Active Directory security transport types


Active Directory supports several transport methods for protecting user credentials (userid and password) in transit: SSL, SASL, a combination of SSL and SASL, or no transport security at all. Each is described below.

Note

The certificate trust policy (defined in the SSL Security Certificate Management screen of the Security Configuration tool) is independent of the security transport type (defined in the Active Directory Delegate Input screen of the Security Configuration tool).

SSL transport

SSL (and its successor, TLS) is an industry standard protocol for the secure transfer of data. In this case the data includes the initial user authentication, in which users are verified by the exchange of a userid and password, as well as the transfer of user information, such as user rights and properties.

With SSL, the data in transit is encrypted and cannot be read by a third party. SSL also verifies the identity of the server (the Active Directory Domain Controller) by means of security certificates. When TrueSight Middleware and Transaction Monitor contacts the Domain Controller, the Domain Controller presents its security certificate, which is then checked against the set of certificates held in the keystore. If the certificate does not match, the connection is rejected, unless the trust policy has been set to allow any certificate. Note that encryption alone does not protect against an impostor Domain Controller; that protection comes entirely from the certificate check.

When setting up SSL, you must supply TrueSight Middleware and Transaction Monitor with a copy of the security certificate of each domain controller, or with the CA certificate that issued the certificates for those controllers. You can also capture the SSL security certificates during configuration and use them later during operations.

SASL transport

SASL is an industry standard authentication framework that allows a user to be authenticated securely without the user's password being sent over the network. It does this with a challenge-response exchange: during the initial connection to the Domain Controller, the Domain Controller generates a random string (a token) and sends it to TrueSight Middleware and Transaction Monitor, which encrypts the token with the user's password and returns the result to the Domain Controller. The Domain Controller encrypts the same token with its own copy of the user's password and compares its result with what it received. If the two match, the user's identity is confirmed and the Domain Controller allows the connection to continue. Because the token is random and differs for every connection, a captured response cannot be replayed later.

Although SASL secures the exchange of user credentials (userid and password), it does not protect the user information exchanged after that point (user rights and properties). That traffic is encrypted only if SSL is used as well (see SASL and SSL transport).

Use of SASL in the Domain Controller depends on the Domain Controller holding a copy of the user's password, not just a one-way hash of it. To this end, the Active Directory administrator must configure all TrueSight Middleware and Transaction Monitor users with "reversible password encryption." Two consequences of this setting matter in practice: a password is stored reversibly only when it is set or changed after the setting is enabled, so existing users must reset their password before SASL binds will succeed for them; and a reversibly stored password can be recovered by anyone able to read the directory database, so enable the setting only for the accounts that need it rather than domain-wide. With SASL, Domain Controller names must be defined in DNS and must match either the service principal name (SPN) or the fully qualified domain name (FQDN) of the domain controller, which is the default for most Active Directory configurations. If your configuration does not follow this convention, contact your Active Directory Network Administrator for assistance.
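The challenge-response exchange described above, with both the client (TrueSight) and the Domain Controller side in one process, as an added example. This is illustrative code written for this page, not BMC's or Microsoft's implementation: the HMAC-SHA256 construction, the account names and the passwords are assumptions, and the sample directory is constructed inline. It shows the three points the text makes: the password never appears on the wire, a random per-connection token defeats replay, and an account whose password the Domain Controller holds only as a one-way hash (no reversible encryption) cannot be authenticated this way even with the correct password.

```python
import hashlib
import hmac
import secrets

# Constructed sample directory data (not real accounts). The service account is
# stored the way the SASL transport needs it: the Domain Controller keeps a copy
# of the password itself ("reversible password encryption"). The second account
# keeps only a one-way hash, as an ordinary AD account would.
DIRECTORY = {
    "tsmtm-svc": {"secret": "S3cret-Pa55", "reversible": True},
    "alice": {"secret": hashlib.sha256(b"Winter2024!").hexdigest(), "reversible": False},
}

_OUTSTANDING_TOKENS = set()   # tokens the DC has issued but not yet consumed
WIRE = []                     # every message a network observer could capture


def dc_challenge() -> bytes:
    """Domain Controller side: issue a fresh random token for this bind."""
    token = secrets.token_bytes(16)
    _OUTSTANDING_TOKENS.add(token)
    WIRE.append(("dc->client", token))
    return token


def client_response(password: str, token: bytes) -> bytes:
    """Client side: combine the token with the password.

    The page describes this as encrypting the token with the password; a keyed
    hash (HMAC here, an assumption of this example) is the usual construction.
    Only the result crosses the wire, never the password.
    """
    response = hmac.new(password.encode(), token, hashlib.sha256).digest()
    WIRE.append(("client->dc", response))
    return response


def dc_verify(userid: str, token: bytes, response: bytes) -> bool:
    """Domain Controller side: recompute the response and compare."""
    if token not in _OUTSTANDING_TOKENS:
        return False              # unknown or already consumed token: replay
    _OUTSTANDING_TOKENS.discard(token)
    entry = DIRECTORY.get(userid)
    if entry is None or not entry["reversible"]:
        # Without the password itself the DC cannot recompute the expected
        # response, so the bind fails even when the user typed it correctly.
        return False
    expected = hmac.new(entry["secret"].encode(), token, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def sasl_bind(userid: str, password: str) -> bool:
    """One complete exchange, both sides in this process."""
    token = dc_challenge()
    return dc_verify(userid, token, client_response(password, token))


def password_on_wire(password: str) -> bool:
    """True if the password bytes appear verbatim in any captured message."""
    return any(password.encode() in msg for _, msg in WIRE)
```

Running sasl_bind("tsmtm-svc", "S3cret-Pa55") succeeds, the same call with a wrong password fails, and sasl_bind("alice", "Winter2024!") fails despite the correct password because alice's account is not stored reversibly. Feeding a captured token and response back into dc_verify a second time also fails, which is what the random token buys. Nothing in this exchange protects the LDAP traffic that follows the bind; that is the gap the SASL and SSL option closes.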

Some older Domain Controllers might not support SASL. Verify that the Domain Controllers used by TrueSight Middleware and Transaction Monitor are at the required release and service pack levels.

SASL and SSL transport

The SASL and SSL transport method combines both protocols: SASL authenticates the user without sending the password, and SSL encrypts everything that follows and verifies the identity of the Domain Controller. It therefore requires both SSL security certificates and the use of reversible password encryption.

Note that Microsoft has issued several fixes for SASL+SSL for their Domain Controllers. Ensure that you apply all fixes to your Domain Controllers.

No transport security

When no transport security is used, information sent between TrueSight Middleware and Transaction Monitor and the Active Directory Domain Controller is not encrypted, and the userid and password cross the network in the clear. For security reasons BMC does not recommend this option unless the traffic runs through an IPsec or other encrypted tunnel implemented at the network layer by a third party. Contact BMC Support before deploying with no transport security.

Note

When you select Allow any SSL Security Certificates in the SSL Security Certificate Management screen of the Security Configuration tool, a policy of "trustAll" is set; when you select either of the other options (Capture Current Set of SSL Certificates or Import Certificate from your Active Directory Administrator), a policy of "trustNone" is set.
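What the two trust policies mean for the certificate check described under SSL transport and in the note above, expressed as a standard TLS client configuration for an LDAPS connection. This is an added example written for this page using Python's standard ssl module, not BMC's code; the policy names come from the note, while the function names, the cafile argument (standing in for the keystore) and port 636 are assumptions of the example.

```python
import ssl
import warnings
from typing import Optional


def build_ldaps_context(policy: str, cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client-side TLS configuration for an LDAPS (636/tcp) bind.

    "trustNone": accept only a certificate that chains to the CA certificates
    loaded from cafile (the role the keystore plays) and whose name matches the
    Domain Controller being contacted.
    "trustAll": accept any certificate. Traffic is still encrypted, but the
    connecting side can no longer tell a real Domain Controller from an
    impostor, so this is the option to avoid in operations.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if policy == "trustNone":
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
        if cafile is not None:
            ctx.load_verify_locations(cafile=cafile)
    elif policy == "trustAll":
        warnings.warn("trustAll: Domain Controller identity is not verified",
                      RuntimeWarning, stacklevel=2)
        ctx.check_hostname = False   # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    else:
        raise ValueError(f"unknown trust policy: {policy!r}")
    return ctx


def describe_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise what the context will actually check, for audit output."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verifies_hostname": ctx.check_hostname,
    }


def capture_dc_certificate(host: str, port: int = 636) -> str:
    """Fetch the Domain Controller's certificate as PEM text, the equivalent of
    'Capture Current Set of SSL Certificates'. Do this once over a path you
    trust, store the result in the keystore, and connect with trustNone from
    then on; capturing afresh on every connection would be trustAll under
    another name."""
    return ssl.get_server_certificate((host, port))
```

describe_policy(build_ldaps_context("trustNone")) reports that both the certificate chain and the hostname are verified; for "trustAll" it reports neither. The capture helper needs network access to a Domain Controller and is included to show where the captured certificate fits: it is input to the keystore, not a substitute for it.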
