简介
本文档介绍如何在安全网络分析管理器上将单点登录(SSO)设置为空/默认值。
先决条件
要求
本文档没有任何特定的要求。
使用的组件
本文档中的信息基于安全网络分析管理器(SMC) 7.1版及更高版本。
本文建议使用具有复制和粘贴功能的SSH客户端/应用程序。
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您的网络处于活动状态,请确保您了解所有命令的潜在影响。
问题
配置的SSO设置无效或过时,或者保存无效或过时的SSO配置后,中央管理显示Configuration Changes Failed
。
解决方案
SSO配置有两个部分,即中央管理和联邦管理器。
如果要比较原始配置和最终配置,请运行所有列出的步骤。
如果不需要比较,则仅运行未标记为(可选)的命令。 本文末尾的“单行”命令将为您执行这些步骤。
步骤1.(可选)如果要将当前中央管理配置与最终结果进行比较,请运行 jq '.configurableElements.sso' /lancope/var/services/cm/configuration/$(awk -F\" '{print $8}' /lancope/var/services/cm-agent/configuration/managementChannel.json)/config.json > jqdoldcm.json
命令。
741smc:~# jq '.configurableElements.sso' /lancope/var/services/cm/configuration/$(awk -F\" '{print $8}' /lancope/var/services/cm-agent/configuration/managementChannel.json)/config.json > jqdoldcm.json
741smc:~#
第2步:(可选)如果要将当前配置与最终结果进行比较,请运行jq . /lancope/var/fedlet-manager/conf/fedlet-manager.json > jqdoldfm.json
命令。
741smc:~# jq . /lancope/var/fedlet-manager/conf/fedlet-manager.json > jqdoldfm.json
741smc:~#
第三步:使用tmpfile=$(mktemp)
命令创建临时变量。
741smc:~# tmpfile=$(mktemp)
741smc:~#
第四步:使用cm_file=$(echo /lancope/var/services/cm/configuration/$(awk -F\" '{print $8}' /lancope/var/services/cm-agent/configuration/managementChannel.json)/config.json)
命令创建临时变量。
741smc:~# cm_file=$(echo /lancope/var/services/cm/configuration/$(awk -F\" '{print $8}' /lancope/var/services/cm-agent/configuration/managementChannel.json)/config.json)
741smc:~#
第五步:使用echo $SWINFO_version
命令确定您当前的安全网络分析版本。
741smc:~# echo $SWINFO_version
7.4.1
如果SMC版本是7.4.1,请运行以下命令:
741smc:~# cp $cm_file $tmpfile && jq --arg foo "" --argjson bar false '.configurableElements.sso.ssoEnabled = $bar|.configurableElements.sso.ssoDescription = $foo|.configurableElements.sso.idpXml = $foo|.configurableElements.sso.ssoProxy = $foo|.configurableElements.sso.ssoOnly = $bar|.configurableElements.sso.downloadIdpXml = $bar' "$tmpfile" > $cm_file && rm -f -- $tmpfile
741smc:~# cp /lancope/var/fedlet-manager/conf/fedlet-manager.json $tmpfile && jq --arg foo "" --argjson bar false '.ssoEnabled = $bar|.ssoDescription = $foo|.idpXml = $foo|.ssoProxy = $foo|.state = "NO_CONFIGURATION"|.message="Single Sign-On is not configured."' $tmpfile >/lancope/var/fedlet-manager/conf/fedlet-manager.json && rm -f -- $tmpfile
741smc:~#
如果SMC版本早于7.4.1,请运行以下命令:
