Security Considerations
This topic lists security considerations and recommendations that ensure maximum security while using BMC ProactiveNet.
- BMC ProactiveNet Server security considerations
- Running BMC ProactiveNet over HTTPS interface
- Setting BMC ProactiveNet to use PAM (Pluggable Authentication Modules) to access computer level credentials
- Changing BMC ProactiveNet user names and passwords
- Changing the BMC ProactiveNet password policy
- Location of the HTTPS/SSL private key on BMC ProactiveNet Server
- Automatically locking user accounts after certain number of failed logon attempts
- Setting automatic log out of users after a certain period of inactivity
- Configuring Apache server to accept only SSL v3 requests
- Kerberos authentication to Active Directory
- Mixed Authentication modes
- BMC ProactiveNet Integration Service security
- BMC ProactiveNet Server security considerations
BMC ProactiveNet Server security considerations
Running BMC ProactiveNet over HTTPS interface
To disable HTTP interface and run BMC ProactiveNet over HTTPS, configure the Apache configuration file httpd.conf and remove entries for port 80. httpd.conf is located in the following directories, depending on your operating system:
- (Solaris or Linux): InstallationDirectory/pw/apache/conf
- (Microsoft Windows): InstallationDirectory\pw\ApacheGroup\Apache
Setting BMC ProactiveNet to use PAM (Pluggable Authentication Modules) to access computer level credentials
This is not available in the current BMC ProactiveNet release.
Changing BMC ProactiveNet user names and passwords
User names and passwords are stored in the database on BMC ProactiveNet Server. All passwords are kept in encrypted format. Only database users with administrative privileges have access to user name and password information.
Changing the BMC ProactiveNet password policy
You can set password strength by modifying the following entries in the pronet.conf file:
pronet.login.maxLength=15
pronet.login.numericChars=1
Location of the HTTPS/SSL private key on BMC ProactiveNet Server
- (Solaris or Linux): InstallationDirectory/pw/apache/conf/
Read only by the root user (BMC ProactiveNet Install User) - (Windows): InstallationDirectory\pw\ApacheGroup\Apache which can be read only by the root (BMC ProactiveNet install User) user.
Automatically locking user accounts after certain number of failed logon attempts
BMC ProactiveNet does not lock user accounts. However, all logon failures are recorded in ProactiveNet.log. To lock accounts, you can write a script to delete the account based on the log file entries.
Setting automatic log out of users after a certain period of inactivity
By default, inactive users are logged out of the Operations Console after 24 hours. However, you can customize BMC ProactiveNet globally for all users:
- Set the pronet.html.globalsession.timeout property in the pronet.conf file located in the InstallationDirectory/pw/custom/conf directory.
If you change this property, make sure to set the same log out period in the Tomcat configuration file InstallationDirectory/pw/tomcat/conf/web.xml (line 321).
<session-config>
<session-timeout>1440</session-timeout>
</session-config>Restart the BMC ProactiveNet server by running the command:
pw system start
Configuring Apache server to accept only SSL v3 requests
Add the entry SSLProtocol +SSLv3 just above the directive SSLEngine on, in the Apache httpd-ssl.conf configuration file. httpd-ssl.conf is located in the following directories, depending on your operating system:
- (Solaris or Linux): InstallationDirectory/pw/apache/conf
- (Microsoft Windows): InstallationDirectory\pw\ApacheGroup\Apache
Kerberos authentication to Active Directory
Currently not supported.
Mixed Authentication modes
For example, NTLM (legacy windows authentication method), Kerberos (current windows authentication method), and Siteminder (cross platform SSO tool used by internet facing platforms) are not supported.
BMC ProactiveNet Integration Service security
Restricting the Integration Service to receive connections from a specific IPAddress
Use the following property in pronet.conf:
pronet.apps.agent.authorizedcontrolleraddress=<ipaddress>
Configuring agent controller to present a specific IP Address to an Integration Service if server has more than one NIC
Set the following property in the custom/pronet.conf file:
pronet.apps.agentcontroller.useIPForAgentConnection=<ipaddress>
If the server's computer has more than one IP (more than one NIC), set this property to the IP address that the agent controller will present while connecting to the agent.