Managing AAA Sources via IAP Profiles
  • 22 Aug 2023

Article Summary

Itential Automation Platform (IAP) supports integration with several Authentication, Authorization and Accounting (AAA) sources. Upon initial installation of IAP, the system uses a local AAA service as its source. This is often replaced with an external AAA source such as OpenLDAP or Active Directory Domain Services. If the active AAA source is unavailable, no user can log in to IAP.

IAP supports the use of one active AAA source at a time; however, to provide a layer of redundancy, multiple AAA sources can be configured on the IAP system. For example, if an IAP system is integrated with a single AAA source -- such as an LDAP server -- and that LDAP server becomes unavailable, users are unable to log in to IAP. To prepare for such a scenario, a secondary AAA source can be configured. Operators may then manually switch to the secondary AAA source if the primary source becomes unavailable.

⚠ Warning:

AAA sources cannot be federated by enabling multiple simultaneously. Doing so may prevent users from logging in to IAP.


In this document, you will learn how to use IAP profiles to manage AAA sources. A best practice strategy for managing multiple AAA sources via these profiles will be outlined. The procedure for switching between these profiles will be detailed and should be well understood by operations teams.

Managing AAA Sources via IAP Profiles

An IAP profile designates the specific services (applications and adapters) that should be enabled on the IAP server. It is loaded on system startup as defined in the properties.json file. When an application or an adapter is installed and configured, it can then be enabled or disabled per profile. As such, to manage multiple AAA sources via IAP profile:

  1. The relevant AAA adapters are configured on the IAP system.
  2. These adapters are added to separate IAP profiles.
  3. The active IAP profile is changed based on which AAA source is to be used.

⚠ Note:

Only one IAP profile may be active at any time. After making a new profile active, IAP must be restarted for the changes to take effect.


Configuring AAA Adapters

First, all relevant AAA adapters must be configured. Adapters are the software components of IAP that handle the sending and receiving of data to and from external systems. Data is delivered to an adapter via a mechanism within IAP called a broker. A broker is responsible for delivering certain types of data to an adapter. For example, AAA adapters (e.g., LDAP, AD, and RADIUS) must be configured with the aaa broker to receive AAA-specific requests.

Adapters are configured via the Adapters menu of Admin Essentials:

  1. From the IAP dashboard, launch the Admin Essentials application. This application is only available to administrator-level users.
  2. Expand Adapters via the Admin Essentials side navigation menu.
  3. Select the adapter that you would like to configure from the list that is displayed.

The configuration (sometimes known as the service config) of the adapter will be shown. Figure 1 shows an example configuration for the Local AAA adapter.

⚠ Note:

Advanced view has been enabled in Figure 1 to show the adapter configuration in JSON format. Advanced view can be enabled or disabled using the toggle in the upper-right corner.


Figure 1: Adapter Configuration


By default, the Local AAA adapter is configured to point to the MongoDB datastore that was specified during IAP installation. The most important component of the Service Config in Figure 1 is on line 28. Note that aaa is configured within the brokers array. This means that any incoming request to authenticate with IAP will be directed to this adapter. In turn, the adapter will search the local MongoDB datastore for a match to the username and password sent in the authentication request.

Proper setup of each required AAA adapter is crucial. All relevant AAA adapters should be configured and tested before proceeding. Refer to the Integrations & Adapters section of the IAP documentation for detailed information on adapter configuration.

Creating IAP Profiles

After all relevant AAA adapters have been configured, multiple IAP profiles must be created -- one for each of the AAA adapters to be used. Profiles are created via the Profiles menu of Admin Essentials. To create a new profile, you will need to clone the default profile:

  1. From the IAP dashboard, launch the Admin Essentials application.
  2. Expand Profiles via the Admin Essentials side navigation menu.
  3. Select the default profile from the list that is displayed. In most cases, the default profile is profile1.
  4. Click the menu button (stacked dots) at the upper-right corner of the window. Select Clone from the menu to open the clone modal.
  5. Enter the desired name for the new profile, then click the Clone button at the bottom-left of the modal. Itential recommends naming the cloned profile in such a way that the AAA source it uses is readily apparent.

Creating a new profile by cloning the default profile ensures that all required running properties and server configurations are included.

In the following example (Figure 2), two profiles were created by cloning the default profile: LDAP and LocalAAA.

Figure 2: Cloning the Default Profile



Configuring IAP Profiles

Next, the newly created profiles must be configured:

  1. From the IAP dashboard, launch the Admin Essentials application.
  2. Expand Profiles via the Admin Essentials side navigation menu.
  3. Select the profile you would like to edit (configure) from the list that is displayed.
  4. Click the Configure tab located near the top of the window.

From the Configure tab, adapters can be enabled or disabled via the Adapters option (accessed beneath the Edit Profile Services header). To enable an adapter:

  1. Select the checkbox for the adapter.
  2. Click the Save icon in the upper-left corner.

In the following example (Figure 3), the LocalAAA profile created in the previous section has been selected for configuration. The Local AAA adapter has been enabled via its checkbox; all other AAA adapters remain disabled (unchecked).

Figure 3: Local AAA Profile Configuration



In Figure 4, the LDAP profile has been selected for configuration, and only the LDAP adapter has been enabled (checked).

Figure 4: LDAP Profile Configuration



Switching Between Profiles

Once all profiles are configured, operators may switch between them to determine which AAA source is used by IAP. To change the active IAP profile:

  1. From the IAP dashboard, launch the Admin Essentials application.
  2. Expand Profiles via the Admin Essentials side navigation menu.
  3. Select the profile you would like to make active from the list that is displayed.
  4. Click the menu button (stacked dots) in the upper-right corner.
  5. Select View Metadata from the menu to open the metadata drawer.
  6. Click the Active Profile toggle to mark the selected profile as the active profile (Figure 5).
  7. Click the Save button at the bottom-left of the metadata drawer. A success banner will display, prompting you to restart IAP.
  8. Restart the IAP server. In IAP environments utilizing MongoDB replica sets, all IAP servers reading data from the MongoDB database will need to be restarted.

⚠ Warning:

In some IAP versions, the active AAA adapter is prevented from loading properly if any other AAA adapter is using the "aaa" broker. As a recommended precaution, be sure the "aaa" broker is only present in the configuration of the AAA adapter to be used.


Figure 5: Enabling a Profile


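The two broker rules stated above (an adapter receives authentication requests when aaa appears in the brokers array of its service config, and, per the warning, aaa should be present only on the AAA adapter that is actually in use) can be verified before a profile is switched. The following Python check is an added example and not part of IAP: it assumes each adapter's service config is a dictionary with an id and a brokers list, and the adapter names, profile names and sample configs are constructed for illustration.

```python
"""Pre-switch check: which adapters own the "aaa" broker?

Added example, not part of IAP. The page states that an adapter receives
authentication requests when "aaa" appears in the brokers array of its
service config, and that in some versions the active AAA adapter fails to
load if any other adapter also carries "aaa". The service-config shape
(an "id" and a "brokers" list per adapter) and the adapter names are assumed.
"""
from typing import Dict, List

# Constructed sample service configs; only "id" and "brokers" matter here.
ADAPTER_CONFIGS: Dict[str, dict] = {
    "local_aaa": {"id": "local_aaa", "brokers": ["aaa"]},
    "ldap":      {"id": "ldap", "brokers": ["aaa"]},   # leftover from the LDAP profile
    "nso":       {"id": "nso", "brokers": []},         # not an AAA adapter
}

# Constructed profiles: profile name -> adapters enabled in that profile.
PROFILES: Dict[str, List[str]] = {
    "LocalAAA": ["local_aaa", "nso"],
    "LDAP": ["ldap", "nso"],
}


def aaa_broker_owners(configs: Dict[str, dict]) -> List[str]:
    """All adapters whose service config lists the "aaa" broker."""
    return sorted(aid for aid, cfg in configs.items()
                  if "aaa" in cfg.get("brokers", []))


def check_profile(profile: str, configs: Dict[str, dict],
                  profiles: Dict[str, List[str]]) -> List[str]:
    """Return the problems that would break logins after switching to
    `profile`; an empty list means the switch is safe."""
    enabled = set(profiles[profile])
    owners = aaa_broker_owners(configs)
    active = [a for a in owners if a in enabled]
    problems = []
    if not active:
        problems.append(f"{profile}: no enabled adapter carries the 'aaa' broker; "
                        "nobody could authenticate")
    elif len(active) > 1:
        problems.append(f"{profile}: several enabled adapters carry 'aaa' "
                        f"({', '.join(active)}); AAA sources cannot be federated")
    # The page's warning: a disabled adapter that still carries "aaa" can
    # stop the active AAA adapter from loading in some IAP versions.
    stale = [a for a in owners if a not in enabled]
    if stale:
        problems.append(f"{profile}: 'aaa' also configured on disabled adapters "
                        f"({', '.join(stale)}); remove it before switching")
    return problems


def strip_aaa_broker(configs: Dict[str, dict], keep: str) -> Dict[str, dict]:
    """Return a copy of `configs` in which only `keep` retains the "aaa"
    broker, i.e. the remediation the warning recommends."""
    fixed = {}
    for aid, cfg in configs.items():
        brokers = list(cfg.get("brokers", []))
        if aid != keep:
            brokers = [b for b in brokers if b != "aaa"]
        fixed[aid] = {**cfg, "brokers": brokers}
    return fixed


if __name__ == "__main__":
    for name in PROFILES:
        print(name, check_profile(name, ADAPTER_CONFIGS, PROFILES) or ["OK"])
    cleaned = strip_aaa_broker(ADAPTER_CONFIGS, keep="local_aaa")
    print("after cleanup:", check_profile("LocalAAA", cleaned, PROFILES) or ["OK"])
```

Run against the constructed configs, switching to LocalAAA is flagged because the disabled LDAP adapter still carries the aaa broker; after strip_aaa_broker removes it from every adapter except local_aaa, the LocalAAA profile passes. Feeding the check with real service configs exported from Admin Essentials is left to the operator.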

Directly Editing the IAP Profile via properties.json

Itential recommends changing the profile configuration via the UI whenever possible. However, if an unavailable AAA source has made IAP inaccessible, the active profile can be changed by editing the properties.json file:

  1. Navigate to the properties.json file (located in $IAP_HOME/current) and open it via text editor.
  2. Find the configuration line for id (e.g., "id": "LDAP").
  3. Change the value of id to the exact name of the desired profile as it exists in the datastore (e.g., "id": "LocalAAA").
  4. Restart the IAP server.
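As an added example (not Itential's tooling), the following Python script performs steps 1 to 3 of this procedure against a properties.json laid out as in Appendix A: it changes the value of id, keeps a .bak copy of the original, preserves the file's permission bits and replaces the file atomically so that a crash mid-write cannot leave IAP with a truncated file. The restart in step 4 is left to the operator. The sample file contents, placeholder credentials and temporary IAP_HOME used in the demo are constructed.

```python
"""Switch the active IAP profile by editing properties.json.

Added example, not Itential's tooling. It performs steps 1 to 3 of the
procedure above: read $IAP_HOME/current/properties.json, change the value
of "id" to the desired profile and write the file back. Restarting IAP
(step 4) is left to the operator. The file layout follows Appendix A; the
sample contents and the IAP_HOME path used in the demo are constructed.
"""
import json
import os
import shutil
import tempfile
from pathlib import Path


def active_profile(path) -> str:
    """Name of the profile that will be loaded at the next IAP start."""
    return json.loads(Path(path).read_text())["id"]


def set_active_profile(path, new_profile: str) -> str:
    """Point properties.json at `new_profile`; return the previous id.

    Keeps a .bak copy of the original, preserves the file's permission bits
    (the file carries the MongoDB credentials) and replaces it atomically.
    """
    if not isinstance(new_profile, str) or not new_profile.strip():
        raise ValueError("profile name must be a non-empty string")
    p = Path(path)
    props = json.loads(p.read_text())
    if "id" not in props:
        raise ValueError(f"{p}: no 'id' key; is this an IAP properties.json?")
    previous = props["id"]
    if previous == new_profile:
        return previous                      # nothing to do
    shutil.copy2(p, p.parent / (p.name + ".bak"))
    props["id"] = new_profile
    mode = p.stat().st_mode & 0o777
    fd, tmp = tempfile.mkstemp(dir=p.parent, prefix=".properties.")
    with os.fdopen(fd, "w") as fh:
        json.dump(props, fh, indent=2)
        fh.write("\n")
    os.chmod(tmp, mode)
    os.replace(tmp, p)                       # atomic rename on POSIX
    return previous


# Constructed sample file (mirrors Appendix A; credentials are placeholders).
SAMPLE_PROPERTIES = {
    "pathProps": {"description": "File Path Variables",
                  "sdk_dir": "/opt/pronghorn-applications", "encrypted": True},
    "id": "LDAP",
    "mongoProps": {"credentials": {"passwd": "changeme", "user": "itentialUser"},
                   "db": "pronghorn", "url": "mongodb://localhost:27017"},
}


def demo(new_profile: str = "LocalAAA") -> dict:
    """Run the switch against a throwaway copy of the sample file."""
    with tempfile.TemporaryDirectory() as iap_home:     # stands in for $IAP_HOME
        path = Path(iap_home) / "current" / "properties.json"
        path.parent.mkdir()
        path.write_text(json.dumps(SAMPLE_PROPERTIES, indent=2))
        path.chmod(0o600)                # owner-only: the file holds credentials
        previous = set_active_profile(path, new_profile)
        bak = path.parent / "properties.json.bak"
        return {
            "previous": previous,
            "current": active_profile(path),
            "backup": active_profile(bak) if bak.exists() else None,
            "mode": oct(path.stat().st_mode & 0o777),
        }


if __name__ == "__main__":
    print(demo())
```

On a real host, call set_active_profile("$IAP_HOME/current/properties.json", "LocalAAA") as the account that owns the file, confirm the returned previous id is the profile you expected to leave, then restart IAP as in step 4.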

Appendix A: properties.json

Most configuration properties for IAP are stored in named profiles. In turn, these profiles are stored in the MongoDB database used by IAP as a datastore.

The properties.json file ($IAP_HOME/current/properties.json) referred to throughout this document provides IAP with two main pieces of information:

  • The location of the MongoDB database that is used as a datastore.
  • The name of the profile within that datastore that is active when the server starts.

The following is an example properties.json file that loads the Local_AAA profile from a local installation of MongoDB. Because the file holds the MongoDB credentials in plain text, restrict its filesystem permissions to the account that runs IAP.

{
  "pathProps": {
    "description": "File Path Variables",
    "sdk_dir": "/opt/pronghorn-applications",
    "encrypted": true
  },
  "id": "Local_AAA",
  "mongoProps": {
    "credentials": {
      "passwd": "itentialPassword",
      "user": "itentialUser"
    },
    "db": "pronghorn",
    "url": "mongodb://localhost:27017"
  }
}
