Moogsoft Docs

Security Configuration Reference

This is a reference for security configuration in Moogsoft AIOps. You can edit $MOOGSOFT_HOME/config/security.conf to configure security features such as LDAP and SAML.

LDAP Connection Properties

You can configure the LDAP connection using the following properties:

url

The URL of your LDAP server: the protocol (ldap or ldaps), host and port. For example: ldap://172.16.124.169:389. Use ldaps:// wherever possible: with plain ldap://, the simple bind that authenticates each user sends that user's password to the directory in cleartext. Configure the certificates under LDAP SSL Properties.

Type: String

Required: Yes

Default: N/A

connectionTimeout

Defines the connection timeout in milliseconds.

Type: String

Required: Yes

Default: 30000

readTimeout

Defines the read timeout in milliseconds.

Type: String

Required: Yes

Default: 30000

predefinedUser

If enabled, the user account information must exist in the local database as well as on the LDAP server, and the predefined user details are used to populate user accounts when they are created or updated.

If disabled, Moogsoft AIOps creates or updates user accounts with the LDAP information.

Type: String

Required: Yes

Default: False

LDAP Attribute Search Properties

You can configure the authentication bind, DN resolution method and attribute search with the following properties:

resolutionType

Defines the method used to look up the user's DN (Distinguished Name), the unique path to an object in the directory.

Type: String

Required: Yes

One of: direct, lookup

Default: N/A

There are two methods to choose from:

  • direct: With this method, the user DN is built from the usernameAttribute and userDnPostfix properties. Both are required. For example:

    "userDnResolution": {
        "resolutionType": "direct",
        "direct": {
            "usernameAttribute": "uid",
            "userDnPostfix": "ou=People,dc=moogsoft,dc=com"
        }
    },

    For a user whose login name is john.smith, the user DN is:

    uid=john.smith,ou=People,dc=moogsoft,dc=com
  • lookup: With this method, Moogsoft AIOps searches the LDAP server for the user, using usernameAttribute combined with userBaseSearchFilter as the filter and userBaseDn as the search base, and takes the DN of the matching entry. These properties are required. For example:

    "userDnResolution": {
        "resolutionType": "lookup",
        "lookup": {
            "usernameAttribute": "sAMAccountName",
            "userBaseDn": "ou=People,dc=moogsoft,dc=com",
            "userBaseSearchFilter": "(objectclass=person)"
        }
    },

    Optionally, for both the direct and lookup methods, you can use the userDnLookupUser, userDnLookupPassword and encryptedUserDnLookupPassword properties to define the account that looks up each DN in your directory. See Moog Encryptor for more information if you want to use password encryption; prefer the encrypted property over the cleartext one.

    If you leave the userDnLookupUser property empty, LDAP uses the systemUser defined in the LDAP Group Search section instead.
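The two resolution methods above, as an added Python example that is not part of the Moogsoft documentation or product: it builds the DN for the direct method and the search base and filter for the lookup method from the userDnResolution fragments shown, escaping the login name per RFC 4514 (DN values) and RFC 4515 (filter values) so that a crafted username such as `*)(sAMAccountName=*` cannot alter the DN or add filter terms. The configuration keys are those of the reference; the helper names, the `resolve` entry point and the escaping tables are ours.

```python
from __future__ import annotations

# Added example, not Moogsoft code. Configuration keys follow the
# security.conf reference; the helper names below are ours.

# RFC 4514 section 2.4: characters that must be escaped inside a DN value.
_DN_ESCAPES = {",": "\\,", "+": "\\+", '"': '\\"', "\\": "\\\\",
               "<": "\\<", ">": "\\>", ";": "\\;", "=": "\\="}

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_dn_value(value: str) -> str:
    """Escape a login name for use as the value of a DN component."""
    out = "".join(_DN_ESCAPES.get(ch, ch) for ch in value)
    if out.startswith((" ", "#")):      # a leading space or '#' is special
        out = "\\" + out
    if out.endswith(" "):               # so is a trailing space
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value: str) -> str:
    """Escape a login name for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def direct_user_dn(resolution: dict, username: str) -> str:
    """direct: DN = <usernameAttribute>=<username>,<userDnPostfix>."""
    d = resolution["direct"]
    return f"{d['usernameAttribute']}={escape_dn_value(username)},{d['userDnPostfix']}"


def lookup_search(resolution: dict, username: str) -> tuple[str, str]:
    """lookup: return (userBaseDn, filter) for the search that finds the DN.
    The username term is AND-ed with userBaseSearchFilter when one is set."""
    l = resolution["lookup"]
    user_term = f"({l['usernameAttribute']}={escape_filter_value(username)})"
    base_filter = l.get("userBaseSearchFilter")
    search_filter = f"(&{base_filter}{user_term})" if base_filter else user_term
    return l["userBaseDn"], search_filter


def resolve(resolution: dict, username: str):
    """Dispatch on resolutionType as the reference describes."""
    rtype = resolution["resolutionType"]
    if rtype == "direct":
        return direct_user_dn(resolution, username)
    if rtype == "lookup":
        return lookup_search(resolution, username)
    raise ValueError(f"unknown resolutionType: {rtype!r}")


# The two fragments from the reference, as Python dicts.
DIRECT = {"resolutionType": "direct",
          "direct": {"usernameAttribute": "uid",
                     "userDnPostfix": "ou=People,dc=moogsoft,dc=com"}}
LOOKUP = {"resolutionType": "lookup",
          "lookup": {"usernameAttribute": "sAMAccountName",
                     "userBaseDn": "ou=People,dc=moogsoft,dc=com",
                     "userBaseSearchFilter": "(objectclass=person)"}}

if __name__ == "__main__":
    print(resolve(DIRECT, "john.smith"))
    print(resolve(LOOKUP, "john.smith"))
    # Hostile input: the filter stays a single equality term.
    print(resolve(LOOKUP, "*)(sAMAccountName=*"))
```

Whether the product escapes the login name this way is not stated on this page; if you cannot confirm it, restrict the characters accepted in usernames at the login form and keep userBaseSearchFilter narrow, so a search can only ever match entries of the intended object class under userBaseDn.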

attributeSearchFilter

Defines an optional LDAP attribute filter to search for user attributes.

Type: String

Required: No

Default: (objectclass=*)

attributeMap

Defines an attribute map between the LDAP user attributes and the user attributes in the Moogsoft AIOps database. Each key is a column of the Moogsoft AIOps user database and each value the LDAP attribute that populates it.

Type: String

Required: No

Default: N/A

This property uses the format:

"attributeMap": {
    "db_column_5": "ldap_attribute_1",
    "db_column_2": "ldap_attribute_8",
    "db_column_3": "ldap_attribute_8"
}

LDAP Group Search and Mapping

You can configure the following properties in the LDAP group search section:

systemUser

Username of the system user that binds to the directory and searches for user group information. LDAP also uses this user for DN lookups if you leave the userDnLookupUser property empty. With a system user configured, each login involves two bind requests and two search requests against LDAP: the system user's bind and searches for the user's DN and groups, and the authenticating user's own bind. If you do not configure a system user, the bind chosen for authentication is also used for the LDAP group search. Give this account read access to the user and group subtrees only; it needs no other directory rights.

Type: String

Required: No

Default: N/A

systemPassword

Password of the system user to bind and search for user group information.

Type: String

Required: No

Default: N/A

groupBaseDn

DN for the part of the LDAP structure that contains the user groups. This is used in conjunction with the memberAttribute to find any LDAP groups the user belongs to. These groups are then mapped to a local role using the roleMap property.

Type: String

Required: No

Default: N/A

memberAttribute

Attribute of the group entry that lists its members. Moogsoft AIOps searches under groupBaseDn for groups whose memberAttribute contains the user's DN.

Type: String

Required: No

Default: member

groupNameAttribute

Attribute of the group entry that holds the group name. Its value is the group name that the keys of roleMap and teamMap refer to.

Type: String

Required: No

Default: CN

roleMap

Defines the role mappings between LDAP groups and Moogsoft AIOps roles: each key is a group name, as read from groupNameAttribute, and each value a Moogsoft AIOps role.

Type: String

Required: No

Default: N/A

LDAP AssignTeams Properties

You can configure the following sub-properties of assignTeams to synchronize team assignment between the user directory and the teams in Moogsoft AIOps.

assignTeams

Synchronizes team assignment between the user directory and the teams in Moogsoft AIOps. Contains the sub-properties below.

Type: Object

Required: No

Default: N/A

teamMap

Maps LDAP group names to team names in Moogsoft AIOps. Provide the mapping as a JSON object whose keys are LDAP group names and whose values are Moogsoft AIOps team names. For example:

{ "LDAP Team" : "Moogsoft Team", "Another LDAP Team" : "Another Moogsoft team" }

Type: JSON Object

Required: No

Default: N/A

useGroupName

Enable to use the LDAP group name as the team name in Moogsoft AIOps.

Type: Boolean

Required: No

Default: false

createNewTeams

Creates a team or teams if they do not exist in Moogsoft AIOps. If you leave teamMap empty, the teams take their LDAP group names. Combined with useGroupName or an empty teamMap, this creates a team for every LDAP group under groupBaseDn that the user belongs to, so keep groupBaseDn scoped to the groups you intend to synchronize.

Type: Boolean

Required: No

Default: false
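The group search and team assignment described in the two sections above, as an added Python example that is not part of the Moogsoft documentation or product: it takes the group DNs that a memberAttribute search under groupBaseDn would return, reads the group name with groupNameAttribute, and applies roleMap and the assignTeams sub-properties. The configuration keys are the reference's; the function names, the constructed group DNs, and the reading that a group absent from a non-empty teamMap (with useGroupName off) yields no team are ours.

```python
import re

# Added example, not Moogsoft code. Config keys follow the reference; the
# functions, the treatment of unmapped groups and the group DNs are ours.


def group_names(group_dns, group_name_attribute="CN"):
    """Take the groupNameAttribute value (default CN) from each group DN
    returned by the memberAttribute search under groupBaseDn."""
    pattern = re.compile(rf"^{re.escape(group_name_attribute)}=((?:\\.|[^,])+)", re.IGNORECASE)
    names = []
    for dn in group_dns:
        match = pattern.match(dn)
        if match:
            names.append(match.group(1))
    return names


def map_roles(names, role_map):
    """roleMap: LDAP group name -> Moogsoft AIOps role. Groups without a
    mapping confer nothing (assumption: no implicit default role)."""
    return sorted({role_map[name] for name in names if name in role_map})


def map_teams(names, assign_teams, existing_teams):
    """assignTeams semantics as this example reads them:
    - teamMap renames a group to a team;
    - useGroupName, or an empty teamMap, takes the group name as the team name;
    - createNewTeams decides whether an unknown team is created or dropped.
    Returns (teams to assign, teams that would be created)."""
    team_map = assign_teams.get("teamMap") or {}
    use_group_name = assign_teams.get("useGroupName", False)
    create_new = assign_teams.get("createNewTeams", False)
    candidates = []
    for name in names:
        if name in team_map:
            candidates.append(team_map[name])
        elif use_group_name or not team_map:
            candidates.append(name)
    assign, create = [], []
    for team in candidates:
        if team in existing_teams:
            assign.append(team)
        elif create_new:
            assign.append(team)
            create.append(team)
    return assign, create


def provision(group_dns, ldap_cfg, existing_teams):
    """Everything the group search contributes to a login: roles and teams."""
    names = group_names(group_dns, ldap_cfg.get("groupNameAttribute", "CN"))
    roles = map_roles(names, ldap_cfg.get("roleMap") or {})
    teams, new_teams = map_teams(names, ldap_cfg.get("assignTeams") or {}, existing_teams)
    return {"groups": names, "roles": roles, "teams": teams, "new_teams": new_teams}


# Constructed sample: group DNs as a memberAttribute search might return them.
GROUP_DNS = ["CN=AIOps Operators,OU=Groups,DC=moogsoft,DC=com",
             "CN=AIOps Managers,OU=Groups,DC=moogsoft,DC=com",
             "CN=Everyone,OU=Groups,DC=moogsoft,DC=com"]

STRICT = {"groupNameAttribute": "CN",
          "roleMap": {"AIOps Operators": "Operator", "AIOps Managers": "Manager"},
          "assignTeams": {"teamMap": {"AIOps Operators": "Cloud DevOps"},
                          "useGroupName": False, "createNewTeams": False}}

# Same groups, but every group name becomes a team and missing teams are created.
PERMISSIVE = dict(STRICT, assignTeams={"teamMap": {}, "useGroupName": True,
                                       "createNewTeams": True})

if __name__ == "__main__":
    print(provision(GROUP_DNS, STRICT, {"Cloud DevOps"}))
    print(provision(GROUP_DNS, PERMISSIVE, {"Cloud DevOps"}))
```

The PERMISSIVE configuration shows the effect of createNewTeams together with useGroupName: a team is created for every group the user belongs to, including Everyone, which is why groupBaseDn should be narrow and teamMap explicit.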

LDAP SSL Properties

You can optionally configure SSL/TLS for the LDAP connection. Use these properties together with an ldaps:// url; the client certificate and key are only needed when the directory requires client (mutual TLS) authentication:

ssl_protocol

Defines the TLS protocol version to use. Keep the default or newer; TLSv1.0 and TLSv1.1 are deprecated.

Type: String

Required: No

Default: TLSv1.2

server_cert_file

Path to the SSL server certificate that the LDAP server's certificate is verified against.

Type: String

Required: No

Default: N/A

client_cert_file

Path to the SSL client certificate presented to the LDAP server for mutual TLS.

Type: String

Required: No

Default: N/A

client_key_file

Path to the private key that matches client_cert_file. Restrict read access on this file to the account Moogsoft AIOps runs as.

Type: String

Required: No

Default: N/A

SAML Service Provider Properties

You can configure a SAML realm by giving it a name and editing the following properties:

idpMetadataFile

Location of the identity provider's metadata file. The metadata file provides information on how to connect to the IdP. Moogsoft AIOps requires the file to be in .xml format.

Type: String

Required: Yes

Default: "/usr/share/moogsoft/etc/saml/my_idp_metadata.xml"

spMetadataFile

Location of the service provider's metadata file. Moogsoft AIOps writes the SP metadata information to this file. This location must be accessible and editable by the Apache Tomcat user. Moogsoft AIOps requires the file to be in .xml format. If your IdP does not have an SP metadata file generator, you can create one manually. See Build a Service Provider Metadata File for instructions.

Type: String

Required: No

Default: "/usr/share/moogsoft/etc/saml/my_sp_metadata.xml"

defaultRoles

Default roles that Moogsoft AIOps assigns to new users upon first login using SAML. If the user already has a role mapping, Moogsoft AIOps uses that instead.

Type: Array

Required: Yes

Default: [ "Operator" ]

defaultTeams

Default teams that Moogsoft AIOps assigns to new users upon first login using SAML. Set an empty list if you do not want to assign new users to a team.

Type: Array

Required: No

Default: [ "Cloud DevOps" ]

defaultGroup

Default primary group that Moogsoft AIOps assigns to new users upon first login using SAML.

Type: Array

Required: Yes

Default: [ "End-User" ]

SAML User Mapping Properties

You can configure how to map IdP user fields to existing Moogsoft AIOps users and how to map user fields for new users. All mappings are case sensitive. Each mapping follows the format:

"MoogsoftAttribute" : "IdPAttribute"

existingUserMappingField

Defines the field that Moogsoft AIOps uses to map existing users to your IdP users.

Type: String

Required: No

One of: username, email

Default: "username"

username

Defines the IdP's attribute that maps to username in Moogsoft AIOps.

Type: String

Required: Yes

Default: "$Email"

email

Defines the IdP's attribute that maps to email in Moogsoft AIOps.

Type: String

Required: Yes

Default: "$Email"

fullname

Defines the IdP attributes that map to full name in Moogsoft AIOps.

Type: String

Required: Yes

Default: "$FirstName $LastName"
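The user mapping and first-login defaults above, as an added Python example that is not part of the Moogsoft documentation or product: it expands the $Attribute templates ($Email, $FirstName $LastName) against the attributes decoded from an assertion, matches an existing user on existingUserMappingField with the case-sensitive comparison the section describes, and fills defaultRoles, defaultTeams and defaultGroup for a new user. The realm dict layout (defaults beside a userMapping object), the function names, the choice to refuse a login whose assertion lacks a required attribute, and the sample assertion are ours.

```python
import re

# Added example, not Moogsoft code. The mapping templates and default
# properties are those of the reference; the nesting of the realm dict, the
# function names and the sample assertion attributes are ours.

_PLACEHOLDER = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def expand(template, attrs):
    """Replace every $Name in a mapping such as "$FirstName $LastName" with
    the IdP attribute Name. A missing or empty attribute is an error rather
    than an empty string, so a user is never created with a blank username."""
    def substitute(match):
        name = match.group(1)
        value = attrs.get(name)
        if not value:
            raise KeyError(f"assertion lacks required attribute {name!r}")
        return value
    return _PLACEHOLDER.sub(substitute, template)


def map_user(realm, attrs, existing_users):
    """Resolve the identity from the assertion, then either match an existing
    user on existingUserMappingField (exact, case-sensitive comparison) or
    describe the new user with the realm's defaults."""
    mapping = realm["userMapping"]
    user = {field: expand(mapping[field], attrs) for field in ("username", "email", "fullname")}
    # Optional properties name an IdP attribute directly rather than a template.
    for optional in ("contactNumber", "department", "timezone"):
        if optional in mapping and mapping[optional] in attrs:
            user[optional] = attrs[mapping[optional]]
    key = mapping.get("existingUserMappingField", "username")
    for existing in existing_users:
        if existing.get(key) == user[key]:
            return {"action": "update", "matched_on": key, **user}
    return {"action": "create", **user,
            "roles": list(realm.get("defaultRoles", [])),
            "teams": list(realm.get("defaultTeams", [])),
            "primaryGroup": list(realm.get("defaultGroup", []))}


def rejects_missing_attribute(realm, attrs):
    """True if the login is refused because a required attribute is absent."""
    try:
        map_user(realm, attrs, [])
    except KeyError:
        return True
    return False


# A realm using the documented defaults, matching existing users on email.
REALM = {"defaultRoles": ["Operator"], "defaultTeams": ["Cloud DevOps"],
         "defaultGroup": ["End-User"],
         "userMapping": {"existingUserMappingField": "email",
                         "username": "$Email", "email": "$Email",
                         "fullname": "$FirstName $LastName",
                         "contactNumber": "phone"}}

# Constructed attributes, as decoded from an IdP assertion.
ASSERTION = {"Email": "john.smith@example.com", "FirstName": "John",
             "LastName": "Smith", "phone": "+1 555 0100"}

EXISTING_USERS = [{"username": "jsmith", "email": "john.smith@example.com"}]

if __name__ == "__main__":
    print(map_user(REALM, ASSERTION, EXISTING_USERS))
    print(map_user(REALM, ASSERTION, []))
    print(rejects_missing_attribute(REALM, {"Email": "nobody@example.com"}))
```

Two consequences worth checking against your IdP: matching on email lets whoever controls the email attribute at the IdP bind a login to that local account, so use it only where users cannot edit their own email at the IdP; and because the comparison is case-sensitive, an assertion carrying John.Smith@example.com creates a second account instead of matching john.smith@example.com.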

SAML Optional Properties

You can customize your SAML realm with a number of optional properties:

contactNumber

Defines the IdP attribute that maps to contact number in Moogsoft AIOps.

Type: String

Required: No

Default: "phone"

department

Defines the IdP attribute that maps to department in Moogsoft AIOps.

Type: String

Required: No

Default: "department"

primaryGroup

Defines the IdP attribute that maps to primary group in Moogsoft AIOps.

Type: String

Required: No

Default: "primaryGroup"

timezone

Defines the IdP attribute that maps to timezone in Moogsoft AIOps.

Type: String

Required: No

Default: "timezone"

SAML assignTeams Properties

You can configure the following sub-properties of assignTeams to synchronize team assignment between the SAML user directory and the teams in Moogsoft AIOps:

teamAttribute

Defines the IdP attribute that maps to teams in Moogsoft AIOps.

Type: String

Required: No

Default: "groups"

teamMap

Maps IdP team or group names to team names in Moogsoft AIOps, as a JSON object whose keys are values carried in teamAttribute and whose values are Moogsoft AIOps team names.

Type: JSON Object

Required: No

Default: { "IdP Team" : "Moogsoft AIOps Team", "Another IdP Team" : "Another AIOps team" }

createNewTeams

Creates a team or teams if they do not exist in Moogsoft AIOps. If you leave teamMap empty, the teams take their IdP team names.

Type: Boolean

Required: No

Default: false

SAML assignRoles Properties

roleAttribute

Defines the IdP attribute containing role information.

Type: String

Required: No

Default: "groups"

roleMap

Maps the values carried in roleAttribute to Moogsoft AIOps roles, as a JSON object.

Type: JSON Object

Required: No

Default: { "IdP Standard User" : "Operator", "IdP Manager User" : "Manager" }

SAML Security Properties

keystorePassword

Your keystore password. The default is derived from the realm name, with any whitespace replaced by an underscore. Because that default is predictable from the realm name, set your own value.

Type: String

Required: No

Default: "<my_realm>_secret"

privateKeyPassword

Your private key password. The default is derived from the realm name, with any whitespace replaced by an underscore. Set your own value, as for keystorePassword.

Type: String

Required: No

Default: "<my_realm>_secret"

maximumAuthenticationLifetime

Maximum age, in seconds, of the authentication at the IdP that Moogsoft AIOps accepts in a SAML assertion; an assertion whose authentication instant is older than this is rejected. The default of 30 days is generous: align it with your IdP's session lifetime so that a stale assertion cannot be used to sign in long after the original login.

Type: Integer

Required: No

Default: 2592000 (720 hours)

serviceProviderEntityId

The entity ID that identifies Moogsoft AIOps as a service provider to the IdP. Some IdPs require this ID, and it must match the entity ID registered at the IdP exactly.

Type: String

Required: No

Default: "MoogsoftAIOps"
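An audit of the settings in this reference that most affect security, as an added Python example that is not part of the Moogsoft documentation or product. It assumes security.conf parses to a JSON object with an ldap section and a saml map of realm name to realm properties, with ssl, userDnResolution and assignTeams nested under ldap as the fragments above suggest; that layout, the thresholds (one day for maximumAuthenticationLifetime) and the finding texts are ours, while the property names are the page's. It runs over two constructed configurations, one with the weak settings and one with them corrected.

```python
from urllib.parse import urlparse

# Added example, not Moogsoft code. The nesting of sections, the thresholds
# and the finding texts are ours; the property names are those documented.

DEFAULT_AUTH_LIFETIME = 2592000      # 720 hours, the documented default
MAX_AUTH_LIFETIME = 86400            # our threshold: one day


def audit_ldap(ldap):
    findings = []
    scheme = urlparse(ldap.get("url", "")).scheme.lower()
    if scheme != "ldaps":
        findings.append("ldap.url: not ldaps://; a simple bind over ldap:// sends the password in cleartext")
    ssl = ldap.get("ssl") or {}
    protocol = ssl.get("ssl_protocol", "TLSv1.2")
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"ldap.ssl.ssl_protocol: {protocol} is below the TLSv1.2 default")
    if scheme == "ldaps" and not ssl.get("server_cert_file"):
        findings.append("ldap.ssl.server_cert_file: not set; confirm how the server certificate is verified")
    resolution = ldap.get("userDnResolution") or {}
    if resolution.get("userDnLookupPassword") and not resolution.get("encryptedUserDnLookupPassword"):
        findings.append("ldap.userDnResolution.userDnLookupPassword: cleartext; use encryptedUserDnLookupPassword (Moog Encryptor)")
    teams = ldap.get("assignTeams") or {}
    if teams.get("createNewTeams") and (teams.get("useGroupName") or not teams.get("teamMap")):
        findings.append("ldap.assignTeams: every LDAP group under groupBaseDn becomes a team; scope groupBaseDn or set teamMap")
    return findings


def audit_saml_realm(name, realm):
    findings = []
    predictable = "_".join(name.split()) + "_secret"     # the documented default
    for key in ("keystorePassword", "privateKeyPassword"):
        if realm.get(key, predictable) == predictable:
            findings.append(f"saml.{name}.{key}: uses the predictable default '<realm>_secret'")
    lifetime = int(realm.get("maximumAuthenticationLifetime", DEFAULT_AUTH_LIFETIME))
    if lifetime > MAX_AUTH_LIFETIME:
        findings.append(f"saml.{name}.maximumAuthenticationLifetime: {lifetime}s accepts IdP authentications up to {lifetime // 3600}h old")
    if not str(realm.get("idpMetadataFile", "")).endswith(".xml"):
        findings.append(f"saml.{name}.idpMetadataFile: must point at an .xml metadata file")
    return findings


def audit(conf):
    """Return every finding for a parsed security.conf-style document."""
    findings = []
    if "ldap" in conf:
        findings += audit_ldap(conf["ldap"])
    for name, realm in (conf.get("saml") or {}).items():
        findings += audit_saml_realm(name, realm)
    return findings


# Constructed configuration with the weak settings.
WEAK = {
    "ldap": {
        "url": "ldap://172.16.124.169:389",
        "userDnResolution": {"resolutionType": "direct",
                             "userDnLookupUser": "cn=lookup,ou=Service,dc=moogsoft,dc=com",
                             "userDnLookupPassword": "changeme",
                             "direct": {"usernameAttribute": "uid",
                                        "userDnPostfix": "ou=People,dc=moogsoft,dc=com"}},
        "assignTeams": {"useGroupName": True, "createNewTeams": True},
        "ssl": {"ssl_protocol": "TLSv1"}},
    "saml": {"my realm": {"idpMetadataFile": "/usr/share/moogsoft/etc/saml/my_idp_metadata.xml"}}}

# The same configuration with each weak setting corrected.
HARDENED = {
    "ldap": {
        "url": "ldaps://ldap.moogsoft.com:636",
        "userDnResolution": {"resolutionType": "direct",
                             "userDnLookupUser": "cn=lookup,ou=Service,dc=moogsoft,dc=com",
                             "encryptedUserDnLookupPassword": "output-of-moog-encryptor",
                             "direct": {"usernameAttribute": "uid",
                                        "userDnPostfix": "ou=People,dc=moogsoft,dc=com"}},
        "assignTeams": {"teamMap": {"AIOps Operators": "Cloud DevOps"}, "createNewTeams": True},
        "ssl": {"ssl_protocol": "TLSv1.2", "server_cert_file": "/usr/share/moogsoft/etc/ldap/ca.pem"}},
    "saml": {"my realm": {"idpMetadataFile": "/usr/share/moogsoft/etc/saml/my_idp_metadata.xml",
                          "keystorePassword": "replace-with-generated-secret",
                          "privateKeyPassword": "replace-with-generated-secret",
                          "maximumAuthenticationLifetime": 3600}}}

if __name__ == "__main__":
    for finding in audit(WEAK):
        print("WEAK:", finding)
    print("HARDENED:", audit(HARDENED) or "no findings")
```

Run this against your own file before enabling a realm: the two password defaults are flagged when the keys are simply absent, which is the state a freshly added realm is in.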