply with your organisation’s policy on root or super user passwords
- Change the password when people leave the team

Page 27: Addmi 06-security mgmt

Unlocking the system account

The ‘system’ account can become locked with the default settings and you may end up with no other admin level account to unlock it

The ‘system’ account can be unlocked from the CLI
- Log in to the Appliance CLI as the user ‘tideway’
- Run ‘tw_upduser --active system’

Page 28: Addmi 06-security mgmt

Further Information

Online Documentation: http://www.tideway.com/confluence/display/81/Managing+System+Users

[Image: Tideway Foundation, Version 7.2]

Page 29: Addmi 06-security mgmt

Further Information

OpenLDAP Online Documentation: http://www.openldap.org/software/man.cgi?query=ldapsearch&apropos=0&sektion=0&manpath=OpenLDAP+2.3-Release&format=html

[Image: Tideway Foundation, Version 7.2]

Page 30: Addmi 06-security mgmt

Security Management Exercises