This Admin Guide details the common procedures that you will need to follow in order to set up and use Access Control Plus.
3.1 Starting Up
To start Access Control Plus, follow these steps:
- Open a terminal window on the server and login with suitable file permissions.
- Run the scm-access-control-plus service, located in the /etc/init.d folder:
lrwxrwxrwx 1 root root 65 Apr 24 11:43 scm-access-control-plus -> /opt/wandisco/scm-access-control-plus/bin/scm-access-control-plus
- Run the script with the start command:
[root@localhost init.d]# ./scm-access-control-plus start
Starting scm-access-control-plus:. [ OK ]
- The Access Control Plus application will start. Read more about the svn-multisite init.d script
3.2 Shutting down
- Open a terminal window on the server and login with suitable file permissions.
- Run the svn-multisite service, located in the init.d folder:
lrwxrwxrwx 1 root root 65 Apr 24 11:43 scm-access-control-plus -> /opt/wandisco/scm-access-control-plus/bin/scm-access-control-plus
- Run the stop script, i.e.:
[root@redhat6 init.d]# ./scm-access-control-plus stop Stopping scm-access-control-plus:. [ OK ]
- The process will shut down.
3.3 init.d Management Script
The 'start-up' script for persistent running of Access Control Plus can be found in the
Run the script with the help command to list the available commands:
[root@redhat6 init.d]# ./scm-access-control-plus help
usage: ./scm-access-control-plus (start|stop|restart|force-reload|status|version) start Start Access Control Plus services stop Stop Access Control Plus services restart Restart Access Control Plus services force-reload Restart Access Control Plus services status Show the status of Access Control Plus services version Show the version of Access Control Plus
Check the running status (with current process ID).
[root@redhat6 init.d]# ./scm-access-control-plus status Checking scm-access-control-plus:running with PID 29516 [ OK ]
[root@redhat6 init.d]# ./scm-access-control-plus version 1.0.0-1180
3.4 Password change/recovery
This section explains what to do if an admin loses their password and needs to regain entry to Access Control Plus. Currently the method uses a script that resets Access Control Plus's authentication. If you have set up to use LDAP, this will be disabled, returning access to local users. A new administrator-level local users will be created with credentials that you supply when you run the script.
Disable LDAP/external authentication
In the event that you need to disable LDAP authentication and return your deployment to the default internally managed users, use the following procedure. Your LDAP authorites will not be deleted, only disabled. They can be re-enabled from the Settings screen.
- Open a terminal on your node. Navigate to the replicator directory.
$ cd /opt/wandisco/scm-access-control-plus
- Run the following command-line utility.
[root@redhat6 scm-access-control-plus]# java -jar scm-access-control-plus-resetSecurity.jar Enter full path to the replicator properties folder: /opt/wandisco/scm-access-control-plus/properties Enter your username: temporary Enter your new password:************ Confirm your new password:************ Enter your first name: Temorary Enter your last name: Account Enter your email address: firstname.lastname@example.org A new user has been created, in order for this to take effect you will need to restart this node. [root@redhat6 scm-access-control-plus]#
- Respond to each prompt, then when you've entered everything, restart Access Control Plus to add the new users.
- Now login using the orginal authentication form:
An Account is a collection of information that tells Access Control Plus which resources the account holder can access and what level of access they should have. Accounts are the fundamental building blocks for Access Control, although the Access Control model actually handles permissions only on a per-team basis, not directly on individual accounts.
3.5 Create an Account
There are three methods for four routes to an account creation. This procedure follows the sequence that follows from clicking the Create User button, on the Accounts pane that appears on the master screen. You can also create an account from within the Create Team procedure. A more common approach is to add accounts by setting up a query to an available LDAP authority, to add accounts using LDAP, see Connect to LDAP.
Shortly it will be possible to create accounts using a REST API.
- 1. Login to Access Control Plus. Click the + Create button on the Accounts panel.
- 2. An entry table will open. Enter the account holder's details, as described below.
- First Name
- The acount holder's first name.
- Last Name
- The account holder's last name.
- Account Name
- The account name that Access Control Plus will use internally to refer to the account holder.
- The password for the account (obfuscated entry)
- Confirm Password
- A repeat entry of the password to confirm it was correctly entered.
- Email Address
- The email address associated with the account holder
- Public Key (for Git access)
- The account holder's public key when running with Git that is using ssh authentication. When copying this into the form ensure that no breaks are added - a key should be one unbroken line of characters.
- Disabled (Checkbox)
- This checkbox is used to disable the acount. When ticked the account holder will be completely locked out. All authorization is disabled. This feature offers administrators a means of removing access without completely removing an account or messing with rules. The effect of a disablement is effectively instant from the moment the entry screen is updated, unless batched updates
- User type (Drop-down)
The User type drop-down menu is used to select a type for the account. The following account types are available:
- A standard account holder supports all levels of access on all available resources, subject to the rules that apply to the teams for which the account is a member.
- Audit User
- An Auditor account is of a special type that can never be granted write permissions. This provides administrators with complete confidence when adding accounts for employees who need access to repository data but who are not qualified to make changes.