711smc:~# cp $cm_file $tmpfile && jq --arg foo "" --argjson bar false '.configurableElements.sso.ssoEnabled = $bar|.configurableElements.sso.ssoDescription = $foo|.configurableElements.sso.idpXml = $foo|.configurableElements.sso.ssoOnly = $bar|.configurableElements.sso.downloadIdpXml = $bar' "$tmpfile" > $cm_file && rm -f -- $tmpfile
711smc:~# cp /lancope/var/fedlet-manager/conf/fedlet-manager.json $tmpfile && jq --arg foo "" --argjson bar false '.ssoEnabled = $bar|.ssoDescription = $foo|.idpXml = $foo|.state = "NO_CONFIGURATION"|.message="Single Sign-On is not configured."' $tmpfile >/lancope/var/fedlet-manager/conf/fedlet-manager.json && rm -f -- $tmpfile
711smc:~#
步骤6.(可选)如果要将最终结果配置与原始配置进行比较,请运行以下命令:
741smc:~# jq '.configurableElements.sso' $cm_file > jqdnewcm.json
741smc:~# jq . /lancope/var/fedlet-manager/conf/fedlet-manager.json > jqdnewfm.json
741smc:~# diff -y jqdoldcm.json jqdnewcm.json
741smc:~# diff -y jqdoldfm.json jqdnewfm.json
第7步:(可选)删除在上一步比较过程中创建的json
文件。
741smc:~# rm -f jqdoldcm.json jqdnewcm.json
741smc:~# rm -f jqdoldfm.json jqdnewfm.json
步骤 8取消设置在本文档开头创建的变量。
711smc:~# unset tmpfile
711smc:~# unset cm_file
711smc:~#
使用docker central-management
命令重新启动中央管理进程。
741smc:~# docker restart svc-central-management
svc-central-management
741smc:~#
单线自动
运行此命令以执行本文中看到的所有步骤。输出包含一些附加格式。
bash <(base64 -d <<< "H4sIALoa7mQAA+1WbW/aMBD+vl9xiqLSTk1Qt06bhKg00VLxoWQq7TapVJXrXGhKYqe2gaGx/75zAuG19GVfpmkSQfjx+V4eP+EO+Z0ED8Hpiq7oGNZDOAAPWiI28JWpmN0mqIGJEE6ZuUMFzZiArjhj/Vj0wGCaQUQQ+L4PDtRMmtll3d1N+3ZzD2o8vZlCaINVEya4zLA6ZKqqUQ1jjrrK0yqXIop7A8VMLEXV3WWjPnjNrgOVn5mKhQH306/Ko8c9Sl2YFScpEwSntNG4Y0Jg4t9rKfamVsUCajpBzMD/ADUs2TDHUmBXnKIxtk4+UIq8QIO+FEvgrHQM2jCDVPn9A1T8MjzRdpLkBtrXWlbAndIAR3D/EMok5Gke/0XhmxgmaKBjQ1rfRVh/mZQoN/KK2lVe6wpWBJ4lEj0jkbkyuEwzcoVzvbwj9EyGcTTOU128ABLKZRayvIYN1FlZTUsqUAWNxeNUXhzB1RW4nW+tdjO4GaLShEO9Dh/9Q//gLUwma5tHxR5cX0MNSLMCeDan350qFHZ2qH7wPKZ6EEkJjlMsci5umYKIJRq33Kl9ToRFQ6iDS0cmW22PUXMVZyYvAFyKucU+DrPvafK0HT1flPwxfpZlIJLx06mGciQSycJWmQLZV8CZMecQwyWdxKJKwYuIuyVqifJXifLl17PhFh4he4XTNeryN5lWTju4aQTtZuv08vzzRStoOxM/Ra0py7rTIS1Tep24J7xAQKxBSFOqHkPfqcyLOHoVBxs5rQHaev9tKf8X6JJA/249RvELm57AUdn0/rBtkavnty3boBprbev9FGWKwOJH3qbO1lpYWxrcp05C3I4kta1Eyj71rjFQz4swb8wDQVORhk4ngBGjeYmbAUtIy/N7gEzhMJYDTahUhTf63CrZR8opSEIbumh/MIE2jmZr6oI2EHjjlclhhdJNPCwUtjo76CLoKjyNvWHSWE4iWkqivIwy9DLJy9QfEnopNPkfzkbMfQjRGuUTpVRMjfOxknA7JCikd0HRrDWd9yibQpFbCVk0eSTdQZ5FqeliORNtUYxzXgTfPMNYXiTv0+RS5jjkHi/svPn8af+/V711Bhmdu5ApZ5v8pHx2aF3ShwuTGB2F7XW8+Q1WFJRR5gsAAA==" | gunzip)
示例输出:
