Transcript - Cisco Unity Tools
Otomo
End User SSO - TOI
March 2014
Otomo 10.5 – End User SSO Support
Presenter – Aastha Wal (aawal)
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
Table of Contents
Abbreviations
Added Functionality in current release
OAuth API/Endpoints
Jabber- CUC SSO Flow
Enterprise parameters
OAuth token expiry
Counters
CLI command to set trace Level
Collect Logs from RTMT
Troubleshooting tips
Abbreviations
CUC: Cisco Unity Connection
IDP: Identity Provider
OAuth: Authorization protocol / framework
SAML: Security Assertion Markup Language
SP: Service Provider
SSO: Single Sign On
SSOSP: CUC specific SP implementation
RTMT: Real Time Monitoring Tool
Added Functionality in current release

Oz 10.0:
- SAML SSO, only Web Applications single sign on was possible.
- CUC Admin
- CUC Client Web Applications:
  - CiscoPCA

Otomo 10.5:
- In addition to features present in 10.0, this release has:
- SAML enabled for CUC Serviceability
- OAuth token based access to services like:
  - VMRest (on Unity Connection)
  - Web-Inbox
  - Mini-inbox
OAuth API / Endpoints
Enterprise Parameters
There are two new Enterprise level parameters specific to OAuth:
1) Enterprise parameter to set the OAuth token expiry time in minutes.
2) Enterprise parameter to set a redirect URL for a third party client (no default value).
Once the administrator changes the timer, the SSOSP web application picks up the new value instantaneously, without a restart of Tomcat or of the SSOSP web application.
Note: Clicking on an Enterprise parameter shows the description of that parameter.
OAuth Token Expiry Settings in CUC
OAuth token expiry
The Authorization service /validate endpoint returns an HTTP 400 Bad Request for an expired token.
Counters
Two new counters are introduced to track the number of failed/invalid SAML Requests/Responses:
SAML_FAILED_REQUESTS
SAML_FAILED_RESPONSES
The corresponding counter is incremented for each failed SAML request or failed SAML response (for example, when a request/response has a mandatory field missing).
OAuth tokens are tracked by the following counters:
OAUTH_TOKENS_ISSUED
OAUTH_TOKENS_ACTIVE
OAUTH_TOKENS_VALIDATED
OAUTH_TOKENS_EXPIRED
OAUTH_TOKENS_REVOKED
CLI command to get counter values:
show perf query class "SAML SSO"
Counters
CLI Command to Set Trace Level
The log level can be changed using the following CLI commands:
set samltrace level DEBUG
set samltrace level INFO (default)
set samltrace level WARNING
set samltrace level ERROR
set samltrace level FATAL
Note: These levels are used for troubleshooting; DEBUG is the most useful level while troubleshooting.
Collect Logs from RTMT
The following log files can be collected from RTMT:
- ssosp.log: ssospxxxxx.log
- security.log: securityxxxxx.log
- Tomcat access: localhost_access_log.txt
Below are the steps to follow in RTMT:
- Login to RTMT
- Go to: System > Tools > Trace > Trace & Log Central
- For ssosp logs: click Collect Files > Next > select Cisco SSO > Finish
- For security logs: click Collect Files > Next > select Cisco Tomcat Security > Finish
- For Tomcat access logs: click Collect Files > Next > select Cisco Tomcat > Finish
Log files will be downloaded <Path will be mentioned on the screen>
Troubleshooting tips
Logs Location
- OAuth endpoint logs (on all the nodes in the cluster): /var/log/active/tomcat/logs/ssosp/log4j/ssosp*
- IMS (on all the nodes in the cluster): /var/log/active/tomcat/logs/security/log4j/security*
- CUC Tomcat access logs: /var/log/active/tomcat/logs/localhost_access_log.txt
Troubleshooting tips for CUC (cont.)

Problem Description: 1. VMRest API throws 401 response error

Solution:
1. Check if the OAuth Token has expired.
2. Check if the OAuth Token is no longer valid:
   - If the Tomcat service is restarted, then all previous tokens are no longer valid and the client has to request a new token.
   - If the publisher server of the Unity Connection cluster went down, then the token generated on the publisher server becomes invalid, and clients have to request the subscriber to generate a new token.
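The 401 handling described above, as an added example that is not Cisco's code: a VMRest caller that keeps one OAuth token, refreshes it when the local expiry timer (the Enterprise parameter) runs out, and treats a 401 or an unreachable node as "token invalidated by Tomcat restart or publisher failover", fetching a new token from the next live node. The node list ordering, the `get_token` and `do_request` callables and the `TokenInvalidError` name are assumptions supplied by the caller.

```python
import time
from typing import Callable, List, Optional, Tuple

class TokenInvalidError(Exception):
    """Raised when no node in the cluster would issue a fresh token (assumed name)."""

class VMRestClient:
    def __init__(self, nodes: List[str], get_token: Callable[[str], str],
                 do_request: Callable[[str, str, str], Tuple[int, str]],
                 ttl_minutes: int, clock: Callable[[], float] = time.time):
        self.nodes = nodes              # assumed ordering: publisher first, then subscribers
        self.get_token = get_token      # (node) -> bearer token; raises ConnectionError if node is down
        self.do_request = do_request    # (node, path, token) -> (http_status, body)
        self.ttl = ttl_minutes * 60     # mirrors the OAuth token expiry Enterprise parameter
        self.clock = clock
        self.token: Optional[str] = None
        self.issued_at = 0.0
        self.node: Optional[str] = None
        self.refreshes = 0              # how many tokens we had to request (for tests/metrics)

    def _token_expired(self) -> bool:
        return self.token is None or self.clock() >= self.issued_at + self.ttl

    def _refresh_token(self) -> None:
        # Ask the publisher first; if it is down, ask a subscriber (tip 2 above).
        for node in self.nodes:
            try:
                self.token = self.get_token(node)
            except ConnectionError:
                continue
            self.issued_at = self.clock()
            self.node = node
            self.refreshes += 1
            return
        raise TokenInvalidError("no node in the cluster issued a token")

    def call(self, path: str) -> Tuple[int, str]:
        if self._token_expired():
            self._refresh_token()       # tip 1: local timer says the token is past expiry
        try:
            status, body = self.do_request(self.node, path, self.token)
        except ConnectionError:
            status, body = 401, ""      # node that issued our token is gone: treat as invalid
        if status == 401:
            # Token rejected although not expired locally: Tomcat restart or
            # publisher failover invalidated it. Get a new one and retry once.
            self.token = None
            self._refresh_token()
            status, body = self.do_request(self.node, path, self.token)
        return status, body
```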