Tanzu GemFire Management Console 1.2

Security and Modes

Last Updated February 19, 2025

This topic describes the options for securing VMware Tanzu GemFire Management Console.

Overview

VMware Tanzu GemFire Management Console offers two modes for securing the console itself: Developer Mode, which requires no authentication, and Multi-User Mode, which authenticates users against an external provider. Both are described below.

The mode selected does not affect access to GemFire clusters. Authentication and authorization for each GemFire cluster are handled by the GemFire security manager running inside that cluster, not by the console.

Developer Mode

By default, Tanzu GemFire Management Console deploys in Developer Mode. Developer Mode provides all of the capabilities of Tanzu GemFire Management Console and requires no credentials: anyone who can reach the console can use it, and all stored cluster connections are available to them without authentication. Developer Mode is therefore appropriate only where network access to the console is already limited to trusted users; use Multi-User Mode for shared or production deployments.

Multi-User Mode

To enable Multi-User Mode, configure Tanzu GemFire Management Console to authenticate against a provider such as LDAP, OAuth2, SAML, or Kerberos. The provider authenticates users to the Management Console only, not to the GemFire clusters. Once configured, users must authenticate before they can access the Management Console and the shared connection information.

OAuth2 Configuration Requirements

Tanzu GemFire Management Console requires the following configuration information to use OAuth2:

  • Authorization Endpoint
  • Issuer
  • Client ID
  • Client Secret
  • JWK Set Endpoint
  • User Info Endpoint
  • User ID Claim Name
  • Token Endpoint
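Most of these values are published by the provider in its OpenID Connect discovery document, and copying them by hand is where mistakes creep in. The following added example (not part of the product or its documentation) reads a constructed discovery document for a hypothetical provider at https://idp.example.com, maps its keys onto the console's field names, and flags an issuer that does not match the discovery URL, endpoints that are not HTTPS, and a User ID Claim Name the provider does not advertise. Client ID and Client Secret are not in the document; they come from registering the console as a client at the provider.

```python
"""Map an OpenID Connect discovery document onto the OAuth2 fields the
Management Console asks for, and sanity-check them before they are typed in.

Added example, not product code. The provider https://idp.example.com and the
discovery document below are constructed for illustration; the key names are
those standardised by OpenID Connect Discovery 1.0."""
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample of what GET https://idp.example.com/.well-known/openid-configuration
# would return (hypothetical provider; only the keys the console needs plus claims_supported).
SAMPLE_DISCOVERY_URL = "https://idp.example.com" + WELL_KNOWN
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "claims_supported": ["sub", "email", "preferred_username"],
})

# Console field -> discovery-document key. Client ID and Client Secret are not
# in the document; they come from registering the console as a client at the provider.
FIELD_MAP = {
    "Issuer": "issuer",
    "Authorization Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "User Info Endpoint": "userinfo_endpoint",
    "JWK Set Endpoint": "jwks_uri",
}


def console_oauth2_fields(discovery_json, discovery_url, user_id_claim="sub"):
    """Return (fields, problems): fields maps console field names to values,
    problems lists reasons the document should not be used as-is."""
    doc = json.loads(discovery_json)
    fields, problems = {}, []

    # OIDC Discovery 4.3: the issuer MUST equal the discovery URL minus the
    # well-known suffix. A mismatch means the 'iss' claim in tokens will not be
    # what the console expects, or the document came from the wrong place.
    expected_issuer = None
    if discovery_url.endswith(WELL_KNOWN):
        expected_issuer = discovery_url[: -len(WELL_KNOWN)]
    else:
        problems.append(f"{discovery_url} is not a well-known discovery URL")
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} does not match discovery URL "
                        f"(expected {expected_issuer!r})")

    for field, key in FIELD_MAP.items():
        value = doc.get(key)
        if not value:
            problems.append(f"{field}: discovery document has no '{key}'")
            continue
        # The token endpoint receives the client secret and the userinfo endpoint
        # receives access tokens; neither may travel over plain HTTP.
        if urlparse(value).scheme != "https":
            problems.append(f"{field}: {value} is not https")
        fields[field] = value

    # The claim the console uses as the user identity must actually be issued.
    supported = doc.get("claims_supported")
    if supported is not None and user_id_claim not in supported:
        problems.append(f"User ID Claim Name {user_id_claim!r} is not in claims_supported {supported}")
    fields["User ID Claim Name"] = user_id_claim
    return fields, problems
```

Fetch the real document with a browser or curl over HTTPS and pass its body and the URL you fetched it from; an empty problems list means the field values can be copied into the console as returned.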

LDAP Configuration Requirements

Tanzu GemFire Management Console requires the following configuration information to use LDAP:

  • LDAP Server URL: URL of the LDAP server, including the base DN. Example: ldap://localhost:389/dc=vmware,dc=com. Note that an ldap:// URL sends the admin bind password and all directory traffic in cleartext.
  • LDAP Admin Username (optional): DN of the account the console binds as to search for users. Example: cn=admin,dc=gemfire,dc=com. A read-only directory account is sufficient for this purpose.
  • LDAP Admin Password (optional): Password of the LDAP Admin user.
  • User Search Filter: The attribute whose value uniquely identifies a user; the login name is matched against it. Examples: uid, cn
  • Group DN (optional): DN of the group a user must belong to. Example: cn=adminGroup,dc=vmware,dc=com
  • Group Search Filter (optional): The attribute used to check whether the user belongs to the group above. Examples: memberOf, gidNumber
  • Management Console Admin Username: The Management Console admin user, who will be able to edit this configuration later.
  • Management Console Admin Password: Password of the Management Console admin user.

SAML Configuration Requirements

Tanzu GemFire Management Console supports SAML 2.0. The Identity Provider details can be supplied in one of three ways:

Configure Metadata URL

  • Metadata URL: Identity Provider’s metadata URL.

Configure Metadata XML

  • Metadata in XML Format: Metadata of the Identity Provider provided in XML format.

Configure Manually

  • SSO URL: Identity Provider Single Sign On URL.

  • ACS Binding: Assertion Consumer Service Binding (HTTP POST or HTTP Redirect Binding).

  • IDP Logout URL (optional): Identity Provider Logout URL.

  • Logout Service Binding: Logout Service Binding (HTTP POST or HTTP Redirect Binding).

  • Verification Certificate: Identity Provider’s X509 Certificate used to verify assertions in SAML responses from the asserting party (IDP).

  • IDP Entity ID: Identity Provider Entity ID or Issuer attribute of the SAML responses that the Identity Provider issues.

  • NameId Format (optional): Name Identifier formats control how the users at IDPs are mapped to users at GemFire Management Console (SP) during single sign-on.

  • Sign Authentication Requests: When enabled, the console signs the SAML2 AuthnRequests it sends to the Identity Provider, so the IdP can reject requests that did not originate from this Service Provider. Enabling it requires a Signing Certificate and its Private Key.

  • Signing Certificate: The Service Provider's X.509 certificate (public key). Register it with the Identity Provider so the IdP can verify the signatures on the AuthnRequests.

  • Private Key: The private key matching the Signing Certificate, which the console uses to produce the signatures. It stays on the console and must never be given to the Identity Provider.

The following parameters are common to all three options:

  • ACS URL: The Assertion Consumer Service URL, auto-populated by the console. The Identity Provider sends SAML responses to this URL. It is also known as the Reply URL, SP Sign-In URL, or Post Back URL. Copy this value into the SAML application configuration at the Identity Provider.

  • SP Entity ID: The Service Provider Entity ID, a unique identifier for this application that distinguishes it from the other Service Providers federated with the Identity Provider. It is also known as the Audience URL, Application ID URL, or Relying Party Identifier. Supply it during SAML application configuration if the Identity Provider permits setting it.

  • Principal Identifier (optional): The attribute in the SAML response from which the console takes the display name of the logged-in user, for example a username or email address attribute.

Logging out of GemFire Management Console ends only the console session; it does not log the user out of the Identity Provider. Once SAML is configured, the Identity Provider cannot be changed later, for security reasons.
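The three configuration routes carry the same information: what the manual route asks for is what the metadata URL or XML contains. The following added example (not the console's own code) makes the correspondence explicit by extracting the manual fields from a constructed IdP metadata document for a hypothetical provider at https://idp.example.com/saml; the X509Certificate value in it is a placeholder string, not a real certificate. It also reads WantAuthnRequestsSigned, which tells you whether Sign Authentication Requests needs to be enabled, and ignores keys the IdP marks for encryption only, since those must not be used to verify assertions. The SP-side values (ACS URL, SP Entity ID, ACS Binding) are not in IdP metadata and are not produced.

```python
"""Extract the "Configure Manually" SAML fields from an Identity Provider's
metadata XML so the two configuration routes can be cross-checked.

Added example, not product code. The metadata below is constructed: the IdP
https://idp.example.com/saml is hypothetical and the X509Certificate value is a
placeholder, not a real certificate. Standard library only."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_LABELS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP Redirect",
}

# Constructed IdP metadata (hypothetical IdP; placeholder certificate).
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          MIIDEXAMPLE+PLACEHOLDER/NOT+A+REAL+CERT==
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _endpoint(idp, tag):
    """Location and binding label of an IdP service element, preferring
    HTTP-POST over HTTP-Redirect when the IdP offers both."""
    best = None
    for svc in idp.findall(f"md:{tag}", NS):
        label = BINDING_LABELS.get(svc.get("Binding", ""))
        if label and svc.get("Location") and (best is None or label == "HTTP POST"):
            best = (svc.get("Location"), label)
    return best or (None, None)


def manual_saml_fields(metadata_xml):
    """Return a dict keyed by the console's manual-configuration field names.
    Metadata from an untrusted source should be parsed with defusedxml instead."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata or not SAML metadata")

    # Only certificates marked for signing (or unmarked, meaning both uses) may
    # verify assertion signatures; an encryption-only key must not be accepted.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))
    if not certs:
        raise ValueError("no signing certificate: assertions could not be verified")

    sso_url, sso_binding = _endpoint(idp, "SingleSignOnService")
    slo_url, slo_binding = _endpoint(idp, "SingleLogoutService")
    nameid = idp.find("md:NameIDFormat", NS)
    return {
        "IDP Entity ID": root.get("entityID"),
        "SSO URL": sso_url,
        "SSO Binding": sso_binding,          # binding used to send the AuthnRequest
        "IDP Logout URL": slo_url,
        "Logout Service Binding": slo_binding,
        "Verification Certificate": certs[0],
        "NameId Format": nameid.text.strip() if nameid is not None and nameid.text else None,
        # The IdP declares whether it will reject unsigned AuthnRequests.
        "Sign Authentication Requests": idp.get("WantAuthnRequestsSigned") == "true",
    }
```

If the IdP publishes more than one signing certificate (typically during key rollover), the list holds all of them; the console's single Verification Certificate field should receive the one the IdP is currently signing with.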

Kerberos Configuration Requirements

Tanzu GemFire Management Console supports Kerberos authentication. Configure it by providing the following parameters.

  1. Service Principal Name: A unique identifier of a service instance.

    Kerberos authentication uses Service Principal Names (SPNs) to associate a service instance with a service sign-in account. An SPN has two parts, a service class and a hostname, optionally followed by the realm. For example, HTTP/imap.example.com is the SPN of the HTTP service on the host imap.example.com. The SPN must name the host on which Tanzu GemFire Management Console is running, and that hostname must be the one users type into their browsers, because a browser requests a ticket for HTTP/ followed by the hostname in the URL.

    Example: HTTP/gmc-server.domain.local@DOMAIN.LOCAL

  2. Keytab File: A keytab is a file containing pairs of Kerberos principals and keys derived from the principal's password. The console uses it to authenticate to Kerberos without being prompted for a password. Because anyone holding the keytab can act as the service, protect it like a private key: restrict file permissions and remove local copies once it has been uploaded.

    A keytab can be generated with the ktpass command on a Windows server.

    Example:

    ktpass /out c:\gmcuser.keytab /mapuser gmcuser@DOMAIN.LOCAL /princ HTTP/gmc-server.domain.local@DOMAIN.LOCAL /pass password /ptype KRB5_NT_PRINCIPAL /crypto All
    

    The output of this command is the keytab file gmcuser.keytab, which can be uploaded to Tanzu GemFire Management Console. Two things to check before running it: /pass sets (and resets) the password of the mapped account, so use a strong value rather than the placeholder shown, or /pass * to be prompted; and /crypto All writes RC4 and DES keys alongside the AES keys, so prefer /crypto AES256-SHA1 on an account that has AES encryption enabled.

  3. Kerberos Config File: The Kerberos config file, krb5.conf, contains Kerberos configuration information including:

    • The locations of KDCs and admin servers for the Kerberos realms of interest
    • Defaults for the current realm and for Kerberos applications
    • Mappings of hostnames onto Kerberos realms

    The following is a sample krb5.conf which contains a default realm and KDC host:

        [libdefaults]
        default_realm = DOMAIN.LOCAL
    
        [realms]
        DOMAIN.LOCAL = {
            kdc = WinServer1.DOMAIN.LOCAL
        }
    
  4. Admin User: The user who configures Kerberos security for Tanzu GemFire Management Console and who will be able to edit the configuration later.

    Once Kerberos security is configured:

    • In a domain-joined Windows environment, GMC can be accessed by single sign-on as the logged-in user, provided browsers are configured for SPNEGO negotiation with the console's hostname.
    • Outside the domain, GMC can be accessed with a username and password; the user is authenticated by the KDC configured in the krb5.conf file.
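Before uploading, it is worth confirming that the keytab actually carries a key for the configured SPN, that the SPN's realm agrees with the default_realm in krb5.conf, and that it contains no RC4 or DES keys. The following added Python example (not product code) parses the version-2 MIT keytab format that ktpass writes and performs those checks. The keytab it inspects is built in-process from all-zero dummy keys, so it runs offline; the SPN and krb5.conf are the ones from the steps above. To inspect a real keytab, pass the file's bytes to check_keytab.

```python
"""Inspect a keytab before uploading it: is there a key for the configured SPN,
does the SPN realm match krb5.conf, and are all keys strong enctypes?

Added example, not product code. The sample keytab is built in-process from
all-zero dummy keys; the SPN and krb5.conf are the ones from the steps above.
A real keytab is password-equivalent: handle it like a private key."""
import re
import struct

# IANA Kerberos encryption type numbers; only the AES types count as strong.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
                 23: "rc4-hmac", 24: "rc4-hmac-exp"}
STRONG_ENCTYPES = {17, 18, 19, 20}

SPN = "HTTP/gmc-server.domain.local@DOMAIN.LOCAL"
SAMPLE_KRB5_CONF = """[libdefaults]
    default_realm = DOMAIN.LOCAL

[realms]
    DOMAIN.LOCAL = {
        kdc = WinServer1.DOMAIN.LOCAL
    }
"""


def _counted(b):
    """MIT keytab counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialize (principal, enctype, key, kvno) tuples as a version-2 MIT keytab.
    Test-data helper only; real keytabs come from ktpass or ktutil."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, key, kvno in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                   # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """One dict per entry; key material is reported by length only."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (expected 0x0502 header)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                    # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _read_counted(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:              # 32-bit kvno, when present, overrides vno8
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": enctype, "kvno": kvno, "key_len": len(key)})
    return entries


def check_keytab(data, spn, krb5_conf):
    """Return findings; an empty list means the keytab is fit to upload."""
    findings = []
    entries = parse_keytab(data)
    if not any(e["principal"] == spn for e in entries):
        findings.append(f"no key for {spn}; principals present: "
                        f"{sorted({e['principal'] for e in entries})}")
    for e in entries:
        if e["enctype"] not in STRONG_ENCTYPES:
            name = ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"]))
            findings.append(f"{e['principal']} kvno {e['kvno']}: weak enctype {name}; "
                            "regenerate with an AES-only /crypto setting")
    realm = spn.rsplit("@", 1)[1]
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_conf, re.M)
    if m and m.group(1).upper() != realm.upper():
        findings.append(f"default_realm {m.group(1)} differs from SPN realm {realm}")
    return findings


# Constructed: what a /crypto All keytab holds (AES next to RC4), dummy zero keys.
SAMPLE_KEYTAB = build_keytab([(SPN, 18, b"\x00" * 32, 3),   # aes256-cts-hmac-sha1-96
                              (SPN, 23, b"\x00" * 16, 3)])  # rc4-hmac: should not be there
```

The kvno reported for each entry should match the current key version of the mapped account; a stale kvno after a password reset is the usual reason a previously working keytab stops authenticating.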