User Management in ServerView 6.30

Transcription

1 User Guide - English FUJITSU Software ServerView Suite User Management in ServerView 6.30 Centralized Authentication and role-based Authorization Edition March 2014

2 Comments Suggestions Corrections The User Documentation Department would like to know your opinion of this manual. Your feedback helps us optimize our documentation to suit your individual needs. Feel free to send us your comments by to Certified documentation according to DIN EN ISO 9001:2008 To ensure a consistently high quality standard and user-friendliness, this documentation was created to meet the regulations of a quality management system which complies with the requirements of the standard DIN EN ISO 9001:2008. cognitas. Gesellschaft für Technik-Dokumentation mbh Copyright and Trademarks Copyright 2014 Fujitsu Technology Solutions GmbH. All rights reserved. Delivery subject to availability; right of technical modifications reserved. All hardware and software names used are trademarks of their respective manufacturers.

3 Contents 1 Introduction Authorization and authentication concept Target Groups of this Manual Structure of the manual Changes since the previous manual ServerView Suite link collection Documentation for ServerView Suite Notational Conventions User management and security architecture (overview) Prerequisites Global user management using an LDAP directory service Benefits of using a directory service Supported directory services Using Open DJ or an already existing, configured directory service Common user management for the ServerView Suite and the irmc S2/S3/S Role Based Access Control (RBAC) Users, user roles and privileges RBAC implementation in OpenDJ RBAC combined with an already existing configured directory service Single sign-on (SSO) using a CAS service CAS based SSO architecture Single sign-on from the user s point of view User Management in ServerView

4 3 ServerView user management via an LDAP directory service Configuring directory service access ServerView user management with OpenDJ Predefined users and roles Defining / changing the passwords of the predefined users OpenDJ Directory Manager s password Defining / changing the password of svuser Changing predefined passwords of the predefined users Administrator, Monitor, Operator and UserManager Changing the LDAP ports of OpenDJ Changing the LDAP port numbers on Windows systems Changing the LDAP port numbers on Linux systems Managing users, roles and privileges in OpenDJ Starting ServerView User Management Change your own password for OpenDJ User Management wizard Integrating an irmc S2/S3/S4 into ServerView user management with OpenDJ and SSO Integrating an irmc S2/S3/S4 into ServerView user management with OpenDJ Configuring the irmc S2/S3 web interface for CAS-based single sign-on (SSO) authentication Backing up and restoring OpenDJ data Backing up and restoring OpenDJ data on Windows systems Backing up and restoring OpenDJ data on Linux systems Integrating ServerView user management into Microsoft Active Directory Changing the password of the LDAP bind account LDAP Password Policy Enforcement (LPPE) Managing SSL Certificates on the CMS and managed nodes Managing SSL Certificates (Overview) Managing SSL certificates on the CMS A self-signed certificate is created automatically during setup Creating a CA Certificate Software tools to manage certificates and keys User Management in ServerView

5 4.2.4 Replacing the certificate on the Central Management Station (CMS) Replacing the certificate on a Windows system Replacing the certificate on a Linux system Preparing managed nodes for RBAC and client authentication Transferring <system_name>.scs.pem and <system_name>.scs.xml to the managed node Installing the certificate files on a Windows system Installing the certificate files together with the ServerView agents Installing the certificate files on a Windows system where the ServerView agents are already installed Installing the certificate files on a Linux or VMware system Installing the certificate files together with the ServerView agents Installing the certificate files on a Linux/VMware system where the ServerView agents are already installed Installing the certificate via ServerView Update Manager (on a Windows / Linux / VMware system) Using the ServerView Update Manager to install the CMS certificate on the managed node (overview) Installing the CMS certificate on the managed node Uninstalling the CMS certificate from the managed node Role-based permissions for accessing Operations Manager Privilege categories and related privileges Privilege categories (overview) AgentDeploy category AlarmMgr category ArchiveMgr category BackupMgr category Common category ConfigMgr category InvMgr category irmc_mmb category PerfMgr category PowerMon category RackManager category User Management in ServerView

6 RaidMgr category RemDeploy category ReportMgr category SCS category ServerList category UpdMgr category UserMgr category VIOM category Predefined users and roles in OpenDJ Audit logging Audit log storage location Audit log entries Types of audit log entries Header of an audit log entry Structured data of an audit log entry origin element ServerView:env@231 element ServerView:audit@231 element ServerView[.<COMP_NAME>]:msg@231 element ServerView[.<COMP_NAME>]:<operation>@231 element Examples: Entries in the audit log file Appendix 1 - Global irmc S2/S3 user management via an LDAP directory service User management concept for the irmc S2/S Global user management for the irmc S2/S Overview irmc S2/S3 user management via an LDAP directory service (concept) Global irmc S2/S3 user management using roles Organizational unit (OU) SVS Cross-server, global user permissions SVS: Permission profiles are defined via roles SVS_LdapDeployer - Generating, maintaining and deleting the SVS structures Configuration file (XML file) User Management in ServerView

