Cool Solutions

KeyShield SSO Integration With Filr-1.2.0

By: vkarthik

February 24, 2015 9:29 am


This article presents how to integrate KeyShield SSO with Filr-1.2.0.

Index

1. INTRODUCTION
1.1 What is Keyshield SSO?
1.2 Advantages
2. Requirements
2.1 Basic Requirements
3. Steps For Keyshield SSO Server Installation
3.1 Copying the installation file
3.2 Begin the installation
3.3 Installation Status
3.4 Opening the KeyShield Server
3.5 Apply the License to the KeyShield Server
4. Keyshield SSO Server Configuration
4.1 Configuration Page
4.2 Authentication Connectors
4.2.1 Adding an Authentication Connector
4.2.1.1 Directory Services provided by Authentication Connectors
4.3 Client Interface
4.3.1 Adding a Client Interface
4.4 Providing API Authorizations
4.5 Apply Changes
4.6 Download KeyShield SSO Client
4.6.1 Download Configuration file
5. Filr Admin Configuration
5.1 Login as Admin to FILR
6. Start the KeyShield SSO Client
7. Verification
7.1 Login to the Filr as LDAP user

1. INTRODUCTION

1.1 What is KeyShield SSO?

KeyShield SSO is a single sign-on solution that allows users to access their applications without having to authenticate to each one of them. Once users authenticate against a recognized user source – eDirectory, Active Directory, LDAP – they can simply launch their applications and KeyShield will provide the identity to the application.


1.2 Advantages

Users do not have to remember dozens of usernames and passwords, so they do not endanger security by writing them on pieces of paper stuck to their monitors. It is not necessary to synchronize login data between systems with different security levels, which would threaten security through leakage from the less secure systems. No further waste of time and money: users can access network systems instantly, repeated authentication is not necessary, and neither is the regular maintenance of many usernames and passwords.

2. Requirements

2.1 Basic Requirements

  • 1 Filr server
  • 1 Linux server for KeyShield installation
  • The KeyShield Installation file (keyshield.bin file)
  • The KeyShield license file (keyshield.key file)

3. Steps for KeyShield SSO Server Installation

3.1 Copying the KeyShield installation file (.bin file) to your Linux server

Copy the KeyShield installation file from the local path to the Linux server which you will be using as your KeyShield server. Use any secure file transfer software to copy from your local computer to the remote one, e.g. WinSCP, SSH2, SecureFX, etc.

Figure 1.1 Copying Installation File from Local path to Linux

3.2 Begin the Installation

  • Log in to the Linux server and go to the location of the installation file.
  • Give the file execution rights using the command (chmod 777 filename.bin).
  • Start the installation using (./filename.bin).
  • The installer begins and asks for the Java runtime; press 4 and continue.
  • Just press Enter for all the further installation steps.
  • You can also configure the KeyShield server HTTP port during the installation process (optional).

Figure 1.2 Installing the .bin file

3.3 Installation Status

  • Check whether the KeyShield server is running before proceeding (rckshield status).

Figure 1.3 Checking for the Installation Status

3.4 Opening the KeyShield Server

(Note: The firewall should be switched off before opening the KeyShield server.)

[In SLES the command is rcSuSEfirewall2 stop]

Open the KeyShield server using port 8485 (e.g. http://hostname:8485). Port 8485 is for HTTP and port 8486 is for HTTPS.

Figure 1.4 KeyShield SSO Start Page

3.5 Apply License to the KeyShield Server

  • Click on the “About” page
  • Choose the license file
  • Upload the license file

Figure 1.5 Installed license to the KeyShield Server

  • After the file is uploaded, the About page looks as shown in Figure 1.5.

4. KeyShield SSO Server Configuration

4.1 Configuration page

  • Go to the “Configuration” page

Figure 1.6 Configuration Page

4.2 Authentication Connectors

An authentication connector connects the SSO server to the directory service which holds the identities of your users. eDirectory, Active Directory and generic LDAP (e.g. OpenLDAP) are supported. If you are using more than one directory service provider (e.g. eDirectory and Active Directory), you must define a separate connector for each.

You need to create at least one user source (directory connector). The easiest way is to use an existing LDAP directory that is part of your lab environment. The system you are going to integrate should use the same directory or the same user IDs (common user IDs are email address, CN, sAMAccountName, etc.). The connector needs a user account to search the directory for user objects. Depending on the directory service technology, different authentication methods can be used:

  1. Manual Authentication – method for all client platforms. Users must enter the authentication username and password that is valid for one user object in the directory.
  2. eDirectory Authentication – method for integration with Novell client on Windows OS. KeyShield SSO client gets the identity of the user from his authentication to eDirectory. The identity is then verified using a token.
  3. Active Directory Authentication – method for Windows workstations included in the domain (Active Directory). KeyShield SSO client uses Microsoft API to obtain the user’s identity.

4.2.1 Adding an Authentication Connector

  • Select “Add” to add an Authentication Connector
  • Provide your LDAP server details along with the port (e.g. 389 for the unsecured TCP port without SSL and 636 for the secured TCP port with SSL) and click OK

Figure 1.7 Adding LDAP server address

4.2.1.1 Directory Services provided by Authentication Connectors

There are 3 different directory services / LDAP server types supported by the KeyShield integration with Filr 1.2.0; any one of them can be used, as shown below:

  1. Generic LDAP – This method can be used for any of the tested directories (eDirectory, generic LDAP and Active Directory), as shown in Figure 1.8. You need to download method_manual.reg (Manual Authentication for the client) from the “Downloads” page if you use this service, as shown in Figure 1.9.
     • Enter the mandatory fields and proceed to Test connection.
     • The KeyShield SSO manager account should be created specifically for this purpose and used as the SSO admin, or you can use any other user as the SSO admin, provided it has at least read, compare and browse rights on the entries/objects.

Figure 1.8 Using generic LDAP Directory Service

Figure 1.9 Downloading manual authentication registry file

  2. eDirectory – This method can be used for the eDirectory directory service, as shown in Figure 1.10. You need to download method_edir.reg (eDirectory Authentication for the client) from the “Downloads” page if you use this service, as shown in Figure 1.11.

Figure 1.10 Using eDirectory Directory Service

Figure 1.11 Downloading eDirectory authentication registry file

  3. Active Directory – This method can be used for the Active Directory service, as shown in Figure 1.12. You need to download method_ad.reg (Active Directory Authentication for the client) from the “Downloads” page if you use this service, as shown in Figure 1.13.

Figure 1.12 Using Active Directory Service

Figure 1.13 Downloading Active Directory authentication registry file

  • Once you have downloaded the client authentication file (method_manual.reg / method_edir.reg / method_ad.reg), run it. Check the registry editor [Start > Run > regedit] for verification.

Figure 1.14 Registry Verification

4.3 Client Interfaces

A client interface defines the connection point for SSO clients: the IP address and port on which the server listens for and processes connection requests. If you are using more than one connector, a unique combination of address and port must be assigned to each of them. A default connector is assigned to each interface.

4.3.1 Adding a Client Interface

  • Select “Add Interface” from the Client Interfaces section in the Configuration page, as shown below

Figure 1.15 Client Interfaces section in Configuration page

  • Enter the IP address/hostname on which the KeyShield SSO server will listen for incoming client connections.

Figure 1.16 Client Interface configurations

4.4 Providing API Authorizations

  • Select API Authorizations from the General section in the Configuration page.
  • Type the IP address of your Filr server to allow it access to the KeyShield SSO server.
  • Select the connectors which you have created [refer to Figure 1.7]
  • Click TEST and then OK
  • Copy the API key to a notepad for later use [it is used in the Filr server KeyShield SSO configuration page]

Figure 1.17 Providing API Authorizations

4.4.1 General/Web Interface [If you want to use HTTPS]

  • Go to the “Configuration” page > select the “General” tab > in General/Web interface > click Edit
  • This is used to provide a PKCS #12 certificate for the HTTPS keystore and API keystore fields, so that KeyShield SSO can be used over the secure HTTPS protocol.

Figure 1.18 General Web Interface or API Configuration

[For a user guide on creating a self-signed digital certificate in PKCS #12 format, see the article “Generating a Self-Signed Certificate for HTTPS Keystore and API Keystore in Key Shield SSO Server”]

4.5 Apply Changes

  • Click on the Apply popup for every change in the Configuration page

Figure 1.19 Apply for modified changes

4.6 Downloading KeyShield SSO Client

  • Go to the Downloads page
  • Download the MSI installation package and install it on your Windows machine [if you are using Windows OS]
  • If you are using a different OS, download the installation package accordingly.

Figure 1.20 Downloading KeyShield SSO Client for Windows

4.6.1 Download Configuration file

  • Download the kshield.cfg file

Figure 1.21 Downloading Configuration file

  • Put the kshield.cfg file in the directory where KShieldClient.msi is installed, as shown in Figure 1.20
  • The configuration file contains the KeyShield server information

Figure 1.22 Putting the Configuration file into same directory

5. FILR Admin Configuration

5.1 Login to the Filr

  • Log in to Filr as the admin and select Admin Console > KeyShield SSO

Figure 1.23 Filr Admin Page

  • Tick the checkbox to enable KeyShield SSO
  • Enter the KeyShield server URL
  • Enter the connector name given in the KeyShield SSO server.
  • Test the connection

Figure 1.24 Filr Keyshield http Configuration Page

  • For the test connection to succeed on port 8486, you have to import the self-signed digital certificate into the Filr server before you test the connection
Figure 1.25 Filr Keyshield https Configuration Page
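
The HTTPS test connection above only succeeds once Filr trusts the certificate the KeyShield server presents on port 8486. The script below is an added example, not part of the original article, that fetches that certificate, shows its fingerprint for comparison with the one in the KeyShield General/Web interface, and imports it into a Java truststore; it assumes openssl and keytool are available on the Filr server, and KS_HOST, FILR_TRUSTSTORE and FILR_STOREPASS are placeholders you replace with the values for your Filr installation.

```shell
#!/bin/bash
# Added example (not from the article): make Filr trust the KeyShield
# server's self-signed HTTPS certificate before running "Test Connection"
# against port 8486. Assumes openssl and keytool are on the Filr server.
set -u

# Keep only the first (server) certificate from `openssl s_client -showcerts`
# output; the chain may contain more than one PEM block.
first_cert_pem() {
  awk '/-----BEGIN CERTIFICATE-----/ {p=1}
       p {print}
       /-----END CERTIFICATE-----/ {if (p) exit}'
}

# Fetch the certificate KeyShield presents on its HTTPS port (8486 per the article).
# $1 = KeyShield host, $2 = port, $3 = output PEM file
fetch_keyshield_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | first_cert_pem > "$3"
  [ -s "$3" ] || { echo "no certificate received from $1:$2" >&2; return 1; }
  # Print subject and SHA-256 fingerprint so the operator can compare them with
  # the PKCS #12 certificate uploaded in section 4.4.1 before trusting it.
  openssl x509 -in "$3" -noout -subject -fingerprint -sha256
}

# Import the PEM into the truststore under a fixed alias; re-running replaces
# the old entry instead of failing on a duplicate alias.
# $1 = PEM file, $2 = truststore path, $3 = truststore password
import_into_truststore() {
  keytool -list -keystore "$2" -storepass "$3" -alias keyshield >/dev/null 2>&1 \
    && keytool -delete -keystore "$2" -storepass "$3" -alias keyshield
  keytool -importcert -noprompt -trustcacerts -alias keyshield \
    -file "$1" -keystore "$2" -storepass "$3"
}

# Set KS_RUN=1 to run end to end; the values below are placeholders.
if [ "${KS_RUN:-0}" = "1" ]; then
  KS_HOST="${KS_HOST:-keyshield.example.com}"
  FILR_TRUSTSTORE="${FILR_TRUSTSTORE:-/path/to/filr/truststore}"
  FILR_STOREPASS="${FILR_STOREPASS:-changeit}"
  fetch_keyshield_cert "$KS_HOST" 8486 /tmp/keyshield.pem \
    && import_into_truststore /tmp/keyshield.pem "$FILR_TRUSTSTORE" "$FILR_STOREPASS"
fi
```

Restart Filr after the import so the new truststore entry is loaded, then repeat the test connection from the KeyShield SSO page.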

6. Start the KeyShield SSO Client

  • Select Start > KeyShield SSO Client

Figure 1.26 Starting the KeyShield SSO Client

  • After starting the KeyShield SSO Client, the KeyShield icon appears in the system tray
  • Right-click the KeyShield client icon in the system tray and select Current State to view the current status, as shown below

Figure 1.27 Check the Keyshield state

  • The KeyShield client has identified the KeyShield server and is waiting for authentication details

Figure 1.28 Showing KeyShield SSO Current state

  • Now, right-click on the KeyShield SSO icon in the system tray and select Login as… [if you are using the Manual Authentication method]
  • A prompt then appears asking for username and password; provide the Filr LDAP user details to log in, as shown in Figure 1.29.
  • You are authenticated once the login is successful, as shown in Figure 1.30

Figure 1.29 KeyShield SSO Login Prompt

Figure 1.30 Authenticated Successfully

  • If you are using eDirectory as your directory service [eDirectory Authentication method], you should log in to the corresponding eDirectory tree using the Novell Client.
  • If you are using Active Directory as your directory service [Active Directory Authentication method], the computer object should be in the same domain.

7. Verification

7.1 Login to the Filr as LDAP user

  • Log in with the LDAP user who is authenticated with the KeyShield client for the first time; after that you do not need to remember the user credentials until you disconnect the running KeyShield client.

Figure 1.31 Filr User Log-In for 1st time

  • Once you have logged in you will not be able to log out; you will be redirected to the same page until you disconnect the KeyShield client
  • To verify, close the browser window, open the browser again and just type the Filr IP address; you will be logged in as the LDAP user you authenticated with the KeyShield SSO client.

Note: The solution provided in this document is not copied from any other source or means
