Administering Bindaas without AdminConsole
It is possible to administer Bindaas without the AdminConsole UI. A UI, however, makes it very easy to manage a Bindaas instance and create APIs. In some production environments, it may be required to deploy Bindaas services as a stand-alone piece without the AdminConsole. This article describes the role of the various configuration files and how they can be changed to configure Bindaas.
- 1 Removing AdminConsole from standard distribution
- 2 Removing Security Dashboard
- 3 Changing AdminConsole Default Port
- 4 Changing Middleware(service) Default Host/Port
- 5 Enable/Disable Authentication
- 6 Enable/Disable Authorization
- 7 Enable/Disable Audit
- 8 Changing Authorization Provider
- 9 Changing Audit Provider (Not recommended)
- 10 Changing Default Admin Password for AdminConsole
- 11 Configuring Mail
- 12 Configuring Pseudo STS API
- 13 Configuring Trusted Applications
- 14 Configuring Security Dashboard to use Rakshak
- 15 Exporting Audit Logs as CSV from OSGi Console
- 16 Purging Audit Logs
- 17 Purging All API-Keys, Audit Logs and other persistent information
Removing AdminConsole from standard distribution
Delete the bindaas-web-console-0.0.1.jar from the $BINDAAS_HOME/bundles/system directory and restart Bindaas.
$ cd $BINDAAS_HOME/bundles/system
$ rm bindaas-web-console-0.0.1.jar
Removing Security Dashboard
Delete the security-dashboard-0.0.1.jar from the $BINDAAS_HOME/bundles/system directory and restart Bindaas.
$ cd $BINDAAS_HOME/bundles/system
$ rm security-dashboard-0.0.1.jar
Changing AdminConsole Default Port
Edit the config.ini located under the $BINDAAS_HOME/bin/configuration directory and change the following property:
org.osgi.service.http.port=8081
Changing Middleware(service) Default Host/Port
Edit the bindaas.config.json file under the $BINDAAS_HOME/bin directory and change the following properties:
"host": "0.0.0.0"
"port": 9099
If you are using the Query Browser from the AdminConsole to interact with the APIs, you will also need to change the proxy URL as follows. This must correspond to the host and port set above:
"proxyUrl": "http://myProxy.org"
Enable/Disable Authentication
Edit the bindaas.config.json file under the $BINDAAS_HOME/bin directory and change the following property:
"enableAuthentication": true
Enable/Disable Authorization
Edit the bindaas.config.json file under the $BINDAAS_HOME/bin directory and change the following property:
"enableAuthorization": true
Authorization is only enabled if the Authentication flag is set to true.
Enable/Disable Audit
Edit the bindaas.config.json file under the $BINDAAS_HOME/bin directory and change the following property:
"enableAudit": true
Changing Authorization Provider
Edit the bindaas.config.json file under the $BINDAAS_HOME/bin directory and change the following property:
"authorizationProviderClass": "edu.emory.cci.bindaas.security_dashboard.service.AuthorizationProviderImpl"
Changing Audit Provider (Not recommended)
Edit the bindaas.config.json file under the $BINDAAS_HOME/bin directory and change the following property:
"auditProviderClass": "edu.emory.cci.bindaas.security.impl.DBAuditProvider"
Changing Default Admin Password for AdminConsole
Edit the bindaas.authentication.properties file under the $BINDAAS_HOME/bin directory and add as many user/password pairs as you like:
admin=password,
temp1=temp1,
UserA=PassA
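A small audit of the settings covered in the sections above, as an added example (not part of Bindaas or this wiki): it reads the contents of bindaas.config.json and bindaas.authentication.properties and reports disabled authentication, authorization or audit flags, authorization left inactive because authentication is off, and accounts still using the sample credentials shown here. It assumes the JSON keys sit at the top level of the file and that the trailing commas in the properties file are separators; the function names are illustrative.

```python
import json

# Credentials printed on this page as samples; anyone who has read it knows them.
PAGE_SAMPLE_CREDENTIALS = {("admin", "password"), ("temp1", "temp1"), ("UserA", "PassA")}

def parse_users(properties_text):
    """Parse user=password lines, dropping the trailing commas shown on the page."""
    users = {}
    for raw in properties_text.splitlines():
        line = raw.strip().rstrip(",")
        if line and not line.startswith("#") and "=" in line:
            name, _, secret = line.partition("=")
            users[name.strip()] = secret.strip()
    return users

def audit(config_text, properties_text):
    """Return (setting, message) findings for the settings this page describes."""
    cfg = json.loads(config_text)  # assumption: keys sit at the top level of the file
    findings = []
    authn = cfg.get("enableAuthentication") is True
    if not authn:
        findings.append(("enableAuthentication", "authentication is switched off"))
    if cfg.get("enableAuthorization") is not True:
        findings.append(("enableAuthorization", "authorization is switched off"))
    elif not authn:
        findings.append(("enableAuthorization", "set to true but inactive without authentication"))
    if cfg.get("enableAudit") is not True:
        findings.append(("enableAudit", "audit logging is switched off"))
    if cfg.get("host") == "0.0.0.0":
        findings.append(("host", "service listens on every network interface"))
    for name, secret in parse_users(properties_text).items():
        if (name, secret) in PAGE_SAMPLE_CREDENTIALS or name.lower() == secret.lower():
            findings.append(("user:" + name, "sample or username-equals-password credential"))
    return findings

# Constructed sample inputs, not taken from a real deployment.
SAMPLE_CONFIG = ('{"host": "0.0.0.0", "port": 9099, "enableAuthentication": false, '
                 '"enableAuthorization": true, "enableAudit": true}')
SAMPLE_USERS = "admin=password,\nops=Xk4-constructed-example,\ntemp1=temp1\n"

if __name__ == "__main__":
    for setting, message in audit(SAMPLE_CONFIG, SAMPLE_USERS):
        print(f"{setting}: {message}")
```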
Configuring Mail
The Mail service is used internally by Bindaas to send notifications (if enabled) about new user enrollment. Hence, it is only relevant if the AdminConsole is installed. The mailService.properties file under the $BINDAAS_HOME/bin directory can be edited to change the default Mail settings:
mail.smtp.starttls.enable=true
mail.smtp.port=587
password=passwd
mail.smtp.auth=true
mail.smtp.host=smtp.gmail.com
username=user@gmail.com
Configuring Pseudo STS API
The Pseudo STS provides two APIs, issueToken and validateToken, modeled after SecurityTokenService 1.0. Using these RESTful operations, a third-party application/user can pass their own credentials (username/password) in the HTTP header of the request. The bindaas-pseudo-sts.config.json file under the $BINDAAS_HOME/bin directory can be used to change the default configuration as follows:
{
"ldapProviderClass": "edu.emory.cci.bindaas.security.ldap.LDAPAuthenticationProvider",
"defaultClientId": "external.org",
"defaultLifespanOfKeysInSeconds": 3600
}
The LDAP against which users are authenticated can be configured using the bindaas.authentication.ldap.properties file located in the same directory.
ldap.url=ldap\://ad1.ccibmi.cci.emory.edu\:389
ldap.dn.pattern=cn\=%s,cn\=Users,dc\=ccibmi,dc\=cci,dc\=emory,dc\=edu
Configuring Security Dashboard to use Rakshak
The Security Dashboard in AIME/Bindaas is configured by default to use the following Identity Service:
{
"rakshakBaseUrl": "http://0.0.0.0:1111/securityTokenService/pure-ldap-service"
}
To change this, edit the $AIME_HOME/bin/security-dashboard.config.json file and set the new value for rakshakBaseUrl.
Exporting Audit Logs as CSV from OSGi Console
Certain routine administration tasks can be performed using the OSGi console. Bindaas must be started with the -console option in order to launch the OSGi console.
$ java -Dpid=BINDAAS_INSTANCE -Xmx1024m -XX:MaxPermSize=384m -jar org.eclipse.osgi_3.8.2.v20130124-134944.jar -console
Run the following command to export the audit logs to a CSV file:
osgi > bindaas:audit:dump <<filename>>
<<filename>> is optional. If not specified, a new file named bindaas.log.csv is created.
To get access to the OSGi console, telnet to the OSGi console port that is specified in the startup script.
Purging Audit Logs
This operation will permanently delete all audit logs. On the OSGi console, execute the following command:
osgi > bindaas:audit:clean
Purging All API-Keys, Audit Logs and other persistent information
All API-Keys, audit logs and other persistent information are stored in the H2 Database. If you delete the H2 files, all persistent data will be lost. The H2 files are stored in the $BINDAAS_HOME/bin directory:
*.db