Choosing Your Security Policy
Your security policy specifies the security scheme for your users. If the same security scheme is used for all users, specify the default authentication domain and transport protocol.
In security.properties, uncomment mks.security.policy.scheme.default and specify your default policy, for example:
mks.security.policy.scheme.default=flat_clear
Authentication Domain | Transport Protocol | Security Policy
Kerberos              | Clear              | windows_clear
Kerberos              | Private            | windows_private
Flat File             | Clear              | flat_clear
Flat File             | Private            | flat_private
LDAP                  | Clear              | ldap_clear
LDAP                  | Private            | ldap_private
UNIX                  | Clear              | unix_clear
UNIX                  | Private            | unix_private
• The default security scheme for Windows systems is nt_clear. The NT security realm is supported for this release but will be dropped in a future release.
• The default security scheme for UNIX systems is unix_clear.
• If you only have a clear or secure port specified in agent.properties, your security scheme must use the appropriate communication method for that port.
Using Multiple Security Schemes
Integrity Lifecycle Manager supports the use of multiple security schemes to authenticate users. For example, you could have the following security policy:
mks.security.policy.scheme.default=windows_clear,flat_clear
With this security policy, when a user attempts to log on to the system, the user’s credentials are first presented to the Kerberos server, and if they are accepted, the user is logged on. If the user’s credentials are not accepted, they are presented to the Flat File realm. If they are not accepted by the Flat File realm, then the user is denied access to the application.
The Integrity Lifecycle Manager Agent supports the following security realm combinations:
• Windows and Flat File
• LDAP and Flat File
• UNIX and Flat File
Each security scheme in the combination must use the same transport protocol (clear or private).
If you are using multiple security schemes and have identical user names in two or more security realms, when logging in with that user name you must use the password as it is defined in the first security realm that is listed. For example, if you have the following security policy:
mks.security.policy.scheme.default=windows_clear,flat_clear
and jbrown is defined as a user name in both the ADS and Flat File security realms, when logging in as jbrown you must use the password defined in the ADS realm.
Specifying Security Policies by Incoming Integrity Lifecycle Manager Server Address
You can use specific security schemes for incoming connections to the Integrity Lifecycle Manager Agent based on their IP address (either full or partial). The Integrity Lifecycle Manager Agent selects the security scheme based on the IP address of the incoming connection. If you specify a partial IP address, every incoming connection in the subnet (up to 256 machines) whose IP address starts with the same three octets as the partial IP address uses the specified security scheme.
Specify the security scheme for incoming connections in the following properties:
mks.security.policy.scheme.<client ip>=<security scheme>
mks.security.policy.scheme.<subnet ip>=<security scheme>
For example, if the incoming connection’s IP address is 10.0.8.24 and you want to use a Windows private security policy, specify the following:
• if you are using a full Integrity Lifecycle Manager server address
mks.security.policy.scheme.10.0.8.24=windows_private
• if you are using a partial Integrity Lifecycle Manager server address
mks.security.policy.scheme.10.0.8=windows_private
You can specify multiple comma-separated security policies for each IP address, for example:
mks.security.policy.scheme.10.0.8.24=windows_private,flat_private
When specifying multiple security policies for an IP address, all policies for that IP address must use the same transport protocol.
The incoming connection IP address is compared against the specified policies in the order of most specific to least specific. For example, if you specified the following security policies:
mks.security.policy.scheme.10.0.8=ldap_clear,flat_clear
mks.security.policy.scheme.10.0.8.24=flat_private
mks.security.policy.scheme.default=ldap_clear
then an incoming connection with IP address 10.0.8.24 is validated against Flat File using an encrypted transport protocol.
The transport protocol does not need to be the same for all IP addresses.
Specifying Scheme Order
When using multiple security schemes based on the incoming connection address, the order the security realms are specified in must be the same for all addresses. The default ordering is specified by the mks.security.policy.scheme.default setting. For example, if the default order is the following:
mks.security.policy.scheme.default=windows_clear,flat_clear
then the following scheme orders are valid:
mks.security.policy.scheme.10.0.8.24=windows_private,flat_private
mks.security.policy.scheme.10.0.8.25=windows_clear,flat_clear
but the following scheme orders are not valid:
mks.security.policy.scheme.10.0.8.14=flat_private,windows_private
mks.security.policy.scheme.10.0.8.15=flat_clear,windows_clear
If the default scheme does not contain the complete list of security realms, then you must use the mks.usersDomain property to specify the order. For example, the following is a valid combination of settings:
mks.usersDomain=ads,flat_clear
mks.security.policy.scheme.default=windows_clear,flat_clear
mks.security.policy.scheme.10.0.8.24=windows_private,flat_clear
Specifying the security realm order also resolves potential issues if the same user is defined with an identical user name in more than one security realm. The user will be authenticated from the security realm that appears first in the list.
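The following Python script is an added illustration written for this page; it is not PTC's code and does not read a real Integrity Lifecycle Manager Agent configuration. It models the rules stated above: it parses the mks.security.policy.scheme.* properties from a constructed security.properties fragment, selects the scheme list for a client IP address (most specific prefix first, then the default), reports the two configuration errors the documentation warns about (mixed transport protocols within one address's policy, and a realm order that differs from the default order), and resolves a login against the realm chain so that a user name defined in two realms, like jbrown, is authenticated only by the first listed realm. The realm user tables, the mapping from scheme prefix to realm name, and the sample addresses are constructed for the example; the order check assumes the default scheme lists every realm (the mks.usersDomain case is not modelled).

```python
"""Model of Integrity Lifecycle Manager Agent security-policy selection.

Added example for this page (not PTC's code): parses the policy
properties, resolves the scheme list for a client IP, validates the
transport and realm-order rules, and walks the realm chain for a login.
"""

PROP_PREFIX = "mks.security.policy.scheme."
TRANSPORTS = ("clear", "private")
# Scheme prefix -> realm name (mapping assumed from the page's table).
REALM_NAMES = {"windows": "Kerberos", "flat": "Flat File",
               "ldap": "LDAP", "unix": "UNIX"}

# Constructed security.properties fragment; the last two entries are
# deliberately wrong (reversed realm order, mixed transports).
SECURITY_PROPERTIES = """\
# client-specific policies; the most specific match wins
mks.security.policy.scheme.10.0.8=windows_clear,flat_clear
mks.security.policy.scheme.10.0.8.24=windows_private,flat_private
mks.security.policy.scheme.10.0.8.14=flat_private,windows_private
mks.security.policy.scheme.10.0.9.1=windows_clear,flat_private
mks.security.policy.scheme.default=windows_clear,flat_clear
"""


def parse_properties(text):
    """Minimal .properties reader: key=value per line, '#' lines ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def split_scheme(scheme):
    """'windows_private' -> ('windows', 'private'); rejects unknown schemes."""
    realm, _, transport = scheme.rpartition("_")
    if realm not in REALM_NAMES or transport not in TRANSPORTS:
        raise ValueError("unknown security scheme: %s" % scheme)
    return realm, transport


def policies(props):
    """Map each policy key ('default' or an IP/prefix) to its scheme list."""
    return {k[len(PROP_PREFIX):]: [s.strip() for s in v.split(",")]
            for k, v in props.items() if k.startswith(PROP_PREFIX)}


def resolve_policy(props, client_ip):
    """Return (matched_key, schemes): most specific prefix match, else default."""
    pol = policies(props)
    matches = [k for k in pol if k != "default"
               and (client_ip == k or client_ip.startswith(k + "."))]
    if matches:
        best = max(matches, key=lambda k: k.count("."))  # most octets wins
        return best, pol[best]
    return "default", pol.get("default", [])


def validate_policies(props):
    """Return one message per entry that breaks a rule stated on the page."""
    pol = policies(props)
    errors = []
    default_order = [split_scheme(s)[0] for s in pol.get("default", [])]
    for key, schemes in pol.items():
        parsed = [split_scheme(s) for s in schemes]
        # Rule: every scheme for one address must share a transport.
        if len({t for _, t in parsed}) > 1:
            errors.append("%s: mixed transports %s" % (key, schemes))
        # Rule: realm order must follow the default's order.
        realms = [r for r, _ in parsed]
        expected = [r for r in default_order if r in realms]
        if realms != expected:
            errors.append("%s: realm order %s differs from default %s"
                          % (key, realms, default_order))
    return errors


# Constructed realm data: jbrown exists in both Kerberos and Flat File.
REALM_USERS = {
    "Kerberos": {"jbrown": "kerb-pass"},
    "Flat File": {"jbrown": "flat-pass", "asmith": "smith-pass"},
}


def authenticate(schemes, username, password, realm_users=REALM_USERS):
    """Walk the realm chain; the first realm that knows the name decides."""
    for scheme in schemes:
        realm = REALM_NAMES[split_scheme(scheme)[0]]
        users = realm_users.get(realm, {})
        if username in users:
            return realm if users[username] == password else None
    return None
```

Running `validate_policies` over the fragment flags only the 10.0.8.14 and 10.0.9.1 entries, and `authenticate` with the default scheme list accepts jbrown with the Kerberos password but rejects the Flat File one, which is the behaviour the duplicate-user-name rule describes.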