E8 Authentication Guide
Summary information
Confidentiality
The contents of this document are confidential between ABB and its customers. The parties must keep the information herein
confidential at all times and not disclose it, or permit it to be disclosed, to any third party, apart from any of their officers,
employees, agents or advisers who have a specific need to access the information herein and have agreed to be bound by the
terms of confidentiality.
Document Control
Once the project is completed or terminated, this document will revert to an uncontrolled document status. No further advice
will be provided, and each recipient may either destroy the document or mark it as obsolete and retain it for future personal
reference.
All copies of this document will be issued electronically.
• Installation and configuration of OpenAM as the primary Access Management source for Ellipse
• Configuration of an existing Ellipse instance, Appliance or non-Appliance based to support integration with OpenAM
Purpose
This document is a guide for customers and consultants involved in establishing the security architecture of Ellipse 8.
Scope
This section indicates what is included and also what is not included in the document.
The following is in scope and covered in a section of this document.
Installation Definitions
The following table introduces terminology needed to understand the Ellipse Installation.
Term: Definition
IP address: Internet Protocol address; a numerical label assigned to each device (for example: computer, printer) participating in a computer network.
Instance: for example, Ellipse production.
Oracle Linux (OL): Free operating system variant based on Red Hat Enterprise Linux.
Activity: Tasks
Prepare: Identify servers/URLs and bind credentials of the existing Active Directory or other LDAPv3 compliant directory service that records existing organisational user profiles that Ellipse should authenticate against.
Download: Download the OpenAM software (OpenAM Server, Tools, Configurator) plus additional Linux system tools/packages.
Install: Install and configure Ellipse to use basic, out-of-the-box authentication to an existing Active Directory service or other LDAPv3 compliant directory service.
Configure: Configure the Web Policy Agent and Ellipse to use OpenAM.
Prepare
1. Determine where OpenAM Enterprise Server is to be installed
Non-Appliance installations
Non-Appliance customers will need to source an additional server, physical or virtual, to accommodate the OpenAM Enterprise software to which Ellipse redirects unauthenticated requests.
ABB recommends the OpenAM server to be sized according to the table following:
The OpenAM server is not expected to require significant resources, because the service itself does very little processing in normal circumstances. Most processing occurs during login and logoff.
Appliance installations
Appliance based installations have at least two options:
a. source an additional server, physical or virtual, to accommodate the OpenAM Enterprise software to which Ellipse redirects unauthenticated requests
b. install the OpenAM Server software on the Appliance host. The Appliance utility app-port-manager can be used to "open" the ports required to ensure that traffic for OpenAM Server is routed to the service.
• Verify Oracle Linux operating system instance created with root user access available
2. Get AD/LDAP search and credentials
• Obtain the Bind DN and password to be used in the OpenAM configuration steps
• Ensure directory is populated with user profiles and associated attributes that should be used during the Ellipse
authentication processes.
• Record the DN and other important directory specific attributes and metadata
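An added example (not part of the original guide) of checking the directory details gathered in this Prepare step before they are typed into OpenAM: a POSIX shell function that binds with the service credentials and confirms that the chosen user-name attribute locates exactly one entry for a known account. It uses ldapsearch from the openldap-clients package; the host, DNs and account names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify the Active Directory /
# LDAP details gathered in the Prepare step (server URL, Bind DN and password,
# search base DN, user-name attribute) by looking up one known account with
# ldapsearch from the openldap-clients package. OpenAM needs the bind to succeed
# and the user-name attribute to identify exactly one entry.
#
# Usage: ldap_precheck LDAP_URL BIND_DN BIND_PASSWORD BASE_DN UID_ATTR USERNAME
#   ldap_precheck ldap://ad.example.corp:389 'CN=svc-openam,OU=Service,DC=example,DC=corp' \
#       "$BIND_PW" 'DC=example,DC=corp' sAMAccountName jsmith
# (hostnames, DNs and names above are placeholders, not values from the guide)
# Prints the matching DN and returns 0 only when exactly one entry matches.

ldap_precheck() {
    url="$1"; bind_dn="$2"; bind_pw="$3"; base="$4"; uid_attr="$5"; user="$6"

    # Escape LDAP filter metacharacters in the user name (RFC 4515), so an odd
    # account name cannot widen the filter into matching other entries.
    esc=$(printf '%s' "$user" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g')
    filter="($uid_attr=$esc)"

    # Simple bind (-x) with the service credentials; ask only for the DN and
    # the user-name attribute. -LLL prints plain LDIF without comment lines.
    out=$(ldapsearch -x -LLL -H "$url" -D "$bind_dn" -w "$bind_pw" \
              -b "$base" -s sub "$filter" "$uid_attr" 2>&1) || {
        echo "bind or search failed: $out"
        return 1
    }

    # Count "dn:" lines: one per entry returned.
    dns=$(printf '%s\n' "$out" | grep '^dn: ' || true)
    n=$(printf '%s\n' "$dns" | grep -c . || true)
    case "$n" in
        1) echo "OK: $dns"; return 0 ;;
        0) echo "no entry for $filter under $base (check base DN and attribute name)"; return 1 ;;
        *) echo "ambiguous: $n entries match $filter; OpenAM needs a unique profile"; return 1 ;;
    esac
}
```

The DN it prints is the value to record for the "DN to Start User Search" and attribute settings later in this guide; an "ambiguous" result means the attribute chosen is not unique in the directory.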
Download
1. Download these components:
• Tomcat 8.0
http://download.fedoraproject.org/pub/epel/6/$basearch
• You will need to have registered with ForgeRock to download the OpenAM Enterprise software and tools.
2. Download additional Linux system packages and tools
• Use yum to install the OpenLDAP client tools plus other useful tools like netstat and tcpdump:
yum install openldap-clients
yum install tcpdump sysstat
Install
This section describes the tasks required to install OpenAM and configure Ellipse to use OpenAM during the Ellipse
authentication phase.
All the tasks described in the "Prepare" section above are assumed to have been completed.
The OpenAM server should be installed on its own server, physical or virtual, in the same domain as the Ellipse application to be protected. Cross-domain configurations are considered more complex and may require consulting to assist.
Steps
http://<openam_server>:8080/openam
• Choose "Default Configuration". You should receive a message indicating that creation of the default configuration
succeeded.
3. Install Apache HTTPD if required
• If you are reconfiguring an Appliance you can skip this step and use the HTTP service on the CmdCtl guest. If you are a non-Appliance installation then you should do the same in your installation by using the HTTP server that is fronting your Ellipse online, EWS and VIP requests.
• If you are a non-Appliance installation that has not previously used Apache to front requests for Ellipse, EWS and/or VIP then you will need to install and configure an instance of Apache HTTP server so that the OpenAM Web Policy Agent software can be installed and configured to intercept requests for Ellipse online, EWS and/or VIP.
• If you don't have an Apache HTTP server instance that is already fronting Ellipse, then you can install one using yum, on a new or existing OL server, physical or virtual:
yum install httpd
Note that some non-Appliance, do-it-yourself style installations may see the package name changed from "httpd" to "httpd22" or "httpd24", corresponding to the version of Apache HTTP Server being used. Appliance installations currently use Apache HTTP Server 2.2.
4. Install OpenAM Web Policy Agent for Apache HTTP server for Ellipse
• Create a password file for the Web Agent:
echo <WEB_AGENT_PASSWORD> > /tmp/<envname>
Restrict the file's permissions (for example with chmod 600) and delete it once the installer has finished, since it holds the credential the agent uses to authenticate to OpenAM.
• Run the Web Policy Agent installer, providing parameter values when prompted, as follows:
Param: Value
OpenAM URL: The URL where the OpenAM server has been installed, usually of the form http://openam.domain:8080/openam
Agent URL: The URL of the Apache instance where the Agent is installed, usually of the form http://ellipse-env.domain:80
• Select the realm created above and navigate to Authentication > Core > All Core Settings and set parameter values as follows:
Param: Value
User Profile: Dynamic
User Attribute Mapping to Session Attribute: <uid_attr_name>|UserToken
where <uid_attr_name> is the name of the LDAP record attribute that holds the user name to be authenticated. This entry is critical because it creates the mapping between the LDAP profile attribute and the OpenAM session attribute that the Ellipse code will use to verify token validity.
• Execution of the above step is critical because it ensures that the username entered by the user is available to Ellipse as a session attribute. Ellipse uses the OpenAM security token generated after successful authentication to retrieve the session and then extract the session attribute created to record the user name. For example, under AD, "samAccountName" usually records the user's Windows domain account user name. If this attribute is the one determined to hold the name of the Ellipse user, then the attribute map value would be "samAccountName|UserToken".
• Note that the "UserToken" portion of the example mapping must be the same as the value of the JBoss system property named "mincom.openam.usertoken", which defaults to "UserToken".
• Save the configuration changes
2. Create new Authentication Module(s)
• Navigate to Access Control > realm-ellipse-<envname> > Authentication > Module Instances > new, setting parameters as follows:
Param: Value
Name: <custLDAPname>
Type: LDAP or Active Directory or Windows Desktop SSO or OAuth 2.0 / OpenID Connect
• Select the new LDAP module created above (the example was <custLDAPname>), and enter parameters as follows:
Param: Value
Primary LDAP Server: IP address:port or hostname:port of the customer's primary Active Directory or other LDAPv3 compliant directory server
Secondary LDAP Server: IP address:port or hostname:port of the customer's secondary Active Directory or other LDAPv3 compliant directory server
DN to Start User Search: DN to search for users
Bind User DN: DN of a user with "bind" authority to the Directory Service
Bind User Password: Password of the user with "bind" authority to the Directory Service
Attribute Used to Retrieve User Profile: LDAP attribute name that will be used to locate the user profile from the OpenAM Datastore
Attributes Used to Search for a User to be Authenticated: LDAP attribute names that will be used to find the user to be authenticated
User Search Filter: Optional, in most cases not required. Used to further filter the LDAP search.
Search Scope: SUBTREE
• Navigate to Access Control > realm-ellipse-<envname> > Authentication > Authentication Chaining > ldapService, setting parameters as follows:
Param: Value
Instance: LDAP
Criteria: REQUISITE
On an Appliance this would usually be something like:
ellipse-<envname>.appliancehost.domain
Instance to 'LDAP' and Criteria to 'REQUIRED', save
Note
Even though the profile and session attribute mapping settings are marked as "Hot-Swappable: yes", setting changes
still seem to take quite some time to come into effect. The amount of time is supposed to be controlled by the Agent
configuration refresh interval setting. If you want the change to persist immediately, you should restart the agent with
"service httpd restart"
Use this parameter when you want the RIA code to extract the username to sign on to Ellipse with from an HTTP header embedded in the request by the OpenAM agent after successful authentication via the OpenAM server. This authentication mechanism is used mostly in development and test environments only, as it is less secure than the alternative, which is to call the OpenAM service with the OpenAM authentication token to retrieve the user name: a header-based user name is only as trustworthy as the guarantee that the header can be set solely by the agent and never arrives from the client.
login with:
http://ellipse-envname.appliancehostname.domain/ria/ui.html
Manual configuration of Apache HTTP Server to use the Web Policy Agent
Installation of the Web Policy Agent is supposed to update your Apache httpd.conf configuration to include the OpenAM Web Policy Agent modules, effectively "activating" the Web Policy Agent intercept point. In our experience, the OpenAM Web Policy Agent software installation does NOT always reliably perform this change, and it needs to be checked following apparently successful installation of the Web Policy Agent.
To check if the OpenAM Web Policy Agent module has been included in the main Apache configuration file and/or any of the folders that Apache is configured to look in for configuration files, most commonly:
/etc/httpd/httpd.conf /etc/httpd/conf.d/*
use an editor or search tool to look for this directive. Following is an example using "grep" to search:
Both Appliance and non-Appliance installations may consider introducing an additional HTTP configuration file (under conf.d) in order to ensure that the OpenAM Web Policy Agent is configured to intercept requests passing through the Apache instance on the "cmdctl" guest and destined for Ellipse.
include ${web_agent_home}/web_agents/apache22_agent/Agent_001/config/dsame.conf
where ${web_agent_home} is the fully qualified path of the location where the OpenAM Web Policy Agent software was installed/unzipped.
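An added example (not part of the original guide) of the check described above: a POSIX shell function that searches httpd.conf and every file under conf.d for a non-comment "include" directive naming dsame.conf and confirms that the file it points to exists. It assumes the Apache configuration root is passed as its argument (default /etc/httpd).

```shell
#!/bin/sh
# Added example, not part of the original guide: check whether Apache has been
# told to load the OpenAM Web Policy Agent, i.e. whether an "include" directive
# naming dsame.conf is present in httpd.conf or any file under conf.d, and
# whether the file it points to really exists. Run it after the agent installer
# and again after any manual edit; it reports the outcome and returns 0 only
# when the agent is wired in exactly once.
#
# Usage: check_agent_include [CONF_DIR]   (default /etc/httpd; an assumption)

check_agent_include() {
    conf_dir="${1:-/etc/httpd}"

    # Gather the main configuration file and every file in conf.d, if present.
    files=""
    for f in "$conf_dir/httpd.conf" "$conf_dir/conf/httpd.conf" "$conf_dir"/conf.d/*; do
        [ -f "$f" ] && files="$files $f"
    done
    if [ -z "$files" ]; then
        echo "no Apache configuration files found under $conf_dir"
        return 1
    fi

    # Non-comment lines of the form "include ... dsame.conf" (any letter case).
    hits=$(grep -iHn '^[[:space:]]*include[[:space:]].*dsame\.conf' $files || true)
    count=$(printf '%s\n' "$hits" | grep -c . || true)

    if [ "$count" -eq 0 ]; then
        echo "NOT FOUND: no Web Policy Agent include directive in $files"
        return 1
    elif [ "$count" -gt 1 ]; then
        echo "WARNING: $count include directives found; the agent would load more than once:"
        printf '%s\n' "$hits"
        return 1
    fi

    # Strip "file:line:include" and trailing blanks to get the path argument.
    path=$(printf '%s\n' "$hits" | sed 's/^[^:]*:[0-9]*:[[:space:]]*[Ii][Nn][Cc][Ll][Uu][Dd][Ee][[:space:]]*//; s/[[:space:]]*$//')
    if [ -f "$path" ]; then
        echo "OK: agent include found, $path exists"
        return 0
    fi
    echo "FOUND but $path does not exist: check the web_agent_home path"
    return 1
}
```

A "FOUND but ... does not exist" result usually means the ${web_agent_home} placeholder was copied literally instead of being replaced with the real installation path.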
Note that the change must be performed on all Ellipse server types / guests for a given environment. A typical production environment will often include:
1. To start manually
2. Check the BATCH.Log for startup. The Ellipse Batch JBoss server logs are at
/opt/ellipse/jboss-as-7.1.1.Final.noHornetQ/standalone/log/server.log
Start Web Policy agent (Apache HTTP Server)
The OpenAM Web Policy Agent runs inside the Apache Web Server which fronts the Ellipse instance. The Apache server should already be defined as a service which starts automatically when the server / guest boots.
1. Start
http://ellipse-<envname>.appliancehost.domain/ria/ui.html
Stopping Ellipse
This procedure applies to Ellipse Online, Ellipse Batch and Ellipse Web Services instances.
To stop:
• remove the Apache HTTP "include" conf directive (added automatically by the Web Policy Agent install or, in some cases, manually after the install by the installer)
• restart Apache HTTP
Note that if you disable the Web Policy Agent, you will also need to remove the JVM args added to Ellipse which "tell" Ellipse to look for the security tokens generated by the Web Policy Agent following a successful authentication request during Ellipse sign-on.