Administrator Guide

OceanStor 2800 V5 V500R007

This document is applicable to OceanStor 2800 V5. Routine maintenance activities are the most common activities for the storage device, including powering on or off the storage device, managing users, modifying basic parameters of the storage device, and managing hardware components. This document is intended for the system administrators who are responsible for carrying out routine maintenance activities, monitoring the storage device, and rectifying common device faults.
Configuring a CAS Server (Applicable to V500R007C50 and Later)

After a Central Authentication Service (CAS) server is configured on the storage system, eSight users can directly access the storage system through Single Sign-On (SSO).

Context

  • As a part of identity management, SSO allows a user to access protected resources of applications on the same server after the user logs in to any one of the applications. In other words, after passing the security verification of an application, the user does not need to log in to other applications again for verification when accessing protected resources of these applications.
  • CAS is a single sign-on protocol for the web. Its purpose is to permit users to access multiple applications by providing their credentials (such as user names and passwords) only once.
  • For more information, see SSO Integration in the eSight Product Documentation.

Prerequisites

The storage system has been added to eSight for management. For details about how to add a storage system to eSight for management, see Storage Management in the eSight Product Documentation.

Procedure

  1. Stop the eSight service. For details, see Starting and Stopping the eSight Server in the eSight Product Documentation.
  2. Log in to the eSight server.

    • In Windows, log in as user Administrator.
    • In Linux, log in as user ossuser.
    • In a dual-node system, log in to the active server as user ossuser.

  3. Add the storage system to the whitelist in the SSO configuration file of eSight.

    1. Use Notepad to open the sso.xml file in the eSight installation directory .../eSight/AppBase/etc/oms.sso.
    2. Add the IP address of the storage system to the <param name="client-trusted-ip">XX.XX.XX.XX</param> tag, for example:
      <param name="client-trusted-ip">XX.XX.XX.XX,YY.YY.YY.YY</param>
      NOTE: If there are multiple IP addresses, use commas (,) to separate them.

    3. Save the configuration file and start eSight.

  4. Enable SSO.

    1. Open the config.xml file in the eSight installation directory .../eSight/AppBase/etc/esight.storage.
    2. Set <param name="devicemanager.ssologin">XXX</param> to true:
      <param name="devicemanager.ssologin">true</param>

  5. Enable the eSight service. For details, see Starting and Stopping the eSight Server in the eSight Product Documentation.
  6. Obtain the CAS server's SSO certificate named ca.crt from eSight installation directory .../eSight/AppBase/etc/certificate/application/ca.
  7. Import the SSO certificate into the storage system.

    1. In the address box, type https://XXX.XXX.XXX.XXX:8088 and press Enter to log in to DeviceManager.
      NOTE: XXX.XXX.XXX.XXX represents the management network port IP address of the storage system.

    2. Choose Settings > Storage Settings > Value-added Service Settings > Credential Management.
    3. In the Credential Management area, select the SSO certificate and click Import and Activate.

      The Import and Activate dialog box is displayed.

    4. Set the certificate parameter. For details, see Table 5-9.

      Table 5-9 Certificate parameter

      Parameter             Description
      CA Certificate File   SSO certificate file.

    5. Click OK.

      The security alert dialog box is displayed.

    6. Confirm the information in the dialog box, select I have read and understand the consequences associated with performing this operation, and click OK.

      The Success dialog box is displayed.

    7. Click OK.

      The imported certificate is displayed in the certificate list.

  8. Configure the CAS server on the storage system.

    1. Log in to DeviceManager.
    2. Choose Settings > Permission Settings > CAS Server Settings.
    3. Configure the CAS server.
      1. Select Enable.
      2. Enter the CAS server's Address and Server Port.
        NOTE:
        • The address of the CAS server is that of the eSight server.
          • If eSight is used in the multi-subnet management scenario, use the IP address of the eSight server that is in the same network segment as that of the storage system.
          • If eSight is used in the southbound and northbound isolation scenario, use the southbound IP address.
        • The default port number is 31942.
      3. Click Save.

        The Success dialog box is displayed, indicating that the operation is successful.

      4. Click OK.
      5. (Optional) Click Test to check whether the configured CAS server is available.

  9. Log in to eSight. On the Storage Device tab page, click to log in to the DeviceManager of the storage system.
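Steps 3 and 4 above edit two eSight XML files by hand. The following added example (not part of the Huawei documentation or of eSight) performs the same two edits programmatically and validates every entry of the client-trusted-ip whitelist, so that a malformed or duplicated address cannot slip into the SSO trust list. Only the two <param> elements are taken from the procedure; the surrounding <config> root element and the sample addresses are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of eSight's sso.xml. Only the
# <param name="client-trusted-ip"> element comes from the procedure; the
# <config> root and the addresses are assumptions made for this example.
SSO_XML = """<config>
  <param name="client-trusted-ip">192.0.2.10</param>
</config>"""

# Constructed sample of the relevant part of config.xml (same assumption).
CONFIG_XML = """<config>
  <param name="devicemanager.ssologin">false</param>
</config>"""


def add_trusted_ip(xml_text, storage_ip):
    """Add storage_ip to the comma-separated SSO whitelist.

    Returns (new_xml_text, whitelist). Every address, existing or new, must
    parse as an IP address, and an address already present is not repeated,
    so the trust list never silently widens or breaks because of a typo.
    """
    ipaddress.ip_address(storage_ip)  # raises ValueError on a malformed address
    root = ET.fromstring(xml_text)
    param = root.find("./param[@name='client-trusted-ip']")
    if param is None:
        raise ValueError("client-trusted-ip parameter not found")
    whitelist = [ip.strip() for ip in (param.text or "").split(",") if ip.strip()]
    for ip in whitelist:
        ipaddress.ip_address(ip)  # reject an already-corrupted whitelist
    if storage_ip not in whitelist:
        whitelist.append(storage_ip)
    param.text = ",".join(whitelist)
    return ET.tostring(root, encoding="unicode"), whitelist


def enable_sso_login(xml_text):
    """Set devicemanager.ssologin to true; returns (new_xml_text, value)."""
    root = ET.fromstring(xml_text)
    param = root.find("./param[@name='devicemanager.ssologin']")
    if param is None:
        raise ValueError("devicemanager.ssologin parameter not found")
    param.text = "true"
    return ET.tostring(root, encoding="unicode"), param.text


if __name__ == "__main__":
    print(add_trusted_ip(SSO_XML, "192.0.2.20")[0])  # whitelist: 192.0.2.10,192.0.2.20
    print(enable_sso_login(CONFIG_XML)[0])
```

Stop the eSight service before writing the modified text back to the real files, as step 1 of the procedure requires.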

Follow-up Procedure

To enable eSight users to log in to the storage system through SSO, you must establish a mapping between eSight user roles and storage system user roles. An eSight user has the same storage system permissions as the storage system user role mapped to the eSight user role. By default, the storage system provides a mapping between two pairs of roles, as shown in Table 5-10.

Table 5-10 Role mapping

eSight User Role   Storage System User Role
Administrator      Super administrator
Monitor            Maintenance administrator

If you want to use another eSight user role, create a user role on the storage system with the same name as the eSight user role; the two roles are then mapped by name.

For example, if the role of an eSight user is role1, create the role1 role on the storage system. Then, the eSight user has the same storage system permissions as role1 created on the storage system.

Updated: 2019-07-11

Document ID: EDOC1000181576