SRP authentication
This topic describes the use of Secure Remote Password (SRP) authentication.
For SRP, the TrueSight Server Automation Authentication Service authenticates client-tier users against a registry of authorized users. That registry is a user table in the database of the Application Server. Information in the user table is derived from the role-based access control (RBAC) utility of TrueSight Server Automation. Note that the TrueSight Server Automation - Data Warehouse user interface provides no capability to manage users. To add or delete users, change passwords, or specify security settings for users, you must use the RBAC Manager in the TrueSight Server Automation Console or CLI (BLCLI).
SRP is the default approach of TrueSight Server Automation for authentication. For users who authenticate with SRP, session credentials are always refreshed as long as those users have RBAC user accounts that have not been disabled or deleted.
The Authentication Service used by TrueSight Server Automation - Data Warehouse obtains its user information from the reports data warehouse. If you use RBAC to add, remove, or disable users, those user changes are not reflected in the reports data warehouse until the next time its data is updated. This delay means newly added users who are able to log on to other TrueSight Server Automation applications might not be able to log on to TrueSight Server Automation - Data Warehouse. Similarly, changes to SRP passwords do not take effect until the reports data warehouse is updated. Changes to user information for other authentication protocols are not subject to the same delay because those changes are made to an external identity management system. However, irrespective of the authentication protocol being used, TrueSight Server Automation - Data Warehouse can never be aware of changes to role authorizations until the reports data warehouse is updated.
The Authentication Service used by TrueSight Server Automation - Data Warehouse has a different account lockout implementation than the mechanism RBAC uses for SRP authentication. For SRP, administrators typically configure a threshold for failed logon attempts. After the threshold is reached, the SRP account is locked. The Authentication Service for TrueSight Server Automation - Data Warehouse locks users according to policies set at individual TrueSight Server Automation sites. However, updating the reports data warehouse overwrites all user status information, including the number of unsuccessful logon attempts or the time an account has been locked out. Consequently, overwriting can cause a user to be reinstated unless that user is also locked out in the RBAC database.