NVIDIA UFM Enterprise User Manual v6.21.2

Authentication Methods

UFM User Authentication is based on standard Apache User Authentication or Internal UFM Authentication Server.

Each Web Service client application must authenticate against the UFM server to gain access to the system.

The available authentication methods supported by UFM are as follows:

Authentication Method

Description

UFM Related Prefix

REST API Reference

Basic Authentication

Based on user and password, provided by the client. This method is enabled by default.

/ufmRest

Basic Authentication

Session-Based Authentication

A stateful authentication technique where sessions are used to keep track of the authenticated user. This method is enabled by default and is used by the UFM WebUI.

/ufmRestV2

Session-Based Authentication

Client-Based Authentication

Refers to an end user's device proving its own identity by providing a digital certificate that can be verified by a server in order to gain access to UFM resources

/ufmRest

Client-Based Authentication

Token-Based Authentication

Token-based authentication is a protocol which allows users to verify their identity, and in return receive a unique access token. To use UFM, the user should create a token using UFM Web UI or UFM REST API

/ufmRestV3

Token-Based Authentication

Proxy Authentication

Proxy authentication delegates the user authentication to a remote Proxy server.

/ufmRestV2 or

/ufmRestV3

N/A

Azure AD Authentication

Microsoft Azure Authentication is a service provided by Microsoft Azure, the cloud computing platform of Microsoft. It is designed to provide secure access control and authentication for applications and services hosted on Azure.

/ufmRestV2

N/A

Kerberos Authentication

Kerberos is a protocol designed to authenticate service requests between trusted hosts over an untrusted network

/ufmRestKrb

N/A

There are three optional services which can provide authentication handling of UFM.

  1. Apache Web Server (used by default) - Standard Apache web server and supports the above-mentioned authentication methods.

  2. LDAP Authentication - Commonly used for accessing and managing directory information services over a network via a user-configured LDAP server that is responsible for authentication.

  3. UFM Authentication Server - A centralized HTTP server, is responsible for managing various authentication methods supported by UFM.

The management port of the UFM is connected to a secure zone within the customer data center. All communications between any user or service and the UFM must remain encrypted, authenticated, and authorized according to user's security standards.

This option allows the user to set/configure required certificates within UFM server for supporting client-based authentication.

Associating Client Certificate Common Name (CN) with UFM User

It is necessary to associate the Common Name (CN) of a client certificate with a specific UFM user. UFM will internally store the CN and link it to the corresponding user.

Once Apache validates the client certificate's chain, UFM will extract the CN from the certificate and compare it against the stored value. If the CN does not match, the request will be denied. If the CN matches, the request will be authorized, and the system will treat it as though the associated user had logged in directly.

Integrating User Identity into UFM

The user component, also referred to as the "Agent," operates locally on both the UFM master and standby nodes. The Agent's role is to transfer valid certificates into a local folder on the host (which is mapped to the UFM container) and to trigger a local UFM script to restart Apache once the certificates have been updated.

Configuration

To configure UFM with client certificate authentication using locally refreshed certificates, follow these steps:

  1. Install the UFM container with the --local-certs-dir flag, which maps a local host directory to the UFM container.

    TBD: add an example of the Docker install

    Note

    Steps 2-6 should be performed once UFM container is running.

  2. Run the UFM service. Run:

    Copy
    Copied!
                

    systemctl start ufm-enterprise

  3. Enter the UFM container. Run:

    Copy
    Copied!
                

    docker exec -it ufm /bin/bash

  4. Enable client certificate authentication. Run:

    Copy
    Copied!
                

    /opt/ufm/scripts/manage_client_authentication.sh enable-client-cert-authen

  5. Set the client certificate subject identifier to CN. Run:

    Copy
    Copied!
                

    /opt/ufm/scripts/manage_client_authentication.sh set-subject-identifier --identifier CN

  6. Associate a client certificate CN with a UFM user. Run:

    Copy
    Copied!
                

    /opt/ufm/scripts/manage_client_authentication.sh associate-user --cn <CN> --username <UFM user>

  7. Set the SSL server certificate hostname. Run:

    Copy
    Copied!
                

