Since TOS Aurora 22-1, there is an option to use a Single Sign On (SSO) for SecureTrack and SecureChange / SecureApp. In new installations, this feature is enabled by default, but in upgraded installations, this feature needs to be enabled manually. This is quite easy, following Tufin Knowledge Base. If SSO is turned on, there is no additional authentication required if a user changes from e.g. SecureTrack to SecureChange.

Enable SSO

To activate SSO access to the command line is necessary. Additionally, administrative permissions are needed (e.g. root or the use of sudo). This command enables SSO:

[Tufin]$ sudo tos config set -p tos.sso.enabled=true

After this action, SSO is active and the login screen shows "Tufin Orchestration Suite".

Sometimes it's useful, to disable SSO (see below).

Disable SSO

Disabling the optional SSO is done using this command with administrative permissions at the CLI (e.g. root or the use of sudo):

[Tufin]$ sudo tos config set -p tos.sso.enabled=false

After this command, a separate login screen is shown for SecureTrack and/or SecureChange - as it has been before for many years.

 

Items to consider when using SSO for SecureTrack and SecureChange

  • The login using the portal shown above requires the user to be configured in SecureTrack.
    If a user is configured in SecureChange only (e.g. Approver, Auditor), a successful login is not possible.
    So these users need to be configured in SecureTrack also (but don't need any permission to view any device).

  • If a disclaimer is required, there is only one possibility to configure it (see also here).

  • If external Servers for authentication are used, please be aware of which server is needed and where users need to be configured. (Special AD branches for user/admin used in SecureTrack vs. separate LDAP authentication in SecureChange).

  • The "old" SSO option for SecureChange is no more supported if SSO for SecureTrack/SecureChange is configured.
    So if a portal is used for SecureChange authentication, this needs to be migrated to use SAML-based authentication.

    > added May, 30th, 2023:
    If you want to use SAML, please consider that there is no support for integration with SAML IDP IBM.

 

 

 

 

 

Sometimes it is necessary to have logs who tried to logon to TufinOS or TOS. Also, not successful tries need to be recognized and logged. This often is a requirement, esp. if compliance regulations need to be fulfilled. Logging can be done by extracting information from Tufin in a tool like e.g. Splunk. The information is stored in some files described below.

 

TufinOS

Logon to the CLI of TufinOS is recorded automatically since it's based on CentOS. The file in which this information can be found is
     /var/log/secure

Please find an example for an unsuccessful (user123) and successful login (root).

Mar 16 19:38:57 localhost sshd[24880]: Invalid user user123 from 10.0.0.23
Mar 16 19:38:57 localhost sshd[24881]: input_userauth_request: invalid user user123
Mar 16 19:39:01 localhost sshd[24880]: pam_unix(sshd:auth): check pass; user unknown
Mar 16 19:39:01 localhost sshd[24880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.23
Mar 16 19:39:01 localhost sshd[24880]: pam_succeed_if(sshd:auth): error retrieving information about user user123
Mar 16 19:39:03 localhost sshd[24880]: Failed password for invalid user user123 from 10.0.0.23 port 50025 ssh2
Mar 16 19:39:11 localhost sshd[24881]: Connection closed by 10.0.0.23

Mar 16 19:39:38 localhost sshd[24888]: Accepted password for root from 10.0.0.23 port 50026 ssh2
Mar 16 19:39:38 localhost sshd[24888]: pam_unix(sshd:session): session opened for user root by (uid=0)

 

Tufin SecureTrack

A successful login to the WebUI of SecureTrack is recorded in the database. This information can be checked in the WebUI also. To do so, go to Menu > Settings > Administration > Audit Trail. As shown below, a successful login and logout can be monitored here.

 

 Sometimes this information isn't sufficient since also not successful login attempts need to be documented. This can be done by checking the file
      /var/log/keycloak/server.log

When using local authentication, a non-successful login of a user (user2) looks like this in the file

WARN 2021-03-16 20:41:28,511 [default task-2::o.k.events.onEvent] [user:] type=LOGIN_ERROR, realmId=f93f5360-fa5c-4777-aa14-c91c4730e49a, clientId=st_httpd_10.0.0.20, userId=null, ipAddress=10.0.0.23, error=identity_provider_error, auth_method=openid-connect, auth_type=code, redirect_uri=https://10.0.0.20/protected/redirect_uri, code_id=dcca1e78-7a0f-43f3-a017-772ac8c291fe, username=user2#ovzwk43sge======, authSessionParentId=dcca1e78-7a0f-43f3-a017-772ac8c291fe, authSessionTabId=BXN4R0pwtHU

When LDAP is used for authentication at SecureTrack, some more basic information is delivered (user1).

