Difference between revisions of "Fusion Security integration with FMR"
(→Ensuring FMR can communicate with Fusion Security) |
|||
(23 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
+ | [[Category:Installation_and_Configuration]] | ||
+ | [[Category:RegistrySecurity]] | ||
+ | [[Category:FMR_Configuration_Reference]] | ||
+ | [[Category:How_To V11]] | ||
== Overview == | == Overview == | ||
This guide explains how to get Fusion Security to communicate with the Fusion Metadata Registry. Please note, that "Fusion Security" is an old Security Web Application and should not be confused with the newer product "Fusion Security Manager". | This guide explains how to get Fusion Security to communicate with the Fusion Metadata Registry. Please note, that "Fusion Security" is an old Security Web Application and should not be confused with the newer product "Fusion Security Manager". | ||
Line 8: | Line 12: | ||
Fusion Security is a Java Web Application that can be deployed like any other WAR file. If possible it is recommended to have it on a different Tomcat to the one running FMR. For the purposes of this guide, it is assumed to be running on localhost, port: 8081 with the name of "Fusion Security". So direct access to its ui would be made at http://localhost:8081/FusionSecurity | Fusion Security is a Java Web Application that can be deployed like any other WAR file. If possible it is recommended to have it on a different Tomcat to the one running FMR. For the purposes of this guide, it is assumed to be running on localhost, port: 8081 with the name of "Fusion Security". So direct access to its ui would be made at http://localhost:8081/FusionSecurity | ||
− | Most of Fusion Security's configuration must be specified within the Fusion Security configuration file. To read more on this please | + | Most of Fusion Security's configuration must be specified within the Fusion Security configuration file. To read more on this please refer to the [[Media:FusionSecurity2_SetupGuide.pdf|Setup Guide]]. For the use of Fusion Security please refer to the [[Media:FusionSecurity2_UserGuide.pdf|User Guide]]. |
Once Fusion Security has started you can check it is operational by checking the following pages: | Once Fusion Security has started you can check it is operational by checking the following pages: | ||
Line 22: | Line 26: | ||
+ | This value needs to be specified as the security.url in the FMR database. You may not use the User Interface to do this. To modify the database: | ||
− | + | 1. Using the database tool of choice edit the table: registry_settings | |
− | + | 2. Modify or add the following values | |
− | Using the database tool of choice edit the table: registry_settings | + | <pre> |
− | Modify or add the following values | ||
security.auth.prov: registry | security.auth.prov: registry | ||
security.url: http://localhost:8081/FusionSecurity | security.url: http://localhost:8081/FusionSecurity | ||
− | + | </pre> | |
+ | or run the following SQL (for MySQL): | ||
+ | <pre> | ||
INSERT INTO `registry_settings`(`name`,`value`) | INSERT INTO `registry_settings`(`name`,`value`) | ||
VALUES | VALUES | ||
Line 38: | Line 44: | ||
`name` = VALUES(`name`), | `name` = VALUES(`name`), | ||
`value` = VALUES(`value`); | `value` = VALUES(`value`); | ||
+ | </pre> | ||
+ | FMR '''must''' be restarted after this. This change will not change a running Registry. | ||
− | Fusion | + | NOTE: When viewining an FMR connected to a Fusion Security, the Server Security page will not explicitly show this connection. |
+ | == Troubleshooting == | ||
− | + | === Eratic behaviour in the User Interface === | |
+ | Fusion Security will time out a user after 15 minutes of inactivity, where inactivity is defined as being no communication from client to server. After this period, the root / admin user of Fusion Security is logged out, but there is no clue given via the front-end User Interface. The User Interface may then act erratically. If you suspect Fusion Security is not performing tasks correctly: | ||
+ | * In your browser of choice, navigate to the front page of Fusion Security. If logged in, explicitly click log out | ||
+ | * Log in as the root user | ||
+ | * Attempt the task again | ||
− | + | === Web Service Communication === | |
− | + | '''Fusion Security communicate to FMR via the Web Service:''' | |
− | |||
− | == Web Service Communication == | ||
− | |||
<pre> | <pre> | ||
http://localhost:8080/FusionRegistry/ws/public/sdmxapi/rest/organisationscheme/all/all/latest/?references=none&detail=full | http://localhost:8080/FusionRegistry/ws/public/sdmxapi/rest/organisationscheme/all/all/latest/?references=none&detail=full | ||
</pre> | </pre> | ||
+ | This Web Service must be returning in SDMX 2.1 format all of the Organisations present in FMR. | ||
− | FMR communicate to | + | '''FMR communicate to Fusion Security via the Web Service:''' |
<pre> | <pre> | ||
− | + | http://localhost:8081/FusionSecurity/ws/auth/organisationscheme/all/all/latest/?references=none&detail=full | |
</pre> | </pre> | ||
+ | |||
+ | This is a secure Web Service and so is invoked with user and password credentials. It returns informnation about the user such as the user's role and administration permissions. | ||
=== Ensuring Fusion Security can communicate with FMR === | === Ensuring Fusion Security can communicate with FMR === | ||
Line 72: | Line 85: | ||
* In FMR attempt to logon as this user | * In FMR attempt to logon as this user | ||
* If you are now logged in to the FMR and can access the Settings pages the 2 systems are communicating correctly | * If you are now logged in to the FMR and can access the Settings pages the 2 systems are communicating correctly | ||
+ | |||
+ | If you see failures, look at the FMR log and look for communication to Fusion Security. There should be entries like: | ||
+ | <pre> | ||
+ | INFO qtp1076496284-44 io.sdmx.fusion.service.manager.FusionSecurityRESTAuthenticationManager - Attempting authentication for: <user> | ||
+ | INFO qtp1076496284-44 io.sdmx.utils.http.broker.RestMessageBroker - Call URL: http://localhost:8081/FusionSecurity/ws/auth/organisationscheme/all/all/latest/?references=none&detail=full | ||
+ | </pre> | ||
+ | |||
+ | Look for errors of mis-configured URLs |
Latest revision as of 03:10, 30 March 2024
Contents
Overview
This guide explains how to get Fusion Security to communicate with the Fusion Metadata Registry. Please note, that "Fusion Security" is an old Security Web Application and should not be confused with the newer product "Fusion Security Manager".
