13.3 Configuring Cloud Manager to Use Authentication Sources

The instructions in this section assume that you have already used the configuration tool to configure the Postgres database used by the NetIQ Cloud Manager Application Server, as described in Section 13.1, Configuring the PostgreSQL Database Connection and Credentials.

The NetIQ Cloud Manager Application Server can connect to and search several different kinds of authentication sources to collect information about the users in those sources. These are the users who, depending on their individual roles, can be authorized to log in to Cloud Manager as Cloud Manager users.

The Cloud Manager Application Server configuration tool includes a segment that displays directly after the Postgres Configuration segment of the script. It prompts you to choose an authentication source and asks for the specific information that allows Cloud Manager to connect to that source.

NOTE: If you configured authentication sources in a previous configuration session, you can manage those configuration settings in a new session. The tool provides a new option (NetIQ Cloud Manager - Manage Authentication) that you can select to make authentication configuration changes subsequent to your initial work.

This section discusses the authentication source options in Cloud Manager and how to obtain the data you provide for the tool. The section also includes an explanation of the setup you need to perform, if any, to prepare each of these authentication sources for connection to Cloud Manager.

13.3.1 Configuring Authentication to an LDAP Directory

The NetIQ Cloud Manager administrator can choose to authenticate users through a supported Lightweight Directory Access Protocol (LDAP) directory service, either Microsoft Active Directory or Novell eDirectory. Cloud Manager users must have an account in the LDAP directory and must be members of the Cloud Manager user group. In addition, the LDAP user you specify as the read-only user must have All Attribute access to the area of the directory to be used by Cloud Manager.

You can also choose to add the Secure Sockets Layer (SSL) protocol to protect the authentication data passed between Cloud Manager and LDAP. Adding SSL to the authentication process adds encryption and verification to the process.

This section helps you to prepare the information you need to configure LDAP for Cloud Manager authentication. If you want to use another authentication service, see Section 13.3.2, Configuring Authentication to NetIQ Access Manager.

  1. Make sure you know the information you are prompted to provide during the LDAP configuration:

    Information Needed for LDAP Configuration

    Description

    Do you want to use SSL with LDAP?

    If you respond with “yes” to this question, you are asked for an SSL certificate later in the configuration.

    LDAP Source

    You need to select the LDAP source for use with Cloud Manager, either Novell eDirectory or Microsoft Active Directory.

    LDAP host address

    This is the address (DNS name or IP address) of the LDAP host that Cloud Manager can connect to for authentication.

    If you chose to use SSL with LDAP, this address should match the subject of the certificate issued for the LDAP host.

    The configuration tool immediately validates this address when you specify it.

    LDAP port

    Specify the port on which the LDAP server listens for connections from Cloud Manager.

    If you are using SSL, the default port is 636. If you chose not to use SSL, the default port is 389.

    Path to SSL certificate on LDAP server

    This is the file system path to the SSL certificate you previously copied to the LDAP server. The certificate must be in DER format [1].

    You need to use this setting only if you want to use SSL with the LDAP authentication.

    LDAP read-only user DN

    Specify the distinguished name (DN) of an existing LDAP read-only user who has read access to the LDAP directory.

    This user must have All Attribute read rights to the area of the directory that is to be used for Cloud Manager.

    LDAP read-only user’s password

    Specify the password for the LDAP read-only user.

    When you specify the user password, the configuration tool immediately attempts an SSL authentication to validate the existence of this user and password.

    Cloud Manager LDAP user DN

    Specify the DN of an existing LDAP user whom you want to designate as the Cloud Manager administrator.

    When you specify this LDAP user, the configuration tool immediately attempts to locate the user in LDAP, then asks you to verify that this is the user you want to designate as the Cloud Manager administrator.

    Make sure that the mail attribute is set for this user in LDAP.

    LDAP DN of NCM Users

    Specify the DN of the LDAP container where the users whom you want to log in to Cloud Manager already exist.

    This is the parent context of users that will be allowed to log in to the Cloud Manager Application Console. All subdirectories and users are included by default.

    Make sure that all users, regardless of their context in this container, have their email domain configured prior to logging into the Application Console.

    NOTE: You can use the Cloud Manager Application Console later to import users who do not currently exist in this DN.

    [1] Use the following command on a Linux machine to fetch the certificate the LDAP server presents on its SSL port, and then copy the result to another machine if needed. Redirecting stdin from /dev/null ends the s_client session cleanly once the handshake has completed; the sed range keeps only the PEM certificate block from the handshake output.

    openssl s_client -connect <server_ip_addr_or_dns>:<port> </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldap.pem

    The following command converts the certificate to DER format (required by Cloud Manager):

    openssl x509 -in ldap.pem -inform PEM -out ldap.cer -outform DER

  2. Continue running the configuration tool (/opt/netiq/cloudmanager/configurator/config). In the configuration segment following the configuration of the Postgres database, the tool displays the following text:

    Authentication Type
    
    1) LDAP
    2) NAM
    
    Selection:
    
  3. Specify 1 (LDAP) as the authentication type you want to configure.

  4. Follow the prompts and use the information you gathered in Step 1 to complete this segment of the configuration.
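The table above lists prerequisites that the configuration tool only partly validates (it checks the host address, the read-only bind and the administrator DN, but not the certificate subject or the mail attribute of every user in the NCM container). The following pre-flight script is an added example, not part of the NetIQ guide, that checks those prerequisites before you run the configurator. Host names, DNs, ports, file names and the objectClass filter are placeholders/assumptions; ldapsearch is assumed to come from the OpenLDAP client tools.

```shell
#!/bin/sh
# Added pre-flight script for the LDAP prerequisites in the table above (not part of the
# NetIQ guide). Host names, DNs, ports and file names are placeholders; ldapsearch is
# assumed to come from the OpenLDAP client tools.

# Fetch the certificate the LDAP server presents on its SSL port and convert it to DER
# (the format the configurator expects). </dev/null ends the s_client session cleanly.
fetch_ldap_cert() {   # fetch_ldap_cert <host> <port> <out.cer>
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$3.pem"
    [ -s "$3.pem" ] || { echo "no certificate received from $1:$2" >&2; return 1; }
    openssl x509 -in "$3.pem" -inform PEM -out "$3" -outform DER
}

# Print the subject and DNS names of a DER certificate so you can confirm that the
# LDAP host address you will give the configurator matches one of them.
cert_names() {   # cert_names <cert.cer>
    openssl x509 -in "$1" -inform DER -noout -text | grep -E 'Subject:|DNS:'
}

# Bind as the read-only user and dump the mail attribute of every user below the NCM
# users container. The password is read from a file (-y) rather than the command line so
# it does not appear in the process list; the file must contain the password only, with
# no trailing newline. If the server certificate is not trusted by the system CA store,
# export LDAPTLS_CACERT pointing at the issuing CA certificate before running this
# (the fetched leaf certificate is enough only when it is self-signed).
dump_ncm_users() {   # dump_ncm_users <ldap_uri> <readonly_dn> <password_file> <users_dn>
    ldapsearch -LLL -x -H "$1" -D "$2" -y "$3" -b "$4" \
        '(|(objectClass=inetOrgPerson)(objectClass=user))' mail
}

# Read LDIF (as produced by ldapsearch -LLL) on stdin and print the DN of every entry
# that has no mail attribute; "mail::" marks a base64-encoded value and still counts.
# The table requires mail on the administrator and an e-mail domain on every NCM user.
users_without_mail() {
    awk '
        function flush() { if (dn != "" && !has_mail) print dn; dn = ""; has_mail = 0 }
        /^dn: /     { flush(); dn = substr($0, 5) }
        /^mail::? / { has_mail = 1 }
        END         { flush() }
    '
}

# Usage (placeholder values):
#   sh ldap-preflight.sh ldap.example.com 636 cn=ncm-ro,ou=svc,dc=example,dc=com \
#       /root/ncm-ro.pass ou=ncm,dc=example,dc=com
if [ $# -eq 5 ]; then
    fetch_ldap_cert "$1" "$2" ldap.cer || exit 1
    cert_names ldap.cer
    echo "Users under $5 with no mail attribute:"
    dump_ncm_users "ldaps://$1:$2" "$3" "$4" "$5" | users_without_mail
fi
```

Run it with the same host, port and DNs you intend to type into the configurator; any DN it prints under the last heading is a user who will fail the e-mail requirement in the table, and a subject or DNS name that does not match the host address means the SSL step will fail against that address.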

After the LDAP authentication configuration, continue with Section 13.4, Installing and Configuring Other Cloud Manager Feature Settings.

13.3.2 Configuring Authentication to NetIQ Access Manager

The NetIQ Cloud Manager administrator can choose to authenticate customers through NetIQ Access Manager (NAM).

This section helps you to prepare the information you need to configure Cloud Manager authentication through NetIQ Access Manager. If you want to use some other authentication service, see Section 13.3.1, Configuring Authentication to an LDAP Directory.

If you want to learn more about NetIQ Access Manager, see the NetIQ Access Manager Appliance 4.0 Web site.

  1. Make sure you know the information you are prompted to provide during the Access Manager authentication configuration:

    Information Needed to Configure Authentication to NAM

    Description

    Cloud Manager Administrator user name

    Specify the initial user name that you want to designate as the Cloud Manager administrator.

    This should be the new administrator’s login name or Common Name (CN) and must already exist in your LDAP directory.

    Cloud Manager Administrator email address

    Specify the email address of the user you want to be the Cloud Manager administrator.

    This email address must already exist as an LDAP attribute of the future administrator. If the user has more than one email address, use the first address in the email attributes list.

    Cloud Manager uses this email address to determine the administrative permissions to apply to the user.

    As you continue running the configuration tool (/opt/netiq/cloudmanager/configurator/config) following the configuration of the Postgres database, the tool displays the following text:

    Authentication Type
    
    1) LDAP
    2) NAM
    
    Selection:
    
  2. Specify 2 (NAM) as the Authentication Type you want to configure.

  3. Follow the prompts and use the information you gathered in Step 1 to complete this segment of the configuration.
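The NAM configuration asks for an administrator user name (CN) and an email address that must already be the first value of that user's mail attribute. The following added example, not part of the NetIQ guide, looks the administrator up in LDAP by CN and prints the first mail value so you can paste exactly what the directory holds; it also fails when the CN is missing, has no mail, or matches more than one entry. Host, DNs and credentials are placeholders; ldapsearch is assumed to come from the OpenLDAP client tools.

```shell
#!/bin/sh
# Added check for the NAM administrator prerequisites above (not part of the NetIQ guide).
# Host, DNs and credentials are placeholders; ldapsearch is assumed from the OpenLDAP tools.

# Look the administrator up by CN under the search base and return cn plus all mail values.
# Escape LDAP filter metacharacters in the CN first if it contains any of ( ) * \ or NUL.
lookup_admin() {   # lookup_admin <ldap_uri> <readonly_dn> <password_file> <base_dn> <admin_cn>
    ldapsearch -LLL -x -H "$1" -D "$2" -y "$3" -b "$4" "(cn=$5)" cn mail
}

# Read LDIF on stdin and print the first mail value of the entry whose cn matches.
# Exit status 1: entry missing or without mail (the table requires both);
# exit status 2: more than one entry matched, so the administrator is ambiguous.
# Assumes plain ASCII addresses (base64-encoded "mail::" values are not decoded).
first_mail_for_cn() {   # first_mail_for_cn <admin_cn>
    awk -v want="$1" '
        function flush() {
            if (cn == want) { matched++; if (mail != "" && first == "") first = mail }
            cn = ""; mail = ""
        }
        /^dn: /   { flush() }
        /^cn: /   { cn = substr($0, 5) }
        /^mail: / { if (mail == "") mail = substr($0, 7) }   # keep the first value only
        END {
            flush()
            if (matched > 1) exit 2
            if (matched == 0 || first == "") exit 1
            print first
        }
    '
}

# Usage (placeholder values):
#   sh nam-admin-check.sh ldaps://ldap.example.com:636 cn=ncm-ro,ou=svc,dc=example,dc=com \
#       /root/ncm-ro.pass dc=example,dc=com ncmadmin
if [ $# -eq 5 ]; then
    lookup_admin "$1" "$2" "$3" "$4" "$5" | first_mail_for_cn "$5"
fi
```

The printed address is the one to give the configurator as the Cloud Manager Administrator email address; a non-zero exit means the account does not yet satisfy the table's requirements and should be fixed in the directory before you continue.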

After the NetIQ Access Manager authentication configuration, continue with Section 13.4, Installing and Configuring Other Cloud Manager Feature Settings.