Unsupported content

 

This version of the documentation is no longer supported. However, the documentation is available for your convenience. You will not be able to leave comments.

SRP authentication

This topic describes the use of Secure Remote Password (SRP) Authentication.

For SRP, the BMC Server Automation Authentication Service authenticates client-tier users against a registry of authorized users. That registry is a user table in the database of the Application Server. Information in the user table is derived from the role-based access control (RBAC) utility of BMC Server Automation. Note that the BMC Decision Support for Server Automation user interface provides no capability to manage users. To add or delete users, change passwords, or specify security settings for users, you must use RBAC Manager in the BMC Server Automation Console or BMC Server Automation CLI (BLCLI).

SRP is default approach of BMC Server Automation for authentication. For users who authenticate with SRP, session credentials are always refreshed as long as those users have RBAC user accounts that have not been disabled or deleted.

The Authentication Service used by BMC Decision Support for Server Automation obtains its user information from the reports data warehouse. If you use RBAC to add, remove, or disable users, those user changes are not reflected in the reports data warehouse until the next time its data is updated. This delay means newly added users who are able to log on to other BMC Server Automation applications might not be able to log on to BMC Decision Support for Server Automation. Similarly, changes to SRP passwords do not take effect until the reports data warehouse is updated. Changes to user information for other authentication protocols are not subjected to the same delay because those changes are made to an external identity management system. However, note that no matter what authentication protocol is being used, BMC Decision Support for Server Automation can never be aware of changes to role authorizations until the reports data warehouse is updated.

The Authentication Service used by BMC Decision Support for Server Automation has a different account lockout implementation than the mechanism RBAC uses for SRP authentication. For SRP, administrators typically configure a threshold for failed logon attempts. After the threshold is reached, the SRP account is locked. The Authentication Service for BMC Decision Support for Server Automation locks users according to policies set at individual BMC Server Automation sites. However, updating the reports data warehouse overwrites all user status information, including the number of unsuccessful logon attempts or the time an account has been locked out. Consequently, overwriting can cause users to be reinstated unless that user is also locked out in the RBAC database.

Was this page helpful? Yes No Submitting... Thank you

Comments