Introduction
This document describes how to set the Single Sign On (SSO) to the empty/default values on the Secure Network Analytics Manager.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on the Secure Network Analytics Manager (SMC) Version 7.1 and later.
An SSH client/application with copy-and-paste functionality is encouraged for this article.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Problem
The SSO settings configured are invalid, or outdated, or the Central Management shows Configuration Changes Failed
Solution
There are two parts to the SSO Configuration which are Central Management and Fedlet Manager.
If a comparison of the original and final configurations is desired, then run all listed steps.
If a comparison is not desired then only run the commands that are not marked as (Optional). A One-Liner command at the end of this article performs the steps for you.
Step 1. (Optional) If you wish to compare the current Central Management configuration with the end result, run the jq '.configurableElements.sso' /lancope/var/services/cm/configuration/$(awk -F\" '{print $8}' /lancope/var/services/cm-agent/configuration/managementChannel.json)/config.json > jqdoldcm.json command.
741smc:~# jq '.configurableElements.sso' /lancope/var/services/cm/configuration/$(awk -F\" '{print $8}' /lancope/var/services/cm-agent/configuration/managementChannel.json)/config.json > jqdoldcm.json
741smc:~#Step 2. (Optional) if you wish to compare the current configuration with the end result, run the jq . /lancope/var/fedlet-manager/conf/fedlet-manager.json > jqdoldfm.json command.
741smc:~# jq . /lancope/var/fedlet-manager/conf/fedlet-manager.json > jqdoldfm.json
741smc:~#
Step 3. Create a temporary variable with the tmpfile=$(mktemp) command.
741smc:~# tmpfile=$(mktemp)
741smc:~#
Step 4. Create a temporary variable with the cm_file=$(echo /lancope/var/services/cm/configuration/$(awk -F\" '{print $8}' /lancope/var/services/cm-agent/configuration/managementChannel.json)/config.json)command.
741smc:~# cm_file=$(echo /lancope/var/services/cm/configuration/$(awk -F\" '{print $8}' /lancope/var/services/cm-agent/configuration/managementChannel.json)/config.json)
741smc:~#Step 5. Determine your current Secure Network Analytics version with the echo $SWINFO_version command.
741smc:~# echo $SWINFO_version
7.4.1
If the SMC version is 7.4.1, run these commands:
741smc:~# cp $cm_file $tmpfile && jq --arg foo "" --argjson bar false '.configurableElements.sso.ssoEnabled = $bar|.configurableElements.sso.ssoDescription = $foo|.configurableElements.sso.idpXml = $foo|.configurableElements.sso.ssoProxy = $foo|.configurableElements.sso.ssoOnly = $bar|.configurableElements.sso.downloadIdpXml = $bar' "$tmpfile" > $cm_file && rm -f -- $tmpfile
741smc:~# cp /lancope/var/fedlet-manager/conf/fedlet-manager.json $tmpfile && jq --arg foo "" --argjson bar false '.ssoEnabled = $bar|.ssoDescription = $foo|.idpXml = $foo|.ssoProxy = $foo|.state = "NO_CONFIGURATION"|.message="Single Sign-On is not configured."' $tmpfile >/lancope/var/fedlet-manager/conf/fedlet-manager.json && rm -f -- $tmpfile
741smc:~#
If the SMC version is earlier than 7.4.1, run these commands:
711smc:~# cp $cm_file $tmpfile && jq --arg foo "" --argjson bar false '.configurableElements.sso.ssoEnabled = $bar|.configurableElements.sso.ssoDescription = $foo|.configurableElements.sso.idpXml = $foo|.configurableElements.sso.ssoOnly = $bar|.configurableElements.sso.downloadIdpXml = $bar' "$tmpfile" > $cm_file && rm -f -- $tmpfile
711smc:~# cp /lancope/var/fedlet-manager/conf/fedlet-manager.json $tmpfile && jq --arg foo "" --argjson bar false '.ssoEnabled = $bar|.ssoDescription = $foo|.idpXml = $foo|.state = "NO_CONFIGURATION"|.message="Single Sign-On is not configured."' $tmpfile >/lancope/var/fedlet-manager/conf/fedlet-manager.json && rm -f -- $tmpfile
711smc:~#
Step 6. (Optional) If you wish to compare the end result configuration with the original configurations, run these commands:
741smc:~# jq '.configurableElements.sso' $cm_file > jqdnewcm.json
741smc:~# jq . /lancope/var/fedlet-manager/conf/fedlet-manager.json > jqdnewfm.json
741smc:~# diff -y jqdoldcm.json jqdnewcm.json
741smc:~# diff -y jqdoldfm.json jqdnewfm.json
Step 7. (Optional) Delete the json files created as part of this comparison process in the last step.
