eSight V300R009C00 Single-Node System Software Installation Guide (SUSE Linux) 10

(Optional) Logging In to the eSight Client Through Certificate Authentication

eSight supports two login authentication modes: user name and password authentication, and certificate authentication. To use certificate authentication, set the SSO authentication mode to certificate authentication and import the client certificate, server certificate, and root certificate.

Prerequisites

  • You have obtained the client certificate and password, server certificate and password, and root certificate. If the IP Address field of the backup user name is specified in the server certificate, the value of this field must be the same as the IP address of the eSight server.
  • eSight has users whose names are configured in the CN field of the client certificate.
  • The eSight service has been stopped. For details, see Stopping the eSight Service.

Procedure

NOTE:

For a local HA system, perform the operations only on the active server. For a remote HA system, perform the operations on both the active and standby servers.

  1. Import the CA certificate using a certificate tool on the eSight server.

    1. Log in to the server as the ossuser user.
    2. Stop eSight.
    3. Set the SSO authentication mode to certificate authentication.
      1. Go to the eSight installation directory/AppBase/etc/oms.sm/ext directory.
      2. In the configuration file esightsm.sm.ext.xml, change the value of the model parameter in authenticationModel to 2 (certificate authentication mode).
        <config name="authenticationModel">
           <param name="model">2</param>
        </config>
    4. Start the certificate tool.

      > cd eSight installation directory/mttools/tools

      > ./catool.sh

    5. In the Certificate Tool dialog box, select Import CA Certificate and click Next.
    6. Set related parameters of the certificate and click Apply.

      | Parameter | Description |
      |---|---|
      | Certificate | Certificate on the server. |
      | Certificate Password | Certificate password on the server. |
      | Issuer Public Key | Root certificate. |

    7. Restart eSight. For details, see Starting the eSight Service.

  2. Import the client certificate in the browser.

    The following uses Internet Explorer 11 as an example.

    1. Open the browser and go to the certificate management page.

      Click and choose Internet Options > Content > Certificate.

    2. On the Personal tab page, click Import.
    3. Import the client certificate, click Next, and enter the certificate password.

      Use default values for other parameters.

    4. Click Close.

  3. Log in to the eSight client through the SSO certificate authentication mode.

    In the address box of a browser, enter https://eSight server IP address:eSight server port number/ (for example, https://10.10.10.1:31943/), and press Enter.

    NOTE:
    • The default port number of eSight is 31943.
    • The IPv6 address format is supported for login, for example, https://FEC0::10:10:10:20:31943/.
    • The eSight maintenance tool does not support the certificate authentication login mode.
    • In the certificate authentication mode:
      • After a user logs in to eSight, the logout button is unavailable.
      • Only the admin user can view the CRL download management menu.
      • After the admin user downloads the CRL file, the user whose certificate is revoked cannot log in to the eSight client. If the user has logged in to the eSight client before the certificate is revoked, the user can continue using the eSight functions normally. However, after the browser is restarted, the user cannot log in to the eSight client again.

Related Operations

  • In the certificate authentication mode, you can set the URL and period for downloading the certificate revocation file. eSight then downloads the file periodically and uses it to check whether a certificate is still valid.
    NOTE:

    Only the admin user can perform the operation. The CRL download management menu is invisible to other users.

    1. Choose System > Administration > User Management > CRL Download from the main menu.
    2. Set parameters based on Table 9-1.
      Table 9-1 Parameter description

      | Parameter | Description | Example |
      |---|---|---|
      | Download address | URL for downloading the certificate revocation file. NOTE: The size of the certificate revocation file cannot be greater than 10 MB. | http://8.7.174.83:8888/VPN/SPO-E09.crl |
      | Download mode | Once: download the file once only. Periodic: download the file periodically. | Cycle |
      | Download period | This parameter is available only when Download mode is set to Periodic. Unit: minutes. Values: 5, 10, 15, 30, 45, 60. | 5 |


    3. Click Start task.
  • You can modify the configuration file to change the authentication mode to the user name and password authentication mode.
    1. Stop eSight.
    2. Enable the user name login function.
      NOTE:

      In the two-node cluster scenario, this operation must be performed on both the active and standby nodes.

      1. Log in to the eSight server.
      2. Go to the eSight installation directory/AppBase/etc/oms.sm/ext directory.
      3. In the configuration file esightsm.sm.ext.xml, change the value of the model parameter in authenticationModel to 1 (common authentication mode).
        <config name="authenticationModel">
           <param name="model">1</param>
        </config>
    3. Start eSight.
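
The two edits to esightsm.sm.ext.xml described in this guide (model 2 for certificate authentication, model 1 for user name and password), as an added Python example that is not part of the Huawei guide or eSight tooling. The function names and the `<configs>` root element of the sample are assumptions; only the authenticationModel element comes from the page.

```python
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Values this page documents for <param name="model">.
MODES = {"1": "user name and password", "2": "certificate"}

# Constructed sample. Only the authenticationModel element comes from the page;
# the <configs> root element is an assumption about the rest of the file.
SAMPLE = """<configs>
  <config name="authenticationModel">
     <param name="model">1</param>
  </config>
</configs>
"""

def find_model_param(tree):
    """Return the model <param> element, or raise if the file lacks it."""
    for cfg in tree.iter("config"):
        if cfg.get("name") == "authenticationModel":
            for param in cfg.iter("param"):
                if param.get("name") == "model":
                    return param
    raise LookupError("authenticationModel/model not found")

def get_auth_mode(path):
    """Read the configured mode; reject values the page does not define."""
    value = (find_model_param(ET.parse(str(path))).text or "").strip()
    if value not in MODES:
        raise ValueError(f"unexpected model value {value!r}")
    return value

def set_auth_mode(path, mode):
    """Switch the mode (eSight stopped, as the page requires); return the old value.

    The untouched original is kept as <name>.bak so the change can be rolled back.
    """
    if mode not in MODES:
        raise ValueError(f"mode must be one of {sorted(MODES)}")
    path = Path(path)
    tree = ET.parse(str(path))
    param = find_model_param(tree)
    previous = (param.text or "").strip()
    if previous != mode:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        param.text = mode
        tree.write(str(path), encoding="utf-8", xml_declaration=True)
    return previous
```

ElementTree drops XML comments when it rewrites a file, so the .bak copy is the only place they survive. Running `get_auth_mode` after a maintenance window confirms which login mode the server was left in.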
Updated: 2019-08-10

Document ID: EDOC1100011860