Cloud Cruiser became HPE Consumption Analytics on Nov. 1, 2018. You'll still see the old name in places while we update this site.

 

 

Consumption Analytics Documentation
Home > Documentation for older versions > Cloud Cruiser 4 > Administering > Managing the application server > Configuring authentication

Configuring authentication

By default, HPE Consumption Analytics Portal authenticates users using its internal database to manage credentials. You can configure HPE Consumption Analytics Portal to integrate with an external authentication system, such as an LDAP server or an SSO (Single Sign-On) system. To configure authentication, you must create a text file named <install_dir>/apache-tomcat-7.0.54/webapps/ROOT/WEB-INF/classes/security.properties. The contents of the file depend on the specific authentication system used and are detailed below in the appropriate section.

Internal authentication

Internal is the default configuration. It will be used if there is no security.properties file present. Alternately, you can explicitly configure internal authentication. The syntax of the security.properties file for URL is:

authentication.method=internal

LDAP authentication

The syntax of the security.properties file for LDAP is:

authentication.method=LDAP
ldap.url=ldap://<server_name>:<port>
ldap.adminDN=<adminDN>
ldap.adminPassword=<adminPassword>
ldap.baseDN=<baseDN>
ldap.userDNPattern=<userDNPattern>
ldap.userSearchPattern=<userSearchPattern>
ldap.passwordAttribute=<attributeName>

The properties referenced by this syntax are:

<server_name> Host name or IP address of the LDAP server.
<port>

Port on which the LDAP server is listening (typically 389).
<adminDN>

The Distinguished Name (principal) to use for obtaining authenticated LDAP contexts (administrator or manager access). For example, cn=Manager,dc=mycompany,dc=com.

Ensure that your Active Directory user is enabled. For example, Microsoft AD LDS users are disabled by default.
<adminPassword>

The password corresponding to the ldap.adminDN value.
<baseDN> An optional DN that will be combined with the ldap.userDNPattern or ldap.userSearchPattern value when matching users. For example, ou=My Organization,dc=mycompany,dc=com.
<userDNPattern>

Pattern used to match users in the LDAP directory. The special token {0} will be replaced with the username being authenticated. For example,
uid={0},ou=users,dc=mycompany,dc=com
<userSearchPattern>

User search pattern typically used in Active Directory configurations as an alternate to ldap.userDNPattern. The special token {0} will be replaced with the username being authenticated. For example, (&(&(objecClass=user)(objectCategory=person))(userPrincipalName={0})).
<passwordAttribute>

The attribute of the user object (objectClass) that contains the password to be verified against. For example, userPassword.

For example:

authentication.method=LDAP
ldap.url=ldap://localhost:6389
ldap.adminDN=CN=admin2999,CN=Roles,OU=app1,DC=contoso,DC=local
ldap.adminPassword=92#$Zg!5r
ldap.baseDN=OU=app1,DC=contoso,DC=local
ldap.userDNPattern=uid={0},OU=app1,DC=contoso,DC=local
ldap.userSearchPattern=(&(objectClass=user))
ldap.passwordAttribute=userPassword

You must specify at least one of ldap.userDNPattern or ldap.userSearchPattern. If you specify both, HPE Consumption Analytics Portal will first attempt to match against ldap.userDNPattern. If no match is found, HPE Consumption Analytics Portal will then try to match against ldap.userSearchPattern.

ldap.baseDN is optional. If present, it will be combined with ldap.userDNPattern and ldap.userSearchPattern when matching users.

SSO authentication

HPE Consumption Analytics Portal SSO configurations utilize http headers. The syntax of the security.properties file for SSO is:

authentication.method=SSO
sso.username.header=<usernameHeaderName>
sso.enablement.header=<enablementHeaderName>
sso.enablement.value=<enablementValue>
sso.logout.url=<logoutURL>
sso.create.unrecognized.users=<createUsersFlag>

The properties referenced by this syntax are:

<usernameHeaderName>

Name of the HTTP header that will contain the username. This property is required.

<enablementHeaderName>

Name of the HTTP header that specifies whether the user is enabled. This property is optional. If not defined, the user is always considered enabled.

<enablementValue>

The value of the sso.enablementHeaderName that indicates a user is enabled. This property is optional.

If specified, the user will be considered enabled only if the value specified matches the value of sso.enablementHeaderName. If this property is not specified, the user is considered enabled based on the presence of sso.enablementHeaderName (with any or no value).
<logoutURL> If specified, the application will redirect to this URL when the user logs out. This property is optional.

<createUsersFlag>

If this value is "true," unrecognized users (users who have not logged into HPE Consumption Analytics Portal) will be created with default values. If the value is "false," unrecognized users will not be permitted to login. The default value is "false." This property is optional.

The following video shows how to configure HPE Consumption Analytics Portal for SSO authentication:

 

Last modified

Tags

This page has no custom tags.

Classifications

This page has no classifications.
    Powered by MindTouch ®