Web authentication

BMC Atrium Discovery supports a number of web authentication plugins. You can view and configure these on the Web Authentication Methods Page.
The following web authentication methods are supported:

  • SSL Client Certificate Verification: The client's SSL Certificate is verified by the web server. The user name is extracted from the certificate and used for authorization via LDAP. Requires HTTPS and LDAP support.
  • SSL Certificate Lookup: The user is authenticated by looking up custom parts of the client's SSL Certificate via LDAP. The certificate is not verified, but it must be valid. Requires HTTPS and LDAP support.
  • RSA SecurID Authentication: Authentication is performed by the RSA Authentication Agent. The username is used for authorization via LDAP. Requires HTTPS and LDAP support.
  • Standard Atrium Discovery Web Authentication: The user is authenticated by entering a user name and password via the Login page. Supports authentication via LDAP, if LDAP support is enabled.

To configure the web authentication settings

  1. From the Security section of the Administration tab, select Web Authentication.
  2. In the Web Authentication Methods page, you can choose the order in which the methods will be attempted, and you can enable, disable, and configure each one. The Standard Atrium Discovery Web Authentication module is a special case: it cannot be disabled and acts as the fail-safe login.
  3. For each authentication module, except for the Standard Atrium Discovery Web Authentication module, the following controls are provided:
    • Disable link: click this link to disable the module. When a module is disabled, the link is replaced with an Enable link.
    • Configure link: click this link to open a dialog box to configure the module. These dialogs are described in the following sections.
    • Ordering controls: click the up or down arrow to move the module up or down. Click the barred up or down arrow to move the module to the top or bottom.
      The page also provides links to the configuration pages for HTTPS and LDAP.

To configure SSL client certificate verification

This module verifies the client SSL certificate with the web server. If the certificate is valid, the user name is extracted and used for LDAP authorization.

Click Configure in the SSL Client Certificate Verification row.
There is a single editable field in the configure page: the Extract Key, which is used to extract the user name from the certificate. The default is emailAddress, which is used when the email address is the user name.

If the user name is not the email address, enter a new extract key to get the user name. This must match the search template used in the LDAP settings.

SSL certificate lookup

This module extracts information from the client SSL certificate and verifies it against the LDAP server.

Click Configure in the SSL Certificate Lookup row.
There are two editable fields:

  • Lookup Expression: an LDAP search expression. The variables you can use are:
    HTTPS
    SSL_PROTOCOL
    SSL_SESSION_ID
    SSL_CIPHER
    SSL_CIPHER_EXPORT
    SSL_CIPHER_USEKEYSIZE
    SSL_CIPHER_ALGKEYSIZE
    SSL_VERSION_INTERFACE
    SSL_VERSION_LIBRARY
    SSL_CLIENT_M_VERSION
    SSL_CLIENT_M_SERIAL
    SSL_CLIENT_S_DN
    SSL_CLIENT_S_DN_x509
    SSL_CLIENT_I_DN
    SSL_CLIENT_I_DN_x509
    SSL_CLIENT_V_START
    SSL_CLIENT_V_END
    SSL_CLIENT_A_SIG
    SSL_CLIENT_A_KEY
    SSL_CLIENT_CERT
    SSL_CLIENT_CERT_CHAINn
    SSL_CLIENT_VERIFY
    SSL_SERVER_M_VERSION
    SSL_SERVER_M_SERIAL
    SSL_SERVER_S_DN
    SSL_SERVER_S_DN_x509
    SSL_SERVER_I_DN
    SSL_SERVER_I_DN_x509
    SSL_SERVER_V_START
    SSL_SERVER_V_END
    SSL_SERVER_A_SIG
    SSL_SERVER_A_KEY
    SSL_SERVER_CERT

    These are the Apache mod_ssl variables. See the Apache website for more information.

  • LDAP Attribute: the LDAP attribute against which to check the user name.
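The two certificate-based modules above both turn mod_ssl variables into an LDAP query: the verification module pulls the user name out of the subject DN with the Extract Key, and the lookup module searches an LDAP attribute for a certificate value. The following Python is an added illustration (not BMC Atrium Discovery code) of the two defender-side checks that matter in that path: trusting the subject DN only when mod_ssl reports SSL_CLIENT_VERIFY=SUCCESS, and escaping the certificate value per RFC 4515 before it is placed in the filter, so a crafted certificate field cannot change the shape of the LDAP search. The variable names are the mod_ssl ones listed above; the sample values and the simple "(attribute=value)" filter form are constructed assumptions, since the page does not document the product's own substitution syntax.

```python
import re
from typing import Dict, Optional

# Constructed sample of the mod_ssl variables a web server exposes to the
# authentication layer. All values are made up for illustration.
SAMPLE_ENV: Dict[str, str] = {
    "HTTPS": "on",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=Alice Example,OU=Ops,O=Example Ltd,C=GB,emailAddress=alice@example.com",
    "SSL_CLIENT_S_DN_Email": "alice@example.com",  # an instance of SSL_CLIENT_S_DN_x509
}


def extract_dn_component(dn: str, key: str) -> Optional[str]:
    """Return the value of `key` (e.g. emailAddress, CN) from an RFC 2253-style DN.

    Splits on commas that are not backslash-escaped, so a comma inside a
    component value does not break the parse. Attribute names are compared
    case-insensitively."""
    for part in re.split(r"(?<!\\),", dn):
        name, sep, value = part.partition("=")
        if sep and name.strip().lower() == key.lower():
            return value.strip()
    return None


def verified_user_name(env: Dict[str, str], extract_key: str = "emailAddress") -> Optional[str]:
    """SSL Client Certificate Verification: only when mod_ssl has actually
    verified the client certificate (SSL_CLIENT_VERIFY is SUCCESS, not NONE,
    GENEROUS or FAILED:...) is the Extract Key read from the subject DN."""
    if env.get("HTTPS") != "on" or env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    return extract_dn_component(env.get("SSL_CLIENT_S_DN", ""), extract_key)


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3):
    '*', '(', ')', '\\' and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_lookup_filter(env: Dict[str, str], attribute: str, variable: str) -> str:
    """SSL Certificate Lookup: build the search filter that checks one
    certificate variable against one LDAP attribute (assumed filter form)."""
    if env.get("HTTPS") != "on":
        raise ValueError("client certificate variables only exist on HTTPS")
    value = env.get(variable)
    if not value:
        raise ValueError(f"{variable} was not supplied by the web server")
    return f"({attribute}={ldap_filter_escape(value)})"
```

Note that the lookup module, as the page states, does not verify the certificate, so nothing in build_lookup_filter proves who presented it; the escaping only ensures the LDAP search itself cannot be widened by the certificate contents.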

To configure RSA SecurID authentication (8.3 SP3 only)

BMC Atrium Discovery can use an RSA SecurID server to perform authentication. To do this you must first install the RSA Authentication Agent 7.1 for Web for Apache Web Server on the appliance, configure it to access your RSA Authentication Manager, and test to ensure that it is working. See the RSA documentation for instructions on how to do this.

Cannot use system and other standard users

You cannot log in as the system user or the other standard users unless they have an exactly corresponding RSA/LDAP user. You must create an RSA/LDAP user with permissions exactly corresponding to any default users that you use.

To configure RSA SecurID authentication:

  1. Log in to the BMC Atrium Discovery UI using an LDAP account with permissions equivalent to the system user. Ensure you can access the Administration -> Web authentication page while logged in as this user.
  2. Click Configure in the RSA SecurID Authentication row.
    There is a single editable field in the configure page: the Logout URL, which is required to log out via the web authentication framework. The default is /webauthentication?logoff?referrer=/ui.
  3. Log out of the BMC Atrium Discovery UI.
  4. Install and configure the RSA Authentication Manager according to the instructions in the documentation contained in the download.
    • During the configuration of RSA SecurID, "Use RSA Token for Cross-Site Request Forgery Protection" must be set to disabled; otherwise logging out from the BMC Atrium Discovery UI will fail.
    • The installation requires that some environment variables are configured. These variables should be appended to /etc/sysconfig/httpd. A typical entry looks like this:

      # RSA enablement
      export VAR_ACE=/var/ace
      export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/etc/httpd/rsawebagent
    • If the appliance is a virtual machine and you use VMware snapshots, you should ensure that you update the snapshot after configuring the RSA Authentication Manager. Rolling back to an earlier snapshot removes the shared secret and prevents subsequent logins. See the RSA Authentication Manager documentation for more information.
  5. Navigate to the BMC Atrium Discovery URL. You are presented with the RSA SecurID login page.
  6. Log in using the same LDAP account with permissions equivalent to the system user.
    You are now presented with the standard BMC Atrium Discovery login page.
  7. Log in to BMC Atrium Discovery with the same LDAP account as you used in the previous step.
  8. Navigate to the Administration -> Web authentication page and enable the RSA SecurID integration.
    If you cannot access the Administration -> Web authentication page, you must log out of BMC Atrium Discovery, log back in as the system user, and grant sufficient permissions to the RSA/LDAP user to access that page.

Once RSA SecurID Authentication is enabled in BMC Atrium Discovery, the BMC Atrium Discovery login screen is no longer displayed. To log in, enter your username, password, and code from the SecurID token in the RSA SecurID login screens. You are authenticated against the RSA Authentication Manager, and once authenticated you are logged into BMC Atrium Discovery using the same username.

If RSA SecurID Authentication is not enabled, the normal BMC Atrium Discovery login page is displayed, even after successfully logging in using the RSA Authentication Agent. If RSA SecurID Authentication is enabled in ADDM, but the RSA Authentication Agent is not installed or is installed incorrectly, the normal BMC Atrium Discovery login page is also displayed.

Standard Atrium Discovery web authentication

No configuration is required for the Standard Atrium Discovery Web Authentication section; it is the fail-safe method of logging in to the system. This authentication method uses local users created on the appliance.
