Settings

The Settings tab allows you to configure general Manage settings and authentication options, and to perform reboot and shutdown operations.

System Admin

In the System Admin menu you can:

  • Review the currently installed Manage version
  • Install Manage upgrade packs
  • View system update history. All the applied updates after Manage 2.3 will be listed here.
  • Configure the Manage web service listening port
  • Configure the Manage web service with a custom SSL key
  • Download and restore Manage system configuration backup files
  • Collect system information and generate system diagnostic file
  • Collect hardware information and generate hardware diagnostic file

Custom SSL Certificate

Custom SSL certificates can be used to comply with enterprise security policies. To use an SSL certificate from an external PKI, choose Upload SSL Key in the Admin Web section.

Paste the Private Key in PEM (Base64 encoded DER certificate) format into the SSL Key field, and the certificate into the field below, again PEM formatted. The certificate field supports the Root and Intermediate Certificates of the related Certificate Authorities. In that case, paste the whole chain in the following order:

  1. Root Certificate
  2. Intermediate Certificate
  3. Server Certificate

Note: Make sure that the passphrase is removed from the private key.

Choose Apply to install the certificates. The Manage web interface will restart immediately and the new certificate will be presented. In some cases, it is necessary to refresh the browser window. For security reasons, the following principles are recommended if you generate key pairs for this Gemini appliance:

  • At least 2048-bit, preferably 4096-bit.
  • Key pairs generated with AES256.
  • Signed with SHA-2 (SHA-256 or SHA-384), not SHA-1 or MD5.
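The passphrase note and the key-size and signature recommendations above can be checked before pasting anything into the upload form. The script below is an added example, not part of the Gemini documentation or product: it assumes an RSA key pair, the `openssl` CLI, and that the server certificate is checked as its own file before the chain is assembled; all function names and the sample CN are hypothetical.

```shell
#!/bin/sh
# Added example: pre-upload checks for a PEM private key and server certificate.
# Assumes an RSA key pair and the openssl CLI; file names are supplied by the caller.

# True if the key file is readable and carries no passphrase
# (neither PKCS#8 "ENCRYPTED PRIVATE KEY" nor legacy "Proc-Type: 4,ENCRYPTED").
key_is_unencrypted() {
    [ -r "$1" ] && ! grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Print the public key size in bits of the certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the signature algorithm name, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# True if the private key and the certificate hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# usage: check_upload KEY.pem SERVER_CERT.pem  -> prints "ok" or the first problem found
check_upload() {
    key_is_unencrypted "$1" || { echo "key missing or still passphrase-protected"; return 1; }
    bits=$(cert_key_bits "$2")
    [ "${bits:-0}" -ge 2048 ] || { echo "key size ${bits:-unknown} is below 2048 bits"; return 1; }
    case $(cert_sig_alg "$2") in
        *[Ss][Hh][Aa]256*|*[Ss][Hh][Aa]384*) ;;
        *) echo "certificate is not signed with SHA-256 or SHA-384"; return 1 ;;
    esac
    key_matches_cert "$1" "$2" || { echo "private key does not match certificate"; return 1; }
    echo "ok"
}

# Constructed sample: throwaway 2048-bit key and self-signed SHA-256 cert in directory $1.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=manage.example.test" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Run the checks when called as: sh check_upload.sh KEY.pem SERVER_CERT.pem
if [ "$#" -eq 2 ]; then check_upload "$1" "$2"; fi
```

A mismatch between key and certificate is worth catching here, because the web interface restarts as soon as Apply is chosen.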

Information

Information displays detailed software and hardware information of your Gemini appliance. Here you may review the currently installed software version of:

  • Gemini Enterprise Manage (Appliance)
  • Linux Kernel
  • Java

Detailed hardware information on your Gemini appliance includes:

  • CPU
  • Memory
  • NIC
  • Chassis

The Listen Port tab lists all the currently listening ports.

This information is usually requested by the Gemini Customer Support team to assist with your support case.

In the Audit Report tab you can create downloadable audit reports that include a list of all the libraries that Manage uses, along with the version info and licenses. The current listening ports are also included in the reports.

Authentication

The Gemini appliance offers administration access either with the Gemini Enterprise: Manage web interface or by running CLI commands using SSH.

Manager Users

To configure access to the Manage web console, configure as many local Admin Users as required. The passwords of the admin users need to comply with the Password Policy configured at a later stage.

User Permissions

A user role is a template of individual user permissions that control behavior and access across different areas. Several roles are provided by default. New roles may be created as needed with customized permissions.

Note: If Manage is upgraded from versions prior to Manage 2.4, all the existing users will be granted the Supervisor role, which has full permissions to all functions, after the upgrade.

The roles need to be applied to each Manage user.

In LDAP authentication, you also need to specify a default permission role for each LDAP resource. The Supervisor and Manage User roles are default roles and cannot be removed. A role may be deleted only if there are no users assigned to that role. Once read-only permission of one function is granted to a user, they can read the status and settings in this function page, but cannot perform actions. Granting a Write permission also implies Read permission.

LDAP

You can configure LDAP resources to support LDAP authentication for the Manage web interface. When LDAP resources are configured successfully and correctly, a user will be able to log in to Manage with their LDAP account. Note that Manage supports Simple BIND request and Search/Bind request to connect with the LDAP server, and LDAP server access is only used for authentication - not for accessing roles or permissions.

To configure an LDAP resource with Simple Bind:

  1. Use the toggle button to enable LDAP Authentication.
  2. Choose Add LDAP Resource.
  3. Configure the Host using the FQDN (not IP address). Add the port and enable SSL if needed.
  4. Select Simple Bind.
  5. Configure the User Base DN. The BaseDN should be able to locate only the users who should have access to Manage.
  6. Configure the Login Attribute. This should be a real attribute in the LDAP directory which can be used for the Manage account user name (e.g., uid, CN, or name).
  7. Select a default permission role for the new Manage user created during LDAP authentication.
  8. Choose Add.

Note: Ensure that your BaseDN includes only those users who should have access to the appliance administration screens.

To configure an LDAP resource with Search/Bind:

  1. Use the toggle button to enable LDAP Authentication.
  2. Choose Add LDAP Resource.
  3. Configure the Host using the FQDN (not IP address). Add the port and enable SSL if needed.
  4. Select Search/BIND.
  5. Configure the Lookup DN and Lookup Password. These are used to log in to the LDAP server and fetch the LDAP trees. The LDAP trees will be cached in full on the system for further use.
  6. Configure the BaseDN. The BaseDN should be able to locate only the users who should have access to Manage.
  7. Configure the User Search Filter.
  8. Configure the Login Attribute. This should be an existing attribute in the LDAP directory and can be used for Manage account user name, e.g., uid, CN, or name.
  9. Configure Role. Select a default permission role for the new Manage user created during LDAP authentication.

Single Sign-on (SSO)

Single Sign-on (SSO) provides the ability to use an HTTP Reverse Proxy Server to handle Manage authentication. Once a user has successfully logged in to the proxy, they can seamlessly access the Manage web interface without having to log in again.

Manage expects a specific HTTP Request Header from the Reverse Proxy. The name of the HTTP Header field can be configured in the Single Sign-On configuration screen. Select Automatically Create User when the username from an authenticated request through the Reverse Proxy does not exist as a local Manage admin user. If this option is not selected and the username from the request doesn’t exist in Manage, the request will fail and the Manage login prompt will be shown.

For added security, authentication requests can be restricted to a specific set of IP addresses, and to requests that include the username field in the HTTP Header.

Once a user is authenticated through SSO, any other authentication methods, such as LDAP, are bypassed.

Password Policy

Password Policy allows you to enforce password requirements to meet your security needs, including password complexity and password duration.

Note: Password Complexity applies to the admin and OS users. Password Duration only applies to OS users.

Proxy

Proxy Settings allows you to configure a proxy server for specific services, e.g., to download Cloudera artifacts.

Login Banner

Enable and edit the banner message to present to users when accessing the appliance via console, SSH, or browser.

Reboot

Allows you to reboot your Gemini appliance immediately.

Shutdown

Allows you to shut down and power off your Gemini appliance immediately. Note that Splunk services will be stopped prior to shutdown in order to prevent unexpected errors.

Account

Displays information on the session’s currently logged in user.

Profile

Update the current user’s name, password, avatar, and preferred languages on the user interface. Manage supports multiple languages including English, German, Japanese, and Traditional Chinese.

Logout

Immediately logs the current user out of the session.