FAQ
FAQ by Product
Most Popular
USER_NAME and USER_PASSWORD fields of the profile) or IP (with the CUSTOM_PARAMETERS field of the profile).
For search/retrieval authentication by IP, a value must be placed in the CUSTOM_PARAMETERS tag from the EBSCOEIT* source profile. Again, this is used to connect to and search a certain database. Using this IP authentication, you may be authenticated to a number of databases.
Example :
AUTH_TYPE=ip;IP_PROFILE=eit;IP_ADDRESS=1.2.3.4 your IP which authenticates to EIT.
Please note that your EBSCO account must be specifically enabled in order to use of EIT. The user/pw used for connecting to http://search.ebscohost.com/ will not work for EIT. Also note that the IP_PROFILE will be either eit or eitws; — this string matches the 3rd section of your 3-part EIT authentication string (ex. s123456.main.eit or s123456.main.eitws). Please check with EBSCO if you are not sure which it is.
2) The aforementioned authentication by IP or user/pw gives us access to the EBSCOEIT API, but it does not provide successful link navigation on the record links obtained.
For this, the PROXY_HOST and PROXY_PORT in the profile must be configured. IMPORTANT: authentication to EBSCO for link navigation is only done by IP.
Example :
proxy.you.com
9797 In Muse, there are 2 types of proxy chaining:
a) “ProxyChaining” happens when the MNM chains with the proxy used for source authentication. In a Muse application where we have configured a MNM_HOST to re-write the record links and a PROXY_HOST to use for authentication we have the following scenarios:
1) If the MNM and PROXY fields have different values then at runtime when the end user navigates on a rewritten link the following happens:
– enduser makes HTTP request to MNM_HOST
– the MNM_HOST makes the HTTP request to PROXY_HOST, thus chaining.
– the PROXY_HOST makes the HTTP request to the native data source.
This scenario is described in the Muse Advanced Configuration.pdf document, chapter “Data Services IP Authentication” and applies in all ASP Muse environments where IP authentications are used. For example, this type of proxy chaining is used in all our hosted Muse instances.
2) If the MNM is the same as the PROXY_HOST then the proxy chaining does not occur anymore.
Note that the proxy chaining feature works only if the com.edulib.muse.proxy.filter.ProxyChain filter is enabled in the $MUSE_HOME/proxy/MuseProxy.xml configuration file.
Also note that the proxy chaining feature works with other proxies than Muse Proxy used for source authentication, e,g, when PROXY_HOST is other proxy than Muse Proxy .
b) Another type of proxy chaining is when the Muse Proxy is configured to use another proxy, meaning that it will forward all HTTP requests to the configured proxy. This happens when the following fields from the "$MUSE_HOME/proxy/MuseProxy.xml" file are configured:
Type a) of proxy chaining is the most encountered in the Muse installations.
Load More
Latest
To configure an application that uses username/password authentication method to use also IP authentication, one must do some configurations.
A) For Muse version 2500, the admin console can be used to add/edit the IP authentication of a Muse application:
– log into the MCAA console as a mcaa based user;
– select the desired Muse application, then click Login Modules;
– if the IP module is not enabled already, then click Add and then selectcom.edulib.ice.security.authentication.ICELoginModuleIP login module; click Add;
– click Edit to edit the ICELoginModuleIP module;
– click Edit User Access Rules and then Insert one by one the IP rules. They can consist in IP, IP classes or regular expressions that describe the needed range(s);
– click “Update”.
B) For Muse versions before 2500, the modifications to be done are:
– $MUSE_HOME/use/ice/jaas.config – locate application’s entry in this file. If not found, then you must add an entry for it. Supposing the application’s ID is appid, then the following entry must be added:
appid {
com.edulib.ice.security.authentication.ICELoginModuleXML required passwords="${ICE_HOME}/profiles/passwords.xml";
com.edulib.ice.security.authentication.ICELoginModuleIP required hosts="${ICE_HOME}/profiles/hosts.xml";
};
Note: if the above entry already exists for the appid application, then only the bold line must be added.
– $MUSE_HOME/use/ice/profiles/hosts – an entry like next must be added:
Note: ‘IP or address template’ can be any of the following:
– a regular expression that will be matched against the IP address the connection is coming from. E.g. 217.156.14.* will match IP 217.156.14.2
– a regular expression that will be matched against the domain name of the IP address the connection is coming from. E.g. *.museglobal.ro.
– an address/mask notation that will be matched against the IP address the connection is coming from. The mask can be either a net-work mask or a plain number, specifying the number of 1’s at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0.
– E.g. 217.156.14.0/28 will match IP 217.156.14.2 and it is equivalent with 217.156.14.0/255.255.255.240
– E.g. 217.156.14.0/255.255.255.240 will match IP 217.156.14.2
As a consequence of IP authentication, one may want to facilitate IP access to the application without having the user to fill in every time the username/password fields. To do this, one can create a html page located in $MUSE_HOME/web/www/logon/appid/ directory. This page should contain a simple login form that submits itself on page load event. Eg:
The URL to access the autologon page is:
http://Muse_host:PORT/muse/logon/appid/autologon_page.html
where:
- Muse_host is the hostname of the Muse system;
- PORT is the port value on which Muse HTTP / Embedded Apache Tomcat server is configured to listen (default 8000);
- appid is the application ID;
- autologon_page.html is the page which contains the above HTML form.
