IBM Support

Locking down a Tivoli Endpoint Manager Security and Compliance Analytics installation

Technote (troubleshooting)


Problem(Abstract)

There are many possible ways to secure the installation of your TEMA server. This note illustrates the concepts with one example. It is not intended to be a comprehensive security manual.

Resolving the problem


Security concerns with a TEMA installation

When using SQL Server Authentication, the TEMA database username and password are stored as clear text in C:\TEMA\config\database.yml, and the BES database username and password are stored in clear text in a TEMA database table. We recommend Windows authentication instead.

If using SSL to access your server the SSL certificate is stored in C:\TEMA\config\keystore. While this file is nominally encrypted, the password to unlock it is stored as clear text in config\jetty-ssl.xml.

The first time the TEMA server is started, the program files are expanded to a directory tree under the installation directory. A sophisticated hacker could breach security by tampering with these files.

We recommend securing the installation directory and using Windows authentication for database access. The following example illustrates one way to do this.

Example secure installation

Prepare the TEMA server

We must select or create a Windows user account to run the TEMA service. This example creates a new local account, but a Domain account may be necessary if the database and server are installed on different machines.

  • Using an administrative account, log in to the server that will host the TEMA server software. These instructions assume this machine is named TEMA_SERVER.
  • Invoke the control panel: 'Start / control panel'
  • Navigate to 'Administrative tools' and double click 'Computer Management'
  • Navigate to 'Local Users and Groups'
  • Right click 'Users' and choose 'New User...'
  • Enter username and password. In the remainder of this document, we assume username: TEMA_svc_user password: temasvc
  • Uncheck 'User must change password at next logon'
  • Check 'Password never expires'
  • Click 'Create'
  • Click 'Close'. The new user should appear in the users list.
  • Remove any default permission group membership:
    • Right-click the user and choose 'Properties'
    • Select the 'Member Of' tab
    • Select 'Users' and click 'Remove'
    • Repeat for any other group listed.
  • Click 'OK'
  • Close the 'Computer Management' window
  • Double click 'Local Security Policy'
  • Navigate to 'Local Policies/User Rights Assignment'
  • In the 'Policy' column, double click 'Log on as a Service'
  • Click 'Add user or Group'
  • Enter the TEMA service user name fully qualified with the TEMA server name, for example: TEMA_SERVER\TEMA_svc_user
  • Click 'Check Names'
    • If entered incorrectly a warning will appear. Double check and try again.
    • If entered properly, the name will now appear underlined.
  • Click 'OK'
  • Click 'OK'
  • Close the 'Local Security Policy' window
  • Close the 'Administrative Tools' window
  • Close the 'Control Panel' window

Create the TEMA database login

  • Run SQL Server Management Studio, and connect to the SQL Server instance that will host the TEMA database. Connect as a database administrator.
  • Add the TEMA_SERVER\TEMA_svc_user login:*
    • Navigate to 'Security/Logins'
    • Right click 'Logins' and choose 'New Login...'
    • Click 'Search...'
    • Enter the TEMA service user name fully qualified with the TEMA server name, for example: TEMA_SERVER\TEMA_svc_user
    • Click 'Check Names'
      • If entered incorrectly a warning will appear. Double-check and try again.
      • If entered properly, the name will now appear underlined.
    • Click 'OK'
  • Do one of the following:
    • Add the 'dbcreator' role: This role may be removed later if desired. See optional steps below.
      • Navigate to 'Server Roles'
      • Check 'dbcreator'
    • Manually create the TEMA database and set the TEMA_svc_user as 'owner' of that database:
      • Navigate to <server> / Databases
      • Right click 'Databases' and choose 'New Database...'
      • Enter the database name; 'tem_analytics' is recommended.
      • Click the '...' button
      • Check the TEMA_svc_user login and click 'OK'
      • Click 'OK'
      • Click 'OK' to create the new database

Create a TEMA login on the BES database

  • Run SQL Server Management Studio, and connect to the SQL Server instance that hosts the BES database. Connect as an administrative user.
  • Add the TEMA_SERVER\TEMA_svc_user login as before (see * above)
  • Navigate to 'Security/Logins' and double click the TEMA_svc_user
  • Navigate to user mapping and check the BES database. These instructions assume it's called 'BFEnterprise'
  • Click 'OK'
  • Click the 'New Query' button
  • In the query window enter:
use BFEnterprise;
grant SELECT to [TEMA_SERVER\TEMA_svc_user];
grant EXECUTE to [TEMA_SERVER\TEMA_svc_user];
  • Click 'Execute'
  • Verify that the Messages window says 'Command(s) completed successfully'
  • Do just one of the following:
    • Either add 'alter database' permissions (these may be removed later; see optional steps below)
      • In the query window enter:
use BFEnterprise;
grant CREATE SCHEMA to [TEMA_SERVER\TEMA_svc_user];
grant CREATE TABLE to [TEMA_SERVER\TEMA_svc_user];
grant CREATE VIEW to [TEMA_SERVER\TEMA_svc_user];
grant CREATE FUNCTION to [TEMA_SERVER\TEMA_svc_user];
      • Click 'Execute'
      • Verify that the Messages window says 'Command(s) completed successfully'
    • Or manually install the TEMA extensions into your BES database.
      • tbd

Create a TEMA login on the Web reports database

  • Skip these steps if you're not linking to a Web reports installation.
  • Run SQL Server Management Studio, and connect to the SQL Server instance that hosts the Web Reports database. Connect as an administrative user. These instructions assume the database is called 'WebReportsDB'.
  • Add the TEMA_SERVER\TEMA_svc_user login as before (see * above)
  • Click the 'New Query' button
  • In the query window enter:
use WebReportsDB;
grant SELECT to [TEMA_SERVER\TEMA_svc_user];
  • Click 'Execute'
  • Verify that the Messages window says 'Command(s) completed successfully'
  • Close SQL Server Management Studio

Create a secure installation directory for TEMA

  • With Windows Explorer, navigate to the drive TEMA will reside on. These instructions assume 'Local Disk (C:)'
  • Right click and choose 'New Folder'. These instructions assume the folder is called C:\TEMA.
  • Right click the TEMA folder and select 'properties'
  • Choose the 'Security' tab and click 'Advanced'
  • Choose the 'Permissions' tab and click 'Change Permissions...'
  • Uncheck 'Include inheritable permissions from this object's parent.'
  • At the security warning dialog, choose 'Remove' to remove inherited parent permissions from this object. The 'Permission entries:' list should now be empty.
  • Add the users/groups that should have access to the TEMA directory
    • click 'Add...'
    • Enter the name of the TEMA service user, example: TEMA_SERVER\TEMA_svc_user
    • Click 'Check Names'. The server\username should now be underlined.
    • click 'OK'
    • In the 'Permissions:' window click 'Full Control' in the 'Allow' column. All remaining boxes in the 'Allow' column will now be checked.
    • click 'OK'
    • Repeat the last six steps to add the administrator account you're currently logged in as. You may also wish to add the 'Administrators' group.
    • click 'OK'
    • click 'OK'
    • click 'OK'
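The same directory lockdown as a script, added here as an example and not part of the IBM technote. It assumes the folder C:\TEMA, the account TEMA_SERVER\TEMA_svc_user and the local Administrators group used in this document, and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the technote): reproduce the GUI ACL steps for C:\TEMA.
# Assumed values: the folder, service account and admin principals named in this document.
$temaDir     = 'C:\TEMA'
$serviceUser = 'TEMA_SERVER\TEMA_svc_user'
$extraAdmins = @("$env:USERDOMAIN\$env:USERNAME", 'BUILTIN\Administrators')

if (-not (Test-Path $temaDir)) { New-Item -ItemType Directory -Path $temaDir | Out-Null }

$acl = Get-Acl -Path $temaDir

# Stop inheriting from the drive root and discard the inherited entries
# (the same as unchecking 'Include inheritable permissions' and choosing 'Remove').
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit entries that were already present so the list starts empty.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $acl.RemoveAccessRule($rule)
}

# Grant Full Control to the service account and the administrators. The rule applies to
# this folder, its subfolders and files, so it covers the tree expanded by 'tema install'.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
foreach ($identity in @($serviceUser) + $extraAdmins) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, 'FullControl', $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $temaDir -AclObject $acl

# Show the resulting entries so they can be compared with the GUI 'Permission entries' list.
(Get-Acl -Path $temaDir).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited, AccessControlType |
    Format-Table -AutoSize
```

The final listing should show only the explicit Full Control entries you added, all with IsInherited set to False.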

Install TEMA

  • Unpack the TEMA zip file to the TEMA directory.
  • Open a command prompt window. If 'User account control' is enabled, be sure to 'Run as Administrator.'
  • Navigate to the TEMA directory:
C:\>CD \TEMA
C:\TEMA>
  • Start the TEMA service with the SSL configuration, service user and password. We recommend using the default certificate for initial configuration. Once TEMA is up and running, you can add your own certificate.
C:\TEMA>tema install config\jetty-ssl.xml TEMA_SERVER\TEMA_svc_user temasvc
.
. IBM Tivoli Endpoint Manager Analytics install and launch utility.
.
. using jetty configuration: C:\TEMA\config\jetty-ssl.xml
.                 java home: C:\Program Files (x86)\Java\jdk1.6.0_23
.     detected architecture: 'x86'
.
. Service installed.  Use 'tema start' to start it.
.

C:\TEMA>tema start
.
. IBM Tivoli Endpoint Manager Analytics install and launch utility.
.

SERVICE_NAME: TEMAnalytics
TYPE               : 10  WIN32_OWN_PROCESS
STATE              : 2  START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE    : 0  (0x0)
SERVICE_EXIT_CODE  : 0  (0x0)
CHECKPOINT         : 0x0
WAIT_HINT          : 0x7d0
PID                : 2748
FLAGS              :
.
. Service start requested.  The server will take a moment to initialize.
.
. The server logs are in: C:\TEMA\log
.
  • Verify that the service is running as the correct user
    • Launch 'Control Panel'
    • Choose 'Administrative Tools'
    • Double click 'Services'
    • Locate the 'Tivoli Endpoint Manager Analytics' service
    • Verify that the 'Log On As' column lists the 'TEMA_svc_user'. It may be listed as 'TEMA_SERVER\TEMA_svc_user' or simply '.\TEMA_svc_user'
    • Close the 'Services', 'Administrative Tools', and 'Control Panel' windows.
  • Launch Firefox and navigate to https://localhost
    • Firefox may warn that the connection is 'untrusted.' This is normal with the testing certificate. Click 'I understand the risks' and add an exception. You should be on the initial setup screen.
  • Enter the TEMA server name, a database name and choose 'Windows authentication'. TEMA will authenticate as the TEMA_svc_user
  • Enter the username/password to use for the TEMA administrator account and click 'Create'
  • Enter the BES and database information, using Windows Authentication. Repeat for Web Reports if desired.
  • Click 'Create'. The TEMA server is now installed and running.

Test the installation

  • Log in as an unprivileged user and verify that you cannot access the TEMA installation directory.
  • Verify that you can only access the TEMA web application via https://
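The verification steps above (service account, directory access, HTTPS only) as one script, added here as an example and not part of the IBM technote. It assumes the service name 'TEMAnalytics' shown in the 'tema start' output, the directory C:\TEMA and the account TEMA_svc_user from this document, and it assumes the SSL listener is on 443 and that nothing should answer on plain port 80.

```powershell
# Added example (not from the technote): post-install checks for the locked-down TEMA server.
# Assumed values: service name, install directory, service account and ports named above.
$serviceName  = 'TEMAnalytics'
$temaDir      = 'C:\TEMA'
$expectedUser = 'TEMA_svc_user'

# 1. The service must run as the dedicated account, not as LocalSystem.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
if ($null -eq $svc) { throw "Service $serviceName not found" }
$runsAsExpected = $svc.StartName -like "*\$expectedUser"
"Service '$($svc.Name)' state=$($svc.State) logon=$($svc.StartName) ok=$runsAsExpected"

# 2. No broadly scoped principal may hold rights on the install directory,
#    and nothing may still be inherited from the drive root.
$acl = Get-Acl -Path $temaDir
$broad = $acl.Access | Where-Object {
    $_.IsInherited -or
    "$($_.IdentityReference)" -match '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)$'
}
if ($broad) {
    "WARNING: unexpected ACL entries on $temaDir"
    $broad | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    "ACL on $temaDir contains only explicit, narrowly scoped entries"
}

# 3. Only the SSL listener should answer: 443 open, 80 closed (assumed ports).
function Test-TcpPort([string]$Computer, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Computer, $Port); return $true }
    catch { return $false }
    finally { $client.Close() }
}
$httpsOpen = Test-TcpPort 'localhost' 443
$httpOpen  = Test-TcpPort 'localhost' 80
"HTTPS (443) listening: $httpsOpen; plain HTTP (80) listening: $httpOpen (expected: True / False)"
```

Run it as the administrator who owns the directory; an unprivileged account would fail at Get-Acl, which is itself the result the 'Test the installation' step expects.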

Optional steps

  • Remove the 'dbcreator' role from your service user, and the 'create' permissions from your BES database if you added them temporarily.
    • Open a command window (as Administrator if UAC is on).
    • Navigate to the TEMA directory and stop the TEMA server
C:\>CD \TEMA
C:\TEMA>tema stop
    • Open SQL Server Management Studio.
    • Connect to the TEMA database server.
    • Sign in as a database admin.
    • Navigate to 'Security/Logins'.
    • Double click the TEMA_svc_user Login.
    • Navigate to 'Server Roles'.
    • Uncheck 'dbcreator'.
    • Click OK.
    • Close the server connection.
    • Connect to the BES database server.
    • Sign in as a database admin.
    • Click 'New Query'.
    • Enter the following, substituting your BES database name:
use BFEnterprise;
revoke CREATE SCHEMA from [TEMA_SERVER\TEMA_svc_user];
revoke CREATE TABLE from [TEMA_SERVER\TEMA_svc_user];
revoke CREATE VIEW from [TEMA_SERVER\TEMA_svc_user];
revoke CREATE FUNCTION from [TEMA_SERVER\TEMA_svc_user];
    • Click 'Execute'. The Messages window should say 'Command(s) completed successfully'.
    • Close the server connection
    • Restart your TEMA server. In the command window type:
C:\TEMA>tema start
    • After the server starts, verify that TEMA is operating normally.
  • Install your own SSL certificate.

Historical Number

1784

Document information

More support for: IBM BigFix family

Software version: DSS SCM 1.0

Operating system(s): Windows

Reference #: 1506240

Modified date: 16 October 2013
