
Chapter 6 Using AR Server for authentication

The following topics are provided:

• Setting up AR to use for authentication (page 52)
• Configuring the AR module (page 52)
• Enabling AR authentication (page 53)
• Enabling the AR data store (page 54)

Setting up AR to use for authentication

The Action Request (AR) authentication module allows BMC Atrium SSO to use the user accounts within a BMC Remedy AR System server for authentication. This module is normally used in conjunction with the AR data store to retrieve group information and other user attributes from the AR server.

To use AR for authentication

1 Configure the AR module.
2 Enable AR authentication.
3 Enable the AR data store.

Configuring the AR module

The AR authentication module allows BMC Atrium SSO to use user accounts within a BMC AR Server for authentication purposes. This module should be used in conjunction with the AR data store.

To configure the AR module

1 Navigate to the Authentication tab:

Access Control > BmcRealm link > Authentication

2 Click the Module Instances link.

3 Click the AR link.

4 Enter the AR configuration information and Save.

AR configuration parameters

AR configuration information is entered on the AR Server Realm Attributes page. The AR page has the following options:

• Save to save your modifications.
• Reset to remove your modifications and stay on the AR page.
• Back to Authentication to navigate back to the Authentication tab.

Table 6-1: AR module parameters

AR Server Host Name (Required)
    Provide the Fully Qualified Domain Name (FQDN) for the server where AR Server is located. The full host name includes the domain name of the computer and the individual name of the server. For example, the domain is bmc.com and the host name is sample.

AR Server Port Number (Required)
    AR Server Port Number is the port on which the AR Server is listening.
    Note: Enter a value of 0 if the AR Server is using port mapping.

Default Authentication String
    This string is only used when the AR module is placed downstream in a chain from another authentication module which prompts the user only for a name and password. In this scenario, this value is used to authenticate the user by re-using the credentials provided by the user along with this authentication string.

Allow AR Guests
    If enabled, allows unknown or invalid users to authenticate as guests to the AR Server.

Authentication Level (Required)
    Authentication Level is used to identify the level of authentication provided by the AR module. In normal BMC Atrium SSO usage, this value is ignored and should be left at the default value 0.

Enabling AR authentication

After the AR module is configured, specify that the AR module be used for user authentication. This task involves specifying the AR Chain as the organizational choice for authentication.

1 On the BmcRealm Authentication page, select AR Chain from the Organization Authentication Configuration drop-down menu.
2 On the BmcRealm Authentication page, select AR Chain from the Administrator Authentication Configuration drop-down menu.
3 Click Save.
4 On the BmcRealm Authentication tab, click All Core Settings.
  A new page is displayed. At the top of this new page are a series of radio buttons which are used to select how the user profile is handled when a user is authenticated.
5 In the User Profile field, click either Dynamic or Ignored.
  • Dynamic specifies that a local SSO user profile is created after a successful authentication, if it does not already exist.
  • Dynamic with User Alias specifies that a local SSO user profile and user alias is created for each successful authentication.
  • Ignored specifies that no local SSO user profile is created or required for authentication.
  • Required specifies that a local SSO user profile with the same user ID is required for authentication to be successful.
6 Click Save.

Enabling the AR data store

The AR data store plug-in allows group information associated with AR Server users to be retrieved and provided to BMC products. The data store is designed to be used with the AR authentication module because it provides additional information for users authenticated against the AR Server.

NOTE
The AR data store provides read-only access to AR Server.

The data store provides the following capabilities:

• Read-only access to the user information stored in AR Server.
• Displays user and group lists and memberships.

The following capabilities are not provided:

• User management functionality
• Assigning group information that is retrieved from the AR Server to users that exist in another data store (for example, the internal data store)
• Saving changes involving information retrieved from the AR Server

Accessing the AR data store configuration page

To configure the AR data store, you must have the server location and an administrator account.

2 Configure the AR data store.

3 Click Save.

If a data store does not exist

1 Click New.

2 In the Name field, enter a name for a new data store.

3 In the Type field, click AR Server as the data store type.

4 To configure the data store, click Next.

5 Click Finish.

Configuring the AR data store

The AR Data Store configuration page is used for both editing an existing data store’s parameters and for creating a new AR data store.

The AR Data Stores configuration page has the following options:

• Save to save your modifications.
• Reset to remove your modifications and stay on the LDAP page.
• Back to Data Stores to navigate back to the Authentication tab.

After configuration is finished, the data store is immediately available to provide group information to users who are authenticating with the AR Authentication module.

Table 6-2: AR data store parameters

AR Server Host Name (Required)
    Provide the Fully Qualified Domain Name (FQDN) of the AR Server host server. The full host name includes the domain name of the machine along with the individual name of the server. In this example, the domain is bmc.com and the host name is sample.

AR Server Port Number (Required)
    Provide the port number where the AR Server is listening. Enter a value of 0 if the AR Server is using port mapping.

Administrator Name (Required)
    Provide the user name of an AR Server account that has administrator privileges, the password for the AR Server administrator account, and the password confirmation.
    Note: Empty or blank passwords for the AR administrator are not supported; however, a single space character can be used. For example, the default AR administrator account is Demo with no password.

Authentication
    Provide the authentication string that is needed when the Administrator account is used to connect with the AR Server.

Pool Size (Required)
    The Pool Size is the maximum number of connections the data store uses to service data requests for the AR Server.

Linger Time (Required)
    Linger Time is the amount of time (in milliseconds) that a connection is allowed to remain unused in the pool before being closed.

AR Server Plug-in (Required)
    The AR Server Plug-in parameter is the class that implements this plug-in and must not be changed.
    Note: Do not change the AR Server Plug-in parameter.

New data store configuration example

Figure 6-1: New Data Store configuration example

Troubleshooting AR System module

The following are common errors associated with your AR System authentication module:

• “User has no profile in this organization”
• “Error saving user or group edits”

User has no profile in this organization

If the User Profile for the BmcRealm is set to Required instead of Dynamic or Ignored, the following error message occurs when logging into a BMC product: User has no profile in this organization

To modify the User Profile setting, see “Enabling AR authentication”.

Error saving user or group edits

An exception error occurs when you try to update user attributes or assign groups to users with information that was retrieved from the AR Server. The AR Server data store provides read-only access to the user and group information.

Chapter 7 Using Active Directory for authentication

The following topics are provided:

• Setting up Active Directory for authentication (page 60)
• Configuring the Active Directory module (page 60)
• Enabling Active Directory authentication (page 63)

Setting up Active Directory for authentication

The BMC Atrium SSO system provides support for using external Active Directory (AD) servers for authentication.

To set up Active Directory to use for authentication

1 Configure the Active Directory module.

2 If you enabled SSL Access to Active Directory Server on the Active Directory configuration page, import the certificates and restart the Tomcat server before enabling Active Directory authentication. See “Using CA certificates” for more information.

3 Enable Active Directory authentication.

Configuring the Active Directory module

The configuration and use of the Active Directory module is described for a single BMC Atrium SSO server. By default, a single Active Directory module is created and configured as part of the Active Directory chain. The Active Directory module must be configured for the enterprise environment.

To configure the Active Directory module

1 Navigate to the Authentication tab:

Access Control > BmcRealm link > Authentication tab

2 Click the Module Instances link.

3 Click the ActiveDirectory link.

4 Enter Active Directory configuration information and Save.

Active Directory configuration information

Active Directory configuration information is entered on the Active Directory Realm Attributes page.

The Active Directory page has the following options:

• Save to save your modifications.

Table 7-1: Active Directory module parameters

Primary Active Directory Server (Required)
    Enter the host's Fully Qualified Domain Name (FQDN) for the primary Active Directory server.
    If the Active Directory server is not listening on the default port (389), suffix the host name value with a colon (:) and the port number that the Active Directory server is using:
    hostnameValue(FQDN):port

Secondary Active Directory Server
    The secondary Active Directory server is only used when the primary server is not available. It is not used in parallel or when a user fails to authenticate with the primary server.
    If the secondary server is not listening on the default Active Directory port, suffix the host name with a colon (:) and the port that is being used:
    hostnameValue(FQDN):port
    The amount of time that the server uses the secondary server before attempting to re-connect with the primary server can be configured.

DN to Start User Search
    The search DNs should be as specific as possible for performance reasons. The depth of the search that is performed can be configured. If an Object search is specified, then the DN should be the DN of the node containing the users.
    Enter the starting locations within the Active Directory directory for performing user searches. For each starting point, enter the login name (DN).

DN for Root User Bind (Required)
    The DN is the login name that is used to connect to the Active Directory server. A root user must have privileges to perform searches on the primary and secondary Active Directory servers.
    Enter the DN for the root user, the password, and the password confirmation.

Attributes Used to Retrieve User Profile
    Attributes can be specified to retrieve user profiles.

Attributes Used to Search for a User to be Authenticated (Required)
    Attributes are used to identify the DN to be used for authentication within the Active Directory servers. The attributes specified are used to search for the DN for the user to be authenticated.
    Enter an attribute to identify user names in the Active Directory servers. The default attribute is uid, but if a different value is used (such as givenname), then update this value to the environment-specific attribute.
    More than one attribute can be used to uniquely identify a user. For example, along with a unique user ID, the user's phone number or e-mail address could also be used. In this way, users could use their phone numbers or email accounts when authenticating, instead of relying solely upon a user ID.

User Search Filter
    The attribute-value pairs further refine the user search for authentication. This field can be left blank (default).

Search Scope (Required)
    The Search Scope determines the level at which the Active Directory directory searches for users to authenticate. A search scope level must be selected.
    • OBJECT level searches the contents of the nodes specified in the search list.
    • ONELEVEL level searches the specified nodes and one level below.
    • SUBTREE level searches the specified nodes and all sub-levels (default).

SSL Access to Active Directory Server
    Enable the SSL Access to Active Directory Server field to use SSL to connect to the Active Directory servers.
    In addition, before communications can be established, the certificates for the Active Directory servers (primary and secondary) must be loaded into the JVM truststore and the BMC Atrium SSO Tomcat truststore.
    If client authentication is required, the BMC Atrium SSO server's certificate might need to be imported into the Active Directory server's truststore. For more information on the default truststore location, see Locating the keystore and truststores (page 38).
    If you are using CA signed certificates for all servers, then the root certificate, and any intermediate signer certificates, can be used to complete the trust relationships instead of the server's certificates.
    Note: BMC recommends that the certificates be configured before enabling Active Directory authentication. See “Using CA certificates” for more information.

Return User DN To DataStore
    If the external Active Directory server uses the same structure as the internal data store, the Return User DN To DataStore option is enabled. This condition is atypical, so this option is normally not checked.

Active Directory Server Check Interval
    When a primary Active Directory server is unavailable, authentication is switched to the secondary Active Directory server. The interval specifies the delay before the primary Active Directory status is re-checked for availability.
    Enter the number of minutes before the primary Active Directory status is re-checked. The default is 15 minutes.
    • If the interval delay value is too low, performance issues occur if BMC Atrium SSO continuously tries to reconnect (unsuccessfully).

User Creation Attribute
    User creation attributes allow attributes from the external Active Directory servers to be provided as attributes from the internal data store. By defining the mappings, user account data (such as telephone numbers or e-mail addresses) can be provided to BMC products.
    The attribute mapping is created with an internal attribute, a vertical bar ('|'), and then the external attribute.
    The following internal attributes are available for mapping:
    • Email: The user's email address
    • Phonenumber: The user's phone number
    • Address: The user's mailing address
    • Firstname: The first name of the user
    • Lastname: The last name of the user
    • Fullname: The full name of the user, usually including middle initial

Authentication Level
    BMC Atrium SSO does not employ authentication levels.
    Note: Do not change the Authentication Level (the default is 0) for the Active Directory Module.

Enabling Active Directory authentication

After the Active Directory module is configured, specify that the Active Directory module be used for authentication. This task involves specifying Active Directory Chain as the organizational choice for authentication.

NOTE
Configure only the BmcRealm to use external Active Directory servers.

IMPORTANT
If you enabled SSL Access to Active Directory Server on the Active Directory configuration page, import the certificates and restart the Tomcat server. See “Using CA certificates” for more information.

To configure Active Directory realm authentication

1 On the BmcRealm Authentication tab, click All Core Settings.
  A new page is displayed. At the top of this new page are a series of radio buttons. The buttons are used to select how the user profile is handled when a user is authenticated.
2 In the User Profile field, click either Dynamic or Ignored.
  • Dynamic specifies that a local SSO user profile is created after a successful authentication, if it does not already exist.
  • Dynamic with User Alias specifies that a local SSO user profile and user alias is created for each successful authentication.
  • Ignored specifies that no local SSO user profile is created or required for authentication.
  • Required specifies that a local SSO user profile with the same user ID is required for authentication to be successful.
3 Click Save.
4 Click Back to Authentication.
5 On the BmcRealm Authentication page, select ActiveDirectory Chain from the Organization Authentication Configuration drop-down menu.
6 On the BmcRealm Authentication page, select ActiveDirectory Chain from the Administrator Authentication Configuration drop-down menu.
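The following Python block is an added example, not BMC's code: it models how the Table 7-1 inputs are interpreted, parsing the hostnameValue(FQDN):port server values, combining the search attributes and User Search Filter into one LDAP filter with the login name escaped per RFC 4515, and validating a User Creation Attribute mapping against the listed internal attributes. How the real module assembles its search filter is an assumption; the attribute names and the default port 389 come from the table.

```python
from __future__ import annotations

# Added example, not BMC's code. Models the Table 7-1 inputs:
#   - "hostnameValue(FQDN):port" for the primary/secondary server,
#   - search attributes plus User Search Filter that locate a user's DN,
#   - the "internal|external" User Creation Attribute mapping.
# Assumption: the module ORs the search attributes and ANDs the filter.

DEFAULT_AD_PORT = 389            # default port named in Table 7-1
INTERNAL_ATTRS = ("Email", "Phonenumber", "Address",
                  "Firstname", "Lastname", "Fullname")

def parse_server(value: str) -> tuple[str, int]:
    """Split 'host:port'; a bare host name means the default port 389."""
    host, sep, port = value.strip().rpartition(":")
    if not sep:
        return value.strip(), DEFAULT_AD_PORT
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad server value: {value!r}")
    return host, int(port)

# RFC 4515 escapes for characters that would change a filter's meaning
# if a login name such as 'bob)(objectClass=*' reached it verbatim.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(login: str, search_attrs: list[str],
                      user_search_filter: str = "") -> str:
    """OR the 'Attributes Used to Search for a User' over the escaped login
    name, then AND the optional 'User Search Filter' onto the result."""
    if not search_attrs:
        raise ValueError("at least one search attribute is required")
    safe = escape_filter_value(login)
    clauses = "".join(f"({attr}={safe})" for attr in search_attrs)
    by_name = clauses if len(search_attrs) == 1 else f"(|{clauses})"
    extra = user_search_filter.strip()
    if not extra:
        return by_name
    if not (extra.startswith("(") and extra.endswith(")")):
        extra = f"({extra})"
    return f"(&{by_name}{extra})"

def parse_creation_mapping(mapping: str) -> tuple[str, str]:
    """Parse 'Email|mail' into (internal, external); the internal side must
    be one of the attributes Table 7-1 lists as available for mapping."""
    internal, sep, external = mapping.strip().partition("|")
    if not sep or not internal or not external:
        raise ValueError(f"expected internal|external, got {mapping!r}")
    if internal not in INTERNAL_ATTRS:
        raise ValueError(f"unknown internal attribute {internal!r}")
    return internal, external

if __name__ == "__main__":
    print(parse_server("ad-primary.example.com:3268"))   # constructed host
    print(build_user_filter("bob)(objectClass=*", ["uid", "mail"], "objectClass=user"))
    print(parse_creation_mapping("Email|mail"))
```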

Chapter 8 Using RSA SecurID for authentication

The following topics are provided:

• Setting up SecurID to use for authentication (page 66)
• Specifying the sdconf.rec location (page 66)
• Enabling RSA SecurID authentication (page 67)
• Modifying the rsa_api.properties file (page 68)

Setting up SecurID to use for authentication

RSA SecurID provides a two-factor authentication scheme for user authentication. This approach uses a password that has a very short life span, typically one minute. By combining a passcode with a hardware-generated token value, users are authenticated with this short-span password. This method of authentication narrows the opportunity for exploitation by anyone who manages to eavesdrop on the TLS confidential communications.

NOTE

After authentication, the combination passcode + token is no longer valid.

To use SecurID Chain for user authentication, the module must first be configured with information about the RSA Access Manager server. After being configured, SecurID Chain is enabled for authentication use.

To use SecurID for authentication

1 Specify the location of the sdconf.rec file.

2 Configure the SecurID module.

3 Enable SecurID authentication.

Specifying the sdconf.rec location

There are two methods to specify the location of the sdconf.rec file, which is used to configure the SecurID module:

• Configure BMC Atrium SSO to rely on an RSA SecurID server for user authentication.
• Reconfigure the SecurID module to load the sdconf.rec file from another location.

Configuring to rely on an RSA SecurID server

To configure BMC Atrium SSO to rely on an RSA SecurID server for user authentication

Reconfiguring the SecurID module

To reconfigure the SecurID module to load the sdconf.rec file from another location

1 Copy the sdconf.rec file retrieved from the RSA SecurID server to the BMC

Related documents