741smc:~# rm -f jqdoldcm.json jqdnewcm.json
741smc:~# rm -f jqdoldfm.json jqdnewfm.json
Step 8. Unset the variables created at the start of this document.
711smc:~# unset tmpfile
711smc:~# unset cm_file
711smc:~#
Restart the central management process with the docker central-managementcommand.
741smc:~# docker restart svc-central-management
svc-central-management
741smc:~#
One-Liner Automatic
Run this command to perform all of the steps seen in this article. The output contains some additional formatting.
bash <(base64 -d <<< "H4sIALoa7mQAA+1WbW/aMBD+vl9xiqLSTk1Qt06bhKg00VLxoWQq7TapVJXrXGhKYqe2gaGx/75zAuG19GVfpmkSQfjx+V4eP+EO+Z0ED8Hpiq7oGNZDOAAPWiI28JWpmN0mqIGJEE6ZuUMFzZiArjhj/Vj0wGCaQUQQ+L4PDtRMmtll3d1N+3ZzD2o8vZlCaINVEya4zLA6ZKqqUQ1jjrrK0yqXIop7A8VMLEXV3WWjPnjNrgOVn5mKhQH306/Ko8c9Sl2YFScpEwSntNG4Y0Jg4t9rKfamVsUCajpBzMD/ADUs2TDHUmBXnKIxtk4+UIq8QIO+FEvgrHQM2jCDVPn9A1T8MjzRdpLkBtrXWlbAndIAR3D/EMok5Gke/0XhmxgmaKBjQ1rfRVh/mZQoN/KK2lVe6wpWBJ4lEj0jkbkyuEwzcoVzvbwj9EyGcTTOU128ABLKZRayvIYN1FlZTUsqUAWNxeNUXhzB1RW4nW+tdjO4GaLShEO9Dh/9Q//gLUwma5tHxR5cX0MNSLMCeDan350qFHZ2qH7wPKZ6EEkJjlMsci5umYKIJRq33Kl9ToRFQ6iDS0cmW22PUXMVZyYvAFyKucU+DrPvafK0HT1flPwxfpZlIJLx06mGciQSycJWmQLZV8CZMecQwyWdxKJKwYuIuyVqifJXifLl17PhFh4he4XTNeryN5lWTju4aQTtZuv08vzzRStoOxM/Ra0py7rTIS1Tep24J7xAQKxBSFOqHkPfqcyLOHoVBxs5rQHaev9tKf8X6JJA/249RvELm57AUdn0/rBtkavnty3boBprbev9FGWKwOJH3qbO1lpYWxrcp05C3I4kta1Eyj71rjFQz4swb8wDQVORhk4ngBGjeYmbAUtIy/N7gEzhMJYDTahUhTf63CrZR8opSEIbumh/MIE2jmZr6oI2EHjjlclhhdJNPCwUtjo76CLoKjyNvWHSWE4iWkqivIwy9DLJy9QfEnopNPkfzkbMfQjRGuUTpVRMjfOxknA7JCikd0HRrDWd9yibQpFbCVk0eSTdQZ5FqeliORNtUYxzXgTfPMNYXiTv0+RS5jjkHi/svPn8af+/V711Bhmdu5ApZ5v8pHx2aF3ShwuTGB2F7XW8+Q1WFJRR5gsAAA==" | gunzip)
Example output:
742smc:~# bash <(base64 -d <<< "H4sIALoa7mQAA+1WbW/aMBD+vl9xiqLSTk1Qt06bhKg00VLxoWQq7TapVJXrXGhKYqe2gaGx/75zAuG19GVfpmkSQfjx+V4eP+EO+Z0ED8Hpiq7oGNZDOAAPWiI28JWpmN0mqIGJEE6ZuUMFzZiArjhj/Vj0wGCaQUQQ+L4PDtRMmtll3d1N+3ZzD2o8vZlCaINVEya4zLA6ZKqqUQ1jjrrK0yqXIop7A8VMLEXV3WWjPnjNrgOVn5mKhQH306/Ko8c9Sl2YFScpEwSntNG4Y0Jg4t9rKfamVsUCajpBzMD/ADUs2TDHUmBXnKIxtk4+UIq8QIO+FEvgrHQM2jCDVPn9A1T8MjzRdpLkBtrXWlbAndIAR3D/EMok5Gke/0XhmxgmaKBjQ1rfRVh/mZQoN/KK2lVe6wpWBJ4lEj0jkbkyuEwzcoVzvbwj9EyGcTTOU128ABLKZRayvIYN1FlZTUsqUAWNxeNUXhzB1RW4nW+tdjO4GaLShEO9Dh/9Q//gLUwma5tHxR5cX0MNSLMCeDan350qFHZ2qH7wPKZ6EEkJjlMsci5umYKIJRq33Kl9ToRFQ6iDS0cmW22PUXMVZyYvAFyKucU+DrPvafK0HT1flPwxfpZlIJLx06mGciQSycJWmQLZV8CZMecQwyWdxKJKwYuIuyVqifJXifLl17PhFh4he4XTNeryN5lWTju4aQTtZuv08vzzRStoOxM/Ra0py7rTIS1Tep24J7xAQKxBSFOqHkPfqcyLOHoVBxs5rQHaev9tKf8X6JJA/249RvELm57AUdn0/rBtkavnty3boBprbev9FGWKwOJH3qbO1lpYWxrcp05C3I4kta1Eyj71rjFQz4swb8wDQVORhk4ngBGjeYmbAUtIy/N7gEzhMJYDTahUhTf63CrZR8opSEIbumh/MIE2jmZr6oI2EHjjlclhhdJNPCwUtjo76CLoKjyNvWHSWE4iWkqivIwy9DLJy9QfEnopNPkfzkbMfQjRGuUTpVRMjfOxknA7JCikd0HRrDWd9yibQpFbCVk0eSTdQZ5FqeliORNtUYxzXgTfPMNYXiTv0+RS5jjkHi/svPn8af+/V711Bhmdu5ApZ5v8pHx2aF3ShwuTGB2F7XW8+Q1WFJRR5gsAAA==" | gunzip)
Stage 1 - Init Variables and Gather Files
Making temp file ...
Done
Getting current Central Management state
Done
Getting current Fedlet Statement
Done
Stage 1 - complete
Stage 2 - Modifying configurations
Updating Central Management and Fedlet Manager Configuration
Done
Stage 2 - Complete
Stage 3 - Compare
Comparing CM configurations
Note, this wont look any different unless SSO was actually configured previously or this is broken
Old CM Config | New CM Conf
{ {
"ssoEnabled": true, | "ssoEnabled": false,
"ssoDescription": "Known Bad Configuration", | "ssoDescription": "",
"idpXml": "https://www.example.com", | "idpXml": "",
"ssoProxy": "", "ssoProxy": "",
"ssoOnly": false, "ssoOnly": false,
"downloadIdpXml": true | "downloadIdpXml": false
} }
Comparing Fedlet Statements
Old Fedlet Statement | New Fedlet Statement
{ {
"ssoEnabled": true, | "ssoEnabled": false,
"ssoDescription": "Known Bad Configuration", | "ssoDescription": "",
"idpXml": "", "idpXml": "",
"spFqdn": "742smc.example.com", "spFqdn": "742smc.example.com",
"ssoProxy": "", "ssoProxy": "",
"state": "FAILED_TO_DOWNLOAD_IDP", | "state": "NO_CONFIGURATION",
"message": "We couldn’t reach the Identity Provider URL. En | "message": "Single Sign-On is not configured."
} }
Stage 3 - Complete
Stage 4 - Unset variables, delete temporary files, and restart services
Restarting Central Management
svc-central-management
Restarting Super Tomcat
smc
Done
Stage 4 - complete
742smc:~#
Feedback