Configuring for domain authentication


This topic provides instructions for configuring TrueSight Server Automation - Data Warehouse so users can authenticate to the Authentication Service by providing an AD/Kerberos user name, domain, and password. To configure for domain authentication, perform the following steps:

Step 1: Obtain the KDC host names

Perform the following steps to obtain the host names for Active Directory Key Distribution Centers (KDCs). You will need these host names during the configuration process.

  1. From the command line, enter the following command:
    nslookup -type=srv _kerberos._tcp.REALM 

    where REALM is a Microsoft Windows domain name. 
  2. Look up the KDCs for each realm against which users authenticate and the realm of the Authentication Server. If multiple realms are used, such as SUB1.DEV.MYCOMPANY.COM and SUB2.DEV.MYCOMPANY.COM, look up the KDC for the parent realm (DEV.MYCOMPANY.COM) also. For example:
    nslookup -type=srv _kerberos._tcp.SUB1.DEV.MYCOMPANY.COM

    nslookup -type=srv _kerberos._tcp.SUB2.DEV.MYCOMPANY.COM
    nslookup -type=srv _kerberos._tcp.DEV.MYCOMPANY.COM

    The Active Directory KDC's host name is reported as the value of service (UNIX) or svr hostname (Windows). For example:

    service = 0 100 88 kdc.sub2.dev.mycompany.com 

    (Ignore the numbers before the host name.)
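As an added example (not part of the BMC documentation), the following Python script parses `nslookup -type=srv` output in both the UNIX layout (`service = ...`) and the Windows layout (`svr hostname = ...`) described above, returns only the KDC host names, and works out the set of realms Step 1 says to query, including the common parent realm when several user realms are used. The sample nslookup output is constructed, the host names such as kdc.sub2.dev.mycompany.com are placeholders taken from the page's example, and only `lookup_kdcs` needs the live DNS.

```python
import re
import subprocess

# Constructed sample nslookup output (not captured from a real domain), in the two
# shapes the page mentions: the UNIX "service = ..." line and the Windows
# "svr hostname = ..." line. The host names are placeholders from the page's example.
SAMPLE_UNIX = """\
Server:         10.0.0.53
Address:        10.0.0.53#53

_kerberos._tcp.sub2.dev.mycompany.com   service = 0 100 88 kdc.sub2.dev.mycompany.com.
_kerberos._tcp.sub2.dev.mycompany.com   service = 0 100 88 kdc2.sub2.dev.mycompany.com.
"""

SAMPLE_WINDOWS = """\
Server:  dns01.dev.mycompany.com
Address:  10.0.0.53

_kerberos._tcp.dev.mycompany.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = kdc.dev.mycompany.com
"""

# UNIX form: "service = <priority> <weight> <port> <host>"; Windows form: "svr hostname = <host>".
SRV_LINE = re.compile(
    r"service\s*=\s*\d+\s+\d+\s+(?P<port>\d+)\s+(?P<unix_host>\S+)"
    r"|svr hostname\s*=\s*(?P<win_host>\S+)"
)


def kdc_hosts(nslookup_output):
    """Return the KDC host names found in nslookup -type=srv output, in order, without
    duplicates. The priority/weight/port numbers are dropped, as the page says to ignore them."""
    hosts = []
    for line in nslookup_output.splitlines():
        m = SRV_LINE.search(line)
        if not m:
            continue
        host = (m.group("unix_host") or m.group("win_host")).rstrip(".").lower()
        if host not in hosts:
            hosts.append(host)
    return hosts


def common_parent(realms):
    """Longest common suffix of labels, e.g. SUB1.DEV.X.COM and SUB2.DEV.X.COM -> DEV.X.COM."""
    label_lists = [r.upper().split(".")[::-1] for r in realms]
    common = []
    for labels in zip(*label_lists):
        if len(set(labels)) != 1:
            break
        common.append(labels[0])
    return ".".join(reversed(common))


def realms_to_query(user_realms, authserver_realm):
    """Every realm users log on from, the Authentication Server's realm, and (when
    several user realms are in use) their common parent realm, as Step 1 instructs."""
    wanted = []
    candidates = [r.upper() for r in user_realms] + [authserver_realm.upper()]
    parent = common_parent(user_realms)
    if parent:
        candidates.append(parent)
    for realm in candidates:
        if realm not in wanted:
            wanted.append(realm)
    return wanted


def lookup_kdcs(realm):
    """Run the page's query for one realm against the live DNS (needs network access)."""
    result = subprocess.run(
        ["nslookup", "-type=srv", f"_kerberos._tcp.{realm}"],
        capture_output=True, text=True, check=False,
    )
    return kdc_hosts(result.stdout)


if __name__ == "__main__":
    print(kdc_hosts(SAMPLE_UNIX))     # parsed from the constructed sample, no network
    print(kdc_hosts(SAMPLE_WINDOWS))
    for realm in realms_to_query(["SUB1.DEV.MYCOMPANY.COM", "SUB2.DEV.MYCOMPANY.COM"],
                                 "DEV.MYCOMPANY.COM"):
        print(realm, lookup_kdcs(realm))  # live queries; empty lists when offline
```

The parser lower-cases and strips the trailing dot that BIND-style nslookup prints, so the names can be pasted straight into the `kdc =` lines of the next step; if a realm returns more than one host, every one of them should be listed there.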

Step 2: Create or modify a blappserv_krb5.conf file

Use this procedure to create a blappserv_krb5.conf file. This file configures Kerberos so that it can communicate with the Active Directory server or servers.

When you create the blappserv_krb5.conf file, you must define a default realm, which must be the realm of the Authentication Server. When domain authentication users log on without a fully qualified user name, they are authenticated as members of the default realm.

Note

When identifying servers in the blappserv_krb5.conf file, do not use IP addresses. The Application Server must be able to resolve Domain Name System (DNS) names of Active Directory servers.

  1. Create a text file and add content to it as described below. The content varies depending on the domain functional level of the domain controller where Active Directory is running.
    Domain functional level set to Windows 2008 or later

    [libdefaults]
    ticket_lifetime = 6000
    default_realm = <AUTHSERVER_REALM>

    [realms]
    <AUTHSERVER_REALM> = {
    kdc = <AUTHSERVER_REALM_KDC>:88
    }
    <USERS_REALM> = {
    kdc = <USERS_REALM_KDC>:88
    }
    <PARENT_REALM> = {
    kdc = <PARENT_REALM_KDC>:88
    }

    [domain_realms]
    .<AUTHSERVER_DOMAIN> = <AUTHSERVER_REALM>
    .<USERS_DOMAIN> = <USERS_REALM>
    .<PARENT_DOMAIN> = <PARENT_REALM>

    Domain functional level set to Windows 2003

    [libdefaults]
    ticket_lifetime = 6000
    default_realm = <AUTHSERVER_REALM>
    default_tkt_enctypes = des-cbc-md5
    default_tgs_enctypes = des-cbc-md5

    [realms]
    <AUTHSERVER_REALM> = {
    kdc = <AUTHSERVER_REALM_KDC>:88
    }
    <USERS_REALM> = {
    kdc = <USERS_REALM_KDC>:88
    }
    <PARENT_REALM> = {
    kdc = <PARENT_REALM_KDC>:88
    }

    [domain_realms]
    .<AUTHSERVER_DOMAIN> = <AUTHSERVER_REALM>
    .<USERS_DOMAIN> = <USERS_REALM>
    .<PARENT_DOMAIN> = <PARENT_REALM>
    • <AUTHSERVER_REALM> is the realm where the keytab file was generated.
    • <AUTHSERVER_REALM_KDC> is the host name for the Active Directory Key Distribution Center (KDC), which is servicing that realm. If multiple KDCs are running, list all of those KDCs.
    • <USERS_REALM> is the realm where users are defined.
    • <USERS_REALM_KDC> is the host name for the KDC, which is servicing that realm. If multiple KDCs are running, list all of those KDCs. If users are defined in multiple realms, create a separate stanza for each realm.
    • <PARENT_REALM> is the parent realm of <AUTHSERVER_REALM> and <USERS_REALM>.
    • <PARENT_REALM_KDC> is the host name for the KDC servicing the parent realm. If multiple KDCs are running, list all of those KDCs. 
    • In the domain_realms section, <AUTHSERVER_DOMAIN>, <USERS_DOMAIN>, and <PARENT_DOMAIN> provide DNS names. A period before each DNS name maps every system whose DNS name ends with that value to the corresponding Kerberos realm. For example:

      .sub1.dev.mycompany.com = SUB1.DEV.MYCOMPANY.COM
      .sub2.dev.mycompany.com = SUB2.DEV.MYCOMPANY.COM
      .dev.mycompany.com = DEV.MYCOMPANY.COM

      To obtain host names for any of the KDCs listed in this file, use the nslookup command.

  2. Do one of the following steps:
    • On UNIX, save the file to the /br directory with the following name: blappserv_krb5.conf.
      For example, if TrueSight Server Automation - Data Warehouse is installed in the default location, you would save the file to the /usr/local/bmc/TSSA-DW/br directory.
    • On Microsoft Windows, save the file to the \br directory with the following name: blappserv_krb5.conf.
      For example, if TrueSight Server Automation - Data Warehouse is installed in the default location, you would save the file to the C:\Program Files\BMC Software\TSSA-DW\br directory.
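The following Python helper is an added example, not BMC's code: it builds a blappserv_krb5.conf from a realm-to-KDC map and a DNS-domain-to-realm map, and first checks the rules this step states (the default realm has a [realms] stanza, KDCs are DNS names rather than IP addresses, every domain mapping starts with a period and points at a defined realm). The realm and host names are the page's example placeholders. Two caveats a practitioner should weigh: the helper emits the section as [domain_realm], which is the name MIT Kerberos and the JDK's Kerberos implementation use, whereas the page spells it [domain_realms], so keep whichever spelling the product's parser accepts (the constant is there to switch it); and the des-cbc-md5 lines for the Windows 2003 level select a weak, deprecated enctype that current Kerberos libraries, the JDK's included, disable by default, so they are only emitted when `windows_2003=True`.

```python
import ipaddress
import re

# Kerberos realm names are conventionally upper-case, DNS-style names.
REALM_RE = re.compile(r"^[A-Z0-9][A-Z0-9.-]*$")
# MIT Kerberos and the JDK read [domain_realm]; the page spells it [domain_realms].
# Change this constant if the product's parser expects the page's spelling.
DOMAIN_REALM_SECTION = "[domain_realm]"


def is_ip_address(value):
    """True for an IPv4/IPv6 literal, which the page's Note says must not be used."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate(default_realm, realms, domain_realm):
    """Check the rules the page gives. Returns a list of problems; an empty list means clean.
    realms: {REALM: [kdc host, ...]}; domain_realm: {".dns.suffix": REALM}."""
    problems = []
    if default_realm not in realms:
        problems.append(f"default_realm {default_realm} has no [realms] stanza")
    for realm, kdcs in realms.items():
        if not REALM_RE.match(realm):
            problems.append(f"realm {realm!r} must be upper-case")
        if not kdcs:
            problems.append(f"realm {realm} lists no KDC")
        for kdc in kdcs:
            if is_ip_address(kdc):
                problems.append(f"KDC {kdc} for {realm} is an IP address; use its DNS name")
    for domain, realm in domain_realm.items():
        if not domain.startswith("."):
            problems.append(f"mapping {domain} should start with '.' to cover every host under it")
        if realm not in realms:
            problems.append(f"{domain} maps to {realm}, which has no [realms] stanza")
    return problems


def render_krb5_conf(default_realm, realms, domain_realm, windows_2003=False, ticket_lifetime=6000):
    """Emit the file in the page's layout. windows_2003=True adds the DES enctype lines the
    page gives for that functional level (weak; disabled by default in current Kerberos)."""
    problems = validate(default_realm, realms, domain_realm)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["[libdefaults]",
             f"ticket_lifetime = {ticket_lifetime}",
             f"default_realm = {default_realm}"]
    if windows_2003:
        lines += ["default_tkt_enctypes = des-cbc-md5", "default_tgs_enctypes = des-cbc-md5"]
    lines += ["", "[realms]"]
    for realm, kdcs in realms.items():
        lines.append(f"{realm} = {{")
        lines += [f"    kdc = {kdc}:88" for kdc in kdcs]  # one kdc line per KDC host
        lines.append("}")
    lines += ["", DOMAIN_REALM_SECTION]
    lines += [f"{domain} = {realm}" for domain, realm in domain_realm.items()]
    return "\n".join(lines) + "\n"


# Constructed values using the page's example names; the KDC host names are placeholders.
# Here the Authentication Server lives in the parent realm and users in the two sub-realms.
EXAMPLE_REALMS = {
    "DEV.MYCOMPANY.COM": ["kdc.dev.mycompany.com"],
    "SUB1.DEV.MYCOMPANY.COM": ["kdc.sub1.dev.mycompany.com", "kdc2.sub1.dev.mycompany.com"],
    "SUB2.DEV.MYCOMPANY.COM": ["kdc.sub2.dev.mycompany.com"],
}
EXAMPLE_DOMAIN_REALM = {
    ".dev.mycompany.com": "DEV.MYCOMPANY.COM",
    ".sub1.dev.mycompany.com": "SUB1.DEV.MYCOMPANY.COM",
    ".sub2.dev.mycompany.com": "SUB2.DEV.MYCOMPANY.COM",
}

if __name__ == "__main__":
    print(render_krb5_conf("DEV.MYCOMPANY.COM", EXAMPLE_REALMS, EXAMPLE_DOMAIN_REALM))
```

Run `validate` before writing the file: a KDC given as an IP address is accepted silently by the Kerberos library but fails the page's DNS-resolution requirement at logon time, which is a much harder place to diagnose it.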

Step 3: Create or modify a blappserv_login.conf file

You must create a blappserv_login.conf file, which provides necessary Kerberos authentication information and provides the location of the keytab file.

The details of this procedure can vary, depending on whether isActiveDirectoryLdapCheckEnabled is set to true, the default, or false.

  1. Do one of the following steps:
    • If isActiveDirectoryLdapCheckEnabled is set to false, create a text file and add the following text to this file:

      com.bladelogic.auth.service.ADKerberosPasswordLogin {
      com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=false
        debug=false
        useTicketCache=false;
      };
    • If isActiveDirectoryLdapCheckEnabled is set to true, create a text file and add the following text to this file:

      com.sun.security.jgss.accept {
      com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        keyTab="<location_of_keytab_file>"
        principal="blauthsvc/<instance>@<REALM>"
        doNotPrompt=true
        debug=false;
      };

      com.bladelogic.auth.service.ADKerberosPasswordLogin {
      com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=false
        useTicketCache=false
        debug=false;
      };
    • <location_of_keytab_file> is the location of the blauthsvc.keytab file on your system.
      • On UNIX, if TrueSight Server Automation - Data Warehouse is installed in the default location, the keyTab line would look like this example:

        keyTab="/usr/local/bmc/TSSA-DW/br/blauthsvc.keytab"
      • On Windows, if TrueSight Server Automation - Data Warehouse is installed in the default location, the keyTab line would look like this example:

        keyTab="C:\\Program Files\\BMC Software\\TSSA-DW\\br\\blauthsvc.keytab"

        Note

        Be sure to use the double backslash syntax as shown.

    • <instance> is the instance of the Authentication Server for reports (generally a host name).
    • <REALM> is the Microsoft Windows domain in which the Authentication Server is running.
  2. Do one of the following steps:
    • On UNIX, save the file to the /br directory with the name blappserv_login.conf. For example, if TrueSight Server Automation - Data Warehouse is installed in the default location, save the file to the <TSSA-DWInstallationDirectory>/br directory.
    • On Windows, save the file to the \br directory with the name blappserv_login.conf. For example, if TrueSight Server Automation - Data Warehouse is installed in the default location, save the file to the <TSSA-DWInstallationDirectory>\br directory.
  3. Run the blasadmin syncFile command. For more information about the syncFile command, see Persisting changes in configuration files from file system to database in the TrueSight Server Automation documentation.
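As an added example rather than the product's own code, this Python snippet renders blappserv_login.conf for either setting of isActiveDirectoryLdapCheckEnabled, applies the double-backslash escaping that the Windows note above requires to the keytab path, and runs a cheap structural check on the result before the file is handed to the JVM. The instance name reports01 and the realm DEV.MYCOMPANY.COM are constructed values; the entry names, module name and option names are the ones the page shows.

```python
import re

# Entry used for both settings of isActiveDirectoryLdapCheckEnabled (page's text, re-indented).
PASSWORD_LOGIN_ENTRY = """\
com.bladelogic.auth.service.ADKerberosPasswordLogin {
    com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=false
        useTicketCache=false
        debug=false;
};
"""

# Extra entry needed only when the LDAP check is enabled; <KEYTAB>, <INSTANCE> and <REALM>
# are this script's own substitution tokens.
ACCEPT_ENTRY = """\
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        keyTab="<KEYTAB>"
        principal="blauthsvc/<INSTANCE>@<REALM>"
        doNotPrompt=true
        debug=false;
};
"""


def jaas_path(path):
    """Escape a path for a JAAS string literal: every backslash is doubled, as the page's
    Windows note requires. UNIX paths contain no backslashes and come back unchanged."""
    return path.replace("\\", "\\\\")


def render_login_conf(ldap_check_enabled, keytab_path=None, instance=None, realm=None):
    """Build blappserv_login.conf for the given isActiveDirectoryLdapCheckEnabled value."""
    if not ldap_check_enabled:
        return PASSWORD_LOGIN_ENTRY
    if not (keytab_path and instance and realm):
        raise ValueError("keytab path, instance and realm are required when the LDAP check is enabled")
    if realm != realm.upper():
        raise ValueError("realm must be the upper-case Kerberos realm, e.g. DEV.MYCOMPANY.COM")
    accept = (ACCEPT_ENTRY.replace("<KEYTAB>", jaas_path(keytab_path))
              .replace("<INSTANCE>", instance)
              .replace("<REALM>", realm))
    return accept + "\n" + PASSWORD_LOGIN_ENTRY


# One JAAS entry: "<name> { ... };" (no nested braces in this file).
ENTRY_RE = re.compile(r"(\S+)\s*\{(.*?)\}\s*;", re.S)


def check_login_conf(text):
    """Structural check: every entry names Krb5LoginModule and its option list ends with ';'
    (a missing final ';' is the classic JAAS parse failure). Returns the problems found."""
    problems = []
    entries = ENTRY_RE.findall(text)
    if not entries:
        problems.append("no login entries found")
    for name, body in entries:
        body = body.strip()
        if "com.sun.security.auth.module.Krb5LoginModule" not in body:
            problems.append(f"{name}: Krb5LoginModule line missing")
        if not body.endswith(";"):
            problems.append(f"{name}: option list must end with ';'")
    return problems


if __name__ == "__main__":
    # Constructed Windows default-location path; prints the double-backslash form.
    conf = render_login_conf(True, r"C:\Program Files\BMC Software\TSSA-DW\br\blauthsvc.keytab",
                             "reports01", "DEV.MYCOMPANY.COM")
    print(conf)
    print("problems:", check_login_conf(conf))
```

`check_login_conf` is deliberately shallow: it catches the two mistakes that most often stop the Authentication Server from loading the file (a dropped `;` and a mistyped module line), not every JAAS syntax error.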

Step 4: Configure the Authentication Service for domain authentication

Use the Application Server Administration console (blasadmin utility) to configure the TrueSight Server Automation Authentication Service so that the service can use the Kerberos configurations that you set up in the previous procedures.

  1. Add the entry of the domain to be authenticated in the host file of the system.
  2. On the reports server, start the Application Server Administration console (the blasadmin utility) as follows.
    • (Windows) Navigate to the <TSSA-DWInstallationDirectory>\bin directory and enter the following command: blasadmin.
    • (UNIX) Navigate to the <TSSA-DWInstallationDirectory>/br directory and enter the following command: blasadmin.
  3. To allow users to log on by using domain authentication, enter the following command:

    set AuthServer isDomainAuthEnabled true

    By default, this value is set to false.

  4. If you are not using the default file name of blappserv_krb5.conf, enter the following command to enable the Authentication Server to locate the file. Otherwise, you can skip this step.

    set AuthServer AuthSvcKrb5Config <fileName>

    <fileName> is the name of the blappserv_krb5.conf file. This file is essential for supporting Kerberos. By default, AuthSvcKrb5Config is set to a value of blappserv_krb5.conf.

  5. If you are not using the default file name of blappserv_login.conf, enter the following command to enable the Authentication Server to locate the file. Otherwise, you can skip this step.

    set AuthServer AuthSvcKrb5LoginConfig <fileName>

    <fileName> is the name of the blappserv_login.conf file. This file is essential for supporting Kerberos. By default AuthSvcKrb5LoginConfig is set to a value of blappserv_login.conf.

  6. Run the syncFile command. For more information, see Persisting changes in configuration files from file system to the database.

  7. Restart the following services:
    • TrueSight Server Automation - Data Warehouse
    • Authentication Server
