Server Administrator provides security through role-based access control (RBAC), authentication, and encryption for both the Web-based and command line interfaces.
Role-Based Access Control
RBAC manages security by determining the operations that can be executed by persons in particular roles. Each user is assigned one or more roles, and each role is assigned one or more user privileges that are permitted to users in that role. With RBAC, security administration corresponds closely to an organization's structure.
User Privileges
Server Administrator grants different access rights based on the user's assigned group privileges. The three user levels are: User, Power User, and Administrator.
Users can view most information.
Power Users can set warning threshold values, run diagnostic tests, and configure which alert actions are to be taken when a warning or failure event occurs.
Administrators can configure and perform shutdown actions, configure Auto Recovery actions in case a system has a hung operating system, and clear hardware, event, and command logs. Administrators can also send e-mail.
Server Administrator grants read-only access to users logged in with User privileges, read and write access to users logged in with Power User privileges, and read, write, and admin access to users logged in with Admin privileges. See Table 3-1.
Table 3-1. User Privileges
User Privileges
Access Type
Admin
Write
Read
User
X
Power User
X
X
Admin
X
X
X
Read access allows viewing of data reported by Server Administrator. Read access does not allow changing or setting values on the managed system.
Write access allows values to be changed or set on the managed system.
Admin access allows shutdown of the managed system.
Privilege Levels to Access Server Administrator Services
Table 3-2 summarizes which user levels have privileges to access and manage Server Administrator Services.
Table 3-2. Server Administrator User Privilege Levels
Service
User Privilege Level Required
View
Manage
Instrumentation
U, P, A
P, A
Remote Access
U, P, A
A
Diagnostics
P, A
P, A
Storage Management
U, P, A
A
Table 3-3 defines the user privilege level abbreviations used in Table 3-2.
Table 3-3. Legend for Server Administrator User Privilege Levels
U
User
P
Power User
A
Administrator
NA
Not Applicable
Authentication
The Server Administrator authentication scheme ensures that the correct access types are assigned to the correct user privileges. Additionally, when the command line interface (CLI) is invoked, the Server Administrator authentication scheme validates the context within which the current process is running. This authentication scheme ensures that all Server Administrator functions, whether accessed through the Server Administrator home page or CLI, are properly authenticated.
Microsoft Windows Authentication
For supported Microsoft® Windows® operating systems, Server Administrator authentication is based on the operating system's user authentication system using Windows NT® LAN Manager (NTLM) modules to authenticate. This underlying authentication system allows Server Administrator security to be incorporated in an overall security scheme for your network.
Red Hat Enterprise Linux Authentication
For supported Red Hat® Enterprise Linux operating systems, Server Administrator authentication is based on the Red Hat Enterprise Linux Pluggable Authentication Modules (PAM) library. This documented library of functions allows an administrator to determine how individual applications authenticate users.
Encryption
Server Administrator is accessed over a secure HTTPS connection using secure socket layer (SSL) technology to ensure and protect the identity of the system being managed. Java Secure Socket Extension (JSSE) is used by supported Microsoft Windows, and Red Hat Enterprise Linux to protect the user credentials and other sensitive data that is transmitted over the socket connection when a user accesses the Server Administrator home page.
Assigning User Privileges
You must properly assign user privileges to all Server Administrator users before installing Server Administrator in order to ensure critical system component security.
The following procedures provide step-by-step instructions for creating Server Administrator users and assigning user privileges for each supported operating system:
NOTICE: You must assign a password to every user account that can access Server Administrator to protect
access to your critical system components. Additionally, users who do not have an assigned password cannot log
into Server Administrator on a system running Windows Server™ 2003 due to operating system constraints.
Creating Server Administrator Users for Supported Windows Operating Systems
NOTE: You must be logged in with Admin privileges to perform these procedures.
Creating Users and Assigning User Privileges for Supported Windows Server 2003 Operating Systems
NOTE: For questions about creating users and assigning user group privileges or for more detailed instructions,
see your operating system documentation.
Click the Start button, right-click My Computer, and point to Manage.
In the console tree, expand Local Users and Groups, and then click Users.
