EF Tips and Tricks

EnginFrame is a very powerful HPC and visualization session management portal. In this section we want to highlight some of the features and configuration options of EnginFrame.

A good overview of the EnginFrame customization options can be found in the Technology Showcase, available from the EnginFrame start page when logged in as an administrator.

Automatic Login

The steps to scrape data from EnginFrame through curl are the following:

  1. Get the JSESSIONID cookie and the CSRF token
  2. Log in (this uses a license)
  3. Retrieve data
  4. Log out (to release the license)

The following script implements these steps:

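#!/bin/bash

# Private scratch directory: the cookie jar and the CSRF token are live session
# credentials, so keep them out of a shared, predictable /tmp path.
umask 077
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# --insecure skips TLS certificate verification; drop it once the endpoint
# is served over HTTPS with a trusted certificate.
curl="curl --silent --insecure \
       --cookie $workdir/cookies.txt \
       --cookie-jar $workdir/cookies.txt"

endpoint='http://localhost:8080'

# Sample credentials: replace them with your own.
user='efadmin'
password='123456'

# Step 1: open a session (JSESSIONID cookie) and fetch the CSRF token,
# stored as name=value so it can be passed straight to --data.
function session {
   $curl --junk-session-cookies "$endpoint/enginframe/admin/com.enginframe.admin.xml" > /dev/null
   $curl -X POST \
       -H "Referer: $endpoint/enginframe" \
       -H "FETCH-CSRF-TOKEN: 1" \
       "$endpoint/enginframe/CsrfGuardServlet" | awk -F ':' '{print $1"=" $2}' > "$workdir/csrftoken"
}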

# Step 2: log in. Credentials are URL-encoded so that special characters
# in the password do not break the form body.
function login {
   $curl -X POST \
       -H "Referer: $endpoint/enginframe" \
       -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
       -H 'Accept-Language: en,it;q=0.5' \
       -H 'Content-Type: application/x-www-form-urlencoded' \
       -H 'Upgrade-Insecure-Requests: 1' \
       --data-urlencode "_username=$user" \
       --data-urlencode "_password=$password" \
       --data 'submit=Login' \
       --data "$(< "$workdir/csrftoken")" \
       "$endpoint/enginframe/admin/com.enginframe.admin.xml?_uri=//com.enginframe.admin/server.load" > /dev/null
}

function logout {
   $curl \
       -H "Referer: $endpoint/enginframe" \
       -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
       -H 'Accept-Language: en,it;q=0.5' \
       -H 'Content-Type: application/x-www-form-urlencoded' \
       -H 'Upgrade-Insecure-Requests: 1' \
       "$endpoint/enginframe/admin/com.enginframe.admin.xml?_uri=//com.enginframe.system/logout"  > /dev/null
}

function license_status {
   $curl -X POST \
       -H "Referer: $endpoint/enginframe" \
       -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
       -H 'Accept-Language: en,it;q=0.5' \
       -H 'Content-Type: application/x-www-form-urlencoded' \
       -H 'Upgrade-Insecure-Requests: 1' \
       --data "$(< $workdir/csrftoken)" \
       "$endpoint/enginframe/admin/com.enginframe.admin.xml?_uri=//com.enginframe.admin/view.license.usage"
}

session
login
license_status
logout

To get human-readable results, install the w3m package and pipe the output of the script to:

w3m -dump  -T text/html

To extract only the numbers you need you can use xmllint with an XPath expression.

Change auth to Active Directory (AD)

You need to edit the file $EF_TOP/conf/plugins/activedirectory/ef.auth.conf and set these variables:

AD_SERVER="${activedirectory.server}"
AD_PORT="${activedirectory.port}"
AD_BASE="${activedirectory.base}"
AD_LDAPSEARCH="${activedirectory.ldapsearch}"
AD_BINDAS="${activedirectory.bindas}"
AD_BINDPWD="${activedirectory.bindpwd}"

  • AD_SERVER: LDAP Server name or IP address
  • AD_PORT: LDAP Server port
  • AD_BASE: the base DN (Distinguished Name) for the search operation in the Active Directory
    database
  • AD_LDAPSEARCH: the absolute path to the ldapsearch executable
  • AD_BINDAS: user that has permissions to bind to Active Directory Server for queries
  • AD_BINDPWD: password for user binding to Active Directory Server

You can find more details here: https://dn3uclhgxk1jt.cloudfront.net/enginframe/packages/2019.0/documentation/EFAdminGuide2019.0.pdf

Then you need to update the file /opt/nice/enginframe/conf/enginframe/server.conf from

EF_DEFAULT_AUTHORITY=pam

to

EF_DEFAULT_AUTHORITY=activedirectory 

Add a custom location in EnginFrame File Manager

To add a custom file manager location to the “Files” page, proceed as follows:

  1. Identify the plugin you’re using, e.g. applications, views or demo.
    You can also check it by looking at the browser URL: it is the string immediately following the EnginFrame root context (default: /enginframe), e.g. /enginframe/applications
  2. Log into EnginFrame server node
  3. Change directory to $EF_ROOT/plugins/applications (or your plugin folder), bin subdirectory
  4. Create a file named fm.browse.ui with the following contents:
#!/bin/bash
newFilesLocation=/tmp
 
newFileslabel="Temporary folder"
 
source "${EF_ROOT}/plugins/ef/conf/ef.xmlns.conf"
source "${EF_ROOT}/plugins/ef/lib/xmlfuncs"
 
printf '<ef:ui-configure-widget ui="hydrogen" id="fm-browse" %s %s %s>\n' \
        "${EF_XMLNS_ef}" "${EF_XMLNS_hy}" "${EF_XMLNS_efactions}"
 
vroot=$("${EF_ROOT}/plugins/fm/bin/fm.vroot.create" "${FM_BROWSE_SPOOLER}" 'fm' "file://${newFilesLocation}")
 
printf '<hy:add-vroot id="%s">\n' "${vroot}"
 
printf '<hy:label>%s</hy:label>\n' "$(ef_xml_escape_content --input "${newFileslabel}")"
 
printf '</hy:add-vroot>\n'
printf '</ef:ui-configure-widget>\n'
  5. You can customize the first two parameters: the new filesystem location and the associated label in the Files page.
  6. Give fm.browse.ui executable permissions:
    chmod +x fm.browse.ui

Multi-Factor-Authentication (MFA) for EnginFrame

EnginFrame SSO and MFA with OKTA

The AWS team has created a guide on how to integrate EnginFrame with OKTA to provide Single Sign-On and MFA.

Some content is inspired by NICE Support articles.

Extend the administration rights to other users

Add the new user in the EF_ADMIN variable:

EF_ADMIN=efadmin,nakagami

You need to do that in two files:

$EF_ROOT/enginframe/conf/enginframe/server.conf
$EF_ROOT/enginframe/conf/enginframe/agent.conf

Replace $EF_ROOT with the base directory of your EnginFrame setup.

Then you need to restart the service:

systemctl restart enginframe

Session cleanup

To clean the persistent data of a damaged user, follow these steps:

  • Identify all files belonging to the damaged user. In this example, the user is “nisp”.
    ls /opt/nice/enginframe/{repository,sessions,spoolers}/nisp/

    Note: Replace the path with your real EnginFrame path.
  • Stop the EnginFrame systemd service:
    systemctl stop enginframe
  • Back up and remove all files and directories found in the previous step.
  • Back up the files below and replace them with the original files for fresh users (usually located in the /etc/skel directory):
    • .bashrc
    • .bash_profile
    • .profile
  • Then start EnginFrame again:
    systemctl start enginframe
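
The backup-and-remove step above, as an added example that is not part of the original page or of EnginFrame. The function name, the archive name and the allowed user-name characters are assumptions. It refuses an empty or path-like user name, which would otherwise make the removal reach every user's data.

```bash
#!/bin/bash
# Added example, not EnginFrame code: back up, then remove, one user's
# persistent data. Names are hypothetical; stop the enginframe service first.

# ef_user_cleanup EF_BASE USER BACKUP_DIR
# Returns 2 for an unsafe user name, 1 if nothing was found or the backup failed.
ef_user_cleanup() {
    local base="$1" user="$2" backup="$3" d
    # An empty name, "." / ".." or a name containing "/" would point the rm
    # below at other users' directories, so accept plain names only
    # (assumed character set: letters, digits, dot, underscore, hyphen).
    case $user in
        ''|.|..|*[!A-Za-z0-9._-]*) echo "refusing unsafe user name: '$user'" >&2; return 2 ;;
    esac
    set --   # reuse the positional parameters as the list of paths to process
    for d in repository sessions spoolers; do
        if [ -d "$base/$d/$user" ]; then set -- "$@" "$d/$user"; fi
    done
    [ "$#" -gt 0 ] || { echo "nothing to clean for $user" >&2; return 1; }

    # Archive first; delete only if the archive was written.
    mkdir -p "$backup" || return 1
    tar -C "$base" -czf "$backup/$user-ef-data.tar.gz" "$@" || return 1
    for d in "$@"; do rm -rf -- "${base:?}/$d"; done
}

# Constructed demo tree standing in for /opt/nice/enginframe.
demo=$(mktemp -d)
for u in nisp other; do
    mkdir -p "$demo/ef/repository/$u" "$demo/ef/sessions/$u" "$demo/ef/spoolers/$u"
done
ef_user_cleanup "$demo/ef" nisp "$demo/backup" && ls "$demo/ef/sessions"
rm -rf "$demo"
```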

Minimizing the built-in account locking mechanism

Edit the file /opt/nice/enginframe/conf/enginframe/server.conf and set these parameters to mitigate your account locking problem:

# Set a high value
ef.account.lockout.after.attempts=1000
# Zero disables the lockout for admins
ef.account.lockout.time.admins=0
# Minimum time is 1 minute
ef.account.lockout.time.users=1

Then restart the EnginFrame service:

systemctl restart enginframe
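
A review check for the settings changed in this section and in "Extend the administration rights to other users", as an added example that is not part of the original page or of EnginFrame. It reports when EF_ADMIN differs between server.conf and agent.conf and when the lockout values leave accounts without effective failed-login throttling. The function names and the MAX_ATTEMPTS threshold are assumptions.

```bash
#!/bin/bash
# Added example, not EnginFrame code. Assumes plain key=value lines as shown on
# this page; function names and MAX_ATTEMPTS are hypothetical.

MAX_ATTEMPTS=10   # assumed review threshold, not an EnginFrame default

# Print the value of key $1 in file $2 (last assignment wins; surrounding
# quotes and a trailing "# ..." comment are stripped).
conf_get() {
    awk -v k="$1" 'index($0, k "=") == 1 {
        v = substr($0, length(k) + 2)
        sub(/[ \t]*#.*$/, "", v); gsub(/^[ \t"]+|[ \t"]+$/, "", v)
    } END { print v }' "$2"
}

# Comma-separated list -> sorted, unique names, one per line.
as_set() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -e 's/[[:space:]]//g' -e '/^$/d' | sort -u
}

# Print one finding per line for the conf directory $1 (no output = clean).
ef_conf_audit() {
    local dir="$1" srv agt attempts admins_time
    srv=$(as_set "$(conf_get EF_ADMIN "$dir/server.conf")")
    agt=$(as_set "$(conf_get EF_ADMIN "$dir/agent.conf")")
    [ "$srv" = "$agt" ] || echo "DRIFT: EF_ADMIN differs between server.conf and agent.conf"

    attempts=$(conf_get ef.account.lockout.after.attempts "$dir/server.conf")
    case $attempts in
        ''|*[!0-9]*) ;;   # unset or not a number: nothing to compare
        *) [ "$attempts" -le "$MAX_ATTEMPTS" ] ||
               echo "WEAK: lockout only after $attempts failed logins" ;;
    esac

    admins_time=$(conf_get ef.account.lockout.time.admins "$dir/server.conf")
    if [ "$admins_time" = 0 ]; then
        echo "WEAK: lockout disabled for $(printf '%s\n' "$srv" | grep -c .) admin account(s)"
    fi
    return 0
}

# Constructed sample: the new admin was added to server.conf only.
demo=$(mktemp -d)
printf '%s\n' 'EF_ADMIN=efadmin,nakagami' 'ef.account.lockout.after.attempts=1000' \
    'ef.account.lockout.time.admins=0  # inline comment' > "$demo/server.conf"
printf '%s\n' 'EF_ADMIN=efadmin' > "$demo/agent.conf"
ef_conf_audit "$demo"
rm -rf "$demo"
```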