Central Security Server

Transcription

1 Central Security Server Installation and Administration Guide Release 12.3

2 Please direct questions about {Compuware Product} or comments on this document to: Customer Support Copyright 2014 Compuware Corporation. All rights reserved. Unpublished rights reserved under the Copyright Laws of the United States. U.S. GOVERNMENT RIGHTS-Use, duplication, or disclosure by the U.S. Government is subject to restrictions as set forth in Compuware Corporation license agreement and as provided in DFARS (a) and (a) (1995), DFARS (c)(1)(ii) (OCT 1988), FAR (a) (1995), FAR , or FAR (ALT III), as applicable. Compuware Corporation. This product contains confidential information and trade secrets of Compuware Corporation. Disclosure is prohibited without the prior express written permission of Compuware Corporation. Use of this product is subject to the terms and conditions of the user's License Agreement with Compuware Corporation. Documentation may only be reproduced by Licensee for internal use. The content of this document may not be altered, modified or changed without the express written consent of Compuware Corporation. Compuware Corporation may change the content specified herein at any time, with or without notice. All current Compuware Corporation product documentation can be found at Adobe Reader is a registered trademark of Adobe Systems Incorporated in the United States and/or other countries. All other company and product names are trademarks or registered trademarks of their respective owners. Build: December 3, 2014, 19:59

3 Contents Contents Chapter 1 Installing the Central Security Server CSS System Requirements Installing the CSS on Windows Installing the CSS on Linux Upgrading CSS Upgrading CSS in Failover (Federated) Mode Chapter 2 User Access and Security Accessing the CSS Console Setting Up Local Authentication and Password Policies Setting Up LDAP Authentication Adding or Importing Users Adding a User Importing LDAP Users Resetting a Locked-Out User Deactivating and Deleting Users Creating User Groups Importing LDAP Groups Roles Overview Assigning Roles to Users or User Groups Chapter 3 CSS Administration Tasks Identifying and Fixing User Account Migration Exceptions Performing Security Audits Performing Configuration Audits Changing CSS Memory Settings Configuring the CSS Database Backing Up CSS Recovering CSS With a Corrupt Database Recovering CSS With an Unavailable Database Configuring Failover and Scalability for CSS Moving CSS to a New Server Configuring SSL for CSS

4 Contents Configuring SSL for CSS Using the Diagnostic Web Pages Configuring CSS to Use a Custom LDAP SSL Certificate Creating a New System User Account Index

5 CHAPTER 1 Installing the Central Security Server A Central Security Server is required for a DC RUM or BSM implementation. It is optional for Enterprise Synthetic. You need only one CSS unless you are installing additional instances for failover or scalability. For more information, see Configuring Failover and Scalability for CSS [p. 29]. The CSS is a critical component and should be installed on a high-availability server. Review the system requirements to ensure you are installing on a supported system with the required resources. For more information, see CSS System Requirements [p. 5]. If you have installed a previous version of CSS, see the upgrade instructions. For more information, see Upgrading CSS [p. 9]. IMPORTANT To use CSS Release 12.3 with Synthetic Monitoring Release 12.2, you must install a patch that addresses the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability. The patch is available on the Technical Alerts page for Enterprise Synthetic (Synthetic Monitoring) in the Dynatrace Community. Apply the patch to these components: Synthetic Monitoring Manager Synthetic Monitoring Agent Manager All Synthetic Monitoring agents CSS System Requirements Server Platform 64-bit Windows Server 2008 or 2012 are recommended operating systems. Also supported (all 64-bit): Windows Enterprise 8 Windows 2003 Server 64-bit Red Hat Enterprise 4.x through 6.x 5

6 Chapter 1 Installing the Central Security Server Memory and HDD At least 4 GB RAM and 800 MB hard disk space. Database SQL Server 2008 or 2012 (both 64-bit) are recommended databases. Also supported: Oracle 10g, 10g R2 (10.2), 11g R1 (64-bit), 11g R2 (64-bit). You must have a SQL Server or Oracle database host available prior to installing. If creating the database in advance, configure 2 GB for initial size, with autogrowth of 200 MB for data and 200 MB for log. The DB user requires dbowner permissions. An Oracle DB user requires a minimum of Connect and Resource roles. Browsers Internet Explorer 8 through 10 Firefox 10.x and higher Chrome 18 and higher Installing the CSS on Windows Before You Begin Ensure that a supported database host is accessible. A database will be created during the installation process, or you can create a database in advance if needed (SQL Server only). If you are installing a second CSS for failover or scalability purposes, ensure that an existing CSS is operational. Download the CSS installer executable file from the Dynatrace Community downloads area. 1. Double-click the CSS executable file to start the installation process. 2. On the Introduction page, review the instructions and then click Next. 3. On the License Agreement page, review the terms of the license, indicate whether you accept the terms of the agreement, and click Next to continue or Cancel to quit. If you do not accept the terms of the agreement, you cannot install the software. 4. On the Installation Folder page, review the destination drive and path, make any necessary changes, and then click Next. All selected components will be installed in this single location. 5. In the CSS Failover window, select Failover installation if you are installing a second CSS for failover or scalability. Enter the information for the existing CSS to integrate the servers, and click Next to proceed through the installation. If you are installing CSS for the first time, keep the default settings, and click Next. 6. In the Security Administrator Account page, enter the user name and password for a system administrator account to use with CSS and the integrating products. 7. In the Security Database Configuration screen, enter information to create a database, or identify a database created for CSS: 6

