System capabilities related to security


This topic describes the capabilities of the TrueSight Server Automation system that can be used for security purposes. It includes the following sections:

  • Authentication profiles
  • Environment variables
  • Keytab files
  • RBAC role selection
  • Single sign-on session credentials

Authentication profiles

To facilitate single sign-on, TrueSight Server Automation clients use authentication profiles, which are collections of information that a TrueSight Server Automation client application needs to log into the TrueSight Server Automation Authentication Service.

About authentication profiles

An authentication profile identifies the following:

  • Application Server host name
  • Listening port for the Authentication Service hosted by the Application Server
  • Authentication protocol: SRP, LDAP, SecurID, PKI, AD/Kerberos, or Domain Authentication
  • Information specific to individual authentication protocols, such as the distinguished name template for LDAP

A user can define multiple authentication profiles. For example, an organization might employ three instances of TrueSight Server Automation — one for Operations, one for QA, and one for Development. If a user wants to connect to all three from the same client application, he or she would need three different authentication profiles, each pointing to a different instance of TrueSight Server Automation. In another example, if a user plans to log into the Application Server using various authentication mechanisms, he or she would need an authentication profile for each mechanism.

For TrueSight Smart Reporting for Server Automation, users do not define authentication profiles. Instead, when logging on, users simply specify an authentication type. Each reports server always accesses the same Authentication Service, so a user does not have to specify an Application Server or listening port.

Using authentication profiles

When a user launches a TrueSight Server Automation client application (except TrueSight Smart Reporting for Server Automation), he or she must specify an authentication profile. The client application looks in its cache of session credentials for a current credential that was acquired under the conditions the profile defines: the Application Server hosting the Authentication Service, the port used to reach that service, and the authentication mechanism. If a cached session credential matches all three, the client application establishes a connection to the service listed in the credential. If no matching credential is cached, the TrueSight Server Automation Console prompts the user to log into the Authentication Service identified by the profile. Network Shell and BLCLI do not prompt: if the session credential cache holds no credential matching the profile, establishment of the client/server session is aborted, and the user must first obtain and cache a suitable SSO session credential with the TrueSight Server Automation Console or the blcred utility.

The TrueSight Server Automation Console provides a dialog box that allows users to add or delete authentication profiles and to select a profile for logging in. The blcred utility can also be used to add or delete authentication profiles. The TrueSight Server Automation command line applications provide several ways to identify an authentication profile by name; the following table summarizes them. TrueSight Smart Reporting for Server Automation does not require authentication profiles, so it is not listed.

Application                           Mechanism to identify the authentication profile        Precedence
------------------------------------  ------------------------------------------------------  ---------------------------------------------
TrueSight Server Automation Console   logon dialog box                                        -
Network Shell (in proxy mode)         environment variable: BL_AUTH_PROFILE_NAME              takes precedence over the secure file setting
                                      secure file setting: auth_profile
BLCLI                                 command line option: -v <authenticationProfileName>     takes precedence over the environment variable
                                      environment variable: BL_AUTH_PROFILE_NAME

For more information about setting up authentication profiles for the TrueSight Server Automation Console, see Setting-up-an-authentication-profile. For more information about using blcred, see Using the blcred utility. For more information about using environment variables, see Environment variables.

Authentication profiles are stored in a single XML file. Within that file, each authentication profile must have a unique name. The XML file resides at a default location, but you can modify that location, as described in Setting-override-locations-for-client-SSO-files.


Environment variables

TrueSight Server Automation provides environment variables that can be used to pass configuration data to the command line client applications (BLCLI and Network Shell) and the blcred utility. BLCLI and blcred also provide command line options for providing the same data. The command line options take precedence over environment variable settings.

To set an environment variable in a Bourne-style shell on UNIX, use a procedure like the following (note the forward slashes; an unquoted backslash in a shell assignment would be treated as an escape character):

% BL_SSO_CRED_CACHE_FILE=<userHomeDirectory>/bladelogic_alt/bl_sesscc
% export BL_SSO_CRED_CACHE_FILE

On Windows, set the variable from the command prompt instead:

> set BL_SSO_CRED_CACHE_FILE=<userHomeDirectory>\bladelogic_alt\bl_sesscc

The following table details the environment variables that can be used with single sign-on functionality.



Keytab files

If you are using SRP authentication, keytab files are useful when running unattended automation scripts that make use of Network Shell proxy services or make calls to the BLCLI. Keytab files provide the blcred utility with long-term user credentials that can be used to authenticate a user.

For single sign-on, TrueSight Server Automation only supports a keytab file for SRP authentication. The SRP keytab file is called user_info.dat. For instructions about setting up user_info.dat, see Generating-a-user-information-file.

Note that TrueSight Server Automation also employs a keytab file for its AD/Kerberos implementation. Procedures for the AD/Kerberos implementation explain the use of a keytab file in that context.

Because a keytab file holds a long-term credential that is sufficient to authenticate as the user without any further interaction, access to keytab files should be tightly controlled: keep them readable only by the account that runs the unattended job, and treat a copied keytab as a compromised password.

RBAC role selection

When a session is established, a user must be assigned to an RBAC role. If a user is authorized for only one role, he or she is assigned to that role after logging into an application. If a user is authorized for multiple roles, the user can interactively select a role while logging into a TrueSight Server Automation client application. When using Network Shell or BLCLI, the role can be specified through an environment variable. Network Shell also provides a command called chrole, which lets you change roles after a Network Shell session is established.

When a user is authorized for multiple roles, TrueSight Server Automation command line applications can specify a role using a command line option or an environment variable. The following table summarizes the options available for specifying a role.

Application                           Mechanism to specify a role                             Precedence
------------------------------------  ------------------------------------------------------  ---------------------------------------------
TrueSight Server Automation Console   GUI dialog box, if multiple roles are defined           -
BLCLI                                 interactive prompt on the command line                  -
                                      command line option: -r <roleName>                      takes precedence over the environment variable
                                      environment variable: BL_RBAC_ROLE
Network Shell (in proxy mode)         interactive prompt on the command line                  -
                                      environment variable: BL_RBAC_ROLE

Single sign-on session credentials

When an Authentication Service authenticates a user, it issues a session credential to the client application. The TrueSight Server Automation Console lets users choose to cache session credentials. The blcred utility always caches any session credential it obtains from the Authentication Service.

TrueSight Server Automation clients use session credentials to establish secure sessions with Application Servers and Network Shell proxy servers.

A session credential contains the following information:

  • TrueSight Server Automation user name
  • Protocol used to authenticate user: SRP, LDAP, SecurID, AD/Kerberos, or Domain Authentication
  • Service URL, which identifies the Authentication Service that issued the session credential, its host address, and its port.
  • Expiration time for session credential
  • Maximum lifetime for session credential
  • Client system's IP address
  • Authorized roles for user
  • Service URLs of TrueSight Server Automation services that the credential can be used to access, such as Application Services and Network Shell Proxy Services. Each of these URLs specifies the type of service, its host address, and its port.

Session credentials are digitally signed by the issuing Authentication Service. A TrueSight Server Automation service, upon being presented with a session credential, verifies the digital signature to ensure the credential's authenticity and integrity. SSO session credentials are cached in a file on the client host. TrueSight Server Automation relies on system access controls to restrict access to the session credential cache. The session credential cache file resides at a default location, but you can modify that location, as described in Setting-override-locations-for-client-SSO-files.

On both Windows and UNIX, the credential cache can hold a maximum of one session credential at any time. This restriction will be relaxed in a future release. File system access controls only allow the user for whom the credential was issued to access the credential cache.
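The following is an added example, not TrueSight Server Automation's credential format or signature algorithm: a model of a signed session credential carrying the fields listed above, together with the checks a relying service performs when one is presented. HMAC-SHA256 under a key held by the issuing Authentication Service stands in for the real digital signature, the "service:host:port" URL syntax and all sample values are constructed, and the verification order (signature before anything else) is the point worth taking away. Note what the signature does and does not give you: a copied cache file cannot be edited to add roles or extend its expiry, but it remains usable as-is from the bound client address until it expires, which is why the page relies on file system access controls for the cache.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Added example. Models a signed SSO session credential with the fields the
# page lists. HMAC-SHA256 is a stand-in for the Authentication Service's real
# signature; the encoding, URL syntax and sample values are constructed.


def _encode(body):
    # Canonical encoding so the signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_credential(key, *, user, protocol, auth_service_url, client_ip, roles,
                     service_urls, issued_at, lifetime, max_lifetime):
    """What the Authentication Service hands back after a successful login."""
    body = {
        "user": user,
        "protocol": protocol,               # SRP, LDAP, SecurID, AD/Kerberos, ...
        "auth_service_url": auth_service_url,
        "issued_at": issued_at,
        "expires_at": issued_at + lifetime,
        "max_lifetime": max_lifetime,
        "client_ip": client_ip,
        "roles": sorted(roles),
        "service_urls": sorted(service_urls),  # Application Server and NSH proxy services
    }
    payload = _encode(body)
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(sig).decode()


def verify_credential(token, key, *, now, client_ip, service_url):
    """Checks a relying service makes before honouring a presented credential.

    Returns (True, body) or (False, reason).
    """
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.b64decode(payload_b64, validate=True)
        sig = base64.b64decode(sig_b64, validate=True)
    except (ValueError, binascii.Error):
        return False, "malformed credential"
    # Signature first: nothing in an unverified payload can be trusted, not even its expiry.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "signature check failed"
    body = json.loads(payload)
    if now >= body["expires_at"]:
        return False, "credential expired"
    if body["expires_at"] > body["issued_at"] + body["max_lifetime"]:
        return False, "expiry beyond maximum lifetime"
    if body["client_ip"] != client_ip:
        return False, "presented from a different client address"
    if service_url not in body["service_urls"]:
        return False, "credential not issued for this service"
    return True, body


def tamper_add_role(token, role):
    """Edit the payload to add a role but keep the original signature."""
    payload_b64, sig_b64 = token.split(".", 1)
    body = json.loads(base64.b64decode(payload_b64))
    body["roles"] = sorted(body["roles"] + [role])
    return base64.b64encode(_encode(body)).decode() + "." + sig_b64


# Constructed sample values.
AUTH_KEY = b"constructed-authentication-service-key"
ISSUED_AT = 1_700_000_000
APP_URL = "service:appserver.example.com:9841"
PROXY_URL = "service:nshproxy.example.com:9842"
SAMPLE_TOKEN = issue_credential(
    AUTH_KEY, user="jdoe", protocol="SRP",
    auth_service_url="service:authsvc.example.com:9840",
    client_ip="10.0.0.25", roles=["BLAdmins"],
    service_urls=[APP_URL, PROXY_URL],
    issued_at=ISSUED_AT, lifetime=3600, max_lifetime=86400)

if __name__ == "__main__":
    good = verify_credential(SAMPLE_TOKEN, AUTH_KEY, now=ISSUED_AT + 60,
                             client_ip="10.0.0.25", service_url=APP_URL)
    forged = verify_credential(tamper_add_role(SAMPLE_TOKEN, "RBACAdmins"), AUTH_KEY,
                               now=ISSUED_AT + 60, client_ip="10.0.0.25", service_url=APP_URL)
    print(good[0], forged)
```

The maximum-lifetime check is there for the renewal case mentioned for the reports server: a credential whose expiry has been pushed past issue time plus maximum lifetime is rejected even though its signature is valid.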

Unlike other TrueSight Server Automation system components, the reports server does not cache the session credential on the client's system. Each time a user logs into the reports server from a browser, the user provides data required for authentication. The reports server relays this information to the Authentication Service and obtains a session credential for the user. The reports server can potentially hold the user's session credential even after the user's connection with the reports server terminates. This allows users to schedule recurring report jobs. TrueSight Smart Reporting for Server Automation can automatically renew the user's session credential without requiring the user to re-authenticate.
