Create authentication realms

Depending on your authentication type, you can create Internal Storage, LDAP, PKI Certificate, and SSO authentication realms in Deployment Automation.

If you add multiple realms, ensure that there are no users with the same username across realms.

Add an Internal Storage authentication realm

You can create an Internal Storage authentication realm, which authenticates users by a username and password held in Deployment Automation's own internal storage (basic login and password authentication).

Caution: To prevent issues with authentication, avoid adding more than one Internal Storage authentication realm.

To create an Internal Storage authentication realm:

  1. In Deployment Automation, navigate to Administration > Security. The Authentication (Users) page opens.

  2. In the Authentication Realms side panel, click Create Authentication Realm.

  3. In the Create Authentication Realm dialog box, specify the following parameters:

    Parameter Description

    Name

    Enter a unique name for the authentication realm.

    Description

    (Optional) Enter additional information about the realm.

    Type

    From the list of types, select Internal Storage.

    Authorization realm

    Select the authorization realm you created earlier, or use the default authorization realm, Internal Security.

    For details about adding authorization realms, see Authorization realms and groups.

    Allowed login attempts

    Deployment Automation provides an account lockout mechanism to protect against password-guessing (brute-force) attacks.

    Specify how many consecutive unsuccessful login attempts are allowed before the user account is locked. Default: 5 login attempts. A value of 0 means unlimited attempts and turns the lockout mechanism off, which leaves the realm open to online password guessing; keep a non-zero threshold unless another control protects the login.

    Upgrade from 6.3.3 or earlier: If you had the lockout threshold set to 0, the threshold automatically changes to 5 login attempts after the upgrade.

    By default, Deployment Automation locks out a user account for 30 minutes. To change the lockout interval, see Modify the account lockout settings.

  4. Click Save.


Add an LDAP authentication realm

If you are using LDAP, you can import users and map them to the security system.

When creating an LDAP authentication realm, provide information about your LDAP installation. For additional configuration requirements, see Configure LDAP authentication.

To create an LDAP authentication realm:

  1. In Deployment Automation, navigate to Administration > Security. The Authentication (Users) page opens.

  2. In the Authentication Realms side panel, click Create Authentication Realm.

  3. In the Create Authentication Realm dialog box, specify the following parameters:

    Parameter Description

    Name

    Enter a unique name for the authentication realm.

    Description

    (Optional) Enter additional information about the realm.

    Type

    From the list of types, select LDAP.

    Authorization realm

    Select the authorization realm you created earlier, or use the default authorization realm, Internal Security.

    For details about adding authorization realms, see Authorization realms and groups.

    Context Factory

    Enter the JNDI context factory class to use for connecting. The class may vary depending on your Java implementation.

    Default for Sun/Oracle and OpenJDK Java implementations:

    com.sun.jndi.ldap.LdapCtxFactory

    LDAP URL

    Enter the LDAP server URL, beginning with ldap:// or ldaps://. Separate additional servers with a space, for example:

    ldap://ldap.mydomain.com:389 ldap://ldap2.mydomain.com

    Prefer ldaps:// (LDAP over TLS) in production: with plain ldap://, the search connection password and every user's password cross the network in cleartext.

    Use DN Pattern

    (Optional) Enter the pattern for the user's directory entry. The username replaces {0} in the pattern, for example:

    cn={0},ou=employees,dc=yourcompany,dc=com

    Use this when all users are in one container, so that the user DN can be built from the username and bound directly without searching the directory.

    User Search Base

    (Optional) Specify the base entry under which to search for users, for example:

    ou=employees,dc=mydomain,dc=com

    User Search Filter

    (Optional) Enter an LDAP filter expression to apply when searching for a user's directory entry. The username replaces {0} in the expression, for example:

    uid={0}

    If the filter tests an attribute rather than forming part of the user DN pattern, wrap the expression in parentheses so that it is a complete filter, for example:

    (uid={0})

    The filter should match exactly one entry for a given username.

    Search User Subtree

    (Optional) Select this option to search the entire subtree below the User Search Base, not only the entries immediately under it.

    Search Connection DN

    (Optional) Enter the complete distinguished name to bind with when searching for users, for example:

    cn=admin,dc=mydomain,dc=com

    Leave the field empty to bind anonymously.

    This option is required if the LDAP server cannot be searched anonymously. Use a dedicated read-only service account rather than a directory administrator account.

    Search Connection Password

    (Optional) Enter the password to use when binding to LDAP for searches.

    Name Attribute

    (Optional) Enter the name of the LDAP attribute that holds the user's display name, for example, cn.

    Email Attribute

    (Optional) Enter the name of the LDAP attribute that holds the user's email address, for example, mail.
  4. Click Save.
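The following Python example is added here to illustrate the LDAP settings above; it is not code from Deployment Automation. It shows how a submitted username is substituted into Use DN Pattern or User Search Filter, why the substituted value has to be escaped (RFC 4514 for DN values, RFC 4515 for filter values) so that a crafted username cannot change the meaning of the filter, and how the space-separated LDAP URL field splits into servers and which of them use an unencrypted connection. The function names, the one-level default search scope, and the sample usernames are assumptions of the example; whether Deployment Automation itself escapes the username in this way is not stated on this page.

```python
"""Added example (not Deployment Automation code): how an LDAP realm's Use DN
Pattern, User Search Base/Filter and LDAP URL settings are applied to a
submitted username, with RFC 4514/4515 escaping of the substituted value."""
from urllib.parse import urlsplit


def escape_filter_value(value: str) -> str:
    """Escape a value placed inside an LDAP search filter (RFC 4515).
    '*', '(', ')', '\\', NUL and every non-ASCII byte become \\XX hex escapes,
    so a username such as '*)(uid=*' stays a literal and cannot widen the search."""
    out = []
    for byte in value.encode("utf-8"):
        if chr(byte) in "*()\\\x00" or byte > 0x7F:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def escape_dn_value(value: str) -> str:
    """Escape a value placed inside a distinguished name (RFC 4514 section 2.4):
    ',', '+', '"', '\\', '<', '>', ';' anywhere, NUL, a leading ' ' or '#',
    and a trailing ' '."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(dn_pattern: str, username: str) -> str:
    """Use DN Pattern: the username replaces {0}; the realm can bind as this DN
    directly, without searching the directory."""
    return dn_pattern.replace("{0}", escape_dn_value(username))


def build_search_filter(search_filter: str, username: str) -> str:
    """User Search Filter: the username replaces {0}. A bare attribute test such
    as uid={0} is wrapped in parentheses so the result is a complete filter."""
    filt = search_filter.replace("{0}", escape_filter_value(username))
    return filt if filt.startswith("(") else "(" + filt + ")"


def resolve_user(username, dn_pattern=None, search_base=None,
                 search_filter=None, search_subtree=False):
    """Return the LDAP operation the realm settings imply for this username.
    Assumption of this example: without Search User Subtree the search is
    one-level (only entries directly under the search base)."""
    if dn_pattern:
        return {"op": "bind", "dn": build_user_dn(dn_pattern, username)}
    if search_base and search_filter:
        return {"op": "search", "base": search_base,
                "scope": "subtree" if search_subtree else "onelevel",
                "filter": build_search_filter(search_filter, username)}
    raise ValueError("set Use DN Pattern, or User Search Base and User Search Filter")


def parse_ldap_urls(url_field: str):
    """Split the space-separated LDAP URL field into
    (scheme, host, port, encrypted) tuples. Only ldaps:// protects the search
    connection password and user passwords on the wire."""
    servers = []
    for url in url_field.split():
        parts = urlsplit(url)
        if parts.scheme not in ("ldap", "ldaps"):
            raise ValueError("LDAP URL must begin with ldap:// or ldaps://: " + url)
        port = parts.port or (636 if parts.scheme == "ldaps" else 389)
        servers.append((parts.scheme, parts.hostname, port, parts.scheme == "ldaps"))
    return servers


if __name__ == "__main__":
    # Constructed sample input; the usernames are not from the original page.
    print(resolve_user("jdoe", dn_pattern="cn={0},ou=employees,dc=yourcompany,dc=com"))
    print(resolve_user("jdoe", search_base="ou=employees,dc=mydomain,dc=com",
                       search_filter="uid={0}", search_subtree=True))
    print(build_search_filter("uid={0}", "*)(uid=*"))   # escaped, stays one literal
    for scheme, host, port, encrypted in parse_ldap_urls(
            "ldap://ldap.mydomain.com:389 ldaps://ldap2.mydomain.com"):
        print(scheme, host, port, "TLS" if encrypted else "cleartext")
```

Running the block prints the bind or search each configuration would issue; the crafted username `*)(uid=*` comes out as `(uid=\2a\29\28uid=\2a)`, a filter that matches nothing, whereas an unescaped substitution would have produced a filter matching every entry.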


Add a PKI Certificate authentication realm

You can configure Deployment Automation to use your organization's public key infrastructure (PKI) certificates for user authentication. To support multiple certificates, create multiple PKI Certificate authentication realms.

With this type of authentication, users are signed in to Deployment Automation automatically on the basis of a PKI client certificate installed in their web browser and presented when they connect.

For additional configuration requirements, see Configure PKI Certificate authentication.

Caution: PKI Certificate and SSO authentication realms are incompatible and cannot be used in the same implementation. To use smart cards with SSO, configure this option in OpenText SBM. For details, see the SBM documentation.

To create a PKI Certificate authentication realm:

  1. In Deployment Automation, navigate to Administration > Security. The Authentication (Users) page opens.

  2. In the Authentication Realms side panel, click Create Authentication Realm.

  3. In the Create Authentication Realm dialog box, specify the following parameters:

    Parameter Description

    Name

    Enter a unique name for the authentication realm.

    Description

    (Optional) Enter additional information about the realm.

    Type

    From the list of types, select PKI Certificate.

    Authorization realm

    Accept the default authorization realm, Internal Security. A PKI Certificate authentication realm always uses Internal Security for authorization.

    CA Certificate File

    Enter the full path, on the Deployment Automation server, to the file that contains the certificate of the CA that issued your user certificates, for example:

    D:\auth\ca.crt

    User certificates are accepted only if they chain to this issuer.

    Username Attribute

    Select the Subject (default) or Alternative Subject option. Then select a corresponding username attribute from the list.

    Ensure that the attribute maps to the certificate value used for the username. See PKI Certificate parsing.

    Email Attribute

    To use no email attribute, leave None selected.

    To specify an email attribute, select the Subject or Alternative Subject option, and then choose one of the available attributes.

    Ensure that the attribute maps to the certificate value used for the email ID. See PKI Certificate parsing.

    Full Name Attribute

    To use no full name attribute, leave None selected.

    To specify a full name attribute, select the Subject or Alternative Subject option, and then choose one of the available attributes.

    Ensure that the attribute maps to the certificate value used for the full name. See PKI Certificate parsing.

    Verify Revocation

    Select this option to check, at login, whether the user certificate has been revoked by its issuer. If the option is cleared, a revoked certificate still authenticates the user as long as it is otherwise valid.

    Revocation Strategy

    If you selected Verify Revocation, choose the revocation strategy:

    • Strict (default). Treats the certificate as revoked (sets the revocation status to true) if any exception occurs during verification. This fails closed.

      For example, if Deployment Automation cannot reach the OCSP responder URL, or cannot read or parse a downloaded certificate revocation list, the certificate is considered revoked and the login fails.

    • Mild. Ignores the exceptions described for Strict and continues to the next verification point. If every verification point is skipped, or the revocation status is false for all of them, the certificate is considered valid (the resulting revocation status is false). This fails open: anyone who can stop the server from reaching the OCSP responder or the CRL location can keep using a revoked certificate, so prefer Strict wherever the revocation sources are reliably available.

    Revocation Source Type

    If you selected Verify Revocation, choose the revocation source type:

    External (default)

    Use this revocation source type to run the verification against an Online Certificate Status Protocol (OCSP) responder and/or a certificate revocation list (CRL) at a specified location:

    • OCSP Server URL. To use OCSP, enter the URL of the responder, for example:

      http://<server-name>:9999

      Caution: The clocks of the Deployment Automation server and the OCSP responder must be synchronized (for example, through NTP) and use the same time zone. Otherwise, the login fails with the Strict strategy, and the OCSP verification is skipped with the Mild strategy.

    • CRL Distribution Point. To use a CRL file, provide the URL from which to download the file. Enter URLs beginning with http(s)://, file://, or ldap://, for example:

      http://<server-name>:8080/crl.pem

      https://<server-name>:8443/crl.file

      "ldap://<ldap-server-name>:389/ou=Users,dc=da,dc=com?certificateRevocationList;binary"

      "file://D:/StrongAuth/crl.der"

    Internal

    Select this revocation source type to run the verification against the certificate revocation list (CRL) specified in the internal Deployment Automation file.

    For details on how to configure the server to support this option, see Set up internal revocation verification.

    Both

    Select this option to run the verification against both the internal and the external certificate revocation lists. Then specify the options for each list.

    Use Revocation Cache

    (Optional) If you selected Verify Revocation, you can cache the results of the last verification. This avoids repeating the OCSP or CRL lookups on every login to the server.

    Deployment Automation caches the following information:

    • Revocation status. The last certificate revocation status is stored in the cache and reused without further verification for subsequent requests associated with this certificate. A certificate revoked after its status was cached is therefore still accepted until the cache entry expires.
    • Certificate revocation lists (CRLs). The downloaded lists are kept in memory and stored locally in the server's var\cache\pki directory:

      <da_profile_directory>\var\cache\pki

      Deployment Automation downloads only one CRL at a time from a single endpoint. While a CRL is being downloaded, all other requests are postponed until the download completes.

    Updating the authentication realm clears both caches.

    Revocation Cache Expiration Period

    If you selected Use Revocation Cache, specify the period, in hours, after which the cache is refreshed. The default is 24 hours. Choose the value as the longest time you are willing to keep accepting a certificate after it has been revoked.
  4. Click Save.
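The following Python example is added to make the Strict and Mild strategies and the revocation cache concrete; it is not Deployment Automation code and does not talk to a real OCSP responder or download a CRL. The OCSP and CRL verification points are stand-ins that either answer or raise an error, the strategy semantics and the 24-hour cache default come from the settings above, and the function and class names, the serial numbers and the injected clock are the example's own.

```python
"""Added example (not Deployment Automation code): models the Strict and Mild
revocation strategies, the ordered verification points (OCSP, then CRL) and
the revocation cache described for the PKI Certificate realm. The OCSP and
CRL checks are stand-ins; nothing here touches the network."""
import time


class VerificationError(Exception):
    """A verification point could not answer: unreachable OCSP responder,
    CRL that cannot be downloaded or parsed, and so on."""


def make_ocsp_check(reachable: bool, revoked_serials):
    """Stand-in for an OCSP query to OCSP Server URL (assumption: real code
    would send an OCSP request for the certificate's serial number)."""
    def check(serial):
        if not reachable:
            raise VerificationError("OCSP responder unreachable")
        return serial in revoked_serials
    return check


def make_crl_check(crl_serials):
    """Stand-in for a CRL lookup; pass None to model a CRL that could not be
    read or parsed."""
    def check(serial):
        if crl_serials is None:
            raise VerificationError("CRL could not be read or parsed")
        return serial in crl_serials
    return check


def is_revoked(serial, verification_points, strategy="strict"):
    """Apply the documented strategy to the verification points in order.
    strict: any exception marks the certificate revoked (fail closed).
    mild:   exceptions are skipped; the certificate is revoked only if some
            point reports it revoked, and valid if every point was skipped."""
    if strategy not in ("strict", "mild"):
        raise ValueError("strategy must be 'strict' or 'mild'")
    for check in verification_points:
        try:
            if check(serial):
                return True
        except VerificationError:
            if strategy == "strict":
                return True
    return False


class RevocationCache:
    """Use Revocation Cache: the last status per certificate is reused until
    Revocation Cache Expiration Period (hours, default 24) has passed.
    `clock` is injectable so the example is deterministic."""

    def __init__(self, verification_points, strategy="strict",
                 expiration_hours=24, clock=time.time):
        self.points = verification_points
        self.strategy = strategy
        self.ttl = expiration_hours * 3600
        self.clock = clock
        self._cache = {}

    def status(self, serial):
        """Return True if the certificate is treated as revoked."""
        now = self.clock()
        hit = self._cache.get(serial)
        if hit is not None and now - hit[1] < self.ttl:
            return hit[0]           # cached status, no OCSP/CRL lookup
        revoked = is_revoked(serial, self.points, self.strategy)
        self._cache[serial] = (revoked, now)
        return revoked

    def clear(self):
        """Updating the authentication realm clears the cache."""
        self._cache.clear()


if __name__ == "__main__":
    crl = {0x1001}            # constructed CRL: one revoked serial
    points = [make_ocsp_check(reachable=False, revoked_serials=set()),
              make_crl_check(crl)]
    # OCSP is down: Strict denies every login, Mild falls through to the CRL.
    print("strict, OCSP down:", is_revoked(0x2002, points, "strict"))   # True
    print("mild, OCSP down:  ", is_revoked(0x2002, points, "mild"))     # False
    print("mild, on CRL:     ", is_revoked(0x1001, points, "mild"))     # True
    # Cache: a revocation after the status was cached is invisible until expiry.
    clock = [0.0]
    live_crl = set()
    cache = RevocationCache([make_crl_check(live_crl)], clock=lambda: clock[0])
    print("before revocation:", cache.status(7))          # False
    live_crl.add(7)
    print("cached after revocation:", cache.status(7))    # False (stale)
    clock[0] += 24 * 3600
    print("after cache expiry:", cache.status(7))         # True
```

The cache part shows the trade-off behind Revocation Cache Expiration Period: with the default 24 hours, a certificate revoked right after a successful login is still accepted for up to a day, and only updating the realm (modelled by clear()) or the expiry forces a fresh OCSP or CRL lookup.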

PKI Certificate parsing

Every X.509 certificate has a Subject field, and most user certificates also carry a Subject Alternative Name extension (shown as Alternative Subject in the realm settings). Both hold information about the user to whom the certificate was issued, such as the common name (CN), email address, or user principal name; the realm reads the username, email, and full name from the attributes you select there.

The following examples demonstrate the attributes and values for each section:


Add an SSO authentication realm

To use a Single Sign-On authentication realm in Deployment Automation, you need OpenText SBM.

For details about setting up SSO in SBM, see Single Sign-On (SSO) configuration.

Caution: PKI Certificate and SSO authentication realms are incompatible and cannot be used in the same implementation. To use smart cards with SSO, configure this option in SBM. For details, see the SBM documentation.

To create an SSO authentication realm:

  1. In Deployment Automation, navigate to Administration > Security. The Authentication (Users) page opens.

  2. In the Authentication Realms side panel, click Create Authentication Realm.

  3. In the Create Authentication Realm dialog box, specify the following parameters:

    Parameter Description

    Name

    Enter a unique name for the authentication realm.

    Description

    (Optional) Enter additional information about the realm.

    Type

    From the list of types, select Single Sign-On.

    Authorization realm

    Select the authorization realm you created earlier, or use the default authorization realm, Internal Security.

    For details about adding authorization realms, see Authorization realms and groups.

    User Header Name

    Specify the name of the HTTP request header that carries the authentication token issued by the SSO provider, for example, ALFSSOAuthNToken. Make sure that this header is set only by the SSO gateway in front of Deployment Automation and cannot be supplied by an untrusted client.
  4. Click Save.

