Summary: this page describes how to manage user authentication methods for the Console (i.e. the web front end) 1.x.

Note that the authentication mechanism has changed in 2.x, see Configure authentication and roles using Keycloak - v. 2.x.

Introduction

In order to use Console (Console package), a user must first successfully authenticate. CAST currently supports the following authentication modes:

  • Authentication using local configuration: the list of users and their passwords is defined directly in a configuration file
  • Authentication using LDAP
  • Authentication using Active Directory
  • Authentication using SAML

During the AIP Console - front-end installation, one of the above authentication methods will have been chosen already, therefore this documentation is provided for the following reasons:

  • If you are using Authentication using local configuration, then you may need to declare additional users
  • If you would like to change to a new authentication method

For security reasons, a logged-in user is automatically disconnected after a period of inactivity.

Changing the authentication mode

The authentication mode is configured in the following file. Open the file with a text editor:

Windows

%PROGRAMDATA%\AipConsole\AipConsole\aipConsole.properties

Linux

$HOME/CAST/AipConsole/data/aipConsole.properties

Locate the following section of options. Change the security.mode option to the mode you require (local, ldap, ad or saml). Save the file and then consult the appropriate section in this page for instructions about how to configure the chosen mode.

# =============================
# Authentication parameters
# -----------------------------
# Applicable authentication configuration
# -----------------------------
#  - local -> Default. Contains a local definition of users and passwords
#  - ldap  -> Set this configuration for authentication over LDAP(S)
#  - ad    -> Set this configuration for authentication over LDAP(S) with basic Active Directory instances (simplified mode)
#  - saml  -> Set this configuration for SSO authentication using SAML

security.mode=local

Re-assigning the admin role when changing authentication mode

If you have already been using one authentication mode and are now switching to another (e.g. from local to LDAP), you will need to re-assign the ADMIN role to a user who logs in with the new authentication mode. To do so:

  • first ensure that the new authentication mode is configured
  • stop the Console front-end service
  • on the machine hosting Console, locate the following file and run it - this file will remove all the entries in the internal H2 database related to role assignment and will force the initial start-up wizard to be re-displayed when the Console front-end service is restarted:
%PROGRAMFILES%\CAST\AipConsole\AipConsole\admin\cleanupSecurityEntries.bat
  • restart the Console service
  • connect to Console from the machine hosting Console:
http://localhost:8081/ui/index.html#/
  • The initial start-up wizard will be displayed and will prompt you for the configurationKey.txt key (to prove you can legitimately configure the ADMIN role). Click Next to continue:

  • Now enter the login name that will be assigned as the first user with the ADMIN role and then click Next:

  • A summary will be displayed - then click Save and Finish to proceed. You will now see the familiar Console login screen - login with the user you assigned the ADMIN role to.

You will now need to configure any additional ADMIN users and Application Owners. See Administration Center - Security.

Configuring authentication using local configuration

If this mode is currently in use, you may need to declare additional users. Open the following file in a text editor:

Windows

%PROGRAMDATA%\AipConsole\AipConsole\application-security-local.xml

Linux

$HOME/CAST/AipConsole/data/application-security-local.xml

In this file, you can add an entry for each user, with their password, using the format <user name="[name]" password="{noop}[password]" authorities="USER"/>

  • If this authentication mode was chosen during the installation, one user will have already been defined.
  • Ensure all users have the authorities="USER" parameter.
  • Ensure that you include {noop} before your password as shown below. Without this, the user will be invalid.

In the example below, a new user James has been added with the password my_password:

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="admin" password="{noop}admin" authorities="USER"/>
                <user name="James" password="{noop}my_password" authorities="USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

Save the file and then restart the Console package in order for the new configuration to be taken into account. You must assign a role to a new user before that user can log in - see Administration Center - Security - User Roles.
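The two mistakes called out above (a password without the {noop} prefix, a user entry without authorities="USER") are easy to make by hand and only show up as a failed login after the restart. The following added example, which is not part of CAST's documentation or product, checks every user entry in the file with Python's standard library before you restart the service. The sample XML is constructed from the fragment above with two deliberately broken entries appended; the namespace handling is an assumption that covers a file whose root element carries a namespace declaration.

```python
"""Added example (not CAST's code): check the <user> entries of a Console 1.x
application-security-local.xml against the two rules stated on the page."""
import xml.etree.ElementTree as ET

# Constructed sample: the page's fragment plus two deliberately broken entries.
SAMPLE_XML = """<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="admin" password="{noop}admin" authorities="USER"/>
            <user name="James" password="{noop}my_password" authorities="USER"/>
            <user name="bad_noop" password="my_password" authorities="USER"/>
            <user name="bad_auth" password="{noop}my_password"/>
        </user-service>
    </authentication-provider>
</authentication-manager>
"""


def local_name(tag):
    """Strip a namespace prefix ('{uri}user' -> 'user') so the check also works
    when the real file declares an XML namespace on its root element (assumption)."""
    return tag.rsplit("}", 1)[-1]


def check_local_users(xml_text):
    """Return a list of (user name, problem) tuples.

    An empty list means every <user> has a '{noop}'-prefixed password and
    authorities="USER", which is what the page requires for the user to be valid.
    """
    problems = []
    seen = set()
    for elem in ET.fromstring(xml_text).iter():
        if local_name(elem.tag) != "user":
            continue
        name = elem.get("name", "<unnamed>")
        password = elem.get("password", "")
        if not password.startswith("{noop}"):
            problems.append((name, "password lacks the {noop} prefix, so the user is invalid"))
        if elem.get("authorities") != "USER":
            problems.append((name, 'missing authorities="USER"'))
        if name in seen:
            problems.append((name, "duplicate user name"))
        seen.add(name)
    return problems


if __name__ == "__main__":
    for user, problem in check_local_users(SAMPLE_XML):
        print(f"{user}: {problem}")
```

Run it against the real file with `check_local_users(open(path).read())`. Note that {noop} is Spring Security's marker for a password stored without any encoding, so this file holds every local password in clear text: restrict read access on it to the account that runs the Console service.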

Configuring authentication using LDAP/LDAPS

If you have enabled LDAP/LDAPS, open the following file in a text editor:

Windows

%PROGRAMDATA%\AipConsole\AipConsole\aipConsole.properties

Linux

$HOME/CAST/AipConsole/data/aipConsole.properties

Locate the following section of options:

# -----------------------------
# Parameters for ldap mode
# -----------------------------
security.ldap.url=
security.ldap.account.dn=
# to encrypt the password use aip-encryption-tool
security.ldap.account.password=
security.ldap.usersearch.base=
security.ldap.usersearch.filter=(&(objectClass=user)(sAMAccountName={0}))
security.ldap.groupsearch.base=
security.ldap.groupsearch.filter=(&(objectClass=group)(member={0}))
security.ldap.groupsearch.maxSearchDepth=10
# Performance fix for nested groups on AD
#security.ldap.groupsearch.filter=(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={0}))
#security.ldap.groupsearch.maxSearchDepth=1

Set the options according to the requirements of your LDAP/LDAPS directory - note that all fields are mandatory:

  • security.ldap.url must contain the URL of the directory. Ensure that you use a URL starting with ldap:// or ldaps://.

  • security.ldap.account.dn and security.ldap.account.password contain the service account credentials used to connect to the directory. If you would like to encrypt the password, see below for more information.

  • The remaining options specify the search parameters to be used on the directory.

Save the file and then restart the Console service in order for the new configuration to be taken into account.

Example configuration:
# -----------------------------
# Parameters for ldap mode
# -----------------------------
security.ldap.url=ldap://directory.example.com/
security.ldap.account.dn=cn=serviceaccount,dc=example,dc=com
# to encrypt the password use aip-encryption-tool
security.ldap.account.password=my_password
security.ldap.usersearch.base=dc=example,dc=com
security.ldap.usersearch.filter=(&(objectClass=user)(sAMAccountName={0}))
security.ldap.groupsearch.base=dc=example,dc=com
security.ldap.groupsearch.filter=(&(objectClass=group)(member={0}))
security.ldap.groupsearch.maxSearchDepth=10
# Performance fix for nested groups on AD
#security.ldap.groupsearch.filter=(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={0}))
#security.ldap.groupsearch.maxSearchDepth=1
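Because every field in the ldap block is mandatory and a bad value is only reported after the service restart, it helps to lint the properties file first. The following added example, which is not CAST's code, reads the authentication keys from aipConsole.properties and reports what would stop the chosen mode from working (empty mandatory fields, a URL that is not ldap:// or ldaps://, a non-numeric search depth, a filter without the {0} substitution placeholder used by the filters above) and what deserves a second look (an unencrypted ldap:// URL, a plain-text service-account password). It also covers the ad mode keys listed in the security.mode block. The sample properties are constructed from the example configuration above; the CRYPTED2: prefix used to recognise an encrypted password is an assumption taken from the encrypted-password example on this page, and the parser deliberately ignores Java backslash escapes.

```python
"""Added example (not CAST's code): sanity-check the authentication section of a
Console 1.x aipConsole.properties before restarting the service."""

# Constructed sample: the page's example ldap block, with security.mode set so the
# ldap checks apply and with the (empty) ad keys left in place.
SAMPLE_PROPERTIES = """
# Authentication parameters
security.mode=ldap
# Parameters for ldap mode
security.ldap.url=ldap://directory.example.com/
security.ldap.account.dn=cn=serviceaccount,dc=example,dc=com
# to encrypt the password use aip-encryption-tool
security.ldap.account.password=my_password
security.ldap.usersearch.base=dc=example,dc=com
security.ldap.usersearch.filter=(&(objectClass=user)(sAMAccountName={0}))
security.ldap.groupsearch.base=dc=example,dc=com
security.ldap.groupsearch.filter=(&(objectClass=group)(member={0}))
security.ldap.groupsearch.maxSearchDepth=10
#security.ldap.groupsearch.filter=(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={0}))
#security.ldap.groupsearch.maxSearchDepth=1
# Parameters for ad mode
security.ad.url=
security.ad.domain=
"""

VALID_MODES = ("local", "ldap", "ad", "saml")
LDAP_KEYS = (
    "security.ldap.url",
    "security.ldap.account.dn",
    "security.ldap.account.password",
    "security.ldap.usersearch.base",
    "security.ldap.usersearch.filter",
    "security.ldap.groupsearch.base",
    "security.ldap.groupsearch.filter",
    "security.ldap.groupsearch.maxSearchDepth",
)
AD_KEYS = ("security.ad.url", "security.ad.domain")
# Assumption: values produced by aip-encryption-tool carry this prefix, as in the
# page's encrypted-password example.
ENCRYPTED_PREFIX = "CRYPTED2:"


def parse_properties(text):
    """Minimal key=value reader: blank and '#' lines are skipped (so the commented
    AD performance-fix lines stay inactive) and each line is split on its first '='.
    Simplified on purpose: Java backslash escapes are not processed."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def _check_directory_url(url, key, errors, warnings):
    """The page requires ldap:// or ldaps://; plain ldap:// is flagged for review."""
    if url and not url.startswith(("ldap://", "ldaps://")):
        errors.append(f"{key} must start with ldap:// or ldaps://")
    elif url.startswith("ldap://"):
        warnings.append(f"{key} uses ldap://, so the service-account bind and directory "
                        "traffic are not encrypted in transit; prefer ldaps://")


def check_auth_config(props):
    """Return (errors, warnings): errors would stop the chosen mode from working,
    warnings are settings a reviewer would want a second look at."""
    errors, warnings = [], []
    mode = props.get("security.mode", "")
    if mode not in VALID_MODES:
        errors.append(f"security.mode={mode!r} is not one of {VALID_MODES}")
        return errors, warnings
    if mode == "ldap":
        for key in LDAP_KEYS:  # the page states that all fields are mandatory
            if not props.get(key):
                errors.append(f"{key} is mandatory in ldap mode but is empty")
        _check_directory_url(props.get("security.ldap.url", ""), "security.ldap.url", errors, warnings)
        password = props.get("security.ldap.account.password", "")
        if password and not password.startswith(ENCRYPTED_PREFIX):
            warnings.append("security.ldap.account.password is stored in plain text; "
                            "encrypt it with aip-encryption-tool")
        depth = props.get("security.ldap.groupsearch.maxSearchDepth", "")
        if depth and not depth.isdigit():
            errors.append("security.ldap.groupsearch.maxSearchDepth must be an integer")
        for key in ("security.ldap.usersearch.filter", "security.ldap.groupsearch.filter"):
            if props.get(key) and "{0}" not in props[key]:
                errors.append(f"{key} has no {{0}} placeholder for the value being searched")
    elif mode == "ad":
        for key in AD_KEYS:
            if not props.get(key):
                errors.append(f"{key} is mandatory in ad mode but is empty")
        _check_directory_url(props.get("security.ad.url", ""), "security.ad.url", errors, warnings)
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_auth_config(parse_properties(SAMPLE_PROPERTIES))
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN: ", line)
```

On the sample above the checker reports no errors and two warnings (ldap:// in the URL and a plain-text password), which is exactly the state of the page's example configuration. Point it at the real file with `parse_properties(open(path).read())`.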

Encrypting the LDAP service account password


If you would like to encrypt the LDAP service account password rather than inputting the password in plain text, please use the aip-encryption-tool provided with Console and with each Node installation. See Using the aip-encryption-tool to encrypt credentials for more information.

When you have generated an encrypted password, enter it in the security.ldap.account.password option instead of the plain text password, for example:

# -----------------------------
# Parameters for ldap mode
# -----------------------------
security.ldap.url=ldap://my_server:389
security.ldap.account.dn=MYCORP\MyUser
# to encrypt the password use aip-encryption-tool
security.ldap.account.password=CRYPTED2:DCBBF56E64BC89586B8BB74D9673E150B3A712186EFE2BA4A586BF5

Restart the Console service in order for the new configuration to be taken into account.

  • If the service is installed as a Windows Service, restart the service
  • If the service is running only using the batch file, close the CMD window to stop the service, then restart it using the following file:
<console_installation>\AipConsole\tools\runAIPConsole.bat

Configuring authentication using AD

Open the following file with a text editor:

Windows

%PROGRAMDATA%\AipConsole\AipConsole\aipConsole.properties

Linux

$HOME/CAST/AipConsole/data/aipConsole.properties

Locate the following section of options:

# -----------------------------
# Parameters for ad mode
# -----------------------------
security.ad.url=
security.ad.domain=

Set the following options according to the requirements of your Active Directory.

  • security.ad.url must contain the URL of the directory. Ensure that you use a URL starting with ldap:// or ldaps://.

  • security.ad.domain contains the Active Directory domain.

Save the file and then restart the Console service in order for the new configuration to be taken into account.

Configuring authentication using SAML

See SAML authentication for more information.