7 Chapter 1 Installing the Central Security Server Database type Select MS SQL or Oracle. Host Name Enter the database host machine. Port The default port is entered automatically. Change the port number if you have a conflict. Database name CompuwareSecurity is displayed by default. You can create a new name or identify an existing database. Windows Authentication Select this option to enable a trusted connection for a remote database. Provide the login information for the account under which the service must run for the trusted connection to be allowed. Trusted Account Enter the account name in the form domain\username. Trusted Password Enter the password for the account. If you select this option, the Database Authentication options are not available. Database Authentication Selected by default, use this option if you do not require a Trusted Connection. Enter the login information: User Name Enter the user name for logging in to the specified database. Password Enter the password for the specified user name. Click Next to proceed. 8. When the installation is finished, the Install Complete page notifies you of the general installation status. Review the installation status message and click Done to exit the installer. What to Do Next To access the CSS console, go to Start menu and select All Programs Compuware Common Components Compuware Security. For more information, see User Access and Security [p. 11]. Installing the CSS on Linux Before You Begin Review the system requirements to ensure you are installing on a supported system with the required resources. For more information, see CSS System Requirements [p. 5]. 7

8 Chapter 1 Installing the Central Security Server Ensure that a supported database host is accessible. A database will be created during the installation process, or you can create a database in advance if needed (SQL Server only). 1. Download the CSS Linux installer executable file from the Dynatrace Community downloads area. 2. Create a temporary directory where you have at least 800 MB of space for the installation process and 500 MB for the installed product. 3. Set the environment variable IATEMPDIR for that temporary directory. 4. Execute the Linux installation file: install.bin. 5. On the Introduction page, review the instructions and then click Next. 6. On the License Agreement page, review the terms of the license, indicate whether you accept the terms of the agreement, and click Next to continue or Cancel to quit. If you do not accept the terms of the agreement, you cannot install the software. 7. On the Installation Folder page, review the destination drive and path, make any necessary changes, and then click Next. All selected components will be installed in this single location. 8. In the Security Administrator Account page, enter the user name and password for a system administrator account to use with CSS and the integrating products. 9. In the Security Database Configuration screen, enter information to create a database, or identify a database created for CSS: Database type Select MS SQL or Oracle. Host Name Enter the database host machine. Port The default port is entered automatically. Change the port number if you have a conflict. Database name CompuwareSecurity is displayed by default. You can create a new name or identify an existing database. Windows Authentication Select this option to enable a trusted connection for a remote database. Provide the login information for the account under which the service must run for the trusted connection to be allowed. Trusted Account Enter the account name in the form domain\username. Trusted Password Enter the password for the account. If you select this option, the Database Authentication options are not available. Database Authentication Selected by default, use this option if you do not require a Trusted Connection. Enter the login information: 8

9 Chapter 1 Installing the Central Security Server User Name Enter the user name for logging in to the specified database. Password Enter the password for the specified user name. Click Next to proceed. 10. When the installation is finished, the Install Complete page notifies you of the general installation status. Review the installation status message and click Done to exit the installer. What to Do Next To access the CSS console, go to Start menu and select All Programs Compuware Common Components Compuware Security. For more information, see User Access and Security [p. 11]. Upgrading CSS When upgrade your Dynatrace products that use CSS, CSS must upgraded to the same release. If you have CSS failover servers, the upgrade procedure is different. For more information, see Upgrading CSS in Failover (Federated) Mode [p. 10].. To upgrade an existing CSS: 1. Download the CSS installer executable file from the Dynatrace Community downloads page. 2. Stop the Compuware Common Components service. 3. Install the new CSS release over the existing release. After you start the installation, you will see a message that an existing release was found on the machine. Click OK to proceed with the installation. 4. After installing, verify that CSS is running, that your users and user groups are retained, and that the authentication method (local or LDAP) is configured. What to Do Next IMPORTANT To use CSS Release 12.3 with Synthetic Monitoring Release 12.2, you must install a patch that addresses the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability. The patch is available on the Technical Alerts page for Enterprise Synthetic (Synthetic Monitoring) in the Dynatrace Community. Apply the patch to these components: Synthetic Monitoring Manager Synthetic Monitoring Agent Manager All Synthetic Monitoring agents 9

