サポートと今すぐチャット
サポートとのチャット

Security Analytics Engine 1.0 - User Guide

Security Settings
Introduction
Security wizard
Security wizard pages

Introduction

* 
IMPORTANT: The Security Settings page is only available when the Security Analytics Engine has been installed with the Security Token Service (STS). When the Security Analytics Engine is configured to use an external STS for authentication, as might be the case when the Security Analytics Engine is bundled with another product (for example, Dell™ One Identity Cloud Access Manager), this page is not available. Instead the STS authentication functionality and authorization roles should be configured within the other product.
From the Home page of the Security Analytics Engine Administration web site, click on the Security Settings link to open the Security wizard where you can configure the Security Analytics Engine Administration web site to accept Active Directory® or LDAP credentials depending upon your organization’s needs. This wizard is also used for enabling and configuring two factor identification using the Dell™ SMS service or a RADIUS server, and managing user and group roles.

Security wizard

The Security wizard is displayed when Security Settings is clicked on the Home page of the Security Analytics Engine Administration web site.
This wizard allows you to manage Active Directory® or LDAP security settings for the Security Analytics Engine Administration web site. The wizard is also used for enabling and configuring two factor identification using the Dell SMS service or a RADIUS server, and managing administrator and help desk roles.

Adding new authentication providers

The following procedures explain how to add an authentication provider using Active Directory® or LDAP as the directory service provider, enable two factor authentication and manage roles.
To add Active Directory authentication:
* 
NOTE: Clicking your browser’s back button, a breadcrumb trail link or refreshing the page removes all unsaved changes. To navigate through the wizard, only use the pages listed in the left pane.
1
From the Home page, click on the Security Settings link to open the Security wizard.
2
On the first page (Authentication Provider), enter a display name for the authentication provider. This name is only used within the Administration web pages.
3
Active Directory is selected by default as the directory service provider type. The page’s remaining sections and fields are determined by this selection.
4
Select to use the current domain (default) or manually specify a server and account to use.
If you select Manual, enter the following information:
IP Address - Enter the IP address (or host name) of the server to which the Security Analytics Engine will connect.
User Name - Enter the name of an account from the Active Directory domain with read access.
Password - Enter the password for the account.
5
When using Active Directory for authentication, the Security Analytics Engine has several different ways (or schemes) in which it can accept and validate user credentials. To configure which scheme(s) to use, select at least one of the following check boxes under Authentication Schemes:
HTML Forms - Selected by default, this is the standard login page of the Security Analytics Engine in which a user manually enters their domain username and password to be authenticated.
* 
NOTE: When users are already logged into their Windows® machines this may seem a redundant step which defeats the purpose of single sign-on. However, it is recommended that this option remain selected because the HTML Forms authentication can be used as a fallback mechanism when users access the site from a non-domain joined computer (e.g., over the internet at a hotel).
Kerberos - This scheme is intended to automatically authenticate users via Kerberos when the user is currently logged into and has access to the domain.
Leave the Kerberos scheme checked if you are unsure or if only some of your users will use it. The Security Analytics Engine login page silently attempts the automatic Kerberos authentication and if it fails attempts to fall back to the HTML Forms authentication (if enabled).
* 
NOTE: This option is NOT available when Manual is selected on the Connection Information pane or when the Security Analytics Engine is installed on a non-domain joined server.
Client Certificates (Smart Cards) - Select this scheme to only allow authentication to users that possess an X509 certificate or Smart Card containing a certificate that has been associated to their domain account using Microsoft® Active Directory Certificate Services. When this scheme is enabled the user’s web browser may prompt them to choose a certificate from their local machine or Smart Card. If the certificate is valid, the user is authenticated without having to enter their credentials.
* 
NOTE: As is standard practice, if a user were to lose their certificate or Smart Card you have the option of revoking that certificate in Active Directory Certificate Services before its expiration date. This provides protection against attempts by malicious users to log in using the lost certificate.
Because this revocation check requires an additional network call for each authentication attempt, an additional option, Check For Client Certificate Revocation (CRL), can be enabled or disabled.
6
After selecting the authentication scheme(s), click Two Factor Authentication in the left pane.
7
On the Two Factor Authentication Settings page, select one of the following options:
None - Selected by default, this option means no two factor authentication is performed for relying party applications using this authentication provider. Click Authorized Groups in the left pane and skip to Step 10.
Dell SMS - Selecting this option enables additional authentication through the Dell SMS Service. You must purchase this service from Dell in order to use it for two factor authentication.
Continue to Step 8.
RADIUS - Selecting this option enables additional authentication through a RADIUS server. Skip to Step 9.
8
If Dell SMS is selected, enter the following information:
