Command Central and LDAP Integration

  1. Has anyone successfully implemented LDAP authentication for Command Central?
  2. Has anyone controlled the access levels with LDAP groups in Command Central?
  3. Does Command Central have Single-Sign-On to other components/instances?

Hello Suresh,

I had modified the jaas.config file with the LDAP details.

In the file com.softwareag.sso.pid.properties there is a property “enabled=true”.
Now we need to provide the SSO login details to complete the process. It can be achieved in 2 ways:

  1. modifying the com.softwareag.security.ldap.pid.properties for both SPM and CCE

  2. modify the jaas.config file

  3. set the below parameters, as per your LDAP server

watt.server.ldap.url=ldap://<ip address/host>:389 -------> needs modification
watt.server.ldap.prin=CN=user,OU=myuser,DC=ldap,DC=server -------> needs modification
watt.server.ldap.cred=******** -------> needs modification
watt.server.ldap.creategroups=true
watt.server.ldap.gidprop=CN
watt.server.ldap.uidprop=CN
watt.server.ldap.usecaching=false
watt.server.ldap.userrootdn=DC=my,DC=ldap,DC=server -------> needs modification if present otherwise remove
watt.server.ldap.mattr=memberOf
watt.server.ldap.grouprootdn=DC=my,DC=ldap,DC=server -------> needs modification if present otherwise remove
watt.server.ldap.groupobjclass=group
watt.server.ldap.personobjclass=person

  1. for the jaas.config file, use the parameters for LDAP login and update the code there. I used the sample code in the pdf and just used the LDAP credentials used in the Directory Services setup in MWS.

After that I was able to connect to the Integration Server from the CCE console.

But it is for the fixed user only. In the Authentication tab for the IS component there is a pencil icon, where we can select the user for IS admin login. There, by default, it is taking Fixed User. There I gave my own LDAP credentials and it was able to log in to the IS from the CCE console.

But I was not able to log in to the CCE UI page via LDAP login. I created the same group name as the DN of the LDAP server (mentioned in the pdf) and then associated it with Administrator roles in Roles.txt and Groups.txt under profiles. Hence I am also stuck midway regarding this issue.

Thanks and Regards
Abir Banerjee

Hi Suresh,
Yes, it is possible to enable LDAP auth for Command Central.
The LDAP login module needs to be added to the CCE profile’s jaas.config.

e.g. add to realm Default in install_dir\profiles\CCE\configuration\security\jaas.config

com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule optional
    url="ldap://hostname.eur.ad.sag:3456"
    prin="CN=BGQATest,OU=Generic,OU=Bulgaria,DC=eur,DC=ad,DC=sag"
    cred="yourcredpassword"
    gidprop="CN"
    uidprop="CN"
    usecaching="false"
    userrootdn="dc=eur,dc=ad,dc=sag"
    mattr="memberOf"
    memberinfoingroups=false
    grouprootdn="dc=eur,dc=ad,dc=sag"
    groupobjclass="group"
    personobjclass="person"
    creategroups=true;

This way, all incoming connections to Command Central, including the command line tool, UI, etc., can be authenticated using LDAP.

There is Single Sign On support for some of the products. For example, if you are logged in to the Command Central Web UI, you can go to the product’s overview tab and in the upper right corner there is a link to this product’s administration page. If SSO is supported for this product, it opens without the need for entering credentials.
For connections from Platform Manager to components, e.g. for monitoring, in Command Central 9.8 the authentication mode for run-time components that support trusted authentication is set to Trusted by default. In the instance Overview tab, click in the Authentication field to change the authentication mode using the Authentication Mode dialog box.
When you specify the authentication mode for an instance, that authentication mode is also set for all layered product instances of the main product instance. For example, Business Rules uses the authentication mode set for the Integration Server instance to which it belongs. However, changing the authentication mode for the OSGI profile of Integration Server does not change the authentication mode for the Integration Server run-time component that belongs to that OSGI profile.

Was anyone able to integrate Command Central by using the first approach, i.e. adding the properties in the ‘com.softwareag.security.ldap.pid.properties’ file on CCE and SPM?

If yes, would you please guide me through the setup steps?

Currently I have added the properties to the CCE and SPM property files, but when I try to log in it fails.
Also, I am not able to find what errors are coming. Can anyone guide me on this as well?

Best,
Mayank

Hi Mayank,
In order to use the dynamic configuration property file, it is also required to modify your jaas.config.
What is the version of Command Central you are using?

  1. modify install_dir/profiles/CCE/configuration/security/jaas.config
    to include the LDAP login module and an alias for the LDAP configuration,
    e.g.
    com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule sufficient
    alias="name1";
  2. create a configuration file under
    profiles\CCE\configuration\com.softwareag.platform.config.propsloader with the name
    com.softwareag.platform.ldap.server.pid-name1.properties
    Please note that the file name contains the alias.
    The contents of the file should also include this alias,
    e.g.

alias=name1
url=ldaps://vmdaeseclinux.eur.ad.sag:10636
prin=CN=sectest,OU=user,OU=Germany,dc=eur,dc=ad,dc=sag
cred=*******
useaf=true
dnprefix=CN=
dnsuffix=,OU=user,OU=Germany,dc=eur,dc=ad,dc=sag
usecaching=false
mattr=roleoccupant
gidprop=CN
grouprootdn=OU=Groups,OU=Germany,dc=eur,dc=ad,dc=sag
groupobjclass=organizationalRole
personobjclass=organizationalPerson
truststoreUrl=file:///C:/SoftwareAG/common/conf/ldap_truststore.jks
truststorePassword=******
truststoreType=jks

Then open the Command Central UI or use the command line tool and provide your credentials.
You can check if there are any errors inside
profiles\CCE\logs\wrapper.log
for something that looks like this:
INFO | jvm 1 | 2015/06/30 10:26:46 | [com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule] 2015-06-30 10:26:46,158 ERROR: Authentication failed

Best Regards,
Veselin
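An added helper, not from this thread or from Software AG, that checks the alias wiring Veselin describes (login module entry in jaas.config, properties file named after the alias and containing it, truststore keys when the url is ldaps://) and pulls LDAPLoginModule errors out of wrapper.log text. The file name pattern, module class and log line follow the thread; the sample jaas.config, properties and the extra INFO log line are constructed, and the function names are this example's own.

```python
import re

# Login module class named in the thread
LDAP_LM = "com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule"

# Constructed sample inputs modelled on the thread's examples (not real files)
SAMPLE_JAAS = '''Default {
    %s sufficient
        alias="name1";
};''' % LDAP_LM
SAMPLE_PROPS = """alias=name1
url=ldaps://ldap.example.test:10636
prin=CN=sectest,OU=user,dc=example,dc=test
cred=placeholder
truststoreUrl=file:///C:/SoftwareAG/common/conf/ldap_truststore.jks
truststorePassword=placeholder
truststoreType=jks
"""
SAMPLE_LOG = """INFO | jvm 1 | 2015/06/30 10:26:40 | [%s] 2015-06-30 10:26:40,001 INFO: constructed sample line
INFO | jvm 1 | 2015/06/30 10:26:46 | [%s] 2015-06-30 10:26:46,158 ERROR: Authentication failed
""" % (LDAP_LM, LDAP_LM)

def ldap_aliases(jaas_text):
    """Aliases of every LDAPLoginModule entry; straight quotes only, as JAAS requires."""
    return re.findall(re.escape(LDAP_LM) + r'\s+\w+\s+alias\s*=\s*"([^"]+)"\s*;', jaas_text)

def props_filename(alias):
    """Properties file name Command Central expects for this alias (per the thread)."""
    return f"com.softwareag.platform.ldap.server.pid-{alias}.properties"

def check_props(alias, filename, text):
    """Return problems with the alias properties file; an empty list means it is consistent."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)   # dnprefix=CN= keeps its trailing '='
            props[key.strip()] = value.strip()
    problems = []
    if filename != props_filename(alias):
        problems.append(f"file must be named {props_filename(alias)}")
    if props.get("alias") != alias:
        problems.append("alias= line must match the alias in jaas.config")
    url = props.get("url", "")
    if url.startswith("ldap://"):
        problems.append("url is ldap:// so the bind password travels in cleartext")
    elif url.startswith("ldaps://"):
        for key in ("truststoreUrl", "truststorePassword", "truststoreType"):
            if key not in props:
                problems.append(f"ldaps:// needs {key}")
    return problems

def ldap_errors(wrapper_log):
    """ERROR lines written by the LDAP login module in profiles/CCE/logs/wrapper.log."""
    return [ln for ln in wrapper_log.splitlines() if LDAP_LM in ln and " ERROR" in ln]

if __name__ == "__main__":
    for alias in ldap_aliases(SAMPLE_JAAS):
        print(alias, check_props(alias, props_filename(alias), SAMPLE_PROPS) or "OK")
    print(*ldap_errors(SAMPLE_LOG), sep="\n")
```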