7 Starting SVS_LdapDeployer deploy: Create or modify an LDAP v2 structure delete: Deleting an LDAP v2 structure Typical application scenarios Performing an initial configuration of an LDAP v2 structure Re-generating or expanding an LDAP v2 structure Re-generating an LDAP v2 structure and prompting for and saving authentication data irmc S2/S3 user management via Microsoft Active Directory Configuring irmc S2/S3 LDAP/SSL access at the Active Directory server Assigning user roles to an irmc S2/S3 user irmc S2/S3 user management via Novell edirectory Software components and system requirements Installing Novell edirectory Configuring Novell edirectory Integrating irmc S2/S3 user management in Novell edirectory Assigning an irmc S2/S3 user to a permission group Tips on administering Novell edirectory irmc S2/S3 user management via OpenLDAP Installing OpenLDAP Creating SSL certificates Configuring OpenLDAP Integrating irmc S2/S3 user management in OpenLDAP Tips on OpenLDAP administration Configuring alerting to global irmc S2/S3 users Global alerting Displaying alert roles Assigning irmc S2/S3 users to an alert role SSL copyright Appendix 2 - Global irmc S4 user management via an LDAP directory service User management concept for the irmc S Global user management for the irmc S Overview irmc S4 user management via an LDAP directory service (concept) Global irmc S4 user management using roles User Management in ServerView

8 Organizational unit (OU) SVS Cross-server, global user permissions SVS: Permission profiles are defined via roles SVS_LdapDeployer - Generating, maintaining and deleting the SVS structures Configuration file (XML file) Starting SVS_LdapDeployer deploy: Create or modify an LDAP v2 structure delete: Deleting an LDAPv2 structure Typical application scenarios Performing an initial configuration of an LDAP v2 structure Re-generating or expanding an LDAP v2 structure Re-generating an LDAP v2 structure and prompting for and saving authentication data irmc S4 user management via Microsoft Active Directory Configuring irmc S4 LDAP/SSL access at the Active Directory server Assigning user roles to an irmc S4 user irmc S4 user management via Novell edirectory Software components and system requirements Installing Novell edirectory Configuring Novell edirectory Integrating irmc S4 user management in Novell edirectory Assigning an irmc S4 user to a permission group Tips on administering Novell edirectory irmc S4 user management via OpenLDAP Installing OpenLDAP Creating SSL certificates Configuring OpenLDAP Integrating irmc S4 user management in OpenLDAP Tips on OpenLDAP administration Configuring alerting to global irmc S4 users Global alerting Displaying alert roles Assigning irmc S4 users to an alert role SSL copyright User Management in ServerView

9 1 Introduction This manual describes the authorization and authentication concept on which the global user management and the security architecture of the ServerView Suite and the irmc S2/S3/S4 are based. 1.1 Authorization and authentication concept User management and security architecture of the ServerView Suite and the irmc S2/S3/S3/S4 are based on three fundamental concepts: Global user management using an LDAP directory service Role Based Access Control (RBAC) Single sign-on (SSO) based on a centralized authentication service (CAS) Global user management using an LDAP directory service Users are stored and managed centrally for all related central management stations (CMS) by means of a directory service. The directory service provides all data needed for authentication and authorization. You have the option to use ServerView Operations Manager s own preconfigured directory service (ForgeRock s OpenDJ) or an already operating, configured directory service (e.g. Microsoft Active Directory). Role Based Access Control (RBAC) Role Based Access Control (RBAC) manages access control by defining a set of user roles (security roles). One or more roles are assigned to each user, and one or more user privileges are assigned to each role. RBAC allows you to align your security concept with the structure of your organization by assigning a task-oriented permission profile to each role. RBAC is already implemented in the OpenDJ directory service, which is automatically installed during the installation of ServerView Operations Manager. If you use an already configured directory service such as Active Directory, you have to additionally import the ServerView-specific privileges into it. Subsequently, you can assign the required roles to the users that are supposed to have the associated privileges. User Management in ServerView 9

