eSight V300R010C00SPC200, 300, and 500 Operation Guide 09

Configuring the LDAP-based Authentication

After LDAP-based remote authentication is configured, eSight delegates the checking of user names and passwords to the LDAP server (the AAA system); eSight itself keeps only the roles and their permissions.

Prerequisites

  1. A user with the administrator role has logged in to eSight.
  2. (Optional) JXplorer has been installed. The following table lists where to obtain the tool.

    Software package: jxplorer-3.2.1
    Software package name: jxplorer-3.2.1-windows-installer.exe
    Obtaining path: Request a Huawei technical support engineer to download the software package from http://www.jxplorer.org/downloads/users.html.

Context

In the LDAP-based authentication mode, eSight only needs to manage roles and assign role permissions rather than managing users. The LDAP server manages users and roles, and authenticates user names and passwords used for eSight login. Figure 3-5 shows the LDAP-based authentication process.

Figure 3-5 LDAP-based authentication process

The LDAP-based authentication process is as follows:

  1. The eSight client sends the user name and password to the eSight server.
  2. On receiving the request, the eSight server acts as an LDAP client and opens a connection to the LDAP server, either a common (user name and password) connection or an SSL/TLS-protected one. With a common connection the user's password is sent to the LDAP server in clear text, which is why the secure connection types described under Parameters are recommended.

    Over that connection the eSight server submits the user's credentials to the LDAP server for authentication, and the LDAP server returns the result to the eSight server.

  3. The eSight server returns the authentication result to the user through the eSight client:
    • Authentication succeeded: the user can use eSight functions within the scope of the user's permissions.
    • Authentication failed: the user sees a login failure prompt on the eSight client, stating either that the user name or password is incorrect or that the central authentication server is not connected.

Parameters

Specification

LDAP servers that eSight can connect to are of three types:

  • Windows AD
  • OpenLDAP

    OpenLDAP runs on Windows and Linux. The following describes how to configure OpenLDAP on Linux.

  • Oracle LDAP

eSight can connect to the LDAP server in secure connection mode. Before connecting, make sure that the LDAP server has LDAP over SSL/TLS (LDAPS, port 636 by default) enabled. A secure connection can use either one-way or two-way authentication. If the LDAP server does not need to verify the certificate of the client (eSight), use one-way authentication; then only the CA certificate that issued the LDAP server's certificate needs to be deployed on eSight. If the LDAP server must verify the certificate of the client (eSight), use two-way authentication; then both that CA certificate and an identity certificate for eSight (a PKCS#12 file holding eSight's own certificate and private key, issued by a CA that the LDAP server trusts) must be deployed on eSight.

Parameter Description

LDAP-based authentication parameters can be classified into the following types: basic settings, connection, authentication, and authorization. Table 3-7 describes the parameters.

NOTE:

The configuration file involved in table is <eSight installation directory>\eSight\AppBase\etc\oms.sm\ldapAuth.cfg.

Table 3-7 Parameter Description

Each entry gives the GUI parameter, its description, how to set it, a reference value, and the key in the configuration file.

Basic settings

Server domain name/IP address
  Description: Domain name or IP address of the authentication server.
  NOTE: If a domain name is used, configure the address of the DNS server that resolves it on the eSight server.
  How to set: Use the same value as on the LDAP authentication server.
  Reference value: ldap.test.com or 10.134.151.140
  Configuration file key: LDAPServerIP

Server port number
  Description: Port used for communication between the authentication server and the eSight server.
  How to set: The port depends on the connection type between the LDAP server and eSight. Use the same value as on the LDAP authentication server.
  Reference value:
    Non-Oracle LDAP, common connection: 389
    Non-Oracle LDAP, SSL connection: 636
    Oracle LDAP, common connection: 31046
    Oracle LDAP, SSL connection: 31047
  Configuration file key: LDAPPort

Standby server domain name/IP address
  Description: Domain name or IP address of the standby authentication server.
  NOTE: If a domain name is used, configure the address of the DNS server that resolves it on the eSight server.
  How to set: Use the same value as on the standby LDAP authentication server.
  Reference value: ldap.test.com or 10.134.151.140
  Configuration file key: LDAPBakServerIP

Standby server port number
  Description: Port used for communication between the standby authentication server and the eSight server.
  How to set: The port depends on the connection type between the standby LDAP server and eSight. Use the same value as on the standby LDAP authentication server.
  Reference value:
    Non-Oracle LDAP, common connection: 389
    Non-Oracle LDAP, SSL connection: 636
    Oracle LDAP, common connection: 31046
    Oracle LDAP, SSL connection: 31047
  Configuration file key: LDAPBakPort

Basic DN
  Description: Base DN of the LDAP directory root.
  How to set: Set it to the base DN of the LDAP root directory obtained from the LDAP server.
  Reference value: DC=huawei,DC=com
  Configuration file key: LDAPBaseDN

User object class name
  Description: Object class of the users to be authenticated, for example administrators and operators.
  How to set: Use the same value as on the LDAP authentication server.
  Reference value: OpenLDAP: EmsPerson; Oracle LDAP: SMPerson; Windows AD: Person
  Configuration file key: userClassName

Connection

Connection type
  Description: How eSight connects to the LDAP authentication server:
    • Common: user name and password over a plain (unencrypted) connection.
    • Secure (two-way authentication): SSL/TLS with mutual authentication. eSight and the LDAP server exchange certificates and each verifies the other's.
    • Secure (one-way authentication): SSL/TLS with server authentication only. eSight verifies the LDAP server's certificate against the CA certificate, but the LDAP server does not verify a certificate from eSight.
  How to set: After Connection type is changed, Server port number in the basic settings is reset to the default for that type:
    - Common: 389
    - Secure (two-way authentication) or Secure (one-way authentication): 636
  Check the port afterwards if the server uses a different one (for example the Oracle LDAP ports 31046 and 31047).
  Configuration file key: LDAPBindType

Secure protocol
  Description: eSight supports the following protocols:
    • TLSv1
    • TLSv1.1
    • TLSv1.2
    • SSLv3
  SSLv3, TLSv1 and TLSv1.1 are deprecated and have known weaknesses; use TLSv1.2 unless the LDAP server cannot negotiate it.
  How to set: Mandatory when a secure connection is used. Store the certificate issued by a certificate authority (CA), or a self-made one, in <eSight installation directory>/AppBase/etc/certificate as the ossuser user and make sure the certificate file permission is 600.
  NOTE: In a two-node cluster, perform this operation only on the active server.
  When Connection type is Secure (one-way authentication), only LDAP certificate name needs to be set.
    • Secure protocol: use the same value as on the LDAP authentication server.
    • eSight certificate name: set as required. An eSight local certificate normally has the extension .p12.
    • LDAP certificate name: set as required. The LDAP server's CA certificate normally has the extension .cer.
    • Library protection password and Private key password: use the actual passwords.
  Reference value: TLSv1.2
  Configuration file key: SSLVersion

eSight certificate name
  Description: Name of eSight's local identity certificate, a PKCS#12 file containing eSight's certificate and private key; used for two-way authentication.
  Reference value: huawei.p12
  Configuration file key: CertFile

LDAP certificate name
  Description: Name of the CA certificate that eSight uses to verify the LDAP server's certificate.
  Reference value: rootCA.cer
  Configuration file key: CACertFile

Library protection password
  Description: Password protecting the PKCS#12 certificate file (.p12/.pfx) named in eSight certificate name.
  Reference value: Changeme_123
  NOTE: Set it to the password chosen in Configuring an SSL Certificate when the file was exported.
  Configuration file key: StoreSecret

Private key password
  Description: Password protecting the private key inside that certificate file.
  Reference value: Changeme_123
  NOTE: Set it to the password chosen in Configuring an SSL Certificate.
  Configuration file key: KeySecret

Authentication

Mode
  Description: eSight offers two authentication modes:
    • DN integrity during administrator login and query: eSight binds to the LDAP server as an administrator, searches the directory for the user's DN, and then authenticates the user with that DN.
    • DN authentication: attribute name = User account + Directory: eSight builds the user's DN directly from the user name attribute, the login account and the configured directory, without searching.
  Default value: DN authentication: attribute name = User account + Directory
  How to set: Choose according to how the LDAP server organizes the users who may log in to eSight:
    • If those users all belong to one common directory, use DN authentication: attribute name = User account + Directory.
    • If those users are spread over different directories, use DN integrity during administrator login and query.
  Reference value: DN authentication: attribute name = User account + Directory; or, when configuring administrator login and query (optional), DN integrity during administrator login and query
  Configuration file key: LDAPAuthType

Administrator DN
  Description: DN of the LDAP authentication server administrator.
  How to set: Mandatory for the DN integrity during administrator login and query mode. Enter the DN (and, below, the password) of an account that can query all users and user groups in the LDAP directory. Only search rights are needed, so prefer a dedicated read-only account over a directory-wide administrator.
  Reference value: CN=manager,DC=huawei,DC=com
  Configuration file key: LDAPBindDN

Administrator password
  Description: Password of that administrator account.
  NOTE: Set it to the password used to log in to the LDAP server with that DN.
  Reference value: secret
  Configuration file key: LDAPBindSecret

User name flag
  Description: Attribute that holds the user name on the LDAP authentication server.
  How to set: Must match the attribute used on the LDAP server. If LDAP server type is Universal LDAP server, this is generally uid for OpenLDAP and cn for Oracle LDAP. If LDAP server type is Microsoft AD, it is generally cn.
  Reference value: OpenLDAP: uid; Oracle LDAP: cn; Windows AD: cn
  Configuration file key: searchUserAttr.userid

Location format
  Description: Format of the user directory on the LDAP authentication server.
  How to set: Mandatory for the DN authentication: attribute name = User account + Directory mode.
    • Email: the suffix has the form @xx.xx, for example @huawei.com.
    • LDAP directory: the directory has the form key=value, with several pairs separated by commas, for example DC=huawei,DC=com.
  Reference value: -
  Configuration file key: LDAPLoginUserDirectory

Directory/Email suffix
  Description: Suffix of the user directory or email address; eSight appends it to the login user name to form the complete DN (or the user principal name).

Authorization

Bound role obtaining
  Description: eSight obtains the roles of a login user in either of two ways:
    • Create user and bind role on the eSight server
    • Query the name of specific attribute in user data model
  Default value: Query the name of specific attribute in user data model
  How to set: Depends on whether the LDAP authentication server's user data model carries the role:
    • If the user data model does not specify the user's role through an attribute, use Create user and bind role on the eSight server: create the user on eSight and bind it to a role.
      NOTE: In this case the password set when creating the user on eSight does not take effect; the password on the LDAP authentication server is the valid one.
    • If the user data model specifies the user's role through an attribute, use Query the name of specific attribute in user data model.
      NOTE: In this case make sure that at least one role from the authentication server's role list for the user exists on eSight.

Object class attribute
  Description: Name of the attribute in the LDAP authentication server's user data model that holds the role list.
  How to set: Mandatory when Bound role obtaining is Query the name of specific attribute in user data model. Use the same value as on the LDAP authentication server.
  Reference value: OpenLDAP: groupName; Oracle LDAP: groupName; Windows AD: memberOf
  Configuration file key: searchUserAttr.userGroup

Role name separator
  Description: Character separating the roles in the role list held by the LDAP authentication server.
  Reference value: ;
  Configuration file key: valueSeparator
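The following is an added example, not eSight code, that shows what the two values of Mode in Table 3-7 mean for the LDAP operations eSight performs. It replaces the LDAP server with an in-memory dictionary (all entries, DNs and passwords are constructed), uses the Table 3-7 keys for its configuration, and assumes the labels "user+directory" and "admin-query" for LDAPAuthType because the page shows only the GUI names. It also shows why the search-based mode is the one to use when users live in different directories.

```python
"""Added example: the two eSight LDAP authentication modes against an
in-memory stand-in for the LDAP server (constructed data)."""
from typing import Dict, List

# Constructed stand-in for the LDAP server: DN -> attributes. Clear-text
# userPassword values exist only because this is a stand-in.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=manager,dc=huawei,dc=com": {
        "cn": "manager", "objectClass": "organizationalRole",
        "userPassword": "secret"},
    "uid=jack,ou=ops,dc=huawei,dc=com": {
        "uid": "jack", "objectClass": "EmsPerson",
        "userPrincipalName": "jack@huawei.com", "userPassword": "Jack_123"},
    "uid=tom,ou=dev,dc=huawei,dc=com": {
        "uid": "tom", "objectClass": "EmsPerson",
        "userPrincipalName": "tom@huawei.com", "userPassword": "Tom_123"},
}

# The two failure prompts the eSight client can show.
ERR_CREDENTIALS = "Incorrect user name or password."
ERR_UNREACHABLE = "The central authentication server is not connected."


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: DNs are case-insensitive and may carry
    spaces after the commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def simple_bind(name: str, password: str, reachable: bool = True) -> str:
    """Stand-in for an LDAP simple bind. Accepts a DN or, as Windows AD does,
    a userPrincipalName (account@domain). Returns the bound entry's DN."""
    if not reachable:
        raise ConnectionError(ERR_UNREACHABLE)
    entries = {norm_dn(dn): attrs for dn, attrs in DIRECTORY.items()}
    if "=" not in name and "@" in name:  # UPN bind (Location format = Email)
        hits = [dn for dn, a in entries.items()
                if a.get("userPrincipalName", "").lower() == name.lower()]
        dn = hits[0] if len(hits) == 1 else None
    else:
        dn = norm_dn(name) if norm_dn(name) in entries else None
    # Unknown name and wrong password give the same prompt on purpose: the
    # response must not reveal which accounts exist.
    if dn is None or entries[dn].get("userPassword") != password:
        raise PermissionError(ERR_CREDENTIALS)
    return dn


def search(base_dn: str, attr: str, value: str, object_class: str) -> List[str]:
    """Stand-in for a subtree search (&(objectClass=...)(attr=value))."""
    base = norm_dn(base_dn)
    hits = []
    for raw_dn, attrs in DIRECTORY.items():
        dn = norm_dn(raw_dn)
        in_subtree = dn == base or dn.endswith("," + base)
        if (in_subtree and attrs.get("objectClass") == object_class
                and attrs.get(attr, "").lower() == value.lower()):
            hits.append(dn)
    return hits


def authenticate(cfg: Dict[str, str], account: str, password: str,
                 reachable: bool = True) -> str:
    """Authenticate one eSight login in the mode selected by LDAPAuthType and
    return the user's DN. "user+directory" / "admin-query" are assumed labels."""
    if cfg["LDAPAuthType"] == "user+directory":
        # DN authentication: attribute name = User account + Directory.
        directory = cfg["LDAPLoginUserDirectory"]
        if directory.startswith("@"):          # Location format = Email
            bind_name = account + directory    # e.g. jack@huawei.com
        else:                                  # Location format = LDAP directory
            bind_name = f"{cfg['searchUserAttr.userid']}={account},{directory}"
        return simple_bind(bind_name, password, reachable)

    # DN integrity during administrator login and query: bind as the
    # administrator, find the user's DN anywhere under the base DN, then bind
    # as that user to check the password.
    simple_bind(cfg["LDAPBindDN"], cfg["LDAPBindSecret"], reachable)
    hits = search(cfg["LDAPBaseDN"], cfg["searchUserAttr.userid"], account,
                  cfg["userClassName"])
    if len(hits) != 1:  # unknown or ambiguous account
        raise PermissionError(ERR_CREDENTIALS)
    return simple_bind(hits[0], password, reachable)


# Constructed configurations using the Table 3-7 keys.
CFG_DIRECTORY = {  # all eSight users live under ou=ops
    "LDAPAuthType": "user+directory", "searchUserAttr.userid": "uid",
    "LDAPLoginUserDirectory": "ou=ops,dc=huawei,dc=com"}
CFG_EMAIL = {      # Windows AD style login with the email suffix
    "LDAPAuthType": "user+directory", "searchUserAttr.userid": "cn",
    "LDAPLoginUserDirectory": "@huawei.com"}
CFG_ADMIN = {      # users spread over several directories
    "LDAPAuthType": "admin-query", "LDAPBaseDN": "DC=huawei,DC=com",
    "userClassName": "EmsPerson", "searchUserAttr.userid": "uid",
    "LDAPBindDN": "CN=manager,DC=huawei,DC=com", "LDAPBindSecret": "secret"}

if __name__ == "__main__":
    print(authenticate(CFG_DIRECTORY, "jack", "Jack_123"))  # found directly
    print(authenticate(CFG_ADMIN, "tom", "Tom_123"))        # found via search
    try:
        authenticate(CFG_DIRECTORY, "tom", "Tom_123")       # tom is in ou=dev
    except PermissionError as exc:
        print("tom via directory mode:", exc)
```

Note that in the search-based mode the administrator credentials from LDAPBindDN/LDAPBindSecret are used on every login, so that account should have search rights only.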

Windows AD

Obtaining Information from the LDAP Server

  1. Log in to the LDAP server as an operating system user in the Administrators group.
  2. Right-click Computer and choose Manage from the shortcut menu. The Server Manager page is displayed.
  3. In the navigation tree, choose Roles > Active Directory Domain Services > Active Directory Users and Computers and select the domain in which the accounts are stored.

    NOTE:

    The name of the selected domain, written in DN form, is the value to set for Basic DN on the eSight GUI; for the domain man.sunrise.com this is DC=man,DC=sunrise,DC=com.

Creating User Groups Matching Roles on eSight

NOTE:

The default role of eSight is used as an example here. To use a user-defined role, you need to create a user group corresponding to this role.

Because the LDAP server already provides the built-in group Administrators, you only need to create the user groups Operator, Monitor, and Open API user group. Note that Administrators is the directory's own administrative group: an account added to it to obtain the eSight administrator role also gains administrative rights on the domain controller. If that is not intended, create a dedicated group named after the eSight administrator role and map that group instead.

  1. Right-click in the blank area under the man.sunrise.com domain and choose New > Group.

  2. Set Group name to Operator and click OK.

  3. Create the user groups Monitor and OpenAPI in the same way.

Adding Users to the Corresponding User Groups

  1. Right-click the user group Operator and choose Properties.

  2. On the Members tab page, click Add, add the planned users to the group, and click OK.

  3. Add users to the groups Administrators, Monitor, and Open API user group in the same way.
NOTE:

If Jack and Tom are newly created in Windows AD with the User must change password at next logon option selected, they must change their passwords before logging in to eSight. Otherwise, the error "Incorrect user name or password." is displayed.

(Optional) Using the JXplorer to Configure the eSight Page

Use JXplorer to read, from the LDAP server, the user attributes that you will enter in Configuring Interconnection Parameters on eSight.

  1. On the JXplorer login page, set User DN to administrator@huawei.com and Password to that administrator's LDAP server login password. In the user DN, the suffix after @ is the domain name of the LDAP server.

  2. Set the related parameters. Table 3-8 describes the mapping between the JXplorer parameters and the parameters on the eSight page, using the zathing user as the example.

    Table 3-8 JXplorer parameters and parameters on the eSight page (JXplorer parameter -> parameter on the eSight page)

    JXplorer login page:

      Host -> Domain name/IP address of the authentication server (JXplorer accepts only an IP address)
      Port -> Authentication server port
      Base DN -> Basic DN
      User DN -> Administrator DN
      Password -> Administrator password

    JXplorer user parameter page:

      ObjectClass -> User object class name
      cn -> User name
      userPassword -> Password
      memberOf -> Group name
      Value of distinguishedName with the leading CN= component removed, or the email address suffix in the value of userPrincipalName -> Directory/Email suffix

Configuring the SSL Certificate (Optional for the Security Connection Scenario)

By default, a Windows AD domain controller does not accept LDAP over SSL (LDAPS) connections, because it has no server authentication certificate. Installing Active Directory Certificate Services and issuing the domain controller such a certificate, as described below, enables LDAPS; the CA certificate is then exported for eSight.

  1. Add the AD certificate services.

    1. Log in to the LDAP server as an operating system user in the Administrators group.
    2. Right-click Computer and choose Manage from the shortcut menu. The Server Manager page is displayed.
      NOTE:

      Windows Server 2008 is used as an example in this step.

    3. Right-click Roles and choose Add Roles from the shortcut menu in the navigation tree.
    4. In the displayed dialog box, click Server Roles, select Active Directory Certificate Services, and click Next.
    5. Take all default settings for the following steps and click Install.

  2. Issue a server identity authentication certificate.

    1. On the Server Manager page, choose Roles> Active Directory Certificate Services.
    2. In Certificate Templates Console, right-click Kerberos Authentication and choose Duplicate Template from the shortcut menu.
    3. In the Duplicate Template dialog box, ensure that Windows Server 2003 Enterprise is selected and click OK.
    4. In the Properties of New Template dialog box, select the settings such as Publish certificate in Active Directory and Allow private key to be exported. Then, click OK.
    5. On the displayed Server Manager page, right-click Certificate Templates and choose New > Certificate Template to Issue from the shortcut menu.
    6. In the Enable Certificate Templates dialog box, select the created template and click OK.

  3. Register the certificate.

    1. Choose Start > Run on the desktop, enter MMC, and press Enter.
    2. On the Console1 page, choose File> Add/Remove Snap-ins.
    3. In Available snap-ins under Add or Remove Snap-ins, select Certificates and click Add.
    4. In the displayed dialog box, select Computer account and click Next.
    5. In the displayed Select Computer dialog box, select Local computer and click Finish.
    6. In the displayed Add or Remove Snap-ins dialog box, click OK.
    7. In the Console1 navigation tree, unfold Certificates (Local Computer) and choose Personal.
    8. Right-click Certificates and choose All Tasks > Request New Certificate from the shortcut menu.
    9. In the Certificate Enrollment dialog box, click Next.
    10. In the Select Certificate Enrollment Policy dialog box, select Active Directory Enrollment Policy and click Next.
    11. Select the certificate based on the duplicated Kerberos Authentication template created in step 2 (it allows the certificate to be used for server identity authentication) and click Enroll.
    12. In the Certificate Enrollment dialog box, click Finish.

  4. Export the authentication certificate.

    1. In the Console1 navigation tree, unfold Certificates (Local Computer) and choose Personal.
    2. Right-click the newly registered authentication certificate and choose All Tasks > Export from the shortcut menu.
    3. In the Certificate Export Wizard dialog box, click Next.
    4. Select Yes, export the private key and click Next.
    5. Select Export all extended properties and click Next.
    6. Set a password that needs to be entered when a certificate is imported, and click Next.
      NOTE:

      Remember the password set here, because it will be used when you perform the steps in section Configuring Interconnection Parameters on eSight.

    7. In File name, enter the path, file name, and file name extension (.pfx), and click Next.

      Example: D:\windowsAD.pfx

    8. Click Finish.

  5. Export the CA root certificate.

    1. In the Console1 navigation tree, unfold Certificates (Local Computer) and choose Personal.
    2. Right-click the CA root certificate and choose All Tasks > Export from the shortcut menu.
    3. In the Certificate Export Wizard dialog box, click Next.
    4. Select No, do not export the private key and click Next.
    5. Select DER encoded binary X.509 (.CER) and click Next.
    6. In File name, enter the path, file name, and file name extension (.cer), and click Next.

      Example: D:\huawei.cer

    7. Click Finish.

  6. Import the certificate.

    1. On the Console1 page, choose File> Add/Remove Snap-ins.
    2. In Available snap-ins under Add or Remove Snap-ins, select Certificates and click Add.
    3. In the displayed dialog box, select Service account and click Next.
    4. In the displayed Select Computer dialog box, select Local computer and click Next.
    5. In the Certificates snap-in dialog box, select Active Directory Domain Services and click Finish.
    6. In the displayed Add or Remove Snap-ins dialog box, click OK.
    7. In the Console1 navigation tree, unfold Certificates - Service (Active Directory Domain Services) on Local Computer, right-click NTDS\Personal, and choose All Tasks > Import from the shortcut menu.
    8. In the Certificate Import Wizard dialog box, click Next.
    9. Click Browse and find the exported authentication certificate file.
    10. Enter the password that is set when the authentication certificate is exported, and click Next.
    11. Ensure that Place all certificates in the following store is set to NTDS\Personal. Then, click Next.
    12. Check the settings and click Finish.
    13. In the Console navigation tree, choose NTDS\Personal > Certificates, right-click the imported certificate, and choose Open from the shortcut menu.
    14. On the Details tab page in the Certificate dialog box, click Enhanced Key Usage, check that it includes Server Authentication (1.3.6.1.5.5.7.3.1), and click OK.

  7. Place the authentication certificate exported in step 4 and the CA certificate exported in step 5 in the <Installation directory>/AppBase/etc/certificate directory on the eSight server, owned by ossuser with permission 600 (see Secure protocol in Table 3-7). The exported .pfx file is a PKCS#12 file and can be given the .p12 name entered in eSight certificate name. Note that it contains the domain controller's private key; if it is deployed on eSight, that key now lives on two systems. For two-way authentication, issuing eSight its own client certificate from the same CA avoids this.

(Optional) Configuring Group Embedding Authorization

In Windows AD a user can belong to group1 while group1 belongs to group2, as shown in Figure 3-6; the groups are nested (embedded). Suppose roles named group1 and group2 have been created on eSight. When the user logs in, the user receives only the rights of the group1 role. For the user to also receive the rights of the group2 role after login, the group embedding authorization function must be enabled. Table 3-9 describes the parameter.

Figure 3-6 Embedding authorization description

NOTE:

Group embedding is supported only with Windows AD. A maximum of five embedding layers are supported. A user or group must not belong to more than one group; otherwise the user has no permissions after login.

Table 3-9 Embedding authorization parameters

IsEnableGroupNest
  Description: Whether group embedding authorization is enabled.
  Value range: true (enable group embedding authorization) or false (do not enable it). The default value is false.
  Effective mode: Change the value manually. The change takes effect after eSight is restarted.

NOTE:

The path of the configuration file in the table is <eSight installation directory>\eSight\AppBase\etc\oms.sm\ext\eSight.ldapAuth.ext.cfg.
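The following added example (not eSight code) puts the Authorization rows of Table 3-7 and the group embedding rule above into one function: it splits the role attribute on valueSeparator, reduces each element to a role name, keeps only roles that exist on eSight, and, when IsEnableGroupNest is true, follows the direct group's own memberOf upward. The users, groups and role names are constructed; the page does not define exactly how the five layers are counted, so the code counts parent hops above the user's direct group, and it treats membership in more than one group as "no permissions", as the NOTE states.

```python
"""Added example: eSight role resolution from an LDAP group attribute,
with and without Windows AD group nesting (constructed data)."""
from typing import Dict, List, Set

# USERS maps a login name to the value eSight reads from
# searchUserAttr.userGroup (memberOf on Windows AD, groupName on OpenLDAP),
# with several groups separated by valueSeparator.
USERS: Dict[str, str] = {
    "jack": "CN=Operator,CN=Users,DC=huawei,DC=com",
    "tom": "CN=Monitor,CN=Users,DC=huawei,DC=com;CN=OpenAPI,CN=Users,DC=huawei,DC=com",
    "eve": "CN=Helpdesk,CN=Users,DC=huawei,DC=com",   # no matching eSight role
    "neo": "CN=group1,CN=Users,DC=huawei,DC=com",     # group1 is nested in group2
    "deep": "CN=L1,CN=Users,DC=huawei,DC=com",        # seven-level chain
    "olga": "Operator;Monitor",                       # OpenLDAP groupName style
}
# Group -> groups it is a member of (the group's own memberOf), Windows AD only.
GROUP_MEMBEROF: Dict[str, List[str]] = {
    "group1": ["group2"],
    "L1": ["L2"], "L2": ["L3"], "L3": ["L4"], "L4": ["L5"], "L5": ["L6"], "L6": ["L7"],
}
# Roles defined on eSight: the defaults plus user-defined group1/group2/L*.
ESIGHT_ROLES: Set[str] = {"Administrator", "Operator", "Monitor", "OpenAPI",
                          "group1", "group2", "L1", "L7"}
# Roles bound locally for "Create user and bind role on the eSight server".
LOCAL_BINDINGS: Dict[str, Set[str]] = {"jack": {"Monitor"}}

# "A maximum of five embedding layers": counted here as parent hops above
# the user's direct group (assumption; the page does not define the count).
MAX_NEST_LAYERS = 5


def group_name(value: str) -> str:
    """Reduce one role-list element to a role name: the CN of a group DN
    (Windows AD memberOf) or the plain value (OpenLDAP groupName)."""
    first = value.split(",")[0].strip()
    key, eq, val = first.partition("=")
    return val.strip() if eq else first


def direct_groups(attr_value: str, separator: str = ";") -> List[str]:
    """Split the role list on valueSeparator and extract the role names."""
    return [group_name(v) for v in attr_value.split(separator) if v.strip()]


def nested_chain(group: str) -> List[str]:
    """Follow the group's memberOf upward for at most MAX_NEST_LAYERS hops.
    Returns [] when a group on the path belongs to more than one group,
    which the page says leaves the user without permissions."""
    chain, current = [group], group
    for _ in range(MAX_NEST_LAYERS):
        parents = GROUP_MEMBEROF.get(current, [])
        if not parents:
            break
        if len(parents) > 1:
            return []
        current = parents[0]
        chain.append(current)
    return chain


def resolve_roles(user: str, mode: str = "attribute",
                  nest_enabled: bool = False, separator: str = ";") -> Set[str]:
    """Roles eSight grants to an LDAP-authenticated user.

    mode="local":     Create user and bind role on the eSight server
    mode="attribute": Query the name of specific attribute in user data model
    nest_enabled:     IsEnableGroupNest=true in eSight.ldapAuth.ext.cfg
    An empty result means the user logs in with no permissions."""
    if mode == "local":
        return set(LOCAL_BINDINGS.get(user, set()))
    groups = direct_groups(USERS.get(user, ""), separator)
    if nest_enabled:
        if len(groups) != 1:   # a user in several groups -> no permissions
            return set()
        groups = nested_chain(groups[0])
    # Only roles that exist on eSight count; at least one must match.
    return {g for g in groups if g in ESIGHT_ROLES}


if __name__ == "__main__":
    for name in USERS:
        print(name, sorted(resolve_roles(name)),
              "nested:", sorted(resolve_roles(name, nest_enabled=True)))
```

The "deep" user shows the layer limit: with the chain L1 to L7 only L1 to L6 are visited, so the L7 role is never granted even though it exists on eSight.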

Configuring Interconnection Parameters on eSight

  • LDAP Common Authentication Mode
    1. Choose System > System Settings > System Interconnection > Authentication Server Configuration.
    2. Select Authentication to LDAP.
    3. Set LDAP-based authentication parameters in terms of the basic settings, connection, and authentication.
      NOTE:

      The authentication server address can be a domain name or an IP address. The IP address is used as an example here. For details about the domain name example, see (Optional) Domain Name Authentication Configuration.

      NOTE:

      Currently, single-directory and multi-directory login modes are supported. If the single-directory login mode is selected, only users under the specified directory can log in. If the multi-directory login mode is selected, users under all directories can log in by using the email format.

      The following figure shows a configuration example of the single-directory login mode.

      The following figure shows a configuration example of the multi-directory login mode.

    4. Click Test to verify the connection between eSight and the authentication server.

      If the connection failed, verify that the authentication server IP/domain name, port number, and basic DN are the same as values on the LDAP authentication server.

      If the connection is successful, the context can be initialized based on the IP address/domain name, port number, and basic DN.

    5. Click Apply.

      LDAP-based remote authentication is enabled immediately.

  • LDAP SSL authentication without a certificate

    Before using this mode, configure the LDAP common authentication mode.

    Manually modify the configuration file <eSight installation path>\eSight\AppBase\etc\oms.sm\ldapAuth.cfg.

    NOTE:

    This mode is not recommended: the connection is encrypted, but eSight does not verify the LDAP server's certificate, so an attacker on the network path can impersonate the LDAP server and capture every user name and password that eSight forwards to it. Use one of the certificate-based Secure connection types instead wherever possible.

    1. Change the value of LDAPBindType to 2.
    2. Change the value of LDAPPort to the SSL port of the LDAP server (for example, 636 for an AD server).
    3. If a standby authentication server is configured, change the value of LDAPBakPort to the SSL port of the standby LDAP server (for example, 636 for an AD server).
    4. Change the value of SSLVersion to the secure protocol version supported by the LDAP server. The default value is TLSv1.2; keep it unless the server cannot negotiate TLSv1.2.
    5. Restart eSight for the settings to take effect. For details about how to restart eSight, see "Common Operations and Configuration > Common eSight Operations" in the Maintenance Guide.
  • LDAP SSL Authentication Mode
    1. If the SSL authentication mode is selected, modify connection parameters based on parameter settings for the common authentication mode.

    2. Click Test to verify the connection between eSight and the authentication server.

      If the connection failed, verify that the authentication server IP/domain name, port number, and basic DN are the same as values on the LDAP authentication server.

      If the connection is successful, the context can be initialized based on the IP address/domain name, port number, and basic DN.

    3. Click Apply. LDAP-based remote authentication is enabled immediately.
  • (Optional) Domain Name Authentication Configuration

    Enter the domain name format of the authentication server. The related configuration must be modified. The common authentication mode is used as an example.

  • (Optional) Standby Authentication Server Configuration

    Enter the domain name or IP address and port number of the standby authentication server. The common authentication mode is used as an example.

  • (Optional) Administrator Login Configuration

    By default, authentication is performed directly with the eSight user's DN. eSight also allows an administrator to log in to the LDAP server and query the user's DN for authentication. If DN integrity during administrator login and query is selected, you must also configure the DN and password of that administrator.
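As an added example (not eSight code), the following lint checks a hand-edited ldapAuth.cfg for the settings that the sections above warn about: LDAPBindType 2 (SSL without a certificate), a deprecated Secure protocol, a plain port combined with an SSL bind, mismatched active and standby ports, placeholder secrets, and certificate file permissions other than 600. It assumes the file is plain key=value lines (the page lists the keys but not the syntax) and that 2 is the only LDAPBindType value meaning SSL without a certificate, because that is the only value the page documents. The weak and hardened configurations and the secrets in them are constructed.

```python
"""Added example: a lint for ldapAuth.cfg settings (key=value format and
sample configurations are assumptions)."""
import os
import stat
from typing import Dict, List

# Reference values from Table 3-7 that must not survive into production.
PLACEHOLDER_SECRETS = {"Changeme_123", "secret"}
SECURE_PORTS = {"636", "31047"}   # non-Oracle LDAPS / Oracle LDAP SSL
COMMON_PORTS = {"389", "31046"}   # non-Oracle / Oracle plain LDAP


def parse_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")   # DN values contain '=' too
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def lint(cfg: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing to fix."""
    findings: List[str] = []
    if cfg.get("LDAPBindType") == "2":
        findings.append("LDAPBindType=2: SSL without a certificate, the LDAP "
                        "server's identity is not verified and an on-path "
                        "attacker can impersonate it and collect passwords")
    version = cfg.get("SSLVersion")
    if version and version != "TLSv1.2":
        findings.append(f"SSLVersion={version}: deprecated protocol; use TLSv1.2")
    ports = {k: cfg[k] for k in ("LDAPPort", "LDAPBakPort") if cfg.get(k)}
    for key, port in ports.items():
        if port not in SECURE_PORTS | COMMON_PORTS:
            findings.append(f"{key}={port}: not a documented LDAP port")
    if len(ports) == 2 and len({p in SECURE_PORTS for p in ports.values()}) == 2:
        findings.append("LDAPPort and LDAPBakPort mix a secure and a common "
                        "port; the connection type applies to both servers")
    if cfg.get("LDAPBindType") == "2" and any(p in COMMON_PORTS for p in ports.values()):
        findings.append("SSL bind type with a plain LDAP port; use the SSL port")
    for key in ("StoreSecret", "KeySecret", "LDAPBindSecret"):
        if cfg.get(key) in PLACEHOLDER_SECRETS:
            findings.append(f"{key}: still set to the documentation placeholder value")
    return findings


def cert_mode_findings(mode: int, path: str) -> List[str]:
    """Compare a file's st_mode with the required permission 600."""
    perm = stat.S_IMODE(mode)
    if perm != 0o600:
        return [f"{path}: permission {perm:o}, expected 600 (owner ossuser)"]
    return []


def check_cert_file(path: str) -> List[str]:
    """Check that a file named in CertFile/CACertFile exists with mode 600."""
    try:
        return cert_mode_findings(os.stat(path).st_mode, path)
    except FileNotFoundError:
        return [f"{path}: certificate file not found"]


# Constructed before/after configurations.
WEAK_CFG = """
LDAPServerIP=10.134.151.140
LDAPPort=636
LDAPBakServerIP=10.134.151.141
LDAPBakPort=389
LDAPBindType=2
SSLVersion=SSLv3
StoreSecret=Changeme_123
KeySecret=Changeme_123
LDAPBindDN=CN=manager,DC=huawei,DC=com
LDAPBindSecret=secret
"""

# Same deployment after the fix: a certificate-validating Secure connection
# type chosen in the GUI (which writes an LDAPBindType other than 2; the page
# documents only value 2), the CA certificate deployed, TLSv1.2, real secrets.
HARDENED_CFG = """
LDAPServerIP=10.134.151.140
LDAPPort=636
LDAPBakServerIP=10.134.151.141
LDAPBakPort=636
SSLVersion=TLSv1.2
CACertFile=rootCA.cer
StoreSecret=Q7v!xR2m#pL9sW4e
KeySecret=Q7v!xR2m#pL9sW4e
LDAPBindDN=CN=manager,DC=huawei,DC=com
LDAPBindSecret=n3Wk$8rT@vB1zH6y
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(label, lint(parse_cfg(text)) or ["ok"])
    print(check_cert_file("/opt/eSight/AppBase/etc/certificate/rootCA.cer"))
```

Run it after every manual edit of ldapAuth.cfg and before restarting eSight; the certificate check takes the path from <eSight installation directory>/AppBase/etc/certificate.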

Logging In to eSight Again

Use the user name and password on the LDAP server to log in to eSight again. If the login is successful and the user permission is correct, the configuration is correct. If the login fails or the user permission is incorrect, check the configuration.

NOTE:

After the active and standby authentication servers are configured, it takes about 60 seconds for logging in to eSight as a remote user when the active authentication server fails to be connected but the standby authentication server is successfully connected.

OpenLDAP

Obtaining Information About the LDAP Server

  1. Log in to the LDAP server as the root user.
  2. Open the /etc/openldap/slapd.conf file.

  3. Obtain the rootdn, rootpw, and suffix parameters from the slapd.conf file.

    NOTE:

    The suffix parameter corresponds to Basic DN (for example, dc=huawei,dc=com) on the eSight page to be configured. rootpw is often stored as a hash (for example a {SSHA} value); JXplorer and eSight need the clear-text password from which the hash was generated. On OpenLDAP installations that use the cn=config database (the slapd.d directory) instead of slapd.conf, the same values are olcRootDN, olcRootPW and olcSuffix. The rootdn account has unrestricted access to the directory; for the eSight Administrator DN, prefer a dedicated account with read access to the user subtree only.

(Optional) Using the JXplorer to Configure the eSight Page

Use JXplorer to read, from the LDAP server, the user attributes that you will enter in Configuring Interconnection Parameters on eSight.

  1. Configure the login page, where User DN and Password need to be set to the values of rootdn and rootpw in the slapd.conf file respectively.

  2. Upon successful login, view user parameter settings. The following figure shows the parameter settings of the usertest user.

  3. Table 3-10 lists the mapping between the JXplorer parameters and parameters on the eSight page.

    Table 3-10 Mapping between JXplorer parameters and parameters on the eSight page (JXplorer parameter -> parameter on the eSight page)

      Host -> Domain name/IP address of the authentication server (JXplorer accepts only an IP address)
      Port -> Authentication server port
      Base DN -> Basic DN
      User DN -> Administrator DN
      Password -> Administrator password
      ObjectClass -> User object class name
      cn -> User name
      userPassword -> Password
      groupName -> Group name

    NOTE:

    The uid and sn attributes also carry the user name and must be set to the same value as cn.

Deploying SSL Certificates (Mandatory Only for the Security Connection Scenario)

  • Scenario 1: Certificates Have Been Configured for OpenLDAP
    1. Obtain the certificate directory.

      Go to the OpenLDAP configuration file directory, that is, <Installation directory>/openldap/etc/openldap/.

      Open the slapd.conf configuration file.

      The following figure shows an example of the certificate directories.

    2. Export a .p12 certificate.

      For example, run the openssl command to combine the server.crt and server.key certificate files in the directory into an identity certificate server.p12.

      # openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12

    3. Import the certificates.

      Save the identity certificate server.p12 and CA certificate ca.crt in the <Installation directory>/eSight/AppBase/etc/certificate on the eSight server.

  • Scenario 2: Certificates Need to Be Generated by Running the openssl Command for OpenLDAP
    1. Log in to the LDAP server as the root user.
    2. Create a working directory (any name and location) and go to it.

      # mkdir /var/certs

      # cd /var/certs

    3. Generate a CA certificate.
      1. Generate a CA private key.

        # openssl genrsa -out ca.key 2048

      2. Use the CA private key to generate a self-signed CA certificate.

        # openssl req -new -x509 -days 36500 -key ca.key -out ca.crt

        Enter the certificate information as prompted. 36500 days (100 years) is the example's validity; choose one that fits your rotation policy, and protect ca.key, because anyone holding it can issue certificates that eSight will trust.

    4. Create the directories and files that openssl ca expects (the default openssl.cnf uses ./demoCA relative to the current directory), then return to the working directory.

      # mkdir demoCA

      # cd demoCA/

      # mkdir newcerts

      # touch index.txt

      # echo '01' > serial

      # cd ..

    5. Generate a server certificate signed by the CA.
      1. Generate a server private key.

        # openssl genrsa -out server.key 2048

      2. Use the server private key to generate a certificate signing request.

        # openssl req -new -key server.key -out server.csr

        Enter the request information as prompted. Set the Common Name to the host name or IP address that eSight uses to reach the LDAP server (the value of Server domain name/IP address). With the default openssl policy, the country, state and organization in the request must match those in the CA certificate.

      3. Use the request to issue the server certificate through the CA.

        # openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key

        Run this from the working directory that contains demoCA/, or pass -config with an openssl.cnf whose dir setting points there.

      4. Export a .p12 certificate.

        # openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12

        The export password entered here is the value for Library protection password and Private key password on eSight.

    6. Configure certificates.

      Go to the OpenLDAP configuration file directory, that is, <Installation directory>/openldap/etc/openldap/.

      In the slapd.conf configuration file, point the certificate directives to the directory where the certificates were created, or move the certificates to the directories named in the configuration file. The following figure shows an example of the certificate directories in the configuration file.

    7. Import the certificates.

      Save ca.crt and server.p12 to the <Installation directory>/eSight/AppBase/etc/certificate directory on the eSight server. Note that server.p12 contains the LDAP server's private key, so copying it to eSight puts that key on two systems. The preferable alternative is to use the CA to issue a separate client certificate and identity for eSight, deploy that .p12 instead, and keep server.key only on the LDAP server.

Configuring Interconnection Parameters on eSight

  • LDAP Common Authentication Mode
    1. Choose System > System Settings > System Interconnection > Authentication Server Configuration.
    2. Select Authentication to LDAP.
    3. Set LDAP authentication parameters in terms of the basic settings, connection, and authentication.
      NOTE:

      The authentication server address can be a domain name or an IP address. The IP address is used as an example here. For details about the domain name example, see (Optional) Configuring....

    4. Click Test to verify the connection between eSight and the authentication server.
      • If the connection fails, check that the authentication server IP address/domain name, port number, and basic DN match the values configured on the LDAP authentication server.
      • If the connection is successful, the context can be initialized based on the IP address/domain name, port number, and basic DN.
    5. Click Apply.

      LDAP-based remote authentication is enabled immediately.

  • LDAP SSL Authentication Mode
    1. If the SSL authentication mode is selected, modify connection parameters based on parameter settings for the common authentication mode.

    2. Click Test to verify the connection between eSight and the authentication server.
      • If the connection fails, check that the authentication server IP address/domain name, port number, and basic DN match the values configured on the LDAP authentication server.
      • If the connection is successful, the context can be initialized based on the IP address/domain name, port number, and basic DN.
    3. Click Apply.

      LDAP-based remote authentication is enabled immediately.

  • (Optional) Domain Name Authentication Configuration

    If the authentication server is identified by a domain name rather than an IP address, enter the address in domain name format and adjust the related configuration accordingly. The common authentication mode is used as an example.

  • (Optional) Standby Authentication Server Configuration

  • (Optional) Administrator Login Configuration

    By default, eSight authenticates with the credentials of the user who is logging in. Alternatively, eSight can log in as an administrator, query the user's DN, and then authenticate with that DN. If DN integrity during administrative login and query is selected, you must also configure the DN and password of the administrator.

Logging In to eSight Again

Use the user name and password on the LDAP server to log in to eSight again. If the login is successful and the user permission is correct, the configuration is correct. If the login fails or the user permission is incorrect, check the configuration.

NOTE:

After active and standby authentication servers are configured, logging in to eSight as a remote user takes about 60 seconds when the connection to the active authentication server fails and the connection to the standby authentication server succeeds.

OracleLDAP

Creating a Remote User

  1. Log in to the LDAP server as the root user.
  2. Edit the configuration information about the user password policy.

    1. Run the following commands to edit the password policy as the ssouser user.
      NOTE:

      The following operations disable the default Oracle password policy. When you later set a new password for a user, ensure that it meets eSight's password complexity requirements, which protect the user account:

      • The password cannot contain the user name in normal or reverse order.
      • The password ranges from 8 to 32 characters.
      • No character can exceed 3 occurrences in the password.
      • The password must contain at least one uppercase letter, one lowercase letter, and one digit.
      • The password must be different from the previous 3 passwords.

      # su - ssouser

      > cd /opt/sso/dsee7/bin

      > ./dsconf set-server-prop -p 31046 pwd-strong-check-enabled:off

      Press Enter.

      Certificate "CN=SZX1000048543, CN=31047, CN=Directory Server, O=Sun Microsystems" presented by the server is not trusted.
      Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: y

      Enter y and press Enter.

      Enter "cn=Directory Manager" password:

      Enter the password of the SSO administrator and press Enter.

      Directory Server must be restarted for changes to take effect.
    2. Run the following command to restart the directory server instance:

      > ./dsadm restart /opt/sso/dsee7/ssoinstance

  3. Create a remote user.

    Use the jxplorer-3.2.1 tool. See the Prerequisites.
    1. Open the jxplorer-3.2.1 tool and set parameters for connecting to the LDAP server.

    2. Choose com > sso in the navigation tree, right-click users, and choose Create from the shortcut menu.
    3. Set the parameters such as the user name, user category, group name, and user password. Then, click Submit.

(Optional) Using the JXplorer to Configure an eSight Page

Table 3-11 lists the mapping between the JXplorer parameters and parameters on the eSight page for the loginUser1 user.

Table 3-11 Mapping between JXplorer parameters and parameters on the eSight page

JXplorer Parameter   Parameter on the eSight Page
-------------------  ------------------------------------------------------------------------------------------------------
Host                 Domain name/IP address of the authentication server. (Only the IP address can be entered on the JXplorer.)
Port                 Authentication server port
Base DN              Basic DN
User DN              Administrator DN
Password             Administrator password
ObjectClass          User object class name
cn                   User name
userPassword         Password
groupName            Group name

Deploying the SSL Certificate (Mandatory Only for the Security Connection Scenario)

  1. Log in to the LDAP server as the root user.
  2. Enter the bin directory under the directory in which the directory server software is installed.

    # cd /opt/sso/dsee7/bin

  3. Run the following command to find the name of the certificate of the LDAP server:

    # ./dsadm list-certs /opt/sso/dsee7/ssoinstance/

    Alias        Valid from        Expires on        Self-signed?  Issued by                                                         Issued to
    -----------  ----------------  ----------------  ------------  ----------------------------------------------------------------  --------------
    defaultCert  2016/03/02 10:45  2018/03/02 10:45  y             CN=SZX1000068784,CN=31047,CN=Directory Server,O=Sun Microsystems  Same as issuer
    1 certificate(s) found

  4. Run the following commands to export the certificate key file and set a password:

    # ./dsadm export-cert -o /tmp/fengph_ldap.pfx /opt/sso/dsee7/ssoinstance defaultCert

    Choose the PKCS#12 file password:
    Confirm the PKCS#12 file password:
    NOTE:

    Remember the password set here, because it will be used when you perform the steps in section Configuring Interconnection Parameters on eSight.

  5. Encrypt and export the LDAP server certificate using the keytool tool of the JRE.

    # cd /opt/sso/OSSJRE/jre_linux/bin

    # ./keytool -export -keystore /tmp/fengph_ldap.pfx -alias defaultCert -file ldap.cer -storetype PKCS12 -rfc

    Enter keystore password:  
    Certificate stored in file <ldap.cer>
    NOTE:

    Remember the password set here, because it will be used when you perform the steps in section Configuring Interconnection Parameters on eSight.

  6. Import the certificate.

    • Find the ldap.cer file under the bin directory of the JRE, copy it to the <Installation directory>/AppBase/etc/certificate directory on the eSight server, and run the following commands to set its permissions and owner:

      # chmod 700 ldap.cer

      # chown ossuser:ossgroup ldap.cer

    • Find the fengph_ldap.pfx file (certificate key file) under the /tmp directory provided in step 4, and import the file to the <Installation directory>/AppBase/etc/certificate directory on the eSight server.
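The certificate export and import steps above (steps 4 to 6), as an added example that is not part of the Huawei guide: it extracts the server certificate from an exported PKCS#12 file in PEM form, which is what the keytool -export -rfc step produces as ldap.cer, using openssl in place of the JRE keytool, and then checks the result before it is copied to the eSight certificate directory. The DSEE export itself cannot be reproduced here, so a constructed self-signed certificate stands in for the exported file; the file names and the password changeit are placeholders.

```shell
#!/bin/sh
# Added example, not from the eSight guide: extracts the server certificate
# from an exported PKCS#12 file in PEM form (what the keytool -export -rfc
# step produces as ldap.cer), using openssl instead of the JRE keytool, and
# checks the result before it is copied to the eSight certificate directory.
# File names and the password are placeholders.
set -eu

# Constructed stand-in for the DSEE export (/tmp/fengph_ldap.pfx in the guide):
# a throwaway self-signed certificate stored under the alias defaultCert.
make_sample_pfx() {
  pfx="$1"; pass="$2"
  printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$pfx.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$pfx.cnf" \
    -subj "/CN=ldap.example.invalid" -keyout "$pfx.key" -out "$pfx.crt" 2>/dev/null
  openssl pkcs12 -export -name defaultCert -in "$pfx.crt" -inkey "$pfx.key" \
    -out "$pfx" -passout "pass:$pass"
}

# Equivalent of 'keytool -export -rfc': write the certificate only, PEM encoded,
# never the private key, and apply the permissions the guide sets on eSight.
export_pem_cert() {
  pfx="$1"; pass="$2"; out="$3"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$out" 2>/dev/null
  chmod 700 "$out"
}

# Returns 0 only if the PEM file holds exactly the certificate that is in the
# PKCS#12 file (same SHA-256 fingerprint), contains no private key, and the
# certificate has not expired. A wrong PKCS#12 password also returns 1.
check_pem_cert() {
  pfx="$1"; pass="$2"; pem="$3"
  pfx_fp=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
             | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
  [ -n "$pfx_fp" ] || return 1
  pem_fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 2>/dev/null) || return 1
  [ "$pem_fp" = "$pfx_fp" ] || return 1
  ! grep -q 'PRIVATE KEY' "$pem" || return 1
  openssl x509 -in "$pem" -noout -checkend 0 >/dev/null
}

# Stand-alone run in a scratch directory.
main() {
  d=$(mktemp -d)
  make_sample_pfx "$d/ldap.pfx" changeit
  export_pem_cert "$d/ldap.pfx" changeit "$d/ldap.cer"
  check_pem_cert "$d/ldap.pfx" changeit "$d/ldap.cer"
  echo "ldap.cer matches the PKCS#12 certificate: $d/ldap.cer"
}
main
```

With a real export, call export_pem_cert and check_pem_cert on /tmp/fengph_ldap.pfx with the password chosen in step 4; the fingerprint comparison confirms that the ldap.cer placed in the eSight certificate directory is the certificate the directory server presents, and the PRIVATE KEY check confirms that only the public certificate, not the key, leaves the PKCS#12 file.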

Configuring Interconnection Parameters on eSight

  • LDAP Common Authentication Mode
    1. Choose System > System Settings > System Interconnection > Authentication Server Configuration.
    2. Select Authentication to LDAP.
    3. Set LDAP authentication parameters in terms of the basic settings, connection, and authentication.
      NOTE:

      The authentication server address can be a domain name or an IP address. The IP address is used as an example here. For details about the domain name example, see (Optional) Configuring....

    4. Click Test to verify the connection between eSight and the authentication server.
      • If the connection fails, check that the authentication server IP address/domain name, port number, and basic DN match the values configured on the LDAP authentication server.
      • If the connection is successful, the context can be initialized based on the IP address/domain name, port number, and basic DN.
    5. Click Apply.

      LDAP-based remote authentication is enabled immediately.

  • LDAP SSL Authentication Mode
    1. If the SSL authentication mode is selected, modify connection parameters based on parameter settings for the common authentication mode.

    2. Click Test to verify the connection between eSight and the authentication server.
      • If the connection fails, check that the authentication server IP address/domain name, port number, and basic DN match the values configured on the LDAP authentication server.
      • If the connection is successful, the context can be initialized based on the IP address/domain name, port number, and basic DN.
    3. Click Apply.

      LDAP-based remote authentication is enabled immediately.

  • (Optional) Domain Name Authentication Configuration

    If the authentication server is identified by a domain name rather than an IP address, enter the address in domain name format and adjust the related configuration accordingly. The common authentication mode is used as an example.

  • (Optional) Standby Authentication Server Configuration

  • (Optional) Administrator Login Configuration

    By default, eSight authenticates with the credentials of the user who is logging in. Alternatively, eSight can log in as an administrator, query the user's DN, and then authenticate with that DN. If DN integrity during administrative login and query is selected, you must also configure the DN and password of the administrator.

Logging In to eSight Again

Use the user name and password on the LDAP server to log in to eSight again. If the login is successful and the user permission is correct, the configuration is correct. If the login fails or the user permission is incorrect, check the configuration.

NOTE:

After active and standby authentication servers are configured, logging in to eSight as a remote user takes about 60 seconds when the connection to the active authentication server fails and the connection to the standby authentication server succeeds.

Updated: 2019-09-12

Document ID: EDOC1100044378