Important

Starting with version 8.9.03, BMC Server Automation is renamed TrueSight Server Automation. This space contains information about BMC Server Automation 8.9.02 and earlier versions. For TrueSight Server Automation 8.9.03 and later releases, see TrueSight Server Automation 8.9.

System capabilities related to security

This topic describes the capabilities of the BMC Server Automation system that can be used for security purposes. It includes the following sections:

  • Authentication profiles
  • Environment variables
  • Keytab files
  • RBAC role selection
  • Single sign-on session credentials

Authentication profiles

To facilitate single sign-on, BMC Server Automation clients use authentication profiles, which are collections of information that a BMC Server Automation client application needs to log into the BMC Server Automation Authentication Service.

About authentication profiles

An authentication profile identifies the following:

  • Application Server host name
  • Listening port for the Authentication Service hosted by the Application Server
  • Authentication protocol: SRP, LDAP, SecurID, PKI, AD/Kerberos, or Domain Authentication
  • Information specific to individual authentication protocols, such as the distinguished name template for LDAP

A user can define multiple authentication profiles. For example, an organization might employ three instances of BMC Server Automation — one for Operations, one for QA, and one for Development. If a user wants to connect to all three from the same client application, he or she would need three different authentication profiles, each pointing to a different instance of BMC Server Automation. In another example, if a user plans to log into the Application Server using various authentication mechanisms, he or she would need an authentication profile for each mechanism.

For BMC BladeLogic Decision Support for Server Automation, users do not define authentication profiles. Instead, when logging on, users simply specify an authentication type. Each reports server always accesses the same Authentication Service, so a user does not have to specify an Application Server or listening port.

Using authentication profiles

When a user launches a BMC Server Automation client application (except BMC BladeLogic Decision Support for Server Automation), he or she must specify an authentication profile. The client application looks in its cache of session credentials to determine if it holds a current credential that was acquired under the conditions defined by the authentication profile. Each authentication profile specifies an Application Server hosting an Authentication Service, the port used to access the Authentication Service, and an authentication mechanism. If a cached session credential includes information matching these specifications, the client application establishes a connection to the service listed in the session credential. If the client application does not possess an appropriate session credential, the BMC Server Automation Console prompts the user to log into the Authentication Service identified by the specified authentication profile. In Network Shell or BLCLI, establishment of the client/server session is aborted if the session credential cache does not contain a session credential matching the requirements specified in the authentication profile. The BLCLI or Network Shell user can use the BMC Server Automation Console or the blcred utility to obtain and cache the appropriate SSO session credential.

The BMC Server Automation Console provides a dialog box that allows users to add or delete authentication profiles as well as select an authentication profile for the purpose of logging in. The blcred utility also can be used to add or delete authentication profiles. The BMC Server Automation command line applications provide various options for identifying an authentication profile by name. The following table summarizes these options. Note that BMC BladeLogic Decision Support for Server Automation does not require authentication profiles so it is not listed in the table.

  • BMC Server Automation Console: logon dialog box
  • Network Shell (in proxy mode): environment variable BL_AUTH_PROFILE_NAME, which takes precedence over the secure file setting auth_profile
  • BLCLI: command line option -v <authenticationProfileName>, which takes precedence over the environment variable BL_AUTH_PROFILE_NAME

For more information about setting up authentication profiles for the BMC Server Automation Console, see the Setting up an authentication profile. For more information about using blcred, see Using the blcred utility. For more information about using environment variables, see Environment variables.

Authentication profiles are stored in a single XML file. Within that file, each authentication profile must have a unique name. The XML file resides at a default location, but you can modify that location, as described in Setting override locations for client SSO files.


Environment variables

BMC Server Automation provides environment variables that can be used to pass configuration data to the command line client applications (BLCLI and Network Shell) and the blcred utility. BLCLI and blcred also provide command line options for providing the same data. The command line options take precedence over environment variable settings.

To set an environment variable, use a procedure like the following. On UNIX, in a Bourne-style shell, write the path with forward slashes: an unquoted backslash is an escape character, so a value typed as \bladelogic_alt\bl_sesscc does not reach the client as written.

% BL_SSO_CRED_CACHE_FILE=<userHomeDirectory>/bladelogic_alt/bl_sesscc
% export BL_SSO_CRED_CACHE_FILE

On Windows, at a Command Prompt:

C:\> set BL_SSO_CRED_CACHE_FILE=<userHomeDirectory>\bladelogic_alt\bl_sesscc

The following table details the environment variables that can be used with single sign-on functionality.

  • BL_SSO_TRUSTED_CERT_KEYSTORE_FILE: location of the file storing trusted certificates (for more information, see Trusted keystore)
  • BL_RBAC_ROLE: RBAC role to assume for the session (see RBAC role selection)
  • BL_SSO_CRED_CACHE_FILE: location of the session credential cache file (see Session credential cache file)
  • BL_AUTH_PROFILES_FILE: location of the file containing authentication profile definitions (see Authentication profile file)
  • BL_AUTH_PROFILE_NAME: authentication profile to use when authenticating (see Using authentication profiles)


Keytab files

If you are using SRP authentication, keytab files are useful when running unattended automation scripts that make use of Network Shell proxy services or make calls to the BLCLI. Keytab files provide the blcred utility with long-term user credentials that can be used to authenticate a user.

For single sign-on, BMC Server Automation only supports a keytab file for SRP authentication. The SRP keytab file is called user_info.dat. For instructions about setting up user_info.dat, see Generating a user information file.

Note that BMC Server Automation also employs a keytab file for its AD/Kerberos implementation. Procedures for the AD/Kerberos implementation explain the use of a keytab file in that context.

Keytab files hold long-term credentials: anyone who can read user_info.dat can authenticate as that user without knowing the password. Restrict the file to the account that runs the unattended scripts, with no group or world access, and treat it with the same care as the password it stands in for.
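The following is an added example, not code from BMC Server Automation or the blcred utility: a pre-flight check that an unattended script can run before handing a keytab such as user_info.dat to blcred. The policy it enforces (a regular file, not a symlink, owned by the running user, with no group or other permission bits) is this example's own reading of "tightly controlled", not a requirement stated by BMC, and the sample file it builds contains constructed dummy bytes, not a real keytab. It is POSIX-only.

```python
"""Added example, not part of BMC Server Automation: a pre-flight check an
unattended script can run before handing a keytab such as user_info.dat to
blcred. The policy enforced (regular file, not a symlink, owned by the
running user, no group or other permission bits) is this example's own rule
for "tightly controlled", not a requirement stated by BMC. POSIX only."""
import os
import stat
import tempfile


def keytab_is_protected(path, uid=None):
    """Return (ok, reason) for the keytab at path."""
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(path)                # lstat: a symlink pointing at the keytab is refused
    except OSError as exc:
        return False, "cannot stat keytab: %s" % exc
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != uid:
        return False, "owned by uid %d, expected %d" % (st.st_uid, uid)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False, "mode %04o grants group or other access" % stat.S_IMODE(st.st_mode)
    return True, "ok"


def make_sample_keytab(mode):
    """Constructed sample file for demonstration; the contents are dummy bytes, not a real keytab."""
    fd, path = tempfile.mkstemp(prefix="user_info.", suffix=".dat")
    os.write(fd, b"constructed keytab contents\n")
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Walk a few permission modes: only owner-only (0600) passes.
    for mode in (0o644, 0o660, 0o600):
        p = make_sample_keytab(mode)
        print("%04o -> %s" % (mode, keytab_is_protected(p)))
        os.remove(p)
```

Run the check immediately before blcred reads the keytab and abort the job on a failure; a keytab that has become group- or world-readable is a credential leak, not a configuration nit.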

RBAC role selection

When a session is established, a user must be assigned to an RBAC role. If a user is authorized for only one role, he or she is assigned to that role after logging into an application. If a user is authorized for multiple roles, the user can interactively select a role while logging into a BMC Server Automation client application. When using Network Shell or BLCLI, the role can be specified through an environment variable. Network Shell also provides a command called chrole, which lets you change roles after a Network Shell session is established.

When a user is authorized for multiple roles, BMC Server Automation command line applications can specify a role using a command line option or an environment variable. The following table summarizes the options available to specifying a role.

  • BMC Server Automation Console: GUI dialog box, shown if the user is authorized for multiple roles
  • BLCLI: command line option -r <roleName>, which takes precedence over the environment variable BL_RBAC_ROLE; otherwise an interactive prompt on the command line
  • Network Shell (in proxy mode): environment variable BL_RBAC_ROLE; otherwise an interactive prompt on the command line


Single sign-on session credentials

When an Authentication Service authenticates a user, it issues a session credential to the client application. The BMC Server Automation Console lets users choose to cache session credentials. The blcred utility always caches any session credential it obtains from the Authentication Service.

BMC Server Automation clients use session credentials to establish secure sessions with Application Servers and Network Shell proxy servers.

A session credential contains the following information:

  • BMC Server Automation user name
  • Protocol used to authenticate user: SRP, LDAP, SecurID, AD/Kerberos, or Domain Authentication
  • Service URL, which identifies the Authentication Service that issued the session credential, its host address, and its port.
  • Expiration time for session credential
  • Maximum lifetime for session credential
  • Client system's IP address
  • Authorized roles for user
  • Service URLs of BMC Server Automation services that the credential can be used to access, such as Application Services and Network Shell Proxy Services. Each of these URLs specifies the type of service, its host address, and its port.

Session credentials are digitally signed by the issuing Authentication Service. A BMC Server Automation service, upon being presented with a session credential, verifies the digital signature to ensure the credential's authenticity and integrity before relying on any of its contents. SSO session credentials are cached in a file on the client host, and BMC Server Automation relies on system access controls to restrict access to the session credential cache. Anyone who can read that file holds a credential that is valid, for the roles and services it lists and until it expires, from the client address recorded in it, so the cache file deserves the same protection as a keytab. The session credential cache file resides at a default location, but you can modify that location, as described in Setting override locations for client SSO files.

On both Windows and UNIX, the credential cache can hold a maximum of one session credential at any time. This restriction will be relaxed in a future release. File system access controls only allow the user for whom the credential was issued to access the credential cache.
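The following is an added example, not code from BMC Server Automation. It models, in one place, three checks described on this page: the client's cache lookup against an authentication profile (Using authentication profiles), BLCLI-style RBAC role resolution (RBAC role selection), and the service-side validation of a session credential built from the fields listed above. Everything concrete in it is assumed rather than taken from the product: the JSON field names, the URL forms "AS://host:port" for the Authentication Service and "APPSVC://" and "NSHPROXY://" for services, the host names, ports and user names, and HMAC-SHA256 standing in for the Authentication Service's digital signature (a real service verifies an asymmetric signature, over the same canonical bytes, with the same ordering of checks).

```python
"""Added example; not code from BMC Server Automation. Models the client-side
cache lookup against an authentication profile, the service-side validation of
a session credential, and BLCLI-style RBAC role resolution. Assumed, not from
the page: field names, the "AS://", "APPSVC://" and "NSHPROXY://" URL forms,
and HMAC-SHA256 as a stand-in for the Authentication Service's signature."""
import hashlib
import hmac
import json
import os

AUTH_SERVICE_KEY = b"constructed-authentication-service-key"  # stand-in for the signing key


def _signed_bytes(cred):
    # Canonical encoding: the signature must cover exactly the bytes the verifier recomputes.
    return json.dumps(cred, sort_keys=True, separators=(",", ":")).encode()


def issue_credential(key, user, protocol, as_host, as_port, client_ip, roles,
                     services, now, lifetime=3600, max_lifetime=8 * 3600):
    """Authentication Service side: build the fields the text lists and sign them."""
    cred = {
        "user": user,
        "protocol": protocol,                      # SRP, LDAP, SecurID, AD/Kerberos, ...
        "auth_service_url": "AS://%s:%d" % (as_host, as_port),
        "expires": now + lifetime,                 # expiration time
        "max_lifetime": now + max_lifetime,        # absolute cap, even if the credential is renewed
        "client_ip": client_ip,
        "roles": list(roles),                      # authorized roles for the user
        "services": list(services),                # service URLs the credential may be presented to
    }
    sig = hmac.new(key, _signed_bytes(cred), hashlib.sha256).hexdigest()
    return {"cred": cred, "sig": sig}


def verify_credential(key, token, service_url, client_ip, now):
    """Service side. Signature first: nothing in the credential is trusted until integrity holds."""
    cred = token["cred"]
    expected = hmac.new(key, _signed_bytes(cred), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return False, "bad signature"
    if now >= cred["max_lifetime"]:
        return False, "maximum lifetime exceeded"
    if now >= cred["expires"]:
        return False, "expired"
    if cred["client_ip"] != client_ip:
        return False, "client IP mismatch"
    if service_url not in cred["services"]:
        return False, "credential not issued for this service"
    return True, "ok"


def matches_profile(token, profile):
    """Client side: a cached credential is reusable only if it was issued by the
    Authentication Service the profile names (host and port) over the same mechanism."""
    cred = token["cred"]
    return (cred["auth_service_url"] == "AS://%s:%d" % (profile["host"], profile["port"])
            and cred["protocol"] == profile["protocol"])


def resolve_role(token, cli_role=None, env=None):
    """BLCLI precedence: -r option, then BL_RBAC_ROLE, then the only authorized role.
    Returns None when an interactive prompt is needed (several roles, none chosen)."""
    env = os.environ if env is None else env
    roles = token["cred"]["roles"]
    requested = cli_role or env.get("BL_RBAC_ROLE")
    if requested is not None:
        if requested not in roles:
            raise PermissionError("role %r not authorized for %s" % (requested, token["cred"]["user"]))
        return requested
    return roles[0] if len(roles) == 1 else None


if __name__ == "__main__":
    # Constructed sample: one user, two roles, two services, issued at t = 1000000.
    t = 1000000
    tok = issue_credential(AUTH_SERVICE_KEY, "jdoe", "SRP", "bl-app01", 9841, "10.0.0.25",
                           ["BLAdmins", "Operators"],
                           ["APPSVC://bl-app01:9841", "NSHPROXY://bl-app01:9842"], t)
    print(verify_credential(AUTH_SERVICE_KEY, tok, "APPSVC://bl-app01:9841", "10.0.0.25", t + 60))
    print(matches_profile(tok, {"host": "bl-app01", "port": 9841, "protocol": "SRP"}))
    print(resolve_role(tok, env={"BL_RBAC_ROLE": "Operators"}))
```

The order of checks in verify_credential is the point worth copying: integrity before anything else, then the absolute lifetime cap before the renewable expiry, then the binding checks (client address, target service). A credential that fails the signature check tells you nothing reliable about who it belongs to, so it is rejected without looking further.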

Unlike other BMC Server Automation system components, the reports server does not cache the session credential on the client's system. Each time a user logs into the reports server from a browser, the user provides data required for authentication. The reports server relays this information to the Authentication Service and obtains a session credential for the user. The reports server can potentially hold the user's session credential even after the user's connection with the reports server terminates. This allows users to schedule recurring report jobs. BMC BladeLogic Decision Support for Server Automation can automatically renew the user's session credential without requiring the user to re-authenticate.
