FAQ
FAQ by Product
Most Popular
Load More
Latest
The out-of-the-box signing and encryption key named only4test
must not be used in production for generating new metadata for the setup of SAML authentication.
A new key pair with long-term (e.g. 10 years) validity must be generated and stored into the ${MUSE_HOME}/proxy/webcontexts/ssoRWP/WEB-INF/classes/security/samlKeystore.jks
keystore.
Oracle Java keytool or other Certificate Management GUI tools such as CERTivity will have to be involved in this process.
In this article we are describing the process of adding a new key pair in the SAML keystore using the CERTivity tool.
1) Access the tool page from the EduLib website:
https://www.edulib.com/tools/keystores-manager/
download it and obtain a license key by filling in the requested details in the Try form. Install the CERTivity tool by following the installation wizzard.
2) Get from the Muse Proxy server, the ${MUSE_HOME}/proxy/webcontexts/ssoRWP/WEB-INF/classes/security/samlKeystore.jks
file, onto the machine where the CERTivity tool is installed.
Open CERTivity, and from the File menu -> Open -> Open KeyStore menu, navigate on the location on disk where the samlKeystore.jks
was saved, and load it.
You will be prompted to enter the password, its value is stored in the ${MUSE_HOME}/proxy/webcontexts/ssoRWP/WEB-INF/securityContext-metadata.xml
file, in the bean
with ID keyManager
, the value of the entry
node with only4test
.
3) Once loaded, click the Generate Key Pair button from the toolbar to open the dialog:
4) In the Generate Key Pair dialog, fill in the requested fields, making sure the validity period is at least 10 years. Below is an example:
When saving the new key pair, you will be asked to enter a password.
5) Save the updated keystore by pressing the Save icon from the application’s toolbar.
6) Copy the updated samlKeystore.jks
file back on the Muse Proxy server, in the following path on disk:
${MUSE_HOME}/proxy/webcontexts/ssoRWP/WEB-INF/classes/security/
overwriting the existing one.
7) On the Muse Proxy server, edit the ${MUSE_HOME}/proxy/webcontexts/ssoRWP/WEB-INF/securityContext-metadata.xml
file, locate the bean
with ID keyManager
, and add a new entry
element in the map
node. This is how the new entry should look like:
(the passwords were removed intentionally for security purposes)
Make sure the file is valid XML after editing.
8) Access the Muse Proxy Administration Console, Configuration -> SAML Authentication and click the Restart SSO button, to restart the SAML servlet to load the updated keystore.
9) When creating new metadata, make sure the newly created key is selected for both Signing key and Encryption key:
There can be cases when you want that an Application Entry Point takes the end-user directly to the remote source without rewriting. For this a boolean flag is used for redirecting after the last but one request by dropping the proxy prefix and parameters and redirecting to the last URL value (after filling in the existent variables, if any) from the source profile.
The following directive must be added into the source’s XML profile:
[for more details check the Muse Proxy Sources Profiling.pdf manual, chapter 6.22 Redirecting to Remote Source]
Follow the instructions from bellow for configuring the authentication for the Muse Search Application with Microsoft’s Azure Active Directory, using SAML.
In this scenario, the Muse Search Application is the Service Provider (SP), while Azure AD is the Identity Provider (IDP).
-
Generate the Service Provider Metadata
Access the administration end point for SAML at an URL of the form:
https://your_domain/muse/saml/web/metadata
where replaceyour_domain
with the actual domain of the Muse installation.
Useadmin
as the username and the configured password.In the Muse SSO Metadata Administration page click on the Generate new service provider button to access the metadata generation page.
In the Metadata Generation page, make sure the Signing key and Encryption key values are the proper ones. Fill in an alias value in the Entity alias input. The rest of configurations should be left with the default values. When done click the Generate metadata button.In the Metadata Details page follow the steps listed in section “In order to permanently store the metadata follow these instructions:“.
After the restart of the Muse web service, access again the Muse SSO Metadata Administration page, the metadata details for the newly added entity and click the Download entity metadata button to download it. -
Setup a new application in the Azure Portal
Access the Azure Portal at:
https://portal.azure.com/
and navigate to Azure Active Directory -> Enterprise applications from the menu and click New Application. Add the custom application by accessing Create your own application link and add the name of the application (e.g. Muse Search), making sure the option Integrate any other application you don’t find in the gallery (Non-gallery) is selected. Then chose the application created and select Setup single sign-on from the Manage menu, and then click the “SAML” button to access the configuration guide.In the new page click the Upload metadata file and select the metadata file which was downloaded at the previous step. All necessary values will be loaded in the Basic SAML Configuration, click the Save button to store them.
From the Set up Single Sign-On with SAML page, copy the value of App Federation Metadata Url to be used at the next step.
Make sure that the necessary user groups and users are configured to access the newly created Azure application. See the below instructions for doing this:
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-assign-users -
Generate a new IDP
Access the Muse SSO Metadata Administration pages (as described at #1) and click the Add new identity provider metadata button.
In the Add New IDP Metadata files page, enter the URL copied from the Azure Portal in the Take metadata from URL: input and click the Test IDP metadata button.Next follow the instructions listed in the page to finalize the setup of the new IDP entity.
-
Wire the Muse Search Application for SAML authentication
Follow the instruction from below to finalize the setup of SAML authentication with Microsoft Azure AD.
