This section includes the following topics:
Precise systems can provide a high level of protection against external and internal intruders, restricting access to the sensitive information that Precise uses and monitors.
This information includes the following:
When installing a new server, a communication security key is transferred to the new server. To ensure secure transfer of the key, see Securing communication key transfer to a new server.
Configuring a secured Precise system involves setting file permissions and enabling the Precise security mechanisms, such as Advanced Encryption Standard (AES) encryption of communication and of stored passwords.
Both the communication encryption mechanism and the password encryption mechanism use Advanced Encryption Standard (AES) by default. For higher security, it is recommended to access the Precise Web-based user interface over the Secure Socket Layer (SSL) protocol, that is, over HTTPS.
In general, it is recommended to rotate all of the mechanisms' encryption keys (including the SSL certificate) periodically.
Verify that only the Precise user and group have access to files under the Precise root folder. You can set all files under the Precise root to 770 permissions (full access for the owner and the group, no access for others).
Some monitored instances also require access to these files, so the Precise user should be a member of the user groups of those monitored instances as well.
To set file permissions on Windows
By default, Precise communicates using a symmetric key encryption algorithm called Advanced Encryption Standard (AES).
To replace the communication AES key
Run the following command from the <Precise_root> folder:
Windows: infra\bin\psin_cli.bat -i3-user <user_name> {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>} -action communication-key-change -type aes
UNIX: ./infra/bin/psin_cli.sh -i3-user <user_name> {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>} -action communication-key-change -type aes
For the new encryption settings to take effect, you must distribute them to all servers, completing the distribution no later than 24 hours after you changed the encryption configuration on the Precise FocalPoint server.
The new encryption settings become effective within 48 hours. A server that has not received the new settings within 48 hours is no longer able to communicate with the Precise system; in this case you need to perform an additional step to reestablish communication.
At the moment of key replacement, communication errors may occur on some of the active connections. You may see these errors in the user interface or in the log files. If they do not persist, ignore them.
To distribute the new encryption settings to all servers
Run the following command from the <Precise_root> folder on the Main Precise FocalPoint server:
Windows: infra\bin\psin_cli.bat -i3-user <user_name> {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>} -action communication-key-distribute {-servers "<comma_separated_servers_list>" | -all-servers true} [-manual true] [-secure true -user-name <user_name> -password <password>]
UNIX: ./infra/bin/psin_cli.sh -i3-user <user_name> {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>} -action communication-key-distribute {-servers "<comma_separated_servers_list>" | -all-servers true} [-manual true] [-secure true -user-name <user_name> -password <password>]
Specify one: -servers and a comma separated list of specific servers to distribute the key to, or -all-servers true to distribute the key to all installed servers.
To transfer the key over SSH, specify -secure true and supply the user name and password to use for the SSH connection to the servers. To use the manual mode of the secured key transfer, specify -secure true and -manual true; note that the manual mode requires you to run the script manually on the related servers.
To reestablish communication with a server that did not receive the new settings within 48 hours, copy the <precise_root>/infra/listener/etc/crypt folder from the Precise FocalPoint server to that server.
You can verify that the encryption configuration has been updated on all servers. This procedure scans all of your Precise servers and checks whether each server was successfully updated with the new encryption settings.
If one of the servers reports an error, redistribute the encryption settings. If you still encounter an error after redistributing the settings, contact Precise Customer Support.
Run the verify command at least 48 hours after creating the new AES key, so that the check confirms the protocol is secured with the new key.
See Distributing the new encryption settings to all servers.
If the new encryption settings were successfully received on all servers, the scan results in an output like the following:
Server (aix1) ok
Server (aix2) ok
Server (aix3) ok
server scan done
If errors occurred on at least one of the servers, the scan results in an output like the following:
Server (aix1) ok
error on server (aix2), see log file for details.
Server (aix3) ok
servers scan done
The encryption log is written to the following trace file:
<Precise_root>/logs/infra.i3fp.crypt.log
To verify encryption configuration on all servers
Run the following command from the <Precise_root> folder on the Main Precise FocalPoint server:
Windows: infra\bin\psin_cli.bat -i3-user <user_name> {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>} -action communication-key-verify {-servers "<comma_separated_servers_list>" | -all-servers true}
UNIX: ./infra/bin/psin_cli.sh -i3-user <user_name> {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>} -action communication-key-verify {-servers "<comma_separated_servers_list>" | -all-servers true}
Specify one: -servers and a comma separated list of specific servers to verify, or -all-servers true to verify all installed servers.
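The verify scan prints one status line per server and a closing "scan done" line, as shown above. The following is an added Python example, not part of Precise, that turns that output into a per-server status and lists the servers on which communication-key-distribute must be run again. It treats a scan that never prints the closing line as a failed check rather than a clean one, and it can also be given the list of servers you expect, so a server the scan never mentioned is reported too. The line formats are taken from the sample output above; the sample text in the block is constructed.

```python
"""Parse the output of "psin_cli ... -action communication-key-verify".

Added example, not part of Precise. Line formats follow the sample
output shown above; the samples below are constructed.
"""
import re

OK_RE = re.compile(r"^server \((?P<name>[^)]*)\) ok$", re.IGNORECASE)
ERR_RE = re.compile(r"^error on server \((?P<name>[^)]*)\)", re.IGNORECASE)
DONE_RE = re.compile(r"^servers? scan done$", re.IGNORECASE)


def parse_verify_output(text):
    """Return ({server: "ok" | "error"}, scan_completed)."""
    status = {}
    completed = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if DONE_RE.match(line):
            completed = True
            continue
        m = OK_RE.match(line) or ERR_RE.match(line)
        if m is None:
            continue                       # not a status line; ignore
        # Whitespace inside the name is dropped so "aix 2" and "aix2" agree.
        name = re.sub(r"\s+", "", m.group("name"))
        status[name] = "ok" if m.re is OK_RE else "error"
    return status, completed


def servers_to_redistribute(text, expected=()):
    """Servers reporting an error, plus expected servers the scan never mentioned.

    Raises ValueError if the scan did not finish, so a truncated run is never
    mistaken for a clean one.
    """
    status, completed = parse_verify_output(text)
    if not completed:
        raise ValueError("verify scan did not complete; rerun it before trusting the result")
    bad = {name for name, state in status.items() if state != "ok"}
    bad.update(name for name in expected if name not in status)
    return sorted(bad)


# Constructed samples in the format of the output shown above.
SAMPLE_CLEAN = """\
Server (aix1) ok
Server (aix2) ok
Server (aix3) ok
server scan done
"""

SAMPLE_WITH_ERROR = """\
Server (aix1) ok
error on server (aix 2), see log file for details.
Server (aix3) ok
servers scan done
"""

if __name__ == "__main__":
    print(servers_to_redistribute(SAMPLE_WITH_ERROR, expected=["aix1", "aix2", "aix3", "aix4"]))
```

Feed it the saved output of the verify command together with the server list you passed to -servers; anything it returns goes back into a communication-key-distribute run, and the details for an "error" server are in the infra.i3fp.crypt.log file named above.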
Precise uses the Advanced Encryption Standard (AES) to encrypt the passwords that its different components require to access the monitored instances (such as passwords for databases or Java application servers). These passwords are then saved in internal configuration files.
By default, the password encryption is AES.
You can replace the password encryption key on the Precise FocalPoint server by using the Precise Command Line Interface (CLI) installation utility. For information on how to deploy this utility, see the Precise CLI Utility Reference Guide.
To replace the password encryption key on the Precise FocalPoint server
Run the following command from the <Precise_root> folder on the Precise FocalPoint server:
Windows: infra\bin\psin_cli.bat -i3-user <user_name> {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>} -action encrypt-update -type aes-key
UNIX: ./infra/bin/psin_cli.sh -i3-user <user_name> {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>} -action encrypt-update -type aes-key
Table 1 Configuring password encryption type elements on the Precise FocalPoint server
Element | Description |
---|---|
-i3-user | See Authenticate to CLI Utility. |
-i3-encrypted-password | See Authenticate to CLI Utility. |
-action | Always: encrypt-update. Mandatory: Yes |
-type | Always: aes-key. Mandatory: Yes. AES-based encryption that uses a random symmetric key. It is recommended to update this key once a year. Security level: high |
For example:
./infra/bin/psin_cli.sh -i3-user <user_name> -i3-clear-password <clear_password> -action encrypt-update -type aes-key
For the new password encryption settings to take effect, you must distribute them to all servers by using the Precise CLI installation utility. This procedure depends on the Precise Listener being up and running on all servers; otherwise, the agents on the servers will not be able to function.
To distribute the new encryption settings to all servers
Run the following command from the <Precise_root> folder on the Precise FocalPoint server:
Windows: infra\bin\psin_cli.bat -i3-user <user_name> {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>} -action encrypt-distribute
UNIX: ./infra/bin/psin_cli.sh -i3-user <user_name> {-i3-encrypted-password <encrypted_password> | -i3-clear-password <clear_password>} -action encrypt-distribute
Table 2 Distributing new password encryption element settings to all servers
Element | Description |
---|---|
-i3-user | See Authenticate to CLI Utility. |
-i3-encrypted-password | See Authenticate to CLI Utility. |
-action | Always: encrypt-distribute. Mandatory: Yes |
The Precise user interface is based on an Apache Tomcat server. You can configure it to work in HTTPS mode. This mode uses the Secure Socket Layer (SSL) protocol to encrypt the data exchanged between the Web browser and the Tomcat server.
To configure Precise Apache Tomcat to work in HTTPS mode
Precise keeps the certificate for the Tomcat server in the <Precise_root>\products\gui\website folder, in a keystore file named .keystore. The keystore password used throughout this procedure, "changeit", is the Java default, so anyone who can read the .keystore file can extract the private key; keep the file under the restrictive permissions described above.
1. From the <Precise_root> folder on the Precise FocalPoint, delete the existing tomcat certificate from the keystore:
Windows: java\JRE\bin\keytool -delete -alias tomcat -keystore products\gui\website\.keystore
UNIX: java/JRE/bin/keytool -delete -alias tomcat -keystore products/gui/website/.keystore
For the password, use "changeit."
2. From the <Precise_root> folder on the Precise FocalPoint, generate a new key pair and self-signed certificate:
Windows: java\JRE\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore products\gui\website\.keystore -validity 3000
UNIX: java/JRE/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore products/gui/website/.keystore -validity 3000
For the password, use "changeit." For the question "What is your first and last name," answer with the host name used in the URL of the Precise GUI; browsers compare this name with the host in the URL.
3. Edit the <Precise_root>\products\gui\website\conf\server.xml file: comment out the non-SSL <Connector> tag (the one preceded by the remark "<!-- Define a non-SSL HTTP/1.1 ... -->") and uncomment the SSL <Connector> tag (the one preceded by the remark "<!-- Define a SSL Coyote HTTP/1.1 ... -->").
4. Restart the Precise FocalPoint.
5. Open the Precise application using HTTPS. For example: https://<host>:<port>
After restarting the Precise FocalPoint, the SSL port changes to the default port entered during installation. If you want to use a different port, change it as described in the Change GUI server port section of the Precise CLI Utility Reference Guide.
When first launching Precise in a client, a security alert is displayed with the certificate details. You should have your certificate signed by a trusted root authority (such as VeriSign). Alternatively, you can install the certificate on each client machine that uses the Precise GUI.
In AdminPoint, click the Setup tab and click Nodes in the drop-down menu.
In the Nodes tab, click Edit to update the URL of the node for which you configured SSL to the HTTPS URL (https://<host>:<port>). In addition, if you are working with the Precise Custom Portal, the following configuration must be performed.
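The server.xml edit above is easy to get half right: the SSL connector is uncommented but the non-SSL one is left active, so the GUI still answers in clear text on its old port. The following is an added Python example, not part of Precise or Apache Tomcat, that parses a server.xml and reports any live plaintext HTTP connector, a missing HTTPS connector, and an HTTPS connector still using the default keystore password. Commented-out connectors are invisible to the XML parser, which is exactly what "live" means here, so the check sees the file the way Tomcat does. The attribute names (scheme, secure, keystoreFile, keystorePass) follow Tomcat's SSL documentation and are an assumption; the connector attributes in an actual Precise server.xml may differ. The two server.xml fragments in the block are constructed.

```python
"""Check that a Precise Tomcat server.xml exposes only the SSL connector.

Added example, not part of Precise or Apache Tomcat. Attribute names
follow Tomcat's SSL documentation (assumption); the fragments are constructed.
"""
import xml.etree.ElementTree as ET

DEFAULT_KEYSTORE_PASSWORD = "changeit"   # Java/Tomcat default, the one used in the steps above


def live_connectors(server_xml):
    """Return one dict per <Connector> that is not commented out."""
    root = ET.fromstring(server_xml)        # comments are dropped by the parser
    connectors = []
    for conn in root.iter("Connector"):
        a = conn.attrib
        kind = (a.get("protocol", "") + a.get("className", "")).lower()
        connectors.append({
            "port": a.get("port"),
            "scheme": a.get("scheme", "http").lower(),
            "secure": a.get("secure", "false").lower() == "true",
            "ajp": "ajp" in kind,                      # back-end connector, not browser-facing
            "keystore_pass": a.get("keystorePass"),    # Tomcat falls back to "changeit" if absent
        })
    return connectors


def check_https_only(server_xml):
    """Return a list of problems; an empty list means only HTTPS is exposed."""
    problems = []
    connectors = [c for c in live_connectors(server_xml) if not c["ajp"]]
    https = [c for c in connectors if c["secure"] and c["scheme"] == "https"]
    if not https:
        problems.append("no active HTTPS connector (is the SSL <Connector> still commented out?)")
    for c in connectors:
        if c not in https:
            problems.append("plaintext HTTP connector still active on port %s" % c["port"])
        elif c["keystore_pass"] in (None, DEFAULT_KEYSTORE_PASSWORD):
            problems.append("HTTPS connector on port %s uses the default keystore password" % c["port"])
    return problems


# Constructed server.xml fragments: the state before and after the edit above.
BEFORE_EDIT = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector port="8080" maxThreads="150" enableLookups="false" />
    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <!--
    <Connector port="8443" maxThreads="150" scheme="https" secure="true"
               keystoreFile="products/gui/website/.keystore" keystorePass="changeit" />
    -->
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" />
  </Service>
</Server>
"""

AFTER_EDIT = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <!--
    <Connector port="8080" maxThreads="150" enableLookups="false" />
    -->
    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxThreads="150" scheme="https" secure="true"
               keystoreFile="products/gui/website/.keystore" keystorePass="changeit" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    print("before:", check_https_only(BEFORE_EDIT))
    print("after: ", check_https_only(AFTER_EDIT))
```

The remaining finding on the edited file is the default keystore password, which this procedure prescribes; if you change it with keytool -storepasswd, the keystorePass attribute on the SSL connector must be changed to match or Tomcat cannot open the keystore.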
To configure Precise Apache Tomcat to work in HTTPS mode with the Precise Custom Portal
1. Export the certificate: <i3>java\jre\bin\keytool -export -alias tomcat -file <file_name>.crt -keystore <i3>products\gui\website\.keystore
2. Import the certificate into the JRE trust store: <i3>java\jre\bin\keytool -import -file <file_name>.crt -alias tomcat -storepass <changeit> -keystore <i3>\java\JRE\lib\security\cacerts
Verify that the same
For the password, use "changeit."
To install a certificate
For general information regarding configuring HTTPS mode, see Apache Tomcat server instructions found at this site: http://tomcat.apache.org/tomcat-4.1-doc/ssl-howto.html
For information regarding configuring J2EE to work in HTTPS mode, see the Precise for J2EE User Guide.
For an Apache Tomcat server, you can configure the Tomcat session timeout, which determines how long an idle GUI session remains valid.
To change the session timeout for an Apache Tomcat server
Edit the <Precise_root>\products\gui\website\webapps\i3\web.xml file and set the value of <session-timeout>, in minutes:
<session-config>
<session-timeout>180</session-timeout>
</session-config>
Configuring the Precise login mechanism is not required to secure a Precise system.
Precise FocalPoint confirms the Precise authentication credentials by using the Java Authentication and Authorization Service (JAAS). The JAAS runs a login module that authenticates the password according to an internal Precise roles' table.
Because the JAAS is a common Application Programming Interface (API), you can also configure it to run a custom login module that authenticates a role’s password against an external, centralized password repository. To do so, you must first define the respective role in AdminPoint. For more information on managing roles in AdminPoint, see the Precise Administration Guide.
The login module is a Java class that implements the LoginModule interface of the JAAS API (javax.security.auth.spi.LoginModule). This API is available in the Java Runtime Environment (JRE) version 1.4.2 and later, as part of the javax.security.auth.* packages.
When your own login module is ready for use, configuring the external password authentication involves the following tasks:
To update the Precise configuration
Edit the <Precise_root>/products/i3fp/login/jaas.config file and change the entry
StartPoint{com.precise.infra.login.InfraDbLdapSupportLoginModule required;};
to
StartPoint{<new login module class> required;};
To add the new login module class to the Precise classpath
Add the location of the new login module class to the classpath defined in the <Precise_root>/products/i3fp/bin/psin_i3fp_init.xml file.
After you have finished installing all Precise components on a server, you may remove the user (used by the Precise services) from the Administrators group and assign it to either the Power Users group or the Users group. In both cases the user must hold the Log on as a service right. If the user is in the Users group, you also need to grant access permissions to authenticated users for each Precise service on the machine. To do this, use the SC.exe utility from the Microsoft Resource Kit.
For example:
"E:\Program Files\Resource Kit\sc.exe" sdset psin_sentry_8.7 D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
"E:\Program Files\Resource Kit\sc.exe" sdset psin_i3fp_8.7 D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
"E:\Program Files\Resource Kit\sc.exe" sdset psin_gui_8.7 D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
This is only an example. Do not copy and paste it into your environment; the commands may differ between Windows versions. The general idea is to use
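The security descriptor strings above are hard to review by eye, and a mistake in them is a local privilege escalation: any trustee given SERVICE_CHANGE_CONFIG (DC), WRITE_DAC (WD), WRITE_OWNER (WO) or DELETE (SD) on a service can repoint it or rewrite its ACL. The following is an added Python example, not part of Precise or of the Windows tooling, that parses the DACL part of an SDDL string into access control entries, expands the two-letter service right codes and well-known SID aliases, and flags takeover rights granted to anyone other than SYSTEM and Administrators. The code-to-right and alias-to-group mappings follow the Windows SDDL documentation for services; the descriptor strings in the block are the ones shown above with the stray space removed, plus one constructed weakened variant.

```python
"""Decode the service security descriptor strings passed to "sc.exe sdset".

Added example, not part of Precise or Windows tooling. Mappings follow the
Windows SDDL documentation for service objects; WEAKENED_SD is constructed.
"""
import re

SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001), "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004), "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010), "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040), "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x10000), "RC": ("READ_CONTROL", 0x20000),
    "WD": ("WRITE_DAC", 0x40000), "WO": ("WRITE_OWNER", 0x80000),
}
SID_ALIASES = {"SY": "Local System", "BA": "Builtin Administrators", "BU": "Builtin Users",
               "AU": "Authenticated Users", "PU": "Power Users", "IU": "Interactive Users"}
# Rights that let the holder take over the service or its ACL.
DANGEROUS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "DELETE"}
TRUSTED = {"SY", "BA"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def expand_rights(token):
    """Expand an SDDL rights token (two-letter codes or a hex mask) to right names."""
    if token.lower().startswith("0x"):
        mask = int(token, 16)
        return {name for name, bit in SERVICE_RIGHTS.values() if mask & bit}
    names = set()
    for i in range(0, len(token), 2):
        code = token[i:i + 2]
        if code not in SERVICE_RIGHTS:
            raise ValueError("unknown rights code %r" % code)
        names.add(SERVICE_RIGHTS[code][0])
    return names


def parse_dacl(sddl):
    """Return the DACL of an SDDL string as a list of ACE dicts."""
    sddl = re.sub(r"\s+", "", sddl)      # sc.exe takes one argument; a space would split it
    m = re.search(r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)", sddl)
    if m is None:
        raise ValueError("no DACL (D:) in descriptor")
    aces = []
    for body in ACE_RE.findall(m.group("aces")):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE %r" % body)
        ace_type, flags, rights, _object_guid, _inherit_guid, sid = fields
        aces.append({"type": ace_type, "flags": flags, "rights": expand_rights(rights),
                     "sid": sid, "trustee": SID_ALIASES.get(sid, sid)})
    return aces


def rights_for(sddl, sid):
    """Union of rights allowed to one SID alias (or literal SID) by the DACL."""
    allowed = set()
    for ace in parse_dacl(sddl):
        if ace["type"] == "A" and ace["sid"] == sid:
            allowed |= ace["rights"]
    return allowed


def risky_grants(sddl):
    """(trustee, right) pairs that give takeover rights to non-admin trustees."""
    found = []
    for ace in parse_dacl(sddl):
        if ace["type"] != "A" or ace["sid"] in TRUSTED:
            continue
        for right in sorted(ace["rights"] & DANGEROUS):
            found.append((ace["trustee"], right))
    return found


# The descriptor used in the sc.exe example above (stray space removed).
PRECISE_SERVICE_SD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                      "(A;;CCLCSWRPWPDTLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
# Constructed bad variant: Authenticated Users may also change the service configuration.
WEAKENED_SD = PRECISE_SERVICE_SD.replace("(A;;CCLCSWRPWPDTLOCRRC;;;AU)",
                                         "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)")

if __name__ == "__main__":
    for ace in parse_dacl(PRECISE_SERVICE_SD):
        print(ace["trustee"], sorted(ace["rights"]))
    print("risky:", risky_grants(WEAKENED_SD))
```

Read back the descriptor that is actually in place with sc.exe sdshow <service> and run it through risky_grants before and after the sdset; the example descriptor above gives Authenticated Users and Power Users start, stop and query rights only, which is what granting them "access" to the service should mean.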
Support for the Single Sign On feature means that Precise can become an integrated part of an enterprise application: enterprise application users log in to their systems only once, their credentials and authorization are remembered, and they do not need to log in again to each of the enterprise systems.
The prerequisites, installation, and configuration of this feature are described in the following sections:
Before you configure the Single Sign On feature, define at least one user in Precise who also appears in the SiteMinder directory. This is important for security reasons.
To configure Precise and enable it to operate with the Single Sign On feature, install and configure the following products:
SiteMinder Web agent version 6.00 Hotfix 05.03 or higher*
Precise does not sell or provide CA SiteMinder®. This product should be acquired from Computer Associates.
The Precise Single Sign On feature works with Apache Web server v2.2.3 or higher. The Apache Web server must be configured as a reverse proxy that listens on the Tomcat port of Precise.
To configure the Apache Web server for Windows
Edit the <Precise_root>/infra/setup.xml file and change the <tomcat-port> tag. The restart order is important because the Tomcat server has to release the port that the Apache server is configured to listen on.
To configure the Apache Web server for Linux
To install the SiteMinder Web agent, you need SiteMinder installed in your environment and a user name and password for the SiteMinder support site, from which you download the SiteMinder Web agent.
To install the SiteMinder Web agent
In the \Program Files\Apache Software Foundation\Apache2.2\conf folder, set EnableWebAgent="YES" in the Web agent configuration file.
Configure the SiteMinder Policy server to protect Precise.
To configure the Policy server
To make changes on the System tab
To make changes on the Domains tab
To configure the Precise-Realm
To create and name a rule under the Precise-Realm
To add a new response under the Precise/Responses entry
To add a new policy under the Precise/Policies entry
The Precise configuration needs to be changed to connect it to SiteMinder and activate the Single Sign On feature.
To connect SiteMinder and activate the Single Sign On feature in Precise
The files involved are the <Precise_root>\products\gui\website\webapps\i3\Login folder and the products\i3fp\login\jaas.config file. Edit jaas.config so that its content looks like:
StartPoint{com.precise.infra.login.SiteMinderLoginModule required;};
To disable the integration between SiteMinder and Precise, two procedures need to be performed: one to roll back the Precise configuration changes and one to roll back the Apache Web agent configuration changes.
To roll back the Precise configuration changes
The files involved are the <Precise_root>\products\gui\website\webapps\i3\Login folder and the products\i3fp\login\jaas.config file. Edit jaas.config so that its content looks like:
StartPoint{com.precise.infra.login.InfraDbLoginModule required;};
To roll back the SiteMinder configuration changes
Revert the Web agent changes in the Apache configuration folder: \Program Files\Apache Software Foundation\Apache2.2\conf on Windows, or web_server_home/conf on Linux.
Precise can integrate with the Lightweight Directory Access Protocol (LDAP). LDAP integration is preferable to keeping user passwords in Precise's own tables. The following section describes how to configure LDAP.
Once integrated with LDAP, Precise gets all users and groups from the LDAP directory and synchronizes them into its own database. Login passwords are verified by LDAP, so Precise no longer needs to keep (and verify) the users' passwords.
LDAP provides access for management and browser applications that offer read/write interactive access to the X.500 directory. Setting up an LDAP configuration reduces user/role management in Precise, because Precise reuses the already managed LDAP repository.
Pay close attention to your organizational structure in the LDAP repository before setting up the LDAP configuration for Precise. You must understand the current LDAP structure to determine which entities of the existing LDAP repository Precise needs.
Map a set of users and roles to a Precise domain. While synchronizing the LDAP data into Precise, the relevant users and roles are identified by the given domain, and for login the user name takes the form domain-name\user-name.
It is preferable to set the domain name to the enterprise domain, and the users/roles root to the LDAP branch that contains the domain users.
Setting up the Precise system to work with LDAP blocks all user/role management operations in the Precise system, except for permissions management. The LDAP synchronization process deletes from the Precise system all users and roles that are not also found in the LDAP repository, except for the user "admin" and the role "Precise manager."
To enable synchronization of users and roles from the LDAP repository into the Precise database, configure LDAP as described below.
To configure LDAP
Edit the <precise_root>\products\i3fp\registry\products\infrastructure\login\ldap.xml file as described in the following steps.
Edit the <precise_root>\products\i3fp\registry\products\infrastructure\roles\settings.xml file by setting ignore-last-role-on-delete to true: <ignore-last-role-on-delete>true</ignore-last-role-on-delete>
Enter the following connection information:
<host>: the host name or IP address of the LDAP repository server.
<port>: the port on which the LDAP repository server is listening.
<bind-user>: the LDAP user name used to bind during the synchronization process.
<bind-password>: the password of the bind user (stored in encrypted form, as in the example below).
The domain element holds information for the domains to synchronize. You can specify one or more domain elements. Enter the following mapping information:
<domain-name>: a unique name for the domain, prefixed to the imported user and role names. The user name of an imported user is domain-name\user-name.
<root-group>: an LDAP group DN. The import process takes all members (users and groups) of this group. (Use this when <domain-root-method> is 'single'.)
<users-root>: an LDAP object DN. The import process takes all users under this object. (Use this when <domain-root-method> is 'multiple'.)
<groups-root>: an LDAP object DN. The import process takes all groups under this object. (Use this when <domain-root-method> is 'multiple'.)
Enter the following general information:
<user-object-class>: the object class name in the LDAP for the user entity.
<group-object-class>: the object class name in the LDAP for the group entity.
<user-name-attribute>: the attribute name in the LDAP for the user name.
<group-name-attribute>: the attribute name in the LDAP for the group name.
<user-dn-attribute>: the attribute name in the LDAP for the user entity DN.
<user-login-attribute>: the attribute name in the LDAP for the user login ID.
<group-members-attribute>: the attribute name in the LDAP for the group members list.
<max-users>: the maximum number of users allowed to be imported into Precise.
<max-groups>: the maximum number of groups allowed to be imported into Precise.
<domain-root-method>: whether to use the <root-group> or the <users-root>/<groups-root> configuration for the entity mapping. Specify single or multiple.
<paging-size>: the number of entities per page in the result set from the LDAP. If zero (0) is specified, the paging mechanism is not used.
<use-ldap-authentication>: whether the LDAP authentication mechanism is used. Specify true or false.
<use-ldap-management>: if <use-ldap-authentication> is set to true, specifies whether users/roles are managed by LDAP or by the Precise user interface. Specify true or false.
<use-case-sensitive>: if set to true, the LDAP sync user is treated as case sensitive.
Below is a registry entry example for the ldap.xml file.
<ldap>
<!-- Indicator for using Ldap authentication true/false -->
<use-ldap-authentication>true</use-ldap-authentication>
<!-- Indicator for using Ldap for managing users/roles, true will block I3 GUI operations -->
<use-ldap-managment>true</use-ldap-managment>
<!-- Ldap server host name -->
<host>pss-dc01</host>
<!-- Ldap server port -->
<port>389</port>
<!-- Ldap paging size -->
<paging-size>500</paging-size>
<!-- Ldap bind user name -->
<bind-user>CN=i4dcf,OU=APM Service Users &amp; Groups,DC=precise,DC=com</bind-user>
<!-- Ldap bind user password, encrypted!! -->
<bind-password>_EncryptI3_A_1_F10EEB2FC3B6F88E</bind-password>
<!-- in case there is only on domain the user can configure not to type the domain in the login -->
<use-domain-in-login>false</use-domain-in-login>
<domains>
<domain>
<domain-name>development</domain-name>
<!-- Ldap group to import its members -->
<root-group>CN=BU_RnD,OU=R&amp;D,OU=APM,DC=precise,DC=com</root-group>
<!-- Ldap group to import its members -->
<root-group>CN=GRP_Integration,OU=Unknown users &amp; groups,OU=APM Service Users &amp; Groups,DC=precise,DC=com</root-group>
</domain>
<domain>
<domain-name>QA</domain-name>
<!-- Ldap group to import its members -->
<root-group>CN=BU_RnD,OU=R&D,OU=APM,DC=precise,DC=com</root-group>
</domain>
</domains>
<!-- Ldap objectClass of the Users to sync -->
<user-object-class>person</user-object-class>
<!-- Ldap objectClass of the Roles to sync -->
<group-object-class>group</group-object-class>
<!-- Ldap attribute name of the User name -->
<user-name-attribute>name</user-name-attribute>
<!-- Ldap attribute name of the User distinguished name -->
<user-dn-attribute>distinguishedName</user-dn-attribute>
<!-- Ldap attribute name of the User login name -->
<user-login-attribute>sAMAccountName</user-login-attribute>
<!-- Ldap attribute name of the Role member list -->
<group-members-attribute>member</group-members-attribute>
<!-- Ldap attribute name of the Role name -->
<group-name-attribute>name</group-name-attribute>
<!-- I3 max users -->
<max-users>500</max-users>
<!-- I3 max roles -->
<max-roles>500</max-roles>
<!-- Parameters handling method: single/multiple -->
<domain-root-method>single</domain-root-method>
<!-- Ldap sync user set as case sensitive -->
<use-case-sensitive>false</use-case-sensitive>
</ldap>
For more information on running LDAP-sync command, see the Precise CLI Utility Reference Guide.
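Because a bad ldap.xml is only discovered when LDAP-sync runs, and the synchronization deletes Precise users and roles that it cannot find in the directory, it pays to check the file first. The following is an added Python example, not part of Precise, that parses an ldap.xml and reports: missing connection elements; a bind password stored in clear text (the example above stores it encrypted, with an _EncryptI3_ prefix, and that prefix is used here as the marker); domains lacking the root element their <domain-root-method> requires; duplicate domain names; non-numeric paging or maximum values; management enabled while authentication is off; and a bind over plain LDAP port 389, where a simple bind sends the bind password unencrypted unless the network path is otherwise protected (a general LDAP fact, not a Precise setting). The prose above spells two elements <use-ldap-management> and <max-groups> while the example file uses <use-ldap-managment> and <max-roles>; the check accepts either spelling because the page does not say which one the product reads. The sample file in the block is constructed from the example above, with "&" escaped as "&amp;" so that it is well-formed XML.

```python
"""Sanity-check a Precise ldap.xml before running LDAP-sync.

Added example, not part of Precise. The sample below is constructed from
the example file above; the _EncryptI3_ prefix is taken from that example.
"""
import xml.etree.ElementTree as ET

ENCRYPTED_PREFIX = "_EncryptI3_"
LDAP_PLAINTEXT_PORT = "389"


def _text(node, *names):
    """Text of the first child element found among names, or None."""
    for name in names:
        child = node.find(name)
        if child is not None and child.text is not None:
            return child.text.strip()
    return None


def _flag(node, *names):
    value = _text(node, *names)
    return None if value is None else value.lower() == "true"


def validate_ldap_xml(text):
    """Return a list of (level, message) findings; level is "error" or "warning"."""
    findings = []
    root = ET.fromstring(text)
    if root.tag != "ldap":
        return [("error", "root element must be <ldap>")]
    for name in ("host", "port", "bind-user", "bind-password"):
        if not _text(root, name):
            findings.append(("error", "missing <%s>" % name))
    password = _text(root, "bind-password") or ""
    if password and not password.startswith(ENCRYPTED_PREFIX):
        findings.append(("error", "<bind-password> is stored in clear text"))
    if _text(root, "port") == LDAP_PLAINTEXT_PORT:
        findings.append(("warning", "port 389 is plain LDAP; a simple bind sends the bind password unencrypted"))
    # Either spelling is accepted for the two elements the page spells two ways.
    for names in (("paging-size",), ("max-users",), ("max-groups", "max-roles")):
        value = _text(root, *names)
        if value is None or not value.isdigit():
            findings.append(("error", "<%s> must be a non-negative integer" % names[0]))
    auth = _flag(root, "use-ldap-authentication")
    mgmt = _flag(root, "use-ldap-management", "use-ldap-managment")
    if mgmt and not auth:
        findings.append(("error", "LDAP management requires <use-ldap-authentication> to be true"))
    method = _text(root, "domain-root-method")
    if method not in ("single", "multiple"):
        findings.append(("error", "<domain-root-method> must be 'single' or 'multiple'"))
    seen = set()
    for domain in root.findall("domains/domain"):
        dname = _text(domain, "domain-name") or "<unnamed>"
        if dname in seen:
            findings.append(("error", "duplicate <domain-name> %s" % dname))
        seen.add(dname)
        if method == "single" and domain.find("root-group") is None:
            findings.append(("error", "domain %s needs at least one <root-group>" % dname))
        if method == "multiple" and (domain.find("users-root") is None
                                     or domain.find("groups-root") is None):
            findings.append(("error", "domain %s needs <users-root> and <groups-root>" % dname))
    if not seen:
        findings.append(("error", "no <domain> defined"))
    return findings


# Constructed from the example above; "&" must be written "&amp;" in XML.
SAMPLE_LDAP_XML = """<ldap>
  <use-ldap-authentication>true</use-ldap-authentication>
  <use-ldap-managment>true</use-ldap-managment>
  <host>pss-dc01</host>
  <port>389</port>
  <paging-size>500</paging-size>
  <bind-user>CN=i4dcf,OU=APM Service Users &amp; Groups,DC=precise,DC=com</bind-user>
  <bind-password>_EncryptI3_A_1_F10EEB2FC3B6F88E</bind-password>
  <use-domain-in-login>false</use-domain-in-login>
  <domains>
    <domain>
      <domain-name>development</domain-name>
      <root-group>CN=BU_RnD,OU=R&amp;D,OU=APM,DC=precise,DC=com</root-group>
    </domain>
    <domain>
      <domain-name>QA</domain-name>
      <root-group>CN=BU_RnD,OU=R&amp;D,OU=APM,DC=precise,DC=com</root-group>
    </domain>
  </domains>
  <user-object-class>person</user-object-class>
  <group-object-class>group</group-object-class>
  <user-login-attribute>sAMAccountName</user-login-attribute>
  <group-members-attribute>member</group-members-attribute>
  <max-users>500</max-users>
  <max-roles>500</max-roles>
  <domain-root-method>single</domain-root-method>
  <use-case-sensitive>false</use-case-sensitive>
</ldap>
"""

if __name__ == "__main__":
    for level, message in validate_ldap_xml(SAMPLE_LDAP_XML):
        print(level, message)
```

The only finding on the page's own example is the port 389 warning; whether that matters depends on how the link between the Precise FocalPoint and the directory server is protected, which the page does not cover.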