Security Configuration Reference
This is a reference for security configuration in Moogsoft AIOps. You can edit the following file to configure security features and properties for LDAP and SAML:
$MOOGSOFT_HOME/config/security.conf
LDAP connection properties
You can configure the LDAP connection using the following properties.
url
The protocol (ldap or ldaps), host and port of your LDAP server. For example, ldap://172.16.124.169:389. A plain ldap:// URL sends the bind credentials over the network unencrypted; use ldaps:// together with the LDAP SSL properties below wherever the directory supports it.
Type: String | Required: Yes | Default: N/A
connectionTimeout
The connection timeout in milliseconds.
Type: Integer | Required: Yes | Default: 30000
readTimeout
The read timeout in milliseconds.
Type: Integer | Required: Yes | Default: 30000
predefinedUser
If enabled, the user account must already exist in the local database as well as on the LDAP server, and the predefined user details are used to populate created or updated user accounts. If disabled, Moogsoft AIOps creates or updates user accounts from the LDAP information.
Type: Boolean | Required: Yes | Default: False
LDAP attribute search properties
You can configure the authentication bind, the DN resolution method and the attribute search with the following properties.
resolutionType
The method used to look up the DN (Distinguished Name), the unique path to an object in the directory.
Type: String | Required: Yes | One of: direct, lookup | Default: N/A
The two methods are:
- direct: The user DN is built from the usernameAttribute and userDnPostfix properties. Both properties are required. For example:
  "userDnResolution": {
      "resolutionType": "direct",
      "direct": {
          "usernameAttribute": "uid",
          "userDnPostfix": "ou=People,dc=moogsoft,dc=com"
      }
  }
  For a user whose username is john.smith, the user DN is:
  uid=john.smith,ou=People,dc=moogsoft,dc=com
- lookup: Moogsoft AIOps searches the LDAP server for the user, using usernameAttribute combined with userBaseSearchFilter as the filter and userBaseDn as the search base, to find the DN. All three properties are required. For example:
  "userDnResolution": {
      "resolutionType": "lookup",
      "lookup": {
          "usernameAttribute": "sAMAccountName",
          "userBaseDn": "ou=People,dc=moogsoft,dc=com",
          "userBaseSearchFilter": "(objectclass=person)"
      }
  }
Optionally, for both the direct and lookup methods, you can use the userDnLookupUser, userDnLookupPassword and encryptedUserDnLookupPassword properties to define the account used to look up each DN in your directory. See Moog Encryptor for more information if you want to use password encryption.
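The DN construction and lookup filter that the two resolutionType methods imply, written out as an added Python example (this is not Moogsoft AIOps code). It escapes the login name per RFC 4514 when templating it into the direct DN and per RFC 4515 when templating it into the lookup filter, which is the check a reviewer wants around any code that builds LDAP syntax from a username. The configuration dictionaries mirror the JSON fragments above; the hostile usernames at the bottom are constructed test inputs.

```python
# Added example, not Moogsoft AIOps code: derive the bind DN (direct) or the
# search base and filter (lookup) from a userDnResolution block, escaping the
# username so that a crafted login name cannot change the DN or the filter.

# Constructed config fragments in the shape shown in security.conf.
DIRECT_CFG = {
    "resolutionType": "direct",
    "direct": {
        "usernameAttribute": "uid",
        "userDnPostfix": "ou=People,dc=moogsoft,dc=com",
    },
}
LOOKUP_CFG = {
    "resolutionType": "lookup",
    "lookup": {
        "usernameAttribute": "sAMAccountName",
        "userBaseDn": "ou=People,dc=moogsoft,dc=com",
        "userBaseSearchFilter": "(objectclass=person)",
    },
}


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = value.replace("\\", "\\\\")          # backslash first, then the rest
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):                  # leading '#' or space
        out = "\\" + out
    if out.endswith(" "):                      # trailing space
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def resolve_user_dn(cfg: dict, username: str) -> dict:
    """Return what the configured resolutionType sends to the directory."""
    kind = cfg["resolutionType"]
    if kind == "direct":
        d = cfg["direct"]
        bind_dn = "%s=%s,%s" % (d["usernameAttribute"],
                                escape_dn_value(username), d["userDnPostfix"])
        return {"mode": "direct", "bindDn": bind_dn}
    if kind == "lookup":
        lk = cfg["lookup"]
        user_clause = "(%s=%s)" % (lk["usernameAttribute"],
                                   escape_filter_value(username))
        # AND the configured base filter with the username clause; only a
        # single match should be accepted as the user's DN.
        return {"mode": "lookup", "baseDn": lk["userBaseDn"],
                "filter": "(&%s%s)" % (lk["userBaseSearchFilter"], user_clause)}
    raise ValueError("unknown resolutionType %r" % kind)


if __name__ == "__main__":
    print(resolve_user_dn(DIRECT_CFG, "john.smith"))
    # Constructed hostile inputs: without escaping, the first would bind as a
    # different entry and the second would turn the lookup into a wildcard.
    print(resolve_user_dn(DIRECT_CFG, "admin,ou=Admins"))
    print(resolve_user_dn(LOOKUP_CFG, "*)(objectclass=*"))
```

With lookup, a search that returns more than one entry should be treated as a failure rather than binding with the first hit; with direct, the escaping is the only thing standing between the login form and the DN that is bound.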
attributeSearchFilter
An optional LDAP filter used when searching for the user's attributes.
Type: String | Required: No | Default: (not specified)
attributeMap
A map between LDAP user attributes and the user attributes (columns) in the Moogsoft AIOps database.
Type: String | Required: No | Default: N/A
This property uses the following format, with the Moogsoft AIOps column as the key and the LDAP attribute as the value:
"attributeMap": {
    "db_column_5": "ldap_attribute_1",
    "db_column_2": "ldap_attribute_8",
    "db_column_3": "ldap_attribute_8"
}
LDAP group search and mapping properties
You can configure the following properties in the LDAP group search section.
systemUser
Username of the system user that binds and searches for user group information. LDAP uses this user if you leave the userDnLookupUser property empty. The system sends two bind requests and two search requests to LDAP. If you do not configure a system user, the bind chosen for authentication (the user's own bind) is also used for the LDAP group search. Give this account read-only rights to the user and group subtrees; it never needs write access to the directory.
Type: String | Required: No | Default: N/A
systemPassword
Password of the system user that binds and searches for user group information.
Type: String | Required: No | Default: N/A
groupBaseDn
DN of the part of the LDAP tree that contains the user groups. It is used together with memberAttribute to find the LDAP groups the user belongs to. These groups are then mapped to local roles with the roleMap property.
Type: String | Required: No | Default: N/A
memberAttribute
Attribute used to find group members.
Type: String | Required: No | Default: (not specified)
groupNameAttribute
Attribute used to find the group name.
Type: String | Required: No | Default: (not specified)
roleMap
Defines the role mappings between groups in the user directory and Moogsoft AIOps roles.
Type: String | Required: No | Default: N/A
LDAP assignTeams properties
You can configure the following sub-properties of assignTeams to synchronize team assignment between the user directory and the teams in Moogsoft AIOps.
assignTeams
Synchronizes team assignment between the user directory and the teams in Moogsoft AIOps.
Type: String | Required: No | Default: N/A
teamMap
Defines the LDAP attribute or custom attribute that maps to team names in Moogsoft AIOps. You provide the mapping as a JSON object whose keys are the directory's team names and whose values are the Moogsoft AIOps team names. For example:
{ "LDAP Team" : "My Team", "Another LDAP Team" : "My second team" }
Type: JSON Object | Required: No | Default: N/A
useGroupName
Enable to use the LDAP group name as the team name in Moogsoft AIOps.
Type: Boolean | Required: No | Default: (not specified)
createNewTeams
Creates a team or teams if they do not exist in Moogsoft AIOps. If you leave teamMap empty, the teams adopt their LDAP team names.
Type: Boolean | Required: No | Default: (not specified)
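How the group search properties and the assignTeams sub-properties combine for one authenticated user, as an added Python example (this is not Moogsoft AIOps code). It builds the group search filter from memberAttribute and the user's DN, reduces the matching entries under groupBaseDn to their groupNameAttribute, and then applies roleMap, teamMap, useGroupName and createNewTeams. The directory entries are constructed test data standing in for search results; roleMap is assumed to use the same {directory name: Moogsoft AIOps name} shape the page shows for teamMap, and the way useGroupName and createNewTeams interact is this example's reading of the descriptions above, not a statement of the product's behaviour.

```python
# Added example, not Moogsoft AIOps code: simulate the LDAP group search and the
# roleMap / assignTeams mapping for one authenticated user.

# Constructed group-section config. roleMap is assumed to use the same
# {directory name: Moogsoft AIOps name} shape the page shows for teamMap.
GROUP_CFG = {
    "groupBaseDn": "ou=Groups,dc=moogsoft,dc=com",
    "memberAttribute": "member",
    "groupNameAttribute": "cn",
    "roleMap": {"moog-admins": "Super User", "moog-ops": "Operator"},
    "assignTeams": {
        "teamMap": {"LDAP Team": "My Team", "Another LDAP Team": "My second team"},
        "useGroupName": False,
        "createNewTeams": True,
    },
}

JOHN = "uid=john.smith,ou=People,dc=moogsoft,dc=com"
JANE = "uid=jane.doe,ou=People,dc=moogsoft,dc=com"

# Constructed directory entries standing in for LDAP search results.
DIRECTORY = [
    {"dn": "cn=moog-ops,ou=Groups,dc=moogsoft,dc=com", "cn": ["moog-ops"], "member": [JOHN]},
    {"dn": "cn=LDAP Team,ou=Groups,dc=moogsoft,dc=com", "cn": ["LDAP Team"], "member": [JOHN, JANE]},
    {"dn": "cn=Unmapped,ou=Groups,dc=moogsoft,dc=com", "cn": ["Unmapped"], "member": [JOHN]},
    {"dn": "cn=moog-admins,ou=Groups,dc=moogsoft,dc=com", "cn": ["moog-admins"], "member": [JANE]},
    # Same group name, but outside groupBaseDn: the search must not return it.
    {"dn": "cn=moog-admins,ou=Stale,dc=moogsoft,dc=com", "cn": ["moog-admins"], "member": [JOHN]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def group_filter(cfg: dict, user_dn: str) -> str:
    """Filter sent under groupBaseDn to find groups listing the user's DN."""
    return "(%s=%s)" % (cfg["memberAttribute"], escape_filter_value(user_dn))


def search_groups(cfg: dict, directory: list, user_dn: str) -> list:
    """Stand-in for a subtree search: entries under groupBaseDn whose
    memberAttribute contains the user's DN, reduced to groupNameAttribute."""
    base = "," + cfg["groupBaseDn"]
    return [e[cfg["groupNameAttribute"]][0] for e in directory
            if e["dn"].endswith(base) and user_dn in e.get(cfg["memberAttribute"], [])]


def map_roles(cfg: dict, groups: list) -> list:
    """Groups without a roleMap entry grant nothing (deny by default)."""
    return sorted({cfg["roleMap"][g] for g in groups if g in cfg["roleMap"]})


def map_teams(cfg: dict, groups: list, existing_teams: set) -> dict:
    """This example's reading of the page: group names are used verbatim when
    useGroupName is on or teamMap is empty, otherwise only mapped groups become
    teams; a team that does not exist yet is assigned only if createNewTeams
    is on, and is reported under "create"."""
    at = cfg["assignTeams"]
    team_map = at.get("teamMap") or {}
    if at.get("useGroupName") or not team_map:
        wanted = list(groups)
    else:
        wanted = [team_map[g] for g in groups if g in team_map]
    assigned, create = [], []
    for team in wanted:
        if team in existing_teams:
            assigned.append(team)
        elif at.get("createNewTeams"):
            assigned.append(team)
            create.append(team)
    return {"assigned": assigned, "create": create}


if __name__ == "__main__":
    groups = search_groups(GROUP_CFG, DIRECTORY, JOHN)
    print(group_filter(GROUP_CFG, JOHN), groups)
    print(map_roles(GROUP_CFG, groups), map_teams(GROUP_CFG, groups, {"My Team"}))
```

The point of the stale entry in the constructed directory is that role and team assignment is only as trustworthy as groupBaseDn: a group with a mapped name that lives outside that base must not confer the role, and anyone who can create entries under the base can hand themselves whatever roleMap grants.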
LDAP SSL properties
You can optionally configure SSL to protect the LDAP connection with TLS (LDAPS) and, with a client certificate and key, to authenticate Moogsoft AIOps to the directory, using the following properties.
ssl_protocol
The SSL/TLS protocol you want to use.
Type: String | Required: No | Default: (not specified)
server_cert_file
Location of the LDAP server's SSL certificate.
Type: String | Required: No | Default: N/A
client_cert_file
Location of the SSL client certificate.
Type: String | Required: No | Default: N/A
client_key_file
Location of the client key file. Protect this file like any other credential: it should be readable only by the account that runs Moogsoft AIOps.
Type: String | Required: No | Default: N/A
SAML service provider properties
You can configure a SAML realm by giving it a name and editing the following properties.
idpMetadataFile
Location of the identity provider's metadata file. The metadata file provides the information needed to connect to the IdP. Moogsoft AIOps requires the file to be in .xml format.
Type: String | Required: Yes | Default: (not specified)
spMetadataFile
Location of the service provider's metadata file. Moogsoft AIOps writes the SP metadata to this file, so the location must be accessible and editable by the Apache Tomcat user. Moogsoft AIOps requires the file to be in .xml format. If your IdP does not have an SP metadata file generator, you can create one manually. See Build a Service Provider Metadata File for instructions.
Type: String | Required: Yes | Default: (not specified)
defaultRoles
Default roles that Moogsoft AIOps assigns to new users on first login through SAML. If the user already has a role mapping, Moogsoft AIOps uses that instead.
Type: Array | Required: Yes | Default: (not specified)
defaultTeams
Default teams that Moogsoft AIOps assigns to new users on first login through SAML. Use an empty list if you do not want to assign new users to a team.
Type: Array | Required: No | Default: (not specified)
defaultGroup
Default primary group that Moogsoft AIOps assigns to new users on first login through SAML.
Type: Array | Required: Yes | Default: (not specified)
SAML user mapping properties
You can configure how to map IdP user fields to existing Moogsoft AIOps users and how to map user fields for new users. All mappings are case sensitive. Each mapping follows the format:
"MoogsoftAttribute" : "IdPAttribute"
existingUserMappingField
The field that Moogsoft AIOps uses to match existing users to your IdP users.
Type: String | Required: No | One of: (not specified) | Default: (not specified)
username
The IdP attribute that maps to username in Moogsoft AIOps.
Type: String | Required: Yes | Default: (not specified)
email
The IdP attribute that maps to email in Moogsoft AIOps.
Type: String | Required: Yes | Default: (not specified)
fullName
The IdP attribute (or attributes) that map to full name in Moogsoft AIOps.
Type: String | Required: Yes | Default: (not specified)
SAML assignTeams properties
You can configure the following sub-properties of assignTeams to synchronize team assignment between the SAML IdP and the teams in Moogsoft AIOps.
teamAttribute
The IdP attribute that carries the user's teams; its values are mapped to Moogsoft AIOps teams.
Type: String | Required: No | Default: (not specified)
teamMap
The IdP attribute or custom attribute that maps to team names in Moogsoft AIOps.
Type: JSON Object | Required: No | Default: (not specified)
createNewTeams
Creates a team or teams if they do not exist in Moogsoft AIOps. If you leave teamMap empty, the teams adopt their IdP team names.
Type: Boolean | Required: No | Default: (not specified)
SAML assignRoles properties
You can configure the following sub-properties of assignRoles to synchronize role assignment between the SAML IdP and the roles in Moogsoft AIOps.
roleAttribute
The IdP attribute containing role information.
Type: String | Required: No | Default: (not specified)
roleMap
Maps the values of the role attribute to Moogsoft AIOps roles.
Type: JSON Object | Required: No | Default: (not specified)
SAML security properties
You can configure the following SAML security properties.
keystorePassword
Your keystore password in clear text. Any whitespace in the name is replaced with an underscore. Prefer encryptedKeystorePassword so that the password is not stored in clear text in security.conf.
Type: String | Required: No | Default: N/A
encryptedKeystorePassword
Your encrypted keystore password. Any whitespace in the name is replaced with an underscore.
Type: String | Required: No | Default: N/A
privateKeyPassword
Your private key password. Any whitespace in the name is replaced with an underscore.
Type: String | Required: No | Default: N/A
maximumAuthenticationLifetime
Maximum time, in seconds, after an IdP issues a SAML assertion during which Moogsoft AIOps still accepts it; older assertions are rejected as invalid. A long lifetime widens the window in which a captured assertion can be replayed, so keep it as short as your IdP's clock accuracy allows.
Type: Integer | Required: No | Default: (not specified)
serviceProviderEntityId
The entity ID that identifies Moogsoft AIOps as the service provider in SAML messages and metadata. Some IdPs require it; when set, it must match the SP entity ID registered at the IdP.
Type: String | Required: No | Default: (not specified)
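The checks and mappings that the SAML security properties drive, together with the SAML user mapping and assignTeams properties described earlier on this page, as one added Python example (this is not Moogsoft AIOps code and not its SAML implementation). It parses a constructed, unsigned assertion, enforces the Conditions window, checks the Audience against serviceProviderEntityId and the age of the authentication against maximumAuthenticationLifetime, then applies the case-sensitive username/email/fullName mapping and teamAttribute/teamMap. The grouping of the realm properties into one dictionary, the IdP attribute names, the sample timestamps and the choice of AuthnInstant as the reference point for the lifetime check are all assumptions of this example. Signature verification, which must pass before any of these checks run, is outside its scope.

```python
# Added example, not Moogsoft AIOps code: validate a SAML assertion against the
# realm's security properties and map its attributes with the user mapping and
# assignTeams properties. Signature verification is assumed to have already
# passed; an unverified assertion must never reach this code.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed realm config; the grouping of properties into one dictionary and
# the IdP attribute names are assumptions of this example.
REALM = {
    "serviceProviderEntityId": "https://moog.example.com/saml/metadata",
    "maximumAuthenticationLifetime": 3600,
    "userMapping": {"username": "uid", "email": "mail", "fullName": "displayName"},
    "assignTeams": {"teamAttribute": "memberOf", "teamMap": {"IdP Team": "My Team"}},
}

# Constructed assertion (unsigned test data).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>john.smith</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://moog.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T09:58:00Z" SessionIndex="s1"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>john.smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>john.smith@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>John Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>IdP Team</saml:AttributeValue>
      <saml:AttributeValue>Ops</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_time(value: str) -> datetime:
    """SAML timestamps are UTC ('Z'); keep them timezone-aware."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text: str) -> dict:
    """Pull the fields the checks below need out of an Assertion element."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    authn = root.find("saml:AuthnStatement", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": parse_time(cond.get("NotBefore")),
        "not_on_or_after": parse_time(cond.get("NotOnOrAfter")),
        "audiences": [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)],
        "authn_instant": parse_time(authn.get("AuthnInstant")),
        "attributes": attrs,
    }


def validate(assertion: dict, realm: dict, now: datetime) -> list:
    """Return the names of every failed check; an empty list means accept."""
    errors = []
    if realm["serviceProviderEntityId"] not in assertion["audiences"]:
        errors.append("audience")                 # issued for a different SP
    if now < assertion["not_before"]:
        errors.append("not_before")
    if now >= assertion["not_on_or_after"]:        # NotOnOrAfter is exclusive
        errors.append("not_on_or_after")
    max_age = timedelta(seconds=realm["maximumAuthenticationLifetime"])
    if now - assertion["authn_instant"] > max_age:
        errors.append("authn_lifetime")           # stale login, likely a replay
    return errors


def map_user(assertion: dict, realm: dict) -> dict:
    """Apply the case-sensitive IdP -> Moogsoft attribute mapping and teamMap."""
    attrs = assertion["attributes"]
    user = {moog: (attrs.get(idp) or [""])[0] for moog, idp in realm["userMapping"].items()}
    teams_cfg = realm["assignTeams"]
    raw_teams = attrs.get(teams_cfg["teamAttribute"], [])
    team_map = teams_cfg.get("teamMap") or {}
    # Empty teamMap: teams adopt their IdP names; otherwise only mapped names count.
    user["teams"] = raw_teams if not team_map else [team_map[t] for t in raw_teams if t in team_map]
    return user


ASSERTION = parse_assertion(SAMPLE_ASSERTION)

if __name__ == "__main__":
    print(validate(ASSERTION, REALM, parse_time("2024-05-01T10:01:00Z")))
    print(map_user(ASSERTION, REALM))
```

Two details matter in production that the sample hides: the comparison against NotOnOrAfter is exclusive per the SAML specification, and every check here is only meaningful after the assertion's signature has been verified against the key in idpMetadataFile, since an attacker who can alter the XML can also alter the timestamps and audience.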
SAML optional properties
You can customize your SAML realm with a number of optional properties.
contactNumber
The IdP attribute that maps to contact number in Moogsoft AIOps.
Type: String | Required: No | Default: N/A
department
The IdP attribute that maps to department in Moogsoft AIOps.
Type: String | Required: No | Default: N/A
primaryGroup
The IdP attribute that maps to primary group in Moogsoft AIOps.
Type: String | Required: No | Default: N/A
timezone
The IdP attribute that maps to timezone in Moogsoft AIOps.
Type: String | Required: No | Default: N/A