Chapter 2. Appliance Security
2.1. Setting the Password for the Administrative User
Red Hat CloudForms uses a unique admin user to control all functions in the web-based user interface. After installing the appliance, change the default password of the admin to restrict administrative access to the appliance’s UI.
Red Hat CloudForms appliances are designed for admin users with root access. Red Hat does not recommend or support CloudForms appliance configurations with users lacking
admin password uses the same process as changing any standard user in the appliance.
- Access the appliance through your web browser and log in.
- From the settings menu, select Configuration.
- In the accordion tree on the left, click on Access Control, then select the Administrator under the Users section. This displays the details for the
- On the details page, select → from the toolbar.
- Enter a new password in the Change Password / Confirm Password fields.
- Click Save at the bottom of the page.
- Log out of the user interface.
- Test your new password by logging into the user interface. Additionally, test your new password in the appliance console.
The Red Hat CloudForms appliance now has a non-default admin password. This restricts access to your appliance’s administrative functions.
2.2. Configuring Host-Based Access Control Rules on your IPA Server
Red Hat CloudForms supports external authentication using an IPA server. However, certain measures are recommended to enhance the security of your appliance, such as creating a specific user group and host group that can access the appliance authentication service.
Run the following steps on your IPA server:
Create a user group and restrict access to only the Red Hat CloudForms users:
[root@ipa ~]# ipa group-add cloudforms_users --desc="cloudforms Users"
[root@ipa ~]# ipa group-add-member cloudforms_users --users=testuser1,testuser2
Create a host group and restrict access to your appliance hosts:
[root@ipa ~]# ipa hostgroup-add cloudforms_hosts --desc "Red Hat CloudForms hosts"
[root@ipa ~]# ipa hostgroup-add-member cloudforms_hosts --hosts=appliance1.example.com,appliance2.example.com
Add rules to allow the host group and user group access to the Red Hat CloudForms HTTP service:
[root@ipa ~]# ipa hbacrule-add cloudforms_access --srchostcat=all
[root@ipa ~]# ipa hbacrule-add-service cloudforms_access --hbacsvcs httpd-auth
[root@ipa ~]# ipa hbacrule-add-user cloudforms_access --groups cloudforms_users
[root@ipa ~]# ipa hbacrule-add-host cloudforms_access --hostgroups cloudforms_hosts
Disable the default rule on your IPA server that allows access to all:
[root@ipa ~]# ipa hbacrule-disable allow_all
This ensures only users in the cloudforms_users group can access the authentication service (httpd-auth) on the appliances in the cloudforms_hosts host group.
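To confirm the result of the steps above, the following added example (not part of the Red Hat documentation) checks the rules with ipa hbactest. It assumes you run it on the IPA server with an admin Kerberos ticket; the two arguments, a user outside cloudforms_users and a host outside cloudforms_hosts, are values you supply.

```bash
#!/bin/bash
# Added example: check the section 2.2 HBAC rules with `ipa hbactest`.
# Assumes it runs on the IPA server with an admin Kerberos ticket (kinit admin).

# Print "granted", "denied" or "error" for user $1 on host $2 (service httpd-auth).
# Prints "allow_all" instead of "granted" when the default rule is what matched,
# which means allow_all is still enabled.
hbac_result() {
    out=$(ipa hbactest --user="$1" --host="$2" --service=httpd-auth 2>&1) || true
    case "$out" in
        *"Matched rules: allow_all"*) echo allow_all ;;
        *"Access granted: True"*)     echo granted ;;
        *"Access granted: False"*)    echo denied ;;
        *)                            echo error ;;
    esac
}

# expect WANT USER HOST: compare the hbactest decision with the expected one.
expect() {
    got=$(hbac_result "$2" "$3")
    if [ "$got" = "$1" ]; then
        echo "ok    $2 @ $3: $got"
    else
        echo "FAIL  $2 @ $3: expected $1, got $got"
        return 1
    fi
}

# verify_cloudforms_hbac OTHER_USER OTHER_HOST
# OTHER_USER: an existing IPA user who is NOT in cloudforms_users (you supply it).
# OTHER_HOST: an enrolled host that is NOT in cloudforms_hosts (you supply it).
verify_cloudforms_hbac() {
    rc=0
    expect granted testuser1 appliance1.example.com || rc=1
    expect granted testuser2 appliance2.example.com || rc=1
    expect denied  "$1"      appliance1.example.com || rc=1
    expect denied  testuser1 "$2"                   || rc=1
    return $rc
}

# Run the checks only when both arguments are given on the command line.
if [ $# -eq 2 ]; then
    verify_cloudforms_hbac "$1" "$2"
fi
```

A FAIL line reporting allow_all means the default rule is still enabled and is granting access regardless of group membership.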