Authentication

Authentication is the process of verifying the identity claimed by a system entity. Often that entity is a user, but in some situations the entity is a service. For example, when a user starts the TrueSight Server Automation Console, he or she must authenticate with the TrueSight Server Automation Authentication Service (one of the services hosted by a TrueSight Server Automation Application Server) before establishing a client/server session. On the other hand, when an Application Server establishes an authenticated connection with an agent, the identity to be verified is the server hosting the Application Service.

TrueSight Server Automation uses different approaches for authentication, depending on the communication leg. For communication between most client tier applications (the TrueSight Server Automation Console, Network Shell, or BLCLI) and middle tier applications (Application Server or Network Shell proxy server), TrueSight Server Automation employs a two-step process.

  • First, client users authenticate with the Authentication Service and acquire a TrueSight Server Automation single sign-on (SSO) session credential.
  • Then the client uses that session credential to establish an application session with middle tier services.

Written into the session credential are service URLs, which are the identities and addresses of the Application Services and Network Shell Proxy Services that can be accessed using the session credential. For more information about single sign-on, see Single-sign-on.

TrueSight Server Automation client applications can cache SSO session credentials obtained from the Authentication Service, allowing client users to re-establish new application sessions without re-authenticating. In this way a user's context can easily be passed between TrueSight Server Automation client applications.

For example, a user can launch the TrueSight Server Automation Console and authenticate. If the user's session credential is cached and the credential has not expired, the user can then exit the console and start a BLCLI session without authenticating again.

For any entity that communicates directly with agents-including Network Shell clients that access agents without going through a Network Shell proxy server-authentication relies on the TLS protocol's support for client authentication using client-side X.509 certificates.

Note

Be aware of the following documentation conventions:

  • TrueSight Server Automation supports both transport layer security (TLS) and its predecessor, SSL. For the sake of simplicity, this site refers only to TLS.
  • When Network Shell connects to a Network Shell proxy server, this site refers to that state as Network Shell operating in proxy mode.

Authentication for different communication legs

Authentication can be configured differently for the various communication legs within the TrueSight Server Automation system. For more information, see Security-for-different-communication-legs.

More information on authentication

For more conceptual information on authentication, see the following topics:

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*