Chapter 2. Appliance Security
2.1. Setting the Password for the Administrative User
Red Hat CloudForms uses a unique admin user to control all functions in the web-based user interface. After installing the appliance, change the default password of the admin user to restrict administrative access to the appliance's UI.
Changing the admin password uses the same process as changing the password of any standard user in the appliance.
- Access the appliance through your web browser and log in.
- Navigate to → .
- In the accordion tree on the left, click on Access Control, then select the Administrator under the Users section. This displays the details for the admin user.
- On the details page, select → from the toolbar.
- Enter a new password in the Change Password / Confirm Password fields.
- Click Save at the bottom of the page.
- Log out of the user interface.
- Test your new password by logging into the user interface. Additionally, test your new password in the appliance console.
The Red Hat CloudForms appliance now has a non-default admin password. This restricts access to your appliance’s administrative functions.
2.2. Configuring Host-Based Access Control Rules on your IPA Server
Red Hat CloudForms supports external authentication using an IPA server. However, certain steps are recommended to enhance the security of your appliance, such as creating a specific user group and host group that can access the appliance authentication service.
Run the following steps on your IPA server:
Create a user group and restrict access to only the Red Hat CloudForms users:
[root@ipa ~]# ipa group-add {productname_short_l}_users --desc="{productname_short_l} Users"
[root@ipa ~]# ipa group-add-member {productname_short_l}_users --users=testuser1,testuser2
Create a host group and restrict access to your appliance hosts:
[root@ipa ~]# ipa hostgroup-add {productname_short_l}_hosts --desc "Red Hat CloudForms hosts"
[root@ipa ~]# ipa hostgroup-add-member {productname_short_l}_hosts --hosts=appliance1.example.com,appliance2.example.com
Add rules to allow the host group and user group access to the Red Hat CloudForms HTTP service:
[root@ipa ~]# ipa hbacrule-add {productname_short_l}_access --srchostcat=all
[root@ipa ~]# ipa hbacrule-add-service {productname_short_l}_access --hbacsvcs httpd-auth
[root@ipa ~]# ipa hbacrule-add-user {productname_short_l}_access --groups {productname_short_l}_users
[root@ipa ~]# ipa hbacrule-add-host {productname_short_l}_access --hostgroups {productname_short_l}_hosts
Disable the default rule on your IPA server that allows access to all:
[root@ipa ~]# ipa hbacrule-disable allow_all
This ensures only users in the {productname_short_l}_users group can access the authentication service (httpd-auth) on the appliances in the {productname_short_l}_hosts host group.
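To confirm the resulting policy, the output of `ipa hbactest` can be reduced to a verdict and compared with the rule that is expected to grant access. The following is an added example, not part of the Red Hat documentation; the function names, the stand-in rule name cf_access (for {productname_short_l}_access) and the sample outputs are constructed for illustration.

```shell
# Reduce `ipa hbactest` output (stdin) to "granted:<matched rules>" or "denied".
hbac_verdict() {
    awk '
        /Access granted: True/ { granted = 1 }
        /^ *Matched rules:/ {
            sub(/^ *Matched rules: */, "")
            rules = (rules == "" ? "" : rules ",") $0
        }
        END { if (granted) print "granted:" rules; else print "denied" }
    '
}

# Pass only when access comes from the dedicated rule ($2) alone, so a
# still-enabled allow_all fails the check. $1 is a verdict string.
verdict_ok() { [ "$1" = "granted:$2" ]; }

# Constructed sample outputs; cf_access is a stand-in rule name (assumption).
sample_before() {     # group member, allow_all still enabled
cat <<'EOF'
--------------------
Access granted: True
--------------------
  Matched rules: allow_all
  Matched rules: cf_access
EOF
}
sample_after() {      # group member, allow_all disabled
cat <<'EOF'
--------------------
Access granted: True
--------------------
  Matched rules: cf_access
EOF
}
sample_outsider() {   # user outside the group, allow_all disabled
cat <<'EOF'
---------------------
Access granted: False
---------------------
  Not matched rules: cf_access
EOF
}

# On the IPA server, with an admin Kerberos ticket (assumption):
#   ipa hbactest --user=testuser1 --host=appliance1.example.com \
#       --service=httpd-auth | hbac_verdict
for s in sample_before sample_after sample_outsider; do
    printf '%s: %s\n' "$s" "$($s | hbac_verdict)"
done
```

A verdict that still lists allow_all means the default rule has not been disabled and the dedicated rule is not yet the only path to the service.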
