Authentication is the process of verifying the identity claimed by a system entity. Often that entity is a user, but in some situations the entity is a service. For example, when a user starts the BMC Server Automation Console, he or she must authenticate with the BMC Server Automation Authentication Service (one of the services hosted by a BMC Server Automation Application Server) before establishing a client/server session. On the other hand, when an Application Server establishes an authenticated connection with an agent, the identity to be verified is the server hosting the Application Service.
BMC Server Automation uses different approaches for authentication, depending on the communication leg. For communication between most client tier applications (the BMC Server Automation Console, Network Shell, or BLCLI) and middle tier applications (Application Server or Network Shell proxy server), BMC Server Automation employs a two-step process.
- First, client users authenticate with the Authentication Service and acquire a BMC Server Automation single sign-on (SSO) session credential.
- Then the client uses that session credential to establish an application session with middle tier services.
Written into the session credential are service URLs, which are the identities and addresses of the Application Services and Network Shell Proxy Services that can be accessed using the session credential. For more information about single sign-on, see Single sign-on.
BMC Server Automation client applications can cache SSO session credentials obtained from the Authentication Service, allowing client users to re-establish new application sessions without re-authenticating. In this way a user's context can easily be passed between BMC Server Automation client applications.
For example, a user can launch the BMC Server Automation Console and authenticate. If the user's session credential is cached and the credential has not expired, the user can then exit the console and start a BLCLI session without authenticating again.
For any entity that communicates directly with agents-including Network Shell clients that access agents without going through a Network Shell proxy server-authentication relies on the TLS protocol's support for client authentication using client-side X.509 certificates.
Be aware of the following documentation conventions:
- BMC Server Automation supports both transport layer security (TLS) and its predecessor, SSL. For the sake of simplicity, this site refers only to TLS.
- When Network Shell connects to a Network Shell proxy server, this site refers to that state as Network Shell operating in proxy mode.
Authentication for different communication legs
Authentication can be configured differently for the various communication legs within the BMC Server Automation system. For more information, see Security for different communication legs.
More information on authentication
For more conceptual information on authentication, see the following topics: