ZStack 3.10.0>Product Manuals>Maintenance Manual>System Login

System Login

You can log in to the UI management page through HTTP or HTTPS.
- HTTP defaults to support port 5000. Enter the corresponding URL address (http://your_machine_ip:5000) to open the UI management page. For a better product experience, we recommend that you use Chrome 49, Firefox 52, or their later versions.
- HTTPS is disabled by default. .
When you log in to the Cloud for the first time, the default account name is admin, and the default password is password.
ZStack supports the following login methods:
- Account login: Requires you to enter the account name and the account password.
- User login: Requires you to enter the user name and the user password.
- AD/LDAP login: Requires you to enter the login attribute name and the AD/LDAP password. For AD/LDAP, you need to configure the AD/LDAP server and bind the AD/LDAP account in advance.
- Project login: Requires you to add the License of the Enterprise Management module, and to enter the user name and the password.
Note: If the login fails, check the management node service. Make sure that both the management service and the UI service are running properly.
ZStack provides multiple login interfaces (main login and project login). For Enterprise Management users, you can set the UI login interface by choosing Settings > Global Settings > Advanced.
On the Advanced tab page, locate UI Login Interface Mode, and select a mode as needed.
- If Show All is selected, you can access all login interfaces, including Main Login and Project Login, through the default link http(s)://management node_ip:port .
- If Project Login is selected, you can only access the Project Login interface through the default link http(s)://management node_ip:port. For Main Login, we provide an independent link http(s)://management node_ip:port/#/accountlogin. Please keep this link properly.
To further protect your account security, ZStack supports two factor authentication. If you enable two factor authentication, the Cloud will require you to enter the correct account name, password, and a 6-digit security code provided by the identity authentication APP for each login.
Note:
- After you log in to the Cloud successfully for the first time, the QR code for authenticating your identity will no longer be displayed. Make sure that you save and keep it carefully.
- If the QR code of the administrator is lost, contact the official technical support to obtain another one.
- After you log in to the Cloud successfully as an administrator, you can check the QR code of the regular users on the account detailed page. If the QR code of the regular users is lost, contact the project administrator to obtain another one.
- After you log in to the Cloud successfully as an administrator, you can check the QR code of the project identity authentication on the project detailed page. If the QR code of the project is lost, contact the platform administrator to obtain another one.
- Each regular account or project must use its verification code for authenticating logins.
To increase the security of the login password, the Cloud supports the following password policies:
- Enable the account lock for continuous failed logins. During the locking period, you cannot log in to the Cloud by using the account.
  Method: Go to Settings > Global Settings > Advanced, and enable the account lock for continuous failed logins.
  - On the Advanced tab page, set Lock Login Attempt Maximum to true to enable this feature. Default value: false.
  - On the Advanced tab page, set Maximum Number of Failed Logins to change the maximum number of failed logins. Default value: 6.
  - On the Advanced tab page, set Account Locking Duration of Failed Logins to modify the locking time of failed logins. Default value: 10 minutes.
- Enable the password update cycle to change login passwords regularly.
  Method: Go to Settings > Global Settings > Advanced to set the cycles of password updates.
  - On the Advanced tab page, set Password Update Cycle to true to enable this feature. Default value: false.
  - On the Advanced tab page, enter a value for Password Update Cycle. Default value: 90 days.
- Limit the number of repeated passwords to prevent the new password being duplicated with the old passwords.
  Method: Go to Settings > Global Settings > Advanced to set the number of allowed repeated passwords.
  - On the Advanced tab page, set Password not Repeated Times to true to enable this feature. Default value: false.
  - On the Advanced tab page, enter a value for Password not Repeated Times. If the value is 3, the new password cannot be repeated with the last 3 old passwords you specified before. Default value: 5.
- Enable the password strength to set the length of passwords and to choose whether to enable the password combination policy of numeric, alphabetic, and special characters.
  Method: Go to Settings > Global Settings > Advanced to set the password strength.
  - On the Advanced tab page, set Password Strength to true to enable this feature. Default value: false.
  - On the Advanced tab page, set Password Strength to choose the length of passwords, and to choose whether to enable the password combination policy of numeric, alphabetic, and special characters. Default value: 8-32.
- With the switch for only one login session, you can decide whether to disable the multi-login session. After enabling the switch, only one user can log in to the Cloud, while the historical login sessions will be forced to log out.
  Method: Choose Settings > Global Settings > Advanced, locate Switch for Enable Unique Session, and enable or disable the switch as needed.
After you log in to the Cloud successfully for the first time, select Personal Center > Change Password at the upper right of the UI. Then, you can change your password.

UI Login via HTTPS

Default HTTPS Method

This section describes how to log in to the UI via HTTPS by using the default certificate.

In the management node, run the following command to stop the management node service:
```
zstack-ctl stop
```
In the management node, run the following command to configure the certificate:
```
openssl pkcs12 -in /usr/local/zstack/zstack-ui/ui.keystore.p12 -out /usr/local/zstack/zstack-ui/ui.keystore.pem -nodes
```
Note: During the configuration, you need to enter the default password: password.
Modify the zstack.properties configuration file to set the certificate path to an absolute path.
Go to /usr/local/zstack/apache-tomcat/webapps/zstack/WEB-INF/classes/zstack.properties and modify the zstack.properties configuration file to set the certificate path to an absolute path. Note that the absolute path points to the private key password file of the certificate.
```
consoleProxyCertFile = /usr/local/zstack/zstack-ui/ui.keystore.pem
```
Run the following command to configure the HTTPS login mode:
```
zstack-ctl config_ui --enable-ssl True
```
Run the following command to start the management node service:
```
zstack-ctl start
```

Custom HTTPS Method

This section describes how to log in to the UI via HTTPS by using a custom certificate.

Prepare a custom certificate. You can generate a signed certificate by using related tools, or purchase a certificate issued by CA. For example, you can use Keytool, a tool that manages Java data certificates, to generate a signed certificate by running the following command:
```
mkdir certs $JAVA_HOME/bin/keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore ./certs/keystore.p12 -validity 365
```
Note: By default, no environment variables are configured by Keytool. You need to add the JRE installation path to the $JRE_HOMNE variable. For example,
```
echo "export JAVA_HOME=/usr/local/jdk1.8.0_181" >> /etc/profile  source /etc/profile
```
In the management node, run the following command to stop the management node service:
```
zstack-ctl stop
```
In the management node, run the following command to configure the certificate:
```
openssl pkcs12 -in ./certs/keystore.p12 -out ui.keystore.pem -nodes
```
Note: During the configuration, you need to enter a password.
Modify the zstack.properties configuration file to set the certificate path to an absolute path.
Go to /usr/local/zstack/apache-tomcat/webapps/zstack/WEB-INF/classes/zstack.properties and modify the zstack.properties configuration file to set the certificate path to an absolute path. Note that the absolute path points to the private key password file of the certificate.
```
consoleProxyCertFile = /usr/local/zstack/zstack-ui/ui.keystore.pem
```

Run the following command to configure the HTTPS login mode:

zstack-ctl config_ui --enable-ssl True \ --ssl-keyalias=tomcat --ssl-keystore=/root/certs/keystore.p12 --ssl-keystore-type=PKCS12 \ --ssl-keystore-password=password --server-port=8888

Run the following command to start the management node service:
```
zstack-ctl start
```

HTTP Method

If you need to cancel the HTTPS method and restore the HTTP login method, follow these steps:

Run the following command to disable the HTTPS login:
```
zstack-ctl config_ui --enable-ssl False
```
Run the following command to restart the management node service:
```
zstack-ctl stop_ui zstack-ctl start_ui
```

Next Chapter:Resource Pool

Products

Solutions

Help & Support

Contact Us