Security - HenryGP/om_ansible GitHub Wiki

Table of contents

  1. HTTPS for Ops Manager server
  2. SSL for clients and servers
  3. LDAP
  4. KMIP

HTTPS for Ops Manager server

By default, the Ops Manager server listens on port 8080 over plain HTTP. To enable HTTPS:

  1. Set om_https in the vars/om-install-vars.yaml file:
    om_https: true
    
  2. Rebuild the images to apply the changes to the provisioner node.

The server uses a certificate named omserver_server.pem, which is generated at provisioning time and placed in /certs on the omserver container.

Once the changes are deployed, Ops Manager listens on port 8443 over HTTPS. On the local machine, Ops Manager can be reached in a browser at https://localhost:8443.

SSL for clients and servers

The ssl-creation.yaml task generates the SSL certificates, with the clientAuth extended key usage, the serverAuth extended key usage, or both (needed when replica sets are configured with x.509 cluster authentication, because a member presents the same certificate as client and as server). The provisioner distributes all certificates and places them in the /certs directory of every corresponding host in the infrastructure.

LDAP

When using Docker, om_ansible provisions an additional container running an LDAP server, ready to be used by Ops Manager or by any of the managed deployments.

MongoDB database users

User                                       MemberOf
uid=dba,ou=dbUsers,dc=tsdocker,dc=com      cn=dbAdmin,ou=dbRoles,dc=tsdocker,dc=com
uid=writer,ou=dbUsers,dc=tsdocker,dc=com   cn=readWriteAnyDatabase,ou=dbRoles,dc=tsdocker,dc=com
uid=reader,ou=DbUsers,dc=tsdocker,dc=com   cn=read,ou=dbRoles,dc=tsdocker,dc=com

Ops Manager Agents

User                                               MemberOf
uid=mms-automation,ou=dbUsers,dc=tsdocker,dc=com   cn=automation,ou=dbRoles,dc=tsdocker,dc=com
uid=mms-monitoring,ou=dbUsers,dc=tsdocker,dc=com   cn=monitoring,ou=dbRoles,dc=tsdocker,dc=com
uid=mms-backup,ou=dbUsers,dc=tsdocker,dc=com       cn=backup,ou=dbRoles,dc=tsdocker,dc=com

Ops Manager users

User                                       MemberOf
uid=owner,ou=omusers,dc=tsdocker,dc=com    cn=owners,ou=omgroups,dc=tsdocker,dc=com
uid=reader,ou=omusers,dc=tsdocker,dc=com   cn=readers,ou=omgroups,dc=tsdocker,dc=com
uid=admin,ou=omusers,dc=tsdocker,dc=com    cn=owners,ou=omgroups,dc=tsdocker,dc=com
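As an added example (not code from om_ansible), the following Python works through the directory layout in the three tables above: it parses the DNs, compares OU names case-insensitively (note the ou=DbUsers spelling on the reader entry), reports the uid that is reused across ou=dbUsers and ou=omusers, and lists the group DNs that MongoDB looks up as role names in the admin database when LDAP authorization is enabled. The membership list is transcribed from the tables; nothing else about the directory is assumed.

```python
"""Walk the LDAP layout from the om_ansible wiki: parse DNs, find reused uids,
and derive the group DNs MongoDB treats as role names. Added example, not
code from om_ansible."""

from collections import defaultdict

# Constructed from the three User / MemberOf tables on the wiki page.
MEMBERSHIPS = [
    # MongoDB database users
    ("uid=dba,ou=dbUsers,dc=tsdocker,dc=com", "cn=dbAdmin,ou=dbRoles,dc=tsdocker,dc=com"),
    ("uid=writer,ou=dbUsers,dc=tsdocker,dc=com", "cn=readWriteAnyDatabase,ou=dbRoles,dc=tsdocker,dc=com"),
    ("uid=reader,ou=DbUsers,dc=tsdocker,dc=com", "cn=read,ou=dbRoles,dc=tsdocker,dc=com"),
    # Ops Manager agents
    ("uid=mms-automation,ou=dbUsers,dc=tsdocker,dc=com", "cn=automation,ou=dbRoles,dc=tsdocker,dc=com"),
    ("uid=mms-monitoring,ou=dbUsers,dc=tsdocker,dc=com", "cn=monitoring,ou=dbRoles,dc=tsdocker,dc=com"),
    ("uid=mms-backup,ou=dbUsers,dc=tsdocker,dc=com", "cn=backup,ou=dbRoles,dc=tsdocker,dc=com"),
    # Ops Manager users
    ("uid=owner,ou=omusers,dc=tsdocker,dc=com", "cn=owners,ou=omgroups,dc=tsdocker,dc=com"),
    ("uid=reader,ou=omusers,dc=tsdocker,dc=com", "cn=readers,ou=omgroups,dc=tsdocker,dc=com"),
    ("uid=admin,ou=omusers,dc=tsdocker,dc=com", "cn=owners,ou=omgroups,dc=tsdocker,dc=com"),
]


def parse_dn(dn):
    """Split an RFC 4514 string DN into (attribute type, value) pairs.

    Backslash escapes (e.g. "Doe\\, John") are honoured, so an escaped comma
    does not start a new RDN. Attribute types are lower-cased because LDAP
    matches them case-insensitively; values are returned as written, minus
    surrounding whitespace. Multi-valued RDNs ("cn=a+sn=b") are not needed
    for this layout and are not handled.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr_type, value = rdn.split("=", 1)
        pairs.append((attr_type.strip().lower(), value.strip()))
    return pairs


def attr(dn, attr_type):
    """First value of attr_type in dn, or None if absent."""
    for t, v in parse_dn(dn):
        if t == attr_type.lower():
            return v
    return None


def in_ou(dn, ou_name):
    """True if the DN sits under the given OU. OU values are compared
    case-insensitively, so ou=dbUsers and ou=DbUsers count as the same OU."""
    return any(t == "ou" and v.lower() == ou_name.lower() for t, v in parse_dn(dn))


def duplicate_uids(memberships):
    """uid values that name more than one distinct DN in the directory.

    A user-to-DN mapping that searches the whole base DN for (uid=<name>)
    would get two entries back for such a uid; a template scoped to one OU
    does not have that problem.
    """
    by_uid = defaultdict(set)
    for user_dn, _group_dn in memberships:
        by_uid[attr(user_dn, "uid")].add(user_dn)
    return {uid: sorted(dns) for uid, dns in by_uid.items() if len(dns) > 1}


def mongodb_role_names(memberships):
    """Group DNs MongoDB will look up as role names for the database users.

    With LDAP authorization, every group DN returned for a user is treated as
    the name of a role in the admin database, so a role with exactly that DN
    as its name must exist there. Only principals under ou=dbUsers are MongoDB
    users; the omusers/omgroups entries are consumed by Ops Manager itself.
    """
    return sorted({group for user, group in memberships if in_ou(user, "dbUsers")})


if __name__ == "__main__":
    for uid, dns in duplicate_uids(MEMBERSHIPS).items():
        print(f"uid {uid!r} is reused: {dns}")
    print("roles MongoDB expects in the admin database:")
    for role in mongodb_role_names(MEMBERSHIPS):
        print("  ", role)
```

Running it reports that uid reader exists both under ou=DbUsers and ou=omusers, and prints the six dbRoles group DNs that must exist as role names on the admin database of every managed deployment that authorizes through this LDAP server.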

KMIP

The following settings are relevant when configuring the integration with KMIP:

  • Server: the KMIP server is reachable under the hostname kmip and listens on the default port, 5696
  • CA PEM file: /certs/ca.pem
  • KMIP client certificate for n1, n2, n3 and omserver: /certs/kmip_client.pem
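The HTTPS section and the KMIP settings above both rely on PEM files dropped into /certs by the provisioner. The following Python is an added example (not om_ansible code) of the checks worth running on those files before pointing Ops Manager or mongod at them: an identity file such as omserver_server.pem or /certs/kmip_client.pem must carry exactly one private key plus its certificate, a trust file such as /certs/ca.pem must carry certificates only, and a file holding a private key should not be group- or world-readable. It also shows where the three KMIP settings land in mongod's own security.kmip options. The sample PEM text is constructed with placeholder bodies, so the assertions exercise the structure checks only; run it against the real files in /certs.

```python
"""Structural checks for the PEM files in /certs, plus the mongod option names
that the wiki's KMIP settings map to. Added example, not om_ansible code."""

import os
import re
import stat

# One PEM block: label, body, matching END line (backreference \1 enforces the pair).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# Constructed samples; the bodies are placeholders, not real key material.
_FAKE_BODY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholder"
SAMPLE_IDENTITY_PEM = (
    f"-----BEGIN CERTIFICATE-----\n{_FAKE_BODY}\n-----END CERTIFICATE-----\n"
    f"-----BEGIN PRIVATE KEY-----\n{_FAKE_BODY}\n-----END PRIVATE KEY-----\n"
)
SAMPLE_CA_PEM = f"-----BEGIN CERTIFICATE-----\n{_FAKE_BODY}\n-----END CERTIFICATE-----\n"


def pem_labels(text):
    """Labels of the PEM blocks in the file, in the order they appear."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_bundle(text, kind):
    """Return a list of problems; an empty list means the bundle looks right.

    kind="identity": a file presented as the node's own identity, such as
        omserver_server.pem or /certs/kmip_client.pem. Needs at least one
        CERTIFICATE block (leaf, optionally followed by its chain) and exactly
        one private key.
    kind="ca": a trust anchor file such as /certs/ca.pem. Certificates only;
        a private key here would be copied to every node that trusts the CA.
    """
    labels = pem_labels(text)
    certs = [l for l in labels if l == "CERTIFICATE"]
    keys = [l for l in labels if l in KEY_LABELS]
    problems = []
    if not labels:
        problems.append("no PEM blocks found")
    if kind == "identity":
        if not certs:
            problems.append("identity file has no CERTIFICATE block")
        if len(keys) != 1:
            problems.append(f"identity file must hold exactly one private key, found {len(keys)}")
        if "ENCRYPTED PRIVATE KEY" in keys:
            problems.append("private key is passphrase-protected; the service needs the passphrase at start-up")
    elif kind == "ca":
        if not certs:
            problems.append("CA file has no CERTIFICATE block")
        if keys:
            problems.append("CA file contains a private key")
    else:
        raise ValueError(f"unknown bundle kind {kind!r}")
    return problems


def check_permissions(path):
    """Flag a file that holds a private key but is readable beyond its owner."""
    with open(path, encoding="ascii", errors="replace") as fh:
        holds_key = any(l in KEY_LABELS for l in pem_labels(fh.read()))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if holds_key and mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} holds a private key but is mode {mode:04o}; expected owner-only access"]
    return []


def mongod_kmip_settings(server_name="kmip", port=5696,
                         client_pem="/certs/kmip_client.pem", ca_pem="/certs/ca.pem"):
    """The wiki's three KMIP settings expressed with mongod's own option names
    (security.enableEncryption and security.kmip.*), as a dict that can be
    rendered to mongod.conf YAML or pushed through the automation config."""
    return {
        "security": {
            "enableEncryption": True,
            "kmip": {
                "serverName": server_name,
                "port": port,
                "clientCertificateFile": client_pem,
                "serverCAFile": ca_pem,
            },
        }
    }


if __name__ == "__main__":
    # Paths from the wiki; only checked when they exist on this host.
    for path, kind in [("/certs/kmip_client.pem", "identity"),
                       ("/certs/omserver_server.pem", "identity"),
                       ("/certs/ca.pem", "ca")]:
        if os.path.exists(path):
            with open(path, encoding="ascii", errors="replace") as fh:
                findings = check_bundle(fh.read(), kind) + check_permissions(path)
            print(path, "OK" if not findings else findings)
    print(mongod_kmip_settings())
```

check_bundle looks only at PEM framing; it does not validate that the certificate and key belong together or that the client certificate chains to /certs/ca.pem, which is the next thing to verify with the OpenSSL tooling on the provisioner.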