    /opt/ufm/scripts/manage_client_authentication.sh set-ssl-cert-hostname --hostname <hostname>

  8. Restart Apache once the certificates have been refreshed.

    Note

    Note: This command should be embedded in the "Agent" and can be invoked after the certificates have been refreshed and UFM container is running. Run:

    docker exec ufm /opt/ufm/scripts/manage_client_authentication.sh restart_ufm_websrv

LDAP (Lightweight Directory Access Protocol) is commonly used for accessing and managing directory information services over a network.

If an LDAP server is configured, users can authenticate to UFM using LDAP as an external authentication method. To set up LDAP authentication, run the following script:

Copy
Copied!
            

/opt/ufm/scripts/ufm_configure_ldap.py --auth-url='<auth_url>' --bind-dn='<bind_dn>' -–bind-password='<bind_password>'

For detailed usage instructions, refer to the script’s help documentation.

Important: After executing the script, restart UFM to apply the updated Apache configuration. Once restarted, users can log in to the UFM Web UI and access the UFM REST API using their LDAP credentials. To verify the configuration, attempt to log in to the UFM Web UI with an LDAP username and password.

Note

If UFM is deployed in Docker container mode, run the configuration script inside the container as follows:

Copy
Copied!
            

docker exec -it ufm sh -c "/opt/ufm/scripts/ufm_configure_ldap.py --auth-url='<auth_url>' --bind-dn='<bind_dn>' -–bind-password='<bind_password>'"

Configurations of the UFM Authentication Server

The UFM Authentication Server is designed to be configurable and is initially turned on by default.

Enabling the UFM Authentication Server provides a centralized service that oversees all supported authentication methods within a single service, consolidating them under a unified authentication API.

Apache utilizes the authentication server's APIs to determine a user's authentication status.

All activities of the UFM Authentication Server are logged in the authentication_service.log file, located at /opt/ufm/files/log.

To enable/disable the UFM Authentication Server, refer to .

Token-Based Authentication

Token-based authentication is a protocol which allows users to verify their identity, and in return receive a unique access token. During the life of the token, users then access the UFM APIs that the token has been issued for, rather than having to re-enter credentials each time they need to use any UFM API.

Note

Under the Settings section there is a tab titled called “Access Tokens”.

The functionality of the added tab is to give the user the ability to create new tokens & manage the existing ones (list, copy, revoke, delete):

image2022-4-28_22-56-28-version-1-modificationdate-1748450425443-api-v2.png

Actions:

Name

Icon

Description

Revoke

image2021-11-26_10-42-46-version-1-modificationdate-1748450425877-api-v2.png

Revoke a specific token.

Note

The revoked token will no longer be valid.

Delete

image2021-11-26_10-42-50-version-1-modificationdate-1748450426320-api-v2.png

Delete a specific token.

Copy

image2021-11-26_10-43-2-version-1-modificationdate-1748450426880-api-v2.png

Copy specific token into the clipboard.

Note

Each user is able to list and manage only the tokens that have been created by themselves. Only the users with system_admin role will be able to create tokens.


Proxy Authentication

Delegating Authentication to a Proxy

To allow a custom user authentication, you can configure UFM to delegate the user authentication to a remote Proxy server. The remote Proxy server is written by the user, thus, allowing flexibility on deciding how the authentication is performed.

By default, the feature is disabled. To activate the feature, configure auth_proxy_enabled with true.

In case server authentication is enabled, use /ufmRestV2, otherwise, use /ufmRestV3 to send requests to UFM.

The request header should contain a username and role. The available roles are System_Admin, Fabric_Admin, Fabric_Operator, and Monitoring_Only. If the request header is sent without a username or a role, it is rejected by the UFM.

For example:

Copy
Copied!
            

