You must, therefore, be extremely careful about implementing this tech tip. Secure Single Sign On is a primary design goal and feature of GroundWork Monitor. This tech tip method defeats or weakens the mechanism if not carefully controlled. The security risks are manifest:
* Deploying it on an unsecured workstation means you do not know who is using it.
* The Portal Landing Page must be chosen as one that is safe for all eyes (the default is the Summary page; see [DOC721:How to change the portal page navigation] for more info).
* Control of the selection of permitted pages, containers and applications for the specific Role assigned is critically important and must be reviewed and tested regularly.
* Anyone with command line access to the workstation or server where this script is deployed may be able to read the text content of the script and learn the user name and password, as well as the GW Server name, and could then run the script from some other workstation.
* It is advisable to configure the GW Server Apache web server to accept connections from specific IP addresses or ranges on an exclusive basis, to reduce the target footprint.
* The session token obtained and used for this purpose will have the same expiration characteristics and limitations as any regular user's token. Therefore, when deploying this, you must consider how you will rerun the script when the token is invalidated for one reason or another.
h4. Requirements

h5. Use GWME 7.2.1
...
h5. Create or choose user and role
In the GroundWork Monitor, as root or admin user:
* Create a Role for the purpose and assign the resources, host groups, and service groups that you wish to expose to this mechanism.
* If you are using local, Monitor-based Authentication:
** create a Group and associate it with the Role
...
** create the Group and assign the User to it
** edit the {{/usr/local/groundwork/config/ldap-mapping-directives.properties}} file to associate that Group with the previously created GW Role
See [DOC721:System Administration How To's] for more information.
h5. Get and modify the script
...
{attachments:patterns=script.html}
Attached is a sample script, repeated here with the four places you would need to change shown in {color:#ff000c}red{color}:
{note}
<html>
<body onload="login();">
<script type="text/javascript" language=JavaScript>
function login() \{
// Expire any existing session cookies so the login starts from a clean state
document.cookie = "CGISESSID=;path=/;expires=Fri, 3 Aug 1970 20:47:11 UTC";
document.cookie = "PHPSESSID=;path=/;expires=Fri, 3 Aug 1970 20:47:11 UTC";
document.cookie = "nagvis_session=;path=/nagvis;expires=Fri, 3 Aug 1970 20:47:11 UTC";
document.cookie = "treeArrayC=;path=/nms-rstools/php/rstools/;expires=Fri, 3 Aug 1970 20:47:11 UTC";
// Submit the hidden login form if it is the only form on the page
if (window.document.forms && window.document.forms.length == 1) \{
window.document.forms\[0\].submit();
}
}
</script>
<form action="http://{color:#ff000c}my-groundwork-server{color}/josso/signon/usernamePasswordLogin.do" method="post">
<input type="hidden" name="josso_cmd" value="login"/>
<input type="hidden" name="josso_back_to" value="http://{color:#ff000c}my-groundwork-server{color}/portal/initiatessologin"/>
<input type="hidden" name="josso_username" value="{color:#ff000c}user{color}"/>
<input type="hidden" name="josso_password" value="{color:#ff000c}password{color}"/>
</form>
</body>
</html>
{note}
Be sure to use the *exact same hostname* in the script that appears in the address line when you are logged in normally. For example, if your GroundWork Monitor hostname is using the short DNS name, use the short name here, not the FQDN, or vice versa. Make sure there are no spaces at the start and end of the username and password, and avoid using escape characters like \| or * in the password field.
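The risks listed above can be checked on each workstation before and after the file is distributed. The following is an added example, not part of the original tech tip or of GroundWork's tooling: the function name {{audit_autologin}}, its messages and its return codes are assumptions of this example. It checks that only the owner can read the file, that the form does not post the password over plain {{http://}}, and that the credential values carry no leading or trailing spaces.

```shell
#!/bin/sh
# Added example: audit a deployed auto-login page (script.html).
# audit_autologin, its messages and return codes are hypothetical names
# chosen for this example.

# audit_autologin FILE
# Prints one line per finding. Returns 0 if clean, 1 if there are findings,
# 2 if FILE cannot be checked.
audit_autologin() {
    _f=$1
    _rc=0
    [ -f "$_f" ] || { echo "ERROR: $_f is not a regular file"; return 2; }

    # 1. The file embeds josso_username and josso_password, so nobody but
    #    its owner should be able to read it. -perm -040 and -perm -004 test
    #    the group-read and other-read bits (POSIX find, Linux and macOS).
    if [ -n "$(find "$_f" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "FINDING: $_f is readable by group or others; restrict it with chmod 600"
        _rc=1
    fi

    # 2. A form action starting with http:// sends the embedded password
    #    across the network unencrypted.
    if grep -Eiq 'action="http://' "$_f"; then
        echo "FINDING: $_f posts the password over unencrypted http://"
        _rc=1
    fi

    # 3. Spaces at the start or end of the username or password value.
    if grep -Eiq 'name="josso_(username|password)"[^>]*value="( [^"]*|[^"]* )"' "$_f"; then
        echo "FINDING: $_f has a leading or trailing space in a credential value"
        _rc=1
    fi

    return $_rc
}
```

Source the file and run {{audit_autologin ./script.html}}; a non-zero return means the copy should not be left in place as it is.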
h5. Distribute the script to the workstations or users
...
{tip}
open \-a "Google Chrome" ./script.html
{tip}
...