10 Target Groups of this Manual Single sign-on (SSO) The ServerView Suite provides the single sign-on (SSO) feature for the login to its individual components. The SSO is based on a central authentication service (CAS). SSO means you have to prove your authentication only once. Once your authentication has been successful, you can access all ServerView components without being prompted to log in again at any of them. 1.2 Target Groups of this Manual This manual is intended for system administrators, network administrators and service technicians who already have a basic knowledge of hardware and software. The manual provides an overview of the authorization and authentication concept of the ServerView Suite and describes in detail the steps you have to take to setup ServerView user management or to integrate ServerView user management into the already existing user management of your IT. 10 User Management in ServerView

11 Structure of the manual 1.3 Structure of the manual This manual provides you with information about the following topics: Chapter 2: User management and security architecture (overview) This chapter provides you with an overview of the authorization and authentication concept of the ServerView Suite. Chapter 3: ServerView user management via an LDAP directory service This chapter provides you with information on the following topics: Configuring directory service access. ServerView user management with OpenDJ Integrating ServerView user management into Microsoft Active Directory. Chapter 4: Managing SSL Certificates on the CMS and the managed nodes This chapter provides you with information on the following topics: Managing SSL Certificates (overview). Managing SSL Certificates on the Central Management Station (CMS). Preparing managed nodes for RBAC and client authentication. Chapter 5: Role-based permissions on accessing Operations Manager This chapter provides you with detailed information on the following topics: Privilege categories and related privileges. Predefined users and roles in OpenDJ Chapter 6: Audit logging This chapter provides you with detailed information on CAS-related audit logging, the audit log storage location, and the structure of the audit log entries. User Management in ServerView 11

12 Changes since the previous manual Appendix 1 : irmc S2/S3 user management via an LDAP directory service This chapter provides you with information on the following topics: Global User management concept for the irmc S2/S3. User permissions, permission groups and roles. irmc S2/S3 user management via Microsoft Active Directory, Novell edirectory, OpenLDAP, and OpenDJ. Appendix 2 : irmc S4 user management via an LDAP directory service This chapter provides you with information on the following topics: Global User management concept for the irmc S4. User permissions, permission groups and roles. irmc S4 user management via Microsoft Active Directory, Novell edirectory, OpenLDAP, and OpenDJ. 1.4 Changes since the previous manual This edition of the "User Management in ServerView" manual is valid for the ServerView Operations Manager version 6.30 and replaces the following online manual: ServerView Suite - User Management in ServerView, October 2013 edition. The manual features the following changes and enhancements: A new script has been provided for changing the password of the read-only user account being used for the LDAP queries on Active Directory. This script allows you to change the password without having to restart a Windows service or Linux daemon, see section "Changing the password of the LDAP bind account" on page User Management in ServerView

13 ServerView Suite link collection 1.5 ServerView Suite link collection Via the link collection, Fujitsu Technology Solutions provides you with numerous downloads and further information on the ServerView Suite and PRIMERGY servers. For ServerView Suite, links are offered on the following topics: Forum Service Desk Manuals Product information Security information Software downloads Training I The downloads include the following: Current software versions for the ServerView Suite as well as additional Readme files. Information files and update sets for system software components (BIOS, firmware, drivers, ServerView agents and ServerView update agents) for updating the PRIMERGY servers via ServerView Update Manager or for locally updating individual servers via ServerView Update Manager Express. The current versions of all documentation on the ServerView Suite. You can retrieve the downloads free of charge from the Fujitsu Technology Solutions Web server. For PRIMERGY servers, links are offered on the following topics: Service Desk Manuals Product information Spare parts catalogue User Management in ServerView 13

14 Documentation for ServerView Suite Access to the link collection You can reach the link collection of the ServerView Suite in various ways: 1. Via ServerView Operations Manager. Select Help Links on the start page or on the menu bar. This opens the start page of the ServerView link collection. 2. Via the start page of the online documentation for the ServerView Suite on the Fujitsu Technology Solutions manual server. I You access the start page of the online documentation via the following link: In the selection list on the left, select Industry standard servers. Click the menu item PRIMERGY ServerView Links. This opens the start page of the ServerView link collection. 3. Via the ServerView Suite DVD. In the start window of the ServerView Suite DVD, select the option Select ServerView Software Products. Click Start. This takes you to the page with the software products of the ServerView Suite. On the menu bar select Links. This opens the start page of the ServerView link collection. 1.6 Documentation for ServerView Suite The documentation can be downloaded free of charge from the Internet. You will find the online documentation at under the link x86 Servers. For an overview of the documentation to be found under ServerView Suite as well as the filing structure, see the ServerView Suite sitemap (ServerViewSuite Site Overview). 14 User Management in ServerView

