Stambia versions 2.x, 3.x, S17, S18, S19 and S20 reach End of Support on January 15th, 2024. Please consider upgrading to the supported Semarchy xDI versions. See Global Policy Support and the Semarchy Documentation.


Define static or LDAP filtering and customize filtering

    This article shows how to configure the Licenses service to define static or LDAP filtering and to customize filtering.

    Prerequisites:
    • Licenses Service 1.3.0 or higher version.
    • Stambia DI Designer S17.2.12 or higher version.

    Starting with Licenses Service 1.3.0, you can define LDAP filtering and customize filtering.

     

     

    Static filtering

    With this filtering, you can limit access to the users defined in a configuration file.

    Configuration

    Static filtering is configured by adding a new bean to the spring-context.xml file.

    The configuration content of this file will look like this:

    <!-- Define a list of Stambia group / filter combination -->                                            
        <bean class="com.stambia.licence.plugin.impl.DesignerFilterManager">    
            <property name="plugins">
                <map>
                    <!-- associate a license.xml Stambia group (in the key attribute) to a filter (in the value-ref attribute)  -->                                    
                    <entry key="default" value-ref="simpleFilter"></entry>
                </map>        
            </property>        
        </bean>
        <!-- Simple filter -->    
        <bean id="simpleFilter"
            class="com.stambia.licence.plugin.impl.DesignerFilterSimplePlugin">
            <!-- userNames: List of allowed usernames -->
            <property name="userNames">
                <list>
                    <value>tsmith</value>
                    <value>ejones</value>
                    <value>dwheldon</value>
                </list>
            </property>
            <!-- logUserListAtStartup: Enable logging user "userNameAttribute" attribute when starting the server -->            
            <property name="logUserListAtStartup" value="true"></property>
        </bean>

     

    The "userNames" property lists the allowed operating system user account names.

    The sample spring-context.xml file containing this configuration is located in the following directory:

    conf/samples/filter_simple

     

    LDAP directory filtering

    With this filtering, you can limit access to the users defined in an LDAP directory.

    Configuration

    LDAP filtering is configured by adding new beans carrying the LDAP properties to the spring-context.xml file.

    The configuration content of this file will look like this:

    <!-- Define a list of Stambia group / filter combination -->                                        
        <bean class="com.stambia.licence.plugin.impl.DesignerFilterManager">    
            <property name="plugins">
                <map>
                    <!-- associate a license.xml Stambia group (in the key attribute) to a filter (in the value-ref attribute)  -->                                    
                    <entry key="default" value-ref="ldapFilter"></entry>
                </map>        
            </property>    
        </bean>
    <!-- LDAP configuration -->    
        <bean id="contextSource"
            class="org.springframework.ldap.core.support.LdapContextSource">
            <!-- url: The LDAP URL. format: ldap://<IP_ADDRESS>:<PORT> -->    
            <property name="url" value="ldap://xx.xx.xx.xx:yyy" />
            <!-- userDn: The LDAP user to use -->    
            <property name="userDn" value="cn=admin,dc=myorganization,dc=org" />
            <!-- password: The LDAP user password -->            
            <property name="password" value="LDAP_PASSWORD" />
        </bean>
    <bean id="ldapTemplate"
            class="org.springframework.ldap.core.LdapTemplate">
            <constructor-arg ref="contextSource" />
        </bean>
    <!-- LDAP filter -->    
        <bean id="ldapFilter"
            class="com.stambia.licence.plugin.impl.DesignerFilterLdapPlugin">
            <constructor-arg ref="ldapTemplate" />
            <!-- base: The search base defines the starting point for the search in the directory tree -->    
            <property name="base" value="ou=people,dc=myorganization,dc=org"/>
            <!-- filter: The filter to use in the search
                Note: use &amp; string as AND (&) operator
            -->
            <property name="filter" value="objectClass=person"/>
            <!-- userNameAttribute: LDAP attribute containing the allowed username -->        
            <property name="userNameAttribute" value="userName"/>
            <!-- searchScope: Specifies the portion of the target subtree that should be considered. Supported search scope values are:
                0: baseObject (also known as "base"):  only the entry specified as the search base should be considered.
                1: singleLevel (also known as "one"):  only the immediate children of the entry specified as the search base should be considered.
                2: wholeSubtree (also known as "sub"): indicates that the entry specified as the search base, and all of its subordinates to any depth, should be considered.
            -->
            <property name="searchScope" value="2"/>
            <!-- logUserListAtStartup: Enable logging user "userNameAttribute" attribute when starting the server -->    
            <property name="logUserListAtStartup" value="true"/>
            <!-- refreshInterval: Filter refresh interval (in seconds). Default value is 30 seconds if this property is not set -->
            <property name="refreshInterval" value="600"/>    
        </bean>

     

    The bean class="org.springframework.ldap.core.support.LdapContextSource" configures your LDAP connection parameters: LDAP URL, user and password.

    The bean class="com.stambia.licence.plugin.impl.DesignerFilterManager" configures LDAP filtering for each Stambia group defined in the license.xml file. You need to associate each Stambia group with an LDAP filter, and each Stambia group can use a different LDAP filter.
    The bean class="com.stambia.licence.plugin.impl.DesignerFilterLdapPlugin" configures one specific LDAP filter.

     

    The sample spring-context.xml file containing this configuration is located in the following directory:

    conf/samples/filter_ldap

     

    About LDAP directory impact

    Each Stambia DI user concerned must have an LDAP attribute that contains their operating system user account name.
    The name of this attribute must be set as the value of the “userNameAttribute” property in the LDAP filtering bean.
    For example: if your user account name is "johnsmith", your LDAP entry must carry the attribute named in the “userNameAttribute” property, with "johnsmith" as its value.

     

     

    Combine multiple filters

    With the following configuration, you can associate:

    • a Stambia Group (externalPeopleGroup) with an LDAP filter
    • a Stambia Group (default) with a combination of 2 LDAP filters, using the com.stambia.licence.plugin.impl.DesignerFilterComposePlugin bean.

     

    <!-- Define a list of Stambia group / filter combination -->                                                
        <bean class="com.stambia.licence.plugin.impl.DesignerFilterManager">    
            <property name="plugins">
                <map>
                    <!-- associate a license.xml Stambia group (in the key attribute) to a filter (in the value-ref attribute)  -->                                    
                    <entry key="default" value-ref="ldapGroupfilter"></entry>
                    <entry key="externalPeopleGroup" value-ref="ldapfilterForExternals"></entry>
                </map>        
            </property>    
        </bean>
     <!-- LDAP configuration -->    
        <bean id="contextSource"
            class="org.springframework.ldap.core.support.LdapContextSource">
            <!-- url: The LDAP URL. format: ldap://<IP_ADDRESS>:<PORT> -->    
            <property name="url" value="ldap://xx.xx.xx.xx:yyy" />
            <!-- userDn: The LDAP user to use -->    
            <property name="userDn" value="cn=admin,dc=myorganization,dc=org" />
            <!-- password: The LDAP user password -->            
            <property name="password" value="LDAP_PASSWORD" />
        </bean>
    <bean id="ldapTemplate"
            class="org.springframework.ldap.core.LdapTemplate">
            <constructor-arg ref="contextSource" />
        </bean>
     <!-- LDAP filter 1 -->    
        <bean id="ldapfilterForSupportTeam"
            class="com.stambia.licence.plugin.impl.DesignerFilterLdapPlugin">
            <constructor-arg ref="ldapTemplate" />
            <!-- base: The search base defines the starting point for the search in the directory tree -->    
            <property name="base" value="ou=support,ou=people,dc=myorganization,dc=org"/>
            <!-- filter: The filter to use in the search
                Note: use &amp; string as AND (&) operator
            -->
            <property name="filter" value="objectClass=person"/>
            <!-- userNameAttribute: LDAP attribute containing the allowed username -->        
            <property name="userNameAttribute" value="username"/>
            <!-- searchScope: Specifies the portion of the target subtree that should be considered. Supported search scope values are:
                0: baseObject (also known as "base"):  only the entry specified as the search base should be considered.
                1: singleLevel (also known as "one"):  only the immediate children of the entry specified as the search base should be considered.
                2: wholeSubtree (also known as "sub"): indicates that the entry specified as the search base, and all of its subordinates to any depth, should be considered.
            -->
            <property name="searchScope" value="2"/>
        </bean>
        <!-- LDAP filter 2 -->    
        <bean id="ldapfilterForDevelopmentTeam"
            class="com.stambia.licence.plugin.impl.DesignerFilterLdapPlugin">
            <constructor-arg ref="ldapTemplate" />
            <!-- base: The search base defines the starting point for the search in the directory tree -->    
            <property name="base" value="ou=development,ou=people,dc=myorganization,dc=org"/>
            <!-- filter: The filter to use in the search
                Note: use &amp; string as AND (&) operator
            -->
            <property name="filter" value="objectClass=person"/>
            <!-- userNameAttribute: LDAP attribute containing the allowed username -->        
            <property name="userNameAttribute" value="username"/>
            <!-- searchScope: Specifies the portion of the target subtree that should be considered. Supported search scope values are:
                0: baseObject (also known as "base"):  only the entry specified as the search base should be considered.
                1: singleLevel (also known as "one"):  only the immediate children of the entry specified as the search base should be considered.
                2: wholeSubtree (also known as "sub"): indicates that the entry specified as the search base, and all of its subordinates to any depth, should be considered.
            -->
            <property name="searchScope" value="2"/>
        </bean>
     <!-- LDAP filter 3 -->    
        <bean id="ldapfilterForExternals"
            class="com.stambia.licence.plugin.impl.DesignerFilterLdapPlugin">
            <constructor-arg ref="ldapTemplate" />
            <!-- base: The search base defines the starting point for the search in the directory tree -->    
            <property name="base" value="ou=externals,ou=people,dc=myorganization,dc=org"/>
            <!-- filter: The filter to use in the search
                Note: use &amp; string as AND (&) operator
            -->
            <property name="filter" value="objectClass=person"/>
            <!-- userNameAttribute: LDAP attribute containing the allowed username -->        
            <property name="userNameAttribute" value="username"/>
            <!-- searchScope: Specifies the portion of the target subtree that should be considered. Supported search scope values are:
                0: baseObject (also known as "base"):  only the entry specified as the search base should be considered.
                1: singleLevel (also known as "one"):  only the immediate children of the entry specified as the search base should be considered.
                2: wholeSubtree (also known as "sub"): indicates that the entry specified as the search base, and all of its subordinates to any depth, should be considered.
            -->
            <property name="searchScope" value="2"/>
        </bean>
        <!-- combine many filters -->        
        <bean id="ldapGroupfilter"
            class="com.stambia.licence.plugin.impl.DesignerFilterComposePlugin">
            <property name="filters">
                <list>
                    <ref bean="ldapfilterForSupportTeam"/>
                    <ref bean="ldapfilterForDevelopmentTeam"/>
                </list>
            </property>
            <!-- logUserListAtStartup: Enable logging user "userNameAttribute" attribute when starting the server -->            
            <property name="logUserListAtStartup" value="true"></property>
            <!-- refreshInterval: Filter refresh interval (in seconds). Default value is 30 seconds -->            
            <property name="refreshInterval" value="60"/>    
        </bean>
       

     

    The sample spring-context.xml file containing this configuration is located in the following directory:

    conf/samples/filter_compose
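
    An added example (not part of the original article or of Stambia's code): a small Python audit that resolves each license.xml group in the DesignerFilterManager map to the LDAP searches that admit its users. It flags references that match no bean id (Spring bean ids are case-sensitive) and a plain ldap:// URL, over which a simple bind is unencrypted unless StartTLS is configured. The function names and the condensed sample, with its deliberately mis-cased value-ref, are constructed for illustration; static DesignerFilterSimplePlugin filters are not handled.

```python
import xml.etree.ElementTree as ET

PKG = "com.stambia.licence.plugin.impl."
SCOPES = {"0": "base", "1": "one", "2": "sub"}  # searchScope values from the page
# Constructed sample, condensed from the page; one value-ref is mis-cased on purpose.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
<bean class="com.stambia.licence.plugin.impl.DesignerFilterManager"><property name="plugins"><map>
  <entry key="default" value-ref="ldapGroupfilter"/>
  <entry key="externalPeopleGroup" value-ref="ldapFilterForExternals"/>
</map></property></bean>
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="url" value="ldap://xx.xx.xx.xx:yyy"/></bean>
<bean id="ldapfilterForSupportTeam" class="com.stambia.licence.plugin.impl.DesignerFilterLdapPlugin">
  <property name="base" value="ou=support,ou=people,dc=myorganization,dc=org"/>
  <property name="filter" value="objectClass=person"/><property name="searchScope" value="2"/></bean>
<bean id="ldapfilterForDevelopmentTeam" class="com.stambia.licence.plugin.impl.DesignerFilterLdapPlugin">
  <property name="base" value="ou=development,ou=people,dc=myorganization,dc=org"/>
  <property name="filter" value="objectClass=person"/><property name="searchScope" value="2"/></bean>
<bean id="ldapfilterForExternals" class="com.stambia.licence.plugin.impl.DesignerFilterLdapPlugin">
  <property name="base" value="ou=externals,ou=people,dc=myorganization,dc=org"/>
  <property name="filter" value="objectClass=person"/><property name="searchScope" value="2"/></bean>
<bean id="ldapGroupfilter" class="com.stambia.licence.plugin.impl.DesignerFilterComposePlugin">
  <property name="filters"><list><ref bean="ldapfilterForSupportTeam"/>
    <ref bean="ldapfilterForDevelopmentTeam"/></list></property></bean></beans>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # tag name without the Spring beans namespace

def props(bean):
    return {p.get("name"): p for p in bean if local(p) == "property"}

def resolve(ref, beans, group, findings, seen=()):
    """Return the (base, filter, scope) searches reachable from bean id `ref`."""
    bean = beans.get(ref)
    if bean is None or ref in seen:
        findings.append(f"{group}: reference '{ref}' is dangling or circular")
        return []
    if bean.get("class") == PKG + "DesignerFilterComposePlugin":
        refs = [r.get("bean") for r in bean.iter() if local(r) == "ref"]
        return [s for r in refs for s in resolve(r, beans, group, findings, seen + (ref,))]
    p = {name: el.get("value") for name, el in props(bean).items()}
    return [(p.get("base"), p.get("filter"), SCOPES.get(p.get("searchScope"), "unset"))]

def audit(xml_text):
    """Map each license.xml group to its LDAP searches; return (groups, findings)."""
    root = ET.fromstring(xml_text)
    all_beans = [b for b in root.iter() if local(b) == "bean"]
    beans = {b.get("id"): b for b in all_beans if b.get("id")}
    groups, findings = {}, []
    for bean in all_beans:
        if bean.get("class") == PKG + "DesignerFilterManager":
            for e in (x for x in bean.iter() if local(x) == "entry"):
                groups[e.get("key")] = resolve(e.get("value-ref"), beans, e.get("key"), findings)
        url = props(bean).get("url")
        if url is not None and url.get("value", "").startswith("ldap://"):
            findings.append(f"{bean.get('id')}: ldap:// URL, simple bind is unencrypted unless StartTLS is set up")
    return groups, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

    A group that resolves to an empty list has no filter behind it, so check the findings before restarting the License Server with an edited spring-context.xml.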

     

     

    Operating the License Server

      Stopping / Restarting the License Server

      If your License Server was installed as a service, simply operate the service using your OS' service management tools.

      Otherwise, use the "bin/start" and "bin/stop" scripts.

      Checking the License Server status

      Watching the log files

      The License Server writes information into the "log/com.stambia.licence.server.log" file.

      Watching the server process

      Search for a java process which contains "com.indy.license.server.jar" in the command line.

      On Windows:

      • Using the Task manager
        • Make sure your Task Manager displays the "Command Line" column
        • Search for a Java process where the command line contains "com.indy.license.server.jar"
      • Using the command line (as an administrator)
      C:\WINDOWS\system32>wmic process where "name like '%java%' and commandline like '%com.indy.license.server.jar%'" get Name,ProcessId,ParentProcessId
      Name      ParentProcessId  ProcessId
      java.exe  3180             3704

      Note: on Windows, when the License Server is installed as a service, there might be two processes, which is normal (there is a service wrapper + the actual service).

      On Linux:

      Search for a java process which contains "com.indy.license.server.jar" in the command line.

      ps -ef | grep com.indy.license.server.jar

      Updating the license.xml file

      Your "license.xml" file may change in the future (adding new licenses, changing MAC addresses...).

      Do not edit this file by yourself - your licenses may become invalid. Instead, please send a request to the Support Team.

      When Support delivers a new "license.xml" file, simply replace the previous file with the new one. The change is immediate.

       

      Define a custom certificate and customize SSL options

        This article shows how to configure the Licenses service and Stambia DI Designer to define a custom certificate and to customize SSL options.

        Prerequisites:
        • Licenses Service 1.4.0 or higher version.
        • Stambia DI Designer S20.4.0 or higher version.

         

        Starting with Licenses Service 1.4.0, you can define a custom certificate and customize SSL options.

        Starting with Stambia DI Designer S20.4.0, you can define the certificate the Designer should use to contact the license service when the license service uses a custom certificate.

        Configuration

        The SSL properties are configured by adding a new bean to the spring-context.xml file.

        The configuration content of this file will look like this:

        <!-- SSL configuration -->
        <!-- This can be used to override the default SSL configuration and default certificate used. -->
        <bean
        	class="com.stambia.licence.plugin.ssl.impl.DesignerSslPlugin">	
        	  <!-- enableSsl: enable SSL -->			
        	  <property name="enableSsl" value="true"></property>
        	  <!-- keyStoreType: The keyStore type -->					
        	  <property name="keyStoreType" value="JKS"></property>
        	  <!-- keyStore:  The relative or absolute path to the keyStore -->					
        	  <property name="keyStore" value="path_to_keystore/keystore.jks"></property>
        	  <!-- keyStorePassword: The keyStore password -->					
        	  <property name="keyStorePassword" value="keystore_password"></property>
        	  <!-- keyAlias: The certificate alias to be used -->					
        	  <property name="keyAlias" value="key_alias"></property>
        	  <!-- keyPassword: The certificate password -->					
        	  <property name="keyPassword" value="key_password"></property>
          </bean>
        

         

        The sample spring-context.xml file containing this configuration should be added in the following directory:

        conf/samples/ssl_configuration

        When these properties are not specified, the service uses the self-signed certificate by default, as before.

        About Designer impact

        Designer accepts the legacy self-signed certificate and also any signed certificate.

        When the certificate used by the license service is customized, the Designer must be configured so that it can be given that certificate.

         

        Prerequisites:
        • This feature is available from Designer S20.4.0

         

        Designer certificates

        The stambia.ini file supports four new properties that define an additional keystore containing the certificate for the license service.

        To define the custom keystore that the Designer will use in addition, add the following lines to the stambia.ini file:

        -Dlicense.service.keystore.path=<path to the keystore file>
        -Dlicense.service.keystore.type=<keystore type>
        -Dlicense.service.keystore.password=<security password>
        -Dlicense.service.keystore.key.alias=<keystore alias>
        

        Once stambia.ini is configured, you can use the matching server or key license in the Designer.

        JVM certificates truststore

        When the Designer exchanges with the license service, the certificate checks take the certificates of the JVM truststore into account.

        For these exchanges, the Designer takes into account a combination of the following certificates:

        • the internal certificate
        • the JVM truststore
        • the custom keystore defined in stambia.ini (if defined)

        The Designer therefore takes the JVM truststore into account automatically, which lets it accept most signed certificates without further configuration.

        When the JVM truststore is not in the default location, you can indicate it in the stambia.ini file with the following standard JVM options, which specify the JVM truststore configuration:

        -Djavax.net.ssl.trustStore=<path to the keystore file>
        -Djavax.net.ssl.trustStoreType=<keystore type>
        -Djavax.net.ssl.trustStoreProvider=<provider>
        -Djavax.net.ssl.trustStorePassword=<keystore password>
        

        Once stambia.ini is configured, you can use the matching server or key license in the Designer.

         
