No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

eSight V300R010C00SPC200, 300, and 500 Self-Service Integration Guide 10

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
eSight as an SSO Server

eSight as an SSO Server

As a web-based and lightweight network management platform, eSight provides the SSO component in the delivery by default. The SSO Server uses the eSight security module as the authentication center by default. Any independent web application system based on Java can serve as an SSO Client to form a trust system with eSight, implementing the SSO function.

Configuring Other Application System SSO Clients

  1. Add the JAR packages required for SSO integration to the SSO Client application system.

    Add the following JAR packages to the WEB-INF\lib directory of the SSO Client:

  2. SSO Client JAR packages adapted to the eSight SSO Server, including com.huawei.oms.sso.client-x.x.x.x.jar and com.huawei.oms.sso.common-x.x.x.x.jar, which can be obtained from eSight installation directory\AppBase\app\sso.app\repository\ui\sso\WEB-INF\lib.
  3. Third-party packages which the SSO Client JAR packages depend on, including com.springsource.org.apache.commons.lang-2.x.x.jar, com.springsource.org.jdom-1.x.x.jar, and commons-logging-1.x.jar. If the packages are contained in the SSO Client application system, you can use them directly. Otherwise, download the packages from eSight installation directory\AppBase\3rdparty\lib.
  4. Add a web filter and session listener to the SSO Client application system.

    Add the following information to the /WEB-INF/web.xml file of the SSO Client application system:

    It is recommended that you configure the filter of the SSO Client in front of other filters in the web.xml.

    <filter> 
    <filter-name>SingleSignOnFilter</filter-name> 
    <filter-class>com.huawei.sso.client.filter.SingleSignOnFilterChainProxy</filter-class> 
    </filter> 
    <filter-mapping> 
    <filter-name>SingleSignOnFilter</filter-name> 
    <url-pattern>/*</url-pattern> 
    </filter-mapping> 
    <listener> 
    <listener-class>com.huawei.sso.client.session.SingleSignOutHttpSessionListener</listener-class> 
    </listener>

  5. Add the ssoconfig.xml configuration file used to connect the SSO Client application system to the SSO Server.

    Create the ssoconfig.xml file in the following format and store the file in /WEB-INF/classes of the SSO Client application system:

    <?xml version="1.0" encoding="UTF-8"?> 
    <ssoconfig> 
    <!--System ID of the current SSO Client (It determines the login page redirected to and must be set the same as the system ID in the ssoconfig.xml file on the SSO Server. If this parameter is not set, the default page is displayed.-->)
    <!-- 
    <sso.client.systemId>1003</sso.client.systemId> 
    --> 
    <!--Whether the SSO Client enables the SSO function-->
    <sso.client.isActive>true</sso.client.isActive> 
    <!--SSO filter list-->
    <sso.client.filters> 
    com.huawei.sso.client.filter.SingleSignOutFilter, 
    com.huawei.sso.client.filter.AuthenticationFilter, 
    com.huawei.sso.client.filter.Cas20ProxyReceivingTicketValidationFilter 
    </sso.client.filters> 
    <!--URLs that do not need to be filtered (Add a slash "/", indicating relative paths.) -->
    <sso.client.actionExcludes> 
    /bsf/login.do,/bsf/login.action,/index.action,/index.do,/index.jsp, /validate.jsp,/self.jsp,/test.jsp 
    </sso.client.actionExcludes> 
    <!--SSO Server private URL-->
    <sso.ssoserver.url>https://10.67.180.236:31942/sso</sso.ssoserver.url> 
    <!--SSO Server private URL (for intranet access between servers)-->
    <sso.ssoserver.privateUrl>http://10.67.180.236:8087/sso</sso.ssoserver.privateUrl> 
    <!-- SSO Client host name (IP address+port number or domain name, for example, www.ssoserver.com)-->
    <sso.ssoserver.serverName>10.137.62.57:38080</sso.ssoserver.serverName> 
    <!--IP address of the SSO Client with multiple network adapters when the SSO Server has the firewall deployed (If this value is not set, the operating system automatically allocates an IP address to the SSO Client.)-->
    <sso.client.bindIp>10.137.62.57</sso.client.bindIp> 
    <!--Implementation class of com.huawei.sso.client.session.SessionInitService-->
    <sso.client.sessionInitServiceImpl>com.huawei.test.SessionInitServiceImpl</sso.client.sessionInitServiceImpl> 
    </ssoconfig>

    The following table lists the configuration items to be modified:

    In the following table, the IP address of the eSight SSO Server is 10.67.180.236, and that of the SSO Client is 10.137.62.57. The IP addresses are used as an example.

