LDAP Authentication

You can configure JSA to use supported Lightweight Directory Access Protocol (LDAP) providers for user authentication and authorization.

JSA reads the user and role information from the LDAP server, based on the authorization criteria that you defined.

In geographically dispersed environments, performance can be negatively impacted if the LDAP server and the JSA Console are not geographically close to each other. For example, user attributes can take a long time to populate if the JSA Console is in North America and the LDAP server is in Europe.

You can use LDAP authentication with an Active Directory server.

Configuring LDAP Authentication

You can configure LDAP authentication on your JSA system.

If you plan to use SSL encryption or use TLS authentication with your LDAP server, you must import the SSL or TLS certificate from the LDAP server to the /opt/qradar/conf/trusted_certificates directory on your JSA Console. For more information about configuring the certificates, see Configuring SSL or TLS Certificates.

If you are using group authorization, you must configure a JSA user role or security profile on the JSA console for each LDAP group that is used by JSA. Every JSA user role or security profile must have at least one Accept group. The mapping of group names to user roles and security profiles is case-sensitive.

Authentication establishes proof of identity for any user who attempts to log in to the JSA server. When a user logs in, the username and password are sent to the LDAP directory to verify whether the credentials are correct. To send this information securely, configure the LDAP server connection to use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption.

Authorization is the process of determining what access permissions a user has. Users are authorized to perform tasks based on their role assignments. You must have a valid bind connection to the LDAP server before you can select authorization settings.

User attribute values are case-sensitive. The mapping of group names to user roles and security profiles is also case-sensitive.

The user base DN is where JSA queries and finds users. Enable query permissions to allow your users to query against the user base DN.

  1. On the Admin tab, click Authentication.

  2. Click Authentication Module Settings.

  3. From the Authentication Module list, select LDAP.

  4. Click Add and complete the basic configuration parameters.

    There are three configuration types and each has specific requirements for the Server URL, SSL Connection, and TLS Authentication parameters:

    Secure LDAP (LDAPS)

    The Server URL parameter must use ldaps:// as the protocol, and specify an LDAP over SSL encrypted port (typically 636). For example, ldaps://ldap1.example.com:636

    If you are using Global Catalog because you're using multiple domains, use port 3269. For example ldaps://ldap1.example.com:3269

    The SSL Connection parameter must be set to "True" and the TLS Authentication parameter must be set to "False".

    LDAP with StartTLS

    The Server URL parameter must use ldap:// as the protocol, and specify an LDAP unencrypted port that supports the StartTLS option (typically 389). For example, ldap://ldap1.example.com:389

    The SSL Connection parameter must be set to "False" and the TLS Authentication parameter must be set to "True".

    TLS 1.2 using StartTLS is not the same as the LDAP SSL port.

    TLS Authentication does not support referrals, so referrals must be set to "ignore", and the LDAP server must include a complete structure to search.

    Unencrypted

    An unencrypted LDAP configuration is not recommended.

    The Server URL parameter must use the ldap:// protocol and specify an unencrypted port (typically 389). For example, ldap://ldap1.example.com:389

    The SSL Connection parameter and the TLS Authentication parameter must both be set to "False".

    Table 1: LDAP Basic Configuration parameters

    Search entire base
      Select True to search all subdirectories of the specified Distinguished Name (DN).
      Select False to search only the immediate contents of the Base DN. The subdirectories are not searched. This search is faster than one that searches all subdirectories.

    LDAP User Field
      The user field identifier that you want to search on.
      You can specify multiple user fields in a comma-separated list to allow users to authenticate against multiple fields. For example, if you specify uid,mailid, a user can be authenticated by providing either their user ID or their mail ID.

    User Base DN
      The Distinguished Name (DN) of the node where the search for a user starts. The User Base DN becomes the start location for loading users. For performance reasons, ensure that the User Base DN is as specific as possible.
      For example, if all of your user accounts are on the directory server in the Users folder, and your domain name is ibm.com, the User Base DN value would be cn=Users,dc=ibm,dc=com.

    Referral
      Select Ignore or Follow to specify how referrals are handled.

  5. Under Connection Settings, select the type of bind connection.

    Table 2: LDAP bind connections

    Anonymous bind
      Use anonymous bind to create a session with the LDAP directory server that does not require you to provide authentication information.

    Authenticated bind
      Use authenticated bind when you want the session to require a valid user name and password combination. A successful authenticated bind authorizes the authenticated user to read the list of users and roles from the LDAP directory during the session. For increased security, ensure that the user ID that is used for the bind connection does not have permissions to do anything other than reading the LDAP directory.
      Provide the Login DN and Password. For example, if the login name is admin and the domain is juniper.com, the Login DN would be cn=admin,dc=juniper,dc=com.

  6. Click Test connection to test the connection information.

    You must provide user information to authenticate against the user attributes that you specified in the LDAP User Field. If you specified multiple values in LDAP User Field, you must provide user information to authenticate against the first attribute that is specified.

    Note:

    The Test connection function tests the ability of JSA to read the LDAP directory, not whether you can log in to the directory.

  7. Select the authorization method to use.

    Table 3: LDAP authorization methods

    Local
      The user name and password combination is verified for each user that logs in, but no authorization information is exchanged between the LDAP server and the JSA server. If you choose Local authorization, you must create each user on the JSA console.

    User attributes
      Choose User Attributes when you want to specify which user role and security profile attributes are used to determine authorization levels.
      You must specify both a user role attribute and a security profile attribute. The attributes that you can use are retrieved from the LDAP server, based on your connection settings. User attribute values are case-sensitive.

    Group based
      Choose Group Based when you want users to inherit role-based access permissions after they authenticate with the LDAP server. The mapping of group names to user roles and security profiles is case-sensitive.

      Group base DN
        Specifies the start node in the LDAP directory for loading groups.
        For example, if all of your groups are on the directory server in the Groups folder, and your domain name is juniper.com, the Group Base DN value might be cn=Groups,dc=juniper,dc=com.

      Query limit enabled
        Sets a limit on the number of groups that are returned.

      Query result limit
        The maximum number of groups that are returned by the query. By default, the query results are limited to the first 1000 results.

      By member
        Select By Member to search for groups based on the group members. In the Group Member Field box, specify the LDAP attribute that is used to define the user's group membership.
        For example, if the group uses the memberUid attribute to determine group membership, type memberUid in the Group Member Field box.

      By query
        Select By Query to search for groups by running a query. You provide the query information in the Group Member Field and Group Query Field text boxes.
        For example, to search for all groups that have at least one memberUid attribute and that have a cn value that starts with the letter 's', type memberUid in Group Member Field and type cn=s* in Group Query Field.

  8. If you specified Group Based authorization, click Load Groups and click the plus (+) or minus (-) icon to add or remove privilege groups.

    The user role privilege options control which JSA components the user has access to. The security profile privilege options control the JSA data that each user has access to.

    Note:

    Query limits can be set by selecting the Query Limit Enabled checkbox or the limits can be set on the LDAP server. If query limits are set on the LDAP server, you might receive a message that indicates that the query limit is enabled even if you did not select the Query Limit Enabled checkbox.

  9. Click Save.

  10. Click Manage synchronization to exchange authentication and authorization information between the LDAP server and the JSA console.

    1. If you are configuring the LDAP connection for the first time, click Run Synchronization Now to synchronize the data.

    2. Specify the frequency for automatic synchronization.

    3. Click Close.

  11. Repeat the steps to add more LDAP servers, and click Save when complete.
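To audit a planned LDAP connection against the three configuration types described in step 4 before entering it in the UI, the following added Python check encodes those rules (example code, not part of JSA or of this documentation). The LdapConnection fields mirror the Server URL, SSL Connection, TLS Authentication and Referral parameters; the port numbers are the typical values given above.

```python
"""Consistency check for JSA LDAP connection parameters (added example, not JSA code)."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class LdapConnection:
    server_url: str            # "Server URL" parameter
    ssl_connection: bool       # "SSL Connection" parameter
    tls_authentication: bool   # "TLS Authentication" parameter
    referral: str = "Ignore"   # "Referral" parameter: Ignore or Follow


def classify(conn: LdapConnection) -> str:
    """Return the configuration type implied by the two flags, or 'invalid'."""
    if conn.ssl_connection and not conn.tls_authentication:
        return "LDAPS"
    if conn.tls_authentication and not conn.ssl_connection:
        return "StartTLS"
    if not conn.ssl_connection and not conn.tls_authentication:
        return "Unencrypted"
    return "invalid"   # both True is not one of the three documented types


def check(conn: LdapConnection) -> list[str]:
    """Return findings ('error: ...' or 'warning: ...'); an empty list means consistent."""
    findings = []
    parts = urlsplit(conn.server_url)
    scheme, port = parts.scheme.lower(), parts.port
    kind = classify(conn)
    if kind == "invalid":
        return ["error: SSL Connection and TLS Authentication cannot both be True"]
    if parts.hostname is None:
        findings.append("error: Server URL has no host name")
    if kind == "LDAPS":
        if scheme != "ldaps":
            findings.append("error: LDAPS requires an ldaps:// Server URL")
        if port not in (636, 3269):
            findings.append("warning: LDAPS normally uses port 636 (3269 for Global Catalog)")
    else:  # StartTLS and unencrypted LDAP both use the plain ldap:// scheme
        if scheme != "ldap":
            findings.append(f"error: {kind} requires an ldap:// Server URL")
        if port != 389:
            findings.append("warning: StartTLS and unencrypted LDAP normally use port 389")
    if kind == "StartTLS" and conn.referral.lower() != "ignore":
        findings.append("error: TLS Authentication does not support referrals; set Referral to Ignore")
    if kind == "Unencrypted":
        findings.append("warning: unencrypted LDAP sends credentials in clear text; not recommended")
    return findings
```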

Synchronizing Data with an LDAP Server

You can manually synchronize data between the JSA server and the LDAP authentication server.

If you use authorization that is based on user attributes or groups, user information is automatically imported from the LDAP server to the JSA console.

Each group that is configured on the LDAP server must have a matching user role or security profile that is configured on the JSA console. For each group that matches, the users are imported and assigned permissions that are based on that user role or security profile.

Note:

If you manually run the synchronization, new data is not imported. LDAP users are imported only when you first log in to JSA.

By default, synchronization happens every 24 hours. The timing for synchronization is based on the last run time. For example, if you manually run the synchronization at 11:45 pm, and set the synchronization interval to 8 hours, the next synchronization will happen at 7:45 am. If the access permissions change for a user that is logged in when the synchronization occurs, the session becomes invalid. The user is redirected back to the login screen with the next request.

  1. On the Admin tab, click Authentication.

  2. Click Authentication Module Settings.

  3. From the Authentication Module list, select LDAP.

  4. Click Manage Synchronization > Run Synchronization Now.

Configuring SSL or TLS Certificates

If you use an LDAP directory server for user authentication and you want to enable SSL encryption or TLS authentication, you must configure your SSL or TLS certificate.

  1. Using SSH, log in to your system as the root user.

  2. Type the following command to create the /opt/qradar/conf/trusted_certificates/ directory:

    mkdir -p /opt/qradar/conf/trusted_certificates

  3. Copy the SSL or TLS certificate from the LDAP server to the /opt/qradar/conf/trusted_certificates directory on your system.

  4. Verify that the certificate file name extension is .cert, which indicates that the certificate is trusted.

    The JSA system loads only .cert files.

Displaying Hover Text for LDAP Information

You create an LDAP properties configuration file to display LDAP user information as hover text. This configuration file queries the LDAP database for LDAP user information that is associated with events, offenses, or assets (if available).

The web server must be restarted after the ldap.properties file is created. Consider scheduling this task during a maintenance window when no active users are logged in to the system.

The following example lists properties that you can add to an ldap.properties configuration file.

  1. Use SSH to log in to JSA as a root user.

  2. To obtain an encrypted LDAP user password, run the following perl script:

    perl -I /opt/qradar/lib/Q1/ -e "use auCrypto; print Q1::auCrypto::encrypt ('<password>');"

  3. Use a text editor to create the /opt/qradar/conf/ldap.properties configuration file.

  4. Specify the location and authentication information to access the remote LDAP server.

    1. Specify the URL of the LDAP server and the port number.

      Use ldaps:// or ldap:// to connect to the remote server, for example, ldap.url=ldaps://LDAPserver.example.com:389.

    2. Type the authentication method that is used to access the LDAP server.

      Administrators can use the simple authentication method, for example, ldap.authentication=simple.

    3. Type the user name that has permissions to access the LDAP server.

      For example, ldap.userName=user.name.

    4. To authenticate to the remote LDAP server, type the encrypted LDAP user password for the user.

      For example, ldap.password=password.

    5. Type the base DN used to search the LDAP server for users.

      For example, ldap.basedn=BaseDN.

    6. Type a value to use for the search parameter filter in LDAP.

      For example, ldap.filterString=(&(objectclass=user)(samaccountname=%USER%)). When you hover over a user name in JSA, the %USER% value is replaced by that user name.

  5. Type one or more attributes to display in the hover text.

    You must include at least one LDAP attribute. Each value must use this format: ldap.attributes.AttributeName=Descriptive text to show in UI.

  6. Verify that there is read-level permission for the ldap.properties configuration file.

  7. Log in to JSA as an administrator.

  8. On the Admin tab, select Advanced > Restart Web Server.

Administrators can hover over the Username field on the Log Activity tab and Offenses tab, or hover over the Last User field on the Assets tab (if available) to display more information about the LDAP user.
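As an added example (not JSA's code, and not a description of how JSA itself performs the substitution), the following Python parses an ldap.properties file like the one built in the steps above and substitutes %USER% into ldap.filterString with RFC 4515 escaping, so that a user name containing filter metacharacters is matched literally instead of changing the query. The sample properties, the service account name and the password placeholder are constructed.

```python
"""Parse ldap.properties and build the hover-text lookup filter safely (added example, not JSA code)."""

# Constructed sample ldap.properties; the password is a placeholder, not a real encrypted value
SAMPLE_PROPERTIES = """\
# comment lines start with '#'
ldap.url=ldaps://LDAPserver.example.com:636
ldap.authentication=simple
ldap.userName=svc-jsa-lookup
ldap.password=<ENCRYPTED_PASSWORD_PLACEHOLDER>
ldap.basedn=cn=Users,dc=example,dc=com
ldap.filterString=(&(objectclass=user)(samaccountname=%USER%))
ldap.attributes.mail=Email address
ldap.attributes.department=Department
"""

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def parse_properties(text: str) -> dict[str, str]:
    """Parse key=value lines; blank and '#' lines are skipped, the first '=' splits key and value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so every character is matched literally by the LDAP server."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(props: dict[str, str], username: str) -> str:
    """Replace %USER% (the placeholder shown in the documentation) with the escaped user name."""
    return props["ldap.filterString"].replace("%USER%", escape_filter_value(username))


def hover_attributes(props: dict[str, str]) -> dict[str, str]:
    """Map LDAP attribute name -> descriptive UI text from the ldap.attributes.* keys."""
    prefix = "ldap.attributes."
    attrs = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
    if not attrs:
        raise ValueError("ldap.properties must include at least one ldap.attributes.* entry")
    return attrs
```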

Multiple LDAP Repositories

You can configure JSA to map entries from multiple LDAP repositories into a single virtual repository.

Note:

If you configure the same user account in multiple LDAP servers, regardless of the User Base DN that is configured, a user can authenticate to either LDAP server. When they authenticate, the user is granted access to the same JSA account.

If multiple repositories are configured, when a user logs in, they must specify which repository to use for authentication. They must specify the full path to the repository and the domain name in the user name field. For example, if Repository_1 is configured to use domain example.com and Repository_2 is configured to use domain example.ca.com, the login information might look like these examples:

  • OU=User Accounts,OU=PHX,DC=qcorpaa,DC=aa,DC=example.com\username

  • OU=Office,OU=User Accounts,DC=qcorpaa,DC=aa,DC=example.ca.com\username

For an example using repository IDs, if the repository ID of Repository_1 is UsersJSA and the repository ID of Repository_2 is UsersJSAca, the login information might look like these examples:

  • UsersJSA\<username>

  • UsersJSAca\<username>

User information is automatically imported from the LDAP server for repositories that use user attributes or group authorization. For repositories that use local authorization, you must create users directly on the JSA system.

Example: Least Privileged Access Configuration and Set Up

Grant users only the minimum amount of access that they require to do their day-to-day tasks.

You can assign different privileges for JSA data and JSA capabilities. You can do this assignment by specifying different accept and deny groups for security profiles and user roles. Accept groups assign privileges and deny groups restrict privileges.

Let's look at an example. Your company hired a group of student interns. John is in his final year of a specialized cyber security program at the local university. He was asked to monitor and review known network vulnerabilities and prepare a remediation plan based on the findings. Information about the company's network vulnerabilities is confidential.

As the JSA administrator, you must ensure that the student interns have limited access to data and systems. Most student interns must be denied access to JSA Vulnerability Manager, but John's special assignment requires that he has this access. Your organization's policy is that student interns never have access to the JSA API.

The following table shows that John must be a member of the company.interns and qvm.interns groups to have access to JSA Risk Manager and JSA Vulnerability Manager.

Table 4: User Role Privilege Groups

User Role   Accept                    Deny
Admin       jsa.admin                 company.firedemployees
QVM         jsa.qvm, qvm.interns      company.firedemployees, jsa.qrm, company.interns
QRM         jsa.qrm, company.interns  company.firedemployees

The following table shows that the security profile for qvm.interns restricts John from accessing the JSA API.

Table 5: Security Profile Privilege Groups

Security profile   Accept                      Deny
QVM                qradar.secprofile.qvm       company.firedemployees
API                qradar.secprofile.qvm.api   company.firedemployees, qradar.secprofile.qvm.interns