Addmi 06-security mgmt


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Note default administrative users: admin, system The system user cannot be deleted
  • It’s a good idea not to edit the default groups. It is better to add a new group and select the permissions needed.
  • To add a new group scroll to the bottom and click add and complete the “add group form”
  • LDAP provides: Centrally managed user authentication Single unified logon
  • You will have to work with your LDAP administrator
  • Normally the Search Template can be left at default, consult the LDAP admin to see if any changes are needed.
  • For Microsoft Active Directory and SunONE Directory Server Foundation can set the other group configuration attributes and these are the fully supported configurations. If Other is chosen then the other group configuration attributes can be set in consultation with the LDAP admin. For reference: Group Attribute on User node The LDAP attribute name to search for when running a group query. The attribute is on the User node, and provides a list of distinguished names of groups that the user belongs to Group Query The LDAP query that is used to find Group objects. It is usual to match the nodes' Object Class, for example: (objectclass=group). Membership Attribute on Group node The LDAP attribute name to search for to determine whether an individual is a member of a group. The attribute is on the Group nodes, and provides a list of names of users.
  • Useful CLI test to show data from LDAP server Example: ldapsearch -b dc=bmc,dc=com -D –W -H ldap://adserver:389 -x '('
  • the “Disabled Accounts can be reactivated” setting as this is how to allow locked or blocked acct to be reset from the UI (shown on slide 5)
  • This slide is included as many users are not sure of where such text will be displayed. Of course the field can be used for things other than legal notices and can be usefully used to identify what multiple appliances are being used for; especially useful for admins that have to login to a number. Note also that the Foundation Version and Appliance Name are displayed bottom right; it is good practise to set a reasonable Appliance Name.
  • If the user has followed best practise of *not* using the system account for general use they shouldn’t get to this situation. Note also that it is important that the CLI password is treated as a high level password and not general known.
  • Optionally you may wish to complete the labs that have been prepared to accompany this module. Please download the lab zip file that should be available where you accessed this module. Make sure you have access to a running appliance before attempting the labs. It is best to use the training demo VA provided as it is set up to work with the labs. You may need to review tutorial material in order to work out the solutions.
  • Addmi 06-security mgmt

    1. 1. Security Management User Administration and System Security
    2. 2. Security Management Outline <ul><li>User Management </li></ul><ul><ul><li>Users </li></ul></ul><ul><ul><li>Groups </li></ul></ul><ul><ul><li>Account and password management </li></ul></ul><ul><li>LDAP Authentication </li></ul><ul><ul><li>Uses </li></ul></ul><ul><ul><li>Typical Configuration </li></ul></ul><ul><li>Security Policy </li></ul><ul><ul><li>Login page </li></ul></ul><ul><ul><li>Auditing </li></ul></ul><ul><li>Security at the CLI </li></ul>
    3. 3. User Management
    4. 4. Security Administration: Overview <ul><li>Administration > Security </li></ul><ul><li>User management </li></ul><ul><li>Authentication setup and management </li></ul><ul><li>View active sessions </li></ul><ul><li>UI audit log searching </li></ul>
    5. 5. Security Administration: Adding Users <ul><li>Set the username and password </li></ul><ul><li>Select groups to assign to users </li></ul><ul><li>Permissions are additive </li></ul>
    6. 6. Security Administration: Managing Users <ul><li>Unlock, unblock, deactivate, delete, edit and set a new password </li></ul>
    7. 7. Security Administration: Default Groups <ul><li>Default groups: </li></ul><ul><li>admin </li></ul><ul><li>appmodel </li></ul><ul><li>cmdb-export-administrator </li></ul><ul><li>discovery </li></ul><ul><li>public </li></ul><ul><li>readonly </li></ul><ul><li>system </li></ul><ul><li>unlocker </li></ul>
    8. 8. Security Administration: Adding Groups <ul><li>Can make custom groups </li></ul><ul><li>Choose a name for the group </li></ul><ul><li>Select the permissions to add to the group </li></ul>
    9. 9. LDAP Integration
