CAST Dashboards
Page tree

Versions Compared

Old Version 4

changes.mady.by.user James Hurrell

Saved on

compared with

New Version 5

changes.mady.by.user James Hurrell

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Note

The ability to use encrypted passwords with WAR or ZIP files delivered in CAST Dashboards ≥ 2.0 is currently not supported.

Panel

Table of Contents


Info

Summary: this page describes how to encrypt logins and passwords for the CAST dashboards/RestAPI:

  1. when connecting to CAST Storage Service/PostgreSQL
  2. when configuring LDAP authentication

...

Encrypting access to CAST Storage Service/PostgreSQL

Database server credential encryption is
Info
Note

The ability to use encrypted CAST Storage Service/PostgreSQL credentials with WAR or ZIP files delivered in CAST Dashboards ≥ 2.0 is currently not supported.

For CAST Dashboards 1.x, encrypted CAST Storage Service/PostgreSQL credentials are only supported for Dashboards deployed on Apache Tomcat 8 or above.

To encrypt the login and password that are defined when configuring access to the CAST Storage Service/PostgreSQL instance where your Measurement or Dashboard Service schemas are located, browse to the following URL to access the built in login/password key generation page:

...

When configuring access to an LDAP server for authentication, an LDAP service account login and password must be specified in thesecurity.properties file in clear text as described in User authentication:

Code Block
languagetext
WAR 1.x
security.ldap.account.dn=cn=serviceaccount,dc=example,dc=com
security.ldap.account.password=password

WAR and ZIP ≥ 2.x
security.ldap.manager.dn=CN=serviceaccount,OU=RESOURCES,OU=FR,DC=example,DC=com
security.ldap.manager.password=password

To avoid the need to do this, browse to the following URL to access the built in login/password key generation page:

...

When successfully authenticated, you now need to enter the credentials (service account login and password) for your LDAP server that you would ordinarily enter into the security.properties file for configuring LDAP mode, and that you wish to encrypt. In the example below, we have entered the required LDAP credentials:

...

Info

Note that the encryption key combines the values assigned to the following lines in the security.properties file:

Code Block
languagetext
WAR 1.x
security.ldap.account.dn=cn=serviceaccount,dc=example,dc=com
security.ldap.account.password=password

WAR and ZIP ≥ 2.x
security.ldap.manager.dn=CN=serviceaccount,OU=RESOURCES,OU=FR,DC=example,DC=com
security.ldap.manager.password=password

Therefore, you must enter in the "username" and "password" fields in the encryption tool EXACTLY what is entered in the "security.ldap.account.dn=" and "security.ldap.account.password=" lines in the security.properties file. For example, if the security.properties file contains:

Code Block
WAR 1.x
security.ldap.account.dn=CN=myserviceaccount,DC=example,DC=com
security.ldap.account.password=mypassword

WAR and ZIP ≥ 2.x
security.ldap.manager.dn=CN=myserviceaccount,DC=example,DC=com
security.ldap.manager.password=mypassword

...then you need to enter exactly the same in the following fields:

...

You now need to copy this key to the clipboard or to a text file and then open the following file with a text editor:

Code Block
languagetext
WAR 1.x
CATALINA_HOME\webapps\<dashboard>\WEB-INF\security.properties

WAR ≥ 2.x
CATALINA_HOME\webapps\<dashboard>\WEB-INF\classes\application.properties
 
ZIP ≥ 2.x
<unpacked_zip>\application.properties

Locate the following configuration in the file:

Code Block
languagetext
WAR 1.x
# Parameters for ldap mode
# ------------------------
security.ldap.url=ldap://directory.example.com/
security.ldap.account.dn=cn=serviceaccount,dc=example,dc=com
security.ldap.account.password=password
security.ldap.account.key=
security.ldap.usersearch.base=dc=example,dc=com
security.ldap.usersearch.filter=(&(objectClass=user)(sAMAccountName={0}))
security.ldap.groupsearch.base=dc=example,dc=com
security.ldap.groupsearch.filter=(&(objectClass=group)(member={0}))

WAR and ZIP ≥ 2.x

## SPRING SECURITY LDAP CONFIG
# LDAP url, in the form ldap://HOST:PORT
security.ldap.url=ldap://directory.example.com/
# The ldap base where users and groups can be found
security.ldap.base=dc=example,dc=com
# The DN for accessing the LDAP repository
security.ldap.manager.dn=CN=serviceaccount,OU=RESOURCES,OU=FR,DC=example,DC=com
# The associated password. You can encrypt this using the aip encryption tool
security.ldap.manager.password=password

For CAST Dashboards 1.x

Expand

First remove the two lines with the security.ldap.account.dn and security.ldap.account.password parameters. Then enter the key generated previously into the line containing "key". This should give you the following:

Code Block
languagetext
# Parameters for ldap mode
# ------------------------
security.ldap.url=ldap://directory.example.com/
security.ldap.account.key=A9762B77F8A5B6C0A885BABD58DFA1438D77A51B94ECA09
security.ldap.usersearch.base=dc=example,dc=com
security.ldap.usersearch.filter=(&(objectClass=user)(sAMAccountName={0}))
security.ldap.groupsearch.base=dc=example,dc=com
security.ldap.groupsearch.filter=(&(objectClass=group)(member={0}))

Save the file,

...

restart the web application and ensure you can login and view the data you need to.

For CAST Dashboards 2.x

Expand

Add a new line underneath security.ldap.manager.password called security.ldap.manager.key and enter the key generated previous into this new line. You do not need to remove the security.ldap.manager.dn or security.ldap.manager.password - if the security.ldap.manager.key is present it will be used. This should give you the following:

Code Block
languagetext
## SPRING SECURITY LDAP CONFIG
# LDAP url, in the form ldap://HOST:PORT
security.ldap.url=ldap://directory.example.com/
# The ldap base where users and groups can be found
security.ldap.base=dc=example,dc=com
# The DN for accessing the LDAP repository
security.ldap.manager.dn=CN=serviceaccount,OU=RESOURCES,OU=FR,DC=example,DC=com
# The associated password. You can encrypt this using the aip encryption tool
security.ldap.manager.password=password
security.ldap.manager.key=A9762B77F8A5B6C0A885BABD58DFA1438D77A51B94ECA09

Save the file, restart the web application and ensure you can login and view the data you need to.

What happens if the LDAP credentials change (new password)?

...

  • temporarily restoring access using a login and password, i.e. removing the security.ldap.account.key line from security/ security.ldap.manager.key line from the .properties file and (for 1.x WAR files only) re-adding the security.ldap.account.dn and security.ldap.account.password lines.
  • accessing key.html and encrypting the new login/password into a key.
  • removing the re-adding the security.ldap.account.dn and .key / security.ldap.manager.key line with the new key and (for 1.x WAR files only) removing the security.ldap.account.password lines from dn and security.properties and re-adding the security.ldap.account.key line with the new keypassword lines.