Security


Looking for AssetTrack installation instructions?

Looking to understand how to create/manage users and groups? That information can be found here.

 

The security information on this page is intended for system administrators, network operations personnel, and security auditors who need to understand how the AssetTrack system is secured.


Authentication

AssetTrack client applications (web, Windows, and mobile clients) are protected to prevent unauthorized access. AssetTrack offers two different authentication methods to choose from depending on your environment.

AssetTrack Security mode

If you select this security mode, AssetTrack maintains its own list of users and passwords within the AssetTrack database. Passwords are not stored in clear text; the password field holds an MD5 hash. There is no relationship between these AssetTrack credentials and any existing credentials (e.g. Active Directory domain credentials).
Each time a user begins using an AssetTrack client application, they're challenged to authenticate using their AssetTrack user and password. 
This security mode is appropriate for installations where there is no overarching Active Directory domain that covers all AssetTrack users.

Windows Security mode (aka Active Directory, single sign-on, SSO)

If you select this security mode, AssetTrack delegates authentication to an Active Directory. If a user has successfully logged onto their workstation computer, AssetTrack does not challenge the user for credentials. 
Mobile devices are an exception; they will continue to challenge for credentials. Because they're often disconnected from the network, they operate in a way analogous to laptops that are disconnected from a Windows domain: you must log into AssetTrack Mobile at least once while connected to the Active Directory (i.e. cradled or connected via Wi-Fi). Thereafter, AssetTrack Mobile caches your credentials locally in an encrypted fashion so users can log into AssetTrack Mobile even when disconnected from the Active Directory.
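The connect-once, then log in offline behaviour described above can be sketched as follows. This is an added example, not AssetTrack code: the class names, the PBKDF2 verifier format, and the choice to evict a cached entry when the directory rejects a password are all assumptions made for illustration.

```python
import hashlib
import hmac
import os


class FakeDirectory:
    """Constructed stand-in for Active Directory with a connectivity switch."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.online = True

    def check(self, user, password):
        if not self.online:
            raise ConnectionError("directory unreachable")
        return self.accounts.get(user) == password


class OfflineCredentialCache:
    """Hypothetical device-side cache: stores a salted verifier, never the password."""

    def __init__(self, directory_check):
        self._directory_check = directory_check  # online logon callback
        self._verifiers = {}                     # user -> (salt, derived key)

    @staticmethod
    def _derive(password, salt):
        # Slow, salted KDF so a stolen device cache is costly to brute-force.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=32)

    def login(self, user, password):
        try:
            accepted = self._directory_check(user, password)
        except ConnectionError:
            return self._login_offline(user, password)
        if accepted:
            salt = os.urandom(16)  # fresh salt on every successful online logon
            self._verifiers[user] = (salt, self._derive(password, salt))
        else:
            # Assumed policy: a directory rejection invalidates the cached entry.
            self._verifiers.pop(user, None)
        return accepted

    def _login_offline(self, user, password):
        entry = self._verifiers.get(user)
        if entry is None:
            return False  # user has never logged in while connected
        salt, expected = entry
        return hmac.compare_digest(self._derive(password, salt), expected)
```
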

Security policy

Under AssetTrack Security mode, where AssetTrack manages user passwords, various password policies can be imposed on the user, e.g. minimum password length, maximum authentication attempts, complexity, age, and reuse.
Under both security modes, you can set security policies like idle timeout.

Web services security

All communication between AssetTrack Server and its clients occurs over HTTP or HTTPS. Security-conscious users can choose to install an SSL certificate on the AssetTrack Server and specify that all communications should occur over the encrypted HTTPS protocol.

Given the above, AssetTrack Server hosts multiple web service endpoints. Access to these services is password protected using a web service extension library called WS-Security, an open security protocol specification.

Security between AssetTrack and third-party systems

CA Asset Portfolio Management (APM)

| Component | Comment | Protocol |
| --- | --- | --- |
| AssetTrack Importer | This is an extract-transform-load (ETL) operation. The importer accesses read-only views within the MDB and reads their data and writes the data to the AssetTrack database. | Access to SQL Server using either SQL Server Security or Windows Security |
| AssetTrack Server | When AssetTrack publishes (writes) data to APM r11.x versions, it uses APM's Connect API. This is a COM-based object model that directly opens a connection to the MDB to read and write data. In APM r12, AssetTrack writes to APM using its web service API. | In r11.x, access to SQL Server using either SQL Server Security. In r12.x, HTTP or HTTPS depending on whether an SSL certificate has been installed for the APM server. |

CA Service Desk

| Component | Comment | Protocol |
| --- | --- | --- |
| AssetTrack Importer | This is an extract-transform-load (ETL) operation. The importer accesses read-only views within the MDB and reads their data and writes the data to the AssetTrack database. | Access to SQL Server using either SQL Server Security or Windows Security |
| AssetTrack Server | In APM r12, AssetTrack writes to Service Desk using its web service API. | HTTP or HTTPS depending on whether an SSL certificate has been installed for the Service Desk server. |

HP AssetCenter/Asset Manager

| Component | Comment | Protocol |
| --- | --- | --- |
| AssetTrack Importer | This is an extract-transform-load (ETL) operation. The importer accesses tabular text files exported from HPAM using Connect-It and loads them into the AssetTrack database. | File system access. |
| AssetTrack Server | AssetTrack writes to text files that are processed by a Connect-It scenario. | File system access. |