Security Management
Administrator Groups
TCPWave’s Administrator Groups feature is designed to help organize and manage administrators within TCPWave’s IPAM application, ensuring efficient assignment of access rights and roles. This documentation provides detailed instructions on creating, managing, and modifying Administrator Groups and roles within TCPWave’s IPAM application.
Types of Administrator Groups
FADM Group (Functional Administrators): Administrators with full operational capabilities, including tasks related to users and managing DNS, DHCP, and ADC operations.
SADM Group (Super Admins): Administrators with extensive operational privileges but without user administration tasks.
NADM Group (Normal Administrators): Administrators with full access to specific subnets and limited access to other DDI components.
PADM Group (Power Administrators): Administrators capable of tasks related to objects and zones, including synchronization of DNS, DHCP, and ADC.
RADM Group (Read-only Administrators): Administrators with limited privileges, primarily restricted to viewing information.
UADM Group (User Administrators): Administrators responsible for managing user accounts and permissions.
Administration and Security
Administrator Groups ensure streamlined management and security by enforcing designated roles.
Each administrator must belong to at least one group.
Groups can have roles associated with different organizations, providing flexibility in role assignments.
Only FADM and UADM users can create new Administrator Groups.
FADM and UADM groups cannot have additional roles, as they have overarching permissions.
Managing Administrator Groups
Add New Groups: Create new administrator groups.
Edit Groups: Modify existing groups.
Delete Groups: Remove groups with a validation message for confirmation.
Bookmark Groups: Quick access to frequently used groups.
Import Groups: Add groups using the Import Wizard tool.
Creating a Custom Administrator Group
Navigation: Go to Administration >> Security Management >> Administrator Groups.
Initiation: Click the appropriate icon to start and enter group details.
Confirmation and Saving: Confirm the creation of the group.
Administrator Groups Grid Features: Displays relevant information about groups.
Cancellation Option: Allows canceling the creation process.
Creating a Role
Initiation: Click on the designated icon to create a role.
Role Selection: Choose from system-defined roles or custom roles.
Selecting Role and Organization: Choose the required role and organization.
Finalizing Role Creation: Confirm the creation of the role.
Deleting a Role
Selection and Deletion: Select the role record and delete it.
Modifying an Existing Administrator Group
Selecting the Group: Locate and select the desired Administrator Group.
Accessing Edit Mode: Click the ‘Edit’ icon to enter edit mode.
Making Changes: Alter the necessary details.
Saving Edits: Confirm and save changes.
Confirming Changes: Confirm or revert the changes.
Cancellation Option: Cancel edits if needed.
Other Features
Viewing Administrator Roles: Right-click on a group to view its roles.
Context Menu: Offers various options for group management.
Number Dropdown: Adjusts the number of displayed records.
Common Functionalities: Includes options like Refresh and Column Visibility.
Permissions
Access depends on associated role permissions.
Check the Administrator Roles section for more information.
This structured approach enhances operational efficiency and security within TCPWave’s IPAM application.
Administrator Roles
Administrator Permissions
In TCPWave’s IPAM application, the interface for managing Administrator Permissions offers several key operations. These include adding permissions, editing privileges, and deleting permissions. Each of these functions is vital for controlling access rights and capabilities of administrators and admin groups within the system.
Adding Permissions
Adding permissions in TCPWave’s IPAM application is a structured process that allows administrators to define and assign specific access rights at both individual administrator and group levels. Here’s a detailed guide on how to add permissions effectively:
Navigation and Initial Setup
Accessing the Interface: Begin by navigating to Administration >> Security Management >> Administrator Permissions. This action opens the Administrator Permissions page.
Starting the Process: Click on the relevant icon to open the ‘Administrator Permissions >> New’ page, where you’ll assign permissions.
Assigning Permissions
- Level of Assignment: You can assign permissions at two levels:
Administrators: Individual admin users.
Administrator Groups: Groups comprising multiple administrators.
- Types of Privileges Available:
Read: Allows viewing and searching for records.
Write: Permits adding, modifying, deleting, viewing, and searching for records.
Deny: Blocks the ability to add, modify, delete, and view records. In case of permission conflicts, ‘Deny’ takes precedence over ‘Read’ or ‘Write’.
- Choosing Levels and Privileges:
Select whether to assign permissions to an individual Admin or an Admin Group.
The default view is for Admin level.
For Admin Level Permissions
- Admin-Level Permissions Setup:
Select the required admin from the dropdown.
Choose the appropriate Organization and Role from their respective dropdowns. The organization value is contingent on the selected admin.
The functions associated with the chosen role are displayed.
Select the specific Function for which you want to assign permissions.
The system will display all relevant values in a grid based on the selected function. You can select all values or specific ones as needed.
For assigning permissions to all functions, select ‘Yes’ to enable the ‘ALL’ option in the Function dropdown. Select ‘No’ to define permissions at the record level of a function.
- Confirming the Addition:
Click ‘OK’, and a validation message will appear asking for confirmation.
Click ‘YES’ to confirm. A message stating “Permission has been created successfully” will display.
For Admin Group Level Permissions
- Admin Group-Level Permissions Setup:
Similar steps are followed for admin groups, starting with selecting the required group from the dropdown.
The rest of the steps mirror those of the Admin level.
Understanding the Administrator Permissions Grid
Permission Level: Shows if it’s for Admin or Admin Groups.
Function: Indicates the name of the function assigned.
Value: Displays the value associated with the function.
Admin Group/Admin: Displays the name of the admin group or admin.
Organization: Shows the organization’s name related to the permission.
Privilege: Indicates the type of privilege (Read/Write/Deny) assigned.
Select All: A binary indicator (0 and 1) shows if all options were selected during permission assignment.
By following these steps, you can effectively add and manage permissions in the TCPWave IPAM application, ensuring that each admin or admin group has the appropriate level of access and control.
Editing Privileges
Selection for Editing: Choose an admin or an admin group from the Administrator Permissions grid. Upon selection, the Edit and Delete icons will be activated.
Accessing Privilege Editing: Click the ‘Edit’ icon. This action opens the ‘Change Privilege’ pop-up window.
Choosing Privilege: In the pop-up window, select the desired privilege from the dropdown menu.
Saving Changes: After selecting the new privilege, click ‘OK’. A validation message will then appear, asking you to confirm the update to the selected permission.
- Confirmation of Update:
To proceed with the update, click ‘YES’. A confirmation message, “Permission has been updated successfully,” will be displayed.
If you decide against making the change, select ‘No’ to cancel the process.
Deleting Permissions
Selecting Permission for Deletion: From the Administrator Permissions grid, select the record for the admin or admin group whose permissions you wish to remove. The Edit and Delete icons will be enabled.
Initiating Deletion: Click the ‘Delete’ icon. A validation message will appear, asking for confirmation to delete the selected permissions.
- Confirming Deletion:
Click ‘Yes’ to confirm. A message, “Permissions have been deleted successfully,” indicates that the permissions have been successfully removed.
If you do not wish to delete the permissions, do not confirm the validation message.
Additional Notes on CADM Permissions
Access Based on Object Management: CADMs with write access to certain objects or areas automatically receive related permissions. This includes creating DHCP scopes, DNS/DHCP appliances, and option templates.
Granular Permissions for Reports: CADMs with access to reports can view all reports, as granular permissions are not supported in this context.
Automatic Permissions Extension: Permissions extend to related areas automatically. For example, write access to a network includes write access to its underlying subnets and objects.
Bulk Operations: Permissions for bulk operations like import/export are automatically granted as needed for the operation’s success.
Permission Dynamics in Subnet Operations: Permissions may change in the event of subnet splits or merges, potentially leading to permission deletions.
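The privilege rules above (Read, Write and Deny, with Deny winning any conflict; a Function of ‘ALL’ versus record-level grants; admin-level and admin-group-level permissions; and the automatic extension of a network permission to its subnets and objects) can be checked against a small model. The following resolver is an added example, not TCPWave code: the resource hierarchy, group names and permission rows are constructed sample data, and the choice to let a Deny extend down the hierarchy in the same way as Read and Write is an assumption the page does not state.

```python
"""Illustrative model of the privilege resolution described on this page
(added example, not TCPWave code).  Rules encoded: permissions exist at Admin
and Admin Group level, Deny beats Read/Write, a Function of 'ALL' covers every
function and record, and a grant on a network extends to its subnets/objects.
Resource names, groups and the parent map are constructed sample data."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Privilege(IntEnum):
    # Ordered so that the highest value wins a conflict: Deny > Write > Read.
    READ = 1
    WRITE = 2
    DENY = 3


@dataclass(frozen=True)
class Permission:
    level: str          # "Admin" or "Admin Group" (the grid's Permission Level column)
    subject: str        # admin login name or admin group name
    function: str       # e.g. "Network", "Subnet", or "ALL"
    value: str          # a record name, or "ALL" when Select All was used
    privilege: Privilege


@dataclass
class Admin:
    login: str
    groups: list = field(default_factory=list)


# Constructed resource hierarchy: child -> parent.  A permission granted on a
# parent automatically extends to its children (page: "write access to a
# network includes write access to its underlying subnets and objects").
# Assumption: Deny extends the same way.
PARENT = {
    ("Subnet", "10.1.0.0/16"): ("Network", "10.0.0.0/8"),
    ("Object", "10.1.0.5"): ("Subnet", "10.1.0.0/16"),
}


def _lineage(function, value):
    """Yield the resource itself, then each ancestor up the hierarchy."""
    node = (function, value)
    while node is not None:
        yield node
        node = PARENT.get(node)


def _applies(p, admin, function, value):
    """Does permission row p apply to this admin and this record?"""
    if p.level == "Admin" and p.subject != admin.login:
        return False
    if p.level == "Admin Group" and p.subject not in admin.groups:
        return False
    if p.function == "ALL":
        return True                       # 'ALL' covers every function and record
    for fn, val in _lineage(function, value):
        if p.function == fn and p.value in ("ALL", val):
            return True
    return False


def effective_privilege(admin, function, value, permissions) -> Optional[Privilege]:
    """Resolve the privilege an admin ends up with on one record.

    Admin-level and group-level grants are pooled; if any of them is Deny the
    result is Deny, otherwise the strongest grant (Write over Read) wins.
    Returns None when nothing matches, i.e. no access has been granted."""
    matches = [p.privilege for p in permissions if _applies(p, admin, function, value)]
    return max(matches) if matches else None


# Constructed sample rows, mirroring the Administrator Permissions grid.
SAMPLE_PERMISSIONS = [
    Permission("Admin Group", "NetOps", "Network", "10.0.0.0/8", Privilege.WRITE),
    Permission("Admin", "alice", "Subnet", "10.1.0.0/16", Privilege.DENY),
    Permission("Admin Group", "Auditors", "ALL", "ALL", Privilege.READ),
]

if __name__ == "__main__":
    bob, alice, carol = Admin("bob", ["NetOps"]), Admin("alice", ["NetOps"]), Admin("carol", ["Auditors"])
    print(effective_privilege(bob, "Object", "10.1.0.5", SAMPLE_PERMISSIONS))      # WRITE, inherited from the network
    print(effective_privilege(alice, "Object", "10.1.0.5", SAMPLE_PERMISSIONS))    # DENY, admin-level Deny wins
    print(effective_privilege(carol, "Network", "10.0.0.0/8", SAMPLE_PERMISSIONS)) # READ via 'ALL'
```

The useful check for a reviewer is the second case: a group grant of Write on the network and an admin-level Deny on one subnet produce Deny for every object under that subnet, which is exactly the precedence the page states, and the reason a Deny row should be searched for before assuming a group grant explains someone's access.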
Common Functionalities
For more generalized operations within this interface, refer to the ‘Common Functionalities’ section. This includes options for Refresh, Column Visibility, Reset Preferences, and more, providing tools for efficient management of permissions and privileges in the system.
This comprehensive approach to permissions management in TCPWave’s IPAM application ensures a secure and efficient environment, where access rights are carefully controlled and appropriately assigned.
AD/LDAP Admins
The integration and management of Active Directory (AD) / Lightweight Directory Access Protocol (LDAP) administrators in TCPWave’s IPAM application is a comprehensive process that involves several key steps. Here’s a detailed breakdown for clarity:
Integration of AD/LDAP with TCPWave IPAM
Prerequisites for Integration:
Create groups in IPAM matching the names of those in LDAP servers (case sensitive).
Configure global policy options for auto-creating users in IPAM from LDAP.
Set up auto clean-up in IPAM for users no longer authorized in LDAP.
AD/LDAP and IPAM Authentication and Authorization:
Utilize global options to establish the AD/LDAP connection with IPAM. These options appear in read-only mode and cover various aspects like LDAP protocol, server, port, and user group details.
Global Options for Connection Setup:
Options include settings for LDAP protocol, server IP, port, security principal DN, user group DN, and other LDAP specific settings like user searchbase, object class, user filter, etc.
There are also options for mapping LDAP attributes to IPAM administrator attributes, including login name, first/middle/last names, email, phone, and more.
LDAP User Creation and Deletion Options:
Settings to control the automatic creation and deletion of LDAP users in IPAM based on their group membership and authorization status.
Additional Options:
Include settings for LDAP UID and GID attributes, LDAP schema, SSH filter, functional admin access, group-based authorization, and default user group, role, and organization settings in IPAM.
Adding AD/LDAP Administrators in IPAM
Reload Admins:
Click ‘Reload Admins’ to establish a connection to the AD/LDAP server and retrieve the list of LDAP users, which is then compared with existing users in IPAM.
Handling Non-IPAM Administrators:
The “AD/LDAP Administrators Not in IPAM” grid updates with administrators not defined in IPAM.
Adding AD/LDAP Administrator to IPAM:
Select a record from the grid and click the add icon.
Enter basic information like name, email, password, phone number, and upload an image. Mandatory fields include First Name, Last Name, Email, Login Name, and Passwords.
Select one or more administrator groups.
Set default administrator role and organization based on the selected role.
Finalizing the Addition:
Click ‘OK’ to get a validation message for confirmation.
Click ‘YES’ to complete the process. You are then navigated back to the updated AD/LDAP Admins page.
By following these steps, AD/LDAP administrators can be seamlessly integrated and managed within the TCPWave IPAM application, ensuring a streamlined process for authentication and authorization.
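The reconciliation that ‘Reload Admins’, the auto-create option and the auto clean-up option perform can be expressed as a small function. The following is an added example, not TCPWave code: the LDAP attribute names, the attribute map, the group and user records are all constructed, and the split between users that get auto-created and users that merely appear in the “not in IPAM” grid is a modelling assumption. What it does reproduce from the page is the exact, case-sensitive matching of LDAP group names to IPAM groups and the rule that only LDAP-sourced admins are cleaned up.

```python
"""Added illustration (not TCPWave code) of AD/LDAP-to-IPAM reconciliation:
LDAP users are matched to IPAM admin groups by exact, case-sensitive group
name; authorized users missing from IPAM are auto-created, unauthorized ones
are listed as "not in IPAM", and LDAP-sourced admins no longer authorized are
cleaned up.  Attribute names, the map and all records are constructed."""
from dataclasses import dataclass, field


# Constructed mapping of LDAP attributes to IPAM administrator attributes
# (the page lists login name, first/middle/last names, email and phone).
ATTRIBUTE_MAP = {
    "sAMAccountName": "login_name",
    "givenName": "first_name",
    "sn": "last_name",
    "mail": "email",
    "telephoneNumber": "phone",
}


@dataclass
class LdapUser:
    attributes: dict                               # raw LDAP attributes
    groups: list = field(default_factory=list)     # CN values of the user's groups


@dataclass
class IpamAdmin:
    login_name: str
    groups: list
    source: str = "LDAP"        # "LDAP" for auto-created admins, "LOCAL" for native ones


def map_attributes(user: LdapUser) -> dict:
    """Translate LDAP attributes to IPAM admin fields; unmapped attributes are dropped."""
    return {ipam: user.attributes[ldap] for ldap, ipam in ATTRIBUTE_MAP.items() if ldap in user.attributes}


def authorized_groups(user: LdapUser, ipam_groups: set) -> list:
    """Groups that grant IPAM access: exact, case-sensitive match with an IPAM group name."""
    return [g for g in user.groups if g in ipam_groups]


def reconcile(ldap_users, ipam_admins, ipam_groups, auto_create=True, auto_cleanup=True):
    """Return (to_create, not_in_ipam, to_delete) for one 'Reload Admins' pass.

    to_create:   mapped IPAM records for authorized LDAP users missing from IPAM
                 (only when the auto-create global option is on).
    not_in_ipam: LDAP logins missing from IPAM that were not auto-created, i.e.
                 what would populate the "AD/LDAP Administrators Not in IPAM" grid.
    to_delete:   LDAP-sourced IPAM admins no longer authorized in LDAP (only when
                 auto clean-up is on).  Locally created admins are never touched."""
    existing = {a.login_name: a for a in ipam_admins}
    ldap_by_login = {}
    for u in ldap_users:
        login = u.attributes.get("sAMAccountName")
        if login:
            ldap_by_login[login] = u

    to_create, not_in_ipam = [], []
    for login, user in ldap_by_login.items():
        if login in existing:
            continue
        groups = authorized_groups(user, ipam_groups)
        if groups and auto_create:
            record = map_attributes(user)
            record["groups"] = groups
            to_create.append(record)
        else:
            not_in_ipam.append(login)

    to_delete = []
    if auto_cleanup:
        for login, admin in existing.items():
            if admin.source != "LDAP":
                continue
            user = ldap_by_login.get(login)
            if user is None or not authorized_groups(user, ipam_groups):
                to_delete.append(login)
    return to_create, not_in_ipam, to_delete


# Constructed sample data.
IPAM_GROUPS = {"NADM", "NetOps"}
LDAP_USERS = [
    LdapUser({"sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe", "mail": "jdoe@example.test"}, ["NetOps"]),
    LdapUser({"sAMAccountName": "rroe", "givenName": "Rob", "sn": "Roe"}, ["netops"]),   # case mismatch: not authorized
    LdapUser({"sAMAccountName": "msmith", "givenName": "Mia", "sn": "Smith"}, ["Finance"]),
]
IPAM_ADMINS = [
    IpamAdmin("msmith", ["NADM"], source="LDAP"),   # once authorized, no longer in a matching group
    IpamAdmin("root", ["FADM"], source="LOCAL"),
]

if __name__ == "__main__":
    created, missing, removed = reconcile(LDAP_USERS, IPAM_ADMINS, IPAM_GROUPS)
    print(created, missing, removed)
```

The ‘rroe’ record is the case worth noticing: a group named ‘netops’ in the directory does not match the IPAM group ‘NetOps’, so the user is neither created nor authorized. When an expected administrator fails to appear after ‘Reload Admins’, the group name spelling and case on both sides is the first thing to compare.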
Appliance Certificate
In an IP Address Management (IPAM) server, SSL certificates play a crucial role in securing communications. These certificates, using HTTPS protocol, encrypt data exchanged between the server and clients. They’re stored in a secure keystore, accessible only with a password. The IPAM system accommodates both default SSL certificates and custom ones signed by a trusted Certificate Authority (CA).
Operations on Appliance Certificates
Import: Adding new SSL certificates to the keystore.
Delete: Removing existing certificates from the keystore.
Change Storage Password: Updating the password that secures the keystore.
Importing a Certificate
To import a custom SSL certificate:
Access Certificates Page: Navigate through Administration > Security Management > Appliance Certificates.
Initiate Import: Click the import button to launch the Import Certificate dialog.
Uploading Files: Select and upload the certificate file and, if needed, the private key file. For server or client certificates, the private key is crucial.
Enter Passwords: If the private key is secured with a password, provide it along with the keystore’s password.
Trust CA Checkbox: When importing root or intermediate certificates, select the Trust CA checkbox to mark them as trusted within the system. Caution: Only check this for root certificates.
Finalize Import: Click OK. The system will then validate and securely store the certificate.
Note: Private keys and their passwords are only required for communication and encryption certificates, not for root or intermediate certificates.
Deleting a Certificate
To remove an SSL certificate:
Select Certificate: Choose the desired certificate from the list.
Request Deletion: Click the delete icon, which prompts for confirmation.
Confirm Deletion: Enter the keystore password and confirm by clicking OK. The certificate will be removed from the keystore.
Changing the Storage Password
Periodically changing the keystore password is a recommended security measure:
Select Record: Choose any certificate to enable the password change option.
Access Password Change: Click the change password icon. A dialog box will prompt for password inputs.
Update Password: Input the current password, followed by the new password (entered twice for confirmation).
Apply Changes: Click OK to update. A confirmation message will verify the successful password change.
Best Practices and Notes
Certificate Renewal: Regularly monitor and renew certificates to avoid expiry and maintain secure communications.
Private Key Security: Handle private keys with utmost security. Keep them password-protected and safeguard the password.
Keystore Backup: Frequently back up the keystore to avert data loss from system failures.
CA Trust: Import certificates exclusively from reputable and trusted CAs.
Password Complexity: Employ complex and robust passwords for the keystore to bolster security.
By attentively managing SSL certificates, the security and integrity of communication and data within your IPAM server are significantly enhanced.
Authentication Configuration
The IPAM system is designed to enable different authentication modules such as Database Authentication, customized PAM authentication, LDAP authentication, RADIUS, and TACACS+ authentication in a pluggable way.
The IPAM (IP Address Management) Authentication module is designed to provide a secure and adaptable way for user authentication within the IPAM system. It supports various widely-used centralized authentication mechanisms, enhancing security and user management.
Supported Authentication Mechanisms
Microsoft Active Directory Kerberos Authentication: Utilizes Kerberos protocol for authenticating users in environments using Microsoft Active Directory.
LDAP (Lightweight Directory Access Protocol): A protocol enabling users to access and maintain distributed directory information services over a network.
RADIUS (Remote Authentication Dial-In User Service): A networking protocol providing centralized Authentication, Authorization, and Accounting (AAA) management for users accessing a network.
TACACS+ (Terminal Access Controller Access-Control System Plus): An advanced version of TACACS, providing more flexible Authentication, Authorization, and Accounting services in network environments.
Additionally, IPAM supports UNIX-based PAM (Pluggable Authentication Modules) authentication and database-based authentication for versatile user validation.
IPAM Session Timeout Management
IPAM session timeout is an important security feature that logs out users after a period of inactivity. To manage session timeouts:
Navigation: Go to Administration >> Security Management >> Authentication Configuration >> Authentication Rules.
Modification: Use the ‘Modify’ button to adjust session timeout settings.
- Settings:
Idle Session Timeout: The duration (in seconds) after which an idle session times out.
Idle Session Timeout Warning: The lead time (in seconds) before the idle session times out at which a warning is issued to the user.
Understanding TACACS
TACACS is a protocol primarily used in UNIX networks for remote authentication. It communicates with an authentication server (or appliance) to validate users attempting to access a router or a network access point. Key aspects include:
Functionality: TACACS services are managed by a TACACS daemon, usually on a UNIX system, enabling centralized control over multiple network access points.
Process: It allows network appliances to interact with the authentication server to verify user access. Based on the response from the TACACS server, access is either granted or denied.
RFC and Ports: Defined in RFC 1492, TACACS typically uses TCP or UDP port 49.
Flexibility: The decision-making process for authentication is versatile, allowing the use of various algorithms and data.
Modularity: TACACS provides distinct and modular Authentication, Authorization, and Accounting services. Each can be connected to its own database for enhanced service integration.
Through these mechanisms, the IPAM Authentication module ensures robust security and efficient management of user access, adapting to various network environments and requirements.
Implementing TACACS+ Authentication in TCPWave IPAM
To integrate TACACS+ (Terminal Access Controller Access-Control System Plus) authentication in TCPWave’s IPAM system, follow these detailed steps:
Accessing Authentication Configuration
Navigating to Configuration Page: Start by going to Administration >> Security Management >> Authentication Configuration. This will lead you to the Authentication Configuration page, where various authentication types are listed.
Enabling TACACS+
Selecting TACACS+: From the list of available authentication types, select ‘TACACSP’.
Initiating the Switch to TACACS+: Click on the provided icon to begin the process of switching to TACACS+ based authentication. A validation message will appear asking for confirmation: “Are you sure to switch to TACACS+ based authentication?”
Confirming the Change: Click ‘YES’ to proceed with enabling TACACS+ authentication.
TACACS+ Operations in IPAM
User Login: When a user successfully logs in using TACACS+ authentication, TCPWave IPAM sends an accounting start packet to the TACACS+ accounting appliance. This packet includes information similar to what is sent to the Audit Log for user events or commands.
User Logout: The system sends an accounting STOP packet when a user logs out, whether from the GUI (Graphical User Interface) or CLI (Command Line Interface), or when a session times out.
Handling System Restarts and Failures: In cases of product restarts or software failures, IPAM will discard any outstanding accounting packets.
By following these steps, TACACS+ can be effectively integrated as the authentication mechanism in TCPWave’s IPAM system, enhancing network security and centralizing user access control.
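The accounting START and STOP records described above have a defined wire format. The following is an added example, not TCPWave’s implementation: it encodes an accounting REQUEST as specified in RFC 8907 (12-byte header, MD5-chained body obfuscation with the shared secret, and the accounting body with its flags, user, port, remote address and attribute-value arguments) and pairs it with a minimal outstanding-record queue that is discarded on restart. The shared secret, session id, user, address and argument values are constructed, and nothing is sent over the network.

```python
"""Added example (not TCPWave's implementation): TACACS+ accounting START/STOP
records encoded per RFC 8907, plus an outstanding-record queue that a product
restart discards.  Secret, session id, user and arguments are constructed."""
import hashlib
import os
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_ACCT = 0x03               # packet type: accounting
TAC_PLUS_ACCT_FLAG_START = 0x02
TAC_PLUS_ACCT_FLAG_STOP = 0x04
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: chained MD5 over (session_id, key, version, seq_no), XORed with the body."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(seed + last, usedforsecurity=False).digest()
        pad += last
    return pad[:length]


def acct_body(flags: int, user: str, port: str, rem_addr: str, args: list) -> bytes:
    """Accounting REQUEST body (RFC 8907 section 7.1): fixed fields, arg length table, then strings."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [arg.encode() for arg in args]
    body = struct.pack("!BBBBBBBBB", flags, TAC_PLUS_AUTHEN_METH_TACACSPLUS, 1,  # priv_lvl 1
                       TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(u), len(p), len(r), len(a))
    body += bytes(len(x) for x in a)
    return body + u + p + r + b"".join(a)


def acct_packet(session_id: int, seq_no: int, key: bytes, body: bytes) -> bytes:
    """Prepend the header and obfuscate the body with the shared secret."""
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_ACCT, seq_no, 0, session_id, len(body))
    pad = pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))


def decode_packet(packet: bytes, key: bytes):
    """Inverse of acct_packet: (header fields, cleartext body).  XOR with the same pad undoes obfuscation."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    body = bytes(b ^ p for b, p in zip(packet[HEADER.size:], pad))
    return (version, ptype, seq_no, flags, session_id, length), body


class AccountingQueue:
    """Accounting records awaiting acknowledgement by the TACACS+ accounting appliance.

    Login enqueues a START record; logout or session timeout enqueues a STOP
    record; a product restart discards whatever is still outstanding."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = []

    def _record(self, flag, session_id, user, client_ip, task_id, channel):
        # channel ("gui" or "cli") goes in the port field; task_id ties START and STOP together.
        body = acct_body(flag, user, channel, client_ip, [f"task_id={task_id}", "service=shell"])
        self.pending.append(acct_packet(session_id, 1, self.key, body))

    def login(self, session_id, user, client_ip, task_id, channel="gui"):
        self._record(TAC_PLUS_ACCT_FLAG_START, session_id, user, client_ip, task_id, channel)

    def logout(self, session_id, user, client_ip, task_id, channel="gui"):
        self._record(TAC_PLUS_ACCT_FLAG_STOP, session_id, user, client_ip, task_id, channel)

    def restart(self) -> int:
        """Discard outstanding records, returning how many were dropped."""
        dropped = len(self.pending)
        self.pending.clear()
        return dropped


if __name__ == "__main__":
    q = AccountingQueue(b"constructed-secret")
    sid = int.from_bytes(os.urandom(4), "big")   # session id: random 32-bit value
    q.login(sid, "alice", "192.0.2.10", task_id=7)
    q.logout(sid, "alice", "192.0.2.10", task_id=7)
    hdr, body = decode_packet(q.pending[1], b"constructed-secret")
    print(hdr, body[0] == TAC_PLUS_ACCT_FLAG_STOP, "dropped on restart:", q.restart())
```

Two details matter operationally. The body is only obfuscated with an MD5 pad derived from the shared secret, not encrypted, so the TACACS+ secret and the path to the accounting appliance deserve the same protection as any credential. And because outstanding records are dropped on restart, gaps in accounting around a product restart are expected and should be reconciled against the IPAM Audit Log rather than read as missing logins.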
RADIUS
RADIUS is a distributed client/Appliance system that secures networks against unauthorized access. RADIUS clients run on supported Cisco devices and send authentication requests to a central RADIUS Appliance, which contains all user authentication and network service access information.
Configuring AAA Authentication in TCPWave IPAM
The process of configuring AAA (Authentication, Authorization, and Accounting) authentication involves creating and applying named lists of authentication methods to various interfaces in the IPAM system. Here’s a more detailed guide:
- Defining a Named Authentication Method List:
You create a list specifying the types and sequence of authentication methods to be used.
This list needs to be associated with specific interfaces to become active.
- Applying the Authentication Method List:
The defined method list must be applied to an interface for the authentication to take effect.
The only automatic application occurs with the default method list, aptly named “default.” This is automatically applied to all interfaces unless a specifically named method list is assigned to an interface.
Enabling RADIUS Authentication in TCPWave IPAM
To switch to RADIUS-based authentication in the TCPWave IPAM application:
Accessing Authentication Configuration: Go to Administration >> Security Management >> Authentication Configuration. This opens the page showing various authentication types.
Selecting RADIUS Authentication: From the list of authentication types, select ‘RADIUS’.
- Initiating RADIUS Authentication:
Click the relevant button to enable RADIUS authentication.
A validation message will appear, asking if you are sure you want to switch to RADIUS-based authentication.
Confirming the Switch: Click ‘YES’ to confirm. This action activates RADIUS as the authentication method for your IPAM server.
By completing these steps, you effectively enable RADIUS authentication in the TCPWave IPAM, ensuring a secure and efficient authentication process.
Integrating SAML with TCPWave IPAM
The Security Assertion Markup Language (SAML) integration in TCPWave IPAM provides a secure method for exchanging authentication and authorization data. SAML operates with three main roles: Principal, Identity Provider (IDP), and Service Provider (SP). Typically, a Principal requests a service from the SP, which then gets authentication from the IDP. The SP, based on the IDP’s assertion, grants access and provides the service.
TCPWave IPAM, acting as a Service Provider, supports integration with various third-party Identity Providers and accommodates both SP-initiated and ID
IDRAC SSL Management
For enhanced security in a TCPWave environment, administrators can effectively manage iDRAC (Integrated Dell Remote Access Controller) SSL certificates. This ensures secure communication between users and iDRAC hosts. The following are the key operations and steps to manage iDRAC SSL certificates:
Operations on iDRAC SSL Certificates
Uploading SSL Certificate: Adding new SSL certificates to iDRAC.
Downloading SSL Certificate: Retrieving existing SSL certificates from iDRAC.
Deleting SSL Certificate: Removing SSL certificates from iDRAC.
Uploading SSL Certificate to iDRAC
- Access iDRAC SSL Management:
Navigate to Administration > Security Management > iDRAC SSL Management.
Ensure you’re in the iDRAC SSL Management section.
iDRAC Appliance Identification: iDRAC appliances will be listed on the page. To add a new one, input the iDRAC IP in the appliance details within TCPWave IPAM, under IPAM/DNS/DHCP Management in the PAM settings.
- Initiate Certificate Upload:
Select the intended iDRAC appliance.
Click the upload icon to start uploading the SSL certificate.
- Provide Certificate Details:
In the pop-up window, select between SSL Certificate or Custom SSL Signing Certificate.
Upload the Keyfile and Certificate File. For a Custom SSL Signing Certificate, a passphrase might also be required.
- Complete the Upload Process:
Confirm the upload and application of the SSL Server Certificate.
The appliance may require a reset to fully apply the new settings.
Downloading SSL Certificate from iDRAC
- Select the iDRAC Appliance:
From the iDRAC SSL Management page, choose the appliance whose certificate you need to download.
The download icon will activate.
Download the Certificate: Click the download icon. The SSL Server certificate for the chosen iDRAC appliance will be downloaded to your local system.
Deleting SSL Certificate from iDRAC
Choose the Appropriate Appliance: Select the iDRAC appliance from which you wish to delete the SSL certificate.
Delete the Certificate: Click the delete icon to remove the Custom SSL Signing certificate from the selected iDRAC appliance.
Important Notes and Best Practices
Permissions: Make sure you have the necessary role-based permissions in TCPWave IPAM to perform these actions.
Certificate Verification: Always double-check certificate details before uploading to avoid security risks.
Post-Upload Actions: Restarting services or the iDRAC appliance may be necessary after uploading new certificates.
Backups: Maintain backups of all SSL certificates and keys in a secure location before making changes.
By adhering to these guidelines, administrators can ensure the security and proper management of SSL communications between iDRAC hosts and clients within their network infrastructure.
Identity Administration
TCPWave Identity Administration provides an advanced framework for effective user identity management. It emphasizes the importance of Segregation of Duties (SoD) to minimize risks in DNS/DHCP service management. Unlike traditional models where admins are mapped directly to organizations or roles, TCPWave maps admins to one or more admin groups. This enhances security and operational efficiency. Here’s an in-depth look at the functionalities within the Identity Administration module.
Key Functionalities in Identity Administration
Adding Administrators: Create new admin profiles, defining their access levels and association with admin groups, not directly to specific roles or organizations. This ensures a flexible and secure approach to admin management.
Cloning Administrators: Duplicate existing admin profiles to create new ones. This feature is particularly useful for quickly setting up admins with similar access requirements or roles, ensuring consistency in admin rights and permissions.
Editing Administrator Details: Modify existing admin profiles. This function allows for updates or changes in admin details, group associations, or access levels, maintaining up-to-date and relevant admin information.
Unlocking or Changing Passwords: Provide password management for admins. This includes both unlocking accounts and changing passwords, essential for maintaining secure access to the system.
Bookmarking Profiles: Allows for quick access to frequently used admin profiles. This feature enhances the user experience by enabling easy retrieval of commonly accessed administrator information.
Importing Administrator Data: Bulk upload or update admin profiles. This is useful for large-scale deployments or updates, where manual entry of each admin profile would be time-consuming.
Importance of Segregation of Duties (SoD)
Minimizing Risks: SoD in TCPWave Identity Administration ensures that no single individual has complete control over critical functions, thereby reducing the risk of errors or fraud.
Enhanced Security: By mapping admins to groups rather than direct roles or organizations, there is an added layer of security and oversight, which is crucial in sensitive network infrastructures like DNS/DHCP management.
Best Practices for Administrators in TCPWave
Regular Profile Reviews: Periodically review admin profiles to ensure they reflect current roles and access needs.
Secure Password Policies: Enforce strong password policies and regular password changes to safeguard against unauthorized access.
Audit and Monitor: Regularly audit admin actions and monitor for any irregular activities, ensuring adherence to set protocols and policies.
TCPWave’s approach to Identity Administration, with its emphasis on Segregation of Duties and group-based admin mapping, offers a secure and efficient way to manage user identities within your network infrastructure. This ensures that DNS/DHCP services are managed effectively, minimizing risks and enhancing overall security.
Adding an Administrator in TCPWave IPAM
To add a custom administrator in TCPWave’s IPAM system, follow these structured steps to ensure that each administrator is correctly set up with the necessary details, roles, and group associations. This process plays a crucial role in defining the scope of access and permissions for each administrator.
Steps to Add a Custom Administrator
Accessing the Identity Administration Interface: Navigate to Administration >> Security Management >> Identity Administration. This opens the Identity Administration page.
Initiating Administrator Creation: Click the button to start creating a new administrator. You will be directed to the ‘Administrator >> New’ page.
Filling Out the Administrator Form: Enter the basic information of the administrator:
First Name
Middle Name (optional)
Last Name
Email
Login Name
Initial Password
Re-Enter Password
Phone Number
Upload Image (optional)
Note: Fields like First Name, Last Name, Email, Login Name, and Passwords are mandatory.
Setting Administrator Groups:
- View the list of available administrator groups.
- Choose one or more groups to associate with the administrator.
- Confirm your selections, which will then appear under ‘Associated Administrator Groups’.
Assigning Roles and Organizations:
- Default Administrator Role: Select a default role associated with the chosen admin group.
- Default Organization: The system automatically populates this based on the selected role.
Reviewing Permissions: Under the ‘Permissions’ tab, review the permissions assigned to the admin groups and the individual admin.
Handling Extensions: The ‘Extensions’ tab allows you to view and manage extensions assigned to the admin.
Completing the Addition:
- Click ‘OK’ to proceed. A validation message will ask for confirmation to add the admin.
- Click ‘YES’ to finalize the addition. You’ll receive a confirmation message: “Admin has been created successfully.”
Verification in Identity Administrator Grid: The newly added admin will be listed in the Identity Administrator grid,
Message Certificates
TCPWave’s Secure Message Tunnel (SMT) utilizes SSL certificates to secure communications between the IPAM server and remote systems. Managing these certificates is crucial for maintaining encrypted and secure message exchanges in your network. Here’s an overview of how to handle these certificates effectively:
Key Operations for Message Certificates
Import: Add a new SSL certificate to the SMT.
Delete: Remove existing certificates.
Create Self-Signed Certificate: Generate a certificate within the system.
Sync Certificate Truststore: Ensure uniform certificate trust across the network.
Change Storage Password: Update the password for added security.
Download Truststore: Retrieve the truststore file for troubleshooting or manual updates.
Refresh: Update the view with the latest certificate information.
Importing a Message Certificate
Access Certificates Page: Go to Administration > Security Management > Message Certificates.
Initiate Import: Click the import button to start the process.
Certificate Details:
- For a JKS type Keystore, upload the Keystore file and enter its password.
- For individual certificate and private key files, uncheck the “KeyStorage” option, upload the files, and enter the private key password.
Trust CA Checkbox: If importing a root certificate, select ‘Trust CA’.
Finalizing Import: Confirm the import. A service restart of IPAM may be needed for the changes to take effect.
Deleting a Message Certificate
Select Certificate: Choose the certificate you want to delete from the Message Certificates page.
Initiate Deletion: Click the delete icon and confirm by entering the Certificate Storage password.
Confirm Deletion: The certificate will be removed from both the IPAM and remote truststores.
Creating a Self-Signed Certificate
Generate Certificate: Click on the option to create a self-signed certificate and provide the necessary details.
Apply Changes: Confirm to automatically update the truststores with the new certificate.
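The import dialog described above accepts either a keystore file with its storage password or a separate certificate and private key with the key's password, and ‘Trust CA’ should be selected only for a genuine CA certificate. The following is an added example, not TCPWave's own code: it prepares both kinds of artifact by driving the openssl command line from Python, and checks the certificate's basicConstraints CA flag before deciding whether ‘Trust CA’ applies. The common name, file names and passwords are constructed for the example, and the openssl binary is assumed to be on the PATH.

```python
import os
import subprocess
import tempfile

# Constructed values for the example; an operator would substitute their own.
WORK = tempfile.mkdtemp(prefix="smt-cert-")
KEY_PASS = "example-key-password"      # the private key password the import dialog asks for
STORE_PASS = "example-store-password"  # the keystore password the import dialog asks for

# Minimal openssl request config. The [ca_ext] section is what makes the
# certificate a CA (basicConstraints CA:TRUE), i.e. a root that belongs in a
# truststore and for which 'Trust CA' is appropriate.
REQ_CONFIG = """\
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = ipam.example.test
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
"""


def _openssl(*args, check=True):
    """Run one openssl subcommand and return the CompletedProcess."""
    return subprocess.run(["openssl", *args], capture_output=True, text=True, check=check)


def make_self_signed():
    """Create a self-signed CA certificate and a password-protected private key (both PEM)."""
    cfg = os.path.join(WORK, "req.cnf")
    with open(cfg, "w") as fh:
        fh.write(REQ_CONFIG)
    crt = os.path.join(WORK, "smt.crt")
    key = os.path.join(WORK, "smt.key")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-sha256", "-days", "365",
             "-config", cfg, "-keyout", key, "-out", crt, "-passout", f"pass:{KEY_PASS}")
    return crt, key


def is_ca_cert(pem_path):
    """True if the certificate carries basicConstraints CA:TRUE; only then select 'Trust CA'."""
    text = _openssl("x509", "-in", pem_path, "-noout", "-text").stdout
    return "CA:TRUE" in text


def make_keystore(crt, key):
    """Bundle certificate and key into a PKCS#12 keystore protected by STORE_PASS."""
    p12 = os.path.join(WORK, "smt.p12")
    _openssl("pkcs12", "-export", "-in", crt, "-inkey", key, "-name", "smt",
             "-passin", f"pass:{KEY_PASS}", "-passout", f"pass:{STORE_PASS}", "-out", p12)
    return p12


def keystore_opens(p12, password):
    """True if the keystore's integrity MAC verifies with the given storage password."""
    result = _openssl("pkcs12", "-in", p12, "-passin", f"pass:{password}",
                      "-noout", "-info", check=False)
    return result.returncode == 0


if __name__ == "__main__":
    crt, key = make_self_signed()
    print("certificate is a CA:", is_ca_cert(crt))
    p12 = make_keystore(crt, key)
    print("keystore opens with store password:", keystore_opens(p12, STORE_PASS))
    print("keystore opens with wrong password:", keystore_opens(p12, "wrong-password"))
```

The keystore produced here is PKCS#12 rather than JKS; where a JKS file is required, the Java keytool can convert it (keytool -importkeystore with -srcstoretype PKCS12). The keystore_opens check is the same MAC verification the import performs when it is given the storage password, so a wrong password fails here before anything is uploaded.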
Syncing the Certificate Truststore
Initiate Sync: Click to start the synchronization process.
Confirm Sync: This updates the truststore across all remote systems.
Changing the Storage Password
Access Change Option: From the Message Certificates page, initiate the password change.
Update Password: Enter the old and new passwords and confirm the update.
Downloading the Truststore
Initiate Download: Select the download truststore option.
Retrieve File: Use the provided link to download and manually apply the truststore file if needed.
By following these procedures, administrators can ensure robust management of SMT certificates, thereby bolstering the security and efficiency of network communication in the TCPWave IPAM environment.
Root Access Management
TCPWave DDI’s Root Access Management is a vital feature for administrators, offering secure control over root access. It facilitates managing, revoking, and rotating root passwords, crucial for SSH access to TCPWave Remote, Primary, and Secondary appliances, especially in disaster recovery scenarios. This guide outlines the methods and steps involved in this process.
Types of Root Access Management
Native: Disables root authentication on all active TCPWave Remote appliances, as well as Primary and Secondary IPAM appliances, unless the global option for Native Authentication is set to ‘Yes’. In that case, root access is enabled. TACACS+ authentication remains effective if previously configured.
CyberArk: Enables root authentication across all TCPWave appliances. Root passwords are periodically rotated by the CyberArk server. For root access, administrators must request the password from the CyberArk server admin.
Hashicorp: Enables root authentication managed by the Hashicorp vault server using One-Time Passwords (OTPs). In this setup, TACACS+ authentication is not compatible.
How to Update Root Access Preferences
Accessing the Feature: Navigate to Administration >> Security Management >> Root Access Management. The feature is accessible only to FADM and UADM administrators.
Selecting the Vault Type: Choose between ‘Native’, ‘CyberArk’, or ‘Hashicorp’ as per the requirement.
Configuring the Settings: For CyberArk and Hashicorp, ensure the necessary configurations are in place, like server host, SSL certificates, and any required IP addresses or hostnames.
Submitting Changes:
- Click ‘Ok’ to initiate the update. A validation message will appear for confirmation.
- Click ‘YES’ to proceed. A confirmation message will indicate that the configuration update has started on all relevant TCPWave appliances.
Additional Configuration Notes
For CyberArk and Hashicorp: The configuration files (sshd_config and pam.d/sshd) on the appliances are updated to reflect the chosen authentication method.
For Hashicorp:
- If SSL connection to the Hashicorp vault server is enabled, a server certificate must be uploaded.
- The vault configuration file is located at /opt/tcpwave/etc/config.hcl.
- After Hashicorp authentication is set, OTPs generated by the vault server are used for root access. These OTPs are deleted from the secrets engine after successful use.
Permissions and Access
This section is enabled or disabled based on the role assigned to you. For more details, check the Administrator Roles section.
By managing root access effectively through these methods, TCPWave DDI administrators can ensure secure and controlled root-level operations across their network infrastructure, aligning with best practices for system security and disaster recovery protocols.
Session Token Management
TCPWave IPAM’s Session Token Management enhances the security of REST API interactions through a dual-validation approach, combining session tokens with IP address whitelisting. This system ensures that API requests are not only authenticated but also originate from pre-approved network locations. Here’s an in-depth look at managing session tokens within TCPWave IPAM:
Operations in Session Token Management
Add: Create new session tokens for API access.
Deactivate: Disable active session tokens to revoke access.
Adding a Session Token
Navigate to Token Management: Access the Session Token Management section within the Security Management of the TCPWave IPAM administration panel.
Initiating Token Generation: Click on the add button to bring up the Generate Session Token dialog.
Providing Token Details: Enter the Application name, Description, and the IP Address from which API requests are allowed. This IP whitelisting enhances security by ensuring that even if a token is compromised, only requests from specific IPs are accepted.
Generating the Token: Upon clicking OK, the system generates the token and confirms its creation. The new token is then listed in the Session Token Management grid, ready for API use.
Deactivating a Session Token
Selecting the Token for Deactivation: In the Session Token Management grid, choose the token you intend to deactivate.
Deactivating the Token: Click the deactivate button to start the process.
Confirming Deactivation: The system will request confirmation. Upon agreement, the token is deactivated, rendering it unusable for future API requests.
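The add and deactivate procedures above, together with the token-plus-IP check described under Providing Token Details, can be followed in code. The following is an added Python example and not TCPWave's implementation: a small in-memory store that mirrors the grid (application, description, allowed IPs), keeps only a hash of each token at rest, and applies the dual validation, so a token presented from an address outside its whitelist is rejected even though the token itself is valid, and a deactivated token is rejected everywhere. The application names, descriptions and addresses are constructed.

```python
import hashlib
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass
class SessionToken:
    """One row of the Session Token Management grid (constructed model)."""
    token_id: int
    application: str
    description: str
    allowed: list        # ipaddress network objects the token may be used from
    token_hash: str      # SHA-256 of the token; the plaintext is shown only once, at creation
    active: bool = True


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    def __init__(self):
        self._by_hash = {}
        self._next_id = 1

    def add(self, application, description, ip_addresses):
        """'Add': generate a token bound to the given IPs; returns (grid id, plaintext token)."""
        token = secrets.token_urlsafe(32)
        # Single addresses and CIDR ranges are both accepted as whitelist entries.
        nets = [ipaddress.ip_network(ip, strict=False) for ip in ip_addresses]
        rec = SessionToken(self._next_id, application, description, nets, _hash(token))
        self._next_id += 1
        self._by_hash[rec.token_hash] = rec
        return rec.token_id, token

    def deactivate(self, token_id):
        """'Deactivate': revoke by grid id; returns True only if a live token was revoked."""
        for rec in self._by_hash.values():
            if rec.token_id == token_id and rec.active:
                rec.active = False
                return True
        return False

    def validate(self, token, source_ip):
        """Dual validation: the token must be known and active, AND the request
        must originate from one of the token's whitelisted addresses."""
        rec = self._by_hash.get(_hash(token))
        if rec is None:
            return False, "unknown token"
        if not rec.active:
            return False, "token deactivated"
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in rec.allowed):
            return False, f"source {source_ip} not whitelisted for {rec.application}"
        return True, rec.application


if __name__ == "__main__":
    store = TokenStore()
    tid, tok = store.add("inventory-sync", "nightly export job", ["10.0.0.5", "192.168.1.0/24"])
    print(store.validate(tok, "10.0.0.5"))      # accepted: right token, whitelisted source
    print(store.validate(tok, "203.0.113.9"))   # rejected: right token, wrong source
    store.deactivate(tid)
    print(store.validate(tok, "10.0.0.5"))      # rejected: token deactivated
```

Storing the hash rather than the token means a copy of the grid's backing data does not hand out usable credentials; the lookup by hash also avoids comparing secrets byte by byte in application code.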
Utilizing the Context Menu
The context menu in the grid offers quick actions like copying a token to the clipboard for ease of use and deactivating tokens as needed.
The Importance of Session Token Management
Enhanced API Security: By requiring session tokens for API authentication, TCPWave IPAM ensures that API interactions are secure.
Controlled Access: Limiting API access to specific IP addresses adds a layer of security, protecting against unauthorized use.
Efficient Management: The system allows for straightforward creation and revocation of tokens, providing flexibility and control in API access management.
Role-Based Permissions: Access to this section is governed by the permissions associated with user roles. For more information about your role and permissions, refer to the Administrator Roles section.
Session Token Management is a key aspect of TCPWave IPAM’s security infrastructure, ensuring API interactions are both secure and efficiently managed. By implementing this dual-validation method, TCPWave provides administrators the necessary tools to effectively oversee and safeguard their network management operations.
User Certificates
TCPWave DDI’s User Certificates feature is a critical security mechanism for integrating third-party software with the TCPWave IPAM system. These certificates enable external applications to interact with IPAM securely, under the privileges of an associated IPAM user. Particularly useful in automation and routine task execution within IPAM, user certificates provide a robust layer of authentication and authorization. Here’s a detailed guide on how to manage these certificates:
Importing User Certificates
Accessing User Certificates: Navigate to Security Management > User Certificates in the TCPWave DDI administration panel.
Initiating Import: Click the import button to open the Import Certificate window.
Providing Certificate Details:
- Certificate File: Select and upload the certificate file (formats like .pem, .crt, etc.) representing the third-party application.
- Associated Admin: Choose an IPAM user to associate with this certificate. This determines the access level of the third-party application when using the certificate.
Finalizing Import: Click ‘OK’ to import the certificate. Once validated, it’s listed in the User Certificates grid and is ready for use.
Deleting User Certificates
Selecting the Certificate: Choose the certificate to be deleted from the User Certificates grid.
Initiating Deletion: Click the delete icon. A confirmation prompt will appear.
Confirming Deletion: Upon confirmation, the certificate is removed from the system and the grid, thereby revoking any associated third-party application’s access.
The Importance of User Certificates in TCPWave DDI
Secure External Application Integration: User certificates allow external applications to securely access IPAM functionalities, adhering to the associated user’s access controls and permissions.
Authentication and Authorization: They provide a method for authenticating and authorizing third-party software, ensuring actions taken by these applications are within the permissions of the linked IPAM user.
Trust and Security: The certificates must be signed by a trusted root, which is part of the IPAM Appliance Certificates repository, adding an extra layer of trust and security in communications.
By leveraging User Certificates, TCPWave DDI enables a secure and controlled way of extending IPAM functionalities to external applications. This system ensures that all interactions are authenticated and authorized, in line with the privileges of the associated IPAM user, thus maintaining the integrity and security of the network management operations.