System capabilities related to security
This topic describes the capabilities of the BMC Server Automation system that can be used for security purposes.
To facilitate single sign-on, BMC Server Automation clients use authentication profiles, which are collections of information that a BMC Server Automation client application needs to log into the BMC Server Automation Authentication Service.
About authentication profiles
An authentication profile identifies the following:
- Application Server host name
- Listening port for the Authentication Service hosted by the Application Server
- Authentication protocol: SRP, LDAP, SecurID, PKI, AD/Kerberos, or Domain Authentication
- Information specific to individual authentication protocols, such as the distinguished name template for LDAP
A user can define multiple authentication profiles. For example, an organization might employ three instances of BMC Server Automation — one for Operations, one for QA, and one for Development. If a user wants to connect to all three from the same client application, he or she would need three different authentication profiles, each pointing to a different instance of BMC Server Automation. In another example, if a user plans to log into the Application Server using various authentication mechanisms, he or she would need an authentication profile for each mechanism.
For BMC BladeLogic Decision Support for Server Automation, users do not define authentication profiles. Instead, when logging on, users simply specify an authentication type. Each reports server always accesses the same Authentication Service, so a user does not have to specify an Application Server or listening port.
Using authentication profiles
When a user launches a BMC Server Automation client application (except BMC BladeLogic Decision Support for Server Automation), he or she must specify an authentication profile. The client application looks in its cache of session credentials to determine if it holds a current credential that was acquired under the conditions defined by the authentication profile. Each authentication profile specifies an Application Server hosting an Authentication Service, the port used to access the Authentication Service, and an authentication mechanism. If a cached session credential includes information matching these specifications, the client application establishes a connection to the service listed in the session credential. If the client application does not possess an appropriate session credential, the BMC Server Automation Console prompts the user to log into the Authentication Service identified by the specified authentication profile. In Network Shell or BLCLI, establishment of the client/server session is aborted if the session credential cache does not contain a session credential matching the requirements specified in the authentication profile. The BLCLI or Network Shell user can use the BMC Server Automation Console or the blcred utility to obtain and cache the appropriate SSO session credential.
The BMC Server Automation Console provides a dialog box that allows users to add or delete authentication profiles, as well as select an authentication profile for the purpose of logging in. The blcred utility can also be used to add or delete authentication profiles. The BMC Server Automation command line applications provide various options for identifying an authentication profile by name. The following table summarizes these options. Note that BMC BladeLogic Decision Support for Server Automation does not require authentication profiles, so it is not listed in the table.
| Application | Mechanisms to identify authentication profile | Precedence |
|---|---|---|
| BMC Server Automation Console | logon dialog box | |
| Network Shell (in proxy mode) | environment variable: BL_AUTH_PROFILE_NAME | Takes precedence over secure file setting |
| | secure file setting: auth_profile | |
| BLCLI | command line option | Takes precedence over environment variable |
| | environment variable: BL_AUTH_PROFILE_NAME | |
For more information about setting up authentication profiles for the BMC Server Automation Console, see Setting up an authentication profile. For more information about using blcred, see Using the blcred utility. For more information about using environment variables, see Environment variables.
Authentication profiles are stored in a single XML file. Within that file, each authentication profile must have a unique name. The XML file resides at a default location, but you can modify that location, as described in Setting override locations for client SSO files.
BMC Server Automation provides environment variables that can be used to pass configuration data to the command line client applications (BLCLI and Network Shell) and the blcred utility. BLCLI and blcred also provide command line options for providing the same data. The command line options take precedence over environment variable settings.
To set an environment variable, use a command like the following (the path shown is a placeholder; substitute the location you want to use):
% export BL_SSO_CRED_CACHE_FILE=/path/to/credential_cache_file
The following table details the environment variables that can be used with single sign-on functionality. Two variable names were not captured on this page and are shown as placeholders.
| Environment variable | Description |
|---|---|
| (variable name not captured on this page) | Specifies location of file storing trusted certificates |
| BL_RBAC_ROLE | Specifies RBAC role |
| BL_SSO_CRED_CACHE_FILE | Specifies location of session credential cache file |
| (variable name not captured on this page) | Provides location of file containing authentication profile definitions |
| BL_AUTH_PROFILE_NAME | Identifies authentication profile to use when authenticating |
If you are using SRP authentication, keytab files are useful when running unattended automation scripts that make use of Network Shell proxy services or make calls to the BLCLI. Keytab files provide the blcred utility with long-term user credentials that can be used to authenticate a user.
For single sign-on, BMC Server Automation only supports a keytab file for SRP authentication. The SRP keytab file is called user_info.dat. For instructions about setting up user_info.dat, see Generating a user information file.
Note that BMC Server Automation also employs a keytab file for its AD/Kerberos implementation. Procedures for the AD/Kerberos implementation explain the use of a keytab file in that context.
Because of their sensitive nature, access to keytab files should be tightly controlled.
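The page asks that access to keytab files be tightly controlled and, later, that file system access controls restrict the session credential cache to the user it was issued for. The following added example (not part of the BMC documentation or product) is a small POSIX check a practitioner can run against user_info.dat or the credential cache to confirm that: it flags group/other permission bits, a different owner, a symbolic link in place of a regular file, and a world-writable parent directory. The `demo()` helper creates constructed sample files in a private scratch directory; the file names are illustrative and the contents are not real keytab data.

```python
import os
import stat
import tempfile


def check_private_file(path: str) -> list:
    """Return a list of findings for a file that must be readable only by its owner,
    such as the SRP keytab (user_info.dat) or the SSO session credential cache.
    An empty list means the file passed every check. Assumes a POSIX file system;
    the mode-bit checks have no meaning on Windows."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: file does not exist"]
    if stat.S_ISLNK(st.st_mode):
        # A link can be repointed by whoever controls it; report it, then check the target
        findings.append(f"{path}: is a symbolic link; check who controls it and its target")
        st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{path}: not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: group/other permission bits set (mode {mode:04o}); expected 0600 or 0400")
    if st.st_uid != os.geteuid():
        findings.append(f"{path}: owned by uid {st.st_uid}, not the current user (uid {os.geteuid()})")
    # The directory matters as well: whoever can write it can replace or rename the file
    parent = os.path.dirname(os.path.abspath(path))
    pmode = stat.S_IMODE(os.stat(parent).st_mode)
    if (pmode & stat.S_IWOTH) and not (pmode & stat.S_ISVTX):
        findings.append(f"{parent}: directory is world-writable without the sticky bit")
    return findings


def demo() -> dict:
    """Create a private scratch directory holding one correctly protected file and one
    that is group/world readable (constructed sample files, not real credentials),
    and return the findings for each."""
    scratch = tempfile.mkdtemp(prefix="sso-file-check-")   # mkdtemp creates it with mode 0700
    good = os.path.join(scratch, "user_info.dat")
    bad = os.path.join(scratch, "credential_cache")
    for p, mode in ((good, 0o600), (bad, 0o644)):
        with open(p, "w") as f:
            f.write("constructed sample content, not a real keytab\n")
        os.chmod(p, mode)
    return {"good": check_private_file(good), "bad": check_private_file(bad)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

Run it from the account that owns the files; the owner check compares against the effective uid of the process, which is also the user whose cache file the page says must be the only one able to read it.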
RBAC role selection
When a session is established, a user must be assigned to an RBAC role. If a user is authorized for only one role, he or she is assigned to that role after logging into an application. If a user is authorized for multiple roles, the user can interactively select a role while logging into a BMC Server Automation client application. When using Network Shell or BLCLI, the role might be specified through an environment variable. Network Shell also provides a command called chrole, which lets you change roles after a Network Shell session is established.
When a user is authorized for multiple roles, BMC Server Automation command line applications can specify a role using a command line option or an environment variable. The following table summarizes the options available for specifying a role.
| Application | Mechanisms to specify a role | Precedence |
|---|---|---|
| BMC Server Automation Console | GUI dialog box, if multiple roles are defined | |
| BLCLI | interactive prompts from command line dialog box | |
| | command line option | Takes precedence over environment variable |
| | environment variable: BL_RBAC_ROLE | |
| Network Shell (in proxy mode) | interactive prompts from command line dialog box | |
| | environment variable: BL_RBAC_ROLE | |
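The two tables on this page (authentication profile selection and role selection) each describe a precedence order, and an unattended script that authenticates with the wrong profile or lands in the wrong role is usually a precedence problem. The following added example (not BMC code) encodes both orders as a resolver that also reports which mechanism won, so a script can log it before calling blcred or BLCLI. It assumes the Network Shell secure file has already been parsed into a key/value mapping and that BLCLI's command line option (whose name is not given on this page) is passed in as `cli_option`; an empty or whitespace-only environment variable is treated as unset, which is the case most often missed.

```python
import os
from typing import Mapping, NamedTuple, Optional

PROFILE_ENV = "BL_AUTH_PROFILE_NAME"        # variable names from the tables on this page
ROLE_ENV = "BL_RBAC_ROLE"
SECURE_FILE_PROFILE_KEY = "auth_profile"    # Network Shell secure file setting


class Resolved(NamedTuple):
    value: Optional[str]   # profile or role name; None means nothing was supplied
    source: str            # which mechanism won, for troubleshooting scripts


def _env_value(env: Mapping[str, str], name: str) -> Optional[str]:
    """An unset, empty or whitespace-only variable counts as 'not set'."""
    raw = env.get(name)
    return raw.strip() if raw and raw.strip() else None


def resolve_auth_profile(app: str, cli_option: Optional[str] = None,
                         env: Optional[Mapping[str, str]] = None,
                         secure_file: Optional[Mapping[str, str]] = None) -> Resolved:
    """Apply the precedence rules for identifying an authentication profile.
    app is 'blcli' or 'nsh' (Network Shell in proxy mode). secure_file holds the
    already-parsed settings of the Network Shell secure file (assumed here to be a
    plain key/value mapping); BLCLI does not consult it."""
    env = os.environ if env is None else env
    secure_file = secure_file or {}
    if app == "blcli":
        if cli_option:
            return Resolved(cli_option, "command line option")
        if (v := _env_value(env, PROFILE_ENV)) is not None:
            return Resolved(v, f"environment variable {PROFILE_ENV}")
    elif app == "nsh":
        if (v := _env_value(env, PROFILE_ENV)) is not None:
            return Resolved(v, f"environment variable {PROFILE_ENV}")
        if secure_file.get(SECURE_FILE_PROFILE_KEY):
            return Resolved(secure_file[SECURE_FILE_PROFILE_KEY],
                            f"secure file setting {SECURE_FILE_PROFILE_KEY}")
    else:
        raise ValueError(f"unknown application: {app!r}")
    return Resolved(None, "not set")


def resolve_role(app: str, cli_option: Optional[str] = None,
                 env: Optional[Mapping[str, str]] = None) -> Resolved:
    """Apply the precedence rules for selecting an RBAC role. Only BLCLI has a
    command line option; a result of None means the application would fall back
    to its interactive prompt."""
    env = os.environ if env is None else env
    if app == "blcli" and cli_option:
        return Resolved(cli_option, "command line option")
    if app in ("blcli", "nsh"):
        if (v := _env_value(env, ROLE_ENV)) is not None:
            return Resolved(v, f"environment variable {ROLE_ENV}")
        return Resolved(None, "not set; application prompts interactively")
    raise ValueError(f"unknown application: {app!r}")


if __name__ == "__main__":
    # Constructed inputs: the environment names a QA profile while the secure file
    # names a Development profile. For Network Shell the environment wins.
    env = {PROFILE_ENV: "qa-profile", ROLE_ENV: "BLAdmins"}
    print(resolve_auth_profile("nsh", env=env, secure_file={"auth_profile": "dev-profile"}))
    print(resolve_auth_profile("blcli", cli_option="prod-profile", env=env))
    print(resolve_role("nsh", env={ROLE_ENV: "   "}))
```

Logging `Resolved.source` alongside the value gives an audit line for unattended jobs that explains which profile and role a run actually used.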
Single sign-on session credentials
When an Authentication Service authenticates a user, it issues a session credential to the client application. The BMC Server Automation Console lets users choose to cache session credentials. The blcred utility always caches any session credential it obtains from the Authentication Service.
BMC Server Automation clients use session credentials to establish secure sessions with Application Servers and Network Shell proxy servers.
A session credential contains the following information:
- BMC Server Automation user name
- Protocol used to authenticate user: SRP, LDAP, SecurID, AD/Kerberos, or Domain Authentication
- Service URL, which identifies the Authentication Service that issued the session credential, its host address, and its port.
- Expiration time for session credential
- Maximum lifetime for session credential
- Client system's IP address
- Authorized roles for user
- Service URLs of BMC Server Automation services that the credential can be used to access, such as Application Services and Network Shell Proxy Services. Each of these URLs specifies the type of service, its host address, and its port.
Session credentials are digitally signed by the issuing Authentication Service. A BMC Server Automation service, upon being presented with a session credential, verifies the digital signature to ensure the credential's authenticity and integrity. SSO session credentials are cached in a file on the client host. BMC Server Automation relies on system access controls to restrict access to the session credential cache. The session credential cache file resides at a default location, but you can modify that location, as described in Setting override locations for client SSO files.
On both Windows and UNIX, the credential cache can hold a maximum of one session credential at any time. This restriction will be relaxed in a future release. File system access controls only allow the user for whom the credential was issued to access the credential cache.
Unlike other BMC Server Automation system components, the reports server does not cache the session credential on the client's system. Each time a user logs into the reports server from a browser, the user provides data required for authentication. The reports server relays this information to the Authentication Service and obtains a session credential for the user. The reports server can potentially hold the user's session credential even after the user's connection with the reports server terminates. This allows users to schedule recurring report jobs. BMC BladeLogic Decision Support for Server Automation can automatically renew the user's session credential without requiring the user to re-authenticate.
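The credential fields listed above, the signature check a service performs before honouring a presented credential, and the renewal the reports server performs within the credential's maximum lifetime can all be shown in one small model. The following is an added example, not BMC's implementation or wire format: the service URLs, user, addresses and timestamps are constructed, and a keyed HMAC stands in for the Authentication Service's digital signature so the example runs with the standard library alone (a real deployment signs with a private key and verifies with the service's certificate). The order of checks is the point: nothing in the body is trusted until the signature has been verified.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Stand-in for the Authentication Service's signing key (constructed, not a real secret).
SIGNING_KEY = b"constructed-demo-signing-key"
AUTH_SERVICE_URL = "service:authsvc://appserver.example.test:9840"   # constructed


def _canonical(body: dict) -> bytes:
    # Sign a canonical encoding so that field order cannot change the signature
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _sign(body: dict) -> str:
    return hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()


def issue_credential(user: str, protocol: str, client_ip: str, roles: list,
                     service_urls: list, issued_at: int, lifetime: int, max_lifetime: int) -> dict:
    """Build and sign a session credential carrying the fields listed on this page."""
    body = {
        "user": user,
        "protocol": protocol,
        "auth_service_url": AUTH_SERVICE_URL,
        "expires_at": issued_at + lifetime,
        "max_lifetime_ends": issued_at + max_lifetime,
        "client_ip": client_ip,
        "roles": list(roles),
        "service_urls": list(service_urls),
    }
    return {"body": body, "signature": _sign(body)}


def verify_credential(cred: dict, service_url: str, client_ip: str,
                      role: str, now: int) -> Tuple[bool, str]:
    """Checks a service performs before honouring a presented credential.
    The signature is verified first; until then no field in the body is trusted."""
    body = cred["body"]
    if not hmac.compare_digest(_sign(body), cred.get("signature", "")):
        return False, "signature mismatch: altered or not issued by this Authentication Service"
    if now >= body["expires_at"] or now >= body["max_lifetime_ends"]:
        return False, "credential expired"
    if client_ip != body["client_ip"]:
        return False, "presented from a different client address than it was issued to"
    if service_url not in body["service_urls"]:
        return False, "credential does not authorize access to this service"
    if role not in body["roles"]:
        return False, "user is not authorized for the requested role"
    return True, "ok"


def renew_credential(cred: dict, now: int, lifetime: int) -> Optional[dict]:
    """Renewal in the style the reports server performs it: extend the expiry of a
    still-valid credential, never past its maximum lifetime, and re-sign it.
    Returns None when the credential cannot be renewed."""
    body = dict(cred["body"])
    if not hmac.compare_digest(_sign(body), cred.get("signature", "")):
        return None
    if now >= body["expires_at"] or now >= body["max_lifetime_ends"]:
        return None
    body["expires_at"] = min(now + lifetime, body["max_lifetime_ends"])
    return {"body": body, "signature": _sign(body)}


if __name__ == "__main__":
    # Constructed values, not a real credential
    svc = "service:appsvc://appserver.example.test:9841"
    cred = issue_credential("jdoe", "SRP", "192.0.2.10", ["BLAdmins"], [svc], 1000, 600, 3600)
    print(verify_credential(cred, svc, "192.0.2.10", "BLAdmins", 1100))
    cred["body"]["roles"].append("RBACAdmins")   # altering the cached file is caught by the signature check
    print(verify_credential(cred, svc, "192.0.2.10", "RBACAdmins", 1100))
```

The renewal path is why the maximum lifetime field exists separately from the expiration time: a recurring report job can keep extending the expiry, but only up to the ceiling fixed when the credential was issued, after which the user must authenticate again.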