Authentication Servers
The Authentication Servers page shows your existing integrations with authentication servers. You can add a server by clicking the Add server button.
You can integrate OT Security EM with the following types of servers:
- Active Directory
- LDAP
Active Directory
You can integrate OT Security EM with your organization’s Active Directory (AD). This enables users to log in to OT Security EM using their Active Directory credentials. The configuration involves setting up the integration and then mapping groups in your AD to User Groups in OT Security EM.
To configure your Active Directory:
- Go to Local Settings > User Management > Authentication Servers.
  The Authentication Servers window appears.
- In the upper-right corner, click Add server.
  The Create Authentication Server panel opens with the Server Type.
- Click Active Directory, then click Next.
  The Active Directory configuration pane appears.
- In the Name box, type the username used for logging in to the server.
- In the Domain box, type the FQDN of the organizational domain (for example, company.com).
  Note: To find your domain, run the command "set" in a Windows command prompt on a domain-joined machine. The value of the USERDNSDOMAIN variable is the domain name.
- In the Base DN box, type the domain in DN format, with one DC= component per label of the FQDN: DC={second-level domain},DC={top-level domain} (for example, DC=company,DC=com for company.com). A subdomain such as corp.company.com becomes DC=corp,DC=company,DC=com.
- For each Active Directory group that you want to map to an OT Security EM User Group, type the name of the Active Directory group in the box for that user group.
  Note: These parameters are optional. However, if a parameter remains empty, no Active Directory users get assigned to that user group. You can set up an integration without mapped groups, but no user can access the system until you add at least one group mapping.
- (Optional) In the Trusted CA section, click Browse and navigate to the file that contains your organization’s CA certificate.
  Note: You can obtain the certificate from your CA or network administrator.
- Click Save.
  OT Security EM shows a message prompting you to restart to activate the Active Directory integration.
- Click Restart.
  After the system restarts, OT Security EM activates the Active Directory settings. Any user assigned to a mapped group can access the OT Security EM platform using their organizational credentials.
LDAP
You can integrate OT Security EM with your organization’s LDAP directory. This enables users to log in to OT Security EM using their LDAP credentials. The configuration involves setting up the integration and then mapping groups in your LDAP directory to User Groups in OT Security EM.
To configure LDAP:
- Go to Local Settings > User Management > Authentication Servers.
- Click Add server.
  The Add Authentication Server panel opens with the Server Type.
- Select LDAP, then click Next.
  The LDAP Configuration pane appears.
- In the Name box, type the username that you want to use for logging in.
  Note: The login name must be unique and clearly denote that it is used for LDAP. If you have both LDAP and Active Directory configured, this name is the only thing that distinguishes the server configurations on the login screen.
- In the Server box, type the FQDN or the IP address of the LDAP server.
  Note: If you use a secure connection, Tenable recommends using the FQDN instead of an IP address so that the server certificate can be verified against the name you connect to.
  Note: If you use a hostname, the DNS servers configured in the OT Security EM system must be able to resolve it. See System Configuration > Device.
- In the Port box, type 389 for a non-secure connection, or 636 for a secure SSL (LDAPS) connection.
  Note: If you select 636, you must provide a certificate to complete the integration.
  Note: On port 389 the simple-bind credentials (the User DN password and each user's login password) cross the network unencrypted unless the connection is protected by other means; use 636 wherever the server supports it.
- In the User DN box, type the distinguished name of the account that OT Security EM binds with, in DN format. For example, for a server named AD_1.qa.com, the User DN can be CN=Administrator,CN=Users,DC=qa,DC=com. Prefer a dedicated, least-privileged account that can only read the user and group entries; the Administrator account above only illustrates the format.
- In the Password box, type the password of the User DN.
  Note: The OT Security EM integration with LDAP only continues to work as long as the User DN password is valid. Therefore, when the User DN password changes or expires, you must update the OT Security EM configuration.
- In the User Base DN box, type the base DN under which user entries are searched, in DN format. For example, DC=qa,DC=com.
- In the Group Base DN box, type the base DN under which group entries are searched, in DN format.
- In the Domain append box, type the default domain that is appended to the authentication request when a user logs in without specifying their domain.
- For each OT Security EM user group, type in its box the name of the LDAP group whose members should be assigned to that user group.
- If you use port 636, under Trusted CA, click Browse and navigate to a valid PEM certificate file.
- Click Save.
  OT Security EM saves the server in Disabled mode.
- To apply the configuration, click the enable toggle.
  The System Restart dialog appears.
- Click Restart Now to restart and apply the configuration immediately, or Restart Later to temporarily continue using the system without the new configuration.
  Note: Enabling or disabling the LDAP configuration does not take effect until the system restarts. If you do not restart the system immediately, click Restart on the banner at the top of the page when you are ready.
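Because every change to these settings costs a system restart, it pays to validate the values before clicking Save. The following shell script is an added example and is not part of the OT Security EM product or of this documentation. It derives the Base DN from a domain name (the conversion described in the Active Directory Base DN step), builds the LDAP URI from the Server and Port values, checks on port 636 that the server certificate chains to the Trusted CA file, and then performs the same simple bind OT Security EM will perform: bind as the User DN with its password and read the User Base DN entry, optionally confirming that a group you intend to map exists under the Group Base DN. It assumes the OpenLDAP client tools (ldapsearch) and openssl are installed on the machine you run it from and that the machine reaches the directory the way the OT Security EM appliance will; the service account svc-otsec, the group OT-Admins and the file ca.pem in the usage comment are placeholders, and AD_1.qa.com and the DNs are taken from the examples above.

```shell
#!/bin/sh
# Pre-flight check of Authentication Server values before entering them into
# OT Security EM (added example, not part of the product).
# Requires: ldapsearch (OpenLDAP client tools) and openssl.
#
# Usage: sh ldap_preflight.sh SERVER PORT USER_DN USER_BASE_DN [CA_PEM [GROUP_BASE_DN GROUP_CN]]
#   sh ldap_preflight.sh AD_1.qa.com 636 "CN=svc-otsec,CN=Users,DC=qa,DC=com" "DC=qa,DC=com" ca.pem \
#       "CN=Users,DC=qa,DC=com" "OT-Admins"
# Without arguments the script only defines its functions (so it can be sourced).

# Convert a domain such as corp.company.com into the Base DN form DC=corp,DC=company,DC=com.
base_dn_from_domain() {
    printf '%s\n' "$1" | awk -F. '{
        n = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "") continue                 # tolerate a trailing dot (FQDN form)
            printf "%sDC=%s", (n++ ? "," : ""), $i
        }
        printf "\n"
    }'
}

# Build the connection URI: 636 is LDAPS, anything else is treated as plain LDAP.
ldap_uri() {
    case "$2" in
        636) printf 'ldaps://%s:%s\n' "$1" "$2" ;;
        *)   printf 'ldap://%s:%s\n' "$1" "$2" ;;
    esac
}

preflight() {
    server=$1; port=$2; user_dn=$3; user_base_dn=$4
    ca_file=${5:-}; group_base_dn=${6:-}; group_cn=${7:-}
    uri=$(ldap_uri "$server" "$port")

    if [ "$port" = 636 ]; then
        [ -n "$ca_file" ] || { echo "port 636 requires the Trusted CA PEM file" >&2; return 2; }
        # Does the server certificate chain to the Trusted CA and match the name we connect to?
        if ! openssl s_client -connect "$server:$port" -servername "$server" -CAfile "$ca_file" \
                </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'; then
            echo "TLS verification of $server failed against $ca_file" >&2
            return 1
        fi
        export LDAPTLS_CACERT="$ca_file"          # make ldapsearch verify with the same CA
    else
        echo "warning: port $port sends the bind password in cleartext" >&2
    fi

    # Read the bind password once, without echo, and hand it to ldapsearch through
    # a 0600 temp file (-y) so it never appears in the process list the way -w would.
    pwfile=$(mktemp) || return 1
    trap 'rm -f "$pwfile"' EXIT
    printf 'Password for %s: ' "$user_dn" >&2
    stty -echo; read -r pw; stty echo; echo >&2
    printf '%s' "$pw" > "$pwfile"

    # The bind OT Security EM performs: simple bind as the User DN, then read the base entry.
    ldapsearch -x -H "$uri" -D "$user_dn" -y "$pwfile" -b "$user_base_dn" -s base '(objectClass=*)' dn \
        || { echo "bind as $user_dn failed (wrong DN, expired password, or unreachable server)" >&2; return 1; }

    # Optionally confirm that a group you intend to map exists under the Group Base DN
    # (cn= matches Active Directory and most LDAP schemas; adjust the filter for others).
    if [ -n "$group_base_dn" ] && [ -n "$group_cn" ]; then
        ldapsearch -x -H "$uri" -D "$user_dn" -y "$pwfile" -b "$group_base_dn" "(cn=$group_cn)" dn member
    fi
}

if [ "$#" -ge 4 ]; then
    preflight "$@"
fi
```

Run it from a host on the same network segment as the appliance, since a DNS name that resolves on your workstation but not through the DNS servers configured under System Configuration > Device will still fail after the restart. A failed bind here means the User DN, password, port or CA file is wrong and saves you one restart cycle per mistake.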