BlockID Legacy Authentication Broker
Overview
A BlockID Authentication Broker is installed on a client environment to allow the BlockID Admin Console (running in the cloud) to communicate within a client’s environment. All connections made by the broker are outbound and there is no need for any inbound connectivity into the company's network. The BlockID Authentication Broker is a lightweight JAVA application that provides a mechanism, communicates outbound only, and handles the flow of encrypted traffic between the Credential Provider (on Windows), Network Device Enrollment Service (NDES), Active Directory (AD), and the 1Kosmos cloud.
BlockID Authentication Broker is a proxy enabled, supports proxy authentication, and uses a proxy to connect to the 1Kosmos cloud.
Prerequisites:
You will need the following resources and privileges to complete this installation:
- OS - Linux (supports only Linux), RHEL 7 and above
- JAVA - Java SE version 8, or OpenJDK version 17.02 LTS
- RAM - 2 GB (Minimum)
- Two Virtual CPUs
Permissions:
- Permissions to the installation folder and install the BlockID Authentication Broker application on the Linux server.
- Outbound internet access and permission to communicate with the tenant URL on TCP ports
80
and443
. - Proxy URL in case the enterprise requires that the BlockID Authentication Broker communicate outbound through a proxy.
- Non-authenticated proxy connection.
- Authentication credentials for non-proxy connection.
The BlockID Authentication Broker Installation (.zip) file is named as blockIdSetup-<version number>.zip
. To get the BlockID Authentication Broker installation file, please contact your 1Kosmos representative.
Enable Authentication Broker module and obtain websocket URL from the BlockID Admin Console:
- Login to your BlockID Admin Console, navigate to *Administration Console > Auth Configuration > Authentication Modules*.
- From the All Authentication Modules section, click on the Add this Module
+
icon for the Authentication Broker module. The Authentication Broker module is displayed in the Enabled Authentication Modules section. - Click on the Edit & Configure this Module
pencil
icon for that module. - In the Authentication Broker screen, click Enable.
- Copy the URL generated for the broker websocket and save it.
Installation Steps:
Place and unzip the BlockID Authentication Broker Installation file within a particular folder on the Linux server. This will create the following folders and files within the main folder where the installation file is placed:
Folders:
- Conf: This folder contains the configuration files in the
<configurations_filename>.yml
format. For example,default.yml
. - Libs: This folder contains the required libraries to run the broker.
- Logs: This folder contains the default.log file with all the logs.
- Pid: The broker uses this folder during runtime.
- Conf: This folder contains the configuration files in the
Files:
- startClient.bsh: This is a script file to start the broker.
- stopClient.bsh: This is a script file to stop the Broker.
On the Linux server:
- To start the BlockID Authentication Broker:
- Run
./startClient.bsh
to start the broker. The-P
regulates the port on which the broker will be running. By default, the port is8081
, you can specify this while running./startClient.bsh
.
- Run
- To start the BlockID Authentication Broker:
Open the web browser, enter the Broker Server FQDN URL that is
http://<BROKER_SERVER_HOSTNAME>:8081
in the Address bar, and press Enter. The Configure Websocket Client application screen is displayed. This is the enterprise screen to configure the Broker.In the Configure Websocket Client application screen, it is mandatory to fill in details in all the fields given in the following tabs.
- In the LDAP or AD Configurations tab:
- In the BlockID Broker Core Config section:
- Broker port: Specify the port number on which the broker is running.
- Broker websocket: Enter the websocket URL. This URL is obtained from the BlockID Admin Console application. To check the steps for getting the websocket URL, visit the Enable Authentication Broker module and obtain Websocket URL from the BlockID Admin Console topic.
- Broker Proxy Url: Enter the URL of a proxy server through which the broker can communicate with the Tenant.
- In the LDAP or AD Configuration section, enter your AD configuration details.
- In the BlockID Broker Core Config section:
- In the SCEP Configuration tab, enter your SCEP and NDES server configuration details.
- Click Submit.