– Edit the
${MUSE_HOME}/aas/jaas.config
file and add at the end of the file the below entry:
MuseKnowledge.Azure {
com.edulib.ice.security.authentication.ICELoginModulePropertiesExtractor requisite config="${ICE_HOME}/profiles/ICELoginModulePropertiesExtractor.Azure.xml";
com.edulib.ice.security.authentication.ICELoginModule requisite ;
};
– Download this file and place it in the following location${USE_HOME}/profiles/
. Edit the downloaded file, locate the following placeholders:PLACE_HERE_THE_IDP_ENTITY_ID
,MuseSearchApplicationID
andMuseSearchApplicationPassword
and replace them with the appropriate values.
– Test the integration using an URL of the form:
https://your_domain/muse/servlet/MusePeer/logon/alias/ALIAS?action=logon&userID=MuseKnowledge.Azure&templateFile=passThrough.html&errorTemplate=logon/logon.html&reuseSession=true&idp=IDP_ENTITY_ID
where replaceyour_domain
,ALIAS
andIDP_ENTITY_ID
with the appropriate values.
Statistics are offered as a service to Muse Proxy customers, no matter they are locally hosted or on cloud. The statistics are generated from content of the Muse Proxy log files:
– access log (access.log
).
– statistics log (MuseProxyStatistics.log
).
More details about the Muse Proxy log files in the Muse Proxy Advanced Configuration manual, chapter “2.9 Log Files“.
For the instances hosted by MuseGlobal, there is nothing to be done, we take care of everything.
For the locally hosted instances, the main requirement is to upload from your server on a daily basis the 2 log files – access.log
and MuseProxyStatistics.log
– corresponding to the previous day, onto our FTP repository – ftp.museglobal.com – from where we will further pick them up for processing into the statistics platform.
The log files upload is carried out by means of scripts driven by the system’s scheduler/cron, depending on the Operating System. We provide such scripts.
The main requirement for the upload scripts is to have a single log file per day and with the date stamp in their filenames, e.g. access-yyyyMMdd.log
and MuseProxyStatistics-yyyyMMdd.log
. Refer to this FAQ for making the required logging changes.
Download the patch containing the necessary scripts from here. Copy the downloaded archive into ${MUSE_HOME}
and extract it. The content is deployed into the following location on disk: ${MUSE_HOME}/proxy/tools
.
Windows OS
Make sure that the patch is already deployed.
- Edit the
MuseProxyLogsUpload.xml
file and replace thePLACE_HERE_THE_FTP_USERNAME
andPLACE_HERE_THE_PASSWORD
placeholders with the actual values as provided by the MuseGlobal Support Team. - Open a CMD window, change directory to
%MUSE_HOME%/proxy/tools/
and run theMuseProxyLogsUploadAnt.bat
script. This is for test purposes to make sure the upload script works. - Create a scheduler job in Windows to run the
%MUSE_HOME%/proxy/tools/MuseProxyLogsUploadAnt.bat
script each day after midnight, for example at 1:00 AM. There are many online tutorials for setting up a basic task, like for example here.
Linux OS
Make sure that the patch is already deployed.
- Edit the
MuseProxyLogsUpload.xml
file and replace thePLACE_HERE_THE_FTP_USERNAME
andPLACE_HERE_THE_PASSWORD
placeholders with the actual values as provided by the MuseGlobal Support Team. - Open a shell session on the server, change directory to
${MUSE_HOME}/proxy/tools/
and change the permissions of theMuseProxyLogsUploadAnt.sh
file to allow execution. Make the same for the${MUSE_HOME}/proxy/tools/apache-ant-1.10.13/bin/ant
file. - Edit the
MuseProxyLogsUploadAnt.sh
and make sure the value forMUSE_HOME
points to the correct location on disk of Muse Proxy. - Run the
MuseProxyLogsUploadAnt.sh
script. This is for test purposes to make sure the upload script works. - Create a cron job to run the
${MUSE_HOME}/proxy/tools/MuseProxyLogsUploadAnt.sh
script each day after midnight, for example at 1:00 AM.
The default logger configuration of Muse Proxy is to produce *.log.1
, *.log.2
…*.log.10
files which rotate by size when reaching 10485760 bytes or at midnight, depending on whichever condition is first met:
Follow the instructions below to have a single log file with an entire day of logging and with the date stamp in the filename, e.g. MuseProxy-20230719:
- Stop the Muse Proxy service
-
Edit the Muse Proxy main configuration file:
${MUSE_HOME}/proxy/MuseProxy.xml
(make a backup copy first of this file)
and replace the existing logger sections (see above), with:
NOTICE
com.edulib.ice.util.log.ICETextLog
${MUSE_HOME}/proxy/logs/MuseProxy.log
0
{0, date,yyyy-MM-dd'T'HH:mm:ss.SSS z} {1}: {4}: {3}
365
0
NOTICE
com.edulib.ice.util.log.ICETextLog
${MUSE_HOME}/proxy/logs/access.log
0
%h %A %w %W "%u" %S %t "%r" "%{Content-Type}o" %s %b %e "%{User-Agent}i" "%{Referer}i" %D
90
0
STATISTICS
com.edulib.ice.util.log.ICETextLog
${MUSE_HOME}/proxy/logs/MuseProxyStatistics.log
0
{0, date,yyyy-MM-dd'T'HH:mm:ss.SSS z} {3}
365
0
Attention must be paid when editing to not break the XML file format. - Start the Muse Proxy service