Configuring single sign-on and adding Web GUI customization with scripts

Learn how to customize the Web GUI in your Netcool® Operations Insight® on OpenShift® 1.6.10 deployment.

About this task

You can add customization to the Web GUI with start or stop scripts, which can be mounted from a configmap. For example, you can configure Netcool Operations Insight on OpenShift to use Security Assertion Markup Language (SAML) as an authentication service for single sign-on. This configuration is customized by running more user-provided scripts as part of the webgui container startup process. A configmap object provides the customized scripts.

Startup scripts are mounted as shell scripts and sourced as part of the container startup or shutdown. Scripts are mounted before or after the server starts or stops. Startup scripts consist of four sections or files:

  • pre-server-start
  • pre-server-stop
  • post-server-start
  • post-server-stop

User scripts are a collection of files that are mounted on the container in the directory that is pointed to by the ${USER_SCRIPTS_DIRECTORY} environment variable. These files can be other shell scripts, python scripts, certificate files, and any other files that can be used as part of the script.

Procedure

  1. Create two YAML files, which contain your customization scripts. One file for startup scripts and another for user scripts, as in the following examples.
    Example <release-name>-webgui-startup-scripts.yaml file for startup scripts:
    apiVersion: v1
    kind: ConfigMap
    metadata:
      labels:
        managedByUser: "true"
      name: <release-name>-webgui-startup-scripts
    Example <release-name>-webgui-user-scripts.yaml file for user scripts:
    apiVersion: v1
    kind: ConfigMap
    metadata:
      labels:
        managedByUser: "true"
      name: <release-name>-webgui-user-scripts
  2. Note: The configmaps must be created before you install the product.
    Create two configmaps, one for each YAML file, by running the following commands:
    oc create -f <release-name>-webgui-startup-scripts.yaml
    oc create -f <release-name>-webgui-user-scripts.yaml
  3. Ensure that the managedByUser parameter is set to true in each configmap. Otherwise, the operator replaces the configmap.
  4. Configure SAML by adding a python script in the webgui-user-scripts configmap, as in the following example:
    configureSAML.py: |
        #
    
        print "Configure SAML Interceptor"
        # create SAML configiration
        AdminTask.configureInterceptor('[-interceptor com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor -customProperties [ '
            '"sso_1.sp.acsUrl=https://<cluster>/samlsps/netcool",'
            '"sso_1.sp.idMap=localRealm",'
            '"sso_1.idp_1.EntityID=https://<cluster>/samlsps/netcool",'
            '"sso_1.idp_1.SingleSignOnUrl=https://login.ibm.com/saml/sps/saml20ip/saml20/login.jsp?RequestBinding=HTTPPost&PartnerId=noi-test&NameIdFormat=Email&Target=https://<cluster>/",'
            '"sso_1.sp.filter=request-url^=oauth2/login.jsp|/snoop"]]')
        # trust realm
        AdminTask.configureTrustedRealms(['-communicationType', 'inbound', '-trustAllRealms'])
        AdminTask.configureTrustedRealms(['-communicationType', 'outbound', '-trustAllRealms'])
    
        # And done
        AdminConfig.save()
    For more information about these parameters, see SAML web single sign-on (SSO) trust association interceptor (TAI) custom properties.
    Include the certificate needed to trust the Identity Provider (IdP) as another file in the same configmap, as in the following example:
      SAMLCert.pem: |
        -----BEGIN CERTIFICATE-----
        MIIDUDCCAjgCCQ...
          <Insert here their IdP trust certificates>
        ...k+qTDaA2kiOcABCYLl59iXYZj/abdEF1g/
        -----END CERTIFICATE-----
  5. Start the scripts and register the certificate in the truststore.
    pre-server-start: |
        #
        # Pre server startup script
        #
        echo "Running pre-server startup custom scripts"
    
        echo "Import the certificate"
        /home/netcool/app/was/java/bin/keytool -noprompt \
            -import -trustcacerts -alias saml-store \
            -keystore /home/netcool/app/jazz/profile/config/cells/JazzSMNode01Cell/nodes/JazzSMNode01/trust.p12 \
            -storetype PKCS12 -noprompt -storepass WebAS -file ${USER_SCRIPTS_DIRECTORY}/SAMLCert.pem
    
        echo "Configure SAML"
        /home/netcool/app/jazz/profile/bin/wsadmin.sh -username smadmin -password ${WAS_PASSWORD} -conntype NONE -lang jython -f ${USER_SCRIPTS_DIRECTORY}/configureSAML.py

What to do next

For more information about single sign-on, see Single sign-on. For information about the LDAP Proxy configmap, see LDAP Proxy configmap.