Overview
OAUTH2 user authentication
The CLM employs OAUTH2 user authentication, which is based on Keycloak, an open-source identity and access management platform, and uses the OAuth 2.0 protocol.
OAUTH2 supports local user authentication as well as authentication through external authentication agents such as RADIUS, LDAP/S, and TACACS+ servers. Windows Active Directory is also supported.
CLM user authentication includes configurable mechanisms that guard against unwanted system access by maintaining strict control over repeated login attempts. See CLM login protection for information.
The CLM also supports the forwarding of user activity log events, as described in CLM user activity logging.
See Configuring single sign-on for specific OAUTH2 configuration information.
Kafka user authentication
The CLM Kafka subsystem reports events to internal clients and systems. The internal Kafka communication is secured using TLS.
Kafka authentication for internal clients is configurable in the nsp—modules—nspos—kafka section of the CLM configuration file.
The following parameter in the CLM configuration file enables or disables support for the deprecated TLS versions:
Internal Kafka client authentication
Kafka authentication for internal clients is based on two-way mTLS, rather than CLM user credentials.
The following parameter in the CLM configuration file enables or disables the support: