Configuring the Active Directory security mode with the Security Configuration tool

MainView Middleware Monitor provides the following forms of security for user authentication:

  • Internal Security – provided by an internal directory server.
  • Active Directory Delegate Mode Security – combines Active Directory Authentication (user identification and password checking) and Internal LDAP authorization.

You can run the Security Configuration tool during installation or you can run it from the command line, and you can run the security config wizard on either a GUI console or on a text-only console. The security config tool can only be run while MVMM services are down. 

Once the type of security has been chosen, either Internal (default) or Active Directory, you should not switch from one to the other even if you run the Security Configuration Tool again. When Active Directory is chosen and working, you should not switch to another Active Directory unless it has the same groups.

If you need to change the type of security or switch to a different Active Directory with a different directory of groups contact BMC support for advice on how to do this. Changing the directory of groups affects both MainView Middleware Monitor and MainView Middleware Administrator, regardless of its edition.


Note

The Active Directory Only mode (also known as Legacy mode) security configuration that was available in earlier versions of the product is no longer supported for new installations or upgrades.

Related topics

Sample-Active-Directory-configuration-settings-for-Delegate-mode

Configuring-Active-Directory-security

Post-core-component-installation-and-configuration

Before you begin

  • The securityconfig tool requires access to TCP ports 389 and 636 on the Active Directory domain controllers.
  • If you use segregated VLANs, for example, MVMM may not be on the same network segment as domain controllers. Additional configuration may then be needed to allow visibility of the domain controllers.

Delegate Mode Security considerations

For Delegate Mode Security the following information is needed:

Information

Notes

The Active Directory Domain Name

This information should be readily available from the Activey Directory Administrator.

The network ports on which to run the internal LDAP server.

The default ports are 15008 for LDAP and 15011 for LDAPS.

Active Directory Security Transport Type

The type of Active Directory communications. You can choose from SSL, SASL, or SSL and SASL. Both SSL and SASL require some configuration by the Active Directory Network Administrator.

Base Active Directory Fully Qualified Domain Name

The base Active Directory Fully Qualified Domain Name, if different than the Active Directory domain used (i.e., if the Domain to be used is a sub-domain).

TSMA administrator credentials

The user must exist and the password must match that in Active Directory

Common Name (CN) Credentials

The common name of a user which can read entries in the directory. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as MVMM .

LDAP User Search Base

The base DN from which searches for user information occurs. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as MVMM .

LDAP User Search Filter

The search filter used to identify users. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as MVMM .

LDAP Users Search Filter

The search filter used to find users within the directory. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as MVMM .

LDAP User Name Attribute

This is used to identify the text to use as the username. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as MVMM .

LDAP Group Search Base

This is the base DN used to search for groups. Groups should be somewhere down the sub tree rooted by this DN. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as MVMM .

LDAP Group Search Filter

This is the search filter expression used to find groups by name. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as MVMM .

LDAP Group Member Search Filter

This is the search filter expression used to determine members of groups. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as MVMM .

LDAP Groups Search Filter

This is the search filter expression that returns group names. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as MVMM .

LDAP Group Name Attribute

This is the attribute that represents the name of a group. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as MVMM .

LDAP Group Member Attribute

This is the attribute that represents a member of a group. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as MVMM .

LDAP Max Nested Group Recursion Level

Limits the amount of recursion used to find nested groups. This value is not required when using an existing fully licensed version of TSMA that does not use the same security as MVMM .

The type of domain controller list specification

  • Automatic – The list of Domain Controllers are automatically discovered (recommended).
  • Choose from a list – The list of Domain Controllers is automatically discovered and you can select which Domain Controllers to use.
  • Specify a list – Either type or paste a space-delimited list of Domain Controllers.

When more than one domain controller is explicitly or implicitly listed, the priority is automatically managed based on domain controller response times.

Certificates

If using SSL, a set of security certificates might be needed to verify the Domain Controller. The security certificates can be configured in the following ways:

  • Capture the current set of security certificates. With this option, the securityconfig tool attempts to connect to each Domain Controller to capture the certificate sent. These captured certificates are saved and used in future connections to verify the authenticity of the Domain Controller. This method is more secure but still runs some risk that the newly-discovered Domain Controller is malevolent.
  • Import security certificates. This option enables the Active Directory network administrator to import private certificates from a certificate authority.
  • Allow any SSL connection, ignoring any security identification. This configuration is the least secure, but easiest to install.

Password for the security certificate keystore. 

  • During an upgrade, the keystore password from the previous installation is used. 
  • During a new installation, the new keystore password is requested. Keep this password in a safe place for future reference.

To configure Active Directory Delegate Mode security

  1. From the command line, go to the MVMM installation directory, and type: securityconfig

    The securityconfig wizard opens and displays a welcome message, followed by a dialog box requesting the type of security configuration wanted. If the security type has already been set, that type is displayed as the default, which you can override.

  2. Select Active Directory Security, and click Next. 
  3. Select Active Directory (Delegate Mode), enter the Active Directory Domain Name, select either SSLSASL, or SSL/SASL, and enter port numbers to be used for the internal LDAP server, and then click Next.
    DelegateConfiguration.PNG

  4. The security configuration wizard then queries an Active Directory Domain Controller (which might take a few seconds) and displays the base Active Directory Fully Qualified Domain Name that the controller returned. If required, you can change the name displayed. Then click Next.
  5. You are prompted to enter the TSMA Administrator user credentials. Enter a user and password. Click Next.
  6. You may be prompted to enter the CN credentials.  Enter a CN and password. Click Next.
  7. You may be prompted to review and alter MVMA security settings.  You may use the substitution values to avoid repeating text string or you may enter the full values.  When the values have been modified to your satisfaction, click Next.
  8. You are prompted to choose how to select the list of Domain Controllers. Select from Automatic Configuration, Choose From a List of Generated Domain Controllers, or Specify Domain Controllers. Then click Next.
  9. In the displayed list of Domain Controllers (note that if you selected to specify the list of Domain Controllers you now need to enter their names, separating names with a space),select the relevant Controllers, and then click Next.

  10. Define how you would like to handle Active Directory Domain Controller security certificates by selecting one of the following: 

    Capture Current Set of SSL Certificates     (If you select this option, the security config wizard takes a few moments (depending on the length of the list and response times) to query each domain controller; you also need to update the certificates in the keystore file manually if your domain controller certificates are revoked.)

    Import Certificate from your Active Directory Administrator     (If you select this option, you are prompted to enter one or more security certificate file names and certificate alias; enter an alias (name for documentary purposes) for the certificate and the location of the certificate file, and then click Next).

    Note

    If this is a new installation, you are prompted for the new keystorepassword (Enter the password, and click Next to continue).

    The product cannot connect to the domain controllers using expired certificates. If the used certificates expire (default is one year), you must renew the certificates accordingly using the Security Configuration tool.

    Allow any SSL Security Certificates (If you select this option you will need to manually import any active directory certificates required into the MVMA truststore)

     

  11. Review the verification of the security settings, as shown in the following image, and then click Next.
    VerifySecuritySettings.PNG

  12. In the Configuration Review screen, verify the information is correct and click Next.
    At this point, the service.cfg file is re-written with changes reflecting your configuration decisions.
  13. Click Done to exit the wizard.

To configure Internal security

  1. From the command line, go to the MVMM installation directory, and type: securityconfig

    The securityconfig wizard opens and displays a welcome message, followed by a dialog box requesting the type of security configuration wanted. If the security type has already been set, that type is displayed as the default, which you can override. 

  2. Select Internal Security, and click Next. 
  3. Enter a port number to be used for the internal LDAP server, and click Next to display the Configuration Review screen. 
  4. After reviewing the information, click Next. The service.cfg file is re-written with changes reflecting your configuration decisions. 
  5. Click Done to exit the wizard.


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*