CloudBridge Agent Configuration

Prerequisites

Ensure that you have the capabilities required to deploy CloudBridge agents.

Obtaining the CloudBridge Software Packages

The download links of CloudBridge packages do not contain sha256. Links that end with sha256 are used to download software package verification files.

Checking the Update Logs of the CloudBridge Deployment Package

The following table lists the update logs of the CloudBridge deployment package.

Verifying the Integrity of the CloudBridge Agent Software Package

The software package version number mentioned in this document is just an example.

1. Use PuTTY or FTP to connect to the server to be deployed. Then, log in to the server as the root user, and use SFTP to upload the CloudBridge Agent software package and the corresponding SHA-256 file to the server. Next, run ll to view the uploaded software package and verification file.

   [root@cluster-test-eq9ku xxx]# ll
   total 75724
   -rw-r--r-- 1 root root 32696037 Dec  1 16:12 cloudAgent-authSource-24.5.1.1.zip
   -rw-r--r-- 1 root root      101 Dec  1 16:11 cloudAgent-authSource-24.5.1.1.zip.sha256
   -rw-r--r-- 1 root root 44832098 Dec  1 16:12 cloudAgent-identitySource-24.5.1.1.zip
   -rw-r--r-- 1 root root      105 Dec  1 16:11 cloudAgent-identitySource-24.5.1.1.zip.sha256

2. Run the following commands to check the integrity of the gateway software package. If OK is displayed, the package is complete.

   sha256sum -c cloudAgent-identitySource-24.5.1.1.zip.sha256

   [root@cluster-test-eq9ku xxx]#  sha256sum -c cloudAgent-identitySource-24.5.1.1.zip.sha256
   cloudAgent-identitySource-24.5.1.1.zip: OK

   sha256sum -c cloudAgent-authSource-24.5.1.1.zip.sha256

   [root@cluster-test-eq9ku xxx]# sha256sum -c cloudAgent-authSource-24.5.1.1.zip.sha256
   cloudAgent-authSource-24.5.1.1.zip: OK

   

   If the integrity check fails, the software package might have been damaged during the download process. Download the software package again or contact technical support.

Procedure

1. Deploy the AD service, and create a domain account to establish an enterprise management system. For details, see Setting Up an AD Server and Creating a Domain Account.
2. Add a CloudBridge agent.
   1. Log in to the administrator portal.
   2. On the top navigation bar, choose Settings > CloudBridge Agents.
   3. On the CloudBridge Agents page, click Add CloudBridge Agent. Then, enter an agent name, select either Authentication Provider or Identity Source for the CloudBridge agent type, and click OK.

      

      

      • The system automatically generates a client ID and secret for the CloudBridge agent you created. Keep the client ID and secret properly.
      • If you have forgotten the client secret, click Reset Secret to generate a new one for the target agent. The original secret will become invalid after the resetting. Exercise caution when performing this operation.
      • Click Configure IP to configure the IP address of the server where the CloudBridge Agent is located. If this parameter is left unconfigured, IP address access control will be disabled. Only one IP address can be configured, and IP addresses using an asterisk (*) as a wildcard (for example, 10.10.10.*) are not supported. Only the CloudBridge Agent set up on the specified IP address will be accessible.
      • To view the connection logs, click View Logs.
      • To delete the CloudBridge agent, click Delete.

3. Deploy the CloudBridge agent. If the deployment is successful, the agent status is displayed as Online on the CloudBridge Agents page.
   Figure 1 Viewing CloudBridge agent status
   

   The following instructions explain how to deploy the CloudBridge Agents of the identity source and the authentication provider type.

   

   • The server must have JDK 17 installed. (For versions earlier than CloudBridge 24.5.1.1, JRE 1.8 is required.)
     1. Download the JDK source code package from the official website.
     2. Run the following commands to extract the JRE to the specified directory and configure the JRE environment variables:

        tar -zxvf jdk-17_linux-x64_bin.tar.gz -C /usr/local/

        chmod 755 /usr/local/jdk-17.0.12

        echo "export PATH" >> /etc/profile

        echo "export PATH=$PATH:/usr/local/jdk-17.0.12/bin" >> /etc/profile

        source /etc/profile

        java -version

   • The server must have curl and netstat installed to use the watchdog function.
   • You are advised to run the CloudBridge client as a non-root user.

