Enabling Active Directory authentication on BMC Network Automation
This topic describes the prerequisites and the procedure to configure BMC Network Automation to enable Active Directory (AD) authentication without rerunning the installation program.
Before you begin
Ensure that you have met the following prerequisites:
- AD server is named appropriately.
- LDAP uses an available port.
- At least one AD domain account is created. This account acts as the BMC Network Automation administrator because the default system administrator account, sysadmin cannot log on after BMC Network Automation is configured for AD authentication.
- BMC Network Automation system administrator account is created in the OU “Service Accounts” in the root of the LDAP directory because BMC Network Automation searches for user accounts recursively. In this case, it searches recursively from the root of AD.
- The Automatically Add New Users As system parameter is enabled. For more information, see Security section (external mode user authentication).
- All existing BMC Network Automation user accounts in AD are recreated to continue using them. They will retain their existing rights and roles within BMC Network Automation.
To enable AD authentication
- Stop the BMC Network Automation server.
Open the global.properties file with a text editor located in the BCAN_DATA directory and change the authentication mechanism to activeDirectory as shown in the following code snippet:
# Indicates the type of authentication being used.
# Default is local authentication where username and password information
# reside in the BCA-Networks database. Others are remote authenticators
# configured as a Realm in the server.xml file.
# Allowed options: local/activeDirectory/ldap/radius/tacacs
# Default = local
userAuthMode=activeDirectory- Invoke the BMC Network Automation maintenance utility from the BCAN_HOME\utility directory, by using the following command:
- (Windows) BcanMaintenanceTool.bat
- (Linux) ./BcanMaintenanceTool.sh
- Encrypt the AD root user password as shown in the following figure:
- Navigate to the BCAN_HOME\tomcat\conf directory and open the Tomcat server configuration file (server.xml) file with a text editor.
Search the file for a section similar to the following one and comment the section, which represents the local authentication.
<Realm className="com.bmc.bcan.catalina.realm.BBNAJDBCRealm"
driverName="org.postgresql.Driver"
connectionURL="${bna.jdbcRealm.connectionURL}"
connectionName="${bna.jdbcRealm.connectionUsername}"
connectionPassword="${bna.jdbcRealm.connectionPassword}"
userTable="usr"
userNameCol="user_name"
userCredCol="encrypted_password"
userRoleTable="usr"
roleNameCol="realm_role_name"
digest="SHA-256"/>Below the commented section, add the following section to enable the active directory authentication:
<Realm className="com.bmc.bcan.catalina.realm.BBNAJNDIRealm"
connectionURL="${bna.jndiRealm.connectionURL}"
connectionName="${bna.jndiRealm.principal},${bna.jndiRealm.baseDN}"
connectionPassword="${bna.jndiRealm.connectionPassword}"
userBase="${bna.jndiRealm.userBase}${bna.jndiRealm.baseDN}"
userSearch="${bna.jndiRealm.userSearch}"
userSubtree="${bna.jndiRealm.userSubtree}"
referrals="${bna.jndiRealm.referrals}"/>The Sample server.xml file section shows a sample server.xml file.
- Save the file.
In the BCAN_HOME\tomcat\conf directory, open the catalina.properties file with a text editor and populate the following parameters with the details of your AD server:
- bna.jndiRealm.connectionURL
- bna.jndiRealm.alternateURL
- bna.jndiRealm.principal
- bna.jndiRealm.baseDN
- bna.jndiRealm.connectionPassword
- bna.jndiRealm.userSearch
- bna.jndiRealm.userBase
- bna.jndiRealm.userSubtree
- bna.jndiRealm.referrals
The Sample catalina.properties file section shows a sample catalina.properties file.
- Save the file.
- Restart the BMC Network Automation server.
