Configuring Web authentication settings

BMC Discovery supports a number of web authentication plug-ins. You can view and configure these on the Web Authentication Methods Page.

The following web authentication methods are supported:

SSL Client Certificate Verification—The client's SSL Certificate is verified by the web server. The user name is extracted from the certificate and used for authorization via LDAP. Requires LDAP support.
SSL Certificate Lookup—The user is authenticated by looking up custom parts of the client's SSL Certificate via LDAP. The certificate is not verified, but it must be valid. Requires LDAP support.
RSA SecurID Authentication—Authentication is performed by the RSA Authentication Agent. The username is used for authorization via LDAP. Requires HTTPS and LDAP support.

RSA SecurID Authentication is deprecated and will be removed in a future release.
HTTP Header—BMC Discovery is integrated with Single Sign-On (SSO) technologies to authenticate users through custom HTTP headers such as CA SiteMinder. Requires LDAP support.
Standard BMC Discovery Web Authentication—The user is authenticated by entering a user name and password via the Login page. Supports authentication via LDAP, if LDAP support is enabled.

To configure the web authentication settings:

From the main menu, click the Administration icon.
The Administration page opens.
In the Security section, click Single Sign On.
Select the Web Authentication tab.

On the Web Authentication page, you can enable, disable, and configure each method. The Standard Atrium Discovery Web Authentication module is a special case (it cannot be disabled and acts as the fail safe login).

For each authentication module (except for the Standard Atrium Discovery Web Authentication module), the following controls are provided:

Disable—Click this link to disable the module. When a module is disabled, the link is replaced with an Enable link.
Configure—Click this link to open a dialog box to configure the module. These dialogs are described in the following sections:

The page also provide links to the configuration pages for HTTPS and LDAP.

Configuring SSL client certificate verification

This module verifies the client SSL certificate with the web server. If the certificate is valid, the user name is extracted and used for LDAP authorization.

To configure SSL client certificate verification:

Click Configure in the SSL Client Certificate Verification row.
Enter the extract key in the single editable field.
The Extract Key that is used to extract the user name. It can be any value in the Distinguished Name (DN) of the supplied X.509 certificate or an X.509 extension value. The default is emailAddress which is used when the email address is the user name.
If the user name is not the email address, enter a new extract key to get the user name. This must match the search template used in in the LDAP settings.
Click Apply.

In 9.0 SP1 and later you can extract values from X.509 certificate extensions. The extension name subjectAltName is used as the extract key. The extension name is split into parts. The parts that you can extract are determined by the content of the certificate. For example you can refer to:

subjectAltName—The entire extension name
subjectAltName.emailAddress—Email address (as defined in RFC 822; for example, timothy_taylor@bmc.com "Taylor, Timothy")

Note

A colon is assumed to delimit fields in the subjectAltName value so the string will not be split correctly if a value contains a colon.

SSL certificate lookup

This module extracts information from the client SSL certificate and verifies it against the LDAP server.

Click Configure in the SSL Certificate Lookup row.

Enter the lookup expression.
The lookup expression must be a valid LDAP query. It can contain any values from the supplied X.509 certificate or an X.509 extension value. The variables you can use are:

`HTTPS`	`SSL_PROTOCOL`	`SSL_SESSION_ID`
`SSL_CIPHER`	`SSL_CIPHER_EXPORT`	`SSL_CIPHER_USEKEYSIZE`
`SSL_CIPHER_ALGKEYSIZE`	`SSL_VERSION_INTERFACE`	`SSL_VERSION_LIBRARY`
`SSL_CLIENT_M_VERSION`	`SSL_CLIENT_M_SERIAL`	`SSL_CLIENT_S_DN`
`SSL_CLIENT_S_DN_x509`	`SSL_CLIENT_I_DN`	`SSL_CLIENT_I_DN_x509`
`SSL_CLIENT_V_START`	`SSL_CLIENT_V_END`	`SSL_CLIENT_A_SIG`
`SSL_CLIENT_A_KEY`	`SSL_CLIENT_CERT`	`SSL_CLIENT_CERT_CHAINn`
`SSL_CLIENT_VERIFY`	`SSL_CLIENT_SAN_OTHER_msUPN_0`	`SSL_SERVER_M_VERSION`
`SSL_SERVER_M_SERIAL`	`SSL_SERVER_A_SIG`	`SSL_SERVER_A_KEY`
`SSL_SERVER_S_DN`	`SSL_SERVER_S_DN_x509`	`SSL_SERVER_I_DN`
`SSL_SERVER_I_DN_x509`	`SSL_SERVER_V_START`	`SSL_SERVER_V_END`
`SSL_SERVER_CERT`

These are the Apache mod_ssl variables. See the Apache website for more information.

Enter the LDAP Attribute against which to check the user name.
Click Apply.

To configure RSA SecurID authentication

RSA SecurID Authentication is deprecated and will be removed in a future release.

BMC Discovery can use an RSA SecurID server to perform authentication. To do so, you must first install the RSA Authentication Agent 7.1 for Web for Apache Web Server on the appliance, configure it to access your RSA Authentication Manager, and test to ensure that it is working. See the RSA documentation for instructions.

