Page tree
Skip to end of metadata
Go to start of metadata

On this page:

Target audience:

CAST AI Administrators

Summary: This section describes how to configure access security for your CAST AIC Portal.

Introduction

The CAST AIC Portal has three authentication modes available for use:

Mode
Description
Notes
Default authenticationThis mode is active by default and relies on simple username/password authentication defined in the application-security-default.xml configuration file within the web application.

CAST recommends using Active Directory with LDAP or Standard LDAP because this avoids having to manually manage individual usernames and passwords via In memory authentication.

 

Active Directory with LDAPThis mode is inactive by default and allows users to authenticate with their corporate Active Directory login.
Standard LDAPThis mode is inactive by default and allows users to authenticate with a standard LDAP server that is not Active Directory compatible.

The activation and configuration of the above modes is governed by the security.properties configuration file within the web application:

%CATALINA_HOME%\webapps\CAST-AICP\WEB-INF\security.properties

Authentication mode activation

Activation of any of the authentication modes is handled by the following section in the security.properties file:

# =============================
# CAST AICP security parameters
# =============================

# Applicable security mode
# ------------------------
#  - default    ->    The initial mode when you deploy AICP
#  - ldap        ->    Set this mode for authentication over LDAP(S)
#  - ad            ->    Set this mode for authentication over LDAP(S) with basic Active Directory instances (simplified mode)
security.mode=default

In the "out of the box" state, the default security mode is active as shown above. Only one mode can be active at a a time.

Activation and deactivation action

To activate a mode, change the following line to the required security mode. For example, to change from the Active Directory with LDAP security mode to Active Directory with LDAP, do as follows:

Change

security.mode=default

to:

security.mode=ad

Following any changes you make, save the security.properties file and then restart your application server so that the changes are taken into account.

Configuring each mode

Default authentication mode

This mode is enabled by default "out of the box" with the following case sensitive username and password:

UsernamePasswordUser Group
castcastADMINISTRATORS

Note that the "cast" user is a member of the ADMINISTRATORS user group, which has access to all configuration options and can interact with any Domain and deliver any Application. CAST recommends that you retain at least one user that is a member of the ADMINISTRATORS user group.

If you would like to alter the password for this existing user or you would like to add additional "in memory authentication" users, you need to modify the application-security-default.xml configuration file within the web application. This file contains the following section which defines the users that can access the CAST AIC Portal in Default security mode:

<user-service>
	<user name="cast" password="cast" authorities="ADMINISTRATORS"/>
</user-service>

As shown in the above code, the user is defined in a <user> element using the "name" attribute. This element also defines:

  • the user's password
  • the User Group the user has been assigned to

Adding a new user

To add a new username, add in an additional <user> tag, for example this will add in a username "jhu" with the password "mypassword", assigned to the user group "DELIVERY_GROUP1" (please see the section User groups and roles below for more information about groups and roles):

<user-service>
	<user name="cast" password="cast" authorities="ADMINISTRATORS"/>
	<user name="jhu" password="mypassword" authorities="DELIVERY_GROUP1"/>
</user-service>

Note that you can assign a user to multiple groups if required, for example to assign the user to "DELIVERY_GROUP1", "DELIVERY_GROUP2" and "DELIVERY_GROUP3", use the following syntax:

<user name="jhu" password="mypassword" authorities="DELIVERY_GROUP1,DELIVERY_GROUP2,DELIVERY_GROUP3"/>

Following any changes you make, save the application-security-default.xml file and then restart your application server so that the changes are taken into account.

Removing an existing user

To remove an existing user, simply remove the corresponding <user> tag from the application-security-default.xml file. Following any changes you make, save the application-security-default.xml file and then restart your application server so that the changes are taken into account.

Editing an existing user

To edit an existing user, simply edit the corresponding <user> tag in the application-security-default.xml file. Following any changes you make, save the application-security-default.xml file and then restart your application server so that the changes are taken into account.

Disabling a user without removing it from the application-security-default.xml file

To disable a user, add disabled="true" as an attribute to the <user> tag:

<user name="cast" password="cast" authorities="ADMINISTRATORS" disabled="true"/>

Following any changes you make, save the application-security-default.xml file and then restart your application server so that the changes are taken into account.

Active Directory with LDAP

This mode is not enabled by default "out of the box". It allows users to login with their corporate Active Directory login. CAST has provided place holder parameters, so you must change these before authentication will work correctly. To do so, modify the security.properties configuration file within the web application. This file contains the following commented section which defines the Active Directory domain and the URL to your internal LDAP server that handles Active Directory authentication:

 

# Parameters for ad mode
# ----------------------
security.ad.url=ldap://directory.example.com/
security.ad.domain=example.com
  • You need to change the two parameters to match your own environment:
  • Following any changes you make, save the security.properties file and then restart your application server so that the changes are taken into account.

User groups

Users will be automatically assigned roles (please see the section User groups and roles below for more information about groups and roles) corresponding to the CN of the Active Directory groups that they are direct members of.

Only groups that users are direct members of are taken into account. Nested groups are not supported. For instance, if user jdoe is member of groupA, which is member of groupB, then jdoe will be attributed the groupA role but not the groupB role.

Standard LDAP

This mode is not enabled by default "out of the box". It may be used with any LDAP compatible corporate directory, including Active Directory (though most of time the Active Directory with LDAP mode should be preferred in this case). It allows users to login to the CAST AIC Portal with their corporate LDAP login. CAST has provided place holder parameters, so you must change these before authentication will work correctly. To do so, modify the security.properties configuration file within the web application. This file contains the following commented section which defines the required parameters:

# Parameters for ldap mode
# ------------------------
security.ldap.url=ldap://directory.example.com/
security.ldap.account.dn=cn=serviceaccount,dc=example,dc=com
security.ldap.account.password=password
security.ldap.account.key=
security.ldap.usersearch.base=dc=example,dc=com
security.ldap.usersearch.filter=(&(objectClass=inetOrgPerson)(uid={0}))
security.ldap.groupsearch.base=dc=example,dc=com
security.ldap.groupsearch.filter=(&(objectClass=groupOfNames)(member={0}))
  • You first need to change the following parameters to match the URL and the service account required to connect to your directory:
security.ldap.url=ldap://directory.example.com/
security.ldap.account.dn=cn=serviceaccount,dc=example,dc=com
security.ldap.account.password=password
  • You then need to change the following parameters related to searching the users in your directory (search base and search filter):
security.ldap.usersearch.base=dc=example,dc=com
security.ldap.usersearch.filter=(&(objectClass=inetOrgPerson)(uid={0}))
  • For Active Directory, the security.ldap.usersearch.filter parameter usually takes the following form:
security.ldap.usersearch.filter=(&(objectClass=user)(sAMAccountName={0}))
  • Following any changes you make, save the security.properties file and then restart your application server so that the changes are taken into account.
Note that if you need to encrypt the login and password parameters to avoid entering values in clear text, please see: CAST AIC Portal - Encrypt login and password for LDAP.

User Groups

Users will be automatically assigned roles (please see the section User groups and roles below for more information about groups and roles) corresponding to the CN of the LDAP groups that they are direct members of.

Only groups that users are direct members of are taken into account. Nested groups are not supported. For instance, if user jdoe is member of groupA, which is member of groupB, then jdoe will be attributed the groupA role but not the groupB role.
  • To enable LDAP group retrieval, modify the security.properties configuration file (this file is described above) within the web application - with the focus on the following section:
# Parameters for ldap mode
# ------------------------
security.ldap.url=ldap://directory.example.com/
security.ldap.account.dn=cn=serviceaccount,dc=example,dc=com
security.ldap.account.password=password
security.ldap.account.key=
security.ldap.usersearch.base=dc=example,dc=com
security.ldap.usersearch.filter=(&(objectClass=inetOrgPerson)(uid={0}))
security.ldap.groupsearch.base=dc=example,dc=com
security.ldap.groupsearch.filter=(&(objectClass=groupOfNames)(member={0}))
  • You need to change the following parameters to match your directory’s structure (group search base, group search filter, group role attribute):
security.ldap.groupsearch.base=dc=example,dc=com
security.ldap.groupsearch.filter=(&(objectClass=groupOfNames)(member={0}))
  • For Active Directory, the security.ldap.groupsearch.filter parameter usually takes the following form:
security.ldap.groupsearch.filter=(&(objectClass=group)(member={0}))
  • Following any changes you make, save the security.properties file and then restart your application server so that the changes are taken into account.

