Chapter 2. Appliance Security

2.1. Setting the Password for the Administrative User

Red Hat CloudForms uses a unique admin user to control all functions in the web-based user interface. After installing the appliance, change the default password of the admin user to restrict administrative access to the appliance’s UI.

Important

Red Hat CloudForms appliances are designed for admin users with root access. Red Hat does not recommend or support CloudForms appliance configurations with users lacking root access.

Changing the admin password uses the same process as changing the password of any standard user in the appliance.

  1. Access the appliance through your web browser and log in.
  2. From the settings menu, select Configuration.
  3. In the accordion tree on the left, click on Access Control, then select the Administrator under the Users section. This displays the details for the admin user.
  4. On the details page, select Configuration → Edit this user from the toolbar.
  5. Enter a new password in the Change Password / Confirm Password fields.
  6. Click Save at the bottom of the page.
  7. Log out of the user interface.
  8. Test your new password by logging into the user interface. Additionally, test your new password in the appliance console.

The Red Hat CloudForms appliance now has a non-default admin password. This restricts access to your appliance’s administrative functions.

2.2. Configuring Host-Based Access Control Rules on your IPA Server

Red Hat CloudForms supports external authentication using an IPA server. However, certain measures are recommended to enhance the security of your appliance, such as creating a specific user group and host group that can access the appliance authentication service.

Run the following steps on your IPA server:

  1. Create a user group and restrict access to only the Red Hat CloudForms users:

    [root@ipa ~]# ipa group-add cloudforms_users --desc="cloudforms Users"
    [root@ipa ~]# ipa group-add-member cloudforms_users --users=testuser1,testuser2
  2. Create a host group and restrict access to your appliance hosts:

    [root@ipa ~]# ipa hostgroup-add cloudforms_hosts --desc "Red Hat CloudForms hosts"
    [root@ipa ~]# ipa hostgroup-add-member cloudforms_hosts --hosts=appliance1.example.com,appliance2.example.com
  3. Add rules to allow the host group and user group access to the Red Hat CloudForms HTTP service:

    [root@ipa ~]# ipa hbacrule-add cloudforms_access --srchostcat=all
    [root@ipa ~]# ipa hbacrule-add-service cloudforms_access --hbacsvcs httpd-auth
    [root@ipa ~]# ipa hbacrule-add-user cloudforms_access --groups cloudforms_users
    [root@ipa ~]# ipa hbacrule-add-host cloudforms_access --hostgroups cloudforms_hosts
  4. Disable the default rule on your IPA server that allows access to all:

    [root@ipa ~]# ipa hbacrule-disable allow_all

This ensures only users in the cloudforms_users group can access the authentication service (httpd-auth) on the appliances in the cloudforms_hosts host group.
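
The following check is an added example, not part of the Red Hat documentation. It interprets the output of ipa hbactest to confirm that access to httpd-auth is granted only through cloudforms_access and that allow_all no longer matches. The function names and sample outputs are constructed for illustration, and the output labels it parses (Access granted, Matched rules) are assumed to match your IPA version.

```shell
#!/bin/sh
# Added example: verify the HBAC rules above from `ipa hbactest` output.
# Rule, group and service names are the ones used in the procedure.

# Reduce hbactest output (stdin) to: granted:<rules> | denied | unparsed
hbac_verdict() {
    verdict=unparsed rules=
    while IFS= read -r line; do
        case "$line" in
            *"Access granted: True"*)  verdict=granted ;;
            *"Access granted: False"*) verdict=denied ;;
            *"Not matched rules:"*)    ;;  # listed for detail only
            *"Matched rules: "*)       rules="${rules:+$rules,}${line##*: }" ;;
        esac
    done
    [ "$verdict" = granted ] && verdict="granted:$rules"
    echo "$verdict"
}

# $1 = granted|denied. Passes only when the verdict is as expected and
# cloudforms_access alone produced a grant; any allow_all match fails.
expect_hbac() {
    want=$1
    got=$(hbac_verdict)
    case "$got" in
        *allow_all*) echo "FAIL: allow_all still matches ($got)"; return 1 ;;
        granted:cloudforms_access) [ "$want" = granted ] && return 0 ;;
        denied) [ "$want" = denied ] && return 0 ;;
    esac
    echo "FAIL: wanted $want, got $got"; return 1
}

# Live check, run on the IPA server with an admin Kerberos ticket:
#   verify_live testuser1 appliance1.example.com granted
verify_live() {
    ipa hbactest --user="$1" --host="$2" --service=httpd-auth | expect_hbac "$3"
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_OK='Access granted: True
  Matched rules: cloudforms_access'
SAMPLE_DENY='Access granted: False
  Not matched rules: cloudforms_access'
SAMPLE_OPEN='Access granted: True
  Matched rules: allow_all
  Matched rules: cloudforms_access'

# Demo on constructed input: reports that allow_all still matches.
printf '%s\n' "$SAMPLE_OPEN" | expect_hbac granted || true
```

Also run verify_live with an account outside cloudforms_users and the expectation denied, so the negative case is tested as well as the positive one.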