User Administration and Security - Advanced

Viewing Users Logged into the CommServe

A user can connect to the CommServe through the CommCell Console or through the Command Line Interface. You can view the users that are currently logged on to the CommServe and obtain the following information about each user:

  • user name
  • host name from where the user logged on
  • date and time the user logged on to the CommServe
  • amount of time the user has been inactive

Use the following steps to view the users that are currently logged in to the CommServe:

  1. From the CommCell Browser, right-click the CommServe node, and then click View > Users Logged In.

    The Users Logged In dialog box displays all of the CommCell Console and command line user sessions.

  2. Click Close.

You can also send instant messages or disconnect a user from the Users Logged In dialog box. For information on these operations, see Sending Instant Messages.

Setting the Time Out Period for Inactive Login Sessions

By default, the connection timeout in the CommCell Console is disabled. You can configure the CommCell Console to disconnect users who have been inactive for a specified period of time, which is 180 minutes by default. You can also modify this timeout interval to suit your needs.

Use the following steps to enable the console timeout:

  1. From the CommCell Console ribbon, click Control Panel.
  2. Under the Configure section, click System.
  3. Click the Allow GUI connections to timeout checkbox.
  4. In the GUI Timeout in minutes box, specify the timeout interval in minutes.
  5. Click OK.

Adding a Domain Controller for Active Directory Services

Review these important considerations before adding domain controllers:

  • The CommServe must have LDAP, DNS, and Kerberos connectivity to each domain that you want to register for single sign-on. If firewalls exist between the CommServe and domain controllers, these services must be able to traverse the firewall in order for single sign-on to function.
  • When using trusted domains, register both domains with the CommServe so that users from the trusted domains can log on using single sign-on.
  • No two domain controllers can have the same domain name. Do not register duplicate domain controllers with the CommServe.
  • Do not add a name server for a Windows 2000 domain controller. Windows 2000 domain controllers do not support the Security Descriptor Definition Language (SDDL) form of SID (security identifier).

Procedure

  1. Obtain the domain name and fully qualified domain name of the Active Directory server.
  2. Ensure that LDAP is configured on the Active Directory (AD) server:
    1. From the AD Server, select Start > Run.
    2. In the Run dialog box, type ldp and click OK.
    3. From the Connections menu, click Connect.
    4. In the Connect dialog box, enter information about the server:
      • In the Server box, type the name of the external domain server, e.g., computer.domain.com.
      • In the Port box, type 636 as the port number for the external domain server.
      • Select the SSL checkbox to check for the proper certificate.
      • Click OK.

      When the LDAP is properly configured, the external domain server details are displayed in the LDP window. Otherwise, an error message appears indicating that a connection cannot be made using this feature.

  3. From the CommCell Browser, go to Security.
  4. Right-click Name Servers > Add new domain > Active Directory.
  5. In the Add New Domain Controller dialog box, enter the information about the domain controller:
    1. In the NetBIOS Name box, enter the domain name, for example, mydomain.
    2. In the Domain Name box, enter the Fully Qualified Domain Name (FQDN), for example, mydomain.mycompany.com.
    3. To allow users to automatically log on to the CommCell Console, select the Enable SSO check box.
    4. Next to the User Account box, click Edit.
    5. In the Enter User Account Information dialog box, enter the user account information for the domain.

      The user account must have at least read access to the domain.

  6. Click OK.
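Step 2 above verifies LDAP over SSL on port 636 from the domain controller itself with ldp. The following added example (not Commvault's code) performs the same check from the CommServe side with Python's ssl module: it connects to the domain controller's port 636, validates the certificate chain against the OS trust store, checks that the host name matches, and reports the subject, SANs and days until expiry. The host name dc01.mydomain.mycompany.com and the sample certificate dictionary are constructed placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone

LDAPS_PORT = 636  # LDAP over SSL, the port entered in the ldp check

# Constructed sample in the dict shape returned by SSLSocket.getpeercert()
SAMPLE_CERT = {
    "subject": ((("commonName", "dc01.mydomain.mycompany.com"),),),
    "subjectAltName": (("DNS", "dc01.mydomain.mycompany.com"), ("DNS", "mydomain.mycompany.com")),
    "notAfter": "Jan 01 00:00:00 2030 GMT",
}


def days_until_expiry(cert, now=None):
    """Whole days left before the certificate's notAfter date (negative if expired)."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (not_after - now).days


def cert_summary(cert):
    """Pull the subject CN, DNS SANs and remaining validity out of a getpeercert() dict."""
    subject = {key: value for rdn in cert.get("subject", ()) for key, value in rdn}
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"cn": subject.get("commonName"), "sans": sans, "days_left": days_until_expiry(cert)}


def probe_ldaps(host, port=LDAPS_PORT, timeout=5.0):
    """Open a verified TLS connection to host:port and summarise the server certificate.

    Returns {"ok": True, "cn": ..., "sans": [...], "days_left": n} on success, or
    {"ok": False, "error": "<stage>: <detail>"} so the caller can tell a network
    problem from an untrusted or mismatched certificate (the ldp SSL checkbox case).
    """
    ctx = ssl.create_default_context()  # chain verification + hostname check, OS trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": f"certificate: {exc.verify_message}"}
    except ssl.SSLError as exc:
        return {"ok": False, "error": f"tls: {exc}"}
    except OSError as exc:  # refused, unreachable, DNS failure, timeout
        return {"ok": False, "error": f"connect: {exc}"}
    return {"ok": True, **cert_summary(cert)}


if __name__ == "__main__":
    print(probe_ldaps("dc01.mydomain.mycompany.com"))  # placeholder host name
```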

Adding an External Group (Associate the Domain with a User Group)

After configuring the domain controller, you should associate certain external domain user groups (domain name\user group) with a user group defined in the CommServe. This will provide the external domain users access to the CommCell entities. Note that the CommCell user group must have Browse capabilities in order for the Single Sign On feature to work properly.

  1. The external user group for the user must have Group Scope defined as Global on the Active Directory Domain:
    1. Navigate to Start | Administrative Tools | Active Directory Users and Computers.
    2. Right-click the external group and select Properties.
    3. Select Global from Group Scope and click OK.

  2. From the CommCell Browser, navigate to Security | Name Server | <Domain Name>, right-click External Groups and select Add New Group.
  3. In the Add new External Group dialog box, click Browse next to the Select an External Group box.
  4. In the Select an external group dialog box, select the <external user group> the user belongs to.
  5. Click OK.
  6. From the Available CommCell Groups box, select the <CommCell user group> to associate with the external user group.
  7. Use the right arrow > to move the CommCell user group to the Associated CommCell Groups box.
  8. Click OK.

Enabling Single Sign On

Use the Single Sign On (SSO) feature to log on to the CommServe using user account credentials from the Active Directory (AD) service provider. Active Directory user accounts inherit the capabilities of the CommCell user group the AD group is associated with. The CommCell user group must include the Browse capability.

Use the following steps to enable SSO for an active directory domain:

  1. From the CommCell Browser, go to Security > Name Servers.
  2. Right-click the domain and click Properties.

    The Edit Domain Controller Details dialog box appears.

  3. Select the Enable SSO check box.

    This allows users to automatically log on to the CommCell Console.

  4. Click OK.

Associating an Admin Domain with a Resource Domain

You can also register Active Directory admin domains and resource domains with the CommServe. The admin domain contains the user credentials of all the users. The resource domain includes the resources or applications that each user in the admin domain can access. To enable the users in the admin domain to access the resources in the resource domain, associate the admin domain with the resource domain when adding a new domain controller.

  1. From the CommCell Browser, go to Security > Name Servers.
  2. Right-click the admin_domain and click Properties.

    The Edit Domain Controller Details dialog box appears.

  3. From the Resource Domain list, select the resource domain.
  4. Click OK.

Adding a Domain Controller for Domino Directory Services

Use the following steps to register an external Domino Directory Domain with the CommServe.

When registering a new Domain controller, note the following:

  • Ensure that there are no two domain controllers with the same domain name. In other words, you cannot register duplicate domain controllers with the CommServe.
  • Once you have registered the domain controller, restart the IIS services on the Web Server so that users can log in to the Web Console using the new domain.

  1. Enable web access for the IBM Domino:
    • From the Domino Administrator window, select the Configuration tab.
    • Double-click All Server Documents.
    • Double-click the <IBM Domino Document> on the right pane.
    • Click Edit Server.
    • Click the Ports | Internet Ports | Directory tab.
    • Click the drop-down arrow for TCP/IP Port Status and select Enabled.
    • Click OK.

  2. Create an Internet Password for the Domino user:
    • From the Domino Administrator window, select the People & Groups tab.
    • Double-click Organization.
    • Double-click the <user name> on the right pane.
    • Click Edit User.
    • Click Enter Password.
    • In the Enter HTTP Password dialog box, type the internet password.
    • Click OK.

  3. Ensure that LDAP is configured on the Active Directory (AD) server.

    To verify whether the external domain client has been configured for LDAP, see Verify LDAP configuration on External Domain.

  4. From the CommCell Browser, go to the Security node.
  5. Right-click Name Servers and click Add New Domain > Domino Directory Service.
  6. Type the organization name in the Domino Organization box.
  7. Type the name of the client computer on which the IBM Domino server resides in the Domino Server Host Name box.
  8. Specify the port that Lightweight Directory Access Protocol (LDAP) uses to communicate with the IBM Domino server in the Domino LDAP Port box.
  9. Click Edit to enter the user account information for the external domain:
    1. Type the user name in the User Name box.
    2. Type the password for the user account in the Password box.
    3. Re-type the password in the Confirm Password box.
    4. Click OK.
  10. Click OK.

    Once you have registered the Domain Controller, restart the IIS services on the Web Server computer.

Deleting an External Domain

Use the following steps to delete an external domain from the CommCell:

  1. From the CommCell Browser, go to Security > Name Servers.
  2. Right-click on the domain that you want to delete and click Delete.
  3. Click Yes to confirm deletion.

Disabling the Ability to Associate Domain User to a CommCell Group

The ability to associate a domain user to a user group also causes the CommCell to display the domain user in the following locations:

  • in the CommCell Users and user_group nodes in the CommCell Browser
  • under the Available Users section in the Users tab of any CommCell group

Use the following steps to hide the domain users from the above CommCell locations and to disable the ability to associate them with user groups:

  1. From the CommCell Browser, right-click the CommServe node and then click Properties.
  2. Click the Additional Settings tab and then click Add.
  3. In the Name box, type Hide external users. The Category and Type details will be automatically populated.

    Alternatively, you can click Lookup and search for the global parameter using the Find box.

  4. In the Value box, type 1.
  5. Click OK to save the global parameter configuration.
  6. Click OK.

Enabling User Authentication for Installing Agents on the CommCell

CommCell environments can be secured by limiting agent installations to users belonging to one of the following user groups:

  • A user group with Installation capabilities for the CommCell
  • A user group with Administrative Management capabilities for the CommCell or an existing client computer within the CommCell

Use the following steps to require user authentication before installing an Agent on the CommCell:

  1. From the CommCell Browser, right-click the CommServe and then click Properties.

    The CommCell Properties dialog box appears.

  2. Click the Security tab.
  3. Select the Require Authentication for Agent Installation check box.
  4. Click OK.