Click Action, and then click New User.
Type the appropriate information in the dialog box, select or clear the appropriate check boxes, and
then click Create.
NOTICE: You must assign a password to every user account that can access Server Administrator to protect
access to your critical system components. Additionally, users who do not have an assigned password
cannot log into Server Administrator on a system running Windows Server 2003 due to operating
system constraints.
In the console tree, under Local Users and Groups, click Groups.
Click the group to which you want to add the new user: Users, Power Users, or Administrators.
Click Action, and then click Properties.
Click Add.
Type the user name that you are adding and click Check Names to validate.
Click OK.
New users can log into Server Administrator with the user privileges for their assigned group.
Creating Users and Assigning User Privileges for Supported Windows 2000 Operating Systems
NOTE: For questions about creating users and assigning user group privileges or for more detailed instructions,
see your operating system documentation.
Right-click My Computer and point to Manage.
In the console tree, expand Local Users and Groups, and then click Users.
Click Action, and then click New User.
Type the appropriate information in the dialog box, select or clear the appropriate check boxes, and
then click Create.
NOTICE: You must assign a password to every user account that can access Server Administrator to protect
access to your critical system components. Additionally, users who do not have an assigned password
cannot log into Server Administrator on a system running Windows Server 2003 due to operating
system constraints.
In the console tree, under Local Users and Groups, click Groups.
Click the group to which you want to add the new user: Users, Power Users, or Administrators.
Click Action, and then click Properties.
Click Add.
Click the name of the user you want to add, and then click Add.
Click Check Names to validate the user name that you are adding.
Click OK.
New users can log into Server Administrator with the user privileges for their assigned group.
Adding Users to a Domain
NOTE: For questions about creating users and assigning user group privileges or for more detailed instructions,
see your operating system documentation.
NOTE: You must have Active Directory installed on your system to perform the following procedures.
Click the Start button, and then point to Control Panel→ Administrative Tools→ Active Directory
Users and Computers.
In the console tree, right-click Users or right-click the container in which you want to add the new user,
and then point to New→ User.
Type the appropriate user name information in the dialog box, and then click Next.
NOTICE: You must assign a password to every user account that can access Server Administrator to protect
access to your critical system components. Additionally, users who do not have an assigned password
cannot log into Server Administrator on a system running Windows Server 2003 due to operating
system constraints.
Click Next, and then click Finish.
Double-click the icon representing the user you just created.
Click the Member of tab.
Click Add.
Select the appropriate group and click Add.
Click OK, and then click OK again.
New users can log into Server Administrator with the user privileges for their assigned group and domain.
Creating Server Administrator Users for Supported Red Hat Enterprise Linux Operating Systems
Admin access privileges are assigned to the user logged in as root. To create users with User and Power User privileges, perform the following steps.
NOTE: You must be logged in as root to perform these procedures.
NOTE: You must have the useradd utility installed on your system to perform these procedures.
Creating Users
NOTE: For questions about creating users and assigning user group privileges or for more detailed instructions,
see your operating system documentation.
Creating Users With User Privileges
Run the following command from the command line:
useradd -d <home-directory> -g <group> <username>
where <group> is notroot.
NOTE: If <group> does not exist, you must create it by using the groupadd command.
Type passwd<username> and press <Enter>.
When prompted, enter a password for the new user.
NOTICE: You must assign a password to every user account that can access Server Administrator to protect
access to your critical system components.
The new user can now log in to Server Administrator with User group privileges.
Creating Users With Power User Privileges
Run the following command from the command line:
useradd -d <home-directory> -g root <username>
NOTE: You must set root as the primary group.
Type passwd<username> and press <Enter>.
When prompted, enter a password for the new user.
NOTICE: You must assign a password to every user account that can access Server Administrator to protect
access to your critical system components.
The new user can now log in to Server Administrator with Power User group privileges.
Disabling Guest and Anonymous Accounts in Supported Windows Operating Systems
NOTE: You must be logged in with Admin privileges to perform this procedure.
If your system is running Windows Server 2003, click the Start button, right-click My Computer, and
point to Manage. If your system is running Windows 2000, right-click My Computer and point to Manage.