10 Chapter 1 Installing the Central Security Server Upgrading CSS in Failover (Federated) Mode CSS servers in failover mode share a common database, so care must be taken to ensure that the database does not get upgraded by a new CSS when other (older) instances are still using it. 1. Get a snapshot of the current CSS database. You can do this by creating a backup of the database. 2. Create a new CSS database for the new release from the backup, or use the CSS recovery procedure to initialize a new database from an archive file. For more information, see Recovering CSS With a Corrupt Database [p. 27]. 3. Access the CSS Advanced Server Configuration panel from any of the existing CSS instances, and deactivate the instance that you want to upgrade first. That will stop integrated components (clients) from using the CSS that is about to be upgraded, and switch security functionality to the other CSS instance(s). 4. Access the CSS that you just disabled. Go to the Database panel, and change the configuration to the new database created from the backup or archive file. 5. Stop the CSS service. 6. Use the installer to upgrade the CSS. For more information, see Upgrading CSS [p. 9]. 7. Start the upgraded CSS, if it is not already running. The first upgraded CSS will migrate the CSS database to the new release if necessary. Verify that this CSS is up and running. 8. Go to a CSS instance that was not upgraded. Access the Advanced Server Configuration panel and reactivate the upgraded CSS. This may cause the CSS clients to switch to the upgraded CSS (depending on its priority relative to the other instances in the old federation). 9. Repeat steps 3 through 8 on the other CSS instances requiring upgrades (deactivate, connect to the new database, stop the service, upgrade, start the service, reactivate). Upon completion, the upgraded instances will be using the same new database, and all of the instances will have switched over to the upgraded federation. 10. Confirm that the upgrade was successful by checking that your users and user groups are retained, and that the authentication method (local or LDAP) is configured properly. If the new CSS instances are working properly, you can delete the old CSS database. 10

11 CHAPTER 2 User Access and Security The Central Security Server (CSS) provides a single point of access for user management and security for DC RUM, Enterprise Synthetic, BSM and the Dynatrace Enterprise Portal. System Administrator Account A system administrator's account is created during CSS installation. You should use caution not to delete this account, but the system will prevent you from deleting the last available administrator account. There is no bootstrap administrator account available. You can assign system administrator privileges to any users added to the system. Overview: Adding Users to a New Implementation The following high-level procedure provides an overview on how to set up product security and add users. Assumption: An administrator has installed a new version of DC RUM and configured it to use CSS. 1. Select a user authentication method. By default ("local" authentication), a system administrator will manually add user accounts. For more information, see Setting Up Local Authentication and Password Policies [p. 13]. You can also use LDAP authentication, where authentication takes place when users log into the system with their network ID and password. We recommend that you use LDAP authentication, if this is a viable option for your organization and you have many potential users. It is more secure than local authentication, as information about users and groups do not have to be replicated in a second location (CSS will not store user passwords if you use LDAP). You may need to consult with your network administrators to properly configure this security feature. For more information, see Setting Up LDAP Authentication [p. 13]. 2. Add or import users. If you use "local" authentication, you create user accounts on the Users screen in the CSS console. For more information, see Adding a User [p. 18]. If you configured LDAP authentication, you have two options: import individual users or import LDAP group(s). If you are going to use LDAP authentication and have a relatively large number of users, we recommend that you import LDAP groups, if possible, to simplify user management. An LDAP group is the equivalent of a corporate network group. A user's 11

12 Chapter 2 User Access and Security membership in that corporate group determines if they can access the system. When a user from the group logs in for the first time, a user account is created automatically in the CSS database. For more information, see Importing LDAP Users [p. 19] and Importing LDAP Groups [p. 21]. All new users whether they are added locally, imported individually from LDAP or as part of an LDAP group will be assigned a role of Guest. Guests can only view reports in the CAS to which they have been assigned. They cannot configure monitoring components. New users are also assigned to the Everyone user group, which also has view-access to assigned reports. 3. Extend access to users or user groups. A user's role assignment determines whether they can configure product features or create reports and dashboards. If added or imported users only need view-access to CAS reports they have been assigned, you do not have to assign a new role their default Guest role assignment gives them the needed view access. You can assign one of four other roles (like the higher-access System Administrator or Report Administrator roles) to individual users, a locally created user group, or an imported LDAP group. You must be a System Administrator to access the RUM Console. A System Administrator user or group can view and edit all CAS reports. For simplified user management, we recommend assigning roles at the group level, if possible, rather than to individual users. You may have to use a combination of individual and group role assignments to meet your access needs. For more information, see Roles Overview [p. 22] and Creating User Groups [p. 21]. 4. If you are using the Dynatrace Enterprise Portal, assign guest users and others to custom dashboards and reports. In the Portal, users with a Guest role can only view the default BSM dashboards. If you want them to see customized dashboards, you will need to assign users or user groups to them. Go to a dashboard page and assign users or user groups (such as the Everyone group). A user or group with a role of System Administrator, Report Administrator and Report Power User can view and edit all dashboards and reports. In each report, you can assign what other users or groups can view or edit the report. See the Enterprise Portal Administration Guide for topics on how to edit page setting permissions. Accessing the CSS Console You can access the CSS console in the following ways: On any server where CSS is installed, go to the Start menu and select Compuware Common Components Compuware Security. In the RUM Console, click the System Users link from the menu. In the Enterprise Synthetic Console, choose File Central Security Server Console from the menu bar. In the Dynatrace Enterprise Portal, some CSS features are available, such as adding local users and user groups, and assigning user roles. Go to Administration Control Panel 12