- Application Adminstrator
- This account type is specifically for SCM administrators who will themselves manage Access Control Plus. Administrators can access the admin console and have permissions to change all Access Control Plus settings.
- Update (button)
- Use this button to submit the account details entered into the form, or for that matter any changes that are made during the edit of an existing account.
- 3. Once the account holder's details are entered, click the Update button to save the changes to Access Control Plus's internal database. The account is ready to add to teams, which will then enable you to apply rules to it, which ultimately provide access control for available SCM resources.
Access to nothing by default All accounts are created with no access to any resources. For an account to gain access to a repository it must first become a member of a team, then that team must have a rule set up that associates repository resources along with permission levels. For more details see the section about Rules
3.6 Edit an existing account
Use the following procedure to make changes to an existing account.
- 1. Login to Access Control Plus. Locate the account that you wish to change.
Search by filter Click the Filter to bring up a search entry box. You can select from several critera (Name, Username, Email) for the search.
Manual Search Use the pagination page links at the bottom of the Accounts panel to run through the available accounts.
Selecting an account Click on the Account holder's name to bring up the account screen
- 2. An account screen provides an overview of the account's team memberships and access privilages.
It's possible to return to the account's entry form in order to make edits. To do this, click on the Edit link. In the main panel are lists of the teams to which the account is a member and all rules that currently apply to the account.
Change Teams membership From the Teams table it is possible to click on a Team name in order to remove the account from that team / subteam.
Change a rule Click on any rule in the Rules table in order to remove the account from the rule.
- 3. Once you have finished with the account screen, click the tab on the left hand side of the panel to close the screen.
Note that the "Edit" screen is renamed "Details" for LDAP users as it is not possible to edit an LDAP-based user through Access Control Plus. If you need to modify an LDAP users you will need to do it from within your LDAP service.
Important: When LDAP authority tries to enter in an account that has a username that already exists on the system
When LDAP sync discovers there is already existing account with the same username it will log a warning and not will synchronize this user. The existing username can be local (entered into Access Control Plus directly) or from different LDAP authority. However, if the user exists in LDAP and can authorize against SVN, then it will get in and Authz will apply any rules.
In version 4.2:
As only usernames were used to match users a conflict would not be detected. In this situation users with duplicate usernames would be synchronized.
Solution: If Apache is suitably configured, the local accounts, via the passwd file would get precedence, so it should work OK for local users. However if the username conflict is between two LDAP authorities then we currently still can get the clash.
3.7 Remove an account
Use this procedure to completely remove an account from Access Control Plus. Be aware that it is often better to disable accounts, should the holder need to get their access back in future.
- 1. Login to the admin console. From the management screen, locate the account that you wish to remove.
- 2. Tick the check box to the left of the Account holder's name then click the -Remove button on the top of the Accounts pane.
- 3. A pop-up warning will ask "Are you sure?". There is no undo for an account removal so consider that question carefully. If you are sure, Click OK. The acccount will not be completely removed from Access Control, it will no longer appear on the accounts list, or in any teams or rules.
If you need to check the accounts particulars to ensure that you are removing the correct account, go to the accounts details screen, you'll find a Delete button at the bottom. This does the same thing as the remove link on the main management screen.
3.8 Disable an account
Disable accounts remain stored in Access Control Plus, they are, however, unable to login or interactive with any repository resources. A disabled account can be added back at a moments notice by re-enabling them.
Disabled accounts are not counted towards the licensed number of users so it is possible to store users in a disabled state even if you are needing to make room for additional users within the limit of your current license.
- 1. Login to the admin console. From the management screen, locate the account that you wish to disable.
- 2. Click on the account holder's name to open up the Account page.
- 3. Click on the Edit button to view the account's basic details. From the accounts details screen, tick the Disabled check box, then click the Update button.
Teams are intended to make organizing account permissions much simpler as they allow you to apply rules en mass, rather than have to detail permissions for each individual account. There are.
3.9 Create a Team
Use this procedure to set up a new Access Control Team. This method follows the method for adding accounts manually, it is also possible to manager your team structure through LDAP, setting up a query that will filter for the specific account holders that you need for a particular team. For more about this see Adding an LDAP-based team
- 1. Login to the admin console.
- 2. On the Teams pane, click the + Create button.
- 3. Complete the entry form for your new team.
- Team Name
- Enter a name for the team.
- Team Description
- Enter a description for the team.
- Team Leaders
- During the team creation process this section is not available.
- Create (button)
- Click the button to save the new team.
- 4. The team's screen now appears. From here you define the team in terms of it's Subteams, Members, Resources and Rules.
- Subteams are themselves teams of accounts. Subteams differ from teams in that they can only be formed as a subset of its parent team's accounts and available resources. The chief benefit of subteams is that they allow administrators to dole out portions of accounts to suborinate team leaders who are able to manage their subteam, without having wider access to members and resources that fall outside of their responsibility. Put simply, this allows administrators to take vacations as day-to-day user creation/removal etc. can be delegated to team leaders, while at the same time, still limiting full SCM access.