742smc:~# bash <(base64 -d <<< "H4sIALoa7mQAA+1WbW/aMBD+vl9xiqLSTk1Qt06bhKg00VLxoWQq7TapVJXrXGhKYqe2gaGx/75zAuG19GVfpmkSQfjx+V4eP+EO+Z0ED8Hpiq7oGNZDOAAPWiI28JWpmN0mqIGJEE6ZuUMFzZiArjhj/Vj0wGCaQUQQ+L4PDtRMmtll3d1N+3ZzD2o8vZlCaINVEya4zLA6ZKqqUQ1jjrrK0yqXIop7A8VMLEXV3WWjPnjNrgOVn5mKhQH306/Ko8c9Sl2YFScpEwSntNG4Y0Jg4t9rKfamVsUCajpBzMD/ADUs2TDHUmBXnKIxtk4+UIq8QIO+FEvgrHQM2jCDVPn9A1T8MjzRdpLkBtrXWlbAndIAR3D/EMok5Gke/0XhmxgmaKBjQ1rfRVh/mZQoN/KK2lVe6wpWBJ4lEj0jkbkyuEwzcoVzvbwj9EyGcTTOU128ABLKZRayvIYN1FlZTUsqUAWNxeNUXhzB1RW4nW+tdjO4GaLShEO9Dh/9Q//gLUwma5tHxR5cX0MNSLMCeDan350qFHZ2qH7wPKZ6EEkJjlMsci5umYKIJRq33Kl9ToRFQ6iDS0cmW22PUXMVZyYvAFyKucU+DrPvafK0HT1flPwxfpZlIJLx06mGciQSycJWmQLZV8CZMecQwyWdxKJKwYuIuyVqifJXifLl17PhFh4he4XTNeryN5lWTju4aQTtZuv08vzzRStoOxM/Ra0py7rTIS1Tep24J7xAQKxBSFOqHkPfqcyLOHoVBxs5rQHaev9tKf8X6JJA/249RvELm57AUdn0/rBtkavnty3boBprbev9FGWKwOJH3qbO1lpYWxrcp05C3I4kta1Eyj71rjFQz4swb8wDQVORhk4ngBGjeYmbAUtIy/N7gEzhMJYDTahUhTf63CrZR8opSEIbumh/MIE2jmZr6oI2EHjjlclhhdJNPCwUtjo76CLoKjyNvWHSWE4iWkqivIwy9DLJy9QfEnopNPkfzkbMfQjRGuUTpVRMjfOxknA7JCikd0HRrDWd9yibQpFbCVk0eSTdQZ5FqeliORNtUYxzXgTfPMNYXiTv0+RS5jjkHi/svPn8af+/V711Bhmdu5ApZ5v8pHx2aF3ShwuTGB2F7XW8+Q1WFJRR5gsAAA==" | gunzip)
Stage 1 - Init Variables and Gather Files
Making temp file ...
Done
Getting current Central Management state
Done
Getting current Fedlet Statement
Done
Stage 1 - complete
Stage 2 - Modifying configurations
Updating Central Management and Fedlet Manager Configuration
Done
Stage 2 - Complete
Stage 3 - Compare
Comparing CM configurations
Note, this wont look any different unless SSO was actually configured previously or this is broken
Old CM Config | New CM Conf
{ {
"ssoEnabled": true, | "ssoEnabled": false,
"ssoDescription": "Known Bad Configuration", | "ssoDescription": "",
"idpXml": "https://www.example.com", | "idpXml": "",
"ssoProxy": "", "ssoProxy": "",
"ssoOnly": false, "ssoOnly": false,
"downloadIdpXml": true | "downloadIdpXml": false
} }
Comparing Fedlet Statements
Old Fedlet Statement | New Fedlet Statement
{ {
"ssoEnabled": true, | "ssoEnabled": false,
"ssoDescription": "Known Bad Configuration", | "ssoDescription": "",
"idpXml": "", "idpXml": "",
"spFqdn": "742smc.example.com", "spFqdn": "742smc.example.com",
"ssoProxy": "", "ssoProxy": "",
"state": "FAILED_TO_DOWNLOAD_IDP", | "state": "NO_CONFIGURATION",
"message": "We couldn’t reach the Identity Provider URL. En | "message": "Single Sign-On is not configured."
} }
Stage 3 - Complete
Stage 4 - Unset variables, delete temporary files, and restart services
Restarting Central Management
svc-central-management
Restarting Super Tomcat
smc
Done
Stage 4 - complete
742smc:~#