13 Chapter 2 User Access and Security User Management. You must use the CSS console to configure an authentication method and perform other administrative tasks. Setting Up Local Authentication and Password Policies By default, the CSS uses "local authentication," when an administrator manually creates user accounts that are validated against a Password Policy. Password policies are applicable only to local users. The Password Policy has a default "low security" setting. This setting requires a six-character minimum password, but has no minimums on numbers, characters or special characters to be used, and would have no expiration age requiring resets. Selecting the default "high security" policy, naturally, would enable stronger password requirements. The low- and high-security settings cannot be changed. You also can select a "custom" security setting and create your own policy from the options provided. As you add local users and their initial passwords, make note of the Password Policy used. Password policies can be modified only by a user with a role of System Administrator or Report Administrator. Most of the password policy settings are self-explanatory. Of note is Password History; this setting pertains to the number of passwords that will be stored in the database. For low security, a value of -1 means that when a password expires, a user can enter the same one again on the reset. For high security, the value is 50, so if a user's password expires, when they enter a new password, the last 50 passwords used will be compared, and a match will not be allowed. Unsuccessful Login Attempts also has a low-security value of -1, meaning that a user can try an unlimited number of login attempts and won't be deactivated. For high security, five unsuccessful login attempts will deactivate the user account. NOTE When you enable LDAP Authentication, you cannot create password policies. 1. Go to the CSS console. On the server where CSS is installed, go to the Start menu and select Compuware Common Components Compuware Security. 2. In the Users screen, select the Password Policy task. By default, the Security Setting option is set to Low, and the other fields on the page are populated with default values. You cannot edit this policy. 3. In the Security Setting field, you can change the policy to High or Custom. You cannot edit the high-security policy. 4. Optional: If you want to create your own password policy, select Custom and enter values in the Password Format and General sections. 5. If you changed the Security Settings from the default low-security, click Save. Setting Up LDAP Authentication To set up LDAP authentication, you need to configure the CSS to communicate with the LDAP server. 13

14 Chapter 2 User Access and Security On the Authentication screen, enter basic information needed to connect to your LDAP server and test that you can find the users and groups that need access to Dynatrace. Use the Advanced Settings to filter your user or group search to ease importing these users later. For more information, see Using Advanced Settings [p. 15]. CSS is configured to use Microsoft Active Directory for LDAP authentication. You need to use the Advanced Settings to properly configure CSS to use Apache DS or another LDAP directory server. TIP We recommend using a free LDAP browser, such as Softerra 4.5, to view attributes used in your organization's LDAP server. Some familiarity with these attributes will be required to properly configure the CSS. 1. Go to the CSS console. On the server where CSS is installed, go to the Start menu and select Compuware Common Components Compuware Security. 2. From the CSS menu, select Authentication. 3. Select LDAP Enabled to activate the LDAP Configuration fields. 4. Select the LDAP Server Type. MS Active Directory is displayed by default. Select Other to use Apache DS or another server type. Click Load Defaults to populate configuration fields according to the LDAP server type selected. 5. Under Connection, use the fields to define the connection between the CSS and the LDAP server: Host Name Enter the hostname of the LDAP server. Encryption Method You can choose SSL or None. This selection will determine the default port used. Port The LDAP default SSL port is 636; the LDAP default clear port is 389. If needed, you may enter another value to communicate to the LDAP server. Service Account User Name and Password The CSS makes queries to the LDAP server. The Service Account information tells the CSS the user name and password to use to make these queries. A best practice is to use a non-user account that has search access and a non-expiring password, if security policies allow. The value in the Service Account User Name field is passed directly into LDAP as the BIND's DN (Distinguished Name). The CSS does no processing of this field. For non-active Directory LDAP servers, the Service Account User Name field must be a full DN, not an RDN (Relative DN) or a user name. Click Test Connection to see if you have configured the CSS connection correctly. If the connection is successful, CSS will attempt to determine the Base Distinguished Name (Base 14