User groups and roles

The CAST AIC Portal provides a means to restrict access to certain functions through the use of groups and roles. Currently, two roles are available:

RoleDescription
Platform Administrator

Is granted full access to all the AIC Portal's functions:

  • Create, Read, Update, Delete any Domain and any Application
  • Can deliver any Application using the CAST Delivery Manager Tool
  • Can assign groups to domains giving members of the group the Delivery Manager role

Out of the box, the CAST AIC Portal has one Platform Administrator - the "cast" user, a member of the ADMINISTRATORS group and enabled by default.

Delivery Manager

Is granted access as follows:

  • Read access to specific Domains and Applications
  • Can deliver specific Applications using the CAST Delivery Manager Tool

Out of the box, the CAST AIC Portal has no Delivery Managers defined.

Configuring the Platform Administrator role

The Platform Administrator role is configured using the following XML file - all groups (and their members) defined in this XML configuration file will be granted the Platform Administrator role:

%CATALINA_HOME%\webapps\CAST-AICP\WEB-INF\administrators.xml

By default, the "in memory authentication" cast user is a member of the "ADMINISTRATORS" group, which in turn has been granted the Platform Administrators role (CAST recommends that you leave this configuration at its default):

<?xml version="1.0" encoding="UTF-8"?>
<administrators xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:noNamespaceSchemaLocation="administrators.xsd">
    <!-- The default ADMINISTRATORS group is attributed to the default user cast.
    Please do not remove this value. -->
    <group>ADMINISTRATORS</group>
</administrators>

Behaviour in each authentication mode

Depending on the authentication mode you are using, the Platform Administrator role behaves as follows:

Authentication ModeBehaviour
Default AuthenticationIn order to gain the Platform Administrator role, the user must be a member of the default ADMINISTRATORS group, or a custom group that has been added to the administrators.xml file. Users are assigned to groups via the application-security-default.xml configuration file as described above.
Active Directory with LDAP and Standard LDAPIn order to gain the Platform Administrator role, the user must be a member of an Active Directory or LDAP group whose CN (Common Name) matches the default ADMINISTRATORS group defined in the administrators.xml file, or a custom group that has been added to the administrators.xml file.

Granting the Platform Administrator role to a group

To assign another group the Platform Administrator role, insert a new <group> element as shown below:

Active Directory with LDAP and Standard LDAP

In this mode simply add the Common Name (CN) of the Active Directory group that you want to assign the Platform Administrator role to. In this example, the Active Directory group "company.development.castadmins" has been added:

<?xml version="1.0" encoding="UTF-8"?>
<administrators xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:noNamespaceSchemaLocation="administrators.xsd">
    <!-- The default ADMINISTRATORS group is attributed to the default user cast.
    Please do not remove this value. -->
    <group>ADMINISTRATORS</group>
    <group>company.development.castadmins</group>
</administrators>

Following any changes you make, save the administrators.xml file and then restart your application server so that the changes are taken into account.

Default Authentication

In this mode simply add the name of the group that you want to assign the Platform Administrator role to. In this example, the group "ITADMINS" has been added:

<?xml version="1.0" encoding="UTF-8"?>
<administrators xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:noNamespaceSchemaLocation="administrators.xsd">
    <!-- The default ADMINISTRATORS group is attributed to the default user cast.
    Please do not remove this value. -->
    <group>ADMINISTRATORS</group>
    <group>ITADMIN</group>
</administrators>

Following any changes you make, save the administrators.xml file and then restart your application server so that the changes are taken into account.

Configuring the Delivery Manager role

In contrast to the Platform Administrator role, the configuration the Delivery Manager role is achieved using the CAST AIC Portal's GUI. This is discussed in further detail in:

Note that the information related to the Delivery Manager role (i.e. users/groups who have been granted this role) is stored in a HSQLDB (HyperSQL DataBase). Data is stored in the following location:

%CATALINA_HOME%\webapps\CAST-AICP\database
  • No labels