ERROR 2021-03-16 21:14:53,338 [default task-1::c.t.c.k.a.c.h.d.LoginHandlersDispatcher.handleLogin] [user:] LDAP authentication failed for user:{user1}: java.lang.RuntimeException: LDAP authentication failed for user:{user1}
...
WARN 2021-03-16 21:14:53,340 [default task-1::o.k.events.onEvent] [user:] type=LOGIN_ERROR, realmId=f93f5360-fa5c-4777-aa14-c91c4730e49a, clientId=st_httpd_10.0.0.20, userId=d733890d-f5be-449d-8e8e-efab9972fef1, ipAddress=10.0.0.24, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://10.0.0.20/protected/redirect_uri, code_id=1d8576e7-69d5-4549-85a6-e014f2a7c14d, username=user1#ovzwk4rr, authSessionParentId=1d8576e7-69d5-4549-85a6-e014f2a7c14d, authSessionTabId=bFfur4XdKlI

As shown above, a successful authentication can be monitored in "Audit Trail". If necessary, information can also be gathered directly by asking the database.

 

Tufin SecureChange

When trying to log authentication at SecureChange, only a log file at the CLI can be evaluated:
     /var/log/tomcat/securechange.log

A successful login is recorded here, e.g. for a local user (hcarr)

INFO 2021-03-16 21:21:22,066 [catalina-exec-19::c.t.s.s.AdminAuthenticatorHelper.performAuthentication] [user:system] authenticating hcarr
INFO 2021-03-16 21:21:22,072 [catalina-exec-19::c.t.s.s.UsernamePasswordAuthenticator.authenticate] [user:system] User ID: 4, User name: Henry Carr logged in.
...

A successful login is recorded here, e.g. for a user authenticated using an LDAP server (user1)

INFO 2021-03-16 21:24:36,345 [catalina-exec-15::c.t.s.s.AdminAuthenticatorHelper.performAuthentication] [user:system] authenticating user1
INFO 2021-03-16 21:24:36,351 [catalina-exec-15::c.t.s.s.LdapUserResolver.authenticateUserByLdap] [user:system] Start authentication of user [user1].
INFO 2021-03-16 21:24:36,362 [catalina-exec-15::c.t.s.s.LdapUserResolver.authenticateUserByLdap] [user:system] Successful authentication of user [user1]. The authenticated userName is [user1].
INFO 2021-03-16 21:24:36,369 [catalina-exec-15::c.t.s.s.LdapUserResolver.getLoggedInUserFromDb] [user:system] User user1 found in DB by LDAP ID kBxZxiVaE0uwfM5vdPy5pw==. DB id is 43
INFO 2021-03-16 21:24:36,372 [catalina-exec-15::c.t.s.s.UsernamePasswordAuthenticator.authenticate] [user:system] User ID: 43, User name: user1 logged in.
...

Trying wrong credentials (mleu) delivers

INFO 2021-03-16 21:23:52,088 [catalina-exec-18::c.t.s.s.AdminAuthenticatorHelper.performAuthentication] [user:system] authenticating mleu
INFO 2021-03-16 21:23:52,093 [catalina-exec-18::c.t.s.s.LdapUserResolver.authenticateUserByLdap] [user:system] Start authentication of user [mleu].
WARN 2021-03-16 21:23:52,099 [catalina-exec-18::c.t.s.s.LdapUserResolver.authenticateUserByLdap] [user:system] The authentication of the user [mleu] is failed. User [mleu] does not exist when using filter [(&(sAMAccountType=805306368)(|(sAMAccountName=mleu)(userPrincipalName=mleu)))] and baseDN [cn=users,dc=aerasec,dc=labor].
INFO 2021-03-16 21:23:52,105 [catalina-exec-18::c.t.s.c.l.SCLdapServiceImpl.getLdapUser] [user:system] Searching for LDAP user mleu
INFO 2021-03-16 21:23:52,106 [catalina-exec-18::c.t.s.c.l.SCLdapServiceImpl.getLdapUser] [user:system] Searching for LDAP user mleu in LdapConfiguration Lab_AD
INFO 2021-03-16 21:23:52,114 [catalina-exec-18::c.t.s.c.l.SCLdapServiceImpl.findUserInLdap] [user:system] User not found in LDAP by name [mleu].

In any case, these data need to be forwarded to a central reporting tool.
Forwarding the content of these files can be done e.g., by syslog, using a Splunk Forwarder, or any other method.

 

 

 

AERAsec is proud to announce that we are the first Tufin Service Delivery Partner + (SDP+) in Germany

Service Delivery Partner Plus

Tufin has announced that its Service Delivery Partner Plus (SDP+) training program has introduced a new developer course to its 2020 portfolio. Designed to fill industry gaps, the course delivers training and development opportunities in key areas such as Tufin APIs, integrations, customizations, and development techniques.

