Managing AAA Sources via Itential Platform Profiles
- Updated on 21 Jan 2025
Itential Platform supports integration with several Authentication, Authorization and Accounting (AAA) sources. Upon initial installation of the Platform, the system uses a local AAA service as its source. This is often replaced with an external AAA source such as OpenLDAP or Active Directory Domain Services. Access to the Platform will be denied if the AAA source is unavailable.
Itential Platform supports the use of one active AAA source at a time; however, to provide a layer of redundancy, multiple AAA sources can be configured on the Itential Platform system. For example, if a Platform system is integrated with a single AAA source -- such as an LDAP server -- and that LDAP server becomes unavailable, users are unable to log in to Itential Platform. To prepare for such a scenario, a secondary AAA source can be configured. Operators may then manually switch to the secondary AAA source if the primary source becomes unavailable.
⚠ AAA sources cannot be federated by enabling multiple simultaneously. Doing so may prevent users from logging into Itential Platform.
In this document, you will learn how to use Itential Platform profiles to manage AAA sources. A best practice strategy for managing multiple AAA sources via these profiles will be outlined. The procedure for switching between these profiles will be detailed and should be well understood by operations teams.
Managing AAA Sources via Profiles
A profile designates the specific services (applications and adapters) that should be enabled on the Itential Platform server. It is loaded on system startup as defined in the properties.json file. When an application or an adapter is installed and configured, it can then be enabled or disabled per profile. As such, to manage multiple AAA sources via profile:
- The relevant AAA adapters are configured on the Itential Platform system.
- These adapters are added to separate Itential Platform profiles.
- The active Itential Platform profile is changed based on which AAA source is to be used.
Only one Itential Platform profile may be active at any time. After making a new profile active, Itential Platform must be restarted for the changes to take effect.
Configuring AAA Adapters
First, all relevant AAA adapters must be configured. Adapters are the software components of Itential Platform that handle the sending and receiving of data to and from external systems. Data is delivered to an adapter via a mechanism within the Platform called a broker. A broker is responsible for delivering certain types of data to an adapter. For example, AAA adapters (e.g., LDAP, AD, and RADIUS) must be configured with the aaa broker to receive AAA-specific requests.
Adapters are configured via the Adapters menu of Admin Essentials:
- From the dashboard, launch the Admin Essentials application. This application is only available to administrator-level users.
- Expand Adapters via the Admin Essentials side navigation menu.
- Select the adapter that you would like to configure from the list that is displayed.
The configuration (sometimes known as the service config) of the adapter will be shown. Figure 1 shows an example configuration for the Local AAA adapter.
Advanced view has been enabled in Figure 1 to show the adapter configuration in JSON format. Advanced view can be enabled or disabled using the toggle in the upper-right corner.
Figure 1: Adapter Configuration
By default, the Local AAA adapter is configured to point to the MongoDB datastore that was specified during Itential Platform installation. The most important component of the Service Config in Figure 1 is on line 28. Note that `aaa` is configured within the `brokers` array. This means that any incoming request to authenticate with Itential Platform will be directed to this adapter. In turn, the adapter will search the local MongoDB datastore for a match to the username and password sent in the authentication request.
Proper setup of each required AAA adapter is crucial. All relevant AAA adapters should be configured and tested before proceeding.
Creating Profiles
After all relevant AAA adapters have been configured, multiple Itential Platform profiles must be created -- one for each of the AAA adapters to be used. Profiles are created via the Profiles menu of Admin Essentials. To create a new profile, you will need to clone the default profile:
- From the dashboard, launch the Admin Essentials application.
- Expand Profiles via the Admin Essentials side navigation menu.
- Select the default profile from the list that is displayed. In most cases, the default profile is profile1.
- Click the menu button (stacked dots) at the upper-right corner of the window. Select Clone from the menu to open the clone modal.
- Enter the desired name for the new profile, then click the Clone button at the bottom-left of the modal. Itential recommends naming the cloned profile in such a way that the AAA source it uses is readily apparent.
Creating a new profile by cloning the default profile ensures that all required running properties and server configurations are included.
In the following example (Figure 2), two (2) profiles were created by cloning the default profile: LDAP and LocalAAA.
Figure 2: Cloning the Default Profile
Configuring Profiles
Next, the newly created profiles must be configured:
- From the dashboard, launch the Admin Essentials application.
- Expand Profiles via the Admin Essentials side navigation menu.
- Select the profile you would like to edit (configure) from the list that is displayed.
- Click the Configure tab located near the top of the window.
From the Configure tab, adapters can be enabled or disabled via the Adapters option (accessed beneath the Edit Profile Services header). To enable an adapter:
- Select the checkbox for the adapter.
- Click the Save icon in the upper-left corner.
In the following example (Figure 3), the LocalAAA profile created in the previous section has been selected for configuration. The Local AAA adapter has been enabled via checkbox - all other AAA adapters remain disabled (unchecked).
Figure 3: Local AAA Profile Configuration
In Figure 4, the LDAP profile has been selected for configuration, with the LDAP adapter enabled (checked).
Figure 4: LDAP Profile Configuration
Switching Between Profiles
Once all profiles are configured, operators may switch between them to determine which AAA source is used by the Platform. To change an active Itential Platform profile:
- From the dashboard, launch the Admin Essentials application.
- Expand Profiles via the Admin Essentials side navigation menu.
- Select the profile you would like to make active from the list that is displayed.
- Click the menu button (stacked dots) in the upper-right corner.
- Select View Metadata from the menu to open the metadata drawer.
- Click the Active Profile toggle to mark the selected profile as the active profile (Figure 5).
- Click the Save button at the bottom-left of the metadata drawer. A success banner will display, prompting you to restart Itential Platform.
- Restart the Platform server. For Itential Platform environments utilizing MongoDB replica sets, all Platform servers reading data from the MongoDB database will need to be restarted.
⚠ In some Itential Platform versions, the active AAA adapter is prevented from loading properly if any other AAA adapter is using the "aaa" broker. As a recommended precaution, be sure the "aaa" broker is only present in the configuration of the AAA adapter to be used.
Figure 5: Enabling a Profile
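The warning above and the description of the `brokers` array in the Local AAA service config both come down to one invariant: exactly one AAA adapter should carry the `aaa` broker. The following script is an added example, not Itential's documentation or product code; it models each adapter's service config as a dict with a `brokers` array (the shape shown for the Local AAA adapter), reports the two states in which logins break (no adapter bound, or more than one bound), and produces a corrected copy in which only the chosen adapter keeps the broker. The adapter ids and configs are constructed sample data.

```python
"""Audit which adapters claim the "aaa" broker.

Added example, not part of Itential's documentation or product code. Each
adapter service config is modelled as a dict with a "brokers" array, the
shape described for the Local AAA adapter. The checks flag the two states
in which logins break: no adapter bound to the "aaa" broker, and more than
one bound at once. The adapter ids and configs below are constructed.
"""
from copy import deepcopy
from typing import Dict, List

# Constructed sample service configs: "ldap" and "local_aaa" both claim the
# aaa broker, which is the misconfiguration we want to catch.
SAMPLE_ADAPTERS: Dict[str, dict] = {
    "local_aaa": {"type": "local_aaa", "brokers": ["aaa"]},
    "ldap": {"type": "ldap", "brokers": ["aaa"]},
    "radius": {"type": "radius", "brokers": []},
}


def adapters_on_aaa_broker(adapters: Dict[str, dict]) -> List[str]:
    """Return, sorted, the ids of adapters whose brokers array contains "aaa"."""
    return sorted(
        adapter_id
        for adapter_id, cfg in adapters.items()
        if "aaa" in cfg.get("brokers", [])
    )


def check_aaa_broker(adapters: Dict[str, dict]) -> List[str]:
    """Return human-readable findings; an empty list means the setup is sound."""
    bound = adapters_on_aaa_broker(adapters)
    if not bound:
        return ["no adapter is bound to the aaa broker; authentication requests have nowhere to go"]
    if len(bound) > 1:
        return ["more than one adapter is bound to the aaa broker: " + ", ".join(bound)]
    return []


def rebind_aaa_broker(adapters: Dict[str, dict], keep: str) -> Dict[str, dict]:
    """Return a copy of the configs in which only `keep` carries the aaa broker.

    The copy is what an operator would then apply to each adapter's service
    config through Admin Essentials; nothing is written anywhere here.
    """
    if keep not in adapters:
        raise KeyError(f"unknown adapter id: {keep}")
    fixed = deepcopy(adapters)
    for adapter_id, cfg in fixed.items():
        brokers = [b for b in cfg.get("brokers", []) if b != "aaa"]
        if adapter_id == keep:
            brokers.append("aaa")
        cfg["brokers"] = brokers
    return fixed


if __name__ == "__main__":
    for line in check_aaa_broker(SAMPLE_ADAPTERS):
        print("finding:", line)
    corrected = rebind_aaa_broker(SAMPLE_ADAPTERS, "ldap")
    print("aaa broker now on:", adapters_on_aaa_broker(corrected))
```

Running the audit before switching profiles, against the service configs exported from Admin Essentials, gives a quick way to confirm that the profile about to be activated is the only one whose adapter will receive authentication requests.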
Directly Editing the Profile via properties.json
Itential recommends changing the profile configuration via the UI whenever possible. However, if an unavailable AAA source has made Itential Platform inaccessible, the active profile can be changed by editing the properties.json file:
- Navigate to the `properties.json` file (located in `$IAP_HOME/current`) and open it in a text editor.
- Find the configuration line for `id` (e.g., `"id": "LDAP"`).
- Change the value of `id` to the name of the desired profile (e.g., `"id": "LocalAAA"`).
- Restart the Itential Platform server.
Appendix A: properties.json
Most configuration properties for Itential Platform are stored in named profiles. In turn, these profiles are stored in the MongoDB database used by the Platform as a datastore.
The `properties.json` file (`$IAP_HOME/current/properties.json`) referred to throughout this document provides the Platform with two main pieces of information:
- The location of the MongoDB database that is used as a data store.
- The name of the profile within that data store that is active when the server starts.
The following is an example `properties.json` file that is loading the `Local_AAA` profile from a local installation of MongoDB.

```json
{
  "pathProps": {
    "description": "File Path Variables",
    "sdk_dir": "/opt/pronghorn-applications",
    "encrypted": true
  },
  "id": "Local_AAA",
  "mongoProps": {
    "credentials": {
      "passwd": "itentialPassword",
      "user": "itentialUser"
    },
    "db": "pronghorn",
    "url": "mongodb://localhost:27017"
  }
}
```
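The manual procedure in "Directly Editing the Profile via properties.json" is the fallback when the UI is unreachable, and it is easy to get wrong under pressure (a typo in the id, a half-written file, a file left world-readable). The script below is an added example, not Itential's own tooling; it assumes only the `properties.json` layout shown in this appendix (a top-level `id` plus a `mongoProps` object), keeps a `.bak` copy, rejects ids that are not plain identifiers, writes the new file atomically, and preserves the file mode because the file carries the MongoDB credentials. The restart remains a separate manual step. The temporary directory, profile names and credentials used in `demo()` are constructed.

```python
"""Switch the active profile in properties.json without the UI.

Added example, not Itential's own tooling. It assumes the properties.json
layout shown in Appendix A: a top-level "id" naming the profile loaded at
startup and a "mongoProps" object locating the datastore. Restarting the
Platform server afterwards remains a separate manual step. The directory,
profile names and credentials in the demo are constructed.
"""
import json
import os
import re
import shutil
import stat
import tempfile

PROFILE_ID = re.compile(r"^[A-Za-z0-9_-]+$")


def read_active_profile(path: str) -> str:
    """Return the profile id the Platform will load from this properties.json."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["id"]


def credentials_exposed(path: str) -> bool:
    """True if group or others can read the file (it contains the MongoDB password)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def switch_active_profile(path: str, new_id: str) -> str:
    """Point properties.json at profile `new_id`; return the id it replaced."""
    if not PROFILE_ID.match(new_id):
        raise ValueError(f"refusing profile id that is not a plain identifier: {new_id!r}")
    with open(path, encoding="utf-8") as fh:
        props = json.load(fh)
    if "id" not in props or "mongoProps" not in props:
        raise ValueError("file does not look like properties.json (no id/mongoProps)")
    old_id = props["id"]
    if old_id == new_id:
        return old_id  # nothing to do; no backup or rewrite
    shutil.copy2(path, path + ".bak")
    props["id"] = new_id
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix="properties.", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(props, fh, indent=2)
            fh.write("\n")
        os.chmod(tmp, stat.S_IMODE(os.stat(path).st_mode))  # keep the original mode
        os.replace(tmp, path)  # atomic rename: readers see the old or new file, never a partial one
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return old_id


# Constructed properties.json in the Appendix A layout; the password is a placeholder.
SAMPLE_PROPERTIES = {
    "pathProps": {"description": "File Path Variables",
                  "sdk_dir": "/opt/pronghorn-applications", "encrypted": True},
    "id": "LDAP",
    "mongoProps": {"credentials": {"passwd": "REPLACE_ME", "user": "itentialUser"},
                   "db": "pronghorn", "url": "mongodb://localhost:27017"},
}


def demo() -> tuple:
    """Write the sample file to a temp dir, switch LDAP -> LocalAAA, return (old, new, exposed)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "properties.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_PROPERTIES, fh, indent=2)
        os.chmod(path, 0o600)  # owner-only, as a file holding credentials should be
        old = switch_active_profile(path, "LocalAAA")
        new = read_active_profile(path)
        return old, new, credentials_exposed(path)


if __name__ == "__main__":
    print(demo())
```

Against a real installation the call would be `switch_active_profile("$IAP_HOME/current/properties.json", "LocalAAA")` with the path expanded, followed by the Platform restart the procedure above requires; `credentials_exposed()` is worth running on its own as part of a routine check, since the file holds the datastore password in clear text.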