Chapter 2. Appliance Security

2.1. Setting the Password for the Administrative User

Red Hat CloudForms uses a unique admin user to control all functions in the web-based user interface. After installing the appliance, change the default password of the admin user to restrict administrative access to the appliance’s UI.

Changing the admin password uses the same process as changing the password of any standard user in the appliance.

  1. Access the appliance through your web browser and log in.
  2. From the settings menu, select Configuration.
  3. In the accordion tree on the left, click on Access Control, then select the Administrator under the Users section. This displays the details for the admin user.
  4. On the details page, select Configuration → Edit this user from the toolbar.
  5. Enter a new password in the Change Password / Confirm Password fields.
  6. Click Save at the bottom of the page.
  7. Log out of the user interface.
  8. Test your new password by logging into the user interface. Additionally, test your new password in the appliance console.

The Red Hat CloudForms appliance now has a non-default admin password. This restricts access to your appliance’s administrative functions.

2.2. Configuring Host-Based Access Control Rules on your IPA Server

Red Hat CloudForms supports external authentication using an IPA server. To enhance the security of your appliance, it is recommended that you create a specific user group and host group that can access the appliance authentication service.

Run the following steps on your IPA server:

  1. Create a user group and restrict access to only the Red Hat CloudForms users:

    [root@ipa ~]# ipa group-add {productname_short_l}_users --desc="{productname_short_l} Users"
    [root@ipa ~]# ipa group-add-member {productname_short_l}_users --users=testuser1,testuser2

  2. Create a host group and restrict access to your appliance hosts:

    [root@ipa ~]# ipa hostgroup-add {productname_short_l}_hosts --desc "Red Hat CloudForms hosts"
    [root@ipa ~]# ipa hostgroup-add-member {productname_short_l}_hosts --hosts=appliance1.example.com,appliance2.example.com

  3. Add rules to allow the host group and user group access to the Red Hat CloudForms HTTP service:

    [root@ipa ~]# ipa hbacrule-add {productname_short_l}_access --srchostcat=all
    [root@ipa ~]# ipa hbacrule-add-service {productname_short_l}_access --hbacsvcs httpd-auth
    [root@ipa ~]# ipa hbacrule-add-user {productname_short_l}_access --groups {productname_short_l}_users
    [root@ipa ~]# ipa hbacrule-add-host {productname_short_l}_access --hostgroups {productname_short_l}_hosts

  4. Disable the default rule on your IPA server that allows access to all:

    [root@ipa ~]# ipa hbacrule-disable allow_all

This ensures that only users in the {productname_short_l}_users group can access the authentication service (httpd-auth) on the appliances in the {productname_short_l}_hosts host group.
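
To confirm that the rules behave as intended, the decisions can be checked with `ipa hbactest`. The following script is an added example, not part of the original procedure; it assumes a valid Kerberos ticket for an IPA admin on the IPA server, and `otheruser` and `otherhost.example.com` are hypothetical entries that exist in IPA but are outside the two groups.

```sh
#!/bin/sh
# Added example: verify HBAC decisions with `ipa hbactest` after the procedure.
# Assumes a valid Kerberos ticket for an IPA admin (kinit admin) on the IPA server.
SERVICE="httpd-auth"    # HBAC service name used in the rule above

# Read `ipa hbactest` output on stdin; print granted, denied or unknown.
parse_hbactest() {
    awk -F': *' '
        /Access granted:/ {
            v = tolower($2); gsub(/[ \t\r]/, "", v)
            if (v == "true") print "granted"
            else print "denied"
            found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# Read the same output; print the rules that matched, comma-separated.
matched_rules() {
    sed -n 's/^ *Matched rules: *//p' | sort | paste -s -d ',' -
}

# check USER HOST EXPECT: succeed only if the decision equals EXPECT.
check() (
    out=$(ipa hbactest --user="$1" --host="$2" --service="$SERVICE" 2>&1) || true
    got=$(printf '%s\n' "$out" | parse_hbactest)
    rules=$(printf '%s\n' "$out" | matched_rules)
    printf '%-10s %-26s expect=%-8s got=%-8s matched=%s\n' \
        "$1" "$2" "$3" "$got" "${rules:-none}"
    [ "$got" = "$3" ]
)

# Run as: sh hbac-verify.sh run
if [ "${1:-}" = "run" ]; then
    fail=0
    check testuser1 appliance1.example.com granted || fail=1
    # Hypothetical user outside the users group: must be denied. If it is
    # granted, "matched=" names the rule responsible (for example allow_all).
    check otheruser appliance1.example.com denied || fail=1
    # Hypothetical host outside the host group: must be denied.
    check testuser1 otherhost.example.com denied || fail=1
    exit "$fail"
fi
```

A result of `unknown` means the command produced no decision line, for example because no Kerberos ticket was available.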