The functioning principle of this authentication scenario is as follows:
– the enduser accesses the provided Muse URL;
– if the enduser’s IP is among the IPs/subnets configured for the desired application then he/she will be successfully logged in;
– if the enduser is not IP authenticated then he/she will be presented with a Muse logon form where to enter the personal LDAP authentication details.
Below are the steps to implement this scenario:
1) configure the necessary Muse login modules for the desired application. Below is their list in order along with the correct flag values:
– ICELoginModuleXML – required;
– ICELoginModuleIP – sufficient;
– ICELoginModuleParametersRemap – required;
– ICELoginModuleLDAP – requisite.
The configuration of the login modules is done through the Muse Console for Applications Administration as follows: select the desired application from the list of application and click on the left menu – “Login Modules”; from this location manage the login modules: add, delete or edit them. The ICELoginModuleParametersRemap login module must have the following attributes and values: ldapUserPwd=”wwwAuthPwd” ldapUserID=”wwwAuthID” (see below).
The context for the desired application in the $ICE_HOME/jaas.config file should look like:
ApplicationID {
com.edulib.ice.security.authentication.ICELoginModuleXML required passwords="${ICE_HOME}/profiles/passwords.xml";
com.edulib.ice.security.authentication.ICELoginModuleIP sufficient hosts="${ICE_HOME}/profiles/hosts.xml";
com.edulib.ice.security.authentication.ICELoginModuleParametersRemap required ldapUserPwd="wwwAuthPwd" ldapUserID="wwwAuthID";
com.edulib.ice.security.authentication.ICELoginModuleLDAP requisite config="${MUSE_HOME}/home/ApplicationID/profiles/ICELoginModuleLDAP.xml";
};
2) Configure the login modules’ properties.
– copy ${ICE_HOME}/profiles/ICELoginModuleLDAP.xml to ${MUSE_HOME}/home/ApplicationID/profiles/ICELoginModuleLDAP.xml (is not already existing);
– for the ICELoginModuleIP login module add a new entry in the ${ICE_HOME}/profiles/hosts.xml file for the desired application along with the list of IPs/subnets that will access the application by IP.
– for the ICELoginModuleLDAP login module make the necessary configurations in the ${MUSE_HOME}/home/ApplicationID/profiles/ICELoginModuleLDAP.xml with the access details and settings for the LDAP server. The following fields from the ${MUSE_HOME}/home/ApplicationID/profiles/ICELoginModuleLDAP.xml must be filled in with proper values: LDAP-URL, BASE-DN and USER-AUTHENTICATION.
3) Add the necessary HTML files for the desired application for handling the IP/LDAP authentication scenario:
– an index (index.html) file which will be the access point for the enduser; the role of this is to transparently submit the username and password of the application.
- a page (index2.html) which presents the logon form for the LDAP details in case the IP authentication fails;
- an error (error.html) page which is displayed in case the LDAP authentication fails too.
Note: replace all ApplicationID and ApplicationPassword occurrences with the exact application ID and application password you wish to configure. Also, the html code above is the basic one, with no formatting. Please format it as needed and enclose it in complete/valid html pages.
This is explained in the “Adding a new slave machine to the environment” chapter from the “Muse Advanced Configuration.pdf” manual.
In a shared Muse environment all files are shared, including the $ICE_HOME/serial.properties file containing licensing information and necessary for the ICE to start.
When adding new servers to a Muse cluster one cannot just run the Registration process to register the new machine because of the following reason: Muse was not installed on the new machine using the Muse setup kit, hence the InstallShield files necessary for running the Registration do not exist.
In the shared Muse environment the Muse files are loaded/mounted from the master machine.
Below are the steps to be performed when a new slave machine is added into the Muse environment after the initial setup an it needs to be registered:
1. An “Extension Request” procedure for the Serial Number is performed to add all IPv4 and IPv6
IPs of the new machine to the Serial Number in use. In case the Serial Number already contains the IPs of the new machine then there is no need to run the “Extension Request” and the Muse servers can be started on the new machine (step 4).
2. After the extension request is processed by MuseGlobal, the Muse Registration Setup must be run on the master machine.
3 A synchronization of the slave machines with the master must be performed in order for the new serial.properties file to get on the new machine.
4 The Muse servers can now be started on the new machine.
The hosts.xml files are used to allow/deny access to different products from some IPs or classes of IPs. The client’s IP is tested against the rules in the hosts.xml file and the first one that matches is applied – all the following rules are ignored.
When getting the hostname related to a given IP the Java mechanism has a spoof protection that, sometimes, will not give optimal results.
The following situation will not give the expected results:
1. Java asks the DNS server for the hostname related to an IP address (reverse DNS)
2. When the DNS server replies with the hostname, Java asks the same DNS server for the IP address of that particular hostname
3. If the initial IP address and the one returned as the result of request #2 above do not match, then Java returns the initial IP address.
This process may interfere with the way we compare the client IP address against the ones stored in the hosts.xml file. Due to the above Java protection, some IP addresses will not match against a given domain even if their reverse DNS name belongs to that particular domain.
When one or more new IPs are added to a machine running Muse ICE, ICE will not start again until the Muse product is re-registered. Running the Muse Registration process ensures that all the current IPs of the machine are added to the serial.properties file, which is required for the Muse ICE server to start successfully.
For more details about the Muse Resistration procedure, please see the "$MUSE_HOME/doc/Muse Install.pdf" document, the “Product Registration” and “Running the Muse Registration Setup” chapters.