
Summary: this page describes how to manage user authentication methods for the AIP Console (i.e. the web front end).

Introduction

In order to use the AIP Console (AIP Console package), a user must first successfully authenticate. CAST currently supports the following authentication modes:

  • Authentication using local configuration > Definition of the list of users and their password directly in a configuration file
  • Authentication using LDAP
  • Authentication using Active Directory
  • Authentication using SAML

During the AIP Console package - front-end installation, one of the above authentication methods will already have been chosen; this documentation is therefore provided for the following reasons:

  • If you are using Authentication using local configuration, then you may need to declare additional users
  • If you would like to change to a new authentication method

For security reasons, a logged in user will be automatically disconnected after being inactive for some time.

Changing the authentication mode

The authentication mode is configured in the following file. Open the file with a text editor:

Windows

≥ 1.19.x %PROGRAMDATA%\AipConsole\AipConsole\aipConsole.properties
≤ 1.18.x <AIP_console_installation>\AipConsole\data\aipConsole.properties

Linux

$HOME/CAST/AipConsole/data/aipConsole.properties

Locate the following section of options. Change the security.mode option to the mode you require (local, ldap, ad, saml). Save the file and then consult the appropriate section in this page for instructions about how to configure the chosen mode.

# =============================
# Authentication parameters
# -----------------------------
# Applicable authentication configuration
# -----------------------------
#  - local	->	Default. Contains a local definition of users and passwords
#  - ldap	->	Set this configuration for authentication over LDAP(S)
#  - ad	->	Set this configuration for authentication over LDAP(S) with basic Active Directory instances (simplified mode)
#  - saml -> Set this configuration for SSO authentication using SAML

security.mode=local

Configuring authentication using local configuration

If this mode is currently in use, you may need to declare additional users. Open the following file in a text editor:

Windows

≥ 1.19.x %PROGRAMDATA%\AipConsole\AipConsole\application-security-local.xml
≤ 1.18.x <AIP_console_installation>\AipConsole\data\application-security-local.xml

Linux

$HOME/CAST/AipConsole/data/application-security-local.xml

In this file, you can add an entry for each user, with their password, using the format <user name="[name]" password="{noop}[password]" authorities="USER"/>

  • If this authentication mode was chosen during the installation, one user will have already been defined.
  • Ensure all users have the authorities="USER" parameter.
  • Ensure that you include {noop} before your password as shown below. Without this, the user will be invalid.

In the example below, a new user James has been added with the password my_password:

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="admin" password="{noop}admin" authorities="USER"/>
                <user name="James" password="{noop}my_password" authorities="USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

Save the file and then restart the AIP Console package in order for the new configuration to be taken into account. You must assign a role to a new user before that user can log in - see Administration Center - Security - User Roles.
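As an added check (not part of this page or of the CAST product), the script below parses an application-security-local.xml fragment and reports the entries that break the two rules above: a password without the {noop} prefix, or a missing authorities="USER". The duplicate-name check is an extra sanity check, not a rule the page states, and the sample XML is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the page's application-security-local.xml
# snippet, with two deliberately broken entries: "Bob" lacks the {noop}
# prefix and "Eve" lacks authorities="USER".
SAMPLE_XML = """<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="admin" password="{noop}admin" authorities="USER"/>
            <user name="James" password="{noop}my_password" authorities="USER"/>
            <user name="Bob" password="bob_password" authorities="USER"/>
            <user name="Eve" password="{noop}eve_password"/>
        </user-service>
    </authentication-provider>
</authentication-manager>
"""


def _user_elements(root):
    # Match on the local tag name so a namespaced wrapper element around the
    # fragment (assumed possible in the real file) does not hide <user> entries.
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "user"]


def list_users(xml_text):
    """Return the declared user names in file order."""
    return [u.get("name", "") for u in _user_elements(ET.fromstring(xml_text))]


def check_local_users(xml_text):
    """Return (name, problem) tuples for entries the page says are invalid
    (no {noop} prefix, no authorities="USER") plus duplicate names, which is
    an added sanity check rather than a documented rule."""
    problems = []
    seen = set()
    for user in _user_elements(ET.fromstring(xml_text)):
        name = user.get("name", "<unnamed>")
        if name in seen:
            problems.append((name, "user name declared more than once"))
        seen.add(name)
        if not user.get("password", "").startswith("{noop}"):
            problems.append((name, "password lacks the {noop} prefix"))
        if user.get("authorities") != "USER":
            problems.append((name, 'missing authorities="USER"'))
    return problems
```

Run it against the real file before restarting the service; an entry it flags is one the console will not accept at login.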

Configuring authentication using LDAP/LDAPS

If you have enabled LDAP/LDAPS, open the following file in a text editor:

Windows

≥ 1.19.x %PROGRAMDATA%\AipConsole\AipConsole\aipConsole.properties
≤ 1.18.x <AIP_console_installation>\AipConsole\data\aipConsole.properties

Linux

$HOME/CAST/AipConsole/data/aipConsole.properties

Locate the following section of options:

# -----------------------------
# Parameters for ldap mode
# -----------------------------
security.ldap.url=
security.ldap.account.dn=
# to encrypt the password use aip-encryption-tool
security.ldap.account.password=
security.ldap.usersearch.base=
security.ldap.usersearch.filter=(&(objectClass=user)(sAMAccountName={0}))
security.ldap.groupsearch.base=
security.ldap.groupsearch.filter=(&(objectClass=group)(member={0}))
security.ldap.groupsearch.maxSearchDepth=10
# Performance fix for nested groups on AD
#security.ldap.groupsearch.filter=(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={0}))
#security.ldap.groupsearch.maxSearchDepth=1

Set the following options according to the requirements of your LDAP/LDAPS directory:

  • security.ldap.url must contain the URL of the directory. Ensure that you use a URL starting with ldap:// or ldaps://.

  • security.ldap.account.dn and security.ldap.account.password contain the service account credentials to be used to connect to the directory. If you would like to encrypt the password, see below for more information.

  • The remaining options specify the search parameters to be used on the directory.

Save the file and then restart the AIP Console service in order for the new configuration to be taken into account.

Encrypting the LDAP service account password


If you would like to encrypt the LDAP service account password rather than inputting the password in plain text, please use the aip-encryption-tool provided with AIP Console and with each AIP Node installation. See Using the aip-encryption-tool to encrypt credentials for more information.

When you have generated an encrypted password, enter it in the security.ldap.account.password option instead of the plain text password, for example:

# -----------------------------
# Parameters for ldap mode
# -----------------------------
security.ldap.url=ldap://my_server:389
security.ldap.account.dn=MYCORP\MyUser
# to encrypt the password use aip-encryption-tool
security.ldap.account.password=CRYPTED2:DCBBF56E64BC89586B8BB74D9673E150B3A712186EFE2BA4A586BF5

Restart the AIP Console service in order for the new configuration to be taken into account.

  • If the service is installed as a Windows Service, restart the service
  • If the service is running only using the batch file, close the CMD window to stop the service, then restart it using the following file:
<AIP_console_installation>\AipConsole\tools\runAIPConsole.bat

Configuring authentication using AD

Open the following file with a text editor:

Windows

≥ 1.19.x %PROGRAMDATA%\AipConsole\AipConsole\aipConsole.properties
≤ 1.18.x <AIP_console_installation>\AipConsole\data\aipConsole.properties

Linux

$HOME/CAST/AipConsole/data/aipConsole.properties

Locate the following section of options:

# -----------------------------
# Parameters for ad mode
# -----------------------------
security.ad.url=
security.ad.domain=

Set the following options according to the requirements of your Active Directory.

  • security.ad.url must contain the URL of the directory. Ensure that you use a URL starting with ldap:// or ldaps://.

  • security.ad.domain contains the Active Directory domain

Save the file and then restart the AIP Console service in order for the new configuration to be taken into account.
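As an added example (not CAST's code), the script below reads an aipConsole.properties fragment and checks the settings described in the security.mode, LDAP/LDAPS, encrypted-password and AD sections above: a valid security.mode value, a directory URL starting with ldap:// or ldaps://, and an LDAP service account password that carries the CRYPTED2: prefix produced by the aip-encryption-tool rather than plain text. The sample fragment is constructed from the page's own placeholders.

```python
# Constructed aipConsole.properties fragment modelled on the page's examples;
# my_server and MYCORP\MyUser are the page's placeholders, and the reader
# below does not process Java backslash escapes (not needed for these keys).
SAMPLE_PROPERTIES = """\
# Authentication parameters
security.mode=ldap
# Parameters for ldap mode
security.ldap.url=ldap://my_server:389
security.ldap.account.dn=MYCORP\\MyUser
# to encrypt the password use aip-encryption-tool
security.ldap.account.password=my_plaintext_password
security.ldap.usersearch.filter=(&(objectClass=user)(sAMAccountName={0}))
"""

VALID_MODES = ("local", "ldap", "ad", "saml")


def parse_properties(text):
    """Minimal .properties reader: skip comments and blank lines, split on
    the first '=', strip whitespace; a repeated key keeps its last value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_auth_config(text):
    """Return findings for security.mode and the ldap/ad directory settings."""
    props = parse_properties(text)
    mode = props.get("security.mode", "")
    if mode not in VALID_MODES:
        return [f"security.mode={mode!r} is not one of {list(VALID_MODES)}"]
    findings = []
    if mode in ("ldap", "ad"):
        url = props.get(f"security.{mode}.url", "")
        if not url.startswith(("ldap://", "ldaps://")):
            findings.append(f"security.{mode}.url must start with ldap:// or ldaps://")
        elif url.startswith("ldap://"):
            findings.append(f"security.{mode}.url is ldap:// (no TLS): a simple bind sends the service account password in cleartext; prefer ldaps://")
    if mode == "ldap":
        pw = props.get("security.ldap.account.password", "")
        if not pw.startswith("CRYPTED2:"):
            findings.append("security.ldap.account.password is not an aip-encryption-tool CRYPTED2: value")
    return findings
```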

Configuring authentication using SAML

See SAML authentication for more information.
