AppDynamics for Databases

2.9.x Documentation

If you run AppDynamics for Databases on a publicly accessible server, or if you'd like to lock down its usage internally, then the simplest solution is to protect access to the UI with a username and password. You can set up basic security, which is best for an environment where very few users will have access to the AppDynamics for Databases GUI, or you can integrate AppDynamics for Databases with your LDAP server to grant many users and groups access.

Setup Basic Security

AppDynamics for Databases has three predefined users:

  • admin: The administrator has the permissions of all three security role resources: Administration Access, Read-Only Access, and masterUser Access. The default password for the admin user is "admin".
  • readonly: The readonly user has the permissions of only the Read-Only Access Role. The default password for the readonly user is "readonly".
  • master: The master user has the permissions of the appd4db-admin role. The default password for the master user is "welcome".

AppDynamics for Databases has three predefined security role resources:

  • Administration Access: Provides total control over AppDynamics for Databases. Users created with this role can perform all functions. The default role name for the Administration Access security role resource is "admin".
  • Read-Only Access: Provides read-only access to AppDynamics for Databases. Users created with this role cannot add collectors or licenses, or create alerts. This user has access to all the database, server, and NetApp activity pages and reports. The default role name for the Read-Only Access security role resource is "readonly".
  • masterUser Access: Provides access only to the Security Setup page, where the master user can modify passwords for basic authentication, modify security role names, and change the LDAP/Active Directory configuration. The default role name for the Read-Only Access security role resource is "readonly".

Note: The role name in the Security Roles section has to match an LDAP Group that the LDAP user belongs to.  For example, if I log into AppDynamics for Databases with user = "Bob" and "Bob" belongs to the LDAP group "AppD4DB-readonly" then the name "AppD4DB-readonly" has to be a role name within one of the Security Roles.

These users and roles are initially configured in <AppD4DB install dir>\apache-tomcat\conf\tomcat-users.xml and <AppDInstallDir>\apache-tomcat\conf\web.xml, respectively. Passwords are encrypted. You can change the passwords and role names on the AppDynamics for Databases Security window.

tomcat-users.xml
<tomcat-users>
<role rolename="admin"/>
<role rolename="readonly"/>
<role rolename="appd4db-admin"/>
<user password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" roles="admin,readonly,appd4db-admin" username="admin"/>
<user password="8171bacf32668a8f44b90087ad107ed63170f57154763ba7e44047bf9e5a7be3" roles="readonly" username="readonly"/>
<user password="280d44ab1e9f79b5cce2dd4f58f5fe91f0fbacdac9f7447dffc318ceb79f2d02" roles="appd4db-admin" username="master"/>
</tomcat-users>

Note: Do not change the contents of tomcat-users.xml.
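
A check for the predefined accounts described above, as an added example that is not part of the AppDynamics documentation: it flags entries in tomcat-users.xml whose stored value still matches a documented default password. It assumes the stored values are unsalted SHA-256 hex digests, which holds for the admin entry listed above; audit_tomcat_users and the sample file contents are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

# Default passwords this page documents for the three predefined users.
DOCUMENTED_DEFAULTS = {"admin": "admin", "readonly": "readonly", "master": "welcome"}


def sha256_hex(text):
    # Assumption: stored values are unsalted SHA-256 hex digests of the password.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_tomcat_users(xml_text):
    """Return (username, roles, reason) for each account with a guessable password."""
    known = {sha256_hex(pw): owner for owner, pw in DOCUMENTED_DEFAULTS.items()}
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # tolerate a namespaced file
            continue
        name = el.get("username", "")
        stored = el.get("password", "").lower()
        roles = el.get("roles", "").split(",")
        if stored in known:
            findings.append((name, roles, f"documented default of '{known[stored]}'"))
        elif stored == sha256_hex(name):
            findings.append((name, roles, "password equals username"))
        elif len(stored) != 64 or set(stored) - set("0123456789abcdef"):
            findings.append((name, roles, "not a 64-hex-digit digest"))
    return findings


# Constructed sample: the admin digest is the one listed on this page; the other
# two stand for passwords that were changed on the Security window.
SAMPLE = f"""<tomcat-users>
<role rolename="admin"/>
<role rolename="readonly"/>
<role rolename="appd4db-admin"/>
<user password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" roles="admin,readonly,appd4db-admin" username="admin"/>
<user password="{sha256_hex('constructed-passphrase-1')}" roles="readonly" username="readonly"/>
<user password="{sha256_hex('master')}" roles="appd4db-admin" username="master"/>
</tomcat-users>"""

if __name__ == "__main__":
    for name, roles, reason in audit_tomcat_users(SAMPLE):
        print(f"{name:10} roles={','.join(roles):32} {reason}")
```

The script only reads the file, so it does not conflict with the note above about leaving tomcat-users.xml unchanged; any account it reports should have its password changed on the Security window.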

Implement authentication

  1. At the bottom of <AppD4DB install directory>\apache-tomcat\conf\web.xml, look for the following code:
    Note: Do not change the contents of web.xml except as instructed below.
  2. Insert a closing XML comment tag after "Password protect AppDynamics for Database pages". The closing XML comment tag is "-->".
  3. Remove the closing XML comment tag before "</web-app>". The closing XML comment tag is "-->".
  4. Save the file and then restart the AppDynamics for Databases UI service.
    • Windows: Go to the Windows services manager and restart "DBTuna GUI".
    • Linux: From the AppDynamics for Databases install directory, run the stop.sh script followed by the start.sh script. 
  5. In a browser, go to the security page. For example, http://<hostname>:8090/security.
    The following dialog appears, where you can set up basic security or enable LDAP/Active Directory Service integration for AppDynamics for Databases:
  6. Enter the passwords for the admin and readonly users and then click Modify Password.
    To change the password of a user, enter the password twice in the boxes provided and then click Modify Password.
  7. You can change the role name of any of the security role resources by entering the new Role Name and then clicking Modify Role Name.

When you have security enabled, users must enter the security credentials to access the AppDynamics for Databases GUI. The appearance of the logon dialog differs depending on the browser used to access the AppDynamics for Databases GUI. The following is the logon dialog as it appears in Windows Internet Explorer 9.

If you enter the wrong username/password combination, the uncompleted logon dialog reappears so you can re-enter your credentials.  

If you try to access a page not accessible to the role to which your username has been assigned, you will receive a security violation error.

Setup LDAP/Active Directory Integration

When LDAP/Active Directory is integrated, your LDAP and Active Directory users matching the filters defined in this section will be granted AppDynamics for Databases permissions.

Prerequisite: Setup Basic Security

  1. Open <AppD4DB install directory>\apache-tomcat\conf\server.xml, locate the line beginning with <!--Realm adCompat...  and remove the comment tags from the beginning and end of that line.
  2. Save the file and then restart the AppDynamics for Databases UI service.
    • Windows: Go to the Windows services manager and restart "DBTuna GUI".
    • Linux: From the AppDynamics for Databases install directory, run the stop.sh script followed by the start.sh script.
  3. In a browser, go to the security page. For example, http://<hostname>:8090/security.
  4. Scroll down the Security Setup window to the following sections, complete them, and then click Save Config to integrate your LDAP or Active Directory Service server with AppDynamics for Databases.

To complete the fields in the LDAP/Active Directory Authentication section

Your LDAP/Active Directory server administrator should provide you with the values you need to complete this section.

The following helps you understand the requirements of each property name field of the LDAP/Active Directory Authentication section:

  • masterUsername: The AppDynamics for Databases user name of the master user or of an administrator. 
  • masterPassword: The password for the master user.
  • connectionName: The user name AppDynamics for Databases uses to log on to the LDAP or Active Directory server.
  • connectionPassword: The password for the user AppDynamics for Databases uses to log on to the LDAP or Active Directory server.
  • connectionURL: The URL of the LDAP or Active Directory server.
  • userBase: The starting point for the search for users in the LDAP directory tree. This is referred to as the distinguished name. You can specify the search base using the following comma-separated objects, which are not case-sensitive:
    • CN: common name
    • OU: organizational unit
    • O: organization
    • C: country
    • DC: domain
  • userSubtree: Set this value to "true" to search through the entire user subtree.
  • roleSearch: The filter to use for searching groups.
  • roleName: The name of the role.
  • roleSubtree: Set this value to "true" to search through the entire role subtree.
  • roleBase: The starting point for the search for roles.

Enable Authentication Tracking

To log failed and successful logon attempts, add the following code to the end of <AppD4DB install directory>\conf\logging.properties.

logging.properties
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true

Monitor Access Attempts

You can check successful and unsuccessful attempts to log on to the AppDynamics for Databases UI in the catalina.<date>.log file located in <AppD4DB Install directory>\apache-tomcat\logs. The contents of this file can help you determine whether you have correctly configured the LDAP/Active Directory settings; if the user cannot log on, their logon attempts will show in this file.
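
One way to review the logon attempts described above, as an added example that is not part of the AppDynamics documentation. It assumes the realm messages read "Username <name> [NOT] successfully authenticated" (Tomcat's wording; confirm it against your own catalina.<date>.log); summarize_logons, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: with the realm logger at ALL, each attempt produces a message of
# the form "Username <name> [NOT] successfully authenticated".
ATTEMPT = re.compile(
    r"Username \[?(?P<user>.+?)\]? (?P<failed>NOT )?successfully authenticated")

# Constructed sample in the two-line java.util.logging layout; not real log data.
SAMPLE_LOG = """\
Mar 03, 2014 9:14:02 AM org.apache.catalina.realm.RealmBase authenticate
FINEST: Username bob NOT successfully authenticated
Mar 03, 2014 9:15:40 AM org.apache.catalina.realm.RealmBase authenticate
FINEST: Username admin NOT successfully authenticated
Mar 03, 2014 9:15:41 AM org.apache.catalina.realm.RealmBase authenticate
FINEST: Username admin NOT successfully authenticated
Mar 03, 2014 9:15:45 AM org.apache.catalina.realm.RealmBase authenticate
FINEST: Username alice successfully authenticated
Mar 03, 2014 9:15:47 AM org.apache.catalina.realm.RealmBase authenticate
FINEST: Username admin NOT successfully authenticated
Mar 03, 2014 9:15:52 AM org.apache.catalina.realm.RealmBase authenticate
FINEST: Username admin successfully authenticated
"""


def summarize_logons(log_text, threshold=3):
    """Return (failures, successes, alerts) from realm authentication messages."""
    failures, successes, streak = Counter(), Counter(), Counter()
    alerts = []
    for line in log_text.splitlines():
        match = ATTEMPT.search(line)
        if not match:
            continue
        user = match["user"]
        if match["failed"]:
            failures[user] += 1
            streak[user] += 1  # consecutive failures since the last success
            if streak[user] == threshold:
                alerts.append((user, "repeated failures"))
        else:
            successes[user] += 1
            if streak[user] >= threshold:
                alerts.append((user, "success after repeated failures"))
            streak[user] = 0
    return dict(failures), dict(successes), alerts


if __name__ == "__main__":
    print(summarize_logons(SAMPLE_LOG))
```

A user who appears only under failures while testing the LDAP/Active Directory settings is the case the paragraph above describes; a success that follows a run of failures on a predefined account such as admin deserves a closer look.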


10 Comments

  1. Unknown User (cnelson2@lifetimefitness.com)

    When I view the security page the LDAP/Active Directory Authentication section says "Not Active". I am presented no other options to enable or configure LDAP/AD.

    1. Hi Chevis,

      LDAP integration is supported in AppD4DB 2.7.4 and higher. Make sure you have followed the directions in "To implement authentication:", above, including restarting the UI service, and then go to the security page and scroll down. You should be able to see it.

      Cheers,
      Jacquie

      1. Unknown User (cnelson2@lifetimefitness.com)

        I appreciate the response but this is exactly what I have already done. I am running build 2.7.5. The web.xml as shown above lists the auth-method as BASIC. I would think this should be set to Active Directory (though that isn't it as I tried) or LDAP to enable those authentication methods. 

        Regardless, I am still stuck with "Not Active" for LDAP/Active Directory Authentication. 

        I do have basic authentication enabled and have been restarting the GUI whenever I make another guess at how this should be configured.

        1. Hi Chevis,

          I've escalated this issue to the subject matter expert to ensure the directions are correct.  We'll get back to you as soon as possible. 

          Regards,

          Jacquie

  2. Hi Chevis,

    Please can you edit the (install dir)/apache-tomcat/conf/server.xml and remove the XML comment tags from the start and end of line 120 (the line beginning <Realm adCompat="true"), then re-start the GUI via either the stop.sh/start.sh script if on Linux or via the "DBTuna GUI" windows service if on Windows.

    Thanks,

    Ian

    1. Unknown User (cnelson2@lifetimefitness.com)

      That did the trick! I am now presented options to configure LDAP/Active Directory Authentication.

      Appreciate the assistance!

      1. Our pleasure!  Thanks for helping us improve the documentation.

        Cheers,

        Jacquie

  3. We just found out that the role name in the Security Roles section has to match an LDAP Group that the LDAP user belongs to.  We were lucky that we had an LDAP administrator work with us that could see what was being passed back to AppD4DB when we tried LDAP authentications.

    For example, if I log into AppD4DB with user = "Bob" and "Bob" belongs to the LDAP group "AppD4DB-readonly" then the name "AppD4DB-readonly" has to be a role name within one of the Security Roles.  

     

    1. Thanks Jack. I've updated this doc with the information you provided.

      Best regards,

      Jacquie

  4. Thanks Jacquie.