×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')
BMC TrueSight IT Data Analytics 11.0 ... Planning Security considerations

Security planning

The product architecture handles and provides security at various levels, as described in the following sections:

Related topics

Configuring a secured connection

Architecture

Data transfer

The product can securely transfer data:

  • Between various product components
  • From product components to external system components. External systems include all products integrated with TrueSight IT Data Analytics (or IT Data Analytics) and PATROL for IT Data Analytics. For more information about the supported external systems, see Integrating.

Data flow

When encrypted
Browser to IT Data Analytics serverWhen HTTPS is configured in the IT Data Analytics server
Console Server to Collection Station
CLI to IT Data Analytics serverWhen HTTPS is configured in the IT Data Analytics server and in the CLI client
IT Data Analytics server to Search componentWhen HTTPS is configured in the Search component and the IT Data Analytics server client
Collection Agent to Collection StationWhen HTTPS is configured in Collection Station and encryption in Payload Service
Collection Station to target hostsWhen SSH remote collection is used
SMTP send for emailWhen SMTP is configured with credentials, TLS is used

ProactiveNet to get and send data

When HTTPS connection type is used to configure ProactiveNet configuration

For more information about the default communication ports and protocols, see Communication ports and protocols.

User authentication and authorization

  • Users assigned an administrator role can configure user authentication and role-based access control (RBAC) from the IT Data Analytics Console. For more information, see User roles and permissions.
  • User authorization is defined by the data access control setting that allows granular control over functions and data access for different users. For more information, see Managing user groups in IT Data Analytics.

Credentials

The following types of credentials are stored in encrypted form:

  • IT Data Analytics user credentials
  • SMTP email credentials
  • ProactiveNet (or TrueSight Infrastructure Management) server credentials
  • Credentials specified as part of credential profile creation and data collector creation

Credentials used for data collection are stored in encrypted form and are decrypted by the Collection Station or the Collection Agent just before passing the credentials to the external system for authentication. The product does not store or transfer the password in plain text. But the password is not encrypted when passed from the browser to the Console Server; to ensure complete security you need to enable security for the Console Server. For more information, see Enabling security for the Console Server and Search components.

Note

The encryption and decryption keys are pre-configured in the product components. These keys are not visible to administrators and cannot be customized.

Cross-site request forgery (CSRF) checks

IT Data Analytics prevents CSRF attacks by checking the HTTP header, called as Referer, of the incoming HTTP request. This header is present in the requests that come from browsers. All invalid requests return a HTTP 403 response. The CSRF check is controlled by the check.csrf property in the olaengiveService.properties file. 

Note

The product cannot be accessed by using an iPv6 address. To enable the access, you must configure the system. For more information, see Configuring access URLs.

By default, the CSRF checks do not filter out the following requests from accessing the product:

  • Requests that are generated by CLI commands.

  • Requests that are generated by typing the URL in the address bar of the browser.

  • Requests in which the Referer matches the IT Data Analytics server host name.

  • Browser requests in which Referer matches any of the following regular expressions: 

    Regular expressionDescription
    ^http(s)?://127.0.0.1:(9797|9443)/.*

    Any HTTP or HTTPS referrer with IPV4 loopback address as 127.0.0.1

    and

    Port is either 9797 or 9443

    ^http(s)?://\[::1\]:(9797|9443)/.*

    Any HTTP or HTTPS referrer with IPv6 loopback address as ::1

    and

    Port is either 9797 or 9443

    ^http(s)?://localhost:(9797|9443)/.*

    Any HTTP or HTTPS referrer with localhost

    and

    Port is either 9797 or 9443

Was this page helpful? Yes No Submitting... Thank you
Last modified by Sonali Deshmukh on Dec 05, 2017
planning deployment requirements authorization security collection_station cli console_server search itda_server collection_agent

Comments

Log in or register to comment.

Security considerations
Roles and permissions
© Copyright 2014-2017 BMC Software, Inc
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.