- Accounts that are added to a team become Members. You can add existing accounts using the + Add button, then selecting accounts. From the Add Members screen you can also create a new member using the Create member button.
- Resources are representations of repository templates. If you create a team on a new node you'll not be able to add resources until you have established some Repository Templates from the Settings section.
Adding an LDAP-based team
Follow this procedure to create a team that is populated from an LDAP authority.
In previous versions of Access Control it was possible to import user accounts from LDAP at the global level, before assignment to a team. Access Control Plus doesn't support the global importation from LDAP (except for "Admin" accounts see below) because team membership is a fundamental requirement of Access Control Plus's model, in which all access control is applied at the team level. There is no concept of a free-floating accounts, unless the LDAP Authority is flagged for managing Admin accounts, admin accounts are handled differently, they will be imported from LDAP without needing to be assigned to a team.
Recommended approach for access management
When building your access structure you should think first in terms of teams and the access privileges that they will require - then populate teams directly from LDAP using a suitable query. If you really need that global LDAP team, you can create a team called "global" and add to it all accounts.
Mix and match Once LDAP-based accounts have been added to Access Control Plus, they'll appear within the Accounts pane and can be added to any team. However, it's easier to track and manage LDAP users if they're enabled through their own team, where the team is setup to get its members from an authority, although, so long as you tick the checbox Allow local users you can also add local users to an LDAP-managed team.
- 1. Login to Access Control Plus. If you have not done so already, add an LDAP authority (in this case the one from which you will be pulling accounts.
- 2. On the Teams pane, click on the + Create button.
- 3. Fill out a Team Name and Team Description, then click the Create button.
- 4. The Team is created, now click on the Edit link.
- 5. From the Team edit window, enter the relevant details for an LDAP authority that you wish to associate with the team. Select the authority from the dropdown. If your authority query already filters the accounts that you need then you don't need to include a query, otherwise you'll need to add one. Once you have entered those details, click Update
- 6. Click on Close.
- 7. You will be returned to the master screen. You'll note that the team should now be populated from LDAP.
- 8. Now return to the team by clicking on its name. You can now select from the manually select which users from LDAP are added to the group. Also add any other team components (Resources, Rules, subteams etc) that you need.
3.10 Edit a Team
- 1. Login to the admin console.
- 2. On the Teams pane, click the name of the team that you wish to edit.
- 3. The team's screen will open.
From here you can create additional Subteams, Add more resources, Add/Remove Members or Rules.
3.11 Delete a Team
- 1. Login to the admin console.
- 2. Click on the Team or Subteam that you wish to delete.
- 3. Click on the Edit button to view the teams/subteams settings
- 4. You will be prompted to confirm the deletion - Access Control Plus doesn't allow deletions to be undone so it always checks before deleting an object.
Resources are the available repository data, they can be in the form of full repositories or small portions of a repositories file tree. It's only possible to add Resources to Access Control Plus when there is at least one account assigned to a team.
3.12 Create a Resource
Use this procedure to create additional resources, when not syncing with WANdisco's MultiSite products. If you are connecting to MultiSite then resources are selected from whatever repositories that are automatically added. See Create a Resource in a MultiSite Environment
- 1. Login to the admin console, on the main management screen, click the + Create button at the top of the Resources pane.
- 2. The Resources entry form opens. Fill the form using the guidelines below.
- Repository Name
- Enter a name for the resource.
- Repository Location (SVN Only?)
- Enter the file path to the repository data.
- Repository Template lists
- Select from the available Repository Templates that you've added.
- 3.Click Save. You'll be returned to the main screen, with the new resources added to the list.
Create a Resource in a MultiSite Environment
Use this procedure to create additional resources, if syncing with WANdisco's MultiSite products. If you are connecting to MultiSite then resources are selected from whatever repositories that are automatically added.
Repositories (w/o templates) currently can't be deleted until they are assigned a template.
- 1. Login to the admin console, on the main management screen, click the Assign template button of a repository that has been sync'ed from Git and or SVN MultiSite.
- 2. A Window will appear that lists the available Repository Templates that correspond with the relevant version control system. Select one of the available templates.
- 3.Click Save. You'll be returned to the main screen, with the new resource added to the list.
3.13 Edit a Resource
You can easily edit resources by clicking on the resource's name.
Access Control Plus supports repository resources in various configurations: replicated (managed and replicated through a WANdisco MultiSite product), non-replicated (stored in a MultiSite node and not replicated to other nodes) and in stand-alone mode, "local repositories" which are stored directly on the Access Control Plus server. You can tell the type of a particular resource by checking the text under its title; it will say either "Replicated" or "Non-replicated".
- 1. Change any of the values, then click Save.
3.14 Remove a Resource
You can remove the resource from the main screen:
- 1. Change any of the values, then click Save.
Rules are used to define the parameters for what resources and what permission levels are applied to accounts, strickly through the account's team membership - rules are not applied directly to accounts. Accounts can only have rules applied to them if they are first assigned to a team.
3.15 Using Rule lookup
The Rule lookup tool provides administrators with a means of testing what access and permissions apply to specific accounts. Given that Accounts can belong to multiple teams and have multiple rules applied, the Rule lookup tool can useful tool.
If you have two repositories with the same name (also of the same SCM type) then currently a rule lookup that will display them will currently only show one of the repositories (chosen randomly). We'll address this issue in a future release.
- 1. Click the Rule lookup link on the top menu bar.
- 2. Enter an account name, along with a repository and path for which you want to test access.
Any rules that apply to the account for the specified resources will show up after you click the Lookup button. They will appear in the Permissions table.
3.16 Create a Rule
Use this procedure to create a new rule
- 1. Login to the admin console. As rules can only be assigned to Team, select a team. Click on the Team's name.
- 2. On the Team screen, click the + Create button at the top of the Rules pane.
- 3. Provide a name then proceed to the Rule screen. Click on the + Add button to add members to which the new rule will apply.
- 4. Next, select the accounts. Note that there is a check box on the right-hand pane Apply to all current and future members - check this to ensure that the rule is applied automatically to all new members of the team.
When you've added all the necessary accounts, click the Confirm button.
- 5. Finally, you need to add details of what resources and to what level the account holders get access. Click the +Add button to go to the resources screen.
- 6. On the left-side pane select from the available resources. When you've finished, click the Confirm button.
- 7. The permission level for each repository resource is then selected. The options are Deny, Read and Read/write
When done, click the Save selection button.
- 8. The new rule will now appear on the list.
3.17 Edit a Rule
You can edit a rule by clicking on its name on the main screen. This will open up the Rule from where you can modify any of its settings.
3.18 Delete a Rule
You can delete a rule by clicking on it's corresponding check box and then clicking on the - Remove button.
When only DENY rules apply to an account
When troubleshooting user access problems (in deployments that manage htpasswd/sshd files) you may notice that an active account for which only DENY rules currently apply will generate an authentication rather than authorization error on any Git/SVN access attempt. It's as if the account didn't exist or the wrong password was given, instead of not having the appropriate access permissions. This apparent quirk is by design. If an account doesn't have access to any resources at all, we don't bother writing it to the password or sshd rules file. In fact, if the account doesn't have any associated rules then "Deny" rules are applied by default and the account will not be written to the AuthZ file either.
You should note that this does not occur if authentication is delegated to LDAP/AD or any method which does not use passwd/sshd files.
This section deals with the changing and modifying the application settings.
3.19 Connecting your nodes
If you are deploying multiple Access Control Plus node, you'll need to do the following steps to get the nodes talking to each other correctly.
Nodes that are not the state machine creator will be locked-down until they're inducted
You won't be able to create any objects (accounts, teams, rules etc) on the non-state machine creator nodes until you have completed the following procedure.
- 1. Repeat the installation procedure on your additional Access Control Plus nodes. Take note of Step 11."
There can be only one..
When installing your nodes remember that the step to assign one node as the state machine creator should only be answered "Y" on one of your nodes. It can be any of the nodes, it doesn't have to be the first one that you install.
In the rest of this procedure we'll refer to the state machine creator node as the "Induction controller node"
- 2. When all nodes have been installed and are up-and-running, Login to each node that you did not assigned as the state machine creator (Induction controller) node. You'll see that these nodes are in a waiting state, locked down until it has been inducted into the replication network.
We'll need to copy the provided details into the 'Induction Controller Node's' Inductor entry fields.
- 3. Login to the Induction Controller Node, go to the Settings, then click on Node Induction, under Node Management.
- 4. Copy the details of each node into the form, ensure that the Inductor host name doesn't include the protocol prefix 'http://'. Once entered, click Confirm. The node will appear in the list of pending nodes. It should quickly complete the induction.
Permit no actions until induction completes.
Although the induction process is usually very fast, in the event that induction takes a while, take action to ensure that there is no attempt to interact with the admin console screens until the induction controller node reports that the process has completely.
- 5. Repeat these steps for each node until all Access Control Plus nodes have completed induction.
- 6. Once induction has completed on each node, it should be included in the Nodes list and become 'unlocked', allowing you to login and interact with the admin console, create accounts, teams, etc.
Stuck in pending state
Should any node get stuck in a pending state, you can cancel its induction and try again. Troubleshooting
3.20 Enable SSL Encryption
Access Control Plus supports the use of Secure Socket Layer encrytion (SSL) for securing network traffic. Currently SSL properties are not exposed through the admin console, instead you need to make edits to Access Control Plus's applications properties file.
/opt/wandisco/scm-access-control-plus/properties/applications.propertiesIf you plan to use SSL you need to run through the following steps before going into production.
SSL is enabled for both UI and the underlying Rest API (the administrator's access to HTTP port will automatically redirect to HTTPS) AND for internal communication between nodes on application.port. For this reason the switch over needs to be done on all nodes at once, otherwise those nodes that delayed their switch will no longer be able to talk to those nodes running with SSL.
