APM Security
The following information provides an overview of the tasks you perform when securing CA APM.
CA APM Security Overview
Use the following security mechanisms to secure Introscope and CA CEM:
- Authentication (user/group) and authorization of access to Introscope and CA CEM:
  - Local security: Configure file-based Local security in the users.xml file (<EM_Home>/config directory).
  - LDAP authentication: Use LDAP for authentication and Local security for authorization.
  - CA Embedded Entitlements Manager (CA EEM): Secure Introscope with CA EEM, and use CA EEM authentication and authorization for CA CEM.
- Enterprise Manager security:
  - Use public and private keys to secure authentication between the Manager of Managers (MOM) and Collectors.
  - User authorization is required to secure a connection to the Enterprise Manager.
  - Communication between the Collectors and the MOM is obfuscated (obfuscation is not encryption).
  - Use configuration properties to secure communications between Enterprise Managers and browsers.
  - Use configuration properties to secure communications between an agent and an Enterprise Manager.
  - Use configuration properties to control who can perform these tasks:
    - View Introscope domains
    - Shut down Enterprise Managers
    - Perform dynamic instrumentation and thread dumps
- CA CEM security:
  - Protect the root password of the Windows or Linux machine on which the TIM is installed.
  - Use configuration properties to secure communications between the Enterprise Managers and TIMs.
  - Ensure that CA CEM data in the APM database is encrypted and meets FIPS compliance.
- APM database security:
  - Password-protect the APM database.
  - Secure the connection to the Enterprise Manager.
- Introscope and CA CEM application monitoring:
  - User authorization is required for business-service-based security.
Security and Permissions
CA APM security consists of authentication and authorization. It allows individual users and user groups (named sets of users, such as Application Administrators, System Administrators, or Analysts) to log in securely to Introscope and CA CEM. Permissions allow users and groups to perform specific Introscope tasks.
User Authentication
Authentication is the mechanism that securely identifies users. Authentication provides Introscope and CA CEM with answers to questions such as:
- Who is this user?
- Is this user really who they claim to be?
Authentication systems depend on a unique piece of information known only to the individual being authenticated and the authentication system. To verify a user's identity, the authenticating system typically challenges the user to provide that information. If the authenticating system can verify that the information presented is correct, the user is considered authenticated.
User Authorization
Authorization is the mechanism by which a system determines the level of access a particular authenticated user should have to secured resources (such as applications, pages, and data) controlled by that system. In other words, authorization is the process of checking whether a user has permission to perform an action on a resource. An access policy grants permission to specific users or groups to perform an action on a set of resources of a given type. For example, a database management system might give certain individuals the ability to retrieve information from a database but not to change the data stored in it, while giving other individuals the ability to change data. Authorization systems grant these permissions by providing answers to questions such as:
- Is user X authorized to access resource R?
- Is user X authorized to perform operation P?
- Is user X authorized to perform operation P on resource R?
Security Realms
A security realm defines a source of users, user groups, and access policies that is responsible for authenticating users, authorizing them, or both.
You configure one or more security realms for CA APM security in the realms.xml file. Introscope and CA CEM use the security realms configured in realms.xml to decide how to authenticate and authorize users. When a user logs in to either Introscope or CA CEM, the application checks each security realm in the order defined in realms.xml to see whether a user with the given ID exists. Authentication succeeds if the password supplied matches the value held by that security realm. Authentication fails if either of these conditions holds:
- No user of that name exists in any of the defined realms.
- The user exists in a realm but the password is wrong.
You can deploy Introscope security using one or any supported combination of these three security realms:
- Local XML files (Local): Local security consists of Local authentication and authorization using XML files stored on the Enterprise Manager in the <EM_Home>/config directory.
  - For Local authentication, an XML file stores the username and password information locally on each Enterprise Manager. The default filename is users.xml. At runtime, Introscope checks the Local file (users.xml) to authenticate CA APM users.
  - For Local authorization, Introscope stores two XML files locally on each Enterprise Manager: domains.xml for domain permissions and server.xml for server permissions. At runtime, Introscope checks these Local files (domains.xml and server.xml) to authorize CA APM users.
  - Introscope provides Local security as the default. Changing the default CA APM login to Enterprise Managers from the Workstation, WebView, Web Start Workstation, or CEM console is a best practice. If the default login is left unchanged and only Introscope Local security is used, the risk of account compromise increases.
- Lightweight Directory Access Protocol (LDAP): An application protocol for querying and modifying directory services running over TCP/IP. You can use the LDAP security realm only to authenticate CA APM users, and only if you use Local XML files for authorization.
- CA EEM: A CA Technologies application that allows other applications to share common access policy management, authentication, and authorization services. You can deploy CA EEM to authenticate and authorize CA APM users. You can also configure CA EEM to use LDAP for authentication while CA EEM handles authorization.
This table lists the major features that Introscope security realms support.
Supported features by security realm

| Feature | CA EEM | LDAP | Local |
|---|---|---|---|
| Centralized security server shared by multiple Enterprise Managers | Yes | Yes | No |
| Security realm is always available | No | No | Yes (runs in the Enterprise Manager, so it is always available) |
| Supports failover | Yes | Yes | Not applicable |
| Integrated with SiteMinder | Yes | No | No |
| Supports fine-grained permissions (business-service-based security, flexible CA CEM permissions) | Yes | Not applicable | No |
| Industry standard solution | Yes | Yes | No |
| Allows for auditing | Yes | Yes | No |
| Includes a user interface for managing users | Yes | Yes | No |
| Includes a user interface for managing access policies | Yes | Not applicable | No |
You can deploy CA CEM security using one or any supported combination of these two security realms:
- Local XML files (Local): Local security consists of Local authentication and authorization using XML files stored on the Enterprise Manager in the <EM_Home>/config directory.
  - For Local authentication and authorization, an XML file stores the username and password information locally on each Enterprise Manager. The default filename is users.xml. The four default CA CEM security groups and the users belonging to them are also defined in this file, and the authorization check is based on membership in those four groups. At runtime, the Local file (users.xml) is used for both authentication and authorization of CA CEM users.
- CA EEM: A CA Technologies application that allows other applications to share common access policy management, authentication, and authorization services. You can:
  - Deploy CA EEM to authenticate and authorize CA APM users.
  - Configure CA EEM authentication through CA SiteMinder, with CA EEM for authorization.
  - Configure CA EEM for authentication only, and Local XML files for authorization.
CA APM provides single login capability. Users who are permitted to access both CA CEM and Introscope can navigate between these two applications without being prompted to log in again. Upon CA CEM or Introscope user authentication, CA APM gets the user identity and the name of the realm that authenticated the user. Introscope uses this information to obtain the groups to which the user belongs. Then CA APM uses one of these methods to authorize the user:
- For CA EEM, the user access policy.
- For Local security, membership in one or more CA CEM security user groups.
In setting up CA APM security, your organization must determine which single or hybrid security realm to deploy. To allow CA APM users to access Introscope, deploy either the Local or CA EEM realm.
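The login sequence described under Security Realms and the single-login authorization step above, as an added Python model. This is illustration code written for this page, not CA APM's implementation: the realm names, the PBKDF2 password storage, the in-memory stand-in for an LDAP bind, and the AccessPolicy shape are assumptions. It follows the documented order of evaluation: the first realm in realms.xml that knows the user ID decides the login, and the authenticated (user, realm) pair is then mapped to that realm's groups and checked against an access policy (the CA EEM case) or, for Local security, against group membership. The sample data is constructed so that one user ID exists in two realms with different passwords, which shows why realm order matters.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

PBKDF2_ROUNDS = 50_000  # assumption for the model; CA APM's own storage format is not shown here


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256. Stand-in for however a realm stores or verifies a secret."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Realm:
    """One entry of realms.xml: a user source plus the groups it knows about."""
    name: str
    users: Dict[str, Tuple[bytes, bytes]]                      # user ID -> (salt, digest)
    groups: Dict[str, Set[str]] = field(default_factory=dict)  # group -> member user IDs


@dataclass(frozen=True)
class AccessPolicy:
    """Grants the listed groups the listed actions on one resource type (hypothetical shape)."""
    groups: FrozenSet[str]
    actions: FrozenSet[str]
    resource_type: str


def authenticate(realms: List[Realm], user_id: str, password: str) -> Optional[Tuple[str, str]]:
    """Return (user_id, realm_name) on success, None on failure.

    Realms are consulted in realms.xml order. The first realm that contains the
    user ID is the only one whose password is checked: a wrong password there
    fails the login even if a later realm also defines the same user ID.
    """
    for realm in realms:
        entry = realm.users.get(user_id)
        if entry is None:
            continue                      # unknown in this realm, try the next one
        salt, stored = entry
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored):
            return user_id, realm.name
        return None                       # user exists here but the password is wrong
    return None                           # no realm knows this user ID


def groups_for(realms: List[Realm], user_id: str, realm_name: str) -> Set[str]:
    """Groups are resolved in the realm that authenticated the user, as the text describes."""
    realm = next(r for r in realms if r.name == realm_name)
    return {g for g, members in realm.groups.items() if user_id in members}


def authorized(policies: List[AccessPolicy], groups: Set[str], action: str, resource_type: str) -> bool:
    """Is a member of `groups` authorized to perform `action` on a resource of `resource_type`?"""
    return any(
        p.resource_type == resource_type and action in p.actions and bool(groups & p.groups)
        for p in policies
    )


def build_realms() -> List[Realm]:
    """Constructed sample data. 'CorpLDAP' stands in for an LDAP bind; a real LDAP realm
    would not hold password hashes, but the lookup order is what this model is about."""
    local = Realm(
        "Local",
        {"Admin": hash_password("local-admin-pw"), "jdoe": hash_password("local-jdoe-pw")},
        {"Admin": {"Admin"}, "Analyst": {"jdoe"}},
    )
    ldap = Realm(
        "CorpLDAP",
        {"jdoe": hash_password("ldap-jdoe-pw"), "asmith": hash_password("ldap-asmith-pw")},
        {"Analyst": {"jdoe", "asmith"}},
    )
    return [local, ldap]                  # realms.xml order: Local first, then CorpLDAP


REALMS = build_realms()
POLICIES = [  # hypothetical policies mirroring the server and domain permissions named above
    AccessPolicy(frozenset({"Admin"}), frozenset({"read", "shutdown"}), "EnterpriseManager"),
    AccessPolicy(frozenset({"Admin", "Analyst"}), frozenset({"read"}), "Domain"),
]


def login_and_check(user_id: str, password: str, action: str, resource_type: str) -> str:
    """Single-login flow: authenticate once, then authorize with the (user, realm) identity."""
    ident = authenticate(REALMS, user_id, password)
    if ident is None:
        return "authentication failed"
    user, realm_name = ident
    groups = groups_for(REALMS, user, realm_name)
    return "allowed" if authorized(POLICIES, groups, action, resource_type) else "denied"


if __name__ == "__main__":
    # jdoe is defined in both realms; only the Local password works because Local is listed first
    print(login_and_check("jdoe", "ldap-jdoe-pw", "read", "Domain"))                      # authentication failed
    print(login_and_check("jdoe", "local-jdoe-pw", "read", "Domain"))                     # allowed
    print(login_and_check("asmith", "ldap-asmith-pw", "shutdown", "EnterpriseManager"))   # denied
```

The point to take from the model when planning a hybrid deployment: a user ID that exists in more than one realm is only ever checked against the first realm that lists it, so a stale Local entry ahead of an LDAP realm silently shadows the directory account.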