    10. 10. LDAP Why Use It? <ul><li>Configuring a large number of Atrium Discovery UI users can be tedious and error prone </li></ul><ul><li>Most organisations already have a LDAP capable authentication system </li></ul>
    11. 11. LDAP Authentication Requirements <ul><li>Supported LDAP Capabilities and Systems </li></ul><ul><ul><li>Official support for Microsoft AD and SunONE DS </li></ul></ul><ul><ul><li>Also will work with other LDAP servers (eg Novell) </li></ul></ul><ul><ul><li>May (optionally) support client side certificate authentication </li></ul></ul><ul><li>Commissioning Tasks </li></ul><ul><ul><li>Configure Foundation’s connection to your LDAP system </li></ul></ul><ul><ul><li>Map LDAP defined groups to Atrium Discovery groups </li></ul></ul>
    12. 12. LDAP User Configuration <ul><li>Administration ->LDAP ->LDAP </li></ul><ul><li>Setup the connection: </li></ul><ul><ul><li>Server URI: Specify server name and port eg ldap:// </li></ul></ul><ul><ul><li>Bind Username/Password </li></ul></ul>
    13. 13. LDAP Search Configuration <ul><li>Search Base </li></ul><ul><ul><li>Where in the directory to start searching for users </li></ul></ul><ul><li>Search Template </li></ul><ul><ul><li>Search “query” to find a user node given the username entered on the Atrium Discovery login screen </li></ul></ul>
    14. 14. LDAP Group Configuration <ul><li>Group Mode </li></ul><ul><ul><li>Select Microsoft Active Directory, SunONE Directory Server or Other as appropriate for your LDAP server </li></ul></ul><ul><li>If Other is chosen you will need to provide further configuration </li></ul><ul><ul><li>Refer to our online documentation </li></ul></ul>
    15. 15. LDAP Configuration: Example
    16. 16. LDAP Group Mapping (1) <ul><li>Without Group Mapping the appliance will expect the users in the LDAP directory to be assigned to LDAP Groups that exactly match the default groups </li></ul><ul><li>Much more convenient to map existing LDAP Groups to the appliance groups </li></ul>admin public admin public TWF LDAP admin public root users all
    17. 17. LDAP Group Mapping (2) <ul><li>Administration ->LDAP -> Group Mapping </li></ul>
    18. 18. Security Policy
    19. 19. Security Policy: Accounts and Passwords <ul><li>Admin > Security Policy > Accts & Passwords </li></ul><ul><li>Change setting to suit customer policies </li></ul>
    20. 20. Security Policy: Login Page Configuration <ul><li>Admin > Security Policy > Login Page </li></ul>
    21. 21. Security Policy: Plain Login Page <ul><li>Used if your organization requires a plain unbranded login screen </li></ul><ul><li>Any Legal Notice text will still be displayed </li></ul>
    22. 22. Security Policy: Login Page Legal Notice <ul><li>Used if your organization requires a legal notice displayed to users prior to login </li></ul>
    23. 23. Security Administration: Active Sessions <ul><li>Administration > Security > Active Sessions </li></ul><ul><li>Monitor who is currently using the appliance </li></ul><ul><li>Good Practise to check this page before restarting </li></ul>
    24. 24. Security Administration: Audit <ul><li>Administration > Security > Audit > Audit Logs </li></ul><ul><li>Search audit logs </li></ul><ul><ul><li>Logins </li></ul></ul><ul><ul><li>Actions </li></ul></ul><ul><ul><li>Configuration Changes </li></ul></ul><ul><ul><li>Search queries </li></ul></ul><ul><ul><li>etc </li></ul></ul><ul><li>Use the form to help narrow the search </li></ul>
    25. 25. UI Accounts at the CLI
    26. 26. Security Warning <ul><li>The appliance CLI accounts should be treated as a root level account </li></ul><ul><ul><li>Keep knowledge of the password to a minimum of people </li></ul></ul><ul><ul><li>Comply with your organisation’s policy on root or super user passwords </li></ul></ul><ul><ul><li>Change the password when people leave the team </li></ul></ul>
    27. 27. Unlocking the system account <ul><li>The ‘system’ account can become locked with the default settings and you may end up with no other admin level account to unlock it </li></ul><ul><li>The ‘system’ account can be unlocked from the CLI </li></ul><ul><ul><li>Login to the Appliance CLI as the user ‘tideway’ </li></ul></ul><ul><ul><li>Run ‘tw_upduser --active system’ </li></ul></ul>
    28. 28. <ul><li>Online Documentation: </li></ul><ul><ul><li> </li></ul></ul>Further Information Tideway Foundation Version 7.2 Documentation Title
    29. 29. <ul><li>OpenLDAP Online Documentation: </li></ul><ul><ul><li> </li></ul></ul>Further Information Tideway Foundation Version 7.2 Documentation Title
    30. 30. Security Management Exercises