In the console tree, expand Local Users and Groups and click Users.
Click the Guest or IUSR_system name user account.
Click Action and point to Properties.
Select Account is disabled and click OK.
A red circle with an X appears over the user name. The account is disabled.
Configuring the SNMP Agent
Server Administrator supports the Simple Network Management Protocol (SNMP) systems management standard on all supported operating systems. In most cases, SNMP is installed as part of your operating system installation. An installed supported systems management protocol standard, such as SNMP, is required before installing Server Administrator. See "Installation Requirements" for more information.
You can configure the SNMP agent to change the community name, enable Set operations, and send traps to a management station. To configure your SNMP agent for proper interaction with management applications such as the Dell OpenManage™ IT Assistant and Array Manager, perform the procedures described in the following sections.
NOTE: For IT Assistant to retrieve management information from a system running Server Administrator, the
community name used by IT Assistant must match a community name on the system running Server Administrator.
For IT Assistant to modify information or perform actions on a system running Server Administrator, the community
name used by IT Assistant must match a community name that allows Set operations on the system running
Server Administrator. For IT Assistant to receive traps (asynchronous event notifications) from a system running
Server Administrator, the system running Server Administrator must be configured to send traps to the system
running IT Assistant.
The following procedures provide step-by-step instructions for configuring the SNMP agent for each supported operating system:
Configuring the SNMP Agent for Systems Running Supported Windows Operating Systems
Server Administrator uses the SNMP services provided by the Windows SNMP agent. You can configure the SNMP agent to change the community name, enable Set operations, and send traps to a management station. To configure your SNMP agent for proper interaction with management applications such as IT Assistant and Array Manager, perform the procedures described in the following sections.
NOTE: See your operating system documentation for additional details on SNMP configuration.
Enabling SNMP Access By Remote Hosts
Windows Server 2003, by default, does not accept SNMP packets from remote hosts. For systems running Windows Server 2003, you must configure the SNMP service to accept SNMP packets from remote hosts if you plan to manage the system by using SNMP management applications from remote hosts.
To enable a system running the Windows Server 2003 operating system to receive SNMP packets from a remote host, perform the following steps:
Click the Start button, right-click My Computer, and point to Manage.
The Computer Management window appears.
Expand the Computer Management icon in the window, if necessary.
Expand the Services and Applications icon and click Services.
Scroll down the list of services until you find SNMP Service, right-click SNMP Service, and then
click Properties.
The SNMP Service Properties window appears.
Click the Security tab.
Select Accept SNMP packets from any host, or add the remote host to the Accept SNMP packets
from these hosts list.
Changing the SNMP Community Name
Configuring the SNMP community names determines which systems are able to manage your system through SNMP. The SNMP community name used by management applications must match an SNMP community name configured on the Server Administrator system so that the management applications can retrieve management information from Server Administrator.
If your system is running Windows Server 2003, click the Start button, right-click My Computer, and
point to Manage. If your system is running Windows 2000, right-click My Computer and point to Manage.
The Computer Management window appears.
Expand the Computer Management icon in the window, if necessary.
Expand the Services and Applications icon and click Services.
Scroll down the list of services until you find SNMP Service, right-click SNMP Service, and then
click Properties.
The SNMP Service Properties window appears.
Click the Security tab to add or edit a community name.
To add a community name, click Add under the Accepted Community Names list.
The SNMP Service Configuration window appears.
Type the community name of a system that is able to manage your system (the default is public) in
the Community Name text box and click Add.
The SNMP Service Properties window appears.
To change a community name, select a community name in the Accepted Community Names list
and click Edit.
The SNMP Service Configuration window appears.
Make all necessary edits to the community name of the system that is able to manage your system
in the Community Name text box, and then click OK.
The SNMP Service Properties window appears.
Click OK to save the changes.
Enabling SNMP Set Operations
SNMP Set operations must be enabled on the Server Administrator system to change Server Administrator attributes using IT Assistant.
