Enabling Active Directory authentication on TrueSight Network Automation
This topic describes the prerequisites and the procedure to configure TrueSight Network Automation to enable Active Directory (AD) authentication without rerunning the installation program.
Before you begin
Ensure that you have met the following prerequisites:
- AD server is named appropriately.
- LDAP uses an available port.
- At least one AD domain account is created. This account acts as the TrueSight Network Automation administrator because the default system administrator account, sysadmin, cannot log on after TrueSight Network Automation is configured for AD authentication.
- The TrueSight Network Automation system administrator account is created in the OU “Service Accounts” in the root of the LDAP directory because TrueSight Network Automation searches for user accounts recursively. In this case, it searches recursively from the root of AD.
- The Automatically Add New Users As system parameter is enabled. For more information, see the Security section (external mode user authentication).
- All existing TrueSight Network Automation user accounts are recreated in AD so that they can continue to be used. They retain their existing rights and roles within TrueSight Network Automation.
To enable AD authentication
- Stop the TrueSight Network Automation server.
- Open the global.properties file, located in the BCAN_DATA directory, with a text editor and change the authentication mechanism to activeDirectory as shown in the following code snippet:
# Indicates the type of authentication being used.
# Default is local authentication where username and password information
# reside in the TrueSight Network Automation database. Others are remote authenticators
# configured as a Realm in the server.xml file.
# Allowed options: local/activeDirectory/ldap/radius/tacacs/sso
# Default = local
userAuthMode=activeDirectory
- Invoke the TrueSight Network Automation maintenance utility from the BCAN_HOME\utility directory by using the following command:
- (Windows) BcanMaintenanceTool.bat
- (Linux) ./BcanMaintenanceTool.sh
- Encrypt the AD root user password as shown in the following figure:

- Navigate to the BCAN_HOME\tomcat\conf directory and open the Tomcat server configuration file (server.xml) with a text editor.
- Search the file for a section similar to the following one and comment out the section, which represents the local authentication:
<Realm className="com.bmc.bcan.catalina.realm.BNAJDBCRealm"
       driverName="org.postgresql.Driver"
       connectionURL="${bna.jdbcRealm.connectionURL}"
       connectionName="${bna.jdbcRealm.connectionUsername}"
       connectionPassword="${bna.jdbcRealm.connectionPassword}"
       userTable="usr"
       userNameCol="user_name"
       userCredCol="encrypted_password"
       userRoleTable="usr"
       roleNameCol="realm_role_name">
  <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                     algorithm="SHA-256" />
</Realm>
- Below the commented section, add the following section to enable the Active Directory authentication:
<Realm className="com.bmc.bcan.catalina.realm.BNAJNDIRealm"
       connectionURL="${bna.jndiRealm.connectionURL}"
       connectionName="${bna.jndiRealm.principal},${bna.jndiRealm.baseDN}"
       connectionPassword="${bna.jndiRealm.connectionPassword}"
       userBase="${bna.jndiRealm.userBase}${bna.jndiRealm.baseDN}"
       userSearch="${bna.jndiRealm.userSearch}"
       userSubtree="${bna.jndiRealm.userSubtree}"
       referrals="${bna.jndiRealm.referrals}"/>
The Sample server.xml file section shows a sample server.xml file.
- Save the file.
- In the BCAN_HOME\tomcat\conf directory, open the catalina.properties file with a text editor and populate the following parameters with the details of your AD server:
- bna.jndiRealm.connectionURL
- bna.jndiRealm.alternateURL
- bna.jndiRealm.principal
- bna.jndiRealm.baseDN
- bna.jndiRealm.connectionPassword
- bna.jndiRealm.userSearch
- bna.jndiRealm.userBase
- bna.jndiRealm.userSubtree
- bna.jndiRealm.referrals
The Sample catalina.properties file section shows a sample catalina.properties file.
- Save the file.
- Restart the TrueSight Network Automation server.
Sample server.xml file
The following code snippet shows a sample server.xml file with the active directory authentication:
<Server port="-1"> <!-- shutdown port is disabled -->
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  -->
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <Service name="Catalina">
    <!-- Note that a non-default threadPriority can be specified in connectors. Bumping up thread
         priority on Windows (e.g. to 10) is recommended if your UI performance degrades considerably
         when jobs are running in the background. On Linux threadPriority doesn't seem to be very
         effective (see comments on bna.connector.threadPriority in catalina.properties). -->
    <!-- Redirects HTTP traffic to HTTPS -->
    <Connector port="${bna.connector.port}"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="${bna.connector.maxThreads}"
               threadPriority="${bna.connector.threadPriority}"
               connectionTimeout="${bna.connector.connectionTimeout}"
               redirectPort="${bna.connector.sslPort}"
               URIEncoding="UTF-8"/>
    <!-- Handles HTTPS traffic -->
    <Connector port="${bna.connector.sslPort}"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               maxThreads="${bna.connector.maxThreads}"
               threadPriority="${bna.connector.threadPriority}"
               scheme="https"
               secure="true"
               server="TrueSight Network Automation Server"
               clientAuth="false"
               sslEnabledProtocols="${bna.connector.sslEnabledProtocols}"
               maxHttpHeaderSize="${bna.connector.maxHttpHeaderSize}"
               connectionTimeout="${bna.connector.connectionTimeout}"
               maxParameterCount="${bna.connector.maxParameterCount}"
               disableUploadTimeout="true"
               keystorePass="${bna.connector.keystorePass}"
               ciphers="${bna.connector.ciphers}"
               URIEncoding="UTF-8"/>
    <!-- Note that for the terminal session functionality what we want is a
         persistent http connection in the form of a never-loading page with
         regular flushes to the response buffer, the compression="on"
         attribute does not let you do this, it only lets you flush the
         response buffer when the entire page has loaded, so this
         option has been removed from the Connector element.
         compression="on"
         compressableMimeType="text/html,text/xml,text/css,text/javascript"
    -->
    <Engine name="Catalina" defaultHost="localhost">
      <!-- BEGIN: BCA-Networks realm configured by InstallShield -->
      <Realm className="com.bmc.bcan.catalina.realm.BNALockOutRealm"
             failureCount="${bna.lockOutRealm.failureCount}"
             lockOutTime="${bna.lockOutRealm.lockOutTime}"
             cacheSize="${bna.lockOutRealm.cacheSize}"
             cacheRemovalWarningTime="${bna.lockOutRealm.cacheRemovalWarningTime}">
        <!-- <Realm className="com.bmc.bcan.catalina.realm.BNAJDBCRealm"
                    driverName="org.postgresql.Driver"
                    connectionURL="${bna.jdbcRealm.connectionURL}"
                    connectionName="${bna.jdbcRealm.connectionUsername}"
                    connectionPassword="${bna.jdbcRealm.connectionPassword}"
                    userTable="usr"
                    userNameCol="user_name"
                    userCredCol="encrypted_password"
                    userRoleTable="usr"
                    roleNameCol="realm_role_name">
               <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                                  algorithm="SHA-256" />
             </Realm> -->
        <Realm className="com.bmc.bcan.catalina.realm.BNAJNDIRealm"
               connectionURL="${bna.jndiRealm.connectionURL}"
               alternateURL="${bna.jndiRealm.alternateURL}"
               connectionName="${bna.jndiRealm.principal},${bna.jndiRealm.baseDN}"
               connectionPassword="${bna.jndiRealm.connectionPassword}"
               userBase="${bna.jndiRealm.userBase}${bna.jndiRealm.baseDN}"
               userSearch="${bna.jndiRealm.userSearch}"
               userSubtree="${bna.jndiRealm.userSubtree}"
               referrals="${bna.jndiRealm.referrals}"/>
      </Realm>
      <!-- END: BCA-Networks realm configured by InstallShield -->
      <!-- The request dumper valve dumps useful debugging information about
           the request and response data received and sent by Tomcat.
           Documentation at: /docs/config/valve.html -->
      <!--
      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
      -->
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="false">
        <!-- Uncomment to enable the Access Log -->
        <!--
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
        -->
      </Host>
    </Engine>
  </Service>
</Server>
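After editing server.xml it is easy to leave the local realm uncommented or to paste the new realm outside the lockout realm. The following Python script is an added example, not part of this documentation or of the TrueSight Network Automation product: it parses a cut-down, constructed server.xml in the shape of the sample above and checks that the BNAJDBCRealm is no longer active, that exactly one BNAJNDIRealm is present with the attributes the procedure requires, and that it is nested inside BNALockOutRealm so that the lockout settings from catalina.properties apply to the Active Directory realm as they do in the sample. The realm class names and attribute names are taken from the sample; the cut-down XML and the checks themselves are assumptions of this example.

```python
import xml.etree.ElementTree as ET

LOCKOUT_REALM = "com.bmc.bcan.catalina.realm.BNALockOutRealm"
JDBC_REALM = "com.bmc.bcan.catalina.realm.BNAJDBCRealm"
JNDI_REALM = "com.bmc.bcan.catalina.realm.BNAJNDIRealm"

# Attributes the JNDI realm needs for a non-anonymous bind and a user search.
REQUIRED_JNDI_ATTRS = ("connectionURL", "connectionName", "connectionPassword",
                       "userBase", "userSearch")

# Constructed, cut-down server.xml in the shape of the sample above (example
# data, not a file shipped with the product): the JDBC realm is commented out
# and the JNDI realm sits inside the lockout realm.
SAMPLE_SERVER_XML = """<Server port="-1">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="com.bmc.bcan.catalina.realm.BNALockOutRealm"
             failureCount="${bna.lockOutRealm.failureCount}"
             lockOutTime="${bna.lockOutRealm.lockOutTime}">
        <!-- <Realm className="com.bmc.bcan.catalina.realm.BNAJDBCRealm"
                    driverName="org.postgresql.Driver"/> -->
        <Realm className="com.bmc.bcan.catalina.realm.BNAJNDIRealm"
               connectionURL="${bna.jndiRealm.connectionURL}"
               connectionName="${bna.jndiRealm.principal},${bna.jndiRealm.baseDN}"
               connectionPassword="${bna.jndiRealm.connectionPassword}"
               userBase="${bna.jndiRealm.userBase}${bna.jndiRealm.baseDN}"
               userSearch="${bna.jndiRealm.userSearch}"
               userSubtree="${bna.jndiRealm.userSubtree}"
               referrals="${bna.jndiRealm.referrals}"/>
      </Realm>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def audit_realms(server_xml: str) -> dict:
    """Report on the realms that are actually active in server.xml.

    ElementTree discards XML comments, so a realm that was commented out
    simply does not show up, which is exactly what the edit above intends."""
    findings = {"active_realms": [], "errors": []}
    engine = ET.fromstring(server_xml).find("./Service/Engine")
    if engine is None:
        findings["errors"].append("no <Engine> element under <Service>")
        return findings
    for realm in engine.iter("Realm"):
        findings["active_realms"].append(realm.get("className"))
    active = findings["active_realms"]
    if JDBC_REALM in active:
        findings["errors"].append("local BNAJDBCRealm is still active; comment it out")
    if active.count(JNDI_REALM) != 1:
        findings["errors"].append("expected exactly one active BNAJNDIRealm, found %d"
                                  % active.count(JNDI_REALM))
    # The lockout realm must be the outer realm so that its failureCount and
    # lockOutTime settings govern the Active Directory logons as well.
    outer = [r for r in engine.findall("Realm") if r.get("className") == LOCKOUT_REALM]
    if len(outer) != 1:
        findings["errors"].append("BNALockOutRealm must be the single top-level realm")
    else:
        nested = [r.get("className") for r in outer[0].findall("Realm")]
        if JNDI_REALM not in nested:
            findings["errors"].append("BNAJNDIRealm is not nested inside BNALockOutRealm")
        for attr in ("failureCount", "lockOutTime"):
            if not outer[0].get(attr):
                findings["errors"].append("BNALockOutRealm is missing %s" % attr)
    for realm in engine.iter("Realm"):
        if realm.get("className") == JNDI_REALM:
            missing = [a for a in REQUIRED_JNDI_ATTRS if not realm.get(a)]
            if missing:
                findings["errors"].append("BNAJNDIRealm is missing " + ", ".join(missing))
    return findings


def is_ad_ready(server_xml: str) -> bool:
    """True when server.xml carries the Active Directory realm layout and nothing else."""
    return not audit_realms(server_xml)["errors"]


if __name__ == "__main__":
    import sys
    # Pass the path of a real server.xml to audit it; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for error in audit_realms(text)["errors"]:
        print("ERROR:", error)
    print("ready for AD authentication:", is_ad_ready(text))
```

Run it against BCAN_HOME\tomcat\conf\server.xml before restarting the server; an empty error list means the realm layout matches the sample.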
Sample catalina.properties file
The following code snippet shows a sample catalina.properties file with the active directory authentication:
# TrueSight Network Automation
# Configuration settings for the tomcat server.xml configuration
# file. These settings will be maintained between TrueSight Network Automation upgrades. For
# more information on any of these settings, visit the tomcat
# documentation.
#######################################################################
#
# Priority of connection threads (values range from 1 (lowest) to 10
# (highest)). Running with a priority value of 10 is not advised, as this
# may cause critical OS processes to starve. For thread priorities to be
# honored on Linux, one must pass "-XX:ThreadPriorityPolicy=1" to the JVM, when
# Tomcat is running as a root process.
#
# Running with a value of 9 here is recommended on Linux, in order to make the
# UI as responsive as possible when there are jobs running in the background.
# On Windows, a value of 9 does not lead to the same improvements in UI
# responsiveness for some reason, so a value of 5 is recommended on Windows.
#
# Default=9
#
bna.connector.threadPriority=5
#
# This is the number of failed authentication attempts allowed before user gets locked.
# Default=5
#
bna.lockOutRealm.failureCount=5
#
# The time period in seconds for which the locked out user will remain locked unless
# an administrator unlocks the user in the meantime. After this time elapses, the user is
# automatically unlocked.
# Default=86400 (24 hours)
#
bna.lockOutRealm.lockOutTime=86400
#
# Number of users that have failed authentication to keep in cache.
# Default=1000
#
bna.lockOutRealm.cacheSize=1000
#
# If a failed user is removed from the cache because the cache is too big before
# it has been in the cache for at least this period of time (in seconds) a
# warning message will be logged.
# Default=3600 (1 hour)
#
bna.lockOutRealm.cacheRemovalWarningTime=3600
#
# JDBC realm database connection URL
# Used only for local authentication mode
# Default=(blank)
#
bna.jdbcRealm.connectionURL=
#
# JDBC realm database connection user name
# Used only for local authentication mode
# Default=(blank)
#
bna.jdbcRealm.connectionUsername=
#
# JDBC realm database connection password (encrypted)
# Used only for local authentication mode
# Default=(blank)
#
bna.jdbcRealm.connectionPassword=
#
# JNDI realm connection URL
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.connectionURL=ldap://ab.Testlab.local:389
#
# JNDI realm alternate/secondary connection URL
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.alternateURL=
#
# JNDI realm username (principal) to use when establishing a connection to
# the directory for search operations, for non-anonymous bind
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.principal=cn=Administrator,ou=Service Accounts
#
# JNDI realm base directory name, for non-anonymous bind
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.baseDN=ou=Service Accounts,dc=lab,dc=local,dc=com
#
# JNDI realm connection password (encrypted), for non-anonymous bind
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.connectionPassword=5cc91dgf58d57996a8fd9e65cb6d76c40
#
# JNDI realm pattern for searching user names
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.userSearch=(sAMAccountName={0})
#
# JNDI realm directory element (not including the Base DN) in which user
# accounts are defined. If present, must end in a comma, since it will
# be prepended to the baseDN value.
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.userBase=ou=Service Accounts,
#
# JNDI realm pattern for field containing subtree search
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.userSubtree=true
#
# JNDI realm indicator for action to take on referrals
# Used only for LDAP or AD authentication mode
# Default=follow
#
bna.jndiRealm.referrals=follow
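The catalina.properties step of the procedure and the sample file above both rely on how server.xml stitches the properties together: connectionName is the principal followed by a comma and the base DN, and userBase is the relative userBase (which must end in a comma) followed by the base DN. The following Python script is an added example, not part of this documentation or of the product: it reads a constructed catalina.properties excerpt (example values, not the sample's), composes the effective realm attributes exactly as those placeholders do, and reports the mistakes a reviewer looks for (a userBase without its trailing comma, a connection URL that is not ldap:// or ldaps://, a userSearch without {0}, an unsupported referrals value) together with a warning when plain ldap:// is used, since the bind and user passwords then cross the network unencrypted unless TLS is negotiated. It also shows how the {0} placeholder in userSearch must be filled with an RFC 4515 escaped login name; what BNAJNDIRealm itself does with that value is not stated on this page, so the escaping function is an illustration of the rule, not the product's code.

```python
from urllib.parse import urlsplit

# Constructed catalina.properties excerpt (example values, not the ones in the
# sample above): principal and userBase are relative to the base DN, and
# userBase ends in the comma that the file's comments require.
SAMPLE_PROPERTIES = """\
# JNDI realm settings for Active Directory
bna.jndiRealm.connectionURL=ldap://dc01.example.test:389
bna.jndiRealm.alternateURL=
bna.jndiRealm.principal=cn=svc-tsna,ou=Service Accounts
bna.jndiRealm.baseDN=dc=example,dc=test
bna.jndiRealm.connectionPassword=ENCRYPTED_VALUE_PLACEHOLDER
bna.jndiRealm.userSearch=(sAMAccountName={0})
bna.jndiRealm.userBase=ou=People,
bna.jndiRealm.userSubtree=true
bna.jndiRealm.referrals=follow
"""

# Referral modes accepted by Tomcat's JNDI realm (the JNDI java.naming.referral values).
REFERRAL_MODES = ("follow", "ignore", "throw")


def parse_properties(text: str) -> dict:
    """Minimal reader for the key=value lines of a Java properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def compose_realm(props: dict) -> dict:
    """Assemble the BNAJNDIRealm attributes the way the server.xml placeholders
    do: connectionName = principal + ',' + baseDN and userBase = userBase + baseDN."""
    def prop(name):
        return props.get("bna.jndiRealm." + name, "")
    return {
        "connectionURL": prop("connectionURL"),
        "alternateURL": prop("alternateURL"),
        "connectionName": "%s,%s" % (prop("principal"), prop("baseDN")),
        "userBase": prop("userBase") + prop("baseDN"),
        "userSearch": prop("userSearch"),
        "userSubtree": prop("userSubtree"),
        "referrals": prop("referrals"),
    }


def check_properties(props: dict) -> list:
    """Return findings on the composed realm; an empty list means it is sane."""
    findings = []
    relative_base = props.get("bna.jndiRealm.userBase", "")
    if relative_base and not relative_base.endswith(","):
        findings.append("bna.jndiRealm.userBase must end in a comma; without it the "
                        "value fuses with the base DN into an invalid DN")
    realm = compose_realm(props)
    url = urlsplit(realm["connectionURL"])
    if url.scheme not in ("ldap", "ldaps"):
        findings.append("connectionURL must start with ldap:// or ldaps://")
    elif url.scheme == "ldap":
        # The service-account bind and every user's password travel on this connection.
        findings.append("warning: ldap:// without TLS carries the bind and user "
                        "passwords unencrypted; prefer ldaps:// on the AD server")
    if not url.hostname:
        findings.append("connectionURL names no host")
    if not props.get("bna.jndiRealm.principal"):
        findings.append("bna.jndiRealm.principal is empty; the realm cannot bind to search")
    if "{0}" not in realm["userSearch"]:
        findings.append("userSearch must contain {0}, the placeholder for the login name")
    if realm["userSubtree"].lower() not in ("true", "false"):
        findings.append("userSubtree must be true or false")
    if realm["referrals"] not in REFERRAL_MODES:
        findings.append("referrals must be one of " + ", ".join(REFERRAL_MODES))
    return findings


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_user_filter(user_search: str, login_name: str) -> str:
    """Substitute the typed login name into userSearch so that it can only ever
    match a value, never change the structure of the filter."""
    return user_search.replace("{0}", escape_filter_value(login_name))


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for key, value in compose_realm(props).items():
        print("%-16s %s" % (key, value))
    for finding in check_properties(props):
        print("FINDING:", finding)
    print(build_user_filter(props["bna.jndiRealm.userSearch"], "jdoe"))
```

To check a real installation, read BCAN_HOME\tomcat\conf\catalina.properties into parse_properties instead of the constructed excerpt; the composed connectionName and userBase are the DNs the realm will actually bind with and search under, so compare them against the directory before restarting the server.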