APM Security

The following information provides an overview of the tasks you perform when securing CA APM.
CA APM Security Overview
Use the following security mechanisms to secure Introscope and CA CEM:
  • Authentication of users and groups, and authorization of their access to Introscope and CA CEM.
  • Enterprise Manager security:
    • Use public and private keys to secure authentication between the Manager of Managers (MOM) and Collectors.
    • User authorization is required for securing a connection to the Enterprise Manager.
    • Communication between the Collectors and the MOM is obfuscated. Obfuscation only hides content from casual inspection; it is not encryption.
    • Use configuration properties to secure communications between Enterprise Managers and browsers.
    • Use configuration properties to secure communications between an agent and an Enterprise Manager.
    • Use configuration properties to perform these tasks:
      • View Introscope domains
      • Shut down Enterprise Managers
      • Perform dynamic instrumentation and thread dumps
  • CA CEM security:
    • Use root password protection for the Windows or Linux machine on which the TIM is installed.
    • Use configuration properties to secure communications between the Enterprise Managers and TIMs.
    • Ensure CA CEM data in the APM database is encrypted and meets FIPS compliance.
  • APM database security:
    • Password protect the APM database.
    • Secure a connection to the Enterprise Manager.
  • Introscope and CA CEM applications monitoring:
    • User authorization is required for business service based security.
Security and Permissions
CA APM security consists of authentication and authorization. It lets individual users and user groups (groups), which are defined sets of users such as Application Administrators, System Administrators, or Analysts, log in securely to Introscope and CA CEM. Permissions let users and groups perform specific Introscope tasks.
User Authentication
Authentication is the mechanism that securely identifies users. It provides Introscope and CA CEM with answers to questions such as:
  • Who is this user?
  • Is this user really who they claim to be?
Authentication systems depend on a unique piece of information known only to the individual being authenticated and the authentication system. To verify a user's identity, the authenticating system typically challenges the user to provide that information. If the system can verify that the information presented is correct, the user is considered authenticated.
User Authorization
Authorization is the mechanism by which a system determines the level of access a particular authenticated user should have to secured resources (such as applications, pages, and data) controlled by that system. In other words, authorization is the process of checking whether a user has permission to perform an action on a resource.
An access policy grants permission to specific users or groups to perform an action on a set of resources of a given type.
For example, a database management system might be designed to let certain individuals retrieve information from a database but not change the data stored in it, while letting other individuals change data. Authorization systems grant these permissions by answering questions such as:
  • Is user X authorized to access resource R?
  • Is user X authorized to perform operation P?
  • Is user X authorized to perform operation P on resource R?
Security Realms
A security realm defines a source of users, user groups, and access policies that is responsible for authenticating, authorizing, or authenticating and authorizing users.
You configure one or more security realms for CA APM security in the realms.xml file. Introscope and CA CEM use the security realms configured in realms.xml to decide how to authenticate and authorize users. When a user logs in to Introscope or CA CEM, the application checks each security realm in the order defined in realms.xml for a user with the given ID. Authentication succeeds if the supplied password matches the value that realm holds for the user. Authentication fails if either of these conditions holds:
  • No user of that name exists in any of the defined realms.
  • The user exists in a realm but the password is wrong.
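The following is an added example, not CA APM code, that implements the ordered realm lookup described above with two Local-style realms. The realm names, users and passwords are constructed. Two choices go beyond what the page states and are labelled as assumptions in the code: the first realm that knows the user decides the outcome (a wrong password there fails rather than falling through to the next realm), and the password store holds salted PBKDF2 hashes compared in constant time, with a dummy hash computed for unknown users so that "no such user" is not faster than "wrong password".

```python
# Added example (not CA APM code): an ordered realm chain implementing the login
# rule in the text. Realm names, users and passwords are constructed. The
# hashed store, constant-time compare and dummy hash are hardening choices the
# page does not describe; the first-match-decides rule is an assumption.
import hashlib
import hmac
import os

ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class LocalRealm:
    """A users.xml-style store of username -> (salt, hash)."""

    def __init__(self, name, credentials):
        self.name = name
        self._users = {u: hash_password(p) for u, p in credentials.items()}
        # Used when the user is unknown, so unknown-user and wrong-password
        # attempts cost the same amount of hashing (blunts timing-based enumeration).
        self._dummy = hash_password("")

    def has_user(self, username):
        return username in self._users

    def verify(self, username, password):
        salt, expected = self._users.get(username, self._dummy)
        _, actual = hash_password(password, salt)
        # Constant-time comparison; has_user guard rejects a match against the dummy.
        return hmac.compare_digest(actual, expected) and self.has_user(username)


class RealmChain:
    """Consults realms in configured order, as the text describes for realms.xml."""

    def __init__(self, realms):
        self.realms = list(realms)

    def authenticate(self, username, password):
        """Return the name of the realm that authenticated the user, or None."""
        for realm in self.realms:
            if not realm.has_user(username):
                continue
            # Assumption: the first realm that knows the user decides the outcome;
            # a wrong password there is a failure, not a fall-through.
            return realm.name if realm.verify(username, password) else None
        if self.realms:
            # No realm knows the user: burn one hash so this path is not faster.
            self.realms[0].verify(username, password)
        return None


def build_demo_chain():
    """Constructed sample: two Local-style realms, checked in this order."""
    primary = LocalRealm("Local Users", {"alice": "correct horse", "carol": "in-both"})
    secondary = LocalRealm("Secondary", {"bob": "battery staple", "carol": "different"})
    return RealmChain([primary, secondary])


if __name__ == "__main__":
    chain = build_demo_chain()
    for user, pw in (("alice", "correct horse"), ("alice", "wrong"),
                     ("bob", "battery staple"), ("carol", "different"), ("nobody", "x")):
        print(user, "->", chain.authenticate(user, pw))
```

The user carol illustrates why realm order matters: she exists in both realms with different passwords, and because the first realm that knows her decides, her second-realm password is rejected.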
For information about configuring realms in realms.xml, see these topics:
You can deploy Introscope security using one or any supported combination of these three security realms:
  • Local XML files (Local): Local security consists of Local authentication and authorization using XML files stored on the Enterprise Manager in the <EM_Home>/config directory.
    • For Local authentication, an XML file stores the username and password information locally on each Enterprise Manager. The default filename is users.xml. At runtime, Introscope checks the Local file (users.xml) to authenticate CA APM users.
    • For Local authorization, Introscope stores two XML files locally on each Enterprise Manager: domains.xml for domain permissions and server.xml for server permissions. At runtime, Introscope checks these Local files to authorize CA APM users.
    Introscope provides Local security as the default.
    Change the default CA APM login used to reach Enterprise Managers from the Workstation, WebView, Web Start Workstation, or CEM console. Leaving the default login in place with only Introscope Local security in use makes it easier for an attacker to obtain valid credentials and impersonate a user.
  • Lightweight Directory Access Protocol (LDAP): An application protocol for querying and modifying directory services over TCP/IP.
    The LDAP security realm authenticates CA APM users only; when you use it, Local XML files must handle authorization.
  • CA EEM: A CA Technologies application that lets other applications share common access policy management, authentication, and authorization services.
    You can deploy CA EEM to authenticate and authorize CA APM users.
    You can also configure CA EEM to use LDAP for authentication while CA EEM performs authorization.
This table lists the major features that Introscope security realms support.
Supported features by security realm

Feature                                                   CA EEM  LDAP            Local
--------------------------------------------------------  ------  --------------  ------------------------
Centralized security server shared by multiple            Yes     Yes             No
  Enterprise Managers
Security realm is always available                        No      No              Yes (runs in the
                                                                                  Enterprise Manager)
Supports failover                                         Yes     Yes             Not applicable
Integrated with SiteMinder                                Yes     No              No
Supports fine-grained permissions                         Yes     Not applicable  No
  (business-service-based security, flexible
  CA CEM permissions)
Industry standard solution                                Yes     Yes             No
Allows for auditing                                       Yes     Yes             No
Includes a user interface for managing users              Yes     Yes             No
Includes a user interface for managing access policies    Yes     Not applicable  No
You can deploy CA CEM security using one or any supported combination of these two security realms:
  • Local XML files (Local): Local security consists of Local authentication and authorization using XML files stored on the Enterprise Manager in the <EM_Home>/config directory.
    • For Local authentication and authorization, an XML file stores the username and password information locally on each Enterprise Manager. Four default CEM security groups, and the users belonging to them, are also defined there. The default filename is users.xml. The authorization check is based on membership in the four default security groups. At runtime, the Local file (users.xml) is used for both authentication and authorization of CA CEM users.
    Introscope provides Local security as the default.
  • CA EEM: A CA Technologies application that lets other applications share common access policy management, authentication, and authorization services.
CA APM provides single login capability. Users who are permitted to access both CA CEM and Introscope can navigate between these two applications without being prompted to log in again. Upon CA CEM or Introscope user authentication, CA APM gets the user identity and the name of the realm that authenticated the user. Introscope uses this information to obtain the groups to which the user belongs. Then CA APM uses one of these methods to authorize the user:
  • For CA EEM, the user access policy.
  • For Local security, membership in one or more CA CEM security user groups.
In setting up CA APM security, your organization must determine which single or hybrid security realm to deploy. To allow CA APM users to access Introscope, deploy either the Local or CA EEM realm.