    Configuration

    Description

    Example

    sso.ssoserver.url

    URL of the eSight SSO Server

    https://10.67.180.236:31942/sso

    sso.ssoserver.privateUrl

    Private URL of the eSight SSO Server (for intranet access between servers. If no intranet URL exists, the private URL should be the same as the sso.ssoserver.ur configuration item.)

    https://10.67.180.236:31943/sso

    sso.ssoserver.serverName

    IP address+port number of the SSO Client application system

    10.137.62.57:18188

    sso.client.bindIp

    IP address of the SSO Client with multiple network adapters when the SSO Server has the firewall deployed (If this value is not set, the operating system automatically allocates an IP address to the SSO Client.)

    10.137.62.57

    sso.client.sessionInitServiceImpl

    Implementation class of the com.huawei.sso.client.session.SessionInitService interface. This interface is invoked when the eSight SSO Server completes authentication and redirects the request to the current system. You can obtain information about the user and role using parameters of this interface.

    com.huawei.test.SessionInitServiceImpl

  6. Develop the interface implementation class to initialize the session information about the SSO Client application system or perform other operations.

    1. Implement the initUserSession method of the com.huawei.sso.client.session.SessionInitService interface to initialize the session information about the SSO Client application system or perform other operations.

      This interface is invoked when the eSight SSO Server completes authentication and redirects the request to the current system. You can obtain information about the user and role using parameters of this interface.

      The following figure shows the process for invoking the SessionInitService interface.

      The sample code is as follows:

      import java.util.ArrayList;
      import java.util.List;
      import java.util.Map;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;
      import javax.servlet.http.HttpSession;
      import com.huawei.sso.client.session.SessionInitService;
      import com.huawei.sso.client.validation.Assertion;
      import com.huawei.sso.common.exception.UnauthorizedServiceException;
      
      /**
      * Class for client session initialization
       */
      public class SeesionInitServiceImpl extends SessionInitService
      {
      
          /**
      * Session initialization interface invoked when the user is redirected from another system to this SSO Client for the first time
           * Invoking time: when the SSO Server completes authentication and redirects the request to the current system.
           *
      * @param request HTTP request
           * @param response HTTP request
      * @param userName user name
           */
          @Override
          public void initUserSession(final HttpServletRequest request, final HttpServletResponse response,
              final String userName)
                  throws UnauthorizedServiceException
          {
              final HttpSession session = request.getSession(false);
      //Example which shows how to set the user name in the session
              session.setAttribute("logInUser", userName);
      //Example which shows how to obtain the role information and set the user name in the session
              final List<String> roles = getRoles(request);
              session.setAttribute("logInRole", roles);
          }
      
          private List<String> getRoles(final HttpServletRequest request)
          {
              final HttpSession session = request.getSession(false);
      
              if (session == null)
              {
                  return null;
              }
      //Obtain the assertion generated by the SSO Server.
              final Assertion assertion = (Assertion)session.getAttribute("_const_sso_assertion_");
              if (assertion == null)
              {
                  return null;
              }
              @SuppressWarnings("unchecked")
              final Map<String, Object> attributes = assertion.getPrincipal().getAttributes();
              if (attributes == null)
              {
                  return null;
              }
      
              final Object roleStrObject = attributes.get("roleNames");
              if (roleStrObject == null)
              {
                  return null;
              }
      //Role character string in the format of [role1, role2]
              String roleStr = roleStrObject.toString();
              if ((null == roleStr) || roleStr.isEmpty())
              {
                  return null;
              }
      //If the role is empty, null will be returned.
              final String nullstr = "[]";
              if (nullstr.equals(roleStr))
              {
                  return null;
              }
      //Obtain the information within the brackets ([]) in the role character string.
              if (roleStr.length() > nullstr.length())
              {
                  roleStr = roleStr.substring(1, roleStr.length() - 1);
              }
              final String[] roleArray = roleStr.split(", ");
              final List<String> roleList = new ArrayList<String>(roleArray.length);
              for (final String eachRole : roleArray)
              {
                  if ((null == eachRole) || eachRole.isEmpty())
                  {
                      continue;
                  }
                  roleList.add(eachRole.trim());
              }
              return roleList;
          }
      
      }
    2. Configure the complete path of the implementation class of the SessionInitService interface to the sso.client.sessionInitServiceImpl configuration item in the ssoconfig.xml file as described in step 3.
      <sso.client.sessionInitServiceImpl>com.huawei.test.SessionInitServiceImpl</sso.client.sessionInitServiceImpl> 

  7. Configure the SSL certificate.

    The eSight SSO Server adopts the HTTPS protocol. The SSL certificate of the eSight SSO Server should be trusted by the SSO Client by default.

    eSight provides only a temporary certificate in eSight installation directory\AppBase\etc\certificate\application\process\process.crt. Enterprise users need to use their own certificates.

    Import the certificate in either of the following ways (just for your reference):

    1. Run the JRE keytool command to import the certificate of the eSight SSO Server to the JRE trust certificate store of the SSO Client application system. The process is described as follows:
      1. Copy the eSight certificate to a directory on the SSO Client application system server, for example, D:\process.crt (/opt/process.crt for Linux).
      2. Run the JRE keytool command to import the certificate.