15 Chapter 2 User Access and Security DN) value for your LDAP server, if this value is accessible to the CSS service through the server's environment variable. You can choose a different Base DN if another one is better for your environment. 6. Under Search Settings, enter information to find LDAP users and groups: Base DN Select a Base DN from the list, which has been populated with values from the LDAP server. Select one that is high enough in the LDAP directory that contains all of the potential Dynatrace users. The Base DN setting becomes the root node that limits all subsequent searches performed by the CSS, which will be unable to find any user or group that is higher in the LDAP hierarchy than the value set as the Base DN. Click Refresh to update this field if necessary. Test User Name If using Active Directory, enter the user ID (their samaccountname) of someone who will use Dynatrace, and click Test Users. If that user's information is displayed, you have properly configured CSS to find your LDAP users (but additional configuration is required). You can later "import" that user (and others) on the Users screen. For more information, see Importing LDAP Users [p. 19]. For other LDAP servers, the Service Account User Name field must be a full DN (Distinguished Name), not an RDN (Relative DN) or a user name. If you don't see the required users, select a different Base DN from the list or click Advanced Settings to use additional search parameters. Test Group Name Enter an LDAP group name, which can include the wildcard character *, and click Test Groups. If groups matching the search criteria are displayed, you have properly configured CSS to find your LDAP groups. You can later "import" that group on the User Groups screen. For more information, see Importing LDAP Groups [p. 21]. If you don't see any matching group(s), select a different Base DN from the list or click Advanced Settings to use different search parameters. 7. Click Save if your configuration yields the LDAP users and groups required. A message confirming a successful save will appear at the top of the Authentication page. Proceed to the Advanced Settings screen if any adjustments or improvements to the CSS search filters or search base nodes are needed. Using Advanced Settings CSS uses the Advanced Settings to find users and groups within your LDAP server. They also tell the CSS the attributes used by your LDAP server to store information like a user's address, first name, last name and other attributes. For instance, in Active Directory, the last name of each user is typically stored in an LDAP attribute named SN. Because the CSS needs to know a few things about each user (like their address), it needs to know which of the user's attributes hold this information. Using an LDAP browser will help you determine how these attributes are defined in your organization's LDAP server. The Advanced Settings are also used to define the search filters that the CSS uses to find users, groups, and the groups that a particular user is in. These are mostly LDAP filters, written to 15

16 Chapter 2 User Access and Security return information about a user or group. Some default filters may contain {0} and {1}. These two strings are not actually used "as is" when the CSS makes a query to the LDAP server. These two strings are placeholders. Before the CSS uses a search filter with either of these placeholders, it replaces them with an appropriate value (depending on the configuration). For instance, when performing a user search, the {0} placeholder is replaced by the value that you have configured for the name of the attribute that holds a user's LDAP ID (samaccountname for Active Directory). When the CSS looks for a particular user, then the {1} in the default user search is replaced by the user's LDAP ID. If the CSS is looking for all users, then the {1} is replaced by a wild card (*). The purpose for the placeholders is that the searches must be reactive to the rest of the LDAP configuration. There are three search filters that must be correctly configured. The first is used by the CSS to find LDAP groups. The second is used by the CSS to find LDAP users, and the third is used to find LDAP group(s) that contains a particular LDAP user. Each of these filters must be set correctly for the CSS to be able to work with your LDAP server. Each of these searches has an associated search base that can be adjusted. As mentioned earlier, all CSS searches are narrowed to the Base DN configured on the Authentication screen. You can use three additional settings to further narrow the scope of each of the three types of searches. Use the User Search Base field to further narrow the part of the LDAP hierarchy searched for users. If you leave the fields empty, user searches will look under the sub-tree set on the Authentication screen as the Base DN. Setting a value means that the user searches will look under the sub-tree defined by concatenating the value of the User Search Base with the Base DN. For example, if the Base DN is set to DC=google, DC=com and the User Search Base is OU=New York, then the search for users would be rooted at OU=New York,DC=google,DC=com and only users under that sub-tree would be found by the CSS. This same principle applies to the two other searches. Their search bases are combined with the Base DN to limit the portion of the LDAP tree that is searched. 8. If needed, change LDAP connection configuration settings. Connection Timeout specifies the maximum time allowed for the server to run search and bind operations. The LDAP server may return referrals when performing searches, in order to extend the search to include results from another LDAP server. By default, Follow Referrals is enabled. In the Referral Limit field, specify the maximum number of referrals that can be chained together. The default is 10. Many LDAP servers support an LDAP extension that allows search results to be returned in discrete pieces called pages. This is useful when an LDAP search returns a lot of results. Instead of trying to return 100,000 results all at once, the LDAP server (at the request of the LDAP client) can return only one page at a time (where the page size is dictated by the LDAP client). The CSS acts as an LDAP client, and can be configured to request pagination, and to set the page size to a particular value. When LDAP is enabled, any LDAP user with valid LDAP credentials may access Dynatrace. Select LDAP Auto Import to disable this feature. If disabled, only LDAP users that have been explicitly imported into the CSS are allowed access. 9. Define the Group Settings. 16