- In the LDAP or AD Configurations tab:
To verify that the BlockID Authentication Broker has started successfully:
- Run the
tail -f logs/default.log
command. You will get the default connection logs that show the connection has been established to the broker, the broker has started up successfully, and the broker can communicate with the tenant.- For example, you will get the following logs:
isHealthyProxy checking host: <YOUR_TENANT_URL> using proxyUrl: <YOUR_PROXY_URL>
MessageHandlerTask PING
MessageHandlerTask PONG received from server
- For example, you will get the following logs:
- Run the
To establish a successful connection between the BlockID Authentication Broker and the tenant, you need to perform the following tasks in the BlockID Admin Console:
- Navigate to *Administration Console > Auth Configuration > Authentication Scheme*.
- Click on the Edit button for the default authentication scheme.
- Select Modules: select
broker
. - Select Criteria: select
Required
. - Click Save.
- Navigate to *Administration Console > Enterprise Configuration > SCEP Configuration*, enable the Simple Certificate Enrollment Protocol Broker option and click Save & Apply. The BlockID Authentication Broker has successfully been installed and configured on your server.
- Navigate to *Administration Console > Auth Configuration > Authentication Scheme*.
Follow the below steps to install and configure the second broker:
- You will require a different server to install a second broker. Perform the BlockID Authentication Broker installation steps.
- Perform the AD/LDAP configurations in the Configure Websocket Client application screen of your broker.
- Note that, there is no need to perform any configurations in the BlockID Admin Console.
Test the Broker Connection:
- In your browser, enter your tenant’s URL for the BlockID Admin Console.
- In the login screen, enter your AD username and password details. The BlockID Authentication Broker will authenticate your details against your AD and grant access to the BlockID Admin Console upon successful authentication.
Troubleshooting Steps:
- If BlockID Authentication Broker is not connected and you are not receiving the PING and PONG messages in the default.log file in the logs folder, then perform the following steps:
- Check the broker URL is entered correctly in the broker configuration.
- Check whether the proxy is preventing the broker from communicating with the tenant.
- Check the Proxy logs and allow the broker to communicate with the tenant.
- During authentication, if the user is not getting authenticated successfully in the BlockID Admin Console:
- In the broker logs, check if the broker can connect to Active Directory (AD).
- Check if the broker can connect to CA and NDES servers properly.
- To check whether the broker is running or not:
- Navigate to the Broker Configuration screen and refresh the screen to check whether it has got stopped or not.
- Check the broker logs:
- Run
tail -f logs/default.log
- Run
- The broker is a java application, hence, to check whether any JAVA process is running on the Unix machine:
- Run
ps -ef | grep java
This will show you all the java processes that are running on the Unix machine.
- Run
BlockID Legacy Authentication Broker User Guide
The BlockID Authentication Broker is a lightweight JAVA application that provides a mechanism, communicates outbound only, and handles the flow of encrypted traffic between the Credential Provider (on Windows), Network Device Enrollment Service (NDES), Active Directory (AD), and the 1Kosmos cloud.
This document describes the following fundamental concepts supported by the BlockID Authentication Broker:
- Multiple Broker Support
- Broker Legacy AD Password Reset Support
Multiple Broker Support
1Kosmos provides multiple brokers setup for BlockID Admin Console. To achieve this, install each broker on a separate Linux/Unix machine, and in each broker configuration, add the same broker auth module’s WebSocket URL and AD/LDAP details of BlockID Admin Console.
When a BlockID Admin Console is connected to multiple brokers, it will detect if a broker is brought off-line and automatically route requests to the other connected brokers. Also, additional brokers can be added to the system to provide additional performance and availability.
The BlockID Admin Console will randomly select any broker and establish a connection with it at a time (until that broker stops working) out of the number of linked brokers. This allows the BlockID Admin Console to provide a high level of performance and uptime that cannot be achieved when just a single broker is providing service.
The BlockID Admin Console will detect if a broker is brought off-line or stopped and automatically route the requests to the other linked brokers. Also, additional brokers can be added to the system to provide additional performance and availability.
To Install and configure more than one broker for best performance and availability, they should all be on separate Linux/Unix machines.
To configure multiple brokers support for the BlockID Admin Console:
BlockID Admin Console configurations:
- Login to the BlockID Admin Console.
- Navigate to Administration Console > Auth Configuration > Authentication Modules.
- From the Enabled Authentication Modules section, click on the Edit & Configure this Module
pencil
icon for the enabled authentication broker module. - Copy the websocket URL generated for the broker and save it.