Sample server.xml file
The following code snippet shows a sample server.xml file with the active directory authentication:
<Server port="-1">
<!-- above port=-1 means the shutdown port is disabled -->
<!-- Security listener. Documentation at /docs/config/listeners.html -->
<!-- <Listener className="org.apache.catalina.security.SecurityListener" /> -->
<!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Service name="Catalina">
<!-- Define a SSL Http11NioProtocol Connector on port 443. The keystore attribute assumes -->
<!-- the .keystore file will be located in the $CATALINA_BASE directory -->
<!-- Handles HTTPS traffic -->
<Connector port="${bna.connector.sslPort}"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
maxThreads="${bna.connector.maxThreads}"
scheme="https"
secure="true"
server="BMC Network Automation Server"
clientAuth="false"
sslEnabledProtocols="${bna.connector.sslEnabledProtocols}"
maxHttpHeaderSize="${bna.connector.maxHttpHeaderSize}"
connectionTimeout="${bna.connector.connectionTimeout}"
maxParameterCount="${bna.connector.maxParameterCount}"
disableUploadTimeout="true"
keystorePass="${bna.connector.keystorePass}"
sslImplementationName="com.bmc.bcan.catalina.net.ssl.BBNASSLImplementation"
ciphers="${bna.connector.ciphers}"
URIEncoding="UTF-8"/>
<!-- Handles HTTP traffic (without redirecting it to HTTPS connector)
<Connector port="${bna.connector.port}"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="false"
maxThreads="${bna.connector.maxThreads}"
scheme="http"
secure="false"
clientAuth="false"
maxHttpHeaderSize="${bna.connector.maxHttpHeaderSize}"
connectionTimeout="${bna.connector.connectionTimeout}"
maxParameterCount="${bna.connector.maxParameterCount}"
disableUploadTimeout="true"
URIEncoding="UTF-8" />
-->
<!-- Note that for the terminal session functionality what we want is a
persistent http connection in the form of a never-loading page with
regular flushes to the response buffer, the compression="on"
attribute does not let you do this, it only lets you flush the
response buffer when the entire page has loaded, so this
option has been removed from the Connector element.
compression="on"
compressableMimeType="text/html,text/xml,text/css,text/javascript"
-->
<!-- Define a non-SSL Http11NioProtocol Connector on port 80 which will redirect to 443 -->
<Connector port="${bna.connector.port}"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="${bna.connector.maxThreads}"
connectionTimeout="${bna.connector.connectionTimeout}"
redirectPort="${bna.connector.sslPort}"/>
<Engine name="Catalina"
defaultHost="localhost">
<!-- The request dumper valve dumps useful debugging information about
the request and response data received and sent by Tomcat.
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.valves.RequestDumperValve"/>
-->
<!-- BEGIN: BCA-Networks realm configured by InstallShield -->
<Realm className="com.bmc.bcan.catalina.realm.BNALockOutRealm"
failureCount="${bna.lockOutRealm.failureCount}"
lockOutTime="${bna.lockOutRealm.lockOutTime}"
cacheSize="${bna.lockOutRealm.cacheSize}"
cacheRemovalWarningTime="${bna.lockOutRealm.cacheRemovalWarningTime}">
<!-- <Realm className="com.bmc.bcan.catalina.realm.BBNAJDBCRealm"
driverName="org.postgresql.Driver"
connectionURL="${bna.jdbcRealm.connectionURL}"
connectionName="${bna.jdbcRealm.connectionUsername}"
connectionPassword="${bna.jdbcRealm.connectionPassword}"
userTable="usr"
userNameCol="user_name"
userCredCol="encrypted_password"
userRoleTable="usr"
roleNameCol="realm_role_name"
digest="SHA-256"/> -->
<Realm className="com.bmc.bcan.catalina.realm.BBNAJNDIRealm"
connectionURL="${bna.jndiRealm.connectionURL}"
connectionName="${bna.jndiRealm.principal},${bna.jndiRealm.baseDN}"
connectionPassword="${bna.jndiRealm.connectionPassword}"
userBase="${bna.jndiRealm.userBase}${bna.jndiRealm.baseDN}"
userSearch="${bna.jndiRealm.userSearch}"
userSubtree="${bna.jndiRealm.userSubtree}"
referrals="${bna.jndiRealm.referrals}"/>
</Realm>
<!-- END: BCA-Networks realm configured by InstallShield -->
<Host name="localhost"
appBase="webapps"
unpackWARs="true"
autoDeploy="false">
</Host>
</Engine>
</Service>
</Server>
<!-- above port=-1 means the shutdown port is disabled -->
<!-- Security listener. Documentation at /docs/config/listeners.html -->
<!-- <Listener className="org.apache.catalina.security.SecurityListener" /> -->
<!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Service name="Catalina">
<!-- Define a SSL Http11NioProtocol Connector on port 443. The keystore attribute assumes -->
<!-- the .keystore file will be located in the $CATALINA_BASE directory -->
<!-- Handles HTTPS traffic -->
<Connector port="${bna.connector.sslPort}"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
maxThreads="${bna.connector.maxThreads}"
scheme="https"
secure="true"
server="BMC Network Automation Server"
clientAuth="false"
sslEnabledProtocols="${bna.connector.sslEnabledProtocols}"
maxHttpHeaderSize="${bna.connector.maxHttpHeaderSize}"
connectionTimeout="${bna.connector.connectionTimeout}"
maxParameterCount="${bna.connector.maxParameterCount}"
disableUploadTimeout="true"
keystorePass="${bna.connector.keystorePass}"
sslImplementationName="com.bmc.bcan.catalina.net.ssl.BBNASSLImplementation"
ciphers="${bna.connector.ciphers}"
URIEncoding="UTF-8"/>
<!-- Handles HTTP traffic (without redirecting it to HTTPS connector)
<Connector port="${bna.connector.port}"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="false"
maxThreads="${bna.connector.maxThreads}"
scheme="http"
secure="false"
clientAuth="false"
maxHttpHeaderSize="${bna.connector.maxHttpHeaderSize}"
connectionTimeout="${bna.connector.connectionTimeout}"
maxParameterCount="${bna.connector.maxParameterCount}"
disableUploadTimeout="true"
URIEncoding="UTF-8" />
-->
<!-- Note that for the terminal session functionality what we want is a
persistent http connection in the form of a never-loading page with
regular flushes to the response buffer, the compression="on"
attribute does not let you do this, it only lets you flush the
response buffer when the entire page has loaded, so this
option has been removed from the Connector element.