     If a non-root user already exists, you do not need to create one. If you prefer to use a new non-root user, run the following commands as the root user:

     groupadd {User group}

     useradd -d /home/Username -s /bin/bash -g User group -m Username

     unzip -od {Directory where the decompressed files are stored} cloudAgent.zip

     chown -R {Username}:{User group} {Directory where the decompressed files are stored}

     chmod 700 -R {Directory where the decompressed files are stored}

     su - {Username}

   • The following procedure uses CentOS Linux release 8.2.2004 as an example to describe how to deploy the CloudBridge identity source agent.
     1. Download the deployment package of the identity source agent according to the region where the instance is located.
     2. Upload the deployment package to the target server.
     3. Run unzip -od {Directory where the decompressed files are stored} cloudAgent.zip to decompress the deployment package. Specify a unique directory to ensure successful deployment. For details about the deployment package, see Table 2.

        Table 2 Directory structure

        Name	Description
        agent.sh	Automatically runs the agent upon startup.
        cloudAgent-identitySource.jar	Serves as the agent deployment package.
        cloudBridge.sh	Used to manually run the agent.
        config	Serves as the directory for storing the agent configuration file (application.yml).
        connector	Serves as the deployment package of the LDAP connector.
        encrypt.sh	Used to encrypt the passwords of principal accounts in AD.
        log	Serves as the directory for storing the agent log file (agent.log).

     4. Go to the directory where the decompressed files are stored, and configure the application.yml file in the config directory. Add a space in front of each attribute value. For details about the parameters involved, see Adding an AD Identity Source in OneAccess.

        To encrypt agentSecret and credentials, follow these steps:

        1. Generate the root key and working key. Run the ./encrypt.sh setKey command in the directory where the CloudBridge installation package is decompressed. When prompted with the message "please enter the encryption key:", enter your custom key and press Enter. If you see the message "the encryption key setting succeeds", the key has been set successfully.
        2. Run the ./encrypt.sh encrypt command. When prompted with the message "please enter what you want to encrypt content:", enter the value of agentSecret and press Enter to obtain the encrypted agentSecret, for example, {AES_GCM}0000xxxxxx111111.
        3. Run the ./encrypt.sh encrypt command. When prompted with the message "please enter what you want to encrypt content:", enter the value of credentials and press Enter to obtain the encrypted credentials, for example, {AES_GCM}0000xxxxxx222222.
        4. Copy the encrypted value into the appropriate position in the application.yml file. Enclose the value in double quotation marks (").

        

        Table 3 Parameter description

        Parameter	Description
        * address	Listening address for CloudBridge startup. The default value is 127.0.0.1.
        * port	The listening port for CloudBridge startup can be modified. Assign different port numbers when starting multiple CloudBridge agents. The default value is 9081.
        * serverAddress	wss://{Domain name of the tenant who needs to use the CloudBridge agent}/api/v1/ws
        * agentId	Automatically generated by the system after the agent is added. For details, see 2.
        * agentSecret	Automatically generated by the system after the agent is added. For details, see 2.
        * host	IP address of the AD server.
        * port	TCP/IP port of the AD server.
        * ssl	The default value is true, indicating that SSL is used for connecting to the AD server. If you do not want to use SSL, set the value to false.
        * principal	Identifier used for AD server authentication.
        * credentials	Password of principal.
        * baseContexts	The root node (for example, OU=huaweitest,DC=test,DC=com) in the AD tree where the accounts to be synchronized are located.

        

        If you do not receive any responses after running the ./encrypt.sh setKey command and entering a key, install the rng-tools to enhance the rate at which the system entropy pool is replenished.

        1. Run the following commands to install rng-tools:

           yum install rng-tools

           cat /etc/sysconfig/rngd

           If the file does not exist, run the following command to add it:

           echo "OPTIONS=\"-r /dev/urandom\"" > /etc/sysconfig/rngd

        2. Run the following commands to start the rng service and query its status:

           service rngd start: starts the rng service.

           service rngd status: checks the rng service status.

           If the status is enabled, the service is actively running.

           

     5. Once you finish the configuration, run the ./cloudBridge.sh start command to start the agent. If you see the message "Starting Agent Success.", the agent startup is successful.
        