Using stronger and faster encryption
Java's default SSL implementation is intentionally weak so as to avoid the import regulations associated with stronger forms of encryption. However stronger algorithms are available to install, placing the legal responsibility for compliance with local regulation on the user.
See Oracle's page on the Import limits of Cryptographic Algorithms.
If you need stronger algorithms, I.E., AES which supports 256-bit keys, then you can download JCE Unlimited Strength Jurisdiction Policy Files that can be installed with your JDK/JRE.
See Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7
Important: To follow this procedure you will need to create a keystore and a truststore.
You might be familiar with the Public-key system that allows two parties to use encryption to keep their communication with each other private (incomprehensible to an intercepting third-party). The keystore is used to store the public and private keys that are used in this system. However, in isolation, the system remains susceptible to the hijacking of the public key file, where an end user may receive a fake public key and be unaware that it will enable communication with an impostor. Enter Certificate Authorities (CAs). These trusted third parties issue digital certificates that verify that a given public key matches with the expected owner. These digital certificates are kept in the truststore (Which is really just another keystore file, but for certificates instead of keys. An SSL implementation that uses both keystore and truststore files offers a more secure SSL solution.
- 1. Create a new directory in which to store your key files, this directory can be placed anywhere, although in this example we'll store them within the Access Control file structure. Open a terminal and navigate to
- 2. From within the
/configfolder make a new directory called ssl.
-rw-rw-r-- 1 wandisco wandisco 29 Apr 5 16:53 main.conf [User@redhat6 config]$ mkdir ssl
- 3. Go into the new directory.
- 4. Copy your private key into the directory. If you don't already have keys set up you can use JAVA's keygen utility, using the command:
keytool -genkey -keyalg RSA -keystore wandisco.ks -alias server -validity 3650 -storepass <YOUR PASSWORD>
Knowledgebase Read more about the Java keystore generation tool in the KB article - Using Java Keytool to manage keystores
- Switch for generating a key pair (a public key and associated private key). Wraps the public key into an X.509 v1 self-signed certificate, which is stored as a single-element certificate chain. This certificate chain and the private key are stored in a new keystore entry identified by alias.
- -keyalg RSA
- The key algorithm, in this case RSA is specified.
- This is file name for your private key file that will be stored in the current directory.
- - alias server
- Assigns an alias "server" to the key pair. Aliases are case-insensitive.
- -validity 3650
- Validates the keypair for 3650 days (10 years). The default would be 3 months
- - storepass <YOUR PASSWORD>
- This provides the keystore with a password.
No password specified If no password is specified on the command, you'll be prompted for it. Your entry will not be masked so you (and anyone else looking at your screen) will be able to see what you type.
Most commands that interrogate or change the keystore will need to use the store password. Some commands may need to use the private key password. Passwords can be specified on the command line (using the
However, a password should not be specified on a command line or in a script unless it is for testing purposes, or you are on a secure system. When placed into the Access Control Plus properties file we'll first need to manually encrypt it.
The utility will prompt you for the following information
What is your first and last name? [Unknown]: What is the name of your organizational unit? [Unknown]: What is the name of your organization? [Unknown]: What is the name of your City or Locality? [Unknown]: What is the name of your State or Province? [Unknown]: What is the two-letter country code for this unit? [Unknown]: Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct? [no]: yes
Enter key password for <mykey> (RETURN if same as keystore password):
- 5. With the keystore now in place, we next need to make the edit to the application.properties file.
node.id=bouncer application.hostname=172.16.5.94 application.port=6888 #content server port content.server.port=6845 jetty.http.port=8882 database.location=/opt/wandisco/scm-access-control-plus/database application.location=/opt/wandisco/scm-access-control-plus content.location=/opt/wandisco/scm-access-control-plus/content jetty.https.port=8084 ssl.enabled=true ssl.debug=false ssl.keystore= ssl.keystore.password= #Option SSL parameters ssl.key.alias ssl.key.password - SimpleCrypt encrypted ssl.truststore ssl.truststore.password - SimpleCrypt encrypted
- Switch for enabled SSL. Value: true
- debugging mode. Don't enable by default. Value: false
- The absolute path to the keystore
- The password for the keystore - this password must be encrypted using the SimpleCrypt class. We've provided a little utility to handle the encryption:
/opt/wandisco/scm-access-control-plus/scm-access-control-plus-cryptPassword.jarUse the utility as follows:
java -jar scm-access-control-plus-cryptPassword.jar password Gbwkzxmo70xNNy1/oVMb/7PuE3yB1+fhHX7O9qxIg6k3eNDuU6bzOCKO4Ldi0SJDDycScJjnGq2FxOYYAl0JiBRXIDGRxEVBj <snip>
Optional SSL parameters:
These additional parameters support a more robust implementation of SSL that uses trust certification.
- Specify an alias for the private key. This is the name by which the key will be accessible inside the keystore.
- Password if the cert is password protected - must be encrypted as above.
- Path to the truststore file
- Password for the truststore - must be encrypted as above.
Changes in any of these value require a restart of Access Control Plus. Any invalid value will likely result in Access Control Plus not running properly.