15 Notational Conventions 1.7 Notational Conventions The following notational conventions are used in this manual: V Caution I This symbol points out hazards that can lead to personal injury, loss of data or damage to equipment. This symbol highlights important information and tips. italics fixed font semi-bold fixed font <abc> [Key symbols] Table 1: Notational conventions This symbol refers to a step that you must carry out in order to continue with the procedure. Commands, menu items, names of buttons, options, variables, file names and path names are shown in italics in descriptive text. System outputs are indicated using a fixed font. Commands to be entered via the keyboard are written in a semi-bold fixed font. Angle brackets are used to enclose variables which are to be replaced by actual values. Keys are shown according to their representation on the keyboard. If uppercase letters are to be entered explicitly, then the Shift key is shown, e.g. [SHIFT] - [A] for A. If two keys need to be pressed at the same time, this is shown by placing a hyphen between the two key symbols. References to text or sections of text in this manual are shown with the chapter or section heading and the page on which that chapter or section begins. Screen outputs Please note that the screen output is dependent in part on the system used and therefore some details may not correspond exactly to the output you will see on your system. You may also see system-dependent differences in the menu items available. User Management in ServerView 15

16

17 2 User management and security architecture (overview) The authorization and authentication concept provided by the user management and security architecture of the ServerView Suite is based on three fundamental concepts: "Global user management using an LDAP directory service" on page 20: User names are stored and managed centrally for all related platforms using a directory service. The directory service provides all data needed for authentication and authorization. "Role Based Access Control (RBAC)" on page 23: Role Based Access Control (RBAC) manages user authorization by assigning permissions by means of user roles (security roles). In this case, each role defines a specific, task-oriented permission profile. "Single sign-on (SSO) using a CAS service" on page 26: The various ServerView products have their own Web servers or application servers, which all have to individually determine a user s identify before allowing administrative access. This would require the user to issue repeatedly his or her credentials whenever changing from one product s web pages to the ones of another. With SSO, a user logs in once and is subsequently able to access all systems and services participating at the "SSO domain" without being prompted to log in again at any of them. An "SSO Domain" comprises all systems where authentication is performed using the same CAS service. The following sections provide more detailed information about these concepts. I Interaction between ServerView Operations Manager Ï 5.0 and ServerView Agents < 5.0: ServerView Agents < V5.0 do not support the concepts mentioned above. Nevertheless, you can use ServerView Operations Manager V5.x to perform any operations (including security-relevant operations) for ServerView Agents < V5.0. To enable this, Operations Manager s user/password list must contain valid entries (user/password combinations with the appropriate permissions) for the related managed nodes. The procedure is similar to that used in ServerView Operations Manager < V5.0. Single sign-on is not supported. User Management in ServerView 17

18 Prerequisites 2.1 Prerequisites ServerView Suite user management and security architecture require the following software: JBoss Web server As of version 5.0, ServerView Operations Manager uses the JBoss Web server. The required files are installed automatically together with the ServerView Operations Manager software. JBoss is configured as an independent service referred to as ServerView JBoss Applications Server 7. You can start / stop the service as follows: On Windows Server 2008/2012 systems: Select Administrative Tools - Services I On all Windows systems, you can alternatively use the following CLI commands for starting and stopping the JBoss service: "%WINDIR%\system32\net.exe" start "ServerView JBoss Application Server 7" "%WINDIR%\system32\net.exe" stop "ServerView JBoss Application Server 7" On Linux systems, use the following command: /etc/init.d/sv_jboss start stop LDAP directory service During installation of ServerView Operations Manager, you can select whether you want to use ServerView Operations Manager s internally used OpenDJ directory service or an already existing directory service (e.g. Microsoft Active Directory). 18 User Management in ServerView

19 Prerequisites Centralized Authentication Service (CAS) The CAS service is needed for the single sign-on (SSO) feature. The CAS service caches user credentials on the server side and subsequently authenticates users invisibly when they request for different services. CAS is installed automatically along with the ServerView Operations Manager software. For details on how to install the ServerView Operations Manager, which includes the components mentioned above, please refer to the manuals "ServerView Operations Manager - Installation under Windows" and "ServerView Operations Manager - Installation under Linux". User Management in ServerView 19

