Security Settings
CES provides the ability to secure access to BMC AMI Products for Web, product functions, administrative functions, and REST endpoints. With security enabled, a user must provide credentials to access BMC AMI Products for Web. By default, administrative functions are restricted and users will only have access to the base web product functions. Restricted functions do not display in the user interface and REST endpoints will be inaccessible.
The Security page has five tabs:
- Personal Access Tokens tab
- Security tab
- Users tab
- Groups tab
- Roles tab
Personal Access Tokens tab
The Personal Access Tokens tab allows you to manage personal access tokens. Personal access tokens are used in place of your credentials when performing Code Pipeline operations using the Code Pipeline API. Personal access tokens are a widespread standard used across well-known organizations and services.
A personal access token is required to authenticate with Code Pipeline when using the Code Pipeline API.
When accessing the Personal Access Tokens tab, a list of configured personal access tokens is displayed showing the user name, generated token, host, and port. The number of personal access tokens displayed in the list at a given time can be changed by selecting a different value in the option field below the list. The default is 25 entries per page but can be changed to 10, 25, 50, 100, 500, or all.
To access a Personal Access Token
In CES, select Administration >Security, and then select the Personal Access Tokens tab.
To add a Personal Access Token
- From the Personal Access Tokens tab, click Add.
Complete each of the required fields. If you choose to create a secure host connection, be sure that the port used is already defined as a secure port on the host mainframe.
- User Name – The RACF login name that will be associated with the token.
- Token – A generated token used when making API requests.
- Host Connection – z/OS host system name or IP address that is running Code Pipeline.
- When complete, click OK to add the personal access token to the list of personal access tokens.
To edit a Personal Access Token
- From the Personal Access Tokens tab, select the personal access token to be edited by clicking on it, and then click Edit.
- Modify the content of the fields as needed. If you choose to create a secure host connection, be sure that the port used is already defined as a secure port on the host mainframe. You may also modify the password.
- When complete, click OK. The personal access token has been edited and returned to the list of personal access tokens.
To remove a Personal Access Token
- From the Personal Access Tokens tab, select the Personal Access Token to be removed. You may remove more than one at a time.
- Click Remove. The selected Personal Access Token is removed from the list.
Security tab
The Security tab allows you to enable secure access to administrative functions of CES.
User authentication is achieved through the CES internal authentication system, or by using your existing LDAP, X.509 client certificate, or Kerberos enterprise authentication system. By enabling security, you are able to manage Users, Groups, and Roles.
Although you are not required to secure access to BMC AMI Products for Web, you should consult with the network security group at your site to determine whether or not to enable security for BMC AMI Products for Web.
To access security settings in CES, select Administration >Security, and then select the Security tab.
Authentication Mode
The authentication mode provides the ability to enable or disable security, configure settings that apply to all authentication systems, and configure an authentication system. To enable security, set the authentication mode switch to On.
To support older versions of integrated BMC AMI products that do not support CES security, options are available to disable security for those specific products. By default, security is disabled (Off) for all of the integrated BMC AMI products to ensure that these integrations continue to work with CES. Security can be enabled (On) for those BMC AMI Products for Web which have a release version compatible with CES security.
- Require CMSC authentication requires CMSC to authenticate via a pre-shared key. To enable CMSC authentication, set the switch to On.
- Require Workbench user authentication requires Workbench for Eclipse to authenticate using any of the four authentication modes. Without this enabled, Workbench users authenticate anonymously. To enable Workbench for Eclipse user authentication, set the switch to On.
- Disable Abend-AID Viewer Find and Fix requests. Abend-AID Viewer does not support authentication, so its requests can only be allowed anonymously or blocked. To disable Abend-AID Viewer Find and Fix requests, set the switch to On.
Internal
To configure and enable security using Internal authentication
When security is enabled with the Internal authentication mode, CES manages authenticating users, as well as managing user names and passwords. This mode is appropriate when you do not have an enterprise authentication system, or you do not wish to integrate with an enterprise authentication system. This mode replaces previous functionality in CES and iStrobe where passwords were required for administrator access. It also replaces the functionality in iStrobe that required authentication with a user name only.
- From the Security window in Administration, toggle the Authentication Mode to On.
- Select the Internal option.
- To allow new users to self register when they authenticate for the first time in a web product, toggle Allow new users to self register to On.
To enforce better security by means of a strong password, set the Password Policy toggle switch to On. When the password policy is enabled, every user needs to configure a password that contains at least 8 characters including one special character, one number, and a letter in upper case.
- Enter a user name and password for the main administrator of CES.
- Click Apply to save and apply the security settings. CES will restart to implement the changes to the security settings.
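The password policy above is stated in prose only. The following check, added here as an example and not code from CES, shows the rules as a function that reports every rule a candidate password fails, which is what you would use to pre-validate passwords (for example in a provisioning script) before they are entered into CES. The page does not define "special character"; the example assumes ASCII punctuation, and that assumption is marked in the code.

```python
import string

# Rules as stated on the page: at least 8 characters, including at least one
# special character, one digit and one upper-case letter. The page does not
# define "special character"; this example ASSUMES ASCII punctuation
# (string.punctuation), which is not necessarily the product's definition.
MIN_LENGTH = 8
SPECIAL_CHARS = set(string.punctuation)


def password_policy_violations(password: str) -> list:
    """Return the list of rules the password fails; an empty list means it complies."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("fewer than %d characters" % MIN_LENGTH)
    if not any(ch.isupper() for ch in password):
        failures.append("no upper-case letter")
    if not any(ch.isdigit() for ch in password):
        failures.append("no digit")
    if not any(ch in SPECIAL_CHARS for ch in password):
        failures.append("no special character")
    return failures


def is_compliant(password: str) -> bool:
    return not password_policy_violations(password)


# Constructed sample inputs for a quick run (not real credentials).
SAMPLES = {
    "Tr0ub4dor&3": True,
    "Passw0rd": False,      # no special character
    "password1!": False,    # no upper-case letter
    "Sh0rt!": False,        # fewer than 8 characters
}

if __name__ == "__main__":
    for pw, expected in SAMPLES.items():
        result = password_policy_violations(pw)
        status = "OK    " if not result else "REJECT"
        print(f"{status} {pw!r}: {', '.join(result) or 'complies'}")
        assert is_compliant(pw) == expected
```

Note that the policy only governs passwords stored by CES in Internal mode; in LDAP, Kerberos, or client certificate mode the enterprise system's own policy applies.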
LDAP
To configure and enable security using LDAP
When security is enabled with an LDAP authentication server, BMC AMI Products for Web authenticate users against that LDAP server. This mode offers better user management because user accounts are stored in a centralized LDAP server. Valid LDAP users are registered with CES during the user's initial login to a web product.
- From the Security window in Administration, toggle the Authentication Mode to On.
- Select the LDAP option.
Enter the following required information in each of the fields:
- LDAP server URL
- LDAP server port number
- Bind with, either Search filter or User DN
- Distinguished Name (DN)
- Password for DN (only required when binding with a search filter)
- Search base (only required when binding with a search filter)
- Search filter (only required when binding with a search filter)
- Administrator(s). Do not include the domain name in this field
You may choose to enable the use of LDAP Groups:
- Use LDAP Groups - When enabled, this function allows CES groups to be mapped to LDAP configured groups. Set the switch to On.
- Attribute for group membership - The LDAP attribute at a user object to return information about group memberships. Enter an attribute in this field.
- Click LDAP Server Connection Test. If an LDAP server connection is available, you will be able to apply this security configuration.
- Click Apply to save and apply the security settings. CES will restart to implement the changes to the security settings.
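When you bind with a search filter, the usual sequence (typical LDAP behaviour, not something this page spells out) is: CES binds with the configured DN and password, searches under the search base with the filter to find the entry for the login name, and then binds as the DN it found with the password the user typed. The only user-controlled input in that sequence is the login name substituted into the filter. The example below, added here and not code from CES, assumes the filter uses a `{0}` placeholder for that substitution and shows why the substituted value must be escaped per RFC 4515: without escaping, a crafted login name turns a one-user lookup into a filter that matches every person. The template and login names are constructed for the example.

```python
# RFC 4515 escaping of values placed inside an LDAP search filter.
# ASSUMPTION (not stated on the page): the Search filter field contains a
# placeholder, written here as {0}, that is replaced with the login name.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value so it cannot alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, login_name: str) -> str:
    """Safe substitution: the login name can only ever be an attribute value."""
    return template.replace("{0}", escape_filter_value(login_name))


def naive_user_filter(template: str, login_name: str) -> str:
    """Unsafe substitution, shown for contrast: the login name is spliced in raw."""
    return template.replace("{0}", login_name)


# Constructed Active Directory style filter; restricts the match to one account.
TEMPLATE = "(&(objectClass=person)(sAMAccountName={0}))"

if __name__ == "__main__":
    for name in ("jsmith", "*)(objectClass=*"):
        print("login  :", repr(name))
        print("naive  :", naive_user_filter(TEMPLATE, name))
        print("escaped:", build_user_filter(TEMPLATE, name))
        print()
```

With the raw substitution, the login name `*)(objectClass=*` yields `(&(objectClass=person)(sAMAccountName=*)(objectClass=*))`, a syntactically valid filter that matches every person in the search base; which entry is then used for the second bind depends on the product. With escaping, the same input becomes an attribute value that matches nothing. When you run the LDAP Server Connection Test, also confirm that a wildcard in the user name field fails to log in.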
Kerberos
To configure and enable security using Kerberos
Enabling security with Kerberos single sign-on offers advantages over LDAP: users who already hold a Kerberos ticket are authenticated automatically when they access a BMC AMI Product for Web, and their passwords are never sent to CES.
- From the Security window in Administration, toggle the Authentication Mode to On.
- Select the Kerberos option.
Enter the following required information in each of the fields:
- Service principal
- Keytab location
- Administrator(s)
- Click Kerberos login test. If you are able to log in, you will be able to apply this security configuration.
- Click Apply to save and apply the security settings. CES will restart to implement the changes to the security settings.
Client Certificate
To configure and enable security using a client certificate (X.509)
When security is enabled with a client certificate (X.509), CES uses the TLS client certificate presented by the browser to authenticate users. CES must be configured to use HTTPS when using Client certificate as the authentication mode, since the certificate is only presented during the TLS handshake.
- From the Security window in Administration, toggle the Authentication Mode to On.
- Select the Client certificate option.
- Enter the following required information in the field:
X.509 mask – The X.509 mask is a regular expression used to extract the user name from the subject of the X.509 certificate. The user name extracted is used to log into BMC AMI Products for Web, so the mask must match exactly one, unambiguous value. The default mask, as shown below, extracts the contents of the Common Name (CN) field from the certificate subject.
CN=(.*?),
- Click Apply to save and apply the security settings. CES will restart to implement the changes to the security settings.
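The default mask `CN=(.*?),` is a plain regular expression, so it pays to try it against the subject DNs your CA actually issues before switching modes. The example below, added here and not code from CES, applies the page's default mask to a few constructed subject DNs and shows two cases it handles badly: a CN that is the last component of the DN (no trailing comma, so no match and no login), and a CN containing an escaped comma (the lazy match stops at the escaped comma and yields a truncated name). It also shows a stricter candidate mask; that mask is this example's suggestion, not a product default, and because the page does not state which regex dialect CES uses, confirm any alternative mask in CES itself.

```python
import re

# Default mask shown on the page.
DEFAULT_MASK = r"CN=(.*?),"

# Stricter alternative (this example's suggestion, not a product default):
# CN= must start the DN or follow a comma, the value may contain
# backslash-escaped commas, and the component may be last in the DN.
STRICT_MASK = r"(?:^|,)CN=((?:[^,\\]|\\.)*)(?:,|$)"


def extract_user_name(subject_dn: str, mask: str = DEFAULT_MASK):
    """Apply the mask as the page describes: the first capture group is the
    user name. Returns None when the mask does not match or captures nothing,
    which is the safe failure (no user name, so no login)."""
    match = re.search(mask, subject_dn)
    if match is None or not match.group(1):
        return None
    return match.group(1)


# Constructed subject DNs; none of these are real certificates.
SAMPLE_DNS = [
    "CN=jsmith,OU=Developers,O=Example Corp,C=US",   # common layout
    "OU=Developers,CN=jsmith",                        # CN is the last component
    r"CN=Smith\, John,OU=Developers,O=Example Corp",  # escaped comma in CN
    "OU=Developers,O=Example Corp",                   # no CN at all
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(dn)
        print("  default mask ->", extract_user_name(dn))
        print("  strict mask  ->", extract_user_name(dn, STRICT_MASK))
```

Two points follow from the run. A mask that is too loose is worse than one that is too strict: a greedy `CN=(.*)` would capture the rest of the DN, but a mask that fails to match simply prevents login. And the extracted name is only as trustworthy as the CA that issued the certificate; CES trusts whatever CN that CA put in the certificate, so restrict the HTTPS trust store to the CA that issues your user certificates.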
Users tab
The Users tab allows you to manage the users that have access to the BMC AMI web applications. When accessing the Users tab, a list of configured users is displayed showing the name of the user, the email address associated with that user, the groups to which the user is assigned, and the individual roles assigned to that user.
You can create and delete users and assign roles to users. Roles can also be assigned to an individual user by selecting that user and clicking Edit.
The list of users can be filtered by clicking the filter icon above the list and entering the filter criteria. For example, to filter the list to only those users having the iStrobe User role, click the filter icon and type iStrobe User. If you wanted to further filter the list to those users who also have the Code Pipeline User role, you would type iStrobe User Code Pipeline User into the filter.
The number of users displayed in the list at a given time can be changed by selecting a different value in the option field below the list. The default is 25 entries per page but can be changed to 10, 25, 50, 100, 500, or all.
There are four ways to add users to the list of users:
- Migrating from a previous release. Existing users are migrated to CES automatically. There are several special cases to be aware of when coming from a previous release:
  - Existing CES or iStrobe installs that had the 'Require administrative password' checkbox enabled are placed in 'Internal' security mode on upgrade. In this case, an 18.2.1 CES user called 'CESAdmin' or 'iStrobeAdmin' is created with the password that was defined in the previous release's user interface.
  - Existing iStrobe customers that had the 'Require user login' option selected are upgraded to 'Internal' security mode and asked to define a password to be used with the user ID on the upgrade to 12.1.
- Enabling the LDAP, Kerberos, or Client certificate authentication mode. Any user who authenticates successfully is created in CES automatically and inherits the roles of every group that has the 'Auto assign users' option enabled. Because this grants access to every user the enterprise system can authenticate, keep the roles on auto-assigned groups to the minimum a new user needs.
- Enabling the Internal authentication mode together with the 'Allow new users to self register' option. Users can then register themselves, which adds them to the list.
- Manually adding users to the list.
To manually add a user
- From the Users tab, click Add.
- Complete each of the required fields.
- Name: The name of the user.
- Password: Add a temporary password assigned to the user. When the user first logs in they will be required to change their password.
- Email: An email address associated with the user.
- Roles: The list of roles that can be assigned to the user. To assign a role to a user, click the toggle to On.
- Click OK. The user appears in the Users table.
To edit a user
- From the Users tab, select a user from the list and click Edit.
- Modify the content of the fields as needed. If you edit a user that is not yourself and change their password, that user will be required to change their password at their next login. Changes to any roles assigned to the user will not take effect until their next login. When you've completed editing the user, click OK to update the user in the list of users.
To remove a user
- From the Users tab, select a user to be removed by clicking on the user name in the table. You may remove more than one at a time. You cannot remove yourself from the list of users.
- Click Remove.
- When prompted, click Yes to remove the user.
To modify the roles assigned to a user
- From the Users tab, select a user by clicking on the user name in the table.
- Click Edit.
- Edit the roles assigned to the user as is appropriate.
- Click OK to apply those roles to that user.
Groups tab
The Groups tab allows you to manage security groups. Groups provide the ability to assign roles to many users at a time as well as automatically assign roles to new users. Groups can also be associated with host connections to restrict user access to specific host connections. When accessing the Groups tab, a list of configured groups is displayed showing the name of the group, a description of the group, the roles associated with the group, and whether or not new users are automatically assigned to the group. Each group can be expanded to show the list of users that belong to it.
The list of groups can be filtered by clicking the filter icon above the list and entering the filter criteria. For example, to filter the list to only those groups that have the iStrobe User role, click the filter icon and type iStrobe User. If you wanted to further filter the list to those groups that also have the Code Pipeline User role, you would type iStrobe User Code Pipeline User into the filter.
The number of groups displayed in the list at a given time can be changed by selecting a different value in the option field below the list. The default is 25 entries per page but can be changed to 10, 25, 50, 100, 500, or all.
To add a group
- From the Groups tab, click Add.
- Under Group Name, add the name of the group, and optionally add a description for the group.
- Under Roles, click the toggle switch to On for those roles you would like assigned to the group.
- Under User Assignment, click the toggle switch to On for those users you would like assigned to the group. To automatically assign new users to the group, click the Auto assign users toggle switch to On.
- Click OK to create the group and save the settings. The group appears in the Groups table.
To edit a group
- From the Groups tab, select a group by clicking on the group name to highlight it in the table.
- Click Edit to reveal the attributes of the group, including the users.
- Under User Assignment, click the toggle switch to On for those users you would like added to the group.
- Click OK to save the settings for the group.
To remove a group
- From the Groups tab, select a group by clicking on the group name to highlight it in the table.
- Click Remove. The group is deleted from the table.
To remove a user from a group
- From the Groups tab, expand the group from which you would like to delete a user by clicking the plus sign next to the group name.
- Click Edit.
- Under User Assignment, click the toggle switch to Off for the user you would like removed from the group. The user is deleted from the group.
Roles tab
The Roles tab allows you to manage security roles. Roles control the access rights to BMC AMI Products for Web and their functionality. By default, a number of roles are provided to cover most situations. You can customize many of the existing roles or create new roles to suit your security needs. When accessing the Roles tab, a list of configured roles is displayed showing the name of the role and a description of the role.
The number of roles displayed in the list at a given time can be changed by selecting a different value in the option field below the list. The default is 25 entries per page but can be changed to 10, 25, 50, 100, 500, or all.
Product Roles and Rights
Product | Default Roles | Description and Access/Rights
--- | --- | ---
BMC AMI Common Enterprise Services (CES) | CES Administrator | Users assigned this role have access to CES configuration settings for Database, Host Connections, Licensing, Issue Tracking, Update Center, Security and Web Server.
BMC AMI Common Enterprise Services (CES) | Super Admin | Users assigned this role have access to administrative functionality for all BMC AMI Products for Web.
BMC AMI Common Enterprise Services (CES) | Personal Access Tokens Administrator | Users assigned this role have the ability to add, edit, and delete Personal Access Tokens.
BMC AMI Common Enterprise Services (CES) | Workbench Team Profile Exporter | Users assigned this role have the ability to export Workbench team profiles to any group of which they are a member.
BMC AMI Common Enterprise Services (CES) | Workbench Team Profile Administrator | Users assigned this role have the ability to view, add, and delete Workbench team profiles for all groups.
BMC AMI iStrobe (iStrobe) | iStrobe Administrator | Users assigned this role have the ability to use the functions in iStrobe Administration to configure and control access to iStrobe content.
BMC AMI iStrobe (iStrobe) | iStrobe Performance Tracker | Users assigned this role have access to iStrobe Performance Tracker functionality.
BMC AMI iStrobe (iStrobe) | iStrobe User | Users assigned this role have access to submit Strobe measurements and create folders in iStrobe.
BMC AMI DevX Code Pipeline (Code Pipeline) | Code Pipeline Administrator | Users assigned this role have access to manage Code Pipeline server connections for use in the Code Pipeline Web Interface.
BMC AMI DevX Code Pipeline (Code Pipeline) | Code Pipeline User | Users assigned this role have access to the Code Pipeline web Deployment application as well as the Code Pipeline Mobile and Web applications.
BMC AMI DevX Code Pipeline (Code Pipeline) | Code Pipeline Approver | Users assigned this role have access to the Code Pipeline Mobile and Web applications.
Fault Analytics | Fault Analytics Administrator | Users assigned this role have access to the Abend-AID Fault Analytics Administration, Preferences and Reports screens.
Fault Analytics | Fault Analytics User | Users assigned this role have access to the Abend-AID Fault Analytics Preferences and Reports screens.
Topaz for Java Performance (TJP) | Topaz for Java Performance User | Users assigned this role have full access to Topaz for Java Performance.
BMC AMI DevX Total Test (Total Test) | Total Test Administrator | Users assigned this role have access to administer the Total Test web client. An administrator has read/write/delete permissions to all test artifacts in the repository. Only selected users should have this role.
BMC AMI DevX Total Test (Total Test) | Total Test User | Users assigned this role can access and use the Total Test web client, as well as functionality from Workbench and the CLI that requires information from the repository. Most users who are allowed to use Total Test should have this role.
BMC AMI Security Session Monitor (Session Monitor) | Session Monitor User | Users assigned this role have full access to Session Monitor.
BMC AMI Ops Automation for Batch ThruPut (Automation for Batch ThruPut) | Automation for Batch ThruPut User | Users assigned this role have full access to Automation for Batch ThruPut.
To add a role
- From the Roles tab, click Add. The role appears in the Roles box. You can rename the role by clicking it and typing a new name in the Roles field.
Complete each of the required fields.
- Name: The name of the role.
- Description: An optional description of the role.
- Rights: The list of rights that can be assigned to the role, grouped by BMC AMI Product for Web. To assign a right to a role, click the toggle to On.
- When the appropriate rights have been selected for a role, click OK. The role is saved with the given name and associated functions.
To modify functions assigned to a role
- From the Roles tab, select the role to be modified by clicking it, and then click Edit.
- Modify the functions assigned to the role by resetting toggle switches for various functions.
- Click OK. The role is modified with the associated functions.
To delete a role
- From the Roles tab, select the role to be deleted by clicking it.
- Click Remove next to the role name. When prompted, click Yes to delete the role.