Configuring the Active Directory security mode with the Security Configuration tool

TrueSight Middleware and Transaction Monitor provides the following forms of security for user authentication:

  • Internal Security – provided by an internal directory server.
  • Active Directory Delegate Mode Security – combines Active Directory Authentication (user identification and password checking) and Internal LDAP authorization.

You can run the Security Configuration tool (securityconfig) during installation or later from the command line, and you can run the wizard on either a GUI console or a text-only console. The tool can only be run while the TMTM services are stopped.

Note

The Active Directory Only mode (also known as Legacy mode) security configuration that was available in earlier versions of the product is no longer supported for new installations or upgrades.

Before you begin

  • The securityconfig tool requires access to TCP ports 389 (LDAP) and 636 (LDAPS) on the Active Directory domain controllers.
  • If TMTM is on a segregated VLAN, for example, it may not be on the same network segment as the domain controllers. Additional firewall or routing configuration may then be needed so that the domain controllers are reachable on those ports.

Delegate Mode Security considerations

For Delegate Mode Security the following information is needed:

Information – Notes

  • The Active Directory Domain Name – This should be readily available from the Active Directory administrator.
  • The network ports on which to run the internal LDAP server – The default ports are 15008 for LDAP and 15011 for LDAPS.
  • Active Directory Security Transport Type – The type of Active Directory communications. You can choose from SSL, SASL, or SSL and SASL. Both SSL and SASL require some configuration by the Active Directory network administrator.
  • Base Active Directory Fully Qualified Domain Name – The base Active Directory fully qualified domain name, if different from the Active Directory domain used (that is, if the domain to be used is a sub-domain).
  • TSMA administrator credentials – The user must exist in Active Directory and the password must match the one held there.

The following LDAP values are not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM:

  • Common Name (CN) Credentials – The common name and password of a user that can read entries in the directory.
  • LDAP User Search Base – The base DN from which searches for user information start.
  • LDAP User Search Filter – The search filter used to identify a user.
  • LDAP Users Search Filter – The search filter used to find users within the directory.
  • LDAP User Name Attribute – The attribute whose value is used as the user name.
  • LDAP Group Search Base – The base DN used to search for groups. Groups should be somewhere in the sub-tree rooted at this DN.
  • LDAP Group Search Filter – The search filter expression used to find groups by name.
  • LDAP Group Member Search Filter – The search filter expression used to determine the members of a group.
  • LDAP Groups Search Filter – The search filter expression that returns group names.
  • LDAP Group Name Attribute – The attribute that holds the name of a group.
  • LDAP Group Member Attribute – The attribute that holds a member of a group.
  • LDAP Max Nested Group Recursion Level – Limits how deeply nested group membership is followed. Active Directory allows groups to be nested to arbitrary depth, so the limit bounds the work done to resolve a user's effective groups.
The type of domain controller list specification – One of the following:
  • Automatic – The list of Domain Controllers is discovered automatically (recommended).
  • Choose from a list – The list of Domain Controllers is discovered automatically and you select which Domain Controllers to use.
  • Specify a list – Type or paste a space-delimited list of Domain Controllers.

When more than one domain controller is listed, explicitly or implicitly, their priority is managed automatically based on domain controller response times.

Certificates – If using SSL, a set of security certificates might be needed to verify the Domain Controller. The security certificates can be configured in the following ways:
  • Capture the current set of security certificates. With this option, the securityconfig tool connects to each Domain Controller and saves the certificate it presents; future connections are verified against these captured certificates. This is a trust-on-first-use scheme: it protects later connections, but nothing verifies the Domain Controller at capture time, so a rogue host answering for a newly discovered Domain Controller would be captured and trusted. Run the capture from a network position you trust and compare the captured certificates with the ones your Active Directory administrator expects.
  • Import security certificates. This option lets the Active Directory network administrator supply certificates from your certificate authority, so Domain Controllers are verified against a known issuer rather than against whatever was first seen.
  • Allow any SSL connection, ignoring the server's identity. The connection is still encrypted, but because no certificate is verified, any host that answers as a Domain Controller is accepted, including a man-in-the-middle. This configuration is the least secure, but the easiest to install.

Password for the security certificate keystore. 

  • During an upgrade, the keystore password from the previous installation is used. 
  • During a new installation, the new keystore password is requested. Keep this password in a safe place for future reference.
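Before running the wizard, a practitioner usually wants to confirm that the ports listed under "Before you begin" are open and to see which certificate each Domain Controller actually presents, since the "capture" option trusts whatever it sees. The following Python script is an added example, not part of TMTM or of the securityconfig tool: it checks TCP 389 and 636, captures the LDAPS certificate the way the capture option does, prints its SHA-256 fingerprint and expiry, and maps the three certificate options onto their TLS verification settings. The host names passed on the command line and the use of the openssl binary for the expiry read-out are assumptions.

```python
"""Pre-flight checks around the securityconfig certificate choices.

Added example, not part of TMTM or BMC's tooling. It checks the ports
listed under "Before you begin", captures a domain controller's LDAPS
certificate the way the "capture" option does, and maps the three
certificate options onto their TLS meaning. Host names come from the
command line (assumption); the openssl binary is only needed for the
expiry read-out.
"""
import hashlib
import socket
import ssl
import subprocess
import sys
import time

LDAP_PORT, LDAPS_PORT = 389, 636


def port_reachable(host, port, timeout=3.0):
    """TCP reachability for the ports the tool needs on each DC."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_context(mode, cafile=None):
    """What each wizard option means in TLS terms.

    import  - trust only certificates chaining to the imported CA file.
    capture - trust-on-first-use: nothing is verified at capture time;
              later connections are checked by fingerprint (pin_matches).
    any     - no server authentication: the session is encrypted, but a
              man-in-the-middle holding any certificate is accepted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # hostname + chain checks on
    if mode == "import":
        if not cafile:
            raise ValueError("import mode needs the CA certificate file")
        ctx.load_verify_locations(cafile=cafile)
    elif mode in ("capture", "any"):
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    else:
        raise ValueError(f"unknown certificate mode {mode!r}")
    return ctx


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint (same form as openssl -fingerprint)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der, expected_fingerprint):
    """The check a captured certificate implies on every later connection."""
    return sha256_fingerprint(der) == expected_fingerprint.upper()


def capture_certificate(host, port=LDAPS_PORT, timeout=5.0):
    """Connect without verification and record the leaf certificate (DER)."""
    ctx = tls_context("capture")
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def not_after(der):
    """notAfter as printed by openssl, e.g. 'Jun 10 12:00:00 2025 GMT'."""
    pem = ssl.DER_cert_to_PEM_cert(der)
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                         input=pem, capture_output=True, text=True, check=True)
    return out.stdout.strip().split("=", 1)[1]


def seconds_to_expiry(not_after_text, now=None):
    """Seconds left before notAfter; negative means the DC certificate has
    expired, and the product cannot connect with an expired certificate."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(not_after_text) - now


if __name__ == "__main__":
    # Usage: python dc_preflight.py dc1.corp.example.com dc2.corp.example.com
    for host in sys.argv[1:]:
        for port in (LDAP_PORT, LDAPS_PORT):
            print(f"{host}:{port} reachable: {port_reachable(host, port)}")
        if port_reachable(host, LDAPS_PORT):
            der = capture_certificate(host)
            print(f"  sha256 {sha256_fingerprint(der)}")
            print(f"  expires in {seconds_to_expiry(not_after(der)) / 86400:.0f} days")
```

Compare the printed fingerprint with the one your Active Directory administrator reports for that Domain Controller before you let the wizard capture it, and note the expiry date: a pinned certificate that is renewed or expires will stop the product connecting until the keystore is updated.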

To configure Active Directory Delegate Mode security

  1. From the command line, go to the TMTM installation directory, and type: securityconfig

    The securityconfig wizard opens and displays a welcome message, followed by a dialog box requesting the type of security configuration wanted. If the security type has already been set, that type is displayed as the default, which you can override.

  2. Select Active Directory Security, and click Next. 
  3. Select Active Directory (Delegate Mode), enter the Active Directory Domain Name, select SSL, SASL, or SSL/SASL, enter the port numbers to be used for the internal LDAP server, and then click Next.


  4. The security configuration wizard then queries an Active Directory Domain Controller (which might take a few seconds) and displays the base Active Directory Fully Qualified Domain Name that the controller returned. If required, you can change the name displayed. Then click Next.
  5. You are prompted to enter the TSMA Administrator user credentials. Enter a user and password. Click Next.
  6. You may be prompted to enter the CN credentials.  Enter a CN and password. Click Next.
  7. You may be prompted to review and alter the TSMA security settings. You can use the substitution values to avoid repeating text strings, or you can enter the full values. When the values have been modified to your satisfaction, click Next.
  8. You are prompted to choose how to select the list of Domain Controllers. Select from Automatic Configuration, Choose From a List of Generated Domain Controllers, or Specify Domain Controllers. Then click Next.
  9. In the displayed list of Domain Controllers (if you chose to specify the list of Domain Controllers, you now need to enter their names, separated by spaces), select the relevant Controllers, and then click Next.
  10. Define how you would like to handle Active Directory Domain Controller security certificates by selecting one of the following:

    Capture Current Set of SSL Certificates
    (If you select this option, the security config wizard takes a few moments (depending on the length of the list and response times) to query each domain controller. Because later connections are checked against the captured certificates, you also need to update the certificates in the keystore file manually if your domain controller certificates are renewed or revoked.)

    Import Certificate from your Active Directory Administrator
    (If you select this option, you are prompted to enter one or more security certificate file names and certificate aliases; enter an alias (a name for documentary purposes) for each certificate and the location of the certificate file, and then click Next.)

    Note

    If this is a new installation, you are prompted for the new keystore password (enter the password, and click Next to continue).
    The product cannot connect to the domain controllers using expired certificates. If the certificates in use expire (the default validity is one year), you must renew them accordingly using the Security Configuration tool.

    Allow any SSL Security Certificates
    (If you select this option, the domain controller's certificate is not verified; you will need to manually import any Active Directory certificates required into the TSMA truststore.)

  11. Review the verification of the security settings, as shown in the following image, and then click Next.


  12. In the Configuration Review screen, verify the information is correct and click Next.
    At this point, the service.cfg file is re-written with changes reflecting your configuration decisions.
  13. Click Done to exit the wizard.
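The user and group search settings reviewed in step 7 decide which directory entry a login maps to and which groups it is granted, and the Max Nested Group Recursion Level decides how far group-in-group membership is followed. The script below is an added example, not TMTM code, that walks through exactly that resolution against a small constructed directory: a tiny filter evaluator stands in for a real LDAP server (it supports only an AND of equality terms), the settings dictionary, the {0} substitution placeholder, the directory contents and the attribute names are assumptions modelled on a typical Active Directory layout, and the directory deliberately contains two groups that are members of each other so you can see the recursion limit and cycle handling do their job. It also shows RFC 4515 escaping of the substituted value, which is what keeps a user name containing `)` or `*` from changing the filter's structure.

```python
"""Resolve a login to its effective groups using Delegate Mode style LDAP
search settings, against a constructed in-memory directory.

Added example, not TMTM code: the small filter evaluator stands in for a
real LDAP server and supports only an AND of equality terms. The settings,
the {0} placeholder, the directory contents and the attribute names are
assumptions modelled on a typical Active Directory layout.
"""
import re

# Constructed directory: DN -> attributes (multi-valued, as in LDAP).
# "ops" and "everyone" contain each other; Active Directory allows that.
DIRECTORY = {
    "CN=alice,OU=Users,DC=corp,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["alice"]},
    "CN=mq-admins,OU=Groups,DC=corp,DC=example,DC=com": {
        "objectClass": ["group"], "cn": ["mq-admins"],
        "member": ["CN=alice,OU=Users,DC=corp,DC=example,DC=com"]},
    "CN=ops,OU=Groups,DC=corp,DC=example,DC=com": {
        "objectClass": ["group"], "cn": ["ops"],
        "member": ["CN=mq-admins,OU=Groups,DC=corp,DC=example,DC=com",
                   "CN=everyone,OU=Groups,DC=corp,DC=example,DC=com"]},
    "CN=everyone,OU=Groups,DC=corp,DC=example,DC=com": {
        "objectClass": ["group"], "cn": ["everyone"],
        "member": ["CN=ops,OU=Groups,DC=corp,DC=example,DC=com"]},
}

# Assumed values for the wizard settings listed in the table above.
SETTINGS = {
    "user_search_base": "OU=Users,DC=corp,DC=example,DC=com",
    "user_search_filter": "(&(objectClass=user)(sAMAccountName={0}))",
    "group_search_base": "OU=Groups,DC=corp,DC=example,DC=com",
    "group_member_search_filter": "(&(objectClass=group)(member={0}))",
    "group_name_attribute": "cn",
    "max_nested_group_recursion": 3,
}

TERM = re.compile(r"\(([A-Za-z0-9.-]+)=([^()]*)\)")


def escape_filter_value(value):
    """RFC 4515 escaping: a substituted name or DN containing ( ) * or a
    backslash must not be able to change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m[1], 16)), value)


def parse_filter(flt):
    """(attribute, value) pairs from '(a=b)' or '(&(a=b)(c=d))'."""
    body = flt[2:-1] if flt.startswith("(&") else flt
    terms = TERM.findall(body)
    if not terms or "".join(f"({a}={v})" for a, v in terms) != body:
        raise ValueError(f"unsupported filter: {flt}")
    return terms


def search(base, flt):
    """DNs in the subtree under base satisfying every term (case-insensitive,
    as the common Active Directory attributes are)."""
    terms = [(a.lower(), unescape_filter_value(v).lower()) for a, v in parse_filter(flt)]
    hits = []
    for dn, attrs in DIRECTORY.items():
        lowered = {k.lower(): [x.lower() for x in vs] for k, vs in attrs.items()}
        if dn.lower().endswith("," + base.lower()) and all(
                val in lowered.get(attr, []) for attr, val in terms):
            hits.append(dn)
    return hits


def find_user_dn(username, settings=SETTINGS):
    """First step of a login: the user search filter must match one entry."""
    flt = settings["user_search_filter"].replace("{0}", escape_filter_value(username))
    hits = search(settings["user_search_base"], flt)
    if len(hits) != 1:
        raise LookupError(f"expected one entry for {username!r}, got {hits}")
    return hits[0]


def effective_groups(user_dn, settings=SETTINGS):
    """Direct groups, then their parents, and so on: level 0 is direct
    membership only. The recursion limit and the seen-set together stop
    the walk on the ops <-> everyone cycle."""
    names, seen, frontier = [], set(), [user_dn]
    for _level in range(settings["max_nested_group_recursion"] + 1):
        next_frontier = []
        for member_dn in frontier:
            flt = settings["group_member_search_filter"].replace(
                "{0}", escape_filter_value(member_dn))
            for group_dn in search(settings["group_search_base"], flt):
                if group_dn.lower() in seen:
                    continue  # cycle or diamond: already counted
                seen.add(group_dn.lower())
                names.append(DIRECTORY[group_dn][settings["group_name_attribute"]][0])
                next_frontier.append(group_dn)
        if not next_frontier:
            break
        frontier = next_frontier
    return names
```

Calling `effective_groups(find_user_dn("alice"))` with the settings above returns mq-admins, ops and everyone; lowering `max_nested_group_recursion` to 0 returns only the direct group, which is the trade-off the wizard's recursion level setting makes between completeness of group resolution and the number of directory searches per login.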

To configure Internal security

  1. From the command line, go to the TMTM installation directory, and type: securityconfig

    The securityconfig wizard opens and displays a welcome message, followed by a dialog box requesting the type of security configuration wanted. If the security type has already been set, that type is displayed as the default, which you can override. 

  2. Select Internal Security, and click Next. 
  3. Enter a port number to be used for the internal LDAP server, and click Next to display the Configuration Review screen. 
  4. After reviewing the information, click Next. The service.cfg file is re-written with changes reflecting your configuration decisions. 
  5. Click Done to exit the wizard.

