eSight V300R010C00SPC200, 300, and 500 Self-Service Integration Guide 11

eSight as a CAS SSO Client

By default, eSight integrates version 3.3.3 of the CAS SSO client toolkit and a configuration template for the web service filter. However, eSight is not configured as a CAS SSO client by default. To configure eSight as a CAS SSO client, modify the configuration file of the web server and start the eSight server.

Start the eSight server as a CAS SSO client. You do not need to modify components installed on eSight, for example, Facilities Infrastructure Manager and Smart Reporter.

File Description

  • Client toolkit

eSight is preconfigured with the official CAS client toolkit cas-client-core-3.3.3.jar in eSight installation path\AppBase\app\sso.app\repository\ui\sso\WEB-INF\lib. The CAS client preconfigured in the system supports only version 3.x or later.

This toolkit is downloaded from the CAS official website http://developer.jasig.org/cas-clients/ and is not modified. If the version is different from the CAS SSO server version or the CAS SSO server has slightly modified the toolkit (constraint: the package path and public methods of the org.jasig.cas.client.validation.Assertion class cannot be changed), replace the toolkit with the official toolkit.

Replacement method: Shut down the eSight server, delete the existing cas-client-core-3.3.3.jar toolkit, and copy the adaptation package released by the SSO server to eSight installation path\AppBase\app\sso.app\repository\ui\sso\WEB-INF\lib. After the configuration file is modified correctly, start the eSight server.

  • Configuration template of the web service filter

The file is web.xml.cas.sso.template in eSight installation path\AppBase\app\sso.app\repository\ui\sso\WEB-INF\template. By default, this configuration file is not loaded by any program.

Configuring the eSight Server

  1. Close the eSight server.
  2. Modify the web.xml configuration file.

    File path: AppBase\app\sso.app\repository\ui\sso\WEB-INF

    1. Back up the web.xml file in the file path.
      • In Windows, copy the file to the "template" directory, right-click the file, and rename it web.xml.backup.
      • On the Linux operating system, run the following command:
        mv web.xml ./template/web.xml.backup
    2. Copy the template\web.xml.cas.sso.template file to the upper-layer directory and rename it web.xml.
      • On the Windows operating system, copy web.xml.cas.sso.template to the upper-layer WEB-INF and rename the file web.xml.
      • On the Linux operating system, run the following command in the template/ directory:
        cp web.xml.cas.sso.template ../web.xml
    3. Modify configuration items in the web.xml file.
      • On the Windows operating system, use the text editor to modify the web.xml file.
      • On the Linux operating system, use the vim editor. Press i to enter the edit mode, and move the cursor to modify configuration items. After the modification is complete, press Esc to return to the normal mode. Enter :wq to save the configuration and exit.
        vim web.xml
      Table 2-1 Configuration items in the web.xml file

      | filter-name (Filter Name) | param-name (Parameter Name) | param-value (Parameter Description) | Example | Mandatory |
      |---|---|---|---|---|
      | eSightlogout | logoutHandler | Indicates the handler class of the logout operation, which implements the com.huawei.eSight.solution.sso.cascade.SSOSignOutHandler interface. | Complete path: com.huawei.esight.solution.sso.cas.CasSSOLogoutHandler | Yes |
      | eSightlogout | logoutUrl | Logout URL of the CAS. NOTICE: If the CAS server uses HTTPS, set an HTTPS logout URL, for example, https://10.137.63.1:8443/cas/logout. | https://10.137.63.1:8443/cas/logout | Yes |
      | CASFilter | casServerLoginUrl | Indicates the URL of the CAS login page. | https://10.137.63.1:8443/cas/login | Yes |
      | CASFilter | serverName | Indicates the eSight server address. In most cases, the port number is 31942. | https://10.137.63.2:31942/ | Yes |
      | CAS Validation Filter | casServerUrlPrefix | Indicates the CAS server service address. | https://10.137.63.1:8443/cas/ | Yes |
      | CAS Validation Filter | serverName | Indicates the eSight server address. The port is 31942. | https://10.137.63.2:31942/ | Yes |
      | CAS Validation Filter | hostnameVerifier | Indicates the verifier. It must be configured when the CAS SSO server address is in IP format and uses HTTPS as the URL. | Default value: com.huawei.eSight.solution.sso.cas.CasHostNameVerifier. No modification is required. | No |
      | eSightinit | UserFetcherClassName | Indicates the interface for obtaining the user name and role that are authenticated by the upper-level NMS. This parameter is used to implement the com.huawei.eSight.solution.sso.cascade.UpSSOUserDefineInterface interface. NOTE: If a standard CAS system is to be integrated, you can extend the com.huawei.eSight.solution.sso.cas.AbstractCasSSOUserDefine class to obtain role functions, without the need to implement the getUserID method. | Complete path: com.huawei.eSight.solution.sso.cas.CasSsoUserDefineImpl | Yes |

      • The JAR package of the interface is com.huawei.esight.solution.sso.cascade-2.0-SNAPSHOT.jar in AppBase\app\sso.app\repository\ui\sso\WEB-INF\lib.
      • The com.huawei.eSight.solution.sso.cascade.SSOSignOutHandler interface defines the following methods:

        doBeforeLogin(Request req): indicates the operation before the login.

        doAfterLogin(Request req): indicates the operation after the login, for example, the CAS records the mapping between sessions and tickets.

        isLogoutRequest(Request req): determines whether the request is a logout request from the upper-level SSO.

        handleLogout(Request req): handles the logout of the upper-level SSO, for example, deleting sessions.

      • The com.huawei.eSight.solution.sso.cascade.UpSSOUserDefineInterface interface defines the following methods:

        getUserID(Request req): obtains the user name that is authenticated by the upper-level SSO, for example, from the sessions.

        getRoles(Request req): obtains the role transmitted from the upper-level SSO.

        doOtherOperation(Request req): indicates other operations after authentication by the upper-level SSO.

  3. If the CAS SSO server uses HTTPS, eSight needs to import the certificate of the CAS server.

    1. Copy the CAS server certificate, for example, casserver.crt, to the eSight server (directory example: /opt/casserver.crt).
    2. Go to eSight installation directory/AppBase/jre/bin.
      • In the Windows operating system, press Shift, right-click and choose Open command window here, and run the following command (use double quotation marks to mark the complete path of the certificate):
        keytool -import -keystore ..\lib\security\cacerts  -file "D:\casserver.crt" -alias casserver
      • In the Linux operating system, run the cd command to go to the "{Installation directory}/AppBase/jre/bin" directory and run the following command (use double quotation marks to mark the complete path of the certificate):
        ./keytool -import -keystore ../lib/security/cacerts  -file "/opt/casserver.crt" -alias casserver

      Press Enter, then enter the certificate password (changeme_123 by default). When prompted, enter y and press Enter to complete the import.

  4. Restart the eSight service.
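
A check for the web.xml edited in step 2, to run before the restart in step 4. This is an added example, not part of eSight or of the original guide. It assumes the file keeps the standard servlet layout (filter, filter-name, init-param, param-name, param-value); the class name CasWebXmlCheck and its messages are hypothetical.

```java
import java.io.File;
import java.net.URI;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
// Added example (hypothetical class): checks web.xml against the mandatory rows of Table 2-1.
// Assumes the standard servlet layout: <filter> with <filter-name> and <init-param> children.
public class CasWebXmlCheck {
    static final String[][] REQUIRED = {   // {filter-name, param-name}
        {"eSightlogout", "logoutHandler"}, {"eSightlogout", "logoutUrl"},
        {"CASFilter", "casServerLoginUrl"}, {"CASFilter", "serverName"},
        {"CAS Validation Filter", "casServerUrlPrefix"},
        {"CAS Validation Filter", "serverName"}, {"eSightinit", "UserFetcherClassName"}};

    static String text(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? "" : n.item(0).getTextContent().trim();
    }
    // Maps "filter-name/param-name" to param-value for every init-param of every filter.
    static Map<String, String> load(File webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Do not fetch an external DTD named in the file's DOCTYPE.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        NodeList filters = f.newDocumentBuilder().parse(webXml).getElementsByTagName("filter");
        Map<String, String> out = new HashMap<>();
        for (int i = 0; i < filters.getLength(); i++) {
            Element flt = (Element) filters.item(i);
            NodeList params = flt.getElementsByTagName("init-param");
            for (int j = 0; j < params.getLength(); j++) {
                Element p = (Element) params.item(j);
                out.put(text(flt, "filter-name") + "/" + text(p, "param-name"), text(p, "param-value"));
            }
        }
        return out;
    }
    public static void main(String[] args) throws Exception {
        Map<String, String> cfg = load(new File(args[0]));   // args[0]: path to web.xml
        Set<String> casOrigins = new TreeSet<>();
        for (String[] r : REQUIRED) {
            String key = r[0] + "/" + r[1], v = cfg.get(key);
            if (v == null || v.isEmpty()) { System.out.println("MISSING " + key); continue; }
            if (r[1].startsWith("casServer") || r[1].equals("logoutUrl")) {
                URI u = URI.create(v);   // the three CAS URLs are expected to share scheme, host and port
                casOrigins.add(u.getScheme() + "://" + u.getAuthority());
            }
        }
        if (casOrigins.size() > 1) System.out.println("CAS URLs disagree: " + casOrigins);
        if (!Objects.equals(cfg.get("CASFilter/serverName"), cfg.get("CAS Validation Filter/serverName")))
            System.out.println("serverName differs between CASFilter and CAS Validation Filter");
    }
}
```

No output means every mandatory parameter is present, the three CAS URLs share one scheme, host and port, and both serverName values agree.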

Configuring the CAS SSO Server

  1. Import the eSight certificate to the CAS SSO server.

    1. Copy the eSight server certificate to the CAS server, for example, D:\process.crt (/opt/process.crt in Linux).

      eSight provides only a temporary certificate in AppBase\etc\certificate\application\process\process.crt. Enterprise users need to use their own certificates.

    2. Run the JRE keytool command to import the certificate.

      For Windows, run the following command in the cmd window. D:\Java\jdk1.7.0_17\jre\lib\security\cacerts indicates the JRE path where the CAS Server system operates. Mark the complete path with double quotation marks ("").

      keytool -import -keystore "D:\Java\jdk1.7.0_17\jre\lib\security\cacerts"  -file "D:\process.crt" -alias eSightserver

      For Linux, run the following command in a bash shell. /java/jdk1.7.0_17/jre/lib/security/cacerts indicates the JRE path where the CAS Server operates. Mark the complete path with double quotation marks ("").

      keytool -import -keystore "/java/jdk1.7.0_17/jre/lib/security/cacerts" -file "/opt/process.crt" -alias eSightserver

  2. Verify the configuration on the CAS server. If the CAS server uses HTTP, cancel HTTPS authentication first. If the CAS server uses HTTPS, skip the following operations:

    1. Modify the \cas\WEB-INF\deployerConfigContext.xml file.

      Configure p:requireSecure="false" in the bean. This parameter indicates whether secure authentication is required; the value false indicates that secure authentication is not used. If this parameter has not been configured, add it as follows:

      <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"   p:httpClient-ref="httpClient"  p:requireSecure="false"/>
    2. In the \cas\WEB-INF\spring-configuration\ticketGrantingTicketCookieGenerator.xml file, set p:cookieSecure to false.
      <bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      p:cookieSecure="false"
      p:cookieMaxAge="-1"
      p:cookieName="CASTGC"
      p:cookiePath="/cas" />

  3. Verify that the logout configuration of the CAS SSO server supports the redirection to other pages.

    The file is \cas\WEB-INF\cas-servlet.xml. If the following option does not exist, add p:followServiceRedirects="true":

    <bean id="logoutController" class="org.jasig.cas.web.LogoutController"
    p:centralAuthenticationService-ref="centralAuthenticationService"
    p:logoutView="casLogoutView"
    p:warnCookieGenerator-ref="warnCookieGenerator"
    p:ticketGrantingTicketCookieGenerator-ref="ticketGrantingTicketCookieGenerator"
    p:followServiceRedirects="true"
    />

  4. Verify that the CAS server skips HTTPS domain name verification.

    Check whether org.jasig.cas.CentralAuthenticationServiceImpl skips HTTPS domain name verification. If not, the CAS SSO server cannot send logout requests to the eSight server because the eSight server supports HTTPS logout URLs. Modify the source code of the CAS server by adding the following static code block to the class file.

    // Requires imports: javax.net.ssl.HostnameVerifier, javax.net.ssl.HttpsURLConnection, javax.net.ssl.SSLSession
    static
    {
        // Initialize HttpsURLConnection and implement HTTPS domain name-free authentication.
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier()
        {
            @Override
            public boolean verify(String arg0, SSLSession arg1) {
                // Accepts every host name: no domain name check is performed.
                return true;
            }
        });
    }

    The compiled class is in \WEB-INF\lib\cas-server-core-3.4.6.jar.
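
A narrower alternative to the accept-all verifier in step 4, as an added example that is not part of the original guide or of CAS. It tolerates a domain name mismatch only for the eSight address and only when the server presents the expected certificate. The class name PinnedEsightVerifier and both constants are hypothetical placeholders to fill in.

```java
import java.security.MessageDigest;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

// Added example (hypothetical class): accepts a host name mismatch for one host
// and one pinned certificate only; every other mismatch is rejected.
public final class PinnedEsightVerifier implements HostnameVerifier {
    // Placeholders (assumptions): the eSight address exactly as it appears in the
    // logout URL, and the SHA-256 fingerprint of the eSight certificate as printed
    // by "keytool -printcert -file process.crt" (colons are accepted).
    private static final String ESIGHT_HOST = "ESIGHT_HOST_PLACEHOLDER";
    private static final String CERT_SHA256 = "CERT_SHA256_PLACEHOLDER";

    // Call this from the static block instead of installing the accept-all verifier.
    public static void install() {
        HttpsURLConnection.setDefaultHostnameVerifier(new PinnedEsightVerifier());
    }

    // HttpsURLConnection calls this when the URL's host name does not match
    // the identity in the server certificate.
    @Override
    public boolean verify(String hostname, SSLSession session) {
        if (!ESIGHT_HOST.equalsIgnoreCase(hostname)) {
            return false;                    // a mismatch for any other host stays fatal
        }
        try {
            byte[] leaf = session.getPeerCertificates()[0].getEncoded();
            byte[] seen = MessageDigest.getInstance("SHA-256").digest(leaf);
            return MessageDigest.isEqual(seen, fromHex(CERT_SHA256));
        } catch (Exception e) {              // unverified peer, unset placeholder, digest error
            return false;                    // fail closed
        }
    }

    static byte[] fromHex(String hex) {
        String h = hex.replace(":", "").trim();
        if (h.length() != 64) throw new IllegalArgumentException("expected 32 hex bytes");
        byte[] out = new byte[32];
        for (int i = 0; i < 32; i++) {
            out[i] = (byte) Integer.parseInt(h.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

With the placeholders left unset, verify returns false for every host, so a forgotten configuration fails closed.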

Updated: 2019-12-13

Document ID: EDOC1100044386
