Configure PAM Login Capability

Pluggable Authentication Module (PAM) login capability involves two separate components:

  • PAM for user authentication
  • NSS for group authorization

Together they provide external users the capability to log on to NetWitness without having an internal NetWitness account, and to receive permissions or roles determined by mapping the external group to a NetWitness security role. Both components are required for a login to succeed.

External authentication is a system-level setting. Before configuring PAM, carefully review all of the information here.

Pluggable Authentication Modules

PAM is a Linux-provided library responsible for authenticating users against authentication providers such as RADIUS, Kerberos, and Agent for SecurID. For implementation, each authentication provider uses its own module, which is in the form of an operating system (OS) package such as pam_krb5. NetWitness uses the OS-provided PAM library, and the module that the PAM library is configured to use, to authenticate users.

Note: PAM provides only the ability to authenticate.

Name Service Switch

NSS is a Linux feature that provides databases that the OS and applications use to discover information like hostnames; user attributes like home directory, primary group, and login shell; and to list users that belong to a given group. Similar to PAM, NSS is configurable and uses modules to interact with different types of providers. NetWitness uses OS-provided NSS capabilities to authorize external PAM users by looking up whether a user is known to NSS and then requesting from NSS the groups of which that user is a member. NetWitness compares the results of the request to the NetWitness External Group Mapping and if a matching group is found, the user is granted access to log on to NetWitness with the level of security defined in the External Group Mapping.

Note: NSS does not provide authentication.

PAM and NSS Combination

Both PAM (authentication) and NSS (authorization) must succeed in order for an external user to be allowed to log on to NetWitness. The procedure for configuring and troubleshooting PAM is different than the procedure for configuring and troubleshooting NSS. The PAM examples in this guide include Kerberos, RADIUS, and SecurID. The NSS example includes UNIX. The PAM and NSS module combination used is determined by site needs.

Process Overview

To configure PAM login capability, follow the instructions in this document to complete each step:

  1. Configure and test the PAM module.
  2. Configure and test the NSS service.
  3. Enable PAM in NetWitness Server.
  4. Create group mappings in NetWitness Server.

Before beginning the setup of PAM, review the procedure and gather the external authentication server details depending on the PAM module you want to implement.

Before beginning the setup of NSS, review the procedure, identify the group names that you will use in the External Group mapping, and gather the external authentication server details, depending on the NSS service being used.

Before beginning setup of PAM in NetWitness, identify the group names that you will use in the External Group mapping. When mapping roles, the role in NetWitness must match a group name that exists in the external authentication server.

Configure and Test the PAM Module

Choose one of the following sections to set up and configure the PAM component:

PAM Kerberos

Kerberos Communication Ports – TCP 88

To configure PAM authentication using Kerberos:

  1. Execute the following command (but first verify that the krb5-workstation package is installed in your environment):
    yum install krb5-workstation pam_krb5
  2. Edit the following lines in the Kerberos configuration file /etc/krb5.conf. Replace the variables, which are delimited by <angle brackets>, with your values, omitting the angle brackets. Capitalization is required where shown.

    # Configuration snippets may be placed in this directory as well
    includedir /etc/krb5.conf.d/

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    dns_lookup_kdc = true
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_realm = <DOMAIN.COM>
    default_ccache_name = KEYRING:persistent:%{uid}

    [realms]
    <DOMAIN.COM> = {
    kdc = <SERVER.DOMAIN.COM>
    admin_server = <SERVER.DOMAIN.COM>
    }

    [domain_realm]
    <domain.com> = <DOMAIN.COM>
    <.domain.com> = <DOMAIN.COM>
  3. Test the Kerberos configuration with the command:
    kinit <user>@<DOMAIN.COM>
    No output after entering the password indicates success.
  4. Edit the NetWitness Server PAM configuration file /etc/pam.d/securityanalytics to add the following line. If the file does not exist, create it and add the following line:
    auth sufficient pam_krb5.so no_user_check

This completes the configuration for PAM Kerberos. Now, go to the next section, Configure and Test the NSS UNIX Service.

PAM RADIUS

RADIUS Communication Ports - UDP 1812 or UDP 1813

To configure PAM authentication using RADIUS, you must add the NetWitness Server to your RADIUS server’s client list and configure a shared secret. Contact the RADIUS server administrator for this procedure.

There are two procedures available: one for upgrading to version 12.4 from a lower version and another for fresh installation of version 12.4.

Configure PAM authentication using RADIUS (from lower versions to 12.4)

To configure PAM authentication using RADIUS:

  1. Execute the following command (but first verify that the pam_radius_auth package is installed in your environment):

    yum install pam_radius_auth

  2. Edit the RADIUS configuration file, /etc/raddb/server as follows:

    # server[:port] shared_secret timeout (s)
    server secret 3

  3. Edit the NetWitness Server PAM configuration file /etc/pam.d/securityanalytics to add the following line. If the file does not exist, create it and add the following line:

    auth sufficient pam_radius_auth.so

  4. Execute the following command to copy the RADIUS library:

    cp /usr/lib/security/pam_radius_auth.so /usr/lib64/security/

Caution: For PAM RADIUS to work, the /etc/raddb/server file must be writable by the netwitness user. The command needed for this is: chown netwitness:netwitness /etc/raddb/server.

Caution: You must restart the Jetty server after making the above changes for PAM RADIUS. The command for this is:
systemctl restart jetty

The PAM Modules and associated services output information to /var/log/messages and /var/log/secure. These outputs can be used to assist in troubleshooting configuration problems.

The following procedure is an example of the steps to configure PAM authentication for RADIUS using SecurID:

Note: The examples in these tasks use Authentication Manager as the RADIUS server.

  1. Execute the following command (but first verify that the pam_radius_auth package is installed in your environment):

    yum install pam_radius_auth

  2. Edit the RADIUS configuration file, /etc/raddb/server and update it with the authentication manager instance hostname, shared secret and timeout value:

    # server[:port] shared_secret timeout (s)

    111.222.33.44 secret 1

    #other-server other-secret 3

    192.168.12.200:6369 securid 10

    Note: You must comment out the 127.0.0.1 and other-server lines and add the IP address of the Authentication Manager primary instance with the RADIUS port number (for example, 192.168.12.200:1812), the RADIUS shared secret, and a timeout value of 10.

  3. Edit the NetWitness Server PAM configuration file /etc/pam.d/securityanalytics to add the following line. If the file does not exist, create it and add the following line:

    auth sufficient pam_radius_auth.so

    Note: You can add debug to the end of the above line in the /etc/pam.d/securityanalytics file to enable PAM debugging (for example, auth sufficient pam_radius_auth.so debug).

  4. Run the following command to copy the RADIUS library:

    cp /usr/lib/security/pam_radius_auth.so /usr/lib64/security/

The PAM modules and associated services output information to /var/log/messages and /var/log/secure. These outputs can be used to assist in troubleshooting configuration problems.

Configure PAM authentication using RADIUS (for fresh installation of 12.4)

IMPORTANT: The steps listed below are applicable to a fresh 12.4 installation of the NetWitness Platform.

To configure PAM authentication using RADIUS:

  1. Execute the following command (but first verify that the pam_radius package is installed in your environment):

    yum install pam_radius

  2. Edit the RADIUS configuration file, /etc/pam_radius.conf as follows:

    # server[:port] shared_secret  timeout (s)
    server          secret         3

  3. Edit the NetWitness Server PAM configuration file  /etc/pam.d/securityanalytics to add the following line. If the file does not exist, create it and add the following line:

    auth sufficient pam_radius_auth.so

Caution: For PAM RADIUS to work, the /etc/pam_radius.conf file must be writable by the netwitness user. The command needed for this is: chown netwitness:netwitness /etc/pam_radius.conf.

Caution: You must restart the Jetty server after making the above changes for PAM RADIUS. The command for this is:
systemctl restart jetty

The PAM Modules and associated services output information to /var/log/messages and /var/log/secure. These outputs can be used to assist in troubleshooting configuration problems.

The following procedure is an example of the steps to configure PAM authentication for RADIUS using SecurID:

Note: The examples in these tasks use Authentication Manager as the RADIUS server.

  1. Execute the following command (but first verify that the pam_radius package is installed in your environment):

    yum install pam_radius

  2. Edit the RADIUS configuration file, /etc/pam_radius.conf and update it with the authentication manager instance hostname, shared secret and timeout value:

    # server[:port] shared_secret timeout (s)

    111.222.33.44 secret 1

    #other-server other-secret 3

    192.168.12.200:6369 securid 10

    Note: You must comment out the 127.0.0.1 and other-server lines and add the IP address of the Authentication Manager primary instance with the RADIUS port number (for example, 192.168.12.200:1812), the RADIUS shared secret, and a timeout value of 10.

  3. Edit the NetWitness Server PAM configuration file /etc/pam.d/securityanalytics to add the following line. If the file does not exist, create it and add the following line:

    auth sufficient pam_radius_auth.so

    Note: You can add debug to the end of the above line in the /etc/pam.d/securityanalytics file to enable PAM debugging (for example, auth sufficient pam_radius_auth.so debug).

The PAM modules and associated services output information to /var/log/messages and /var/log/secure. These outputs can be used to assist in troubleshooting configuration problems.
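As an added check (not part of NetWitness or the pam_radius module), the following script parses the server file used by both RADIUS procedures above (/etc/raddb/server on upgrades, /etc/pam_radius.conf on fresh 12.4 installs), reports the template lines the notes say to comment out and any malformed entries, and flags a file mode that would let other users read the shared secret. The sample file contents are constructed; treating an omitted port as 1812 is an assumption.

```python
"""Lint a pam_radius server file: lines of 'server[:port] shared_secret timeout'.
Added example, not NetWitness code; sample contents below are constructed."""
import stat

PLACEHOLDER_HOSTS = {"server", "127.0.0.1", "other-server"}   # template lines shipped in the file
PLACEHOLDER_SECRETS = {"secret", "other-secret"}


def parse_radius_servers(text):
    """Parse the active (uncommented) lines of a pam_radius server file.
    Returns (servers, findings): servers is a list of (host, port, shared_secret,
    timeout) tuples, findings a list of human-readable problems."""
    servers, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment, as in the page's file
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            findings.append(f"line {lineno}: expected 'server[:port] shared_secret timeout'")
            continue
        target, secret, timeout = fields
        host, _, port = target.partition(":")
        # assumption: an omitted port means the standard RADIUS auth port 1812
        port = int(port) if port.isdigit() else (1812 if port == "" else None)
        if port is None or not 0 < port < 65536:
            findings.append(f"line {lineno}: invalid RADIUS port in {target!r}")
        if not timeout.isdigit():
            findings.append(f"line {lineno}: timeout {timeout!r} is not a number of seconds")
        if host in PLACEHOLDER_HOSTS:
            findings.append(f"line {lineno}: template entry {host!r} still active; comment it out")
        if secret in PLACEHOLDER_SECRETS:
            findings.append(f"line {lineno}: placeholder shared secret {secret!r}")
        servers.append((host, port, secret, int(timeout) if timeout.isdigit() else None))
    if not servers:
        findings.append("no active RADIUS server lines; PAM RADIUS will fail")
    return servers, findings


def secret_file_exposed(mode):
    """True when a shared-secret file's mode lets group or others read it.
    The page's chown hands the file to the netwitness user; this is the companion
    check that nobody else can read the secret (pass os.stat(path).st_mode)."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


# constructed file contents before and after applying the note in step 2
SAMPLE_BEFORE = """\
# server[:port] shared_secret timeout (s)
127.0.0.1 secret 1
other-server other-secret 3
"""
SAMPLE_AFTER = """\
# server[:port] shared_secret timeout (s)
#127.0.0.1 secret 1
#other-server other-secret 3
192.168.12.200:1812 ConstructedSharedSecret 10
"""

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, *parse_radius_servers(text))
```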

Add a RADIUS Client and Associated Agent

Note: The examples in these tasks use Authentication Manager as the RADIUS server.
You must use administrative account credentials to log on to the Authentication Manager Security Console.

To add a RADIUS Client and Associated Agent:

  1. Log on to Authentication Manager.

    The Security Console is displayed.

  2. In the Security Console, click RADIUS > RADIUS Client > Add New.

    The Add RADIUS Client page is displayed.


  3. In RADIUS Client Settings, provide the following information:

    1. In the Client Name field, enter the name of the client, for example, NetWitness.
    2. In the IPv4 Address field, enter the IPv4 address of the RADIUS client, for example, 192.168.12.108.
    3. In the Make/Model drop-down list, select the type of RADIUS client, for example, Fortinet.
    4. In the Shared Secret field, enter the authentication shared secret.
  4. Click Save & Create Associated NetWitness Agent.


  5. Click Save.

If the Authentication Manager instance is unable to find the authentication agent on the network, a warning page is displayed. Click Yes, Save Agent.

For more information, see the "Add a RADIUS Client" topic in Authentication Manager 8.2 Administrator’s Guide.

This completes the configuration for PAM RADIUS. Now, go to the next section, Configure and Test the NSS UNIX Service.

PAM Agent for SecurID

PAM Communication Port - UDP 5500

The SecurID PAM module is supported only under the following condition:

Trusted connections must be enabled and functioning between NetWitness and Core services.

Configure the SecurID PAM Module

[Figure: SecurID PAM configuration flowchart]

To configure Authentication Manager:

  1. Log on to Authentication Manager.

    The Security Console is displayed.


  2. In the Security Console, add a new authentication agent.

    Click Access > Authentication Agents > Add New.

    The Add New Authentication Agent page is displayed.


  3. In the Hostname field, type the hostname of the NetWitness Server.
  4. Click Resolve IP.

    The IP address of the NetWitness Server is automatically displayed in the IP Address field.

  5. Keep the default settings and click Save.
  6. Generate a configuration file.

    Go to Access > Authentication Agents > Generate Configuration File.

    The Generate Configuration File page is displayed.


  7. Keep the defaults and click Generate Config File.

    This creates AM_Config.zip, which contains two files.

  8. Click Download Now.

To install and configure the PAM SecurID module:

  1. On the NetWitness Server, make the following directory:

    mkdir /var/ace

  2. On the NetWitness Server, copy sdconf.rec from the .zip file to /var/ace.
  3. Create the text file sdopts.rec in the /var/ace directory.
  4. Insert the following line:

    CLIENT_IP=<IP address of NetWitness Server>

  5. Install the SecurID Authorization Agent for PAM, which is available in the yum repository:

    yum install sid-pam-installer

  6. Run the install script:

    /opt/rsa/pam-agent-installer/install_pam.sh

  7. Follow the prompts to accept or change the defaults.
  8. Edit the NetWitness Server PAM configuration file, /etc/pam.d/securityanalytics to add the following line. If the file does not exist, create it and add the following line:

    auth sufficient pam_securid.so

This completes the installation of the SecurID PAM module. Next, test the connectivity and authentication. Then, follow the procedures in Configure and Test the NSS UNIX Service.

Note: If the PAM SecurID setup is not complete, it may crash the Jetty server and the NetWitness UI will not be displayed. You must wait until the PAM authentication configuration is complete and then restart the Jetty server.

To test connectivity and authentication:

  1. Run /opt/pam/bin/64bit/acetest, and enter the username and passcode.
  2. (Optional) If acetest fails, turn on debugging by editing /etc/sd_pam.conf and setting RSATRACELEVEL:

    vi /etc/sd_pam.conf
    RSATRACELEVEL=15

  3. Run /opt/pam/bin/64bit/acestatus. The output is displayed as shown below.

RSA ACE/Server Limits
---------------------
Configuration Version : 15        Client Retries : 5
Client Timeout        : 5         DES Enabled    : Yes

RSA ACE/Static Information
--------------------------
Service : securid    Protocol : udp    Port Number : 5500

RSA ACE/Dynamic Information
---------------------------
Server Release : 8.1.0.0    Communication : 5

RSA ACE/Server List
-------------------
Server Name           : auth81.netwitness.local
Server Address        : 192.168.100.10
Server Active Address : 192.168.100.10
Master : Yes    Slave : No    Primary : Yes
Usage : Available for Authentications

  4. (Optional) To troubleshoot the Authentication Manager server, go to Reporting > Real-time Activity Monitors > Authentication Activity Monitor. Then click Start Monitor.
  5. If you changed the setting, reset RSATRACELEVEL to 0:

    vi /etc/sd_pam.conf
    RSATRACELEVEL=0

Caution: After installation, verify that VAR_ACE in the /etc/sd_pam.conf file points to the correct location of the sdconf.rec file (the path to the configuration files), and that the netwitness user owns that directory. The command needed for this is: chown -R netwitness:netwitness /var/ace.

This completes the configuration for PAM Agent for SecurID. Now, go to the next section, Configure and Test the NSS UNIX Service.

Configure and Test the NSS UNIX Service

Configuration

No configuration is necessary to enable the NSS UNIX module; it is enabled in the host operating system by default. To authorize a user for a specific group, simply add that user to the operating system and add them to a group:

  1. Create an OS group to which your external user will be added, with this command:

    groupadd <groupname>

  2. Add the external user to the OS with this command:

    adduser -G <groupname> -M -N <externalusername>

Note: This does NOT permit or allow access to the NetWitness Server console.

This completes the configuration for NSS UNIX. Next, go to Test NSS Functionality.

Test NSS Functionality

To test whether NSS is working with any of the previous NSS services, use the following commands:

getent passwd <pamUser>
getent group <groupOfPamUser>

Output should be similar to:

[root@~]# getent passwd myuser
myuser:*:10000:10000::/home/myuser:/bin/sh

[root@~]# getent group mygroup
mygroup:*:10000:myuser3

  • If neither command produces output, NSS is not working properly for external authorization. Refer to the troubleshooting guidance for your NSS module provided in this document.
  • If the getent commands succeed and authentication success is confirmed in /var/log/secure, but NetWitness still fails to allow external users to log on:

    • Was the correct group name specified for the NSS group in the NetWitness External Group Mapping? See Enable PAM and Create Group Mappings below.
    • It is possible that the NSS configuration has changed and NetWitness has not picked up the change. A reboot of the NetWitness host will cause NetWitness to pick up NSS configuration changes. A restart of the Jetty server is not sufficient.
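The following added example (not NetWitness code) reproduces the authorization decision described under Name Service Switch and the check behind the getent commands above: it asks NSS whether the user exists, collects the user's groups, and matches them against an External Group Mapping, which it assumes to be a plain group-to-role dictionary. Whether NetWitness counts the user's primary group is not stated on this page; the example includes it, since getent group alone does not list primary members. The passwd and group records are constructed to mirror the getent output above.

```python
"""Mimic the NSS-side authorization check: user known to NSS? which groups?
does any group appear in the External Group Mapping?  Added example, not
NetWitness code; the mapping format and sample records are assumptions."""
import grp
import pwd


def nss_user_groups(username, getpwnam=pwd.getpwnam, getgrgid=grp.getgrgid,
                    getgrall=grp.getgrall):
    """Return the set of group names NSS reports for `username`, or None when
    NSS does not know the user.  The lookups default to the live system (the
    same passwd/group databases `getent` queries) and can be swapped for
    constructed data to run offline."""
    try:
        pw = getpwnam(username)
    except KeyError:
        return None                       # `getent passwd <user>` would print nothing
    groups = set()
    try:
        groups.add(getgrgid(pw.pw_gid).gr_name)   # primary group: not shown by `getent group`
    except KeyError:
        pass                              # primary GID without a group entry: skip it
    # supplementary groups: the member list that `getent group <g>` prints
    groups.update(g.gr_name for g in getgrall() if username in g.gr_mem)
    return groups


def authorize(username, group_role_mapping, **lookups):
    """Apply the External Group Mapping (assumed: dict of group -> role).
    Returns the sorted roles granted, [] when the user is known but no group
    matches, or None when NSS does not know the user at all."""
    groups = nss_user_groups(username, **lookups)
    if groups is None:
        return None
    return sorted(role for g, role in group_role_mapping.items() if g in groups)


# --- constructed NSS records mirroring the getent output on this page ---
SAMPLE_PASSWD = {
    "myuser": pwd.struct_passwd(("myuser", "*", 10000, 10000, "", "/home/myuser", "/bin/sh")),
    "myuser3": pwd.struct_passwd(("myuser3", "*", 10003, 100, "", "/home/myuser3", "/bin/sh")),
}
SAMPLE_GROUPS = [
    grp.struct_group(("mygroup", "*", 10000, ["myuser3"])),   # as in: mygroup:*:10000:myuser3
    grp.struct_group(("users", "*", 100, [])),
]
SAMPLE_MAPPING = {"mygroup": "Analysts"}   # constructed External Group Mapping


def sample_lookups():
    """Lookup functions bound to the constructed records (same signatures as pwd/grp)."""
    by_gid = {g.gr_gid: g for g in SAMPLE_GROUPS}
    return dict(getpwnam=lambda u: SAMPLE_PASSWD[u],
                getgrgid=lambda gid: by_gid[gid],
                getgrall=lambda: list(SAMPLE_GROUPS))


if __name__ == "__main__":
    for user in ("myuser", "myuser3", "nobody_here"):
        print(user, "->", authorize(user, SAMPLE_MAPPING, **sample_lookups()))
```

Run it against the live host by calling authorize(name, mapping) with no lookups, which uses the real NSS databases exactly as getent does.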

Enable PAM in NetWitness Server

  1. Go to Admin > Security.

    The Security view is displayed with the Users tab open.

  2. Click the Settings tab.
  3. Under PAM Authentication, select Enable PAM Authentication and click Apply.


Test External Authentication for PAM

  1. Go to Admin > Security.

    The Security view is displayed with the Users tab open.

  2. Click the Settings tab.
  3. Under PAM Authentication, select Enable PAM Authentication.


  4. Under PAM Authentication options, click Test.

    The PAM Authentication Test dialog is displayed.


  5. Type a user name and password that you want to test for authentication using the current PAM configuration.
  6. Click Test.

    The external authentication method is tested to ensure connectivity.

  7. If the test does not succeed, review and edit the configuration.

PAM is enabled, and Active Directory configurations will also remain enabled. PAM configurations are automatically populated in the External Group Mapping tab so that you can map security roles to each group.

Create Group Mappings in NetWitness Server

To configure security roles used for PAM access, see (Optional) Map User Roles to External Groups.