Differences

This shows you the differences between two versions of the page.

devel:documentation:systems:dev:winrm_connector [2019/06/13 12:22]
kucerar
devel:documentation:systems:dev:winrm_connector [2019/07/17 05:22]
kucerar path to crt
Line 1: Line 1:
 ====== WinRM Connector ====== ====== WinRM Connector ======
-This connector can be used to connect to basically to any system which can be managed via powershell commands or some specialized client which can be called from powershell.+Windows Remote Management (WinRM) connector can be used to connect to basically to any system which can be managed via powershell commands or some specialized client which can be called from powershell.
  
 Connector is based on Connid CMD connector. We made fork of CMD connector version 0.4-SNAPSHOT. Connector is based on Connid CMD connector. We made fork of CMD connector version 0.4-SNAPSHOT.
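Review bot: The new opening sentence on the + line still reads "to connect to basically to any system", carrying over the doubled "to" from the line it replaces; suggest "can be used to connect to basically any system". It also wants an article ("The Windows Remote Management (WinRM) connector") and "PowerShell" spelled consistently.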
Line 30: Line 30:
  
 It supports HTTP and HTTPS communication. HTTPS communication can be a little bit tricky to configure. You need the right It supports HTTP and HTTPS communication. HTTPS communication can be a little bit tricky to configure. You need the right
-certificate which is used in WinRM listener on Win server and then import crt to the trust store on machine where this connector is running+certificate which is used in WinRM listener on Win server and then import crt to the trust store on machine where this connector is running or you can edit file winrm\_wrapper.py to change the path to .pem certificate which is needed for HTTPS connection. 
-In file winrm_wrapper.py on line 39 where the session for WinRM is created you need to specify ca trust path. +<code> 
-On Debian based system the default system ca path is "/etc/ssl/certs" +p = winrm.protocol.Protocol(endpoint=endpoint, 
 +                            transport=authentication, 
 +                            username=user, 
 +                            password=password, 
 +                            ca_trust_path='/opt/connid-connector-server/certs/winrm_ca.pem') 
 +</code>
 ===== Configuration ===== ===== Configuration =====
 Connector has few settings which need to be configured before you used it. Connector has few settings which need to be configured before you used it.
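Review bot: The added sentence presents the two HTTPS options as alternatives ("import crt to the trust store ... or you can edit file winrm\_wrapper.py"), while the removed lines said the CA trust path has to be specified in winrm_wrapper.py; state explicitly whether importing into the system trust store is sufficient without touching the file. The example hard-codes ca_trust_path='/opt/connid-connector-server/certs/winrm_ca.pem' in the wrapper source, so the setting is lost whenever winrm_wrapper.py is replaced; consider reading the path from configuration, and say that the .pem file must be readable by the account that runs the connector server. The removed hints (where in the file the session is created, the Debian default "/etc/ssl/certs") were useful to readers and could be kept alongside the new example.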
Line 100: Line 104:
 | \_\_ACCOUNT\_\_  | CREATE, UPDATE, DELETE, SEARCH  | | \_\_ACCOUNT\_\_  | CREATE, UPDATE, DELETE, SEARCH  |
 | \_\_GROUP\_\_    | NONE                  | | \_\_GROUP\_\_    | NONE                  |
 +
 +===== Managing users groups =====
 +When you use this connector for some system where you need to manage groups for users (OpenLims). Attribute for roles must be called "roles" is schema definition. Then it's work in the same way as roles for AD. That's mean you need to create role in IdM which will have assigned this system and in mapping override attribute "roles" with value which the system accept. Strategy should be Merge or Authoritative merge 
 +
 +===== Scripts =====
 +==== python ====
 +Python scripts should start with these two lines:
 +<code>#!/usr/bin/env python
 +# -*- coding: utf-8 -*-</code>
 +
 +The second line is important because in python 2.x default encoding is ASCII so if don't specify the encoding in python file then we will have problems with using diacritics.
 +Then if we need to load powershell script into python and replace some params, It's recommended to open with encoding.
 +<code>
 +import codecs
 +f = codecs.open(os.environ["script"], encoding='utf-8', mode='r') #os.environ["script"] is path to script which is send from IdM configuration
 +command = f.read()
 +command = command.replace("$firstName", winrm_wrapper.getParam("firstName"))
 +</code>
 +For getting parameter from environment you can use method in winrm_wrapper which will return value or empty string if the variable is not in environment. It will return value as unicode with utf-8 encoding
 +
 +We are using encoding otherwise you will have problem with diacritics in powershell when you want to encode the powershell script before sending it via WinRM.
 +
  
 ===== Installation ===== ===== Installation =====
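Review bot: In the Scripts example, command.replace("$firstName", winrm_wrapper.getParam("firstName")) pastes the attribute value into the PowerShell source as plain text, so a value containing a quote, a backtick or "$(" alters the script that runs on the Windows host; the section should tell script authors to quote or escape values before substitution (for example inside a single-quoted PowerShell string with embedded single quotes doubled) or to pass them as data instead of by text replacement. The same snippet uses os.environ without "import os" and never closes the file; a with block would cover the latter. In the "Managing users groups" paragraph the first sentence is incomplete, "is schema definition" should read "in schema definition", and the last sentence lacks a full stop.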
Line 109: Line 135:
 Now we have prepared the tool which is used by our connector. Next you need to install java connector server. Connector server is not mandatory but as we wrote in the first section it's recommended to use it. Now we have prepared the tool which is used by our connector. Next you need to install java connector server. Connector server is not mandatory but as we wrote in the first section it's recommended to use it.
  
 +<note>Configure log rotation for connector server log file</note>
 You can download whole bundle with prepared and tested connector server here:<note important>It's not released to public yet</note> You can download whole bundle with prepared and tested connector server here:<note important>It's not released to public yet</note>
  
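Review bot: The added <note> says to configure log rotation but names neither the log file nor a method; give the connector server log path and a minimal logrotate entry, or point to the logging configuration, so the reader can act on it.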
Line 121: Line 148:
 You will probably need to add these libs into classpath in ConnectorServer.sh or ConnectorServer.bat it depends on your OS. You will probably need to add these libs into classpath in ConnectorServer.sh or ConnectorServer.bat it depends on your OS.
  
-Now you can put winrm-connector-0.5.jar to the bundles folder inside connector server and you can start it.+If you want to be able to run connector server as a service follow next steps 
 + 
 +<code> 
 +# create user which we run the connector server 
 +useradd connector-server 
 + 
 +#create file 
 +/etc/systemd/system/java-connector-server.service 
 + 
 +# content of the file, change path according where you have your connector server 
 +[Unit] 
 +Description=Java Connector Server Service 
 +[Service] 
 +User=connector-server 
 +WorkingDirectory=/opt/connid-connector-server 
 +ExecStart=/bin/bash /opt/connid-connector-server/bin/ConnectorServer.sh -run -properties /opt/connid-connector-server/conf/connectorserver.properties 
 +SuccessExitStatus=143 
 +[Install] 
 +WantedBy=multi-user.target 
 + 
 +# Reload and enable deamon 
 +systemctl daemon-reload 
 +systemctl enable java-connector-server 
 + 
 +# Use this to start/stop/status 
 +systemctl start java-connector-server 
 +systemctl stop java-connector-server 
 +systemctl status java-connector-server 
 +</code> 
 + 
 +Now you can put winrm-connector-1.0.0.jar to the bundles folder inside connector server and you can start it.
  
 Next thing which you need to do is configure WinRM on windows server or check if WinRM is accessible. You can follow steps from out [[tutorial:adm:configuration_-_winrm|tutorial]] Next thing which you need to do is configure WinRM on windows server or check if WinRM is accessible. You can follow steps from out [[tutorial:adm:configuration_-_winrm|tutorial]]
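Review bot: In the service setup block, "useradd connector-server" creates an ordinary login account and nothing gives it ownership of /opt/connid-connector-server; suggest creating it as a system account without a login shell (useradd --system --shell /usr/sbin/nologin connector-server) and adding the chown step, so the service runs unprivileged and does not fail on file permissions. The block mixes shell commands with unit-file content, and the bare path under "#create file" reads like a command; two separate code blocks would be clearer. The unit has no After=network.target or Restart= setting, and "deamon" in the comment is a typo.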