Set the properties to securely log in to the appliance.
Prerequisites
To perform any task on OpenManage Enterprise, ensure that you have the necessary user privileges. See Role and scope-based access.
AD and LDAP directory users can be imported and assigned to one of the OpenManage Enterprise roles (Admin, DeviceManager, or Viewer).
About this task
By clicking Application Settings > Security, you can secure your OpenManage Enterprise by specifying the Restrict Allowed IP Range and the Login Lockout Policy, and by configuring the TLS Protocol or RSA SecurID.
Steps
Expand Restrict Allowed IP Range:
NOTE: When Restrict Allowed IP Range is configured in the appliance, any inbound connection to the appliance, such as alert reception, firmware update, and network identities, is blocked for devices that are outside the given range. However, any connection that originates from the appliance works for all devices. Because your own browser session is also an inbound connection, make sure that the range includes the address from which you administer the appliance; otherwise you lock yourself out.
To specify the IP address range that must be allowed to access OpenManage Enterprise, select the Enable IP Range check box.
In the IP Range Address (CIDR) box, enter the allowed range in CIDR notation. You can enter multiple comma-separated IP address ranges.
Click Apply. To reset to the default properties, click Discard.
NOTE: The Apply button is not enabled if multiple IP ranges are entered in the IP Range Address (CIDR) box.
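Before pasting a range into the IP Range Address (CIDR) box, it is worth checking offline that every entry parses and that the hosts which must reach the appliance inbound (your workstation, and the managed devices that send alerts or need firmware updates) actually fall inside it. The script below is an added example and not part of the OpenManage Enterprise product or its documentation; the range string, host names and addresses are constructed sample data, and the choice to reject entries with host bits set (for example 10.20.5.0/16) is an assumption made to stay on the safe side of whatever the appliance itself accepts.

```python
import ipaddress

# Constructed sample value for the "IP Range Address (CIDR)" box, in the
# comma-separated form the box accepts (not taken from the page).
ALLOWED_RANGES = "10.20.0.0/16, 192.168.100.0/24"

# Constructed sample hosts that need INBOUND access to the appliance:
# the admin workstation plus managed devices (alerts, firmware update).
HOSTS = {
    "admin-workstation": "10.20.5.17",
    "idrac-r750-01": "192.168.100.41",
    "idrac-r650-02": "172.16.9.8",   # deliberately outside both ranges
}


def parse_cidr_list(text):
    """Parse the comma-separated CIDR string into ip_network objects.

    Raises ValueError on any malformed entry. strict=True is an assumption:
    it rejects entries whose host bits are set (e.g. 10.20.5.0/16), which are
    ambiguous and may be rejected by the appliance as well.
    """
    networks = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        networks.append(ipaddress.ip_network(item, strict=True))
    if not networks:
        raise ValueError("no CIDR ranges given")
    return networks


def cidr_list_is_valid(text):
    """True if every entry in the box value parses as a CIDR range."""
    try:
        parse_cidr_list(text)
        return True
    except ValueError:
        return False


def blocked_hosts(text, hosts):
    """Names of hosts whose address is outside every allowed range."""
    networks = parse_cidr_list(text)
    blocked = []
    for name, address in hosts.items():
        ip = ipaddress.ip_address(address)
        if not any(ip in net for net in networks):
            blocked.append(name)
    return sorted(blocked)


def safe_to_apply(text, hosts, admin_host="admin-workstation"):
    """False if applying the range would cut off the administrator's own host."""
    return cidr_list_is_valid(text) and admin_host not in blocked_hosts(text, hosts)


if __name__ == "__main__":
    print("valid:", cidr_list_is_valid(ALLOWED_RANGES))
    print("blocked inbound:", blocked_hosts(ALLOWED_RANGES, HOSTS))
    print("safe to apply:", safe_to_apply(ALLOWED_RANGES, HOSTS))
```

Run it against the real host list before clicking Apply; any managed device listed as blocked will stop delivering alerts to the appliance once the range is enforced, and a blocked admin workstation means a lockout that has to be undone from a permitted address.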
Expand Login Lockout Policy:
Select the By User Name check box to prevent a specific username from logging in to OpenManage Enterprise after repeated failures.
Select the By IP address check box to prevent a specific IP address from logging in to OpenManage Enterprise after repeated failures.
In the Lockout Fail Count box, enter the number of unsuccessful attempts after which OpenManage Enterprise must prevent the user from logging in further. The default is 3 attempts.
In the Lockout Fail Window box, enter the duration for which OpenManage Enterprise retains a failed attempt; only failures within this window count towards the Lockout Fail Count.
In the Lockout Penalty Time box, enter the duration for which the user is prevented from making any login attempt after the fail count is reached.
Click Apply. To reset the settings to the default attributes, click Discard.
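The three settings interact: a lock is triggered only when Lockout Fail Count failures fall inside one Lockout Fail Window, and the lock then lasts for Lockout Penalty Time regardless of whether later attempts carry the right password. The model below is an added illustration of that behaviour, written for this page; it is not the appliance's own implementation, and it assumes the window and penalty are expressed in seconds and that By User Name and By IP address are independent counters, each of which can lock on its own.

```python
from collections import defaultdict, deque


class LoginLockoutPolicy:
    """Illustrative model of the Login Lockout Policy (not the appliance's code).

    fail_count / fail_window / penalty_time mirror the three boxes in the UI;
    units for the window and penalty are assumed to be seconds.
    """

    def __init__(self, fail_count=3, fail_window=30, penalty_time=900,
                 by_user_name=True, by_ip_address=True):
        self.fail_count = fail_count
        self.fail_window = fail_window
        self.penalty_time = penalty_time
        self.by_user_name = by_user_name
        self.by_ip_address = by_ip_address
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time at which the penalty ends

    def _keys(self, username, ip):
        keys = []
        if self.by_user_name:
            keys.append(("user", username))
        if self.by_ip_address:
            keys.append(("ip", ip))
        return keys

    def is_locked(self, username, ip, now):
        return any(self.locked_until.get(k, 0) > now for k in self._keys(username, ip))

    def attempt(self, username, ip, password_ok, now):
        """Return 'locked', 'denied' or 'ok' for one login attempt at time `now`."""
        if self.is_locked(username, ip, now):
            return "locked"  # penalty running: the attempt is refused outright
        if password_ok:
            for k in self._keys(username, ip):
                self.failures.pop(k, None)  # success clears the failure history
            return "ok"
        for k in self._keys(username, ip):
            q = self.failures[k]
            q.append(now)
            while q and now - q[0] > self.fail_window:  # forget failures outside the window
                q.popleft()
            if len(q) >= self.fail_count:
                self.locked_until[k] = now + self.penalty_time
                q.clear()
        return "denied"


def lockout_demo():
    """Constructed scenario: three bad passwords lock both the user and the IP."""
    p = LoginLockoutPolicy(fail_count=3, fail_window=30, penalty_time=900)
    return [
        p.attempt("alice", "10.0.0.5", False, now=0),
        p.attempt("alice", "10.0.0.5", False, now=5),
        p.attempt("alice", "10.0.0.5", False, now=10),   # third failure: locked
        p.attempt("alice", "10.0.0.5", True, now=11),    # right password, still locked
        p.attempt("bob", "10.0.0.5", True, now=11),      # same IP: locked by IP
        p.attempt("bob", "10.0.0.6", True, now=11),      # other IP: unaffected
        p.attempt("alice", "10.0.0.5", True, now=911),   # penalty expired
    ]


def window_demo():
    """Constructed scenario: failures spread wider than the window never lock."""
    p = LoginLockoutPolicy(fail_count=3, fail_window=30, penalty_time=900)
    results = [
        p.attempt("carol", "10.0.0.9", False, now=0),
        p.attempt("carol", "10.0.0.9", False, now=40),   # first failure aged out
        p.attempt("carol", "10.0.0.9", False, now=45),
    ]
    return results, p.is_locked("carol", "10.0.0.9", now=46)


if __name__ == "__main__":
    print(lockout_demo())
    print(window_demo())
```

Note the trade-off the By IP address option introduces: a single misbehaving host behind a shared NAT address locks out every user arriving from that address, while the By User Name option lets an attacker who knows a valid username lock that user out from anywhere. Size the penalty accordingly.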
Expand TLS Protocol Configuration:
Set the TLS Protocol to TLS 1.2 and Higher, TLS 1.2, or TLS 1.3. Before restricting the appliance to TLS 1.3 only, confirm that every browser, script, and integration that connects to the appliance supports TLS 1.3.
NOTE: Ensure that the appliance has the TLS 1.2 protocol set up for migration.
Enter a Custom TLS 1.2 Cipher String to customize the cipher suites the appliance accepts while using TLS 1.2.
Enter a Custom TLS 1.3 Cipher String to customize the cipher suites the appliance accepts while using TLS 1.3.
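A mistyped or over-restrictive cipher string can leave the appliance unreachable, so it pays to expand a candidate string locally first and look at what it actually selects. The script below is an added example, not part of the product or its documentation; it assumes the Custom TLS 1.2 Cipher String uses OpenSSL cipher-list syntax (the page does not say which syntax the box expects, so confirm against your appliance version) and uses the local OpenSSL build, whose available suites may differ from the appliance's. The two candidate strings are constructed for the illustration.

```python
import ssl

# Constructed candidate values for the "Custom TLS 1.2 Cipher String" box,
# in OpenSSL cipher-list syntax (an assumption about the box's format).
STRICT_TLS12 = "ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES"
LAX_TLS12 = "ALL:!aNULL"

# Substrings in an OpenSSL suite name that indicate a suite to avoid.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")
# Substrings that indicate an AEAD suite; anything else is a CBC/MAC suite.
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def expand_cipher_string(cipher_string):
    """Return the pre-TLS-1.3 suite names OpenSSL selects for the string.

    Raises ValueError if OpenSSL rejects the string (no suite can be selected).
    TLS 1.3 suites are listed by get_ciphers() too, but set_ciphers() does not
    govern them, so they are filtered out here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        raise ValueError(f"cipher string rejected by OpenSSL: {exc}") from exc
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def check_cipher_string(cipher_string):
    """Return (ok, selected_suites, problems) for a candidate string."""
    try:
        suites = expand_cipher_string(cipher_string)
    except ValueError as exc:
        return False, [], [str(exc)]
    problems = []
    if not suites:
        problems.append("string selects no TLS 1.2 suites")
    for name in suites:
        if any(m in name for m in WEAK_MARKERS):
            problems.append(f"weak suite selected: {name}")
        elif not any(m in name for m in AEAD_MARKERS):
            problems.append(f"non-AEAD suite selected: {name}")
    return not problems, suites, problems


if __name__ == "__main__":
    for label, value in (("strict", STRICT_TLS12), ("lax", LAX_TLS12), ("typo", "ECDHE+AESGMC")):
        ok, suites, problems = check_cipher_string(value)
        print(f"{label}: ok={ok} suites={len(suites)}")
        for p in problems[:5]:
            print("   ", p)
```

The typo case is the one that matters operationally: OpenSSL silently ignores an alias it does not recognise, so a string made entirely of misspelled aliases selects nothing, which is the failure mode that would leave the appliance with no usable TLS 1.2 suite.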
Expand RSA SecurID Configuration to allow administrators to select which appliance users, including other administrators, need multi-factor authentication to log in to the appliance:
To enable RSA SecurID, select the Enabled check box.
Log in to the RSA Authentication Server and download the required RSA Server Certificate.
Click Upload to upload the downloaded certificate, and View to see the details of the certificate.
Enter the RSA SecurID Authentication Server URL and the Port # for HTTPS access.
Enter the RSA SecurID Client ID. The Client ID is the hostname or IP address of the system on which the RSA Authentication Agent application (RSASecurIDSoftwareToken) is installed. Create the Client ID on the external RSA server's Security Console by clicking Access > Authentication Agents > Add New.
Enter the RSA SecurID Access Key. Retrieve the access key on the RSA authentication server from the Setup > System Settings > RSA SecurID > Authentication API section.
NOTE: Old access keys are not invalidated when new keys are generated. The lifetime of an access key is determined by the time frame (default: 60 days) set on the RSA authentication server. In case of a suspected security breach, regenerate the access key twice on the RSA authentication server before entering the key on the appliance, so that the previously issued key is no longer the most recent one.
Enter the Connection Timeout. This is the time period for which the RSA authentication server waits for a response from identity routers.
Enter the Read Timeout. This is the time in seconds that a collector waits to read data after the previous read before the read attempt is aborted.
Use the Test Connection button to verify whether the appliance can reach the RSA authentication server on the port provided. If a proxy is introduced, ensure that the appliance can still communicate with the RSA Authentication Server to avoid service disruption.
To verify whether the certificate provided is valid, send an HTTP GET request to api/ApplicationService/MfaCertificate.
Click Apply to initiate registration with the RSA authentication server. To discard the changes made, click Cancel.
NOTE: After 3 invalid passcode entries, the RSA account goes into 'next token mode', and you are prompted to provide the next 2 passcodes generated by your RSA token. If a 4th invalid passcode is entered, your account may be locked. Although the appliance still permits login attempts, RSA authentication for the user fails. Before retrying logins on the appliance, verify the account status on the RSA server.