        • Ensure that you have permissions for the deployment package.
        • The message "Starting Agent Fail." indicates that the startup fails. Check the configuration file.
        • To enable automatic startup, run the ./agent.sh install command as the root user. This installation process also verifies the basic system environment to ensure that all service installation requirements are met. You will be prompted to enter the startup user during the installation. If no startup user is specified, the script will be run with the current user. If you see the message "The Agent service installed successfully, need to reboot will take effect.", the installation is successful.
        • To uninstall the agent, run ./agent.sh uninstall. The message "uninstall Agent Success." shows up, indicating that the agent is uninstalled successfully.
        • If you do not receive any response after running the command ./cloudBridge.sh start, you can install rng-tools by following the instructions in the previous section where a similar problem occurs after running ./encrypt.sh setKey.
     6. Obtain logs from the log/agent.log file.
   • The following procedure uses CentOS Linux release 8.0.1905 as an example to describe how to deploy the CloudBridge authentication provider agent.
     1. Download the deployment package of the authentication provider agent according to the region where the instance is located.
     2. Upload the deployment package to the target server.
     3. Run unzip -od {Directory where the decompressed files are stored} cloudAgent.zip to decompress the deployment package. Specify a unique directory to ensure successful deployment. For details about the deployment package, see Table 4.

        Table 4 Directory structure

        Name	Description
        agent.sh	Automatically runs the CloudBridge agent upon startup.
        cloudAgent-authSource.jar	Serves as the agent deployment package.
        cloudBridge.sh	Used to manually run the agent.
        config	Serves as the directory for storing the agent configuration file (application.yml).
        log	Serves as the directory for storing the agent log file (agent.log).

     4. Go to the directory where the decompressed files are stored, and configure the application.yml file in the config directory. Add a space in front of each attribute value.

        Table 5 Parameter description

        Parameter	Description
        * address	Listening address for CloudBridge startup. The default value is 127.0.0.1.
        * port	The listening port for CloudBridge startup can be modified. Assign different port numbers when starting multiple CloudBridge agents. The default value is 9082.
        * serverAddress	wss://{Domain name of the tenant who needs to use the CloudBridge agent}/api/v1/ws
        * agentId	Automatically generated by the system after the CloudBridge agent is added. For details, see 2.
        * agentSecret	Automatically generated by the system after the CloudBridge agent is added. For details, see 2.
        * urls	Address of the AD server. To obtain this parameter, see Adding an AD Authentication Provider.
        * rootDn	AD node used to authenticate users. To obtain this parameter, see Adding an AD Authentication Provider.
        * domain	If the tenant domain name contains the AD domain name, set this parameter to the AD domain name. Otherwise, do not set this parameter.
        * searchFilter	Query condition. To obtain this parameter, see Adding an AD Authentication Provider.
        * urls	LDAP address. To obtain this parameter, see Adding an LDAP Authentication Provider.
        sslCheck	Whether to perform LDAPS SSL check: If this parameter is not configured or set to true, the SSL certificate will be verified. If the SSL certificate does not need to be checked, set this parameter to false.
        * baseDn	Base DN of a user. To obtain this parameter, see "Adding an LDAP Authentication Provider in OneAccess".
        managerDn	Identifier of the administrator. The default value is cn=Directory Manager.
        managerPassword	ID of the LDAP administrator account.
        userSearchBase	Search path for LDAP users. To obtain this parameter, see Adding an LDAP Authentication Provider.
        userSearchFilter	Filter conditions for matching system users in LDAP. The default value is (&(objectClass=user)(uid={0})). For details, see LDAP Filters. DN-based query takes priority over condition-based query.
        dnPatterns	Search path for LDAP users. The default value is uid={0},ou=people. DN authentication takes priority over other authentication modes.

        

        You can encrypt agentSecret by referring to 3.d.

     5. Once you finish the configuration, run the ./cloudBridge.sh start command to start the agent. If you see the message "Starting Agent Success.", the agent startup is successful.
        

        • Ensure that you have permissions for the deployment package.
        • The message "Starting Agent Fail." indicates that the startup fails. Check the configuration file.
        • To enable automatic startup, run the ./agent.sh install command as the root user. This installation process also verifies the basic system environment to ensure that all service installation requirements are met. You will be prompted to enter the startup user during the installation. If no startup user is specified, the script will be run with the current user. If you see the message "The Agent service installed successfully, need to reboot will take effect.", the installation is successful.
        • To uninstall the agent, run ./agent.sh uninstall. The message "uninstall Agent Success." shows up, indicating that the agent is uninstalled successfully.
     6. Obtain logs from the log/agent.log file.

4. Click View Logs. By default, the connection logs tab is displayed. You can view the time when CloudBridge goes online or offline.

