Recommendation
BMC recommends that you make custom changes to already defined properties in the custom/pronet.conf file so that the changes are retained during upgrades.
This topic lists security considerations and recommendations that ensure maximum security while using BMC ProactiveNet.
To disable the HTTP interface and run BMC ProactiveNet over HTTPS, edit the Apache configuration file httpd.conf and remove the entries for port 80. httpd.conf is located in the following directories, depending on your operating system:
This is not available in the current BMC ProactiveNet release.
User names and passwords are stored in the database on BMC ProactiveNet Server. All passwords are kept in encrypted format. Only database users with administrative privileges have access to user name and password information.
You can set password strength by modifying the following entries in the pronet.conf file:
pronet.login.minLength=6
pronet.login.maxLength=15
pronet.login.numericChars=1
BMC ProactiveNet does not lock user accounts. However, all logon failures are recorded in ProactiveNet.log. To lock accounts, you can write a script to delete the account based on the log file entries.
By default, inactive users are logged out of the Operations Console after 24 hours. However, you can customize this period globally for all users by setting the pronet.html.globalsession.timeout property in the pronet.conf file located in the InstallationDirectory/pw/custom/conf directory. If you change this property, make sure to set the same logout period in the Tomcat configuration file InstallationDirectory/pw/tomcat/conf/web.xml (line 321).
<session-config>
    <session-timeout>1440</session-timeout>
</session-config>
Restart the BMC ProactiveNet server by running the command:
pw system start
Note
When the BMC ProactiveNet server is restarted, all users will be logged out.
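The page requires the pronet.conf timeout and the Tomcat web.xml timeout to match. The following check for drift between the two is an added example, not BMC code. It assumes the pronet.conf value is expressed in minutes (the page does not state the unit; adjust `unit_minutes` otherwise), and the function names and sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PROP = "pronet.html.globalsession.timeout"
DEFAULT_MINUTES = 24 * 60  # the page's stated default: 24 hours

def read_properties(text):
    """Parse key=value lines of a pronet.conf-style file; later entries win."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def tomcat_timeout_minutes(web_xml):
    """Return <session-timeout> in minutes (Servlet spec unit), or None."""
    root = ET.fromstring(web_xml)
    for elem in root.iter():
        # Real web.xml files declare a namespace; compare the local name only.
        if elem.tag.rsplit("}", 1)[-1] == "session-timeout":
            return int(elem.text.strip())
    return None

def check_timeouts(conf_text, web_xml, unit_minutes=1):
    """Return (ok, message). unit_minutes converts the pronet.conf value to
    minutes; the default of 1 is an assumption, not documented on the page."""
    raw = read_properties(conf_text).get(PROP)
    pronet = DEFAULT_MINUTES if raw is None else int(raw) * unit_minutes
    tomcat = tomcat_timeout_minutes(web_xml)
    if tomcat is None:
        return False, "web.xml has no <session-timeout>"
    if pronet != tomcat:
        return False, f"mismatch: pronet.conf={pronet} min, web.xml={tomcat} min"
    return True, f"both set to {tomcat} min"

# Constructed sample inputs: the property was shortened, web.xml was not.
SAMPLE_CONF = """# custom/pronet.conf (constructed sample)
pronet.login.minLength=6
pronet.html.globalsession.timeout=30
"""
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <session-config>
    <session-timeout>1440</session-timeout>
  </session-config>
</web-app>"""

if __name__ == "__main__":
    print(check_timeouts(SAMPLE_CONF, SAMPLE_WEB_XML))
```

Run it against the real files by reading InstallationDirectory/pw/custom/conf/pronet.conf and InstallationDirectory/pw/tomcat/conf/web.xml into the two string arguments.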
Add the entry SSLProtocol +SSLv3 just above the directive SSLEngine on, in the Apache httpd-ssl.conf configuration file. httpd-ssl.conf is located in the following directories, depending on your operating system:
Currently not supported.
For example, NTLM (legacy Windows authentication method), Kerberos (current Windows authentication method), and SiteMinder (cross-platform SSO tool used by internet-facing platforms) are not supported.
Use the following property in pronet.conf:
pronet.apps.agent.authorizedcontrolleraddress=<ipaddress>
Set the following property in the custom/pronet.conf file:
pronet.apps.agentcontroller.useIPForAgentConnection=<ipaddress>
If the server computer has more than one IP address (more than one NIC), set this property to the IP address that the agent controller will present while connecting to the agent.