SSLv3 Support SSLv3 is support (though not enforced). If your browser setting has SSLv3 disabled, you will get a handshake error message. If it has both SSLv3 and TLS enabled, then, depending on the browser, it will try to switch from TLS to SSLv3 during the handshake. If you receive a handshake error message in your browser, make sure that TLS is disabled and only SSLv3 is enabled. All current browsers support SSLv3.
Setting the server key
In the keystore, the server certificate is associate with a key. By default, we look for a key named
server to validate the certificate. If you use a key for the server with a different name, enter this in the SSL settings.
Export the certificate
Next we need to export the certificate so that it can be added to the tuststore as the trusted certificate. Again, using Java' trusty Keytool.
keytool -export -alias server -file <Cert-Name>.cert -keystore wandisco.ks Enter keystore password: Certificate stored in file <Cert-Name>.cert
Create a Truststore
Use this short procedure for creating a new Truststore:
- For each certificate (CA) that you trust, run the following command
keytool -import -file C:\cascerts\<Cert-Name>.cert -alias <Cert-Name-Alias> -keystore myTrustStoreThe first command creates a keystore file named myTrustStore in the current working directory and imports the first certificate into the truststore with an alias of <Cert-Name-Alias>. The format of myTrustStore is JKS. Each additional run of the command adds additional certificates to the TrustStore. Once completed, myTrustStore is available to be used as the truststore.
A complete debug of the SSL logging will be required to diagnose the problems. To capture the debugging, run the java process with:
To enable the logging of SSL implemented layer, turn the logging to FINEST for 'com.wandisco.platform.net' package.
3.21 Node Repair
The Node Repair tool is used to recover from the loss of one or more nodes. Once replication is set up.
Important: The Node Repair tool provides an effective method of returning a failed node back into production. However, its misuse can worsen the situation. Until we place blocks against potentially destructive actions we strongly recommend that you don't use the Repair Tool unless under direct instruction from WANdisco's support team.
3.22 Connect to MultiSite
In this section we connect Access Control Plus to an existing Git or SVN MultiSite setup.
- 1. Login to the admin console. Click on the Settings link on the top menu.
- 2. Click on the Connect to MultiSite bar in the External Applications section.
- 3. Enter the required MultiSite details:
- API IP
- The IP address of the MultiSite node
- API PORT
- The port used for Rest API traffic (Default is 8082)
- API USER
- Username for the account Access Control Plus use use to access the MultiSite node.
- Managing Node (Drop-down)
- Select which Access Control Plus node will manage communication with MultiSite.
- Poll Period
- The frequency (in seconds) that Access Control Plus will check for changes on the MultiSite node.
- Use SSL (checkbox)
- Enable SSL encryption for the API traffic.
- Password for the MultiSite account
- Retype Password
- Repeated password entry (to ensure you entered it correctly above.
- Save/Cancel (buttons)
- Click Save to store the details, or Cancel to clear them.
- 4. Return to the main Access Control Plus screen. If there are Repositories being handled by MultiSite, they'll be automatically sync'ed with Access Control Plus, appearing in the Repositories panel.
At this point the repositories are known to Access Control Plus, but it still needs to be configured with authentication and or authorization files for each repository. This is handled through the Repository Template section.
Return to the Getting Set up
3.23 Connect to LDAP
This section explains how to configure Access Control Plus to query one or more LDAP authorities in order to pull in accounts for your Git or Subversion users.
The settings tell Access Control Plus how to use any available LDAP Authorities that you connect up.
- Synchronisation Period (minutes)
- Access Control Plus will rerun your LDAP queries with this frequency, picking up any changes that may have occurred within the LDAP service.
Don't set the period to 0. You shouldn't need to constantly hit your LDAP authority.
If you perform an import from an earlier version of Access Control you must ensure that Access Control Plus does not poll the LDAP authorities during the process. You can do this by setting the Synchronisation Period to 999 (minutes) - Just for the duration of the import
- Allow Local Users (checkbox)
- Ticked by default. When ticked it is possible to field both LDAP-controlled and manually entered Accounts. Some organizations don't permit manually entered accounts, they need to be sure that all accounts are managed through their LDAP. If this is the case, untick the check box once you're LDAP accounts have been successfully imported.
TIP Should you be running with Local Users disabled and your LDAP service fails, you can re-enable local users as part of the account password recovery process. This process will automatically re-enable local users, allowing you to gain access to the admin console.
Entering LDAP Authority details
This is the entry form for adding any number of LDAP Authorities. Multiple Authorities are checked in the order that matches their order number (see below). The lower the order number, the earlier the authority is checked.
- The priority given to the LDAP URL. e.g. A Location Order of 1 means that Access Control will look within that defined authority for a user first. If unsuccessful then Access Control will then check the authority with the next order number (e.g. 2).
- Regular Expression:
- Enter a regular expression to set a pattern for matching against available LDAP authorities. The expression, is applied locally to limit unnecessary queries against available LDAP authorities. For instance, setting an expression that specifies a top-level domain can ensure that authentication of a user (whose username is their email address) doesn't need to run through all LDAP authorities, but instead can be checked only against those servers that match the the regular expression - in this case, the same top-level domain.