[AuthProxy]  # Defaults to false, but set to true to enable this feature auth_proxy_enabled = true  # HTTP Header name that will contain the username auth_proxy_header_name = X_WEBAUTH_USER # HTTP Header name that will contain the user roles. The available roles are as follows: System_Admin, Fabric_Admin, Fabric_Operator, and Monitoring_Only auth_proxy_header_role = X_WEBAUTH_ROLE   # Set to `true` to enable auto sign up of users who do not exist in UFM DB. Defaults to `true`. auth_proxy_auto_sign_up = true  # Limit where auth proxy requests come from by configuring a list of IP addresses. # This can be used to prevent users spoofing the X_WEBAUTH_USER header. # This option is required # Example `whitelist = 192.168.1.1, 192.168.1.0/24, 2001::23, 2001::0/120` auth_proxy_whitelist = # Define a list of allowed Common Names (CNs) for mTLS on authentication proxy requests. # Only clients with certificates that contain CN values from this list are allowed to act as an authentication proxy. # Example: `auth_proxy_cn_whitelist = user1, service1, client-cert`. auth_proxy_cn_whitelist =

Parameter

Default

Description

auth_proxy_enabled 
false

Enables authentication by proxy

auth_proxy_header_name
X_WEBAUTH_USER

The HTTP header that contains the UFM username, to be supplied by the proxy.

auth_proxy_header_role 
X_WEBAUTH_ROLE

The HTTP header that will include the UFM role. The available predefined roles are:

  • System_Admin

  • Fabric_Admin

  • Fabric_Operator

  • Monitoring_Only

auth_proxy_auto_sign_up

True

Allows automatic signup of users who are not yet present in UFM.

auth_proxy_whitelist

N/A

Restricts the source of authentication proxy requests by setting up a list of allowed IP addresses.

This field is mandatory when the client certificate is disabled and optional when the client certificate is enabled.

Example: whitelist = 192.168.1.1, 192.168.1.0/24, 2001::23, 2001::0/120

auth_proxy_cn_whitelist

N/A

Specifies a list of permitted Common Names (CNs) for mTLS in authentication proxy requests.

Only clients with certificates containing CN values from this list are authorized to act as an authentication proxy.

Example: auth_proxy_cn_whitelist = user1, service1, client-cert.

This field is mandatory when the client certificate is enabled, and the subject identifier of the client certificate is the Common Name (CN). For additional details, see Client-Based Authentication.

To use this feature, the Authentication Server must be enabled. For more information, refer to Enabling UFM Authentication Server

Azure AD Authentication

Microsoft Azure Authentication is a service provided by Microsoft Azure, the cloud computing platform of Microsoft. It is designed to provide secure access control and authentication for applications and services hosted on Azure.

UFM supports Authentication using Azure Active Directory, and to do so, you need to follow the following steps:

Register UFM in Azure AD Portal

To log in via Azure, UFM must be registered in the Azure portal using the following steps:

  1. Log in to Azure Portal, then click "Azure Active Directory" in the side menu.

  2. If you have access to more than one tenant, select your account in the upper right. Set your session to the Azure AD tenant you wish to use.

  3. Under "Manage" in the side menu, click App Registrations > New Registration.

    image2023-7-26_7-16-15-version-1-modificationdate-1748450427317-api-v2.png

  4. Provide the application details:

    1. Name: Enter a descriptive name.

    2. Supported account types: Account types that are allowed to login and use the registered application.

    3. Redirect URL: select the app type Web, and Add the following redirect URL https:///auth/login

      azureauth2-version-1-modificationdate-1748450427873-api-v2.png

      Then, click Register. The app’s Overview page opens.

  5. Under Manage in the side menu, click Certificates & Secrets > New client secret.

    azureauth3-version-1-modificationdate-1748450428307-api-v2.png

    Provide a description for the client secret and set an expiration time, then click "Add."

  6. Copy the client secret key value which will be needed to configure the UFM with Azure AD (Please note that the value of the generated secret will be hidden and will not be able to be copied/read after you leave the page.

    Under "Manage" in the side menu, click App roles > Create app role.

    azureauth4-version-1-modificationdate-1748450428843-api-v2.png

  7. Provide the role details. Please note that the role value must be a valid UFM role; otherwise, the login will fail.

    azureauth5-version-1-modificationdate-1748450429353-api-v2.png

  8. Assign the created role to the user. Follow the below steps:

    azureauth6-version-1-modificationdate-1748450429767-api-v2.png

    image2023-7-26_7-28-25-version-1-modificationdate-1748450430237-api-v2.png

    image2023-7-26_7-27-55-version-1-modificationdate-1748450430693-api-v2.png

    azureauth9-version-1-modificationdate-1748450431153-api-v2.png

  9. Click on "Overview" in the side menu to view the application information, such as tenant ID, client ID, and other details.