Support for Fusion Security was added in FMR version 11.9.0, so this information is only applicable to FMR 11.9.0 and subsequent versions.
Setting up Fusion Security
Fusion Security is a Java Web Application that can be deployed like any other WAR file. If possible it is recommended to have it on a different Tomcat to the one running FMR. For the purposes of this guide, it is assumed to be running on localhost, port: 8081 with the name of "Fusion Security". So direct access to its ui would be made at http://localhost:8081/FusionSecurity
Most of Fusion Security's configuration must be specified within the Fusion Security configuration file. To read more on this please refer to the Setup Guide. For the use of Fusion Security please refer to the User Guide.
Once Fusion Security has started you can check it is operational by checking the following pages:
- The front page of the User Interface: http://localhost:8081/FusionSecurity
- The product information page: http://localhost:8081/FusionSecurity/ws/fusion/info/product
Setting up Communication from FMR to Fusion Security
There is no User Interface to assign Fusion Security as FMR's security mechanism. The assignment must be performed via database manipulation.
- Start your Fusion Security instance in the Tomcat of your choice. We recommend using port 8081.
- Determine what the entry point for your Fusion Security instance is. An example of this is: http://localhost:8081/FusionSecurity . This value is the front page of Fusion Security but should not have any explicit pages (such as overview.html or index.html) in it.
This value needs to be specified as the security.url in the FMR database. You may not use the User Interface to do this. To modify the database:
1. Using the database tool of choice edit the table: registry_settings 2. Modify or add the following values
security.auth.prov: registry security.url: http://localhost:8081/FusionSecurity
or run the following SQL (for MySQL):
INSERT INTO `registry_settings`(`name`,`value`) VALUES ('security.auth.prov','registry'), ('security.url','http://localhost:8081/FusionSecurity') ON DUPLICATE KEY UPDATE `name` = VALUES(`name`), `value` = VALUES(`value`);
FMR must be restarted after this. This change will not change a running Registry.
NOTE: When viewining an FMR connected to a Fusion Security, the Server Security page will not explicitly show this connection.
Troubleshooting
Eratic behaviour in the User Interface
Fusion Security will time out a user after 15 minutes of inactivity, where inactivity is defined as being no communication from client to server. After this period, the root / admin user of Fusion Security is logged out, but there is no clue given via the front-end User Interface. The User Interface may then act erratically. If you suspect Fusion Security is not performing tasks correctly:
- In your browser of choice, navigate to the front page of Fusion Security. If logged in, explicitly click log out
- Log in as the root user
- Attempt the task again
Web Service Communication
Fusion Security communicate to FMR via the Web Service:
http://localhost:8080/FusionRegistry/ws/public/sdmxapi/rest/organisationscheme/all/all/latest/?references=none&detail=full
This Web Service must be returning in SDMX 2.1 format all of the Organisations present in FMR.
FMR communicate to Fusion Security via the Web Service:
http://localhost:8081/FusionSecurity/ws/auth/organisationscheme/all/all/latest/?references=none&detail=full
This is a secure Web Service and so is invoked with user and password credentials. It returns informnation about the user such as the user's role and administration permissions.
Ensuring Fusion Security can communicate with FMR
- In your browser of choice, navigate to the front page of Fusion Security
- Log in as the root user
- Select a user other than the root user - if no other users exist, create one.
- On the right-hand side of the screen should be 2 tabs: "User Details" and "Organisations". Click on Organisations
- A tree of structures obtained from the FMR should be displayed. This is grouped by Agencies, Data Providers and Data Consumers.
- If this list is populated with the correct structures, then Fusion Security can get information from FMR. If not, then Fusion Security has not been set up correctly.
Ensuring FMR can communicate with Fusion Security
- Explicitly log out of Fusion Security (if logged in) and then log in as the root user.
- Create a new user in Fusion Security with an easy name and simple password. Do not use unusual characters in either the username or password - stick to simple alphanumerics.
- Set this new user to be an Administrator
- In FMR attempt to logon as this user
- If you are now logged in to the FMR and can access the Settings pages the 2 systems are communicating correctly
If you see failures, look at the FMR log and look for communication to Fusion Security. There should be entries like:
INFO qtp1076496284-44 io.sdmx.fusion.service.manager.FusionSecurityRESTAuthenticationManager - Attempting authentication for: <user> INFO qtp1076496284-44 io.sdmx.utils.http.broker.RestMessageBroker - Call URL: http://localhost:8081/FusionSecurity/ws/auth/organisationscheme/all/all/latest/?references=none&detail=full
Look for errors of mis-configured URLs