Security planning for Presentation Server
The TrueSight Operations Management solution can comprise several components. The following diagram provides an overview of the communication paths among the core TrueSight Operations Management components. For more detailed descriptions about the architectural diagrams, see TrueSight Operations Management architecture.
This topic addresses the ways in which sensitive data and user information are secured among the TrueSight Operations Management components.
User authentication and authorization
The TrueSight Operations Management system uses Remedy Single Sign-On to authenticate and manage users and user groups. BMC Remedy Single Sign-On supports authentication with traditional systems, such as Active Directory, LDAP, SAMLv2, and other systems, and supports integration into existing single sign-on systems.
Following system installation and configuration, users access the TrueSight console from the TrueSight Presentation Server. Role-based access to the TrueSight Operations Management components is then managed by authorization profiles, which are maintained by the Solution Administrator. Users cannot directly access any of the components.
Plan to change the out-of-the-box credentials
You must change the out-of-the-box credentials at your first login for both Remedy SSO Server and Presentation Server. This document explains the steps to change the default passwords as part of the relevant installation procedures.
Remedy Single Sign-On
Planning the Remedy Single Sign-On Server deployment
Migrating internal user data from Atrium Single Sign-On to Remedy Single Sign-On
Configuring user authentication for the Presentation Server in Remedy SSO
Role-based user access overviews
TrueSight Infrastructure Management security
Security standards
TrueSight Operations Management supports the following security standards.
Standard | Component | Remarks |
---|---|---|
HTTPS protocol | TrueSight Presentation Server, TrueSight App Visibility Manager server | Applicable when the TrueSight App Visibility Manager server sends events to the TrueSight Infrastructure Management component. Uses packaged self-signed certificate, which exists on the TrueSight Presentation Server and TrueSight App Visibility Manager server. To replace the self-signed certificates with signed certificates, see the following: |
TrueSight Infrastructure Impact Client API | TrueSight App Visibility Manager server | Applicable when the TrueSight App Visibility Manager server sends events to the TrueSight Infrastructure Management component. |
Multiple | TrueSight Infrastructure Management | For details, see Security planning for Infrastructure Management. |
Remedy Single Sign-On | TrueSight Presentation Server | Applicable when users log on to the TrueSight Presentation Server and launch TrueSight Infrastructure Management from the TrueSight console. To review the security standards used in the BMC Remedy Single Sign-On product, see Key concepts. |
Location of security certificates and Java KeyStore files
During installation of the TrueSight App Visibility Manager component, self-signed certificates are created in the following locations to handle authentication between the components. If you prefer to use your own certificates, follow the procedures detailed in Applying private certificates between the App Visibility portal and the Presentation Server. For information about the security certificates used in the TrueSight Infrastructure Management server, see Location of the HTTPS/SSL private key on BMC TrueSight Infrastructure Management Server.
Security certificates on TrueSight Presentation Server
- Location of the keystore files for TrueSight App Visibility Manager component on the TrueSight Presentation Server
  - Windows
    - %TRUESIGHTPSERVER_HOME%\truesightpserver\conf\secure\adopskeystore.jks
    - %TRUESIGHTPSERVER_HOME%\truesightpserver\conf\secure\adopstruststore.jks
  - Linux
    - $TRUESIGHTPSERVER_HOME/truesightpserver/conf/secure/adopskeystore.jks
    - $TRUESIGHTPSERVER_HOME/truesightpserver/conf/secure/adopstruststore.jks
  - Configuration file: tspsInstallationDirectory/conf/appVisCertificates.xml
- Location of keystore file that secures communication between clients (browser) and the TrueSight Presentation Server
  - Windows: %TRUESIGHTPSERVER_HOME%\conf\secure\loginvault.ks
  - Linux: $TRUESIGHTPSERVER_HOME/conf/secure/loginvault.ks
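One way to check whether a keystore such as adopskeystore.jks still holds a self-signed certificate after you apply your own certificates. This is an added example, not part of the BMC documentation or tooling; it parses the output of the JDK `keytool -list -v` command, and the aliases and certificate names in the sample are constructed.

```shell
#!/bin/sh
# Added example, not BMC code. Reads `keytool -list -v` output on stdin and
# prints "alias<TAB>entry type" for each entry whose leaf certificate is
# self-signed (Owner equals Issuer). Assumes keytool's English output.
self_signed_aliases() {
  awk '
    /^Alias name: / { alias = substr($0, 13); owner = ""; seen = 0; next }
    /^Entry type: / { type = substr($0, 13); next }
    /^Owner: /      { if (!seen) owner = substr($0, 8); next }
    /^Issuer: /     { # Only the first certificate of a chain is the leaf;
                      # later ones are CA certificates, where Owner == Issuer
                      # is normal for a root.
                      if (!seen) { seen = 1
                        if (owner == substr($0, 9)) print alias "\t" type } }
  '
}

# Constructed sample of keytool output (aliases and names are invented).
sample_listing() {
  cat <<'EOF'
Keystore type: JKS

Alias name: packaged-default
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=example-selfsigned, O=Example
Issuer: CN=example-selfsigned, O=Example

Alias name: ca-issued
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=tsps.example.internal, O=Example
Issuer: CN=Example Issuing CA, O=Example
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Issuing CA, O=Example
EOF
}

# With a keystore path as argument, audit it (keytool prompts for the
# password); with no argument, run against the constructed sample.
if [ -n "${1:-}" ]; then
  keytool -J-Duser.language=en -list -v -keystore "$1" | self_signed_aliases
else
  sample_listing | self_signed_aliases
fi
```

Hits of type PrivateKeyEntry are the ones to follow up on; in a truststore, a self-signed trustedCertEntry is often simply a root CA certificate.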
Security certificates on TrueSight App Visibility Manager server components and TrueSight App Visibility Manager agents
Most App Visibility components require two-way authentication, requiring a network of certificates in keystores and truststores.
The following diagram illustrates an environment where you use a different custom certificate for each component. The truststore on each component requires a certificate for each component that communicates with it. Additionally, the diagram indicates the properties file for each component that you must update with the file names for the custom certificates. The arrows represent communication between the components.
Tip
The example in the diagram presents a different certificate on each component, but you can simplify your system by generating one file of each file type and using copies of the same certificates for all components: portal, collector, proxy, and agents. These same files have the same values on all the components: keystoreFileName.jks, truststoreFileName.jks, encryptedPassword, and keystoreAlias.
The examples in this topic use the same values for each component.
For more information, see Applying private certificates to App Visibility components.
Security certificates on Synthetic TEA Agents
You can use custom certificates for the BMC Synthetic Transaction Execution Adapter (TEA) Agents for authentication with App Visibility Manager. You can update certificates before installing your TEA Agents, or you can update certificates on TEA Agents that are already installed. The TEA Agent installation files include a tool to help replace the certificates. For more information, see Applying private certificates to Synthetic TEA Agents.
Data security
For more information about maintaining TrueSight App Visibility Manager data security, see Changing the App Visibility database password.
Open ports
For a complete list of ports used by the TrueSight Operations Management solution, see Network ports.