5.3 Securing Users and Passwords

5.3.1 Operating System Users

Server Installation

The Sentinel Rapid Deployment server installation creates a system user and a group that owns the installed files within <install_directory>. If the user does not exist, it is created and its home directory is set to <install_directory>. If a new user is created, the password for the user is not set by default in order to maximize security. If you want to log in to the system as a user created during installation, you must set a password for the user after installation.

Collector Manager Installation

The system users might vary in their level of security depending on the operating system on which the Collector Manager is installed.

Linux: The installer prompts you to specify the name of the system user who owns the installed files, as well as the location to create its home directory. By default, the system user is esecadm; however, you can change this system username. If the user does not exist, it is created along with its home directory. If a new user is created, the password for the user is not set during installation to maximize security. If you want to log in to the system as the user, you must set a password for the user after installation. The default group is esec.

During client installation, if the user already exists, the installer does not prompt for the user again. This behavior is similar to the behavior during uninstallation or reinstallation of software. However, you can have the installer prompt for the user again:

  1. Delete the user and group created at the time of the first installation

  2. Clear the ESEC_USER environment variables from /etc/profile
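The two post-install states the text describes for the Linux account (a created user whose password is not set, and an `ESEC_USER` variable in `/etc/profile` that stops the installer from prompting again) can be checked with a short script. The following is an added example, not code from the Sentinel Rapid Deployment documentation or product; it assumes the default account name `esecadm`, uses a placeholder install directory, and runs against constructed `passwd(5)`/`shadow(5)` records and a constructed profile snippet unless a user name is given on the command line:

```shell
#!/bin/sh
# Added example, not part of the Sentinel Rapid Deployment documentation or product.
# Assumptions: the account is esecadm (the page's default); /opt/sentinel_rd is a
# placeholder for <install_directory>; the passwd/shadow lines below are constructed
# sample data so the functions can be exercised without root or a real installation.

# Return 0 when a shadow(5) line carries no usable password: an empty field,
# "!" or "!!" (useradd without -p), "*" (never set), or a hash prefixed with "!"
# (locked with passwd -l). This is the state the installer leaves the user in.
shadow_password_locked() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        ''|'!'*|'*'*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Print the home directory recorded in a passwd(5) line, for comparison with
# <install_directory>.
passwd_home() {
    printf '%s\n' "$1" | cut -d: -f6
}

# Return 0 if FILE defines or exports ESEC_USER; while it is present in
# /etc/profile the installer reuses the account instead of prompting.
profile_sets_esec_user() {
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?ESEC_USER=' "$1"
}

# Constructed sample records (the hash is a placeholder, not a real digest).
SAMPLE_PASSWD='esecadm:x:1001:1001:Sentinel RD:/opt/sentinel_rd:/bin/bash'
SAMPLE_SHADOW_LOCKED='esecadm:!:19000:0:99999:7:::'
SAMPLE_SHADOW_SET='esecadm:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::'

# Live check of a real account (reading shadow needs root); only used when a
# user name is passed on the command line.
check_live_user() {
    pw=$(getent passwd "$1") || { echo "$1: no such user"; return 1; }
    sh=$(getent shadow "$1") || { echo "$1: cannot read shadow entry (run as root)"; return 1; }
    echo "home: $(passwd_home "$pw")"
    if shadow_password_locked "$sh"; then
        echo "password: not set / locked"
    else
        echo "password: set"
    fi
    if profile_sets_esec_user /etc/profile; then
        echo "ESEC_USER: still defined in /etc/profile"
    fi
}

if [ $# -gt 0 ]; then
    check_live_user "$1"
else
    echo "sample home: $(passwd_home "$SAMPLE_PASSWD")"
    shadow_password_locked "$SAMPLE_SHADOW_LOCKED" && echo "sample locked entry: no password set"
    shadow_password_locked "$SAMPLE_SHADOW_SET" || echo "sample set entry: password present"
fi
```

Run as `sh check_esecadm.sh esecadm` (as root) on the installed host to report the real account; without an argument it only exercises the constructed samples.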

Windows: No users are created.

The password policies for system users are defined by the operating system that is being used.

5.3.2 Sentinel Application and Database Users

All Sentinel Rapid Deployment application users are native database users, and their passwords are protected by using procedures followed by the native database platform. These users have only read access to certain tables in the database so that they can execute queries against the database.

The installer creates and configures a PostgreSQL database with the following users:

  • admin: The admin user is the administrator account used to log in to all Sentinel applications.

  • dbauser: The dbauser is created as a superuser who can manage the database. The password for dbauser is set at the time of the installation of the Sentinel Rapid Deployment server. This password is stored in the <user home directory>/.pgpass. The system follows the PostgreSQL database password policies. For more information, see Section 5.3.3, Enforcing a Password Policy for Users.

  • appuser: The appuser is the non-superuser that is used by the Sentinel applications to connect to the database. By default, the appuser uses a password that is randomly generated during installation and is stored and encrypted in the XML files (das_core.xml, das_binary.xml, and advisor_client.xml) in the <install_directory>/config directory. To change the password for the appuser, use the <install_directory>/bin/dbconfig utility. For more information, see DAS Container Files in the Sentinel Rapid Deployment Reference Guide.

NOTE: There is also a PostgreSQL database user that owns the entire database including system database tables. By default, the PostgreSQL database user is set to NOLOGIN so that no one can log in as the PostgreSQL user.
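Because the dbauser password is written to `<user home directory>/.pgpass`, the file's permissions matter twice over: a group- or world-readable copy exposes the superuser credential, and libpq refuses to use a `.pgpass` whose mode allows access beyond the owner, so dbauser connections silently stop using it. The following added check is not part of the Sentinel documentation or product; it builds a constructed `.pgpass` in a temporary file (placeholder password, wildcard database) rather than reading a real home directory:

```shell
#!/bin/sh
# Added example (not Sentinel/Novell code): verify that a .pgpass credential file
# is usable only by its owner and list which entries it holds without printing
# the password field. Runs on a constructed temporary file, not a real home directory.

# Return 0 if FILE is a regular file with mode exactly rw------- (0600), the only
# mode under which libpq will read it. ls output is used so the check is portable
# across GNU and BSD stat variants.
pgpass_mode_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c2-10)
    [ "$perms" = "rw-------" ]
}

# Print host:port:database for every .pgpass line belonging to USER, omitting the
# password so the output is safe to paste into a ticket. Format per line:
# hostname:port:database:username:password (comment lines start with #).
pgpass_entries_for() {
    user=$1; file=$2
    grep -v '^[[:space:]]*#' "$file" | awk -F: -v u="$user" '$4 == u { print $1 ":" $2 ":" $3 }'
}

# Constructed sample resembling the dbauser entry the installer records
# (the password is a placeholder; "*" matches any database). MODE is applied
# so that both a correct and an over-permissive file can be produced.
make_sample_pgpass() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# hostname:port:database:username:password
localhost:5432:*:dbauser:PLACEHOLDER_PASSWORD
EOF
    chmod "$1" "$f"
    printf '%s\n' "$f"
}

f=$(make_sample_pgpass 600)
if pgpass_mode_ok "$f"; then echo "$f: mode ok"; else echo "$f: mode too open"; fi
echo "dbauser entries: $(pgpass_entries_for dbauser "$f")"
rm -f "$f"
```

To audit the real file, call `pgpass_mode_ok "$HOME/.pgpass"` as the account that owns the installation; a failing check is fixed with `chmod 600` on that file.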

5.3.3 Enforcing a Password Policy for Users

Sentinel Rapid Deployment utilizes standards-based mechanisms to make it easier to enforce password policies.

The installer creates and configures a PostgreSQL database with the following users:

dbauser: The database owner (database administrator user). The password is set during the installation process.

appuser: This is the application user that Sentinel Rapid Deployment uses to log in to the database. The password is randomly generated during the installation process, and it is intended for internal use only.

admin: The administrator credentials can be used to log in to the Sentinel Rapid Deployment Web interface. The password is set during the installation process.

By default, user passwords are stored within the PostgreSQL database, which is embedded in Sentinel Rapid Deployment. PostgreSQL provides the option to utilize a number of standards-based authentication mechanisms, as described in the Client Authentication section of the PostgreSQL documentation.

Utilizing these mechanisms affects all user accounts in Sentinel Rapid Deployment, including the users of the Web application and accounts used only by back-end services, such as dbauser and appuser.
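The PostgreSQL client-authentication mechanisms referred to above are selected per rule in `pg_hba.conf`, and a single permissive rule there undoes any password policy applied to dbauser, appuser or admin for the clients it matches: `trust` accepts a connection with no credential at all, and `password` sends the credential in cleartext. The following added audit script is not from the Sentinel documentation or the PostgreSQL project; it runs against a constructed "before" file beside a constructed "after" file written to temporary files (on a real server the file lives in the embedded PostgreSQL data directory):

```shell
#!/bin/sh
# Added example; not from the Sentinel documentation or the PostgreSQL project.
# Flags pg_hba.conf rules whose METHOD bypasses a password check ("trust") or
# transmits it in cleartext ("password"). Input is a constructed pg_hba.conf.

# Print "LINE: METHOD: RULE" for every rule using trust or password.
# Fields: TYPE DATABASE USER [ADDRESS [NETMASK]] METHOD [OPTIONS]. ADDRESS is
# absent for TYPE "local"; the older two-field "IP NETMASK" form is recognised
# by a bare dotted-quad in the ADDRESS position, which pushes METHOD one field right.
hba_weak_rules() {
    awk '
        /^[[:space:]]*#/ { next }          # comment line
        NF == 0          { next }          # blank line
        {
            if ($1 == "local") method = $4
            else if ($5 ~ /^[0-9.]+$/) method = $6
            else method = $5
            if (method == "trust" || method == "password")
                print NR ": " method ": " $0
        }
    ' "$1"
}

# Constructed "before" file: Unix-socket connections need no credential at all
# and dbauser's password would cross the network in cleartext.
make_weak_hba() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# TYPE  DATABASE  USER     ADDRESS        METHOD
local   all       all                     trust
host    all       dbauser  127.0.0.1/32   password
host    all       appuser  127.0.0.1/32   md5
EOF
    printf '%s\n' "$f"
}

# Constructed "after" file: every rule requires a hashed password exchange.
# md5 is accepted by every PostgreSQL release; prefer scram-sha-256 on 10 and later.
make_fixed_hba() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# TYPE  DATABASE  USER     ADDRESS        METHOD
local   all       all                     md5
host    all       dbauser  127.0.0.1/32   md5
host    all       appuser  127.0.0.1/32   md5
EOF
    printf '%s\n' "$f"
}

weak=$(make_weak_hba); fixed=$(make_fixed_hba)
echo "weak rules in sample:"; hba_weak_rules "$weak"
echo "weak rules after fix: $(hba_weak_rules "$fixed" | wc -l)"
rm -f "$weak" "$fixed"
```

Point `hba_weak_rules` at the live file (for example `hba_weak_rules "$PGDATA/pg_hba.conf"`) after any change to the authentication settings; an empty result means no rule lets a client skip or expose the password policy. Remember that the rules apply to the back-end accounts as well as to the Web application users, so a tightened method must be matched by the credentials stored for dbauser and appuser.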

A simpler option is to use an LDAP directory to authenticate Web application users. To enable this option on the Sentinel Rapid Deployment server, see Section 3.6, LDAP Authentication. This option has no effect on the accounts used by back-end services, which continue to authenticate through PostgreSQL unless you change the PostgreSQL configuration settings.

You can achieve robust Sentinel Rapid Deployment password policy enforcement by using these standards-based mechanisms and the existing mechanisms in your environment such as your LDAP directory.