Configuring Web authentication settings
BMC Atrium Discovery supports a number of web authentication plugins. You can view and configure these on the Web Authentication Methods Page.
The following web authentication methods are supported:
- SSL Client Certificate Verification: The client's SSL Certificate is verified by the web server. The user name is extracted from the certificate and used for authorization via LDAP. Requires LDAP support.
- SSL Certificate Lookup: The user is authenticated by looking up custom parts of the client's SSL Certificate via LDAP. The certificate is not verified, but it must be valid. Requires LDAP support.
- RSA SecurID Authentication: Authentication is performed by the RSA Authentication Agent. The username is used for authorization via LDAP. Requires HTTPS and LDAP support. This is available in BMC Atrium Discovery 9.0 SP1 and later.
- HTTP Header: BMC Atrium Discovery integrates with Single Sign-On (SSO) technologies, such as CA SiteMinder, that authenticate users through a custom HTTP header. Requires LDAP support.
- Standard Atrium Discovery Web Authentication: The user is authenticated by entering a user name and password via the Login page. Supports authentication via LDAP, if LDAP support is enabled.
To configure the web authentication settings:
- From the Security section of the Administration page, select Single Sign On .
- Select the Web Authentication tab.
On the Web Authentication page, you can choose the order in which the methods are attempted, and you can enable, disable, and configure each one. The Standard Atrium Discovery Web Authentication module is a special case: it cannot be disabled and acts as the fail-safe login.
For each authentication module (except for the Standard Atrium Discovery Web Authentication module), the following controls are provided:
- Disable — click this link to disable the module. When a module is disabled, the link is replaced with an Enable link.
- Configure — click this link to open a dialog box in which you configure the module. These dialogs are described in the following sections.
- Ordering controls: click the up or down arrow to move the module up or down. Click the barred up or down arrow to move the module to the top or bottom.
The page also provides links to the configuration pages for HTTPS and LDAP.
Configuring SSL client certificate verification
This module verifies the client SSL certificate with the web server. If the certificate is valid, the user name is extracted and used for LDAP authorization.
To configure SSL client certificate verification:
- Click Configure in the SSL Client Certificate Verification row.
- Enter the extract key in the single editable field.
The extract key is the value used to extract the user name. It can be any value in the Distinguished Name (DN) of the supplied X.509 certificate or an X.509 extension value. The default is emailAddress, which is used when the email address is the user name.
- If the user name is not the email address, enter a new extract key that yields the user name. This must match the search template used in the LDAP settings.
- Click Apply to apply the changes.
In 9.0 SP1 and later you can extract values from X.509 certificate extensions. The extension name subjectAltName is used as the extract key. The extension name is split into parts, and the parts that you can extract are determined by the content of the certificate. For example, you can refer to:
- subjectAltName: the entire subjectAltName extension
- subjectAltName.emailAddress: the email address (as defined in RFC 822; for example, firstname.lastname@example.org "Taylor, Timothy")
A colon is assumed to delimit fields in the subjectAltName value, so the string will not be split correctly if a value contains a colon.
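The colon caveat above is easy to misjudge without seeing it. The following is an added example (not code from BMC Atrium Discovery) that splits a subjectAltName value into its parts and resolves an extract key against it. It assumes the OpenSSL text form of the extension, where each field is written as type:value and fields are separated by commas, and it assumes a mapping from the emailAddress key suffix to the email field type; both are assumptions, and the sample string is constructed. The naive splitter mirrors the documented limitation (a field whose value contains a colon is lost); the second splitter keeps such values intact by splitting on the first colon only.

```python
"""Split a subjectAltName value into parts and resolve an extract key against it.

Constructed example for the extract-key behaviour described above; not code from
BMC Atrium Discovery. Assumes the OpenSSL text form "email:..., DNS:..., URI:...".
"""
from typing import Dict, Optional

# Constructed sample subjectAltName string (not taken from a real certificate).
SAMPLE_SAN = ("email:firstname.lastname@example.org, "
              "DNS:appliance.example.org, "
              "URI:https://sso.example.org/login")

# Assumed mapping from the extract-key suffix to the field type label in the string.
PART_TYPES = {
    "emailAddress": "email",
    "dNSName": "DNS",
    "uniformResourceIdentifier": "URI",
}


def split_san_naive(san: str) -> Dict[str, str]:
    """Split every field on ':' and require exactly two pieces.

    This mirrors the caveat on the page: a value that itself contains a colon
    (the URI field in the sample) yields three pieces and is dropped, so no
    user name can be extracted from it.
    """
    parts: Dict[str, str] = {}
    for field in san.split(","):
        pieces = field.strip().split(":")
        if len(pieces) != 2:
            continue  # malformed under the "one colon per field" assumption
        parts[pieces[0].strip()] = pieces[1].strip()
    return parts


def split_san_first_colon(san: str) -> Dict[str, str]:
    """Split each field on its first ':' only, so values keep their own colons."""
    parts: Dict[str, str] = {}
    for field in san.split(","):
        kind, sep, value = field.strip().partition(":")
        if not sep:
            continue  # no type label at all; skip the field
        parts[kind.strip()] = value.strip()
    return parts


def extract_user_name(san: str, extract_key: str) -> Optional[str]:
    """Resolve 'subjectAltName' or 'subjectAltName.<part>' against the extension.

    Returns None when the key is not a subjectAltName key or the part is absent.
    """
    if extract_key == "subjectAltName":
        return san
    prefix, dot, part = extract_key.partition(".")
    if prefix != "subjectAltName" or not dot:
        return None
    return split_san_first_colon(san).get(PART_TYPES.get(part, part))


if __name__ == "__main__":
    print(split_san_naive(SAMPLE_SAN))        # URI field is missing
    print(split_san_first_colon(SAMPLE_SAN))  # URI field is intact
    print(extract_user_name(SAMPLE_SAN, "subjectAltName.emailAddress"))
```

Running the block shows the URI field disappearing under the naive split and surviving under the first-colon split; when choosing an extract key, confirm that the field you rely on does not contain a colon in the certificates your CA issues.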
SSL certificate lookup
This module extracts information from the client SSL certificate and verifies it against the LDAP server.
- Click Configure in the SSL Certificate Lookup row.
- Enter the lookup expression.
The lookup expression must be a valid LDAP query. It can contain any value from the supplied X.509 certificate or an X.509 extension value, referenced through the Apache mod_ssl variables. See the Apache website for more information on these variables.
- Enter the LDAP Attribute against which to check the user name.
- Click Apply to apply the changes.
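Because the certificate is not verified by the web server in this mode, the values substituted into the lookup expression come straight from the client. The following added example (not BMC Atrium Discovery code) renders a lookup expression from mod_ssl variables while escaping each value for use in an LDAP filter. It assumes a placeholder syntax of the form ${SSL_CLIENT_...} (the product's own substitution syntax is not shown on this page) and a constructed mod_ssl environment; the variable names SSL_CLIENT_S_DN_CN and SSL_CLIENT_S_DN_Email are standard Apache mod_ssl names.

```python
"""Render an SSL Certificate Lookup expression from Apache mod_ssl variables.

Constructed example, not BMC Atrium Discovery code. Assumes placeholders of the
form ${SSL_CLIENT_...}; the product's own syntax is not shown on the page.
"""
import re
from typing import Mapping

# Constructed mod_ssl environment for one client certificate (sample values).
SAMPLE_SSL_ENV = {
    "SSL_CLIENT_S_DN_CN": "Timothy Taylor",
    "SSL_CLIENT_S_DN_Email": "firstname.lastname@example.org",
    "SSL_CLIENT_VERIFY": "SUCCESS",
}

# Assumed placeholder syntax: ${SSL_CLIENT_<name>}.
_PLACEHOLDER = re.compile(r"\$\{(SSL_CLIENT_[A-Za-z0-9_]+)\}")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The characters \\ * ( ) and NUL are replaced by their \\XX hex form so a
    certificate field cannot change the structure of the query.
    """
    escaped = []
    for ch in value:
        if ch in "\\*()\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def render_lookup(expression: str, ssl_env: Mapping[str, str]) -> str:
    """Replace each ${SSL_CLIENT_*} placeholder with the escaped variable value.

    Raises KeyError if the expression references a variable the web server did
    not set for this request, rather than silently substituting an empty string.
    """
    def substitute(match):
        name = match.group(1)
        if name not in ssl_env:
            raise KeyError(f"{name} is not present in the request environment")
        return escape_filter_value(ssl_env[name])
    return _PLACEHOLDER.sub(substitute, expression)


if __name__ == "__main__":
    expr = "(&(objectClass=person)(mail=${SSL_CLIENT_S_DN_Email}))"
    print(render_lookup(expr, SAMPLE_SSL_ENV))
```

The rendered filter is what the LDAP Attribute setting on the same dialog is then checked against. Whatever substitution syntax the product uses, the property to verify when testing a lookup expression is the one the escaping function provides: a certificate field containing filter metacharacters must not be able to widen the query.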
Configuring RSA SecurID authentication
BMC Atrium Discovery can use an RSA SecurID server to perform authentication. To do this you must first install the RSA Authentication Agent 7.1 for Web for Apache Web Server on the appliance, configure it to access your RSA Authentication Manager, and test to ensure that it is working. See the RSA documentation for instructions on how to do this.
Cannot use system and other standard users
You cannot log in as the system user or any of the other standard users unless an exactly corresponding RSA/LDAP user exists. You must create an RSA/LDAP user with permissions exactly corresponding to any default user that you use.
To configure RSA SecurID authentication:
- Log in to the BMC Atrium Discovery UI using an LDAP account with permissions equivalent to the system user. Ensure you can access the Administration -> Web authentication page while logged in as this user.
- Click Configure in the RSA SecurID Authentication row.
The configure page has a single editable field, the Logout URL, which is required to log out via the web authentication framework. The default is
- Log out of the BMC Atrium Discovery UI.
- Install and configure the RSA Authentication Manager according to the instructions in the documentation contained in the download.
- During the configuration of RSA SecurID, "Use RSA Token for Cross-Site Request Forgery Protection" must be set to disabled otherwise logging out from the BMC Atrium discovery UI will fail.
- The installation requires that some environment variables are configured. These variables should be appended to /etc/sysconfig/httpd. A typical entry looks like this:
- If the appliance is a virtual machine and you use VMware snapshots, ensure that you update the snapshot after configuring the RSA Authentication Manager. Rolling back to an earlier snapshot removes the shared secret and prevents subsequent logins. See the RSA Authentication Manager documentation for more information.
- Navigate to the BMC Atrium Discovery URL. You are presented with the RSA SecurID login page.
- Log in using the same LDAP account with permissions equivalent to the system user.
You are now presented with the standard BMC Atrium Discovery login page.
- Log in to BMC Atrium Discovery with the same LDAP account as you used in the previous step.
- Navigate to the Administration -> Web authentication page and enable the RSA SecurID integration.
If you cannot access the Administration -> Web authentication page, you must log out of BMC Atrium Discovery, log back in as the system user, and grant sufficient permissions to the RSA/LDAP user to access that page.
Once RSA SecurID Authentication is enabled in BMC Atrium Discovery, the BMC Atrium Discovery login screen is no longer displayed. To log in, enter your username, password, and the code from the SecurID token in the RSA SecurID login screens. You are authenticated against the RSA Authentication Manager, and once authenticated you are logged into BMC Atrium Discovery using the same username.
If RSA SecurID Authentication is not enabled, the normal BMC Atrium Discovery login page is displayed, even after successfully logging in using the RSA Authentication Agent. If RSA SecurID Authentication is enabled in ADDM, but the RSA Authentication Agent is not installed or is installed incorrectly, the normal BMC Atrium Discovery login page is also displayed.
Configuring user authentication using HTTP Header
This section contains instructions on how to integrate BMC Atrium Discovery with single sign-on (SSO) technologies, such as CA SiteMinder, that provide authentication using a custom HTTP header.
The HTTP header plugin scans each HTTP request for a specific HTTP header. If the header is present and contains a valid user ID, the user is authenticated; otherwise the user is not authenticated. The header is assumed to contain the username or user ID, which is used in an LDAP query to obtain authorization. The LDAP query uses LDAP group mapping.
HTTP header authentication is a simple authentication mechanism which requires additional protection.
- HTTPS must be enabled with HTTP redirection.
- LDAP support must be enabled.
- A reverse proxy must be used, and BMC Atrium Discovery configured only to accept HTTP requests from the IP address or addresses of the proxy.
Enabling HTTP header authentication without securing the appliance in this manner leaves the appliance vulnerable to attack.
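The three conditions above are what stand between a header-based login and anyone who can put a header on a request. The following added example (not BMC Atrium Discovery code) shows the acceptance logic as a defender would want it enforced: the header is honoured only over HTTPS, only when the request arrives from a reverse-proxy address, only when it holds a well-formed user ID, and only when that ID resolves through the group mapping. The header name X-SSO-User, the proxy network 10.0.0.0/24 and the in-memory directory are all constructed for the example.

```python
"""Gate an SSO header login on the protections the page requires.

Constructed example, not BMC Atrium Discovery code. The header name, proxy
range and directory contents below are made up for illustration.
"""
import ipaddress
import re
from typing import Dict, Mapping, Optional, Sequence

HEADER_NAME = "X-SSO-User"          # assumed header name set by the SSO proxy
TRUSTED_PROXIES = ["10.0.0.0/24"]   # assumed reverse-proxy address range

# A "valid user ID": a short token of the characters a directory login uses.
_USER_ID = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")

# Constructed stand-in for the LDAP group mapping lookup.
DIRECTORY: Dict[str, Sequence[str]] = {
    "ttaylor": ("discovery-admins",),
    "jdoe": ("discovery-readonly",),
}


def _header_value(headers: Mapping[str, str], name: str) -> str:
    """Fetch a header case-insensitively, as HTTP header names are."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def header_authenticate(
    headers: Mapping[str, str],
    remote_addr: str,
    is_https: bool,
    trusted_proxies: Sequence[str] = TRUSTED_PROXIES,
    header_name: str = HEADER_NAME,
    directory: Mapping[str, Sequence[str]] = DIRECTORY,
) -> Optional[Dict[str, object]]:
    """Return {"user", "groups"} when the header login is acceptable, else None."""
    # HTTPS must be enabled; a header carried over plain HTTP is ignored.
    if not is_https:
        return None
    # Only the reverse proxy may deliver the header: reject any other source.
    client = ipaddress.ip_address(remote_addr)
    if not any(client in ipaddress.ip_network(net) for net in trusted_proxies):
        return None
    # The header must be present and hold a well-formed user ID.
    user_id = _header_value(headers, header_name)
    if not _USER_ID.match(user_id):
        return None
    # Authorization comes from the directory group mapping, not from the header.
    groups = directory.get(user_id)
    if groups is None:
        return None
    return {"user": user_id, "groups": list(groups)}


if __name__ == "__main__":
    print(header_authenticate({"X-SSO-User": "ttaylor"}, "10.0.0.5", True))
    print(header_authenticate({"X-SSO-User": "ttaylor"}, "192.0.2.10", True))
```

Only the proxy-address check is shown in code; the appliance-side rule that BMC Atrium Discovery accepts HTTP requests only from the proxy addresses must be enforced in the appliance's own network and web server configuration, since the application cannot tell a forwarded header from one added by the client once the request has reached it.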
Example HTTP headers
The SSO application inserts a custom header into each HTTP request. For example:
- Big Corp Inc. uses
- Little Corp Inc. uses
To configure SSO using HTTP header
Before configuring and enabling HTTP header authentication ensure that you understand the potential security implications of this authentication mechanism. To configure HTTP header authentication:
- On the appliance, click Administration > Single Sign On.
- Click Web Authentication.
- In the HTTP Header row, click Configure.
- Ensure that you understand the potential security implications of this authentication mechanism.
- In the HTTP Header field, enter the name of the header to use for authentication.
This is the header that the SSO application must populate with a valid user ID. BMC Atrium Discovery uses the value of this header to do a lookup in the LDAP server for authentication and for authorization via LDAP group mapping.
- To complete the configuration, click Apply.
- To enable HTTP header authentication, click Enable.
Standard Atrium Discovery web authentication
No configuration is required for the Standard Atrium Discovery Web Authentication section; it is the fail-safe method of logging in to the system. This authentication method uses local users created on the appliance.