If your system is running Windows Server 2003, click the Start button, right-click My Computer, and
point to Manage. If your system is running Windows 2000, right-click My Computer and point to Manage.
The Computer Management window appears.
Expand the Computer Management icon in the window, if necessary.
Expand the Services and Applications icon, and then click Services.
Scroll down the list of services until you find SNMP Service, right-click SNMP Service, and click
Properties.
The SNMP Service Properties window appears.
Click the Security tab to change the access rights for a community.
Select a community name in the Accepted Community Names list, and then click Edit.
The SNMP Service Configuration window appears.
Set the Community Rights to READ WRITE or READ CREATE, and click OK.
The SNMP Service Properties window appears.
Click OK to save the changes.
Configuring Your System to Send SNMP Traps to a Management Station
Server Administrator generates SNMP traps in response to changes in the status of sensors and other monitored parameters. You must configure one or more trap destinations on the Server Administrator system for SNMP traps to be sent to a management station.
If your system is running Windows Server 2003, click the Start button, right-click My Computer, and
point to Manage. If your system is running Windows 2000, right-click My Computer and point to Manage.
The Computer Management window appears.
Expand the Computer Management icon in the window, if necessary.
Expand the Services and Applications icon and click Services.
Scroll down the list of services until you find SNMP Service, right-click SNMP Service, and click
Properties.
The SNMP Service Properties window appears.
Click the Traps tab to add a community for traps or to add a trap destination for a trap community.
To add a community for traps, type the community name in the Community Name box and click
Add to list, which is located next to the Community Name box.
To add a trap destination for a trap community, select the community name from the Community
Name drop-down box and click Add under the Trap Destinations box.
The SNMP Service Configuration window appears.
Type in the trap destination and click Add.
The SNMP Service Properties window appears.
Click OK to save the changes.
Configuring the SNMP Agent on Systems Running Supported Red Hat Enterprise Linux
Operating Systems
Server Administrator uses the SNMP services provided by the ucd-snmp or net-snmp SNMP agent. You can configure the SNMP agent to change the community name, enable Set operations, and send traps to a management station. To configure your SNMP agent for proper interaction with management applications such as IT Assistant and Array Manager, perform the procedures described in the following sections.
NOTE: See your operating system documentation for additional details on SNMP configuration.
SNMP Agent Access Control Configuration
The management information base (MIB) branch implemented by the Instrumentation Service is identified by the OID, 1.3.6.1.4.1.674.10892.1. Management applications must have access to this branch of the MIB tree to manage systems running the Instrumentation Service.
For Red Hat Enterprise Linux operating systems, the default SNMP agent configuration gives read-only access for the "public" community only to the MIB-II "system" branch (identified by the OID, 1.3.6.1.2.1.1) of the MIB tree. This configuration does not allow management applications to retrieve or change Instrumentation Service and other systems management information outside of the MIB-II "system" branch.
If Server Administrator detects this configuration during installation, it attempts to modify the SNMP agent configuration to give read-only access to the entire MIB tree for the "public" community. It does this by changing the SNMP agent configuration file, /etc/snmp/snmpd.conf, in two ways.
The first change is to create a view to the entire MIB tree by adding the following line if it does not exist:
view all included .1
The second change is to modify the default "access" line to give read-only access to the entire MIB tree for the "public" community. Server Administrator looks for the following line:
access notConfigGroup "" any noauth exact systemview none none
If Server Administrator finds the line above, it modifies the line so that it reads:
access notConfigGroup "" any noauth exact all none none
These changes to the default SNMP agent configuration give read-only access to the entire MIB tree for the "public" community.
NOTE: To ensure that Server Administrator is able to modify the SNMP agent configuration to provide proper
access to systems management data, it is recommended that any other SNMP agent configuration changes be
made after installation of Server Administrator.
Changing the SNMP Community Name
Configuring the SNMP community names determines which systems are able to manage your system through SNMP. The SNMP community name used by management applications must match an SNMP community name configured on the Server Administrator system so that the management applications can retrieve management information from Server Administrator.