compression="on"
compressableMimeType="text/html,text/xml,text/css,text/javascript"
-->
<!-- Define a non-SSL Http11NioProtocol Connector on port 80 which will redirect to 443 -->
<Connector port="${bna.connector.port}"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="${bna.connector.maxThreads}"
connectionTimeout="${bna.connector.connectionTimeout}"
redirectPort="${bna.connector.sslPort}"/>
<Engine name="Catalina"
defaultHost="localhost">
<!-- The request dumper valve dumps useful debugging information about
the request and response data received and sent by Tomcat.
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.valves.RequestDumperValve"/>
-->
<!-- BEGIN: BCA-Networks realm configured by InstallShield -->
<Realm className="com.bmc.bcan.catalina.realm.BNALockOutRealm"
failureCount="${bna.lockOutRealm.failureCount}"
lockOutTime="${bna.lockOutRealm.lockOutTime}"
cacheSize="${bna.lockOutRealm.cacheSize}"
cacheRemovalWarningTime="${bna.lockOutRealm.cacheRemovalWarningTime}">
<!-- <Realm className="com.bmc.bcan.catalina.realm.BBNAJDBCRealm"
driverName="org.postgresql.Driver"
connectionURL="${bna.jdbcRealm.connectionURL}"
connectionName="${bna.jdbcRealm.connectionUsername}"
connectionPassword="${bna.jdbcRealm.connectionPassword}"
userTable="usr"
userNameCol="user_name"
userCredCol="encrypted_password"
userRoleTable="usr"
roleNameCol="realm_role_name"
digest="SHA-256"/> -->
<Realm className="com.bmc.bcan.catalina.realm.BBNAJNDIRealm"
connectionURL="${bna.jndiRealm.connectionURL}"
connectionName="${bna.jndiRealm.principal},${bna.jndiRealm.baseDN}"
connectionPassword="${bna.jndiRealm.connectionPassword}"
userBase="${bna.jndiRealm.userBase}${bna.jndiRealm.baseDN}"
userSearch="${bna.jndiRealm.userSearch}"
userSubtree="${bna.jndiRealm.userSubtree}"
referrals="${bna.jndiRealm.referrals}"/>
</Realm>
<!-- END: BCA-Networks realm configured by InstallShield -->
<Host name="localhost"
appBase="webapps"
unpackWARs="true"
autoDeploy="false">
</Host>
</Engine>
</Service>
</Server>
Sample catalina.properties file
The following code snippet shows a sample catalina.properties file with the active directory authentication:
