Configuring the Active Directory security mode with the Security Configuration tool
TrueSight Middleware and Transaction Monitor provides the following forms of security for user authentication:
- Internal Security – provided by an internal directory server.
- Active Directory Delegate Mode Security – combines Active Directory Authentication (user identification and password checking) and Internal LDAP authorization.
You can run the Security Configuration tool during installation or later from the command line, and the wizard works on either a GUI console or a text-only console. The tool can be run only while the TMTM services are stopped.
Note
The Active Directory Only mode (also known as Legacy mode) security configuration that was available in earlier versions of the product is no longer supported for new installations or upgrades.
Before you begin
- The securityconfig tool requires access to TCP ports 389 (LDAP) and 636 (LDAPS) on the Active Directory domain controllers.
- If, for example, you use segregated VLANs, TMTM might not be on the same network segment as the domain controllers; additional network configuration might then be needed so that TMTM can reach them.
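A pre-flight check for the port prerequisite above, as an added example that is not part of the product documentation or the securityconfig tool: it attempts a TCP connection to the LDAP and LDAPS ports on each domain controller name you pass in, so you can hand the network team a precise list of what is blocked before running the wizard. The host names are placeholders you supply; the `open_local_listener` helper exists only so the check can be exercised against a loopback socket.

```python
"""Pre-flight reachability check for Active Directory domain controllers.

Added example (not part of TMTM). It only tests that a TCP handshake completes
on the LDAP/LDAPS ports named in the prerequisites; it does not bind or
authenticate, so it needs no credentials.
"""
import socket
import sys
from contextlib import closing

# Ports named in the "Before you begin" prerequisites.
LDAP_PORTS = {389: "LDAP", 636: "LDAPS"}


def check_tcp(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:
        # DNS failure, refused, filtered/timeout: all mean "not reachable".
        return False


def check_domain_controllers(hosts, ports=LDAP_PORTS, timeout=3.0):
    """Map each host to {port: reachable?} for every port in `ports`."""
    return {host: {port: check_tcp(host, port, timeout) for port in ports}
            for host in hosts}


def unreachable(results):
    """Flatten results into the (host, port) pairs that failed."""
    return [(host, port)
            for host, ports in results.items()
            for port, ok in ports.items() if not ok]


def open_local_listener():
    """Helper for self-testing: listen on an ephemeral loopback port.

    Returns (server_socket, port). Close the socket to simulate a filtered DC.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python dc_check.py dc1.example.test dc2.example.test
    # (host names are placeholders; use your own domain controllers)
    hosts = sys.argv[1:] or ["dc1.example.test"]
    results = check_domain_controllers(hosts)
    for host, ports in results.items():
        for port, ok in ports.items():
            print(f"{host}:{port} ({LDAP_PORTS.get(port, '?')}) "
                  f"{'reachable' if ok else 'BLOCKED'}")
    missing = unreachable(results)
    sys.exit(1 if missing else 0)
```

Run it from the TMTM host, since that is where securityconfig will make the same connections; a non-zero exit means at least one host/port pair must be opened before the wizard can query the domain controllers.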
Delegate Mode Security considerations
For Delegate Mode Security the following information is needed:
Information | Notes |
---|---|
The Active Directory Domain Name | This information should be readily available from the Active Directory Administrator. |
The network ports on which to run the internal LDAP server. | The default ports are 15008 for LDAP and 15011 for LDAPS. |
Active Directory Security Transport Type | The type of Active Directory communications. You can choose from SSL, SASL, or SSL and SASL. Both SSL and SASL require some configuration by the Active Directory Network Administrator. |
Base Active Directory Fully Qualified Domain Name | The base Active Directory Fully Qualified Domain Name, if different than the Active Directory domain used (i.e., if the Domain to be used is a sub-domain). |
TSMA administrator credentials | The user must exist and the password must match that in Active Directory. |
Common Name (CN) Credentials | The common name of a user which can read entries in the directory. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
LDAP User Search Base | The base DN from which searches for user information occurs. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
LDAP User Search Filter | The search filter used to identify users. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
LDAP Users Search Filter | The search filter used to find users within the directory. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
LDAP User Name Attribute | This is used to identify the text to use as the username. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
LDAP Group Search Base | This is the base DN used to search for groups. Groups should be somewhere down the sub tree rooted by this DN. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
LDAP Group Search Filter | This is the search filter expression used to find groups by name. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
LDAP Group Member Search Filter | This is the search filter expression used to determine members of groups. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
LDAP Groups Search Filter | This is the search filter expression that returns group names. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
LDAP Group Name Attribute | This is the attribute that represents the name of a group. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
LDAP Group Member Attribute | This is the attribute that represents a member of a group. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
LDAP Max Nested Group Recursion Level | Limits the amount of recursion used to find nested groups. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as TMTM. |
The type of domain controller list specification | When more than one domain controller is explicitly or implicitly listed, the priority is automatically managed based on domain controller response times. |
Certificates | If using SSL, a set of security certificates might be needed to verify the Domain Controller. The security certificates can be configured in several ways (see the certificate-handling step in the procedure below). A password for the security certificate keystore is also required. |
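The group rows of the table (search bases, member attribute, name attribute and the nested-group recursion limit) are easiest to understand by watching them work together. The following is an added example, not product code: it runs the lookups an authorization step performs (find the user's DN, then walk group membership up to a maximum nesting level) against a small directory constructed in memory. The attribute names (`sAMAccountName`, `cn`, `member`), the DNs and the meaning of recursion level 0 as "direct groups only" are assumptions for the illustration, not values taken from the product.

```python
"""Illustration of the LDAP group settings used by Delegate Mode authorization.

Added example (not TMTM code). The directory is a constructed in-memory stand-in
for Active Directory; names and attributes are assumptions.
"""

# Assumed values for the table's attribute settings.
USER_NAME_ATTRIBUTE = "sAMAccountName"   # "LDAP User Name Attribute"
GROUP_NAME_ATTRIBUTE = "cn"              # "LDAP Group Name Attribute"
GROUP_MEMBER_ATTRIBUTE = "member"        # "LDAP Group Member Attribute"

USER_BASE = "OU=Users,DC=example,DC=test"    # "LDAP User Search Base"
GROUP_BASE = "OU=Groups,DC=example,DC=test"  # "LDAP Group Search Base"

ALICE_DN = "CN=alice," + USER_BASE
OPS_DN = "CN=ops," + GROUP_BASE
ADMINS_DN = "CN=admins," + GROUP_BASE
EVERYONE_DN = "CN=everyone," + GROUP_BASE
LOOP_DN = "CN=loop," + GROUP_BASE

# Constructed directory: DN -> attributes. alice -> ops -> admins -> everyone,
# plus a deliberate cycle (admins <-> loop) that a naive walk would never leave.
DIRECTORY = {
    ALICE_DN: {"objectClass": ["user"], USER_NAME_ATTRIBUTE: ["alice"]},
    OPS_DN: {"objectClass": ["group"], "cn": ["ops"], "member": [ALICE_DN]},
    ADMINS_DN: {"objectClass": ["group"], "cn": ["admins"],
                "member": [OPS_DN, LOOP_DN]},
    EVERYONE_DN: {"objectClass": ["group"], "cn": ["everyone"],
                  "member": [ADMINS_DN]},
    LOOP_DN: {"objectClass": ["group"], "cn": ["loop"], "member": [ADMINS_DN]},
}


def under_base(dn, base):
    """True if dn lies in the subtree rooted at base (case-insensitive)."""
    return dn.lower().endswith("," + base.lower())


def find_user_dn(username, user_base=USER_BASE):
    """Stand-in for the LDAP User Search Filter, e.g.
    (&(objectClass=user)(sAMAccountName=<username>)) scoped to the search base.
    Returns the matching DN or None."""
    for dn, entry in DIRECTORY.items():
        if (under_base(dn, user_base)
                and "user" in entry.get("objectClass", [])
                and username in entry.get(USER_NAME_ATTRIBUTE, [])):
            return dn
    return None


def groups_containing(member_dn, group_base=GROUP_BASE):
    """Stand-in for the LDAP Group Member Search Filter: groups under the
    group search base whose member attribute lists member_dn."""
    return [(dn, entry) for dn, entry in DIRECTORY.items()
            if under_base(dn, group_base)
            and "group" in entry.get("objectClass", [])
            and member_dn in entry.get(GROUP_MEMBER_ATTRIBUTE, [])]


def effective_groups(user_dn, group_base=GROUP_BASE, max_nested_level=0):
    """Names of all groups the user belongs to, directly or through nesting.

    max_nested_level plays the role of "LDAP Max Nested Group Recursion Level":
    0 = direct groups only, 1 = groups of those groups, and so on (assumed
    semantics). A visited set stops cycles regardless of the limit.
    """
    names = {}
    seen = {user_dn}
    frontier = [user_dn]
    for _level in range(max_nested_level + 1):
        next_frontier = []
        for member_dn in frontier:
            for gdn, entry in groups_containing(member_dn, group_base):
                if gdn in seen:
                    continue  # already expanded: breaks the admins<->loop cycle
                seen.add(gdn)
                names[gdn] = entry[GROUP_NAME_ATTRIBUTE][0]
                next_frontier.append(gdn)
        if not next_frontier:
            break
        frontier = next_frontier
    return sorted(names.values())


if __name__ == "__main__":
    dn = find_user_dn("alice")
    for level in (0, 1, 2, 50):
        print(f"recursion level {level:>2}: {effective_groups(dn, max_nested_level=level)}")
```

Two points the walk makes visible: the recursion limit bounds how much of the nested hierarchy contributes to authorization (too low and a user in a nested group is silently denied), and the visited set, not the limit, is what protects against cyclic group memberships.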
To configure Active Directory Delegate Mode security
From the command line, go to the TMTM installation directory, and type:
securityconfig
The securityconfig wizard opens and displays a welcome message, followed by a dialog box requesting the type of security configuration wanted. If the security type has already been set, that type is displayed as the default, which you can override.
- Select Active Directory Security, and click Next.
- Select Active Directory (Delegate Mode), enter the Active Directory Domain Name, select either SSL, SASL, or SSL/SASL, and enter port numbers to be used for the internal LDAP server, and then click Next.
- The security configuration wizard then queries an Active Directory Domain Controller (which might take a few seconds) and displays the base Active Directory Fully Qualified Domain Name that the controller returned. If required, you can change the name displayed. Then click Next.
- You are prompted to enter the TSMA Administrator user credentials. Enter a user and password. Click Next.
- You may be prompted to enter the CN credentials. Enter a CN and password. Click Next.
- You may be prompted to review and alter TSMA security settings. You may use the substitution values to avoid repeating text string or you may enter the full values. When the values have been modified to your satisfaction, click Next.
- You are prompted to choose how to select the list of Domain Controllers. Select from Automatic Configuration, Choose From a List of Generated Domain Controllers, or Specify Domain Controllers. Then click Next.
- In the displayed list of Domain Controllers, select the relevant Controllers, and then click Next. (If you chose to specify the Domain Controllers yourself, you now need to enter their names, separated by spaces.)
- Define how you would like to handle Active Directory Domain Controller security certificates by selecting one of the following:
  - Capture Current Set of SSL Certificates. If you select this option, the security config wizard takes a few moments (depending on the length of the list and response times) to query each domain controller. You also need to update the certificates in the keystore file manually if your domain controller certificates are revoked.
  - Import Certificate from your Active Directory Administrator. If you select this option, you are prompted to enter one or more security certificate file names and certificate aliases. Enter an alias (a name for documentary purposes) for the certificate and the location of the certificate file, and then click Next.
  - Allow any SSL Security Certificates. If you select this option, you need to manually import any Active Directory certificates required into the TSMA truststore.
Note
If this is a new installation, you are prompted for the new keystore password. Enter the password, and click Next to continue. The product cannot connect to the domain controllers using expired certificates. If the certificates in use expire (the default validity is one year), you must renew them using the Security Configuration tool.
- Review the verification of the security settings, as shown in the following image, and then click Next.
- In the Configuration Review screen, verify the information is correct and click Next.
At this point, the service.cfg file is re-written with changes reflecting your configuration decisions.
- Click Done to exit the wizard.
To configure Internal security
From the command line, go to the TMTM installation directory, and type:
securityconfig
The securityconfig wizard opens and displays a welcome message, followed by a dialog box requesting the type of security configuration wanted. If the security type has already been set, that type is displayed as the default, which you can override.
- Select Internal Security, and click Next.
- Enter a port number to be used for the internal LDAP server, and click Next to display the Configuration Review screen.
- After reviewing the information, click Next. The service.cfg file is re-written with changes reflecting your configuration decisions.
- Click Done to exit the wizard.