Setting Up Security

Before you allow people to use CA SDM, it is important that you set up security to determine the following:
  • Which users can access the system
  • What level or levels of access users can have
  • How users are authenticated when they log in
CA EEM User Base Configurations
CA EEM is a central repository of user information (identities). CA EEM defines user authentication and access to other applications. If you have several CA Technologies products installed, some of them can use CA EEM to store identities and access policies. CA SDM only uses CA EEM for authentication. CA EEM is not a CA SDM configuration option and must be installed separately.
The CA EEM repository of user records is either of the following sources:
  • An external LDAP directory
  • Its own internal tables in the MDB
CA EEM has an LDAP interface for use when it is configured to use the MDB.
The MDB tables used by CA EEM are different from the ones used by CA SDM.
If your organization uses a directory server, such as Active Directory or eTrust Directory, consider configuring CA EEM to use the directory for its user base. This configuration makes the users in your directory accessible by any other application that uses CA EEM. Because CA EEM centralizes access management, it is typically installed on a single server.
CA SDM
CA SDM stores contact information in MDB tables. These tables have no relationship to CA EEM. CA SDM does not use CA EEM for access or identity management. CA SDM manages its own access and security with Access Types and Data Partitions.
CA SDM uses CA EEM only for authentication. If you want to use CA EEM to authenticate users in CA SDM, install CA EEM. If you integrate CA SDM with CA EEM, it replaces the CA SDM operating system authentication with CA EEM authentication.
To integrate CA EEM and CA SDM, you must set the eiam_hostname, use_eiam_artifact, and use_eiam_authentication options in Options Manager, Security.
To summarize:
  • The CA SDM user base is separate from that of CA EEM.
  • CA SDM uses the MDB to store Contact information. CA SDM also features an LDAP integration, which allows it to create new Contacts from an LDAP server and synchronize existing contacts with the directory.
  • CA EEM is CA’s solution to centralized user management. If you have several CA products installed, they all may be using CA EEM to store identities and access policies.
  • CA EEM may be configured to either point to an external (LDAP) directory or use the MDB to store user information. CA EEM itself has an LDAP interface for use when it is configured to use the MDB.
    The tables used by CA EEM in the MDB are different from the ones used by CA SDM.
CA EEM as LDAP Configuration
When CA EEM is configured to use MDB rather than an external directory to store user information, CA EEM exposes the user directory using an LDAP interface. If your site does not use an external LDAP server, you can still get the advantages of external LDAP configuration by configuring CA SDM to use CA EEM as an LDAP source. This configuration can be useful if your site does not use an LDAP server but you want to consolidate user management in CA EEM. Other CA products also use CA EEM, which can greatly simplify user management.
Diagram depicting CA EEM as LDAP configuration
This configuration is applicable only when CA EEM is configured to use the MDB. If CA EEM is configured to use an external LDAP server, configure CA SDM to point to the same LDAP server, not to CA EEM. For more information, see How to integrate CA SDM with LDAP.
Configure the CA EEM r8.4 SP4 CR05 User Store
You can configure CA EEM r8.4 SP4 CR05 to store user records in an external LDAP directory or in its own internal MDB tables. When CA EEM uses an external LDAP directory, it is a read-only interface; you cannot add or modify users through the CA EEM interface.
Follow these steps:
  1. Click Start, Programs, CA, Embedded Entitlements Manager, EEM UI.
    The CA EEM user interface appears.
  2. Click the Configure tab.
  3. Click the EEM Server sub-tab.
  4. On the left-hand pane, click the Global Users / Global Groups link.
  5. On the right-hand pane, select one of the following options:
    • Store in internal datastore
    • Reference from an external directory
    • Reference from CA SiteMinder
       If you select the Reference from an external directory option, you are prompted for the LDAP server details.
  6. Click Save.
    The user store configuration for CA EEM is complete.
Configure the CA EEM r12 CR02 User Store
You can configure CA EEM r12 CR02 to store user records in an external LDAP directory or in its own internal MDB tables. When CA EEM uses an external LDAP directory, it is a read-only interface; you cannot add or modify users through the CA EEM interface.
Follow these steps:
  1. Click Start, Programs, CA, Embedded Entitlements Manager, Admin UI.
    The CA EEM user interface appears.
  2. Click the Configure Tab.
  3. Click the User Store sub-tab.
  4. On the left-hand pane, click the User Store link.
  5. On the right-hand pane, select one of the following options:
    • Store in internal user store
    • Reference from an external LDAP Directory
    • Reference from CA SiteMinder
       If you select the Reference from an external directory option, you are prompted for the LDAP server details.
  6. Click Save.
    The user store configuration for CA EEM is complete.
Add Users and Groups
If CA EEM is configured to reference an external directory, you cannot add users using the CA EEM user interface. CA EEM is a read-only interface to the LDAP server. You must use whatever interface is provided with your particular LDAP server product to update user records.
Follow these steps:
  1. Click Start, Programs, CA, Embedded Entitlements Manager, Admin UI/EEM UI.
  2. Log in using the CA EEM administrator user name and password. These are specified during the CA EEM installation. CA EEM must be installed separately and is not a configuration option for CA SDM.
  3. Click the Manage Identities tab.
  4. On the left-hand pane, click the Users tab to search for and update existing user records.
    To manage the CA EEM groups, click the Groups tab.
  5. Click the icon to the left of the Users folder.
    The form for creating a user record appears.
  6. Complete the form and click Save.
    The new CA EEM user record is saved in the MDB.
The steps to edit an existing user record and maintain group records are similar to these steps.
Security Considerations
When you first install CA SDM, the system is set up to allow maximum access to any contact whose contact record does not define an explicit access type. Perform the following steps before using the application:
  1. Review the predefined access types to determine a reasonable default for your system.
    Administrator is set as the default access type, which is not a good choice for most sites. For example, some sites offer read-only CA access to most members of the IT organization. If you set CMDB User as the default access type, you do not have to set the access type of new users unless they need additional privileges. Similarly, if most users require the privilege to write configuration information, you can select CMDB Analyst as the default access type.
  2. Assign the access types of remaining contacts explicitly.
    For example, if you select CMDB User as the default access type, modify the contact records for your analyst contacts to assign an access type of analyst.
CA EEM Authentication for CA Process Automation
CA SDM and CA Process Automation communicate using a web services exchange over HTTP. Although every effort is made to pass as little sensitive information as possible between the products, a malicious entity could still access user names, passwords, and proprietary information carried in that exchange. You can take deliberate steps to secure server communication.
For CA Process Automation authentication, consider the following recommendations:
  • As an option, you can configure CA Process Automation to use CA EEM as an authentication server. CA Process Automation implements default groups and policies within CA EEM. You can modify the default groups and policies to meet the needs of your organization.
  • Using CA EEM eliminates the need to pass plain text user names and passwords for authentication purposes. If you are using multi-tenancy, CA EEM is required for enabling multi-tenancy within CA Process Automation.
    To achieve authentication security in this integration, it is not necessary to have CA SDM configured to use CA EEM. However, CA EEM is required for CA Process Automation multi-tenancy implementation.
  • Configure CA Process Automation to communicate using secure communications over HTTPS. HTTPS URLs use SSL/TLS to eliminate plain text exchanges while protecting proprietary and other sensitive data from accidental or malicious disclosure.