   

5. Click Service Logs. On the displayed page, you can view CloudBridge startup logs in real time.

   

6. Add an AD identity source, an AD authentication provider, and an LDAP authentication provider.
   1. Add an AD identity source.
      1. Log in to the administrator portal.
      2. On the top navigation bar, choose Users > Identity Sources.
      3. On the Identity Sources page, click Add Identity Source in the Operation column of the row that contains AD, enter an identity source name, and click OK.

         

      4. In the AD identity source list, click View Details in the row that contains the target identity source. On the displayed Import Settings page, set Connection Mode to Connect by CloudBridge agent and select the added CloudBridge agent. Up to five CloudBridge agents can be selected. For details about advanced settings and object models, see Adding an AD Identity Source.

         

         Figure 2 Configuring import/export
         
      5. Synchronize data. For details, see Verifying Synchronization of AD Data.
   2. Add an AD authentication provider.
      1. Log in to the administrator portal.
      2. On the top navigation bar, choose Authentication > Authentication Providers. Then click AD.
      3. On the AD Authentication Providers page, click Add Authentication Provider in the upper right and set the required parameters.
         Figure 3 Adding an AD authentication provider
         

         Table 6 Parameter description

         Parameter	Description
         * Display Name	Display name of the authentication provider, for example, AD.
         * Connection Mode	Select Connect by CloudBridge agent.
         * CloudBridge Agent	Select the CloudBridge agent added in 2. You can select a maximum of five CloudBridge agents.
         * Source Attribute	AD user attribute, for example, sAMAccountName.
         * Related User Attribute	The only text type attribute, such as userName, to map the AD user attribute.
         * No User Associated	Operation that will be performed if a user logs in successfully but fails to be associated with a system user.
         * Update Existing Attribute	Determine whether to update the existing user attribute value when a user logs in successfully through AD and is associated with a system user.

         To map other attributes, such as name, set No User Associated to Automatically create users, and click Add Mapping to add the desired mappings. For details, see Table 7.

         Table 7 Mapping parameters

         Parameter	Description
         User Attribute	Attribute in OneAccess to which AD will map. For example, email.
         Mapping Type	How user attributes are mapped between OneAccess and AD. For example, Authentication Provider Attribute.
         Authentication Provider Attribute Name	Name of an AD user attribute.

      4. Enter a test account and password and click Test to check the connectivity.

         If you have selected multiple (up to 5) CloudBridge agents when adding an AD authentication provider, the system checks the connectivity of each agent after you click Test. If the check fails, view the cause.

      5. Enable AD authentication for an application. For details, see Enabling AD Authentication in OneAccess.
      6. Verify login using an AD account. For details, see Logging In to the User Portal Through AD Authentication.
   3. Add an LDAP authentication provider.
      1. Log in to the administrator portal.
      2. On the top navigation bar, choose Authentication > Authentication Providers. Then click LDAP.
      3. On the LDAP Authentication Providers page, click Add Authentication Provider in the upper right corner and set the parameters required.

         Table 8 Parameter description

         Parameter	Description
         * Display Name	Display name of the authentication provider, for example, LDAP.
         * Connection Mode	Select Connect by CloudBridge agent.
         * CloudBridge Agent	Select the CloudBridge agent added in 2. You can select a maximum of five CloudBridge agents.
         * Source Attribute	LDAP user attribute, for example, sAMAccountName.
         * Related User Attribute	The only text attribute, such as userName, to map the LDAP user attribute.
         * No User Associated	Operation that will be performed if a user logs in successfully but fails to be associated with a system user.
         * Update Existing Attribute	Determine whether to update the existing user attribute value when a user logs in successfully through LDAP and is associated with a system user.

         To map other attributes, such as name, set No User Associated to Automatically create users, and click Add Mapping to add the desired mappings. For details, see Table 9.

         Table 9 Mapping parameters

         Parameter	Description
         User Attribute	Attribute in OneAccess to which LDAP will map. For example, email.
         Mapping Type	How user attributes are mapped between OneAccess and LDAP. For example, Authentication Provider Attribute.
         Authentication Provider Attribute Name	Name of an LDAP user attribute.

      4. Enter a test account and password and click Test to check the connectivity.

         If you have selected multiple (up to 5) CloudBridge agents when adding an LDAP authentication provider, the system checks the connectivity of each agent after you click Test. If the check fails, view the cause.

      5. Enable LDAP authentication. For details, see Enabling LDAP Authentication.
      6. Verify login through LDAP authentication. For details, see Logging In to the User Portal Through LDAP Authentication.