This documentation supports the 21.05 (12.2) version of BMC Discovery.

To view an earlier version of the product, select the version from the Product version menu.

Configuring Web authentication settings

BMC Discovery supports a number of web authentication plug-ins. You can view and configure these on the Web Authentication Methods Page.

The following web authentication methods are supported:

  • SSL Client Certificate Verification—The client's SSL Certificate is verified by the web server. The user name is extracted from the certificate and used for authorization via LDAP. Requires LDAP support.
  • SSL Certificate Lookup—The user is authenticated by looking up custom parts of the client's SSL Certificate via LDAP. The certificate is not verified, but it must be valid. Requires LDAP support.
  • HTTP Header—BMC Discovery is integrated with Single Sign-On (SSO) technologies to authenticate users through custom HTTP headers such as CA SiteMinder. Requires LDAP support.
  • Standard BMC Discovery Web Authentication—The user is authenticated by entering a user name and password via the Login page. Supports authentication via LDAP, if LDAP support is enabled.

To configure the web authentication settings:

  1. From the main menu, click the Administration icon 
    The Administration page opens.  
  2. In the Security section, click Single Sign On.
  3. Select the Web Authentication tab.

On the Web Authentication page, you can enable, disable, and configure each method. The Standard Atrium Discovery Web Authentication module is a special case (it cannot be disabled and acts as the fail safe login).

For each authentication module (except for the Standard Atrium Discovery Web Authentication module), the following controls are provided:

The page also provide links to the configuration pages for HTTPS and LDAP.

Configuring SSL client certificate verification

This module verifies the client SSL certificate with the web server. If the certificate is valid, the user name is extracted and used for LDAP authorization.

To configure SSL client certificate verification:

  1. Click Configure in the SSL Client Certificate Verification row.
  2. Enter the extract key in the single editable field.
    The Extract Key that is used to extract the user name. It can be any value in the Distinguished Name (DN) of the supplied X.509 certificate or an X.509 extension value. The default is emailAddress which is used when the email address is the user name.
  3. If the user name is not the email address, enter a new extract key to get the user name. This must match the search template used in in the LDAP settings.
  4. Click Apply.

In 9.0 SP1 and later you can extract values from X.509 certificate extensions. The extension name subjectAltName is used as the extract key. The extension name is split into parts. The parts that you can extract are determined by the content of the certificate. For example you can refer to:

  • subjectAltName—The entire extension name
  • subjectAltName.emailAddress—Email address (as defined in RFC 822; for example, timothy_taylor@bmc.com "Taylor, Timothy")

Note

A colon is assumed to delimit fields in the subjectAltName value so the string will not be split correctly if a value contains a colon.

SSL certificate lookup

This module extracts information from the client SSL certificate and verifies it against the LDAP server.

  1. Click Configure in the SSL Certificate Lookup row.
  2. Enter the lookup expression.
    The lookup expression must be a valid LDAP query. It can contain any values from the supplied X.509 certificate or an X.509 extension value. The variables you can use are:

    HTTPS

    SSL_PROTOCOL

    SSL_SESSION_ID

    SSL_CIPHER

    SSL_CIPHER_EXPORT

    SSL_CIPHER_USEKEYSIZE

    SSL_CIPHER_ALGKEYSIZE

    SSL_VERSION_INTERFACE

    SSL_VERSION_LIBRARY

    SSL_CLIENT_M_VERSION

    SSL_CLIENT_M_SERIAL

    SSL_CLIENT_S_DN

    SSL_CLIENT_S_DN_x509

    SSL_CLIENT_I_DN

    SSL_CLIENT_I_DN_x509

    SSL_CLIENT_V_START

    SSL_CLIENT_V_END

    SSL_CLIENT_A_SIG

    SSL_CLIENT_A_KEY

    SSL_CLIENT_CERT

    SSL_CLIENT_CERT_CHAINn

    SSL_CLIENT_VERIFY

    SSL_CLIENT_SAN_OTHER_msUPN_0

    SSL_SERVER_M_VERSION

    SSL_SERVER_M_SERIALSSL_SERVER_A_SIGSSL_SERVER_A_KEY

    SSL_SERVER_S_DN

    SSL_SERVER_S_DN_x509

    SSL_SERVER_I_DN

    SSL_SERVER_I_DN_x509

    SSL_SERVER_V_START

    SSL_SERVER_V_END

    SSL_SERVER_CERT




    These are the Apache mod_ssl variables. See the Apache website for more information.


  3. Enter the LDAP Attribute against which to check the user name.
  4. Click Apply.

Configuring user authentication using HTTP Header

This section contains instructions for integrating BMC Discovery with single sign-on (SSO) technologies, which provide authentication using custom HTTP headers such as CA SiteMinder.

The HTTP header plug-in scans each HTTP request for a specific HTTP Header. If the HTTP header is present and contains a valid user ID, the user is authenticated; if not, the user is not authenticated. The header is assumed to contain the username or user ID which is used in an LDAP query to obtain authorization. The LDAP query uses LDAP group mapping.

HTTP headers with underscores no longer permitted

BMC Discovery 11.3 no longer permits underscores in HTTP headers. If you upgrade to BMC Discovery 11.3 and your HTTP Header authentication scheme permits underscores, it will no longer work. You must update the single sign-on provider and reconfigure authentication using HTTP headers.


Warning

HTTP header authentication is a simple authentication mechanism which requires additional protection.

  • HTTPS must be enabled with HTTP redirection.
  • LDAP support must be enabled
  • A reverse proxy must be used, and BMC Discovery configured only to accept HTTP requests from the IP address or addresses of the proxy.
    Enabling HTTP header authentication without securing the appliance in this manner leaves the appliance vulnerable to attack.

Example HTTP headers

The SSO application inserts a custom header into each HTTP request; for example:

  • Big Corp Inc. uses BIGUID: 123456
  • Little Corp Inc. uses LITTLEUSER: fbloggs

To configure SSO using HTTP header

Before configuring and enabling HTTP header authentication ensure that you understand the potential security implications of this authentication mechanism. To configure HTTP header authentication:

  1. From the main menu, click the Administration icon 
    The Administration page opens.
  2. In the Security section, click Single Sign On.
  3. Click Web Authentication.
  4. In the HTTP Header row, click Configure.
  5. Ensure that you understand the potential security implications of this authentication mechanism.
  6. In the HTTP Header field, enter the name of the header to use for authentication.
    This is the header that the SSO application must populate with a valid user ID. BMC Discovery uses the value of this header to do a lookup in the LDAP server for authentication and for authorization via LDAP group mapping.
  7. To complete the configuration, click Apply.
  8. To enable HTTP header authentication, click Enable.

Standard BMC Discovery web authentication

No configuration is required for the Standard Atrium Discovery Web Authentication section, it is the fail-safe method of logging in to the system. This authentication method uses local users created on the appliance.

Was this page helpful? Yes No Submitting... Thank you

Comments