#######################################################################
# BMC Network Automation
# Configuration settings for the tomcat server.xml configuraiton
# file. These settings will be maintained between BNA upgrades. For
# more information on any of these settings, visit the tomcat
# documentation.
#######################################################################
#
# This is the number of failed authentication attempts allowed before user gets locked.
# Default=5
#
bna.lockOutRealm.failureCount=5
#
# The time period in second for which the locked out user will remain locked unless
# administrator unlocks in the meantime. After elapsing this time the user will
# automatically gets unlocked.
# Default=86400 (24 hours)
#
bna.lockOutRealm.lockOutTime=86400
#
# Number of users that have failed authentication to keep in cache.
# Default=1000
#
bna.lockOutRealm.cacheSize=1000
#
# If a failed user is removed from the cache because the cache is too big before
# it has been in the cache for at least this period of time (in seconds) a
# warning message will be logged.
# Default=3600 (1 hour)
#
bna.lockOutRealm.cacheRemovalWarningTime=3600
#
# JDBC realm database connection URL
# Used only for local authentication mode
# Default=(blank)
#
bna.jdbcRealm.connectionURL=jdbc:postgresql://localhost:15432/bcan
#
# JDBC realm database connection user name
# Used only for local authentication mode
# Default=(blank)
#
bna.jdbcRealm.connectionUsername=bcan
#
# JDBC realm database connection password (encrypted)
# Used only for local authentication mode
# Default=(blank)
#
bna.jdbcRealm.connectionPassword=96a2d24873043579a0c5ce59a8125fbc
#
# JNDI realm connection URL
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.connectionURL=ldap://ad.lab.local:389
#
# JNDI realm alternate/secondary connection URL
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.alternateURL=
#
# JNDI realm username (principal) to use when establishing a connection to
# the directory for search operations, for non-anonymous bind
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.principal=cn=Administrator,ou=Service Accounts
#
# JNDI realm base directory name, for non-anonymous bind
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.baseDN=ou=Service Accounts,dc=lab,dc=local,dc=com
#
# JNDI realm connection password (encrypted), for non-anonymous bind
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.connectionPassword=5cc915f58d57996a8fd9e65cb6d76c40
#
# JNDI realm pattern for searching user names
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.userSearch=(sAMAccountName={0})
#
# JNDI realm directory element (not including the Base DN) in which user
# accounts are defined. If present, must end in a comma, since it will
# be prepended to the baseDN value.
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.userBase=ou=Service Accounts,
#
# JNDI realm pattern for field containing subtree search
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.userSubtree=true
#
# JNDI realm indicator for action to take on referrals
# Used only for LDAP or AD authentication mode
# Default=follow
#
bna.jndiRealm.referrals=follow
# BMC Network Automation
# Configuration settings for the tomcat server.xml configuraiton
# file. These settings will be maintained between BNA upgrades. For
# more information on any of these settings, visit the tomcat
# documentation.
#######################################################################
#
# This is the number of failed authentication attempts allowed before user gets locked.
# Default=5
#
bna.lockOutRealm.failureCount=5
#
# The time period in second for which the locked out user will remain locked unless
# administrator unlocks in the meantime. After elapsing this time the user will
# automatically gets unlocked.
# Default=86400 (24 hours)
#
bna.lockOutRealm.lockOutTime=86400
#
# Number of users that have failed authentication to keep in cache.
# Default=1000
#
bna.lockOutRealm.cacheSize=1000
#
# If a failed user is removed from the cache because the cache is too big before
# it has been in the cache for at least this period of time (in seconds) a
# warning message will be logged.
# Default=3600 (1 hour)
#
bna.lockOutRealm.cacheRemovalWarningTime=3600
#
# JDBC realm database connection URL
# Used only for local authentication mode
# Default=(blank)
#
bna.jdbcRealm.connectionURL=jdbc:postgresql://localhost:15432/bcan
#
# JDBC realm database connection user name
# Used only for local authentication mode
# Default=(blank)
#
bna.jdbcRealm.connectionUsername=bcan
#
# JDBC realm database connection password (encrypted)
# Used only for local authentication mode
# Default=(blank)
#
bna.jdbcRealm.connectionPassword=96a2d24873043579a0c5ce59a8125fbc
#
# JNDI realm connection URL
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.connectionURL=ldap://ad.lab.local:389
#
# JNDI realm alternate/secondary connection URL
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.alternateURL=
#
# JNDI realm username (principal) to use when establishing a connection to
# the directory for search operations, for non-anonymous bind
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.principal=cn=Administrator,ou=Service Accounts
#
# JNDI realm base directory name, for non-anonymous bind
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.baseDN=ou=Service Accounts,dc=lab,dc=local,dc=com
#
# JNDI realm connection password (encrypted), for non-anonymous bind
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.connectionPassword=5cc915f58d57996a8fd9e65cb6d76c40
#
# JNDI realm pattern for searching user names
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.userSearch=(sAMAccountName={0})
#
# JNDI realm directory element (not including the Base DN) in which user
# accounts are defined. If present, must end in a comma, since it will
# be prepended to the baseDN value.
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.userBase=ou=Service Accounts,
#
# JNDI realm pattern for field containing subtree search
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.userSubtree=true
#
# JNDI realm indicator for action to take on referrals
# Used only for LDAP or AD authentication mode
# Default=follow
#
bna.jndiRealm.referrals=follow
Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*