(Optional) Logging In to the eSight Client Through Certificate Authentication
eSight supports two login authentication modes: user name and password authentication, and certificate authentication. To use certificate authentication, you need to enable it and import the client certificate, server certificate, and root certificate.
Prerequisites
- You have obtained the client certificate and password, server certificate and password, and root certificate. If the IP Address field of the backup user name is specified in the server certificate, the value of this field must be the same as the IP address of the eSight server.
- eSight has users whose names are configured in the CN field in the client certificate.
- The eSight service has been stopped. For details, see Stopping the eSight Service.
Procedure
- Import the CA certificate using a certificate tool on the eSight server.
- Log in to the server as the Administrator user.
- Double-click the eSight console icon on the desktop or choose .
- Stop eSight.
- Set the SSO authentication mode to certificate authentication.
- Go to the eSight installation directory/AppBase/etc/oms.sm/ext directory.
- Change the value of Model in authenticationModel in the configuration file esightsm.sm.ext.xml to 2 (indicating to use the SSO certificate authentication mode).
<config name="authenticationModel">
    <param name="model">2</param>
</config>
- In the eSight Console dialog box, choose .
- In the Certificate Tool dialog box, select Import CA Certificate and click Next.
- Set related parameters of the certificate and click Apply.
Parameters:
- Certificate: Certificate on the server.
- Certificate Password: Password of the certificate on the server.
- Issuer Public Key: Root certificate.
- Restart eSight. For details, see Starting the eSight Service.
- Import the client certificate in the browser.
The following uses Internet Explorer 11 as example.
- Open the browser and go to the certificate management page.
Click the gear icon and choose .
- On the Personal tab page, click Import.
- Import the client certificate, click Next, and enter the certificate password.
Use default values for other parameters.
- Click Close.
- Log in to the eSight client through the SSO certificate authentication mode.
In the address box of a browser, enter https://<eSight server IP address>:<eSight server port number>/ (for example, https://10.10.10.1:31943/), and press Enter.
- The default port number of eSight is 31943.
- The IPv6 address format is supported for login, for example, https://[fc10::10:10:10:20]:31943/.
- The eSight maintenance tool does not support the certificate authentication login mode.
- In the certificate authentication mode:
- After a user logs in to eSight, the logout button is unavailable.
- Only the admin user can view the CRL download management menu.
- After the admin user downloads the CRL file, the user whose certificate is revoked cannot log in to the eSight client. If the user has logged in to the eSight client before the certificate is revoked, the user can continue using the eSight functions normally. However, after the browser is restarted, the user cannot log in to the eSight client again.
Related Operations
- In the certificate authentication mode, you can set the URL and period for downloading the certificate revocation file, so that eSight periodically downloads the file and checks whether a certificate is valid against it.
Only the admin user can perform the operation. The CRL download management menu is invisible to other users.
- Choose System > Administration > User Management > CRL Download from the main menu.
- Set parameters based on Table 8-2.
Table 8-2 Parameter description
- Download address: URL for downloading the certificate revocation file. NOTE: The size of the certificate revocation file cannot be greater than 10 MB. Example: http://10.7.174.83:8888/VPN/SPO-E09.crl
- Download mode: Once (download the file once only) or Periodic (download the file periodically). Example: Cycle
- Download period: This parameter is available only when Download mode is set to Periodic. Unit: minutes. Options: 5, 10, 15, 30, 45, 60. Example: 5
- Click Start task.
- You can modify the configuration file to change the authentication mode to the user name and password authentication mode.
- Stop eSight.
- Enable the user name login function.
In the two-node cluster scenario, this operation must be performed on both the active and standby nodes.
- Log in to the eSight server.
- Go to the eSight installation directory/AppBase/etc/oms.sm/ext directory.
- Change the value of Model in authenticationModel in the configuration file esightsm.sm.ext.xml to 1 (indicating to use the common authentication mode).
<config name="authenticationModel">
    <param name="model">1</param>
</config>
- Start eSight.
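Both the switch to certificate authentication (model 2) and the switch back to user name and password authentication (model 1) edit the same authenticationModel parameter in esightsm.sm.ext.xml by hand. The following script is an added example, not a Huawei tool: it reads and switches that parameter so the change can be checked and rolled back. Only the config block is taken from the procedure; the <ext> root element and the MODEL_PATH locator are assumptions about the rest of the file.

```python
"""Read and switch the SSO authentication model in esightsm.sm.ext.xml."""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of the file: only the <config name="authenticationModel">
# block is taken from the procedure; the <ext> root element is an assumption.
SAMPLE_XML = """<ext>
  <config name="authenticationModel">
    <param name="model">1</param>
  </config>
</ext>
"""

# Values documented in the procedure: 1 = common (user name and password)
# authentication, 2 = SSO certificate authentication.
MODELS = {"password": "1", "certificate": "2"}
MODEL_PATH = "./config[@name='authenticationModel']/param[@name='model']"  # assumed layout


def read_model(xml_text: str) -> str:
    """Return the current model value ("1" or "2"), failing loudly if absent or unknown."""
    param = ET.fromstring(xml_text).find(MODEL_PATH)
    if param is None or not (param.text or "").strip():
        raise ValueError("authenticationModel/model parameter not found")
    value = param.text.strip()
    if value not in MODELS.values():
        raise ValueError(f"unexpected model value {value!r}")
    return value


def set_model(xml_text: str, mode: str) -> str:
    """Return the file contents with the model switched to 'password' or 'certificate'."""
    if mode not in MODELS:
        raise ValueError(f"mode must be one of {sorted(MODELS)}, got {mode!r}")
    root = ET.fromstring(xml_text)
    param = root.find(MODEL_PATH)
    if param is None:
        raise ValueError("authenticationModel/model parameter not found")
    param.text = MODELS[mode]
    # Note: ElementTree drops XML comments and the <?xml ...?> declaration,
    # so diff the result against the original before replacing the live file.
    return ET.tostring(root, encoding="unicode")


def switch_file(path: Path, mode: str) -> str:
    """Rewrite the file in place; return the previous model value so it can be restored."""
    original = path.read_text(encoding="utf-8")
    previous = read_model(original)
    path.write_text(set_model(original, mode), encoding="utf-8")
    return previous
```

Run it only while the eSight service is stopped, and on both nodes in a two-node cluster, as the procedure requires.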