To change the SNMP community name used for retrieving management information from a system running Server Administrator, edit the SNMP agent configuration file, /etc/snmp/snmpd.conf, and perform the following steps:
Find the line that reads:
com2sec publicsec default public
or
com2sec notConfigUser default public
Edit this line, replacing public with the new SNMP community name. When edited, the new line
should read:
com2sec publicsec default community_name
or
com2sec notConfigUser defaultcommunity_name
To enable SNMP configuration changes, restart the SNMP agent by typing:
service snmpd restart
Enabling SNMP Set Operations
SNMP Set operations must be enabled on the system running Server Administrator in order to change Server Administrator attributes using IT Assistant.
To enable SNMP Set operations on the system running Server Administrator, edit the SNMP agent configuration file, /etc/snmp/snmpd.conf, and perform the following steps:
Find the line that reads:
access publicgroup "" any noauth exact all none none
or
access notConfigGroup "" any noauth exact all none none
Edit this line, replacing the first none with all. When edited, the new line should read:
access publicgroup "" any noauth exact all all none
or
access notConfigGroup "" any noauth exact all all none
To enable SNMP configuration changes, restart the SNMP agent by typing:
service snmpd restart
Configuring Your System to Send Traps to a Management Station
Server Administrator generates SNMP traps in response to changes in the status of sensors and other monitored parameters. One or more trap destinations must be configured on the system running Server Administrator for SNMP traps to be sent to a management station.
To configure your system running Server Administrator to send traps to a management station, edit the SNMP agent configuration file, /etc/snmp/snmpd.conf, and perform the following steps:
Add the following line to the file:
trapsinkIP_address community_name
where IP_address is the IP address of the management station and community_name is the SNMP community name
To enable SNMP configuration changes, restart the SNMP agent by typing:
service snmpd restart
X.509 Certificate Management Prerequisites
Web certificates are necessary to ensure the identity of a remote system and to ensure that information exchanged with the remote system cannot be viewed or changed by others.
This section explains the administrative prerequisites for ensuring your ability to generate a new X.509 certificate, reuse an existing X.509 certificate, or import a root certificate or certificate chain from Certification Authority (CA) on each supported operating system.
The X.509 certificate management is provided through the Server Administrator home page for all supported operating systems.
Firewall Configuration on Systems Running Supported Red Hat Enterprise Linux Operating Systems
If you enable firewall security when installing Red Hat Enterprise Linux, the SNMP port on all external network interfaces is closed by default. To enable SNMP management applications such as IT Assistant to discover and retrieve information from Server Administrator, the SNMP port on at least one external network interface must be open. If Server Administrator detects that the SNMP port is not open in the firewall for any external network interface, Server Administrator displays a warning message and logs a message to the system log.
You can open the SNMP port by disabling the firewall, opening an entire external network interface in the firewall, or opening the SNMP port for at least one external network interface in the firewall. You can perform this action before or after Server Administrator is started.
To open the SNMP port using one of the previously described methods, perform the following steps:
At the Red Hat Enterprise Linux command prompt, type setup and press <Enter> to start the Text
Mode Setup Utility.
NOTE: This command is available only if you have performed a default installation of the operating system.
The Choose a Tool menu appears.
Select Firewall Configuration using the down arrow and press <Enter>.
The Firewall Configuration screen appears.
Select the Security Level by tabbing to it and pressing the spacebar. The selected Security Level is
indicated by an asterisk.
NOTE: Press <F1> for more information about the firewall security levels. The default SNMP port number is 161.
If you are using the X Window System GUI, pressing <F1> may not provide information about firewall security
levels on newer versions of Red Hat Enterprise Linux.
To disable the firewall, select No firewall or Disabled and go to step 7.
To open an entire network interface or the SNMP port, select High, Medium, or Enabled and
continue with step 4.
Tab to Customize and press <Enter>.
The Firewall Configuration - Customize screen appears.
Select whether to open an entire network interface or just the SNMP port on all network interfaces.
To open an entire network interface, tab to one of the Trusted Devices and press the spacebar.
An asterisk in the box to the left of the device name indicates that the entire interface will be opened.
To open the SNMP port on all network interfaces, tab to Other ports and type snmp:udp.