20 Global user management using an LDAP directory service 2.2 Global user management using an LDAP directory service The global user management of the ServerView Suite and of the irmc S2/S3/S4 each centrally stores users for all Central Management Stations (CMS) / irmc S2/S3/S4 in the directory of an LDAP directory service. This enables you to manage the users on a central server. The users can therefore be used by all the CMS and irmc S2/S3/S4 that are connected to this server in the network. I Important note: Performing integrated user management based on a common directory service only works for both ServerView users and global irmc S2/S3/S4 users if the irmc S2/S3/S4 is configured to belong to the DEFAULT department. I Throughout this manual, the term "user management of the irmc S2/S3/S4" is used in the sense of "global" irmc S2/S3/S4 user management. Besides, the irmc S2/S3/S4 supports "local" user management, which stores the related user IDs locally in the irmc S2/S3/S4 s non-volatile storage and manages them via the irmc S2/S3/S4 user interfaces (see the "irmc S2/S3 - integrated Remote Management Controller" and the "irmc S4 - integrated Remote Management Controller" manuals for details) Benefits of using a directory service The use of a directory service offers the following benefits: A directory service manages real user identities thus making it possible to use personal identities instead of unspecific local accounts. A directory service uncouples user management from server management. Thus, a server administrator cannot change user rights unless he or she has the right to modify directory service data. ServerView uses the directory service for both authentication and authorization of a user: Authentication validates a user s identity: "Who are you?" Authorization defines a user s rights: "What are you allowed to do?" 20 User Management in ServerView

21 Global user management using an LDAP directory service Furthermore, using a directory service for the CMS allows you to use the same user identifications for logins on the CMS and on the managed servers Supported directory services Directory services supported by the ServerView Suite: The ServerView Suite currently supports the following directory services: OpenDJ (running in "embedded" mode on JBoss). Microsoft Active Directory I During the installation of ServerView Operations Manager you have the option to choose ServerView's internal directory service (OpenDJ). Directory services supported by the irmc S2/S3/S4: The irmc S2/S3/S4 currently supports the following directory services: Microsoft Active Directory Novell edirectory OpenLDAP OpenDJ (running in "embedded" mode on JBoss) Using Open DJ or an already existing, configured directory service Using OpenDJ If you do not specify a separate directory service during the installation of Operations Manager, the setup installs ForgeRock's OpenDJ as its own directory service. The service runs in "embedded" mode on JBoss. Thus, OpenDJ is only available if the service ServerView JBoss Application Server 7 is running. Using an already existing, configured directory service If a directory service (e.g. Microsoft Active Directory) has already been established for the user management in your IT environment, you can use it instead of ServerView's own OpenDJ. User Management in ServerView 21

22 Global user management using an LDAP directory service Common user management for the ServerView Suite and the irmc S2/S3/S4 Using Active Directory, you can set up a cross-server user management comprising all servers managed by the ServerView Suite as well as the related irmc S2/S3/S4. CMS Login Authentication (SSL) irmc S2/S3/S4... Login Authentication (SSL) Directory service (e.g. Active Directory) Central user identifications ServerView RAID Login Authentication (SSL) Figure 1: Shared use of the global users by various components of the ServerView suite Communications between the individual CMS / irmc S2/S3/S4 /... and the central directory service is performed via the TCP/IP protocol LDAP (Lightweight Directory Access Protocol). LDAP makes it possible to access the directory services used most frequently and most suitable for user management. I For security reasons, it is urgently recommended that communication via LDAP is secured by SSL. Otherwise passwords are transmitted in plain text. 22 User Management in ServerView

23 Role Based Access Control (RBAC) 2.3 Role Based Access Control (RBAC) User management of the ServerView Suite as well as global irmc S2/S3/S4 user management is based on role-based access control (RBAC), which enables you to align your security concept with your organization s structure. RBAC is based on the principle of least privilege. This means that no user should have more privileges than are necessary for using a particular ServerView component or performing a particular ServerView-specific task Users, user roles and privileges RBAC controls the assignment of permissions to users by means of user roles instead of directly assigning the corresponding privileges to users: A set of privileges is assigned to each user role. Each set defines a specific, task-oriented permission profile for activities on the ServerView Suite. One or more roles are assigned to each user. The concept of user roles offers important advantages, including: The individual permissions do not need to be assigned to each user or user group individually. Instead, they are assigned to the user role. It is only necessary to adapt the permissions of the user role if the permission structure changes. Several roles may be assigned to each user. In this case, the permissions for this user are defined by the sum of the permissions of all assigned roles. User Management in ServerView 23

24 Role Based Access Control (RBAC) RBAC implementation in OpenDJ RBAC is already implemented in the OpenDJ directory service that is automatically installed during the installation of Operations Manager. Predefined users and roles By default, OpenDJ provides the predefined user roles Administrator, Monitor, Operator, and UserAdministrator, each of them being dedicated to one of the predefined users Administrator, Monitor, Operator, and UserManager, respectively. You can of course align your security concept with your organization s structure by creating additional users, roles, and role-to-user assignments. In figure 2 is shown the concept of role-based assignment of user permissions with the user names Administrator, Monitor, Operator and UserManager and the corresponding roles Administrator, Monitor, Operator and UserAdministrator. Users Administrator Operator Monitor UserManager Roles Administrator Operator Monitor UserAdministrator Privileges e.g. modify alarm config. e.g. access archive mgr. e.g. access serverlist UserMgmt Figure 2: Example of role-based assignment of user permissions I Strictly speaking, OpenDJ predefines two additional users that are comprehensively authorized and dedicated to special purposes: "cn=directory Manager" (OpenDJ's Directory Manager account) and svuser (used for accessing the directory service by CAS and ServerView's security module). The scope of permissions granted by the predefined user roles increases from Monitor (lowest permission level) through Operator up to Administrator (highest permission level). For details, see chapter "Audit logging" on page User Management in ServerView