Enable Azure Authentication from UFM

Azure authentication is disabled by default. To enable it, please refer to Enabling Azure AD Authentication.

Azure Authentication Login Page

After enabling and configuring Azure AD authentication, an additional button will appear on the primary UFM login page labeled 'Sign In with Microsoft,' which will leads to the main Microsoft sign-in page:

MSFT-version-1-modificationdate-1748450431697-api-v2.png

Kerberos Authentication

Kerberos is a network authentication protocol designed to provide strong authentication for client-server applications by using secret-key cryptography.

The Kerberos protocol works on the basis of tickets, it helps ensure that communication between various entities in a network is secure. It uses symmetric-key cryptography, which means both the client and servers share secret keys for encrypting and decrypting communication.

To enable Kerberos Authentication, refer to Enabling Kerberos Authentication.

Setting Up Kerberos Server Machine

To set up a system as a Kerberos server, perform the following:

  1. Install the required packages:

    Copy
    Copied!
                

    #Redhat   sudo yum install krb5-libs krb5-server  # Ubuntu sudo apt-get install krb5-kdc krb5-admin-server

  2. Edit the Kerberos configuration file ‘/etc/krb5.conf’ to reflect your realm, domain and other settings:

    Copy
    Copied!
                

    [libdefaults]     default_realm = YOUR-REALM    [realms]    YOUR-REALM = {         kdc = your-kdc-server         admin_server = your-admin-server     }    [domain_realm]    your-domain = YOUR-REALM     your-domain = YOUR-REALM 

  3. Use the kdb5_utilcommand to create the Kerberos database:

    Copy
    Copied!
                

    kdb5_util create -r YOUR-REALM -s 

  4. Add administrative principals:

    Copy
    Copied!
                

    Kadmin.local addprinc -randkey HTTP/YOUR-HOST-NAME@YOUR-REALM 

  5. Start KDC and Kadmin services:

    Copy
    Copied!
                

    sudo systemctl start krb5kdc kadmin  sudo systemctl enable krb5kdc kadmin

  6. Generate a keytab file. The keytab file contains the secret key for a principal and is used to authenticate the service.

    Copy
    Copied!
                

     kadmin.local ktadd -k /path/to/your-keytab-file HTTP/YOUR-HOST-NAME@YOUR-REALM 

    Replace /path/to/your-keytab-file with the actual path where you want to store the keytab file.

Setting Up Kerberos Client Machine

Follow the below steps to set up a system as a Kerberos client.

  1. Install the required packages. When installing the UFM, the following packages will be installed as dependencies:

    Copy
    Copied!
                

    #Redhat   krb5-libs krb5-workstation mod_auth_gssapi # Ubuntu krb5-config krb5-user libapache2-mod-auth-gssapi

  2. Configure the /etc/krb5.conf file to reflect your realm, domain, local names map and other settings:

    Copy
    Copied!
                

    kinit -k -t /path/to/your-keytab-file HTTP/YOUR-HOST-NAME@YOUR-REALM 

    Copy
    Copied!
                

    [libdefaults]     default_realm = YOUR-REALM    [realms]    YOUR-REALM = {         kdc = your-kdc-server         admin_server = your-admin-server         auth_to_local_names = {             your-principle-name = your-local-user         }       }    [domain_realm]    your-domain = YOUR-REALM     your-domain = YOUR-REALM 

  3. Copy the keytab file from the Kerberos server to the machine where your service runs (the client). It is important to ensure that it is kept confidential.

    Please ensure that the keytab file exists and that Apache has the necessary read permissions to access the keytab file; otherwise, Kerberos authentication will not function properly.

  4. Obtain a Kerberos ticket-granting ticket (TGT):

  5. Enable Kerberos Authentication from UFM. Kerberos authentication is disabled by default. To enable it, please refer to Enabling Kerberos Authentication.

  6. Test the Kerberos Authentication. You can use curl to test whether the user can authenticate to UFM REST APIs using Kerberos.

    Copy
    Copied!
                

    curl --negotiate -i -u : -k 'https://ufmc-eos01/ufmRestKrb/app/tokens' 

© Copyright 2025, NVIDIA. Last updated on Jul 30, 2025.