Security planning for Presentation Server

The TrueSight Operations Management solution can comprise several components. The following diagram provides an overview of the communication paths among the core TrueSight Operations Management components. For more detailed descriptions about the architectural diagrams, see TrueSight-Operations-Management-architecture.

authenticationFlowAllOverview_110.png

This topic addresses the ways in which sensitive data and user information are secured among the TrueSight Operations Management components. 

User authentication and authorization

The TrueSight Operations Management system uses Remedy Single Sign-On to authenticate and manage users and user groups. BMC Remedy Single Sign-On supports authentication with traditional systems, such as Active Directory, LDAP, SAMLv2, and others systems, and supports integration into existing single sign-on systems.

Following system installation and configuration, users access the TrueSight console from the TrueSight Presentation Server. Role-based-access to the TrueSight Operations Management components is then managed by authorization profiles, which are maintained by the Solution Administrator.  Users cannot directly access any of the components.


Plan to change the out-of-the-box credentials

You must change the out-of-the-box credentials at your first log in for both Remedy SSO Server and Presentation Server. This document explains the steps to change the default passwords as part of the relevant installation procedures.


Security resources

Remedy Single Sign-On

Planning-the-Remedy-Single-Sign-On-Server-deployment

Installing Remedy SSO

Migrating-internal-user-data-from-Atrium-Single-Sign-On-to-Remedy-Single-Sign-OnConfiguring user authentication for the Presentation Server in Remedy SSO

Upgrading Remedy SSO

Role-based user access overviews

TrueSight Infrastructure Management security

Security-planning-for-Infrastructure-Management

Security standards

TrueSight Operations Management supports the following security standards.

Location of security certificates and Java KeyStore files

During installation of the TrueSight App Visibility Manager component, self-signed certificates are created in the following locations to handle authentication between the components. If you prefer to use your own certificates, follow the procedures detailed in Applying private certificates between the App Visibility portal and the Presentation Server. For information about the security certificates used in the TrueSight Infrastructure Management server, see Location of the HTTPS/SSL private key on BMC TrueSight Infrastructure Management Server.

  • Location of the keystore files for TrueSight App Visibility Manager component on the TrueSight Presentation Server
    • Windows
      • %TRUESIGHTPSERVER_HOME%\truesightpserver\conf\secure\adopskeystore.jks
      • %TRUESIGHTPSERVER_HOME%\truesightpserver\conf\secure\adopstruststore.jks
    • Linux
      • $TRUESIGHTPSERVER_HOME/truesightpserver/conf/secure/adopskeystore.jks
      • $TRUESIGHTPSERVER_HOME/truesightpserver/conf/secure/adopstruststore.jks
    • Configuration file: tspsInstallationDirectory/conf/appVisCertificates.xml
  • Location of keystore file that secures communication between clients (browser) and the TrueSight Presentation Server
    • Windows 
      %TRUESIGHTPSERVER_HOME%\conf\secure\loginvault.ks
    • Linux 
      $TRUESIGHTPSERVER_HOME/conf/secure/loginvault.ks


Security certificates on TrueSight App Visibility Manager server components and TrueSight App Visibility Manager agents

Most App Visibility components require two-way authentication, requiring a network of certificates in keystores and truststores.

The referenced document [confluencePage:page:tsomd113.Applying private certificates to App Visibility components] was not found.

For more information, see Applying private certificates to App Visibility components.


Security certificates on Synthetic TEA Agents

You can use custom certificates for the BMC Synthetic Transaction Execution Adapter (TEA) Agents for authentication with App Visibility Manager. You can update certificates before installing your TEA Agents, or you can update certificates on TEA Agents that are already installed. The TEA Agent installation files include a tool to help replace the certificates. For more information, see Applying private certificates to Synthetic TEA Agents.


Data security

The App Visibility portal and App Visibility collector each include an App Visibility database, which is a PostgreSQL database that uses trust authentication. This authentication assumes that anyone who can access the App Visibility portal or collector computers is authorized to access the database.

For more information about maintaining TrueSight App Visibility Manager data security, see Changing the App Visibility database password.

Open ports

For a complete list of ports used by the TrueSight Operations Management solution, see Network-ports.

Related topics

Importing-a-keystore-file-or-replacing-the-certificate-for-the-App-Visibility-proxy

System-requirements-for-Presentation-ServerAccess control for administrators of service providersAccess control for SaaS administrators

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*