Authenticating Active Directory users using Windows Integrated Authentication
Windows Integrated Authentication (WIA) allows a user to securely reuse their desktop credentials to log onto the mangement console when using a browser that supports WIA. Using WIA requires that the console server is installed and running on a Windows machine that is joined to the forest which you have chosen to manage, or is installed and running on a Unix machine that is running Authentication Services and is joined to the forest which you have chosen to manage. The client browser must also be joined to the same forest.
Authenticating Active Directory users using a username and password
When authenticating Active Directory users using a username and password, the credentials are used to obtain a Kerberos Ticket Granting Ticket (TGT) from Active Directory. If the Management Console for Unix server is running on a machine that is joined to a domain in a managed Active Directory forest (either on Windows or using Authentication Services on Unix or Linux), a Kerberos service ticket is also obtained for the host account. This second step is necessary to ensure that the TGT has not been falsified and to map any Domain Local Groups to the server's domain.
If the server has not been joined, or is joined to a different forest than the one being managed, an attacker could subvert the logon security by spoofing fake responses from Active Directory (for example, by hijacking DNS to point to a rogue Active Directory service). This is because the security guarantees of the Kerberos protocol require proof of a shared key between Active Directory and the server, before it can be proven that a given TGT is valid; and this proof requires obtaining a service ticket encrypted in the server's key.
Note: While you can run the Management Console for Unix server on a computer that is not joined to the forest, One Identity recommends that you run the Management Console for Unix server on a machine joined to the Active Directory forest you are managing to ensure that Active Directory users can be securely authenticated
Installing a production certificate
SSL/TLS encryption of HTTP traffic between the server and web browser, and integrity checking of data received from the Management Console for Unix server is required to ensure that:
- The web browser application is using code and data coming from a trusted source
- Information about the Unix hosts managed by Management Console for Unix is not exposed in clear text on a network
- Authentication information, such as Active Directory passwords and Unix logon and root passwords, are kept secure
For this reason, Management Console for Unix is configured to require all connections to the browser be secured with the SSL/TLS protocol. See Disabling SSL/TLS encryption.
When installed, Management Console for Unix will initially be configured with a newly generated self-signed certificate. Because the authenticity of this certificate cannot be verified, your browser will usually display a warning message whenever you launch the mangement console. To rectify this situation, you can install a custom key pair for SSL/TLS.
Generating a custom SSL/TLS certificate and key pair for Management Console for Unix
You can obtain a trusted certificate from a third-party Certificate Authority. Each authority has its own instructions, but all require you to generate a Certificate Signing Request (CSR). See Exporting Data using the -certreq command for details about generating a CSR using the PKCS#10 format.
Optionally you can use a tool (such as, keytool or OpenSSL) to manually generate the public/private key pair and the certificate you need. You can also obtain a certificate and key pair from your Enterprise Certificate Authority.
To install a custom SSL/TLS certificate and key pair using keytool
-
Generate a private key in the keystore file using the keytool command:
keytool -genkeypair -storetype JKS -alias <aliasName> -keyalg RSA
-keysize 2048 -validity <numberOfDaysForCertificateToBeValid>
-keystore <keystoreName>
NOTE: See step 3 below for the final keystoreName value.
-
Enter the keystore password and provide the other specifications it asks for (or click enter to accept the default). When it asks, "what is your first and last name?" enter the Management Console for Unix server's resolvable host name, such as
computer.test.com
Note: Optionally, you can include this option in the above keytool command:
-dname "CN=<hostName>"
where < hostName> is the Management Console for Unix server's resolvable host name.
If the host name does not match the Management Console for Unix server's resolvable host name, your browser might indicate a security problem with the certificate that states the presented certificate was issued for a different web site's address.
-
Verify the newly created keystore file:
keytool -list -v -keystore <keystoreName>
Enter the keystore password when prompted.
-
Export the certificate from the keystore:
keytool -export -alias <aliasName> -keystore <keystoreName> -rfc -file
<certificateName>.cer
Enter the keystore password when prompted.
- Stop the Management Console for Unix service.
See Start/stop/restart Management Console for Unix service for details.
-
Jetty and the Management Console for Unix expect the keystore file to be in a standard location:
- On Windows platforms: %SystemDrive%:\ProgramData\Quest Software\Management Console for Unix\jetty-base\etc\keystore
- One Unix/Linux platforms: /var/opt/quest/mcu/jetty-base/etc/keystore
If the keystore file from Step 1 is not already in this location, copy or move it to this location and ensure it has read permissions that will allow the Management Console for Unix service to read it.
- Open the custom.cfg file for editing.
See Setting custom configuration settings for general information about customizing configuration settings for the mangement console.
-
Modify the following Jetty Settings:
-Djetty.sslContext.keyStorePassword=<password>
-Djetty.sslContext.keyManagerPassword=<password>
-Djetty.sslContext.trustStorePassword=<password>
where <password> is your plain text password or, if obfuscated (as explained below), is something similar to:
OBF:1tvp1saj1y7z1sar1tvd
Note: Optionally you can obfuscate your SSL keystore password so it is not stored in plain text by running the following command from your installation directory:
The output of gen_secure_password.exe lists
- your password in plain text
- an "MD5:" checksum
- an encrypted version of the password using UnixCrypt (if a user name was supplied.)
- the obfuscated password pre-pended with "OBF:"
Jetty only supports obfuscation (OBF) of SSL keystore passwords; the others can be ignored.
-
Save the custom.cfg file.
-
Start the Management Console for Unix service.
For more information, see the Jetty documentation at: Configuring SSL/TLS.