Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
devel:documentation:systems:dev:remote-connector [2019/10/17 14:08] fiserp [Start remote connector - Windows] |
— (current) | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Remote connector server ====== | ||
- | {{tag> system connector configuration }} | ||
- | Remote connector server is a standalone daemon used for interfacing some of the more difficult systems. You deploy connector bundles into the connector server. Then, you configure CzechIdM to use connectors from within the remote connector server. As far as IdM is concerned, there is no difference if actions on end system are performed by connector server or IdM itself. The only difference is in the point of origin of network communication. | ||
- | ===== Why use remote connector server? ===== | ||
- | CzechIdM comes bundled only with certain types of connectors. For some deployments, | ||
- | * We cannot run Java code on the target system (e. g. .NET code is needed). | ||
- | * The OS does not have some normal API (e. g. old Windows without WinRM) so we need to run commands on it locally. | ||
- | * Security reasons - we do not want to run the connector code under the same user as the CzechIdM. | ||
- | * You need to use two different versions of one connector (or two connectors which bundle different versions of the same library - for example Apache CXF). If you did deploy them both into one Java context, libraries would break due to Java Class FQDN conflicts. | ||
- | ===== How does a remote connector server works in CzechIdM? ===== | ||
- | The remote server connector configuration form behaves just like the local connector form - this means that definition is stored in the EAV attributes for system which it belongs. As a key to EAV attributes are used the system name, connector name, and connector version. Therefore, it is possible to have multiple connectors with different version on the remote connector server. | ||
- | |||
- | |||
- | ===== Connector server setup ===== | ||
- | Download appropriate version of the connector server. If you are a BCV developer, use our internally provided version. | ||
- | |||
- | ==== Using connector server on BCV projects ==== | ||
- | - Download the all-in-one prepared bundle from [[https:// | ||
- | - Continue with deployment instructions. | ||
- | |||
- | ==== Using connector server from ConnID ==== | ||
- | - Download connector server from the [[https:// | ||
- | - **Use version | ||
- | - Download following libraries and add them to the '' | ||
- | * jackson-annotations-2.9.8 | ||
- | * jackson-core-2.9.8 | ||
- | * jackson-databind-2.9.8 | ||
- | - Add those libraries to the '' | ||
- | |||
- | ==== Remote connector server configuration - Linux ==== | ||
- | |||
- | Create new user under which the connector server will be started and give him ownership of connector-server directory. | ||
- | < | ||
- | useradd connector-server | ||
- | chown -R connector-server: | ||
- | </ | ||
- | |||
- | All commands execute in root folder of remote connector server. | ||
- | |||
- | |||
- | Next it's good to setup new password for connector server. This password will IdM use to connect to connector-server. | ||
- | < | ||
- | ./ | ||
- | </ | ||
- | |||
- | |||
- | Create service file for connector-server. Content of the file, change path according where you have your connector server | ||
- | / | ||
- | < | ||
- | |||
- | [Unit] | ||
- | Description=Java Connector Server Service | ||
- | [Service] | ||
- | User=connector-server | ||
- | WorkingDirectory=/ | ||
- | ExecStart=/ | ||
- | SuccessExitStatus=143 | ||
- | [Install] | ||
- | WantedBy=multi-user.target | ||
- | </ | ||
- | |||
- | Reload, enable and start deamon. To control service use " | ||
- | < | ||
- | systemctl daemon-reload | ||
- | systemctl enable java-connector-server | ||
- | systemctl start java-connector-server | ||
- | </ | ||
- | |||
- | To configure settings (such as log, port...) will be found at configurations file: conf/ | ||
- | |||
- | * To directory " | ||
- | * To directory " | ||
- | * In default scripts will look to " | ||
- | |||
- | If you will add AD connector you also need create connector server truststore. | ||
- | Create truststore in "" | ||
- | < | ||
- | openssl genrsa -out fakecert.key | ||
- | openssl req -new -key fakecert.key -out fakecert.csr -subj "/ | ||
- | openssl x509 -req -in fakecert.csr -signkey fakecert.key -days 1 -sha256 -out fakecert.crt | ||
- | keytool -importcert -file fakecert.crt -alias placeholder-cert -keystore truststore.jks | ||
- | Enter keystore password: | ||
- | Re-enter new password: | ||
- | ... | ||
- | Trust this certificate? | ||
- | Certificate was added to keystore | ||
- | |||
- | rm fakecert.key fakecert.csr fakecert.crt | ||
- | chmod 644 truststore.jks | ||
- | chown connector-server: | ||
- | </ | ||
- | |||
- | Add truststore to start scripts: | ||
- | Add this java property to java start options in " | ||
- | < | ||
- | -Djavax.net.ssl.trustStore=/ | ||
- | </ | ||
- | or add this to service installation in „bin\ConnectorServer.bat“(windows) | ||
- | < | ||
- | " | ||
- | </ | ||
- | |||
- | ==== Remote connector server configuration - Windows ==== | ||
- | |||
- | <note important> | ||
- | All commands execute in root folder of remote connector server. | ||
- | |||
- | Start CMD under system admid. Then go to connector-server root directory. | ||
- | |||
- | < | ||
- | cd C: | ||
- | bin\ConnectorServer.bat /setkey | ||
- | bin\ConnectorServer.bat /install connector_server | ||
- | </ | ||
- | |||
- | Then start service in " | ||
- | If connector_server service started correctly set this service to automatic start. | ||
- | |||
- | |||
- | |||
- | ===== Connecting CzechIdM to a remote connector server ===== | ||
- | - In CzechIdM, on the system tab, create a new system. | ||
- | - In the detail of this system, check option **"Use remote connector server" | ||
- | - When you are done, '' | ||
- | - Go to the **" | ||
- | - Configure everything else as you would do if you were not using remote connector server. |