Observer Management Server (OMS) 18.2.0.0 User Guide 21 Jan 2021


Notice

Every effort was made to ensure that the information in this manual was accurate at the time of printing. However, information is subject to change without notice, and VIAVI reserves the right to provide an addendum to this manual with information not available at the time that this manual was created.

Copyright

© Copyright 2020 VIAVI Solutions Inc. All rights reserved. VIAVI and the VIAVI logo are trademarks of VIAVI Solutions Inc. (“VIAVI”). All other trademarks and registered trademarks are the property of their respective owners. No part of this guide may be reproduced or transmitted, electronically or otherwise, without written permission of the publisher.

Copyright release

Reproduction and distribution of this guide is authorized for Government purposes only.

Terms and conditions

Specifications, terms, and conditions are subject to change without notice. The provision of hardware, services, and/or software are subject to VIAVI standard terms and conditions, available at www.viavisolutions.com/terms.

Specifications, terms, and conditions are subject to change without notice. All trademarks and registered trademarks are the property of their respective companies.

Federal Communications Commission (FCC) Notice

This product was tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This product generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this product in a residential area is likely to cause harmful interference, in which case you will be required to correct the interference at your own expense.

The authority to operate this product is conditioned by the requirements that no modifications be made to the equipment unless the changes or modifications are expressly approved by VIAVI.

Laser compliance

This device is a class 1 laser product.

Industry Canada Requirements

This Class A digital apparatus complies with Canadian ICES-003.

This Class A digital apparatus complies with Canadian standard NMB-003.

WEEE and Battery Directive Compliance

VIAVI has established processes in compliance with the Waste Electrical and Electronic Equipment (WEEE) Directive, 2002/96/EC, and the Battery Directive, 2006/66/EC.

This product, and the batteries used to power the product, should not be disposed of as unsorted municipal waste and should be collected separately and disposed of according to your national regulations. In the European Union, all equipment and batteries purchased from VIAVI after 2005-08-13 can be returned for disposal at the end of its useful life. VIAVI will ensure that all waste equipment and batteries returned are reused, recycled, or disposed of in an environmentally friendly manner, and in compliance with all applicable national and international waste legislation.

It is the responsibility of the equipment owner to return equipment and batteries to VIAVI for appropriate disposal. If the equipment or battery was imported by a reseller whose name or logo is marked on the equipment or battery, then the owner should return the equipment or battery directly to the reseller.

Instructions for returning waste equipment and batteries to VIAVI can be found in the Environmental section of the VIAVI web site at . If you have questions concerning disposal of your equipment or batteries, contact the VIAVI WEEE Program Management team at [email protected].

Technical Support

North America: 1.844.GO VIAVI / 1.844.468.4284
Latin America: +52 55 5543 6644
EMEA: +49 7121 862273
APAC: +1 512 201 6534
All Other Regions: viavisolutions.com/contacts
Email: [email protected]

Support hours are 7:00 A.M. to 7:00 P.M. (local time for each office).

Table of Contents

Chapter 1: Understanding OMS ... 7
  Understanding the key features ... 7
  Choosing how you want to use OMS ... 8
  Global Asset Policy settings ... 8
  Understanding OMS architecture ... 9
  Getting started with OMS ... 10
  Installing OMS software ... 11
  How to upgrade to Windows 10 ... 12
  How to start and stop OMS ... 13
  Ports used by Observer Platform v17 and later ... 13
  Understanding the certificate trust model ... 14
  How to view certificates ... 14
  How to change the trust of a certificate ... 15
  Certificates and how they are used ... 15
  Understanding the Transport Layer Security (TLS) setting ... 15
  How to enforce a minimum TLS version ... 17
  Web browser TLS compatibility chart ... 17
  How to enable TLS 1.1 and 1.2 in IE10 ... 18

Chapter 2: Users and User Groups ... 19
  Understanding user accounts ... 19
  How to add new users ... 20
  How to disable a user ... 21
  How to enable a user ... 21
  How to delete a user ... 22
  How to change a user's password ... 22
  Invalid login credentials or access denied ... 23
  Understanding user groups ... 23
  How to create a user group ... 24
  How to add users to a user group ... 25
  How to delete a user group ... 25
  How to use LDAP groups as user groups ... 26
  Understanding user group synchronization with LDAP ... 27
  Differences in LDAP synchronization modes ... 28
  Understanding authorization policies ... 28
  How to create an authorization policy ... 28
  How to edit an authorization policy ... 29
  How to delete an authorization policy ... 29
  How to modify the default authorization policy ... 29
  Authorization list ... 30
  How to configure how user accounts authenticate ... 31
  Active Directory settings ... 32
  LDAP settings ... 33
  RADIUS settings ... 36
  TACACS+ settings ... 38

Chapter 3: Assets and Asset Groups ... 40
  Understanding assets and asset elements ... 40
  How to add an asset ... 41
  How to delete an asset ... 43
  How to apply a license to an asset ... 43
  Understanding auto-adding assets and licenses ... 43
  How to determine who has rights to use an asset ... 45
  Understanding the Global Asset Policy ... 46
  Understanding asset groups ... 47
  How to create an asset group ... 48
  How to add an asset to an asset group ... 49
  How to delete an asset group ... 49
  How to disable an asset group ... 49
  How to enable an asset group ... 50
  How to manage software versions using OMS ... 50
  How to download upgrades for upgrade policies to use ... 50
  How to create an upgrade policy ... 51
  How to disable an upgrade policy ... 52
  How to delete an upgrade policy ... 52
  How to update asset groups ... 53
  How to update individual assets ... 53
  How to modify the global upgrade policy ... 53
  Upgrade Version settings ... 54
  Understanding the OMS upgrade process ... 54
  Under what circumstances should I use an upgrade policy? ... 55
  Understanding which upgrade policy is in effect on assets ... 55
  How does the scheduled transfer operate? ... 56
  How does the scheduled installation operate? ... 56
  Understanding asset licenses and licensing ... 56
  How to add an asset license ... 57
  How to apply a license to an asset ... 58
  How to import asset licenses ... 59
  How to edit an asset license ... 59
  How to disable an asset license ... 59
  How to enable an asset license ... 60
  How to delete a license ... 60
  Why is my license number not working? ... 60

Chapter 4: Installing and Updating OMS ... 62
  How to upgrade OMS ... 62
  How to retrieve a list of available OMS versions ... 63
  How to download a version of OMS ... 63
  How to install a version of OMS ... 64
  Upgrade settings ... 64
  Version numbering ... 65
  Understanding the purpose of HSM ... 65
  How to configure an HSM Cryptoki client ... 66
  How to add an HSM token ... 67
  How to add an HSM private key ... 68
  How to import and deploy your OVA file ... 68
  OVA requirements ... 70

Chapter 5: Backups and Secondary OMS ... 71
  Using a secondary OMS ... 71
  Defining a failover OMS ... 72
  Becoming a primary/secondary OMS ... 73
  How to share Observer filters ... 74
  Understanding configuration backups ... 74
  How to create a backup ... 74
  How to restore configuration settings ... 75
  How to schedule backups ... 75
  How to change where backups are stored ... 75

Chapter 6: Troubleshooting ... 77
  Understanding logging in OMS ... 77
  How to view event logs ... 77
  How to send Syslog messages ... 78
  How to send SNMP traps ... 79
  How to send e-mail alerts ... 80
  How to return to the default log settings ... 81
  Understanding log categories ... 81
  Informational ... 82
  Warning ... 85
  Error ... 87
  Fatal ... 93
  Troubleshooting common problems ... 94
  A probe is not connecting to the analyzer or vice versa ... 94
  Users cannot authenticate through OMS ... 95
  Probe will not upgrade ... 95
  Probe is not being licensed ... 95
  Licenses for different versions ... 95
  OMS failed to bind the authentication port ... 95
  RADIUS servers not authenticating ... 95
  I cannot see my co-worker’s shared filters ... 96
  “Invalid credentials” error when using DNS name ... 96

Index ... 97

Chapter 1: Understanding OMS

OMS manages an extensive menu of essential tasks and delegates specific IT jobs on a tiered authorization basis to appropriately credentialed network team members so you can authenticate user access and passwords, administer upgrades, and streamline management of Observer Platform from a single, centralized location. TLS-based communication security safeguards sensitive user data while in transit.

Understanding the key features

Do team members using the asset have valid credentials? OMS determines clearance levels for users accessing the network via an internal list or using third-party integration with technologies like RADIUS, Active Directory, TACACS+, and LDAP.

Who has permission to carry out which requested actions? Actions include probe connections, capture initiation, and more. OMS defines role-based permissions and group policies, helping you lock down security.

Know how users access resources: What if someone connects to an Observer GigaStor probe, begins a capture, and uses a filter looking for "confidential.doc"? OMS logs the user name, IP address, probe connection, and complete activity history.

Standardize asset versions across the enterprise. OMS version control functionality upgrades and downgrades any probe or analyzer as needed or desired. And when new versions that require license changes are released, these can be distributed via OMS, automating the entire upgrade process.

OMS also provides options if you want to control the upgrade schedule, like choosing to upgrade only major releases. OMS centralized licensing allows you to:

♦ Grant licenses on a first-come, first-serve basis
♦ Quickly and efficiently authorize multiple Observer products
♦ Manage multiple types of licenses such as Observer Expert, Observer Suite, and software or hardware probes

Protects analysis tools against connection failures. With redundant OMS in place, real-time analysis and distributed visibility continue even if the primary OMS becomes unavailable. With this option, analyzer and probe communication is secure and uninterrupted.

Offers a centralized repository of tools like filters, commonly used by administrators to ensure only relevant data is displayed or collected – ultimately speeding troubleshooting and analysis. Our technology ensures secure OMS-probe communication by encrypting all data sent across the network. It also provides integrated multi-vendor support for centralized hardware security modules (HSMs), securely managing SSL keys for encryption analysis, reinforcing compliance initiatives.

With OMS, it's easy to share filter libraries between probes and across the network with other users. Upload or download filter lists to or from OMS as often as needed.

Share your organization's application definitions database among analyzers and probes. This benefits your enterprise because key solutions configurations are centralized and shared for standardization and control – creating enterprise-wide network consistency.

Choosing how you want to use OMS

The global asset policy governs how all assets are managed; whether users are validated or must log in; and how protocol filters and definitions are shared and synchronized.

By default, all policies are enabled.

1. Starting in the dashboard, click System > Settings.
2. In the System Settings pane, click Global Asset Policy.
3. Enable or disable options as you choose.
4. Click the accept icon.

The changes take effect immediately or the next time a user attempts to log in.

Global Asset Policy settings

The Global Asset Policy turns on and off core management features.

Authenticate & authorize users using OMS
    If selected, users are required to provide a valid user name and password when launching an asset.

Synchronize user protocol definitions through OMS
    Assets synchronize user protocol definitions through OMS. Protocol definitions created by one user are pushed to all other users. If two users using separate assets change the same definition, the last change is kept.

Get list of Probe Instances available for redirection from OMS
    All local and remote probe instances to which a user has rights are visible in the asset. When cleared, only probe instances local to the asset are available; no probe instances of remote assets are shown.

Share filters with OMS
    If selected, users may create and share protocol filter definitions with each other. Whenever a filter is updated, users can be informed and update their local version. The list of protocol filters is maintained centrally by OMS.

Manage licenses with OMS
    If selected, a pool of licenses for each asset type is managed by OMS. When a user requests access to an asset or asset element, the asset requests one of the available licenses when it starts. If a valid license is available, the user may use that asset. The license is released when the asset is closed. To manage licenses at each asset individually, clear this box.

Auto-add assets and licenses
    If selected, a new asset is created and/or a license is assigned during the first successful authentication with OMS.

Cache OMS logon credentials
    If selected, OMS user logon credentials are cached for a limited amount of time. This allows temporary access to assets when OMS is unavailable for any reason.

Require login when Observer is restored from a minimized state
    User credentials are required to view Observer after restoring it from the Windows taskbar. This provides added security required by some environments. Unchecking the option reduces the security and removes the prompt for your password. The default is Enabled.

Minimum TLS version allowed
    Sets the minimum Transport Layer Security (TLS) version allowed for HTTPS and asset-to-asset communication. Observer Platform products first attempt TLS 1.2 negotiation, regardless of this setting.
    Example: Set to TLS 1.1 to prohibit TLS 1.0 connections, or set to TLS 1.2 to prohibit TLS 1.1 and TLS 1.0 connections. All communication must negotiate the minimum version of TLS or higher. If it cannot, no network connection is made. This includes REST API requests and user access to OMS and Observer Apex through a web browser.

Number of hours to cache OMS logon credentials
    Sets the number of hours to cache OMS user credentials.

Assign auto-add assets to Asset Group
    When an asset is added automatically, assign the asset to this asset group. This takes effect only when Auto-add assets and licenses is selected.
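To confirm that the Minimum TLS version allowed setting has actually taken effect on the OMS HTTPS and REST API port, the following added Python check (not part of this guide or the OMS product) pins a client to one TLS version at a time and compares what the server negotiates with what the configured minimum implies. The host name and port are placeholders; a version your own Python/OpenSSL build can no longer offer is reported as refused, so a refusal of TLS 1.0 while the setting is TLS 1.0 may be a local limitation rather than a server misconfiguration.

```python
"""Verify the effect of the OMS "Minimum TLS version allowed" setting.

Added example, not part of the OMS guide or product. It connects to an HTTPS
endpoint once per TLS version, with the client pinned to exactly that version,
and reports which versions the server still negotiates. Every version below
the configured minimum must be refused; every version at or above it accepted.
"""
import socket
import ssl

# Label shown in the Global Asset Policy -> protocol version constant
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}

OMS_HOST = "oms.example.internal"  # placeholder: your OMS host name
OMS_PORT = 443                      # placeholder: the OMS HTTPS port in use


def expected_acceptance(minimum_setting):
    """Map the configured minimum to an accept/refuse outcome per version.

    TLSVersion is an IntEnum ordered by protocol version, so ">=" compares
    versions correctly (TLS 1.0 < TLS 1.1 < TLS 1.2).
    """
    floor = VERSIONS[minimum_setting]
    return {label: version >= floor for label, version in VERSIONS.items()}


def client_context_for(label):
    """Build a client context that can negotiate exactly one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = VERSIONS[label]
    ctx.maximum_version = VERSIONS[label]
    # Certificate trust is a separate concern (OMS has its own trust model);
    # this probe only asks whether the protocol version itself is negotiable.
    # check_hostname must be disabled before verify_mode can be CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_server(host, port, timeout=5.0):
    """Return {label: True if the server completed a handshake at that version}."""
    observed = {}
    for label in VERSIONS:
        try:
            ctx = client_context_for(label)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    observed[label] = tls.version() is not None
        except (ssl.SSLError, OSError, ValueError):
            # SSLError: the server (or the local OpenSSL policy) refused it.
            # ValueError: this Python/OpenSSL build cannot offer the version.
            # OSError: connection-level failure, counted as not negotiated.
            observed[label] = False
    return observed


def mismatches(minimum_setting, observed):
    """List versions whose observed outcome contradicts the configured minimum."""
    expected = expected_acceptance(minimum_setting)
    return [label for label in VERSIONS if expected[label] != observed[label]]


if __name__ == "__main__":
    configured = "TLS 1.2"  # the value set under Minimum TLS version allowed
    seen = probe_server(OMS_HOST, OMS_PORT)
    for label in VERSIONS:
        print(f"{label}: {'negotiated' if seen[label] else 'refused'}")
    bad = mismatches(configured, seen)
    print("OK: server enforces the configured minimum" if not bad
          else f"MISMATCH for {', '.join(bad)}: review the setting")
```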

Understanding OMS architecture

An architectural image shows the components of the Observer Platform.

OMS controls access to all parts of the Observer Platform ecosystem using its own internal list or from Active Directory, RADIUS, TACACS+, or LDAP.

Packets between your network devices pass through an Observer nTAP to the active probe instance on the GigaStor. Observer Suite connects to a passive instance for trending and expert data. Expert data is viewable in Observer, and trending data is available from dashboards in a web browser.

Observer Expert Console connects to a passive probe instance on a GigaStor for expert data.

Apex produces reports by consolidating trending data from numerous sources, including Observer Suite, Observer Expert (both of which may have multiple trending sources), Expert Probes, GigaStors, and Observer Infrastructure (OI).

If you are viewing an Apex dashboard whose data comes from a GigaStor, you can drill down from the dashboard into the packets on the GigaStor. This is accomplished by drilling down from a Business Group with a Data Source that is the Active Instance (running trending). To data-mine the packets using Observer, use a passive instance on the same GigaStor.

Figure 1: Observer Platform architecture

Getting started with OMS

Follow these steps to get started using OMS. This section assumes you do not have OMS installed and provides the information to take you from an empty OMS system to fully configured.

1. Install the software. See Installing OMS software (page 11).
2. Add or create users. See Understanding user accounts (page 19).
3. Add your probe and Observer licenses to OMS. See Understanding asset licenses and licensing (page 56).
4. Create user groups. See Understanding user groups (page 23).
5. Create asset groups. See Understanding asset groups (page 47).

You can also configure other OMS options such as using a failover server, pushing software upgrades to the probes and Observer, and more.

6. If you want to use a second OMS system as a failover, see Using a secondary OMS (page 71).
7. If you want OMS to push any software updates to the probes or Observer, see How to manage software versions using OMS (page 50).
8. If you want to share packet or capture filters across all Observer, see .
9. To learn about event logging, see How to view event logs (page 77).
10. To be notified by e-mail about certain events, see How to send e-mail alerts (page 80).

Installing OMS software

OMS should ideally be deployed in a data center with other servers. It requires a centrally located placement so assets have fast, reliable access for account validation, content sharing, and other functions.

Prerequisite(s):

See Supported Operating Systems (page 12) for a list of supported operating systems.

To install the OMS software, follow these steps:

1. Download the latest installation file from our update site: http://update.viavisolutions.com/latest/OmsSetupx64.exe. If you copied the installation files from our website, start the installation program.
2. When the setup program runs, follow the onscreen instructions.

Minimum and recommended system specifications

When installing the software, follow the minimum and recommended specifications for a production environment.

To interact with OMS through a web browser, which presents the entire user interface, a compatible web browser is required.

♦ Internet Explorer 10.0 or later
♦ Microsoft Edge
♦ Mozilla Firefox
♦ Google Chrome

| | Virtual Appliance or Minimum | Recommended | Optimal |
|---|---|---|---|
| Processor / CPU | Dual core | Dual core Intel | Quad core Intel |
| RAM | Minimum 4 GB | 8 GB | 16 GB |
| Minimum required storage (1) | 500 megabytes of available space | 500 megabytes of available space | 500 megabytes of available space |
| Operating system (2) | 64-bit Operating System, Windows 7 to Windows Server 2012 R2 | 64-bit Operating System, Windows 7 to Windows Server 2012 R2 | 64-bit Operating System, Windows 7 to Windows Server 2012 R2 |
| Network card | Virtualized network adapter | Server-class onboard network adapter | Intel server-class network adapter |

1. Minimum required storage is the disk space required for the software to function, like the total size of its executables, any drivers, log files, and downloaded patches.
2. See Supported Operating Systems (page 12) for a full list of supported operating systems.

Supported Operating Systems

Your product must be installed on one of these operating systems to receive assistance from Technical Support.

Table 1. Supported Operating Systems

Product Name                          64-bit Windows                                          32-bit Windows
GigaStor Software Edition             Windows 7 (SP1 or higher) to Windows Server 2012 R2;    Not supported
Observer Apex                         Windows Server 2008 R2 Enterprise, Standard, Web
Observer Management Server (OMS)      (SP1 or higher) to Windows Server 2012 R2
Observer Expert
Observer Standard
Observer Suite
Observer Expert Console Only (ECO)    Windows 7 (SP1 or higher) to Windows Server 2012 R2;    Windows 7 (SP1 or higher) to Windows Server 2012 R2;
                                      Windows Server 2008 R2 Enterprise, Standard, Web        Windows Server 2008 R2 Enterprise, Standard, Web
                                      (SP1 or higher) to Windows Server 2012 R2               (SP1 or higher) to Windows Server 2012 R2

How to upgrade to Windows 10

Due to the way Microsoft has designed its Windows® 10 operating system upgrade feature, OMS will not function if you upgrade your operating system from Windows 7, Vista or Windows 8 to Windows 10 without first uninstalling OMS.

    This information does not apply if you:

♦ Already uninstalled OMS.
♦ Are installing Windows 10 rather than upgrading to it.
♦ Are already using Windows 10.
♦ Are upgrading using the Observer Platform OS Upgrade product because it replaces the operating system rather than upgrading it. Additionally, it uses Windows Server 2012 R2.

Note: Unfortunately, if you have already upgraded the operating system and OMS was not uninstalled prior to upgrading to Windows 10, the only path to recovery is to reinstall the operating system. Back up any OMS files on the operating system, reinstall the operating system, then install OMS and restore its files.

    To upgrade a system with OMS to Windows 10:

1. Back up your settings (page 74).
2. Uninstall OMS using Control Panel > Programs and Features.
3. Upgrade your operating system.
4. Install the OMS software (page 11).
5. Restore your settings from step 1 using whatever method is best for you.

    OMS is now available to use on Windows 10.

How to start and stop OMS

OMS runs as a Windows service. Start and stop the program using the Windows Services Control Manager.

OMS starts automatically at system start. OMS is designed to be always running, so it is ideally suited to being installed as a Windows service. Typically, the only interaction most users have with OMS is through its web interface. However, it is not possible to start, stop, or restart OMS through the web interface.

OMS requires two Windows services: its own and a web server. Both must be running. They run with Local System account privileges.

1. Choose Start > Control Panel > System and Security > Administrative Tools > Services.

2. Select Network Instruments Management Server Service and choose Start or Stop.

The service starts (or stops). If you are having any issues, first check the OMS log events and then the Windows Event Viewer for details.

Ports used by Observer Platform v17 and later

Open inbound and outbound TCP 80, 443, and 25901 on your firewalls for Observer Platform products version 17 and later.

Table 2. Ports used by Observer Platform v17 and later

Port        Functionality
TCP 80      Requests from product to VIAVI to see if a new version or update exists.
TCP 443     Secure web server traffic, including GigaStor trace extraction between Apex and GigaStor.
TCP 8008    Default port for transfer of software upgrades.
TCP 25901   All intra-Observer Platform communication.
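The start/stop procedure above and the port list in Table 2 can be checked together from PowerShell. The following is an added example, not part of the OMS guide: it restarts the OMS service, confirms the account the services run under (the guide says Local System), checks which of the Table 2 ports have a listener, and creates the firewall rules the guide asks for. The OMS service display name is the one given above; the web server service's display name is not given in the guide and is an assumption you must replace.

```powershell
# Added example (not from the OMS guide). Run in an elevated PowerShell on the
# OMS host. $WebServerDisplayName is an assumption: look it up in services.msc.
$OmsDisplayName       = 'Network Instruments Management Server Service'
$WebServerDisplayName = 'REPLACE-WITH-WEB-SERVER-SERVICE-DISPLAY-NAME'   # assumption

function Restart-OmsService {
    param([string]$DisplayName = $OmsDisplayName)
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction Stop
    Restart-Service -InputObject $svc -Force
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    $svc.Refresh()
    $svc
}

function Get-OmsServiceAccount {
    # The guide states both services run as Local System; verify it rather than assume it.
    param([string[]]$DisplayNames)
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $DisplayNames -contains $_.DisplayName } |
        Select-Object DisplayName, Name, State, StartMode, StartName
}

function Test-OmsListeners {
    # Ports from Table 2. One row per port, with whether a local listener exists.
    param([int[]]$Ports = @(80, 443, 8008, 25901))
    $listening = Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort
    foreach ($p in $Ports) {
        [pscustomobject]@{ Port = $p; Listening = ($listening -contains $p) }
    }
}

function Add-OmsFirewallRules {
    # Inbound and outbound TCP 80, 443 and 25901, as the guide requires.
    # For outbound traffic the port that matters is the remote port.
    param([int[]]$Ports = @(80, 443, 25901))
    New-NetFirewallRule -DisplayName 'Observer Platform Inbound' -Direction Inbound `
        -Protocol TCP -LocalPort $Ports -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName 'Observer Platform Outbound' -Direction Outbound `
        -Protocol TCP -RemotePort $Ports -Action Allow | Out-Null
}

Restart-OmsService | Format-Table DisplayName, Status
Get-OmsServiceAccount -DisplayNames $OmsDisplayName, $WebServerDisplayName | Format-Table
Test-OmsListeners | Format-Table
Add-OmsFirewallRules

# Service Control Manager records every service state change as event ID 7036;
# this is the "Windows Event Viewer" check the guide recommends, scripted.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036 } -MaxEvents 20 |
    Where-Object { $_.Message -like '*Management Server*' } |
    Select-Object TimeCreated, Message
```

If TCP 8008 shows no listener that is expected outside an upgrade; 443 and 25901 should be listening whenever the service is Running.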


Understanding the certificate trust model

The certificate trust model allows Observer Platform products to securely communicate using TLS encryption. It also provides resistance to man-in-the-middle attacks by requiring administrator intervention when a known certificate has changed.

All product-to-product communication is encrypted by default, and the certificates use SHA-2 signature algorithms. A web of trust between Observer Platform products is created by requiring certificates from each participating software application. The main benefit is that this ensures encryption of communication (page 15) between all parts of the Observer Platform.

Each software application owns a unique certificate. This certificate is automatically created during the first installation of an Observer Platform application, for example, Apex. The unique application certificate is labeled Local when viewed from inside that software application. Upgrading to newer software versions does not create a new certificate, so no certificate maintenance is typically needed. However, uninstalling and reinstalling (fresh installs) creates a new certificate. The new certificate will be automatically rejected by other products that had a pre-existing association with the asset ID of the reinstalled software.

The first time two products communicate, each checks to see if it has the certificate for the asset ID of the other software application. If not, certificates are exchanged, marked Trusted, and associated with the asset ID of the participating device. This enables the "easy configuration" model. After an association is made, each application expects to see the same certificate (to remain trusted) when communicating. This is a trust-on-first-use model: the first exchange is accepted without independent verification, so pair new assets on a network you control, and compare the fingerprints shown under System > Certificates (page 14) with the Local certificate on the asset itself if that first contact cannot be trusted.

Note: Prior to version 17 of the Observer Platform, encryption was available but not enabled by default. This has changed to become the default out-of-the-box behavior in Observer Platform version 17 and later, and it also uses a stronger cipher suite.

Certificates are automatically rejected when trust cannot be verified. If a certificate is associated to an asset ID, and an inbound connection from that asset (determined by the asset ID) occurs using a different certificate, the administrator must inspect and manually accept the certificate because the certificate is in a Rejected state. A rejected certificate breaks the trust model, so any offending device(s) and software are banned from product-to-product communication until an administrator investigates and accepts the certificate.

Certificates can be manually rejected by administrators. In the event that product-to-product communication must be immediately severed because of an imminent threat or other security risk, an administrator can manually reject certificates.

How to view certificates

You can view every certificate that OMS has collected. This information shows certificate trust state, certificate ID, fingerprints, last time seen, last network location, signature algorithm, and more.

To view certificates:

1. Starting in the dashboard, click System > Certificates.
2. (Optional) Select a certificate and click Details to view its full details.

You successfully viewed the certificates that this installation of OMS has collected.

Certificate details:

♦ Certificate ID
♦ Asset type
♦ Asset ID
♦ State
♦ Issuing time
♦ SHA1 Fingerprint
♦ MD5 Fingerprint
♦ Asset name
♦ Last seen IP
♦ Last seen time

When a certificate arrives in the Rejected state, compare its SHA1 fingerprint with the Local certificate shown on the asset itself, over a channel other than the connection in question, before accepting it.

How to change the trust of a certificate

The trust of a certificate can be changed between trusted and rejected states. The certificate must remain trusted for communication to occur.

To change the trust of a certificate:

1. Starting in the dashboard, click System > Certificates.
2. Click a certificate to select it.
3. Click the change state icon and Yes to confirm.

You successfully changed the trust state of a certificate.

View the certificate details (page 14), such as the signature algorithm, to ensure it matches your expectations.

Certificates and how they are used

Certificates ensure secure communication between Observer Platform products. The certificates encrypt this communication and help you maintain the authenticity of device communication.

Certificates use public key infrastructure (PKI) to encrypt all product-to-product communication using the Transport Layer Security (TLS) cryptographic protocol. The communications that are encrypted include, but are not limited to:

♦ Probe instance redirections
♦ Capture data transfers
♦ Trending data transfers
♦ All other data transfers

Note: The initial handshake between Observer Platform products is not encrypted.

Understanding the Transport Layer Security (TLS) setting

OMS can ensure managed assets use no lower than a minimum version of TLS for network communication. For your security, assets do not establish network connections with any web browser or Observer Platform product that fails to negotiate this minimum TLS version or higher.

All managed assets attempt to negotiate network connections using TLS 1.2, regardless of your configured TLS minimum. However, if TLS 1.2 is not a cryptographic protocol that can be mutually negotiated, then the default behavior is for the client and host to negotiate the use of TLS 1.1 instead. If TLS 1.1 cannot be negotiated, this behavior continues and the client and host attempt to use TLS 1.0. This "fall back" is commonplace for web applications and is meant to ease network compatibility between devices and web services, but it is also what a protocol downgrade attack relies on: a malicious user or group can take advantage of this behavior to force a weaker version. Increasing the minimum TLS version makes the host less accommodating to client connections, but security is increased.

The TLS minimum applies to HTTPS sessions and asset-to-asset communication. This means all interaction with OMS or Apex through the web interface must be made using a web browser that supports the minimum TLS version or higher. This also affects browser-like applications like REST API clients and other software that can send and receive HTTPS requests, as these must meet the minimum TLS version or higher too. Likewise, as an example of asset-to-asset communication, network trending data transferred between a GigaStor system and Apex is protected at no less than the minimum TLS version, and TLS 1.2 is always attempted first. All communication between assets follows the web certificate trust model (page 14) that TLS is the basis of.

Note: The TLS setting does not change the security of your notification settings. All SNMP traps (page 79), Syslog messages (page 78), and email notifications (page 80) use their own security measures.

The minimum TLS setting does not set which TLS version gets used; instead, it determines which versions of TLS will never get used. Managed assets cannot establish a network connection with each other or with a web browser that does not meet the minimum TLS version or higher. Some example outcomes of your minimum TLS choice:

♦ If TLS 1.1 is set as the minimum version, then TLS 1.0 cannot be negotiated or used.
♦ If TLS 1.2 is set as the minimum version, then TLS 1.1 or TLS 1.0 cannot be negotiated or used.

Forcing a minimum TLS version helps mitigate security risks found in older TLS versions. Most of what causes older TLS versions to be more susceptible to cryptographic attack is the quality and implementation of the cipher suites available to that TLS version. A common way to exploit any cryptographic vulnerabilities is for a client to disable newer and safer TLS versions on their web browser, application, or device, in the hope that the host negotiates to a less secure version. By forcing a minimum TLS version, malicious users or groups wanting to connect to assets at a less secure TLS version simply cannot do so. These potentially less secure connections are not allowed.

Choosing a minimum of TLS 1.1 or TLS 1.2, while more secure, can interfere with specific older versions of assets. If you use an asset managed (page 40) by OMS that includes or is within versions v17.0.0.0 to v17.0.6.0, those assets will not be able to communicate with OMS or other managed assets unless TLS 1.0 is set as the minimum. It is recommended you upgrade these assets (page 50) to the latest available version if you want to set the minimum TLS version to TLS 1.1 or 1.2 successfully.

The TLS minimum setting is backwards compatible with v15 and v16 assets. Backwards compatibility is achieved because older OMS-managed assets that use a pre-shared key file (*.OEK) are neither positively nor negatively affected by the minimum TLS setting. These legacy assets continue to use the pre-shared OEK key file.

How to enforce a minimum TLS version

To ensure managed assets use no lower than a minimum version of TLS for network communication, you can set the minimum TLS version allowed. This setting is located in the Global Asset Policy.

To enforce a minimum TLS version across HTTPS and asset-to-asset communication:

1. Starting in the dashboard, click System > Settings.
2. In the System Settings pane, click Global Asset Policy.
3. Set Minimum TLS version allowed to a minimum version of TLS.

   Note: All communication must negotiate into using the minimum version of TLS or higher. If it cannot, then no network connection is made. This includes REST API requests and user access to OMS and Apex through a web browser.

   You might be prompted to confirm your choice depending on the TLS version you select.

4. Click the accept icon.

Assets now prohibit network connections that use a TLS version lower than the minimum TLS version allowed.
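To confirm that the minimum you just set is actually enforced, probe the OMS web interface from a client at each protocol version. The following is an added example, not from the OMS guide; the host name is an assumption. It uses .NET's SslStream so that one specific protocol version can be offered per attempt, and it deliberately skips certificate validation because only protocol negotiation is under test.

```powershell
# Added example (not from the OMS guide): offer exactly one TLS version per
# connection and record whether the OMS host accepts it. Versions below the
# configured minimum should be refused; the minimum and everything above it
# should be accepted. 'oms.example.internal' is an assumption.
function Test-TlsVersion {
    param(
        [string]$HostName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate: this probe tests protocol negotiation only.
        # Do not reuse this callback in anything that carries real traffic.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
            [pscustomobject]@{ Protocol = $Protocol; Negotiated = $ssl.SslProtocol; Accepted = $true; Error = $null }
        } catch {
            [pscustomobject]@{ Protocol = $Protocol; Negotiated = $null; Accepted = $false; Error = $_.Exception.Message }
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }
}

function Test-OmsMinimumTls {
    # $Minimum is the value set in Global Asset Policy, named as the .NET enum: Tls, Tls11 or Tls12.
    param([string]$HostName, [int]$Port = 443, [string]$Minimum = 'Tls12')
    $order   = 'Tls', 'Tls11', 'Tls12'   # TLS 1.0, 1.1, 1.2, weakest first
    $results = foreach ($p in $order) { Test-TlsVersion -HostName $HostName -Port $Port -Protocol $p }
    $minIndex = $order.IndexOf($Minimum)
    $enforced = $true
    for ($i = 0; $i -lt $order.Count; $i++) {
        $shouldAccept = ($i -ge $minIndex)
        if ($results[$i].Accepted -ne $shouldAccept) { $enforced = $false }
    }
    [pscustomobject]@{ HostName = $HostName; Minimum = $Minimum; PolicyEnforced = $enforced; Results = $results }
}

$report = Test-OmsMinimumTls -HostName 'oms.example.internal' -Minimum 'Tls12'   # assumption: your OMS host
$report.Results | Format-Table Protocol, Accepted, Negotiated, Error
"Minimum TLS policy enforced: $($report.PolicyEnforced)"
```

A version that is disabled on the probing client itself (for example TLS 1.0 turned off in SCHANNEL through Group Policy) also shows as refused, so run the probe from a client that still has all three versions enabled, or read the Error column to tell a client-side refusal from a server-side one.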

Web browser TLS compatibility chart

The minimum TLS setting affects user sessions through a web browser. You must use a browser compatible with at least your selected minimum TLS version, otherwise you will not be able to interact with your assets through the web browser.

Table 3. Web browser TLS compatibility

Web browser(1)           TLS 1.0   TLS 1.1   TLS 1.2   Considerations
Chrome 41 or higher      Yes       Yes       Yes       None
Firefox 36 or higher     Yes       Yes       Yes       None
Internet Explorer 10     Yes       No        No        Enable 1.1 and 1.2 (page 18)
Internet Explorer 11     Yes       Yes       Yes       None
Microsoft Edge           Yes       Yes       Yes       None

1. Only officially supported web browsers on supported operating systems are listed.

You may test the TLS compatibility of unsupported web browsers by visiting .


How to enable TLS 1.1 and 1.2 in IE10

Microsoft Internet Explorer 10 (IE10) does not support TLS 1.1 or 1.2 with its default settings. You must explicitly enable TLS 1.1 and TLS 1.2 when using the IE10 web browser.

Be aware that your institution might be controlling these settings with a Windows Group Policy. If so, you may be unable to change these settings, or they have been made for you and TLS 1.1 and/or TLS 1.2 are enabled.

To enable TLS 1.1 and 1.2 in IE10:

1. Starting in Internet Explorer 10, click Tools > Internet Options.

   The Tools menu can sometimes be seen as a gear icon.

2. Click the Advanced tab.
3. In the Security area, select Use TLS 1.1 and Use TLS 1.2.
4. Click OK to save your changes.

Microsoft Internet Explorer 10 is now able to negotiate TLS 1.1 and TLS 1.2 connections.

Chapter 2: Users and User Groups

Create user groups and accounts in OMS or import them from Active Directory, LDAP, RADIUS, or TACACS+. Also establish and enforce permission policies.

Understanding user accounts

A user account provides an individual a user name and password to connect to assets managed by OMS.

All users who want to access an asset managed by OMS must have a user account in OMS that is either verified locally with an internally-stored password or through a third-party authentication server. To use an asset or asset element:

♦ A user account must be verified. As an OMS administrator, you can choose to use a combination of locally and remotely authenticated user accounts in your environment.

♦ A user account must be a member of a user group to connect to any assets.

♦ A user group's permission policy determines the level of access to each asset, including no access.

♦ The asset or asset element must be in a user group to which the user account is also a member.

♦ A user account may be a member of zero, one, or more user groups.

Permissions are verified and constantly reverified whenever a user attempts an action (such as logging in, redirecting a probe, starting a packet capture, viewing a report, and so on). If the account has been disabled or deleted, the user is denied access.

    There are three types of users:

♦ Local user: User name and password are entered into and authenticated by OMS. Local users are easier to configure and manage for small teams who are not using third-party authentication servers or for groups in a lab or testing environment who want to remain separate from the wider enterprise for their testing.

♦ Remote user: User name and password are from and authenticated by a third-party authentication server. If you are adding more than a handful of users, we recommend these accounts be imported into OMS rather than manually added. If your organization has a large number of users to manage, you may want to choose to authenticate users remotely since it reduces your burden as an OMS administrator. It is also one less password each user must remember and maintain.

♦ admin: A special type of local user. It cannot be deleted or disabled nor does it need to be a member of any user groups. It has full access at all times. The default password is admin—this password is case-sensitive—and should be changed for your environment.

How to add new users

New users can either be manually added to an internal list or imported from third-party authentication systems.

Prerequisite(s):

Before adding a user, consider how you want the users to authenticate: locally using a user list maintained by OMS or remotely using a third-party authentication server. See Configuring how user accounts should authenticate (page 31).

There are two ways to get user accounts into OMS: you can add them using the process below or you can import them. See How to import users from third-party authentication servers. Choose the one that is best for you.

1. Starting in the dashboard, click Auth > Users.
2. Click the new icon and complete the fields using the information in User settings (page 20) if necessary.
3. Click User Groups. Listed are the available user groups. Adding a user to a user group is an easy drag-and-drop operation from the Available list to the Members of list.

   Note: If the user is not added to at least one user group, that user will not be able to log in or use any asset.

4. Click the accept icon.

The user account is created and now has access to any assets allowed by the user group.

User settings

The User settings control how and whether a user may log in and use an asset.

Username          If you imported users from a remote authentication server, this is automatically inserted.

                  The case-sensitive user name for this user.

                  Valid Input: Any character may be used, except for these five: " ' & > <

Description       Descriptions are optional and displayed in the Users table.

                  Consider a real name, or a department name if the user name is shared.

Email             Email addresses are optional and displayed in the Users table.

Login enabled     As an alternative to deletion, a user can be disabled.

                  Only enabled users may log in. The 'admin' user cannot be disabled.

Management type   Specifies if the user name and password of this user is maintained by a third-party authentication tool ('Authenticates Remotely') or by OMS ('Local User').

                  Local is selected by default unless explicitly changed.

Set password      Password to be used with the user name.

                  If you import users and change Management type to 'Local User,' this field appears to contain a password. In fact, it is blank and a password must be set manually either by you, as the OMS administrator, or by the user while in a session where you are logged on. As OMS administrator, you can provide users a password or have them type one themselves. To have users use their password from the remote authentication server, set Auth > Users > [User] > Management type to 'Authenticates Remotely.'

                  Valid Input: Any character may be used, except for these five: " ' & > <

How to disable a user

As an alternative to deleting a user account, you can disable it. A disabled user cannot log in or access any assets managed by OMS.

To disable a user:

1. Starting in the dashboard, click Auth > Users.
2. Select the user account to disable.
3. Clear Login enabled.
4. Click the accept icon.

The user may no longer access any assets.

How to enable a user

If a user is locked out of their OMS account or cannot access assets they normally can, the user account may have been disabled. With the correct permissions, you can re-enable a user account that was disabled.

To enable a user:

1. Starting in the dashboard, click Auth > Users.
2. Select the user account to enable.

   All disabled user accounts will show (disabled) near the name.

3. Select Login enabled.
4. Click the accept icon.

The user can now log in and access assets they have permission to access (page 45).


How to delete a user

You can delete a user account from the OMS internal list or remove access for a user if authentication is through LDAP, Active Directory, RADIUS, or TACACS+.

If the user account is from the OMS internal list, the user is deleted from OMS. If you get the user from LDAP, Active Directory, RADIUS, or TACACS+, the user is removed from OMS but remains active on those third-party authentication servers.

Tip! Instead of deleting the user, consider whether disabling the user is more appropriate for you. Some organizations require inactive accounts be maintained for auditing purposes. See How to disable a user (page 21).

1. Starting in the dashboard, click Auth > Users.
2. Select the user account to delete.
3. Click the garbage can icon.
4. Click Yes to confirm the deletion.

The user is deleted when the Deleted the user: pop-up appears on the screen. The user no longer has access to any assets managed by OMS.

How to change a user's password

Only users listed as 'Local User' may have their password changed. Users who authenticate remotely must change their password through the normal mechanism for the authentication server.

Prerequisite(s):

You must be a member of a user group that has an authorization policy that allows you Admin or Level One Edit rights to OMS > AAA > Users.

If a password has not been set or has been forgotten by either you or the user, it can be changed at any time without needing to know the original password.

To change the password:

1. Starting in the dashboard, click Auth > Users.
2. Select the user account to change.
3. Choose one:

   ● Have the user change their password. This would be done with both of you at the same system. If you are logged on at the user's system, be sure to log off before leaving.

     This choice prevents you as administrator from having knowledge of their password.

   ● Change the user's password and inform them of the new password.

     This choice is less secure since you will know what the password is and the user cannot change the password.

4. Click the accept icon.

   The user password is changed when the Saved user: pop-up appears on the screen.

5. If necessary, have the user log off and log on.

   This ensures the user has access to the features to which they have rights.

The password is changed.

Invalid login credentials or access denied

The message Invalid login credentials or access denied generally means exactly what it says; however, it can also mean that the user account is not a member of any group, which will prevent the user from being able to log in. Adding a user to a group or re-enabling the user may resolve the error.

A user can become "locked out" of accessing OMS and assets after five unsuccessful login attempts. The account is disabled for 10 minutes and a warning message is recorded in the OMS log.

Understanding user groups

OMS controls access to the assets it manages through user groups. Different groups have access to different assets or have different levels of access to the same asset. This access is controlled through the permission policy associated with the user group. Assigning permissions to a group rather than to each unique user makes maintenance for the OMS administrator much easier.

User groups are collections of users, asset groups, and single assets. By assigning a permission policy to the group, you control what access members of the group have.

OMS does not have a default user group. You must create at least one user group, associate a permission policy with it, and add users to the group before any user can access any assets managed by OMS.

User group permissions are additive. When a user is a member of multiple groups, the user is granted the least restrictive permissions. If a user is a member of multiple user groups and at least one of the user groups allows access to the feature, then that group's permissions are in effect for that feature. That means if one group has access to a feature and another group does not, any user who is a member of both groups is indeed granted access. A group can therefore only grant rights, never take them away: to restrict a user, remove the user from the group that grants the right rather than adding the user to a more restrictive group.

Some examples of groups you might create may be based on:

♦ Location—Suppose you want Pat to have full access to the local probes in Chicago, but not allow him to capture packets on probes located in the central office in New York. Create two asset groups ("Chicago Probes" and "New York Probes") and two user groups ("Admins" and "Operators"), each with the appropriate permission policy set. Add Pat to both user groups. By adding Admins (who have full permissions) to the access list for Chicago Probes, Pat is granted full access permission to any probe in the Chicago asset group. By adding Operators to the access list for New York Probes, Pat will have more restricted access to the New York probes.

♦ Employment status: internal vs. contractor—Suppose Pat is a contractor and you want contractors to have the ability to use the network trending, but not to administer the probe or set properties. Create two Authentication permission policies ("Employee Permissions" and "Contractor Permissions") and two user groups ("Employees" and "Contractors") with the appropriate permissions policy set. As a member of the Contractors user group, Pat will not be able to change a probe's properties but will be able to see how the network is performing based on statistical analysis of the packets through network trending.

♦ Responsibility: security team vs. network team—Suppose Pat is a network administrator. As a network administrator, Pat needs access to many things, but all security analysis and artifact and stream reconstruction is handled by the security team of which Pat is not a member. Create two Authentication permission policies ("Security Permissions" and "Network Admin Permissions") and two user groups ("Security Admins" and "Network Admins") with the appropriate permissions policy set. As a member of the 'Network Admins' user group, Pat will not be able to reconstruct any artifacts such as VoIP calls or viewed websites, but will be able to capture and analyze traffic from a probe.

♦ OMS role—Suppose Pat is an OMS administrator while Chris is not. As an OMS administrator, Pat has the ability to add users, change passwords, and other tasks. Meanwhile, Chris is a user of the Observer Platform who should not have the same rights as Pat. Create an 'OMS Admin' group and add Pat to it. Add Chris to the 'Observer Platform' group.
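The rules in this section (account must be enabled, user and asset must share a group, permissions are additive) are easy to misread, so here is a small model of them. The following is an added example, not part of the OMS guide or its software: the users, groups, assets and feature names are constructed to replay the Chicago/New York case above and to show the consequence of additive permissions when an asset is later added to a second group.

```powershell
# Added example (not from the OMS guide): a model of the documented access rules.
# All names below are constructed for the example.
$Users = @{
    pat   = @{ Enabled = $true }
    chris = @{ Enabled = $false }   # disabled account: denied everything regardless of groups
}
$Groups = @(
    @{ Name = 'Admins';    Members = @('pat');          Assets = @('Chicago Probes');  Policy = @{ capture = $true;  trending = $true } }
    @{ Name = 'Operators'; Members = @('pat', 'chris'); Assets = @('New York Probes'); Policy = @{ capture = $false; trending = $true } }
)

function Test-OmsAccess {
    param([string]$User, [string]$Asset, [string]$Feature)
    # 1. The account must exist and be enabled; the guide says this is re-checked on every action.
    if (-not $Users.ContainsKey($User) -or -not $Users[$User].Enabled) { return $false }
    # 2. The user and the asset must be in at least one common user group.
    $shared = @($Groups | Where-Object { $_.Members -contains $User -and $_.Assets -contains $Asset })
    if ($shared.Count -eq 0) { return $false }
    # 3. Additive: any shared group whose policy grants the feature is sufficient.
    foreach ($g in $shared) { if ($g.Policy[$Feature]) { return $true } }
    return $false
}

Test-OmsAccess pat   'Chicago Probes'  capture    # True:  Admins grants capture on Chicago
Test-OmsAccess pat   'New York Probes' capture    # False: only Operators covers New York, and it denies capture
Test-OmsAccess pat   'New York Probes' trending   # True:  Operators grants trending
Test-OmsAccess chris 'New York Probes' trending   # False: account disabled

# Pitfall: a restrictive group never takes a right away. Adding New York Probes
# to Admins as well gives Pat capture there even though Operators still denies it.
$Groups[0].Assets += 'New York Probes'
Test-OmsAccess pat   'New York Probes' capture    # True
```

The last call is the case to watch for in a real deployment: an asset that ends up in two groups is governed by the more permissive policy for every user who is in both.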

     

Figure 2: User Groups (diagram: Users, Asset Groups and Assets are collected into User Groups)

How to create a user group

User groups are very beneficial when you have a collection of users for which you want to regulate access to assets.

Tip! In Auth > AuthFlow, you can create a new user group by clicking the new icon.

1. Starting in the dashboard, click Auth > User Groups.
2. Click the new icon.
3. Type a Group name.

   Group names are case-sensitive. An effective group name is identifiable to other users.

   Valid Input: Any character may be used, except for these five: " ' & > <

How to add users to a user group

Tip! In Auth > AuthFlow, you can drag a user directly onto a group.

1. Starting in the dashboard, click Auth > User Groups.
2. Select the user group you want to update.
3. Click Users. Adding users is an easy drag-and-drop operation from the Available list to the Members list.
4. Click the accept icon.

The user is added and now has access to all assets in the group using the privileges set in the group's permission policy.

How to delete a user group

Deleting a user group removes access for all users in the group. The user accounts remain, though.

Tip! Instead of deleting the group, consider whether disabling the group is more appropriate for you. Some organizations require inactive accounts be maintained for auditing purposes.

1. Starting in the dashboard, click Auth > User Groups.
2. Select one by clicking a table row.
3. Click the garbage can icon.
4. Click Yes to confirm the deletion.

The group is deleted when the Deleted the group popup appears on the screen. All users in the group no longer have access to OMS or any assets unless they are a member of another group.

How to use LDAP groups as user groups

You can use LDAP groups directly as OMS user groups. This means OMS can, if configured, rely on the LDAP server for issuing memberships to user groups and extending access to assets.

Prerequisite(s):

These steps can only be followed if your authentication scheme (page 31) is set to LDAP and you have Bind DN and Bind password set. Also, if your institution uses a different authentication scheme than LDAP—such as RADIUS, Active Directory, or others—these steps cannot be followed.

By using LDAP groups as user groups (page 23), you are shifting all management of OMS user groups (only the groups you specify) to be handled directly from the LDAP server.

User groups imported using this method are just like other user groups, such as the user group being able to inherit an authorization policy and be granted access to assets (page 47). Also, you cannot make edits (page 27) to individual users imported through LDAP group synchronization. A small indicator in your users table shows you which users were imported through LDAP group synchronization and are therefore uneditable.

To use LDAP groups as user groups:

Note: Local OMS user groups can continue to be used regardless of these settings.

1. Starting in the dashboard, click Auth > Authentication.
2. In General Settings, click Authentication scheme > LDAP.
3. In the LDAP User Group Synchronization area, select Synchronize LDAP groups with OMS.

   More options appear immediately after the setting is enabled.

4. Set your preferred synchronization method in the Synchronization list.

   Periodic   Automatically synchronize with LDAP at recurring periods.
   Manual     Require manual synchronizations, and never synchronize automatically.


    Note: With either choice, you can always synchronize by clicking‘Synchronize Now’.

5. Configure the following settings:

   Synchronization Rate (hours): Required if Periodic
   Group DN: Optional
   Group filter: Required
   Group ID attribute: Optional
   Group name attribute: Required
   Group description attribute: Optional

   See LDAP settings (page 33) for detailed descriptions of each setting, or move the pointer over a setting name for in-app descriptions.

6. Click the accept icon.

The first synchronization occurs at this time. If your group attribute settings are correct and your filter query returned results, the returned results are now OMS user groups.

The results of this first synchronization, and every subsequent synchronization, appear in your event log (page 77). Two events are logged for each synchronization or periodic re-synchronization: one when it begins and one when it finishes. Also, one event is logged for each user added to or removed from a user group due to LDAP group membership changes.

Understanding user group synchronization with LDAP

User groups synchronized through LDAP have nearly identical behavior to “normal” user groups. However, the members of these groups are changeable from the LDAP server only.

LDAP group synchronization allows you to use your institution’s LDAP directory as the basis of some user groups. Because many LDAP directories include groups that are maintained by network access, geographical location, job responsibilities, and more, the LDAP directory is already controlling policy for your institution in a number of ways. By allowing OMS to synchronize with specific groups from the LDAP server, you can use the groups and their members just as if they were created natively in OMS.

User groups imported and synchronized from an LDAP server are usable like any other user group: they can inherit an authorization policy and be granted access to assets (page 47).

Members of an LDAP-synchronized user group are modifiable from the LDAP server only. Additions or removals of users from such a user group fully depend on the LDAP server. For example, the only way to remove a user from an LDAP user group in OMS is to remove the user from the LDAP group directly in LDAP.

The users that are imported as part of the LDAP group synchronization are not editable. Any properties those users might have, such as an email address, are dimmed and unavailable for edits, with the exception of enabling a user (page 49) and disabling a user (page 21). The reason LDAP-group users are uneditable after they are synchronized in OMS is that any edits made would be overwritten the next time a synchronization is performed.

Differences in LDAP synchronization modes

User group synchronization using LDAP groups can be performed automatically or manually. There are differences between the available modes.

Periodic synchronization means that every N hours (where N is configurable), OMS automatically sends your LDAP group filter query to the LDAP server and fetches its results. This keeps your LDAP-synchronized user groups perpetually synchronized in OMS. The synchronization rate determines how often this is done. For example, with a synchronization rate of 12 hours, up to 12 hours can elapse before a user addition or removal made on the LDAP server is reflected in OMS user groups, because the LDAP query executes only every 12 hours.

Manual synchronization means that OMS will not automatically send an LDAP query to synchronize the user groups. Each time you want to reflect user additions or removals that might have occurred on the LDAP server, you must log in to OMS and manually synchronize. This can cause user groups to become out-of-date with the LDAP server: a user removed from the LDAP group keeps the OMS access the group grants until the next synchronization. However, users will never be added to or removed from these user groups without an OMS administrator’s consent.

Regardless of your chosen synchronization mode, you can synchronize at any time by clicking Synchronize Now. The LDAP activity is recorded in the OMS event log.
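The synchronization behaviour described in this section, as an added Python example that is not part of OMS or of this guide. The search results are constructed inline (the attribute names cn, description and member, the group names and the user DNs are assumptions); map_groups applies the Group name and Group description attribute mapping, synchronize performs one run of the comparison and appends the begin, finish and per-user events the guide says appear in the event log, and visible_after shows the delay a Periodic rate introduces. What OMS does with a synchronized group that the filter no longer returns is not described in the guide; the code's choice there is marked as an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

T0 = datetime(2021, 1, 21)          # time of the first synchronization in this example
HOUR = timedelta(hours=1)

# Constructed search results, as an LDAP server might return them for a group
# filter such as (&(objectCategory=Group)(cn=USA-MIN-USERS-Net-*)). The attribute
# names cn, description and member are assumptions; OMS lets you choose them in
# the Group name / Group description attribute settings.
RESULTS_FIRST_SYNC = [
    {"cn": ["USA-MIN-USERS-Net-Administrators"],
     "description": ["Network administrators, Minneapolis"],
     "member": ["uid=alice,ou=People,dc=example,dc=com",
                "uid=bob,ou=People,dc=example,dc=com"]},
    {"cn": ["USA-MIN-USERS-Net-Operators"],
     "description": ["NOC shift staff"],
     "member": ["uid=carol,ou=People,dc=example,dc=com"]},
]
# The same query a day later: bob left the administrators, dave joined the operators.
RESULTS_SECOND_SYNC = [
    {"cn": ["USA-MIN-USERS-Net-Administrators"],
     "description": ["Network administrators, Minneapolis"],
     "member": ["uid=alice,ou=People,dc=example,dc=com"]},
    {"cn": ["USA-MIN-USERS-Net-Operators"],
     "description": ["NOC shift staff"],
     "member": ["uid=carol,ou=People,dc=example,dc=com",
                "uid=dave,ou=People,dc=example,dc=com"]},
]


@dataclass
class OmsUserGroup:
    name: str                        # from the Group name attribute (required)
    description: str = ""            # from the Group description attribute (optional)
    members: set = field(default_factory=set)
    ldap_synced: bool = True         # members are editable from LDAP only


def map_groups(results, name_attr="cn", desc_attr="description", member_attr="member"):
    """Turn the entries a group filter returned into OMS user groups."""
    groups = {}
    for entry in results:
        name = entry[name_attr][0]                  # mapped to Group Name
        desc = entry.get(desc_attr, [""])[0]        # mapped to Description
        groups[name] = OmsUserGroup(name, desc, set(entry.get(member_attr, [])))
    return groups


def synchronize(current, results, log, now):
    """One synchronization run. Returns the new group table and appends the events
    the guide describes: one at start, one at finish, one per user added or removed."""
    log.append((now, "LDAP group synchronization started"))
    fetched = map_groups(results)
    # Local (non-synchronized) groups are never touched by a synchronization.
    new_state = {n: g for n, g in current.items() if not g.ldap_synced}
    for name, grp in fetched.items():
        before = current[name].members if name in current else set()
        for dn in sorted(grp.members - before):
            log.append((now, f"added {dn} to user group {name}"))
        for dn in sorted(before - grp.members):
            log.append((now, f"removed {dn} from user group {name}"))
        new_state[name] = grp
    # Assumption: a synchronized group the filter no longer returns is dropped and
    # each of its members is logged as removed. The guide does not cover this case.
    for name, grp in current.items():
        if grp.ldap_synced and name not in fetched:
            for dn in sorted(grp.members):
                log.append((now, f"removed {dn} from user group {name}"))
    log.append((now, "LDAP group synchronization finished"))
    return new_state


def visible_after(change_time, last_sync, rate_hours):
    """With Periodic synchronization, the first run at or after a change made on the
    LDAP server; until that run OMS still shows the old membership."""
    t = last_sync
    while t < change_time:
        t += rate_hours * HOUR
    return t


if __name__ == "__main__":
    log = []
    state = synchronize({}, RESULTS_FIRST_SYNC, log, T0)
    state = synchronize(state, RESULTS_SECOND_SYNC, log, T0 + 24 * HOUR)
    for when, event in log:
        print(when.isoformat(), event)
    print("change at +3h with a 12-hour rate is visible at", visible_after(T0 + 3 * HOUR, T0, 12))
```

With Manual synchronization the second run simply never happens until an administrator clicks Synchronize Now, so bob keeps whatever assets the administrators group grants in OMS until then.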

Understanding authorization policies

Authorization policies provide a centralized way to configure and manage a set of authorizations that applies to a subset of users or groups for the Observer Platform.

There is a default authorization policy that is aptly named Default Policy. It allows full administrative access for all users to all applications and contains the default settings when creating new policies.

Note: Authorization policies differ from authentication schemes. Authorization policies control access to the Observer Platform but only after a user account has been authenticated (page 31). Authentication occurs either locally or with a third-party server.

An authorization policy must be selected when creating a user group (page 24). Authorization policies apply to a user group and never directly to an individual user.

How to create an authorization policy

Create new authorization policies when the Default Policy does not meet your needs, which is likely every situation except a proof of concept, since the Default Policy allows full access to everything.


    Note: An authorization policy can prohibit use of an asset or asset element(page 40), but the policy cannot hide the assets from being seen.

1. Starting in the dashboard, click Auth > Authorization.
2. Click the new icon.
3. Type a Policy Name.

   Names are case-insensitive. That means you cannot have two names that are the same except for upper- or lowercase spelling differences. For example, ‘Administrators’ and ‘administrators’ are considered identical.

4. Type a description.
5. For each setting in the policy, select the permission you want user groups to have.
6. Click Accept.

How to edit an authorization policy

Authorization policies can be edited at any time. Edit an authorization policy to affect the permissions of all user groups it is assigned to.

To edit an authorization policy:

1. Starting in the dashboard, click Auth > Authorization.
2. Select an authorization policy by clicking it.
3. Click the edit icon.
4. Make changes to the authorization policy.

   For descriptions of the available options, see Authorization list (page 30).

5. Click Accept.

You successfully edited an authorization policy. These changes take effect immediately on any user group currently assigned the authorization policy.

How to delete an authorization policy

Authorization policies can be deleted for any reason. Deleting an authorization policy causes the user groups it was assigned to use the Default Policy instead. Because the Default Policy allows full administrative access, check which user groups are assigned a policy before deleting it.

To delete an authorization policy:

1. Starting in the dashboard, click Auth > Authorization.
2. Select an authorization policy by clicking it.
3. Click the garbage can icon.
4. Click Yes to confirm the deletion.

The authorization policy has been deleted. Any user groups that were assigned the authorization policy will now use the Default Policy.

How to modify the default authorization policy

To affect the asset authorization of all user groups that are not specifically given an authorization policy, you can modify the Default Policy.


    By default, all user groups use Default Policy as an authorization policy unlessexplicitly changed.

    To modify the default authorization policy:

1. Starting in the dashboard, click Auth > Authorization.
2. Click Default Policy.
3. Click the edit icon.
4. Modify the default authorization policy. See Authorization list (page 30) for details about each option.
5. Click Accept.

Now, any user group that has Default Policy selected for its authorization policy is granted these authorizations.
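A small model of the policy rules in this section, as an added Python example and not OMS code: groups with no policy, or whose policy was deleted, resolve to the Default Policy, which grants full access; policy names collide case-insensitively; and an audit function lists the groups that currently end up with Admin/Full access to OMS, which is the check to run before deleting a policy. The policy field names and the rule that the Default Policy itself cannot be deleted are assumptions.

```python
from dataclasses import dataclass

DEFAULT_POLICY = "Default Policy"


@dataclass(frozen=True)
class AuthorizationPolicy:
    name: str
    oms_access: str      # "No Access", "System" or "Admin/Full", as in the Authorization list


class PolicyStore:
    def __init__(self):
        # The Default Policy exists from the start and allows full access (per the guide).
        self.policies = {DEFAULT_POLICY: AuthorizationPolicy(DEFAULT_POLICY, "Admin/Full")}
        self.group_policy = {}        # user group -> assigned policy name, or None

    def policy_name_taken(self, name):
        # Names are case-insensitive: 'Administrators' and 'administrators' are one name.
        return any(existing.lower() == name.lower() for existing in self.policies)

    def create_policy(self, policy):
        if self.policy_name_taken(policy.name):
            raise ValueError(f"policy name already in use: {policy.name!r}")
        self.policies[policy.name] = policy

    def assign_group(self, group, policy_name=DEFAULT_POLICY):
        """Every user group gets a policy; the Default Policy unless one is chosen."""
        if policy_name not in self.policies:
            raise KeyError(policy_name)
        self.group_policy[group] = policy_name

    def delete_policy(self, name):
        if name == DEFAULT_POLICY:    # assumption: the built-in policy is edited, not deleted
            raise ValueError("the Default Policy cannot be deleted")
        del self.policies[name]
        for group, assigned in self.group_policy.items():
            if assigned == name:
                self.group_policy[group] = None   # the group falls back to the Default Policy

    def effective_policy(self, group):
        assigned = self.group_policy.get(group)
        return self.policies.get(assigned) or self.policies[DEFAULT_POLICY]


def groups_with_full_oms_access(store):
    """Audit: the user groups that currently resolve to Admin/Full access to OMS."""
    return sorted(group for group in store.group_policy
                  if store.effective_policy(group).oms_access == "Admin/Full")


if __name__ == "__main__":
    store = PolicyStore()
    store.create_policy(AuthorizationPolicy("NOC-ReadOnly", "No Access"))
    store.assign_group("NOC", "NOC-ReadOnly")
    store.assign_group("Contractors")                 # never given its own policy
    print("full access before delete:", groups_with_full_oms_access(store))
    store.delete_policy("NOC-ReadOnly")
    print("full access after delete: ", groups_with_full_oms_access(store))
```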

Authorization list

The policy settings control the type of access a user group has. Use this information to configure an authorization policy.

Observer

♦ Administer—Grants users the ability to administer probes and probe instances.
♦ Log User Activity—Grants users the ability to view log file activity.
♦ Protocol Definitions—Grants users the ability to view protocol definitions.
♦ Redirect—Grants users the ability to change where a probe instance is connected.
♦ Shared Filters—Grants users the ability to modify filters marked as shared in Observer Analyzer.
♦ Artifact Reconstruction
  ● Reconstruct Stream—Controls whether HTML and other non-VoIP streams can be reconstructed.
  ● Voice and Video Playback—Controls whether VoIP content can be reconstructed.

Observer Apex

♦ No Access: Use of Apex is denied.
♦ User: User may create and use:
  ● Application Dependency Mapping
  ● Dashboards
  ● Execute dashboards
  ● Widgets
♦ System: Cannot use anything in User, but may
  ● Change options under System
  ● Use the log
  ● Connect to an Observer GigaStor
  ● Use a drill down
  ● Set and manage alarms
♦ Admin/Full: User and System access.

Observer Infrastructure

♦ Access Level—
  ● No Access: Use of Observer Infrastructure (OI) is denied.
  ● User: User may connect to device groups.
  ● System: User access, plus connect to device groups and view status and properties, edit device groups, and start/stop polling.
  ● Admin/Full: System access, plus create and delete device groups and routes, activate device groups, and edit maps.
♦ Web Reports—Grants users the ability to view reports in a web browser.

Observer Management Server

♦ Access Level—
  ● No Access: Use of OMS is denied.
  ● System: Allows the user the ability to change options under System.
  ● Admin/Full: System access, plus the ability to control (add, modify, delete): assets, asset groups, authentication, auto-adding assets and licenses, licenses, permissions, security, shared filters, shared protocols, updates, upgrades, users, and user groups.
♦ Auto-Add Asset & License—Grants users the ability to auto-add new assets to OMS plus license them if System > Settings is set to allow those.

How to configure how user accounts authenticate

Users are granted access after validating with OMS or a third-party authentication server like Active Directory, LDAP, RADIUS, or TACACS+.

Rather than maintaining separate user accounts on each asset, all assets on your network can query OMS to authenticate users. OMS can do it using an internally stored list of users and their passwords or forward the authentication request to a third-party authentication server.

1. Starting in the dashboard, click Auth > Authentication.
2. In the Authentication Scheme list, choose:
   ● Active Directory and configure the Active Directory settings (page 32).
   ● LDAP and configure the LDAP settings (page 33).
   ● Local and configure the list of users and passwords manually.
   ● RADIUS and configure the RADIUS settings (page 36).
   ● TACACS+ and configure the TACACS+ settings (page 38).
3. Click the accept icon.

Active Directory settings

Use the information to assist you when configuring the Authentication to use Active Directory.

Authentication scheme
    The system or service for managing user names, passwords, groups, and authentication.
    Local: Exclusively managed within this system.
    LDAP: Any LDAP directory service (do not select for configuring Windows Active Directory).
    Active Directory: Windows Active Directory service.
    RADIUS: RADIUS authentication server.
    TACACS+: TACACS+ authentication server.

Default User Group
    Any end user who is not assigned to a user group is automatically placed into the group chosen from this list and given the permissions it grants. The default is None.
    If set to None, any user attempting to log in must already exist in the Users table before any authentication attempt to the third-party authentication server is made. If the attempting user does not exist in the Users table, they are always denied and no authentication attempt is made.
    If a group is chosen, every account the third-party server authenticates is admitted with that group's authorization policy, so choose a group whose policy grants only the access such users need.

Enable Session Timeout
    If selected, user sessions terminate after N minutes of inactivity. This minimizes the chances of an unattended user session being hijacked.

Session Timeout (Minutes)
    Sets the duration of user inactivity before a session terminates.
    Valid Input: The default is 0, which means that the session never times out.

Cache authentications (Minutes)
    Sets how long, in minutes, successful authentications are cached. This reduces the frequency of authentication requests made to the third-party authentication server. While an authentication is cached, a password change or account disablement on the third-party server is not seen for that user until the cached entry expires.

Server
    The host address of the Active Directory server.
    Valid Input: Valid addresses include IPv4, IPv6, or DNS name.

Port
    The port number of the Active Directory server. The default is 389.

Version
    The protocol version of LDAP the Active Directory host uses.

Connection security
    The security type for authenticating and encrypting connections. Without connection security, the Bind password and the user passwords sent in simple bind requests cross the network in clear text.

Base DN
    The Base Distinguished Name is the point in the directory tree from which users are verified. This might be the root or some place lower in the tree to limit the number of users returned. Required.
    Example: dc=networkinstruments,dc=com
    Administrators should find the Base DN directly from the Active Directory server to ensure accuracy.

Domain
    The parent domain name. A fully-qualified domain name (FQDN) does not need to be specified.

Bind DN
    The Bind Distinguished Name is required for importing user accounts from the Active Directory server.
    The Bind DN user account needs domain user privileges, and administrators should find a suitable Bind DN directly from the Active Directory server to ensure accuracy.

Bind password
    The password of the Bind DN.

Timeout in seconds
    The duration (in seconds) a connection attempt waits before aborting. The default is 10.
    A connection retry attempt is made if this value elapses.
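How the Default User Group, Cache authentications and Session Timeout settings interact at login, as an added Python example rather than OMS code. The directory is a constructed stand-in for the third-party server, the salted-hash cache and the meaning of a cache value of 0 are assumptions, and minute counters replace a real clock. It shows that an unknown user is denied without any request to the directory when Default User Group is None, that an unknown user is placed in the chosen group otherwise, and that a cached authentication keeps working after the directory-side password has changed until the cache entry expires.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthSettings:
    default_user_group: Optional[str] = None   # None: user must already be in the Users table
    cache_minutes: int = 0                     # assumption: 0 means successes are not cached
    enable_session_timeout: bool = False
    session_timeout_minutes: int = 0           # 0: the session never times out


class FakeDirectory:
    """Constructed stand-in for the Active Directory / LDAP / RADIUS server."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)   # username -> password
        self.requests = 0                # how many times OMS actually asked

    def authenticate(self, username, password):
        self.requests += 1
        return self.accounts.get(username) == password


class Oms:
    def __init__(self, settings, users, directory):
        self.settings = settings
        self.users = dict(users)         # the Users table: username -> user group
        self.directory = directory
        self._cache = {}                 # username -> (salt, digest, expires_at_minute)

    def login(self, username, password, now_minutes):
        """Returns the user's group on success, None when denied."""
        if username not in self.users and self.settings.default_user_group is None:
            return None   # denied before any request reaches the third-party server
        if not self._cached_ok(username, password, now_minutes):
            if not self.directory.authenticate(username, password):
                return None
            self._remember(username, password, now_minutes)
        # A previously unknown user is placed into the Default User Group.
        return self.users.setdefault(username, self.settings.default_user_group)

    def _remember(self, username, password, now_minutes):
        if self.settings.cache_minutes <= 0:
            return
        salt = secrets.token_bytes(16)   # never keep the password itself in the cache
        digest = hashlib.sha256(salt + password.encode()).digest()
        self._cache[username] = (salt, digest, now_minutes + self.settings.cache_minutes)

    def _cached_ok(self, username, password, now_minutes):
        entry = self._cache.get(username)
        if entry is None:
            return False
        salt, digest, expires = entry
        if now_minutes >= expires:
            del self._cache[username]    # expired: the directory is consulted again
            return False
        return hmac.compare_digest(digest, hashlib.sha256(salt + password.encode()).digest())

    def session_expired(self, last_activity_minutes, now_minutes):
        s = self.settings
        if not s.enable_session_timeout or s.session_timeout_minutes <= 0:
            return False
        return now_minutes - last_activity_minutes >= s.session_timeout_minutes


if __name__ == "__main__":
    directory = FakeDirectory({"alice": "pw-a", "mallory": "pw-m"})
    oms = Oms(AuthSettings(cache_minutes=10), {"alice": "Net-Administrators"}, directory)
    print("unknown user, no default group:", oms.login("mallory", "pw-m", 0), directory.requests)
    print("alice:", oms.login("alice", "pw-a", 0), directory.requests)
    directory.accounts["alice"] = "pw-new"        # password changed on the directory
    print("old password while cached:", oms.login("alice", "pw-a", 9))
    print("old password after expiry:", oms.login("alice", "pw-a", 10))
```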

LDAP settings

Use the information to assist you when configuring the Authentication to use LDAP.

The Authentication scheme, Default User Group, Enable Session Timeout, Session Timeout (Minutes), and Cache authentications (Minutes) settings are the same as described in Active Directory settings (page 32).

Server
    The host address of the LDAP server. Required.
    Valid Input: Valid addresses include IPv4, IPv6, or DNS name.

Port
    The port number accepting connections to the LDAP server. The default is 389.

Version
    The LDAP protocol version the LDAP server uses.

Connection security
    The security type for authenticating and encrypting connections. Without connection security, the Bind password and the user passwords sent in simple bind requests cross the network in clear text.

Base DN
    The Base Distinguished Name is the point in the directory tree from which users are verified. This might be the root or some place lower in the tree to limit the number of users returned. Required.
    Example: dc=networkinstruments,dc=com
    Administrators should find the Base DN directly from the LDAP server to ensure accuracy.

Bind DN
    The Bind Distinguished Name (Bind DN) is required for importing user accounts from the LDAP server.
    The Bind DN user account needs domain user privileges, and administrators should find a suitable Bind DN directly from the LDAP server to ensure accuracy.

Bind password
    The password of the user set in Bind DN.

Timeout in seconds
    The duration a connection attempt waits before aborting.
    A connection retry attempt is made if this value elapses.

Synchronize LDAP groups with OMS
    If selected, specified LDAP groups are brought directly into OMS as dynamic user groups. Any addition or removal of users in an underlying LDAP group will affect the OMS user group in the same manner.
    You must designate which LDAP groups are used for this purpose by writing an LDAP query in Group filter.

Synchronization
    LDAP group synchronization can be performed automatically or manually.
    Periodic: Automatically synchronize with LDAP at recurring periods.
    Manual: Require manual synchronizations, and never synchronize automatically.
    With either choice, you can always synchronize by clicking ‘Synchronize Now’.

Synchronization Rate (hours)
    Sets how frequently OMS synchronizes with the LDAP server, in hours.
    Each synchronization, OMS refreshes imported LDAP groups with any user additions and removals that occurred on the LDAP server during that time.
    Valid Input: Valid values are 1-24.


Group DN
    The Distinguished Name of the point in the directory tree under which groups are contained. This might be the beginning of all groups or some place lower in the tree to limit the number of groups returned.
    Example: ou=MIN,ou=USA,ou=UserGroups -or- ou=Groups,ou=Security

Group filter
    The full LDAP query that determines which LDAP groups are imported and synchronized as OMS user groups. LDAP groups that are returned by your query become OMS user groups.
    Example: (&(objectCategory=Group)(cn=USA-MIN-USERS-Net-Administrators))
    Valid Input: The maximum number of characters is 16383.

Group ID attribute
    The attribute in which the ID for each group is stored. If no group ID attribute is provided, then IDs are created automatically.
    Example: uidNumber -or- objectGUID

Group name attribute
    The attribute in which the desired group name for each group is stored. Required.
    When synchronizing groups, the value in this attribute is mapped to the Group Name field in the User Groups table.
    Example: cn -or- displayName

Group description attribute
    The attribute in which the desired description for each group is stored. The value is an attribute name, not a filter.
    When synchronizing groups, the value in this attribute is mapped to the Description field in the User Groups table.
    Example: description

User DN
    The User Distinguished Name (DN) is the user that authenticates to the LDAP tree using a bind request. This user should have access to search all or part of the LDAP directory tree. If left blank, an anonymous bind request is used.
    Use a User DN if:
    ♦ Your LDAP installation does not support anonymous bind, and you do not want to save a Bind DN and password.
    ♦ You have a fairly simple LDAP hierarchy and want to skip the initial search for users.
    ♦ You want to restrict who can log on. This is done through the Base DN.
    ♦ The Bind DN is different from where the user object is located.

User filter
    The user filter restricts who may use the Observer Platform. The filter limits what part of the LDAP tree is used to validate user accounts so that OMS does not have large lists of users who do not require access to the Observer Platform. Required.
    Example: (&(objectClass=person)(uid=$1)) finds all entries with an objectClass of 'person' where the uid matches the name the user logs in with (represented by $1), including 'anonymous.'
    Valid Input: The maximum number of characters is 16383.

User ID attribute
    The name of the attribute in which the user ID for each user is stored. If no user ID attribute is provided, then IDs are created sequentially starting with 90000000.

Username attribute
    The name of the attribute in which the user name for each user is stored. Required. This is used primarily when importing users. When importing users, values in the uid attribute are mapped to the Username field for display in the Users list.

User description attribute
    The name of the attribute in which the description for each user is stored. This is used primarily when importing users. When importing users, values in the displayName attribute are mapped to the Description field for display in the Users list.
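The $1 substitution in the User filter, as an added Python example that is not OMS code. The guide does not say how OMS escapes the login name before substituting it into the filter, so the escaping shown is what any safe implementation must do (RFC 4515), and the template is the guide's own example. The unsafe builder is included only for contrast, the tiny filter scanner only to make the structural difference visible, and escape_dn_value goes one step beyond the text to show that a User DN template built from the login name needs different (RFC 4514) escaping.

```python
def escape_filter_value(value):
    """RFC 4515 escaping for a value inside an LDAP search filter: the characters
    that carry structure (parentheses, *, backslash, NUL) become \\xx hex escapes."""
    out = []
    for ch in value:
        if ch in '*()\\\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def build_user_filter(template, login_name):
    """Substitute $1 as the guide's User filter example expects, with the login name escaped."""
    return template.replace('$1', escape_filter_value(login_name))


def build_user_filter_unsafe(template, login_name):
    """The same substitution without escaping; shown only to contrast with the safe builder."""
    return template.replace('$1', login_name)


def assertions(filter_text):
    """Minimal scan of a filter: its (attribute, value) assertions in order.
    Enough for the simple filters used here; not a full RFC 4515 parser."""
    found, i = [], 0
    while i < len(filter_text):
        if filter_text[i] == '(' and i + 1 < len(filter_text) and filter_text[i + 1] not in '&|!':
            close = filter_text.index(')', i)
            attr, _, value = filter_text[i + 1:close].partition('=')
            found.append((attr, value))
            i = close
        i += 1
    return found


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value inside a DN, e.g. a User DN template
    such as uid=$1,ou=People,dc=example,dc=com (an assumed template). The rules
    differ from filter escaping: special characters are backslash-prefixed, and a
    leading '#' or leading/trailing space is escaped as well."""
    out = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append('\\' + ch)
        elif ch == '#' and idx == 0:
            out.append('\\#')
        elif ch == ' ' and idx in (0, last):
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


if __name__ == "__main__":
    template = '(&(objectClass=person)(uid=$1))'
    hostile = '*)(uid=*'                   # a constructed login name that tries to widen the match
    print(build_user_filter_unsafe(template, hostile), assertions(build_user_filter_unsafe(template, hostile)))
    print(build_user_filter(template, hostile), assertions(build_user_filter(template, hostile)))
    print(escape_dn_value('Smith, John'))
```

Unescaped, the hostile login name turns the guide's filter into one that asserts uid=* twice and matches every person entry; escaped, the whole string is one literal uid value that matches nothing.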

Understanding how OMS authenticates with LDAP

OMS authenticates with the LDAP server when a bind request is accepted.

To authenticate with the LDAP server, the following steps are performed for a bind request:

     

RADIUS settings

Use the information to assist you when configuring the Authentication to use RADIUS.

You can use your RADIUS server to authenticate users, but you cannot import a list of users from it. You can, however, manually enter them or get a list of users from your domain server and then switch the authentication type.

You define primary and secondary RADIUS servers. Refer to the documentation of your third-party RADIUS server for more details. Choosing RADIUS authentication requires you to enter the IP address of the RADIUS server, along with a "shared secret" that matches a secret on the RADIUS server.

The Authentication scheme, Default User Group, Enable Session Timeout, Session Timeout (Minutes), and Cache authentications (Minutes) settings are the same as described in Active Directory settings (page 32).

Shared secret
    Providing the shared secret, a text string, is necessary for authenticating with the RADIUS host.

Authentication type
    The authentication method of the server(s) must be specified.

    S