You can configure JSA to use supported Lightweight Directory Access Protocol (LDAP) providers for user authentication and authorization.
JSA reads the user and role information from the LDAP server, based on the authorization criteria that you defined.
In geographically dispersed environments, performance can be negatively impacted if the LDAP server and the JSA console are not geographically close to each other. For example, user attributes can take a long time to populate if the JSA console is in North America and the LDAP server is in Europe.
You can use the LDAP plug-in for authentication against an Active Directory server. In JSA 2014.4 and earlier, you must configure the server to allow anonymous bind for authentication. In JSA 2014.5 and later versions, the LDAP plug-in supports authenticated binds against an Active Directory server.
JSA 2014.4 and later versions use locally stored passwords for administrative users. These passwords are used if the external authenticator is unavailable, or if a connection to the LDAP server cannot be made because of network issues.
In JSA 2014.4 and earlier, multiple LDAP server configurations are not supported. In JSA 2014.5 and later versions, multiple LDAP server configurations are fully supported and include new authentication options.
Configuring LDAP Authentication
You can configure LDAP authentication on your JSA system.
If you plan to use SSL encryption or TLS authentication with your LDAP server, you must import the SSL or TLS certificate from the LDAP server to the /opt/qradar/conf/trusted_certificates directory on your JSA console. For more information about configuring the certificates, see Configuring SSL or TLS Certificates.
If you are using group authorization, you must configure a JSA user role or security profile on the JSA console for each LDAP group that is used by JSA. Every JSA user role or security profile must have at least one Accept group. The mapping of group names to user roles and security profiles is case-sensitive.
Authentication establishes proof of identity for any user who attempts to log in to the JSA server. When a user logs in, the user name and password are sent to the LDAP directory to verify whether the credentials are correct. To send this information securely, configure the LDAP server connection to use Secure Socket Layer (SSL) or Transport Layer Security (TLS) encryption.
Authorization is the process of determining what access permissions a user has. Users are authorized to perform tasks based on their role assignments. You must have a valid bind connection to the LDAP server before you can select authorization settings.
User attribute values are case-sensitive. The mapping of group names to user roles and security profiles is also case-sensitive.
The user base DN is where JSA queries and finds users. Enable query permissions to allow your users to query against the user base DN.
- On the Admin tab, click Authentication.
- Click Authentication Module Settings.
- From the Authentication Module list, select LDAP.
- Click Add and complete the basic configuration.
Learn more about LDAP basic configuration parameters:
Table 1: LDAP Basic Configuration parameters
Server URL
The DNS name or IP address of the LDAP server. The URL must include a port value. For example, ldap://<host_name>:<port> or ldap://<ip_address>:<port>.
SSL encryption
Select True or False to specify whether Secure Sockets Layer (SSL) encryption is enabled. If SSL encryption is enabled, the value in the Server URL field must specify a secure connection. For example, ldaps://secureldap.mydomain.com:636 uses a secure server URL.
TLS authentication
Select True or False to specify whether Transport Layer Security (TLS) authentication is enabled. TLS encryption to connect to the LDAP server is negotiated as part of the normal LDAP protocol and does not require a special protocol designation or port in the Server URL field.
Search entire base
Select True to search all subdirectories of the specified Base DN. Select False to search only the immediate contents of the Base DN; the subdirectories are not searched. This search is faster than one that searches all subdirectories.
LDAP User Field
The user field identifier that you want to search on. You can specify multiple user fields in a comma-separated list to allow users to authenticate against multiple fields. For example, if you specify uid,mailid, a user can be authenticated by providing either their user ID or their mail ID.
User Base DN
The Distinguished Name (DN) of the node where the search for a user starts. The User Base DN becomes the start location for loading users. For performance reasons, ensure that the User Base DN is as specific as possible. For example, if all of your user accounts are on the directory server in the Users folder, and your domain name is juniper.com, the User Base DN value would be cn=Users,dc=juniper,dc=com.
Referrals
Select Ignore or Follow to specify how referrals are handled.
- Under Connection Settings, select the type of bind connection.
Learn more about bind connections:
Table 2: LDAP bind connections
Bind connection type
Anonymous bind
Use anonymous bind to create a session with the LDAP directory server that doesn't require that you provide authentication information.
Authenticated bind
Use authenticated bind when you want the session to require a valid user name and password combination. A successful authenticated bind authorizes the authenticated user to read the list of users and roles from the LDAP directory during the session. For increased security, ensure that the user ID that is used for the bind connection does not have permissions to do anything other than reading the LDAP directory. Provide the Login DN and Password. For example, if the login name is admin and the domain is juniper.com, the Login DN would be cn=admin,dc=juniper,dc=com.
- Click Test connection to test the connection.
You must provide user information to authenticate against the user attributes that you specified in the LDAP User Field. If you specified multiple values in LDAP User Field, you must provide user information to authenticate against the first attribute that is specified.
The Test connection function tests JSA’s ability to read the LDAP directory, not simply whether you can log in to the directory.
- Select the authorization method to use.
Learn more about authorization methods:
Table 3: LDAP authorization methods
Authorization method parameter
Local
The user name and password combination is verified for each user that logs in, but no authorization information is exchanged between the LDAP server and the JSA server. If you choose Local authorization, you must create each user on the JSA console.
User Attributes
Choose User Attributes when you want to specify which user role and security profile attributes can be used to determine authorization levels. You must specify both a user role attribute and a security profile attribute. The attributes that you can use are retrieved from the LDAP server, based on your connection settings. User attribute values are case-sensitive.
Group Based
Choose Group Based when you want users to inherit role-based access permissions after they authenticate with the LDAP server. The mapping of group names to user roles and security profiles is case-sensitive.
Group base DN
Specifies the start node in the LDAP directory for loading groups. For example, if all of your groups are on the directory server in the Groups folder, and your domain name is juniper.com, the Group Base DN value might be cn=Groups,dc=juniper,dc=com.
Query limit enabled
Sets a limit on the number of groups that are returned.
Query result limit
The maximum number of groups that are returned by the query. By default, only the first 1000 query results are shown.
By Member
Select By Member to search for groups based on the group members. In the Group Member Field box, specify the LDAP attribute that is used to define the user's group membership. For example, if the group uses the memberUid attribute to determine group membership, type memberUid in the Group Member Field box.
By Query
Select By Query to search for groups by running a query. You provide the query information in the Group Member Field and Group Query Field text boxes. For example, to search for all groups that have at least one memberUid attribute and that have a cn value that starts with the letter 's', type memberUid in Group Member Field and type cn=s* in Group Query Field.
- If you specified Group Based authorization, click Load Groups and click the plus (+) or minus (-) icon to add or remove privilege groups.
The user role privilege options control which JSA components the user has access to. The security profile privilege options control the JSA data that each user has access to.
Query limits can be set by selecting the Query Limit Enabled check box or the limits can be set on the LDAP server. If query limits are set on the LDAP server, you might receive a message that indicates that the query limit is enabled even if you did not select the Query Limit Enabled check box.
- Click Save.
- Click Manage synchronization to exchange authentication and authorization information between the LDAP server and the JSA console.
If you are configuring the LDAP connection for the first time, click Run Synchronization Now to synchronize the data.
Specify the frequency for automatic synchronization.
- Repeat the steps to add more LDAP servers, and click Save when complete.
Synchronizing Data with an LDAP Server
You can manually synchronize data between the JSA server and the LDAP authentication server.
If you use authorization that is based on user attributes or groups, user information is automatically imported from the LDAP server to the JSA console.
Each group that is configured on the LDAP server must have a matching user role or security profile that is configured on the JSA console. For each group that matches, the users are imported and assigned permissions that are based on that user role or security profile.
If you manually run the synchronization, new data is not imported. LDAP users are imported only when you first log in to JSA.
By default, synchronization happens every 24 hours. The timing for synchronization is based on the last run time. For example, if you manually run the synchronization at 11:45 pm, and set the synchronization interval to 8 hours, the next synchronization will happen at 7:45 am. If the access permissions change for a user that is logged in when the synchronization occurs, the session becomes invalid. The user is redirected back to the login screen with the next request.
- On the Admin tab, click Authentication.
- Click Authentication Module Settings.
- From the Authentication Module list, select LDAP.
- Click Manage Synchronization > Run Synchronization Now.
Configuring SSL or TLS Certificates
If you use an LDAP directory server for user authentication and you want to enable SSL encryption or TLS authentication, you must configure your SSL or TLS certificate.
- Using SSH, log in to your system as the root user.
- Type the following command to create the directory for trusted certificates:
mkdir -p /opt/qradar/conf/trusted_certificates
- Copy the SSL or TLS certificate from the LDAP server to the /opt/qradar/conf/trusted_certificates directory on your system.
- Verify that the certificate file name extension is .cert, which indicates that the certificate is trusted.
The JSA system loads only
Displaying Hover Text for LDAP Information
You create an LDAP properties configuration file to display LDAP user information as hover text. This configuration file queries the LDAP database for LDAP user information that is associated with events, offenses, or assets (if available).
The web server must be restarted after the LDAP properties file is created. Consider scheduling this task during a maintenance window when no active users are logged in to the system.
The following example lists properties that you can add to an ldap.properties configuration file.
ldap.url=ldap://LDAPserver.example.com:389
ldap.authentication=simple
ldap.userName=user.name
ldap.password=your.encrypted.password
ldap.basedn=O=IBM,C=US
ldap.filterString=(&(objectclass=user)(samaccountname=%USER%))
ldap.attributes.displayName=Name
ldap.attributes.email=Email
ldap.attributes.employeeID=EmployeeID
ldap.attributes.department=Department
- Use SSH to log in to JSA as a root user.
- To obtain an encrypted LDAP user password, run the following perl script:
perl -I /opt/qradar/lib/Q1/ -e "use auCrypto; print Q1::auCrypto::encrypt ('<password>');"
- Use a text editor to create the ldap.properties configuration file.
- Specify the location and authentication information to access the remote LDAP server.
ldap.url
Specify the URL of the LDAP server and the port number. Use ldap:// or ldaps:// to connect to the remote server, for example, ldap.url=ldaps://LDAPserver.example.com:389.
ldap.authentication
Type the authentication method that is used to access the LDAP server. Administrators can use the simple authentication method, for example, ldap.authentication=simple.
ldap.userName
Type the user name that has permissions to access the LDAP server.
ldap.password
To authenticate to the remote LDAP server, type the encrypted LDAP user password for the user.
ldap.basedn
Type the base DN used to search the LDAP server for users.
ldap.filterString
Type a value to use for the search parameter filter in LDAP. For example, in JSA, when you hover over a user name, the %USER% value is replaced by the user name.
- Type one or more attributes to display in the hover text.
You must include at least one LDAP attribute. Each value must use this format:
ldap.attributes.AttributeName=Descriptive text to show in UI.
- Verify that there is read-level permission for the ldap.properties file.
- Log in to JSA as an administrator.
- On the Admin tab, select Advanced > Restart Web Server.
Administrators can hover over the Username field on the Log Activity tab and Offenses tab, or hover over the Last User field on the Assets tab (if available) to display more information about the LDAP user.
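As an added example (not JSA code), here is a small checker for an ldap.properties file of the kind shown above, together with the RFC 4515 escaping a user name needs when it is substituted for %USER% in ldap.filterString. The validation rules and sample values are this example's assumptions; the URL check applies the same rule the Server URL parameter in Table 1 describes (a port in every URL, ldaps:// for a secure connection).

```python
"""Added example (not JSA/QRadar code): parse an ldap.properties file, sanity-check
it, and build the per-user search filter with RFC 4515 escaping of %USER%.
Property names follow the page's sample; the checks are this example's assumptions."""
from urllib.parse import urlsplit

# Constructed sample modelled on the page's example; every value is a placeholder.
SAMPLE_PROPERTIES = """\
ldap.url=ldaps://LDAPserver.example.com:636
ldap.authentication=simple
ldap.userName=svc.jsa.reader
ldap.password=ENCRYPTED_PLACEHOLDER
ldap.basedn=O=IBM,C=US
ldap.filterString=(&(objectclass=user)(samaccountname=%USER%))
ldap.attributes.displayName=Name
ldap.attributes.email=Email
"""

def parse_properties(text):
    """Minimal Java-style key=value parser; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def validate(props):
    """Return a list of problems; an empty list means the file passed the checks."""
    problems = []
    url = urlsplit(props.get("ldap.url", ""))
    if url.scheme not in ("ldap", "ldaps") or not url.port:
        problems.append("ldap.url must use ldap:// or ldaps:// and include a port")
    elif url.scheme == "ldap":
        problems.append("ldap.url uses ldap://; confirm TLS is negotiated or use ldaps://")
    if "%USER%" not in props.get("ldap.filterString", ""):
        problems.append("ldap.filterString has no %USER% placeholder")
    if not any(k.startswith("ldap.attributes.") for k in props):
        problems.append("at least one ldap.attributes.* entry is required")
    return problems

# RFC 4515: characters that would otherwise change the structure of a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(props, user):
    """Substitute the escaped user name for %USER% in ldap.filterString."""
    return props["ldap.filterString"].replace("%USER%", escape_filter_value(user))
```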
Multiple LDAP Repositories
You can configure JSA to map entries from multiple LDAP repositories into a single virtual repository.
If you configure the same user account in multiple LDAP servers, regardless of the User Base DN that is configured, a user can authenticate to either LDAP server. When they authenticate, the user is granted access to the same JSA account.
If multiple repositories are configured, when a user logs in, they must specify which repository to use for authentication. They must specify the full path to the repository and the domain name in the user name field. For example, if Repository_1 is configured to example.com and Repository_2 is configured to use domain example.ca.com, the login information might look like these examples:
User information is automatically imported from the LDAP server for repositories that use user attributes or group authorization. For repositories that use local authorization, you must create users directly on the JSA system.
Example: Least Privileged Access Configuration and Set Up
Grant users only the minimum amount of access that they require to do their day-to-day tasks.
You can assign different privileges for JSA data and JSA capabilities. You can do this assignment by specifying different accept and deny groups for security profiles and user roles. Accept groups assign privileges and deny groups restrict privileges.
Let's look at an example. Your company hired a group of student interns. John is in his final year of a specialized cyber security program at the local university. He was asked to monitor and review known network vulnerabilities and prepare a remediation plan based on the findings. Information about the company's network vulnerabilities is confidential.
As the JSA administrator, you must ensure that the student interns have limited access to data and systems. Most student interns must be denied access to JSA Vulnerability Manager, but John's special assignment requires that he has this access. Your organization's policy is that student interns never have access to the JSA API.
The following table shows that John must be a member of the company.interns and qvm.interns groups to have access to JSA Risk Manager and JSA Vulnerability Manager.
Table 4: User Role Privilege Groups
The following table shows that the security profile for qvm.interns restricts John from accessing the JSA API.
Table 5: Security Profile Privilege Groups
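As an added example (not JSA code), the following shows how group-based authorization with Accept and Deny groups can resolve the interns scenario above. The group names, the privilege names and the rule that a Deny group overrides an Accept group are this example's assumptions, modelled on the description that accept groups assign privileges and deny groups restrict them.

```python
"""Added example (not JSA code): resolve user role and security profile privileges
from a user's LDAP groups using Accept and Deny groups, as in the interns scenario.
Group and privilege names are constructed; deny-wins is an assumption of this example."""

# Constructed mapping: privilege -> (accept groups, deny groups), standing in for
# Tables 4 and 5. Real names come from your own user roles and security profiles.
USER_ROLES = {
    "JSA Risk Manager": ({"company.interns", "company.analysts"}, set()),
    "JSA Vulnerability Manager": ({"qvm.interns", "company.analysts"}, set()),
}
SECURITY_PROFILES = {
    "API Access": ({"company.analysts"}, {"company.interns", "qvm.interns"}),
    "Vulnerability Data": ({"qvm.interns", "company.analysts"}, set()),
}

def resolve(user_groups, privilege_map):
    """Return the sorted privileges granted to a user who holds user_groups.

    A privilege is granted when the user is in at least one Accept group and in
    none of its Deny groups. Matching is case-sensitive, as the page states for
    the mapping of group names to user roles and security profiles.
    """
    groups = set(user_groups)
    granted = []
    for name, (accept, deny) in privilege_map.items():
        if groups & accept and not groups & deny:
            granted.append(name)
    return sorted(granted)

def interns_policy_holds(user_groups):
    """Organization rule from the text: student interns never get the JSA API."""
    is_intern = any(g.endswith(".interns") for g in user_groups)
    return not (is_intern and "API Access" in resolve(user_groups, SECURITY_PROFILES))
```

The case-sensitivity point is the one most often missed in practice: Company.Interns and company.interns are different groups, and a user in the former receives nothing from a mapping written for the latter.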