OpenManage Enterprise 4.1.x User's Guide

Set the login security properties

Set the properties to securely log in to the appliance.

Prerequisites

  • To perform any tasks on OpenManage Enterprise, ensure that you have the necessary user privileges. See Role and scope-based access.
  • AD and LDAP directory users can be imported and assigned to one of the OpenManage Enterprise roles (Admin, DeviceManager, or Viewer).

About this task

On the Application Settings > Security page, you can secure OpenManage Enterprise by specifying the Restrict Allowed IP Range and Login Lockout Policy, and by configuring the TLS Protocol or RSA SecurID.

Steps

  1. Expand Restrict Allowed IP Range:
    NOTE: When "Restrict Allowed IP Range" is configured in the appliance, any inbound connection to the appliance, such as alert reception, firmware update, and network identities, is blocked for devices that are outside the given range. However, any connection that goes out of the appliance works on all devices.
    1. To specify the IP address range that must be allowed to access OpenManage Enterprise, select the Enable IP Range check box.
    2. In the IP Range Address (CIDR) box, you can enter multiple comma-separated IP address ranges.
    3. Click Apply. To reset to default properties, click Discard.
    NOTE: The Apply button will not be enabled if multiple IP ranges are entered in the IP Range Address (CIDR) box.
  2. Expand Login Lockout Policy:
    1. Select the By User Name check box to prevent a specific username from logging in to OpenManage Enterprise.
    2. Select the By IP address check box to prevent a specific IP address from logging in to OpenManage Enterprise.
    3. In the Lockout Fail Count box, enter the number of unsuccessful attempts after which OpenManage Enterprise must prevent the user from further logging in. The default is 3 attempts.
    4. In the Lockout Fail Window box, enter the duration for which OpenManage Enterprise must display information about a failed attempt.
    5. In the Lockout Penalty Time box, enter the duration for which the user is prevented from making any login attempt after multiple unsuccessful attempts.
    6. Click Apply. To reset the settings to default attributes, click Discard.
  3. Expand TLS Protocol Configuration:
    1. Set the TLS Protocol to TLS 1.2 and Higher, TLS 1.2, or TLS 1.3.
      NOTE: Ensure that the appliance has the TLS 1.2 protocol set up for migration.
    2. Enter a Custom TLS 1.2 Cipher String to customize the types of encryption supported by the appliance while using TLS 1.2.
    3. Enter a Custom TLS 1.3 Cipher String to customize the types of encryption supported by the appliance while using TLS 1.3.
  4. Expand RSA SecurID Configuration to allow administrators to select which appliance users, including other administrators, need multi-factor authentication to log in to the appliance:
    1. To enable RSA SecurID, check the Enabled checkbox.
    2. Log in to the RSA Authentication Server and download the RSA Server Certificate required.
    3. Click Upload to upload the downloaded certificate and View to see the details of the certificate.
    4. Enter the RSA SecurID Authentication Server URL and Port # for HTTPS access.
    5. Enter the RSA SecurID Client ID. The ClientID is the hostname/IP address of the system on which the RSA Authentication Agent application (RSASecurIDSoftwareToken) is installed. Configure the Client ID on the external RSA server's Security Console by clicking Access > Authentication Agents > Add New to create a ClientID.
    6. Enter the RSA SecurID Access Key. Retrieve the access key on the RSA authentication server by going to Setup > System Settings > RSA SecurID > Authentication API section.
      NOTE: Old access keys do not get invalidated when new keys are generated. The life of an access key is determined by the time frame (Default: 60 days) set on the RSA authentication server. In case of a suspected security breach, regenerate the access key twice on the RSA authentication server before entering the key on the appliance.
    7. Enter the Connection Timeout. This is the time period for which the RSA authentication server waits for a response from identity routers.
    8. Enter the Read Timeout. This is the time in seconds a collector waits to read data after the previous read before the read attempt is aborted.
    9. Use the Test Connection button to verify whether the appliance is able to reach the RSA authentication server via the port provided. If a proxy is introduced, ensure that the appliance can still communicate with the RSA Authentication server to avoid service disruption.
      To verify whether the certificate provided is valid, send an HTTP GET request to api/ApplicationService/MfaCertificate.
    10. Click Apply to initiate registration to the RSA authentication server. If a proxy is introduced, ensure that the appliance can still communicate with the RSA Authentication server to avoid service disruption. To discard the changes made, click Cancel.
      NOTE: After 3 invalid passcode entries, the RSA account goes into 'next token mode'. You will be prompted to provide the next 2 passcodes provided by your RSA token generator. If a 4th invalid passcode is entered, your account may be locked. Although the appliance permits login attempts, RSA authentication for the user will fail. Before retrying logins on the appliance, ensure that the RSA server account status is verified.
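
Because Restrict Allowed IP Range (step 1) blocks inbound connections such as alert reception and firmware update from devices outside the range, a proposed range can be checked against the addresses that must still reach the appliance before clicking Apply. The following Python script is an added example, not part of the Dell guide; the function names, labels, and sample addresses are constructed for illustration.

```python
import ipaddress


def parse_allowed_ranges(field):
    """Parse the text typed into the IP Range Address (CIDR) box."""
    networks = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        # strict=True rejects entries with host bits set, e.g. 10.0.0.5/24,
        # which usually indicates a typo in the intended network.
        networks.append(ipaddress.ip_network(item, strict=True))
    return networks


def blocked_sources(field, sources):
    """Return {label: ip} for each source outside every allowed range.

    These are the hosts whose inbound connections to the appliance
    would be dropped once the range is applied.
    """
    networks = parse_allowed_ranges(field)
    blocked = {}
    for label, ip in sources.items():
        addr = ipaddress.ip_address(ip)
        allowed = any(
            addr.version == net.version and addr in net for net in networks
        )
        if not allowed:
            blocked[label] = ip
    return blocked


# Constructed sample data (RFC 5737 documentation addresses).
PROPOSED = "192.0.2.0/24, 198.51.100.0/26"
SOURCES = {
    "admin workstation": "192.0.2.25",
    "managed server sending alerts": "198.51.100.40",
    "chassis at remote site": "203.0.113.7",
}

if __name__ == "__main__":
    for label, ip in blocked_sources(PROPOSED, SOURCES).items():
        print(f"would be blocked: {label} ({ip})")
```

Any host reported here either needs its network added to the range or will lose inbound access to the appliance after the setting is applied.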