URL: the URL for the LDAP authority, using the format ldap(s)://hostport/basedn?attribute
- Bind User DN:
- Bind Password:
- First Name Attribute:
- Last Name Attribute:
- Email Address Attribute:
- Public Key Attribute:
- (Optional) Used with the LDAP service is encrypted, requiring Access Control Plus to be setup with an SSH key pair. As with any public key entry, make sure that no line breaks are introduced to the key, it should be one long string, no breaks.
- Case Insensitive Usernames?
- Tick this checkbox if you need MultiSite to stop distinguishing between usernames that differ only by their case pattern.
For example, with the "Case Insensitive Usernames?" unticked (it is by default), MultiSite will treat username "MelissaJones" and username "melissajones" as two distinct users. Support for username case insensitivity is a feature that may be required when Active Directory
- System Administrator Group?:
- Tick this checkbox if the authority will return users who are System Administrators (able to access the MultiSite admin console).
We strongly recommend that you guard against the adding of LDAP-based accounts that use the same account name. Currently there's no guard against having two accounts with the same name - as accounts can be distributed accross any number of authorities. In the event that you attempt to add two accounts that use the same account name, their addition will fail and an error message will appear in the logs that warns you of an "Incorrect result size: expected 1, actual 2".
3.24 Email Notification
The mail notification system lets you connect Access Control Plus to an email gateway server, which enables it to send alert email concerning important system events. It's possible to add as many email gateways as you like, so that the loss of a single mail server need to result in the halting of notifications.
The following procedure shows you have to set up an email gateway.
- 1. Logon to the Access Control Plus admin console. Click on the Settings link.
- 2. Click on the Email Notifications bar.
- 3. Fill out the entry form for your gateway.
- IP/Hostname of SMTP Server:
- your email server's address.
- SMTP Server Port
- The port assigned for SMTP traffic (Port 25 etc).
- Encryption Type
- Indicate your server's encryption type - None, SSL (Secure Socket Layer) or TLS (Transport Layer Security). SSL is a commonly used. For tips on setting up suitable keystore and truststore files see Setting up SSL Key pair.
If you're not familiar with the finer points of setting up SSL keystores and truststores it is recommended that you read the following article: Using Java Keytool to manage keystores.
- Authentication Required
- Indicate whether you need a username and password to connect to the server - requires either "true" or "false".
- User Name
- If authentication is required, enter the authentication username here.
- If authentication is required, enter the authentication password here.
- Sender Address
- Provide an email address that your notifications will appear to come from. If you want to be able to receive replies from notifications you'll need to make sure this is a valid and monitored address.
- Number of Tries Before Failing
- Set the number of attempts SVN MultiSite Plus makes in order to send out notifications.
- Interval Between Tries (Seconds)
- Set the time (in seconds) between your server's attempts to send notifications.
- 4. Once a gateway is in place you need to add a list of email address to where Access Control Plus will actually send notification emails.
Just enter addresses on the Add destination entry field and click + Add.
- 5. Before notifications can be sent, the service must be enabled by ticking the Enable notifications checkbox.
You can untick the checkbox if you need to disable the feature, without removing or editing the gateway or destination settings.
The following events currently trigger notifications (when suitably configured)
3.25 Create a Repository Template
In Access Control Plus's backend, there's a mechanism or managing and replicating the core password and or authz files. This mechanism needs a template creating which will contain the path location for these files, as well as a number of optional parameters. Once setup, Repositories that are added to Access Control can be assigned the template, telling Access Control Plus how to handle the repository's necessary files.
Follow this procedure for adding a Repository Template:
- 1. Login to the admin console. Click on the Settings link on the top bar.
- 2. Click on the Repository Templates bar under in the Applications Settings, near the top of the list. Click on the Create button.
- 3. A small entry form will appear. Complete the details.
- A useful label for the product to refer to this repository.
- A description of the template to help you distinguish from it from potential others.
- A useful label for the product to refer to this repository.
- Type (Dropdown)
- There's a dropdown select from where you select which SCM product that you are going to refer to. Options: GIT or SVN.
- 4. The screen will be parsed, your selection detected and a Generators dropdown will appear. From this dropdown you can select multiple user access assets, of which the following area currently available:
- SSH Key File Generator
- Transports ssh keys between nodes.
- Apache Password File Generator
- Transports Apache password files between nodes.
- SVN Authz File Generator
- Handles the Authz file (under SVN).
- GIT Authz File Generator
- Handles the Authz file (under Git).
There are more details about how these files are managed and distributed in the Generic File Replication Section
- 7. Enter the Target Location. Find location of generated file on target node. Absolute path.
Click on Show optional parameters to see a number of extra entry fields. When you have completed the entries you need, click on the Update button.
- 8. You can create any number of Repository Templates, reflecting how many separate collections of repositories you are running where each requires a different series of user management files.
3.26 Enable/Disable Batch updates
Follow this procedure to enable Batch mode. Make sure you understand what it does and how it works before you do though.