        For Windows, run the following command in the cmd window. D:\Java\jdk1.7.0_17\jre\lib\security\cacerts indicates the JRE path where the SSO Client application system operates. Mark the complete path with double quotation marks ("").

        keytool -import -keystore "D:\Java\jdk1.7.0_17\jre\lib\security\cacerts"  -file "D:\process.crt" -alias eSightserver

        Run the bash command in Linux. /java/jdk1.7.0_17/jre/lib/security/cacerts indicates the JRE path where the SSO Client application system operates. Mark the complete path with double quotation marks ("").

        keytool -import -keystore "/java/jdk1.7.0_17/jre/lib/security/cacerts" -file "/opt/process.crt" -alias eSightserver
    2. Implement the ConnectionSSLSokcetFactory interface of the SSO Client JAR packages to load the SSO Server certificate to the custom SSLSocket.
      1. Implement the ConnectionSSLSokcetFactory interface. The example is as follows:
        import java.io.File;
        import java.io.FileInputStream;
        import java.io.IOException;
        import java.security.GeneralSecurityException;
        import java.security.KeyManagementException;
        import java.security.KeyStore;
        import java.security.NoSuchAlgorithmException;
        import java.security.SecureRandom;
        import java.security.cert.Certificate;
        import java.security.cert.CertificateFactory;
        import java.util.ArrayList;
        import java.util.Iterator;
        import java.util.List;
        import javax.net.ssl.SSLContext;
        import javax.net.ssl.SSLSocketFactory;
        import javax.net.ssl.TrustManager;
        import javax.net.ssl.TrustManagerFactory;
        import com.huawei.sso.client.util.ConnectionSSLSokcetFactory;
        
        public class SsoClientSSLSocketFactory implements ConnectionSSLSokcetFactory
        {
        
            /**
             * {@inheritDoc}
             */
            @Override
            public SSLSocketFactory fetchSSLSocketFactory()
            {
                SSLContext sc;
                try
                {
                    sc = SSLContext.getInstance("SSL");
        //process.crt indicates the certificate path.
                    sc.init(null, getTrustManagersFromCrt("process.crt"), new SecureRandom());
                    return sc.getSocketFactory();
                }
                catch (final KeyManagementException e)
                {
                }
                catch (final NoSuchAlgorithmException e)
                {
                }
                catch (final IOException e)
                {
                }
                catch (final GeneralSecurityException e)
                {
                }
                return null;
            }
        
            /**
             * Obtain the trust certificate management class.
             *
             * @param crtPath path certificate
             * @return TrustManager[]
             * @throws IOException
             * @throws GeneralSecurityException
             */
            public TrustManager[] getTrustManagersFromCrt(final String crtPath)
                throws IOException, GeneralSecurityException
            {
        
                final File trustFile = new File(crtPath);
                if (!trustFile.exists() || !trustFile.isFile())
                {
                    return null;
                }
                final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
                final List<Certificate> certificates = new ArrayList<Certificate>();
                FileInputStream trustFileInputStream = null;
                try
                {
                    trustFileInputStream = new FileInputStream(trustFile);
                    certificates.addAll(certificateFactory.generateCertificates(trustFileInputStream));
                }
                finally
                {
                    if (null != trustFileInputStream)
                    {
                        try
                        {
                            trustFileInputStream.close();
                        }
                        catch (final IOException e)
                        {
                            System.out.println("Failed to close the trust file.");
                        }
                    }
                }
                final KeyStore keyStore = KeyStore.getInstance("JKS");
                keyStore.load(null, null);
                int i = 0;
                for (final Iterator<Certificate> cerIterator = certificates.iterator(); cerIterator.hasNext(); i++)
                {
                    keyStore.setCertificateEntry("TrustCertAlias_" + i, cerIterator.next());
                }
                final TrustManagerFactory trustFactory =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                trustFactory.init(keyStore);
                final TrustManager[] trustManagers = trustFactory.getTrustManagers();
                return trustManagers;
            }
        
        }
      2. Add the ssoclient.properties configuration file to the WEB-INF\classes\ directory of the SSO Client application system. The configuration key is SSLSocketFactory.provider, and the value is the complete path of the ConnectionSSLSokcetFactory interface implementation class.
        SSLSocketFactory.provider=com.huawei.test.SsoClientSSLSocketFactory

Configuring the eSight SSO Server

  1. Configure the SSO Client whitelist on the eSight SSO Server.

    Path of the configuration file: eSight installation directory\AppBase\etc\oms.sso\sso.xml

    Configuration item: <param name="client-trusted-ip"></param>

    Only the IP addresses and domain names configured here can be used to log in to the SSO Client. Separate multiple IP addresses or domain names with a comma (,).

    Example:

    <param name="client-trusted-ip">10.137.63.1,10.137.63.2,10.137.63.3</param>

  2. Restart the eSight service.
Translation
Download
Updated: 2019-10-30

Document ID: EDOC1100044386

Views: 17637

Downloads: 87

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Share
Previous Next