25 Role Based Access Control (RBAC) I The UserAdministrator role does not match this hierarchy as its only purpose is to provide the privileges allowing for user management with OpenDJ. If an external directory service (e.g. Active Directory) is used for user management in ServerView, the UserAdministrator role is not imported into this directory service. Aligning your security concept with your organization s structure To align your security concept with your organization s structure, the ServerView Suite allows you to conveniently create additional users, roles, and role-to-user assignments by using the User Management link under the Security entry in the SerververView Operations Manager s start page RBAC combined with an already existing configured directory service You can also integrate RBAC user management for the ServerView Suite into your already existing RBAC user management that is based on a configured directory service (e.g. Microsoft Active Directory). See section "Integrating ServerView user management into Microsoft Active Directory" on page 60) for details. User Management in ServerView 25

26 Single sign-on (SSO) using a CAS service 2.4 Single sign-on (SSO) using a CAS service In order to allow users to login to their individual components (e.g. Web services), the ServerView Suite provides the single sign-on (SSO) feature. ServerView implements the SSO mechanism by means of a central authentication service (CAS), which processes the single sign-on procedure in a completely transparent manner from the user s point of view. V Important! Always sign off and close your browser if you have to let your PC unattended! The CAS stores the information on a user s identity in a secure browser cookie (Ticket Granting Cookie, TGC, see page 28), which is deleted when the user explicitly signs off, or when the user closes the browser. An unattended browser session therefore represents a severe security gap. I Requirement for using SSO: The CAS service must be configured for all irmc S2/S3/S4 participating in the SSO domain (see the "irmc S2/S3 - integrated Remote Management Controller" and the "irmc S4 - integrated Remote Management Controller" manual for details). It is absolutely necessary that all systems participating in the SSO domain reference the CMS via the same addressing representation. (An SSO Domain comprises all systems where authentication is performed using the same CAS service.) Thus, for example, if you have installed the ServerView Operations Manager by using the name "my-cms.my-domain", you must specify exactly the same name for configuring the CAS service for an irmc S2/S3/S4. If, instead, you specify only "my-cms" or another IP address of my-cms, SSO will not be enabled between the two systems. 26 User Management in ServerView

27 Single sign-on (SSO) using a CAS service CAS based SSO architecture An SSO architecture is based on the following components and items: CAS service providing the centralized authentication service CAS client as part of any "casified" ServerView Suite component Service Ticket (ST) Ticket Granting Ticket (TGT) Centralized Authentication Service (CAS service) manages user authentication The CAS service manages the central user authentication. For this purpose, the CAS service mediates between the browser on the management console (client system) and the directory service that manages the users. CAS client intercepts and redirects the service request The CAS client is part of any "casified" ServerView Suite component. It is a filter that intercepts any request to the component in order to validate the user's authentication. The CAS client redirects the request to the CAS service, which subsequently processes user authentication. Service Ticket (ST) and Service Granting Ticket (TGT) After having successfully authenticated the user, the CAS service assigns the so-called Ticket Granting Ticket (TGT) to the user. This is technically achieved by setting a corresponding secure browser cookie. Whenever the CAS client of a ServerView Suite component redirects an HTTPS request to the CAS service, the TGT cookie causes the service to create a request specific Service Ticket (ST) and send it back to the CAS client by an additional request parameter. First, the CAS client validates the ST by a direct call to the CAS service and only then passes the original request to the ServerView Suite component. User Management in ServerView 27

28 Single sign-on (SSO) using a CAS service Ticket Granting Cookie (TGC) Once the Web browser has established an SSO session with the CAS service, the Web browser exposes a secure cookie to the CAS service. This cookie contains a string identifying a Ticket Granting Ticket (TGT), and therefore is referred to as the ticket granting cookie (TGT cookie or TGC). I The TGC will be destroyed when the user logs out of CAS or when he/she closes the browser. The Ticket Granting Ticket Cookie has a lifetime that is set in CAS service's configuration file (pre-configured value: 24 hours). Its maximum duration is 24 hours. This means that a user is logged out after 24 hours at the latest. The maximum duration time cannot be modified on an installed system. How CAS based SSO processes an initial single sign-on (SSO) request In figure 3 is illustrated how CAS based single sign-on (SSO) processes an initial single sign-on authentication. Figure 3: SSO architecture using the CAS service 28 User Management in ServerView

