If the ASM is accessible from the WWW, you will likely want to allow access only to the required ASM
functionality and lock out all other access. A firewall can provide this protection.
Here is a sample set of iptables commands for setting up a basic firewall that accepts http
and https connections and rejects all other connections.
To configure iptables:
- log in or su as root in a command shell on the device you are trying to configure
- ensure that iptables starts at system start:
chkconfig iptables on
- ensure that iptables is currently running:
service iptables start
- enter the following commands to accept only http and https connections on the public network, and
http, https, and ssh connections on the internal network.
Note that you may need to adjust the 'eth0' and 'eth1' parameters to match your deployment.
# Clear IPTABLES
################
iptables -F
iptables -Z
iptables -X
# Local Loopback
################
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Accept All Related Connections
################################
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outgoing connections
################################
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
# Accept All HTTP and HTTPS Connections
# Accept SSH connections on "internal" interface
################################################
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports http,https -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m state --state NEW -m multiport --dports http,https,ssh -j ACCEPT
# Set Default Policies
######################
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# DROP everything else
######################
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
Your device should now accept http and https connections and reject all other connections.
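As an added verification step (example code written for this page, not part of the ASM documentation), the audit below reads the output of `iptables-save -t filter` and checks what the procedure is meant to establish: DROP default policies on all three chains, new http/https connections only on the public interface, and ssh reachable only on the internal interface. The interface names eth0/eth1 and the embedded ruleset are assumptions constructed for the example.

```python
import re

PUBLIC_IF, INTERNAL_IF = "eth0", "eth1"   # assumed interface names; adjust to your deployment
EXPECTED_NEW = {PUBLIC_IF: {80, 443}, INTERNAL_IF: {22, 80, 443}}

# Constructed sample of `iptables-save -t filter` output after the rules above were applied.
SAMPLE_OK = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW -m multiport --dports 80,443,22 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""

def _dports(rule):
    """Destination ports from --dport/--dports; 'all' when the rule names none."""
    m = re.search(r"--dports? (\S+)", rule)
    return {int(p) for p in m.group(1).split(",")} if m else {"all"}

def audit(ruleset):
    """Return findings for a filter-table ruleset; an empty list means it matches the policy."""
    findings, policies, new_ports = [], {}, {}
    for line in ruleset.splitlines():
        if line.startswith(":"):                      # chain header: ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A INPUT") and "-j ACCEPT" in line and " -i lo " not in line:
            m = re.search(r"-i (\S+)", line)
            iface = m.group(1) if m else "any"
            states = re.search(r"--(?:ct)?state (\S+)", line)   # -m state or -m conntrack
            if states is None:                        # no state match: accepts unsolicited packets
                findings.append("stateless ACCEPT on INPUT: " + line)
            elif "NEW" in states.group(1).split(","):
                new_ports.setdefault(iface, set()).update(_dports(line))
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain, 'missing')}, expected DROP")
    for iface in sorted(set(new_ports) | set(EXPECTED_NEW)):
        got, want = new_ports.get(iface, set()), EXPECTED_NEW.get(iface, set())
        if got - want:
            findings.append(f"{iface} accepts NEW connections on {sorted(map(str, got - want))}")
        if want - got:
            findings.append(f"{iface} lacks NEW-connection rules for {sorted(want - got)}")
    return findings
```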
The ASM supports two types of user authentication:
- LDAP based login
- User detection based on incoming IP address
If you do not enable LDAP user authentication, the ASM attempts to identify the incoming
subscriber by mapping the IP address of the requesting web browser to a subscriber through a lookup
by cable modem MAC address in the ARM system.
If you want to require your users to provide a username and password, enable LDAP authentication.
To connect the ASM to an OpenLDAP server for authentication and subscriber identification:
- log in with an account that has administrative rights
- from the top menu bar, select "Go to|Control Panel"
- In the "Portal" section, select "Portal Settings"
- select "Authentication" from the "Configuration" section
- select "LDAP" from the tab bar
- to add an LDAP server, click the [Add] button
- Populate the resulting form with your LDAP server information and save.
- Here are some sample values:
  - Server Name: a local-only identification of this LDAP server
  - Default Values: leave unselected
  - Base Provider URL: ldap://server:389
  - Base DN: dc=maxcrc,dc=com
  - Principal: cn=Manager,dc=maxcrc,dc=com
  - Credentials: secret
  - Groups:
    - Import search filter: (objectClass=groupOfNames)
    - user: member
- Press the [test ldap connection] button to ensure connectivity
- Press the [Test LDAP Users] button to ensure a reasonable user list is available
- Press the [Save] button to save these settings and exit the 'Add Server' form
- select "Enabled"
- select "Required"
- ensure that "Import enabled", and "Export Enabled" are not selected
- Press the [Save] button to save these settings and exit the 'LDAP' form
Adjust default user permissions
- click Users from the Configuration section
- click the "Default User Associations" tab
- In the Roles text edit, remove the "Power User" role, leaving only "User"
- Press the [Save] button to save these settings and exit the form
To set up the ASM to use the https protocol, you will need to configure the Tomcat
web server to use a valid SSL certificate.
To configure Tomcat to use a valid SSL certificate:
- SSH into the server hosting the ASM software
- Generate a Certificate Signing Request (CSR):
  - Create and navigate to the directory where you will manage your certificate:
    [root@asm ~]# mkdir /opt/abn/asm/certificates
    [root@asm ~]# cd /opt/abn/asm/certificates
  - Create a new keystore:
    [root@asm certificates]# keytool -genkey -alias [your_fqdn_here] -keyalg RSA -keysize 2048 -keystore [your_fqdn_here].jks
    You will be prompted to choose a password for the new keystore, followed by your organization's information.
    NOTE: When it asks for first and last name, it is NOT your name. Use the fully qualified domain name of your
    ASM installation (www.example.com, or *.example.com if you are using a wildcard certificate). Use the same
    domain name in place of [your_fqdn_here].
  - Generate a CSR from the new keystore:
    [root@asm certificates]# keytool -certreq -alias [your_fqdn_here] -file csr.txt -keystore [your_fqdn_here].jks
    Enter the keystore password you created in the previous step when you are prompted.
- Submit the CSR to your SSL certificate provider to receive a PKCS format certificate
- Back up the original [your_fqdn_here].jks file, as we will be modifying it; if something
  goes wrong, you would otherwise have to go through the process of having a certificate
  issued again.
- Import your issued PKCS certificate into your keystore:
  [root@asm certificates]# keytool -import -alias [your_fqdn_here] -trustcacerts -file [your_pkcs_file_here] -keystore [your_fqdn_here].jks
  You will be prompted for a password; this is the password that you set in the "Create a new keystore" step.
  NOTE: You must use the same alias in this step as you did when you created the CSR.
- Modify the Tomcat configuration to use SSL:
  [root@asm certificates]# cd /opt/abn/asm/conf
  [root@asm conf]# nano server.xml
  In this example we use the nano text editor, but you can use whichever editor you are comfortable with.
  Modify the block in server.xml that looks like the block below:
    <Connector executor="tomcatThreadPool"
               port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               clientAuth="false"
               sslProtocol="SSLv3"
               ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
               keystoreFile="${catalina.base}/conf/.keystore"
               keystorePass="ipdradm"/>
  to look like:
    <Connector executor="tomcatThreadPool"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               keystoreType="JKS"
               keystoreFile="${catalina.base}/newCerts/test/abbKeyStore"
               keystorePass="[your_keystore_password_here]"
               keyAlias="[your_fqdn_here]"
               ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
               port="443"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               clientAuth="false"/>
- Restart the ASM service:
  [root@asm conf]# service abn-asm restart
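An added review check (example code written for this page, not ASM's own) that parses server.xml and reports SSL Connector settings a reviewer would question: the shipped keystore password left in place, a missing keyAlias, an SSL-era sslProtocol value, and RC4/3DES/MD5 cipher suites, which are now obsolete. The embedded server.xml and the hostname asm.example.com are constructed for the example; it combines attributes from both Connector blocks above so that every check fires once.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Connector attributes from the procedure above, in a minimal server.xml.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector executor="tomcatThreadPool"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               keystoreType="JKS"
               keystoreFile="${catalina.base}/newCerts/test/abbKeyStore"
               keystorePass="ipdradm"
               keyAlias="asm.example.com"
               ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
               sslProtocol="SSLv3"
               port="443" SSLEnabled="true" scheme="https" secure="true" clientAuth="false"/>
  </Service>
</Server>
"""

SHIPPED_KEYSTORE_PASS = "ipdradm"   # the default visible in the stock server.xml block above
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "_NULL_", "EXPORT", "_MD5")

def check_connectors(server_xml):
    """Return {port: [findings]} for every SSL-enabled Connector in a server.xml document."""
    report = {}
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        findings, port = [], c.get("port", "?")
        for attr, want in (("scheme", "https"), ("secure", "true")):
            if c.get(attr, "").lower() != want:
                findings.append(f'{attr} should be "{want}"')
        if c.get("keystorePass") == SHIPPED_KEYSTORE_PASS:
            findings.append("keystorePass is still the shipped default")
        if not c.get("keyAlias"):
            findings.append("keyAlias not set; Tomcat will use the first key in the keystore")
        if c.get("sslProtocol", "TLS").upper().startswith("SSL"):
            findings.append(f'sslProtocol="{c.get("sslProtocol")}" selects an obsolete protocol; use "TLS"')
        weak = [s for s in c.get("ciphers", "").split(",") if any(m in s for m in WEAK_CIPHER_MARKERS)]
        if weak:
            findings.append("weak ciphers: " + ",".join(weak))
        report[port] = findings
    return report
```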
You are now ready to start adding content to your customer portal web site.
The tools built into the Active Service Manager make this a quick exercise.
Here is a sample site available for import to get started.
Download the 'lar' file to your local machine, then use the page import utility in the control panel to import the site.
To import the site:
- Download the sample site file
- Select Go to|Control Panel from the dock bar
- Click the Site Pages link in the "a-bb.net" section
- Click the [Import] button
- Click "browse" and choose the recently downloaded file "abnSample.zip"
- Make sure to enable "Permissions" importing in the "Other" section
- click the [Import] button
- click "Back to a-bb.net" in the dockbar
If you wish to add these portlets to a different site instead of allowing direct access to the ASM,
that is also easy. Using the "Add|More" window, drag portlets to a page in the ASM and configure
each portlet as desired using the 'preferences' menu. Once you've configured a portlet to your desired
look, click the wrench icon and select 'Configuration' from the menu. In the dialog that opens, select
the 'sharing' tab and follow the on-screen instructions.
To replace the word "guest" in the URL path:
- Log in with an account that has administrative rights.
- Select "Manage" then "Site Settings" from the dockbar at the top of the screen.
- In the "Site Settings" window that opens, select "Site URL" from the "Basic Information" menu.
- In the "Friendly URL" textbox, replace "guest" with your preferred text.
There are some additional steps you should take to configure the ASM as a prepaid service provider.
Here is a sample site available for import to get started.
Download the 'lar' file to your local machine, then use the page import utility in the control panel to import the site.
To import the site:
- Download the sample ppss site file
- Select Go to|Control Panel from the dock bar
- Click the Site Pages link in the "a-bb.net" section
- Click the [Import] button
- Click "browse" and choose the recently downloaded file "abnSamplePpss.zip"
- Make sure to enable "Permissions" importing in the "Other" section
- click the [Import] button
- click "Back to a-bb.net" in the dockbar
The PPSS provides the following portlets, grouped by audience:
- Configuration and Management
  - Event Notification Configuration
  - Event Viewer
  - PPSS Coupon Manager
  - Merchant Account Configuration
  - Service Activation Soap Settings
  - Temporary Service Activation
- User Visible Controls
  - Temporary Service Activation
Events
As items of interest occur on the ASM, it posts events. These events may be viewed in the "Event Viewer",
and may also be configured to send an SNMP trap or an SMTP email. The SNMP and SMTP configuration is modified
using the "Event Notification Configuration" portlet, available in the Active Broadband Networks section of the
page building toolbox.
Coupons
You may want to allow some of your customers to purchase access via coupons as well as credit cards. The PPSS
allows the system administrator to add coupons one at a time from the ASM user interface or in bulk via a web service.
Each coupon has a time span and a coupon code. Drag the ABN PPSS Coupon Manager portlet to an ASM page from
the component toolbox. This display shows all of the coupons in the system and allows you to add single
coupons.
To add multiple coupons, create an XML file containing the coupons you would like to add and perform an HTTP PUT
of that file's content to the web service URL.
Sample XML File: (coupons.xml)
Sample http put:
curl -X PUT --header "Content-Type: application/xml" -d @coupons.xml http://SERVER/abn-portlet-ppss/rest/ppss/coupon
Merchant Account Configuration
In order to collect credit card payments, you must attach the ABN PPSS system to your Authorize.Net account.
The Authorize.Net account should be configured to use the "Advanced Integration Method (AIM)" supported by
Authorize.Net. Enter your Authorize.Net API Login ID and your current API Transaction Key into the provided
fields in the Merchant Account Configuration. Do not forget to update these fields should you change your
transaction key in your Authorize.Net account.
Soap Server Settings
The ABN PPSS system activates and deactivates cable modems by executing a series of SOAP calls to a SOAP server.
The ABN PPSS system needs to know the location of the SOAP server and the parameters to pass to the web service calls.
Enter the appropriate information into the provided fields of the SOAP Server Settings screen.
Temporary Service Activation
The "Temporary Service Activation" portlet has two views: an administrative view and an end-user view.
The administrative view allows the system administrator to set and change the price of service charged to the
end user for both week and month durations. The administrative view also allows the system administrator to
set the upstream and downstream service class names used by the PCMM to activate the cable modem.
The Temporary Service Activation user view is the only screen that the end user is likely to see. This form
allows the end user to activate their modem. Its fields require name, address, phone, and email as well as payment information.