Dell SMS Service Access Key - Enter the access key code provided by Dell.
Mobile Phone Number Attribute - Enter the name of the attribute in the directory service provider containing a user’s mobile phone number.
Click Authorized Groups in the left pane and skip to Step 10.
9
If RADIUS is selected, enter the following information:
Server - Enter the RADIUS server’s host name or IP address.
Port - Enter the port number for the RADIUS server.
Shared Secret - Enter the RADIUS server’s shared secret string.
Username Attribute - Enter the attribute name from your primary directory service provider that represents the unique username mapping between the two directory stores.
Pre-authenticate For Challenge/Response - Select this check box if you know your RADIUS server is configured for Challenge/Response authentication. If configured, a user may have to answer several questions correctly before being able to log in.
Click Authorized Groups in the left pane and continue to Step 10.
10
The final wizard page (Authorized Groups) is used to assign Administrator or Help Desk permissions to specific groups and/or individual accounts. Adding a group or individual account to the Administrator list allows them full permissions on the Security Analytics Engine Administration web site, while adding a group or individual account to the Help Desk Operators group only allows access to the Auditing and Policy Overrides pages.
* 
NOTE: If groups and/or individual accounts are not added then the fallback login is always used to access the Security Analytics Engine Administration web site. We strongly recommend assigning permissions if multiple users need access to the Administration web site.
11
(Optional) Add groups and/or individual accounts as authorized Security Analytics Engine administrators:
To add groups:
In the Search for text field associated with the Groups section, enter the name or partial name of a group. Leaving this field blank will return all groups.
Click Search to open the Authorize Administration Groups dialog and display the results of your search.
From the Available Groups list, select the group(s) to add to the Authorized Groups list.
Click the button to move the group(s) to the Authorized Groups list.
Once all changes have been made, click Accept to save and return to the Authorized Groups page.
To add individual accounts:
In the Search for text field associated with the Individual Accounts section, enter the name or partial name of an account. Leaving this field blank will return all accounts.
Click Search to open the Authorize Administration Accounts dialog and display the results of your search.
From the Available Accounts list, select the account(s) to add to the Authorized Accounts list.
Click the button to move the account(s) to the Authorized Accounts list.
Once all changes have been made, click Accept to save and return to the Authorized Groups page.
12
(Optional) Add groups and/or individual accounts as authorized help desk operators:
To add groups:
In the Search for text field associated with the Groups section, enter the name or partial name of a group. Leaving this field blank will return all groups.
Click Search to open the Authorize Help Desk Groups dialog and display the results of your search.
From the Available Groups list, select the group(s) to add to the Authorized Groups list.
Click the button to move the group(s) to the Authorized Groups list.
Once all changes have been made, click Accept to save and return to the Authorized Groups page.
To add individual accounts:
In the Search for text field associated with the Individual Accounts section, enter the name or partial name of an account. Leaving this field blank will return all accounts.
Click Search to open the Authorize Help Desk Accounts dialog and display the results of your search.
From the Available Accounts list, select the account(s) to add to the Authorized Accounts list.
Click the button to move the account(s) to the Authorized Accounts list.
Once all changes have been made, click Accept to save and return to the Authorized Groups page.
13
Once you have finished adding groups and individual accounts, click Save to save all changes made in the wizard. Once the changes have been saved, a bar appears beneath the breadcrumb trail indicating whether or not the changes were successfully saved. Use the browser buttons or breadcrumb trail to exit the wizard.
To add LDAP authentication:
* 
NOTE: Only select LDAP if you understand the LDAP schema necessary for configuring the Security Analytics Engine.
* 
NOTE: Clicking your browser’s back button, a breadcrumb trail link or refreshing the page removes all unsaved changes. To navigate through the wizard, only use the pages listed in the left pane.
1
From the Home page, click on the Security Settings link to open the Security wizard.
2
On the first page (Authentication Provider), enter a display name for the authentication provider. This name is only used within the Administration web pages.
3
Select LDAP as the directory service provider type. The page’s remaining sections and fields are determined by this selection.
4
In the Hostname/IP Address field, enter the IP address or host name of the LDAP server(s). The value should be of the form ‘hostname:port’.
* 
NOTE: The default port of 389 is used if no port value is specified.
* 
NOTE: Specify multiple LDAP servers by separating the values with a comma.
5
By selecting the Is Secure check box, you have the option of using LDAPS for secure communication to the LDAP server using SSL. To use this feature, the LDAP server must have a properly installed SSL certificate with a host name or DNS name matching the value entered in the Hostname/IP Address field.
6
In the DN of User to Bind With and Password fields, enter the full distinguished name (DN) of an account that can be used to bind and perform read-only searches against the LDAP server and the account’s password.
7
In the Search Base field, enter the distinguished name of the location (or container) within your directory from which all user and group objects are accessible.
8