Note

Installation of software using RPM packages

You must avoid installing software using RPM commands. In addition to installing the third party software, these are very likely to update system libraries which may be incompatible with those currently used, or when the operating system or the BMC Discovery application are updated later.

Cannot use system and other standard users

You cannot access the system user and the other standard users unless they have an exactly corresponding RSA/LDAP user. You must create an RSA/LDAP user with permissions exactly corresponding to any default users that you use.

To configure RSA SecurID authentication:

Log in to the BMC Discovery UI using an LDAP account with permissions equivalent to the system user. Ensure you can access the Administration > Web authentication page while logged in as this user.
Click Configure in the RSA SecurID Authentication row.
There is a single editable field in the configure page, this is the Logout URL which is required to logout via the web authentication framework. The default is /webauthentication?logoff?referrer=/ui.
Log out of the BMC Discovery UI.
Install and configure the RSA Authentication Manager according to the instructions in the documentation contained in the download.
- During the configuration of RSA SecurID, "Use RSA Token for Cross-Site Request Forgery Protection" must be set to disabled otherwise logging out from the BMC Discovery UI will fail.
- The installation requires that some environment variables are configured. These variables should be appended to /etc/sysconfig/httpd. A typical entry looks like this:
```
# RSA enablement
export VAR_ACE=/var/ace
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/etc/httpd/rsawebagent 
```
- If the appliance is a virtual machine and you use VMware snapshots, you should ensure that you update the snapshot after configuring the RSA Authentication Manager. Rolling back to an earlier snapshot removes the shared secret and prevents subsequent log ins. See the RSA Authentication Manager documentation for more information.
Navigate to the BMC Discovery URL. You are presented with the RSA SecurID login page.
Log in using the same LDAP account with permissions equivalent to the system user.
You are now presented with the standard BMC Discovery login page.
Log in to BMC Discovery with the same LDAP account as you used in the previous step.
Navigate to the Administration > Web authentication page and enable the RSA SecurID integration.
If you cannot access the Administration > Web authentication page, you must log out of BMC Discovery, log back in as the system user, and grant sufficient permissions to the RSA/LDAP user to access that page.

After RSA SecurID Authentication is enabled in BMC Discovery, the BMC Discovery login screen is no longer displayed. To log in, enter your username, password, and code from the SecurID token in the RSA SecurID login screens. You are authenticated against the RSA Authentication Manager and then logged in to BMC Discovery using the same username.

If RSA SecurID Authentication is not enabled, the normal BMC Discovery login page is displayed, even after successfully logging in using the RSA Authentication Agent. If RSA SecurID Authentication is enabled in ADDM, but the RSA Authentication Agent is not installed or is installed incorrectly, the normal BMC Discovery login page is also displayed.

Configuring user authentication using HTTP Header

This section contains instructions for integrating BMC Discovery with single sign-on (SSO) technologies, which provide authentication using custom HTTP headers such as CA SiteMinder.

The HTTP header plug-in scans each HTTP request for a specific HTTP Header. If the HTTP header is present and contains a valid user ID, the user is authenticated; if not, the user is not authenticated. The header is assumed to contain the username or user ID which is used in an LDAP query to obtain authorization. The LDAP query uses LDAP group mapping.

HTTP headers with underscores no longer permitted

BMC Discovery 11.3 no longer permits underscores in HTTP headers. If you upgrade to BMC Discovery 11.3 and your HTTP Header authentication scheme permits underscores, it will no longer work. You must update the single sign-on provider and reconfigure authentication using HTTP headers.

Warning

HTTP header authentication is a simple authentication mechanism which requires additional protection.

HTTPS must be enabled with HTTP redirection.
LDAP support must be enabled
A reverse proxy must be used, and BMC Discovery configured only to accept HTTP requests from the IP address or addresses of the proxy.
Enabling HTTP header authentication without securing the appliance in this manner leaves the appliance vulnerable to attack.

Example HTTP headers

The SSO application inserts a custom header into each HTTP request; for example:

Big Corp Inc. uses BIGUID: 123456
Little Corp Inc. uses LITTLEUSER: fbloggs

To configure SSO using HTTP header

Before configuring and enabling HTTP header authentication ensure that you understand the potential security implications of this authentication mechanism. To configure HTTP header authentication:

From the main menu, click the Administration icon.
The Administration page opens.
In the Security section, click Single Sign On.
Click Web Authentication.
In the HTTP Header row, click Configure.
Ensure that you understand the potential security implications of this authentication mechanism.
In the HTTP Header field, enter the name of the header to use for authentication.
This is the header that the SSO application must populate with a valid user ID. BMC Discovery uses the value of this header to do a lookup in the LDAP server for authentication and for authorization via LDAP group mapping.
To complete the configuration, click Apply.
To enable HTTP header authentication, click Enable.

Standard BMC Discovery web authentication

No configuration is required for the Standard Atrium Discovery Web Authentication section, it is the fail-safe method of logging in to the system. This authentication method uses local users created on the appliance.