Broker configurations:
- On the Linux/Unix server, start the BlockID Authentication Broker.
- Open the web browser, enter the Broker Server FQDN URL that is
http://<BROKER_SERVER_HOSTNAME>:<port>
in the Address bar, and press Enter. The Configure Websocket Client application screen is displayed. This is the enterprise screen to configure the broker. - In the Configure Websocket Client application screen:
- Navigate to LDAP or AD Configurations > BlockID Broker Core Config > Broker WebSocket, enter the same websocket URL copied from the BlockID Admin console.
- Navigate to LDAP or AD Configurations > LDAP or AD Configuration, enter the similar AD configuration details added within the other brokers LDAP section.
- Click
Submit
.
Note that, multiple brokers should include the same WebSocket configurations to provide support to the same BlockID Admin Console.
Broker Legacy AD Password Reset Support
This feature allows the user to reset his/her password. For example, the BlockID mobile app has a reset credentials feature, that would use the password reset if the broker was configured for the authentication. The BlockID Admin console also has a password reset feature. The broker searches for the user using the config parameters and if the searched user is found, the broker binds it as the administrative user to the configured directory and modifies the password of the user.
Active Directory password resets always require an SSL/TLS connection from the broker to the AD server. LDAP directories may or may not require SSL/TLS depending on how they are configured.
To reset the password, perform the following steps:
- From the BlockID app:
- Open the BlockID mobile app, click
RESET AD CREDENTIALS
.- Update password for below userid: It shows the username of the persona.
- New Password: Enter the new password.
- Confirm Password: Enter the new password again.
- Click
Reset Ad Credentials
. This will reset the password for the selected persona within the application.
- Open the BlockID mobile app, click
- From the BlockID Admin Console:
- Login to BlockID Admin Console.
- From the top right corner, click on the User Account list (third list) and click Profile.
- Click on the Password Management tab.
- In the Password Management tab:
- Password: Enter the new password.
- Confirm Password: Enter the new password again.
- Click Update Password. This will update the password for the selected user profile within the application.
Upgrading BlockID Authentication Broker
In order to ensure this is seamless, download the latest broker, and perform the following steps for the upgrade. The following steps will assist you in manually installing the broker for LDAP/AD connectivity.
The expected duration of the activity is approximately 20-30 minutes.
Linux Virtual Machine (VM) Server Requirements
- OS - Linux (supports only Linux), RHEL 7 and above
- JAVA:
- OpenJDK version 17.02 LTS or higher
- Oracle Java SE 8 or higher
- RAM - 2 GB (Minimum)
- Two Virtual CPUs
- Port for you broker interface
- Web proxy should allow outbound WebSocket connections
Steps to be performed:
- Log in to the Linux machine with the userid that was used for the broker installation.
- Before you begin, ensure that the broker you are trying to upgrade is stopped. To stop the BlockID Authentication broker:
- Run the
./stopClient.bsh
command.
- Run the
- Please take a backup of the entire broker folder within the server. Our standard installation instructions ask for the broker to be installed within the
/opt/1kosmos/broker
directory. - Download and copy the BlockID Authentication Broker Installation .zip file to the Linux machine from the location provided to you.
- Unzip the BlockID Authentication Broker Installation file within a designated folder on the Linux server. You will be prompted to choose which files to replace.
- Select YES for all files other than
default.yml
. - If you have made changes to the start or stop scripts, select NO for those prompts.
- Select YES for all files other than
- Start the BlockID Authentication broker:
- Run
./startClient.bsh -consoleDns <tenantname> -community <communityname> -licenseKey <licensekey> -tenantTag <tag> -p <port> -t <time-in-seconds>
command.
- Run
- Navigate to the logs folder and tail the latest broker log:
- Run
tail -f logs/default_<dateandtime>.log
command.
- Run
- Repeat the steps across all of your brokers.
Test the broker connection
- Login to the BlockID Admin Console as an administrator.
- Navigate to Administration Console > Auth Configuration > Authentication Modules.
- From the Enabled Authentication Modules section, click on Authentication Broker.
- Check and confirm the indicator in green next to the newly upgraded broker.
- Log out from the BlockID Admin Console and log in again as a regular user. The My Profile screen is displayed for the user.