In the Attribute Mappings pane, enter values for the following attributes in the LDAP directory:
Object Class of Users - Enter the Object Class in your LDAP schema that represents a User object.
Object Class of Groups - Enter the Object Class in your LDAP schema that represents a Group object.
User’s Unique ID Attribute - (Optional) Enter an attribute that can be used to uniquely identify a user account.
Group’s Unique ID Attribute - (Optional) Enter an attribute that can be used to uniquely identify a group.
User’s Login Name Attribute - Enter the attribute that contains the value a user types on the Security Analytics Engine Login page when entering their credentials.
Group’s Name Attribute - Enter the attribute name that corresponds to a group’s display name.
User’s Email Attribute - (Optional) Enter an attribute name from which an authenticated user’s email address can be found.
Group’s Members Attribute - Enter the name of a multi-valued attribute that contains a list of the group’s members.
User’s First Name Attribute - Enter the user’s First Name attribute.
User’s Last Name Attribute - Enter the user’s Last Name attribute.
9
After entering the attribute values, click Two Factor Authentication in the left pane.
10
On the Two Factor Authentication Settings page, select one of the following options:
None - Selected by default, this option means no two factor authentication is performed for relying party applications using this authentication provider. Click Authorized Groups in the left pane and skip to Step 13.
Dell SMS - Selecting this option enables additional authentication through the Dell SMS Service. You must purchase this service from Dell in order to use it for two factor authentication.
Continue to Step 11.
RADIUS - Selecting this option enables additional authentication through a RADIUS server. Skip to Step 12.
11
If Dell SMS is selected, enter the following information:
Dell SMS Service Access Key - Enter the access key code provided by Dell.
Mobile Phone Number Attribute - Enter the name of the attribute in the directory service provider containing a user’s mobile phone number.
Click Authorized Groups in the left pane and skip to Step 13.
12
If RADIUS is selected, enter the following information:
Server - Enter the RADIUS server’s host name or IP address.
Port - Enter the port number for the RADIUS server.
Shared Secret - Enter the RADIUS server’s shared secret string.
Username Attribute - Enter the attribute name from your primary directory service provider that represents the unique username mapping between the two directory stores.
Pre-authenticate For Challenge/Response - Select this check box if you know your RADIUS server is configured for Challenge/Response authentication. If configured, a user may have to answer several questions correctly before being able to log in.
Click Authorized Groups in the left pane and continue to Step 13.
13
The final wizard page (Authorized Groups) is used to assign Administrator or Help Desk permissions to specific groups and/or individual accounts. Adding a group or individual account to the Administrator list allows them full permissions on the Security Analytics Engine Administration web site, while adding a group or individual account to the Help Desk Operators group only allows access to the Auditing and Policy Overrides pages.
* 
NOTE: If groups and/or individual accounts are not added then the fallback login is always used to access the Security Analytics Engine Administration web site. We strongly recommend assigning permissions if multiple users need access to the Administration web site.
14
(Optional) Add groups and/or individual accounts as authorized Security Analytics Engine administrators:
To add groups:
In the Search for text field associated with the Groups section, enter the name or partial name of a group. Leaving this field blank will return all groups.
Click Search to open the Authorize Administration Groups dialog and display the results of your search.
From the Available Groups list, select the group(s) to add to the Authorized Groups list.
Click the button to move the group(s) to the Authorized Groups list.
Once all changes have been made, click Accept to save and return to the Authorized Groups page.
To add individual accounts:
In the Search for text field associated with the Individual Accounts section, enter the name or partial name of an account. Leaving this field blank will return all accounts.
Click Search to open the Authorize Administration Accounts dialog and display the results of your search.
From the Available Accounts list, select the account(s) to add to the Authorized Accounts list.
Click the button to move the account(s) to the Authorized Accounts list.
Once all changes have been made, click Accept to save and return to the Authorized Groups page.
15
(Optional) Add groups and/or individual accounts as authorized help desk operators:
To add groups:
In the Search for text field associated with the Groups section, enter the name or partial name of a group. Leaving this field blank will return all groups.
Click Search to open the Authorize Help Desk Groups dialog and display the results of your search.
From the Available Groups list, select the group(s) to add to the Authorized Groups list.
Click the button to move the group(s) to the Authorized Groups list.
Once all changes have been made, click Accept to save and return to the Authorized Groups page.
To add individual accounts:
In the Search for text field associated with the Individual Accounts section, enter the name or partial name of an account. Leaving this field blank will return all accounts.
Click Search to open the Authorize Help Desk Accounts dialog and display the results of your search.
From the Available Accounts list, select the account(s) to add to the Authorized Accounts list.
Click the button to move the account(s) to the Authorized Accounts list.
Once all changes have been made, click Accept to save and return to the Authorized Groups page.
16
Once you have finished adding groups and individual accounts, click Save to save all changes made in the wizard.
関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択