Securing access to administrative functions


As an administrator, you can enable and configure secure access to CES and the BMC AMI Products for Web.

You can choose and configure one of the following authentication protocols:

  • Internal: Helps CES manage authentication of users, user names, and passwords.

    This mode is suitable when you do not want to integrate with an enterprise authentication system.

  • LDAP: Helps BMC AMI Products for Web manage authentication with an LDAP authentication server.

    This mode offers better user management because user accounts are stored in a centralized LDAP server. When users first log on to a BMC AMI Product for Web, they are registered with CES as valid LDAP users.

  • Kerberos: Helps configure Kerberos single sign-on, which manages authentication.

    This mode is faster and more secure than LDAP. Users are authenticated automatically when they access a BMC AMI Product for Web.

  • Client certificate (X.509): Helps configure an SSL client certificate (X.509) to manage authentication.

    To use this mode, CES must be configured to use HTTPS.

Before you begin

Important

  • We recommend that you consult with the network security group at your site to determine if you must enable secure access to the BMC AMI Products for Web.
  • You can manage Users, Groups, and Roles by enabling security.

On the Security tab, select Enable to activate the Authentication mode and secure access to the web products.

To support older versions of integrated BMC AMI products that do not support CES security and to ensure that these integrations continue to work with CES, security for these integrated products is disabled (Off), by default.

You can choose to enable security for BMC AMI products that have a release version compatible with CES security by turning on the following toggle switches:

  • Require CMSC authentication: Requires CMSC to authenticate via a pre-shared key.
  • Require BMC AMI DevX Workbench user authentication: Requires Workbench for Eclipse to authenticate using any of the four authentication modes. When this switch is turned off, Workbench users can authenticate anonymously.
  • Enable Abend-AID Viewer find and fix requests: The Abend-AID Viewer does not support authentication. To enable authentication, turn on this switch.

To configure the internal authentication mode

  1. Enable Allow new users to self-register to allow users to self-register when they authenticate for the first time in a BMC AMI Product for Web.
  2. Enable Password policy to enforce better security by means of a strong password. When the password policy is enabled, every user must configure a password that contains at least eight characters including one special character, one number, and one uppercase letter.

    Important

    After enabling the Password Policy, existing users whose passwords are not compliant with the policy are redirected to the Change Password page and must reconfigure their passwords.

  3. Enter the required Administrator user name and Password for the main administrator of CES, and re-enter the password in the Password confirmation field.
  4. Click Apply to save the settings. CES restarts to implement the changes to the Internal security settings and redirects you to the login page.
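Because enabling the Password policy redirects every user whose current password is not compliant to the Change Password page, it is useful to know in advance which passwords will fail. The following is an added example (not CES code) that encodes the four rules stated above as a checker; the set of characters counted as "special" is an assumption, since the page does not list it.

```python
import re

# Assumption: a "special character" is any printable character that is not a letter,
# digit or whitespace. The page does not define the accepted set; confirm against CES.
_RULES = {
    "at least 8 characters": lambda p: len(p) >= 8,
    "one uppercase letter":  lambda p: re.search(r"[A-Z]", p) is not None,
    "one number":            lambda p: re.search(r"[0-9]", p) is not None,
    "one special character": lambda p: re.search(r"[^A-Za-z0-9\s]", p) is not None,
}


def policy_violations(password: str) -> list:
    """Return the names of the rules that `password` fails; an empty list means compliant."""
    return [name for name, ok in _RULES.items() if not ok(password)]


def is_compliant(password: str) -> bool:
    """True when `password` satisfies every rule of the CES password policy as described."""
    return not policy_violations(password)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in ("password", "Ab1!", "Str0ng!pw"):
        print(candidate, "->", policy_violations(candidate) or "compliant")
```

Run the checker over the candidate passwords you intend to set (never over stored hashes, which cannot be checked this way) before turning the policy on, so the forced reset affects only the accounts you expect.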

To configure the LDAP authentication mode

  1. Enter the LDAP server URL and LDAP server port number.
  2. Enable Use LDAP Groups to allow CES groups to be mapped to LDAP configured groups.
  3. In Attribute for group membership, specify the LDAP attribute for a user object to return information about group memberships.

    Important

    • When you enable Use LDAP Groups, you can navigate to the Groups tab to configure an LDAP-specific security group by clicking the Groups link in the UI message.
    • The Attribute for group membership field becomes mandatory on enabling Use LDAP Groups.
    • You perform mappings on the CES Group Configuration UI. After mapping, users retain the Group membership, even if Use LDAP Groups is turned off.
    • CES Groups and LDAP groups have a one-to-one relationship.
  4. In the Bind with pane, select either Search filter or User DN to indicate how you want to associate the security with your LDAP settings. The subsequent fields are enabled or disabled for editing based on your selection.
  5. Enter the Distinguished Name (DN).
  6. (If you have selected Search filter) Enter the required Password for DN, Search base, and Search filter.
  7. In Administrator(s), enter a comma-separated list of administrator IDs. Do not include the domain name in this field.
  8. Click LDAP Server Connection Test. If an LDAP server connection is available, you can apply this security configuration.
  9. Click Apply to save the security settings. CES restarts to implement the changes to the LDAP security settings.

To configure the Kerberos authentication mode

  1. Enter the required Service principal.
  2. In Keytab location, enter the path to the Kerberos keytab prefixed by file:///.
  3. In Administrator(s), enter a comma-separated list of administrator IDs.
  4. Click Kerberos Connection Test. If you can log on, you can apply this security configuration.
  5. Click Apply to save the security settings. CES restarts to implement the changes to the Kerberos security settings.

To configure the Client certificate (X.509) authentication mode

  1. Enter the Client certificate mask (the X.509 mask). This is a regular expression that extracts the user name from the subject of the X.509 certificate; that user name is used to log on to BMC AMI Products for Web. The default mask is CN=(.*?), (including the trailing comma), which extracts the contents of the Common Name (CN) field.

    You can customize the regular expression in the x509.mask field to match the subject content of your client certificates. The default regular expression supports a subject such as the following:

    CN=John Doe, E=john.doe@bmc.com, OU=Engineering, O=BMC Software Inc, L=Houston, ST=Texas, C=US

    Important

    You must obtain the X.509 certificate from the security team in your organization.

  2. In Administrator(s), enter a comma-separated list of administrator IDs.
  3. Click Apply to save the security settings. CES restarts to implement the changes to the Client certificate security settings.
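The default mask CN=(.*?), only yields a user name when a comma follows the CN, so a certificate whose subject lists CN last (or has no CN) produces no logon name. The following is an added example, not CES code, that lets you test a candidate mask against the subjects your PKI actually issues before you apply the setting. It uses Python's re module; the regular-expression engine CES uses is not stated on the page, so confirm any non-default mask in the product itself. The sample subjects and the alternative mask are constructed for illustration.

```python
import re

# Constructed sample subjects (not from the page): the layout the documentation shows,
# a subject with CN in last position, and a subject with no CN at all.
SAMPLE_SUBJECTS = [
    "CN=John Doe, E=john.doe@example.com, OU=Engineering, O=Example Inc, L=Houston, ST=Texas, C=US",
    "E=jane.roe@example.com, OU=Engineering, O=Example Inc, C=US, CN=Jane Roe",
    "OU=Engineering, O=Example Inc, C=US",
]

DEFAULT_MASK = r"CN=(.*?),"       # the default x509.mask value from the documentation
ALTERNATIVE_MASK = r"CN=([^,]+)"  # assumed alternative: CN up to the next comma or end of subject


def extract_user(mask: str, subject: str):
    """Return the user name a mask would extract from a subject, or None if it matches nothing.

    Mirrors the documented behaviour: group 1 of the regular expression is the logon name.
    """
    match = re.search(mask, subject)
    if match is None or match.lastindex is None:
        return None
    return match.group(1).strip()


def check_mask(mask: str, subjects) -> dict:
    """Map every subject to the logon name the mask yields; None flags a user who could not log on."""
    return {subject: extract_user(mask, subject) for subject in subjects}


if __name__ == "__main__":
    for mask in (DEFAULT_MASK, ALTERNATIVE_MASK):
        print(f"mask {mask!r}:")
        for subject, user in check_mask(mask, SAMPLE_SUBJECTS).items():
            print(f"  {user!r:12} <- {subject}")
```

A None result for any real subject means that holder would be refused a logon, so run the check against the full set of subject layouts your CA issues. Note also that a CN containing an escaped comma (for example a name written as Doe\, John) is cut at the escape by either mask, which is another case to verify against your certificates.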

CES supports multi-factor authentication. For more information, see Enabling-multi-factor-authentication-for-CES.