AERAsec is proud to be the first SDP+ partner in Germany (press release in German language) after being one of the first SDP partners worldwide. So we can deliver now even more value to our customers due to the ability to officially deliver customizations of the Tufin Orchestration Suite. So customers will have additional value not only from AERAsec's experience but also from very intense cooperation between AERAsec and Tufin.

Customers purchasing Tufin products from AERAsec will have an additional advantage because of special conditions regarding these services. Please This email address is being protected from spambots. You need JavaScript enabled to view it. if you want to know more about AERAsec delivering Tufin Products and Services.

 

 

 

 

AERAsec is proud to announce that we are one of the worldwide first three Tufin Service Delivery Partners (SDP) and currently the only one in Central Europe

https://tcw-8egzwiavysvuu1nzct.netdna-ssl.com/sites/default/files/service-delivery-partner_0.png

Tufin has announced that a new partner program is launched in June 2018. The Service Delivery Partner Program enables partner to be more service-ready.

AERAsec has a wide experience from many projects helping customers to get their values by the Tufin Orchetration Suite. The way of working closely together with Tufin Technologies will be continued in an even more intense way. So customers will have additional value not only from experience, but also from a more intense cooperation between AERAsec and Tufin. Customers purchasing Tufin products from AERAsec will have an additional advantage because of special conditions regarding these services.

Please This email address is being protected from spambots. You need JavaScript enabled to view it. if you want to know more about AERAsec delivering Tufin Products and Services.

 

 

 

The protection of your personal information is very important to us. Therefore, you will find here a privacy policy.

  • This website can be used without the explicit provision of personal data, except your IP address. This is recorded, please see below.

  • Regarding the transfer of data from the Internet to us, we point out that the transfer takes place in a possibly untrustworthy way. On the one hand, this may be because it is carried out in plain language or, on the other hand, it is used for transmission itself by systems that are insecure and that we have no control over (for example, provider routers on the Internet).

  • There is a cookie used (Hex 32) but no tools for data analysis are used on this web server, i.e. no Google Analytics and similar tools used for identification or tracking.

  • All access to this web server will be logged according to the default web server installation.
    These data are the time and date of access, the requested URL, the IP sender address and, if applicable, the referer and the browser used, if applicable including the operating system used.
    These data are used to troubleshoot the operation of the server if necessary. Furthermore, they are only evaluated for statistical purposes and not made available to third parties.

  • Please note that we can not be held responsible for the privacy practices of sites to which links from this server point.

  • You have the right to receive information about your personal data stored by us at any time.
    Likewise, you have the right to correct and delete your data, as far as they are not required for the mandatory filing obligation for business transactions.
    The same applies to the blocking of data, which is kept in a separate lock file.
    You can make changes or revoke your consent to the storage of your data by This email address is being protected from spambots. You need JavaScript enabled to view it. us with future effect. These changes are made as promptly as possible.

  • Responsible party within the meaning of the Federal Data Protection Act (BDSG) and at the same time a service provider within the meaning of the Telemedia Act (TMG) is AERAsec Network Services and Security GmbH.
    Please find further information in the imprint.

The Tufin Orchestration Suite (TOS) sometimes needs to be customized. Tufin delivers some options to use an own logo, but not everywhere. Let's have a look the default options and more.

 

SecureChange

in SecureChange a user with administrative rights has access to the Settings tab in the menu. Selecting Menu > Settings > Customzation offers the use of an own logo.

At the bottom of the page is a button labeled Publish. Pressing it will change the logo used in SecureChange.

So changing the logo in SecureChange is quite easy.

 

SecureTrack

By default, an own logo can be integrated for SecureTrack Reports. This is done via Menu > Settings > Configuration > Reports. The fiels Custom Logo allows to place the own logo here.

As an option, the logo can also be shown on every PDF page. The result looks quite good.

 

Sometimes the WebUI of SecureTrack shall also be customized. Tufin doesn't have an option for this in the Menus of SecureTrack. But changing the logo is also possible.
Requirement: PNG file with a size of 120x50 called tufin-suite-logo.png.
The following procedure is for SecureTrack R17-3 (paths may vary in other versions).

If you have your logo, make a backup of the original files before you continue. Then rename your logo to tufin-suite-logo.png and place it on the server:

Logo in the WebUI top left:
/var/www/html/images/header/tufin-suite-logo.png

Logo for Login window:
/usr/keycloak-2.5.4.Final/themes/tufin-theme/login/resources/img/tufin-suite-logo.png

Logo for Logout window
/var/www/html/logout/tufin-suite-logo.png

After having changed these settings (and cleared the browser cache), the own logo is shown in SecureTrack also.