29 Single sign-on (SSO) using a CAS service Explanation: 1. A user calls a ServerView Suite component e.g. the Operations Manager by entering the service s URL at the Management Console. 2. This user request is redirected to the CAS service. 3. The CAS service generates a CAS login window, which is displayed at the management console. The CAS login window prompts the user for the login credentials (user name and password). 4. The user enters his login credentials. 5. The CAS service validates user name and password and redirects the request to the originally requested component. In addition, the CAS service sets the TGT cookie and assigns the user the Service Ticket (ST) and Ticket Granting Ticket (TGT). 6. The CAS client sends the Service Ticket to the CAS service for validation. 7. If validation was successful, the CAS service returns the following information: "Service Ticket is ok.", user name. 8. The web application (ServerView component) answers the original request (see step 1). How CAS based SSO processes subsequent SSO requests Once being successfully authenticated to access a service (e.g. the Operations Manager), the user can call another service (e.g. the irmc S2/S3/S4 Web interface) without being prompted for login credentials. In this case the CAS service performs authentication using the Ticket Granting Cookie (TGC) which has been set during a former login procedure for this user. If the TGC matches a valid ticket-granting ticket (TGT), the CAS service automatically issues a service ticket (ST) each time the Web browser sends a request for a service of the "SSO domain". Thus, the user can access the ServerView Suite component without being prompted for credentials. User Management in ServerView 29

30 Single sign-on (SSO) using a CAS service Single sign-on from the user s point of view SSO means that you have to prove your authentication only once, namely to the CAS service: At your first login to a component of the ServerView Suite (e.g. Operations Manager) the CAS service displays a separate window that prompts you for your credentials (user name and password). Once authentication is successful, you can access all ServerView Suite components and irmc S2/S3/S4 of your SSO domain without being prompted to log in at any of them again. (3) CAS login window (1) (4) CAS service (2) (1a) (5) (5) (5) Operations Mgr. other Web app.... irmc S2/S3/S4 Web GUI (1) A user sends an HTTP Request to a ServerView Suite component (e.g. Operations Manager). (1a) CAS internally redirects the request to the CAS service (transparently for the user). (2) The CAS service displays its login window prompting the user for his login credentials. (3) The user enters his user name / password combination and confirms his settings. (4) The CAS service authenticates the user. (5) Once authentication has been successful, the user is allowed to access any other component without being prompted to login again. Figure 4: Single sign-on procedure from the user s point of view 30 User Management in ServerView

31 3 ServerView user management via an LDAP directory service This chapter provides you with information on the following topics: "Configuring directory service access" on page 31 "ServerView user management with OpenDJ" on page 32 "Integrating ServerView user management into Microsoft Active Directory" on page 60 I Important note: To operate both ServerView user management and irmc S2/S3/S4 global user management within the same Organizational Unit (OU) SVS, irmc S2/S3/S4 user management must only use the DEFAULT department. Alert roles cannot be used in the ServerView Suite, i.e. they are ignored by all ServerView components except the irmc S2/S3/S Configuring directory service access Both centralized authentication and role-based authorization of the ServerView user management are based on data that are managed centrally using an LDAP directory service. The information needed for connecting to an LDAP directory service is requested during Operations Manager setup. If want to modify these settings later on, proceed as follows: On Windows systems, repeat the setup performing an upgrade/modify installation. On Linux systems, execute the following command: /opt/fujitsu/serverviewsuite/svom/serverview/tools/changecomputerdetails.sh User Management in ServerView 31

32 ServerView user management with OpenDJ 3.2 ServerView user management with OpenDJ If you do not specify a separate directory service during the installation of Operations Manager installation, the setup installs ForgeRock's OpenDJ as its own directory service. The service runs in "embedded" mode on JBoss. Thus, OpenDJ is only available if the service ServerView JBoss Application Server 7 is running Predefined users and roles Role Based Access Control (RBAC) is already implemented in the OpenDJ directory service. OpenDJ predefines the user roles Administrator, Monitor, Operator, and UserAdministrator, each of them being dedicated to one of the predefined users Administrator, Operator, Monitor, and UserManager. In addition, OpenDJ predefines two comprehensively authorized users that are dedicated to special purposes. In table 2 on page 33 an overview is given of the user names, passwords and roles that are predefined in OpenDJ. V CAUTION! For better security, it is strongly recommended that you change the predefined passwords as soon as possible. For details on how to change passwords, please refer to the section "Defining / changing the passwords of the predefined users" on page 34. For details on the scope of permissions granted by the individual user roles, see chapter "Role-based permissions for accessing Operations Manager" on page User Management in ServerView

