Configuring Domain Authentication


Use this procedure to configure TrueSight Server Automation so users can authenticate to the Authentication Service by providing an AD/Kerberos user name, domain, and password.

To configure Domain Authentication

The following is a master procedure. Each of the steps in this procedure references a subsection that describes another procedure.

Note

When you specify a domain name in any of the following steps, you must use uppercase letters. You might want to review the diagram in Sample-domain-structure for an overview of the domain names and host names used in the examples in this topic.

  1. Obtain the host names for Active Directory KDCs.
  2. Create the blappserv_krb5.conf file, which defines Active Directory domains and servers.
  3. Create the blappserv_login.conf file, which provides necessary authentication information.
  4. Configure the Authentication Service to support Domain Authentication.
  5. Add user names based on Kerberos naming conventions to the RBAC user database. See Cross-registering users in the TrueSight Server Automation database.
  6. Add users to built-in roles. See Logging on using default users and roles.
  7. Set up authentication profiles using Domain Authentication on the TrueSight Server Automation client. See System-capabilities-related-to-security and Managing-authorizations.

Locating Active Directory KDCs

Use this procedure to obtain the host names for Active Directory KDCs. Later in the configuration process, you need these host names.

From a command line, enter the following:

nslookup -type=srv _kerberos._tcp.<REALM>

where <REALM> is a Windows domain name.

Look up the KDCs for each realm against which users authenticate. If multiple realms are used, such as SUB1.DEV.MYCOMPANY.COM and SUB2.DEV.MYCOMPANY.COM, also look up the KDC for the parent realm (DEV.MYCOMPANY.COM). For example:

nslookup -type=srv _kerberos._tcp.SUB1.DEV.MYCOMPANY.COM
nslookup -type=srv _kerberos._tcp.SUB2.DEV.MYCOMPANY.COM
nslookup -type=srv _kerberos._tcp.DEV.MYCOMPANY.COM

The Active Directory KDC's host name is reported as the value of service (UNIX) or svr hostname (Windows). For example:

service = 0 100 88 kdc.sub2.dev.mycompany.com

Ignore the numbers before the host name.

Creating the blappserv_krb5.conf file

Use this procedure to create a blappserv_krb5.conf file. This file configures Kerberos so it can communicate with the Active Directory server or servers.

When you create a blappserv_krb5.conf file, you must define a default realm. When Domain Authentication users log on and they do not provide a fully qualified user name, they are authenticated as members of the default realm.

Note

When identifying servers in the blappserv_krb5.conf file, do not use IP addresses. The Application Server must be able to resolve Domain Name System (DNS) server names of Active Directory servers.

  1. Create a text file and add content to it as described below. The content varies depending on the domain functional level of the domain controller where Active Directory is running.
    Domain functional level set to Windows 2008 or later

      [libdefaults]
        ticket_lifetime = 6000
        default_realm = <USERS_REALM>

      [realms]
        <USERS_REALM> = {
          kdc = <USERS_REALM_KDC>:88
        }

      [domain_realm]
        .<USERS_DOMAIN> = <USERS_REALM>

    Domain functional level set to Windows 2003

      [libdefaults]
        ticket_lifetime = 6000
        default_realm = <USERS_REALM>
        default_tkt_enctypes = rc4-hmac
        default_tgs_enctypes = rc4-hmac

      [realms]
        <USERS_REALM> = {
          kdc = <USERS_REALM_KDC>:88
        }

      [domain_realm]
        .<USERS_DOMAIN> = <USERS_REALM>

    <USERS_REALM> is the realm where users are defined. <USERS_REALM_KDC> is the host name for the KDC servicing that realm. If multiple KDCs are running, list all of those KDCs. If users are defined in multiple realms, create a separate stanza for each realm.
    In the "domain_realm" section, <USERS_DOMAIN> provides DNS names. A period before a DNS name indicates you are mapping every system with a DNS name ending with that value to a corresponding Kerberos realm. For example:

    .sub1.dev.mycompany.com = SUB1.DEV.MYCOMPANY.COM
    .sub2.dev.mycompany.com = SUB2.DEV.MYCOMPANY.COM
    .dev.mycompany.com      = DEV.MYCOMPANY.COM

    To obtain a host name for any of the KDCs listed in this file, use the nslookup command as described in Locating Active Directory KDCs.

  2. Do one of the following:
    • (UNIX) Save the file to the <InstallDirectory>/NSH/br directory with the name:
      blappserv_krb5.conf
      For example, if TrueSight Server Automation is installed in the default location, the file should be located as follows:
      /opt/bmc/bladelogic/NSH/br/blappserv_krb5.conf
    • (Windows) Save the file to the <InstallDirectory>\NSH\br directory with the name:
      blappserv_krb5.conf
      For example, if TrueSight Server Automation is installed in the default location, the file should be located as follows:
      C:\Program Files\BMC Software\BladeLogic\NSH\br\blappserv_krb5.conf
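The following is an added example, not part of the product or of this documentation: a small parser for the krb5.conf subset shown above, plus a check for the three rules this topic states (a default_realm that has its own [realms] stanza, uppercase realm names, and DNS names rather than IP addresses for KDCs). SAMPLE_KRB5_CONF is a constructed file in the shape of the Windows 2008-or-later template.

```python
import re
# Constructed sample shaped like the page's Windows 2008-or-later template, seeded with
# two mistakes this topic warns about: a lowercase realm name and a KDC given as an IP.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = SUB1.DEV.MYCOMPANY.COM
[realms]
  SUB1.DEV.MYCOMPANY.COM = {
    kdc = kdc.sub1.dev.mycompany.com:88
  }
  sub2.dev.mycompany.com = {
    kdc = 10.0.0.5:88
  }
"""

def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here: [section], key = value, REALM = { ... }."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # krb5.conf allows # comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            realm = None
        elif line.endswith("= {"):
            realm = line[:-3].strip()
            conf[section][realm] = {}
        else:
            key, _, value = line.partition("=")
            target = conf[section][realm] if realm else conf[section]
            target.setdefault(key.strip(), []).append(value.strip())
    return conf

def check_krb5_conf(text):
    """List violations of this topic's rules: a default realm with its own stanza,
    uppercase realm names, and DNS names rather than IP addresses for KDCs."""
    conf = parse_krb5_conf(text)
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm", [""])[0]
    problems = [] if default in realms else [f"default_realm {default!r} has no [realms] stanza"]
    for name, body in realms.items():
        if name != name.upper():
            problems.append(f"realm {name} must be uppercase")
        for host in (kdc.rsplit(":", 1)[0] for kdc in body.get("kdc", [])):
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):   # IPv4 literal (illustrative check)
                problems.append(f"realm {name}: kdc {host} is an IP address, use a DNS name")
    return problems
```

Run check_krb5_conf on the contents of your own blappserv_krb5.conf before restarting the Application Server; an empty list means the file satisfies the rules above.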

Creating the blappserv_login.conf file

You must create a blappserv_login.conf file. This file provides the necessary Kerberos authentication information.

  1. Create a text file and add the text shown below to this file.

    com.bladelogic.auth.service.ADKerberosPasswordLogin {
        com.sun.security.auth.module.Krb5LoginModule required
            doNotPrompt=false
            useTicketCache=false
            debug=false;
    };
  2. Do one of the following:
    • (UNIX) Save the file to the <InstallDirectory>/NSH/br directory with the name blappserv_login.conf. For example, if the Authentication Server is installed in the default location, the file should be located as follows:
      /opt/bmc/bladelogic/NSH/br/blappserv_login.conf
    • (Windows) Save the file to the <InstallDirectory>\NSH\br directory with the name blappserv_login.conf. For example, if the Authentication Server is installed in the default location, the file should be located as follows:
      C:\Program Files\BMC Software\BladeLogic\NSH\br\blappserv_login.conf

Defining Authentication Service settings for Domain Authentication

Use this procedure to define settings for the TrueSight Server Automation Authentication Service so it can use the Kerberos configurations you set up in previous procedures. To perform this procedure, you must use the Application Server Administration console.

  1. Start the Application Server Administration console by taking one of the following actions.

    Note

    If you are using multiple Application Servers and one functions as a Configuration Application Server, this procedure should target that server. In such a situation, you must modify the syntax of the blasadmin command so it targets the Configuration Application Server.

    • (UNIX) From the directory where TrueSight Server Automation is installed, enter the following:
      ./bin/blasadmin
    • (Windows) Do one of the following. Both options run the same command.
      • From the Start menu, select Programs > BMC Software > BladeLogic Server Automation Suite > Utilities > Application Server Administration.
      • From the directory where TrueSight Server Automation is installed, enter the following:
        \bin\blasadmin.bat
  2. To enable users to log on using Domain Authentication, enter the following:
    set AuthServer isDomainAuthEnabled true
    By default this value is set to false.
  3. To enable the blappserv_krb5.conf file, enter the following:
    set AuthServer AuthSvcKrb5Config <fileName>
    where <fileName> is the name of the blappserv_krb5.conf file. This file is essential for supporting Kerberos.
    By default AuthSvcKrb5Config is set to a value of blappserv_krb5.conf. You can skip this step unless you choose to use a different file name.
  4. To enable the blappserv_login.conf file, enter the following:
    set AuthServer AuthSvcKrb5LoginConfig <fileName>
    where <fileName> is the name of the blappserv_login.conf file. This file is essential for supporting Kerberos.
    By default AuthSvcKrb5LoginConfig is set to a value of blappserv_login.conf. You can skip this step unless you choose to use a different file name.
  5. Restart the Application Server.

Cross-registering users in the TrueSight Server Automation database

Users must be registered in both Active Directory and the TrueSight Server Automation RBAC-based user database. Cross-registration allows users to be authorized for RBAC roles.

Only users authorized to use TrueSight Server Automation should be entered into the TrueSight Server Automation database. Use RBAC to add users to the TrueSight Server Automation database. For information about adding users to RBAC, see Creating-users.

TrueSight Server Automation documentation assumes you know how to add users to Active Directory.

Requirements for User Names

When using AD/Kerberos to authenticate end users, you must ensure that domain user names stored in RBAC are fully qualified and that those names match the user names stored in the Active Directory.

Each TrueSight Server Automation user name must be in the form:

<USER>@<DOMAIN>

where <DOMAIN> is the domain the user is registered in.

For example, if you are using RBAC or the bladduser utility to add a new TrueSight Server Automation user, you would fill in the name field with a value such as:

mary@SUB1.DEV.MYCOMPANY.COM

rather than filling in the name field with a value such as:

mary

Note that the user name mary@SUB1.DEV.MYCOMPANY.COM is a different user name than mary or mary@SUB3.DEV.MYCOMPANY.COM.

The user's TrueSight Server Automation user name must match the user's fully qualified Active Directory user name.

TrueSight Server Automation provides a BLCLI command, RBACRole:syncUsers, that you can use to synchronize group information in Active Directory with role information in RBAC. For more information about this command, see the BLCLI help.
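As an added example (not a product utility and not from this documentation), the check below applies the naming rules above to RBAC user names before they are added: the name must be fully qualified, its domain must be uppercase, and the domain must be one of the realms defined in blappserv_krb5.conf. CONFIGURED_REALMS is a constructed set matching the realms used in this topic's examples.

```python
import re

# Realms defined in blappserv_krb5.conf; constructed to match this topic's examples.
CONFIGURED_REALMS = {"SUB1.DEV.MYCOMPANY.COM", "SUB2.DEV.MYCOMPANY.COM", "DEV.MYCOMPANY.COM"}

# <USER>@<DOMAIN>: exactly one @, no whitespace on either side.
FULLY_QUALIFIED = re.compile(r"^(?P<user>[^@\s]+)@(?P<domain>[^@\s]+)$")

def check_rbac_user_name(name, realms=CONFIGURED_REALMS):
    """Return None if name is usable for Domain Authentication, else the reason it is not."""
    match = FULLY_QUALIFIED.match(name)
    if not match:
        return f"{name!r} is not fully qualified; expected <USER>@<DOMAIN>"
    domain = match.group("domain")
    if domain != domain.upper():
        return f"{name!r}: domain must be uppercase, as in {domain.upper()}"
    if domain not in realms:
        return f"{name!r}: domain {domain} has no stanza in blappserv_krb5.conf"
    return None  # mary@SUB1... and mary@SUB3... are distinct principals and both pass

def audit_user_names(names, realms=CONFIGURED_REALMS):
    """Map each unusable RBAC user name to its problem; names that pass are omitted."""
    report = {}
    for name in names:
        problem = check_rbac_user_name(name, realms)
        if problem:
            report[name] = problem
    return report
```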

Logging on using default users and roles

The TrueSight Server Automation user database comes preprovisioned with two default SRP users: RBACAdmin and BLAdmin. These default users are assigned to the default roles RBACAdmins and BLAdmins, respectively. If the TrueSight Server Automation administrator intends to support AD/Kerberos authentication exclusively and disable SRP user authentication, then, prior to disabling SRP, the administrator should log in as a user authorized for the RBACAdmins role and ensure that each of the four built-in roles — RBACAdmins, BLAdmins, GlobalReportViewers, and GlobalReportAdmins — has at least one registered domain user assigned to that role. Otherwise, when SRP authentication is disabled, no user will be able to access the built-in roles.

In a default installation, the RBACAdmins role has the authorizations necessary to manage users and roles. If you are using that default setup, you can assign a fully qualified domain user name (for example, RBACAdmin_ADK@SUB2.DEV.MYCOMPANY.COM) to the RBACAdmins role. In this example, the user would also have to be registered in the Active Directory user registry for the domain SUB2.DEV.MYCOMPANY.COM.

The same issue applies to the BLAdmins role, the GlobalReportAdmins role, which has built-in authorizations to see data for all BMC Service Automation Reporting and Analytics sites, and the GlobalReportViewers role, which has read access to all reports at all sites in a TrueSight Server Automation installation. To allow a user to log into:

  • The BLAdmins role, you must use RBAC to add a fully qualified user name to the BLAdmins role.
  • The GlobalReportAdmins role, you must use RBAC to add a fully qualified user name to the GlobalReportAdmins role.
  • The GlobalReportViewers role, you must use RBAC to add a fully qualified name to the GlobalReportViewers role.