17 a. In the Group Search Base field, enter the group's Relative Distinguished Name (RDN) value, relative to the Base DN entered on the Authentication screen. This value is optional but can be helpful in reducing the load on your LDAP server if the sub-tree searched for groups can be limited beyond the Base DN. b. In the Group Search Filter, check that the LDAP filter is applicable to your LDAP server's schema. c. In the Group Name field, enter the name of the LDAP attribute used to hold a group's name. d. In the Description field, enter the name of the LDAP attribute used to hold a group's description. e. In the Test Group Name field, enter the name of a group. You can use wild card characters (*) if the exact name is unknown. This name will be matched against the attribute set in Step 9.c [p. 17]. f. Click Test Groups. If you see the desired group, you have configured CSS properly for groups and can proceed to the User Settings section. 10. Define the User Settings. a. In the User Search Base field, enter the RDN of the node containing user accounts, relative to the Base DN entered on the Authentication screen. This value is optional but can be helpful in reducing the load on your LDAP server if the sub-tree search for users can be limited beyond the Base DN. b. In the User Search Filter, check that the LDAP filter is applicable to your LDAP server's schema. Remember that the {0} placeholder value will be replaced (within CSS) before the query is submitted to the LDAP server. In this case, the placeholder will be replaced with the value entered into the Test User Name field below. c. In the User Name field, enter the name of the LDAP attribute used to hold a user's account ID. d. In the Address field, enter the name of the LDAP attribute used to hold a user's address. e. In the First Name field, enter the name of the LDAP attribute used to hold a user's first name. f. In the Last Name field, enter the name of the LDAP attribute used to hold a user's last name. g. In the User Group Search Base field, enter the RDN of the node containing the groups that your user is a member, relative to the Base DN entered on the Authentication screen. This value is optional but can be very helpful in reducing the load on your LDAP server if the sub-tree searched for the groups that a user is in can be limited beyond the Base DN. This is likely the same RDN that was entered in Step 9.a [p. 17]. h. In the Test User Name field, enter the name of a user. You can use wild cards (*) if the exact name is not known. This name is going to be matched against the attribute set in Step 10.c [p. 17]. i. Click Test Users. If you see the desired users and groups, you have configured CSS properly for finding your users. 11. If your tests found the right users and groups, click Apply. The Advanced Settings screen will close and you will return to the Authentication screen. 12. Click Save. Chapter 2 User Access and Security 17

18 Chapter 2 User Access and Security You can now import users or groups from the Users or User Groups screens. When you search for users or groups on those screens you will be limited to the search bases configured on the Advance Settings screen. Adding or Importing Users System or Report Administrators can add users, or import them from LDAP. In the CSS console, go to the Users screen. The top of the Users screen has the following tabs: View All On this tab, you can see a list of all current users and the last time they logged into the system. On the Actions column associated with a user, you can edit their account, deactivate the account, or view the user account details. You can search for active or deactivated users by entering user information in any of the fields. Click Add User to add new local user accounts. The user list Actions column contains the following three icons: Icon Label Edit User Deactivate User Details Description Click to access the user's profile page. You can edit the user's name, password, user group or role assignment. Deactivates the user from the system. For more information, see Deactivating and Deleting Users [p. 20]. Displays view-only details about the user account. Import LDAP Users If you have enabled and configured LDAP authentication, you can import LDAP users to access the system. Related Information Adding a User [p. 18] Importing LDAP Users [p. 19] Adding a User If you are using local authentication, you can add users for DC RUM, BSM, Synthetic Monitoring and the Dynatrace Enterprise Portal. 1. Go to the CSS console. On the server where CSS is installed, go to the Start menu and select Compuware Common Components Compuware Security. 2. Click the Users task. The View All tab will display all current users in the system. 3. Click Add User. A New User form will display for an administrator to enter account information. 18

