Summary: this page describes how to manage user authentication methods for the Console (i.e. the web front end) 1.x.
Note that the authentication mechanism has changed in 2.x, see Configure authentication and roles using Keycloak - v. 2.x.
Introduction
In order to use Console (Console package), a user must first successfully authenticate. CAST currently supports the following authentication modes:
- Authentication using local configuration: the list of users and their passwords is defined directly in a configuration file
- Authentication using LDAP
- Authentication using Active Directory
- Authentication using SAML
During the AIP Console - front-end installation, one of the above authentication methods will have been chosen already, therefore this documentation is provided for the following reasons:
- If you are using Authentication using local configuration, then you may need to declare additional users
- If you would like to change to a new authentication method
For security reasons, a logged-in user is automatically logged out after a period of inactivity.
Changing the authentication mode
The authentication mode is configured in the following file. Open the file with a text editor:
Windows: %PROGRAMDATA%\AipConsole\AipConsole\aipConsole.properties
Linux: $HOME/CAST/AipConsole/data/aipConsole.properties
Locate the following section of options. Change the security.mode option to the mode you require (local, ldap, ad, saml). Save the file and then consult the appropriate section in this page for instructions about how to configure the chosen mode.
# =============================
# Authentication parameters
# -----------------------------
# Applicable authentication configuration
# -----------------------------
# - local -> Default. Contains a local definition of users and passwords
# - ldap -> Set this configuration for authentication over LDAP(S)
# - ad -> Set this configuration for authentication over LDAP(S) with basic Active Directory instances (simplified mode)
# - saml -> Set this configuration for SSO authentication using SAML
security.mode=local
Re-assigning the admin role when changing authentication mode
If you have already been using a specific authentication mode and are now switching to a new mode (e.g. from local to LDAP), then you will need to re-assign the ADMIN role to a user who logs in with the new authentication mode. To do so:
- first ensure that the new authentication mode is configured
- stop the Console front-end service
- on the machine hosting Console, locate the following file and run it. It removes all role-assignment entries from the internal H2 database and forces the initial start-up wizard to be displayed again when the Console front-end service is restarted:
%PROGRAMFILES%\CAST\AipConsole\AipConsole\admin\cleanupSecurityEntries.bat
- restart the Console service
- connect to Console from the machine hosting Console:
http://localhost:8081/ui/index.html#/
- The initial start-up wizard will be displayed and will prompt you for the configurationKey.txt key (to prove you can legitimately configure the ADMIN role). Click Next to continue:
- Now enter the login name that will be assigned as the first user with the ADMIN role and then click Next:
- A summary will be displayed - then click Save and Finish to proceed. You will now see the familiar Console login screen - login with the user you assigned the ADMIN role to.
You will now need to configure any additional ADMIN users and Application Owners. See Administration Center - Security.
Configuring authentication using local configuration
If this mode is currently in use, you may need to declare additional users. Open the following file in a text editor:
Windows: %PROGRAMDATA%\AipConsole\AipConsole\application-security-local.xml
Linux: $HOME/CAST/AipConsole/data/application-security-local.xml
In this file, you can add an entry for each user, with their password, using the format <user name="[name]" password="{noop}[password]" authorities="USER"/>
- If this authentication mode was chosen during the installation, one user will have already been defined.
- Ensure all users have the authorities="USER" parameter.
Ensure that you include {noop} before your password as shown below. Without this, the user will be invalid. {noop} is the Spring Security password-encoder prefix meaning "no encoding": the password is stored and compared in clear text. Restrict read access to this file to the account that runs the Console service, and do not reuse passwords from other systems in it.
In the example below, a new user James has been added with the password my_password:
<authentication-manager>
  <authentication-provider>
    <user-service>
      <user name="admin" password="{noop}admin" authorities="USER"/>
      <user name="James" password="{noop}my_password" authorities="USER"/>
    </user-service>
  </authentication-provider>
</authentication-manager>
Save the file and then restart the Console package in order for the new configuration to be taken into account. You must assign a role to a new user before that user can log in - see Administration Center - Security - User Roles.
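Before restarting the Console package, it is worth checking the edited file for the two mistakes described above (a password without the {noop} prefix, a user without authorities="USER") and for duplicate user names, since a typo only shows up as a failed login after the restart. The following Python script is an added example, not part of the Console package or of the original page; it assumes the <authentication-manager>/<authentication-provider>/<user-service>/<user> layout shown above (tag names are matched ignoring any XML namespace prefix), the sample document embedded in it is constructed for the example, and the add_user helper is hypothetical.

```python
"""Sanity-check application-security-local.xml before restarting Console.

Added example; it is not part of the Console package. It assumes the
<authentication-manager>/<authentication-provider>/<user-service>/<user>
layout shown on this page (tag names are matched ignoring any XML
namespace prefix). SAMPLE_XML is constructed for the example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: "admin" and "James" are valid, "bob" lacks the {noop}
# prefix, "eve" lacks authorities="USER", and "admin" is declared twice.
SAMPLE_XML = """<authentication-manager>
  <authentication-provider>
    <user-service>
      <user name="admin" password="{noop}admin" authorities="USER"/>
      <user name="James" password="{noop}my_password" authorities="USER"/>
      <user name="bob" password="bob_password" authorities="USER"/>
      <user name="eve" password="{noop}eve_password"/>
      <user name="admin" password="{noop}other_password" authorities="USER"/>
    </user-service>
  </authentication-provider>
</authentication-manager>
"""

def _local_name(tag):
    """Strip a '{namespace}' prefix from an element tag, if present."""
    return tag.rsplit("}", 1)[-1]

def check_local_users(xml_text):
    """Return a list of (user name, problem) tuples; an empty list means the file is usable.

    {noop} is the Spring Security prefix meaning the password is compared
    as-is (no hashing), which is why Console rejects a user without it and
    why this file must be protected with file-system permissions.
    """
    root = ET.fromstring(xml_text)
    problems, seen = [], set()
    for elem in root.iter():
        if _local_name(elem.tag) != "user":
            continue
        name = elem.get("name")
        password = elem.get("password", "")
        if not name:
            problems.append(("<unnamed>", "user element without a name attribute"))
            continue
        if name in seen:
            problems.append((name, "duplicate user name"))
        seen.add(name)
        if not password.startswith("{noop}"):
            problems.append((name, "password does not start with {noop}"))
        elif password == "{noop}":
            problems.append((name, "empty password"))
        if elem.get("authorities") != "USER":
            problems.append((name, 'missing authorities="USER"'))
    return problems

def add_user(xml_text, name, password):
    """Return the XML with a new <user> appended to <user-service> (hypothetical helper).

    Refuses to add a name that already exists so an existing account is not
    silently shadowed; the {noop} prefix is added for the caller.
    """
    root = ET.fromstring(xml_text)
    service = next((e for e in root.iter() if _local_name(e.tag) == "user-service"), None)
    if service is None:
        raise ValueError("no <user-service> element found")
    for elem in service:
        if _local_name(elem.tag) == "user" and elem.get("name") == name:
            raise ValueError(f"user {name!r} already exists")
    ET.SubElement(service, "user", name=name, password="{noop}" + password, authorities="USER")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for user, problem in check_local_users(SAMPLE_XML):
        print(f"{user}: {problem}")
    print(add_user(SAMPLE_XML, "carol", "carol_password"))
```

Run check_local_users on the real file's contents and fix every reported entry before restarting. Note that ET.tostring re-serialises the document and drops comments and indentation, so if you use add_user on the real file, review its output before writing it back.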
Configuring authentication using LDAP/LDAPS
If you have enabled LDAP/LDAPS, open the following file in a text editor:
Windows: %PROGRAMDATA%\AipConsole\AipConsole\aipConsole.properties
Linux: $HOME/CAST/AipConsole/data/aipConsole.properties
Locate the following section of options:
# -----------------------------
# Parameters for ldap mode
# -----------------------------
security.ldap.url=
security.ldap.account.dn=
# to encrypt the password use aip-encryption-tool
security.ldap.account.password=
security.ldap.usersearch.base=
security.ldap.usersearch.filter=(&(objectClass=user)(sAMAccountName={0}))
security.ldap.groupsearch.base=
security.ldap.groupsearch.filter=(&(objectClass=group)(member={0}))
security.ldap.groupsearch.maxSearchDepth=10
# Performance fix for nested groups on AD
#security.ldap.groupsearch.filter=(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={0}))
#security.ldap.groupsearch.maxSearchDepth=1
Set the options according to the requirements of your LDAP/LDAPS directory - note that all fields are mandatory:
- security.ldap.url must contain the URL of the directory. Ensure that you use a URL starting with ldap:// or ldaps://. With ldap:// the service-account bind and every user's password are sent to the directory unencrypted, so use ldaps:// unless the network between Console and the directory is trusted.
- security.ldap.account.dn and security.ldap.account.password contain the service account credentials used to connect to the directory. This account only needs permission to search the user and group bases; do not use a privileged directory account. If you would like to encrypt the password, see below for more information.
- The remaining options specify the search bases and filters used on the directory. {0} is the placeholder substituted at login time: in the user search filter it is replaced with the login name, and in the group search filter with the DN of the user found (the member attribute holds DNs). The commented-out filter uses the Active Directory LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) so the directory resolves nested group membership in a single query, which is why maxSearchDepth can then be lowered to 1.
Save the file and then restart the Console service in order for the new configuration to be taken into account. Example:
# -----------------------------
# Parameters for ldap mode
# -----------------------------
security.ldap.url=ldap://directory.example.com/
security.ldap.account.dn=cn=serviceaccount,dc=example,dc=com
# to encrypt the password use aip-encryption-tool
security.ldap.account.password=my_password
security.ldap.usersearch.base=dc=example,dc=com
security.ldap.usersearch.filter=(&(objectClass=user)(sAMAccountName={0}))
security.ldap.groupsearch.base=dc=example,dc=com
security.ldap.groupsearch.filter=(&(objectClass=group)(member={0}))
security.ldap.groupsearch.maxSearchDepth=10
# Performance fix for nested groups on AD
#security.ldap.groupsearch.filter=(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={0}))
#security.ldap.groupsearch.maxSearchDepth=1
- You must assign a role to a new user before that user can log in - see Administration Center - Security - User Roles.
- If you are having trouble configuring LDAP authentication, you can configure the Console to log messages relevant to LDAP in DEBUG mode which can help trace the issue. See AIP Console - Logging mechanisms.
Encrypting the LDAP service account password
Configuring authentication using AD
Open the following file with a text editor:
Windows: %PROGRAMDATA%\AipConsole\AipConsole\aipConsole.properties
Linux: $HOME/CAST/AipConsole/data/aipConsole.properties
Locate the following section of options:
# -----------------------------
# Parameters for ad mode
# -----------------------------
security.ad.url=
security.ad.domain=
Set the following options according to the requirements of your Active Directory - both are mandatory:
- security.ad.url must contain the URL of the directory. Ensure that you use a URL starting with ldap:// or ldaps://; with ldap:// user passwords are sent to the domain controller unencrypted, so prefer ldaps://.
- security.ad.domain contains the Active Directory domain that user logins are authenticated against.
Save the file and then restart the Console service in order for the new configuration to be taken into account.
- You must assign a role to a new user before that user can log in - see Administration Center - Security - User Roles.
- If you are having trouble configuring Active Directory authentication, you can configure the Console to log messages relevant to Active Directory in DEBUG mode which can help trace the issue. See AIP Console - Logging mechanisms.
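The same aipConsole.properties file holds both the ldap and the ad settings described above, and the most common reasons a directory login fails are an empty mandatory value, a URL without the ldap:// or ldaps:// scheme, or a search filter whose {0} placeholder was lost while editing. The following Python script is an added example, not CAST tooling or part of the original page: it parses the key=value settings shown in the LDAP and AD sections, reports such problems for whichever security.mode is set, warns when a plain ldap:// URL is used, and renders the LDAP search filters with a login name substituted and escaped as RFC 4515 requires, so you can see the exact filter the directory will receive. The properties text it checks is constructed for the example; the key lists and checks are mine, derived from the settings listed on this page.

```python
"""Check the ldap/ad settings in aipConsole.properties before restarting.

Added example, not CAST tooling. Reads the key=value settings shown on
this page, reports empty mandatory values and bad URL schemes for the
configured security.mode, and renders LDAP search filters with the login
name substituted and escaped (RFC 4515). SAMPLE_PROPERTIES is constructed.
"""
from urllib.parse import urlsplit

SAMPLE_PROPERTIES = """\
# Authentication parameters
security.mode=ldap
# Parameters for ldap mode
security.ldap.url=ldap://directory.example.com/
security.ldap.account.dn=cn=serviceaccount,dc=example,dc=com
security.ldap.account.password=my_password
security.ldap.usersearch.base=dc=example,dc=com
security.ldap.usersearch.filter=(&(objectClass=user)(sAMAccountName={0}))
security.ldap.groupsearch.base=dc=example,dc=com
security.ldap.groupsearch.filter=(&(objectClass=group)(member={0}))
security.ldap.groupsearch.maxSearchDepth=10
#security.ldap.groupsearch.filter=(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={0}))
# Parameters for ad mode
security.ad.url=
security.ad.domain=
"""

# Keys the page lists for each mode; the page states all fields are mandatory.
LDAP_KEYS = ["security.ldap.url", "security.ldap.account.dn", "security.ldap.account.password",
             "security.ldap.usersearch.base", "security.ldap.usersearch.filter",
             "security.ldap.groupsearch.base", "security.ldap.groupsearch.filter",
             "security.ldap.groupsearch.maxSearchDepth"]
AD_KEYS = ["security.ad.url", "security.ad.domain"]

def parse_properties(text):
    """Minimal Java-style properties parser: '#'/'!' comments, key=value, first '=' splits."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def render_filter(template, value):
    """Substitute the login name into the {0} placeholder, escaped, as a login would."""
    return template.replace("{0}", escape_filter_value(value))

def check_directory_settings(props):
    """Return a list of findings (strings); an empty list means the section is complete."""
    findings = []
    mode = props.get("security.mode", "local")
    if mode == "ldap":
        keys, url_key = LDAP_KEYS, "security.ldap.url"
    elif mode == "ad":
        keys, url_key = AD_KEYS, "security.ad.url"
    else:
        return [f"security.mode={mode}: no directory settings to check"]
    for key in keys:
        if not props.get(key):
            findings.append(f"{key} is empty (all fields are mandatory)")
    url = props.get(url_key, "")
    scheme = urlsplit(url).scheme.lower() if url else ""
    if url and scheme not in ("ldap", "ldaps"):
        findings.append(f"{url_key} must start with ldap:// or ldaps://")
    elif scheme == "ldap":
        # Simple bind over ldap:// sends the service-account and user passwords in clear text.
        findings.append(f"{url_key} uses plain ldap://: bind credentials and user passwords "
                        "are sent unencrypted; prefer ldaps://")
    if mode == "ldap":
        depth = props.get("security.ldap.groupsearch.maxSearchDepth", "")
        if depth and not depth.isdigit():
            findings.append("security.ldap.groupsearch.maxSearchDepth must be an integer")
        for key in ("security.ldap.usersearch.filter", "security.ldap.groupsearch.filter"):
            if props.get(key) and "{0}" not in props[key]:
                findings.append(f"{key} has no {{0}} placeholder")
    return findings

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for finding in check_directory_settings(props):
        print("-", finding)
    user_filter = props["security.ldap.usersearch.filter"]
    print(render_filter(user_filter, "j.smith"))
    # A login name containing filter metacharacters is neutralised by the escaping:
    print(render_filter(user_filter, "*)(objectClass=*"))
```

Read the real file with open(path, encoding="utf-8").read() in place of SAMPLE_PROPERTIES. The rendered filters are also what to paste into ldapsearch (or an equivalent client) with the service-account DN when a user cannot log in, since that reproduces the lookup Console performs without going through the front end.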
Configuring authentication using SAML
See SAML authentication for more information.