Adding external authenticators - BlueCat Integrity - 9.5.0

Address Manager Administration Guide

Locale
English
Product name
BlueCat Integrity
Version
9.5.0

Address Manager includes a fully featured authentication subsystem, and it supports mixed-mode authentication through Kerberos, LDAP, Microsoft Active Directory, or RADIUS. Support for RSA SecurID is accomplished through the RADIUS authentication module.

Before Address Manager can exchange authentication information with a remote system, the authenticator must be defined and associated with an Address Manager user. For instructions on how to assign an authenticator to a user, refer to User groups.

Authenticators are a type of system object that represent a connection to an external authentication system. That system’s native safeguards apply for communications between it and Address Manager. Address Manager acts as a proxy client for the authentication system, validating the identity of an Address Manager user without managing or validating the user’s password or credentials. After the external authenticator validates the user, Address Manager considers the user valid until the session closes or times out.
Note: External authentication is not a substitute for Address Manager user management. Authenticators merely shift the responsibility of validating credentials to another system.

You can add more than one authenticator to a user, so that a secondary authenticator is used if the primary authenticator isn't available. Authenticators can be tested to confirm that Address Manager can communicate with the external service.

The Authenticators page lets you add external authenticators to the Address Manager system. Depending on the type of authenticator you choose, the Add Authenticators page displays different text fields.

Note: IPv6 authentication, where the FQDN resolves to an AAAA resource record and the authentication system fully supports IPv6, should function as designed, but it has not been tested or validated and is not supported at this time. None of the IP address configuration options accept IPv6 addresses; where an IP address is entered, it must be an IPv4 address.

To add an external authenticator:

  1. Select the Administration tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Administration page.
  2. Under User Management, click Authenticators.
  3. Under Authenticators, click New.
  4. Under Authenticator, select the type of authenticator and assign it a name:
    • Type—select Kerberos, LDAP, Radius, or TACACS+.
      Note:
      • When you create an authenticator for Microsoft Active Directory, select LDAP or Kerberos. If you intend to use an LDAP User Group, you should select LDAP, otherwise, select Kerberos. For more information on LDAP User Groups, refer to Adding LDAP user groups.
      • If creating an RSA SecurID authenticator, select Radius.
    • Name—type a name for the authenticator.
    • Host—type the Fully Qualified Domain Name or IP address for the authenticator.
      Attention: The Host field cannot contain underscore ( _ ) characters. If the host's FQDN contains underscores, either enter the host's IP address instead, or rename the host so that its FQDN contains no underscores and enter the new FQDN.
    • Host (KDC)—appears when Kerberos is selected as the type of authenticator. Type the fully qualified domain name (FQDN) or IP address for the authenticator.
      Note: You can enter either an FQDN or an IP address in the Host (KDC) field. The value in the Realm field must be uppercase (capital letters). Ensure that the clocks on the Kerberos server and on Address Manager are synchronized to within one minute of each other; a larger skew causes Kerberos authentication to fail.
  5. Under Additional Properties, set the authenticator properties. The fields available in this section will vary depending on the type of authenticator you have selected.
  6. Under Secondary Authenticator, set the secondary authenticator option:
    • None—select if a secondary authenticator isn't needed.
    • Specific Authenticator—select an authenticator from the list to specify it as a secondary authenticator. If authentication can't be completed by the primary authenticator, the secondary authenticator is used. Select BlueCat Address Manager Authenticator from the list to use Address Manager itself as the secondary authenticator.

  7. Under Change Control, add comments, if required.
  8. Click Add.
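The constraints this procedure places on the Host, Host (KDC) and Realm fields (no underscores, IPv4 literals only, uppercase realm, clocks within one minute) are easy to get wrong and only surface as a failed login later. The following preflight script, added here as an illustration and not part of BlueCat's product or this guide, checks candidate values against those rules before they are typed into the form. The hostnames, addresses and realm in the `__main__` section are constructed sample inputs; `resolves_over_ipv4` is the only network-dependent check and is assumed to be run from a host with the same DNS view as Address Manager.

```python
"""Preflight checks for values entered on the Add Authenticator page.

Added example, not BlueCat code: it encodes the constraints the procedure
states so they can be verified before the authenticator is created.
"""
import ipaddress
import re
import socket
import time

# The guide requires the KDC and Address Manager clocks to be within one minute.
MAX_SKEW_SECONDS = 60

# RFC 1123 hostname label: letters, digits and hyphens, not starting or ending
# with a hyphen. Underscores are deliberately excluded (the Host field rejects them).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_host(host: str) -> tuple[bool, str]:
    """Return (ok, reason) for a value destined for the Host / Host (KDC) field."""
    host = host.strip().rstrip(".")
    if not host:
        return False, "empty host"
    # IP literal? Only IPv4 is accepted by the IP address options.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if addr.version == 6:
            return False, "IPv6 literals are not accepted; use an IPv4 address or an FQDN"
        return True, "IPv4 address"
    if "_" in host:
        return False, "Host cannot contain underscores; enter the IP address or a renamed FQDN"
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return False, "not a valid FQDN"
    return True, "FQDN"


def normalize_realm(realm: str) -> tuple[str, list[str]]:
    """The Kerberos Realm field must be uppercase; return the corrected value and any warnings."""
    warnings = []
    cleaned = realm.strip()
    if cleaned != realm:
        warnings.append("surrounding whitespace removed")
    if cleaned != cleaned.upper():
        warnings.append(f"realm {cleaned!r} is not uppercase; enter {cleaned.upper()!r}")
    return cleaned.upper(), warnings


def clock_skew_ok(local_epoch: float, remote_epoch: float,
                  max_skew: float = MAX_SKEW_SECONDS) -> bool:
    """True when two clocks (Unix epoch seconds) differ by at most max_skew, in either direction."""
    return abs(local_epoch - remote_epoch) <= max_skew


def resolves_over_ipv4(host: str) -> bool:
    """Network check: does the name have an A record? Address Manager connects over IPv4 only."""
    try:
        socket.getaddrinfo(host, None, socket.AF_INET)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    # Constructed sample inputs (hypothetical hosts in the documentation range 192.0.2.0/24).
    for candidate in ["kdc01.corp.example.com", "kdc_01.corp.example.com",
                      "192.0.2.10", "2001:db8::10", "kdc01"]:
        print(f"{candidate:28} -> {validate_host(candidate)}")
    print(normalize_realm("corp.example.com"))
    now = time.time()
    # A remote clock 90 s behind would fail the one-minute requirement.
    print("skew ok:", clock_skew_ok(now, now - 90))
```

Run it before filling in the form; any `False` result from `validate_host`, any warning from `normalize_realm`, or a `False` from `clock_skew_ok` (fed with the local clock and the KDC's clock, for example from its NTP status) points at a value the Add Authenticator page will reject or that will make the first login fail.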