19 Chapter 2 User Access and Security NOTE User names can only include alphanumeric characters, periods, dashes and underscores. You also must not use the reserved user names: anonymous-guest and ANONYMOUS. 4. Enter information under the Details and Password sections. Address is an optional field. Ensure the password you create follows the Password Policy selected. 5. Optional: Assign the new user to a User Group or assign User Authorities (a role). All new users whether they are added locally, imported individually from LDAP or as part of an LDAP group will be assigned a role of Guest. A Guest has limited view-access to reporting functionality in the Central Analysis Server and the Dynatrace Enterprise Portal. They cannot configure monitoring components. New users are also assigned to the Everyone user group. A user's role assignment determines whether they can configure product features or create reports and dashboards. If added or imported users only need view-access to CAS reports they have been assigned, you do not have to assign a new role their default Guest role assignment gives them the needed view access. You can assign one of four other roles (like the higher-access System Administrator or Report Administrator roles) to individual users, a locally created user group, or an imported LDAP group. You must be a System Administrator to access the RUM Console. A System Administrator user or group can view and edit all CAS reports. The new user's page will show any user group or role assignments. For more information, see Creating User Groups [p. 21] and Roles Overview [p. 22]. Importing LDAP Users Before You Begin You must enable and configure LDAP authentication before importing LDAP users. When configuring LDAP authentication, you should also test that your LDAP searches yield the users you intend to import. 1. Go to the CSS console. On the server where CSS is installed, go to the Start menu and select Compuware Common Components Compuware Security. 2. Click the Users task. The View All tab will display all current users in the system. 3. Click the Import LDAP Users tab. Four search fields will display. 4. Enter enough criteria to find the new user and click Search. By default, a maximum of 20 user names will be displayed. You can limit or extend the search by changing the value in the Max Results Returned field. 19

20 Chapter 2 User Access and Security 5. Select the users needed and click Import. Use the Select All option to select users displayed. The users will appear on the View All page. NOTE If an LDAP user account matches a locally-created user account, the local user account takes precedence over the LDAP account. New users are assigned a Guest role and have limited access to product functionality. They are also added to the Everyone user group. You can assign them to other user groups, roles with additional product access, and custom dashboards. For example, if you want the new user to have full access to the Portal, dashboards and reports, you would assign them to a Report Administrator role or to a user group with that role. Resetting a Locked-Out User If a user is locked out of the system for some reason (failed login attempts, etc.), an administrator can change the password on the user's account to regain access. Go to the Users View All page, and click the user's edit icon page. On that page, enter a new password and save the changes. to access the user's Edit When the user logs in again (using the new password you created), they will need to change their password to complete the reset. Deactivating and Deleting Users Deleting a user account is a two-step process: first an administrator deactivates the account, then deletes it. 1. Go to the CSS console. On the server where CSS is installed, go to the Start menu and select Compuware Common Components Compuware Security. 2. Click the Users task. The View All tab will display all current users in the system. 3. Select the box next to a user's name. You can select multiple users. 4. Click Deactivate. The user account is removed from the Active users list and cannot access the system. 5. In the search fields at the top of the View All tab, under Active, select No, and click Search. The user account that was just deactivated will appear, along with any other deactivated accounts. At this stage, an administrator has three options: Simply leave the user account in a deactivated state. Delete the user account by clicking the delete icon. The user account will be removed from the list. Re-activate the account by clicking the activate icon. 20

21 Chapter 2 User Access and Security After making your selection, you can go back to the search field at the top of the View All screen, and change the Active choice back to Yes and click Search to see your currently active user accounts. Creating User Groups System or Report Administrators can create user groups to help streamline user management. Administrators can assign roles to user groups, in addition to individuals. All new groups are assigned to the Guest role, which has limited product access. You can add locally-created users or imported LDAP users to local user groups. 1. Go to the CSS console. On the server where CSS is installed, go to the Start menu and select Compuware Common Components Compuware Security. 2. Select the User Groups task. The View All tab will display all of the current user groups. 3. Click Add Group. 4. Give the group a name and description. NOTE User Group names can only include alphanumeric characters, periods, dashes and underscores. You also must not use the reserved user names: anonymous-guest and ANONYMOUS. 5. Click Save. You are returned to the View All tab and the new group will appear in the list. The list's Actions column shows icons to edit the group ( ), assign members to it ( ), or show group details ( ). To delete a user group, select the box next to a group's name and click Delete. 6. To add users to the group, click the group's Assign Members icon ( ). 7. In the [Group Name] - Assigned Users screen, click Assign Members to show a list of available users. You can search for users by entering applicable data in the fields at the top of the screen. 8. Select the users to include in the user group. 9. Click OK. The user(s) selected will appear on the [Group Name] - Assigned Users screen. Importing LDAP Groups If your organization has well-defined Active Directory groups that match your potential user base, we recommend importing LDAP groups rather than individual LDAP users. If the Active Directory groups do not match your user base (for example, the groups are too large), you should 21

