Managing DirX Audit Manager Classic
This chapter provides information about how to manage DirX Audit Manager Classic.
It consists of the following sections:
- Running the DirX Audit Manager Classic service
- Configuring LDAP authentication
- Configuring a secure HTTP connection
- Configuring a secure LDAP connection
- Configuring Windows authentication using the Kerberos login module
- Configuring Single Sign-on (SSO) Web authentication using SPNEGO / Kerberos
Running the DirX Audit Manager Classic Service
The DirX Audit Manager Classic application is based on the Apache Tomcat technology.
To start and stop DirX Audit Manager Classic, use the service provided by Apache Tomcat. This service must be configured externally.
You can check whether the application is running in your Internet browser. Type one of the following URLs:
http://hostname:port/AuditManager/?tenant=tenantID
https://hostname:port/AuditManager/?tenant=tenantID
where hostname specifies the server address, port the server port number and tenantID the identifier of a tenant generated during the tenant configuration process. The default port for HTTP is 8080 and 8443 for HTTPS.
Configuring LDAP Authentication
DirX Audit Manager Classic can authenticate users on an external directory server over the LDAP protocol. The authentication is fully configurable, and you can choose from a broad range of directory services. (See the sections “Audit Manager Classic Authentication” in the Core Configuration and the “Authentication Configuration” in the Tenant Configuration in the chapter “Configuring DirX Audit” in the DirX Audit Installation Guide for details.)
The roles (Auditors, AuditAdmins and RestrictedAuditors) are evaluated in DirX Audit Manager Classic when a user accesses the Dashboard, Audit analysis, Reports and History views. (See the DirX Audit Manager Classic Guide for details.)
Here is a sample configuration for a DirX Identity domain:
Search base for users: cn=Users,cn=My-Company
Search filter for users: (&(objectClass=dxrUser)(%s))
User target: cn
Search base for groups: cn=Groups,cn=DirXmetaRole,cn=TargetSystems,cn=My-Company
Search filter for groups: (&(objectclass=dxrTargetSystemGroup)(uniqueMember=%d))
Group target: cn
List of auditor groups: cn=Auditors,cn=Groups,cn=DirXmetaRole,cn=TargetSystems,cn=My-Company
List of audit administrator groups: cn=AuditAdmins,cn=Groups,cn=DirXmetaRole,cn=TargetSystems,cn=My-Company
List of restricted auditor groups: cn=RestrictedAuditors,cn=Groups,cn=DirXmetaRole,cn=TargetSystems,cn=My-Company
User identification attribute: dxrUID
User mail attribute: mail
Here is a sample configuration for an Active Directory domain:
Search base for users: CN=Users,DC=dxt,DC=my-company,DC=com
Search filter for users: (&(objectClass=user)(%s))
User target: sAMAccountName
Search base for groups: OU=Groups,DC=dxt,DC=my-company,DC=com
Search filter for groups: (&(objectclass=group)(member=%d))
Group target: cn
List of auditor groups: CN=Auditors,OU=Groups,DC=dxt,DC=my-company,DC=com
List of audit administrator groups: CN=AuditAdmins,OU=Groups,DC=dxt,DC=my-company,DC=com
List of restricted auditor groups: CN=RestrictedAuditors,OU=Groups,DC=dxt,DC=my-company,DC=com
User identification attribute: employeeNumber
User mail attribute: mail
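The following Python example is added here to show how the two sample configurations above are used at authentication time; it is not DirX Audit code. It assumes (the page does not state this) that the %s placeholder in the user filter is replaced by "<user target>=<login name>" and that %d in the group filter is replaced by the DN of the user entry found in the first search. The login name is escaped according to RFC 4515 before substitution so that a name containing filter metacharacters cannot change the structure of the search filter, and the DNs of the groups the user belongs to are then mapped onto the Auditors, AuditAdmins and RestrictedAuditors roles.

```python
# Role mapping configuration copied from the Active Directory sample above.
# ASSUMPTION (not stated in the guide): "%s" is filled with
# "<user target>=<login name>" and "%d" with the authenticated user's DN.
AD_CONFIG = {
    "user_base": "CN=Users,DC=dxt,DC=my-company,DC=com",
    "user_filter": "(&(objectClass=user)(%s))",
    "user_target": "sAMAccountName",
    "group_base": "OU=Groups,DC=dxt,DC=my-company,DC=com",
    "group_filter": "(&(objectclass=group)(member=%d))",
    "roles": {
        "Auditors": ["CN=Auditors,OU=Groups,DC=dxt,DC=my-company,DC=com"],
        "AuditAdmins": ["CN=AuditAdmins,OU=Groups,DC=dxt,DC=my-company,DC=com"],
        "RestrictedAuditors": [
            "CN=RestrictedAuditors,OU=Groups,DC=dxt,DC=my-company,DC=com"
        ],
    },
}

# RFC 4515 escaping: these characters would otherwise change the filter's
# structure when a login name is substituted into it.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape an assertion value for safe use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(config, login_name):
    """Build the user lookup filter: %s becomes '<user target>=<escaped login>'."""
    assertion = f"{config['user_target']}={escape_filter_value(login_name)}"
    return config["user_filter"].replace("%s", assertion)


def group_search_filter(config, user_dn):
    """Build the group membership filter: %d becomes the (escaped) user DN."""
    return config["group_filter"].replace("%d", escape_filter_value(user_dn))


def _normalize_dn(dn):
    """Simplified DN comparison key: case-insensitive, whitespace around RDN
    separators ignored. Full RFC 4517 DN matching (escaped commas etc.) is
    deliberately out of scope for this example."""
    return ",".join(part.strip() for part in dn.split(",")).casefold()


def roles_for_groups(config, member_of_dns):
    """Map the DNs of the groups a user belongs to onto DirX Audit roles."""
    have = {_normalize_dn(dn) for dn in member_of_dns}
    roles = set()
    for role, group_dns in config["roles"].items():
        if any(_normalize_dn(g) in have for g in group_dns):
            roles.add(role)
    return roles


if __name__ == "__main__":
    print(user_search_filter(AD_CONFIG, "jdoe"))
    # A login containing filter metacharacters stays a literal value:
    print(user_search_filter(AD_CONFIG, "*)(objectClass=*"))
    print(roles_for_groups(AD_CONFIG, ["CN=Auditors,OU=Groups,DC=dxt,DC=my-company,DC=com"]))
```

The group search runs with the DN returned by the user search, not with the login name, so the only untrusted input that ever reaches a filter is the login name passed through escape_filter_value. A user who is in none of the three configured groups gets an empty role set and is authenticated but not authorized for the Dashboard, Audit analysis, Reports and History views.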
Configuring a Secure HTTP Connection
We strongly recommend that you run the DirX Audit Manager Classic application via the HTTPS protocol. See the Tomcat documentation for details. For example, http://tomcat.apache.org/tomcat-11.0-doc/ssl-howto.html.
Configuring a Secure LDAP Connection
DirX Audit Manager Classic can authenticate users on an external directory server over the LDAP protocol. We strongly recommend that you secure this connection.
For LDAP to work over an SSL connection, the SSL certificate of the LDAP server must be added to the trusted certificate store (trust store) on the manager container.
See the sections “Authentication Configuration”, “Server LDAP Collector for DirX Identity Format” and “Configuring LDAPS” in the chapter “Configuring DirX Audit” in the DirX Audit Installation Guide for details.
Windows Authentication Using the Kerberos Login Module
DirX Audit Manager Classic can authenticate users with their Windows user name and password.
To enable this feature, check Windows authentication in the Configuration Wizard.
Users are authenticated according to the Kerberos configuration defined in the core configuration step in the “Audit Manager Classic Authentication” dialog. (See the Kerberos file option.) If the Kerberos configuration file is missing, the Key Distribution Center (KDC) is taken from the DNS configuration. The user is authenticated against this KDC.
For authentication, the standard DirX Audit Manager Classic login page is used:
https://hostname:port/AuditManager/?tenant=tenantID
Enter your user name in Name in the format Kerberos_REALM\username, for example MY-Company.COM\user01. If you omit the Kerberos REALM, the default realm is used for authentication.
Enter your domain password in Password.
Kerberos Configuration File
The Kerberos configuration file contains the Kerberos configuration information including the locations of KDCs and admin servers for the Kerberos realms of interest. On Windows systems, its default location is C:\Windows\krb5.ini. On Unix systems, its default location is /etc/krb5.conf.
Here is a sample configuration file:
[libdefaults]
default_realm = MY-COMPANY.COM
default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_checksum = rsa-md5
kdc_timesync = 0
kdc_default_options = 0x40000010
clockskew = 300
check_delegate = 0
ccache_type = 3
kdc_timeout = 60000
[realms]
MY-COMPANY.COM = {
kdc = DXA-SERVER-01.my-company.com:88
}
[domain_realm]
my-company.com = MY-COMPANY.COM
.my-company.com = MY-COMPANY.COM
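The Python example below is added here and is not part of DirX Audit. It parses the sample configuration file above (embedded as a constructed string so that the example runs offline), resolves a host name to its realm and KDC via [domain_realm] and [realms], turns a login entered as REALM\username (or as a bare user name, which falls back to default_realm as described in the previous section) into a Kerberos principal, and flags the encryption types in the sample that are deprecated for Kerberos: single DES (RFC 6649) and RC4-HMAC and triple-DES (RFC 8429). Upper-casing the realm part of the login is an assumption made for this example.

```python
# Constructed sample: the krb5.ini shown above, embedded so the example runs offline.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = MY-COMPANY.COM
default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_checksum = rsa-md5
clockskew = 300
[realms]
MY-COMPANY.COM = {
kdc = DXA-SERVER-01.my-company.com:88
}
[domain_realm]
my-company.com = MY-COMPANY.COM
.my-company.com = MY-COMPANY.COM
"""

# Encryption types deprecated for Kerberos: single DES (RFC 6649),
# RC4-HMAC and triple-DES (RFC 8429).
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1", "des3-hmac-sha1",
    "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac-exp", "arcfour-hmac-exp",
}


def parse_krb5_conf(text):
    """Parse the krb5.conf/krb5.ini dialect: [section] headers, 'key = value'
    lines and 'key = { ... }' subsections (as used under [realms])."""
    sections = {}
    current = None      # dict that receives the next key/value line
    stack = []          # enclosing dicts while inside '{ ... }'
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            stack = []
            continue
        if current is None:
            raise ValueError(f"directive outside any section: {line!r}")
        if line == "}":
            current = stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(current)
            current = current.setdefault(key, {})
        else:
            current[key] = value
    return sections


def weak_enctypes(conf):
    """Return {setting: [deprecated types]} for the enctype lists in [libdefaults]."""
    findings = {}
    libdefaults = conf.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = [t for t in libdefaults.get(key, "").split() if t in WEAK_ENCTYPES]
        if weak:
            findings[key] = weak
    return findings


def principal_from_login(conf, login):
    r"""Turn a login of the form REALM\username (or a bare username) into
    username@REALM, falling back to default_realm when the realm is omitted.
    ASSUMPTION: the realm is upper-cased, as Active Directory realm names are."""
    realm, sep, user = login.rpartition("\\")
    if not sep:
        user, realm = login, conf["libdefaults"]["default_realm"]
    if not user or not realm:
        raise ValueError(f"malformed login name: {login!r}")
    return f"{user}@{realm.upper()}"


def realm_for_host(conf, hostname):
    """Resolve a host name to its realm via [domain_realm]: exact match first,
    then the longest matching '.parent.domain' entry."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower()
    if host in mapping:
        return mapping[host]
    candidates = [d for d in mapping if d.startswith(".") and host.endswith(d)]
    return mapping[max(candidates, key=len)] if candidates else None


def kdc_for_realm(conf, realm):
    """Return the configured KDC for a realm, or None if it must come from DNS."""
    return conf.get("realms", {}).get(realm, {}).get("kdc")


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print(principal_from_login(conf, r"MY-Company.COM\user01"))
    print(kdc_for_realm(conf, realm_for_host(conf, "dxa-server-01.my-company.com")))
    print(weak_enctypes(conf))
```

Running the check against the sample file reports rc4-hmac, des3-cbc-sha1, des-cbc-md5 and des-cbc-crc in all three enctype lists; a hardened file would keep only the AES types, which also removes the need for the rc4-hmac fallback that Active Directory still accepts by default. kdc_for_realm returning None corresponds to the case described above in which the KDC is located through DNS.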
Configuring SSO Web Authentication Using SPNEGO / Kerberos
DirX Audit Manager Classic can authenticate users through the SPNEGO mechanism using the Kerberos authentication protocol. Users can authenticate without entering their user names and passwords.
The Kerberos authentication is fully configurable. To enable this feature, check Windows SSO in the Tenant Configuration Wizard for a defined tenant.
There are two required configuration items:
- Keytab location – the location of the keytab file that contains the service principal-specific information.
- Service Principal Name (SPN) – defines a unique service principal name registered in the domain.
For authentication, the DirX Audit Manager Classic URL is used:
https://hostname:port/AuditManager/?tenant=tenantID
If authentication was not successful, you are redirected to the standard DirX Audit Manager Classic login page.
The next sections describe how to create these items and configure your Internet browser for SSO authentication.
Generating the Keytab File
Use the ktpass tool to generate the keytab file that contains the service principal-specific name and the keys required for the Kerberos ticket validation. If the validation is successful, the user is authenticated (but not yet authorized).
To generate the keytab file, run the following command in the command line as an administrator:
ktpass -princ HTTP/fully_qualified_Audit_manager_classic_hostname@AD_name -mapuser username -out filename.keytab -pass user_password -crypto All
For example:
ktpass -princ HTTP/tomcat.my-company.com@MY-COMPANY.COM -mapuser tomcat -out tomcat.keytab -pass dxt -crypto All
(The example assumes that tomcat is an existing user in Active Directory.)
The keytab file is then created and can be found in the current working directory of the command line.
Defining the Service Principal Name
The Service Principal Name (SPN) is a unique service principal name registered in a domain. It is mapped to a user registered in Active Directory. The creation of the user in Active Directory is not described here.
The SPN format for a Web application is as follows:
HTTP/fully_qualified_hostname@AD_name
For example:
HTTP/tomcat.my-company.com@MY-COMPANY.COM
The Kerberos realm name is equivalent to the name of the Active Directory.
Configuring the Internet Browser for Windows SSO Authentication
When using Windows authentication, the Internet browser must be configured as described here.
Configuring Microsoft Edge and Google Chrome
To configure the Microsoft Edge and Google Chrome browsers:
- Press the Windows key + R to open the Run command box. Type inetcpl.cpl and then press Enter.
- Navigate to the Security tab.
- In the Local intranet window, enter the web address of the host name where DirX Audit Manager Classic is installed into Add this web site to the zone.
- In the Internet Options window, click the Advanced tab and scroll to Security settings. Ensure that the Enable Integrated Windows Authentication (requires restart) box is selected.
- Click OK.
- Restart the Internet Explorer browser to activate this configuration.
Configuring Mozilla Firefox
To configure the Firefox browser:
- Start Firefox.
- In the address field, enter about:config.
- In the search filter, enter network.n.
- Double-click on network.negotiate-auth.trusted-uris. This preference lists the URIs that are permitted to engage in Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) authentication with the browser. Enter the Audit Manager Classic installation URL (http://fully_qualified_name_of_Audit_Manager_classic_host, or https://fully_qualified_name_of_Audit_Manager_classic_host when using a secure connection).