Batch updates is a mechanism that can improve performance in large deployments that field large numbers of accounts holders, accross a number of nodes. There's a section in the Reference Guide that explains more about Batch Updates Mode.
- 1. Login to Access Control Plus, click on the Settings link.
- 2. Click on the Access Control Updates bar.
- 3. Tick the Enable checkbox. Confirm the switch period (in seconds) and select which node will manage the batching process.
- 4. Click on Save.
See Access Control Updates for more details.
3.2.7 Example Configuration
Per-repository Authz via SVNServe and SSH
The following details map out an example setup that sets up authorization using Authz on a per-repository basis, running on SVNServe with SSH encryption. This is only intended as an illustration, so you shouldn't follow it as an actual set up procedure.
The setting set the target location of the authz file and the common path segment of the SVN repositories:
- Target Location:
- Common Repository Path Segment:
svnserve.conf controls the behavior of the svnserve daemon on a per-repository basis. It is located in the conf subdirectory of the repository, e.g. /opt/svn/repo/conf/svnserve.conf.
[general] anon-access = none auth-access = write authz-db = authz [sasl]
- Determines the access level for unauthenticated users. "write" allows all repository operations. "read" allows all operations except committing and changing revision properties. "none" allows no unauthenticated access. The default level is "read".
The following configuration is required on the server:
- Create an "authorized_keys" file at:
- Change the permissions and ownership as follows:
chmod 600 /home/wandisco/.ssh/authorized_keys chown wandisco:wandisco /home/wandisco/.ssh/authorized_keys
The following configuration is required for clients:
- If required generate ssh keys:
ssh-keygen -t rsa
- Copy the ssh key to the server entering the password for the wandisco user when prompted:
ssh-copy-id wandisco@<ip address>
- The previously empty authorized_keys file should now look like this:
ssh-rsa <RSA KEY> <client hostname>
- Modify the authorized_keys file as follows:
command="svnserve -t --tunnel-user=<username> -r /opt/svn" ssh-rsa <RSA KEY> <client hostname>
- Where username is the account added to Access Control Plus. Example:
command="svnserve -t --tunnel-user=user1 -r /opt/svn" ssh-rsa <RSA KEY> <client hostname>This would work with a user added to Access Control Plus with Account Name "user1".
Access Control Plus Admin Console settings
- Add a team
- Add a User
- Add a resource
- Add a rule
An Authz file should be generated, here:
/opt/svn/repo/conf/authzIt should look like this: Example (Team: team1, Account Name: user1, Resource: repo0, Perms: RW)
# Generated by Access Control Plus, WANdisco. # ACP Node Name : node1 # ACP Node Hostname : 172.16.6.55 # Generation Audit number : abab31d2-a266-426b-a578-336b58419130 # Generation Serial number : 187 # Template Id : 97e47269-4b20-40e8-b1a0-fa052d74ecb9 # Template Name : svn # Template Description : svn # Assignment Type : svn-authz # Assignment Id : 1de6a9c6-c8ec-4eaa-9391-0a7cd55f8ab3 # Assignment Modified at : 2014-05-27 23:32:16.346 [groups] virtual_team_team1_rule_rule1_88b17a89-157b-48ab-a9dd-364912f20b25 = user1 [/] * = [repo:/] @virtual_team_team1_rule_rule1_88b17a89-157b-48ab-a9dd-364912f20b25 = rw
Access the repository using:
svn co svn+ssh://wandisco@<ip address>/repo
Problem: replication runs very slowly while server load and traffic are both light.Solution:
It's possible that pending tasks are currently stuck and are therefore holding up further replication. To test if this is what is happening
- Go to Settings/Node Induction
- Check for any pending tasks
- If you find that there are pending tasks then you should consider aborting them.
- Recheck replication to see if things improve (it can take a few mins for backlogs to clear).
Problem: Induction never completes (blocked CD port)
Use this work-around for unblocking a deployment which is stuck in an induction This can occur should a second induction be triggered while an induction is still being progressed.
- Make sure the CD port is not blocked. Full duplex access is required between all nodes. By default the content delivery port is 6445 unless a different port was specified. You can confirm allocation of the port by checking the
- Shut down the replicators at all nodes.
service scm-access-control-plus stop
- Delete the contents of the database directory from all nodes.
- Restart the replicator on all nodes.
service scm-access-control-plus start
- On your first node complete the induction form using the details of your second node. You must not refresh the page or make any other changes while the induction is in progress.
- You can verify the induction completed succesfully by making a call using the REST API
http://IP:PORT/dcone/tasks/pendingand make sure there are no tasks present.
- If tasks remain then you'll need to wait while they complete before you log in to the Access Control Plus UI on your second node. If you are unable to log in then induction is still in progress!
Once the induction of the second node is confirmed as complete, you can repeat the procedure for the third node, running through the procedure for each additional node, one at a time.
Copyright © 2010-2014 WANdisco plc.
All Rights Reserved
This product is protected by copyright and distributed under licenses restricting copying, distribution and decompilation.
Access Control Plus
Last doc build: 17:35 09 May 2014