22 Chapter 2 User Access and Security import individual LDAP users and manage them in local user groups. For more information, see Importing LDAP Users [p. 19] and Creating User Groups [p. 21]. LDAP groups are different from locally-created user groups, in that an entire group is imported from LDAP, and users cannot be added or deleted in the CSS. User membership is controlled by the corporate group in Active Directory, so users can be added or deleted from the group by network administrators. Before trying to import an LDAP group, ensure that LDAP authentication is enabled, and initial configuration tests yielded groups with users that you needed. If you didn't see the groups and users needed during the test, you may need to adjust the LDAP attributes. For more information, see Setting Up LDAP Authentication [p. 13]. 1. Go to the CSS console. On the server where CSS is installed, go to the Start menu and select Compuware Common Components Compuware Security. 2. Select the User Groups task. The View All tab will display all of the current user groups. 3. Click the Import LDAP Groups tab. 4. Enter a group name and click Search. Groups matching the search criteria will be displayed. Maximum results can be decreased or increased. 5. Select the group(s) needed and click Import. The selected groups will appear on the View All page. Once the group has been imported, it has a default role of Guest, which has limited product access. To provide additional access, you can assign a different role and reports to the entire group. When a user from the group logs in with their network ID and password, a user account is created automatically. Once that user account is created, you can assign that user a role, local user group (that has a different role) or reports. NOTE If an LDAP user account matches a locally-created user account, the local user account takes precedence over the LDAP account. Roles Overview Roles define access for the product components integrated with the CSS (DC RUM, BSM, Enterprise Synthetic, and Dynatrace Enterprise Portal). A system administrator can assign users and user groups to roles. All new users, by default, are assigned to the Guest role. There are seven default user roles with different levels of product access: System Administrator Has complete access to system functionality, including user management, LDAP and database configuration; and can create and view all reports and dashboards. A system administrator must install the product and set up a user authentication method. Only a system administrator can access the RUM Console to configure DC RUM monitoring. A 22

23 Chapter 2 User Access and Security system administrator is automatically added to the System Administrator user group on the CAS. NOTE CAS user groups cannot be configured in the CSS. Reporting Administrator Has access to all functionality needed to configure Dynatrace Enterprise Portal reporting. Can access the CSS to add local users and assign roles and user groups. Has the same CAS access as a Reporting Power User, with the additional privileges to use all DMI features. Has full access to BSM functionality. Reporting Power User On the CAS, this user can create, save, import, and export reports. Can assign users to Portal dashboards. In BSM, this user can set up adaptor connections and navigate the Service Model. Synthetic Console User Can log in to the Enterprise Synthetic Console and access all available Console features. Packet Capture User Has access to the packet data-mining tool on the CAS. Also has the same access as a Reporting User. Reporting User Can use the Data Mining Interface in CAS to create personal reports. Can use the Charting Portlet in the Portal to create personal reports. In BSM, can navigate in the client, but cannot change any component or feature. Mobile Application User Has access to assigned reports in the MobileAPM app. In the CAS, has the same access rights as a Guest. Guest On the CAS, this user can view reports assigned to this user. Has view access to the default Dynatrace Enterprise Portal Executive and Operations dashboards, but cannot make changes to any component or feature. Will have view access to custom dashboards and to any drill-down reports assigned to this user. Assigning Roles to Users or User Groups When you create new local user accounts, you can assign a role to the new user on that screen. You can also assign roles to individual users, or multiple users or user groups from the Roles screen. If you have many users, we recommend that you create user groups for users who will have similar access, and assign a role to that group. 1. Go to the CSS console. On the server where CSS is installed, go to the Start menu and select Compuware Common Components Compuware Security. 2. Select the Roles task. The Roles screen displays available roles. 23

24 Chapter 2 User Access and Security 3. Click the icon for the role you'd like to assign. The [Role Name] - Assigned Users page displays the users assigned to the selected role on the Users tab. The User Groups tab will display groups assigned to the role. 4. On the Users tab, click Assign Members. The Select Users dialog displays a list of active users. Users currently assigned to the role have a selected check box. 5. Select the users you want to assign to the role, and click OK. NOTE To assign user groups to a role, use the same process, but from the User Groups tab. What to Do Next To remove users from a user group, deselect them on the Select Users dialog box, and click OK. 24

25 CHAPTER 3 CSS Administration Tasks An administrator may need to perform some of the following tasks to configure CSS for your organizations security or application performance needs. Identifying and Fixing User Account Migration Exceptions During the CAS upgrade from a release earlier than 12.0, existing user accounts are migrated to the CSS. If some user accounts did not migrate successfully, a migration record is created in the CSS database that you can view in the CSS console. A typical scenario is that a user or user group already existed in the CSS when the migration occurred. An administrator can identify users or user groups that did not migrate properly, and can rectify the issue if needed in the CSS interface. If there was a migration exception, a Migration task will appear in the CSS interface. 1. Go to the CSS console. On the server where CSS is installed, go to the Start menu and select Compuware Common Components Compuware Security. 2. If there are migration exceptions, a Migration task will appear. Click on the task to open the report. A list of migration exceptions is displayed that show the Principle Name (the user or group that did not migrate) and the reason it did not migrate properly. 3. Click the Show Details icon to display additional information about the user or group that did not migrate. 4. If needed, manually add the users or groups to the CSS. For users, click on the Users link; for groups, the User Group link. Performing Security Audits You can produce a report that shows any authentication attempts, user additions or other events on the CSS. 25