33 ServerView user management with OpenDJ User name Password User role LDAP Distinguished name / Description./. admin cn=directory Manager,cn=Root DNS,cn=config svuser The Password has to be specified during installation of ServerView Operations Manager. This is OpenDJ s Directory Manager account. A root DN (or root user) is generally given full access to all data in the server. In OpenDJ, root users will be allowed to bypass access control evaluation by default. They will have full access to the server configuration and perform most other types of operations. OpenDJ allows the server to be configured with multiple root users. All rights given to root users are assigned through privileges. cn=svuser,ou=users,dc=fujitsu,dc=com This account is used for accessing the directory service by CAS and ServerView's security module. Therefore, you will find the related data in the configuration file <ServerView directory>\jboss\standalone\ svconf\sv-sec-config.xml. Administrator admin Administrator cn=serverview Administrator,ou=users, dc=fujitsu,dc=com Default user for role Administrator. Monitor admin Monitor cn=serverview Monitor,ou=users, dc=fujitsu,dc=com Default user for role Monitor. Operator admin Operator cn=serverview Operator,ou=users, dc=fujitsu,dc=com Default user for role Operator. UserManager admin UserAdministrator cn=serverview UserManager,ou=users, dc=fujitsu,dc=com Table 2: User names, roles and passwords predefined in OpenDJ Default user for role UserAdministrator. User Management in ServerView 33

34 ServerView user management with OpenDJ Defining / changing the passwords of the predefined users I Important note: Do not use the backslash character ("\") within your passwords OpenDJ Directory Manager s password I Please note: The OpenDJ Directory Manager s predefined password is "admin". For security reasons, it is strongly recommended that you change the predefined password. I In the following explanation, the string "new_dm_pw" is a placeholder for the new password. Replace the placeholder with the adequate password you want to use. Changing the OpenDJ Directory Manager s predefined password on Windows systems I Please note: To set up a password containing one or more percent signs (%), you have to double any percent sign when specifying the password in the command line. E.g., you must type hello%%world in the command line for setting up the password hello%world. On Windows systems, proceed as follows to change the predefined password: 1. Open a Windows Command Prompt. 2. Ensure that the environment variables JAVA_HOME and OPENDS_JAVA_HOME are set to the installation directory of the Java Runtime Environment (JRE). If, for example, the JRE is installed under C:\Program Files (x86)\java\jre7, setting the variables is done by entering the following commands: SET JAVA_HOME=C:\Program Files (x86)\java\jre7 SET OPENDS_JAVA_HOME=C:\Program Files (x86)\java\jre7 SET PATH=C:\Program Files (x86)\java\jre7\bin 3. Change directory to <ServerView directory>\opends\bat. 34 User Management in ServerView

35 ServerView user management with OpenDJ 4. Change the OpenDJ Directory Manager's password (here: the predefined password "admin") by entering the following command in one single line: ldappasswordmodify -h localhost -p D "cn=directory Manager" -w admin -a "dn:cn=directory Manager,cn=Root DNs,cn=config" -n "new_dm_pw" -c "admin" 5. Restart the service ServerView JBoss Application Server 7 to activate your password settings. Changing the OpenDJ Directory Manager s predefined password on Linux Systems I Please note: To set up a password containing one or more special characters of the shell, you have to precede ("escape") any special character with a backslash ("\") when specifying the password in the command line. E.g., you must type hello\$world in the command line for setting up the password hello$world. On Linux systems, proceed as follows to change the predefined passwords: 1. Open a command shell. 2. Ensure that the environment variables JAVA_HOME and OPENDS_JAVA_HOME are set to the installation directory of the Java Runtime Environment (JRE). If, for example, the JRE is installed under /usr/java/default, setting the variables is done by entering the following commands: export JAVA_HOME=/usr/java/default export OPENDS_JAVA_HOME=/usr/java/default 3. Change directory to /opt/fujitsu/serverviewsuite/opends/bin. 4. Change the OpenDJ Directory Manager's password by entering the following command in one single line:./ldappasswordmodify -h localhost -p D "cn=directory Manager" -w admin -a "dn:cn=directory Manager,cn=Root DNs,cn=config" -n "new_dm_pw" -c "admin" 5. Restart the ServerView JBoss service to activate your password settings: /etc/init.d/sv_jboss restart User Management in ServerView 35