
FusionInsight HD 6.5.0 Administrator Guide 02


Interconnecting with a Third-party CAS Server

Scenario

The Central Authentication Service (CAS) server provides the access authentication function to implement single sign-on (SSO).

Currently, FusionInsight Manager integrates the CAS software and can be used as an authentication server. To better interconnect with other products and implement the SSO function, FusionInsight Manager also supports interconnection with other CAS servers.

NOTE:
  • The login account must exist both on the cluster and in the third-party authentication center, and its password must be the same in both. After changing the password of a user in FusionInsight, you must also change the user's password in CAS Server.
  • The passwords of the login account and the cluster secondary authentication account are different. That is, the login account and password are stored in the storage of the third-party authentication center, and the cluster secondary authentication account (for starting and stopping the service) and password are stored in the storage of the cluster.
  • FusionInsight can interconnect with CAS Server versions 3.4.3 to 3.5.2.

Impact on the System

To interconnect with a third-party CAS server, you need to stop the cluster first. Services are unavailable until the cluster is restarted.

Prerequisites

The time difference between the third-party CAS server node and the active OMS node cannot exceed 1 minute. Otherwise, the error message Access failed will be displayed during SSO.

Configuring Information about the Third-party CAS Server

There are two configuration scenarios: configuration during the Manager installation and configuration after the cluster installation.

  • Configuring the third-party CAS server during the Manager installation
    1. The installation configuration file install.ini of the FusionInsight Manager provides parameters for the interconnection with third-party servers. Two parameters must be configured during the OMS installation.
      [HA] 
          ha_mode=double 
          local_ip1= 
          local_ip2= 
          local_ip3= 
          local_ip4= 
          peer_ip1= 
          peer_ip2= 
          peer_ip3= 
          peer_ip4= 
          ws_float_ip= 
          ws_float_ip_interface= 
          ws_float_ip_netmask= 
          ws_gateway= 
          om_float_ip= 
          om_float_ip_interface= 
          om_float_ip_netmask= 
          om_gateway= 
          ntp_server_ip= 
          om_mediator_ip= 
          sso_ip=
          sso_port= 
          bigdata_home= 
          bigdata_data_home= 
          cluster_nodes_scale=
          tls_protocol_min=
      [/HA]
      • sso_ip indicates the IP address of the CAS server to be interconnected.
      • sso_port indicates the port of the CAS server to be interconnected.
    2. After the OMS is installed, go to Interconnecting with a Certificate and perform step 3.
    3. After the Manager installation is complete, on the FusionInsight Manager portal, choose Homepage > Stop and enter the password of the current login administrator.

      In the displayed page, click OK to stop the cluster.

    4. Choose Cluster > More > Synchronize configurations to synchronize the cluster configurations.

      In the displayed dialog box, click OK for the system to synchronize the cluster configurations.

    5. Choose Homepage > Start to start the cluster for the configuration to take effect.
  • Configuring the third-party CAS server after the cluster installation

    To interconnect with a third-party CAS server after the cluster installation is complete, perform the following operations:

    1. Use PuTTY to log in to the active OMS node as user omm.
    2. Run the following commands to configure the third-party CAS server:

      cd ${BIGDATA_HOME}/om-server/tomcat/webapps/web/WEB-INF/config/

      sh update_fi_sso_info.sh <IP address of the third-party CAS server> <Port of the third-party CAS server>

    3. After the command is run successfully, run the following commands for the configuration to take effect:

      cd ${BIGDATA_HOME}/om-server/om/sbin/

      sh restart-controller.sh

    4. Go to Interconnecting with a Certificate and perform step 5.
    5. On the FusionInsight Manager portal, choose Homepage > Stop and enter the password of the current login administrator.

      In the displayed page, click OK to stop the cluster.

    6. Choose Homepage > More > Synchronize configurations to synchronize the cluster configurations.

      In the displayed dialog box, click OK for the system to synchronize the cluster configurations.

    7. Choose Homepage > Start to start the cluster for the configuration to take effect.

Interconnecting with a Certificate

After installing the OMS, if the SSO from the third-party server to FusionInsight cannot be performed successfully, you need to interconnect with the certificate.

Assume that ocscas.crt is the certificate of the third-party CAS server. Perform the following operations as user omm to import the certificate into the Tomcat and JDK keystores of FusionInsight:

  1. Import the certificate to jdk.

    1. Copy the certificate to ${JAVA_HOME}/jre/lib/security/.
    2. Run the following command:

      keytool -import -noprompt -trustcacerts -alias caspublickey -file ocscas.crt -keystore cacerts -storepass changeit

  2. Import the certificate to tomcat.

    1. Copy the certificate to ${BIGDATA_HOME}/om-server/tomcat/conf/security/.
    2. Run the following commands:

      keytool -import -noprompt -trustcacerts -alias caspublickey -file ocscas.crt -keystore tomcat.keystore -storepass Changeme_123

      keytool -import -noprompt -trustcacerts -alias caspublickey -file ocscas.crt -keystore tomcat_om.keystore -storepass Changeme_123

  3. Run the following command to restart Tomcat:

    1. Log in to the active OMS node as user omm.
    2. Run the jps | grep Bootstrap command to query the PID of tomcat and run the kill -9 command, such as kill -9 1203, to forcibly stop the tomcat process.
    3. Run the sh ${BIGDATA_HOME}/om-server/tomcat/bin/startup.sh command.

  4. Check whether security measures such as IP filtering are enabled on the third-party CAS server.

    • If yes, add the cluster IP address to the whitelist on the third-party CAS server so that access from the cluster IP address is not denied. Go to step 5.
      NOTE:

      This operation is mandatory if the third-party CAS is a cluster of FusionInsight.

    • If no, the task is complete.

  5. Configure the blacklist and whitelist for the third-party CAS server.

    1. Log in to the active OMS node as user omm and run the following commands:

      cd ${BIGDATA_HOME}/om-server/tomcat/webapps/cas/WEB-INF/

      vi web.xml

    2. In the file, find the following configuration section, and add the cluster IP address between <param-value></param-value>.
      ... 
      <param-name>WhiteParamList</param-name> 
      <param-value></param-value> 
      ...
    3. After the configuration is complete, stop tomcat.

      Run the jps | grep Bootstrap command to query the PID of tomcat and run the kill -9 command, such as kill -9 1203, to forcibly stop the tomcat process.

    4. Run the sh ${BIGDATA_HOME}/om-server/tomcat/bin/startup.sh command to start tomcat.
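
The imports in steps 1 and 2 use -noprompt, so keytool adds ocscas.crt to the trust stores without showing it for confirmation. The following check is an added example, not part of the Huawei procedure: it compares the file's SHA-256 fingerprint with a value obtained out of band before running the same keytool import. Assumptions: EXPECTED_FP and the function names are hypothetical, openssl is available on the node, and the certificate is PEM-encoded.

```bash
# Added example. Function names are hypothetical; EXPECTED_FP is assumed to be
# the SHA-256 fingerprint supplied out of band by the CAS server's administrator.

# Reduce a fingerprint to lowercase hex so that "AA:BB", "aa bb" and
# "sha256 Fingerprint=AA:BB" all compare equal.
normalise_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Print the normalised SHA-256 fingerprint of a PEM certificate file.
cert_fp() {
    local out
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 2
    normalise_fp "$out"
}

# Return 0 only if the file matches the expected fingerprint and does not
# expire within the next 24 hours; 1 on a failed check, 2 on unusable input.
verify_cert() {
    local crt expected actual
    crt=$1
    expected=$(normalise_fp "$2")
    [ "${#expected}" -eq 64 ] || { echo "expected value is not a SHA-256 fingerprint" >&2; return 2; }
    actual=$(cert_fp "$crt") || { echo "cannot parse $crt" >&2; return 2; }
    [ "$actual" = "$expected" ] || { echo "fingerprint mismatch, got $actual" >&2; return 1; }
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null ||
        { echo "$crt expires within 24 hours" >&2; return 1; }
}

# Import into one keystore only after verification, then print the stored
# entry so its fingerprint can be read back.
# usage: import_verified <crt> <expected-fp> <keystore> <storepass>
import_verified() {
    verify_cert "$1" "$2" || return
    keytool -import -noprompt -trustcacerts -alias caspublickey \
        -file "$1" -keystore "$3" -storepass "$4" &&
    keytool -list -v -alias caspublickey -keystore "$3" -storepass "$4"
}

# Example call for the JDK trust store from step 1 (run in the keystore directory):
# import_verified ocscas.crt "$EXPECTED_FP" cacerts changeit
```

Call import_verified once per keystore named in steps 1 and 2, with that keystore's own password.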

Updated: 2019-05-17

Document ID: EDOC1100074522
