BMC Atrium SSO 8.1

July 17, 2016 | Author: mrinalsinha08 | Category: N/A



BMC Software Confidential

BMC Atrium Single Sign-On 8.1

Home

Date:

16-Jan-2014 15:56

URL:

https://docs.bmc.com/docs/display/sso81/Home


Page 2 of 389


Table of Contents

1 Featured content ____ 12
2 About BMC Atrium Single Sign-On ____ 12
3 What's new ____ 12
  3.1 Version 8.1.00 ____ 14
    3.1.1 Redesigned user interface ____ 15
    3.1.2 Predefined authentication module ____ 15
    3.1.3 New utility to simplify BMC Atrium Single Sign-On and AR System integration ____ 15
    3.1.4 BMC Atrium Orchestrator Platform integration ____ 16
    3.1.5 Click jacking prevention ____ 16
  3.2 License entitlements ____ 16
  3.3 Service packs and patches ____ 17
    3.3.1 Patch 3 for version 8.1.00: 8.1.00.03 ____ 17
    3.3.2 Patch 2 for version 8.1.00: 8.1.00.02 ____ 18
    3.3.3 Patch 1 for version 8.1.00: 8.1.00.01 ____ 19
  3.4 Documentation updates after release ____ 20
    3.4.1 Added BMC Mobility integration documentation ____ 20
    3.4.2 Added BMC EUEM integration documentation ____ 20
4 Key concepts ____ 20
  4.1 BMC Atrium Single Sign-On architecture ____ 21
  4.2 BMC Atrium Single Sign-On and OpenAM ____ 22
    4.2.1 OpenAM technologies ____ 22
    4.2.2 Atrium Single Sign-On user console access ____ 23
  4.3 Administrator password ____ 23
  4.4 Default cookie domain ____ 23
  4.5 Log on and log off behavior ____ 24
  4.6 Certificates ____ 25
    4.6.1 Certificate Signing Request ____ 25
    4.6.2 New CA certificates ____ 26
    4.6.3 Related topics ____ 26
  4.7 Authentication chaining ____ 26
    4.7.1 Authentication chaining example ____ 27
  4.8 High Availability deployment ____ 28
  4.9 JEE filter-based agents ____ 29
5 Planning ____ 29
  5.1 Checking the compatibility matrix for system requirements and supported configurations ____ 30
    5.1.1 To access the compatibility matrixes ____ 30
  5.2 End-to-end BMC Atrium Single Sign-On procedure ____ 30
  5.3 BMC Atrium Single Sign-On using SAMLv2 deployment example ____ 31


    5.3.1 Business value ____ 32
    5.3.2 Federated authentication and SAML ____ 32
    5.3.3 Deployment architecture ____ 33
    5.3.4 Deployment model ____ 35
    5.3.5 Deployment tasks ____ 37
    5.3.6 Deployment parameters ____ 38
    5.3.7 Related topics ____ 40
6 Installing ____ 40
  6.1 Preparing for installation ____ 42
    6.1.1 Prerequisites for installation ____ 42
    6.1.2 Downloading the installation files ____ 44
  6.2 Installation options ____ 48
  6.3 Configuring Terminal Services and DEP parameters ____ 48
    6.3.1 To update Terminal Services configuration options for Windows Server 2008 ____ 48
  6.4 Installing BMC Atrium Single Sign-On as a standalone ____ 50
    6.4.1 Before you begin ____ 51
    6.4.2 To install BMC Atrium Single Sign-On as a standalone ____ 51
    6.4.3 Where to go from here ____ 54
  6.5 Installing BMC Atrium Single Sign-On as a High Availability cluster ____ 55
    6.5.1 HA prerequisites ____ 56
    6.5.2 HA pre-installation tasks ____ 56
    6.5.3 To install BMC Atrium Single Sign-On as an HA cluster ____ 56
    6.5.4 HA post-installation activities ____ 57
    6.5.5 Installing the first node for an HA cluster on a new Tomcat server ____ 57
    6.5.6 Installing additional nodes for an HA cluster on a new Tomcat server ____ 63
    6.5.7 Installing the first node for an HA cluster on an external Tomcat server ____ 68
    6.5.8 Installing additional nodes for an HA cluster on an external Tomcat server ____ 70
  6.6 Installing BMC Atrium Single Sign-On on an external Tomcat server ____ 72
    6.6.1 Before you begin ____ 73
    6.6.2 To install BMC Atrium Single Sign-On on an external Tomcat server ____ 73
    6.6.3 Where to go from here ____ 74
    6.6.4 Policy file additions for external Tomcat installations ____ 75
    6.6.5 JVM parameter additions for external Tomcat installations ____ 76
    6.6.6 Configuring an external Tomcat instance for FIPS-140 ____ 76
    6.6.7 Configuring a JVM for the Tomcat Server ____ 77
    6.6.8 Setting an HTTPS connection ____ 78
  6.7 Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier ____ 79
    6.7.1 Installing video ____ 80
    6.7.2 Overview of installation steps ____ 80
    6.7.3 Related topics ____ 81
    6.7.4 Installing BMC Atrium Single Sign-On ____ 81
    6.7.5 Installing or upgrading AR System server ____ 84
    6.7.6 Installing or upgrading BMC Remedy Mid Tier ____ 86


    6.7.7 Running the SSOARIntegration utility on the AR System server ____ 88
    6.7.8 Reviewing AR server external authentication settings and configuring group mapping ____ 91
    6.7.9 Running the SSOMidtierIntegration utility on the Mid Tier ____ 92
    6.7.10 Managing the AR System users and groups for authentication ____ 97
    6.7.11 Running a health check on the BMC Atrium Single Sign-On installation ____ 109
  6.8 Installing silently ____ 112
    6.8.1 Running the installer in silent mode ____ 114
    6.8.2 Uninstalling in silent mode ____ 114
    6.8.3 Example options.txt file ____ 114
  6.9 Uninstalling BMC Atrium Single Sign-On ____ 117
    6.9.1 Running the uninstaller on Windows ____ 117
    6.9.2 Running the uninstaller on Solaris or Linux ____ 117
    6.9.3 Invocation error during uninstallation ____ 118
7 Configuring after installation ____ 119
  7.1 To set up a method for authentication ____ 120
  7.2 SAMLv2 authentication ____ 121
  7.3 Predefined authentication module ____ 121
  7.4 User Profile panel ____ 122
  7.5 Authentication chaining ____ 122
  7.6 Authentication chaining flags ____ 122
  7.7 Where to go from here ____ 122
  7.8 Using AR for authentication ____ 122
    7.8.1 Before you begin ____ 123
    7.8.2 To configure an AR module ____ 123
    7.8.3 To configure an AR user store ____ 124
  7.9 Using CAC for authentication ____ 126
    7.9.1 CAC certificate usage ____ 126
    7.9.2 To set up CAC to use for authentication ____ 127
    7.9.3 Modify the Tomcat server ____ 127
    7.9.4 Import DoD CA certificates ____ 128
    7.9.5 To import certificates ____ 128
    7.9.6 Set up CAC certificates ____ 129
    7.9.7 If using OCSP, enable OCSP for the server ____ 131
    7.9.8 Where to go from here ____ 131
    7.9.9 Related topics ____ 132
  7.10 Using Kerberos for authentication ____ 132
    7.10.1 Configuring Kerberos video ____ 133
    7.10.2 Before you begin ____ 133
    7.10.3 To set up Kerberos to use for authentication ____ 133
    7.10.4 Where to go from here ____ 133
    7.10.5 Generating a keytab for the service principal and mapping the Kerberos service name ____ 134
    7.10.6 Configuring the Kerberos module ____ 136
    7.10.7 Reconfiguring your browser ____ 138


  7.11 Using LDAP (Active Directory) for authentication ____ 138
    7.11.1 Before you begin ____ 139
    7.11.2 To set up LDAP (AD) for authentication ____ 139
    7.11.3 LDAP (AD) parameters ____ 139
    7.11.4 Where to go from here ____ 141
  7.12 Using RSA SecurID for authentication ____ 141
    7.12.1 To configure the SecurID module ____ 141
    7.12.2 SecurID parameters ____ 142
    7.12.3 To modify the rsa_api.properties file ____ 142
    7.12.4 Where to go from here ____ 143
  7.13 Using SAMLv2 for authentication ____ 143
    7.13.1 Configuring SAML V2 video ____ 144
    7.13.2 SAMLv2 configuration options ____ 144
    7.13.3 SAMLv2 implementation ____ 144
    7.13.4 Typical SAMLv2 deployment ____ 145
    7.13.5 Typical SAMLv2 deployment architecture ____ 145
    7.13.6 Related topics ____ 146
    7.13.7 Configuring BMC Atrium Single Sign-On as an SP ____ 146
    7.13.8 Configuring BMC Atrium Single Sign-On as an IdP ____ 153
    7.13.9 Federating user accounts in bulk ____ 157
8 Upgrading ____ 165
  8.1 To upgrade BMC Atrium Single Sign-On ____ 166
  8.2 To upgrade BMC Atrium Single Sign-On in silent mode ____ 166
  8.3 Preparing to upgrade BMC Analytics for BSM ____ 166
    8.3.1 To remove the J2EE agent for BMC Analytics for BSM ____ 166
  8.4 Upgrading HA nodes ____ 167
    8.4.1 To upgrade HA nodes ____ 167
9 Integrating ____ 168
  9.1 Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 ____ 169
    9.1.1 Configuring external authentication for AR System integration ____ 170
    9.1.2 Installing BMC Atrium Single Sign-On for AR System integration ____ 171
    9.1.3 Configuring BMC Atrium Single Sign-On for integration ____ 173
    9.1.4 Manually configuring mid tier for BMC Atrium Single Sign-On user authentication ____ 176
    9.1.5 Configuring the BMC Atrium Single Sign-On server for AR System integration ____ 183
    9.1.6 Running a health check on the BMC Atrium Single Sign-On integration ____ 195
  9.2 Integrating BMC Dashboards for BSM ____ 198
    9.2.1 Before you begin ____ 198
    9.2.2 To integrate BMC Dashboards for BSM ____ 199
  9.3 Integrating BMC Analytics for BSM ____ 199
    9.3.1 Before you begin ____ 199
    9.3.2 To integrate BMC Analytics for BSM ____ 200
  9.4 Integrating BMC ProactiveNet ____ 200
    9.4.1 Before you begin ____ 200


    9.4.2 To integrate BMC ProactiveNet during installation ____ 201
    9.4.3 To integrate BMC ProactiveNet after installation ____ 201
    9.4.4 To define users and groups ____ 202
    9.4.5 To create new users ____ 202
    9.4.6 To assign users to user groups ____ 203
    9.4.7 To clean up Web Agent entries when the BMC ProactiveNet Server is uninstalled ____ 203
  9.5 Integrating BMC IT Business Management Suite ____ 204
    9.5.1 Before you begin ____ 204
    9.5.2 To integrate BMC IT Business Management Suite ____ 204
  9.6 Integrating BMC ITBM and WebSphere application server ____ 205
    9.6.1 Before you begin ____ 205
    9.6.2 To configure the WebSphere application server to work with the BMC Atrium Single Sign-On server ____ 205
  9.7 Integrating BMC Capacity Optimization ____ 207
    9.7.1 Before you begin ____ 208
    9.7.2 To integrate BMC Capacity Optimization ____ 208
  9.8 Integrating BMC Atrium Orchestrator Platform ____ 209
    9.8.1 Before you begin ____ 210
    9.8.2 BMC Atrium Orchestrator Platform installation worksheet ____ 210
    9.8.3 Where to go from here ____ 212
  9.9 Integrating BMC Real End User Experience Monitoring ____ 212
    9.9.1 Preparing BMC Atrium SSO server for integration ____ 212
    9.9.2 Preparing the Console component for the BMC Atrium SSO integration ____ 212
  9.10 Integrating BMC Mobility for ITSM 8.1.00 ____ 212
    9.10.1 Before you begin ____ 212
    9.10.2 Limitations ____ 213
    9.10.3 Integrating BMC Mobility to support SAML authentication ____ 213
    9.10.4 Related Topics ____ 214
10 Using ____ 214
  10.1 Navigating the interface ____ 215
    10.1.1 Editor options ____ 215
    10.1.2 Status panel ____ 215
    10.1.3 BMC Realm panel ____ 216
    10.1.4 Sessions panel ____ 216
    10.1.5 Realm Editor ____ 216
    10.1.6 Agent manager ____ 233
    10.1.7 HA Nodes manager ____ 234
    10.1.8 Server Configuration Editor ____ 237
  10.2 Managing keystores with a keytool utility ____ 239
    10.2.1 Creating new keystores ____ 240
    10.2.2 Using the keytool utility ____ 241
    10.2.3 Importing a certificate into the truststore ____ 243
    10.2.4 Generating and importing CA certificates ____ 245


    10.2.5 Generating self-signed certificates ____ 249
    10.2.6 Checking the truststore for certificates ____ 250
  10.3 Configuring FIPS-140 mode ____ 251
    10.3.1 Converting to FIPS-140 mode ____ 251
    10.3.2 Monitoring FIPS-140 and normal mode conversions ____ 256
    10.3.3 Changing FIPS-140 network ciphers ____ 257
    10.3.4 Converting from FIPS-140 to normal mode ____ 258
  10.4 Using an external LDAP user store ____ 260
    10.4.1 To create an external LDAP user store ____ 261
    10.4.2 To modify an existing external LDAP user store ____ 261
    10.4.3 LDAPv3 User Store parameters ____ 261
    10.4.4 General tab ____ 261
    10.4.5 Search tab ____ 262
11 Administering ____ 263
  11.1 Managing users ____ 264
    11.1.1 To access the User page ____ 265
    11.1.2 To add a new user ____ 265
    11.1.3 To search for users ____ 266
    11.1.4 To delete users ____ 266
    11.1.5 To modify user information ____ 266
    11.1.6 To enable or disable a user account ____ 266
    11.1.7 To add a group membership to a user account ____ 267
    11.1.8 To remove a group membership from a user account ____ 267
    11.1.9 To view user sessions ____ 267
    11.1.10 To terminate an active user session ____ 268
  11.2 Managing user groups ____ 268
    11.2.1 To access the Group page ____ 269
    11.2.2 To create a new group ____ 269
    11.2.3 To delete a group ____ 269
    11.2.4 To assign a group membership ____ 270
    11.2.5 To remove users from a group ____ 270
  11.3 Managing authentication modules ____ 271
    11.3.1 To manage authentication modules ____ 271
    11.3.2 To create a new module ____ 271
    11.3.3 To edit a module ____ 271
    11.3.4 To delete a module ____ 272
    11.3.5 To change the criteria for a module ____ 272
    11.3.6 To reorder the modules in a chain ____ 272
  11.4 Managing nodes in a cluster ____ 273
    11.4.1 To modify the server configuration on a node ____ 273
    11.4.2 To delete a node from the cluster ____ 273
    11.4.3 Resynchronizing nodes in a cluster ____ 273
    11.4.4 Starting nodes in a cluster ____ 274


    11.4.5 Stopping nodes in a cluster ____ 274
  11.5 Managing agents ____ 275
    11.5.1 To edit an agent account ____ 275
    11.5.2 To delete an agent account ____ 275
  11.6 Managing the server configuration ____ 276
    11.6.1 To modify the server configuration ____ 276
    11.6.2 Server configuration parameters ____ 276
    11.6.3 Server Configuration Editor parameters ____ 276
    11.6.4 HTTP Only and HTTPS Only ____ 277
    11.6.5 Session parameter defaults ____ 278
  11.7 Stopping and restarting the BMC Atrium Single Sign-On server ____ 279
    11.7.1 Stopping and restarting on Windows ____ 279
    11.7.2 Stopping and restarting on UNIX or Linux ____ 279
12 Troubleshooting ____ 279
  12.1 Collecting diagnostics ____ 281
    12.1.1 To run the support utility ____ 282
    12.1.2 Support utility location ____ 282
    12.1.3 Log file locations ____ 282
    12.1.4 Using BMC Atrium Single Sign-On for logging ____ 284
  12.2 Working with error messages ____ 285
  12.3 Logon and logoff issues ____ 316
    12.3.1 Automatic IdP logon behavior ____ 316
    12.3.2 URL re-direct issues ____ 316
  12.4 Upgrading from 7.6.04 to 8.1 silent installation issue ____ 317
    12.4.1 Upgrading without specifying the host name ____ 319
    12.4.2 Upgrading by re-defining the host name ____ 319
  12.5 Troubleshooting AR authentication ____ 320
    12.5.1 User has no profile in this organization ____ 320
    12.5.2 Error saving user or group edits ____ 321
    12.5.3 Error in SAML Authentication when Auto Federation is enabled ____ 321
  12.6 Troubleshooting AR System server and Mid Tier integrations ____ 321
    12.6.1 Manually running the SSOARIntegration utility on the AR System server ____ 321
    12.6.2 Manually running the SSOMidtierIntegration utility on the AR System server ____ 323
  12.7 Troubleshooting CAC authentication ____ 326
    12.7.1 Example of a default logging level error ____ 327
    12.7.2 Example of a debug log error when a certificate is not available ____ 327
    12.7.3 Changing the clientAuth setting ____ 328
    12.7.4 Turning on network debug logging ____ 328
    12.7.5 Example of a client not responding with a certificate ____ 329
    12.7.6 Example of a client sending a certificate ____ 329
    12.7.7 Example of a list of certificates sent to the client ____ 330
    12.7.8 Example of URL certificate authentication not enabled ____ 330
    12.7.9 Example of OCSP certificate failure ____ 331


    12.7.10 Clock skew too great for CAC authentication ____ 331
  12.8 Troubleshooting FIPS-140 conversion ____ 331
  12.9 Troubleshooting JEE agents ____ 331
    12.9.1 To remove a JEE agent from BMC Atrium Single Sign-On ____ 332
    12.9.2 To remove a JEE agent from WebSphere ____ 332
    12.9.3 To remove a JEE agent from Tomcat ____ 332
    12.9.4 To remove a JEE agent from JBoss or WebLogic ____ 333
  12.10 Troubleshooting Kerberos authentication ____ 333
    12.10.1 Invalid user name for Kerberos authentication ____ 334
    12.10.2 Invalid service principal name for Kerberos authentication ____ 334
    12.10.3 Invalid keytab index number for Kerberos authentication ____ 335
    12.10.4 Invalid password for Kerberos authentication ____ 335
    12.10.5 Incorrect server name for Kerberos authentication ____ 335
    12.10.6 Browser sending NTLM instead of Kerberos ____ 336
    12.10.7 Browser not correctly configured for Kerberos authentication ____ 337
    12.10.8 Clock skew too great for Kerberos authentication ____ 338
    12.10.9 Chained authentication failure in Microsoft Internet Explorer ____ 338
  12.11 Troubleshooting an external LDAP user store ____ 339
    12.11.1 No users in User tab ____ 339
    12.11.2 No groups in Group tab ____ 339
  12.12 Troubleshooting SAMLv2 ____ 340
    12.12.1 IdP metadata issues ____ 341
    12.12.2 SAMLv2 keystore issues ____ 341
    12.12.3 Metadata issues ____ 342
    12.12.4 Certificate issues ____ 342
  12.13 Troubleshooting redirect URLs ____ 343
    12.13.1 Modifying the load balancer (or reverse proxy) for redirect URLs ____ 343
    12.13.2 Using load balancer (or reverse proxy) host names for redirect URLs ____ 344
    12.13.3 Cookie name change for a HA node ____ 344
  12.14 Session sharing in HA mode issue ____ 345
    12.14.1 To configure point-to-point sessions sharing ____ 345
  12.15 Troubleshooting installation or upgrade issues ____ 346
  12.16 Resolving installation issues on LINUX operating system ____ 346
    12.16.1 Installation failure due to missing libraries ____ 346
    12.16.2 Installation failure due to low level of entropy ____ 346
13 Known and corrected issues ____ 347
  13.1 Installation and upgrade issues ____ 348
  13.2 Other issues ____ 350
14 Support information ____ 351
  14.1 Contacting Customer Support ____ 351
  14.2 Support status ____ 351
15 PDFs ____ 352
16 Tracking tools ____ 353


16.1 Comments dashboard  353
16.2 Pages without labels in this space  363
16.3 Technical Bulletin SW00448553  369
16.3.1 BMC Atrium Single Sign-On  369
16.3.2 Issue  369
16.3.3 Workaround procedure  369
16.3.4 Workaround scripts  370
16.3.5 Where to get the latest product information  372
16.4 Enabling multiple realms  372
16.4.1 Realm panel  373
16.4.2 To enable multiple realms  374
16.4.3 To create a new realm  374
16.5 Configuring multi-tenancy support  374
16.5.1 Configuring multi-tenancy support  375
16.6 Overview steps to install and configure HA Load-Balancing environment with SSO  378
16.7 Number of pages in space  383
16.8 Installing and managing certificates in BMC Atrium SSO  383
16.8.1 Installing certificates on a standalone server  383
16.8.2 Installing certificates in HA load balancing environment  383
16.8.3 Importing a certificate into keystore.p12  383
16.8.4 Importing a certificate into cacerts.p12  383
16.8.5 Finding intermediate CA  383
16.8.6 Importing certificate chains and intermediate certificates  383
16.9 Installing certificates after integration with other BMC products  383
17 Index  384


This space contains information about the BMC Atrium Single Sign-On 8.1 release.

1 Featured content

For information about Patch 1 for 8.1.00, see Patch 1 for version 8.1.00: 8.1.00.01 (see page 19).
For information about Patch 2 for 8.1.00, see Patch 2 for version 8.1.00: 8.1.00.02 (see page 18).
For information about Patch 3 for 8.1.00, see Patch 3 for version 8.1.00: 8.1.00.03 (see page 17).
With Patch 1 for 8.1.00, BMC Atrium Orchestrator Platform version 7.7.00 integrates with BMC Atrium Single Sign-On; see Integrating BMC Atrium Orchestrator Platform (see page 209) and the BMC Atrium Orchestrator Platform online documentation.
To understand the enhancements in this release, see Version 8.1.00.
To understand the key concepts associated with BMC Atrium Single Sign-On, see Key concepts (see page 20).
To review a high-level end-to-end procedure, see End-to-end BMC Atrium Single Sign-On process.
To review an end-to-end deployment example for BMC Remedy AR System and the mid tier using SAMLv2 authentication, see BMC Atrium Single Sign-On using SAMLv2 deployment example (see page 31).
To review an end-to-end deployment for BMC Remedy AR System and the mid tier using AR authentication, see Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79).

2 About BMC Atrium Single Sign-On

BMC Atrium Single Sign-On is an authentication system that supports many authentication protocols and provides single sign-on and single sign-off for users of BMC products. BMC Atrium Single Sign-On allows users to present credentials only once for authentication and subsequently be automatically authenticated by every BMC product that is integrated into the system. Using these authentication methods requires that you have previously installed the BMC Atrium Single Sign-On server and configured it with an authentication server such as LDAP, RSA SecurID, or others. Not only does BMC Atrium Single Sign-On support authentication with traditional systems such as LDAP or Active Directory, it also supports integration into existing single sign-on systems. BMC Atrium Single Sign-On is the central integration point that performs integration with the local enterprise systems.

3 What's new

This section provides information about what is new or changed in this space, including resolved issues, documentation updates, maintenance releases, service packs, and patches. It also provides license entitlement information for the release.


Tip To stay informed of changes to this space, place a watch on this page.

The following updates have been added since the release of the space:

Date: July 5, 2013
Title: Patch 3 for version 8.1.00: 8.1.00.03 (see page 17)
Summary: Patch 3 for version 8.1.00 provides the following updates:
- HTTP Only and HTTPS Only (see page 238): The Server Configuration Editor provides two new options, HTTP Only and HTTPS Only.
- Security tab: The Security tab provides the following features: Login Failure Lockout and Valid Forwarding Domains.
- UserId Format (see page 227): The Kerberos Editor provides a feature for modifying the UserId format.
- Starting with this release, BMC Atrium Single Sign-On provides protection against clickjacking by preventing its web pages from being embedded within another frame. Clickjacking is a technique for tricking a web user into clicking a web page link that potentially reveals confidential information or hands control of the user's computer to an attacker. When the user clicks what appears to be a known web page link, the user's information is revealed to the intruder.

Title: Patch 2 for version 8.1.00: 8.1.00.02 (see page 18)
Summary: Patch 2 for version 8.1.00 provides the following updates:

Title: Patch 1 for version 8.1.00: 8.1.00.01 (see page 19)
Summary: Patch 1 for version 8.1.00 provides fixes related to BMC Atrium Single Sign-On integration with BMC Atrium Orchestrator 7.7 and other BMC products.

Title: Version 8.1.00
Summary: Version 2013.02 provides the following features:
- Configuring BMC Atrium SSO in FIPS-140 Mode (see page 251)
- Redesigned user interface
- Predefined authentication module
- New utility to simplify BMC Atrium Single Sign-On and AR System integration
- BMC Atrium Orchestrator Platform integration


- To obtain a full space export of the BMC Atrium Single Sign-On documentation, see PDFs (see page 352).
- Three new videos from the February 14, 2013 BMC Software Webinars 2013 – Atrium Single Sign-On (Atrium SSO) are now available in the online documentation: Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79) provides a high-level overview as well as important tips; Using SAMLv2 for authentication describes how to configure SAML V2; Using Kerberos for authentication (see page 132) describes how to configure BMC Atrium SSO to leverage Kerberos.

3.1 Version 8.1.00

BMC Atrium Single Sign-On 8.1 includes the following enhancements:
- Redesigned user interface (see page 15)
- Predefined authentication module (see page 15)
- New utility to simplify BMC Atrium Single Sign-On and AR System integration (see page 15)
- BMC Atrium Orchestrator Platform integration (see page 16)
- Click jacking prevention (see page 16)

Tip For information about issues corrected in this release, see Known and corrected issues.


Version 8.1.00 was released shortly after version 8.0.00, a major release that contained significantly more enhancements. If you are considering an upgrade from a version prior to 8.0.00, you might be interested in seeing the enhancements listed in the documentation for version 8.0.00.

3.1.1 Redesigned user interface

BMC Atrium Single Sign-On 8.1 has a completely redesigned user interface. This redesign affects the majority of the BMC Atrium Single Sign-On documentation. The following image shows the BMC Atrium SSO Admin Console:

3.1.2 Predefined authentication module

To help with the configuration of BMC Atrium Single Sign-On, a predefined Internal LDAP authentication module is provided. This predefined authentication module allows you to quickly configure your system. The Internal LDAP authentication module uses the internal LDAP server as an authentication source in the authentication chain and does not have parameters to configure. For more information about the Internal LDAP module, see Configuring after installation.

3.1.3 New utility to simplify BMC Atrium Single Sign-On and AR System integration

BMC Remedy AR System 8.1 introduces a new utility that greatly simplifies the integration between BMC Atrium Single Sign-On and the AR System server and Mid Tier.


The Single Sign-On integration is now removed from the AR System installer. As a result, you no longer have to follow error-prone manual steps if you choose to integrate BMC Atrium Single Sign-On after you have installed the AR System server and Mid Tier. You use the same utility to integrate both the AR System server and the Mid Tier, with slightly different inputs. For more information, see Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79).

3.1.4 BMC Atrium Orchestrator Platform integration

With this release, BMC Atrium Orchestrator Platform 7.7 uses the BMC Atrium Single Sign-On 8.1.00 (Patch 1 or later) authentication system to provide single sign-on and single sign-off. For more information about BMC Atrium Orchestrator Platform 7.7, see the BMC Atrium Orchestrator Platform 7.7 online documentation. For more information about integrating BMC Atrium Orchestrator Platform 7.7 with BMC Atrium Single Sign-On, see Integrating BMC Atrium Orchestrator Platform (see page 209).

3.1.5 Click jacking prevention

With Patch 3 for version 8.1.00: 8.1.00.03 (see page 17), click jacking prevention is added.

3.2 License entitlements

This topic explains the entitlements that apply to licenses you purchase from BMC Software. For information about restrictions to those licenses, please see your Product Order Form.

Note You can download the components mentioned herein from the Electronic Product Distribution website. Use the same user name and password that you use to access the Customer Support website.

If you do not have a current license for the components you want, contact a BMC sales representative by calling 800 793 4262. If you cannot download the components, contact a sales representative and ask for a physical kit to be shipped to you.

BMC Atrium Single Sign-On is certified on the configurations explicitly stated in this document. Configurations not listed might still operate properly and so customers can choose to run in a configuration not listed as supported. Such configurations would be considered "unconfirmed". BMC will accept issues reported in unconfirmed configurations but we reserve the right to request customer assistance in problem determination, including recreating the problem on a supported configuration. Reported defects either found to be unique to an unconfirmed configuration or not reproducible within a supported environment will be addressed at the discretion of BMC. Defects requiring time and resources beyond commercially reasonable effort might not be addressed. If a configuration is found to be incompatible with BMC Atrium Single Sign-On, support for that configuration will be specifically documented as not supported (or unsupported). Visit the Customization Policy under the Support Contacts & Policies link on the BMC support website.

3.3 Service packs and patches

This section contains information about service packs and patches for BMC Atrium Single Sign-On.
- Patch 3 for version 8.1.00: 8.1.00.03 (see page 17)
- Patch 2 for version 8.1.00: 8.1.00.02 (see page 18)
- Patch 1 for version 8.1.00: 8.1.00.01 (see page 19)

3.3.1 Patch 3 for version 8.1.00: 8.1.00.03

This topic contains information about fixes in BMC Atrium Single Sign-On 8.1.00 Patch 3 (8.1.00.03) and provides instructions for downloading and installing the patch. It is organized as follows:
- Corrected issues (see page 17)
- Installing the patch (see page 17)

Note BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single Sign-On 8.1.00 Patch 1 or later.

Corrected issues

To learn about issues corrected in Patch 3 (8.1.00.03), see Known and Corrected issues. Click the Corrected in column heading to sort the table by version. Patch 3 also includes the fixes from Patch 2 and Patch 1 for version 8.1.00.

Installing the patch

Patch 3 for BMC Atrium Single Sign-On 8.1.00 (8.1.00.03) is a full installation. You can download the 8.1.00.03 installation files from the Licensed Products tab on the BMC Electronic Product Distribution (EPD) site and perform your normal installation. For instructions about downloading the files that you need for installation, see Downloading the installation files (see page 44).

Recommendation Back up BMC Atrium Single Sign-On before proceeding with the patch installation.


To install BMC Atrium Single Sign-On 8.1.00 Patch 3, see Installing (see page 40). To perform a silent installation, see Installing silently (see page 112). To upgrade to BMC Atrium Single Sign-On 8.1.00 Patch 3 from an earlier version (8.1.00 or 8.1.00.01 or 8.1.00.02), see Upgrading.

3.3.2 Patch 2 for version 8.1.00: 8.1.00.02

This topic contains information about fixes in BMC Atrium Single Sign-On 8.1.00 Patch 2 (8.1.00.02), and provides instructions for downloading and installing the patch. It is organized as follows:

Note BMC Atrium Single Sign-On 8.1.00 Patch 2 (8.1.00.02) has been replaced with Patch 3 (8.1.00.03) and can no longer be downloaded from the BMC Electronic Product Distribution (EPD) site. Patch 3 is a full installation and includes the fixes that were available in Patch 1 (8.1.00.01) and Patch 2 (8.1.00.02). For information about downloading and installing BMC Atrium Single Sign-On 8.1.00 Patch 3, see Patch 3 for version 8.1.00: 8.1.00.03 (see page 17).

- Corrected issues (see page 18)
- Installing the patch (see page 18)

Note BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single Sign-On 8.1.00 Patch 1 or later.

Corrected issues

To learn about the issues corrected in Patch 2 (8.1.00.02), see Known and corrected issues. Click the Corrected in column heading to sort the table by version.

Installing the patch

BMC Atrium Single Sign-On Patch 2 features are included in the BMC Atrium Single Sign-On Patch 3 installation. You can download the 8.1.00.03 installation files from the Licensed Products tab on the BMC Electronic Product Distribution (EPD) site and perform your normal installation. For instructions about downloading the files that you need for installation, see Downloading the installation files (see page 44).

Recommendation Back up BMC Atrium Single Sign-On before proceeding with the patch installation.


To install BMC Atrium Single Sign-On 8.1, see Installing (see page 40). To perform a silent installation, see Installing silently (see page 112). To upgrade to BMC Atrium Single Sign-On 8.1.00 Patch 2 from an earlier version (8.1.00 or 8.1.00.01), see Upgrading.

3.3.3 Patch 1 for version 8.1.00: 8.1.00.01

This topic contains information about fixes in BMC Atrium Single Sign-On 8.1.00 Patch 1 (8.1.00.01), and provides instructions for downloading and installing the patch.

Note BMC Atrium Single Sign-On 8.1.00 Patch 1 (8.1.00.01) has been replaced with Patch 3 (8.1.00.03) and can no longer be downloaded from the BMC Electronic Product Distribution (EPD) site. Patch 3 is a full installation and includes the fixes that were available in Patch 1 (8.1.00.01). For information about downloading and installing BMC Atrium Single Sign-On 8.1.00 Patch 3, see Patch 3 for version 8.1.00: 8.1.00.03 (see page 17).

The following topics are provided:
- Corrected issues (see page 19)
- Installing the patch (see page 19)

Note BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single Sign-On 8.1 Patch 1 or later.

Corrected issues

To learn about the issues corrected in Patch 1 (8.1.00.01), see Known and corrected issues. Click the Corrected in column heading to sort the table by version.

Installing the patch

BMC Atrium Single Sign-On Patch 1 features are included in the BMC Atrium Single Sign-On Patch 3 installation. You can download the 8.1.00.03 installation files from the Licensed Products tab on the BMC Electronic Product Distribution (EPD) site and perform your normal installation. For instructions about downloading the files that you need for installation, see Downloading the installation files (see page 44).

Recommendation Back up BMC Atrium Single Sign-On before proceeding with the patch installation.

To install BMC Atrium Single Sign-On 8.1, see Installing (see page 40). To perform a silent installation, see Installing silently (see page 112).

3.4 Documentation updates after release

This topic contains information about documentation updates for BMC Atrium Single Sign-On that are not related to urgent issues, maintenance releases, service packs, or patches. These updates are added to the documentation independent of any specific release.
- Added BMC Mobility integration documentation (see page 20)
- Added BMC EUEM integration documentation (see page 20)

3.4.1 Added BMC Mobility integration documentation

You can integrate BMC Atrium Single Sign-On with BMC Mobility to support Security Assertion Markup Language (SAML). The typical process for integrating BMC Atrium Single Sign-On with BMC Remedy IT Service Management (ITSM) is to install BMC Atrium Single Sign-On, install BMC Remedy ITSM, and then integrate Atrium SSO with ITSM. For more information, see Integrating BMC Mobility for ITSM 8.1.00 (see page 212).

3.4.2 Added BMC EUEM integration documentation

BMC Real End User Experience Monitoring (EUEM) uses the BMC Atrium Single Sign-On (SSO) authentication system to provide single sign-on and single sign-off. BMC Atrium Single Sign-On allows users to present credentials only once for authentication and subsequently be automatically authenticated by every BMC product that is integrated into the system. For more information, see Integrating BMC Real End User Experience Monitoring (see page 212).

4 Key concepts

BMC contributors content: For additional information, you can also refer to the following webinar conducted by BMC Support. You can also connect with other users for related discussions on the BMC Community.

Use this section to get high-level conceptual knowledge that helps you to use the BMC Atrium Single Sign-On product. The following topics provide key conceptual information about BMC Atrium Single Sign-On:
- BMC Atrium Single Sign-On architecture
- BMC Atrium Single Sign-On and OpenAM (see page 22)
- Administrator password
- Default cookie domain
- Log on and log off behavior (see page 24)
- Certificates
- Authentication chaining
- High Availability deployment
- JEE filter-based agents

4.1 BMC Atrium Single Sign-On architecture

The benefit to BMC products that offer BMC Atrium Single Sign-On as an authentication option is that all of the authentication protocols supported by BMC Atrium Single Sign-On are available to the product, and any new protocols added later become available without any product changes. The BMC Atrium Single Sign-On server and agents provide the needed integration into these systems, so a product does not need any adjustments. The following diagram shows a high-level implementation of BMC Atrium Single Sign-On integration with BMC Dashboards for BSM, BMC Analytics for BSM, and BMC Remedy IT Service Management.

BMC Atrium Single Sign-On integration with BMC products


4.2 BMC Atrium Single Sign-On and OpenAM

BMC Atrium Single Sign-On is built on the open source project OpenAM. This project has a long history of providing authentication and authorization across many different platforms by using many authentication techniques. BMC Atrium Single Sign-On provides a simplified, turnkey system that applies OpenAM technology to BMC products. Configuration of the servers and agents is automated as much as possible, allowing for easy adoption.
- OpenAM technologies (see page 22)
- Atrium Single Sign-On user console access (see page 23)

4.2.1 OpenAM technologies

BMC Atrium Single Sign-On uses the subset of the technologies within the OpenAM project that BMC products require. The current OpenAM technologies certified for BMC Atrium Single Sign-On include:
- Authentication schemes: Internal, LDAP, BMC Remedy Action Request (AR) System, Active Directory, RSA SecurID, Common Access Cards (CAC), ActivIdentity-based, Kerberos, and SAMLv2
- Authentication chaining
- Groups

Important BMC Atrium Single Sign-On is certified on the configurations explicitly stated in this document. Reported defects either found to be unique to an unconfirmed configuration or not reproducible within a supported environment are addressed at the discretion of BMC. Visit the Customization Policy under the Support Contacts & Policies link on the BMC support website.

4.2.2 Atrium Single Sign-On user console access

The user console is accessed through the following URL, where <server> and <port> are the host name and port of the BMC Atrium Single Sign-On server: https://<server>:<port>/atriumsso/UI/Login?realm=BmcRealm

This URL can be used to verify the authentication module configuration. You do not need to rely on an installed and configured BMC application to initiate login in order to test the configuration of authentication modules.

4.3 Administrator password

The administrator password is used to access BMC Atrium Single Sign-On through a browser. This access allows user accounts to be created and enables other authentication algorithms. The administrator password is also used when integrating application servers that have deployed the BMC Atrium Single Sign-On Web agent with BMC Atrium Single Sign-On.

4.4 Default cookie domain

The default cookie domain value is the network domain of the computer you are installing the server on. The default cookie domain specifies the most restrictive access. This value is used to control cookie visibility between servers within the domain. By removing domain elements (lowest sub-domain first), the cookie becomes visible to servers outside of the BMC Atrium Single Sign-On domain. For example, changing the domain adprod.bmc.com to bmc.com gives all of the servers within the bmc.com domain access to the cookies stored by the server in a user's browser. The danger of increasing the cookie visibility is illustrated when the value is changed to com, giving all servers in the internet com domain access to the cookie.

Note You cannot use sibling domains or cross-domains with BMC Atrium Single Sign-On. For example, installing the BMC Atrium Single Sign-On server in the remedy.com domain and the AR System server in the bmc.com domain is not supported. You must move all your computers into the same domain.
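The cookie scoping rule described above, as an added example that is not part of the BMC documentation or product: the script models which hosts a browser returns a cookie to for a given Domain value, following the domain-matching rule of RFC 6265, and flags values that are too broad or that do not cover the server itself. The last helper shows why the sibling-domain layout in the note cannot work: the only domain shared by remedy.com and bmc.com is the public suffix com. The host names, the small public-suffix sample and the verdict wording are assumptions constructed for the example.

```python
"""Cookie Domain scoping check for an SSO session cookie.

Added example, not part of the BMC documentation or product. It applies
the domain-matching rule of RFC 6265 (section 5.1.3): a cookie set with
Domain=D is sent to host H when H equals D or H ends with "." + D.
Browsers also refuse a Domain that does not cover the requesting host
or that is a public suffix such as "com". Host names and the
public-suffix sample below are constructed for the example.
"""
from typing import List, Optional

# Constructed sample; a real check would consult the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed hosts: an SSO server, one product in the same sub-domain,
# two in the parent domain and one unrelated .com site.
SAMPLE_HOSTS = [
    "sso.adprod.bmc.com",
    "midtier.adprod.bmc.com",
    "arsystem.bmc.com",
    "dashboards.bmc.com",
    "unrelated.example.com",
]


def _norm(name: str) -> str:
    return name.lower().strip(".")


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: the host is the domain or a sub-domain of it."""
    host, dom = _norm(request_host), _norm(cookie_domain)
    return host == dom or host.endswith("." + dom)


def hosts_receiving_cookie(cookie_domain: str, hosts: List[str]) -> List[str]:
    """Hosts that would receive the session cookie for this Domain value."""
    return [h for h in hosts if domain_matches(h, cookie_domain)]


def classify_cookie_domain(cookie_domain: str, sso_host: str) -> str:
    """Verdict on a proposed cookie domain, seen from the SSO server."""
    dom = _norm(cookie_domain)
    if dom in PUBLIC_SUFFIXES:
        return ("reject: public suffix, every site under it would see the "
                "session cookie (RFC 6265 browsers refuse such a Domain)")
    if not domain_matches(sso_host, dom):
        return "reject: the SSO server is not inside this domain, browsers drop the cookie"
    if dom == _norm(sso_host):
        return "ok: host-only, the most restrictive setting"
    return "review: every host under " + dom + " receives the session cookie"


def common_cookie_domain(host_a: str, host_b: str) -> Optional[str]:
    """Narrowest domain covering both hosts, or None if only a public suffix does.

    None is the sibling-domain case from the note above (remedy.com vs bmc.com).
    """
    labels_a = _norm(host_a).split(".")[::-1]
    labels_b = _norm(host_b).split(".")[::-1]
    shared = []
    for x, y in zip(labels_a, labels_b):
        if x != y:
            break
        shared.append(x)
    dom = ".".join(reversed(shared))
    if not dom or dom in PUBLIC_SUFFIXES:
        return None
    return dom


if __name__ == "__main__":
    sso = "sso.adprod.bmc.com"
    for candidate in ("sso.adprod.bmc.com", "adprod.bmc.com", "bmc.com", "com"):
        print(f"Domain={candidate}: {classify_cookie_domain(candidate, sso)}")
        print("  reaches:", hosts_receiving_cookie(candidate, SAMPLE_HOSTS))
    print("remedy.com vs bmc.com ->", common_cookie_domain("sso.remedy.com", "ar.bmc.com"))
```

Running the script walks the same widening sequence as the text (host, adprod.bmc.com, bmc.com, com) and prints, for each, which of the sample hosts would receive the cookie.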

4.5 Log on and log off behavior

When using a single sign-on system, the normal authentication behavior is altered. Logging on when you start a product is performed automatically when a second product is started. This change happens without any user involvement. When you log off, you are logged off of all BMC Atrium Single Sign-On integrated products. If you want to continue working with other BMC products:
- Quit the product instead of logging out of BMC Atrium Single Sign-On.
- If the product supports application-only log off, log off the application and close the browser.

Important When quitting a product, the normal behavior is to log off and then quit. This process results in termination of all the product connections. If you want to continue working with other BMC products, quit the product that you are finished with, but only log off from the last product.

With web applications, the BMC Atrium Single Sign-On authentication status is maintained through sessions within the web browsers. When web applications share the same browser session, the authentication state with BMC Atrium Single Sign-On is shared by these applications. To use a different login ID without logging off BMC Atrium Single Sign-On, you must start a new session in the web browser. The following table summarizes how to share current sessions and how to create new sessions with the browsers supported by BMC Atrium Single Sign-On.

Session behavior in supported browsers

Browser             | Share Session                                                                              | New Session
Firefox 4           | New tab, Ctrl-N for new window, or launch from Start menu or shortcut                      | Use Private Browsing
Internet Explorer 7 | New tab or Ctrl-N to create a new window                                                   | Launch new browser using Start menu or shortcut
Internet Explorer 8 | New tab, Ctrl-N to create a new window, or launch new browser from Start menu or short-cut | Use New Session in File menu
Internet Explorer 9 | New tab, Ctrl-N to create a new window, or launch new browser from Start menu or short-cut | Use New Session in File menu

When BMC products launch a new application, the applications use the process needed to ensure a shared session and a seamless experience.

4.6 Certificates

The default Tomcat server used by BMC Atrium Single Sign-On uses a keystore and a truststore for secure (HTTPS/TLS/SSL) communications. These communications occur in the following situations:
- when the admin console is accessed
- when users log in to or log out of the system
- when an external LDAP server is accessed with TLS/SSL
- when SAMLv2 metadata is exchanged
- when users authenticate with a Common Access Card (CAC)

The keystore contains the information used to identify the BMC Atrium Single Sign-On server to remote servers and users. The truststore holds the certificates of remote servers, users and signing authorities that are to be trusted by the BMC Atrium Single Sign-On server. These files are stored in the following directory:
/BMC Software/AtriumSSO/tomcat/conf

The initial keystore created during the installation uses a self-signed certificate. This certificate causes browsers and other programs to warn users about the insecure nature of the certificate each time the user authenticates. This certificate warning can be prevented by doing one of the following:
- Permanently importing the self-signed certificate into the user's truststore.
- Obtaining and importing a signed identity certificate from a trusted Certificate Authority (CA). The CA vouches for the authenticity of the server's identity when the user visits BMC Atrium Single Sign-On for authentication. In this case, the user has an established trust relationship with the CA, and this relationship is extended to BMC Atrium Single Sign-On after a digitally signed identity certificate is imported.

4.6.1 Certificate Signing Request

A CA-signed certificate is obtained by generating a Certificate Signing Request (CSR): The output from the command must be sent to the CA for a digital signature. After the signed identity certificate is returned, the next step is to import the signed identity certificate into the keystore, where it replaces the current self-signed certificate.


The keytool utility is used to obtain a CSR, to obtain a signed certificate, and to import the signed certificate in order to replace the self-signed certificate. This tool is available with Oracle JDKs and BMC Atrium Single Sign-On.

Note When importing the newly signed certificates, you must first import the CA root certificates and intermediate certificates, if required.

4.6.2 New CA certificates

Adding another CA certificate is necessary when:
- CAC authentication is used
- LDAP is used with SSL/TLS
- the Department of Defense (DoD) issues new CA certificates
- the CA certificates used to create the signed certificate for the BMC Atrium Single Sign-On server are not already in the truststore

The keytool utility is used to import a new CA certificate into the BMC Atrium Single Sign-On truststore.
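The import-order requirement from the note above (CA root and intermediate certificates before the signed identity certificate) and the "CA certificates not already in the truststore" case, as an added example that is not BMC code: the script walks the issuer links of a certificate chain, distinguishes the installer's self-signed certificate from a CA-signed one, and lists which CA certificates are still missing from the truststore, root first, which is the order in which keytool must import them. It works on the name layout Python's ssl.getpeercert() returns and does not verify signatures; the certificates, the CN values and the truststore contents are constructed samples.

```python
"""Certificate chain ordering for the keystore/truststore import.

Added example, not part of the BMC documentation or product. It uses the
name layout returned by ssl.SSLSocket.getpeercert(): 'subject' and
'issuer' are tuples of RDNs, each RDN a tuple of (attribute, value)
pairs. Only issuer/subject links are followed; signatures are not
verified. All certificates below are constructed samples with
placeholder CN values.
"""
from typing import Dict, List, Optional, Sequence, Set

Cert = Dict[str, tuple]


def _name(cn: str, org: str = "Example Corp") -> tuple:
    """Build a getpeercert()-style distinguished name (constructed helper)."""
    return ((("organizationName", org),), (("commonName", cn),))


# Constructed chain: root CA -> issuing (intermediate) CA -> SSO server.
ROOT_CA: Cert = {"subject": _name("Example Root CA"), "issuer": _name("Example Root CA")}
ISSUING_CA: Cert = {"subject": _name("Example Issuing CA 1"), "issuer": _name("Example Root CA")}
SIGNED_SERVER: Cert = {"subject": _name("sso.example.com"), "issuer": _name("Example Issuing CA 1")}
# What the installer creates initially: the certificate is its own issuer.
INSTALL_DEFAULT: Cert = {"subject": _name("sso.example.com"), "issuer": _name("sso.example.com")}


def common_name(name: tuple) -> str:
    """Extract the commonName attribute from a distinguished name."""
    for rdn in name:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    raise ValueError("distinguished name has no commonName")


def is_self_signed(cert: Cert) -> bool:
    """True for the installer's default certificate (subject == issuer)."""
    return cert["subject"] == cert["issuer"]


def order_chain(leaf: Cert, pool: Sequence[Cert]) -> List[Cert]:
    """Return [leaf, intermediates..., root] by following issuer links.

    Raises LookupError when an issuer is not in the pool, which is the
    'finding intermediate CA' situation an administrator has to resolve.
    """
    by_subject = {c["subject"]: c for c in pool}
    chain = [leaf]
    seen = {leaf["subject"]}
    current = leaf
    while not is_self_signed(current):
        issuer = by_subject.get(current["issuer"])
        if issuer is None:
            raise LookupError("missing issuer certificate: " + common_name(current["issuer"]))
        if issuer["subject"] in seen:
            raise ValueError("issuer loop in certificate chain")
        chain.append(issuer)
        seen.add(issuer["subject"])
        current = issuer
    return chain


def missing_issuer(leaf: Cert, pool: Sequence[Cert]) -> Optional[str]:
    """CN of the first issuer that cannot be found, or None if the chain is complete."""
    try:
        order_chain(leaf, pool)
        return None
    except LookupError as exc:
        return str(exc).split(": ", 1)[1]


def import_plan(leaf: Cert, pool: Sequence[Cert], truststore_cns: Set[str]) -> List[str]:
    """CA certificates to import into the truststore, root first, before the leaf."""
    chain = order_chain(leaf, pool)
    cas_root_first = reversed(chain[1:])
    return [common_name(c["subject"]) for c in cas_root_first
            if common_name(c["subject"]) not in truststore_cns]


if __name__ == "__main__":
    print("installer default self-signed:", is_self_signed(INSTALL_DEFAULT))
    print("import before the signed cert:", import_plan(SIGNED_SERVER, [ROOT_CA, ISSUING_CA], set()))
    print("with root already trusted:    ", import_plan(SIGNED_SERVER, [ROOT_CA, ISSUING_CA], {"Example Root CA"}))
    print("intermediate not supplied:    ", missing_issuer(SIGNED_SERVER, [ROOT_CA]))
```

The returned list is the order in which the keytool imports have to happen: each CA certificate is imported into the truststore before the certificate it signed, and the signed identity certificate goes into the keystore last.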

4.6.3 Related topics

- Managing keystores with a keytool utility (see page 239)
- Generating self-signed certificates (see page 249)

4.7 Authentication chaining

An Authentication Chain is the object BMC Atrium Single Sign-On uses to specify how authentication is performed. A chain can be a single authentication module or a combination of multiple authentication modules. Chaining allows different modules to act as a single authority. In its simplest form, an authentication chain consists of only a single authentication module. A chain can also be a complex combination of multiple authentication modules joined to validate the credentials that are used to authenticate a user. Through chaining, different modules can be merged to appear as a single authority. For example, if two organizations merge to form a new, single organization, then the authentication system from each organization could be used as a module within a single chain. The effect of combining these modules into this single chain is that the users only provide credentials to a single authority. The chain can be configured to check each of the modules until the user is authenticated.


This chaining creates the perception of a merged authority despite the reality of the multiple, disparate systems that are actually employed. Authentication chains allow a combination of authentication modules to process authentication requests. One of the best uses for combining modules is to merge different authentication schemes to appear as a single authentication scheme. For example, when two departments have their own LDAP servers, these two servers could be put into a single chain and users would appear to validate against a single authority. The processing of the chain to determine the overall status of authentication is controlled by the criteria specified for each of the modules in the chain. The following figure illustrates authentication chaining where authentication modules are tried in an ordered sequence.

4.7.1 Authentication chaining example

The overall status is successful if all of the Required and Requisite modules pass before either the end of the chain or the first successful Sufficient module. When there are no Required or Requisite modules, at least one Sufficient or Optional module must authenticate the user. See Managing authentication modules (see page 271).

In the chaining process for the above example illustration, three LDAP servers combined into a single authority are processed as follows:

1. Check with LDAP A. Pass: stop processing and accept the user. Fail: proceed to the next module.
2. Check with LDAP B. Pass: stop processing and accept the user. Fail: proceed to the next module.
3. Check with LDAP C. Pass: stop processing and accept the user. Fail: stop processing and reject the user.

With this configuration, the user's credentials are first presented to the first LDAP server. If that authentication succeeds, processing stops and the user is authenticated. If the first LDAP server does not authenticate the user (for example, because the account is not in that directory), the same credentials are passed to the second LDAP server. Each server is checked in the sequence specified until either the user passes and is considered successfully authenticated, or the user fails against every server and is rejected.
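How the chain above is evaluated, as an added example rather than code from the product: a Python model of the chain rule using the JAAS-style control flags (Required, Requisite, Sufficient, Optional) that OpenAM, the engine underneath BMC Atrium Single Sign-On, applies to its authentication chains. The directories, user names and passwords are constructed stand-ins for LDAP binds. The model reproduces the three-LDAP chain and also goes beyond it to show a pitfall that follows directly from the rule: a Requisite pre-check placed in front of an all-Sufficient chain authenticates a user that no directory accepted, and the usual fix is to make the last directory Required.

```python
"""Model of authentication-chain evaluation with JAAS-style control flags (added example)."""
from enum import Enum


class Flag(Enum):
    REQUIRED = "required"      # must pass; a failure is remembered, but later modules still run
    REQUISITE = "requisite"    # must pass; a failure stops the chain at once
    SUFFICIENT = "sufficient"  # a pass ends the chain with success, unless a Required/Requisite module failed
    OPTIONAL = "optional"      # counts only when the chain has no Required or Requisite modules


def evaluate_chain(chain, credentials):
    """Run the chain in order and return (authenticated, trace).

    chain: list of (module_name, Flag, authenticate) with authenticate(credentials) -> bool.
    trace: (module_name, flag, result) for every module that was actually consulted.
    """
    trace = []
    required_seen = False
    required_failed = False
    optional_passed = False

    for name, flag, authenticate in chain:
        passed = bool(authenticate(credentials))
        trace.append((name, flag.value, passed))

        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            required_seen = True
            if not passed:
                required_failed = True
                if flag is Flag.REQUISITE:
                    break                      # stop processing immediately
        elif flag is Flag.SUFFICIENT:
            if passed and not required_failed:
                return True, trace             # stop processing and accept the user
        elif passed:                           # OPTIONAL
            optional_passed = True

    if required_seen:
        return not required_failed, trace      # every Required/Requisite module must have passed
    # No Required/Requisite modules: a passing Sufficient module would have returned above,
    # so only a passing Optional module can still authenticate the user.
    return optional_passed, trace


def ldap_directory(accounts):
    """Constructed stand-in for an LDAP module: the 'bind' succeeds only for a known user/password."""
    def authenticate(credentials):
        return accounts.get(credentials["user"]) == credentials["password"]
    return authenticate


# Constructed directories for the page's LDAP A / B / C example.
LDAP_A = ldap_directory({"alice": "pw-a"})
LDAP_B = ldap_directory({"bob": "pw-b"})
LDAP_C = ldap_directory({"carol": "pw-c"})

# The page's chain: every server is Sufficient, so the first server accepting the credentials wins.
MERGED_AUTHORITY = [
    ("LDAP A", Flag.SUFFICIENT, LDAP_A),
    ("LDAP B", Flag.SUFFICIENT, LDAP_B),
    ("LDAP C", Flag.SUFFICIENT, LDAP_C),
]


def not_disabled(credentials):
    """Hypothetical pre-check module (a disabled-account list); constructed for the example."""
    return credentials["user"] not in {"mallory"}


# Pitfall: a Requisite pre-check in front of the all-Sufficient chain. The chain succeeds when every
# Required/Requisite module passed and the end of the chain is reached, so a user that no directory
# accepts is still authenticated once the pre-check passes.
GATED_WRONG = [("disabled-account check", Flag.REQUISITE, not_disabled)] + MERGED_AUTHORITY

# Fix: make the last directory Required. Reaching the end of the chain without any directory
# accepting the credentials now fails, while an earlier Sufficient pass still ends the chain early.
GATED = [
    ("disabled-account check", Flag.REQUISITE, not_disabled),
    ("LDAP A", Flag.SUFFICIENT, LDAP_A),
    ("LDAP B", Flag.SUFFICIENT, LDAP_B),
    ("LDAP C", Flag.REQUIRED, LDAP_C),
]


if __name__ == "__main__":
    for user, password in (("alice", "pw-a"), ("carol", "pw-c"), ("dave", "x"), ("mallory", "pw")):
        for label, chain in (("wrong", GATED_WRONG), ("fixed", GATED)):
            ok, trace = evaluate_chain(chain, {"user": user, "password": password})
            print(f"{label:5} {user:8} -> {'accepted' if ok else 'rejected'} via {[t[0] for t in trace]}")
```

Two consequences of the all-Sufficient layout are worth keeping in mind when you chain directories: the same credentials are tried against each directory in turn, so a mistyped password counts as a failed attempt in every directory that is consulted and can trip lockout policies in all of them; and because the first directory that accepts wins, the effective password policy is that of the weakest directory in the chain.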

4.8 High Availability deployment

The following figure shows a typical deployment of BMC Atrium Single Sign-On operating in a High Availability (HA) environment. Two BMC Atrium Single Sign-On servers are installed to form a cluster. A load balancer is used as a front end to the cluster, giving external applications the appearance of a single server. The load balancer distributes requests among the BMC Atrium Single Sign-On servers; in the event of a system failure, it redirects requests to the remaining servers. When operating as a cluster, BMC Atrium Single Sign-On functions as a single virtual server, so certain configuration information is shared between nodes: when one node is configured, the other nodes have the same information. The following information is global to all nodes in the cluster:
Administrative accounts
Authentication
User profiles
Data stores
User accounts (internal LDAP)

Typical HA deployment

When configured, BMC Atrium Single Sign-On server nodes communicate with each other through the LDAP and HTTPS ports. These ports are specified during installation. The following figure shows the communication between the nodes and the load balancer.

Communication between BMC Atrium Single Sign-On nodes and a load balancer

4.9 JEE filter-based agents

With this release of BMC Atrium Single Sign-On, a lightweight agent is available for use by BMC applications. This section describes how configuration items apply to this newer agent. In addition to functioning as the central server, BMC Atrium Single Sign-On uses agents that are integrated into each of the BMC products. These agents perform the following functions:
Accessing authentication services
Coordinating with the server to authenticate users
Validating existing authentications
For more information about agent configuration parameters, see Agent manager.

5 Planning The following topics provide information and instructions for planning a BMC Atrium Single Sign-On installation and configuration:


Note All products that run in BMC Remedy AR System support BMC Atrium Single Sign-On including AR System Mid-tier products (BMC Remedy ITSM, BMC Atrium Core, BMC Atrium CMDB, and so on), BMC Atrium Dashboard and Analytics, BMC IT Business Management Suite, BMC ProActive Performance Management (version 9.0), and BMC Capacity Optimization.

Checking the compatibility matrix for system requirements and supported configurations
End-to-end BMC Atrium Single Sign-On process
BMC Atrium Single Sign-On using SAMLv2 deployment example (see page 31)

5.1 Checking the compatibility matrix for system requirements and supported configurations

Consult the BMC Remedy and BMC Atrium product compatibility information for the 8.0 system configuration details.

5.1.1 To access the compatibility matrixes

1. Navigate to http://www.bmc.com/support/product-availability-compatibility.
2. Click BMC Solution and Product Availability and Compatibility Utility.
3. In the Product Name field, enter the product name, for example: BMC Atrium CMDB Enterprise Manager or BMC Atrium CMDB Suite.
4. In the Product Version field, enter the version number.
5. In the Select Component field, enter BMC Atrium Single Sign-On.
6. Review the compatibility information listed in the tabs at the bottom of the page.

Note To access the product compatibility information on the Customer Support website, you must have a Support login.

5.2 End-to-end BMC Atrium Single Sign-On procedure This topic provides a high-level process of what you need to do to set up and configure BMC Atrium Single Sign-On with BMC products.


1. Review the information that you need to understand prior to installing, such as the What's new (see page 12), Key concepts (see page 20), Planning (see page 29), and Preparing for installation topics.
2. Install BMC Atrium Single Sign-On. See Installing (see page 40) for the different installation options, such as High Availability (HA).
3. Install other BMC products for integrating with BMC Atrium Single Sign-On.
   For information about integrating and configuring BMC Remedy AR System version 8.1, see Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79).
   For information about integrating and configuring BMC Remedy AR System version 8.0, see Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00.
   For information about other BMC product integrations, such as BMC Dashboards and Analytics for BSM, see Integrating.
4. Configure your method of authentication. See Configuring after installation. The authentication module sections are:
   Using AR for authentication
   Using SAMLv2 for authentication
   Using Kerberos for authentication (see page 132)
   Using CAC for authentication
   Using LDAP (Active Directory) for authentication
   Using RSA SecurID for authentication
5. If you implement multiple authentication methods, see Managing authentication modules (see page 271).
6. Create and manage users and user groups. See Managing users (see page 264) and Managing user groups (see page 268).

5.3 BMC Atrium Single Sign-On using SAMLv2 deployment example This topic provides an example of how BMC Atrium Single Sign-On using Security Assertion Markup Language 2.0 (SAMLv2) can be deployed.


Business value (see page 32)
Federated authentication and SAML (see page 32)
Deployment architecture (see page 33)
Deployment model (see page 35)
Deployment tasks (see page 37)
Deployment parameters (see page 38)
Related topics (see page 40)

5.3.1 Business value This deployment example shows you how BMC Atrium Single Sign-On uses SAMLv2 authentication. Single sign-on means that you only need to present credentials once for authentication, and you are subsequently automatically authenticated by every BMC product that is integrated into the system. This means that if you are looking at a report that has links to incident or change records, you can click on the link and go directly to the records without logging in again. An additional important value is that with federated authentication the user logon credentials (for example, user name and password) are not exposed to the Service Provider (SP) and are not sent over the internet. The authentication is done on premise by the Identity Provider (IdP).

5.3.2 Federated authentication and SAML

SAMLv2 is an XML-based OASIS standard for exchanging user identity and security attribute information. It uses security tokens containing assertions to pass information about a principal (usually an end user) between an Identity Provider (IdP) and a web service. SAMLv2 enables federated authentication between your environment and the BMC Remedy applications. When using SAMLv2, the BMC Remedy infrastructure is defined as a Service Provider (SP), and your infrastructure that performs the user authentication is the IdP. With SAMLv2 enabled, a user who tries to access BMC Remedy applications without having previously authenticated is redirected to your IdP. After authentication, the user is redirected back to the originally requested resource (the BMC Remedy application).

Note Although SAMLv2 supports both IdP-initiated single sign-on and SP-initiated single sign-on, SP-initiated single sign-on is essential to allow specific use cases for deep linking to specific pages and resources in the applications (for example, a notification URL that contains a link to a specific BMC Remedy ITSM form and record).
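The SP-initiated flow the note describes, as an added example (not BMC code). When an unauthenticated browser requests a deep link, the SP builds a SAML AuthnRequest, encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding) and sends the browser to the IdP; the originally requested URL travels in SAML's RelayState parameter (a standard mechanism the page does not name) so that the user can be returned to it afterwards. The entity IDs and URLs are constructed placeholders, and the request is left unsigned. The check on RelayState is the one a practitioner wants here: its value comes from the browser, so an SP that blindly redirects to it after login becomes an open redirector.

```python
"""SP-initiated SAMLv2 login: AuthnRequest, HTTP-Redirect encoding and RelayState handling (added example)."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import quoteattr

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed settings; in a real deployment they come from the SP configuration and the IdP metadata.
SP_ENTITY_ID = "https://ssoserver.example.com:8443/atriumsso"
SP_ACS_URL = "https://ssoserver.example.com:8443/atriumsso/AssertionConsumerService"
IDP_SSO_URL = "https://idp.example.com/saml2/sso"
MID_TIER_HOSTS = ("midtier.example.com:8443",)   # hosts the SP is willing to send users back to


def build_authn_request(request_id=None, issue_instant=None):
    """Return a minimal, unsigned AuthnRequest asking for the response via HTTP-POST."""
    request_id = request_id or "_" + uuid.uuid4().hex   # an XML ID must not start with a digit
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp={quoteattr(SAMLP)} xmlns:saml={quoteattr(SAML)} '
        f'ID={quoteattr(request_id)} Version="2.0" IssueInstant={quoteattr(issue_instant)} '
        f'Destination={quoteattr(IDP_SSO_URL)} ProtocolBinding={quoteattr(HTTP_POST)} '
        f'AssertionConsumerServiceURL={quoteattr(SP_ACS_URL)}>'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def encode_redirect(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as query parameters."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15: raw DEFLATE, no zlib header
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii"), "RelayState": relay_state}
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_redirect(url):
    """What the IdP does on receipt (inverse of encode_redirect); returns (xml, relay_state)."""
    query = parse_qs(urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    xml = zlib.decompress(deflated, -15).decode("utf-8")
    return xml, query.get("RelayState", [None])[0]


def safe_relay_state(relay_state, allowed_hosts):
    """Accept RelayState as a post-login target only if it is a relative path or an https URL on
    one of our own hosts. The 80-byte limit is the one the SAML bindings specification imposes."""
    if len(relay_state.encode("utf-8")) > 80:
        return False
    parts = urlsplit(relay_state)
    if not parts.scheme and not parts.netloc:
        return relay_state.startswith("/") and not relay_state.startswith("//")
    return parts.scheme == "https" and parts.netloc in allowed_hosts


def start_sp_initiated_login(requested_url, allowed_hosts=MID_TIER_HOSTS):
    """The SP's action for an unauthenticated request: validate the deep link, then redirect."""
    if not safe_relay_state(requested_url, allowed_hosts):
        raise ValueError("refusing to carry an off-site or oversized RelayState")
    return encode_redirect(build_authn_request(), requested_url)
```

Deep links into ITSM forms are often longer than 80 bytes; the common answer is to store the requested URL server-side against the AuthnRequest ID and pass only an opaque key in RelayState, applying the same host check when the stored URL is replayed after login.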


Configuration of the SAMLv2 integration is largely the exchange of SAMLv2 metadata between your environment and the BMC Remedy environment. You provide the IdP metadata, which defines the URLs that you use for SAMLv2 and the certificate used to validate assertions. The BMC Remedy infrastructure provides SP metadata so that you can preregister the BMC Remedy SP in your SAMLv2 infrastructure as required. For more information about SAMLv2, see Using SAMLv2 for authentication.

5.3.3 Deployment architecture

This deployment example consists of the following components.

In the BMC environment:
BMC Remedy web applications supporting BMC Atrium Single Sign-On
BMC Atrium Single Sign-On agents, which are add-ons to any BMC Remedy web application
BMC Atrium Single Sign-On server, which serves as the SP and runs as a web application on the Apache Tomcat server

In your environment:
A browser, which you use to access BMC Remedy applications
An authentication server responsible for authenticating your users, usually located on premise; this is the IdP component

The SAMLv2 IdP server and the BMC Atrium Single Sign-On SP server are connected by a trust relationship (federation) so that they honor each other's authentication information. The following sequence diagram shows the interactions between BMC Atrium Single Sign-On and SAMLv2 components, listed in the order in which they occur.

BMC Atrium Single Sign-On and SAMLv2 components sequence diagram


The following sequence diagram illustrates the flow of events and the interaction between components for single log off (SLO): Single log off sequence diagram


5.3.4 Deployment model The following diagram shows the components that are part of this deployment example:


A load balancer or reverse proxy is placed in front of the application servers and routes inbound connections to the appropriate target web server. Load balancers are used to distribute the workload and optimize application performance. Reverse proxies are used to distribute the workload, optimize application performance, and hide the existence and characteristics of the internal servers. BMC Remedy Mid Tier is deployed on a separate virtual machine (VM). A second BMC Remedy Mid Tier and the BMC Atrium Single Sign-On server are deployed on another VM, on two different Apache Tomcat servers. BMC Dashboards for Business Services Management and BMC Analytics for Business Services Management are deployed on two different VMs to avoid performance issues. The browser and the SAMLv2 IdP server are deployed from your environment.


5.3.5 Deployment tasks The following table lists the main steps involved in installing and configuring the deployed BMC Products with BMC Atrium Single Sign-On with SAMLv2 authentication where BMC Atrium Single Sign-On is configured as an SP with a remote IdP.

Note Review the Deployment parameters (see page 38) list before starting the deployment tasks.

The steps are:

1. Install BMC Atrium Single Sign-On.
2. Install the BMC Remedy AR System server.
3. Install the BMC Remedy Mid Tier.
4. (Optional) Configure your load balancer or reverse proxy. For more information, see Troubleshooting redirect URLs (see page 343).
5. Run the SSOARIntegration utility on the AR System server (see page 88).
6. Run the SSOMidtierIntegration utility on the BMC Remedy Mid Tier (see page 92).
7. Configure group mapping for the AR System and BMC Atrium Single Sign-On (see page 91).
8. Configure the BMC Atrium Single Sign-On server for AR System (see page 97). Note: Although the AR authentication module must be configured, delete the AR user stores when using SAMLv2 for authentication; the AR data store is not needed for authentication in a SAMLv2 deployment.
9. Run a health check on the BMC Atrium Single Sign-On installation.
10. Configure BMC Atrium Single Sign-On to use SAMLv2 authentication with BMC Atrium Single Sign-On as a Service Provider and a remote Identity Provider. Note: Each time a BMC product is integrated with the BMC Atrium Single Sign-On Service Provider (steps 11 through 13), the J2EE agent configuration must be modified so that the integrated product can take part in federated single sign-on.
11. (Optional) Integrate BMC Dashboards for Business Service Management (see page 198) and configure it. For more information, see the BMC Dashboards for Business Service Management Installation Guide at PDFs.
12. (Optional) Integrate BMC Analytics for Business Service Management (see page 199) and configure it. For more information, see Installing.
13. (Optional) Integrate BMC IT Business Management Suite (see page 204). For more information, see Installing.


5.3.6 Deployment parameters

The deployment environment assumes Microsoft Windows 2008, Microsoft SQL Server 2008, and new Tomcat instances, with the defaults accepted. It also assumes that BMC Remedy AR System server groups and BMC Atrium Single Sign-On high availability (HA) are not deployed. BMC Atrium Single Sign-On authentication is SAMLv2, with BMC Atrium Single Sign-On configured as a Service Provider (SP) with a remote Identity Provider (IdP).

Important BMC recommends that you install the BMC Remedy Mid Tier, BMC Remedy AR System server, and BMC Atrium Single Sign-On server on separate computers. However, if you do install more than one BMC Product on the same computer, ensure that the HTTP, HTTPS, and Shutdown port numbers are different.

The following parameters are set when deploying the following BMC products and BMC Atrium Single Sign-On authentication: BMC Remedy AR System; BMC Remedy Mid Tier; BMC Atrium Single Sign-On; SAMLv2 authentication where BMC Atrium Single Sign-On is configured as an SP with a remote IdP; BMC Dashboards for BSM; BMC Analytics for BSM. The entries below are grouped by product install or configuration step and list each parameter with its description.

AR System installation
Planning spreadsheet: Complete the Planning Spreadsheet on BMC Remedy AR System 8.1.

Mid Tier installation
Planning spreadsheet: Complete the Planning Spreadsheet on BMC Remedy AR System 8.1.

Atrium SSO installation
FQDN of host name: The Fully Qualified Domain Name (FQDN) of the host. For example, ssoserver.bmc.com.
HTTP, HTTPS, Shutdown port numbers: If BMC Atrium Single Sign-On is installed on the same computer as another BMC product, provide port numbers that differ from those of the other BMC product.
Cookie domain: The cookie name is the name of the cookie that the agent checks for the SSO session token. It must match the cookie name in the server configuration. For example, atsso_bmc_com.
Atrium SSO server password: The password for the BMC Atrium Single Sign-On server. Default: amadmin.

AR System integration
AR Server Name: The AR server name. For example, arsystemserver.bmc.com.
AR Server User: The AR server user. For example, Demo.
AR Server Password: The AR server password. For example, Demo.
AR Server Port: The AR server port. For example, 0.
Atrium SSO URL: URL of the BMC Atrium Single Sign-On server. For example, https://ssoserver.bmc.com:8443/atriumsso
SSO Admin Name: The BMC Atrium Single Sign-On administrator name. Default: amadmin.
SSO Admin Password: The BMC Atrium Single Sign-On administrator password.
truststore: (Optional) The truststore path.
truststore-password: (Optional) The truststore password.
force: (Optional) If Yes, the utility does not wait for you to shut down the web server (if it is not already shut down) when the web server is something other than Tomcat or JBoss. Default: No.

Mid Tier integration
AR Server Name: The AR server name from the AR System integration. For example, arsystemserver.bmc.com.
AR Server User: The AR server user from the AR System integration. For example, Demo.
AR Server Password: The AR server password from the AR System integration. For example, Demo.
AR Server Port: The AR server port from the AR System integration. For example, 0.
Container Type: Supported container types are JBOSSV4, JBOSSV5, SERVLETEXECV5, SERVLETEXECV6, TOMCATV5, TOMCATV6, TOMCATV7, WEBSPHEREV6, WEBSPHEREV7, and WEBLOGICV10.
Web App URL: The Mid Tier URL if no load balancer is implemented; otherwise, the load balancer URL. Provide the server name as a fully qualified domain name and include the port in the URL. For example, http://midtierloadbalancer.bmc.com:8080/arsys
webserverhomedirectory: The web server home directory. For example, C:\Program Files\Apache Software Foundation\Tomcat6.
JREInstallDirectory: Path to the JRE directory. For example, C:\Program Files\Java\jre7.
MidtierHome: Mid Tier home directory. For example, C:\Program Files\BMC Software\ARSystem\midtier.
serverinstancename: The WebSphere instance name; required for a WebSphere server.
instanceconfigdirectory: The WebSphere configuration directory; required for a WebSphere server.
weblogicdomainhome: The BEA domain home; required for a WebLogic web application.

AR System external authentication group mapping for SSO
AR Group Name / LDAP Group Name: Administrator / BmcAdmins

Dashboards installation
Fully Qualified Host Name: Fully qualified host name of the BMC Atrium Single Sign-On server.
HTTP, HTTPS, Shutdown Port Number: Port numbers used by the BMC Atrium Single Sign-On server. If BMC Atrium Single Sign-On is installed on the same computer as another BMC product, provide port numbers that differ from those of the other BMC product.
Administrator login name and password: User name and password of the BMC Atrium Single Sign-On server administrator.

Analytics installation
BMC Dashboards administrator Name and Password: User name and password of the BMC Dashboards for BSM administrator user. This user must exist in BMC Atrium Single Sign-On.
Fully Qualified Host Name: Fully qualified host name of the BMC Atrium Single Sign-On server.
HTTP, HTTPS, Shutdown Port Number: Port numbers used by the BMC Atrium Single Sign-On server. If BMC Atrium Single Sign-On is installed on the same computer as another BMC product, provide port numbers that differ from those of the other BMC product.
Administrator login name and password: User name and password of the BMC Atrium Single Sign-On server administrator.

SAMLv2 authentication
Remote IdP metadata file: The metadata file of the remote Identity Provider (IdP). For example, sso-idp.xml.
BMC Remedy AR System agent Federated login URL and logout URI: The login and logout URIs are the locations to which the agent sends the user's browser when the corresponding function is needed.
BMC Dashboards agent Federated login URL and logout URI: The login and logout URIs are the locations to which the agent sends the user's browser when the corresponding function is needed.
BMC Analytics agent Federated login URL and logout URI: The login and logout URIs are the locations to which the agent sends the user's browser when the corresponding function is needed.

5.3.7 Related topics

Using AR for authentication
Using SAMLv2 for authentication
Agent manager

6 Installing

The BMC Atrium Single Sign-On server component is available for download from the BSM EPD site at http://webapps.bmc.com/epd, or it can be found in the BMC Atrium Shared Components box. The typical method for integrating BMC Atrium Single Sign-On with BMC Remedy AR System or any other BMC product is:

1. Install BMC Atrium Single Sign-On.
2. Install BMC Remedy AR System or other BMC products.
3. Integrate with BMC Remedy AR System or other BMC products.

Important BMC recommends that you install the BMC Remedy Mid Tier, BMC Remedy AR System server, and BMC Atrium Single Sign-On server on separate computers. However, if you do install more than one BMC Product on the same computer, ensure that the HTTP, HTTPS, and Shutdown port numbers are different.

The following topics provide information and instructions for installing BMC Atrium Single Sign-On:


Preparing for installation
Installation options (see page 48)
Configuring Terminal Services and DEP parameters
Installing BMC Atrium Single Sign-On as a standalone (see page 50)
Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55)
Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72)
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79)
Installing silently (see page 112)
Uninstalling BMC Atrium Single Sign-On (see page 117)

6.1 Preparing for installation Review or perform the following tasks before you start installing. 1. Review the Planning (see page 29) topics. 2. Review the Prerequisites for installation (see page 42) and update your environment. 3. Review the Compatibility matrix. 4. Download the installation files (see page 44).

6.1.1 Prerequisites for installation This topic describes the prerequisites for installing BMC Atrium Single Sign-On.

Warning If you have not met all of the requirements before you begin the installation, you might have issues with the installation. You must fulfill the requirements on this page before you begin the installation.

Limitation (see page 42)
Access and permissions (see page 43)
Disk space requirements (see page 43)
Memory requirements (see page 43)
Log file memory requirements (see page 43)
System requirements (see page 43)
Entropy level requirements (see page 44)
Firewalls (see page 44)

Limitation Do not deploy BMC Atrium Single Sign-On on a Network File System (NFS) file system.


Access and permissions If you are a nonroot runtime user of the BMC Atrium Single Sign-On web container instance, you must be able to write to your own home directory. (Microsoft Windows) You must have administrator privileges. (UNIX) You can be any user. However, root privileges are required to set up auto-startup of the services.

Disk space requirements This section contains information about prerequisite storage space requirements for installation and log files. Before installing BMC Atrium Single Sign-On, you must have at least the following available disk space:
(Microsoft Windows) 650 MB
(Linux) 750 MB
(Oracle Solaris) 850 MB

Memory requirements If you are installing BMC Atrium Single Sign-On on an external Tomcat server, 1024 MB of RAM is required. For an external Tomcat 7 server with JDK 1.7, increase the memory by an additional 20%, to a minimum of about 1.2 GB.

Log file memory requirements An additional 7-10 GB of disk space is recommended for log file growth, depending on the volume of users and the products integrating with the BMC Atrium Single Sign-On server. To manage log file storage space effectively, perform the following tasks:
Delete the debug log files periodically, especially if the debug level is set to message.
Check the .access and .error log files periodically in the logs directory.
Consider configuring log rotation to delete the oldest log files.

System requirements If you are installing BMC Atrium Single Sign-On on Red Hat Enterprise Linux (RHEL) 6.x, you must install the following 32-bit RPM packages so that the installer can use a 32-bit JRE and display its user interface: glibc.i686 and libXtst.i686.


Entropy level requirements If you are installing BMC Atrium Single Sign-On on Red Hat Enterprise Linux computers and the entropy level on the server is under 150, you might experience installation issues. If an installation or silent installation aborts suddenly, finishes very quickly, or takes a long time to complete, the computer might be experiencing low entropy. To avoid these issues, perform the following tasks:

1. Verify the level of entropy in the entropy_avail file:
   cat /proc/sys/kernel/random/entropy_avail
2. If the level of entropy is less than 150, run the following commands as the root user, or restart the computer. Running the commands is the preferred option because rngd helps maintain the entropy level after installation. If your server regularly has a low entropy level, configure it to run these commands at startup:
   yum install rng-tools
   echo 'EXTRAOPTIONS="-i -o /dev/random -r /dev/urandom -t 10 -W 2048"' >>/etc/sysconfig/rngd
   chkconfig rngd on
   service rngd restart

Note that with -r /dev/urandom, rngd only re-credits output of the non-blocking pool to /dev/random; it unblocks the installer but adds no new entropy. Where a hardware random source is available (a CPU or virtual RNG device), prefer feeding rngd from that.

Firewalls The ports that you selected when you installed the BMC Atrium Single Sign-On server must be accessible from the clients that are authenticated through the server. Configure the firewalls to allow access to the HTTPS port used for authentication, as well as the LDAP and Apache MQ ports in the nodes of a cluster.

6.1.2 Downloading the installation files This topic provides instructions for downloading the files that you need for installation. The latest BMC Atrium Single Sign-On GA version on the BMC Electronic Product Distribution (EPD) website is 8.1.00.03.

Files to download (see page 44)
To download the files (see page 45)
Enabling search in the offline documentation (see page 47)
Where to go from here (see page 47)

Files to download The following table provides the product files available on the BMC EPD website for BMC Atrium Single Sign-On. You can find the installer and documentation related to BMC Atrium Single Sign-On version 8.1.00.03 on the Products tab itself.


Note BMC Atrium Single Sign-On is provided with the ESM solution suites. On the BMC EPD website, you must visit the download sections for BMC Remedy IT Service Management, BMC ProactiveNet Performance Management, BMC BladeLogic Automation, or BMC Application Management suites to obtain the latest version of BMC Atrium Single Sign-On.

You can download the latest installer files from any of the ESM solution suites on the EPD web site. For example: BMC Remedy IT Service Management Suite > BMC Remedy IT Service Management Suite 8.1.00 - OperatingSystem > BMC Atrium Single Sign-On Version 8.1.00 for OperatingSystem

Hyperlink on EPD page: File name on EPD page

BMC Atrium Single Sign-On Version 8.1.00.03 - Microsoft Windows: BMCAtriumSSO8.1.00.03.windows.zip
BMC Atrium Single Sign-On Version 8.1.00.02 - Oracle Solaris: BMCAtriumSSO8.1.00.03.solaris.tar.gz
BMC Atrium Single Sign-On Version 8.1.00.02 - Linux (for AIX): BMCAtriumSSO8.1.00.03.linux.tar.gz
BMC Atrium Single Sign-On Version 8.1.00.03 Documentation: BMCAtriumSSO_8.1_Patch3_Help.zip. This zip file contains an archived version of the online documentation for BMC Atrium Single Sign-On 8.1. For the latest and most comprehensive content, see the BMC Online Technical Documentation portal (docs.bmc.com) for this release.

Note The installation files for BMC Atrium Single Sign-On versions 8.1.00.02 have been replaced with the installation files for version 8.1.00.03, and can no longer be downloaded from the EPD site. Patch 3 for BMC Atrium Single Sign-On 8.1.00 (8.1.00.03) is a full installation and includes the fixes that were available in Patch 1 and Patch 2 (8.1.00.01 and 8.1.00.02). You can download the Patch 3 installation files from the BMC EPD site and perform your normal installation.

To download the files The product files that you download from the EPD website might contain some or all of the patches listed on a product's Customer Support web page. If the EPD page shows that a patch is included in a file you downloaded, you do not need to obtain that patch separately. 1. Create a directory in which to place the downloaded files.


Note On Microsoft Windows computers, ensure that the directory is only one level into the directory structure. The EPD package creates a directory in the temporary directory when you extract the files, and the directory that contains the installation image should not be in a directory deeper than two levels into the directory structure.

2. Go to http://www.bmc.com/available/epd.html. 3. At the logon prompt, enter your user ID and password, and click Submit. 4. On the Export Compliance and Access Terms page, provide the required information, agree to the terms of the agreements, and click Continue. 5. If you are accessing this site for the first time, create an EPD profile to specify the languages and platforms that you want to see, per the EPD site help; otherwise, skip to step 6. 6. Verify that the correct profile is displayed for your download purpose, and select the Licensed Products tab.

Note BMC Atrium Single Sign-On 8.1.00 Patch 3 (8.1.00.03) installation files are available on the Licensed Products tab.

7. Locate the solution for which you are using BMC Atrium Single Sign-On, such as BMC Remedy IT Service Management Suite, and expand its entries.

Note As BMC Atrium Single Sign-On is a part of the ESM solution suites, you must visit the download sections for BMC Remedy IT Service Management, BMC ProactiveNet Performance Management, BMC BladeLogic Automation, or BMC Application Management suites to obtain the latest version of BMC Atrium Single Sign-On. For the steps in this process, BMC Remedy IT Service Management is used.

8. Expand the BMC Remedy IT Service Management Suite 8.1.00 directory for the appropriate platform and language. 9. Expand the BMC Atrium Single Sign-On Version 8.1.00 for OperatingSystem directory for the appropriate platform and language. 10. Select the check boxes next to the files and documents that you want to download. 11. Click Download (FTP) or Download Manager: Download (FTP) places the selected items in an FTP directory, and the credentials and FTP instructions are sent to you in an email message.


Download Manager enables you to download multiple files consecutively and to resume an interrupted download if the connection drops. This method requires a one-time installation of the Akamai NetSession client program on the target computer and is usually the faster and more reliable way to transfer files. A checksum operation is used to verify file integrity automatically.

Enabling search in the offline documentation The Offline Documentation - productName version zip file contains an archived version of the online documentation. For the latest and most comprehensive content, see the BMC Online Technical Documentation Portal. Search in the offline documentation covers only the local files.

To enable search in the offline documentation Deploy the offline documentation on a web server by using one of the following methods:

If this is the first BMC offline documentation archive that you are installing on the web server, extract the zip file to the web application deployment folder of your web container (servlet container). For example, with an Apache Tomcat web server, extract the zip file to \webapps.

If at least one BMC offline documentation archive is already installed on the web server, perform the following steps:
1. Extract the zip file to your hard drive.
2. Open the extracted localhelp folder.
3. Copy only the productName version folder and the productName version.map.txt file to the localhelp folder of your web container (servlet container). For example, if you are deploying BMC Asset Management 8.1 documentation to an Apache Tomcat web server, copy the asset81 folder and the BMC Asset Management 8.1.map.txt file to \webapps\localhelp. Do not include the other folders and files.

To view the offline documentation in a browser Type the following URL: http://:/localhelp//Home.html For example: http://SanJoseTomcat:8080/localhelp/ars81/Home.html

Where to go from here Carefully review the Prerequisites for installation (see page 42) for your platform and other tasks necessary specific to the type of installation you choose. For installation instructions, see Installing (see page 40).


6.2 Installation options

This topic provides information about the various installation options for BMC Atrium Single Sign-On:

Goal: To integrate BMC Atrium Single Sign-On with Terminal Services. If you are using Terminal Services to install BMC Atrium Single Sign-On, you must configure the Terminal Services parameters prior to installation.
Reference: Configuring Terminal Services and DEP parameters

Goal: To install BMC Atrium Single Sign-On as a standalone on the provided Tomcat.
Reference: Installing BMC Atrium Single Sign-On as a standalone (see page 50)

Goal: To install BMC Atrium Single Sign-On as a high availability cluster.
Reference: Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55)

Goal: To install BMC Atrium Single Sign-On with AR System and Mid Tier. These installation instructions are for BMC Atrium Single Sign-On, AR System, and Mid Tier version 8.1 and later.
Reference: Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79)

Goal: To integrate BMC Atrium Single Sign-On with the AR System (version 8.0.00 only) after BMC Remedy AR System has been installed.
Reference: Integrating BMC Atrium Single Sign-On with AR System (Version 8.0.00 only)

Goal: To install BMC Atrium Single Sign-On on an external Tomcat server.
Reference: Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72)

Goal: To install BMC Atrium Single Sign-On on an external Tomcat server and enable FIPS-140 mode.
Reference:
1. Configuring an external Tomcat instance for FIPS-140 (see page 76)
2. Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72)
3. Configuring FIPS-140 mode (see page 251)

6.3 Configuring Terminal Services and DEP parameters

If you are planning to install BMC Atrium Single Sign-On via Terminal Services (Remote Desktop Services), you must first configure Terminal Services and DEP parameters.

6.3.1 To update Terminal Services configuration options for Windows Server 2008

1. From the Windows Start menu, click Run.
2. Type gpedit.msc, then click OK.
3. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Temporary Folders.
4. Enable the settings for Do not delete temporary folders on exit and Do not use temporary folders per session.
5. (optional) Restart the computer.
6. If the settings do not take effect, complete the following steps:
   a. From the Windows Start menu, click Run.
   b. Type regedit, then click OK.
   c. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server.
   d. Update PerSessionTempDir to 0 and DeleteTempDirsOnExit to 0.
   e. (optional) Restart the computer.

To update Terminal Services configuration options for Windows Server 2003

1. From the Windows Start menu, click Run.
2. Type tscc.msc, then click OK.
3. In Server Settings, set Delete temporary folders on exit to No.
4. Set Use temporary folders per session to No.
5. (optional) Restart the computer.
6. If the settings do not take effect, complete the following steps:
   a. From the Windows Start menu, click Run.
   b. Type regedit, then click OK.
   c. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server.
   d. Update PerSessionTempDir to 0 and DeleteTempDirsOnExit to 0.
   e. (optional) Restart the computer.

To configure the DEP feature

If you are using the data execution prevention (DEP) feature in Windows, configure DEP for executable programs.

Note If you do not configure these items before you run the installer, an installer panel appears listing the steps required to handle these issues.

1. From the Windows Start menu, click Control Panel; then double-click System.
2. Click the Advanced tab.
3. In the Performance area, click Settings.
4. On the Data Execution Prevention tab, verify whether the Turn on DEP for all programs and services except those I select option is selected. If the Turn on DEP for essential Windows programs and services only option is selected, no configuration is required.

Note If you do not select the Turn on DEP for all programs and services except those I select option, and then perform the remaining steps in this procedure, the installer might not run correctly.

5. If the Turn on DEP for all programs and services except for those I select option is selected, click Add.
6. Browse to the executable, and then click Open. The installation program appears in the DEP program area.
7. Click Apply; then click OK.
8. (optional) Restart the computer.

6.4 Installing BMC Atrium Single Sign-On as a standalone

This topic provides instructions for performing a BMC Atrium Single Sign-On standalone installation. In this installation, a Tomcat server and JVM are installed and properly configured for use by the BMC Atrium Single Sign-On server. This installation method is the simplest and easiest to perform because all of the administrative and configuration details are handled by the installation program.

Before you begin (see page 51)
To install BMC Atrium Single Sign-On as a standalone (see page 51)
Where to go from here (see page 54)

6.4.1 Before you begin

Obtain the zipped BMC Atrium Single Sign-On files from the BMC product package via Electronic Product Download (EPD) or the BMC Atrium Single Sign-On DVD.
If there is already an installation of BMC Atrium Single Sign-On on the target computer, the installer will not allow another installation. Uninstall the existing version.
Prepare to run the installation program for your operating system. For example, you must update Terminal Services configuration options and configure the DEP feature if you are using Windows. For more information, see Configuring Terminal Services and DEP parameters.

Note The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product (for example, the AR System server or the BMC Remedy Mid Tier) that integrates with BMC Atrium Single Sign-On. BMC recommends that you install BMC Atrium Single Sign-On on a different computer than the computer where you plan to install a BMC product (for example, the AR System server or the BMC Remedy Mid Tier).

6.4.2 To install BMC Atrium Single Sign-On as a standalone

1. Unzip the BMC Atrium Single Sign-On files.
2. Run the installation program. The setup executable is located in the Disk1 directory of the extracted files.
   (Microsoft Windows) Run setup.cmd.
   (UNIX) Run setup.sh (which automatically detects the appropriate subscript to execute).
3. In the lower right corner of the Welcome panel, click Next.
4. Review the license agreement, click I agree to the terms of license agreement, and then click Next.
5. Accept the default destination directory or browse to select a different directory, and then click Next.
6. In the Host Name Information panel, verify that the hostname presented is the Fully Qualified Domain Name (FQDN) for the host, and then click Next. Correct the value as needed.
7. Choose to install a non-clustered or clustered Atrium Single Sign-On Server, and then click Next.
   Non-clustered Atrium Single Sign-On Server – Standalone Single Sign-On Server.
   Clustered Atrium Single Sign-On Server – Implemented as a redundant system with session failover. A clustered install requires at least two nodes. For more information, see Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55).
8. Verify that Install New Tomcat is selected, and then click Next. The Tomcat server options are:
   Install New Tomcat (default)
   Use External Tomcat. See Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72) to install with this option.

Note When installing on Linux servers, you must configure JVM for Tomcat after the installation. For more information about configuring JVM, see Configuring a JVM for the Tomcat Server (see page 77).

9. Accept the default Tomcat HTTP port number (8080), HTTPS port number (8443), and Shutdown port number (8005), or enter different port numbers, and then click Next. If any of the port numbers are incorrect, a panel identifies the incorrect port number and requires you to return to the previous page to correct the values before proceeding with the installation.

Note When installing on Linux servers, selecting a port number below 1000 requires the server to run as root or the use of a port forwarding mechanism.

10. Enter a cookie domain, and then click Next. The domain value of the cookie should be the network domain of BMC Atrium Single Sign-On or one of its parent domains. For more information, see Default cookie domain.

Note The higher the level of the selected parent domain, the higher the risk of user impersonation. Top-level domains are not supported (for example, com or com.ca ). You cannot use sibling domains or cross-domains with BMC Atrium Single Sign-On. For example, installing the BMC Atrium Single Sign-On server in the remedy.com domain and the AR System server in the bmc.com domain is not supported. You must move all your computers into the same domain.

11. Enter a strong administrator password (at least 8 characters long), confirm the password, and then click Next. The default SSO administrator name is amadmin.

Note Passwords with special characters must be specified in quotes.

For more information, see Administrator password.
12. Review the installation summary and click Install.
13. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the BMC Atrium Single Sign-On URL.
   a. Navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to launch the BMC Atrium SSO Admin Console. The URL to open the BMC Atrium SSO Admin Console is: https://.:/atriumsso
      For example, https://ssoserver.bmc.com:8443/atriumsso
   b. When you are prompted that you are connecting to an insecure or untrusted connection, add the exception and then continue. Note: Browsers display this warning because you have not yet configured the SSO authentication as a trusted provider.
   c. Confirm that you can view the BMC Atrium SSO logon panel.
   d. Log on with the SSO administrator name (for example, amadmin) and password. The BMC Atrium SSO Admin Console appears.
14. (Optional) Create an administrative user account for BMC Products to perform search functions on the user store (for example, to list user names and emails). If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BMCSearchAdmins group to the new user account. If you are using an external system for authentication (such as AR System, LDAP, or Active Directory), assign the BmcSearchAdmins group to either an already existing user account or a new user account.
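Steps 9 and 10 of the procedure above take two inputs that the installer only partly validates: the Tomcat port numbers (with the Linux note about low ports) and the cookie domain (with the note that a higher parent domain widens the impersonation risk, that top-level domains are rejected, and that sibling domains such as remedy.com and bmc.com cannot be mixed). The following pre-check is an added example, not BMC installer code. It assumes the SSO server and integrating products are identified by their FQDNs; the public-suffix set is a small constructed sample standing in for the full Public Suffix List, and the privileged-port limit is 1024 (the Linux reservation) where the page states "below 1000".

```python
"""Pre-checks for two installer inputs: the three Tomcat ports and the SSO
cookie domain. Added example, not part of the BMC installer."""

PRIVILEGED_PORT_LIMIT = 1024   # Linux reserves ports below 1024 for root
                               # (the page states the limit as "below 1000")

# Constructed sample of public suffixes; a production check would consult the
# full Public Suffix List. Anything in this set counts as a "top-level domain"
# for the cookie-domain rule above (for example "com" or "com.ca").
PUBLIC_SUFFIXES = {"com", "net", "org", "ca", "uk", "au", "com.ca", "co.uk", "com.au"}


def check_ports(http_port, https_port, shutdown_port):
    """Return a list of problems with the Tomcat port choices (empty = OK)."""
    problems = []
    ports = {"HTTP": http_port, "HTTPS": https_port, "Shutdown": shutdown_port}
    for name, port in ports.items():
        if not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(f"{name} port {port!r} is not a valid TCP port")
        elif port < PRIVILEGED_PORT_LIMIT:
            problems.append(f"{name} port {port} is privileged: Tomcat would have "
                            "to run as root, or a port forwarding mechanism is needed")
    if len(set(ports.values())) != len(ports):
        problems.append("HTTP, HTTPS and Shutdown ports must all be different")
    return problems


def _labels(name):
    """Split a host or domain name into lowercase DNS labels, ignoring a
    leading dot (cookie-domain notation) and a trailing dot (FQDN notation)."""
    return name.strip().lower().strip(".").split(".")


def _is_domain_or_parent(cookie_labels, host_domain_labels):
    """True if cookie_labels equals host_domain_labels or is a suffix of it."""
    n = len(cookie_labels)
    return 0 < n <= len(host_domain_labels) and host_domain_labels[-n:] == cookie_labels


def check_cookie_domain(cookie_domain, sso_host, integrated_hosts=()):
    """Validate a candidate cookie domain against the SSO server FQDN and the
    FQDNs of the products that will integrate with it.

    Returns (errors, levels_above). errors is a list of strings (empty = OK).
    levels_above is how many DNS labels the cookie domain sits above the SSO
    server's own domain: 0 for sso.bmc.com with bmc.com, 1 for sso.eu.bmc.com
    with bmc.com. The higher it is, the more hosts receive the session cookie,
    which is the impersonation risk the note above describes.
    """
    errors = []
    dom = _labels(cookie_domain)
    host_domain = _labels(sso_host)[1:]            # drop the host label itself
    if ".".join(dom) in PUBLIC_SUFFIXES or len(dom) < 2:
        errors.append(f"{cookie_domain!r} is a top-level domain; not supported")
    if not _is_domain_or_parent(dom, host_domain):
        errors.append(f"{cookie_domain!r} is neither the domain of {sso_host} "
                      "nor one of its parents")
    for host in integrated_hosts:
        if not _is_domain_or_parent(dom, _labels(host)[1:]):
            errors.append(f"{host} is in a sibling or cross domain relative to "
                          f"{cookie_domain!r}; it must move into the same domain")
    levels_above = max(0, len(host_domain) - len(dom))
    return errors, levels_above


if __name__ == "__main__":
    print(check_ports(8080, 8443, 8005))
    print(check_cookie_domain("remedy.com", "sso.remedy.com", ["ars.bmc.com"]))
```

The levels_above value is worth recording alongside the chosen domain: a result of 0 means the cookie is scoped to exactly the SSO server's own domain, which is the narrowest choice the page permits.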

6.4.3 Where to go from here

To install the AR System server, see Installing or upgrading AR System server.
To secure certificates with an external CA, see Managing keystores with a keytool utility (see page 239).
To configure authentication, see Configuring after installation. For a specific authentication method, see the specific method. For example, for LDAP or Active Directory, see Using LDAP (Active Directory) for authentication.

6.5 Installing BMC Atrium Single Sign-On as a High Availability cluster

A BMC Atrium Single Sign-On High Availability (HA) cluster environment is implemented as a redundant system with session failover. In this model, if a node fails, the BMC Atrium Single Sign-On load is transitioned to the remaining servers with minimal interruption. When multiple BMC Atrium Single Sign-On servers are installed and configured to operate as a cluster, a system failure is absorbed by the remaining cluster nodes. The BMC best practice is to run the BMC Atrium Single Sign-On cluster behind a firewall to protect the communications channels between the nodes, such as replication, BMC Atrium Single Sign-On sessions, and administrative communications. The communications are encrypted; however, the ports must be exposed for connections from the other clustered machines.

HA prerequisites (see page 56)
HA pre-installation tasks (see page 56)
To install BMC Atrium Single Sign-On as an HA cluster (see page 56)
HA post-installation activities (see page 57)

6.5.1 HA prerequisites

BMC Atrium Single Sign-On HA requires the following:
An installed load balancer.
The load balancer must support HTTP traffic.
The load balancer must be configured with HTTP session sticky mode.
The load balancer must be configured for HTTPS communication.

Note HTTP session sticky mode is used to ensure that the first BMC Atrium Single Sign-On server continues to be used for subsequent requests (excluding node failure).

6.5.2 HA pre-installation tasks

BMC recommends that you install the provided BMC Atrium Single Sign-On Tomcat server and Java virtual machine (JVM). Although installation onto an external (customer-provided) Tomcat server and JVM is supported, this configuration is not recommended.
Before installing the first node, the following information is needed for cluster setup:
URL that the load balancer uses for the cluster. The load balancer uses this URL to disperse calls to the cluster nodes.
Port number for the internal LDAP server
Port number for the replication of the internal LDAP server
The port numbers are used by LDAP for communicating data and for replication information. The specified ports should not be used by other programs and must be accessible from every computer that is part of the cluster.

6.5.3 To install BMC Atrium Single Sign-On as an HA cluster

1. Installing the first node for an HA cluster on a new Tomcat server (see page 57) or Installing the first node for an HA cluster on an external Tomcat server (see page 68).

Note Be sure to copy the configuration file to the additional nodes.

2. Installing additional nodes for an HA cluster on a new Tomcat server (see page 63) or Installing additional nodes for an HA cluster on an external Tomcat server (see page 70).

Note After installing BMC Atrium Single Sign-On in HA mode, verify that the cookie name is the same for all the nodes. For more information about verifying the cookie name, see Managing nodes in a cluster (see page 273).

6.5.4 HA post-installation activities

After adding a new additional node:
Ensure that the load balancer is configured with the new node.
Update the Apache MQ configuration of the new node and the existing nodes (if static configuration is used).
Restart the existing nodes sequentially.
After a cookie name is changed for a particular BMC Atrium Single Sign-On server in the HA cluster, restart that BMC Atrium Single Sign-On server.

Note In some cases, a BMC Atrium Single Sign-On server restart, a browser cache purge, and a cookie cleanup do not help to avoid a multiple redirects error. In that case, reboot the operating system.

6.5.5 Installing the first node for an HA cluster on a new Tomcat server

The following provides information and instructions for installing the first node for an HA cluster on a new Tomcat.
Before you begin (see page 57)
To install the first node for an HA cluster on a new Tomcat (see page 58)
Where to go from here (see page 63)

Before you begin

Obtain the zipped BMC Atrium Single Sign-On files from the BMC product package via Electronic Product Download (EPD) or the BMC Atrium Single Sign-On DVD.
If there is already an installation of BMC Atrium Single Sign-On on the target computer, the installer will not allow another installation. Uninstall the existing version.
Prepare to run the installation program for your operating system. For example, you must update Terminal Services configuration options and configure the DEP feature if you are using Windows. For more information, see Configuring Terminal Services and DEP parameters.
You must have a network load balancer configured for creating an HA cluster.

Important The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product (for example, the AR System server or the BMC Remedy Mid Tier) that integrates with BMC Atrium Single Sign-On. BMC recommends that you install BMC Atrium Single Sign-On on a different computer than the computer where you plan to install a BMC product (for example, the AR System server or the BMC Remedy Mid Tier).

To install the first node for an HA cluster on a new Tomcat

1. Run the installation program. The setup executable is located in the Disk1 directory of the extracted files.
   (Microsoft Windows) Run setup.cmd
   (UNIX) Run setup.sh
2. In the lower right corner of the Welcome panel, click Next.
3. Review the license agreement, click I agree to the terms of license agreement, and then click Next.
4. Accept the default destination directory or browse to select a different directory, and then click Next.
5. In the Host Name Information panel, verify that the hostname presented is the Fully Qualified Domain Name (FQDN) for the host, and then click Next. Correct the value as needed.
6. In the BMC Atrium SSO Server Cluster Options panel, perform the following actions:
   a. Select Clustered BMC Atrium SSO Server.
   b. Select New Cluster Installation (First node).
   c. Click Next.
7. Enter a file name and location for storing the cluster configuration information and click Next. The file can have any extension, but it is recommended that you use .cfg as the extension because the file stores cluster configuration information. For example, clusterconfig.cfg. When you enter the file name and click Next, a config file with that name is automatically created on your computer.

Important This file is needed when subsequent nodes are added to the cluster and it contains sensitive information that is used when installing subsequent nodes.

8. Enter the LDAP port number (8091), LDAP replication port (8092), LDAP administration port (8093), and click Next.
9. Enter the load balancer URL and click Next. For example:
   https://loadBalancerFQDN:port/atriumsso
   https://BMCLoadBalancer.bmc.com:8443/atriumsso

As you are installing BMC Atrium SSO in a cluster environment, you must use the load balancer URL mentioned in this step for integration with other products. For example, when you are integrating BMC Atrium SSO with BMC Remedy Mid Tier, you must add the load balancer URL instead of the BMC Atrium SSO server URL. For more information, see Running the SSOMidtierIntegration utility on the Mid Tier (see page 92).

10. Verify that Install New Tomcat is selected and click Next.

Note The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates with BMC Atrium Single Sign-On. BMC recommends that BMC Atrium Single Sign-On be the only application on the Tomcat server.

11. Accept the default Tomcat server HTTP port number (8080), HTTPS port number (8443), and Shutdown port number (8005), or enter different port numbers, and click Next. If any of the port numbers are incorrect, a pop-up menu identifies the incorrect port number and allows you to modify the selection.
12. Enter a cookie domain and click Next. The domain value of the cookie should be the network domain of BMC Atrium Single Sign-On or one of its parent domains.

Important The higher the level of the selected parent domain, the higher the risk of user impersonation. You cannot use sibling domains or cross-domains with BMC Atrium Single Sign-On. For example, installing the BMC Atrium Single Sign-On server in the remedy.com domain and the AR System server in the bmc.com domain is not supported. You must move all your computers into the same domain.

13. Enter a strong administrator password, confirm the password, and click Next. The default administrator name is amadmin.

14. Review the installation summary and click Install. After the first node has been successfully installed, additional nodes can be added to the cluster by using the file created during the first installation.
15. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the BMC Atrium Single Sign-On URL.
   a. Navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to launch the BMC Atrium SSO Admin Console. The URL to open the BMC Atrium SSO Admin Console is: https://.:/atriumsso
      For example: https://ssoServer.bmc.com:8443/atriumsso
   b. When you are prompted that you are connecting to an untrusted connection, add the exception and then continue.

Note The browsers display this warning because you have not yet configured the SSO authentication as a trusted provider.

   c. Confirm that you can view the BMC Atrium Single Sign-On login panel.
   d. Log on with the SSO administrator name (for example, amadmin) and password. The BMC Atrium SSO Admin Console appears.
16. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the SSO load balancer. For example: https://ssoloadbalancer.bmc.com:8443/atriumsso The BMC Atrium SSO login screen appears. After you log on, the SSO server appears in the HA Nodes List.

17. (Optional) Create an administrative user account for BMC Products to perform search functions on the user store (for example, to list user names and emails). If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BMCSearchAdmins group to the new user account. If you are using an external system for authentication (such as AR System, LDAP, or Active Directory), assign the BmcSearchAdmins group to either an already existing user account or a new user account.
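Step 7 of this procedure creates the cluster configuration file (clusterconfig.cfg in the example), and the Important note says it holds sensitive information and must be carried to every additional node. The following is an added example, not BMC installer code, of treating that file like a key file: it reports a file whose POSIX mode lets the group or other users read it, and it writes the copy for the next node with owner-only permissions from the moment of creation, refusing to overwrite an existing file. File names and contents are constructed; the mode checks apply only on POSIX systems.

```python
"""Permission check and owner-only copy for the cluster configuration file.
Added example, not part of the BMC installer; names are constructed."""
import os
import shutil
import stat
import tempfile

IS_POSIX = os.name == "posix"
SAMPLE_CONTENT = b"# constructed sample, not a real cluster configuration\n"


def permission_problems(path):
    """Return a list of problems with a secret file's POSIX mode and owner
    (empty = OK). Mode bits mean nothing on non-POSIX platforms, so nothing
    is reported there."""
    if not IS_POSIX:
        return []
    st = os.stat(path)
    mode = oct(st.st_mode & 0o777)
    problems = []
    if st.st_mode & stat.S_IRWXG:
        problems.append(f"{path} is accessible by its group (mode {mode})")
    if st.st_mode & stat.S_IRWXO:
        problems.append(f"{path} is accessible by everyone (mode {mode})")
    if st.st_uid != os.getuid():
        problems.append(f"{path} is not owned by the current user")
    return problems


def copy_secret_file(src, dst):
    """Copy src to dst so that the copy never exists with permissive mode bits:
    dst is created with O_EXCL and mode 0600 before any content is written.
    Raises FileExistsError rather than overwriting. Returns bytes copied."""
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    total = 0
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        for chunk in iter(lambda: inp.read(65536), b""):
            out.write(chunk)
            total += len(chunk)
    if IS_POSIX:
        os.chmod(dst, 0o600)   # umask cannot widen 0600, but be explicit
    return total


def demo():
    """Exercise both helpers on a constructed clusterconfig.cfg in a temporary
    directory. Returns (problems_before, bytes_copied, problems_after,
    overwrite_refused)."""
    workdir = tempfile.mkdtemp(prefix="ssocluster-")
    try:
        src = os.path.join(workdir, "clusterconfig.cfg")      # constructed name
        with open(src, "wb") as f:
            f.write(SAMPLE_CONTENT)
        if IS_POSIX:
            os.chmod(src, 0o644)     # the usual default: world-readable
        before = permission_problems(src)
        dst = os.path.join(workdir, "node2", "clusterconfig.cfg")
        os.makedirs(os.path.dirname(dst), mode=0o700)
        copied = copy_secret_file(src, dst)
        after = permission_problems(dst)
        try:
            copy_secret_file(src, dst)
            refused = False
        except FileExistsError:
            refused = True
    finally:
        shutil.rmtree(workdir)
    return before, copied, after, refused


if __name__ == "__main__":
    print(demo())
```

Running the check on the first node before copying, and again on each additional node after the file has landed in its Disk1 directory, catches the common case where a file created at 0644 is copied as-is and stays readable by every local account until it is deleted.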

Where to go from here

Installing additional nodes for an HA cluster on a new Tomcat server (see page 63) or Installing additional nodes for an HA cluster on an external Tomcat server (see page 70)

6.5.6 Installing additional nodes for an HA cluster on a new Tomcat server

The following provides information and instructions for installing additional nodes for an HA cluster on a new Tomcat.
Before you begin (see page 63)
To install an additional node for an HA cluster on a new Tomcat (see page 63)
Where to go from here (see page 68)

Before you begin

Install the first node for an HA cluster on a new Tomcat server (see page 57).
Obtain the zipped BMC Atrium Single Sign-On files from the BMC product package via Electronic Product Download (EPD) or the BMC Atrium Single Sign-On DVD for the additional nodes.
If there is already an installation of BMC Atrium Single Sign-On on the target computer, the installer will not allow another installation. Uninstall the existing version.
Ensure that the first node and all the additional nodes are running in the HA cluster.
Prepare to run the installation program for your operating system. For example, you must update Terminal Services configuration options and configure the DEP feature if you are using Windows. For more information, see Configuring Terminal Services and DEP parameters.

Important The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product (for example, the AR System server or the BMC Remedy Mid Tier) that integrates with BMC Atrium Single Sign-On. BMC recommends that you install BMC Atrium Single Sign-On on a different computer than the computer where you plan to install a BMC product (for example, the AR System server or the BMC Remedy Mid Tier).

To install an additional node for an HA cluster on a new Tomcat

During subsequent node installations, previously installed nodes must be available so that the newly added node can fully integrate into the cluster.
1. Ensure that all nodes are running and available.
2. Copy the cluster configuration file (created during the first node's installation) to the Disk1 directory of the extracted files before installing BMC Atrium Single Sign-On on the node.

Note The installation and configuration information of the first node is used when installing additional nodes.

3. Run the installation program. Launch the setup executable located in the Disk1 directory of the extracted files.
   (Microsoft Windows) Run setup.cmd
   (UNIX) Run setup.sh
4. In the lower right corner of the Welcome panel, click Next.
5. Review the license agreement, click I agree to the terms of license agreement, and then click Next.
6. Accept the default destination directory or browse to select a different directory, and then click Next.
7. In the Host Name Information panel, verify that the hostname presented is the Fully Qualified Domain Name (FQDN) for the host, and then click Next. Correct the value as needed.
8. In the BMC Atrium SSO Server Cluster Options panel, perform the following actions:
   a. Select Clustered Atrium SSO Server.
   b. Select Add this node to an existing cluster.
   c. Click Next.
9. In the BMC Atrium SSO Cluster Configuration File Information panel, browse to the Disk1 directory where you copied the file, and then click Next.
10. Enter the LDAP port number (8091), LDAP replication port (8092), LDAP administration port (8093), and click Next.
11. Verify that Install New Tomcat is selected and click Next.

Note The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates with BMC Atrium Single Sign-On. BMC recommends that BMC Atrium Single Sign-On be the only application on the Tomcat server.

12. Accept the default Tomcat server HTTP port number (8080), HTTPS port number (8443), and Shutdown port number (8005), or enter different port numbers, and click Next. If any of the port numbers are incorrect, a pop-up menu identifies the incorrect port number and allows you to modify the selection.
13. Review the installation summary and click Install. After the second node has been successfully installed, additional nodes can be added to the cluster by using the file created during the first installation.
14. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the BMC Atrium Single Sign-On URL.
   a. Navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to launch the BMC Atrium SSO Admin Console. The URL to open the BMC Atrium SSO Admin Console is: https://.:/atriumsso/atsso/console/login/Login.html
      For example: https://ssoServer.bmc.com:8443/atriumsso/atsso/console/login/Login.html
   b. When you are prompted that you are connecting to an untrusted connection, add the exception and then continue.

Note Browsers display this warning because you have not yet configured the SSO authentication as a trusted provider.

   c. Confirm that you can view the BMC Atrium Single Sign-On login panel.
   d. Log on with the SSO administrator name (for example, amadmin) and password. The BMC Atrium SSO Admin Console appears.
15. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the SSO load balancer. For example: https://ssoloadbalancer.bmc.com:8443/atriumsso The BMC Atrium SSO login screen appears. After you log on, your SSO servers appear in the HA Nodes List.

16. (Optional) Create an administrative user account for BMC Products to perform search functions on the user store (for example, to list user names and emails). If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BMCSearchAdmins group to the new user account. If you are using an external system for authentication (such as AR System, LDAP, or Active Directory), assign the BmcSearchAdmins group to either an already existing user account or a new user account.

Where to go from here

To install the AR System server, see Installing or upgrading AR System server.
To secure certificates with an external CA, see Managing keystores with a keytool utility (see page 239).
To configure authentication, see Configuring after installation. For a specific authentication method, see the specific method. For example, for LDAP or Active Directory, see Using LDAP (Active Directory) for authentication.

6.5.7 Installing the first node for an HA cluster on an external Tomcat server

The following provides information and instructions for installing the first node for an HA cluster on an external Tomcat.
Before you begin (see page 68)
To install BMC Atrium Single Sign-On on the first node for an external Tomcat (see page 68)
Where to go from here (see page 69)

Before you begin Before installing BMC Atrium Single Sign-On on the first node for an external Tomcat, make sure you have performed the tasks in Prerequisites for installation (see page 42) and the Before you begin section on Installing BMC Atrium Single Sign-On on an external Tomcat server (see page ).

To install BMC Atrium Single Sign-On on the first node for an external Tomcat

1. Run the installation program, autorun. If autorun does not automatically launch the appropriate file, launch the setup executable located in the Disk1 directory of the extracted files. This script automatically detects the appropriate subscript to execute.
   (Microsoft Windows) Run setup.cmd
   (UNIX) Run setup.sh
2. Accept the default destination directory, or browse to select a different directory, and click Next.
3. Enter the hostname if the provided name is incorrect and click Next.
4. Select Clustered Atrium SSO Server.
5. Select New Cluster Installation (First node), and click Next.
6. Enter a file name and location for storing the cluster configuration information and click Next. This cluster configuration file is needed when subsequent nodes are added to the cluster.

Important This file contains sensitive information.

7. Enter the LDAP port and LDAP replication port, and click Next.
8. Enter the load balancer URL and click Next.
9. Click Use External Tomcat and click Next.

Note The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates with BMC Atrium Single Sign-On. BMC recommends that BMC Atrium Single Sign-On be the only application in the Tomcat server.

10. Enter the Tomcat server directory at the prompt and click Next.
11. At the Tomcat Application Server Selection panel, enter the path to the Tomcat server. After the path is entered, the installer verifies that:
   The directory has a webapps directory that can be written to.
   The main program, tomcat6.exe, is present (even on UNIX).
   The server.xml file contains a Connector with port and secure defined and scheme set to https. The installer parses important information from this Connector entry and stores it.
   The installer deploys the BMC Atrium Single Sign-On web application to the Tomcat server, asking you to start or stop it when necessary.
12. Enter additional information at the prompts. Be prepared with information about:
   JDK directory location
   Tomcat server port
   BMC Atrium Single Sign-On Truststore certificate location and password
   BMC Atrium Single Sign-On Keystore password, alias, and certificate
   BMC Atrium Single Sign-On cookie domain
   BMC Atrium Single Sign-On administrator name and password
   (Windows) You will be asked whether your external Tomcat server is started using scripts or as a Windows service.
13. Stop the Tomcat server.
14. After installation is complete, follow the installer directions to restart the Tomcat server. The Tomcat server can now be used as the BMC Atrium Single Sign-On application server. If you make modifications to the server configuration, be sure to test each change to ensure that the BMC Atrium Single Sign-On application continues to function correctly.
15. Replace the existing certificate with a Certificate Authority (CA) signed identity certificate.
16. Verify that your BMC Atrium Single Sign-On installation was successful:
   a. Launch the administrator console.
   b. Confirm that you can view the BMC Atrium Single Sign-On login panel.
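Step 11 above says the installer accepts an external Tomcat only if server.xml contains a Connector with port and secure defined and scheme set to https, and that it parses and stores information from that entry. The following is an added example, not the BMC installer's or Tomcat's code, that performs the same test on a server.xml and adds two checks a reviewer would want before trusting the result: that secure is actually "true" (the installer only requires it to be defined) and that the connector carries SSLEnabled="true", which Tomcat 6 and later need for an HTTPS connector. The server.xml text is a constructed sample.

```python
"""Reproduce the installer's server.xml Connector check and extract the values
it stores. Added example; the XML below is a constructed sample."""
import xml.etree.ElementTree as ET

CONSTRUCTED_SERVER_XML = """\
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/keystore.p12" keystorePass="changeit" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""


def https_connectors(server_xml_text):
    """Return the attribute dicts of every Connector that satisfies the
    installer's rule: scheme="https" with both port and secure defined."""
    root = ET.fromstring(server_xml_text)
    return [dict(c.attrib) for c in root.iter("Connector")
            if c.get("scheme") == "https"
            and c.get("port") is not None
            and c.get("secure") is not None]


def parse_connector_info(server_xml_text):
    """Pull out the values the installer keeps from the Server element and the
    first qualifying HTTPS Connector. Returns None if no Connector qualifies."""
    root = ET.fromstring(server_xml_text)
    conns = https_connectors(server_xml_text)
    if not conns:
        return None
    c = conns[0]
    shutdown = root.get("port")
    return {
        "shutdown_port": int(shutdown) if shutdown and shutdown.isdigit() else None,
        "https_port": int(c["port"]) if c["port"].isdigit() else None,
        "keystore_file": c.get("keystoreFile"),
    }


def check_server_xml(server_xml_text):
    """Return a list of problems (empty = the installer's check passes and the
    connector is actually usable for TLS)."""
    problems = []
    conns = https_connectors(server_xml_text)
    if not conns:
        problems.append('no Connector with scheme="https" and both port and secure defined')
        return problems
    for c in conns:
        # The installer only requires "secure" to be defined; Tomcat only treats
        # requests as secure when the value is "true".
        if c["secure"].lower() != "true":
            problems.append(f'Connector on port {c["port"]} has secure="{c["secure"]}"')
        if not c["port"].isdigit() or not 1 <= int(c["port"]) <= 65535:
            problems.append(f'Connector port {c["port"]!r} is not a valid TCP port')
        # Tomcat 6 and later need SSLEnabled="true" on an HTTPS connector.
        if c.get("SSLEnabled", "false").lower() != "true":
            problems.append(f'Connector on port {c["port"]} lacks SSLEnabled="true"')
    return problems


if __name__ == "__main__":
    print(parse_connector_info(CONSTRUCTED_SERVER_XML))
    print(check_server_xml(CONSTRUCTED_SERVER_XML))
```

Note that the qualifying Connector carries the keystore password in clear text (keystorePass in the sample), so the server.xml the installer reads should be readable only by the account that runs Tomcat; the standard library parser is adequate here because the file is local and trusted, whereas XML from an untrusted source would call for a hardened parser.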

Where to go from here Installing additional nodes for an HA cluster on a new Tomcat server (see page 63) or Installing additional nodes for an HA cluster on an external Tomcat server (see page 70)


6.5.8 Installing additional nodes for an HA cluster on an external Tomcat server
The following provides information and instructions for installing additional nodes for an HA cluster on an external Tomcat.
Before you begin (see page 70)
To install BMC Single Sign-On on additional nodes for an external Tomcat (see page 70)
Where to go from here (see page 71)

Before you begin
Before installing BMC Atrium Single Sign-On on the first node for an external Tomcat, make sure you have performed the tasks in Prerequisites for installation (see page 42) and Before you begin in Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 73). Ensure that the first node and all the additional nodes are running in the HA cluster.

To install BMC Single Sign-On on additional nodes for an external Tomcat
During subsequent node installations, previously installed nodes must be available so that the newly added node can fully integrate into the cluster.
1. Ensure that all nodes are up and available.
2. Copy the cluster configuration file (created during the first node's installation) to the local file system prior to installing BMC Atrium Single Sign-On on the node.
3. Run the installation program, autorun. If autorun does not automatically launch the appropriate file, launch the setup executable located in the Disk1 directory of the extracted files. This script automatically detects the appropriate subscript to execute.
- (Microsoft Windows) Run setup.cmd
- (UNIX) Run setup.sh
4. Accept the default destination directory, or browse to select a different directory, and click Next.
5. Enter the host name if the provided name is incorrect and click Next.
6. Select Clustered Atrium SSO Server.
7. Select Add this node to an existing cluster.
8. Enter the location of the cluster configuration file and click Next.
9. Enter the LDAP port and LDAP replication port, and click Next.
10. Click Use External Tomcat and click Next. The Tomcat server options are:
- Install New Tomcat (default)
- Use External Tomcat

Note The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates with BMC Atrium Single Sign-On. BMC recommends that BMC Atrium Single Sign-On be the only application in the Tomcat server.

11. Enter the Tomcat server directory at the prompt and click Next.
12. At the Tomcat Application Server Selection panel, enter the path to the Tomcat server. After the path is entered, the installer verifies that:
- The directory has a webapps directory that can be written to.
- The main program, tomcat6.exe, is present (even on UNIX).
- The server.xml file contains a Connector with port and secure defined, with scheme set to https. The installer parses important information from this Connector entry and stores it.
The installer deploys the BMC Atrium Single Sign-On web application to the Tomcat server, asking that you start or stop it when necessary.
13. Enter additional information at the prompts. Be prepared with information about:
- JDK directory location
- Tomcat server port
- BMC Atrium Single Sign-On Truststore certificate location and password
- BMC Atrium Single Sign-On Keystore password, alias, and certificate
(Windows) You will be asked whether your external Tomcat is started using scripts or as a Windows service.
14. Stop the Tomcat server.
15. After installation is complete, follow the installer directions to restart the Tomcat server. The Tomcat server can now be used as the BMC Atrium Single Sign-On application server. If you make modifications to the server configuration, be sure to test each change to ensure that the BMC Atrium Single Sign-On application continues to function correctly.
16. Replace the existing certificate with a Certificate Authority (CA) signed identity certificate.
17. Verify that your BMC Atrium Single Sign-On installation was successful:
a. Launch the administrator console.
b. Confirm that you can view the BMC Atrium Single Sign-On login panel.

Where to go from here
To install the AR System server, see Installing or upgrading AR System server.
To secure certificates with an external CA, see Managing keystores with a keytool utility (see page 239).
To configure authentication, see Configuring after installation. For a specific authentication method, see the specific method. For example, for LDAP or Active Directory, see Using LDAP (Active Directory) for authentication.


6.6 Installing BMC Atrium Single Sign-On on an external Tomcat server
This section explains how to install BMC Atrium Single Sign-On on an external Tomcat server. This installation option allows the BMC Atrium Single Sign-On server to be installed using versions of Tomcat and Java VM that are different from those provided by the standalone installation option. Using this option allows greater flexibility in choosing the Tomcat server and Java Virtual Machine (JVM), but at the expense of adding administration of the Tomcat server and JVM. In addition, correct version selection must also be performed to avoid incompatibilities. Due to these added responsibilities, BMC recommends that this option be performed only when the default selections are not sufficient.


Before you begin (see page 73) To install BMC Atrium Single Sign-On on an external Tomcat server (see page 73) Where to go from here (see page 74)

6.6.1 Before you begin
Before installation, make sure you have performed the tasks in Prerequisites for installation (see page 42).
- Verify that no other product or application is installed on your Tomcat server. Note: The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates with BMC Atrium Single Sign-On. BMC recommends that BMC Atrium Single Sign-On be the only application in the Tomcat server.
- Modify the external Tomcat policy file. See Policy file additions for external Tomcat installations (see page 75).
- Configure the JVM that will run the Tomcat server. See Configuring a JVM for the Tomcat Server (see page 77).
- Modify the Tomcat server hosting the BMC Atrium Single Sign-On application to define an HTTPS connection with an explicit truststore and explicit keystore declaration. See Setting an HTTPS connection (see page 78).
- Add JVM initialization parameters to the JVM that is running the external Tomcat. See JVM parameter additions for external Tomcat installations (see page 76).
- If you plan to enable FIPS, perform the tasks in Configuring an external Tomcat instance for FIPS-140 (see page 76) and the FIPS-140 preparation steps in Configuring FIPS-140 mode (see page 251).

6.6.2 To install BMC Atrium Single Sign-On on an external Tomcat server
1. If autorun does not automatically launch the appropriate file, launch the setup executable. The setup executable is located in the Disk1 directory of the extracted files:
- (Microsoft Windows) Run setup.cmd.
- (UNIX) Run setup.sh (which automatically detects the appropriate subscript to execute).
2. Accept the default destination directory or browse to select a different directory and click Next.
3. Verify that the hostname presented is the Fully Qualified Domain Name (FQDN) for the host, correct the value as needed, and click Next.
4. Click Use External Tomcat. The Tomcat server options are:
- Install New Tomcat (default)
- Use External Tomcat
5. At the prompt, enter the Tomcat directory (or use the browse button to specify the Tomcat directory) and click Next.
6. At the Tomcat Application Server Selection panel, enter the path to the Tomcat server. After clicking Next, the installer verifies that:
- The directory has a webapps directory that can be written to.
- The main program, tomcat6.exe, is present (even on UNIX).
- The server.xml file contains a Connector with port and secure defined and with scheme set to https. The installer parses important information from this Connector entry and stores it.
As the installer deploys the BMC Atrium Single Sign-On web application to the Tomcat server, it will ask that you start or stop it when necessary.
7. (Windows) You will be asked whether your external Tomcat server is started by using scripts or as a Windows service. If the Tomcat server is started as a Windows service, enter the name of this service.
8. Enter additional information at the prompts. Be prepared with information about:
- JDK directory location
- Tomcat HTTPS server port
- Tomcat truststore certificate location and password
- Tomcat keystore password, alias, and certificate
- Tomcat cookie domain
- Tomcat administrator name and password
9. Stop the Tomcat server.
10. During installation, follow the installer directions to restart the Tomcat server.
11. Verify that your BMC Atrium Single Sign-On installation was successful:
a. Launch the BMC Atrium Single Sign-On administrator console and confirm that you can view the BMC Atrium SSO Admin Console.
The Tomcat server can now be used as the BMC Atrium Single Sign-On application server. If you make modifications to the server configuration, be sure to test each change to ensure that the BMC Atrium Single Sign-On application functions correctly.
12. (Optional) Create an administrative user account for BMC Products to perform search functions on the user data store (for example, to list user names, emails, and so on).

Note If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BMCSearchAdmins group to the new user account.

13. If you are using an external system for authentication (such as AR System, LDAP, or Active Directory), assign the BmcSearchAdmins group to either an already existing user account or a new user account.

6.6.3 Where to go from here
To install the AR System server, see Installing AR System server (with BMC Atrium Single Sign-On).
To install BMC Atrium Single Sign-On server in silent mode, see Installing silently (see page 112).
To secure certificates with an external CA, see Managing keystores with a keytool utility (see page 239).
To configure authentication, see Configuring after installation. For a specific authentication method, see the specific method. For example, for LDAP or Active Directory, see Using LDAP (Active Directory) for authentication.


6.6.4 Policy file additions for external Tomcat installations If you plan on installing BMC Atrium Single Sign-On on an external Tomcat, the Tomcat policy file, catalina.policy, must be modified. The policy file is located at /tomcat/conf. To configure the policy file for external Tomcat installations, add the following lines to the Tomcat policy file:

//
// AtriumSSO additions for tomcat 6/7
//
grant {
  permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
  permission java.util.PropertyPermission "*", "read, write";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission java.lang.RuntimePermission "setFactory";
  permission java.lang.RuntimePermission "accessClassInPackage.*";
  permission java.util.logging.LoggingPermission "control";
  permission java.lang.RuntimePermission "shutdownHooks";
  permission javax.security.auth.AuthPermission "getLoginConfiguration";
  permission javax.security.auth.AuthPermission "setLoginConfiguration";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext.*";
  permission java.io.FilePermission "", "read, write, execute, delete";
  permission java.util.PropertyPermission "java.util.logging.config.class", "write";
  permission java.security.SecurityPermission "removeProvider.SUN";
  permission java.security.SecurityPermission "insertProvider.SUN";
  permission javax.security.auth.AuthPermission "doAs";
  permission java.util.PropertyPermission "java.security.krb5.realm", "write";
  permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
  permission java.util.PropertyPermission "java.security.auth.login.config", "write";
  permission java.util.PropertyPermission "user.language", "write";
  permission javax.security.auth.kerberos.ServicePermission "*", "accept";
  permission javax.net.ssl.SSLPermission "setHostnameVerifier";
  permission java.security.SecurityPermission "putProviderProperty.IAIK";
  permission java.security.SecurityPermission "removeProvider.IAIK";
  permission java.security.SecurityPermission "insertProvider.IAIK";
  permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
  permission javax.management.MBeanServerPermission "newMBeanServer";
  permission javax.management.MBeanPermission "*", "registerMBean";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission javax.security.auth.AuthPermission "getSubject";
  permission javax.management.MBeanTrustPermission "register";
  permission javax.management.MBeanPermission "*", "*";
  permission java.lang.management.ManagementPermission "monitor";
  permission javax.management.MBeanServerPermission "createMBeanServer";
  permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
  permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
  permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
  permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
  permission java.net.NetPermission "getProxySelector";
  permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
  permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
  permission javax.security.auth.AuthPermission "doAsPrivileged";
  permission javax.security.auth.AuthPermission "modifyPublicCredentials";
  permission java.security.SecurityPermission "insertProvider.XMLDSig";
  permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
  permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
  permission java.security.SecurityPermission "getProperty.ocsp.*";
};
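The grants above are broad: several use a wildcard target ("*", or a name ending in ".*"), and a few, such as ReflectPermission "suppressAccessChecks" and RuntimePermission "createClassLoader", effectively switch off the Java sandbox for the application. Because the policy file is edited by hand on an external Tomcat, an administrator should know which entries they have just granted. The following Python script is an added example, not part of the BMC documentation or product: it parses a grant block written in the catalina.policy syntax and lists the entries that deserve review. The sample policy text is constructed for the example (a subset of the entries on this page plus two narrow entries for contrast); its FilePermission target uses the standard Java wildcard token <<ALL FILES>>, and the HIGH_IMPACT table is the example author's own selection of permission names from the JDK documentation.

```python
import re

# Constructed sample in catalina.policy grant syntax (not BMC's file).
SAMPLE_POLICY = """\
// constructed sample
grant {
  permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
  permission java.util.PropertyPermission "*", "read, write";
  permission java.lang.RuntimePermission "shutdownHooks";
  permission java.lang.RuntimePermission "accessClassInPackage.*";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.io.FilePermission "<<ALL FILES>>", "read, write, execute, delete";
  permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
  permission javax.management.MBeanPermission "*" , "*" ;
};
"""

# One permission statement: class, quoted target, optional quoted actions, semicolon.
PERMISSION_RE = re.compile(
    r'permission\s+([\w.]+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')

# Targets that match everything. "<<ALL FILES>>" is the FilePermission wildcard.
WILDCARD_TARGETS = {"*", "<<ALL FILES>>", ""}

# Example author's selection of grants that defeat the sandbox on their own.
HIGH_IMPACT = {
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks"):
        "lets reflection bypass Java access checks",
    ("java.lang.RuntimePermission", "createClassLoader"):
        "lets the application define arbitrary classes",
    ("java.lang.RuntimePermission", "setSecurityManager"):
        "lets the application replace or remove the security manager",
}


def parse_grants(text):
    """Return [(permission_class, target, actions)] for every statement in text.
    Actions are normalised by removing spaces; a missing action list becomes ''."""
    return [(cls, target, actions.replace(" ", ""))
            for cls, target, actions in PERMISSION_RE.findall(text)]


def audit(text):
    """Return [(permission_class, target, actions, reasons)] for entries to review."""
    findings = []
    for cls, target, actions in parse_grants(text):
        reasons = []
        if target in WILDCARD_TARGETS or target.endswith(".*"):
            reasons.append("wildcard target")
        if actions == "*":
            reasons.append("wildcard actions")
        if (cls, target) in HIGH_IMPACT:
            reasons.append(HIGH_IMPACT[(cls, target)])
        if reasons:
            findings.append((cls, target, actions, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for cls, target, actions, reasons in audit(SAMPLE_POLICY):
        print(f'{cls} "{target}" "{actions}": {reasons}')
```

Run it against the real conf/catalina.policy after applying the additions above to get the same list for the production file; entries that are not flagged are scoped to one property, one provider or one named runtime action and need no further attention.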

6.6.5 JVM parameter additions for external Tomcat installations The following initialization parameters must be specified for the JVM that is running an external Tomcat. If Tomcat is controlled via scripts, these JVM parameters can be included in a script file: (Microsoft Windows) setenv.bat (UNIX) setenv.sh When Tomcat is installed as a Windows Service, include these values in the wrapper. When the wrapper is a supplied Apache wrapper (via Tomcat6w.exe or Tomcat7w.exe), the JVM additions are added to the Java tab.

-Dcom.sun.identity.configuration.directory=\webapps\atriumsso\WEB-INF\config -XX:PermSize=64m -XX:MaxPermSize=256m -Dcom.sun.identity.session.connectionfactory.provider=com.bmc.atrium.sso.opensso.extensions.ha.ConnectionFactoryProvi

Note and are the full path and name to the truststore and keystore that were created by the user for use by the Tomcat server.

6.6.6 Configuring an external Tomcat instance for FIPS-140
The Federal Information Processing Standard (FIPS-140) is a set of standards, for example data encoding and encryption standards, for use in computer systems by all non-military government agencies and government contractors. For information about FIPS-140, see Configuring FIPS-140 mode (see page 251).

To configure an external Tomcat instance for FIPS-140
If you plan to enable FIPS-140 and are installing to an external Tomcat server, perform these steps:
1. Configure the Tomcat server for auto-deployment of .war files.
2. Use the same keystore for both non-FIPS and FIPS versions of your server.xml file.
3. Perform the following modifications to the server.xml file for non-FIPS and FIPS versions:
a. Duplicate the original file to create a FIPS version (named server.xml.fips) and non-FIPS version (named server.xml.nofips).
b. In the new FIPS version of the file, use the following ciphers attributes to force a higher level of encryption (or use your own values):

ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

c. Add the XML comment to tag the file as FIPS-140:
4. Perform the following modifications to the java.security file for non-FIPS and FIPS versions:
a. Duplicate the original file, creating java.security.nofips and java.security.fips versions.
b. In java.security.fips, make sure that the provider is the first one in the security providers list, with the remaining providers renumbered. For example, the following list places the JsafeJCE provider at the top of the list with a key suffix of 1, while the providers after JsafeJCE are renumbered to follow the first. The com.rsa.cryptoj.jce.kat.strategy and com.rsa.cryptoj.jce.fips140initialmode properties are placed after the security providers list. For those properties, use the exact values shown in the following example:

security.provider.1=com.rsa.jsafe.provider.JsafeJCE
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.10=sun.security.mscapi.SunMSCAPI
com.rsa.cryptoj.jce.kat.strategy=on.load
com.rsa.cryptoj.jce.fips140initialmode=FIPS140_SSL_MODE

6.6.7 Configuring a JVM for the Tomcat Server
To configure a JVM that will run the Tomcat server, perform the following steps. The location of the JVM is always determined by the administrator who configures the Tomcat server. Ensure that the JAVA_HOME and PATH environment variables are set.

To configure a JVM for the Tomcat server
1. Install the cryptography library (cryptoj.jar) in the following location:
- (Microsoft Windows) jdkDirectory\jre\lib\ext
- (UNIX) jdkDirectory/jre/lib/ext
BMC Atrium Single Sign-On uses the RSA CryptoJ library (cryptoj.jar) for cryptographic functions. The RSA CryptoJ library can be acquired from Support or through another BMC Atrium Single Sign-On installation (using Tomcat/JVM).
2. Perform the following modifications to the java.security file. Add a new line to the end of the providers' definition list, and ensure that the provider is sequentially numbered.
security.provider.x=com.rsa.jsafe.provider.JsafeJCE

x specifies the order in which the security providers will be searched. The java.security file can be found at:

(Microsoft Windows) jdkDirectory\jre\lib\security (UNIX) jdkDirectory/jre/lib/security

Note The RSA provider can be the last provider in the security providers list, except when BMC Atrium Single Sign-On is running in FIPS mode. For this configuration, the RSA provider must be first, with the remaining ones renumbered.
security.provider.1=com.rsa.jsafe.provider.JsafeJCE
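Step 4b of 6.6.6 and step 2 of 6.6.7 both edit the providers list in java.security by hand, and a mistake there (a duplicate number, a gap, JsafeJCE not first in FIPS mode, a missing CryptoJ property) only surfaces when the JVM starts. The following Python script is an added example, not part of the BMC documentation or product: it rewrites the providers list the way both passages describe (JsafeJCE last for a non-FIPS JVM, first with everything renumbered and the two CryptoJ properties appended for FIPS mode) and checks an existing file against that layout. The sample java.security content is constructed for the example; the provider class name and the two property values are the ones this page gives.

```python
import re

# Constructed sample of the providers section of java.security (not a real JDK file).
SAMPLE_JAVA_SECURITY = """\
# constructed sample: providers section of java.security
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.mscapi.SunMSCAPI
securerandom.source=file:/dev/urandom
"""

JSAFE = "com.rsa.jsafe.provider.JsafeJCE"
# Values from the page; in FIPS mode they go directly after the providers list.
FIPS_PROPERTIES = {
    "com.rsa.cryptoj.jce.kat.strategy": "on.load",
    "com.rsa.cryptoj.jce.fips140initialmode": "FIPS140_SSL_MODE",
}
PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)\s*=\s*(\S+)\s*$")


def _is_provider(line):
    return PROVIDER_RE.match(line.strip()) is not None


def parse_providers(text):
    """Return [(number, class_name), ...] sorted by number; other lines are ignored."""
    found = []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line.strip())
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return sorted(found)


def _properties(text):
    """key -> value for every non-comment, non-provider 'key=value' line."""
    pairs = (ln.split("=", 1) for ln in text.splitlines()
             if "=" in ln and not _is_provider(ln) and not ln.lstrip().startswith("#"))
    return {key.strip(): value.strip() for key, value in pairs}


def rewrite(text, fips):
    """Register JsafeJCE as the page describes and renumber the list 1..N.
    Non-FIPS: JsafeJCE becomes the last provider. FIPS: JsafeJCE becomes
    security.provider.1 and the CryptoJ properties follow the list. Idempotent."""
    lines = text.splitlines()
    first = next((i for i, ln in enumerate(lines) if _is_provider(ln)), len(lines))
    head = lines[:first]
    # keep the remaining non-provider lines, dropping stale copies of the FIPS properties
    tail = [ln for ln in lines[first:]
            if not _is_provider(ln) and ln.split("=", 1)[0].strip() not in FIPS_PROPERTIES]
    classes = [cls for _, cls in parse_providers(text) if cls != JSAFE]
    classes = [JSAFE] + classes if fips else classes + [JSAFE]
    body = [f"security.provider.{n}={cls}" for n, cls in enumerate(classes, start=1)]
    if fips:
        body += [f"{key}={value}" for key, value in FIPS_PROPERTIES.items()]
    return "\n".join(head + body + tail) + "\n"


def check(text, fips):
    """Return the problems found; an empty list means the file matches the documented layout."""
    problems = []
    providers = parse_providers(text)
    numbers = [n for n, _ in providers]
    classes = [cls for _, cls in providers]
    if numbers != list(range(1, len(numbers) + 1)):
        problems.append(f"providers are not numbered 1..{len(numbers)}: {numbers}")
    if JSAFE not in classes:
        problems.append("JsafeJCE provider is not registered")
    elif fips and classes[0] != JSAFE:
        problems.append("FIPS mode requires JsafeJCE to be security.provider.1")
    if fips:
        props = _properties(text)
        for key, value in FIPS_PROPERTIES.items():
            if props.get(key) != value:
                problems.append(f"{key} must be set to {value}")
    return problems


if __name__ == "__main__":
    for mode in (False, True):
        edited = rewrite(SAMPLE_JAVA_SECURITY, fips=mode)
        print(f"--- fips={mode} ---\n{edited}problems: {check(edited, fips=mode)}")
```

Note that check() treats the gap in the page's own illustration (providers 1, 2, 3, then 10) as a problem, because the page asks for sequential numbering; the illustration simply elides the providers in between.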

For more information on configuring JVM for running the Tomcat server, see tomcat-6.0-doc and tomcat-7.0-doc.

6.6.8 Setting an HTTPS connection
To set up an HTTPS connection, the Tomcat server that hosts the BMC Atrium Single Sign-On server must be modified to define an HTTPS connection with an explicit truststore and an explicit keystore. The default Tomcat server used by BMC Atrium Single Sign-On uses a keystore and a truststore for secure (HTTPS, Transport Layer Security) communications. If the Tomcat server does not have a truststore and a keystore, new self-signed certificates must be generated using the keytool. See Managing keystores with a keytool utility (see page 239). The following XML code is an example of the HTTPS connection and is one of the supported configurations. The example shows use of a keystore and truststore of type PKCS12, named keystore.p12 and cacerts.p12, along with the passwords "keystore_password" and "truststore_password" respectively.



Note Switch CATALINA_HOME to the full path of the Tomcat directory. The values provided for CATALINA_HOME need to be adjusted according to the environment.
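The installer checks described in 6.5.7, 6.5.8 and step 6 of 6.6.2 (a writable webapps directory and a Connector in server.xml with port and secure defined and scheme set to https), the explicit keystore and truststore declaration required in this section, and the CATALINA_HOME note above can all be verified before the installer is run. The following Python script is an added example, not part of the BMC documentation or the installer: it parses a server.xml, finds the HTTPS Connector the same way, reports a Connector whose keystoreFile or truststoreFile still contains the literal CATALINA_HOME, and checks the directory layout. The sample server.xml is constructed for the example using standard Tomcat 6/7 JSSE Connector attributes; the installer's check for tomcat6.exe is not reproduced.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed server.xml (not from BMC or a Tomcat distribution). The HTTPS Connector
# has the shape this section describes, with CATALINA_HOME left unexpanded on purpose.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="CATALINA_HOME/conf/keystore.p12" keystoreType="PKCS12"
               keystorePass="keystore_password"
               truststoreFile="CATALINA_HOME/conf/cacerts.p12" truststoreType="PKCS12"
               truststorePass="truststore_password"/>
  </Service>
</Server>
"""

NO_HTTPS_CONNECTOR = 'no Connector with port, secure="true" and scheme="https"'


def find_https_connector(xml_text):
    """Attributes of the first Connector with a port, secure="true" and scheme="https"
    (the three things the installer parses), or None."""
    root = ET.fromstring(xml_text)
    for connector in root.iter("Connector"):
        attrs = connector.attrib
        if ("port" in attrs
                and attrs.get("secure", "").lower() == "true"
                and attrs.get("scheme", "").lower() == "https"):
            return dict(attrs)
    return None


def check_connector(xml_text):
    """Problems with the HTTPS Connector; an empty list means it matches this section."""
    connector = find_https_connector(xml_text)
    if connector is None:
        return [NO_HTTPS_CONNECTOR]
    problems = []
    # explicit keystore and truststore declaration on the Connector
    for attr in ("keystoreFile", "keystorePass", "truststoreFile", "truststorePass"):
        if attr not in connector:
            problems.append(f"{attr} is not declared explicitly")
    # the note above: CATALINA_HOME must be replaced by the full Tomcat path
    for attr in ("keystoreFile", "truststoreFile"):
        if "CATALINA_HOME" in connector.get(attr, ""):
            problems.append(f"{attr} still contains the CATALINA_HOME placeholder")
    return problems


def check_tomcat_dir(tomcat_dir):
    """Directory checks: writable webapps, and a conf/server.xml that passes check_connector."""
    problems = []
    webapps = os.path.join(tomcat_dir, "webapps")
    if not (os.path.isdir(webapps) and os.access(webapps, os.W_OK)):
        problems.append("webapps directory is missing or not writable")
    server_xml = os.path.join(tomcat_dir, "conf", "server.xml")
    if not os.path.isfile(server_xml):
        problems.append("conf/server.xml not found")
    else:
        with open(server_xml, encoding="utf-8") as fh:
            problems.extend(check_connector(fh.read()))
    return problems


def demo():
    """Lay out a throwaway Tomcat directory holding the sample server.xml with the
    placeholder expanded to the real path, and return the problems found (none)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "webapps"))
        os.makedirs(os.path.join(root, "conf"))
        with open(os.path.join(root, "conf", "server.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_SERVER_XML.replace("CATALINA_HOME", root))
        return check_tomcat_dir(root)


if __name__ == "__main__":
    print("sample as written:", check_connector(SAMPLE_SERVER_XML))
    print("in a temporary Tomcat layout:", demo())
```

Point check_tomcat_dir() at the real Tomcat directory to get the same report for the production server; because the script reads only server.xml, the keystore and truststore passwords it sees are the ones already stored in clear text in that file, and it writes nothing back.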

Related topics Creating new keystores (see page 240) Generating self-signed certificates (see page 249) Generating and importing CA certificates Importing a certificate into the truststore (see page 243)

6.7 Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier This section describes how to perform a BMC Atrium Single Sign-On installation. This topic contains the following information:


Installing video (see page 80) Overview of installation steps (see page 80) Related topics (see page 81)

6.7.1 Installing video Click the following BMC Atrium Single Sign-On 8.1 installation video for more information: Watch video on YouTube at http://www.youtube.com/watch?v=gmSZJnin1WM

6.7.2 Overview of installation steps
In the 8.1 release, you use a single utility — AtriumSSOIntegrationUtility — installed both with the AR System server and the BMC Remedy Mid Tier to integrate with the BMC single sign-on solution. To perform the integration, you first run the utility on the computer where the AR System server is installed, and then you run the utility a second time on the computer where the Mid Tier is installed.
BMC contributors content: For additional information, you can also refer to the following webinar conducted by BMC Support. You can also connect with other users for related discussions on the BMC Community.
Perform the following steps:
1. Installing BMC Atrium Single Sign-On
2. Installing or upgrading AR System server
3. Installing or upgrading BMC Remedy Mid Tier
4. Running the SSOARIntegration utility on the AR System server (see page 88)
5. Reviewing AR server external authentication settings and configuring group mapping (see page 91)
6. Running the SSOMidtierIntegration utility on the Mid Tier (see page 92)
7. Managing the AR System users and groups for authentication (see page 97)
8. Running a health check on the BMC Atrium Single Sign-On installation

Important BMC recommends that you install the BMC Remedy Mid Tier, BMC Remedy AR System server, and BMC Atrium Single Sign-On server on separate computers. However, if you do install more than one BMC Product on the same computer, ensure that the HTTP, HTTPS, and Shutdown port numbers are different.


Note For detailed information on installing and configuring BMC Atrium Service Context, see Setting up BMC Atrium Service Context. As a bare minimum, you must install the Web Services Registry (UDDI), which is required for BMC Atrium Service Context. The Web Services Registry is an option within the BMC Atrium Core installation program.

6.7.3 Related topics Configuring after installation

6.7.4 Installing BMC Atrium Single Sign-On This topic provides instructions for performing a BMC Atrium Single Sign-On standalone installation. In this installation, a Tomcat server and JVM are installed and properly configured for use by the BMC Atrium Single Sign-On server. This installation method is the simplest and easiest to perform since all of the administrative and configuration details are performed by the installation program. Before you begin (see page ) To install BMC Atrium Single Sign-On as a standalone (see page ) Where to go from here (see page )

Before you begin Obtain the zipped BMC Atrium Single Sign-On files from the BMC product package via Electronic Product Download (EPD) or the BMC Atrium Single Sign-On DVD. If there is already an installation of BMC Atrium Single Sign-On on the target computer, the installer will not allow another installation. Uninstall the existing version. Prepare to run the installation program for your operating system. For example, you must update Terminal Services configuration options and configure the DEP feature if you are using Windows. For more information, see Configuring Terminal Services and DEP parameters.  

Note The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product (for example, the AR System server or the BMC Remedy Mid Tier) that integrates with BMC Atrium Single Sign-On. BMC recommends that you install BMC Atrium Single Sign-On on a different computer than the computer where you plan to install a BMC product (for example, the AR System server or the BMC Remedy Mid Tier).


To install BMC Atrium Single Sign-On as a standalone
1. Unzip the BMC Atrium Single Sign-On files.
2. Run the installation program. The setup executable is located in the Disk1 directory of the extracted files.
- (Microsoft Windows) Run setup.cmd.
- (UNIX) Run setup.sh (which automatically detects the appropriate subscript to execute).
3. In the lower right corner of the Welcome panel, click Next.
4. Review the license agreement, click I agree to the terms of license agreement, and then click Next.
5. Accept the default destination directory or browse to select a different directory, and then click Next.
6. In the Host Name Information panel, verify that the hostname presented is the Fully Qualified Domain Name (FQDN) for the host, and then click Next. Correct the value as needed.
7. Choose to install non-clustered or clustered Atrium Single Sign-On Server, and then click Next.
- Non-clustered Atrium Single Sign-On Server – Standalone Single Sign-On Server.
- Clustered Atrium Single Sign-On Server – Implemented as a redundant system with session failover. Clustered install requires at least two nodes. For more information, see Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55).
8. Verify that Install New Tomcat is selected, and then click Next. The Tomcat server options are:
- Install New Tomcat (default)
- Use External Tomcat. See Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72) to install with this option.

Note When installing on Linux servers, you must configure JVM for Tomcat after the installation. For more information about configuring JVM, see Configuring a JVM for the Tomcat Server (see page 77).

9. Accept the default Tomcat HTTP port number (8080), HTTPS port number (8443), and Shutdown port number (8005), or enter different port numbers, and then click Next. If any of the port numbers are incorrect, a panel identifies the incorrect port number and requires you to return to the previous page to correct the values before proceeding with the installation.  

Note When installing on Linux servers, port selections below 1000 require the server to run as root, or use a port forwarding mechanism.

10. Enter a cookie domain, and then click Next. The domain value of the cookie should be the network domain of BMC Atrium Single Sign-On or one of its parent domains. For more information, see Default cookie domain.

Note The higher the level of the selected parent domain, the higher the risk of user impersonation. Top-level domains are not supported (for example, com or com.ca ). You cannot use sibling domains or cross-domains with BMC Atrium Single Sign-On. For example, installing the BMC Atrium Single Sign-On server in the remedy.com domain and the AR System server in the bmc.com domain is not supported. You must move all your computers into the same domain.
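The cookie domain rules in step 10 and its note (the SSO server's own network domain or one of its parents, no top-level domain, no sibling or cross-domain hosts, and a wider parent means a wider audience for the session cookie) can be checked against the planned host names before the installer asks for the value. The following Python script is an added example, not part of the BMC documentation or the installer: it computes the lowest domain shared by the SSO server and the integrated product hosts, applies the rules from the note, and reports how many levels above the SSO server's own domain the chosen value sits. The host names are constructed for the example; a top-level domain is approximated as a single label, so multi-label public suffixes such as co.uk would need the public suffix list, which the script does not include.

```python
# Constructed host names; they do not describe a real deployment.
SSO_HOST = "sso.eng.example.com"
PRODUCT_HOSTS = ["arserver.it.example.com", "midtier.it.example.com"]


def labels(name):
    """Split a host or domain name into labels, ignoring case and a trailing dot."""
    return name.lower().strip(".").split(".")


def is_parent_of(domain, name):
    """True when domain equals name or is a parent of it on a label boundary."""
    d, n = labels(domain), labels(name)
    return len(d) <= len(n) and n[-len(d):] == d


def common_parent_domain(hosts):
    """Longest domain suffix shared by all hosts ('' if none): the lowest cookie
    domain under which every listed host receives the SSO cookie."""
    reversed_labels = [list(reversed(labels(h))) for h in hosts]
    shared = []
    for column in zip(*reversed_labels):
        if len(set(column)) != 1:
            break
        shared.append(column[0])
    return ".".join(reversed(shared))


def levels_above_sso_domain(domain, sso_host):
    """0 when the cookie is scoped to the SSO server's own network domain; each
    extra level widens the set of hosts that receive the cookie, which is the
    impersonation risk the note describes."""
    return len(labels(sso_host)) - 1 - len(labels(domain))


def check_cookie_domain(domain, sso_host, product_hosts):
    """Apply the rules from step 10 and its note; an empty list means the value is usable.
    A top-level domain is approximated as a single label (see the lead-in)."""
    problems = []
    if len(labels(domain)) < 2:
        problems.append(f"{domain} is a top-level domain, which is not supported")
    sso_domain = ".".join(labels(sso_host)[1:])
    if not is_parent_of(domain, sso_domain):
        problems.append(f"{domain} is not the SSO server's domain ({sso_domain}) or a parent of it")
    for host in product_hosts:
        if not is_parent_of(domain, host):
            problems.append(f"{host} is in a sibling domain; cross-domain SSO is not supported")
    return problems


if __name__ == "__main__":
    candidate = common_parent_domain([SSO_HOST] + PRODUCT_HOSTS)
    print("lowest common parent domain:", candidate)
    print("levels above the SSO domain:", levels_above_sso_domain(candidate, SSO_HOST))
    print("problems:", check_cookie_domain(candidate, SSO_HOST, PRODUCT_HOSTS))
```

The lowest common parent is the value to prefer: anything higher only adds hosts that can receive the cookie without adding any that need it. When common_parent_domain() returns a single label, the hosts are in sibling domains and, as the note says, must be moved into one domain before the cookie domain can be chosen.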

11. Enter a strong administrator password (at least 8 characters long), confirm the password, and then click Next. The default SSO administrator name is amadmin.

Note Passwords with special characters must be specified in quotes.

For more information, see Administrator password.
12. Review the installation summary and click Install.
13. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the BMC Atrium Single Sign-On URL.
a. Navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to launch the BMC Atrium SSO Admin Console. The URL to open the BMC Atrium SSO Admin Console is: https://.:/atriumsso For example, https://ssoserver.bmc.com:8443/atriumsso
b. When you are prompted that you are connecting to an insecure or untrusted connection, add the exception and then continue. Note: Browsers display this warning because you have not yet configured the SSO authentication as a trusted provider.
c. Confirm that you can view the BMC Atrium SSO logon panel.
d. Log on with the SSO administrator name (for example, amadmin) and password. The BMC Atrium SSO Admin Console appears.

14. (Optional) Create an administrative user account for BMC Products to perform search functions on the user store (for example, to list user names and emails). If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BMCSearchAdmins group to the new user account. If you are using an external system for authentication (such as AR System, LDAP, or Active Directory), assign the BmcSearchAdmins group to either an already existing user account or a new user account.

Where to go from here Installing or upgrading AR System server To secure certificates with an external CA, see Managing keystores with a keytool utility (see page 239). To configure authentication, see Configuring after installation. For a specific authentication method, see the specific method. For example, for LDAP or Active Directory, see Using LDAP (Active Directory) for authentication.

6.7.5 Installing or upgrading AR System server You must install or upgrade the AR System server to version 8.1 as part of the BMC Atrium Single Sign-On configuration.


Recommendation

When you are installing BMC Remedy AR System, BMC recommends: To avoid configuration problems, accept the default values displayed in the installer unless you have a valid reason to modify them. To reduce installation time significantly, do not install the products over the wide area network (WAN). Install BMC Remedy Mid Tier on a separate computer from the AR System server.

Before you begin Install the SSO server. Prepare to run the AR System installer for your operating system. For example, you must update Terminal Services configuration options and configure the DEP feature if you are using Windows. For more information, see Preparing the Windows environment. Make sure that 32-bit or 64-bit JRE is installed. Review the planning spreadsheet for AR System installations.

To install or upgrade the BMC Remedy AR System server
1. Download the AR System installer, or navigate to the installation directory on the CD.
2. Unzip the suite installer (ARSuiteKitWindows.zip).
3. Navigate to the Disk 1 folder.
4. Start the installer. For Windows, run setup.cmd. For UNIX, log in as root and run setup.sh.
5. In the lower right corner of the Welcome panel, click Next.
6. Review the license agreement, click I agree to the terms of license agreement, and then click Next.
7. On the Products selection panel, perform the following actions:
a. Select Install.
b. Select AR System Server.
c. Navigate to the directory in which you want to install the BMC Remedy AR System application. The default location is C:\Program Files\BMC Software\ARSystem.
d. Click Next. The installer validates the system resources of your computer and displays a list of available features.
8. Create an AR System administrator user with a strong login name and password to use with Atrium Single Sign-On.

BMC Atrium Single Sign-On 8.1

Page 85 of 389

8. BMC Software Confidential

Home

Note To correctly configure Atrium Single Sign-On, the AR System administrator user requires a password. You cannot use the default installed Demo user with no password.

9. Enter the values from the planning spreadsheet for the features that you want to install. After you have entered the required information, the installer validates your input, and then the Installation Preview panel appears, listing the product and product features that will be installed.

Note
Run Sanity Check is selected by default. BMC recommends that you run the additional validation tests of your installation.

10. Click Next. The installer installs the AR System features you have selected. After post-installation cleanup, a summary of the installation appears.
11. Click View Log to review the SEVERE error messages or warnings in the product installer log. See whether errors are due to network, host, or other environment-related issues. You can view a log file of the installation: C:\Users\Administrator\AppData\Local\Temp\arsystem_install_log.txt
12. Close the log when you finish.
13. Click Done to exit the AR System installer.

Where to go from here
Installing or upgrading BMC Remedy Mid Tier

Related topics
For detailed information on installing the AR System, see:
- Completing the planning spreadsheet
- Performing a new installation

6.7.6 Installing or upgrading BMC Remedy Mid Tier
You must install or upgrade the BMC Remedy Mid Tier to version 8.1 as part of the BMC Single Sign-On configuration.

Recommendation
When you are installing BMC Remedy AR System, BMC recommends:
- To avoid configuration problems, accept the default values displayed in the installer unless you have a valid reason to modify them.
- To reduce installation time significantly, do not install the products over the wide area network (WAN).
- Install BMC Remedy Mid Tier on a separate computer from the AR System server.
- Do not install BMC Atrium Single Sign-On and BMC Remedy Mid Tier on the same computer. They must use different Tomcat instances: if the Mid Tier computer needs to be restarted, BMC Atrium Single Sign-On goes down during the restart and every other application that depends on it becomes unavailable.

Before you begin
- Install the BMC Single Sign-On server.
- Prepare to run the AR System installer for your operating system. For example, you must update Terminal Services configuration options and configure the DEP feature if you are using Windows. For more information, see Preparing the Windows environment.
- Install the 32-bit or 64-bit JRE and JDK 1.6.0_23 or higher. Set the JAVA_HOME and JRE_HOME environment variables. For Solaris, JDK7 has a different folder structure than JDK6. For example, set the JDK7 JAVA_HOME to /data1/software/jdk1.7.0_05/bin/sparcv9/.
- Review the planning worksheet for AR System installations.

To install or upgrade the BMC Remedy Mid Tier
1. Download the AR System installer, or navigate to the installation directory on the CD.
2. Unzip the suite installer (ARSuiteKitWindows.zip).
3. Navigate to the Disk 1 folder.
4. Start the installer. For Windows, run setup.cmd. For UNIX, log in as root and run setup.sh.
5. In the lower right corner of the Welcome panel, click Next.
6. Review the license agreement, click I agree to the terms of license agreement, and then click Next.
7. On the Products selection panel, perform the following actions:
   a. Select Install.
   b. Select AR System Mid-Tier.
   c. Navigate to the directory in which you want to install the BMC Remedy AR System application. The default location is C:\Program Files\BMC Software\ARSystem.
   d. Click Next. The installer validates the system resources of your computer and displays a list of available features.
8. In the AR System Server List panel, perform the following actions:
   a. Enter the fully qualified domain names of the AR System servers.
   b. Enter the remaining values.
   c. Click Next.
9. Enter the values from the planning worksheets for the features that you want to install. After you have entered the required information, the installer validates your input, and then the Installation Preview panel appears, listing the product and product features that will be installed.

Note
Run Sanity Check is selected by default. BMC recommends that you run the additional validation tests of your installation.

10. Click Next. The installer installs the AR System features you have selected. After post-installation cleanup, a summary of the installation appears.
11. Click View Log to review the SEVERE error messages or warnings in the product installer log. See whether errors are due to network, host, or other environment-related issues. You can view a log file of the installation: C:\Users\Administrator\AppData\Local\Temp\arsystem_install_log.txt
12. Close the log when you finish.
13. Click Done to exit the AR System installer.

Where to go from here
Configuring the BMC Atrium Single Sign-On server for AR System (see page 86)

Related topics
For detailed information on installing the AR System, see:
- Completing the planning spreadsheet
- Performing a new installation

6.7.7 Running the SSOARIntegration utility on the AR System server
Performing the Single Sign-On integration with the AR System server and the BMC Remedy Mid Tier is a two-step sequence:
1. Run the SSOARIntegration utility on the computer where the AR System server is installed (this procedure).
2. Run the SSOMidtierIntegration utility on the computer where the Mid Tier is installed (see page 92).


Before you begin
- Make sure that Oracle JRE 1.6.0_23 or higher is installed on the AR System server.
- If you have enabled the FIPS-140 mode (see page 251) in BMC Atrium SSO, you must add the -Datsso.sdk.in.fips140.mode=true parameter to the armonitor.conf file on the server where BMC Remedy AR System is installed. For the steps, see Enabling FIPS support for BMC Atrium SSO.

To run the SSOARIntegration utility to integrate Single Sign-On and the AR System server
1. On the computer where the AR System server is installed, navigate to the \artools\AtriumSSOIntegrationUtility directory. For example, navigate to C:\Program Files\BMC Software\ARSystem\artools\AtriumSSOIntegrationUtility.
2. Open the arintegration.txt file and update the parameters for your environment. For example, you can enter the supported container types such as Tomcat 6, JBOSS v4, and so on.

Tip
When you are using a BMC Atrium SSO load balancer, you must add the load balancer URL in the --atrium-sso-url parameter instead of adding the server URL.

#AR Server Name, Provide the AR server name.
--ar-server-name=arsystemserver.bmc.com
#AR Server User, Provide the AR server user.
--ar-server-user=Demo
#AR Server Password, Provide the AR server password.
--ar-server-password=Demo
#AR Server Port, Provide the AR server port.
--ar-server-port=0
#Atrium SSO URL, Provide the Atrium SSO URL
#and make sure the server name is
#provided with fully qualified domain name
#and port is also provided in the URL.
--atrium-sso-url=https://ssoserver.bmc.com:8443/atriumsso
#Atrium SSO Admin Name
--admin-name=amadmin
#Atrium SSO Password
--admin-pwd=ssoadminpassword
#TrustStore Path, Path to the truststore directory.
#This is an optional parameter.
#Remove # to uncomment and use the below property.
#--truststore=truststorepath | Optional parameter.
#TrustStore Password. This is an optional parameter.
#Remove # to uncomment and use the below property.
#--truststore-password=truststorepassword | Optional parameter.
#force option, It accepts values as "Yes" or "No" where default is "No".
#If "Yes" is provided then utility will not wait
#for user to shutdown the webserver, if not shutdown already.
#This is true in case, where webserver is other than tomcat or jboss.
#Remove # to uncomment and use the below property.
#--force=

Note
- Blank passwords are not supported. Your AR System server user must have a password before you run this utility.
- Fully qualified domain names for the AR System server and Atrium SSO URL parameters are required.
- The --truststore=truststorepath and --truststore-password=truststorepassword parameters are optional when integrating Single Sign-On and the AR System server. The TrustStore Path is the local Java truststore path, and the value provides the path of the certificate. This value is added automatically by the SSOARIntegration utility using the local Java truststore.
- The --force=Yes or No parameter is optional. If you pass this input, you are not prompted for any manual inputs to restart the AR System server, and the server is started automatically. Otherwise, you are prompted to restart the AR System server.
- Review the optional inputs carefully for your environment.

3. Open a command window and navigate to the \artools\AtriumSSOIntegrationUtility directory.
4. Enter the following command:

java -jar SSOARIntegration.jar --inputfile arintegration.txt

5. When prompted by the utility, restart the AR System server.
6. Review the AR server external authentication settings and group mapping (see page 91) and restart the AR System server.
7. When execution is successfully completed, run the SSOMidtierIntegration utility on the Mid Tier (see page 92).

Info
To troubleshoot installation failures, or for information about log files or configurations performed by the SSOMidtierIntegration utility, see Troubleshooting AR System server and Mid Tier integrations.

Where to go from here
- Reviewing AR server external authentication settings and configuring group mapping (see page 91)
- Running the SSOMidtierIntegration utility on the Mid Tier (see page 92)

6.7.8 Reviewing AR server external authentication settings and configuring group mapping
Before you can properly configure BMC Atrium Single Sign-On, you must configure group mapping for external authentication in the BMC Remedy AR System server.
- Before you begin (see page 91)
- To configure external authentication for AR System (see page 91)
- Where to go from here (see page 92)

Before you begin
Make sure that the AREA LDAP plug-in is properly configured.

To configure external authentication for AR System
1. Use a browser to log on to the AR System server (by using the mid tier). For example: http://midTier:8080/arsys
2. Open the AR System Administration Console.
3. Open the Server Information window by selecting System > General > Server Information.
4. Click the EA tab.
5. Verify the following information:
   Field | Value
   External Authentication Server RPC Program Number | 390695
   External Authentication Server Timeout (seconds): RPC | 80
   External Authentication Server Timeout (seconds): Need To Sync | 300 (default)
6. Verify that Authenticate Unregistered Users is selected.
7. Verify that Authentication Chaining Mode is set to ARS-AREA.
8. Set the Group Mapping. For example, you can map the Atrium Single Sign-On group BmcAdmins to the AR group Administrator.
9. Click OK.

Where to go from here
Running the SSOMidtierIntegration utility on the Mid Tier (see page 92)

6.7.9 Running the SSOMidtierIntegration utility on the Mid Tier
After you have run the SSOARIntegration utility on the computer where the AR System server is installed, you must run the SSOMidtierIntegration utility on the computer where the Mid Tier is installed.


Note
When BMC Remedy Mid Tier is deployed in a cluster environment, you must run the SSOMidtierIntegration utility on all the computers where the Mid Tier is installed.

This topic contains the following information:
- Before you begin (see page 93)
- To run the SSOMidtierIntegration utility to integrate Single Sign-On and the Mid Tier (see page 93)
- Reverse proxy URLs (see page 97)

Before you begin
- Make sure that Oracle JRE 1.6.0_23 or higher is installed.
- Perform the BMC Atrium Single Sign-On and AR System server integration (see page 88).
- If the Mid Tier web server is not Tomcat or JBoss, verify the Mid Tier URL before passing it as an input; you cannot verify it later when the web server is shut down.

To run the SSOMidtierIntegration utility to integrate Single Sign-On and the Mid Tier
1. On the computer where the Mid Tier is installed, navigate to the \AtriumSSOIntegrationUtility directory. For example, navigate to C:\Program Files\BMC Software\ARSystem\midtier\AtriumSSOIntegrationUtility.
2. Open the midtierintegration.txt file and update the parameters for your environment. For example, you can enter the supported container types such as Tomcat 6, JBOSS v4, and so on.

Tip
- When you are using a BMC Atrium SSO load balancer, you must add the load balancer URL in the --atrium-sso-url parameter instead of adding the server URL.
- When you are using a mid tier load balancer or reverse proxy, you must add both the --web-app-url and --notify-url URLs: add the load balancer URL in the --web-app-url parameter and the mid tier URL in the --notify-url parameter.
- When you are not using a mid tier load balancer, do not use the --notify-url parameter, and add the mid tier URL in --web-app-url.

# Install mode, it accepts values as "Install" or "Uninstall" and it is case insensitive.
# Provide "Install", if you want to install the agent. Provide "Uninstall", if you want to Uninstall the Agent.
--install-mode=Install
# Container Type, Type of webserver being used to host midtier
--container-type=TOMCATV6
# Supported container types include JBOSSV4, JBOSSV5, SERVLETEXECV5, SERVLETEXECV6,
# TOMCATV5, TOMCATV6, TOMCATV7, WEBSPHEREV6, WEBSPHEREV7, WEBLOGICV10
#Web App URL, Provide the midtier URL in case load balancer is not there otherwise provide the load balancer url,
# and make sure the server name is provided with fully qualified domain name
# and port is also provided in the URL.
#--web-app-url=MidtierURL or LoadBalancerURL
--web-app-url=http://midtierloadbalancer.bmc.com:8080/arsys
#Container Base Directory, Provide the webserver home directory.
--container-base-dir=C:\Program Files\Apache Software Foundation\Tomcat6.0
#JRE Path, Provide the path to the JRE home and make sure that you haven't provided till "bin".
--jre-path=C:\Program Files\Java\jre7
#Midtier Home, Midtier Home Directory
--midtier-home=C:\Program Files\BMC Software\ARSystem\midtier
#Midtier URL, Provide the midtier URL here in case load balancer is being used.
#Remove # to uncomment and use the below property.
#--notify-url=http://midtier.bmc.com:8080/arsys
#Atrium SSO URL, Provide the Atrium SSO URL and make sure the server name is
# provided with fully qualified domain name and port is also provided in the URL.
#If SSO load balancer is used, add the Atrium SSO load balancer URL instead of Atrium SSO server name.
--atrium-sso-url=https://ssoserver.bmc.com:8443/atriumsso
#Atrium SSO Admin Name
--admin-name=amadmin
#Atrium SSO Password
--admin-pwd=ssoadminpassword
#TrustStore Path, Path to the truststore directory. This is an optional parameter.
#Remove # to uncomment and use the below property.
#--truststore=truststorepath | Optional parameter.
#TrustStore Password. This is an optional parameter.
#Remove # to uncomment and use the below property.
#--truststore-password=truststorepassword | Optional parameter.
#The Atrium SSO realm that this agent will use for user authentication. Default is /BmcRealm.
#Remove # to uncomment and use the below property.
#--agent-realm=RealmName
#force option, It accepts values as "Yes" or "No" where default is "No".
#If "Yes" is provided then utility will not wait for user to shutdown the webserver, if not done already in case, webserver is other than tomcat or jboss.
#Remove # to uncomment and use the below property.
--force=
#Server Instance Name, Provide the name of Websphere instance name being used. It is required only in case Websphere being used to host the midtier.
#Remove # to uncomment and use the below property.
#--server-instance-name=WebSphere server instance name
#Instance Configuration Directory, Provide the path to the Websphere instance configuration directory. It is required only in case Websphere being used to host the midtier.
#Remove # to uncomment and use the below property.
#--instance-config-directory=WebSphere server instance configuration directory
#Weblogic Domain Name, Provide the Weblogic domain name. It is required only in case WebLogic being used to host the midtier.
#Remove # to uncomment and use the below property.
#--weblogic-domain-home=Domain Name

Note
- Blank passwords are not supported. Your AR System server user must have a password before you run this utility.
- Fully qualified domain names for the AR System server and BMC Atrium SSO URL parameters are required.
- If necessary, you can run the SSOMidtierIntegration utility multiple times, for example, to install or uninstall the integration (depending on the install-mode setting in the midtierintegration.txt file). The utility checks whether an agent exists from a previous installation. If an agent exists, the utility uninstalls it and then installs a new agent.
- Review the optional inputs carefully for your environment.
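Both the arintegration.txt Note in the previous procedure and the midtierintegration.txt Note above state rules that the utilities only check at run time, after the AR System server or web server has been stopped. As an added example (not BMC's code or part of either utility), the following Python preflight check parses an input file and reports those rules before anything is shut down: no blank passwords, fully qualified host names, an https URL with an explicit port for --atrium-sso-url, and valid --force, --install-mode and --container-type values. The key lists, helper names and sample files are constructed for this example; only the parameter names and container types come from the files shown above.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Keys the sample input files above populate for each utility (hypothetical grouping).
AR_REQUIRED = ["--ar-server-name", "--ar-server-user", "--ar-server-password",
               "--ar-server-port", "--atrium-sso-url", "--admin-name", "--admin-pwd"]
MIDTIER_REQUIRED = ["--install-mode", "--container-type", "--web-app-url",
                    "--container-base-dir", "--jre-path", "--midtier-home",
                    "--atrium-sso-url", "--admin-name", "--admin-pwd"]
CONTAINER_TYPES = {"JBOSSV4", "JBOSSV5", "SERVLETEXECV5", "SERVLETEXECV6", "TOMCATV5",
                   "TOMCATV6", "TOMCATV7", "WEBSPHEREV6", "WEBSPHEREV7", "WEBLOGICV10"}
PASSWORD_KEYS = ("--ar-server-password", "--admin-pwd", "--truststore-password")
URL_KEYS = ("--atrium-sso-url", "--web-app-url", "--notify-url")
# A host name with at least one dot that is not a bare IPv4 address.
FQDN_RE = re.compile(r"^(?!\d+(\.\d+){3}$)[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def parse_input_file(text: str) -> Dict[str, str]:
    """Read '--key=value' lines; lines starting with '#' are comments and are skipped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^(--[a-z0-9-]+)=(.*)$", line)
        if not match:
            raise ValueError(f"not a '--key=value' line: {raw!r}")
        params[match.group(1)] = match.group(2).strip()
    return params


def _check_url(key: str, value: str, errors: List[str], warnings: List[str]) -> None:
    """Every URL needs an FQDN host; the Atrium SSO URL also needs https and a port."""
    parts = urlsplit(value)
    host = parts.hostname or ""
    if not FQDN_RE.match(host):
        errors.append(f"{key}: host '{host}' is not a fully qualified domain name")
    port = parts.port  # raises ValueError for a non-numeric port, which is also wrong
    if key == "--atrium-sso-url":
        if parts.scheme != "https":
            errors.append(f"{key}: must be an https URL")
        if port is None:
            errors.append(f"{key}: the port must be given explicitly in the URL")
    elif port is None:
        # The page says reverse proxy URLs work with or without a port, so only warn.
        warnings.append(f"{key}: no explicit port; acceptable only for a reverse proxy URL")


def validate_params(params: Dict[str, str], utility: str) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for an 'ar' or 'midtier' input file."""
    errors, warnings = [], []
    for key in AR_REQUIRED if utility == "ar" else MIDTIER_REQUIRED:
        if key not in params:
            errors.append(f"{key}: missing")
    for key in PASSWORD_KEYS:
        if key in params and params[key] == "":
            errors.append(f"{key}: blank passwords are not supported")
    if "--ar-server-name" in params and not FQDN_RE.match(params["--ar-server-name"]):
        errors.append("--ar-server-name: must be a fully qualified domain name")
    if "--ar-server-port" in params and not params["--ar-server-port"].isdigit():
        errors.append("--ar-server-port: must be a number (0 when port mapping is used)")
    for key in URL_KEYS:
        if key in params:
            _check_url(key, params[key], errors, warnings)
    if params.get("--force", "") not in ("", "Yes", "No"):
        errors.append("--force: accepts only Yes or No (empty means the default, No)")
    if utility == "midtier":
        if params.get("--install-mode", "").lower() not in ("install", "uninstall"):
            errors.append("--install-mode: must be Install or Uninstall")
        if params.get("--container-type", "").upper() not in CONTAINER_TYPES:
            errors.append("--container-type: not one of the supported container types")
    return errors, warnings


# Constructed arintegration.txt contents (illustrative values, not real credentials).
GOOD_AR_FILE = """\
#AR Server Name, Provide the AR server name.
--ar-server-name=arsystemserver.bmc.com
--ar-server-user=Demo
--ar-server-password=Demo
--ar-server-port=0
--atrium-sso-url=https://ssoserver.bmc.com:8443/atriumsso
--admin-name=amadmin
--admin-pwd=ssoadminpassword
"""

# Same file with the mistakes the Notes warn about: short host, blank password, http URL without port, bad --force.
BAD_AR_FILE = """\
--ar-server-name=arsystemserver
--ar-server-user=Demo
--ar-server-password=
--ar-server-port=0
--atrium-sso-url=http://ssoserver/atriumsso
--admin-name=amadmin
--admin-pwd=ssoadminpassword
--force=maybe
"""
```

Running validate_params(parse_input_file(BAD_AR_FILE), "ar") reports six errors for the constructed bad file and none for the good one.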

3. Save your changes to midtierintegration.txt.
4. At the command prompt or shell window, navigate to the \AtriumSSOIntegrationUtility directory.
5. Enter the following jar command at the command prompt:

java -jar SSOMidtierIntegration.jar --inputfile midtierintegration.txt

6. Manually shut down the web server if you are prompted by the utility.

Note
The utility automatically shuts down Tomcat and JBoss.

7. When execution is successfully completed, open the BMC Atrium SSO Admin console. The URL to open the BMC Atrium SSO Admin console is: https://<host>.<domain>:<port>/atriumsso For example: https://ssoServer.bmc.com:8443/atriumsso/atsso

Note
To troubleshoot installation failures, or for information about log files or configurations performed by the SSOMidtierIntegration utility, see Troubleshooting AR System server and Mid Tier integrations.

8. When you are prompted that you are connecting to an insecure or untrusted connection, add the exception and then continue.
9. Under Agents List, verify that the agent was created. For example, an agent of the form /<webapp>@<midTierHost>:8080 should be present.


Reverse proxy URLs

Important
Before you pass the reverse proxy URL as input in the utility command, make sure that you can log on to the application using the reverse proxy URL from the Mid Tier computer where the command is run. If the reverse proxy server and the Mid Tier are installed on the same computer, stop the reverse proxy server before you run the SSOMidtierIntegration utility with the Mid Tier. When the utility completes its operation, restart the reverse proxy server.

If you must use reverse proxy URLs to run the Mid Tier integration with the SSOMidtierIntegration utility, the utility works with or without ports in the --web-app-url parameter.

Where to go from here
1. Configure BMC Atrium Single Sign-On for AR authentication and set up users and groups (see page 97).

Note
If you do not plan to use BMC Atrium Single Sign-On AR authentication and plan to use different authentication methods, see Configuring after installation. To use and manage authentication chaining, see Managing authentication modules (see page 271). To set up and manage users and user groups, see Managing users (see page 264) and Managing user groups (see page 268).

2. Run a health check on the BMC Atrium Single Sign-On installation.

6.7.10 Managing the AR System users and groups for authentication
The Action Request (AR) authentication module allows BMC Atrium Single Sign-On to use the user accounts within a BMC Remedy AR System server for authentication. This module is normally used in conjunction with the AR Data Store to retrieve group information and other user attributes from the AR System server.
- Configure the AR module for AR System (see page 98)
- Configure AR user stores for AR System (see page 101)
- Managing the AR System users and groups (see page 103)


When you enable authentication chaining mode, all authentication methods in the chain are attempted in the specified order until either the authentication succeeds or all the methods in the chain fail.

Note
If you plan to use an authentication method other than or in addition to the AR module, see the applicable authentication method in Configuring after installation. For example, Using Kerberos for authentication (see page 132) or Using SAMLv2 for authentication.

Configure the AR module for AR System
1. On the SSO Server, navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to launch the BMC Atrium SSO Admin Console and log on.
2. Click Edit BMC Realm to open the Realm Editor.
3. Set User Profile to Dynamic.
4. On the Realm Authentication panel, click Add.
5. Click AR, and then enter the AR parameters (see AR parameters below).
   a. Click Save.
6. On the Realm Authentication panel, set the process order of the authentication chain:
   a. For the AR module, under Flag, select Sufficient.
   b. Select the AR module.
   c. Click Up so that AR is first in the list.
   d. Set Internal LDAP to Optional.

Sufficient means that, with multiple authentication modules, if you are successfully authenticated with the first module, the remaining modules are skipped. If the login fails, authentication moves to the next module in the chain. Setting AR to Sufficient and placing it first in the list means that if you are authenticated with the AR System server, you are successfully authenticated by BMC Atrium Single Sign-On and you proceed to the Mid Tier.

Note
With Single Sign-On, you want to trigger authentication providers in the right order. The order is: Required > Requisite > Sufficient > Optional. If you set both modules to Required, you would need both authentications to establish the session. For more information on creating an authentication chain, see the Realm Authentication panel described in Realm Editor.
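To make the flag semantics concrete, the following Python evaluator is an added example, not BMC or OpenAM code: it walks a chain the way the Note describes, assuming the standard JAAS flag rules that OpenAM follows (Required and Requisite must pass, a passing Sufficient module ends the chain early, Optional never blocks on its own). The user directories and the two check functions are constructed stand-ins for the real AR and Internal LDAP modules.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Flag(Enum):
    """Chain flags, listed in the order the Note gives them (strongest first)."""
    REQUIRED = "Required"
    REQUISITE = "Requisite"
    SUFFICIENT = "Sufficient"
    OPTIONAL = "Optional"


@dataclass
class Module:
    name: str
    flag: Flag
    # Hypothetical credential check standing in for the real AR or LDAP module.
    check: Callable[[str, str], bool]


def evaluate_chain(chain: List[Module], user: str, password: str) -> Tuple[bool, List[str]]:
    """Walk the chain with the assumed JAAS-style flag semantics.

    Returns (session_established, names of the modules that were actually tried),
    so the second value shows which modules a given login reaches.
    """
    tried: List[str] = []
    required_failed = False
    any_success = False
    for module in chain:
        ok = module.check(user, password)
        tried.append(module.name)
        if module.flag is Flag.REQUIRED:
            # Must succeed, but the chain keeps going so every module runs.
            if ok:
                any_success = True
            else:
                required_failed = True
        elif module.flag is Flag.REQUISITE:
            # Must succeed; a failure stops the chain immediately.
            if not ok:
                return False, tried
            any_success = True
        elif module.flag is Flag.SUFFICIENT:
            # Success ends the chain at once unless an earlier Required module
            # already failed; a failure just moves on to the next module.
            if ok and not required_failed:
                return True, tried
            any_success = any_success or ok
        else:  # Flag.OPTIONAL
            # Counts only when nothing stronger in the chain has decided it.
            any_success = any_success or ok
    if required_failed:
        return False, tried
    return any_success, tried


# Constructed sample directories (not real accounts or credentials).
AR_USERS: Dict[str, str] = {"Demo": "demo-pw", "arsuser": "ar-secret", "ops": "ops-pw"}
LDAP_USERS: Dict[str, str] = {"amadmin": "sso-admin-pw", "ldapuser": "ldap-secret", "ops": "ops-pw"}


def ar_module_check(user: str, password: str) -> bool:
    return AR_USERS.get(user) == password


def ldap_module_check(user: str, password: str) -> bool:
    return LDAP_USERS.get(user) == password


# The chain this procedure builds: AR first and Sufficient, Internal LDAP Optional.
PAGE_CHAIN = [
    Module("AR", Flag.SUFFICIENT, ar_module_check),
    Module("Internal LDAP", Flag.OPTIONAL, ldap_module_check),
]

# The alternative the Note warns about: both modules Required.
BOTH_REQUIRED_CHAIN = [
    Module("AR", Flag.REQUIRED, ar_module_check),
    Module("Internal LDAP", Flag.REQUIRED, ldap_module_check),
]


if __name__ == "__main__":
    for label, chain in (("AR Sufficient + LDAP Optional", PAGE_CHAIN),
                         ("both Required", BOTH_REQUIRED_CHAIN)):
        for user, pw in (("arsuser", "ar-secret"), ("ldapuser", "ldap-secret"),
                         ("ops", "ops-pw"), ("arsuser", "wrong")):
            ok, tried = evaluate_chain(chain, user, pw)
            print(f"{label}: {user} -> {'session' if ok else 'denied'} after {tried}")
```

With the page's chain an AR user never reaches Internal LDAP, while with both modules Required an account that exists in only one of the two directories is denied.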

AR parameters
Parameter | Description
Server Host Name | (Required) Provide the Fully Qualified Domain Name (FQDN) for the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer).
Server Port Number | (Required) The AR Server Port Number is the port on which the AR System server is listening. Note: Enter a value of 0 if the AR System server is using port mapping.
Default Authentication String | This string is only used when the AR module is placed downstream in a chain from another authentication module that prompts the user only for a name and password. In this situation, the value of this parameter is used to authenticate the user by re-using the credentials provided by the user along with this authentication string.
Allow AR Guests | If enabled, allows unknown or invalid users to authenticate to the AR System server as guests.

Note
When using SAML v2 for authentication, you must not use AR user stores. Although the AR authentication module should be configured, the AR data store is not needed for authentication in a SAMLv2 deployment.

Configure AR user stores for AR System
1. On the User Stores panel, click Add.
2. Select AR User Store.
3. Enter the AR User Store parameters (see AR User Store parameters below).
4. Click Save.

AR User Store parameters
Section | Parameter | Description
(none) | Name | Label for the AR user store.
AR Server Host | Host Name | (Required) Provide the Fully Qualified Domain Name (FQDN) for the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer). Replace the default value (sample.bmc.com) with the host name of your server (for example, yourServer.bmc.com).
AR Server Host | Port | (Required) Default: 0. Provide the port number on which the AR Server is listening. The value 0 is used when the AR Server is using port mapping.
Administrative Access | Name | (Required) Provide the user name of an AR Server user store account that has AR System Administrator privileges. Empty or blank passwords for this internal user are not supported with a new user store.
Administrative Access | Authentication | Provide the authentication string that is needed when the Administrator account is used to connect with the AR System server.
Administrative Access | Password and Confirm Password | Password for the AR System administrative user of the AR Server user store account (for example, admin).
Connection Pool | Linger Time (seconds) | (Required) Default: 60. Linger Time is the amount of time (in milliseconds) that a connection is allowed to remain unused in the pool before being closed.
Connection Pool | Pool size | (Required) Default: 10. The Pool Size is the maximum number of connections the data store uses to service data requests for the AR System server.

Managing the AR System users and groups
BMC Atrium Single Sign-On provides basic user and group management features with the internal LDAP server. These features allow an administrator to manage users, groups, and group memberships.

Note
When you configure the AR User Store for the AR System, all your AR System users and groups are already listed.

From the User page, the administrator can create, delete, and manage group memberships. BMC products can use the group membership capabilities of the BMC Atrium Single Sign-On system to provide authorization and authentication of users. If a BMC product does not use the group memberships of the BMC Atrium Single Sign-On system, consult that product's documentation to determine the mapping of groups to privileges.

To access the User page
1. Open the Realm Editor.
2. Click the Users tab.
New users can only be created when you are using the internal LDAP server for authentication. If an external source is used for authentication, new users must be created within that external system.

Note
If special characters, such as comma (,), semicolon (;), or plus sign (+), are used in the user ID, the backslash (\) must precede the special character. For example, Baldwin\,bob.

When creating a new user, each field that is marked with an asterisk is a required field.


To add a new user
1. In the Realm Editor, click the Users tab. Current AR System users created in your AR System server are already listed.
2. Click Add to open the User Editor.
3. In the User Id field, enter a unique identifier for the new user. This value is used as the user ID when the user logs in.
4. Specify the user's status. The default is Active.
5. Add the name attributes. The name attributes (First Name, Full Name, and Last Name) can be provided to BMC products to help identify user accounts by using terms that are more user-friendly. The actual use of these attributes, though, depends on the BMC product. You must assign an initial password of at least 8 characters when creating the account. After the password is created, the user can log into BMC Atrium Single Sign-On and update the password and their personal information through the following URL: https://FQDNHostName:port/BMC Atrium SSO?realm=BmcRealm
6. Click the Groups tab.
7. From the list of available groups, add the user to group membership (for example, BmcAdmins).
8. Click Save.


To access the Group page
BMC Atrium Single Sign-On provides predefined groups to help with the Administrator privileges that some BMC products might require. For example, the BmcSearchAdmin group provides privileges that allow a user to connect to the server to perform identity searches.

Note
Care should be exercised when assigning the BmcSearchAdmin group because these elevated privileges allow greater access to BMC Atrium Single Sign-On than is normally allowed.

Navigate to the following location:
1. Open the Realm Editor.
2. Click the Groups tab.

To create a new group
Normally, BMC products install the groups they need into BMC Atrium Single Sign-On as part of their installation. However, a situation might arise in which a group needs to be created or re-created.

1. In the Realm Editor, click the Groups tab. Current AR System groups created in your AR System server are already listed.
2. Click Add to open the Group Editor.
3. Enter a new, unique name for the group.
4. Add available users to the new group.
5. Click Save.

Related topics
- Using SAMLv2 for authentication
- Using Kerberos for authentication (see page 132)
- Using CAC for authentication
- Using LDAP (Active Directory) for authentication
- Using RSA SecurID for authentication

6.7.11 Running a health check on the BMC Atrium Single Sign-On installation
After you finish all these procedures, run a health check of your integration of BMC Atrium Single Sign-On with BMC Remedy AR System.

To run a health check on the BMC Atrium Single Sign-On integration
1. Log on to the BMC Remedy Mid Tier Configuration Tool. The default path is http://<midTierHost>:<port>/arsys/shared/config/config.jsp. For example: http://Midtier.bmc.com:8080/arsys/shared/config/config.jsp

Tip
Clear the cache on your browser if you see redirect errors.

If your integration is successful, you should see the normal Mid Tier configuration logon, not the BMC Atrium SSO logon screen.


2. In the AR Server Setting panel, verify that the list of AR System servers includes their fully qualified domain names.
3. Log on to the AR System server. For example: http://Midtier.bmc.com:8080/arsys The BMC Atrium Single Sign-On server redirects the server URL to the BMC Atrium Single Sign-On server, and the BMC Atrium SSO logon screen appears.


4. Enter the User Name and Password of an AR System user and then click Log In. If BMC Atrium Single Sign-On is properly integrated and configured, the Applications startup page appears.


6.8 Installing silently

In addition to using the GUI, the installer and uninstaller programs can be run from scripts. This topic provides examples for installing and uninstalling BMC Atrium Single Sign-On in silent mode by using the setup script from the command line.
Running the installer in silent mode (see page 114)
Uninstalling in silent mode (see page 114)
Example options.txt file (see page 114)

The following represents the general command line syntax:


setup.sh|setup.cmd -i silent -DOPTIONS_FILE=

Note The full path to the AtriumSSO directory must be specified.

If you are configuring BMC Atrium Single Sign-On as a High Availability (HA) cluster, you must complete the HA prerequisites and HA pre-installation tasks before running the installer in silent mode on the first node and the additional nodes. Before running the installer in silent mode on an additional node, you must also complete the following tasks:
Ensure that all nodes are running and available.
Copy the configuration file (created during the first node's installation) to the Disk1 directory of the extracted files before installing BMC Atrium Single Sign-On on the node.
You must also complete the HA post-installation activities after you have run the installer in silent mode on all the nodes.


For information about the additional parameters that you must add in the SSOSilentInstallOptions.txt file, see Example options.txt file (see page 114).

6.8.1 Running the installer in silent mode

1. Open a command line window.
2. Navigate to the AtriumSSO directory. For example, on Windows, the default location is C:\SSO\AtriumSSO.
3. Create the SSOSilentInstallOptions.txt file with any environment-specific parameters. For details on the file format, see the Silent installation example.
4. Run the setup command with the following syntax:

setup.sh|setup.cmd -i silent -DOPTIONS_FILE=SSOSilentInstallOptions.txt

5. Verify that your BMC Atrium Single Sign-On installation was successful:
a. Launch the Administrator console.
b. Confirm that you can view the BMC Atrium Single Sign-On logon panel.

Note If you install in silent mode, you must also uninstall in silent mode to uninstall the server.

6.8.2 Uninstalling in silent mode

1. Open a command-line window.
2. Navigate to the AtriumSSO directory. For example, on Windows, the default location is C:\SSO\AtriumSSO.
3. Run UninstallAtriumSSO.exe with the following syntax:

UninstallAtriumSSO.exe -i silent -DOPTIONS_FILE=SSOSilentUninstallOptions.txt

where SSOSilentUninstallOptions.txt contains:

-silent -U productAtriumSSO -U featureAtriumSSO

6.8.3 Example options.txt file

The following Windows example invokes a silent installation where the administrator password is admin123.


setup.cmd -i silent -DOPTIONS_FILE=C:\SSO\AtriumSSO\SSOSilentInstallOptions.txt

You can also generate the encrypted form of a new administrator password for the options file by using the following command:

Disk1/support/AtriumSSOMaintenanceTool.sh -silent -encrypt -encrypt -password=test -confirm_password=test

which produces an encrypted value such as:

DES\:a751b8161238d05108839e457d4e2050

The SSOSilentInstallOptions.txt file contains:

-P installLocation=C:\SSO\AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_TOMCAT_SHUTDOWN_PORT=8005
-J ATRIUMSSO_TOMCAT_HTTP_PORT=8080
-J ATRIUMSSO_INSTALL_TOMCAT=true
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J ATRIUMSSO_SERVER_PASSWORD=DES\:3996ba109b2b3f035fb4200116c2339a78ecec52023308de
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:3996ba109b2b3f035fb4200116c2339a78ecec52023308de
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_HOST_NAME=atrium-sso-vm4.bmc.com

The SSOSilentInstallOptions.txt file for installing BMC Atrium Single Sign-On on an external Tomcat server, where the installer uses the Tomcat scripts to start and stop the Tomcat process, contains the following parameters:

-P installLocation=/root/bmc/AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_INSTALL_TOMCAT=false
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J ATRIUMSSO_SERVER_PASSWORD=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_HOST_NAME=vl-aus-rh55-atm-sp01.bmc.com
-J USE_EXTERNAL_SCRIPTS=true
-J CLUSTER_MODE=STANDALONE_STRING
-J ATRIUMSSO_EXISTING_TOMCAT_DIRECTORY=/root/apache-tomcat-6.0.37
-J TRUSTSTORE_LOCATION=/root/apache-tomcat-6.0.37/conf/cacerts.p12
-J TRUSTSTORE_PASSWORD=changeit
-J KEYSTORE_LOCATION=/root/apache-tomcat-6.0.37/conf/keystore.p12
-J KEYSTORE_PASSWORD=changeit
-J KEYSTORE_ALIAS=tomcat
-J JAVA_LOCATION=/usr/jdk64
-J JDK_LOCATION=/usr/jdk64

The SSOSilentInstallOptions.txt file for installing BMC Atrium Single Sign-On on an external Tomcat server, where the installer uses the Windows service of the Tomcat server, contains the following parameters:

-P installLocation=/root/bmc/AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_INSTALL_TOMCAT=false
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J ATRIUMSSO_SERVER_PASSWORD=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_HOST_NAME=vl-aus-rh55-atm-sp01.bmc.com
-J USE_EXTERNAL_SCRIPTS=false
-J ATRIUMSSO_EXISTING_TOMCAT_SERVICE=Tomcat
-J CLUSTER_MODE=STANDALONE_STRING
-J ATRIUMSSO_EXISTING_TOMCAT_DIRECTORY=/root/apache-tomcat-6.0.37
-J TRUSTSTORE_LOCATION=/root/apache-tomcat-6.0.37/conf/cacerts.p12
-J TRUSTSTORE_PASSWORD=changeit
-J KEYSTORE_LOCATION=/root/apache-tomcat-6.0.37/conf/keystore.p12
-J KEYSTORE_PASSWORD=changeit
-J KEYSTORE_ALIAS=tomcat
-J JAVA_LOCATION=/usr/jdk64
-J JDK_LOCATION=/usr/jdk64

When installing BMC Atrium Single Sign-On as a High Availability (HA) cluster, the SSOSilentInstallOptions.txt file must contain some additional parameters. The SSOSilentInstallOptions.txt file for installing the first node of an HA cluster must contain the following parameters:

-P installLocation=C:\SSO\AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_INSTALL_TOMCAT=true
-J CLUSTER_MODE=FIRST_MEMBER_CLUSTER_STRING
-J MEMBER_LOCATION=/home/xuser/5162_node.dat
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J LOAD_BALANCER_URL=https://iBMC-JBHBBK1.bmc.com:443/atriumsso
-J ATRIUMSSO_LDAP_REPLICATION_PORT=8092
-J ATRIUMSSO_TOMCAT_SHUTDOWN_PORT=8005
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_TOMCAT_HTTP_PORT=8080
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J USE_EXTERNAL_SCRIPTS=false
-J ATRIUMSSO_SERVER_PASSWORD=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_HOST_NAME=rlnx-al-vm01.bmc.com
-J ATRIUMSSO_LDAP_PORT=8091

The SSOSilentInstallOptions.txt file for installing additional nodes of an HA cluster must contain the following parameters:

-P installLocation=/opt/bmc/AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_TOMCAT_SHUTDOWN_PORT=8005
-J ATRIUMSSO_TOMCAT_HTTP_PORT=8080
-J ATRIUMSSO_INSTALL_TOMCAT=true
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J CLUSTER_MODE=ADDITIONAL_MEMBER_CLUSTER_STRING
-J MEMBER_LOCATION=/tmp/SSO/5162_node.dat
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_LDAP_REPLICATION_PORT=8092
-J ATRIUMSSO_HOST_NAME=vm-rhel5-rds1276.bmc.com
-J ATRIUMSSO_LDAP_PORT=8091
-J USE_EXTERNAL_SCRIPTS=false
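As an added example (not BMC's own tool), the following Python script parses an options file in the -P/-A/-J form shown above and reports inconsistencies before the silent installer is run. The required-parameter rules are inferred from the examples on this page and are assumptions, not documented installer checks; the broken sample file is constructed.

```python
"""Lint a BMC Atrium Single Sign-On silent-install options file.

Added example, not BMC's own tool. The -P/-A/-J line format and the parameter
names come from the examples above; the consistency rules are inferred from
those examples and are assumptions, not documented installer checks.
"""

# Parameters every example above carries, plus the extra ones per CLUSTER_MODE.
ALWAYS_REQUIRED = ("installLocation", "ATRIUMSSO_COOKIE_DOMAIN",
                   "ATRIUMSSO_HOST_NAME", "ATRIUMSSO_TOMCAT_HTTPS_PORT")
PER_MODE = {
    "STANDALONE_STRING": (),
    "FIRST_MEMBER_CLUSTER_STRING": ("MEMBER_LOCATION", "LOAD_BALANCER_URL",
                                    "ATRIUMSSO_LDAP_PORT", "ATRIUMSSO_LDAP_REPLICATION_PORT"),
    "ADDITIONAL_MEMBER_CLUSTER_STRING": ("MEMBER_LOCATION", "ATRIUMSSO_LDAP_PORT",
                                         "ATRIUMSSO_LDAP_REPLICATION_PORT"),
}
PASSWORD_KEYS = ("ATRIUMSSO_SERVER_PASSWORD", "ATRIUMSSO_SERVER_PASSWORD_2")
EXTERNAL_TOMCAT_KEYS = ("ATRIUMSSO_EXISTING_TOMCAT_DIRECTORY", "KEYSTORE_LOCATION",
                        "KEYSTORE_ALIAS", "TRUSTSTORE_LOCATION")
BUNDLED_TOMCAT_KEYS = ("ATRIUMSSO_TOMCAT_HTTP_PORT", "ATRIUMSSO_TOMCAT_SHUTDOWN_PORT")


def parse_options(text):
    """Return (features, params): '-A x' adds a feature, '-P'/'-J' set KEY=VALUE."""
    features, params = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        flag, _, rest = line.partition(" ")
        if flag == "-A":
            features.append(rest.strip())
        elif flag in ("-P", "-J") and "=" in rest:
            key, _, value = rest.strip().partition("=")
            params[key] = value
        else:
            raise ValueError("unrecognised options line: " + line)
    return features, params


def lint_options(text):
    """Return a list of findings; an empty list means the file looks consistent."""
    features, p = parse_options(text)
    findings = []
    if "featureAtriumSSO" not in features:
        findings.append("missing -A featureAtriumSSO")
    mode = p.get("CLUSTER_MODE", "STANDALONE_STRING")  # absent in the standalone example
    if mode not in PER_MODE:
        findings.append("unknown CLUSTER_MODE " + mode)
        mode = "STANDALONE_STRING"
    findings += ["missing " + k for k in ALWAYS_REQUIRED + PER_MODE[mode] if k not in p]
    # Passwords appear only in their encrypted DES\: form; an additional HA node
    # takes them from the first node's configuration file instead of this file.
    present = [k for k in PASSWORD_KEYS if k in p]
    if mode != "ADDITIONAL_MEMBER_CLUSTER_STRING" and len(present) < 2:
        findings.append("both ATRIUMSSO_SERVER_PASSWORD values are required")
    findings += [k + " is not in encrypted DES\\: form"
                 for k in present if not p[k].startswith("DES\\:")]
    if len(present) == 2 and p[present[0]] != p[present[1]]:
        findings.append("ATRIUMSSO_SERVER_PASSWORD and ATRIUMSSO_SERVER_PASSWORD_2 differ")
    # External Tomcat needs its stores and, without scripts, the Windows service
    # name; the bundled Tomcat needs its HTTP and shutdown ports.
    if p.get("ATRIUMSSO_INSTALL_TOMCAT") == "false":
        findings += ["external Tomcat needs " + k for k in EXTERNAL_TOMCAT_KEYS if k not in p]
        if p.get("USE_EXTERNAL_SCRIPTS") == "false" and "ATRIUMSSO_EXISTING_TOMCAT_SERVICE" not in p:
            findings.append("USE_EXTERNAL_SCRIPTS=false needs ATRIUMSSO_EXISTING_TOMCAT_SERVICE")
    else:
        findings += ["bundled Tomcat needs " + k for k in BUNDLED_TOMCAT_KEYS if k not in p]
    return findings


# The standalone Windows example from this page, one option per line.
STANDALONE_EXAMPLE = r"""-P installLocation=C:\SSO\AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_TOMCAT_SHUTDOWN_PORT=8005
-J ATRIUMSSO_TOMCAT_HTTP_PORT=8080
-J ATRIUMSSO_INSTALL_TOMCAT=true
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J ATRIUMSSO_SERVER_PASSWORD=DES\:3996ba109b2b3f035fb4200116c2339a78ecec52023308de
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:3996ba109b2b3f035fb4200116c2339a78ecec52023308de
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_HOST_NAME=atrium-sso-vm4.bmc.com
"""

# A constructed external-Tomcat file carrying the mistakes the rules above catch
# (plaintext password, mismatched passwords, missing stores and service name).
BROKEN_EXAMPLE = r"""-P installLocation=/opt/bmc/AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_INSTALL_TOMCAT=false
-J USE_EXTERNAL_SCRIPTS=false
-J ATRIUMSSO_EXISTING_TOMCAT_DIRECTORY=/opt/apache-tomcat
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J ATRIUMSSO_SERVER_PASSWORD=admin123
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:0000000000000000
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_HOST_NAME=sso.example.com
"""
```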

6.9 Uninstalling BMC Atrium Single Sign-On

During installation, the uninstaller is installed with BMC Atrium Single Sign-On. Running the uninstaller removes BMC Atrium Single Sign-On from the system.
Running the uninstaller on Windows (see page 117)
Running the uninstaller on Solaris or Linux (see page 117)
Invocation error during uninstallation (see page 118)

6.9.1 Running the uninstaller on Windows

To uninstall BMC Atrium Single Sign-On from a Microsoft Windows platform, use the Add or Remove Programs option on the control panel.
1. From the control panel, select Add or Remove Programs.
2. Select BMC Atrium Single Sign-On in the list.
3. Click Change or Remove Programs once it is displayed. This last action launches the uninstaller program.

Note Because of varying Windows system dependencies, a reboot might be required to completely uninstall BMC Atrium Single Sign-On.

6.9.2 Running the uninstaller on Solaris or Linux

To run the uninstaller on Oracle Solaris or Linux, the uninstaller must be launched from within a graphical environment, for example, from the console or through an X-Windows server.
1. Change the working directory to the installation directory. The following is the default directory:
$ cd /opt/SSO
2. Run the UninstallAtriumSSO script.
$ ./UninstallAtriumSSO
If the GUI environment is properly set up, the uninstaller program launches and walks the user through the steps to remove BMC Atrium Single Sign-On.

Important Be sure to select the BMC Atrium Single Sign-On component, otherwise the uninstaller will remove the server.

3. Manually delete the BMC Atrium Single Sign-On log file artifacts. These log files are left in the file system regardless of the reboot.

6.9.3 Invocation error during uninstallation

If the GUI environment is incorrectly set up, an invocation error similar to the following occurs when you run the uninstaller:

Invocation of this Java Application has caused an InvocationTargetException. This application will now exit. (LAX)
Stack Trace:
java.awt.HeadlessException:
No X11 DISPLAY variable was set, but this program performed an operation which requires it.
	at java.awt.GraphicsEnvironment.checkHeadless(Unknown Source)
	at java.awt.Window.<init>(Unknown Source)
	at java.awt.Frame.<init>(Unknown Source)
	at java.awt.Frame.<init>(Unknown Source)
	at javax.swing.JFrame.<init>(Unknown Source)
	at com.zerog.ia.installer.LifeCycleManager.g(DashoA8113)
	at com.zerog.ia.installer.LifeCycleManager.h(DashoA8113)
	at com.zerog.ia.installer.LifeCycleManager.a(DashoA8113)
	at com.zerog.ia.installer.Main.main(DashoA8113)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at com.zerog.lax.LAX.launch(DashoA8113)
	at com.zerog.lax.LAX.main(DashoA8113)
This Application has Unexpectedly Quit: Invocation of this Java Application has caused an InvocationTargetException. This application will now exit. (LAX)


7 Configuring after installation

When initially installed, BMC Atrium Single Sign-On is configured for immediate use. This default configuration uses the internal data store as an authentication source. This configuration is suitable for demonstrations, proof-of-concept deployments, testing, and other small deployment scenarios. However, for a large-scale system, you should configure the use of an external user repository for authentication, such as an LDAP server.


To set up a method for authentication (see page 120)
SAMLv2 authentication (see page 121)
Predefined authentication module (see page 121)
User Profile panel (see page 122)
Authentication chaining (see page 122)
Authentication chaining flags (see page 122)
Where to go from here (see page 122)

7.1 To set up a method for authentication

To set up the LDAP / Active Directory, Kerberos, Certificate / CAC, RSA SecurID, AR, and Internal LDAP authentication methods, you use the Realm Authentication panel on the BMC Realm.
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. On the Main tab (default), select a User Profile type.

Note The User Profile applies to all authentication methods used for authentication.

3. In the Realm Authentication panel, click Add for a new authentication method and select the method. Alternatively, if you want to edit an existing module, select the module and click Edit.
4. Provide the parameters for the method and Save.
5. Set the flag for the authentication method.
The following image displays the available authentication methods:


7.2 SAMLv2 authentication

In BMC Atrium Single Sign-On, SAMLv2 is implemented from the Federation panel in the BMC realm.

7.3 Predefined authentication module

To help with the configuration of BMC Atrium Single Sign-On, a predefined Internal LDAP authentication module is provided. This predefined authentication module allows you to quickly configure your system. The Internal LDAP authentication module uses the internal LDAP server as an authentication source in the authentication chain and does not have parameters to configure. When you select the Internal LDAP authentication module, it is added directly to the authentication chain without invoking an editor. The module can't be edited (since it does not have parameters), but it can be moved in priority and its authentication flag can be changed. The internal LDAP server is shown in the User Stores panel with a name of embedded and a type of Internal LDAP.


7.4 User Profile panel

The User Profile panel allows you to set user profile parameters. Parameter options are: Ignored, Required, or Dynamic. In the User Profile panel, select either Dynamic or Ignored.
Dynamic: Specifies that a local Single Sign-On user profile is created after a successful authentication, if it does not already exist.
Ignored: Specifies that no local Single Sign-On user profile is created or required for authentication.
Required: Specifies that a local Single Sign-On user profile with the same user ID is required for authentication to be successful.

7.5 Authentication chaining

In addition, new chains can be created if a complex authentication chain is needed. For more information about authentication chains, see Managing authentication modules (see page 271). The order of authentication is changed by selecting an authentication method and clicking Up or Down.

7.6 Authentication chaining flags

Each module allows you to specify the criteria for authentication processing. If you are implementing only one authentication module instance, the flag must be set to Required. The criteria categories are Required, Requisite, Sufficient, and Optional.

7.7 Where to go from here

The following topics provide information and instructions associated with configuration methods used with BMC Atrium Single Sign-On:
Using AR for authentication
Using CAC for authentication
Using Kerberos for authentication (see page 132)
Using LDAP (Active Directory) for authentication
Using RSA SecurID for authentication
Using SAMLv2 for authentication

7.8 Using AR for authentication

The AR System Data Store plug-in allows group information associated with BMC Remedy AR System server users to be retrieved and provided to BMC products. The AR authentication module and the AR user store are designed to be used together, because together they provide additional information for users authenticated against the AR System server.

Note The AR user store provides read-only access to the user information stored in AR System server and read-only access to user and group lists and memberships.

Before you begin (see page 123)
To configure an AR module (see page 123)
To configure an AR user store (see page 124)

7.8.1 Before you begin

Ensure that the AR System Data Store plug-in is installed. Ensure that you have the server location and an administrator account, since they are required to configure the AR user store.

Note User management functionality, assigning group information that is retrieved from the AR System server to users that exist in another data store (for example, the internal data store), and saving changes involving information retrieved from the AR System server are not available.

7.8.2 To configure an AR module

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. On the Main tab (default), select a User Profile type.

Note The User Profile applies to all authentication methods used for authentication.

3. In the Realm Authentication panel, click Add for a new authentication method and select the method. Alternatively, if you want to edit an existing module, select the module and click Edit.
4. Provide the parameters for the method and Save.
5. Set the flag for the authentication method.


Important For the AR module, the flag is set to Sufficient.

When adding or editing an AR module, the following options are available:
Save to save your modifications.
Reset to remove your modifications and stay on the editor.
Help launches a browser that provides you with online help.
Cancel to cancel and return to the launch page.

The parameters and their descriptions are:

Server Host Name
  (Required) Provide the Fully Qualified Domain Name (FQDN) for the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer).

Server Port Number
  (Required) AR Server Port Number is the port on which the AR System server is listening. Note: Enter a value of 0 if the AR System server is using port mapping.

Default Authentication String
  This string is only used when the AR module is placed downstream in a chain from another authentication module that prompts the user only for a name and password. In this situation, the value of this parameter is used to authenticate the user by re-using the credentials provided by the user along with this authentication string.

Allow AR Guests
  If enabled, allows unknown or invalid users to authenticate to the AR System server as guests.

7.8.3 To configure an AR user store

Info Consider the following points before you configure an AR user store. If you are using a persistent NameID element, you cannot define an AR User Store; you must use a transient NameID element to define an AR User Store. Existing profiles within the embedded LDAP User Store should be deleted before adding the AR User Store.

1. Log on to the BMC Atrium SSO Admin Console.
2. Click Edit BMC Realm.
3. On the User Store panel, click Add to create a new AR user store. Alternatively, if you want to edit an existing AR user store, select the user store and click Edit.
4. Select AR User Store.
5. Provide the configuration parameters (see page ) for the AR user store.
6. Click Save.

The AR User Store Editor is used both for editing an existing user store's parameters and for creating a new AR user store. The AR User Store Editor has the following options:
Save to save your modifications.
Reset to remove your modifications and stay on the LDAP page.
Back to Data Stores to navigate back to the Authentication tab.

After configuration is finished, the data store is immediately available to provide group information to users who are authenticating with the AR authentication module.

The parameters, grouped by section, are:

Section: AR Server Host

Name
  Label for the AR user store.

Host Name
  (Required) Provide the Fully Qualified Domain Name (FQDN) for the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer). Replace the default value (sample.bmc.com) with the host name of your server (for example, yourServer.bmc.com).

Port
  (Required) Default: 0. Provide the port number on which the AR Server is listening. The value of 0 is used when the AR Server is using port mapping.

Section: Administrative Access

Name
  (Required) Provide the user name of an AR Server user store account that has AR System Administrator privileges. Empty or blank passwords for this internal user are not supported with a new user store.

Authentication
  Provide the authentication string that is needed when the Administrator account is used to connect with the AR System server.

Password and Confirm Password
  Password for the AR System administrative user of the AR Server user store account (for example, admin).

Section: Connection Pool

Linger Time (seconds)
  (Required) Default: 60. Linger Time is the amount of time (in milliseconds) that a connection is allowed to remain unused in the pool before being closed.

Pool size
  (Required) Default: 10. The Pool Size is the maximum number of connections the data store uses to service data requests for the AR System server.

For more information about common problems, see Troubleshooting AR authentication (see page 320).


7.9 Using CAC for authentication

BMC Atrium Single Sign-On supports Common Access Card (CAC) authentication. Acquiring CACs and the Department of Defense (DoD) Certificate Authority (CA) certificates, and installing and configuring card readers and their middleware software, are beyond the scope of this document. The administrator who configures BMC Atrium Single Sign-On for CAC authentication is assumed to be familiar with these topics.

7.9.1 CAC certificate usage

For CAC authentication to function, the BMC Atrium Single Sign-On server must be prepared with the signer certificates of the identity certificates that clients present to the server for authentication. The certificate for the Issuer must be imported into the BMC Atrium Single Sign-On server's truststore before the clients can send their certificates. The server provides a list of certificates that are trusted. When a request is received for a client certificate and there are multiple trusted certificates available, you can select the certificate that you want to use. For example, when Firefox receives a request for a client certificate and multiple trusted certificates match the list sent by the server, a User Identification Request popup is displayed that allows the user to select a certificate.

Note For a single user test, the user's certificate (the certificate signed by the Issuer) could be imported into the truststore. However, if this method is used, then every user's certificate must be imported into the truststore.

Certificate signed by the Issuer

For example, the following certificate is signed by the Issuer (C=TX, O="BMC Software, Inc.", CN=AtriumSSO):

Owner: C=TX, O="BMC Software, Inc.", OU=AtriumSSO, CN=GoodSSO
Issuer: C=TX, O="BMC Software, Inc.", CN=AtriumSSO
Serial number: 56acad6af0be9e08
Valid from: Sun Feb 20 17:04:30 CST 2011 until: Tue Feb 19 17:04:30 CST 2013
Certificate fingerprints:
MD5: 4A:D6:7C:82:E4:2F:18:0B:8C:48:72:50:E2:56:02:5F
SHA1: 96:9E:6F:DD:A1:41:9C:F5:BD:4A:CC:9E:8B:79:41:6E:4C:A2:C9:69
Signature algorithm name: SHA1withRSA
Version: 3


Certificate for the Issuer

For example, the following certificate is the certificate for the Issuer:

Owner: C=TX, O="BMC Software, Inc.", CN=AtriumSSO
Issuer: C=TX, O="BMC Software, Inc.", CN=AtriumSSO
Serial number: 49b6786d72bb8c34
Valid from: Thu Oct 15 16:01:31 CDT 2009 until: Thu Apr 21 16:01:31 CDT 2016
Certificate fingerprints:
MD5: 81:85:78:CD:80:6A:C1:55:09:7A:FB:79:35:9F:06:5C
SHA1: 0D:2B:E2:90:ED:9E:24:39:19:B0:93:2F:15:87:3C:8D:F6:D0:03:3D
Signature algorithm name: SHA1withRSA
Version: 3
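As an added example (not part of the BMC documentation), the following Python code parses keytool-style listings like the two above and checks the relationship the text describes: the identity certificate's Issuer DN must match the Owner DN of a certificate held in the truststore, and both certificates must be inside their validity periods. The sample listings are reproduced from this page; the check date and the function names are assumptions of the example.

```python
"""Check that a CAC identity certificate chains to a signer in the truststore.

Added example, not BMC's code. It works on the text that keytool prints for a
certificate (Owner, Issuer, Serial number, Valid from ... until, fingerprints)
and encodes the rule from the text above: the Issuer of the identity certificate
must be present in the server's truststore as an Owner.
"""
import re
from datetime import datetime

FIELD_RE = re.compile(r"^(Owner|Issuer|Serial number|Signature algorithm name|Version):\s*(.*)$")
VALID_RE = re.compile(r"^Valid from:\s*(.+?)\s+until:\s*(.+)$")
FP_RE = re.compile(r"^(MD5|SHA1):\s*([0-9A-F:]+)$")


def parse_keytool_date(text):
    """Parse 'Sun Feb 20 17:04:30 CST 2011'. The zone token is dropped because
    strptime only understands the local zone names; values are compared as naive."""
    parts = text.split()
    if len(parts) != 6:
        raise ValueError("unexpected keytool date: " + text)
    del parts[4]  # zone abbreviation such as CST or CDT
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_listing(text):
    """Turn one keytool certificate listing into a dict of its fields."""
    cert = {"fingerprints": {}}
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = VALID_RE.match(line)
        if m:
            cert["not_before"] = parse_keytool_date(m.group(1))
            cert["not_after"] = parse_keytool_date(m.group(2))
            continue
        m = FP_RE.match(line)
        if m:
            cert["fingerprints"][m.group(1)] = m.group(2)
            continue
        m = FIELD_RE.match(line)
        if m:
            cert[m.group(1)] = m.group(2).strip()
    for key in ("Owner", "Issuer", "not_before", "not_after"):
        if key not in cert:
            raise ValueError("listing lacks " + key)
    return cert


def check_chain(identity, truststore, at):
    """Return the problems with presenting `identity` at time `at` to a server
    whose truststore holds the parsed listings in `truststore` (empty = fine)."""
    problems = []
    if not identity["not_before"] <= at <= identity["not_after"]:
        problems.append("identity certificate is outside its validity period")
    signers = [c for c in truststore if c["Owner"] == identity["Issuer"]]
    if not signers:
        problems.append("no truststore entry whose Owner matches Issuer " + identity["Issuer"])
    for signer in signers:
        if signer["Owner"] != signer["Issuer"]:
            problems.append("signer " + signer["Owner"] + " is not self-signed; its issuer must be trusted too")
        if not signer["not_before"] <= at <= signer["not_after"]:
            problems.append("signer certificate is outside its validity period")
    return problems


# The two listings shown on this page.
GOODSSO_LISTING = """
Owner: C=TX, O="BMC Software, Inc.", OU=AtriumSSO, CN=GoodSSO
Issuer: C=TX, O="BMC Software, Inc.", CN=AtriumSSO
Serial number: 56acad6af0be9e08
Valid from: Sun Feb 20 17:04:30 CST 2011 until: Tue Feb 19 17:04:30 CST 2013
Certificate fingerprints:
MD5: 4A:D6:7C:82:E4:2F:18:0B:8C:48:72:50:E2:56:02:5F
SHA1: 96:9E:6F:DD:A1:41:9C:F5:BD:4A:CC:9E:8B:79:41:6E:4C:A2:C9:69
Signature algorithm name: SHA1withRSA
Version: 3
"""
ISSUER_LISTING = """
Owner: C=TX, O="BMC Software, Inc.", CN=AtriumSSO
Issuer: C=TX, O="BMC Software, Inc.", CN=AtriumSSO
Serial number: 49b6786d72bb8c34
Valid from: Thu Oct 15 16:01:31 CDT 2009 until: Thu Apr 21 16:01:31 CDT 2016
Certificate fingerprints:
MD5: 81:85:78:CD:80:6A:C1:55:09:7A:FB:79:35:9F:06:5C
SHA1: 0D:2B:E2:90:ED:9E:24:39:19:B0:93:2F:15:87:3C:8D:F6:D0:03:3D
Signature algorithm name: SHA1withRSA
Version: 3
"""
```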

7.9.2 To set up CAC to use for authentication

BMC Atrium Single Sign-On supports using CACs through the ActivClient software from ActivIdentity. See the ActivClient documentation for the configuration steps needed for clients to use CACs, card readers, and browser setup.
1. Modify the Tomcat server (see page 127)
2. Import DoD CA certificates (see page 128)
3. Set up CAC certificates (see page 129)
4. If using OCSP, enable OCSP for the server (see page 131)

7.9.3 Modify the Tomcat server

Before setting up CAC authentication, the Tomcat server hosting the BMC Atrium Single Sign-On application must be configured to ask clients for certificates, and the Tomcat server's truststore must be set up with the root certificates for the CACs and the Online Certificate Status Protocol (OCSP) server.

To modify the Tomcat server
1. Stop the BMC Atrium Single Sign-On Tomcat server.
2. Edit the following file: /BMC Software/BMC Atrium SSO/tomcat/conf/server.xml
3. Search the file to find the Connector definition used to configure the server's HTTP and HTTPS communications. The tag is similar to the following:



4. Change the clientAuth attribute from "false" to "want":
clientAuth="want"
The clientAuth attribute enables Tomcat to ask for client certificates.

Important Do not set the clientAuth attribute to "true" because this setting breaks certain BMC Atrium SSO-to-Agent communications.

After the change, the Connector tag is similar to the following:


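As an added example (not BMC's configuration or code), the following Python script audits the clientAuth attribute of every HTTPS Connector in a server.xml and reports it against the guidance above: "want" is what CAC needs, "false" means Tomcat never asks for a client certificate, and "true" is the setting the Important note warns against. The sample server.xml text is constructed; the Connector attributes used are standard Tomcat ones, and the keystore and truststore file names follow the silent-install examples on this page.

```python
"""Audit clientAuth on the Tomcat HTTPS Connector(s) in server.xml.

Added example, not BMC's code. The path below is the one named in the steps
above; SAMPLE_BEFORE is a constructed server.xml fragment using standard Tomcat
Connector attributes.
"""
import xml.etree.ElementTree as ET

SERVER_XML = "/BMC Software/BMC Atrium SSO/tomcat/conf/server.xml"

# Verdicts follow the guidance in the steps and the Important note above.
VERDICTS = {
    "want": "ok: Tomcat asks for a client certificate but still accepts clients without one",
    "false": "not ready for CAC: Tomcat never asks for a client certificate",
    "true": "unsafe: every client must present a certificate, which breaks Atrium SSO-to-Agent communications",
}


def is_https_connector(conn):
    """Tomcat marks a TLS connector with SSLEnabled="true" (usually also scheme="https")."""
    attrib = conn.attrib
    return attrib.get("SSLEnabled", "").lower() == "true" or attrib.get("scheme") == "https"


def audit_client_auth(xml_text):
    """Return [(port, clientAuth, verdict)] for each HTTPS Connector in the document."""
    root = ET.fromstring(xml_text)
    results = []
    for conn in root.iter("Connector"):
        if not is_https_connector(conn):
            continue
        value = conn.attrib.get("clientAuth", "false").lower()  # Tomcat's default is false
        results.append((conn.attrib.get("port"), value, VERDICTS.get(value, "unknown clientAuth value")))
    return results


def cac_ready(xml_text):
    """True only when some HTTPS Connector has clientAuth="want" and none has "true"."""
    values = [value for _, value, _ in audit_client_auth(xml_text)]
    return "want" in values and "true" not in values


def audit_file(path=SERVER_XML):
    """Audit a server.xml on disk (not exercised by the sample run below)."""
    with open(path, encoding="utf-8") as handle:
        return audit_client_auth(handle.read())


# Constructed server.xml before the change: the HTTPS Connector still has clientAuth="false".
SAMPLE_BEFORE = """<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/keystore.p12" keystoreType="PKCS12"
               truststoreFile="conf/cacerts.p12" truststoreType="PKCS12"/>
  </Service>
</Server>
"""
# After step 4, and the variant the Important note warns against.
SAMPLE_AFTER = SAMPLE_BEFORE.replace('clientAuth="false"', 'clientAuth="want"')
SAMPLE_WRONG = SAMPLE_BEFORE.replace('clientAuth="false"', 'clientAuth="true"')

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER), ("wrong", SAMPLE_WRONG)):
        for port, value, verdict in audit_client_auth(text):
            print(label, port, value, verdict)
```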

7.9.4 Import DoD CA certificates

The DoD CA certificates appropriate for your CACs must be imported into the BMC Atrium Single Sign-On server's truststore before using CAC for authentication. Importing the certificates allows the server to send the appropriate query to the client to return the correct certificate. Refer to the documentation from the supplier of your CACs for the location where the current root certificates can be acquired. The server's truststore (named cacerts.p12) is located in /BMC Software/BMC Atrium SSO/tomcat/conf. The following instructions use the Oracle keytool utility to import the certificate, but another tool could also be used.

7.9.5 To import certificates

1. Add the JDK's bin directory to the PATH environment variable. When BMC Atrium Single Sign-On is installed with its own Tomcat server, a JDK is installed with the server. When using this JDK, the DoD certificate can be imported into the server's truststore by using the keytool command (keytool.exe on Windows), located within the JDK's bin directory. This bin directory needs to be added to the PATH environment variable if it is not already a part of that variable.
2. To add the location, run the following command:
(UNIX) export PATH="/BMC Software/BMC Atrium SSO/jdk/bin:$PATH"
(Microsoft Windows) set PATH=\BMC Software\BMC Atrium SSO\jdk\bin;%PATH%
3. Copy the DoD CA certificate file into the following directory: /BMC Software/BMC Atrium SSO/tomcat/conf
4. Use the keytool utility to import the certificate into the truststore using the following parameters:
keytool -importcert -keystore cacerts.p12 -file DOD_CA19.cer -alias DOD_CA19 -storetype PKCS12 -providername JsafeJCE

Note In this example, the certificate file name, DOD_CA19.cer, may not be appropriate for your use.

5. Enter the password (Default: changeit).
6. Accept the certificate at the prompt.
7. If SSL is used to communicate with an external LDAP server, import that server's certificate into the truststore. Use the keytool utility to import the LDAP server's certificate into the BMC Atrium Single Sign-On truststore. If the LDAP server requires a client certificate, export the BMC Atrium Single Sign-On certificate and import it into the LDAP server's truststore before enabling CAC authentication. If CA-signed certificates are used for LDAPS, import the CA-signed certificate and any intermediate signing certificates into the truststores instead.
8. If you plan to use OCSP for authentication, import the OCSP responder certificate into the BMC Atrium Single Sign-On truststore with the alias AtssoOCSP.
9. Restart the Tomcat server.

7.9.6 Set up CAC certificates

This topic provides instructions for setting up CAC certificates to use for CAC authentication.

To set up CAC certificates
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. On the Main tab (default), select a User Profile type.

Note The User Profile applies to all authentication methods used for authentication.

3. In the Realm Authentication panel, click Add for a new authentication method and select the method. Alternatively, if you want to edit an existing module, select the module and click Edit.
4. Provide the parameters for the method and Save.
5. Set the flag for the authentication method.

Note You can provide parameter information for OCSP authentication, CRL authentication, or both. BMC does not recommend using the CRL approach due to the performance load experienced with the ever-increasing length of CRL lists.

CAC certificate parameters When adding or editing a CAC certificate module, the following options are available: Save to save your modifications. Reset to remove your modifications and stay on the editor. Help launches a browser that provides you with online help. Cancel to cancel and return to the launch page. Field

Parameters

Description

Name

Name for the Certificate and CAC authentication.

Use OCSP

Click Use OCSP in order to use the OCSP responder. BMC recommends that you use OCSP for validation. Note: The clock skew between the BMC Atrium Single Sign-On server and the OCSP server must not be greater than 15 minutes. Otherwise, the certificate authentication fails. See Clock skew too great for CAC authentication (see page 331).

Certificate Field for User Profile

Select one of the options. Options are Subject CN (Common Name attribute of the Subject DN), Subject DN (Distinguished Name), Subject UID (UID attribute of the Subject DN), Email, None, Other.

Forwarded Certificates

When running behind a load balancer or reverse proxy, the verification of ownership of the private key is not possible thru the SSL/TLS connection. Because of this verification restriction, the BMC Atrium Single Sign-On server requires that the fronting server be listed as a trusted host from which forwarded certificates can be trusted. Forwarded Certificate List

BMC Atrium Single Sign-On 8.1

This is the list of trusted host name that you add via the Trusted Host Name field. To delete a certificate, select the trusted host name and click Remove.

Page 130 of 389

BMC Software Confidential

Home

Field, Parameter and Description for the forwarded-certificate, CRL and trusted-certificate settings:

Forwarded Certificate List
Trusted Host Name: Enter the name of a host from which a forwarded certificate can be trusted.
Certificate HTTP Header Name: Enter the name of the HTTP header under which the forwarded certificate is passed.

Certificate Revocation Lists (CRL)
Use CRL: Select Use CRL to use a Certificate Revocation List (CRL). Note: BMC does not recommend using the CRL approach due to the performance load experienced with the ever-increasing length of CRL lists.
LDAP Server Where Certificates are Stored: Provide the Host and Port for the LDAP server where the certificates are stored. The host name must end with a colon followed by the port number for the LDAP server.
LDAP Start Search DN: Enter the DN of the node at which the search within the LDAP server starts. To connect with the LDAP server, you must have sufficient privileges to perform the search.
LDAP Server Password, Confirm LDAP Server Password: Provide and confirm the password for connecting with the LDAP server.
Check CA with CRL: When verifying a certificate, the CA certificate used to sign the certificate can also be verified against the CRL.
Use SSL/TLS: If you are using SSL, the LDAP server certificate must be imported into the BMC Atrium Single Sign-On truststore so that SSL can connect with the LDAP server.

Trusted Certificates
Trusted Certificates: Browse on your desktop to upload the trusted certificates file. Once uploaded, the file appears in the trusted certificates list. To remove a file, select it and click Remove.
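The trusted-host check and the Subject option above are easy to get wrong in a proxy deployment, so here is an added example (not BMC's code) of the two decisions a server behind a reverse proxy has to make: accept the certificate header only when the immediate peer is on the trusted host list, and then pull the selected attribute (Subject CN, Subject DN, Subject UID or Email) out of the certificate's Subject DN. The header name, trusted hosts and sample DNs are constructed for this example; the "Other" option, which the page leaves open, is not modelled.

```python
"""Added example, not BMC's code: handling a forwarded client certificate
behind a reverse proxy.  Header name, trusted hosts and DNs are constructed."""
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute, value) pairs, honouring backslash
    escapes so 'Doe\\, Jane' keeps its comma (multi-valued '+' RDNs are not split)."""
    pairs: list[tuple[str, str]] = []
    key, buf, escaped, in_key = "", [], False, True
    for ch in dn:
        if escaped:                      # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and in_key:       # end of the attribute type
            key, buf, in_key = "".join(buf).strip(), [], False
        elif ch == "," and not in_key:   # unescaped comma ends the RDN
            pairs.append((key, "".join(buf).strip()))
            buf, in_key = [], True
        else:
            buf.append(ch)
    if not in_key:
        pairs.append((key, "".join(buf).strip()))
    return pairs


# DN attribute(s) behind each Subject option; Email accepts the common spellings.
SUBJECT_OPTIONS = {
    "Subject CN": ("CN",),
    "Subject UID": ("UID",),
    "Email": ("EMAILADDRESS", "E", "MAIL"),
}


def subject_attribute(dn: str, option: str):
    """Value the server would use as the user identifier for the chosen option."""
    if option == "Subject DN":
        return dn
    if option == "None":
        return None
    wanted = SUBJECT_OPTIONS[option]     # KeyError for an unsupported option
    for attr, value in parse_dn(dn):
        if attr.upper() in wanted:
            return value
    return None


def forwarded_subject(peer_host: str, headers: dict, trusted_hosts, header_name: str):
    """Return the forwarded certificate subject only when the immediate peer is a
    listed trusted host.  From any other peer the header is ignored: a client
    reaching the server directly could otherwise set it to an arbitrary value."""
    if peer_host.lower() not in {h.lower() for h in trusted_hosts}:
        return None
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    return lowered.get(header_name.lower())
```

In practice the peer identity comes from the accepted TCP connection (or from mutual TLS with the proxy), never from another header; the point of the trusted host list is that only that one hop is believed.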

7.9.7 If using OCSP, enable OCSP for the server

If you plan to use OCSP for authentication, enable OCSP for the server.

1. Verify that the OCSP responder certificate was imported into the BMC Atrium Single Sign-On truststore.
2. On the BMC Atrium SSO Admin Console, click Edit Server Configuration.
3. In the Online Certificate Status Protocol field, select Enable OCSP and provide the server URL.
4. Click Save.

7.9.8 Where to go from here

See Administering (see page 263) for information about authentication, users, and groups.


7.9.9 Related topics

Troubleshooting CAC authentication (see page 326)

7.10 Using Kerberos for authentication

Kerberos is a network authentication protocol that is designed to provide strong authentication for client/server applications by using strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. This topic contains the following information:


Configuring Kerberos video (see page 133) Before you begin (see page 133) To set up Kerberos to use for authentication (see page 133) Where to go from here (see page 133)

7.10.1 Configuring Kerberos video

Click the following BMC Atrium Single Sign-On 8.1 Kerberos configuration video for more information: Watch video on YouTube at http://www.youtube.com/watch?v=Deo2od9ePRg

7.10.2 Before you begin

Before using Kerberos for authentication, a service principal for the BMC Atrium Single Sign-On server must be added to the realm. This service principal is used by clients to request a service ticket when authenticating. The service principal name is based on the host name of the server running BMC Atrium Single Sign-On. To use Kerberos authentication with Active Directory (AD) installed on a Windows 2008 machine, upgrade Windows 2008 to SP2 (at least) or apply the Hotfix for Windows (KB951191). In addition, the identity used for the service principal cannot be the computer identity hosting the Atrium SSO service.

Note

Kerberos authentication cannot be used to authenticate clients from the same computer where BMC Atrium Single Sign-On is installed.

7.10.3 To set up Kerberos to use for authentication

1. Generating a keytab for the service principal and mapping the Kerberos service name (see page 134)
2. Configuring the Kerberos module
3. Reconfiguring your browser (see page 138)

For information about troubleshooting issues with Kerberos, see Troubleshooting Kerberos authentication (see page 333).

7.10.4 Where to go from here

For information about managing users, user groups, and authentication modules, see Administering (see page 263).


7.10.5 Generating a keytab for the service principal and mapping the Kerberos service name

After the accounts for the service principals are created, a keytab file must be generated. This file contains sensitive information used by the BMC Atrium Single Sign-On servers when working with the Key Distribution Center (KDC) and Active Directory (AD). For Kerberos, the ktadd command is used to add the sensitive information to the keytab file and to map the Kerberos service name to the Active Directory identity.

Note

Anyone with read permissions to a keytab file can use all of the keys it contains. Permissions must be restricted and monitored on the keytab files that you create.

To generate a keytab file for the service principal and map the Kerberos service name

1. In the Active Directory server, run the ktpass command.
2. Map additional SPNs to the Kerberos identity using setspn.exe.
3. Copy the generated keytab file to the BMC Atrium Single Sign-On server host.

ktpass command syntax

By running the ktpass command, you generate a keytab file and create a mapping that associates the Kerberos service name with the identity in Active Directory. The placeholders in angle brackets stand for the values described below them.

ktpass /out <keytab-file> /mapuser <user-name> /princ HTTP/<FQDN>@<AD-domain> /pass <password> /ptype KRB5_NT_PRINCIPAL /Target <AD-domain> /kvno 0

In this case:
<keytab-file> is the name of the keytab file that you are generating.
<user-name> is the user name of the identity for the Atrium SSO service.
<FQDN> is the fully qualified domain name of the host, including the internet domain.
<password> is the password for the principal account.
<AD-domain> is the Active Directory domain name.

Note

The host name can also be modified through the hosts file. If you modified the host name through the hosts file, the browser and the system might need to be rebooted for the name change to take effect. The internet domain and the Active Directory domain are different domains. The internet domain is used to form a hierarchy of computer names for mapping a computer name to a host address. The Active Directory (AD) domain is used for grouping users for authentication purposes and maps to a Kerberos realm.

The principal name is case-sensitive. By convention:
Kerberos realms (and AD domains) are written in uppercase.
Host names are written in lowercase.
Database lookups are case-sensitive.

Important

The case-sensitive constraint means that the principal names expressed in the mappings must be written using the same case as those returned by a domain name lookup. Active Directory is not case-sensitive, while MIT Kerberos is case-sensitive.

setspn.exe command syntax

The setspn.exe utility program allows manipulation of SPNs within Active Directory. Multiple SPNs may need to be mapped to the Atrium SSO identity, depending upon the network configuration and whether running in HA mode behind a load balancer. Refer to the Microsoft documentation for further details. To add a new SPN, use the following command syntax (placeholders in angle brackets are described below):

setspn.exe -S <service-class>/<host>[:<port>] <user-name>

In this case:
<service-class> is the service class; for the Atrium SSO SPN, always use HTTP.
<host> is the fully qualified name of the host where the Atrium SSO server is running.
<port> is the port that Atrium SSO is using.
<user-name> is the name of the user identity for the Atrium SSO service.

To check for duplicate SPNs, use the following command syntax:

setspn.exe -X

This command uses a lot of memory in order to scan a large Active Directory database.


ktpass and setspn.exe command example

C:\>ktpass /out ssohost.keytab /princ HTTP/[email protected] /ptype KRB5_NT_PRINCIPAL /kvno 0 /mapuser atriumsso

This example also illustrates the best practice for the case of the components of the SPN:
HTTP: all uppercase
Host name: all lowercase
Domain name: all uppercase

In addition, note that the user name does not contain any spaces. While the example does provide the identity that the SPN is going to be mapped to, the setspn.exe command should also be executed to provide a complete mapping.

C:\>setspn.exe -A HTTP/[email protected] /atriumsso

setspn.exe should map the above SPN using the fully qualified domain name (FQDN) of the Atrium SSO server, and an additional SPN using just the host name. In other words, the following SPNs should be mapped:
HTTP/[email protected]
HTTP/[email protected]

Important

When running in HA mode behind a load balancer, the name of the load balancer should be used instead of the Atrium SSO server name.

A delay occurs in AD when changes to identities are made. Altering the SPN mappings can take about 15 minutes before the mappings are pushed out to the affected systems. This delay means that it will take some time after updating the identity SPNs before a login test can be performed.
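The case conventions, the FQDN-plus-short-name pair, the load balancer substitution in HA mode and the duplicate check with setspn -X above are all things that can be verified before touching Active Directory. The following added example (not BMC's code or tooling) normalizes a list of SPNs to the documented convention, reports case deviations and duplicates that differ only in case (which Active Directory treats as the same SPN but MIT Kerberos does not), and computes which of the expected SPNs are still missing. Host names and the realm are constructed sample values.

```python
"""Added example, not BMC's code: checking SPN case conventions, duplicates and
coverage for the Atrium SSO service identity.  Names below are constructed."""
from __future__ import annotations
import re

# service/host[:port][@REALM]
SPN_RE = re.compile(r"^(?P<svc>[^/]+)/(?P<host>[^:@]+)(?::(?P<port>\d+))?(?:@(?P<realm>.+))?$")


def normalize_spn(spn: str) -> str:
    """Rewrite an SPN to the documented convention: service class and realm in
    uppercase, host name in lowercase.  Raises ValueError on a malformed SPN."""
    m = SPN_RE.match(spn)
    if not m:
        raise ValueError(f"malformed SPN: {spn!r}")
    svc, host, port, realm = m.group("svc", "host", "port", "realm")
    out = f"{svc.upper()}/{host.lower()}"
    if port:
        out += f":{port}"
    if realm:
        out += f"@{realm.upper()}"
    return out


def expected_spns(server_fqdn: str, ad_domain: str, load_balancer_fqdn: str | None = None) -> set[str]:
    """The two SPNs the page says should be mapped: one for the FQDN and one for the
    bare host name.  In HA mode the load balancer name replaces the server name."""
    name = (load_balancer_fqdn or server_fqdn).lower()
    realm = ad_domain.upper()
    short_host = name.split(".")[0]
    return {f"HTTP/{name}@{realm}", f"HTTP/{short_host}@{realm}"}


def check_spns(spns: list[str]) -> dict:
    """Flag SPNs that deviate from the case convention and pairs that collide once
    normalized (what setspn -X would also report as duplicates)."""
    seen: dict[str, str] = {}
    case_issues, duplicates = [], []
    for spn in spns:
        norm = normalize_spn(spn)
        if norm != spn:
            case_issues.append(spn)
        if norm in seen:
            duplicates.append((seen[norm], spn))
        else:
            seen[norm] = spn
    return {"case_issues": case_issues, "duplicates": duplicates}


def missing_spns(registered: list[str], server_fqdn: str, ad_domain: str,
                 load_balancer_fqdn: str | None = None) -> set[str]:
    """Expected SPNs not yet present among the registered ones (compared normalized)."""
    have = {normalize_spn(s) for s in registered}
    return expected_spns(server_fqdn, ad_domain, load_balancer_fqdn) - have
```

Feed `check_spns` the output of `setspn -L <account>` (one SPN per line, realm omitted if the tool does not print one) to see whether an existing account already carries a colliding or mis-cased entry before adding another.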

7.10.6 Configuring the Kerberos module

This topic provides instructions for configuring the Kerberos module.

To configure the Kerberos module

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. On the Main tab (default), select a User Profile type.

Note: The User Profile applies to all authentication methods used for authentication.

3. In the Realm Authentication panel, click Add for a new authentication method and select the method. Alternatively, if you want to edit an existing module, select the module and click Edit.
4. Provide the parameters for the method and click Save.
5. Set the flag for the authentication method.

Important Restart the BMC Atrium Single Sign-On server after configuring the Kerberos module.

Kerberos configuration parameters

When adding or editing a Kerberos module, the following options are available: Save to save your modifications. Reset to remove your modifications and stay on the editor. Help launches a browser that provides you with online help. Cancel to cancel and return to the launch page.

Parameters and descriptions:

Service Principal: The Kerberos principal that is used for authentication. The service principal is used by clients to request a service ticket when authenticating. The service principal name is based on the host name of the server running BMC Atrium Single Sign-On.
Keytab File Name: The Kerberos keytab file that is used for authentication; enter the absolute path to the keytab file. The keytab file contains the password for the service principal.
Kerberos Realm: The KDC domain name.
KDC Server: The KDC host name. You must enter the fully qualified domain name (FQDN) of the domain controller.
UserId Format: The following parameters are used:
Use Domain Name with Principal: If this check box is selected, the service allows BMC Atrium Single Sign-On to automatically use the Kerberos principal with the domain controller's domain name during authentication.
Forced character case: Select the character case for the user ID. You can choose any of the three options: No change, UPPERCASE, and lowercase. The UserId is displayed in the selected format in the user store.
Return UserId to User Store: If this check box is selected, user store searches use the original UserId instead of the value modified by the UserId Format parameter. For example, the user ID from authentication could be atsso\abcxyz, but the value abcxyz is used to search the user store.
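The three UserId options interact (domain prefix, forced case, and whether the user store search sees the modified or the original name), so here is an added example (not BMC's code) that applies them to a Kerberos principal string. The page shows only the atsso\abcxyz shape; that the Use Domain Name with Principal option yields DOMAIN\user with the domain taken from the first realm label is this example's assumption, and the principals are constructed samples.

```python
"""Added example, not BMC's code: applying the Kerberos module's UserId Format
and Return UserId to User Store settings to an authenticated principal.
Assumption: Use Domain Name with Principal produces 'DOMAIN\\user' with DOMAIN
taken from the first label of the Kerberos realm."""
from __future__ import annotations

FORCED_CASES = ("No change", "UPPERCASE", "lowercase")


def split_principal(principal: str) -> tuple[str, str | None]:
    """'abcxyz@ATSSO.BMC.COM' -> ('abcxyz', 'ATSSO.BMC.COM'); no realm -> None."""
    if "@" in principal:
        user, realm = principal.rsplit("@", 1)
        return user, realm
    return principal, None


def format_user_id(principal: str, use_domain_name: bool = False,
                   forced_case: str = "No change") -> str:
    """The UserId as shaped by the UserId Format parameter."""
    if forced_case not in FORCED_CASES:
        raise ValueError(f"unknown Forced character case: {forced_case!r}")
    user, realm = split_principal(principal)
    if use_domain_name and realm:
        # Assumption (see lead-in): domain name = first label of the realm.
        user_id = f"{realm.split('.')[0]}\\{user}"
    else:
        user_id = user
    if forced_case == "UPPERCASE":
        return user_id.upper()
    if forced_case == "lowercase":
        return user_id.lower()
    return user_id


def user_store_search_value(principal: str, use_domain_name: bool = False,
                            forced_case: str = "No change",
                            return_user_id_to_user_store: bool = False) -> str:
    """What the user store is searched with.  With Return UserId to User Store
    selected, the original (unprefixed, unmodified) user name is used, which is
    the page's atsso\\abcxyz -> abcxyz example."""
    if return_user_id_to_user_store:
        return split_principal(principal)[0]
    return format_user_id(principal, use_domain_name, forced_case)
```

A mismatch between the two values is the usual cause of "authenticated but not found in user store" errors: the store entry is keyed one way and the module searches the other way.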


7.10.7 Reconfiguring your browser

This topic provides instructions for reconfiguring your browser for Kerberos.

To reconfigure Internet Explorer

Your Internet Explorer must be version 7 or greater. The following instructions are for Internet Explorer 8.

1. Navigate to Tools > Internet Options > Advanced.
2. On the Advanced tab and in the Security section, select the Enable Integrated Windows Authentication option (requires restart).
3. On the Security tab, select Local Intranet.
4. Click Custom Level.
5. In the User Authentication/Logon section, select Automatic logon only in Intranet zone.
6. Click OK.
7. Click Sites and select all of the options (default).
8. From the Sites popup, click Advanced and add the Access Manager web site to the local zone (the website might be already added). For example, sample.bmc.com.
9. Click Add.
10. Click OK for all of the pop-ups.

To reconfigure Firefox

1. Enter the following URL: about:config
2. Click I'll be careful, I promise!
3. Double click the Preference Name: network.negotiate-auth.trusted-uris
4. Add the Fully Qualified Domain Name (FQDN) of the host, for example, sample.bmc.com.
5. Click OK.

7.11 Using LDAP (Active Directory) for authentication

BMC Atrium Single Sign-On provides support for using external Lightweight Directory Access Protocol (LDAP) servers for authentication. Support for LDAP also includes using external Active Directory (AD) servers for authentication. The Active Directory authentication must be configured for the enterprise environment.


Before you begin (see page 139) To set up LDAP (AD) for authentication (see page 139) LDAP (AD) parameters (see page 139) Where to go from here (see page 141)

7.11.1 Before you begin

If you plan to enable SSL access, import the certificates and restart the Tomcat server before setting up LDAP (AD) authentication. See Managing keystores with a keytool utility (see page 239) for more information.

7.11.2 To set up LDAP (AD) for authentication

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. On the Main tab (default), select a User Profile type.

Note: The User Profile applies to all authentication methods used for authentication.

3. In the Realm Authentication panel, click Add for a new authentication method and select the method. Alternatively, if you want to edit an existing module, select the module and click Edit.
4. Provide the parameters for the method and click Save.
5. Set the flag for the authentication method.

Note If you enabled SSL Access to the LDAP Server, import the certificates and restart the Tomcat server before enabling LDAP authentication. See Managing keystores with a keytool utility (see page 239) for more information.

7.11.3 LDAP (AD) parameters

When adding or editing an LDAP module, the following options are available: Save to save your modifications. Reset to remove your modifications and stay on the editor. Help launches a browser that provides you with online help. Cancel to cancel and return to the launch page.


Field, Parameter and Description:

Primary LDAP Server
Name: (Required) Enter the host's Fully Qualified Domain Name (FQDN) for the primary LDAP server.
Port: If the LDAP server is not listening on the default port (389), specify the port number.
Use SSL: (Optional) Enable to use SSL to connect to the LDAP servers. In addition, before communications can be established, the certificates for the LDAP servers (primary and secondary) must be imported into the BMC Atrium Single Sign-On Tomcat truststore. For more information about importing certificates into the BMC Atrium Single Sign-On truststore, see Importing a certificate into the truststore (see page 243). If the remote LDAP server requires client authentication for SSL, the BMC Atrium Single Sign-On server's certificate might need to be imported into the LDAP server's truststore. Note: If you enabled SSL Access to the LDAP Server, import the certificates and restart the Tomcat server before enabling LDAP authentication. See Managing keystores with a keytool utility (see page 239) for more information.

Secondary LDAP Server
Name: The secondary LDAP server is only used when the primary server is not available. It is not used in parallel or when a user fails to authenticate with the primary server.
Port: If the secondary server is not listening on the default LDAP port, specify the port number.
Use SSL: (Optional) Enable to use SSL to connect with the LDAP servers. The certificate import, client authentication and Tomcat restart requirements are the same as for the primary server's Use SSL parameter.
Set Recheck Primary Server Interval (minutes): (Optional) The amount of time that the server uses the secondary server before attempting to reconnect with the primary server.

User Account for Search
Distinguished Name, Password, Confirm Password: (Required) The DN is the login name that is used to connect to the LDAP server. The user must have privileges to perform searches on the primary and secondary LDAP servers. Enter the DN for the user, the password, and the password confirmation. For example, you can use the Distinguished Name CN=bsmuser,CN=users,DC=bsmdsl,DC=bmc,DC=com and a password of your choice.

Attributes for User Search
Attribute Name: Add attribute names using the Attribute Name parameter, or remove an attribute from the attribute list. For example, you can add CN as the attribute name for user search.

DN to Start Search
Base DN: Enter the starting locations within the LDAP directory for performing user searches; for each starting point, enter the login name (DN). Add a base DN name or remove the name from the list. The search DNs should be as specific as possible for performance reasons. The depth of the search that is performed can be configured. If an Object search is specified, then the DN should be the DN of the node containing the users. For example, CN=bsmuser,CN=users,DC=bsmdsl,DC=bmc,DC=com.
Attribute for User Profile Name: The Base DN and the attribute for user profile name are additional search parameters. For example, you can use CN as the attribute for user profile name.
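The secondary-server rules above are subtle: the secondary is used only when the primary is unreachable (a wrong password is not a reason to fail over), and once failed over the primary is not retried until the recheck interval elapses. The following added example (not BMC's code) models exactly that selection logic with in-memory stand-in servers and a controllable clock; the DN is the page's example, the password and server names are constructed.

```python
"""Added example, not BMC's code: primary/secondary LDAP selection with a
recheck interval, as described for the LDAP module.  The servers are in-memory
fakes so the example runs offline."""
from __future__ import annotations


class FakeLdapServer:
    """Stand-in for an LDAP server: DN -> password map (constructed sample data),
    an availability switch and a counter of connection attempts."""

    def __init__(self, name: str, users: dict[str, str], available: bool = True):
        self.name = name
        self.users = users
        self.available = available
        self.connect_attempts = 0

    def connect(self) -> "FakeLdapServer":
        self.connect_attempts += 1
        if not self.available:
            raise ConnectionError(f"{self.name} unreachable")
        return self

    def bind(self, dn: str, password: str) -> bool:
        # A wrong password is an authentication failure, not an outage.
        return self.users.get(dn) == password


class LdapFailover:
    """Picks the primary or secondary server according to the module's rules."""

    def __init__(self, primary, secondary, recheck_minutes: int, clock):
        self.primary = primary
        self.secondary = secondary
        self.recheck_seconds = recheck_minutes * 60
        self.clock = clock            # callable returning seconds; injectable for tests
        self.failed_over_at = None    # when the primary was last found unreachable

    def _server(self):
        now = self.clock()
        if self.failed_over_at is not None and now - self.failed_over_at < self.recheck_seconds:
            return self.secondary.connect()   # inside the recheck interval: do not probe primary
        try:
            conn = self.primary.connect()
            self.failed_over_at = None        # primary reachable (again)
            return conn
        except ConnectionError:
            self.failed_over_at = now
            return self.secondary.connect()   # raises too if the secondary is also down

    def authenticate(self, dn: str, password: str) -> tuple[str, bool]:
        conn = self._server()
        return conn.name, conn.bind(dn, password)


def scenario() -> list:
    """Walk through the rules with a manual clock; returns each step's outcome."""
    dn = "CN=bsmuser,CN=users,DC=bsmdsl,DC=bmc,DC=com"   # DN from the page's example
    directory = {dn: "s3cret-sample"}                       # constructed password
    primary = FakeLdapServer("primary", directory)
    secondary = FakeLdapServer("secondary", directory)
    clock = {"t": 0}
    ldap = LdapFailover(primary, secondary, recheck_minutes=5, clock=lambda: clock["t"])
    results = []
    results.append(ldap.authenticate(dn, "wrong"))           # bad password: stays on primary
    primary.available = False
    results.append(ldap.authenticate(dn, "s3cret-sample"))   # outage: falls over to secondary
    probes = primary.connect_attempts
    clock["t"] = 120                                         # 2 min later, inside the interval
    results.append(ldap.authenticate(dn, "s3cret-sample"))
    results.append(("primary probed", primary.connect_attempts != probes))
    primary.available = True
    clock["t"] = 301                                         # interval elapsed: primary retried
    results.append(ldap.authenticate(dn, "s3cret-sample"))
    return results
```

The counter on `connect_attempts` is the useful check: a failover implementation that hammers the primary on every request defeats the purpose of the recheck interval.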


7.11.4 Where to go from here

In Administering (see page 263), see managing users, user groups, and authentication modules.

7.12 Using RSA SecurID for authentication

RSA SecurID provides a two-factor authentication scheme for user authentication. This approach uses a password that has a very short life span, typically one minute. By combining a passcode with a hardware-generated token value, users are authenticated with this short-span password. This method of authentication narrows the opportunity for exploitation by anyone who manages to eavesdrop on the Transport Layer Security (TLS) confidential communications.

Note After authentication, the combination passcode + token is no longer valid.

To configure the SecurID module (see page 141) SecurID parameters (see page 142) To modify the rsa_api.properties file (see page 142) Where to go from here (see page 143)

7.12.1 To configure the SecurID module

To use SecurID Chain for user authentication, the module must first be configured with information about the RSA Authentication Manager server. This information is contained in the sdconf.rec file. After being configured, SecurID Chain is enabled for authentication use.

1. Copy the sdconf.rec file retrieved from the RSA SecurID server to the BMC Atrium Single Sign-On server at the following location: <installationDirectory>/BMC Software/BMC Atrium SSO/tomcat/webapps/BMC Atrium SSO/WEB-INF/config/BMC Atrium SSO/auth/ace/data
2. Configure the SecurID module.
   a. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
   b. On the Main tab (default), select a User Profile type. Note: The User Profile applies to all authentication methods used for authentication.
   c. In the Realm Authentication panel, click Add for a new authentication method and select the method. Alternatively, if you want to edit an existing module, select the module and click Edit.
   d. Provide the parameters for the method and click Save.
   e. Set the flag for the authentication method.
3. (Optional) Edit the rsa_api.properties file for additional configuration.

7.12.2 SecurID parameters

When adding or editing a SecurID module, the following options are available: Save to save your modifications. Reset to remove your modifications and stay on the editor. Help launches a browser that provides you with online help. Cancel to cancel and return to the launch page.

Parameter and description:

ACE/Server Configuration Path: Specify the full path for the new location of the sdconf.rec file. The configuration path is used to specify the location of the sdconf.rec file used to contact the RSA SecurID server.

7.12.3 To modify the rsa_api.properties file

Additional configuration of the SecurID module communications with the RSA Authentication Manager is available by editing the rsa_api.properties file.

SecurID authentication files and locations (RSA SecurID authentication file name and location):

rsa_api.properties: <installationDirectory>/BMC Software/BMC Atrium SSO/tomcat/webapps/BMC Atrium SSO/WEB-INF/config/BMC Atrium SSO/auth/ace/data. This location is the default; however, the path is configurable in the SecurID authentication module configuration. installationDirectory is the base configuration directory specified during BMC Atrium Single Sign-On configuration.
sdconf.rec: Located in the same directory as rsa_api.properties (default), but configurable through the rsa_api.properties file.
Node Secret: Located in the same directory as rsa_api.properties (default), but configurable through the rsa_api.properties file.
sdstatus.12: Located in the same directory as rsa_api.properties (default), but configurable through the rsa_api.properties file.

Properties of primary importance (and their default values):
SDCONF_FILE (FILE)
SDCONF_LOC: //auth/ace/data/sdconf.rec
SDSTATUS_TYPE (FILE)
SDSTATUS_LOC: //auth/ace/data/sdstatus
SDNDSCRT_TYPE (FILE)
SDNDSCRT_LOC: //auth/ace/data/secured
RSA_LOG_FILE: //debug/rsa_api.log
RSA_LOG_LEVEL (INFO; other values are OFF, DEBUG, WARN, ERROR, FATAL)
RSA_DEBUG_FILE, if RSA_ENABLE_DEBUG=YES: //debug/rsa_api_debug.log

7.12.4 Where to go from here

In Administering (see page 263), see managing users, user groups, and authentication modules.

7.13 Using SAMLv2 for authentication

Security Assertion Markup Language (SAML) is an XML-based OASIS standard for exchanging user identity and security attributes information. It uses security tokens containing assertions to pass information about a principal (usually an end user) between an identity provider (IdP) and a web service. SAMLv2 is implemented by grouping a collection of entities to form a Circle of Trust. The Circle of Trust is composed of a Service Provider (SP) and an Identity Provider (IdP). The Identity Provider authenticates the users and provides this information to the Service Provider. The Service Provider hosts services that the user accesses.


Configuring SAMLv2 video (see page ) SAMLv2 configuration options (see page 144) SAMLv2 implementation (see page 144) Typical SAMLv2 deployment (see page 145) Typical SAMLv2 deployment architecture (see page 145) Related topics (see page 146)

7.13.1 Configuring SAML V2 video

Click the following BMC Atrium Single Sign-On 8.1 SAML V2 configuration video for more information: Watch video on YouTube at http://www.youtube.com/watch?v=ZebEMQuoVhA

7.13.2 SAMLv2 configuration options

BMC Atrium Single Sign-On can be configured to perform as an SP or as an IdP. In addition, the user accounts can be federated in bulk.
Configuring BMC Atrium Single Sign-On as an SP
Configuring BMC Atrium Single Sign-On as an IdP
Federating user accounts in bulk (see page 157)

7.13.3 SAMLv2 implementation

In BMC Atrium Single Sign-On, SAMLv2 is implemented from the Federation panel in the BMC realm.


7.13.4 Typical SAMLv2 deployment

In a typical SAMLv2 deployment scenario, the BMC Atrium Single Sign-On server is configured as an SP for BMC products. The BMC Atrium Single Sign-On SP is then added to a Circle of Trust which includes an IdP. The IdP provides the authentication services for the BMC Atrium Single Sign-On system. In addition, the IdP caches authentication information within the browser. This information allows the IdP to automatically re-authenticate a user without the user re-entering their credentials. For more information about automatic logon behavior, see Logon and logoff issues (see page 316).

Note

The BMC Atrium Single Sign-On SAMLv2 implementation is limited to:
SAML 2.0 browser-based transient Federation and Federated SSO
Browser-based HTTP GET and POST binding mechanisms of the SAML 2.0 protocol

7.13.5 Typical SAMLv2 deployment architecture

The following illustration shows BMC Atrium Single Sign-On configured as an SP. BMC products are integrated with BMC Atrium Single Sign-On which, in turn, hosts the SP for the Circle of Trust. For the IdP, any SAMLv2 IdP can be used. In addition, a second BMC Atrium Single Sign-On server can be configured to host an IdP.

[Figure: BMC Atrium Single Sign-On server configured as an SP]


7.13.6 Related topics

Troubleshooting SAMLv2

7.13.7 Configuring BMC Atrium Single Sign-On as an SP

In a Circle of Trust, BMC Atrium Single Sign-On is normally configured as a Service Provider (SP) for BMC products. The Circle of Trust is then completed with an Identity Provider (IdP) to provide authentication for the federated single sign-on. The following topics are provided:
Verify that certificates were imported into the truststore (see page 147)
Create a local SP (see page 147)
Create a remote IdP (see page 149)
Modify the JEE agents (see page 150)
Agent Editor (see page 151)
(Optional) Federate your user accounts in bulk (see page 153)
Where to go from here (see page 153)

Verify that certificates were imported into the truststore

Before configuring BMC Atrium Single Sign-On with a Service Provider, verify that all the certificates used for network communication (Transport Layer Security) between the servers that are participating in the Circle of Trust have been imported into the truststore of BMC Atrium Single Sign-On. If you are using signed certificates, import only the root CA certificate. If you are using self-signed certificates, import the public certificates into the truststore. For more information about importing certificates, see Managing keystores with a keytool utility (see page 239) and Importing a certificate into the truststore (see page 243).

Create a local SP

If you are using a second BMC Atrium Single Sign-On server as an IdP, the certificate from that server must be exported from the /tomcat/conf/keystore.p12 file and imported into the cacerts.p12 of the BMC Atrium Single Sign-On server that is providing the SP role.

To create a local SP

1. On the BMC Atrium SSO Admin Console, click Edit BmcRealm.
2. On the Federation tab, click Add.
3. Select Local Service Provider (SP).
4. Provide the local SP information.
5. Click Save.

Local SP parameters

The Local Service Provider (SP) Editor has the following options: Save to save your modifications. Reset to remove your modifications and stay on the editor. Help launches a browser that provides you with online help. Cancel to cancel and return to the launch page.

Field, Parameter and Description:

Name: Name for the SP or accept the provided SP name. The Name field is pre-populated with a value that reflects the expected SP name.
MetaAlias: The internally generated identifier for the entity. This value is used in the SAMLv2 login URL specified in the agents configuration.
Binding: This option determines the way in which SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and Post are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with Post.
Artifact Encoding: The encoding technique used for Assertion Artifacts. The encoding method is determined by the IdP and is usually related to the binding method. From the drop-down menu, select URI or FORM.

Sign Messages
Signing Certificate Alias: The alias specifies the certificate that is used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the SP.
Authentication, Logout Request, Logout Response, Manager Name ID, Artifact Resolve, and Post Resolve: These parameters are the SAMLv2 messages that are to be signed by the SP or are expected to have been signed by the SP.

Encrypt Elements
Encryption Certificate Alias: The alias specifies the private key that is used to encrypt the secret key used to encrypt the SAMLv2 messages.
Encryption Algorithm: The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128, or AES-256, from the drop-down menu.
Assertion, Attribute, Name ID: Specifies whether to encrypt the Assertion, Attribute, and Name ID or leave them in plain text.

Assertion Time
Not-Before Skew (seconds): In order to compensate for clock drift between remote machines, this value specifies the amount of time that a message is considered valid when it is received before the issue time in the message.
Effective Time (seconds): Amount of time that an assertion is valid, counting from the assertion's issue time.

SOAP Basic Authentication: SOAP Basic authentication can be enabled to protect the SOAP SP endpoints. Any provider accessing these endpoints must provide these user name and password values.
Attribute Mapping: Attribute Mapping is used to take user attributes (such as email, phone number, etc.) from the external user store and map them to the attributes used within the BMC Atrium Single Sign-On system. A mapping is defined by entering the name of the SAML Attribute, selecting from the drop-down the Atrium SSO Attribute that the external attribute is going to map to, and clicking Add to put the new mapping into the table.
Auto Federation: Allows BMC Atrium Single Sign-On to use an attribute of the Assertion from the IdP to automatically create an identity within the BMC Atrium Single Sign-On system. The identity is created by bypassing the initial double login normally performed when federating a user account with SAMLv2.
Name ID Format: Defines the name identifier formats supported by the service provider. Name identifiers are a way for providers to communicate with each other regarding a user. The Name ID format list is an ordered list; the first Name ID has the highest priority in determining the Name ID format to use. If the user does not specify a Name ID to use when initiating single sign-on, the first one in this list that is supported by the remote Identity Provider is chosen. A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary and no data is written to the user's persistent data store. Note: For linking user accounts from the SP and IdP (Remote Identity Provider) together after logging in, the persistent nameID format must be at the top of the list.
Authentication Context: This attribute maps the SAMLv2-defined authentication context classes to the authentication level set for the user session for the service provider.
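Two of the parameters above, the Assertion Time pair and the ordered Name ID Format list, are pure decision rules that an SP applies to every assertion. Here is an added example (not BMC's or OpenAM's code) of those rules: it reads IssueInstant from a minimal, constructed SAML 2.0 Assertion, applies Not-Before Skew and Effective Time around it, and picks the first SP-preferred Name ID format the IdP also supports. The sample assertion carries no Conditions or signature, which a real SP must also verify.

```python
"""Added example, not BMC's code: applying the SP's Assertion Time settings
(Not-Before Skew, Effective Time) to an assertion's IssueInstant, and choosing
a Name ID format from the SP's ordered list.  The assertion XML is a constructed
minimal sample (no Conditions, Subject or signature)."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # SAML dateTime in UTC; fractional seconds not handled here

# Constructed sample assertion for this example.
SAMPLE_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c0ffee" Version="2.0" '
    'IssueInstant="2024-01-01T12:00:00Z">'
    '<saml:Issuer>https://idp.example.test/idp</saml:Issuer>'
    '</saml:Assertion>'
)


def parse_utc(value: str) -> datetime:
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def issue_instant(assertion_xml: str) -> datetime:
    """IssueInstant of a SAML 2.0 Assertion element; rejects any other root element."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion element")
    return parse_utc(root.attrib["IssueInstant"])


def assertion_time_status(issued: datetime, now: datetime,
                          not_before_skew: int = 600, effective_time: int = 600) -> str:
    """'valid', 'not yet valid' or 'expired' for the SP's Assertion Time settings."""
    earliest = issued - timedelta(seconds=not_before_skew)  # tolerate an IdP clock ahead of ours
    latest = issued + timedelta(seconds=effective_time)     # Effective Time counts from issue
    if now < earliest:
        return "not yet valid"
    if now >= latest:
        return "expired"
    return "valid"


def status_at(assertion_xml: str, now_iso: str,
              not_before_skew: int = 600, effective_time: int = 600) -> str:
    """Convenience wrapper: evaluate an assertion at a given UTC instant string."""
    return assertion_time_status(issue_instant(assertion_xml), parse_utc(now_iso),
                                 not_before_skew, effective_time)


def choose_name_id_format(sp_ordered_formats, idp_supported_formats):
    """First entry of the SP's ordered Name ID Format list that the IdP supports."""
    for fmt in sp_ordered_formats:
        if fmt in idp_supported_formats:
            return fmt
    return None
```

A large Not-Before Skew hides clock drift but also widens the replay window, so keep it just above the drift you actually observe between the IdP and the SP.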

Create a remote IdP

1. On the BMC Atrium SSO Admin Console, click Edit BmcRealm.
2. On the Federation panel, click Add.
3. Select Remote Identity Provider (IdP).
4. Before uploading the IdP metadata, you must import a signed certificate into the cot.jks keystore used for SAMLv2 authentication. The cot.jks file is located in the /tomcat directory.
5. Create a name for the remote IdP and upload the IdP metadata on the Create Identity Provider (IdP) pop-up.

Parameters and descriptions:

Name: Name for the remote IdP.
URL: Select URL to acquire the remote IdP metadata from the URL location. Specify the FQDN of the host, including the port and any required path information. This URL is IdP-specific. For information on the metadata URL, consult the IdP documentation. For information about providing IdP metadata from another Atrium Single Sign-On server, see Providing IdP metadata from another Atrium Single Sign-On server (see page 149).
File Upload: Select File Upload to upload a file that contains the remote IdP metadata.

Providing IdP metadata from another Atrium Single Sign-On server

When using another Atrium Single Sign-On server as an IdP, the following URL template is used to access the metadata needed by the SP (placeholders in angle brackets are described below):

https://<host>:<port>/atriumsso/saml2/jsp/exportmetadata.jsp?role=idp&realm=BmcRealm&entityid=<entityid>

In this case:
host is the FQDN of the BMC Atrium Single Sign-On server hosting the IdP.
port is the port used for secure communication of the BMC Atrium Single Sign-On server hosting the IdP.
entityid is the name of the IdP hosted by the BMC Atrium Single Sign-On server.

For example: https://idp.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp?role=idp&realm=BmcRealm&entityid=https://id

6. Click Save.
7. On the Federation panel, select the remote IdP.
8. Click Edit.
9. Provide the remote IdP parameters.
10. Click Save.


Remote IdP Editor parameters

The Remote Identity Provider (IdP) Editor has the following options: Save to save your modifications; Reset to remove your modifications and stay on the editor; Help to launch a browser that provides online help; Cancel to cancel and return to the launch page.

Name: Name for the IdP, or accept the provided IdP name. The Name field is pre-populated with a value that reflects the expected IdP name.

Binding: Determines the way in which SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and HTTP-POST are used when a direct connection between the IdP and the SP is not possible; the user's browser carries the messages. The two bindings differ in the method used to exchange the SAMLv2 messages: an HTTP redirect with the message in the query string, or an XHTML form submitted with POST.

Sign Messages

Signing Certificate Alias: The alias specifies the certificate that is used to sign the specified SAML messages. Signatures let the receiver verify that a message has not been altered in transit and that it originated with the IdP. Without a signature the SP cannot distinguish a forged or modified message from a genuine one, so keep signing enabled for every message type the IdP supports.

Authentication Request, Logout Request, Logout Response, Manage Name ID Request, Manage Name ID Response, and Artifact Resolve: These are the SAMLv2 message types that are signed by the IdP, or that the IdP expects to have been signed by the SP.

Encrypt Elements

Encryption Certificate Alias: The alias identifies the key pair whose public key is used to encrypt the symmetric key that in turn encrypts the SAMLv2 message content; the private key of that pair is what decrypts it.

Encryption Algorithm: The algorithm used to encrypt SAMLv2 messages. Select None, 3DES, AES-128, or AES-256 from the drop-down menu. Prefer AES-256 or AES-128: 3DES is a legacy option, and None leaves the assertion contents, including any mapped attributes, readable by the user's browser and by anything on the path that can read the HTTP messages.

Name ID: Specifies whether to encrypt the Name ID or leave it in plain text.

Modify the JEE agents

As part of configuring BMC Atrium Single Sign-On to host an SP, the J2EE agent configuration must be modified to work with SAMLv2 federation.

Note: Each time a BMC product is integrated with the BMC Atrium Single Sign-On SP, the configuration must be modified so that the integrating product can function in the federated SSO.

1. On the BMC Atrium SSO Admin Console, click Agent Details.
2. Select the agents associated with a BMC product integrated with this Atrium Single Sign-On server. For example, [email protected]:8443.
3. Click Edit.
   a. Delete the URLs in the Login URI field.
   b. Enter the federated log in URL. For information about the log in URL syntax, see Federated log in URL syntax (see page 152).
   c. Delete the URLs in the Logout URI field.
   d. Enter the federated log out URL. For information about the log out URL syntax, see Federated log out URL syntax (see page 152).
   e. Click Save.

The Agent manager provides an Agent panel that allows you to edit, delete, and search for an agent, and shows the agent name, realm, and state. The state indicates whether the agent is running or down. When searching for an agent, * returns all names. The filter string applies to all columns in the agent panel, and an agent is returned for display when the string is found within any of these values; for example, specifying "Running" filters the list to the agents that are running.

Agent Editor

The Agent Editor allows you to modify the configuration of an agent. By modifying the agent configuration, you can correct problems caused by environment difficulties. For example, a remote host may report its FQDN (Fully Qualified Domain Name) incorrectly, using a plain name such as machine instead of machine.bmc.com. The Agent Editor is launched when you select an agent and click Edit. The Agent Editor has the following options: Save to save your modifications; Reset to remove your modifications and stay on the editor; Help to launch a browser that provides online help; Cancel to cancel and return to the launch page.

Notification URL: The URL where the agent receives notifications from the server about session logouts. It is composed of the product's base URI with "/atsso" appended. For example, https://sample.bmc.com/arsys/atsso

Status: Determines whether the agent is enforcing SSO authentication (active) or not (inactive). An inactive agent passes requests to the application without requiring an SSO session.

Logging Level: The level of logging the agent performs in the product.

Redirect Limit: The number of times the agent redirects the browser to the server for authentication before signaling an error; 0 means no limit. Keep a finite limit so that a misconfigured login URL produces an error page rather than an endless redirect loop.

Password and Confirm Password: Password used by the agent to access its configuration in the SSO server.

Cookie Name: The name of the cookie that the agent checks for the SSO session token. It must match the cookie name in the server configuration. Note: To ensure browser compatibility, the cookie name should contain only alphanumeric and underscore characters.

Login URI and Logout URI: The locations to which the agent sends the user's browser when the specified function is needed. When an agent is federated, the login and logout URLs for the agent must be modified to interact with the IdP.

Login Probe and Logout Probe: The probe validates that the destination is accessible before sending the user to the location. If it is not, the agent tells the user that the SSO system is inaccessible. The probe should be turned off in environments where the URI cannot be contacted from the agent's environment, such as when the URI contains a host that is to be accessed through a reverse proxy.

Enable Cache: Select this option to enable the session cache. Disabling the cache has a severe performance impact.

Fully Qualified Domain Name Mapping: This FQDN mapping allows the agent to fix the URL used to access the application so that the browser sends cookies to the application. The SSO session is identified through cookies, and the session cookie is set for the SSO cookie domain (for example, .bmc.com). A browser sends a cookie only to hosts that match that domain, so when a URL uses a host name that is not an FQDN (machine instead of machine.bmc.com), the browser does not send the cookie to the server.

FQDN of Agent Host: The FQDN of the host where the agent is located. Enabling FQDN mapping causes the agent to redirect requests that use one of the entered trigger host names to the entered FQDN.

Trigger host list and Trigger Host Name: The hosts that trigger the FQDN redirect. The Trigger host list allows you to remove a host from the list; Trigger Host Name allows you to add a host to the Trigger host list.

Not Enforced URI and URI: The Not Enforced URI field allows you to remove URIs from the Not Enforced URI list. The URI field allows you to add a URI to the Not Enforced URI list. Requests that match a not-enforced URI reach the application without an SSO session, so keep this list to the resources that genuinely must be reachable anonymously.
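The following is an added example, not code from the BMC documentation or product: it shows the two browser rules behind the Cookie Name and Fully Qualified Domain Name Mapping settings above (RFC 6265 cookie domain matching, and the host rewrite the agent performs for trigger hosts). The host names, cookie domain and URLs are invented for the example.

```python
"""Added example, not BMC code: why the agent's FQDN mapping exists and what
the redirect it performs looks like. Hosts and URLs below are invented."""
import re
from urllib.parse import urlsplit, urlunsplit

# Alphanumeric and underscore only, as the Cookie Name note recommends.
COOKIE_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")


def valid_cookie_name(name: str) -> bool:
    return bool(COOKIE_NAME_RE.match(name))


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching: decides whether the browser
    attaches a cookie set for cookie_domain (e.g. .bmc.com) to a request."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")
    if host == domain:
        return True
    if not host.endswith("." + domain):
        return False  # 'machine' and 'evilbmc.com' never match 'bmc.com'
    return re.fullmatch(r"[0-9.]+", host) is None  # IPv4 literals never domain-match


def fqdn_redirect(request_url: str, trigger_hosts, agent_fqdn: str):
    """Return the URL the agent should redirect the browser to when the request
    host is on the trigger list, or None when the URL already uses the FQDN."""
    parts = urlsplit(request_url)
    host = (parts.hostname or "").lower()
    if host not in {t.lower() for t in trigger_hosts}:
        return None
    netloc = agent_fqdn if parts.port is None else f"{agent_fqdn}:{parts.port}"
    # The fragment never reaches the server, so it is not carried over either.
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


def cookie_reaches_app(request_url: str, cookie_domain: str) -> bool:
    """Would the SSO session cookie accompany this request? False is the
    'logged in to SSO, but the product keeps redirecting' symptom."""
    host = urlsplit(request_url).hostname or ""
    return domain_matches(host, cookie_domain)
```

With a trigger list containing machine and an agent FQDN of machine.bmc.com, a request for http://machine:8080/arsys/home is redirected to http://machine.bmc.com:8080/arsys/home, which is the first host name in this chain that domain-matches a cookie set for .bmc.com.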

Federated log in URL syntax

https://<host>:<port>/atriumsso/spssoinit?metaAlias=/BmcRealm/sp&idpEntityID=<entityId>

In this case:

host is the FQDN of the Atrium Single Sign-On server hosting the SP.
port is the port used for secure communication of the Atrium Single Sign-On server hosting the SP.
entityId is the name of the IdP to be used by this SP.
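The following is an added example, not code from the BMC documentation or product. It ties together the remote IdP steps above (reading the IdP metadata that is uploaded or fetched from the exportmetadata.jsp URL, and checking the signing certificate before it goes into cot.jks) with the federated log in and log out URL templates in this section. The metadata document, the host names, and the certificate bytes are constructed for the example; the SP's realm and metaAlias are the ones the template uses.

```python
"""Added example, not BMC code. Parses the IdP metadata an SP consumes (for
example the document from .../saml2/jsp/exportmetadata.jsp?role=idp) and builds
the federated log in and log out URLs. Sample metadata, hosts and the
certificate bytes are constructed for the example."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import quote

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample; the X509Certificate content is ten placeholder bytes, not a real certificate.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com:8443/atriumsso/idp">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>AAECAwQFBgcICQ==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com:8443/atriumsso/SSORedirect/metaAlias/BmcRealm/idp"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com:8443/atriumsso/SSOPOST/metaAlias/BmcRealm/idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 over the DER bytes of a base64 X509Certificate element. Compare it
    with the IdP operator out of band before importing the cert into cot.jks."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what the SP needs from an IdP EntityDescriptor. Metadata fetched
    by URL is attacker-reachable input: xml.etree does not expand external
    entities, but use defusedxml when the source is not fully trusted."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata (role=idp)")
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means both roles
            el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if el is not None and el.text and el.text.strip():
                cert = cert_fingerprint(el.text)
                break
    return {
        "entity_id": root.get("entityID"),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "signing_cert_sha256": cert,
        "name_id_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS)],
        "sso_endpoints": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)},
    }


def check_idp(meta: dict) -> list:
    """Findings to resolve before saving the remote IdP on the Federation panel."""
    findings = []
    if meta["signing_cert_sha256"] is None:
        findings.append("ERROR: no signing certificate; assertions from this IdP cannot be verified")
    if not (meta["entity_id"] or "").startswith("https://"):
        findings.append("WARN: entityID is not an https URL")
    if meta["want_authn_requests_signed"]:
        findings.append("INFO: IdP requires signed AuthnRequests; sign Authentication Request on the SP")
    if PERSISTENT not in meta["name_id_formats"]:
        findings.append("WARN: IdP does not offer the persistent Name ID format needed for account linking")
    return findings


def is_fqdn(host: str) -> bool:
    """The agent and cookie rules in this document need an FQDN, not a bare host or an IP."""
    return "." in host.strip(".") and not host.replace(".", "").isdigit()


def federated_login_url(sp_host: str, sp_port: int, idp_entity_id: str) -> str:
    if not is_fqdn(sp_host):
        raise ValueError(f"{sp_host!r} is not an FQDN")
    return (f"https://{sp_host}:{sp_port}/atriumsso/spssoinit"
            f"?metaAlias=/BmcRealm/sp&idpEntityID={quote(idp_entity_id, safe='')}")


def federated_logout_url(sp_host: str, sp_port: int, idp_entity_id: str, relay_state: str) -> str:
    if not is_fqdn(sp_host):
        raise ValueError(f"{sp_host!r} is not an FQDN")
    return (f"https://{sp_host}:{sp_port}/atriumsso/saml2/jsp/spSingleLogoutInit.jsp"
            f"?idpEntityID={quote(idp_entity_id, safe='')}&RelayState={quote(relay_state, safe='')}")
```

The entity ID is percent-encoded because it is itself a URL; pasting it unencoded into the agent's Login URI field works only as long as the browser and container agree on how to treat the embedded slashes and colon. RelayState is where the user lands after single logout, so build it from a fixed application path rather than from anything a request supplied.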

Federated log out URL syntax

https://<host>:<port>/atriumsso/saml2/jsp/spSingleLogoutInit.jsp?idpEntityID=<entityId>&RelayState=<RelayState>

General > Server Information.

2. In the AR System Administration: Server Information form, click the Atrium SSO Integration tab.

   AR System Administration: Server Information form, Atrium SSO Integration tab

3. Enter the BMC Atrium Single Sign-On server location.

   Host Name: The host name of the computer where the BMC Atrium Single Sign-On server is configured. If the AR System server and the BMC Atrium Single Sign-On server are in the same domain, enter the machine name or the machine name with the domain name. Make sure that the BMC Atrium Single Sign-On host name is accessible from the machine where the AR System server is installed. If the AR System server and the BMC Atrium Single Sign-On server are in different domains, a trust relationship between the two domains must be established before configuring the BMC Atrium Single Sign-On server.

   Note: Use the FQDN for the BMC Atrium Single Sign-On server host name, not simply the host name.

   Port number: The port on which the BMC Atrium Single Sign-On server is configured (typically 8443).

   Protocol: (optional) The default value is https. The field can also be set to http, but leave it at https: over http, the traffic between the AR System server and the SSO server, including any credentials the integration sends, is not protected. The resulting server URL has the form https://<host>:<port>/atriumsso, for example https://ssoServer.bmc.com:8443/atriumsso

4. Enter the Atrium Single Sign-On Admin User. The BMC Atrium Single Sign-On administrator name, by default, is amadmin.
5. Enter the Atrium Single Sign-On Admin Password.
6. (Optional) Enter the Atrium Single Sign-On Keystore Path. This is the location where the BMC Atrium Single Sign-On keystore is saved, including the keystore file name. Enter this value only if you have configured a keystore. This field is not mandatory, and you can define it later.
7. (Optional) Enter the Atrium Single Sign-On Keystore Password. Enter this value only if you specify the Keystore Path.
8. Click Apply.

For more information on a full single sign-on solution that includes BMC Atrium, see the Knowledge Base article KA286851. You must have a BMC customer support account to access this information. The example is not a supported product and there is no implied support if you use it.

Where to go from here

Manually configuring mid tier for BMC Atrium Single Sign-On user authentication (see page 176)

9.1.4 Manually configuring mid tier for BMC Atrium Single Sign-On user authentication

For the mid tier to communicate with the BMC Atrium Single Sign-On server for user authentication, follow the steps below to manually configure the mid tier.

Note

Perform the steps in this section only if you did not select the Configuration of Atrium Single Sign-On option during the AR System server installation or during the stand-alone installation of the mid tier. BMC recommends that you do not install BMC Atrium Single Sign-On and BMC Remedy Mid Tier on the same computer. They must use separate Tomcat instances: if they shared one and the mid tier computer needed a restart, BMC Atrium Single Sign-On would be down during the restart and every other application that depends on it would be unavailable.


To manually configure the Mid Tier for BMC Atrium Single Sign-On user authentication

1. Go to the computer where you installed the Mid Tier.
2. Stop the mid tier service, if it is already running.
3. Copy all the jar files from the webagent\dist\jee\WEB-INF\lib directory of the Mid Tier installation to the Mid Tier WEB-INF\lib directory. For example, copy all the jar files from C:\Program Files\BMC Software\ARSystem\midtier\webagent\dist\jee\WEB-INF\lib to C:\Program Files\BMC Software\ARSystem\midtier\WEB-INF\lib.
4. Go to the Mid Tier WEB-INF directory and open the web.xml file in an editor.
5. Uncomment the <filter> and <filter-mapping> tags for the Atrium Single Sign-On filter. These tags should look like the following:

   <filter>
     <filter-name>Agent</filter-name>
     <filter-class>com.bmc.atrium.sso.agents.web.SSOFilter</filter-class>
   </filter>
   <filter-mapping>
     <filter-name>Agent</filter-name>
     <url-pattern>/*</url-pattern>
     <dispatcher>REQUEST</dispatcher>
     <dispatcher>INCLUDE</dispatcher>
     <dispatcher>FORWARD</dispatcher>
     <dispatcher>ERROR</dispatcher>
   </filter-mapping>

   The url-pattern /* places the filter in front of every request, and the dispatcher elements make it apply to internal forwards, includes, and error pages as well, so a protected page cannot be reached through a server-side forward that bypasses the filter. Make sure that you save your changes to the web.xml file.
6. Go to the Mid Tier WEB-INF\classes directory (for example, C:\Program Files\BMC Software\ARSystem\midtier\WEB-INF\classes) and open the config.properties file in an editor.
7. Change the authenticator in the config.properties file: comment out the DefaultAuthenticator line

   arsystem.authenticator=com.remedy.arsys.session.DefaultAuthenticator

   and add the following line for the Atrium Single Sign-On Authenticator:

   arsystem.authenticator=com.remedy.arsys.sso.AtriumSSOAuthenticator

   Make sure that you save your changes to the config.properties file.
8. Go to the computer where you installed the AR System server and open the ar.cfg (Microsoft Windows) or ar.conf (UNIX or Linux) file in an editor. The default location for Windows is C:\Program Files\BMC Software\ARSystem\Conf.
9. Add the following SSO AREA plug-in entries to the ar.cfg file:

   Plugin: areaatriumsso.so (UNIX or Linux) or Plugin: areaatriumsso.dll (Windows)
   Server-Plugin-Alias: ARSYS.AREA.ATRIUMSSO ARSYS.AREA.ATRIUMSSO <FQDN of AR System server>:<plugin port>

   For example:

   Plugin: areaatriumsso.dll
   Server-Plugin-Alias: ARSYS.AREA.ATRIUMSSO ARSYS.AREA.ATRIUMSSO arSystemServer.bmc.com:9999

   Make sure that the SSO entries are listed first; otherwise they will not be used by the AR System server.

   Plugin: areaatriumsso.dll
   Plugin: ardbcconf.dll
   Plugin: reportplugin.dll
   Plugin: ServerAdmin.dll
   Server-Plugin-Alias: ARSYS.AREA.ATRIUMSSO ARSYS.AREA.ATRIUMSSO xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ARF.REGISTRY ARSYS.ARF.REGISTRY xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ARDBC.REGISTRY ARSYS.ARDBC.REGISTRY xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ARDBC.ARREPORTENGINE ARSYS.ARDBC.ARREPORTENGINE xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ARF.QUERYPARSER ARSYS.ARF.QUERYPARSER xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ALRT.WEBSERVICE ARSYS.ALRT.WEBSERVICE xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ARF.PARSEPARAMETERS ARSYS.ARF.PARSEPARAMETERS xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ARF.PUBLISHREPORT ARSYS.ARF.PUBLISHREPORT xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ARF.REPORTSCHEDULER ARSYS.ARF.REPORTSCHEDULER xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ARF.RSAKEYPAIRGENERATOR ARSYS.ARF.RSAKEYPAIRGENERATOR xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ALRT.TWITTER ARSYS.ALRT.TWITTER xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ARF.TWITTER ARSYS.ARF.TWITTER xyz-abc-x28-vm1.dsl.bmc.com:9999
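The ordering requirement in step 9 is easy to get wrong when ar.cfg already contains many Plugin and Server-Plugin-Alias lines. The following is an added example, not BMC code: it checks an ar.cfg / ar.conf text for the SSO entries, reports whether they come first in their groups, and rewrites the file so that they do while leaving every other line in place. The sample file content and the host name are constructed for the example.

```python
"""Added example, not BMC code: verify and fix the position of the Atrium SSO
AREA plug-in entries in ar.cfg / ar.conf. Sample content is constructed."""

SSO_PLUGIN_FILES = {"areaatriumsso.dll", "areaatriumsso.so"}
SSO_ALIAS = "ARSYS.AREA.ATRIUMSSO"

# Constructed excerpt with the SSO entries in the wrong position.
SAMPLE_AR_CFG = """\
Plugin: ardbcconf.dll
Plugin: areaatriumsso.dll
Server-Plugin-Alias: ARSYS.ARF.REGISTRY ARSYS.ARF.REGISTRY arserver.example.com:9999
Server-Plugin-Alias: ARSYS.AREA.ATRIUMSSO ARSYS.AREA.ATRIUMSSO arserver.example.com:9999
"""


def _entries(text: str, key: str):
    """Yield the value of every 'key: value' line, in file order."""
    for raw in text.splitlines():
        k, sep, value = raw.partition(":")  # first colon only, so host:port stays intact
        if sep and k.strip() == key:
            yield value.strip()


def _is_sso_plugin(value: str) -> bool:
    return value.lower() in SSO_PLUGIN_FILES


def _is_sso_alias(value: str) -> bool:
    return value.split()[:1] == [SSO_ALIAS]


def check_sso_plugin_order(text: str) -> list:
    """Return findings; an empty list means the file satisfies step 9."""
    findings = []
    plugins = list(_entries(text, "Plugin"))
    if not any(map(_is_sso_plugin, plugins)):
        findings.append("ERROR: no 'Plugin: areaatriumsso' entry")
    elif not _is_sso_plugin(plugins[0]):
        findings.append(f"ERROR: 'Plugin: {plugins[0]}' is listed before the SSO plug-in")
    aliases = list(_entries(text, "Server-Plugin-Alias"))
    sso_aliases = [a for a in aliases if _is_sso_alias(a)]
    if not sso_aliases:
        findings.append(f"ERROR: no Server-Plugin-Alias for {SSO_ALIAS}")
    else:
        if not _is_sso_alias(aliases[0]):
            findings.append("ERROR: another Server-Plugin-Alias is listed before the SSO alias")
        parts = sso_aliases[0].split()
        host, _, port = (parts[2] if len(parts) == 3 else "").rpartition(":")
        if "." not in host:
            findings.append(f"WARN: plug-in server host {host!r} is not an FQDN")
        if not port.isdigit():
            findings.append("WARN: plug-in server port is missing or not numeric")
    return findings


def fix_sso_plugin_order(text: str) -> str:
    """Reorder only the Plugin and Server-Plugin-Alias lines so the SSO entries
    come first within each group; every other line keeps its position."""
    lines = text.splitlines()
    for key, is_sso in (("Plugin", _is_sso_plugin), ("Server-Plugin-Alias", _is_sso_alias)):
        idx = [i for i, line in enumerate(lines)
               if line.partition(":")[1] and line.partition(":")[0].strip() == key]
        group = [lines[i] for i in idx]
        sso = [line for line in group if is_sso(line.partition(":")[2].strip())]
        rest = [line for line in group if not is_sso(line.partition(":")[2].strip())]
        for i, line in zip(idx, sso + rest):
            lines[i] = line
    return "\n".join(lines) + "\n"
```

Run check_sso_plugin_order on the file before restarting the AR System server; the FQDN warning mirrors the host-name requirement that appears throughout this integration.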

10. Save your changes to the ar.cfg or ar.conf file.
11. Go back to the computer where you installed the Mid Tier.
12. Copy the cacerts file from the JDK installation to the Tomcat conf folder. For example, copy cacerts from C:\Program Files\Java\jdk1.7.0_03\jre\lib\security to C:\Program Files\Apache Software Foundation\Tomcat6.0\conf.
13. If your Mid Tier installation does not already include the not-enforced.txt file, save the attached file to the Mid Tier folder (for example, right-click the link, select Save link as, and save it to the C:\Program Files\BMC Software\ARSystem\midtier folder). A typical not-enforced.txt file contains the URIs listed below. URIs listed in this file are not protected by the agent. Their contents are uploaded into the BMC Atrium Single Sign-On server to become part of the Agent configuration. When you later finish the integration, this file is no longer used or needed. If you must update the agent configuration, open Agent Details on the BMC Atrium SSO Admin Console and modify the Not Enforced URI Processing values.

   /arsys/services/*
   /arsys/WSDL/*
   /arsys/shared/config/*
   /arsys/shared/doc/*
   /arsys/shared/images/*
   /arsys/shared/timer/*
   /arsys/shared/ar_url_encoder.jsp
   /arsys/shared/error.jsp
   /arsys/shared/file_not_found.jsp
   /arsys/shared/HTTPPost.class
   /arsys/shared/login.jsp
   /arsys/shared/login_common.jsp
   /arsys/shared/view_form.jsp
   /arsys/shared/logout.jsp
   /arsys/shared/wait.jsp
   /arsys/servlet/ConfigServlet
   /arsys/servlet/GoatConfigServlet
   /arsys/plugins/*
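Every entry in not-enforced.txt is a request path the agent lets through without an SSO session, so the list deserves the same review as a firewall rule set. The following is an added example, not BMC code: it evaluates request paths against the list above and flags entries worth a second look. The match rule it uses (exact match, or a trailing * matching any remainder) and the set of administrative prefixes it treats as sensitive are assumptions made for the example, not a description of the agent's implementation.

```python
"""Added example, not BMC code: evaluate request paths against the agent's
Not Enforced URI list and audit the list. The wildcard semantics and the
sensitive-prefix list are assumptions for this example."""
import posixpath
from urllib.parse import urlsplit, unquote

# The not-enforced.txt content from the text, one entry per item.
NOT_ENFORCED = [
    "/arsys/services/*", "/arsys/WSDL/*", "/arsys/shared/config/*",
    "/arsys/shared/doc/*", "/arsys/shared/images/*", "/arsys/shared/timer/*",
    "/arsys/shared/ar_url_encoder.jsp", "/arsys/shared/error.jsp",
    "/arsys/shared/file_not_found.jsp", "/arsys/shared/HTTPPost.class",
    "/arsys/shared/login.jsp", "/arsys/shared/login_common.jsp",
    "/arsys/shared/view_form.jsp", "/arsys/shared/logout.jsp", "/arsys/shared/wait.jsp",
    "/arsys/servlet/ConfigServlet", "/arsys/servlet/GoatConfigServlet", "/arsys/plugins/*",
]

# Assumption for the audit: paths that carry administrative function.
SENSITIVE_PREFIXES = ("/arsys/shared/config/", "/arsys/servlet/ConfigServlet")


def normalize_path(url_or_path: str) -> str:
    """Canonical path as the container resolves it: no query or fragment,
    percent-decoding applied, dot segments collapsed, always rooted at '/'.
    Matching the raw path instead would let '/arsys/shared/%6cogin.jsp' or
    '/arsys/shared/images/../../forms/x' be classified differently from what
    the servlet actually serves."""
    path = unquote(urlsplit(url_or_path).path)
    path = posixpath.normpath(path) if path else "/"
    return path if path.startswith("/") else "/" + path


def is_not_enforced(url_or_path: str, patterns=NOT_ENFORCED) -> bool:
    path = normalize_path(url_or_path)
    for pattern in patterns:
        if pattern.endswith("*"):
            if path.startswith(pattern[:-1]):
                return True
        elif path == pattern:
            return True
    return False


def audit_patterns(patterns=NOT_ENFORCED) -> list:
    """Entries to review before they are uploaded into the agent configuration."""
    findings = []
    for pattern in patterns:
        if pattern.rstrip("*") in ("", "/", "/arsys", "/arsys/"):
            findings.append(f"{pattern}: exempts the whole application from SSO")
        elif pattern.endswith("*") and pattern.count("/") <= 2:
            findings.append(f"{pattern}: very broad wildcard")
        elif any(pattern.startswith(p) for p in SENSITIVE_PREFIXES):
            findings.append(f"{pattern}: administrative resource reachable without an SSO "
                            "session; make sure its own password is set")
    return findings
```

On the list above, the audit singles out /arsys/shared/config/* and /arsys/servlet/ConfigServlet: the Mid Tier Configuration Tool used in the health check later in this section is reachable without an SSO session and relies on its own password.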

14. Execute the deployer script to deploy the WebAgent. Run the following command from the deployer directory (webagent\deployer):

   java -jar deployer.jar --install --container-type <TOMCATversion> --atrium-sso-url <AtriumSSOURL>:<port>/atriumsso --web-app-url <MidtierSSOURL>:<port>/arsys --container-base-dir <AppServerHome> --admin-name <AtriumServerAdminUsername> --admin-pwd <AtriumServerAdminPassword> --jvm-truststore "<JavaHome>\jre\lib\security\cacerts" --jvm-truststore-password <TruststorePassword> --truststore "<AppServerHome>\conf\cacerts" --truststore-password <TruststorePassword> --not-enforced-uri-file "<midTierPath>\not-enforced.txt" --web-app-logout-uri /shared/loggedout.jsp

   For example:

   java -jar deployer.jar --install --container-type tomcatv6 --atrium-sso-url https://ssoServer.bmc.com:8443/atriumsso --web-app-url http://midTierServer:8080/arsys --container-base-dir "c:\Program Files\Apache Software Foundation\Tomcat6.0" --admin-name amadmin --admin-pwd Let$in09 --jvm-truststore "c:\Program Files\Java\jdk1.7.0_03\jre\lib\security\cacerts" --jvm-truststore-password changeit --truststore "c:\Program Files\Apache Software Foundation\Tomcat6.0\conf\cacerts" --truststore-password changeit --not-enforced-uri-file "C:\Program Files\BMC Software\ARSystem\midtier\not-enforced.txt" --web-app-logout-uri /shared/loggedout.jsp

   The --admin-pwd value and the truststore passwords are passed on the command line, so they are visible in the process list while the deployer runs and remain in the shell history afterwards; run the command from an administrative session and clear the history entry when you are done. The two truststores are what the deployer and the agent use to validate the HTTPS certificate of the --atrium-sso-url host, which is why step 12 copies cacerts into the Tomcat conf folder.


15. Make sure that the deployer script finishes successfully.

   Tip: If the deployer script fails:
   a. Delete the atssoAgents folder under the container base directory (for example, C:\Program Files\Apache Software Foundation\Tomcat6.0\atssoAgents).
   b. Delete the agent if it exists in Agent Details on the BMC Atrium SSO Admin Console.
   c. Re-run the deployer script after you have fixed the problem (for example, added the missing parameters).

16. Start the mid tier service.

By default, this plug-in is configured to work with the native plug-in server (C plug-in). You can also use this plug-in directly with the Java plug-in server. For more information on the configuration settings, see Using the Java plug-in server for dynamic plug-in loading in the BMC Remedy AR System 8.1 online documentation.

Note

If the container is not using HTTPS, the --truststore and --truststore-password parameters can be omitted. For example:

java -jar deployer.jar --install --container-type tomcatv6 --atrium-sso-url https://ssoServer.bmc.com:8443/atriumsso --web-app-url http://midTierServer:8080/arsys --container-base-dir "C:\Program Files\Apache Software Foundation\Tomcat6.0" --admin-name amAdmin --admin-pwd bmcAdm1n --jvm-truststore "C:\Program Files\Java\jre6\lib\security\cacerts" --jvm-truststore-password changeit --not-enforced-uri-file "C:\Program Files\BMC Software\ARSystem\midtier\not-enforced.txt" --web-app-logout-uri /shared/loggedout.jsp

If the --web-app-logout-uri parameter is not specified, you can set the value in Agent Details on the BMC Atrium SSO Admin Console:
1. On the BMC Atrium SSO Admin Console, click Agent Details.
2. Select the agent and click Edit.
3. In the Logout Processing section, replace the default value with /arsys/shared/loggedout.jsp.

When you are using a load balancer or reverse proxy, you must add both the --web-app-url and --notify-url parameters. In this case, the --web-app-url URL must be the load balancer URL and the --notify-url must be the mid tier URL: the notification URL is the address the SSO server calls to tell this agent about session logouts, so it has to reach the mid tier instance directly rather than the load balancer. For example:

java -jar deployer.jar --install --container-type tomcatv6 --atrium-sso-url https://ssoServer.bmc.com:8443/atriumsso --web-app-url http://loadbalancerURL:8080/arsys --container-base-dir "C:\Program Files\Apache Software Foundation\Tomcat6.0" --admin-name amAdmin --admin-pwd bmcAdm1n --jvm-truststore "C:\Program Files\Java\jre6\lib\security\cacerts" --jvm-truststore-password changeit --not-enforced-uri-file "C:\Program Files\BMC Software\ARSystem\midtier\not-enforced.txt" --web-app-logout-uri /shared/loggedout.jsp

For more information about containers, agents, and deployer commands, see:
Container types, containers, and agents
Deployer commands for various JSP engines

Where to go from here

Configuring the BMC Atrium Single Sign-On server for AR System integration (see page 183)

Container types, containers, and agents

The --container-type parameter specifies not only the type of the container in which the agent is being embedded, but also the type of web agent being used for integration. The TOMCAT and WEBSPHERE types are used exclusively for the original Web Agent. All of the remaining types (GENERIC, TOMCATV6, and so on) are used exclusively to deploy the newer JEE Filter agent. Make sure that you use the correct type for the agent.

Container type   Agent       Container
TOMCAT           Web Agent   Apache Tomcat v6
WEBSPHERE        Web Agent   IBM WebSphere v6, IBM WebSphere v7
GENERIC          JEE Agent   Any
JBOSSV4          JEE Agent   Red Hat JBoss v4
JBOSSV5          JEE Agent   Red Hat JBoss v5
SERVLETEXECV5    JEE Agent   New Atlanta ServletExec AS v5
SERVLETEXECV6    JEE Agent   New Atlanta ServletExec AS v6
TOMCATV5         JEE Agent   Apache Tomcat v5
TOMCATV6         JEE Agent   Apache Tomcat v6
WEBSPHEREV6      JEE Agent   IBM WebSphere v6
WEBSPHEREV7      JEE Agent   IBM WebSphere v7
WEBLOGICV10      JEE Agent   Oracle WebLogic v10

Deployer commands for various JSP engines

The deployer command changes with the JSP engine (container). The following examples show how the deployer command changes for each of these containers: Apache Tomcat (see page 182), Red Hat JBoss (see page 182), Oracle WebLogic (see page 183), IBM WebSphere (see page 183).

Apache Tomcat

java -jar deployer.jar --install --container-type <TOMCATversion> --atrium-sso-url AtriumSSOURL<

Note: Do not use tomcat for --container-type; use tomcatv6 instead.

Red Hat JBoss

"/opt/java1.5/jre/bin/java" -jar deployer.jar --install --container-type JBOSSV4 --atrium-sso-u

Oracle WebLogic

"/usr/jdk/instances/jdk1.6.0/bin/java" -jar deployer.jar --install --container-type WEBLOGICV10

IBM WebSphere

"/usr/java5/bin/java" -jar deployer.jar --uninstall --force --container-type WEBSPHEREV7 --atri

9.1.5 Configuring the BMC Atrium Single Sign-On server for AR System integration

The Action Request (AR) authentication module allows BMC Atrium Single Sign-On to use the user accounts within a BMC Remedy AR System server for authentication. This module is normally used in conjunction with the AR Data Store to retrieve group information and other user attributes from the AR System server.

Configure the AR module for AR System
Configure AR user stores for AR System
Managing the AR System users and groups

When you enable authentication chaining mode, all authentication methods in the chain are attempted in the specified order until either the authentication succeeds or all the methods in the chain fail.

Note: If you plan to use an authentication method other than or in addition to the AR module, see the applicable authentication method in Configuring after installation. For example, Using Kerberos for authentication (see page 132) or Using SAMLv2 for authentication.

Configure the AR module for AR System

1. On the SSO Server, navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to launch the BMC Atrium SSO Admin Console and log on.
2. Click Edit BMC Realm to open the Realm Editor.
3. Set User Profile to Dynamic.
4. On the Realm Authentication panel, click Add.
5. Click AR.
   a. Enter the AR parameters (see AR parameters below).
   b. Click Save.
6. On the Realm Authentication panel, set the process order of the authentication chain:
   a. For the AR module, under Flag, select Sufficient.
   b. Select the AR module.
   c. Click Up so that AR is first in the list.
   d. Set Internal LDAP to Optional.

Sufficient means that, with multiple authentication modules, if you are successfully authenticated by the first module, the remaining modules are skipped; if the login fails, authentication moves to the next module in the chain. Setting AR to Sufficient and placing it first in the list means that if you are authenticated by the AR System server, you are successfully authenticated by BMC Atrium Single Sign-On and you proceed to the Mid Tier.

Note: With Single Sign-On, you want to trigger authentication providers in the right order. From strictest to most lenient, the flags are Required > Requisite > Sufficient > Optional. If you set both modules to Required, both authentications would have to succeed to establish the session. For more information on creating an authentication chain, see the Realm Authentication panel described in Realm Editor.
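The following is an added example, not BMC code: it simulates how a chain with Required, Requisite, Sufficient and Optional flags decides the outcome, using the JAAS control-flag semantics that OpenAM-based chains follow. It covers the recommended configuration from step 6 (AR first and Sufficient, Internal LDAP Optional) and the both-Required configuration the Note warns about. Module names and results are constructed for the example.

```python
"""Added example, not BMC code: JAAS control-flag evaluation of an
authentication chain. Modules and outcomes are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    flag: str       # REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL
    succeeds: bool  # what this module would return for the credentials offered


def evaluate_chain(chain) -> tuple:
    """Return (authenticated, names_of_modules_attempted)."""
    attempted, required_failed, any_success = [], False, False
    for m in chain:
        attempted.append(m.name)
        flag = m.flag.upper()
        if flag == "REQUIRED":
            # Must succeed, but the chain continues either way; the failure
            # only surfaces in the final decision.
            if m.succeeds:
                any_success = True
            else:
                required_failed = True
        elif flag == "REQUISITE":
            # Must succeed; on failure the chain stops immediately.
            if not m.succeeds:
                return False, attempted
            any_success = True
        elif flag == "SUFFICIENT":
            # Success ends the chain, unless an earlier Required or Requisite
            # module already failed; failure just moves on to the next module.
            if m.succeeds and not required_failed:
                return True, attempted
        elif flag == "OPTIONAL":
            if m.succeeds:
                any_success = True
        else:
            raise ValueError(f"unknown flag {m.flag!r} on {m.name}")
    return (any_success and not required_failed), attempted


def recommended_chain(ar_ok: bool, ldap_ok: bool):
    """The order step 6 configures: AR first and Sufficient, Internal LDAP Optional."""
    return [Module("AR", "SUFFICIENT", ar_ok), Module("Internal LDAP", "OPTIONAL", ldap_ok)]


def both_required_chain(ar_ok: bool, ldap_ok: bool):
    """The configuration the Note warns about: both modules Required."""
    return [Module("AR", "REQUIRED", ar_ok), Module("Internal LDAP", "REQUIRED", ldap_ok)]
```

With the recommended chain, a valid AR System login never reaches the internal LDAP module, while an AR failure falls through to it; with both modules Required, a user who exists in only one store can never establish a session.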

AR parameters

Server Host Name: (Required) Provide the Fully Qualified Domain Name (FQDN) of the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer).

Server Port Number: (Required) The port on which the AR System server is listening. Note: Enter a value of 0 if the AR System server is using port mapping.

Default Authentication String: This string is only used when the AR module is placed downstream in a chain from another authentication module that prompts the user only for a name and password. In this situation, the value of this parameter is used to authenticate the user by re-using the credentials provided by the user along with this authentication string.

Allow AR Guests: If enabled, allows unknown or invalid users to authenticate to the AR System server as guests. Leave this disabled unless guest access to the AR System server is intended, because it turns a failed user lookup into a successful (guest) login.

Note: When using SAMLv2 for authentication, you must not use AR user stores. Although the AR authentication module should be configured, the AR data store is not needed for authentication in a SAMLv2 deployment.

Configure AR user stores for AR System

1. On the User Stores panel, click Add.
2. Select AR User Store.
3. Enter the AR User Store parameters (see AR User Store parameters below).
4. Click Save.

AR User Store parameters

Name
   Name: Label for the AR user store.

AR Server
   Host Name: (Required) Provide the Fully Qualified Domain Name (FQDN) of the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer). Replace the default value (sample.bmc.com) with the host name of your server (for example, yourServer.bmc.com).
   Port: (Required) Default: 0. Provide the port number on which the AR Server is listening. The value 0 is used when the AR Server is using port mapping.

Administrative Access
   Name: (Required) Provide the user name of an AR Server user store account that has AR System Administrator privileges. Empty or blank passwords for this internal user are not supported with a new user store. These credentials are stored in the SSO server configuration, so use a dedicated service account rather than a person's administrator login.
   Authentication: Provide the authentication string that is needed when the Administrator account is used to connect with the AR System server.
   Password and Confirm Password: Password for the AR System administrative user of the AR Server user store account (for example, admin).

Connection Pool
   Linger Time (seconds): (Required) Default: 60. The amount of time, in seconds, that a connection is allowed to remain unused in the pool before being closed.
   Pool Size: (Required) Default: 10. The maximum number of connections the data store uses to service data requests for the AR System server.

Managing the AR System users and groups

BMC Atrium Single Sign-On provides basic user and group management features with the internal LDAP server. These features allow an administrator to manage users, groups, and group memberships.

Note: When you configure the AR User Store for the AR System, all your AR System users and groups are already listed.

From the User page, the administrator can create and delete users and manage group memberships. BMC products can use the group membership capabilities of the BMC Atrium Single Sign-On system to provide authorization and authentication of users. If a BMC product does not use the group memberships of the BMC Atrium Single Sign-On system, consult that product's documentation to determine its mapping of groups to privileges.

To access the User page

1. Open the Realm Editor.
2. Click the Users tab.

New users can only be created when you are using the internal LDAP server for authentication. If an external source is used for authentication, new users must be created within that external system.

Note: If special characters, such as comma ( , ), semicolon ( ; ), or plus sign ( + ), are used in the user ID, the backslash ( \ ) must precede the special character. For example, Baldwin\,bob.

When creating a new user, each field that is marked with an asterisk is a required field.

To add a new user

1. In the Realm Editor, click the Users tab. Current AR System users created in your AR System server are already listed.
2. Click Add to open the User Editor.
3. In the User Id field, enter a unique identifier for the new user. This value is used as the user ID when the user logs in.
4. Specify the user's status. The default is Active.
5. Add the name attributes. The name attributes (First Name, Full Name, and Last Name) can be provided to BMC products to help identify user accounts by using terms that are more user-friendly. The actual use of these attributes, though, depends on the BMC product. You must assign an initial password of at least 8 characters when creating the account. After the password is created, the user can log into BMC Atrium Single Sign-On and update the password and their personal information through the following URL: https://FQDNHostName:port/BMC Atrium SSO?realm=BmcRealm
6. Click the Groups tab.
7. From the list of available groups, add the user to group membership (for example, BmcAdmins).
8. Click Save.

To access the Group page

BMC Atrium Single Sign-On provides predefined groups to help with the Administrator privileges that some BMC products might require. For example, the BmcSearchAdmin group provides privileges that allow a user to connect to the server to perform identity searches.

Note
Care should be exercised when assigning the BmcSearchAdmin group because these elevated privileges allow greater access to BMC Atrium Single Sign-On than is normally allowed.

Navigate to the following location:

1. Open the Realm Editor.
2. Click the Groups tab.

To create a new group

Normally, BMC products install the groups that they need managed into BMC Atrium Single Sign-On as part of their installation. However, a situation might arise in which a group might need to be created or re-created.

1. In the Realm Editor, click the Groups tab. Current AR System groups created in your AR System server are already listed.
2. Click Add to open the Group Editor.
3. Enter a new, unique name for the group.
4. Add available users to the new group.
5. Click Save.

Related topics
Using SAMLv2 for authentication
Using Kerberos for authentication (see page 132)
Using CAC for authentication
Using LDAP (Active Directory) for authentication
Using RSA SecurID for authentication

Where to go from here
Running a health check on the BMC Atrium Single Sign-On integration

9.1.6 Running a health check on the BMC Atrium Single Sign-On integration

After you finish all these procedures, run a health check of your integration of BMC Atrium Single Sign-On with BMC Remedy AR System.

To run a health check on the BMC Atrium Single Sign-On integration

1. On the Mid Tier computer, log in to the BMC Remedy Mid Tier Configuration Tool. The default path is http://midTierServer.FQDN:8080/arsys/shared/config/config.jsp. For example: http://vw-pune-bmc-dv88.labs.bmc.com:8080/arsys/shared/config/config.jsp

Tip
Clear the cache on your browser if you see redirect errors.

If your integration is successful (for example, by using the not_enforced.txt file during the agent deployment), you should see the normal Mid Tier configuration logon, not the BMC Atrium SSO logon screen.

2. Log on to the AR System server. For example: http://vw-pune-bmc-dv88.labs.bmc.com:8080/arsys. The request to the server URL is redirected to the BMC Atrium Single Sign-On server, and the BMC Atrium SSO logon screen appears.

3. Enter the User Name and Password of an AR System user and then click Log In. Demo is the AR System default logon (without any password). If BMC Atrium Single Sign-On is properly integrated and configured, the Applications startup page appears.
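The two checks above (the configuration page must be served directly because it is listed in not_enforced.txt, and the /arsys application must redirect to the Atrium SSO logon) can be scripted so they run after every agent redeployment. The following Python is an added example, not BMC code: it requests both URLs without following redirects and classifies the result by status code and Location host. The Mid Tier host is the one used on the page; the SSO host name sso.example.com and the redirect target path in the comments are constructed placeholders, so pass your own values on the command line.

```python
"""Probe the health-check URLs without following redirects (added example, not BMC code)."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Expected outcome per path, taken from the procedure above: config.jsp is
# excluded by not_enforced.txt and must be served directly; /arsys must be
# redirected to the Atrium SSO logon screen.
EXPECTED = {
    "/arsys/shared/config/config.jsp": "served-directly",
    "/arsys": "redirected-to-sso",
}


def classify_response(status, location, sso_host):
    """Map one HTTP status / Location pair to a health-check outcome."""
    if 300 <= status < 400 and location:
        host = (urlparse(location).hostname or "").lower()
        if host == sso_host.lower():
            return "redirected-to-sso"
        return "redirected-elsewhere"   # e.g. a redirect to some other host, not the SSO server
    if status == 200:
        return "served-directly"
    return "unexpected-%d" % status


def evaluate(results):
    """results maps path -> outcome; healthy only when every probe matches EXPECTED."""
    return all(results.get(path) == want for path, want in EXPECTED.items())


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for the 3xx instead of following it,
    # so the redirect target can be inspected.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, sso_host, timeout=10):
    """Fetch one URL and classify the first response (no redirects followed)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_response(resp.status, resp.headers.get("Location"), sso_host)
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.headers.get("Location"), sso_host)


def main(mid_tier="http://vw-pune-bmc-dv88.labs.bmc.com:8080", sso_host="sso.example.com"):
    results = {}
    for path in EXPECTED:
        results[path] = probe(mid_tier + path, sso_host)
        print("%s -> %s (expected %s)" % (path, results[path], EXPECTED[path]))
    return evaluate(results)


if __name__ == "__main__":
    # usage: python healthcheck.py http://midTierServer.FQDN:8080 sso.host.fqdn
    sys.exit(0 if main(*sys.argv[1:3]) else 1)
```

A 3xx whose Location points at a host other than the SSO server, or a 200 on /arsys, is reported as a failure rather than silently accepted; both are the symptoms a misplaced not_enforced.txt entry or a wrong agent URL produce.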

9.2 Integrating BMC Dashboards for BSM If you plan to use BMC Atrium Single Sign-On as your method of authentication, you must install and configure the BMC Atrium Sign-On server before installing BMC Dashboards for Business Service Management (BSM). Also, ensure that any users that you want to use in BMC Dashboards for BSM exist in the BMC Atrium Single Sign-On server.

9.2.1 Before you begin Install BMC Atrium Sign-On server and configure with an authentication method before installing BMC Dashboards for BSM. Ensure that the BMC Dashboards for BSM administrator and any users that you want to use in BMC Dashboards for BSM exist in the BMC Atrium Sign-On server. See Managing users (see page 264) and Managing user groups (see page 268).

Note For BMC Dashboards for BSM version 7.7.00 and higher, instead of re-installing, you can run the installer again to set the BMC Atrium Single Sign-On parameters.

9.2.2 To integrate BMC Dashboards for BSM

When executing the BMC Dashboards for BSM installer, select the BMC Atrium Single Sign-On Authentication method and provide the following information:

Field | Description
Fully Qualified Host Name | Fully qualified host name of the BMC Atrium Single Sign-On server.
HTTPS Port Number | HTTPS port number used by the BMC Atrium Single Sign-On server.
Administrator Name and Password | User name and password for the BMC Atrium Single Sign-On server administrator.
BMC Dashboards administrator Name and Password | User name and password of the BMC Dashboards for BSM administrator user. This user must exist in BMC Atrium Single Sign-On.

9.3 Integrating BMC Analytics for BSM

If you plan to use BMC Atrium Single Sign-On as your method of authentication, you must install and configure the BMC Atrium Sign-On server before installing BMC Analytics for Business Service Management (BSM). Also, ensure that any users that you want to use in BMC Analytics for BSM exist in the BMC Atrium Single Sign-On server.

BMC Analytics for BSM is compatible with Apache Tomcat or Microsoft IIS. If you are using BMC Atrium Sign-On with BMC Analytics for BSM, only Apache Tomcat is supported. Also, when you install using BMC Atrium Sign-On, a new Apache Tomcat service is installed. If you plan to use BMC Analytics for BSM with Apache Tomcat, you should install a new Tomcat during the SAP BusinessObjects installation instead of using an existing Tomcat. If you have an existing Tomcat installation, provide different port numbers.

Before you begin (see page 199)
To integrate BMC Analytics for BSM (see page 200)

9.3.1 Before you begin Install and configure the BMC Atrium Sign-On server before installing BMC Analytics for BSM. Ensure that any users that you want to use in BMC Analytics for BSM exist in the BMC Atrium Sign-On server. See Managing users (see page 264) and Managing user groups (see page 268). Ensure that your SAP BusinessObjects Enterprise XI host is part of the DNS domain or subdomain of the BMC Atrium Single Sign-On server host.

Ensure that BMC Analytics for BSM is installed with an Apache Tomcat. A new Apache Tomcat should be installed during the SAP BusinessObjects installation instead of using an existing Tomcat. If you have an existing Tomcat installation, provide different port numbers.

Note For BMC Analytics for BSM version 7.6.06 and higher, instead of re-installing, you can run the installer again to set the BMC Atrium Single Sign-On parameters.

9.3.2 To integrate BMC Analytics for BSM

When executing the BMC Analytics for BSM installer, select BMC Atrium Single Sign-On and provide the following information:

Field | Description
Fully Qualified Host Name | Fully qualified host name of the BMC Atrium Single Sign-On server.
HTTPS Port Number | HTTPS port number used by the BMC Atrium Single Sign-On server.
Administrator Name | User name for the BMC Atrium Single Sign-On server administrator.
Administrator Password | Password for the BMC Atrium Single Sign-On server administrator.

9.4 Integrating BMC ProactiveNet BMC ProactiveNet 9.0.00 uses the BMC Atrium Single Sign-On authentication system to provide single sign-on and single sign-off. BMC Atrium Single Sign-On allows users to present credentials only once for authentication and subsequently be automatically authenticated by every BMC product that is integrated into the system. Users, user groups and privileges defined in BMC Atrium Single Sign-On are used for BMC ProactiveNet group mapping. See Managing users (see page 264) and Managing user groups (see page 268).

9.4.1 Before you begin BMC Atrium Single Sign-On must be installed and configured before installing BMC ProactiveNet. Ensure that the BMC ProactiveNet users and user groups are created in BMC Atrium Single Sign-On. See To define users and groups (see page 202). Ensure that the BMC ProactiveNet users are assigned to groups. See To assign users to user groups (see page 203). Users, user groups and privileges defined in BMC Atrium Single Sign-On are used for BMC ProactiveNet group mapping.

Note The BMC ProactiveNet Single Sign-On feature can be integrated either during installation, or post-installation.

9.4.2 To integrate BMC ProactiveNet during installation Note The BMC ProactiveNet Server installer prompts for information that must already be defined in BMC Atrium Single Sign-On.

1. Select Single Sign-On (SSO) - Enable and configure.
2. Provide the following information:

Field | Description
Atrium SSO Server Hostname Domain | Enter the fully qualified name of the BMC Atrium Single Sign-On server.
ProactiveNet Server Hostname Domain | Enter the fully qualified host name of the server where BMC ProactiveNet Server is installed. By default, this field is populated with the host name of the server on which the installer is executed.
Atrium SSO HTTPS Port | Enter the BMC Atrium Single Sign-On secure port number. The default port number is 8443.
Searcher ID | Enter the BMC Atrium Single Sign-On Searcher ID used to search all user names and groups.
Searcher Password | Enter the password of the Searcher ID user.
Atrium SSO AmAdmin Password | Enter the BMC Atrium Single Sign-On server amAdmin password.

9.4.3 To integrate BMC ProactiveNet after installation

The BMC Atrium Single Sign-On feature can be configured post-installation in one of two ways:
Using the Post Installation Configuration interface in the BMC ProactiveNet Operations Console. For more information, see the BMC ProactiveNet User Guide.
Using the pw sso commands. For more information, see the BMC ProactiveNet CLI Reference Guide.

Once BMC Atrium Single Sign-On is integrated, when you launch BMC ProactiveNet, the BMC Atrium SSO screen appears. Enter your user name and password and BMC ProactiveNet automatically launches.

If you launch BMC ProactiveNet and try to log in as a user who is not associated with a valid user group in BMC Atrium Single Sign-On, BMC ProactiveNet displays an error stating "Invalid username/password". If you receive a message that the BMC ProactiveNet Server has restarted, you must close the browser, then re-open the browser and log back in.

9.4.4 To define users and groups

To enable single sign-on, you must first create BMC ProactiveNet users and user groups in BMC Atrium Single Sign-On. Users and user groups defined in BMC Atrium Single Sign-On are used for BMC ProactiveNet group mapping. During installation of BMC ProactiveNet, the BMC ProactiveNet Server Installer prompts for information that must already be defined in BMC Atrium Single Sign-On. Therefore, the minimum required definition in BMC Atrium Single Sign-On, before installing BMC ProactiveNet, is the following:

1. Create a Searcher user and assign the BmcSearchAdmins group.
2. Define the SSO amAdmin user and assign full access privileges. (The SSO amAdmin user is automatically created during installation of BMC Atrium Single Sign-On.)
3. Create an Administrative user group and assign the BmcAdmins group.

9.4.5 To create new users

New users can only be created when you are using the internal LDAP server for authentication. If an external source is used for authentication, new users must be created within that external system.

1. Sign on to BMC Atrium Single Sign-On.
2. Click Edit BMC Realm and select the User tab.

Note
When integrating a BMC ProactiveNet Server with an external system such as SSO or LDAP for authentication, ensure that the same user name does not exist in both the external system and the BMC ProactiveNet Server. If the same user exists in both, the user group associations defined in BMC ProactiveNet are considered.

a. Click Add.
b. In the UserId field, enter a unique identifier for the new user. This value is used as the user ID when the user logs in. If special characters, such as comma ( , ), semi-colon ( ; ), or plus sign ( + ) are used in the user ID, the backslash ( \ ) must precede the special character. For example, Baldwin\,bob.
c. Enter the user's last name and full name.
d. Enter an initial default password (which the user changes) and confirm this default password.
e. In the Status field, verify that the Active radio button is selected (default).
f. Click Save.
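The escaping rule for commas, semicolons and plus signs in a user ID (stated in the note under "To access the User page" and again in step b above) exists because the internal LDAP store places the user ID inside a distinguished name, where an unescaped comma ends the RDN and a plus sign joins a multi-valued RDN. The following Python is an added example, not BMC code: it applies the RFC 4514 escaping rule to a value and shows how a DN splits into RDNs once the value is escaped. It goes beyond the page's three characters to the full RFC 4514 set (quote, backslash, angle brackets, leading '#', leading or trailing space, NUL). The attribute name uid and the base DN ou=people,dc=example,dc=com are assumptions for illustration, not the layout of the Atrium SSO internal store.

```python
"""RFC 4514 escaping for LDAP RDN values (added example, not BMC code)."""

# Characters RFC 4514 requires to be escaped anywhere inside an RDN value.
# The page names comma, semicolon and plus; the rest come from the RFC.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape one attribute value so it can be embedded in an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")                       # NUL is hex-escaped
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                        # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")                        # leading hash
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(user_id, base="ou=people,dc=example,dc=com"):
    """Assumed layout: uid=<escaped id>,<base>. Not the real Atrium SSO store layout."""
    return "uid=%s,%s" % (escape_rdn_value(user_id), base)


def split_rdns(dn):
    """Split a DN on commas that are not escaped (mirrors what an LDAP server does)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])                  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


if __name__ == "__main__":
    # Constructed sample: the page's own example user ID.
    dn = build_user_dn("Baldwin,bob")
    print(dn)                  # uid=Baldwin\,bob,ou=people,dc=example,dc=com
    print(split_rdns(dn))      # 4 RDNs: the comma inside the uid no longer splits
    print(split_rdns("uid=Baldwin,bob,ou=people,dc=example,dc=com"))  # 5 "RDNs": wrong
```

The last line shows the failure the note guards against: without the backslash, the server would read "bob" as a separate (and meaningless) RDN rather than as part of the user ID.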

9.4.6 To assign users to user groups

1. In BMC Atrium Single Sign-On, click Edit BmcRealm and select the Groups tab.
2. Select the group name and click Edit.
3. Select users from the Available Users list.
4. Click Add.
5. Alternatively, you can add all of the users by clicking Add All.

Note
An initial password must be provided when creating the account. Once created, the user can log in to BMC Atrium Single Sign-On and update the password and their personal information through the following URL:

6. Click Save to save the changes. The membership change is immediately put into effect.

9.4.7 To clean up Web Agent entries when the BMC ProactiveNet Server is uninstalled

The following steps are required to delete Web Agent entries on the BMC Atrium Single Sign-On Server when the BMC ProactiveNet Server is uninstalled.

Note
Any changes made to a BMC Atrium Single Sign-On user will not be reflected in an active BMC ProactiveNet session. The user must log out and log back in for the changes to be in effect.

1. On the BMC Atrium Single Sign-On Console, click Edit BMC Realm.
2. Click Agents Details. A list of the Agents that are registered on the Single Sign-On server displays.
3. Identify the two Agents corresponding to your BMC ProactiveNet Server host. Search for the following patterns:

/@: /admin@:

4. Mark the Agents to delete by selecting their corresponding checkboxes.
5. Click Delete.

9.5 Integrating BMC IT Business Management Suite BMC Atrium Single Sign-On is an authentication system that supports many authentication protocols and provides single sign-on and single signoff for users of BMC products. A user can present credentials once for authentication and subsequently be automatically authenticated by every BMC Software product that is integrated into the system.

9.5.1 Before you begin You must install BMC Atrium Single Sign-On server before using the BMC IT Business Management Suite installation program to set up the configuration.

9.5.2 To integrate BMC IT Business Management Suite

When installing the BMC IT Business Management Suite, select the check box to configure BMC IT Business Management Suite with the BMC Atrium Single Sign-On server. Use these options to configure BMC IT Business Management Suite to work with BMC Atrium Single Sign-On.

Installation parameter | Value
Atrium SSO Location | Specify the location of the BMC Atrium Single Sign-On server.
Atrium SSO Admin User | Specify the administrative user name.
Atrium SSO Admin Password | Specify the BMC Atrium Single Sign-On server administrative password.
Atrium SSO Keystore Path | Specify the location of the keystore. The default Tomcat server used by the BMC Atrium Single Sign-On server uses a keystore and a truststore for its secure (HTTPS/TLS) communications. These files are stored within the directory at /BMC Software/AtriumSSO/tomcat/conf.
Atrium SSO Keystore Password | Specify the password of the keystore.

9.6 Integrating BMC ITBM and WebSphere application server As an option, you can configure the IBM WebSphere application server to work with the BMC Atrium Single Sign-On server. To configure the WebSphere application server to work with the BMC Atrium Single Sign-On server, you must have already installed and set up the BMC Atrium Single Sign-On server.

9.6.1 Before you begin If you have already deployed BMC IT Business Management Suite on WebSphere, you must first undeploy the application and then configure the WebSphere application server to work with the BMC Atrium Single Sign-On server.

9.6.2 To configure the WebSphere application server to work with the BMC Atrium Single Sign-On server

1. Stop the application server.
2. Copy the certificate truststore file (cacerts) from the \java\jre\lib\security directory to the \bin directory.
3. Copy the deployment utility webagent.zip file from the BMC Atrium Single Sign-On server build to the temporary directory called
4. Run the following deployer script from the WebSphere java directory:

java -jar $\deployer.jar --install --container-type WEBSPHEREV7 --atrium-sso-url https://:/atriumsso --web-app-url http://:/itm --container-base-dir "" --instance-config-directory "" --server-instance-name "" --admin-name amadmin --admin-pwd password --jvm-truststore "\java\jre\lib\security\cacerts" --jvm-truststore-password changeit --truststore "\bin\cacerts" --truststore-password changeit

For example, you can specify the following script:

java -jar "C:\Program Files\BMC Software\ARSystem\midtier\webagent\deployer\deployer.jar" --install --container-type WEBSPHEREV7 --atrium-sso-url https://w8k-itsm-vm16.dsl.bmc.com:8443/atriumsso --web-app-url http://w28-itm-vm02.dsl.bmc.com:9080/itm/ --container-base-dir "C:\Program Files\IBM\WebSphere\AppServer" --instance-config-directory "C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\w28-itm-vm02Node01Cell\nodes\w28-itm-vm02Node01\servers\server1" --server-instance-name "server1" --admin-name amadmin --admin-pwd password --jvm-truststore "C:\Program Files\IBM\WebSphere\AppServer\java\jre\lib\security\cacerts" --jvm-truststore-password changeit --truststore "C:\Program Files\IBM\WebSphere\AppServer\bin\cacerts" --truststore-password changeit

Note When you run the script using the java command, use the WebSphere copy of the java version, not the one from the Oracle JDK.

5. Start the application server.
6. In the WebSphere application logon window, specify the User ID as itmadm and Password as itmadmin and press Enter.
7. In the left navigation pane of the Integrated Solutions console, click Servers > Server Types > WebSphere application servers.
8. In the WebSphere application servers page, click the server on which you have installed BMC IT Business Management Suite.
9. In the Application servers > server page, click Java and Process Management in the Server Infrastructure options on the right.
10. In the Java and Process Management options, click Process definition.
11. In the Process definition page, click Java Virtual Machine in the Additional Properties options.
12. In the Java Virtual Machine page, click Custom properties.
13. To specify a new property, click New.
14. In the Custom properties > New page, specify the following properties and values for the custom repository:

Name | Value
atsso.configuration.dir | Atrium SSO agents configuration directory. For example, C:\Program Files\IBM\WebSphere\AppServer\atssoAgents

15. Click OK.
16. Click Save in the Message box at the top of the screen to commit the changes.
17. In the left navigation pane of the Integrated Solutions Console, click Security > Global security.
18. In the Global security page, click the Security Configuration Wizard button.
19. In the Specify extent of protection page, select Enable application security and click Next.
20. In the Select user repository page, select the Standalone custom registry option and click Next.
21. Add the following properties and values for the custom repository:

Name | Value
sso.installed | true
cacerts | C:/Program Files/IBM/WebSphere/AppServer/bin/cacerts (Note: If your folder path contains spaces, copy cacerts from \bin\cacerts to any temp directory, for example, C:/bmc/.)
cacerts.password | changeit
sso.acceptAllServerCertificates | true

22. Click Next.
23. Verify the Summary page, and click Finish.
24. Click Save in the Message box at the top of the screen to commit the changes.
25. In the Global security window, click the Available realm definition list and select Standalone custom registry.
26. Click the Set as current button.
27. Click the Java Authentication and Authorization Service option.
28. In Java Authentication and Authorization Service, click System Logins.
29. In the resources list, select the WEB_INBOUND resource.
30. In the JAAS login modules table, click the com.itmsoft.security.auth.module.ITBMLoginModule option.
31. Specify the following custom properties and values:

Name | Value
sso.installed | true
cacerts.path | C:/Program Files/IBM/WebSphere/AppServer/bin/cacerts (Note: If your folder path contains spaces, copy cacerts from \bin\cacerts to any temp directory, for example, C:/bmc/.)
cacerts.password | changeit
sso.acceptAllServerCertificates | true

32. Click Apply and OK.
33. Click Save in the Message box at the top of the screen to commit the changes.
34. Log out and restart the WebSphere server before deploying the BMC IT Business Management Suite.
35. Deploy BMC IT Business Management Suite on the WebSphere application server.
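The custom registry and JAAS login module properties in steps 21 and 31 are worth checking after the fact, because two of the documented values weaken the trust relationship between WebSphere and the Atrium SSO server: cacerts.password is the JDK's well-known default truststore password, and sso.acceptAllServerCertificates=true, as its name states, accepts any server certificate, so the truststore then does not constrain which Atrium SSO server is trusted. The page's own note about spaces in the cacerts path is a third thing that is easy to miss. The following Python is an added example, not BMC or BMC IT Business Management Suite code: it parses these properties from a key=value text (a subset of Java .properties syntax, assumed here for convenience) and reports the findings a reviewer would raise. The sample text is constructed from the table values above.

```python
"""Audit the Atrium SSO custom-registry properties (added example, not BMC code)."""

# Constructed from the Name/Value tables in steps 21 and 31 above.
SAMPLE = """\
# constructed sample, values taken from the procedure
sso.installed=true
cacerts.path=C:/Program Files/IBM/WebSphere/AppServer/bin/cacerts
cacerts.password=changeit
sso.acceptAllServerCertificates=true
"""

REQUIRED = ("sso.installed", "cacerts.password", "sso.acceptAllServerCertificates")


def parse_properties(text):
    """Minimal key=value parser: '#'/'!' comments, first '=' splits.
    Splitting only on the first '=' keeps Windows paths such as C:/... intact."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit(props):
    """Return a list of (property, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    for key in REQUIRED:
        if key not in props:
            findings.append((key, "missing"))
    # Step 21 names the truststore property 'cacerts', step 31 names it 'cacerts.path'.
    ts_key = "cacerts.path" if "cacerts.path" in props else "cacerts"
    ts_path = props.get(ts_key)
    if ts_path is None:
        findings.append((ts_key, "missing"))
    elif " " in ts_path:
        findings.append((ts_key, "path contains spaces; the procedure says to copy "
                                 "cacerts to a directory without spaces (for example, C:/bmc/)"))
    if props.get("cacerts.password") == "changeit":
        findings.append(("cacerts.password",
                         "still the well-known default JDK truststore password"))
    if props.get("sso.acceptAllServerCertificates", "").lower() == "true":
        findings.append(("sso.acceptAllServerCertificates",
                         "true: any server certificate is accepted, so the truststore "
                         "does not limit which Atrium SSO server WebSphere will talk to"))
    return findings


def audit_text(text):
    return audit(parse_properties(text))


if __name__ == "__main__":
    for key, message in audit_text(SAMPLE):
        print("%s: %s" % (key, message))
```

Run against the values exactly as the procedure lists them, the audit reports three findings (the path with spaces, the default password, and the accept-all setting); a registry that points at a space-free copy of cacerts with its own password and the accept-all flag off reports none.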

9.7 Integrating BMC Capacity Optimization This topic provides instructions for integrating BMC Capacity Optimization with the BMC Atrium Single Sign-On.

Notes

For information about compatible versions of these BMC applications, see BSM Interoperability 8.5.1. This topic does not describe how to integrate data from BMC Atrium CMDB into BMC Capacity Optimization using Extract, Transform, and Load tasks (ETL tasks). For information about integrating data from BMC Atrium CMDB into BMC Capacity Optimization, see Integrating BMC Capacity Optimization with BMC Atrium CMDB in the BMC Capacity Optimization online documentation.

9.7.1 Before you begin Before you can enable integration with BMC Atrium Single Sign-On, you must have BMC Atrium CMDB installed and running. Before you can enable launching of BMC Capacity Optimization from BMC ProactiveNet when viewing a CI (device) associated with an event, you must integrate BMC ProactiveNet with BMC Atrium CMDB.

9.7.2 To integrate BMC Capacity Optimization

1. Log on to the BMC Capacity Optimization Console as a user with the administrator role.
2. Click the Administration tab.
3. In the Navigation area, expand System.
4. Click Configuration.
5. Click the BMC Environment tab.
6. At the bottom of the BMC Environment tab, click Edit.
7. In the BMC Atrium Single-Sign-On area, next to Atrium Single-Sign-On, select Enable Atrium single sign-on for authentication in BMC Capacity Optimization. BMC Atrium Single Sign-On server information boxes appear.
8. Type the following:
Atrium SSO Server Host: Type the address of the BMC Atrium Single Sign-On server host.
Atrium SSO Server Port: Type the BMC Atrium Single Sign-On server port number.
Atrium SSO Server Username: Type the user name for BMC Atrium Single Sign-On server authentication.
Atrium SSO Server Password: Type the password for BMC Atrium Single Sign-On server authentication.

Note The BMC Atrium Single Sign-On server user must be assigned an administrator role.

9. Click Execute. A utility runs that registers BMC Capacity Optimization with the BMC Atrium Single Sign-On server.
10. Click Save.
11. Close your BMC Capacity Optimization Console browser window.
12. Verify that BMC Capacity Optimization services have been restarted (see the Verifying that BMC Capacity Optimization services are running section of Verifying BMC Capacity Optimization installation).
13. Log on to the BMC Capacity Optimization Console (see Accessing the BMC Capacity Optimization console).

9.8 Integrating BMC Atrium Orchestrator Platform BMC Atrium Orchestrator Platform 7.7 uses the BMC Atrium Single Sign-On authentication system to provide single sign-on and single sign-off. BMC Atrium Single Sign-On allows users to present credentials only once for authentication and subsequently be automatically authenticated by every BMC product that is integrated into the system. For more information about BMC Atrium Orchestrator Platform 7.7 installation and integration with BMC Atrium Single Sign-on, see the BMC Atrium Orchestrator Platform 7.7 online documentation. Users, user groups and privileges defined in BMC Atrium Single Sign-On are used for BMC Atrium Orchestrator Platform group mapping. See Managing users (see page 264) and Managing user groups (see page 268).

Before you begin (see page 210)
BMC Atrium Orchestrator Platform installation worksheet (see page 210)
Where to go from here (see page 212)

9.8.1 Before you begin

BMC Atrium Single Sign-On version 8.1.00 Patch 1 (8.1.00.01) or later must be installed and configured before installing BMC Atrium Orchestrator Platform 7.7.

Download the installation files from the BMC EPD website.
Ensure that BMC Atrium Single Sign-On version 8.1.00 Patch 1 (8.1.00.01) or later is implemented.
Ensure that the target computer meets the minimum system requirements for your environment.
Complete the BMC Atrium Orchestrator Platform installation worksheet (see page 210).
Exit all other programs.
Log on as an administrator and have administrator rights on the computer where you will install BMC Atrium Single Sign-On.
Prepare to run the installation program for your operating system. For example, you must update Terminal Services configuration options and configure the DEP feature if you are using Windows. For more information, see Configuring terminal services on Windows 2008 and Windows 2012 computers and Configuring DEP on Windows computers.

Note The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates with BMC Atrium Single Sign-On (for example, BMC Atrium Orchestrator). BMC recommends that you install BMC Atrium Single Sign-On on a different computer from the computer where you plan to install a BMC product (for example, the AR System server or the BMC Remedy Mid Tier).

9.8.2 BMC Atrium Orchestrator Platform installation worksheet

BMC Atrium Single Sign-On is a required server component that you install first, before any other BMC Atrium Orchestrator components. Before installing BMC Atrium Single Sign-On, use this worksheet to record information specific to your system. The installation parameters in this worksheet correspond to the parameters in the GUI installation and the options file.

Directory Selection panel
Installation parameter | Default value and notes | Your value
Destination Directory | Windows: C:\Program Files\BMC Software\AtriumSSO; UNIX: /opt/bmc/atriumsso |

Server panel
Installation parameter | Default value and notes | Your value
Hostname | Fully qualified host name of the server where you install BMC Atrium Single Sign-On |

BMC Atrium SSO Cluster Options panel
Installation parameter | Default value and notes | Your value
Non-clustered BMC Atrium SSO Server (Current Setting) | Stand-alone Single Sign-On Server |
Clustered BMC Atrium SSO Server | Implemented as a redundant system with session failover. Clustered installation requires at least two nodes |

Tomcat Application Server Selection panel
Installation parameter | Default value and notes | Your value
Install New Tomcat | Install a new Tomcat server on the computer where you install BMC Atrium Single Sign-On |
Use External Tomcat | Path where the external Tomcat Application Server resides |

Tomcat Application Server Information panel
Installation parameter | Default value and notes | Your value
HTTP port number | HTTP port number used by the BMC Atrium Single Sign-On server |
HTTPS port number | HTTPS port number used by the BMC Atrium Single Sign-On server |
Shutdown port number | Shutdown port number used by the BMC Atrium Single Sign-On server |

BMC Atrium SSO Server Information panel
Installation parameter | Default value and notes | Your value
Cookie Domain | Network domain of the computer on which you are installing the server |
Password | Password required to log on to the BMC Atrium Single Sign-On server |
Confirm Password | Confirm the password |

9.8.3 Where to go from here Create a BMC Atrium Orchestrator user account and assign the user account to a group in BMC Atrium Single Sign-On. See Managing users (see page 264) and Managing user groups (see page 268). After you create a BMC Atrium Orchestrator group and user, install the BMC Atrium Orchestrator Platform repository.

9.9 Integrating BMC Real End User Experience Monitoring This page has not been approved for publication.

9.9.1 Preparing BMC Atrium SSO server for integration This page has not been approved for publication.

9.9.2 Preparing the Console component for the BMC Atrium SSO integration This page has not been approved for publication.

9.10 Integrating BMC Mobility for ITSM 8.1.00

This topic describes how to integrate BMC Atrium Single Sign-On with BMC Mobility for supporting Security Assertion Markup Language (SAML). The typical process for integrating BMC Atrium Single Sign-On with BMC Remedy IT Service Management (ITSM) is to install BMC Atrium Single Sign-On, install BMC Remedy ITSM, and then integrate Atrium SSO with ITSM. The following topics are provided:

Before you begin (see page 212)
Limitations (see page 213)
Integrating BMC Mobility to support SAML authentication (see page 213)
Related Topics (see page 214)

9.10.1 Before you begin Ensure that you have BMC Remedy ITSM installed, before you can enable integration with BMC Atrium Single Sign-On.

Ensure that the BMC Remedy ITSM users that you want to use exist in the BMC Atrium Sign-On server. See Managing users (see page 264) and Managing user groups (see page 268).

9.10.2 Limitations

The mobile applications do not support pop-up windows for login. The SAML IdP in Atrium SSO must provide a login page that is compatible with the embedded WebKit browser.
The only identity provider (IdP) that BMC Mobility for ITSM supports is BMC Atrium SSO, which is also the only supported service provider (SP). Other IdPs and SPs are not supported.

9.10.3 Integrating BMC Mobility to support SAML authentication You must use the following steps for configuring BMC Mobility and BMC Atrium SSO so that BMC Mobility can use single sign-on for logging on to BMC Mobility.

To integrate Atrium SSO support in BMC Mobility Server

1. Stop the BMC Mobility server.
2. Copy all the jar files from the \webagent\dist\jee\WEB-INF\lib directory to the \WEB-INF\lib directory. For example, copy all the jar files from C:\Program Files\BMCSoftware\ARSystem\midtier\webagent\dist\jee\WEB-INF\lib to C:\Program Files\BMCSoftware\ARSystem\midtier\WEB-INF\lib.
3. Uncomment the BMC Atrium Single Sign-On filter in the web.xml file on the BMC Mobility server.

To integrate BMC Mobility in BMC Atrium SSO Console

1. Configure the Login URL for the BMC Atrium Single Sign-On server using the following steps:
a. Log on to the BMC Atrium SSO Admin Console and click Agent Details.
b. Select the /MobilityServer@FQDN:portNumber agent and click Edit.
c. In the Agent Editor, change the Login URL to be the same as the Mid Tier Agent Login URL (for example, https://serverName:portNumber/atriumsso/spssoinit?metaAlias=/BmcRealm/sp&idpEntityID=idp).

Figure: Login URL field in the Agent Editor


2. Configure the Logout URL for the BMC Atrium Single Sign-On server:
   a. In the Agent Editor, change the Logout URL to be the same as the Mid Tier Agent Logout URL (for example, https://serverName:portNumber/atriumsso/saml2/jsp/spSingleLogoutInit.jsp?idpEntityID=idp).

To enable SAML logon

1. Open the Mobility Administration: Tenant form in a browser.
2. Search for the record with Tenant ID 000000000000001.
3. Change the SAML Authentication setting to Yes.
4. Save your changes.

You must start the BMC Mobility server after making the configuration changes.

9.10.4 Related Topics

Agent manager

10 Using

The following topics provide information and instructions for using BMC Atrium Single Sign-On:


Navigating the interface
Managing keystores with a keytool utility (see page 239)
Configuring FIPS-140 mode (see page 251)
Using an external LDAP user store (see page 260)

10.1 Navigating the interface

On the BMC Atrium SSO Admin Console, you can see the overall health of the Atrium Single Sign-On server and launch into specific areas for management. The Administrator console contains four panels providing server health (Status), access to realms for management (Realm Manager), and access to current sessions for management (Sessions). In addition, the console has a top-level Help button that launches a browser that provides you with online help.

Note: To access the BMC Atrium SSO Admin Console, use a Fully Qualified Domain Name (FQDN) URL.

Editor options (see page 215)
Status panel (see page 215)
BMC Realm panel (see page 216)
Sessions panel (see page 216)

10.1.1 Editor options

Each editor provides the following options when adding or editing items:
Save saves your modifications.
Reset removes your modifications and keeps you on the editor.
Help launches a browser that provides you with online help.
Cancel cancels and returns you to the launch page.

10.1.2 Status panel

The Status panel shows the current memory usage of the server, a pie chart showing the number of active and idle sessions, and another pie chart showing the up/down status of the agents integrated with this server or cluster (that is, the status of the server that each agent is defined for).
Edit Server Configuration launches the Server Configuration Editor (see page 237), which allows you to edit the server parameters.
Agent Details launches the Agent Manager, where you can edit agents using the Agent Editor or delete agents.


Agents List lists the agents on the system.
HA Node Details launches the HA Nodes manager (see page 234), where you can edit nodes with the Server Configuration Editor (see page 237) or delete dead nodes. In non-HA systems, you can access the Server Configuration Editor (see page 237) by clicking Edit Server Configuration. This manager provides access to the overall operation parameters.
HA Node List lists the HA nodes on the system.

10.1.3 BMC Realm panel

From the BMC Realm panel, an Edit BMC Realm button is available to access the Realm Editor, where the realm can be modified. In addition, an Authentication List and a User Store List are available that display the authentication modules and user stores defined for the realm.
Edit BMC Realm launches the Realm Editor, which allows you to manage realm authentication, federation, user stores (AR and LDAPv3), users, and user groups. Federation and user profile status is provided.
Authentication List lists the authentication modules that are established for the realm.
User Store List lists the user stores that are established for the realm.

10.1.4 Sessions panel

The Sessions panel allows you to view the current sessions and to invalidate any session. The following columns are displayed in the Sessions table:
UserId
Time Remaining
Max Session Time
Time Idle
Max Idle Time
Node Name (the server that the session is defined on)

10.1.5 Realm Editor

Use the tabs in the Realm Editor to set the user profile, manage the realm authentication modules, federate modules, manage user stores, and manage users and user groups.
Main tab (see page 216)
User tab (see page 218)
Groups tab (see page 218)
Security tab (see page 219)
Editors available from Realm Editor (see page 221)

Main tab

The Main tab provides the following panels for specifying parameters:


User Profile panel

The User Profile panel allows you to set user profile parameters. Parameter options are Ignored, Required, or Dynamic. In the User Profile panel, select either Dynamic or Ignored.
Dynamic: Specifies that a local Single Sign-On user profile is created after a successful authentication, if it does not already exist.
Ignored: Specifies that no local Single Sign-On user profile is created or required for authentication.
Required: Specifies that a local Single Sign-On user profile with the same user ID is required for authentication to be successful.

Realm Authentication panel

The Authentication panel allows you to create, edit, and delete authentication module instances and to establish an authentication chain. An authentication chain is a series of authentication modules through which the user must pass to authenticate. The chain can be constructed to allow complex processing of the modules. For example, you can use authentication chaining to merge multiple LDAP servers into a single authentication unit. Chaining multiple LDAP modules together with a Sufficient relationship ensures that each LDAP module is checked to authenticate the user. If any module successfully authenticates the user, the user is identified and given an SSO session.

The combination of modules in a chain uses the following flags per module:
Required: Identifies modules that are required to succeed. Regardless of whether the authentication succeeds or fails, authentication still proceeds through the authentication chain of modules.
Requisite: Identifies modules that are required to succeed. If authentication succeeds, authentication proceeds through the authentication chain of modules. If authentication fails, control immediately returns to the application (authentication does not proceed through the authentication chain of modules).
Sufficient: Identifies modules that are not required to succeed. If authentication succeeds, control immediately returns to the application (authentication does not proceed through the authentication chain of modules). If authentication fails, authentication proceeds through the authentication chain of modules.
Optional: Identifies modules that are not required to succeed. Regardless of whether the authentication succeeds or fails, authentication still proceeds through the authentication chain of modules.

The Requisite and Sufficient flags are most commonly used. These flags allow the processing to stop when the authentication status of the user is known. The Required and Optional flags do not stop the processing but force each module to be evaluated. The overall authentication succeeds only if all modules that are flagged with Required and Requisite succeed.


If a module that is flagged with Sufficient succeeds, only the Required and Requisite modules that precede that Sufficient module must have succeeded for the overall authentication to succeed. If no Required or Requisite modules are configured for an application, then at least one Sufficient or Optional module must succeed.

Federation panel

The Federation panel is used for managing the membership of Local Identity Provider (IdP) and Local Service Provider (SP) entities that belong in a Circle of Trust (COT). The name of the COT is derived from the name of the realm to allow a logical mapping into the OpenAM abstractions. The IdP and SP entities created in the realm are automatically assigned membership in the single COT for the realm. This panel allows you to add, edit, and federate realms. When you add a realm, you can specify the type of realm (for example, IdP or SP for SAMLv3 authentication).

User Stores panel

The User Stores panel allows you to manage user stores (add, delete, edit, and reorder). The User Store Manager allows you to define external User Stores from which user attributes (email address, phone numbers, and so forth) and group memberships can be obtained. By default, the internal LDAPv3 data store is configured as a User Store for the BmcRealm. However, external LDAPv3 servers, BMC Remedy AR System servers, and even an RDBMS can be used (with a customer-provided JDBC driver). The User Store Manager allows you to create new User Stores from existing types or existing Templates, edit existing user stores, and delete deprecated ones. Templates are based upon user store types but include initial configuration values. An example of a template would be to provide meaningful default values for an Active Directory user store.
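The chain evaluation rules described under the Realm Authentication panel (Required, Requisite, Sufficient, Optional), simulated as an added example that is not code from BMC Atrium Single Sign-On or OpenAM; the directory modules and their credentials are constructed stand-ins for LDAP or AR modules, and the returned trace shows which modules the chain actually consulted:

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Flag(Enum):
    """Per-module flag, as listed on the Realm Authentication panel."""
    REQUIRED = "Required"
    REQUISITE = "Requisite"
    SUFFICIENT = "Sufficient"
    OPTIONAL = "Optional"


@dataclass
class Module:
    """One authentication module instance placed in the chain."""
    name: str
    flag: Flag
    authenticate: Callable[[str, str], bool]


def directory_module(name: str, flag: Flag, accounts: Dict[str, str]) -> Module:
    """Stand-in for an LDAP or AR module: a constructed user/password table."""
    return Module(name, flag, lambda user, pw: accounts.get(user) == pw)


def evaluate_chain(chain: List[Module], user: str,
                   password: str) -> Tuple[bool, List[Tuple[str, bool]]]:
    """Walk the chain; return (overall result, [(module name, module result), ...]).

    The trace makes the short-circuit behaviour of Requisite and Sufficient
    visible: modules after the stopping point never appear in it.
    """
    trace: List[Tuple[str, bool]] = []
    mandatory_failed = False          # some Required module has already failed
    non_mandatory_succeeded = False   # some Optional module succeeded
    has_mandatory = any(m.flag in (Flag.REQUIRED, Flag.REQUISITE) for m in chain)

    for module in chain:
        ok = module.authenticate(user, password)
        trace.append((module.name, ok))
        if module.flag is Flag.REQUIRED:
            # Must succeed, but evaluation continues regardless of the result.
            mandatory_failed = mandatory_failed or not ok
        elif module.flag is Flag.REQUISITE:
            # Must succeed; on failure control returns to the application at once.
            if not ok:
                return False, trace
        elif module.flag is Flag.SUFFICIENT:
            # On success the chain stops, provided every earlier Required or
            # Requisite module succeeded; on failure evaluation continues.
            if ok and not mandatory_failed:
                return True, trace
        else:
            # Optional: the result is noted, evaluation always continues.
            non_mandatory_succeeded = non_mandatory_succeeded or ok

    if has_mandatory:
        # Overall success needs every Required and Requisite module to succeed.
        return not mandatory_failed, trace
    # No Required or Requisite modules: at least one Sufficient or Optional
    # module must have succeeded (a Sufficient success already returned above).
    return non_mandatory_succeeded, trace


# Constructed sample credentials: two directories merged into one chain, each
# flagged Sufficient so that a user found in either directory gets a session.
CORP_LDAP = {"alice": "alice-pw"}
PARTNER_LDAP = {"bob": "bob-pw"}
MERGED_CHAIN = [
    directory_module("corp-ldap", Flag.SUFFICIENT, CORP_LDAP),
    directory_module("partner-ldap", Flag.SUFFICIENT, PARTNER_LDAP),
]

if __name__ == "__main__":
    for user, pw in (("alice", "alice-pw"), ("bob", "bob-pw"), ("bob", "wrong")):
        print(user, evaluate_chain(MERGED_CHAIN, user, pw))
```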

User tab

The User tab allows you to create new users, delete existing users, and edit the attributes and memberships of those users. By selecting a user you can edit or delete the user. When searching for a user, * returns all of the names. A letter such as "m" returns all names with the letter "m" in the user ID. A short string such as "mc" returns names that have "mc" in the user ID (for example, McCormick).

Groups tab

The Groups tab allows you to create new groups, delete existing groups, and edit the attributes of a group. By selecting a group you can edit or delete the group.


When searching for a group, * returns all of the names. A letter such as "d" returns all names with the letter "d". A short string such as "dm" returns names that have "dm" in the group name (for example, admin).

Security tab

The Security tab provides the following features:

Login Failure Lockout

The Login Failure Lockout feature locks a user account after repeated failed logon attempts in order to maintain the security of the account. The Login Failure Lockout feature provides the following options:
Enable Login Lockout - To activate the lockout feature, select the Enable Login Lockout check box. The lockout mode is a memory lockout, which can be cleared by restarting the BMC Atrium Single Sign-On server, or by disabling Enable Login Lockout and re-enabling it again.
Lockout Duration - Sets the interval (in minutes) that a user must wait after lockout before attempting to authenticate again. Entering a value greater than 0 enables memory lockout and disables physical lockout. Memory lockout locks the user's account in memory for the specified number of minutes. The account is unlocked after the period has passed.
Number of Login Attempts Before Lockout - Sets the number of incorrect attempts permitted for a user to log on to the account, within the interval set in Lockout Duration, before being locked out.
The administrator can clear all user lockouts by disabling the lockout feature and setting the lockout duration to 0. Both operations are necessary: when the lockout feature is disabled, the duration should also be set to 0.

Note: To ensure that the administrator always has access to the server, the account lockout feature does not apply to the amAdmin account.
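The memory lockout behaviour described by the three Security tab settings, modelled as an added example that is not BMC code. Attempt counting within the Lockout Duration window, automatic unlock after the duration, the administrator's reset (disable and set duration to 0) and the amAdmin exemption follow the text above; the reset of the failure count on a successful logon is an assumption, and the clock is passed in as seconds so the example runs deterministically:

```python
from collections import defaultdict
from typing import Dict, List


class LoginLockout:
    """Memory lockout driven by the three Security tab settings."""

    def __init__(self, enabled: bool = True, lockout_duration_min: int = 5,
                 attempts_before_lockout: int = 3, exempt_user: str = "amAdmin"):
        self.enabled = enabled                       # Enable Login Lockout
        self.duration = lockout_duration_min * 60    # Lockout Duration, kept in seconds
        self.max_attempts = attempts_before_lockout  # Number of Login Attempts Before Lockout
        self.exempt_user = exempt_user               # amAdmin is never locked out
        self._failures: Dict[str, List[float]] = defaultdict(list)
        self._locked_until: Dict[str, float] = {}

    def _active(self) -> bool:
        # Memory lockout is in effect only when enabled and the duration is above 0.
        return self.enabled and self.duration > 0

    def is_locked(self, user: str, now: float) -> bool:
        """True while the account's lockout period has not yet elapsed."""
        if not self._active() or user == self.exempt_user:
            return False
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        # The period has passed: the account unlocks by itself.
        del self._locked_until[user]
        self._failures.pop(user, None)
        return False

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed logon at time now (seconds); True if the account is now locked."""
        if not self._active() or user == self.exempt_user:
            return False
        if self.is_locked(user, now):
            return True
        # Only failures inside the Lockout Duration window count towards the limit.
        recent = [t for t in self._failures[user] if now - t < self.duration]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[user] = now + self.duration
            return True
        return False

    def record_success(self, user: str) -> None:
        # Assumption (not stated on the page): a successful logon clears the failure count.
        self._failures.pop(user, None)

    def clear_all(self) -> None:
        """The administrator's reset: disable the feature and set the duration to 0."""
        self.enabled = False
        self.duration = 0
        self._failures.clear()
        self._locked_until.clear()
```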

Valid Forwarding Domains

The Valid Forwarding Domains feature limits the domains to which the BMC Atrium Single Sign-On server will forward the browser after authentication. To enable this feature, you must add at least one URL to the list of Valid Forwarding Domains. An empty list indicates that the feature is disabled.

To add a URL to the list of valid forwarding domains

1. Enter the URL in the Trusted Domain field.
2. Click Add.
3. For the changes to take effect, restart the BMC Atrium Single Sign-On server.


Note: Ensure that you provide the absolute path for the URL that you enter in the list of Valid Forwarding Domains, for example: https://sample.bmc.com:8080/test

If you try to access a URL that is not present in Valid Forwarding Domains, you are redirected to a page that has an error message and a link to log out of the BMC Atrium Single Sign-On server.
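An allowlist check in the spirit of the Valid Forwarding Domains feature, written as an added example rather than the product's own logic. The page does not specify how a target is matched against the list, so matching on scheme, host, port and path prefix, rejecting relative or malformed targets, and treating an empty list as "feature disabled" are assumptions; the list entry follows the page's example URL:

```python
import posixpath
from typing import Iterable, Optional, Tuple
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def _normalize(url: str) -> Optional[Tuple[str, str, int, str]]:
    """Return (scheme, host, port, path) for an absolute http(s) URL, else None."""
    url = url.strip()
    if any(c in url for c in "\\\r\n"):
        return None   # separators that browsers may reinterpret are rejected outright
    try:
        parts = urlsplit(url)
        host = parts.hostname       # lower-cased; any userinfo before '@' is dropped
        port = parts.port           # raises ValueError for a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not host:
        return None                 # relative, scheme-relative or non-http targets
    # Decode and collapse dot segments so /test/../admin cannot pass as /test/...
    path = posixpath.normpath(unquote(parts.path) or "/")
    return scheme, host, port or DEFAULT_PORTS[scheme], path


def _path_within(path: str, base: str) -> bool:
    """True if path equals base or lies below it on a path-segment boundary."""
    base = base.rstrip("/")
    return path == base or path.startswith(base + "/")


def is_valid_forwarding_target(target: str, trusted: Iterable[str]) -> bool:
    """Decide whether the browser may be forwarded to target after authentication."""
    trusted = list(trusted)
    if not trusted:
        return True   # empty list: the feature is disabled, as the page states
    t = _normalize(target)
    if t is None:
        return False
    for entry in trusted:
        e = _normalize(entry)
        if e is not None and t[:3] == e[:3] and _path_within(t[3], e[3]):
            return True
    return False


# Constructed allowlist, following the page's example entry.
TRUSTED_DOMAINS = ["https://sample.bmc.com:8080/test"]

if __name__ == "__main__":
    for candidate in ("https://sample.bmc.com:8080/test/home",
                      "https://sample.bmc.com:8080@evil.example/test"):
        print(candidate, is_valid_forwarding_target(candidate, TRUSTED_DOMAINS))
```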


Editors available from Realm Editor

The following editors are used for creating and editing authentication module instances, SAML federation, and user stores.

User and Group editors
User Editor
Group Editor

Authentication module instance editors
AR Editor (see page 223)
LDAP (Active Directory) Editor (see page 223)
Kerberos Editor (see page 227)
SecurID Editor (see page 227)
CAC (certificate) Editor

Federation editors
Local Service Provider (SP) Editor (see page 230)
Create Identity Provider (see page 228)
Remote Identity Provider (IdP) Editor
Local Identity Provider (IdP) Editor
Create Service Provider (see page 229)
Remote Service Provider (SP) Editor (see page 232)

User store editors
AR User Store Editor
LDAPv3 (Active Directory) User Store Editor (see page 225)

User Editor

The User Editor allows you to provide specific information about the user as well as to set the user's status (Active or Inactive). Save saves your modifications. Reset removes your modifications. Help accesses online help. Cancel cancels and returns you to the Users tab on the Realm Editor. There are two tabs available from the User Editor: the Main tab allows you to create and edit user information, and the Groups tab allows you to assign users to groups.


Main tab
  User ID: The name of the user that you are creating or editing.
  Status: Active and Inactive status are available.
  User information: Provide the user information. As a minimum, provide the full name, first name, last name, and a default password and confirm password.

Groups tab
  Available Groups: The list of groups available on the system.
  Member Of: The list of groups of which the user is a member.

Add and Add All allow you to add groups to this user. The group is then listed in the Member Of list rather than the Available Groups list. Remove and Remove All allow you to remove groups from this user. The group is then listed in the Available Groups list rather than the Member Of list.

Group Editor

The Group Editor allows you to create a group and to add users to the group. You can add users individually or add all users to the members list, and you can delete users individually or delete all users from the members list. Save saves your modifications. Reset removes your modifications and keeps you on the Group Editor. Help accesses the online help. Cancel cancels and returns you to the Groups tab on the Realm Editor.

Group Name: The name of the group that you are creating or editing.
Available Users: The list of users available on the system. You can filter the available users by any character in their User ID. For example, if a User ID has the letter "r" in the string, all users with the letter "r" are displayed in the Available Users list. If there is no character in the Filter field, all users are displayed.
Members: The list of users that are members of this group.

Add and Add All allow you to add users to this group. The user is then listed in the Members list rather than the Available Users list. Remove and Remove All allow you to remove users from this group. The user is then listed in the Available Users list rather than the Members list.


AR Editor

Server Host Name: (Required) Provide the Fully Qualified Domain Name (FQDN) for the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer).
Server Port Number: (Required) The AR Server Port Number is the port on which the AR System server is listening. Note: Enter a value of 0 if the AR System server is using port mapping.
Default Authentication String: This string is only used when the AR module is placed downstream in a chain from another authentication module which prompts the user only for a name and password. In this situation, the value of this parameter is used to authenticate the user by re-using the credentials provided by the user along with this authentication string.
Allow AR Guests: If enabled, allows unknown or invalid users to authenticate to the AR System server as guests.

AR User Store Editor

Name: Label for the AR user store.

AR Server Host
  Host Name: (Required) Provide the Fully Qualified Domain Name (FQDN) for the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer). Replace the default value (sample.bmc.com) with the host name of your server (for example, yourServer.bmc.com).
  Port: (Required) Default: 0. Provide the port number where the AR Server is listening. The value 0 is used when the AR Server is using port mapping.

Administrative Access
  Name: (Required) Provide the user name of an AR Server user store account that has AR System Administrator privileges. Empty or blank passwords for this internal user are not supported with a new user store.
  Authentication: Provide the authentication string that is needed when the Administrator account is used to connect with the AR System server.
  Password and Confirm Password: Password for the AR System administrative user of the AR Server user store account (for example, admin).

Connection Pool
  Linger Time (seconds): (Required) Default: 60. Linger Time is the amount of time (in milliseconds) that a connection is allowed to remain unused in the pool before being closed.
  Pool size: (Required) Default: 10. The Pool Size is the maximum number of connections the data store uses to service data requests for the AR System server.

LDAP (Active Directory) Editor

Primary LDAP Server
  Name: (Required) Enter the Fully Qualified Domain Name (FQDN) of the host for the primary LDAP server.
  Port: If the LDAP server is not listening on the default port (389), specify the port number.
  Use SSL: (Optional) Enable to use SSL to connect to the LDAP servers. In addition, before communications can be established, the certificates for the LDAP servers (primary and secondary) must be imported into the BMC Atrium Single Sign-On Tomcat truststore. For more information on importing certificates into the BMC Atrium Single Sign-On truststore, see Importing a certificate into the truststore (see page 243). If the remote LDAP server requires client authentication for SSL, the BMC Atrium Single Sign-On server's certificate might need to be imported into the LDAP server's truststore. Note: If you enabled SSL access to the LDAP server, import the certificates and restart the Tomcat server before enabling LDAP authentication. See Managing keystores with a keytool utility (see page 239) for more information.

Secondary LDAP Server
  Name: The secondary LDAP server is only used when the primary server is not available. It is not used in parallel or when a user fails to authenticate with the primary server.
  Port: If the secondary server is not listening on the default LDAP port, specify the port number.
  Use SSL: (Optional) Enable to use SSL to connect with the LDAP servers. In addition, before communications can be established, the certificates for the LDAP servers (primary and secondary) must be imported into the BMC Atrium Single Sign-On Tomcat truststore. For more information on importing certificates into the BMC Atrium Single Sign-On truststore, see Importing a certificate into the truststore (see page 243). If the remote LDAP server requires client authentication for SSL, the BMC Atrium Single Sign-On server's certificate might need to be imported into the LDAP server's truststore. Note: If you enabled SSL access to the LDAP server, import the certificates and restart the Tomcat server before enabling LDAP authentication. See Managing keystores with a keytool utility (see page 239) for more information.
  Set Recheck Primary Server Interval (minutes): (Optional) The amount of time that the server uses the secondary server before attempting to reconnect with the primary server.

User Account for Search
  Distinguished Name, Password, Confirm Password: (Required) The DN is the login name that is used to connect to the LDAP server. The user must have privileges to perform searches on the primary and secondary LDAP servers. Enter the DN for the user, the password, and the password confirmation. For example, you can use the Distinguished Name CN=bsmuser,CN=users,DC=bsmdsl,DC=bmc,DC=com and a password of your choice.

Attributes for User Search
  Attribute Name: Add attribute names using the Attribute Name parameter, or remove an attribute from the attribute list. For example, you can add CN as the attribute name for user search.

DN to Start Search
  Base DN: Add a base DN name, or remove the name from the list. Enter the starting locations within the LDAP directory for performing user searches; for each starting point, enter the DN. The search DNs should be as specific as possible for performance reasons. The depth of the search that is performed can be configured. If an Object search is specified, then the DN should be the DN of the node containing the users. For example, CN=bsmuser,CN=users,DC=bsmdsl,DC=bmc,DC=com.
  Attribute for User Profile Name: The Base DN and the attribute for user profile name are additional search parameters. For example, you can use CN as the attribute for user profile name.


LDAPv3 (Active Directory) User Store Editor

The LDAPv3 user store uses Active Directory as the user store type. The General tab contains parameters for the LDAP server configuration. The Search tab contains parameters to search for user and group attributes.

General tab

LDAP Server
  Name: (Required) Enter the Fully Qualified Domain Name (FQDN) of the host for the primary LDAP server.
  Port: If the LDAP server is not listening on the default port (389), specify the port number.
  Use SSL: (Optional) Enable SSL to connect to the LDAP servers. Before enabling SSL: The certificates for the LDAP servers (primary and secondary) must be imported into the JVM truststore and the BMC Atrium Single Sign-On Tomcat truststore. For more information on importing certificates into the BMC Atrium Single Sign-On truststore, see Importing a certificate into the truststore (see page 243). If client authentication is required, the BMC Atrium Single Sign-On server's certificate might need to be imported into the LDAP server's truststore. Restart the Tomcat server. For more information about CA certificates, see Managing keystores with a keytool utility (see page 239).

User Account for Search
  Distinguished Name, Password, Confirm Password: (Required) The Distinguished Name (DN) is the login name that is used to connect to the LDAP server. A root user must have privileges to perform searches on the primary and secondary LDAP servers. Enter the DN for the root user, the password, and the password confirmation.

Connection Pool
  Minimum Size, Maximum Size: The connection pool attributes adjust the performance of BMC Atrium Single Sign-On and the load on the LDAP server. Before modifying the default values, BMC recommends that you complete performance timings to determine appropriate values.

Attribute Mapping
  External Attribute, Atrium SSO Attribute: Attribute Mapping is used to take user attributes (such as email, phone number, and so on) from the external data store and map them to the attributes used within the BMC Atrium Single Sign-On system. A mapping is defined by entering the name of the External Attribute, selecting from the drop-down list the Atrium SSO Attribute that the external attribute maps to, and clicking Add to put the new mapping into the table.

Search tab

Search
  Base DN: Starting location within the LDAP directory for performing user and group searches. The search DNs should be as specific as possible for performance reasons. The depth of the search that is performed can be configured. If an object search is specified, then the DN should be the DN of the node containing the users.
  Search Timeout (seconds): Number of seconds the search is performed before it times out.
  Max Search Results: Maximum number of results that are returned.

Users
  Search Attribute: User attribute on which to perform the search.
  Search Filter: Specifies the filter for user searches. If the specified default class is not used by user entries in the server, then searches fail. For example, (objectclass=person).

Users - Status
  Status Attribute: Attribute that indicates the user status. For example, userAccountControl.
  Active Value: Identifies the value of the attribute when the account is active.
  Inactive Value: Identifies the value of the attribute when the account is inactive.

Users - People Container
  Container Attribute: Defines the LDAP attribute used to distinguish the container holding the people.
  Attribute Value: Specifies the value for that LDAP attribute. If people are not within a container (relative to the group), then these values should be blank.

Users
  Attribute Name for Group: Specifies the attribute of the user which identifies the group to which the user belongs. For example, memberOf.

Groups
  Search Attribute: Contains the name of the attribute which holds the name of the group. This attribute value is used in searches for user groups.
  Search Filter: Be sure to validate that the LDAP Groups Search Filter is correct for the LDAP server. If the class specified is not applicable, update the filter with the correct objectclass name. For example, (objectclass=group).

Groups - Groups Container
  Container Attribute: Defines the LDAP attribute used to distinguish the container holding the groups.
  Attribute Value: Specifies the value for the LDAP Groups Container attribute. If groups are not within a container (relative to the user), then these values should be blank.

Groups
  Attribute Name for User: The attribute name of a group within the LDAP system that contains the names of the users that belong to the group.

Caching
  Max Age (seconds): The maximum time that a cached value will continue to be used before the cached value is updated from the external LDAP server.
  Cache Size (bytes): The number of bytes of memory that will be used to hold cached search items from the external LDAP server.


Kerberos Editor

Service Principal: The Kerberos principal that is used for authentication. The service principal is used by clients to request a service ticket when authenticating. The service principal name is based on the host name of the server running BMC Atrium Single Sign-On.
Keytab File Name: The Kerberos keytab file that is used for authentication; takes the absolute path to the keytab file. The keytab file contains the password for the service principal.
Kerberos Realm: The KDC domain name.
KDC Server: The KDC host name. You must enter the fully qualified domain name (FQDN) of the domain controller.
UserId Format: The following parameters are used:
  Use Domain Name with Principal: If this check box is selected, the service allows BMC Atrium Single Sign-On to automatically use the Kerberos principal with the domain controller's domain name during authentication.
  Forced character case: Allows you to select the character case you want for your user ID. You can choose any of the three options: No change, UPPERCASE, and lowercase. The UserId is displayed in the selected format in the user store.
Return UserId to User Store: If this check box is selected, user store searches use the original UserId instead of the value modified by the UserId Format parameter. For example, when you search the user store, the UserId from the authentication could be atsso\abcxyz but the value abcxyz will be used to search the user store.

SecurID Editor

ACE/Server Configuration Path: Specify the full path for the new location of the sdconf.rec file. The configuration path is used to specify the location of the sdconf.rec file used to contact the RSA SecurID server.

CAC (certificate) Editor Field

Parameters

Description

Name

 

Name for the Certificate and CAC authentication.

Use OCSP

 

Click Use OCSP in order to use the OCSP responder. BMC recommends that you use OCSP for validation. Note: The clock skew between the BMC Atrium Single Sign-On server and the OCSP server must not be greater than 15 minutes. Otherwise, the certificate authentication fails. See Clock skew too great for CAC authentication (see page 331).

Certificate Field for User Profile

 

Select one of the options. Options are Subject CN (Common Name attribute of the Subject DN), Subject DN (Distinguished Name), Subject UID (UID attribute of the Subject DN), Email, None, Other.

Forwarded Certificates

 

When running behind a load balancer or reverse proxy, the verification of ownership of the private key is not possible thru the SSL/TLS connection. Because of this verification restriction, the BMC Atrium Single Sign-On server requires that the fronting server be listed as a trusted host from which forwarded certificates can be trusted.

BMC Atrium Single Sign-On 8.1

Page 227 of 389

BMC Software Confidential

Home

Forwarded Certificate List: This is the list of trusted host names that you add via the Trusted Host Name field. To delete a certificate, select the trusted host name and click Remove.

Trusted Host Name: Enter the name of a host from which a forwarded certificate can be trusted.

Certificate HTTP Header Name: Enter the name of the HTTP header that the forwarded certificate can be passed under.

Certificate Revocation Lists (CRL)

Use CRL: Select Use CRL to use a Certificate Revocation List (CRL). Note: BMC does not recommend using the CRL approach due to the performance load experienced with the ever-increasing length of CRL lists.

LDAP Server Where Certificates are Stored: Provide the Host and Port for the LDAP server where the certificates are stored. The host name must end with a colon followed by the port number for the LDAP server.

LDAP Start Search DN: Enter the DN of the node at which the search within the LDAP server starts. To connect with the LDAP server, you must have sufficient privileges to perform the search.

LDAP Server Password and Confirm LDAP Server Password: Provide and confirm the password for connecting with the LDAP server.

Check CA with CRL: When verifying a certificate, the CA certificate used to sign the certificate can also be verified against the CRL.

Use SSL/TLS: If you are using SSL, the LDAP server certificate must be imported into the BMC Atrium Single Sign-On truststore so that SSL can connect with the LDAP server.

Trusted Certificates

Browse on your desktop to upload the trusted certificates file. Once uploaded, the file appears in the trusted certificates list. You can also select the file and click Remove to remove the file.
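The trust gate described above, together with the Subject CN / Subject DN / Subject UID / Email lookup choice, as an added example that is not BMC's code. It assumes the fronting proxy has already verified the client's private-key possession on its own TLS connection and forwards the certificate's Subject DN in one HTTP header; the header name, trusted-host list and DN values are constructed.

```python
"""Trust gate for a forwarded client certificate, plus the Subject lookup choice.

Added example, not BMC's code. Assumptions (labelled): the fronting proxy has
already verified the client's possession of its private key over its own TLS
connection and forwards the certificate's Subject DN in one HTTP header; the
header name, the trusted-host list and the DN values are constructed.
"""

# Constructed settings mirroring the Forwarded Certificates fields.
TRUSTED_HOSTS = {"lb.example.com", "proxy.example.com"}   # Trusted Host Name entries
CERT_HEADER = "X-Client-Cert-Subject"                      # Certificate HTTP Header Name (assumed)


def parse_subject_dn(dn):
    """Split an RFC 2253-style DN into ordered (attribute, value) pairs.

    Quoted values may contain commas (O="BMC Software, Inc.") and a backslash
    escapes the next character; both forms are handled so that a crafted DN
    cannot smuggle a fake RDN past the attribute selection below.
    """
    pairs, parts, buf = [], [], []
    in_quotes = escaped = False
    for ch in dn:
        if escaped:                 # literal character after a backslash
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if in_quotes or escaped:
        raise ValueError("unterminated quote or escape in DN")
    parts.append("".join(buf))
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % part)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def user_lookup_value(dn, option):
    """Return the value used to look the user up, for the option names listed above."""
    first = {}
    for attr, value in parse_subject_dn(dn):
        first.setdefault(attr, value)          # first occurrence of an attribute wins
    if option == "Subject DN":
        return dn
    if option == "Subject CN":
        return first.get("CN")
    if option == "Subject UID":
        return first.get("UID")
    if option == "Email":
        return first.get("EMAILADDRESS", first.get("E"))
    if option == "None":
        return None
    raise ValueError("option %r is not modelled in this example" % option)


def forwarded_subject(remote_host, headers):
    """Honour the forwarded-certificate header only from a listed trusted host.

    Anything else is ignored: the server cannot check private-key ownership
    through a proxy, so an unlisted sender must not be able to assert a Subject.
    """
    if remote_host not in TRUSTED_HOSTS:
        return None
    for name, value in headers.items():
        if name.lower() == CERT_HEADER.lower():
            return value
    return None


def forwarded_user(remote_host, headers, option="Subject CN"):
    """Combine the gate and the lookup choice; None means 'no trusted identity'."""
    dn = forwarded_subject(remote_host, headers)
    return None if dn is None else user_lookup_value(dn, option)
```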

Create Identity Provider

Name: Name for the remote IdP.

URL: Select URL to acquire the remote IdP metadata from the URL location. Specify the FQDN of the host, including the port and any required path information. This URL is IdP-specific. For information on the metadata URL, consult the IdP documentation. For information about providing IdP metadata from another Atrium Single Sign-On server, see Providing IdP metadata from another Atrium Single Sign-On server (see page 229).

File Upload: Select File Upload to upload a file that contains the remote IdP metadata.


Providing IdP metadata from another Atrium Single Sign-On server

When using another Atrium Single Sign-On server as an IdP, the following URL template is used to access the metadata needed by the SP:

https://<host>:<port>/atriumsso/saml2/jsp/exportmetadata.jsp?role=idp&realm=BmcRealm&entityid=<entityid>

In this case:

host is the FQDN of the BMC Atrium Single Sign-On server hosting the IdP.
port is the port used for secure communication of the BMC Atrium Single Sign-On server hosting the IdP.
entityid is the name of the IdP hosted by the BMC Atrium Single Sign-On server.

For example:

https://idp.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp?role=idp&realm=BmcRealm&entityid=https://idp:1844

Create Service Provider

Name: Name for the remote SP.

URL: Select URL to acquire the remote SP metadata from the URL location. Specify the FQDN of the host, including the port and any required path information. This URL is SP-specific. For information on the metadata URL, consult the SP documentation. For information about providing SP metadata from another Atrium Single Sign-On server, see Providing SP metadata from another Atrium Single Sign-On server (see page 229).

File Upload: Select File Upload to upload a file that contains the remote SP metadata.

Providing SP metadata from another Atrium Single Sign-On server

For accessing SP metadata, the following URL syntax is used:

https://<host>:<port>/atriumsso/saml2/jsp/exportmetadata.jsp?role=sp&realm=BmcRealm&entityid=<entityid>

In this case:

host is the FQDN of the server hosting the SP.
port is the port used for secure communications of the server hosting the SP.
entityid is the name of the SP hosted by the server.

For example:

https://sp.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp?role=sp&realm=BmcRealm&entityid=https://sp:8443/a

Local Identity Provider (IdP) Editor

Name: Name for the IdP or accept the provided IdP name. The Name field is pre-populated with a value that reflects the expected IdP name.

Binding: This option determines the way in which SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and Post are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with Post.

Sign Messages

Signing Certificate Alias: The alias specifies the certificate that is used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the IdP.

Authentication Request, Logout Request, Logout Response, Manager Name ID Request, Manager Name ID Response, and Artifact Resolve: These parameters are the SAMLv2 messages that are to be signed by the IdP or are expected to have been signed by the SP.

Encrypt Elements

Encryption Certificate Alias: The alias specifies the private key that is used to encrypt the secret key used to encrypt the SAMLv2 messages.

Encryption Algorithm: The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128, or AES-256, from the drop-down menu.

Name ID: Specifies whether to encrypt the Name ID or leave it in plain text.

Assertion Time

Not-Before Skew (seconds): To compensate for clock drift between remote machines, this value specifies the amount of time that a message is considered valid when it is received before the issue time in the message.

Effective Time (seconds): Amount of time that an assertion is valid, counting from the assertion's issue time.

Attribute Mapping

Attribute Mapping is used to take user attributes (such as email, phone number, and so on) from the external user store and map them to the attributes used within the BMC Atrium Single Sign-On system. A mapping is defined by entering the Name In Assertion, selecting from the drop-down the Local Attribute Name that the attribute is to map to, and clicking Add to put the new mapping into the table.

Local Service Provider (SP) Editor

Name: Name for the SP or accept the provided SP name. The Name field is pre-populated with a value that reflects the expected SP name.

MetaAlias: The internally generated identifier for the entity. This value is used in the SAMLv2 login URL specified in the agent's configuration.

Binding: This option determines the way in which SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and Post are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with Post.

Artifact Encoding: The encoding technique used for Assertion Artifacts. The encoding method is determined by the IdP and is usually related to the binding method. From the drop-down menu, select URI or FORM.

Sign Messages

Signing Certificate Alias: The alias specifies the certificate that is used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the SP.

Authentication Request, Logout Request, Logout Response, Manager Name ID, Artifact Resolve, and Post Resolve: These parameters are the SAMLv2 messages that are to be signed by the SP or are expected to have been signed by the IdP.

Encrypt Elements

Encryption Certificate Alias: The alias specifies the private key that is used to encrypt the secret key used to encrypt the SAMLv2 messages.

Encryption Algorithm: The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128, or AES-256, from the drop-down menu.

Assertion, Attribute, Name ID: Specifies whether to encrypt the Assertion, Attribute, and Name ID or leave them in plain text.

Assertion Time

Not-Before Skew (seconds): To compensate for clock drift between remote machines, this value specifies the amount of time that a message is considered valid when it is received before the issue time in the message.

Effective Time (seconds): Amount of time that an assertion is valid, counting from the assertion's issue time.

SOAP Basic Authentication: SOAP Basic authentication can be enabled to protect the SOAP SP endpoints. Any provider accessing these endpoints must provide these user name and password values.

Attribute Mapping: Attribute Mapping is used to take user attributes (such as email, phone number, and so on) from the external user store and map them to the attributes used within the BMC Atrium Single Sign-On system. A mapping is defined by entering the SAML Attribute, selecting from the drop-down the Atrium SSO Attribute that the external attribute is to map to, and clicking Add to put the new mapping into the table.

Auto Federation: Allows BMC Atrium Single Sign-On to use an attribute of the Assertion from the IdP to automatically create an identity within the BMC Atrium Single Sign-On system. The identity is created by bypassing the initial double login normally performed when federating a user account with SAMLv2.

Name ID Format: Defines the name identifier formats supported by the service provider. Name identifiers are a way for providers to communicate with each other regarding a user. The Name ID format list is an ordered list; the first Name ID has the highest priority in determining the Name ID format to use. If the user does not specify a Name ID to use when initiating single sign-on, the first one in this list that is supported by the remote Identity Provider is chosen. A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary, and no data is written to the user's persistent data store. Note: For linking user accounts from the SP and IdP (Remote Identity Provider) together after logging in, the persistent Name ID format must be at the top of the list.

Authentication Context: This attribute maps the SAMLv2-defined authentication context classes to the authentication level set for the user session for the service provider.
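How the Assertion Time fields of the Local IdP and Local SP editors (Not-Before Skew and Effective Time) bound an assertion's acceptance window, as an added example that is not code from the BMC product or OpenAM. The assertion fragment is constructed, and the 60 s skew and 600 s effective time are assumed values for illustration, not documented defaults.

```python
"""Assertion time-window check using Not-Before Skew and Effective Time.

Added example, not code from the BMC product or OpenAM. The assertion fragment
is constructed, and the skew (60 s) and effective time (600 s) are assumed
values for illustration, not defaults documented for the editors above.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"

# Constructed assertion carrying only what this check needs.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-example" Version="2.0" IssueInstant="2014-01-16T15:56:00Z">'
    '<saml:Issuer>https://idp.example.com/atriumsso</saml:Issuer>'
    '</saml:Assertion>'
)


def parse_issue_instant(assertion_xml):
    """Return the assertion's IssueInstant as an aware UTC datetime."""
    root = ET.fromstring(assertion_xml)
    if root.tag != SAML_ASSERTION_TAG:
        raise ValueError("not a SAML 2.0 Assertion element")
    raw = root.get("IssueInstant")
    if raw is None:
        raise ValueError("assertion has no IssueInstant")
    # SAML requires xsd:dateTime in UTC ("Z"); fractional seconds are trimmed here.
    if "." in raw:
        raw = raw.split(".", 1)[0] + "Z"
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validity_window(issue_instant, not_before_skew_s, effective_time_s):
    """Earliest acceptable arrival time and expiry, as the two fields define them.

    The assertion is accepted from (issue - skew), tolerating an IdP clock that
    runs ahead of ours, and until (issue + effective time).
    """
    return (issue_instant - timedelta(seconds=not_before_skew_s),
            issue_instant + timedelta(seconds=effective_time_s))


def assertion_status(assertion_xml, received_at, not_before_skew_s=60, effective_time_s=600):
    """'valid', 'too-early' (issue time beyond the skew) or 'expired'."""
    not_before, not_on_or_after = validity_window(
        parse_issue_instant(assertion_xml), not_before_skew_s, effective_time_s)
    if received_at < not_before:
        return "too-early"
    if received_at >= not_on_or_after:
        return "expired"
    return "valid"


def utc(hour, minute, second=0):
    """Helper for constructed receive times on the sample assertion's day."""
    return datetime(2014, 1, 16, hour, minute, second, tzinfo=timezone.utc)
```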

Remote Identity Provider (IdP) Editor

Name: Name for the IdP or accept the provided IdP name. The Name field is pre-populated with a value that reflects the expected IdP name.

Binding: This option determines the way in which SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and Post are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with Post.

Sign Messages

Signing Certificate Alias: The alias specifies the certificate that is used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the IdP.

Authentication Request, Logout Request, Logout Response, Manager Name ID Request, Manager Name ID Response, and Artifact Resolve: These parameters are the SAMLv2 messages that are to be signed by the IdP or are expected to have been signed by the SP.

Encrypt Elements

Encryption Certificate Alias: The alias specifies the private key that is used to encrypt the secret key used to encrypt the SAMLv2 messages.

Encryption Algorithm: The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128, or AES-256, from the drop-down menu.

Name ID: Specifies whether to encrypt the Name ID or leave it in plain text.

Remote Service Provider (SP) Editor

Name: Name for the SP or accept the provided SP name. The Name field is pre-populated with a value that reflects the expected SP name.

MetaAlias: The internally generated identifier for the entity. This value is used in the SAMLv2 login URL specified in the agent's configuration.

Binding: This option determines the way in which SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and Post are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with Post.

Artifact Encoding: The encoding technique used for Assertion Artifacts. The encoding method is determined by the IdP and is usually related to the binding method. From the drop-down menu, select URI or FORM.

Sign Messages

Signing Certificate Alias: The alias specifies the certificate that is used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the SP.

Authentication Request, Logout Request, Logout Response, Manager Name ID, Artifact Resolve, and Post Resolve: These parameters are the SAMLv2 messages that are to be signed by the SP or are expected to have been signed by the IdP.

Encrypt Elements

Encryption Certificate Alias: The alias specifies the private key that is used to encrypt the secret key used to encrypt the SAMLv2 messages.

Encryption Algorithm: The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128, or AES-256, from the drop-down menu.

Assertion, Attribute, Name ID: Specifies whether to encrypt the Assertion, Attribute, and Name ID or leave them in plain text.

SOAP Basic Authentication: SOAP Basic authentication can be enabled to protect the SOAP SP endpoints. Any provider accessing these endpoints must provide these user name and password values.

Attribute Mapping: Attribute Mapping is used to take user attributes (such as email, phone number, and so on) from the external user store and map them to the attributes used within the BMC Atrium Single Sign-On system. A mapping is defined by entering the SAML Attribute, selecting from the drop-down the Atrium SSO Attribute that the external attribute is to map to, and clicking Add to put the new mapping into the table.

10.1.6 Agent manager

The Agent manager provides an Agent panel that allows you to edit, delete, and search for an agent, and shows the agent name, realm, and state. The state indicates whether the agent is running or is down. When searching for an agent, entering * returns all of the names; the filter applies to all columns in the agent panel, and an agent is returned for display when the filter string is found within any of these values. This feature allows you to filter the list of agents to the ones running by specifying "Running".

Agent Editor

The Agent Editor allows you to modify the configuration of an agent. By modifying the agent configuration, you can correct problems caused by environment difficulties. For example, a remote host may report its FQDN (Fully Qualified Domain Name) incorrectly, using a plain name such as machine instead of machine.bmc.com. The Agent Editor is launched when you select an agent and click Edit. The Agent Editor has the following options:

Save to save your modifications.
Reset to remove your modifications and stay on the editor.
Help launches a browser that provides you with online help.
Cancel to cancel and return to the launch page.

Notification URL: The URL where the agent receives notifications from the server about session logouts. It is composed of the product's base URI with "/atsso" concatenated to the end. For example, https://sample.bmc.com/arsys/atsso

Status: Determines whether the agent is enforcing SSO authentication (active) or not (inactive).

Logging Level: The level of logging the agent performs in the product.

Redirect Limit: The number of times that the agent redirects the browser to the server for authentication before signaling an error; 0 means infinite.

Password and Confirm Password: Password used by the agent to access its configuration in the SSO server.

Cookie Name: The cookie name is the name of the cookie that the agent checks for the SSO session token. It should match the cookie name of the server configuration. Note: To ensure browser compatibility, the cookie name should contain only alphanumeric and underscore characters.

Login URI and Logout URI: Login and logout URIs are the locations to which the agent sends users' browsers when the specified function is needed. When an agent is federated, the login and logout URLs for the agent must be modified to interact with the IdP.

Login Probe and Logout Probe: The probe validates that the destination is accessible before sending the user to the location. If it is not, the agent tells the user that the SSO system is inaccessible. The probe should be turned off in environments where the URI cannot be contacted from the agent's environment, such as when the URI contains a host that is to be accessed through a reverse proxy.

Enable Cache: Select this option to enable the session cache. Disabling the cache has a severe performance impact.

Fully Qualified Domain Name Mapping: This FQDN mapping allows the agent to fix the URL used to access the application in order to get the browser to send cookies to the application. The SSO session is identified through cookies. When a URL is not using an FQDN host name, the browser does not know the domain of the server and therefore does not send any cookies to the server.

FQDN of Agent Host: The FQDN entered is the FQDN of the host where the agent is located. Enabling FQDN mapping causes the agent to perform the forwarding from the entered host names to the entered FQDN.

Trigger host list and Trigger Host Name: The hosts that trigger the FQDN redirect. The Trigger host list allows you to remove a host from the list. Trigger Host Name allows you to add a host to the Trigger host list.

Not Enforced URI and URI: The Not Enforced URI field allows you to remove URIs from the Not Enforced URI list. The URI field allows you to add a URI to the Not Enforced URI list.
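A model of the agent-side decisions the Agent Editor fields configure (FQDN mapping, Not Enforced URIs, the session cookie check, and the Login URI with its Redirect Limit), as an added example that is not the BMC agent's code. Host names, URIs and the cookie name are constructed, and the decision order and the trailing "*" prefix convention for Not Enforced URIs are assumptions made for illustration.

```python
"""Model of the agent-side decisions configured in the Agent Editor above.

Added example, not the BMC agent's code. Host names, URIs and the cookie name
are constructed; the decision order (FQDN mapping, then Not Enforced URI, then
session cookie, then Login URI with the Redirect Limit) and the trailing "*"
prefix convention for Not Enforced URIs are assumptions for illustration.
"""
import re
from urllib.parse import urlsplit, urlunsplit

COOKIE_NAME_OK = re.compile(r"^[A-Za-z0-9_]+$")   # alphanumeric and underscore only


def cookie_name_is_valid(name):
    """The browser-compatibility rule from the Cookie Name note."""
    return bool(COOKIE_NAME_OK.match(name))


class AgentConfig:
    def __init__(self, fqdn, trigger_hosts, not_enforced_uris, cookie_name, login_uri, redirect_limit):
        if not cookie_name_is_valid(cookie_name):
            raise ValueError("cookie name must contain only alphanumeric and underscore characters")
        self.fqdn = fqdn                          # FQDN of Agent Host
        self.trigger_hosts = set(trigger_hosts)   # Trigger host list
        self.not_enforced_uris = list(not_enforced_uris)
        self.cookie_name = cookie_name
        self.login_uri = login_uri
        self.redirect_limit = redirect_limit      # 0 means infinite, as the table states


def fqdn_redirect(cfg, url):
    """Return the FQDN-corrected URL when the host is a trigger host, else None."""
    parts = urlsplit(url)
    if parts.hostname not in cfg.trigger_hosts or parts.hostname == cfg.fqdn:
        return None
    netloc = cfg.fqdn if parts.port is None else "%s:%d" % (cfg.fqdn, parts.port)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def is_not_enforced(cfg, path):
    """Exact match, or prefix match for entries ending in '*' (assumed convention)."""
    for uri in cfg.not_enforced_uris:
        if uri.endswith("*"):
            if path.startswith(uri[:-1]):
                return True
        elif path == uri:
            return True
    return False


def decide(cfg, url, cookies, redirects_so_far=0):
    """(action, detail): action is 'redirect', 'allow' or 'error'."""
    fixed = fqdn_redirect(cfg, url)
    if fixed:
        # A plain host name gets no cookies from the browser, so fix the URL first.
        return ("redirect", fixed)
    if is_not_enforced(cfg, urlsplit(url).path):
        return ("allow", "not enforced")
    if cookies.get(cfg.cookie_name):
        # Token present; validating it against the server is outside this model.
        return ("allow", "session token present")
    if cfg.redirect_limit and redirects_so_far >= cfg.redirect_limit:
        return ("error", "redirect limit reached")
    return ("redirect", cfg.login_uri)


# Constructed configuration used by the checks.
SAMPLE_CFG = AgentConfig(
    fqdn="app.bmc.example", trigger_hosts=["app", "app.local"],
    not_enforced_uris=["/health", "/static/*"], cookie_name="atsso_session",
    login_uri="https://sso.bmc.example/atriumsso/UI/Login", redirect_limit=3)
```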

10.1.7 HA Nodes manager

The HA Nodes manager is launched from the Administrator Console. On the HA Pie Chart, click Expand. The HA Nodes manager provides an HA Nodes panel that allows you to edit, delete, and search for an HA node. In addition, you can click Return to Console to return to the BMC Atrium SSO Admin Console. When searching for an HA node, entering * returns all of the names. A letter such as m returns all names with the letter m in the host name. A short string such as mc returns names that have mc in the host name (for example, atrium-sso-vm2.bmc.com). You can sort HA Nodes by each of the columns in the panel:

Host Name
Port
Status

When you edit a host, the Server Configuration Editor pops up with the following parameters. The Server Configuration Editor provides the parameters that must be updated when you install or configure the BMC Atrium Single Sign-On server. The following topics are provided:

Server Configuration Editor parameters (see page )
HTTP Only and HTTPS Only (see page )

Server Configuration Editor parameters

Cookies

Cookie Name: The cookie name is automatically created at install time for the BMC Atrium Single Sign-On server. It is generated based upon the FQDN of the BMC Atrium Single Sign-On host.

Cookie Domain: The default cookie domain value is the network domain of the computer on which you are installing the server. The default cookie domain specifies the most restrictive access. This value is used to control cookie visibility between servers within the domain. For more information about the default cookie domain, see Default cookie domain.

HTTP Only: Select the HTTP Only check box to mark the BMC Atrium Single Sign-On cookie to prevent non-HTTP APIs, such as JavaScript, from accessing the cookie. For more information about the HTTP Only parameter, see HTTP Only and HTTPS Only (see page 236).

HTTPS Only: Select the HTTPS Only check box to mark the cookie with the Secure option, which ensures that the cookie is transmitted only over HTTPS connections from the browser to the server. For more information about the HTTPS Only parameter, see HTTP Only and HTTPS Only (see page 236).

amAdmin

Password & Confirm Password: The password for accessing the BMC Atrium Single Sign-On server.

External URL: FQDN for the BMC Atrium Single Sign-On server.

Logging Level: Logging level options are Off, Error, Warning, or Message. Error returns the least amount of information and Message contains the most.

Enable FIPS-140: Be sure to configure FIPS-140 before enabling; see Configuring FIPS-140 mode (see page 251).

Online Certificate Status Protocol: CAC can use OCSP. If CAC is using OCSP, be sure to configure CAC before enabling. If CAC isn't using OCSP, configuration is not required. To enable, provide the Server URL and select Enable OCSP.

Session

Max Session Time: Time after which your session is logged out even when you are active. The default time is 120 minutes. The time constraints are automatically enforced when this value is selected. Note: The Max Session Time value should be more than the Idle Timeout value.

Idle Timeout: Time after which your session is logged out if you are inactive or away. The default time is 30 minutes. The time constraints are automatically enforced when this value is selected. Note: When you have integrated BMC Atrium SSO with BMC Remedy AR System, the Idle Timeout value should be 3 minutes more than the BMC Mid Tier idle timeout value.

Cache Time: Time after which the cache is cleared. Time constraints are automatically enforced. The default time is 3 minutes.

Max Session Count per User: Maximum number of concurrent sessions allowed for a user. The default value is 5. Click Enable to enable Max Session Count per User. When the session limit is exceeded, select the desired behavior. The two options are Delete Oldest or Block New.

HTTP Only and HTTPS Only

With the release of BMC Atrium Single Sign-On 8.1 Patch 3, the Server Configuration Editor provides two new options: HTTP Only and HTTPS Only. The HTTP Only parameter marks the BMC Atrium Single Sign-On cookie to prevent non-HTTP APIs, such as JavaScript, from accessing the cookie. When you enable the HTTPS Only parameter, it marks the cookie with the Secure option, which ensures that the cookie is transmitted only over HTTPS connections from the browser to the server. The default value of these check boxes is false. When set to true, the options prevent scripts and third-party programs from accessing the cookies.

To secure BMC Atrium Single Sign-On as a stand-alone server

1. Open the Edit Server Configuration tab on the BMC Atrium Single Sign-On Admin Console.
2. Select the HTTP Only and HTTPS Only check boxes, and click Save.
3. Restart the BMC Atrium Single Sign-On server.
4. Clear all the existing cookies from the browser history.

To secure BMC Atrium Single Sign-On as a high-availability cluster

1. Open the HA Node Details tab on the BMC Atrium Single Sign-On Admin Console.
2. Select the node for which the HTTP Only and HTTPS Only options are to be enabled.
3. Select the HTTP Only and HTTPS Only check boxes for each node, and click Save.

Note: Configuration warnings appear, saying that the HTTP Only and HTTPS Only features are out of sync for some nodes. You can ignore the warnings and click OK.

4. Restart the server.
5. Clear all the existing cookies from the browser history.

Note: A warning is displayed after the configuration change is saved when the HTTP Only, HTTPS Only, Cookie Name, or Cookie Domain setting is out of sync with other nodes. The warning message includes a list of other nodes that do not match the currently saved value.

10.1.8 Server Configuration Editor

The Server Configuration Editor provides the parameters that must be updated when you install or configure the BMC Atrium Single Sign-On server. The following topics are provided:

Server Configuration Editor parameters (see page 237)
HTTP Only and HTTPS Only (see page 238)

Server Configuration Editor parameters

Cookies

Cookie Name: The cookie name is automatically created at install time for the BMC Atrium Single Sign-On server. It is generated based upon the FQDN of the BMC Atrium Single Sign-On host.

Cookie Domain: The default cookie domain value is the network domain of the computer on which you are installing the server. The default cookie domain specifies the most restrictive access. This value is used to control cookie visibility between servers within the domain. For more information about the default cookie domain, see Default cookie domain.

HTTP Only: Select the HTTP Only check box to mark the BMC Atrium Single Sign-On cookie to prevent non-HTTP APIs, such as JavaScript, from accessing the cookie. For more information about the HTTP Only parameter, see HTTP Only and HTTPS Only (see page 238).

HTTPS Only: Select the HTTPS Only check box to mark the cookie with the Secure option, which ensures that the cookie is transmitted only over HTTPS connections from the browser to the server. For more information about the HTTPS Only parameter, see HTTP Only and HTTPS Only (see page 238).

amAdmin

Password & Confirm Password: The password for accessing the BMC Atrium Single Sign-On server.

External URL: FQDN for the BMC Atrium Single Sign-On server.

Logging Level: Logging level options are Off, Error, Warning, or Message. Error returns the least amount of information and Message contains the most.

Enable FIPS-140: Be sure to configure FIPS-140 before enabling; see Configuring FIPS-140 mode (see page 251).

Online Certificate Status Protocol: CAC can use OCSP. If CAC is using OCSP, be sure to configure CAC before enabling. If CAC isn't using OCSP, configuration is not required. To enable, provide the Server URL and select Enable OCSP.

Session

Max Session Time: Time after which your session is logged out even when you are active. The default time is 120 minutes. The time constraints are automatically enforced when this value is selected.

Idle Timeout: Time after which your session is logged out if you are inactive or away. The default time is 30 minutes. The time constraints are automatically enforced when this value is selected.

Note: The Max Session Time value should be more than the Idle Timeout value.

Note: When you have integrated BMC Atrium SSO with BMC Remedy AR System, the Idle Timeout value should be 3 minutes more than the BMC Mid Tier idle timeout value.

Cache Time: Time after which the cache is cleared. Time constraints are automatically enforced. The default time is 3 minutes.

Max Session Count per User: Maximum number of concurrent sessions allowed for a user. The default value is 5. Click Enable to enable Max Session Count per User. When the session limit is exceeded, select the desired behavior. The two options are Delete Oldest or Block New.
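The Session settings above (the two timeouts with their notes, and Max Session Count per User with its Delete Oldest / Block New behaviors) as an added example that is not BMC's code. The defaults are those the table states; the session records and the Mid Tier idle timeout are constructed inputs, with times in epoch seconds.

```python
"""Concurrent-session limit and timeout checks for the Session fields above.

Added example, not BMC's code. The defaults (120, 30 and 3 minutes; 5 sessions)
are those stated in the table; the session records and the Mid Tier idle
timeout are constructed inputs, and times are epoch seconds.
"""
from collections import namedtuple

Session = namedtuple("Session", "id user created_at last_active")


def check_session_settings(max_session_min=120, idle_timeout_min=30,
                           cache_time_min=3, midtier_idle_min=None):
    """Return the problems the two notes in the table warn about (empty = fine)."""
    problems = []
    for name, value in (("Max Session Time", max_session_min),
                        ("Idle Timeout", idle_timeout_min),
                        ("Cache Time", cache_time_min)):
        if value <= 0:
            problems.append(name + " must be positive")
    if max_session_min <= idle_timeout_min:
        problems.append("Max Session Time must be more than Idle Timeout")
    if midtier_idle_min is not None and idle_timeout_min < midtier_idle_min + 3:
        problems.append("Idle Timeout should be 3 minutes more than the Mid Tier idle timeout")
    return problems


def session_expired(session, now, max_session_min=120, idle_timeout_min=30):
    """True once either limit is reached: total lifetime (even if active) or idle time."""
    return (now - session.created_at >= max_session_min * 60
            or now - session.last_active >= idle_timeout_min * 60)


def admit_session(active, new, max_count=5, on_limit="Delete Oldest"):
    """Apply Max Session Count per User; returns (sessions_after, admitted, evicted_ids)."""
    mine = sorted((s for s in active if s.user == new.user), key=lambda s: s.created_at)
    others = [s for s in active if s.user != new.user]
    if len(mine) < max_count:
        return others + mine + [new], True, []
    if on_limit == "Block New":
        return list(active), False, []
    if on_limit == "Delete Oldest":
        overflow = len(mine) - max_count + 1        # make room for exactly one more
        evicted, kept = mine[:overflow], mine[overflow:]
        return others + kept + [new], True, [s.id for s in evicted]
    raise ValueError("unknown policy: %r" % on_limit)


# Constructed session table: five sessions for alice (the default limit) and one for bob.
ACTIVE = [Session("s%d" % i, "alice", i * 100, i * 100) for i in range(1, 6)]
ACTIVE.append(Session("b1", "bob", 50, 50))
```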

HTTP Only and HTTPS Only

With the release of BMC Atrium Single Sign-On 8.1 Patch 3, the Server Configuration Editor provides two new options: HTTP Only and HTTPS Only. The HTTP Only parameter marks the BMC Atrium Single Sign-On cookie to prevent non-HTTP APIs, such as JavaScript, from accessing the cookie. When you enable the HTTPS Only parameter, it marks the cookie with the Secure option, which ensures that the cookie is transmitted only over HTTPS connections from the browser to the server. The default value of these check boxes is false. When set to true, the options prevent scripts and third-party programs from accessing the cookies.

To secure BMC Atrium Single Sign-On as a stand-alone server

1. Open the Edit Server Configuration tab on the BMC Atrium Single Sign-On Admin Console.
2. Select the HTTP Only and HTTPS Only check boxes, and click Save.
3. Restart the BMC Atrium Single Sign-On server.
4. Clear all the existing cookies from the browser history.

To secure BMC Atrium Single Sign-On as a high-availability cluster

1. Open the HA Node Details tab on the BMC Atrium Single Sign-On Admin Console.
2. Select the node for which the HTTP Only and HTTPS Only options are to be enabled.
3. Select the HTTP Only and HTTPS Only check boxes for each node, and click Save.

Note: Configuration warnings appear, saying that the HTTP Only and HTTPS Only features are out of sync for some nodes. You can ignore the warnings and click OK.

4. Restart the server.
5. Clear all the existing cookies from the browser history.

Note: A warning is displayed after the configuration change is saved when the HTTP Only, HTTPS Only, Cookie Name, or Cookie Domain setting is out of sync with other nodes. The warning message includes a list of other nodes that do not match the currently saved value.
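A check of what the browser actually receives after the HTTP Only and HTTPS Only procedures above (both the 10.1.7 and 10.1.8 copies), plus the out-of-sync node comparison the final note describes, as an added example that is not BMC's code. The Set-Cookie headers, cookie name and node settings are constructed.

```python
"""Verify HttpOnly and Secure on the SSO cookie and spot out-of-sync HA nodes.

Added example, not BMC's code. The Set-Cookie headers, cookie name and node
settings are constructed; the check reads what a browser would receive, so it
confirms the effect of the HTTP Only and HTTPS Only options after the restart.
"""


def parse_set_cookie(header):
    """Return (name, value, attributes) with attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def cookie_findings(header, expected_name, expected_domain):
    """List what is missing for the session cookie; empty means both flags are set."""
    name, _, attrs = parse_set_cookie(header)
    if name != expected_name:
        return ["not the SSO cookie (%r)" % name]
    findings = []
    if "httponly" not in attrs:
        findings.append("HTTP Only not set: scripts can read the session token")
    if "secure" not in attrs:
        findings.append("HTTPS Only not set: the cookie can travel over plain HTTP")
    domain = str(attrs.get("domain", "")).lstrip(".").lower()
    if domain != expected_domain.lower():
        findings.append("cookie domain %r differs from the configured %r" % (domain, expected_domain))
    return findings


def nodes_out_of_sync(nodes, saved):
    """Names of HA nodes whose HTTP Only, HTTPS Only, Cookie Name or Cookie Domain
    differ from the value just saved (the warning the note above describes)."""
    keys = ("http_only", "https_only", "cookie_name", "cookie_domain")
    return sorted(n for n, s in nodes.items() if any(s[k] != saved[k] for k in keys))


# Constructed headers: before and after enabling both options.
WEAK_HEADER = "atsso_sample=token-constructed; Domain=.bmc.example; Path=/"
HARDENED_HEADER = WEAK_HEADER + "; Secure; HttpOnly"

# Constructed cluster state: the saved values, and one node that has not picked them up.
SAVED = {"http_only": True, "https_only": True, "cookie_name": "atsso_sample", "cookie_domain": "bmc.example"}
NODES = {"sso1.bmc.example": dict(SAVED), "sso2.bmc.example": dict(SAVED, https_only=False)}
```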

10.2 Managing keystores with a keytool utility

The default Tomcat server used by BMC Atrium Single Sign-On uses a keystore and a truststore for secure (HTTPS/Transport Layer Security) communications. These files are stored in the following directory:

/BMC Software/AtriumSSO/tomcat/conf

For more information about using Certificate Authority (CA) certificates, see:

Creating new keystores (see page 240)
Using the keytool utility (see page 241)
Importing a certificate into the truststore (see page 243)
Generating and importing CA certificates
Generating self-signed certificates (see page 249)
Checking the truststore for certificates

The initial keystore created during the installation uses a self-signed certificate. This certificate causes browsers and other programs to warn users about the insecure nature of the certificate each time the user authenticates. The certificate warning can be prevented by doing one of the following:

Permanently importing the self-signed certificate into the user's truststore.
Obtaining and importing a signed identity certificate from a trusted CA. The CA vouches for the authenticity of the server's identity when the user visits BMC Atrium Single Sign-On for authentication. In this case, the user has an established trust relationship with the CA. This relationship is extended to BMC Atrium Single Sign-On after a digitally signed identity certificate is imported.

By default, BMC Atrium Single Sign-On is installed with a self-signed certificate. Although valid, this certificate causes warning messages when users access the server to perform authentication. The warning messages occur because the certificate is not signed by a CA.

10.2.1 Creating new keystores The following topics provide information and instructions for creating new keystores: To create a new keystore (see page 240) Locations of keystore and truststores (see page 241) Example of creating a new keystore (see page 241)

To create a new keystore

1. From the command prompt, change your working directory to \AtriumSSO\tomcat\conf.

2. Create a new keystore by using a new password to secure the certificate:

Microsoft Windows:

keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keystore %CATALINA_HOME%\conf\keystore.p12 -validity 999 -keysize 1024 -storetype pkcs12 -storepass keystore_password -keypass keystore_password -providername JsafeJCE

UNIX:

keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keystore $CATALINA_HOME/conf/keystore.p12 -validity 999 -keysize 1024 -storetype pkcs12 -storepass keystore_password -keypass keystore_password -providername JsafeJCE

Note Based on your requirements, you can use a keysize value of 1024 or 2048.

3. After the keystore has been created, you need to provide six parameters, which together form the distinguished name of the certificate associated with the key:

CN - Common Name of the certificate owner (usually the FQDN of the host)
OU - Organizational Unit of the certificate owner
O - Organization to which the certificate owner belongs
L - Locality name of the certificate owner
ST - State or province of the certificate owner
C - Country of the certificate owner

4. Update the server.xml file with the new password for the keystore. For details, see the Tomcat documentation at http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#SSL.

Locations of keystore and truststores

With the BMC Atrium Single Sign-On default installation, the keystore and truststores are in the following locations:

Keystore: /tomcat/conf/keystore.p12
Tomcat truststore: /tomcat/conf/cacerts.p12
JVM truststore: /jvm/jre/lib/security/cacerts.p12

Example of creating a new keystore

The following is an example of how to create a new keystore:

C:\apache-tomcat-6.0.20>keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.p12 -validity 999 -keysize 1024 -storetype pkcs12 -storepass keystore_password -keypass keystore_password
Enter keystore password:
What is your first and last name?
  [Unknown]:  sample.bmc.com
What is the name of your organizational unit?
  [Unknown]:  BMC Atrium SSO
What is the name of your organization?
  [Unknown]:  BMC Software, Inc.
What is the name of your City or Locality?
  [Unknown]:  Austin
What is the name of your State or Province?
  [Unknown]:  TX
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US correct?
  [no]:  yes

10.2.2 Using the keytool utility

The keytool utility is used to obtain a digitally signed identity certificate to replace the self-signed certificate. This utility is available with Oracle JDKs and with BMC Atrium Single Sign-On. The keytool utility must be available within the shell command environment to generate a certificate signing request (CSR) or to import a CA signed certificate. The following topics are provided:

To verify that the keytool utility is available (see page 242)
Setting up the environment (see page 242)
Where to go from here (see page 243)

To verify that the keytool utility is available

1. Open a shell command window.

2. In the command prompt, invoke the keytool utility:

On Windows: Type keytool.exe, and press Enter.
On UNIX: Type keytool and press Enter.

Note The keytool utility from Oracle JDK Java 1.5 or 1.6 can also be used.

3. If the keytool utility is available, a help message is generated that shows the keytool options. The following is the help output relevant to generating the CSR:

-certreq     [-v] [-protected]
             [-alias <alias>] [-sigalg <sigalg>]
             [-file <csr_file>] [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

4. Proceed with generating and importing CA certificates. If the tool is not available, proceed with setting up the environment.

Setting up the environment

Before running the keytool utility, the PATH environment variable must be initialized with the location of the keytool. Update the path as follows:

Note On UNIX, the keytool program is called keytool. On Windows, the program is keytool.exe.

On Windows: \BMC Software\AtriumSSO\jdk\bin

For example, PATH=\BMC Software\AtriumSSO\jdk\bin;%PATH%

On UNIX: /BMC Software/AtriumSSO/jdk/bin

For example, PATH=/BMC Software/AtriumSSO/jdk/bin:$PATH

Where to go from here

Generating and importing CA certificates

10.2.3 Importing a certificate into the truststore

To establish secure communications with a remote server (such as a remote LDAP server), a certificate must be imported into the BMC Atrium Single Sign-On truststore. The certificate must be in printable DER format (file extension .pem) or in binary DER format (file extensions .cer, .crt, or .der).

Note For High Availability installations, the certificate must be imported on each node.

The following topics provide information and instructions for importing a certificate into the truststore:

To import the certificate in Windows (see page 243)
To import the certificate in UNIX (see page 244)
Example of importing a new certificate to the truststore (see page 244)
Example of a certificate in DER format (see page 245)

To import the certificate in Windows

1. Copy the file into the BMC Atrium Single Sign-On server's conf directory: \BMC Software\AtriumSSO\tomcat\conf

2. On the command line, change the working directory to: \BMC Software\AtriumSSO\tomcat\conf

3. Modify the environment to use the JDK that is installed with BMC Atrium Single Sign-On:

set PATH=\jdk\bin;%PATH%

4. Run the keytool utility with the following parameters, where <certificate_file> is the file copied in step 1:

keytool -importcert -keystore %CATALINA_HOME%\conf\cacerts.p12 -trustcacerts -alias tomcat -keypass truststore_password -storepass truststore_password -file <certificate_file> -storetype PKCS12 -providername JsafeJCE

Note This keytool command is based on a default installation. Other values might be needed if BMC Atrium Single Sign-On was installed in an external Tomcat container or if the default truststore has been altered.

5. Stop and restart the BMC Atrium Single Sign-On server.

To import the certificate in UNIX

1. Copy the file into the BMC Atrium Single Sign-On server's conf directory: /BMC Software/AtriumSSO/tomcat/conf

2. On the command line, change the working directory to: /BMC Software/AtriumSSO/tomcat/conf

3. Modify the environment to use the JDK installed with BMC Atrium Single Sign-On:

PATH=/jdk/bin:$PATH; export PATH

4. Run the keytool utility with the following parameters, where <certificate_file> is the file copied in step 1:

keytool -importcert -keystore $CATALINA_HOME/conf/cacerts.p12 -trustcacerts -alias tomcat -keypass truststore_password -storepass truststore_password -file <certificate_file> -storetype PKCS12 -providername JsafeJCE

Note This keytool command is based on a default installation. Other values may be needed if BMC Atrium Single Sign-On was installed in an external Tomcat container or if the default truststore has been altered.

5. Stop and restart the BMC Atrium Single Sign-On server.

Example of importing a new certificate to the truststore

The following is an example of how to import a certificate to the truststore:

C:\apache-tomcat-6.0.20\conf>keytool -import -keystore cacerts.p12 -trustcacerts -alias tomcat -keypass truststore_password -storepass truststore_password -file mykey.cer -storetype PKCS12 -providername JsafeJCE
Owner: CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US
Issuer: CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US
Serial number: 266df6fc
Valid from: Sat Jun 15 10:22:28 BST 2013 until: Thu Mar 10 09:22:28 GMT 2016
Certificate fingerprints:
         MD5:  43:C3:22:11:F1:5B:AD:66:73:C5:24:74:80:EF:4F:78
         SHA1: 72:05:0F:FE:25:50:F7:B8:4D:F5:E8:BA:8F:88:89:2B:96:93:BB:14
         SHA256: DA:9B:BA:85:2E:D2:45:74:3F:FB:D7:6A:D4:86:74:E8:B9:FA:9F:01:25:35:61:CA:00:D1:8C:2B:F8:F6:77:A4
         Signature algorithm name: SHA256withRSA
         Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore

Example of a certificate in DER format

A certificate in printable DER format consists of the base64-encoded DER data enclosed between a -----BEGIN CERTIFICATE----- line and an -----END CERTIFICATE----- line.


10.2.4 Generating and importing CA certificates

The following topics are provided:

Generating CSRs (see page 246)
Adding and removing a CA certificate (see page 248)

By default, BMC Atrium Single Sign-On is installed with a self-signed certificate. Although valid, this certificate causes warning messages when users access the server to perform authentication. The warning messages occur because the certificate is not signed by a CA.

To generate and import a CA signed identity certificate

1. Generate a CSR. The CSR must be sent to a CA to be digitally signed and returned. The CA signs the CSR using its private key, which validates the server's identity, and returns a signed identity certificate. For more information, see Generating CSRs (see page 246).

2. Import the CA certificate into the BMC Atrium Single Sign-On Tomcat server keystore. See Importing a certificate into the truststore (see page 243).

3. Stop and restart the Tomcat server.

Note The new CA certificate does not take effect until the Tomcat server is restarted.

4. Update all integrated application truststores with the new public key.

The following command shows how to generate a new certificate with the same algorithm and key size as the certificate generated during the installation. This certificate also includes alternative server names (the san extension) that enable the server to be accessed through a different FQDN, which occurs when the BMC Atrium Single Sign-On server is running behind a load balancer or reverse proxy server, or is accessed locally from the computer on which the server is executing.

keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -keystore "keystore.p12" -storepass internal4bmc -storetype pkcs12 -providername JsafeJCE -dname "CN=loadbalancer.bmc.com, OU=AtriumSSO Server, O=BMC, ST=TX, C=US" -ext "san=DNS:node1.bmc.com,DNS:node2.bmc.com"

The identity of the owner contains the FQDN of the BMC Atrium Single Sign-On server as the CN attribute of the Distinguished Name (DN).

Note The alternative server names can also be specified by the Certificate Authority (CA) when the server certificate is signed.

Generating CSRs

To obtain a CA signed certificate for BMC Atrium Single Sign-On, you need to generate a CSR.

To generate a CSR in Windows (see page 247)
To generate a CSR in UNIX (see page 247)
CSR Example (see page 247)
Importing the signed certificate (see page 248)
Where to go from here (see page 248)

To generate a CSR in Windows

1. On the command line, change the working directory to: \BMC Software\AtriumSSO\tomcat\conf

2. Modify the environment to use the JDK that is installed with BMC Atrium Single Sign-On:

set PATH=\jdk\bin;%PATH%

3. Run the following keytool command:

keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore.p12 -storepass internal4bmc -storetype PKCS12 -providername JsafeJCE

To generate a CSR in UNIX

1. On the command line, change the working directory to: /BMC Software/AtriumSSO/tomcat/conf

2. Modify the environment to use the JDK installed with BMC Atrium Single Sign-On:

PATH=/jdk/bin:$PATH; export PATH

3. Run the following keytool command:

keytool -certreq -alias tomcat -keyalg RSA -file certreq.csr -keystore keystore.p12 -storepass internal4bmc -storetype PKCS12 -providername JsafeJCE

Note For both Windows and UNIX, the supplied default password for the BMC Atrium Single Sign-On Tomcat server is internal4bmc. You will need to provide another password if the keystore is replaced with a locally-generated file.

CSR Example

The command generates the CSR and saves it in the certreq.csr file. The file is PEM-encoded text enclosed between a -----BEGIN NEW CERTIFICATE REQUEST----- line and an -----END NEW CERTIFICATE REQUEST----- line.


The CSR produced by the keytool command must be sent to the CA for a digital signature.

Note The Common Name (CN) of the certificate cannot be modified because the CN must match the host name of the server. If the names do not match, the browser issues a warning that the server is trying to impersonate another site.

Importing the signed certificate

After a CSR is signed by a CA, follow the instructions for importing a certificate to the truststore (see page 243). Before importing the signed certificate, import the signing root CA and any intermediate signing certificates into the truststore.

Where to go from here

Generating and importing CA certificates

Adding and removing a CA certificate

Adding another certificate is necessary when:

Common Access Card (CAC) authentication is used.
The Department of Defense (DoD) issues new CA certificates.
You are using SSL with LDAP for authentication.

By default, the BMC Atrium Single Sign-On truststore already contains the current certificates for CAC.

Adding a CA certificate

To add another CA certificate, see Importing a certificate into the truststore (see page 243).

Note Replacing the self-signed certificate on the BMC Atrium Single Sign-On server invalidates the certificates that are already accepted by users. In addition, you need to install the new certificate into the truststore of all the integrated BMC applications.


Removing a CA certificate

Before removing a certificate, identify the alias of the certificate by listing the contents of the stores.

To list the contents of stores

1. To list the contents of the truststore, use the following command:

keytool -v -list -keystore cacerts.p12 -storepass changeit -providername JsafeJCE

2. To list the contents of the keystore, use the following command:

keytool -v -list -keystore keystore.p12 -storepass internal4bmc -providername JsafeJCE

To remove an existing certificate

1. To remove an existing certificate (identified by myAlias in this example) from the truststore, use the following command:

keytool -delete -alias myAlias -keystore cacerts.p12 -storepass changeit -providername JsafeJCE

2. To remove a certificate from the keystore, use the following command:

keytool -delete -alias myAlias -keystore keystore.p12 -storepass internal4bmc -providername JsafeJCE

Where to go from here

Generating and importing CA certificates

10.2.5 Generating self-signed certificates

BMC Atrium Single Sign-On is installed with a self-signed certificate. A self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. A self-signed certificate is used:

By the initial keystore created during installation of BMC Atrium Single Sign-On.
For configuring the Secure Sockets Layer (SSL) connection between the agent and the BMC Atrium Single Sign-On server.

To create a new self-signed certificate

Run the following command:

Microsoft Windows

keytool -export -alias tomcat -keystore %CATALINA_HOME%\conf\keystore.p12 -file %CATALINA_HOME%\conf\mykey.cer -storetype pkcs12 -storepass keystore_password -providername JsafeJCE

For example,

C:\Users\>keytool -export -alias tomcat -keystore keystore.p12 -file mykey.cer -storetype pkcs12 -storepass keystore_password -providername JsafeJCE
Certificate stored in file <mykey.cer>

UNIX

keytool -export -alias tomcat -keystore $CATALINA_HOME/conf/keystore.p12 -file $CATALINA_HOME/conf/mykey.cer -storetype pkcs12 -storepass keystore_password -providername JsafeJCE

After you create a self-signed certificate, browsers and other programs issue warnings to users about an insecure certificate each time the user authenticates. You can prevent the certificate warning by permanently importing the self-signed certificate into the user's truststore. See Importing a certificate into the truststore (see page 243).

10.2.6 Checking the truststore for certificates

Check the contents of the BMC Atrium Single Sign-On truststore to verify that the certificate has been imported or that the Issuer (Signer) certificate has been imported. To perform this check, use the keytool utility to place the contents of the truststore into a text file and review that file. The keytool utility is available in the Java Developer Kit (JDK) that is embedded with a BMC Atrium Single Sign-On installation. BMC recommends that you use this version of keytool.

To check the truststore for certificates

1. From the command prompt or shell window, change your working directory to: \AtriumSSO\tomcat\conf

2. Add the JDK bin directory to the PATH environment variable.

(UNIX) PATH=/AtriumSSO/jdk/bin:$PATH; export PATH
(Microsoft Windows) SET PATH=\AtriumSSO\jdk\bin;%PATH%

3. After the PATH variable is set, execute the following keytool command to place the contents into a certs.txt file:

keytool -list -v -keystore cacerts.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE > certs.txt

4. Check the certs.txt file for the certificate. If the certificate is not in the truststore, import the desired certificate into the keystore.
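Reviewing certs.txt by eye does not scale, and the same listing is what you read before choosing an alias for keytool -delete in the previous section. The following Python script is an added example, not BMC's code: it parses a keytool -list -v dump into entries, finds the alias that belongs to a fingerprint, and reports what a practitioner checks after an import (required aliases present, expiry, self-signed entries, weak signature algorithms, and issuers that are not themselves in the store). The listing it runs on is constructed: the tomcat entry reuses the sample certificate from the import example above, while the ldap-example entry and the example-ca alias are hypothetical.

```python
"""Audit a `keytool -list -v` dump such as the certs.txt produced in the steps above."""
import re
from datetime import datetime, timedelta

# Signature algorithms a defender should flag when they turn up in a truststore.
WEAK_SIGALGS = {"MD2withRSA", "MD5withRSA", "SHA1withRSA", "SHA1withDSA"}

# Constructed sample output (header lines trimmed). The "tomcat" entry reuses the
# self-signed sample certificate shown earlier on this page; "ldap-example" is a
# hypothetical, already-expired LDAP server certificate made up for this example.
SAMPLE_LISTING = """\
Alias name: tomcat
Owner: CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US
Issuer: CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US
Serial number: 266df6fc
Valid from: Sat Jun 15 10:22:28 BST 2013 until: Thu Mar 10 09:22:28 GMT 2016
\t SHA256: DA:9B:BA:85:2E:D2:45:74:3F:FB:D7:6A:D4:86:74:E8:B9:FA:9F:01:25:35:61:CA:00:D1:8C:2B:F8:F6:77:A4
\t Signature algorithm name: SHA256withRSA

*******************************************

Alias name: ldap-example
Owner: CN=ldap.example.test, OU=Directory, O=Example, L=Austin, ST=TX, C=US
Issuer: CN=Example Internal CA, O=Example, C=US
Serial number: 1a2b3c
Valid from: Wed Jan 11 08:00:00 GMT 2012 until: Fri Jan 10 08:00:00 GMT 2014
\t SHA256: A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4
\t Signature algorithm name: SHA1withRSA
"""
# Audit date used by audit_sample(): the date printed in this page's header.
AUDIT_DATE = datetime(2014, 1, 16)

_FIELDS = {"owner": r"^Owner: (.+)$", "issuer": r"^Issuer: (.+)$",
           "serial": r"^Serial number: (\S+)$", "sha256": r"^\s*SHA256: ([0-9A-F:]+)$",
           "sigalg": r"^\s*Signature algorithm name: (\S+)$"}
_VALIDITY = re.compile(r"^Valid from: (.+?) until: (.+)$", re.M)
# "Sat Jun 15 10:22:28 BST 2013" -> keep month, day, time, year; drop weekday and zone.
_DATE = re.compile(r"^\w{3} (\w{3}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) \S+ (\d{4})$")


def parse_keytool_date(text):
    """Parse keytool's date form. The zone abbreviation is dropped (strptime cannot handle
    arbitrary zone names portably), which is harmless for an expiry audit."""
    m = _DATE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised keytool date: {text!r}")
    return datetime.strptime(" ".join(m.groups()), "%b %d %H:%M:%S %Y")


def parse_keytool_listing(text):
    """Split a `keytool -list -v` dump into one dict per alias."""
    entries = []
    for chunk in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        alias, _, body = chunk.partition("\n")
        entry = {"alias": alias.strip()}
        for key, pattern in _FIELDS.items():
            m = re.search(pattern, body, re.M)
            entry[key] = m.group(1).strip() if m else None
        m = _VALIDITY.search(body)
        entry["valid_from"] = parse_keytool_date(m.group(1)) if m else None
        entry["valid_until"] = parse_keytool_date(m.group(2)) if m else None
        entries.append(entry)
    return entries


def alias_for_fingerprint(entries, sha256):
    """Find the alias to pass to `keytool -delete`; colons and letter case are ignored."""
    wanted = re.sub(r"[^0-9a-f]", "", sha256.lower())
    return next((e["alias"] for e in entries
                 if e["sha256"] and re.sub(r"[^0-9a-f]", "", e["sha256"].lower()) == wanted), None)


def audit_truststore(entries, now, required_aliases=()):
    """Checks worth making after an import: required aliases present, expiry, self-signed
    entries, weak signature algorithms, and issuers with no matching Owner in the store
    (the root or intermediate still has to be imported before the chain can validate)."""
    owners = {e["owner"] for e in entries}
    f = {"missing_aliases": sorted(set(required_aliases) - {e["alias"] for e in entries}),
         "expired": [], "expiring_soon": [], "self_signed": [], "weak_sigalg": [], "issuer_missing": []}
    for e in entries:
        if e["valid_until"] is not None and e["valid_until"] < now:
            f["expired"].append(e["alias"])
        elif e["valid_until"] is not None and e["valid_until"] - now <= timedelta(days=30):
            f["expiring_soon"].append(e["alias"])
        if e["owner"] == e["issuer"]:
            f["self_signed"].append(e["alias"])
        elif e["issuer"] not in owners:
            f["issuer_missing"].append(e["alias"])
        if e["sigalg"] in WEAK_SIGALGS:
            f["weak_sigalg"].append(e["alias"])
    return f


def audit_sample():
    """Audit the constructed listing, which is also expected to hold an 'example-ca' root."""
    entries = parse_keytool_listing(SAMPLE_LISTING)
    return audit_truststore(entries, AUDIT_DATE, required_aliases=("tomcat", "example-ca"))
```

Run it against a real certs.txt by replacing SAMPLE_LISTING with the file's contents and AUDIT_DATE with the current time; the self-signed finding for tomcat is expected until the CA signed certificate described in the next section is in place.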

10.3 Configuring FIPS-140 mode

The following topics provide information and instructions for configuring FIPS-140 mode:

Converting to FIPS-140 mode (see page 251)
Monitoring FIPS-140 and normal mode conversions (see page 256)
Changing FIPS-140 network ciphers (see page 257)
Converting from FIPS-140 to normal mode (see page 258)

10.3.1 Converting to FIPS-140 mode BMC recommends that you monitor the FIPS-140 mode conversion. See Monitoring FIPS-140 and normal mode conversions (see page 256).

To convert BMC Atrium Single Sign-On to FIPS-140 mode

1 Before you begin

Before you begin

When operating in FIPS-140 mode, BMC Atrium Single Sign-On blocks contact with products which are not also operating in a FIPS-140 compliant mode. Before performing the switch to FIPS-140 mode:

Perform a system backup before switching to (or from) FIPS-140 mode. An unexpected hardware or software failure during the conversion can corrupt the server configuration.
Verify that the integrated BMC products are capable of operating in a FIPS-140 compliant mode and are capable of making the reconfiguration that is required to continue operating with BMC Atrium Single Sign-On. If you plan to integrate additional products with BMC Atrium Single Sign-On after the switch to FIPS-140 mode is complete, be sure that these products can be integrated with the server. See the BMC Atrium Single Sign-On Product Availability Compatibility on the support website.
Ensure that your Internet browser is capable of supporting 256-bit Advanced Encryption Standard (AES) encryption. See Browser cipher capabilities (see page 252).
Obtain the RSA CryptoJ FIPS cryptography module. See RSA CryptoJ FIPS cryptography module (see page 252). Contact Customer Support for access to the RSA CryptoJ FIPS cryptography module. This library file must be installed into the server's Java Virtual Machine (JVM), replacing the current version, which is not certified.
Obtain unlimited strength Java policy files. BMC Atrium Single Sign-On uses Oracle JVM 1.7.0_03. The unlimited policy files for this JVM are available for download from the following URL: http://java.sun.com/javase/downloads/index.jsp.

Browser cipher capabilities When operating in FIPS-140 mode with default networking ciphers, the Internet browser must be capable of supporting 256-bit Advanced Encryption Standard (AES) encryption. Otherwise, the browser cannot connect with BMC Atrium Single Sign-On for administrator or user authentication purposes. FireFox 3+ is able to operate at this level. Internet Explorer might not be able to support 256-bit AES depending on the version. You can check your browser cipher capabilities at the following URL: http://www.fortify.net/sslcheck.html. This web site provides the encryption status of your browser.

RSA CryptoJ FIPS cryptography module

The FIPS-approved cryptography module used by BMC Atrium Single Sign-On for FIPS-140 compliance is the RSA CryptoJ library version 6.1. The following table shows the algorithms used in normal mode and FIPS-140 mode.

Purpose          | Normal                     | FIPS-140
-----------------|----------------------------|-------------------------------------------
Encryption       | DES                        | AES-256
Hash             | MD5, SHA1, SHA256, SHA512  | SHA1, SHA256, SHA512
Network protocol | TLS 1.0                    | TLS 1.0
Network ciphers  | Any TLS                    | TLS_RSA_WITH_AES_256_CBC_SHA,
                 |                            | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
                 |                            | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
                 |                            | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,
                 |                            | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
                 |                            | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
                 |                            | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,
                 |                            | TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Random           | SHA1PRNG                   | FIPS186PRNG

2 Install the unlimited strength policy files


To install the unlimited strength policy files

BMC Atrium Single Sign-On uses Oracle JVM version 1.7.0_03. By default, this JVM is installed with strong encryption policy files that allow only limited strength settings for encryption algorithms. These limitations prevent BMC Atrium Single Sign-On from running in FIPS-140 mode. To overcome this limitation, the Unlimited Strength Jurisdiction Policy Files must be downloaded from Oracle and installed into the BMC Atrium Single Sign-On JVM.

Warning BMC Atrium Single Sign-On and all integrated products must be shut down before installing the unlimited strength policy files. BMC Atrium Single Sign-On cannot be in use during the conversion to FIPS-140 mode. If possible, a firewall should be employed to block all remote access to the server.

1. Shut down all BMC Atrium Single Sign-On integrated products.

2. Stop BMC Atrium Single Sign-On.

3. If you have not done so already, download the archive that contains the unlimited strength policy files from the following URL: http://java.sun.com/javase/downloads/index.jsp.

4. Extract the contents of the files.

5. Make a backup copy of the currently installed strong strength policy files.

6. Copy the unlimited strength policy files into the BMC Atrium Single Sign-On JVM.

JVM location

The JVM is located in the following default location:

(Microsoft Windows) C:\Program Files\BMC Software\AtriumSSO\jdk\jre\lib\security
(UNIX) /opt/bmc/AtriumSSO/jdk/jre/lib/security

If BMC Atrium Single Sign-On has been installed in a non-default location, the location of the JVM can be determined by using the following pattern:

(Windows) <installationDirectory>\AtriumSSO\jdk\jre\lib\security
(UNIX) <installationDirectory>/AtriumSSO/jdk/jre/lib/security

In this case, installationDirectory is the base directory selected during the server installation. For BMC Atrium Single Sign-On servers using an external Tomcat server, the location of the JVM was determined by the administrator that configured the Tomcat server. Regardless of the JVM location, the following templates indicate the correct location:

(Windows) <jdkDirectory>\jre\lib\security
(UNIX) <jdkDirectory>/jre/lib/security

In this case, jdkDirectory is the base directory of the JDK used to run BMC Atrium Single Sign-On.


3 Install the cryptography library

To install the cryptography library

For cryptographic functions in normal mode, BMC Atrium Single Sign-On uses the JVM and a version of the RSA CryptoJ library that is not certified for FIPS-140 operation. However, when placed into FIPS-140 mode, the server reconfigures the JVM to use the RSA CryptoJ provider as the primary provider, and the server's cryptography needs are then served exclusively by this provider. For the server to start in FIPS-140 mode successfully, the FIPS-140 certified version of the RSA CryptoJ library must be installed into the JVM, replacing the uncertified version. The versions of the library can be externally identified by the names of the libraries: the normal mode library is cryptoj.jar, and the FIPS-140 mode libraries are cryptojce.jar, cryptojcommon.jar, and jcmFIPS.jar.

Note Contact BMC Software support for instructions on accessing the FIPS-140 version of the library.

1. Make a backup copy of the cryptoj.jar file. You might need it to restore BMC Atrium Single Sign-On to normal encryption mode.

2. Copy the FIPS-140 mode libraries (cryptojce.jar, cryptojcommon.jar, and jcmFIPS.jar) onto the file system of the computer hosting BMC Atrium Single Sign-On.

3. Copy the FIPS-140 mode libraries (cryptojce.jar, cryptojcommon.jar, and jcmFIPS.jar) to the server's JVM library directory.

4. Remove the cryptoj.jar file.

Note This is an important step to prevent a collision of the two libraries.

JVM library file location

The JVM library is located in the following default location:

(Microsoft Windows) C:\Program Files\BMC Software\AtriumSSO\jdk\jre\lib\ext
(UNIX) /opt/bmc/AtriumSSO/jdk/jre/lib/ext

If the BMC Atrium Single Sign-On server has been installed in a non-default location, determine the location of the JVM library using the following pattern:

(Windows) <installationDirectory>\AtriumSSO\jdk\jre\lib\ext
(UNIX) <installationDirectory>/AtriumSSO/jdk/jre/lib/ext

In this case, installationDirectory is the base directory selected during the server installation. For BMC Atrium Single Sign-On servers utilizing an external Tomcat server, the location of the JVM was determined by the administrator that configured the Tomcat server. Regardless of the JVM location, the following templates indicate the correct location:

(Windows) <jdkDirectory>\jre\lib\ext
(UNIX) <jdkDirectory>/jre/lib/ext

4 Enable FIPS-140 mode

To enable FIPS-140 mode

After restarting BMC Atrium Single Sign-On with the required JVM modifications in place, the server's configuration can be updated to trigger the change of cryptography. Before performing this next step, be sure that the following JVM modifications have been performed:

Unlimited strength policy files are installed.
The cryptojce.jar, cryptojcommon.jar, and jcmFIPS.jar library files are installed in the library directory.
The cryptoj.jar library file has been removed from the library directory.

1. (Optional) Update your network ciphers if desired. See Changing FIPS-140 network ciphers (see page 257).

2. Restart BMC Atrium Single Sign-On.

3. Log on to the BMC Atrium Single Sign-On administrator console.

4. Click Edit Server Configuration.

5. Select Enable FIPS-140.

6. Click Save.

Warning After the configuration has been successfully saved, the conversion process starts. This process cannot be interrupted. Do not stop BMC Atrium Single Sign-On, log on with another Administrator console, log off the current Administrator console, or initiate any other interactions with the server.

This process takes approximately 10 to 20 seconds, depending upon the computer hardware. Be sure that the background task validation process posts a successful conversion message before proceeding to the next step.

7. Monitor the log files for the completion of the cryptography conversion. For more information on how to monitor the conversion, see Monitoring FIPS-140 and normal mode conversions (see page 256).

8. After the conversion process completes, stop and start the server.

9. Verify that the server is properly operating in FIPS-140 mode by viewing the BMC Atrium Single Sign-On log file (for example, atsso.0.log).

10. Reconfigure all integrated products to operate in FIPS-140 mode.

Note All products which were configured with BMC Atrium Single Sign-On prior to conversion to FIPS-140 mode must be reconfigured to operate in FIPS-140 compliant mode. These integrated products cannot use BMC Atrium Single Sign-On for authentication until they are synchronized with BMC Atrium Single Sign-On.

10.3.2 Monitoring FIPS-140 and normal mode conversions

The conversion task communicates through the BMC Atrium Single Sign-On log file (for example, atsso.0.log). The log file contains messages to signify the start of the conversion, any errors, and the completion of the process. See Managing BMC Atrium Single Sign-On logging (see page 284).

Conversion to FIPS-140 mode messages (see page 256)
Conversion to normal mode messages (see page 257)

Using the default installation locations as an example, the log file is located at:

(Microsoft Windows) C:\Program Files\BMC Software\AtriumSSO\tomcat\temp
(UNIX) /opt/bmc/AtriumSSO/tomcat/conf

Conversion to FIPS-140 mode messages Before starting the conversion, the background task validates that the JVM has been correctly modified and is capable of running in FIPS-140 mode. If the JVM test fails, the task logs an error message indicating the JVM inadequacies and the conversion aborts. In addition, when BMC Atrium Single Sign-On is installed on an external Tomcat server, the background task verifies that the required Tomcat server and JVM configuration files exist. When starting the conversion to FIPS-140 mode, the initial message displayed is:

BMCSSG1599I=Switching Atrium SSO server to FIPS-140 mode

When the conversion process successfully finishes, it posts this message:

BMCSSG1601I=Switch of Atrium SSO server to FIPS-140 mode completed

After saving the configuration change, the conversion process alters the encrypted data within the server. Until the process completes, BMC recommends that you monitor the security page in case the process fails.


Conversion to normal mode messages When starting the conversion from FIPS-140 mode to normal mode, the initial message displayed is:

BMCSSG1598I=Switching Atrium SSO server to normal mode (not FIPS-140 mode)

When the conversion process successfully finishes, it posts this message:

BMCSSG1600E=Switch of Atrium SSO server to normal mode completed

10.3.3 Changing FIPS-140 network ciphers

The network ciphers can be updated if stronger protection for communication is desired. Although the network ciphers are independent of FIPS-140 mode, both the unlimited strength policy files and the cryptography library are required to modify the network ciphers. The following topics provide information and instructions for changing FIPS-140 network ciphers:

Default location for the server.xml file (see page 257)
To modify the server.xml file (see page 257)
Multiple ciphers example (see page 257)
Single cipher example (see page 258)

Default location for the server.xml file

The ciphers that the Transport Layer Security (TLS) protocol uses can be adjusted by editing the BMC Atrium Single Sign-On server.xml file. This file is located at the following default locations:

(Microsoft Windows) C:\Program Files\BMC Software\AtriumSSO\tomcat\conf
(UNIX) /opt/bmc/AtriumSSO/tomcat/conf

To modify the server.xml file

1. Make a backup copy of the server.xml file.

2. Open the server.xml file in your favorite text editor.

3. Search for the Connector tag with the attribute scheme="https".

4. Modify the cipher attribute by adding or removing items.

Multiple ciphers example In the following example, the FIPS-140 version of the server.xml file has multiple ciphers:



Single cipher example

In the following example, the FIPS-140 version of the server.xml file has a single cipher (TLS_RSA_WITH_3DES_EDE_CBC_SHA).



10.3.4 Converting from FIPS-140 to normal mode

Converting BMC Atrium Single Sign-On to operate in normal mode (that is, without FIPS-140 cryptography) is the same process as converting the server to FIPS-140 mode, except that the Java Virtual Machine (JVM) does not need to be modified before triggering the conversion.

Note: Create a backup of the current server in case of a failure (hardware or software). If the server's configuration becomes corrupted, you can use the backup to restore the original configuration. While converting from FIPS-140 to normal mode, be sure to monitor the conversion. See Monitoring FIPS-140 and normal mode conversions (see page 256).


To convert to normal mode

1. Shut down all integrated products. If possible, use a firewall to block external access to BMC Atrium Single Sign-On.
2. Log on to the BMC Atrium Single Sign-On administrator console.
3. On the BMC Atrium SSO Admin Console, click Edit Server Configuration.
4. De-select FIPS Mode.
5. Click Save.

   Warning: Once the configuration has been successfully saved, the conversion process is triggered in the background. This process cannot be interrupted. Do not stop BMC Atrium Single Sign-On, log on with another Administrator console, log off the current Administrator console, or initiate any other interactions with the server.

   This process usually takes around 10 to 20 seconds, depending upon the computer hardware.

6. Ensure that a successful conversion message is posted.

   Important: Be sure that the background task validation process posts a successful conversion message before restoring the original encryption files and non-FIPS-140 library.

7. Restore the original encryption files and non-FIPS-140 library.
   a. Stop the BMC Atrium Single Sign-On server.
   b. Restore the strong encryption file.
   c. Restore the non-FIPS library.
   d. Restart BMC Atrium Single Sign-On.
   e. Verify that the server is properly operating in normal mode by viewing the BMC Atrium Single Sign-On log file (for example, atsso.0.log).
8. Reconfigure integrated products to operate in normal mode.

Note: All integrated products must be reconfigured to operate in normal mode. These integrated products cannot use BMC Atrium Single Sign-On for authentication until they are synchronized with BMC Atrium Single Sign-On.


10.4 Using an external LDAP user store

This topic describes the process and options available to a BMC Atrium Single Sign-On administrator when using an external Lightweight Directory Access Protocol (LDAP) server to provide group and attribute values for authenticated users. Users and groups cannot be managed from the BMC Atrium Single Sign-On server because the LDAP server access is read-only. Configuring an external user store is primarily needed when access to group membership information is required. The LDAP authentication module can be used to retrieve user attributes without configuring an external user store. For more information, see Using LDAP (Active Directory) for authentication.


An external LDAP server is used to augment the information available to BMC products. For more information about the configuration options available with the LDAP user store, see the OpenAM documentation.

10.4.1 To create an external LDAP user store

1. Log on to the BMC Atrium SSO Admin Console.
2. Click Edit BMC Realm.
3. On the User Store panel, click Add and select LDAPv3 User Store.
4. On the General tab, provide the LDAP server configuration parameters.
5. On the Search tab, provide the user and group attributes used for searching.
6. Click Save.

10.4.2 To modify an existing external LDAP user store

1. Log on to the BMC Atrium SSO Admin Console.
2. Click Edit BMC Realm.
3. On the User Store panel, select the LDAPv3 user store and click Edit.
4. On the General tab, modify your LDAP server configuration parameters.
5. On the Search tab, modify your user and group attributes used for searching.
6. Click Save.

Note: The BMC Atrium Single Sign-On server does not need to be rebooted after altering the configuration. After the alterations are committed, the changes go into effect immediately.

10.4.3 LDAPv3 User Store parameters

The LDAPv3 user store uses Active Directory as the user store type. The General tab contains parameters for the LDAP server configuration. The Search tab contains parameters to search for user and group attributes.

10.4.4 General tab

The parameters are listed by field, with the parameter name followed by its description.

LDAP Server
  Name: (Required) Enter the host's Fully Qualified Domain Name (FQDN) for the primary LDAP server.
  Port: If the LDAP server is not listening on the default port (389), specify the port number.
  Use SSL: (Optional) Enable SSL to connect to the LDAP servers. Before enabling SSL:
    - The certificates for the LDAP servers (primary and secondary) must be imported into the JVM truststore and the BMC Atrium Single Sign-On Tomcat truststore. For more information on importing certificates into the BMC Atrium Single Sign-On truststore, see Importing a certificate into the truststore (see page 243).
    - If client authentication is required, the BMC Atrium Single Sign-On server's certificate might need to be imported into the LDAP server's truststore.
    - Restart the Tomcat server.
    For more information about CA certificates, see Managing keystores with a keytool utility (see page 239).

User Account for Search
  Distinguished Name, Password, Confirm Password: (Required) The Distinguished Name (DN) is the login name that is used to connect to the LDAP server. This root user must have privileges to perform searches on the primary and secondary LDAP servers. Enter the DN for the root user, the password, and the password confirmation.

Connection Pool
  Minimum Size, Maximum Size: The connection pool attributes adjust the performance of BMC Atrium Single Sign-On and the load on the LDAP server. Before modifying the default values, BMC recommends that you complete performance timings to determine appropriate values.

Attribute Mapping
  External Attribute, Atrium SSO Attribute: Attribute Mapping is used to take user attributes (such as email and phone number) from the external data store and map them to the attributes used within the BMC Atrium Single Sign-On system. A mapping is defined by entering the name of the External Attribute, selecting from the drop-down the Atrium SSO Attribute to which the external attribute maps, and clicking Add to put the new mapping into the table.

10.4.5 Search tab

The parameters are listed by field, with the parameter name followed by its description.

Search Base DN: Starting location within the LDAP directory for performing user and group searches. The search DNs should be as specific as possible for performance reasons. The depth of the search that is performed can be configured. If an object search is specified, then the DN should be the DN of the node containing the users.
Search Timeout (seconds): Number of seconds the search is performed before it times out.
Max Search Results: Maximum number of results that are returned.

Users
  Search Attribute: User attribute on which to perform the search.
  Search Filter: Specifies the filter for user searches. If the specified default class is not used by user entries in the server, then searches fail. For example, (objectclass=person).
  Attribute Name for Group: Specifies the attribute of the user that identifies the group to which the user belongs. For example, memberOf.

Users Status
  Status Attribute: Attribute that indicates the user status. For example, userAccountControl.
  Active Value: Identifies the value of the attribute when the account is active.
  Inactive Value: Identifies the value of the attribute when the account is inactive.

Users - Container
  People Container Attribute: Defines the LDAP attribute used to distinguish the container holding the people.
  Attribute Value: Specifies the value for that LDAP attribute. If people are not within a container (relative to the group), then these values should be blank.

Groups
  Search Attribute: Contains the name of the attribute that holds the name of the group. This attribute value is used in searches for user groups.
  Search Filter: Be sure to validate that the LDAP Groups Search Filter is correct for the LDAP server. If the class specified is not applicable, update the filter with the correct objectclass name. For example, (objectclass=group).
  Attribute Name for User: The attribute name of a group within the LDAP system that contains the names of the users that belong to the group.

Groups Container
  Container Attribute: Defines the LDAP attribute used to distinguish the container holding the groups.
  Attribute Value: Specifies the value for the LDAP Groups Container attribute. If groups are not within a container (relative to the user), then these values should be blank.

Caching
  Max Age (seconds): The maximum time that a cached value will continue to be used before the cached value is updated from the external LDAP server.
  Cache Size (bytes): The number of bytes of memory that will be used to hold cached search items from the external LDAP server.
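Added example (Python, not BMC or OpenAM code) of how the Search tab fields combine into the directory queries the user store issues: the user Search Filter ANDed with a Search Attribute match for the login ID, the group search over the Groups Attribute Name for User, the People/Groups Container values turned into a base DN, and the Users Status Active/Inactive check. The user Search Attribute (sAMAccountName), the group attributes (cn, member) and the status values 512/514 are assumptions or constructed samples; the escaping follows RFC 4515 for filter values and RFC 4514 for DN values, so a login ID containing filter or DN metacharacters cannot rewrite the administrator's configured search.

```python
"""Compose the LDAP queries implied by the LDAPv3 User Store Search tab.

Added example, not BMC or OpenAM code. The user Search Attribute
(sAMAccountName), group attributes (cn, member) and the Active/Inactive
values (512/514) are assumptions or constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class SearchTab:
    """Search tab fields, using the page's example values as defaults."""
    search_base_dn: str
    users_search_attribute: str = "sAMAccountName"        # assumed
    users_search_filter: str = "(objectclass=person)"
    status_attribute: str = "userAccountControl"
    active_value: str = "512"                             # constructed sample
    inactive_value: str = "514"                           # constructed sample
    people_container_attribute: str = ""                  # blank: search from the base DN
    people_container_value: str = ""
    users_attribute_name_for_group: str = "memberOf"
    groups_search_attribute: str = "cn"                   # assumed
    groups_search_filter: str = "(objectclass=group)"
    groups_container_attribute: str = ""
    groups_container_value: str = ""
    groups_attribute_name_for_user: str = "member"        # assumed


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter.

    Without it an ID such as  b*)(cn=*  would change the configured filter
    instead of being matched literally.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value inside a DN.

    Covers the comma, semicolon and plus sign the console requires a
    backslash for (Baldwin\\,bob) plus the other characters the RFC lists.
    """
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and i in (0, last):       # leading or trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:               # leading hash
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def _container_dn(attr: str, value: str, base_dn: str) -> str:
    # Blank container attribute/value means "search from the base DN itself".
    if not attr or not value:
        return base_dn
    return f"{attr}={escape_dn_value(value)},{base_dn}"


def user_search(tab: SearchTab, user_id: str) -> Tuple[str, str]:
    """Base DN and filter locating one user: the Search Filter ANDed with an
    equality test on the Search Attribute for the (escaped) login ID."""
    base = _container_dn(tab.people_container_attribute, tab.people_container_value, tab.search_base_dn)
    flt = f"(&{tab.users_search_filter}({tab.users_search_attribute}={escape_filter_value(user_id)}))"
    return base, flt


def group_search(tab: SearchTab, user_dn: str) -> Tuple[str, str]:
    """Base DN and filter listing the groups whose member attribute names user_dn."""
    base = _container_dn(tab.groups_container_attribute, tab.groups_container_value, tab.search_base_dn)
    flt = f"(&{tab.groups_search_filter}({tab.groups_attribute_name_for_user}={escape_filter_value(user_dn)}))"
    return base, flt


def is_active(tab: SearchTab, entry: Dict[str, List[str]]) -> bool:
    """Apply the Users Status rule to one entry (attribute -> list of values).

    Fails closed: a missing status attribute, or a value that is neither the
    configured Active nor Inactive value, does not count as active.
    """
    values = entry.get(tab.status_attribute, [])
    if tab.inactive_value in values:
        return False
    return tab.active_value in values
```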

11 Administering

The following topics provide information and instructions for administering BMC Atrium Single Sign-On:

Managing users (see page 264)
Managing user groups (see page 268)
Managing authentication modules (see page 271)
Managing nodes in a cluster (see page 273)
Managing agents (see page 275)
Managing the server configuration (see page 276)
Stopping and restarting the BMC Atrium Single Sign-On server (see page 279)

11.1 Managing users

BMC Atrium Single Sign-On provides basic user and group management features with the internal LDAP server. These features allow an administrator to manage users, groups, and memberships in the groups. From the User tab, the administrator can create, delete, and manage user account information including group memberships. From the Groups tab, the administrator can manage group memberships. BMC Atrium Single Sign-On is configured to use an internal LDAP for user authentication (default). While not recommended for large-scale deployments, the internal database can be used for small deployments, demonstrations, and other Proof-Of-Concept (POC) work. For larger deployments, BMC recommends that you use an external authentication server, such as another LDAP server.

To access the User page (see page 265)
To add a new user (see page 265)
To search for users (see page 266)
To delete users (see page 266)
To modify user information (see page 266)
To enable or disable a user account (see page 266)
To add a group membership to a user account (see page 267)
To remove a group membership from a user account (see page 267)
To view user sessions (see page 267)
To terminate an active user session (see page 268)

11.1.1 To access the User page

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the User tab.

New users can only be created when you are using the internal LDAP server for authentication. If an external source is used for authentication, new users must be created within that external system.

Note: If special characters, such as comma ( , ), semi-colon ( ; ), or plus sign ( + ), are used in the user ID, the backslash ( \ ) must precede the special character. For example, Baldwin\,bob.

When creating a new user, each field that is marked with an asterisk is a required field.

11.1.2 To add a new user

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the User tab.
3. Click New.
4. In the ID field, enter a unique identifier for the new user. This value is used as the user ID when the user logs in.
5. Enter the user's last name and full name.
6. Enter the password and confirm this password.
7. In the Status field, verify that the Active radio button is selected (default).
8. Click Save.

The name attributes (First, Full, and Last) can be provided to BMC products to help identify user accounts by using terms that are more user-friendly. The actual use of these attributes, though, is dependent on the BMC product.


11.1.3 To search for users

If the number of users in the Available list is too large to find the user that you want to modify, use the search function. The asterisk (*) returns all user accounts. Enter part of the user ID to refine the user account list. For example, the pattern "b*" returns users starting with the letter "b" (case-insensitive), such as "bob" and "Baldwin".

11.1.4 To delete users

User accounts can only be deleted if BMC Atrium Single Sign-On is using the internal LDAP server for user authentication needs.

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the User tab.
3. Select the check box next to each user account in the User list that should be deleted.
4. Click Delete.
5. Click Ok.

11.1.5 To modify user information

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the User tab.
3. Select the user link that you want to modify.
4. Click Edit.
5. Modify the user's information.
6. Click Save.

11.1.6 To enable or disable a user account

The user account can be enabled or disabled by changing the user status.

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the User tab.
3. Select the user that you want to modify.
4. In the Status field, click Active to enable or Inactive to disable a user account.

Note: When a user account is disabled, the user cannot authenticate, but none of the user attributes, such as group memberships, are lost. A user loses group memberships when the user account is deleted.


11.1.7 To add a group membership to a user account

A user is added to a group from the Group tab; the Group tab can also be accessed from the User Editor pop-up.

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the User tab.
3. Select the user that you want to modify.
4. Select the Group tab.
5. Select a group from the Available Groups list.
6. Click Add. Alternatively, click Add All to add all of the available groups to the user account.
7. Click Save.

Important: Be selective when adding users to a group, such as the Predefined groups, so that elevated privileges are not accidentally assigned to a user. For example, BmcSearchAdmin has privileges to perform searches and BmcAgents has privileges to read configuration information.

11.1.8 To remove a group membership from a user account

A user is removed from a group from the Group tab; the Group tab can also be accessed from the User Editor pop-up.

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the User tab.
3. Select the user that you want to modify.
4. Select the Group tab.
5. Select a group from the Member of list.
6. Click Remove. Alternatively, click Remove All to remove all of the groups from the user account.
7. Click Save.

11.1.9 To view user sessions

1. Log on to the BMC Atrium SSO Admin Console.
2. See the Sessions panel.

Note: The Sessions panel displays the sessions that are in the memory of the server. A session is replicated across the nodes of the HA cluster when the load balancer selects a node other than the login node to validate the session (for example, when the AR System server validates the SSO session as the mid tier is accessed). A single session may therefore be shown multiple times, which confirms that the session has been replicated to the additional nodes. The sessions retrieved from the server are displayed in pages. You may not be able to view all the sessions that are in memory at one time because of the maximum limit set for the Sessions table. This limit does not restrict the number of sessions that the server supports; it restricts only the number of sessions that you can view in the Sessions table. To view a specific session that is not shown because of the maximum limit, filter the sessions based on your requirements.

11.1.10 To terminate an active user session

1. Log on to the BMC Atrium SSO Admin Console.
2. In the Sessions panel, select the check box associated with the user session that you want to terminate.
3. Click Invalidate Session.

Important: Care should be exercised not to accidentally terminate the session that is used to access the console or the sessions that are used by BMC agents. These agent sessions use the following naming convention: @: or @. Terminating these sessions will, at best, close the console the administrator is using or, at worst, prevent users from accessing the BMC products that the agent is protecting.

11.2 Managing user groups

BMC products can use the group membership capabilities of the BMC Atrium Single Sign-On system to provide authorization of users as well as authentication. If a BMC product does use the group memberships of the BMC Atrium Single Sign-On system, then that product's documentation must be consulted to determine the mapping of groups to privileges.

To access the Group page (see page 269)
To create a new group (see page 269)
To delete a group (see page 269)
To assign a group membership (see page 270)
To remove users from a group (see page 270)

11.2.1 To access the Group page

BMC Atrium Single Sign-On provides predefined groups to help with the Administrator privileges that some BMC products might require. For example, the BmcSearchAdmin group provides privileges that allow a user to connect to the server to perform identity searches.

Note: Care should be exercised when assigning this group, as these elevated privileges allow greater access to BMC Atrium Single Sign-On than is normally provided.

11.2.2 To create a new group

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the Groups tab.
3. Click Add.
4. Enter a new, unique name for the group.
5. From the Available Users list, select a user and click Add. Alternatively, click Add All to add all of the users to the group.
6. Click Save.

Normally, BMC products install the groups that they need managed into BMC Atrium Single Sign-On as part of their installation. However, a situation might arise in which a group might need to be created (or re-created).

11.2.3 To delete a group

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the Groups tab.
3. Select the check box for the group that you want to delete.
4. Click Delete.

If too many groups are visible within the Group list to efficiently find the groups that you want to delete, use the search function to filter out undesired groups. For example, by changing the search filter to "D", the group IDs that start with the letter "d" (case-insensitive) are displayed.


When you delete a group, the group is removed from BMC Atrium Single Sign-On. Users that are members of the group also have their group membership removed.

Important: Deleting groups that have been installed by other BMC products is not recommended. Doing so might cause the product to malfunction or block access to the product itself.

11.2.4 To assign a group membership

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the Groups tab.
3. Select a group name.
4. Select a user from the Available Users list.
5. Click Add. The user is added to the Members list. Alternatively, click Add All to add all of the users to the group.
6. Click Save.

Multiple users can be assigned to a group from the Group page. The membership change is immediately put into effect.

Important: Care should be exercised when adding users to a group, such as the Predefined groups, so that elevated privileges are not accidentally assigned to a user. For example, BmcSearchAdmin has privileges to perform searches and BmcAgents has privileges to read configuration information.

11.2.5 To remove users from a group

Users can be removed from a group from the Group page.

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the Groups tab.
3. Select the group name.
4. Select a user from the Members list and click Remove. Alternatively, click Remove All to remove all of the users from the group.
5. Click Save.

The membership change is immediately put into effect.


11.3 Managing authentication modules

The basic building block of authentication in BMC Atrium Single Sign-On is the authentication module. These modules specify the type of authentication (LDAP, RSA SecurID, and so on) as well as deployment-specific values such as host names and port numbers.

To manage authentication modules (see page 271)
To create a new module (see page 271)
To edit a module (see page 271)
To delete a module (see page 272)
To change the criteria for a module (see page 272)
To reorder the modules in a chain (see page 272)

11.3.1 To manage authentication modules

Module instances can be created, edited, and deleted from the Realm Authentication panel. The Realm Authentication panel is on the Main tab of the realm.

Add allows you to create a new module instance.
Edit allows you to modify the module instance parameters.
Delete allows you to remove the selected module instance.
Up and Down allow you to re-order a module instance in the authentication chain.

11.3.2 To create a new module

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Click Add.
3. Select the type of new module instance.
4. Type a unique name for the module instance. The name should be composed of alphanumeric characters and a few punctuation characters such as the underscore, but no spaces, commas, or ampersands.
5. Provide the module parameters.
6. Click Save.
7. If you want to change the module configuration, edit the module. The module's configuration must be edited before it can be used within an authentication chain.

11.3.3 To edit a module

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the module instance check box.
3. Click Edit. A pop-up is launched that allows you to configure module attributes.

Note: See the sections on configuring that particular type of module. For example, Using LDAP (Active Directory) for authentication.

11.3.4 To delete a module

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the module instance check box.
3. Click Delete.

11.3.5 To change the criteria for a module

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. On the Flag option for the module, select a new criterion from the drop-down menu.

The criteria for a module alter the authentication status of the chain. The criteria categories are Required, Requisite, Sufficient, and Optional.

Required — This module must authenticate the user. Regardless of pass or fail, processing of the chain continues.
Requisite — This module must authenticate the user. When authentication fails, processing of the chain aborts.
Sufficient — This module might authenticate the user. If authentication passes, processing of the chain stops; otherwise processing continues.
Optional — This module might authenticate the user. Processing continues regardless of success or failure.

The overall status is successful if all of the Required and Requisite modules pass before either the end of the chain or the first successful Sufficient module. When there are no Required or Requisite modules, at least one Sufficient or Optional module must authenticate the user.
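The four criteria applied to a concrete chain, as an added example (Python, not OpenAM's or BMC's implementation): evaluate_chain runs the module instances in order and returns the overall status together with a trace showing where a failing Requisite aborted the chain or a passing Sufficient stopped it. The LDAP and SecurID modules are stand-ins backed by constructed sample data; the module names and flags follow the text above.

```python
"""Evaluate an authentication chain under the Required / Requisite /
Sufficient / Optional criteria described for the module Flag option.

Added example, not BMC or OpenAM code. The directory and token data are
constructed samples standing in for the real LDAP and RSA SecurID modules.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "Required", "Requisite", "Sufficient", "Optional"

Credentials = Dict[str, str]


@dataclass
class ModuleInstance:
    name: str
    flag: str
    authenticate: Callable[[Credentials], bool]   # the module's own pass/fail verdict


def evaluate_chain(chain: List[ModuleInstance], creds: Credentials) -> Tuple[bool, List[str]]:
    """Return (overall status, trace of the modules actually run).

    Required and Requisite must pass; Requisite aborts the chain on failure;
    a passing Sufficient stops the chain; Optional never decides on its own;
    with no Required/Requisite module, at least one Sufficient or Optional
    module must pass.
    """
    trace: List[str] = []
    mandatory_seen = mandatory_failed = optional_passed = False
    for module in chain:
        passed = module.authenticate(creds)
        trace.append(f"{module.name}:{'pass' if passed else 'fail'}")
        if module.flag == REQUIRED:
            mandatory_seen = True
            mandatory_failed = mandatory_failed or not passed   # processing continues either way
        elif module.flag == REQUISITE:
            mandatory_seen = True
            if not passed:
                return False, trace                             # chain aborts here
        elif module.flag == SUFFICIENT:
            if passed:
                # Chain stops here; success only if every mandatory module so far passed.
                return not mandatory_failed, trace
        elif module.flag == OPTIONAL:
            optional_passed = optional_passed or passed
        else:
            raise ValueError(f"unknown criteria flag {module.flag!r} on {module.name}")
    if mandatory_seen:
        return not mandatory_failed, trace
    return optional_passed, trace


# --- constructed sample modules (stand-ins, not real directory or token checks) ---
_DIRECTORY = {"bob": "s3cret-Pa55"}        # stands in for the LDAP user store
_TOKEN_CODES = {"bob": "482913"}           # stands in for an RSA SecurID passcode check


def _match(expected, supplied) -> bool:
    # Constant-time comparison; None on either side is simply a failed match.
    return expected is not None and supplied is not None and hmac.compare_digest(expected, supplied)


def ldap_module(creds: Credentials) -> bool:
    return _match(_DIRECTORY.get(creds.get("user", "")), creds.get("password"))


def securid_module(creds: Credentials) -> bool:
    return _match(_TOKEN_CODES.get(creds.get("user", "")), creds.get("passcode"))


def never_module(creds: Credentials) -> bool:
    return False


if __name__ == "__main__":
    chain = [ModuleInstance("LDAP", REQUIRED, ldap_module),
             ModuleInstance("SecurID", SUFFICIENT, securid_module),
             ModuleInstance("Fallback", OPTIONAL, never_module)]
    print(evaluate_chain(chain, {"user": "bob", "password": "s3cret-Pa55", "passcode": "482913"}))
```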

11.3.6 To reorder the modules in a chain

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the module instance that you want to move.
3. Click Up or Down to change the order in which the module instances are processed.


11.4 Managing nodes in a cluster

You can manage the nodes in a cluster by modifying the server configuration on each node or by deleting a node.

To modify the server configuration on a node (see page 273)
To delete a node from the cluster (see page 273)

The following topics provide additional information and instructions for managing nodes in a cluster:

Resynchronizing nodes in a cluster
Starting nodes in a cluster (see page 274)
Stopping nodes in a cluster (see page 274)

11.4.1 To modify the server configuration on a node

1. On the BMC Atrium SSO Admin Console, click HA Node Console.
2. Select the node that you want to modify.
3. Click Edit and modify the server parameters.
4. Click Save.

11.4.2 To delete a node from the cluster

Removing a node from a cluster deletes the node permanently from the cluster. When a node cannot be brought back online, the node must be removed from the cluster configuration. For example, a node cannot be brought back online when there is a complete hardware failure.

1. On the BMC Atrium SSO Admin Console, click HA Node Details.
2. Select the node that you want to remove.
3. Click Delete.
4. When prompted with "Delete selected nodes?", click OK.

11.4.3 Resynchronizing nodes in a cluster

When a node is unable to join a cluster, the information within the node becomes stale and out-of-sync with the other nodes of the cluster. In this circumstance, the node must be brought up-to-date with the cluster before it can participate.

To resynchronize a node in a cluster

1. Block access at the load balancer.
2. Execute the dsreplication utility from the command line:

   dsreplication initialize -baseDN "dc=opensso,dc=java,dc=net" -adminUID -adminPassword -hostSource -portSource -hostDestination -portDestination -n

   The dsreplication utility is in the following location:
   (Microsoft Windows) \tomcat\webapps\atriumsso\WEB-INF\config\opends\bat
   (UNIX) /tomcat/webapps/atriumsso/WEB-INF/config/opends/bin

3. Select menu option 3.
4. Stop and start the node.
5. Restore the load balancer.

11.4.4 Starting nodes in a cluster

This topic provides instructions for starting nodes in a cluster.

To start a Microsoft Windows node in a cluster

1. Block access at the load balancer.
2. To start the BMC Atrium Single Sign-On server, use the Windows Services Control Panel. You can start nodes in any order.
3. Restore the load balancer.

To start a UNIX node in a cluster

1. Block access at the load balancer.
2. Execute the following command from the command line (you can start nodes in any order):

   startup-tomcat.sh

3. Restore the load balancer.

11.4.5 Stopping nodes in a cluster

This topic provides instructions for stopping nodes in a cluster.

To stop a Microsoft Windows node in a cluster

1. Block access at the load balancer.
2. To stop the BMC Atrium Single Sign-On server, use the Windows Services Control Panel. You can stop nodes in any order.
3. Restore the load balancer.

To stop a UNIX node in a cluster

1. Block access at the load balancer.
2. Execute the following command from the command line (you can stop nodes in any order):

   shutdown-tomcat.sh

3. Restore the load balancer.

11.5 Managing agents

BMC Atrium Single Sign-On allows you to edit and delete agents from the Agent Manager. The names for the agent and user are based on the host name and port of the URL for the BMC product server where the agent resides. This name uses the following template: BMCJEE@: or @.

host is the FQDN of the host.
port is the main port number.
uri is the URI of the application.

11.5.1 To edit an agent account

For information about the Agent Manager and the agent parameters that can be modified, see Agent manager.

1. On the BMC Atrium SSO Admin Console, click Agent Details.
2. Select the agent that you want to edit.
3. Click Edit.
4. Modify the parameters and click Save.

11.5.2 To delete an agent account

If a product has become unusable and the uninstall utility can no longer be used to perform an orderly cleanup and de-integration with BMC Atrium Single Sign-On, you might need to perform a manual cleanup.

Note: If all products within the JEE server no longer need authentication, or you want to permanently block access from the JEE server, deleting the agent accounts effectively terminates access by the agent. To do so, both the J2EE agent and the user must be deleted from the root realm.

1. On the BMC Atrium SSO Admin Console, click Agent Details.
2. Select the J2EE agent that you want to delete.
3. Click Delete.
4. On the BMC Atrium SSO Admin Console, select the user session that has the same name as the J2EE agent (if one exists).
5. Click Invalidate Selected.


11.6 Managing the server configuration

BMC Atrium Single Sign-On server parameters can be modified or enabled, including the server session, cookie name and domain, the password for accessing the server, the FQDN, the logging level, FIPS-140 enablement, and Online Certificate Status Protocol (OCSP) enablement for CAC.

To modify the server configuration (see page 276)
Server configuration parameters (see page 276)
Server Configuration Editor parameters (see page 276)
HTTP Only and HTTPS Only (see page 277)
Session parameter defaults (see page 278)

11.6.1 To modify the server configuration

1. On the BMC Atrium SSO Admin Console, click Edit Server Configuration.
2. Modify the BMC Atrium Single Sign-On server parameters.
3. Click Save.

Committed changes take effect immediately. A server restart is not necessary.

11.6.2 Server configuration parameters

The Server Configuration Editor provides the parameters that must be updated when you install or configure the BMC Atrium Single Sign-On server. The following topics are provided:

Server Configuration Editor parameters
HTTP Only and HTTPS Only

11.6.3 Server Configuration Editor parameters Field

Parameters

Description

Cookies

Cookie Name

The cookie name is automatically created at install time for the BMC Atrium Single Sign-On server. It is generated based upon the FQDN of the Atrium BMC Atrium Single Sign-On host.

Cookie Domain

The default cookie domain value is the network domain of the computer you are installing the server on. The default cookie domain specifies the most restrictive access. This value is used to control cookie visibility between servers within the domain. For more information about the default cookie domain, see Default cookie domain.

HTTP Only

Select the HTTP Only check box to mark the BMC Atrium Single Sign-On cookie to prevent non-HTTP APIs such as, JavaScript from accessing the cookie. For more information about HTTP Only parameter, see HTTP Only and HTTPS Only (see page 277) .

HTTPS Only

Select the HTTPS Only check box to mark the cookie with the Secure option, which ensures that the cookie is transmitted over only HTTPS connections from the browser to the server. For more information about the HTTPS Only parameter, see HTTP Only and HTTPS Only (see page 277).


Field: amAdmin

Password & Confirm Password: The password for accessing the BMC Atrium Single Sign-On server.

External URL: FQDN for the BMC Atrium Single Sign-On server.

Logging Level: The logging level options are Off, Error, Warning, and Message. Error returns the least information and Message returns the most.

Enable FIPS-140: Be sure to configure FIPS-140 before enabling it; see Configuring FIPS-140 mode (see page 251).

Online Certificate Status Protocol: CAC can use OCSP. If CAC is using OCSP, be sure to configure CAC before enabling. If CAC is not using OCSP, no configuration is required. To enable, provide the Server URL and select Enable OCSP.

Field: Session

Max Session Time: Time after which your session is logged out even if you are active. The default is 120 minutes. The time constraints are automatically enforced when this value is selected.

Idle Timeout: Time after which your session is logged out if you are inactive or away. The default is 30 minutes. The time constraints are automatically enforced when this value is selected.

Note: The Max Session Time value should be greater than the Idle Timeout value.

Note: When you have integrated BMC Atrium SSO with BMC Remedy AR System, the Idle Timeout value should be 3 minutes more than the BMC Mid Tier idle timeout value.

Cache Time: Time after which the cache is cleared. Time constraints are automatically enforced. The default is 3 minutes.

Max Session Count per User: Maximum number of concurrent sessions allowed for a user. The default value is 5. Click Enable to enable Max Session Count per User. When the session limit is exceeded, select the desired behavior: Delete Oldest or Block New.

11.6.4 HTTP Only and HTTPS Only

With the release of BMC Atrium Single Sign-On 8.1 Patch 3, the Server Configuration Editor provides two new options: HTTP Only and HTTPS Only. The HTTP Only parameter marks the BMC Atrium Single Sign-On cookie so that non-HTTP APIs such as JavaScript cannot access it. When you enable the HTTPS Only parameter, it marks the cookie with the Secure option, which ensures that the cookie is transmitted only over HTTPS connections from the browser to the server. Both check boxes are false by default. When set to true, the options prevent scripts and third-party programs from accessing the cookies.


To secure BMC Atrium Single Sign-On as a stand-alone server

1. Open the Edit Server Configuration tab on the BMC Atrium Single Sign-On Admin Console.
2. Select the HTTP Only and HTTPS Only check boxes, and click Save.
3. Restart the BMC Atrium Single Sign-On server.
4. Clear all the existing cookies from the browser history.

To secure BMC Atrium Single Sign-On as a high-availability cluster

1. Open the HA Node Details tab on the BMC Atrium Single Sign-On Admin Console.
2. Select the node for which the HTTP Only and HTTPS Only options are to be enabled.
3. Select the HTTP Only and HTTPS Only check boxes for each node, and click Save.

Note: Configuration warnings appear, saying that the HTTP Only and HTTPS Only features are out of sync for some nodes. You can ignore the warnings and click OK.

4. Restart the server.
5. Clear all the existing cookies from the browser history.

Note: A warning is displayed after the configuration change is saved when the HTTP Only, HTTPS Only, Cookie Name, or Cookie Domain setting is out of sync with other nodes. The warning message includes a list of other nodes that do not match the currently saved value.
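After either procedure, confirm from the browser side that the cookie actually arrives with both attributes from every node. The following Python check is an added example, not part of the BMC documentation or product: it parses the Set-Cookie headers captured from each HA node, reports nodes whose SSO cookie lacks HttpOnly or Secure, and flags a Cookie Domain that differs between nodes. The cookie name "atssoCookie", the node names and the header values are constructed sample data (the real cookie name is generated from the server FQDN).

```python
"""Verify HttpOnly / Secure on the BMC Atrium SSO cookie across HA nodes.

Added example, not BMC code. The cookie name, node names and Set-Cookie
header values below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class CookieAttrs:
    name: str
    http_only: bool
    secure: bool
    domain: str | None


def parse_set_cookie(header: str) -> CookieAttrs:
    """Extract name, HttpOnly, Secure and Domain from one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _ = parts[0].partition("=")       # value may itself contain '='
    http_only = secure = False
    domain = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()              # attribute names are case-insensitive
        if key == "httponly":
            http_only = True
        elif key == "secure":
            secure = True
        elif key == "domain":
            domain = value.strip()
    return CookieAttrs(name.strip(), http_only, secure, domain)


def audit_node(headers: list[str], cookie_name: str) -> list[str]:
    """Findings for one node: the missing attributes, or 'cookie not set'."""
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name != cookie_name:
            continue
        findings = []
        if not cookie.http_only:
            findings.append("HttpOnly")
        if not cookie.secure:
            findings.append("Secure")
        return findings
    return ["cookie not set"]


def audit_cluster(responses: dict[str, list[str]], cookie_name: str) -> dict[str, list[str]]:
    """Audit every node; an empty finding list means that node passes."""
    return {node: audit_node(headers, cookie_name) for node, headers in responses.items()}


def out_of_sync_nodes(findings: dict[str, list[str]]) -> list[str]:
    """Nodes that need attention, in stable order."""
    return sorted(node for node, problems in findings.items() if problems)


def cookie_domains(responses: dict[str, list[str]], cookie_name: str) -> dict[str, str | None]:
    """Cookie Domain observed per node, for the nodes that set the cookie at all."""
    domains: dict[str, str | None] = {}
    for node, headers in responses.items():
        for header in headers:
            cookie = parse_set_cookie(header)
            if cookie.name == cookie_name:
                domains[node] = cookie.domain
    return domains


def domains_in_sync(responses: dict[str, list[str]], cookie_name: str) -> bool:
    """True when every node that sets the cookie uses the same Cookie Domain."""
    return len(set(cookie_domains(responses, cookie_name).values())) <= 1


# Constructed sample: Set-Cookie headers as captured from four HA nodes.
SAMPLE_RESPONSES = {
    "sso-node1": [
        "atssoCookie=TOKEN1; Domain=.example.com; Path=/; Secure; HttpOnly",
        "JSESSIONID=ABC; Path=/atriumsso; HttpOnly",
    ],
    "sso-node2": ["atssoCookie=TOKEN2; Domain=.example.com; Path=/; HttpOnly"],  # HTTPS Only not enabled
    "sso-node3": ["atssoCookie=TOKEN3; Domain=.node3.example.com; Path=/"],     # neither flag, odd domain
    "sso-node4": ["JSESSIONID=DEF; Path=/atriumsso"],                           # SSO cookie absent
}

if __name__ == "__main__":
    for node, problems in audit_cluster(SAMPLE_RESPONSES, "atssoCookie").items():
        print(node, "OK" if not problems else "missing: " + ", ".join(problems))
    print("Cookie Domain in sync:", domains_in_sync(SAMPLE_RESPONSES, "atssoCookie"))
```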

11.6.5 Session parameter defaults

The session parameter defaults for the BMC Atrium Single Sign-On server are:

Max Session Time (Default: 120 minutes)
Idle Timeout (Default: 30 minutes)
Cache Time (Default: 3 minutes)
Max Session Count per User (Default: 5)
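The session rules stated in the Server Configuration Editor table (Max Session Time above Idle Timeout; Idle Timeout 3 minutes above the Mid Tier idle timeout when AR System is integrated; the Delete Oldest and Block New behaviours of Max Session Count per User) as an added Python example, not part of the BMC documentation or product. SessionParams, validate and SessionLimiter are assumed names, the defaults are the ones listed above, and "3 minutes more" is treated as at least 3 minutes.

```python
"""Validate BMC Atrium SSO session parameters and model the two
'Max Session Count per User' overflow behaviours.

Added example, not BMC code. Class and function names are assumptions;
the defaults and rules come from the Server Configuration Editor table.
"""
from __future__ import annotations

from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class SessionParams:
    max_session_time: int = 120              # minutes (product default)
    idle_timeout: int = 30                   # minutes (product default)
    cache_time: int = 3                      # minutes (product default)
    max_session_count: int = 5               # sessions per user (product default)
    mid_tier_idle_timeout: int | None = None  # minutes; set only when integrated with AR System Mid Tier


def validate(p: SessionParams) -> list[str]:
    """Return the rule violations; an empty list means the values are consistent."""
    problems: list[str] = []
    for label, value in (
        ("Max Session Time", p.max_session_time),
        ("Idle Timeout", p.idle_timeout),
        ("Cache Time", p.cache_time),
        ("Max Session Count per User", p.max_session_count),
    ):
        if value <= 0:
            problems.append(f"{label} must be positive (got {value})")
    if p.max_session_time <= p.idle_timeout:
        problems.append("Max Session Time must be more than Idle Timeout")
    if p.mid_tier_idle_timeout is not None and p.idle_timeout < p.mid_tier_idle_timeout + 3:
        problems.append("Idle Timeout must be 3 minutes more than the Mid Tier idle timeout")
    return problems


class SessionLimiter:
    """Per-user concurrent session cap with the 'Delete Oldest' or 'Block New' behaviour."""

    POLICIES = ("Delete Oldest", "Block New")

    def __init__(self, limit: int, policy: str) -> None:
        if policy not in self.POLICIES:
            raise ValueError(f"policy must be one of {self.POLICIES}")
        self.limit = limit
        self.policy = policy
        # user -> insertion-ordered session ids (oldest first)
        self._sessions: dict[str, OrderedDict[str, None]] = {}

    def login(self, user: str, session_id: str) -> tuple[bool, str | None]:
        """Register a new session. Returns (accepted, evicted_session_id)."""
        sessions = self._sessions.setdefault(user, OrderedDict())
        if len(sessions) < self.limit:
            sessions[session_id] = None
            return True, None
        if self.policy == "Block New":          # limit reached: refuse the new login
            return False, None
        oldest, _ = sessions.popitem(last=False)  # Delete Oldest: evict, then admit
        sessions[session_id] = None
        return True, oldest

    def logout(self, user: str, session_id: str) -> None:
        self._sessions.get(user, OrderedDict()).pop(session_id, None)

    def active(self, user: str) -> list[str]:
        return list(self._sessions.get(user, ()))


if __name__ == "__main__":
    print(validate(SessionParams()))                                        # []
    print(validate(SessionParams(idle_timeout=30, mid_tier_idle_timeout=28)))
    limiter = SessionLimiter(limit=2, policy="Delete Oldest")
    for sid in ("s1", "s2", "s3"):
        print(sid, limiter.login("alice", sid))
    print(limiter.active("alice"))                                          # ['s2', 's3']
```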


11.7 Stopping and restarting the BMC Atrium Single Sign-On server

This section describes how to stop and restart the BMC Atrium Single Sign-On server on Microsoft Windows, UNIX, and Linux.

11.7.1 Stopping and restarting on Windows

1. From the desktop of the application server host, use the Control Panel to go to the Administrator Tools' Component Services dialog box.
2. Expand the Services folder.
3. Select BMC Atrium SSO.
4. Click Stop.
5. To restart BMC Atrium Single Sign-On, click Start.

11.7.2 Stopping and restarting on UNIX or Linux

Ensure that your Java processes are stopped before restarting BMC Atrium Single Sign-On. Start the UNIX or Linux services by performing the following steps:

1. Navigate to the /AtriumSSO/bin directory.
2. To shut down the services, type the following command:

shutdown-tomcat.sh

3. To start the services, type the following command:

startup-tomcat.sh

12 Troubleshooting

BMC Atrium Single Sign-On (default) supports logging on both the server and agents. Logging is used for auditing purposes and for general debugging of connection issues. The logging system supports rotation of the agent audit log files. By default, these log files are not used or rotated because audit logging also occurs on the server. If rotation is disabled, the file system might be consumed with log files.

Note: The logging system can be modified for each component of BMC Atrium Single Sign-On.

The following topics provide information about various issues that can occur with BMC Atrium Single Sign-On:

Collecting diagnostics (see page 281)
Working with error messages (see page 285)
Logon and logoff issues (see page 316)
Upgrading from 7.6.04 to 8.1 silent installation issue (see page 317)
Troubleshooting AR authentication (see page 320)
Troubleshooting AR System server and Mid Tier integrations
Troubleshooting CAC authentication (see page 326)
Troubleshooting FIPS-140 conversion
Troubleshooting JEE agents (see page 331)
Troubleshooting Kerberos authentication (see page 333)
Troubleshooting an external LDAP user store
Troubleshooting SAMLv2
Troubleshooting redirect URLs (see page 343)
Session sharing in HA mode issue (see page 345)
Troubleshooting installation or upgrade issues (see page 346)
Resolving installation issues on LINUX operating system (see page 346)

12.1 Collecting diagnostics

BMC Atrium Single Sign-On is a distributed system and creates log files in many locations. Where a log file is located generally depends on the component of the system (server or agents) that writes it. To help gather the log files and other information that is critical to providing quality support, a Java utility is available that collects this information from many of the components. This utility requires a modern Java 6 JVM.

To run the support utility (see page 282)
Support utility location (see page 282)
Log file locations (see page 282)
Using BMC Atrium Single Sign-On for logging (see page 284)

12.1.1 To run the support utility

1. On the command line, navigate to the directory containing the jar support utility.
2. Enter the following jar command:

java -jar atssoSupport.jar

After the utility completes, all of the gathered information is stored in the atssoSupport.zip file.

12.1.2 Support utility location

The server and the web agent place the jar support utility in a predefined location. Products that use the Thick Agents for integration do not have a predefined location, but instead rely on a product-specific location.

The location within the server is: /tomcat/webapps/atriumsso/WEB-INF/tools

The location within the agent is: /atssoAgents/bin

installationDirectory is the location where BMC Atrium Single Sign-On has been installed. container is the base directory of the JEE container in which the agent has been installed.

12.1.3 Log file locations

BMC Atrium Single Sign-On has two main logging directories:

/tomcat/webapps/atriumsso/WEB-INF/config/atriumsso/log
/tomcat/webapps/atriumsso/WEB-INF/config/atriumsso/debug

Of the component files in the log and debug directories, the files most commonly used to resolve BMC Atrium Single Sign-On issues are the Authentication and CoreSystem log files. These files contain the error entries about failures to communicate with the authentication modules, with the exception of RSA SecurID. RSA SecurID also uses rsa_api.log and rsa_api_debug.log for additional logging.

Additional server log file locations (see page 283)
Install program log files (see page 283)
Log directory (see page 283)
Debug directory (see page 283)

Additional server log file locations

Additional server log files are located at:

/tomcat/logs
/tomcat/temp

Install program log files

The install program log files are in the temporary file system:

/atriumsso_install_log.txt
/AtriumSSOInstalledConfiguration.xml
/AtriumSSOInstallingConfiguration.xml

Log directory

The log directory contains log files that are useful for auditing purposes. Each component of BMC Atrium Single Sign-On creates two files within this directory, one for successful entries and the other for error entries. The following components typically have files in this logging directory:

amAuthentication
amConsole
amPolicy
IDFF
WSFederation
amPolicyDelegation
amSSO

Debug directory

The debug directory contains additional log files that are geared towards problem resolution. The following BMC Atrium Single Sign-On components typically have files in this logging directory:

Authentication
CoreSystem
Entitlement
IdRepo
Session
rsa_api_debug.log
rsa_api.log


12.1.4 Using BMC Atrium Single Sign-On for logging

BMC Atrium Single Sign-On provides logging level options at the server level and at the agent level. In addition, debug logging can be enabled for RSA SecurID.

To enable logging at the server level (see page 284)
To enable logging at the agent level (see page 284)
To modify the rsa_api.properties file (see page 285)

The logging level options at both the server and agent level include:

Off: Turns off logging.
Error (default): Returns the least amount of information. The logging level is typically kept at this default.
Message: Generates the most verbose logs but severely impacts server performance. The Message level should be used only while an issue is being worked on.
Warning: Returns more information than Error, but less than Message.

Note: BMC recommends that for normal operation you set Logging Level to either Off or Error.

To enable logging at the server level

1. On the BMC Atrium SSO Admin Console, click Edit Server Configuration.
2. In the Logging Level section, select your logging level from the drop-down menu.
3. Click Save.
4. Restart the server for the logging configuration change to take effect.

The default log file location is the following directory: /tomcat/webapps/atriumsso/WEB-INF/config/atriumsso/debug

To enable logging at the agent level

1. On the BMC Atrium SSO Admin Console, click Agent Details.
2. Select the agent that you want to update.
3. In the Logging Level section, select your logging level from the drop-down menu.
4. Click Save.
5. Restart the agent for the logging configuration change to take effect.

The default location for the log files generated by the agent is the temporary directory of the web container where the agent is deployed. For example, for the Tomcat server the location is the CATALINA_HOME directory, and for IBM WebSphere the location is the AppServer directory.


To modify the rsa_api.properties file

For RSA SecurID, additional debug logging is available by modifying the rsa_api.properties file.

1. Navigate to /tomcat/webapps/atriumsso/WEB-INF/config/atriumsso/auth/ace/data
2. Edit the rsa_api.properties file.
3. Change the RSA_ENABLE_DEBUG property from NO to YES. Changing this property increases the volume of debugging information supplied by the RSA SecurID module.
4. Access the rsa_api_debug.log file in the debug logging directory for this information.

12.2 Working with error messages

Error number  Message
BMCSSG0000E  Undefined error message. Contact BMC Software, Inc.
BMCSSO1000E  Undefined error message. Contact BMC Software, Inc.
BMCSSO1001I  OpenSSO agent configuration override is on.
BMCSSO1002E  Cannot find config.properties in directory specified (%s)
BMCSSO1003I  BMC Atrium SSO agent is disabled.
BMCSSO1004I  No disabled user id specified, and user not already authenticated. Using user id "nobody".
BMCSSO1005E  Failed to configure logging: %s
BMCSSO1006E  Destination directory for templates does not exist: %s
BMCSSO1007E  Destination directory for templates is not a directory: %s
BMCSSO1008E  Required parameter not specified for configuration (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1009E  Failed to generated configuration for OpenSSO Agent.
BMCSSO1010E  BMC Atrium SSO security not configured.
BMCSSO1011E  BMC Atrium SSO security improperly configured. Internal error. Contact BMC Software, Inc.
BMCSSG1012E  BMC Atrium SSO security not integrated with server. Internal error. Contact BMC Software, Inc.
BMCSSO1013E  Failed internal agent configuration. Internal error. Contact BMC Software, Inc.
BMCSSO1014E  Failed internal agent configuration. Internal error. Contact BMC Software, Inc.
BMCSSO1015E  Agent configuration file (%s) already exists. Either delete agent or use replace agent.
BMCSSO1016W  Failed to get canonicalized host name.
BMCSSO1017E  Agent configuration file (%s) must be located within WEB-INF directory structure.
BMCSSO1018E  Failed agent confidentiality algorithm (%s). Contact BMC Software, Inc.


BMCSSO1019E  Failed agent confidentiality algorithm (%s). Contact BMC Software, Inc.
BMCSSO1020E  Failed agent confidentiality algorithm (%s). Contact BMC Software, Inc.
BMCSSG1021E  Cannot delete agent because configuration file specified does not exist.
BMCSSG1022E  Cannot delete agent because configuration file does not contain BMC Atrium SSO server information.
BMCSSG1023E  Error while processing deployer command (%s): %s
BMCSSG1024E  Failed to register agent with BMC Atrium SSO server (%s).
BMCSSG1025E  BMC Atrium SSO agent already registered with BMC Atrium SSO server. Must either replace or delete this agent.
BMCSSG1026E  File system location of container lib could not be identified. Specify through the property BMC Atrium SSO.container.lib.dir.
BMCSSG1027E  Failure generating or updating agent config.properties file (%s).
BMCSSG1028E  The web.xml file specified could not be found. Verify agent file system location supplied.
BMCSSG1029W  Agent configuration was disabled. Re-enabling security.
BMCSSG1030E  The web.xml file is not configured for FORM login. Please change the configuration to FORM login for BMC Atrium SSO Agent configuration.
BMCSSG1031E  Failed administrator logon: %s
BMCSSG1032E  Failed agent logon: %s
BMCSSG1033E  Failed to find agent configuration file.
BMCSSG1034E  Parsing error while processing file %s.
BMCSSG1035E  Could not access configuration template file (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1036E  Could not find configuration template file. Internal error. Contact BMC Software, Inc.
BMCSSG1037E  Failed to create container control. Internal error. Contact BMC Software, Inc.
BMCSSG1038E  Failed to create container control for unknown type(%s). Internal error. Contact BMC Software, Inc.
BMCSSG1039E  Administrative function (%s) failed. Internal error. Contact BMC Software, Inc.
BMCSSG1040E  Tomcat cookie adjustment failed. Internal error. Contact BMC Software, Inc.
BMCSSG1041E  Failed to bounce container. Internal error. Contact BMC Software, Inc.
BMCSSG1042E  Invalid hostname specified for BMC Atrium SSO URL (%s). Must use FQDN.
BMCSSG1043E  Failed to resolve configuration path (%s) to canonical.
BMCSSG1044E  Failed domain lookup of hostname supplied for BMC Atrium SSO URL.
BMCSSG1045E  Failed to find configurator template. Internal Error. Contact BMC Software, Inc.
BMCSSG1046E  Failed to load configurator template. Internal Error. Contact BMC Software, Inc.


BMCSSG1047E  Failed to load configurator template. Internal Error. Contact BMC Software, Inc.
BMCSSG1048E  Failed to execute configurator.
BMCSSG1049E  Execution of configurator failed with status code(%s).
BMCSSG1050E  Configuration of CAC was interrupted.
BMCSSG1051E  Configuration of CAC failed (%s).
BMCSSG1052E  Setup of administrative tool was interrupted.
BMCSSG1053E  Setup of administrative tool failed (%s).
BMCSSG1054E  Setup of administrative tool finished with non-zero result code (%s).
BMCSSG1055E  Invalid URL specified for BMC Atrium SSO server (%s).
BMCSSG1056E  BMC Atrium SSO configuration failed (%s).
BMCSSG1057I  Successfully configured BMC Atrium SSO server.
BMCSSG1058E  Invalid container home specified for BMC Atrium SSO server (%s).
BMCSSG1059E  Administrative password cannot be null or empty.
BMCSSG1060E  LDAP port specified is out of range (%d), must be 1..65534.
BMCSSG1061E  Failed to find executable jar file within classpath (%s).
BMCSSG1062E  Failed to connect with BMC Atrium SSO container. Container must be running with BMC Atrium SSO.war deployed before configuration.
BMCSSG1063E  Invalid URL type (%s).
BMCSSG1064E  Error connecting with BMC Atrium SSO container (%s)- is it running?
BMCSSG1065E  Failed to create temporary file for configuration (%s).
BMCSSG1066E  Failed to write to temporary file for configuration (%s).
BMCSSG1067E  Failed reconfiguration of BMC Atrium SSO server.
BMCSSG1068E  Invalid cookie domain specified (%s).
BMCSSG1069E  Failed to rewrite server URL to include proper context URI.
BMCSSG1070E  Agent password or name is empty/null. Internal error. Contact BMC Software, Inc.
BMCSSG1071E  Administrator password or name is empty/null. Internal error. Contact BMC Software, Inc.
BMCSSG1072E  Failed to create agent profile (response code: %s).
BMCSSG1073E  Configuration for agents failed (%s).
BMCSSG1074E  Configuration for agents was interrupted.
BMCSSG1075E  Failed to create cache dir.


BMCSSG1076E  Failed to create authentication context (%s). Is the BMC Atrium SSO server running?
BMCSSG1077E  Failed to begin login (%s).
BMCSSG1078E  Default BMC Atrium SSO server not specified with environment variable .
BMCSSG1079E  Badly formed URL for default BMC Atrium SSO server.
BMCSSG1080E  Failed to retrieve SSOToken (%s).
BMCSSG1081E  Failed to retrieve idle time (%s).
BMCSSG1082E  Failed to retrieve max idle time (%s).
BMCSSG1083E  Failed to retrieve max session time (%s).
BMCSSG1084E  Failed to retrieve principal (%s).
BMCSSG1085E  Failed to retrieve time left (%s).
BMCSSG1086E  Failed to logout (%s).
BMCSSG1087E  Failed to register for token events (%s).
BMCSSG1088E  Failed to get token event type (%s).
BMCSSG1089E  Failed to validate SSO token (%s).
BMCSSG1090E  Administrative password must be at least 8 characters in length.
BMCSSG1091E  Token cache too large to load (%d).
BMCSSG1092E  Failed to read fully from cache file (%s).
BMCSSG1093E  Failed to delete cache.
BMCSSG1094E  Failed to convert to XML. Internal Error. Contact BMC Software, Inc.
BMCSSG1095E  Failed to create lock on cache (%s).
BMCSSG1096E  Interrupted during create lock on cache (%s).
BMCSSG1097E  Failed to extract data from possibly corrupted cache (%s).
BMCSSG1098E  Failed to write to cache (%s).
BMCSSG1099E  Failed to write to cache (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1200E  Default BMC Atrium SSO server is not specified.
BMCSSG1201E  Default BMC Atrium SSO server URL is not specified correctly (%s).
BMCSSG1202E  Failed to retrieve SSOToken using token id. Is server certificate in truststore? (%s).
BMCSSG1203E  Login failed (%s).
BMCSSG1204E  Must authenticate a user before requesting token.
BMCSSG1205E  Failed to retrieve token (%s).


BMCSSG1206E  System callback handler is not specified.
BMCSSG1207E  Failed to load class for callback handler.
BMCSSG1208E  Failed to create an instance of the class for callback handler (%s).
BMCSSG1209E  Unknown UIHandler specified: %s
BMCSSG1210E  Failure during login (%s).
BMCSSG1211E  Failure during login (%s).
BMCSSG1212W  Please enter a value for the password.
BMCSSG1213E  Failed to logout from BMC Atrium SSO server (%s).
BMCSSG1214E  Failed to abort from BMC Atrium SSO server (%s).
BMCSSG1215E  Invalid naming URL: %s
BMCSSG1216E  Invalid BMC Atrium SSO URL specified (%s).
BMCSSG1217E  Already logged into BMC Atrium SSO server. Logout before trying to login again.
BMCSSG1218E  Context must be reset before being used for another login.
BMCSSG1219E  Failed to find userid within Principal (%s).
BMCSSG1220E  Failed to create context from token (%s).
BMCSSG1221E  Improper response received from BMC Atrium SSO server (%d).
BMCSSG1222E  Failed to connect with BMC Atrium SSO server.
BMCSSG1223E  Invalid security provider specified (%s).
BMCSSG1224E  Invalid security algorithm specified (%s).
BMCSSG1225E  Could not resolve hostname for BMC Atrium SSO server (%s).
BMCSSG1226E  Failed to access user specified keystore file (%s): %s
BMCSSG1227E  Failed to execute keytool to generate certificate.
BMCSSG1228E  Keytool finished with non-zero status code (%d).
BMCSSG1229E  Keystore password not specified.
BMCSSG1230E  Keystore password not specified.
BMCSSG1231E  Trying to use insecure communications protocol HTTP instead of HTTPS. Must use HTTPS for server URL (%s).
BMCSSG1232E  Could not find configuration utility. Has BMC Atrium SSO war file been deployed?
BMCSSG1233E  Could not connect using HTTPS and keystore specifications.
BMCSSG1234E  Failed to create TLS socket factory for HTTPS communications (%s).


BMCSSG1235E  Specified insecure HTTP protocol for BMC Atrium SSO but configuration is blocking usage.
BMCSSG1236E  Failed to initialize HTTPS protocol using keystore specified (%s).
BMCSSG1237E  Failed to initialize HTTPS protocol using certificate file specified (%s).
BMCSSG1238E  Configuration for HTTPS protocol is incomplete- a keystore or certificate is required.
BMCSSG1239E  Error while loading keystore specified for web agent deployment and configuration.
BMCSSG1240E  Error while loading server certificate specified for web agent deployment and configuration.
BMCSSG1241E  Failed to connect with BMC Atrium SSO server for HTTPS certificate download (%s).
BMCSSG1242E  Failed to retrieve certificate from BMC Atrium SSO server for HTTPS configuration.
BMCSSG1243E  Failed to write retrieved certificate to cache (%s).
BMCSSG1244E  Failed to use HTTPS certificates for agent delete (%s).
BMCSSG1245W  Specified insecure HTTP protocol for BMC Atrium SSO server (%s).
BMCSSG1246E  Failed to load users keystore (%s).
BMCSSG1247E  Failed to create keystore manager(%s).
BMCSSG1248E  Failed to add new certificate to keystore(%s).
BMCSSG1250E  Failed to lock file for keystore update (%s).
BMCSSG1251E  Failed to unlock file after keystore update (%s).
BMCSSG1252E  Login failed. Verify user credentials and try again.
BMCSSG1253E  Failed to create LDAP chain (%s).
BMCSSG1254E  Failed to load keystore (%s).
BMCSSG1255E  Invalid token specified for BMC Atrium SSO server connection.
BMCSSG1256E  Alias cannot be null. Internal error. Contact BMC Software, Inc.
BMCSSG1257E  Failed to update keystore because of failure to delete original keystore file.
BMCSSG1258E  Failed to rename new keystore to replace original keystore.
BMCSSG1259E  Failed to load keystore from file (%s).
BMCSSG1260E  Failed to read data from file (%s). Keystore has been corrupted.
BMCSSG1261E  If keystore specified, then keystore type and password must also be provided.
BMCSSG1262E  No keystore available for private keys.
BMCSSG1263E  Failed to setup trust manager (%s).
BMCSSG1264E  Failed to bounce container after configuration step (%s).
BMCSSG1265E  Authentication callback failed to provide credentials (%s).


BMCSSG1266E  BMC Atrium SSO URL is not specified through environment or system properties.
BMCSSG1267E  Invalid BMC Atrium SSO URL specified (%s).
BMCSSG1268E  A realm must be specified when connecting with BMC Atrium SSO (cannot be null).
BMCSSG1269E  A callback handler must be specified when connecting with BMC Atrium SSO (cannot be null).
BMCSSG1270E  Failed to find UID within DN (%s).
BMCSSG1271E  Empty DN provided for principal.
BMCSSG1272E  Failed to load JVM KeyStore(%s).
BMCSSG1273E  Missing store password for keystore file.
BMCSSG1274E  Malformed forwarding URL received (%s).
BMCSSG1275E  Failed to configure SecurID module (%s).
BMCSSG1276E  Failed creating ActiveDirectory chain (%s).
BMCSSG1277E  Failed adding ActiveDirectory module to ActiveDirectory chain (%s).
BMCSSG1278E  Failed creating ActiveDirectory module (%s).
BMCSSG1279E  Failed updating LDAP module (%s).
BMCSSG1280E  Failed updating AD module (%s).
BMCSSG1281E  Failed to create directory for file lock (%s).
BMCSSG1282E  Keytool finished with non-zero status code (%d).
BMCSSG1283E  Failed to execute keytool to export certificate.
BMCSSG1284E  Keytool finished with non-zero status code (%d).
BMCSSG1285E  Failed to connect with Identity REST services (%s).
BMCSSG1286E  Not connected with Identity REST services. Internal Error. Contact BMC Software, Inc.
BMCSSG1287E  Failed to fetch attributes from server (%s).
BMCSSG1288E  Failed to retrieve client host name(%s).
BMCSSG1289E  Failed to parse LDAP value (%s).
BMCSSG1290E  Failed to deserialize group file (%s).
BMCSSG1291E  Groups file (%s) does not exist.
BMCSSG1292E  Failed to upload groups to server (%s).
BMCSSG1293I  User canceled login.
BMCSSG1294E  Authentication failed for unknown reason.
BMCSSG1295E  Failed to find class (%s) in launching jar. Internal Error. Contact BMC Software, Inc.


BMCSSG1296E  Failed to parse jar file URL (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1297E  Failed to locate jar entry in jar URL (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1298E  Failed to get jar URL (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1299E  Agent zip directory (%s) not found in jar file directory (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1300E  Agent action option must be specified (install, migrate, uninstall).
BMCSSG1301E  Failed to create temporary response file (%s).
BMCSSG1302E  When truststore option is specified, the password, type and alias must also be specified.
BMCSSG1303E  Truststore specified does not exist(%s).
BMCSSG1304E  JEE container base directory specified does not exist (%s).
BMCSSG1305E  JEE container base directory specified is not a directory (%s).
BMCSSG1306E  Couldn't find websphere agent zip (%s).
BMCSSG1307E  Websphere server instance configuration directory doesn't exist (%s).
BMCSSG1308E  Couldn't create temporary server certificate file (%s).
BMCSSG1309E  Failed to load response file from input stream (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1310E  Failed to open response file source file (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1311E  Failed to load response file from string (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1312E  Failed to open response file (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1313E  Failed to write into response file (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1314E  Missing value for variable (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1315E  Failed to generate random sequence (%s).
BMCSSG1316E  Failed to create temporary file (%s).
BMCSSG1317I  Successfully finished execution.
BMCSSG1318I  Deployer execution completed.
BMCSSG1319E  Failed deployer execution.
BMCSSG1320E  Failed to load agent configuration (%s).
BMCSSG1321E  Failed to save agent configuration (%s).
BMCSSG1322I  Detected agent installation.
BMCSSG1323I  Agent installation not detected.
BMCSSG1324E  Agent installation detected, but failed to instantiate (%s).


BMCSSG1325E  Agent installation detected, but failed to instantiate (%s).
BMCSSG1326E  Failed to parse deployer options (%s).
BMCSSG1327E  Failed to access template file (%s).
BMCSSG1328E  Failed to find worker for task. Internal Error. Contact BMC Software, Inc.
BMCSSG1329E  Invalid parameter values.
BMCSSG1330E  Subscript execution failed (%s) (formerly code BMCSDG1330E).
BMCSSG1331E  Failed to create agent installation directory (%s).
BMCSSG1332E  Failed to connect with BMC Atrium SSO server (%s).
BMCSSG1333E  JEE container cannot be running during installation. Please stop the server and retry agent installation.
BMCSSG1334E  BMC Atrium SSO server (%s) cannot be contacted. It must be running during agent installation.
BMCSSG1335E  Failed to netstat for JEE container ports (%s).
BMCSSG1336E  Failed to create agent account (%s).
BMCSSG1337E  Failed to create logout url (%s).
BMCSSG1338E  Failed to create BMC Agent (%s).
BMCSSG1339E  Failed to convert agent data (%s).
BMCSSG1340E  Agent installation finished with errors (formerly code BMCSDG1340E).
BMCSSG1341E  Agent already installed and configured for URL (%s). Use "--force" option to override.
BMCSSG1342E  Unknown agent specified for URL (%s). Use "--force" option to override.
BMCSSG1343E  Failed to update BMC Agent after uninstall (%s).
BMCSSG1344E  JEE truststore specified does not exist (%s).
BMCSSG1345E  JVM truststore specified does not exist (%s).
BMCSSG1346E  JEE password must be specified when JEE truststore is specified.
BMCSSG1347E  JVM password must be specified when JVM truststore is specified.
BMCSSG1348E  Couldn't find tomcat agent zip (%s).
BMCSSG1349E  BMC Atrium SSO filter experienced internal error processing security: %s
BMCSSG1350E  BMC Atrium SSO cannot be contacted. Contact security administrator.
BMCSSG1351E  Failed to create BmcRealm (%s).
BMCSSG1352E  Failed to create temporary file for property update (%s): %s
BMCSSG1353E  Failed to open stream to new property file (%s).


BMCSSG1354E  Failed adding LDAP module to LDAP chain (%s).
BMCSSG1355E  Failed to write to new property file (%s).
BMCSSG1356E  Failed to update keystore for login(%s).
BMCSSG1357E  Failure during server certificate acceptance (%s).
BMCSSG1358E  Failure during server certificate acceptance (%s).
BMCSSG1359E  Used declined certificate from server (%s).
BMCSSG1360E  Failure checking server certificate against keystore (%s).
BMCSSG1361E  Wow, couldn't generate a unique filename for old file (%s).
BMCSSG1362E  Failed to rename old configuration file.
BMCSSG1363E  Server presented certificate unusable for server verification. CN must be hostname.
BMCSSG1364E  Failed setting auth level on in DataStore module (%s).
BMCSSG1365E  Failed to set CAC server configuration (%s).
BMCSSG1366E  Failed to create CAC module (%s).
BMCSSG1367E  Failed to set OCSP on in CAC module (%s).
BMCSSG1368E  Failed to create CAC chain (%s).
BMCSSG1369E  Failed to add CAC module to CAC chain (%s).
BMCSSG1370E  Failed to rollback to old configuration file.
BMCSSG1371E  Failed to create access to keystores (%s).
BMCSSG1372E  Failed to load MS-CAPI (%s).
BMCSSG1373E  A certificate is required for login, but none found. Is CAC card inserted?
BMCSSG1374E  Failed to prepare script for unix execution (%s).
BMCSSG1375E  Failed registering SecurID authentication module (%s).
BMCSSG1376E  Failed creating SecurID service (%s).
BMCSSG1377E  Failed to connect with BMC Atrium SSO server (%s).
BMCSSG1378E  Failed to connect with BMC Atrium SSO server (%s).
BMCSSG1379E  Failed to logout from BMC Atrium SSO server (%s).
BMCSSG1380E  Failed to commit log in with BMC Atrium SSO server (%s).
BMCSSG1381E  Failed to create SecurID module (%s).
BMCSSG1382E  Failed to create SecurID chain (%s).
BMCSSG1383E  Failed to add SecurID module to SecurID chain (%s).

BMCSSG1284E

Failed to get encoding for certificate (%s).

BMCSSG1385E

Failed to deserialize subjects file (%s).

BMCSSG1386E

Subjects file (%s) does not exist.

BMCSSG1387E

Failed to serialize subjects file (%s).

BMCSSG1388E

BMC Atrium SSO URL specified is invalid (%s).

BMCSSG1389E

File to import doesn't exist (%s).

BMCSSG1390E

Failed subject import(%s).

BMCSSG1391E

Failed subject export(%s).

BMCSSG1392E

The GET operation is not supported for this service.

BMCSSG1393E

The POST operation is not supported for this service.

BMCSSG1394E

The PUT operation is not supported for this service.

BMCSSG1395E

The DELETE operation is not supported for this service.

BMCSSG1396E

Failed to return JSON message for exception (%s).

BMCSSG1397E

Unsupported media type requested from REST services (%s).

BMCSSG1398E

Failed to convert exception to JSON object (%s).

BMCSSG1399E

Failed to add info to JSON object (%s).

BMCSSG1400E

Failed to add FIPS info to JSON object (%s).

BMCSSG1401E

Missing required parameter for REST service (%s).

BMCSSG1402E

Missing required parameters for REST service (%s).

BMCSSG1403E

Failure performing identity search (%s).

BMCSSG1404E

Failure creating JSON object for identity search (%s).

BMCSSG1405E

Invalid URI specified for remote notification (%s).

BMCSSG1406E

Failed to register for token notifications (%s).

BMCSSG1407E

Invalid tokenid passed for notifications (%s).

BMCSSG1408E

A URI must be specified for notifications.

BMCSSG1409E

At least one tokenid must be specified to register for notifications.

BMCSSG1410E

Notification URI already registered to receive notifications.

BMCSSG1411E

The URI specified is not registered for notifications (%s).

BMCSSG1412E

The URI specified was terminated due to failure to retrieve notifications in a timely manner (%s).

BMCSSG1413E

The URL specified for remote HTTP client failed to parse (%s): %s

BMCSSG1414E

Failed to create JSON message for notification (%s).

BMCSSG1415E

Received unsuccessful result code (%s) from HTTP send: %s

BMCSSG1416E

Test remote connection failed (%s).

BMCSSG1417W

Reverse remote client is not connected to receive messages (%s).

BMCSSG1418E

Invalid hostname specified for remote client (%s).

BMCSSG1419E

Failed to create TLS context (%s).

BMCSSG1420E

Failed to create reader/writers for socket notifications (%s).

BMCSSG1421E

Failed to build JSON object (%s).

BMCSSG1422E

Failed REST call to BMC Atrium SSO server (%s).

BMCSSG1423E

Internal error, no response code returned (%s).

BMCSSG1424E

Failed REST call with exception(%s): %s.

BMCSSG1425E

Internal error, no principal within session token (%s).

BMCSSG1426E

Internal error, no groups within session token (%s).

BMCSSG1427E

Internal error, no field %s within session token (%s).

BMCSSG1428E

Only agents and administrators can register for notifications on non-owner sessions.

BMCSSG1429E

Invalid URL specified (%s).

BMCSSG1430E

Failed to get BMC Atrium SSO server URL from notification (%s).

BMCSSG1431E

Failed to parse session notification from server (%s).

BMCSSG1432E

Error opening notification socket (%s).

BMCSSG1433E

Timed-out opening notification socket (%s).

BMCSSG1434E

Failed to create TLS socket (%s).

BMCSSG1435E

Failed to acquire FQDN for local host (%s).

BMCSSG1436E

Failed to compose URI for notifications (%s).

BMCSSG1437E

Failed to use reverse messenger with server (%s).

BMCSSG1438E

Failed to retrieve server version from info reply (%s).

BMCSSG1439E

Failed to retrieve server build date from info reply (%s).

BMCSSG1440E

BMC Atrium SSO server release is too old- does not support remote notification.

BMCSSG1441E

The URI specified was not registered for notification events (%s).

BMCSSG1442E

Failed to create messenger for reverse protocol (%s).

BMCSSG1443E

Invalid client certificate presented for notification (%s).

BMCSSG1444E

Failed to create dynamic client certificate (%s).

BMCSSG1445E

Unknown user attribute specified for export (%s).

BMCSSG1446E

Failed to connect with BMC Atrium SSO internal LDAP server (%s).

BMCSSG1447E

Failed to create unload directory (%s).

BMCSSG1448E

Failure during configuration dump (%s).

BMCSSG1449E

Failure during properties dump (%s).

BMCSSG1450E

Invalid server URL specified (%s).

BMCSSG1451E

Dump directory does not exist(%s).

BMCSSG1452E

Invalid dump directory (%s).

BMCSSG1453E

Failure loading configuration (%s).

BMCSSG1454I

Successfully unloaded BMC Atrium SSO data.

BMCSSG1455I

Successfully loaded BMC Atrium SSO data.

BMCSSG1456E

Failed to unload BMC Atrium SSO data (%s).

BMCSSG1457E

Failed to load BMC Atrium SSO data (%s).

BMCSSG1458E

Failed to unload group data (%s).

BMCSSG1459E

Failed to unload user data (%s).

BMCSSG1460E

Failed to find amserver.jar for update (%s).

BMCSSG1461E

Failed to access updated amserver.jar from classpath. Internal error. Contact BMC Software, Inc.

BMCSSG1462E

Failed to write data to amserver.jar (%s).

BMCSSG1463E

Failed to open temporary file for updated jar contents (%s).

BMCSSG1464E

Failed to rename old amserver.jar to %s.

BMCSSG1465E

Failed to rename new file to amserver.jar.

BMCSSG1466E

Failed to stop SSO container (%s).

BMCSSG1467E

Failed to start SSO container (%s).

BMCSSG1468E

Failed to access LDAP config (%s).

BMCSSG1469E

Failed to save modified LDAP config (%s).

BMCSSG1470E

Failed agent confidentiality algorithm (%s). Internal error. Contact BMC Software, Inc.

BMCSSG1471E

Failed agent confidentiality algorithm (%s). Internal error. Contact BMC Software, Inc.

BMCSSG1472E

Failed agent confidentiality algorithm (%s). Internal error. Contact BMC Software, Inc.

BMCSSG1473E

Failed to stop service for child process (%s).

BMCSSG1474E

Unable to access LDAP configuration (%s). Internal error. Contact BMC Software, Inc.

BMCSSG1475E

Missing property from configuration file (%s).

BMCSSG1476E

Failed to connect agent due to unsupported callback type.

BMCSSG1477E

Failed to retrieve cookie name from server (%s).

BMCSSG1478E

Failed to access configuration file (%s).

BMCSSG1479E

Failed to load from configuration file (%s).

BMCSSG1480E

Failed to open configuration file (%s).

BMCSSG1481E

Failed to store to configuration file (%s).

BMCSSG1482E

Failed to store secret key in keystore (%s).

BMCSSG1483E

Failed to generate secret key (%s).

BMCSSG1484E

Failed to encrypt with secret key (%s).

BMCSSG1485E

Configuration directory name is not specified in system property (%s).

BMCSSG1486E

Configuration directory does not exist (%s).

BMCSSG1487E

Web application configuration directory does not exist (%s).

BMCSSG1488E

Configuration file does not exist (%s).

BMCSSG1489E

Failed to find Tomcat v6 bin directory (%s).

BMCSSG1490E

Failed to access script file for JEE Agent integration (%s).

BMCSSG1491E

Failed to find Tomcat v6 bin directory (%s).

BMCSSG1492E

Failed to access script file for JEE Agent integration (%s).

BMCSSG1493E

Agent configuration directory for webapp already exists. If agent not currently deployed, delete directory and try again (%s).

BMCSSG1494E

Failed to create script file for JEE Agent integration (%s).

BMCSSG1495E

Failed to connect with BMC Atrium SSO server for token attributes (%s).

BMCSSG1496E

Incompatible message type received from BMC Atrium SSO server for token attributes (%s).

BMCSSG1497E

Failed to delete agent from BMC Atrium SSO server (%s).

BMCSSG1498E

Failed to delete agent user account from SSO server (%s).

BMCSSG1499E

Failed to decode agent password (%s).

BMCSSG1500E

Entry in keystore does not refer to secret key (%s).

BMCSSG1501E

Failed to get secret key (%s).

BMCSSG1502E

Failed to get agent token id (%s).

BMCSSG1503E

Failed to get cookie name from server (%s).

BMCSSG1504E

Failed to get FIPS mode from server reply (%s).

BMCSSG1505E

Failed to get FIPS mode from server (%s).

BMCSSG1506E

BMC Atrium SSO server is operating in FIPS mode but this agent is not in FIPS mode.

BMCSSG1507E

BMC Atrium SSO server is not operating in FIPS mode but this agent is in FIPS mode.

BMCSSG1508E

BMC Atrium SSO server is currently not available.

BMCSSG1509E

Failed to convert URL to URI (%s).

BMCSSG1510E

Failed to compose notification URL (%s).

BMCSSG1511E

Failed to access agent attribute (%s) from server (%s).

BMCSSG1512E

Exceeded redirection limit.

BMCSSG1513E

Failed to decode cookie (%s).

BMCSSG1514E

Required identity event attribute missing (%s).

BMCSSG1515E

Failed to get repository for identity listener (%s).

BMCSSG1516E

Required token event attribute missing (%s).

BMCSSG1517E

Failed to download and configure agent (%s).

BMCSSG1518E

Agent was renamed- local configuration must be updated.

BMCSSG1519E

Agent was deleted- local configuration must be updated.

BMCSSG1520E

Failed to get time from server reply (%s).

BMCSSG1521E

Failed to create TLS socket factory (%s).

BMCSSG1522E

Failed to start web receiver thread (%s).

BMCSSG1523E

Failed to find Tomcat v5 bin directory (%s).

BMCSSG1524E

Failed to access script file for JEE Agent integration (%s).

BMCSSG1525E

Failed to create script file for JEE Agent integration (%s).

BMCSSG1526E

Unable to get servlet context path. Use atsso.context.path in servlet init parameter.

BMCSSG1527E

Unknown contain type specified (%s).

BMCSSG1528E

Failed to find WebSphere script. Internal error. Contact BMC Software, Inc.

BMCSSG1529E

Failed to parse command line options for WebSphere7 (%s).

BMCSSG1530E

Instance directory specified does not exist (%s).

BMCSSG1531E

Failed to load WebSphere script (%s). Internal error. Contact BMC Software, Inc.

BMCSSG1532E

Failed to execute WebSphere script (%s).

BMCSSG1533E

WebSphere script failed.

BMCSSG1534E

Failed to store support utility program.

BMCSSG1535E

Failed to parse command line options for JBoss (%s).

BMCSSG1536E

Failed to find run.conf file (%s).

BMCSSG1537E

Failed to connect with BMC Atrium SSO server (%s). Is it running? Are the credentials correct?

BMCSSG1538E

Failed creating AR service (%s).

BMCSSG1539E

Failed to configure AR module (%s).

BMCSSG1540E

Failed creating AR module (%s).

BMCSSG1541E

Failed creating AR chain (%s).

BMCSSG1542E

Failed adding AR module to AR chain (%s).

BMCSSG1543E

Failed authentication with AR server (%s).

BMCSSG1544E

Failed to connect with AR server.

BMCSSG1545E

Unsupported type for operation with AR Server data source.

BMCSSG1546E

Failed to get groups for user (%s).

BMCSSG1547E

AR Server data source only supports group memberships.

BMCSSG1548E

AR Server host name not configured.

BMCSSG1549E

AR Server port number not configured.

BMCSSG1550E

Failed to create new agent account (%s) in BMC Atrium SSO server. Delete agent in administrator console and try again.

BMCSSG1551E

Failed adding DataStore module to AR chain (%s).

BMCSSG1552E

Data store failed to connect to AR Server using administrator account.

BMCSSG1553I

AR authentication allowed guest login but that option is blocked.

BMCSSG1554E

Failed to convert file for UNIX execution.

BMCSSG1555E

Failed to load provider for keystore type (%s).

BMCSSG1556E

Failed to load provider for truststore type (%s).

BMCSSG1557E

Failed to load keystore (%s).

BMCSSG1558E

Failed to load truststore (%s).

BMCSSG1559E

Failed to transfer public certificate to truststore (%s).

BMCSSG1560E

Failed to save truststore (%s).

BMCSSG1561E

Failed to remove old truststore.

BMCSSG1562E

Failed to replace old truststore.

BMCSSG1563E

BMC Atrium SSO server is in FIPS mode but RSA library is not FIPS compliant.

BMCSSG1564E

Failed to load specified provider class (%s): %s

BMCSSG1565E

Failed initializing to non-FIPS mode (%s).

BMCSSG1566E

Failed initializing to setup socket factory for LDAP (%s).

BMCSSG1567E

Failed to create socket for LDAP (%s).

BMCSSG1568E

Failed to initialize service.

BMCSSG1569E

Invalid parameter.

BMCSSG1570E

Failed to initialize service (%s).

BMCSSG1571E

Failed to initialize to receive notifications of FIPS service changes (%s).

BMCSSG1572E

BMC Atrium SSO server FIPS configuration is out of sync with server environment.

BMCSSG1573E

Not enforced file specified doesn't exist.

BMCSSG1574E

Failed to extract agent certificate from keystore (%s).

BMCSSG1575E

Source file name for conversion cannot be null.

BMCSSG1576E

Source type for conversion cannot be null.

BMCSSG1577E

Destination type for conversion cannot be null.

BMCSSG1578E

Failed to create temporary file for conversion (%s).

BMCSSG1579E

Destination file already exists.

BMCSSG1580E

Failed to open source keystore (%s).

BMCSSG1581E

Failed to create destination keystore (%s).

BMCSSG1582E

Failed to load destination keystore (%s).

BMCSSG1583E

Failed to get item from source keystore (%s).

BMCSSG1584E

Failed to move items into destination keystore (%s).

BMCSSG1585E

Failed to save destination keystore (%s).

BMCSSG1586E

Failed to open destination keystore (%s).

BMCSSG1587E

Failed to delete old destination keystore (%s).

BMCSSG1588E

Failed to rename new destination keystore (%s).

BMCSSG1589E

Failed to capture BMC Atrium SSO server certificate (%s).

BMCSSG1590E

Unload directory doesn't exist.

BMCSSG1591E

Failed to parse Tomcat server.xml;

BMCSSG1592E

Failed to setup truststore (%s).

BMCSSG1593E

BMC Atrium SSO server is running in FIPS140 mode, but the SDK is not configured for FIPS140.

BMCSSG1594E

BMC Atrium SSO server is not running in FIPS140 mode, but the SDK is configured for FIPS140.

BMCSSG1595E

Upgrade utility failed to connect with BMC Atrium SSO Server.

BMCSSG1596E

Failed to open server defaults (%s).

BMCSSG1597E

Failed to switch FIPS-140 mode (%s).

BMCSSG1598I

Switching Atrium SSO server to normal mode (not FIPS-140 mode).

BMCSSG1599I

Switching Atrium SSO server to FIPS-140 mode.

BMCSSG1600E

Switch of Atrium SSO server to normal mode completed.

BMCSSG1601I

Switch of Atrium SSO server to FIPS-140 mode completed.

BMCSSG1602E

Failed to update bootstrap information to FIPS-140 mode (has FIPS certified jar been installed?): %s

BMCSSG1603E

Failed to update bootstrap information to normal mode: %s

BMCSSG1604E

Failed to update server configuration to FIPS-140 mode: %s

BMCSSG1605E

Failed to update JVM configuration to FIPS-140 mode: %s

BMCSSG1606E

Failed to update server configuration to normal mode: %s

BMCSSG1607E

Failed to update JVM configuration to normal mode: %s

BMCSSG1608W

Detected CryptoJ library is not FIPS-140 compliant.

BMCSSG1609E

Failed to get FIPS-140 cipher for switch: %s

BMCSSG1610E

Failed to get normal cipher for switch: %s

BMCSSG1611E

Failed to switch FIPS mode: %s

BMCSSG1612E

Failed to update services information for switch to FIPS-140 mode: %s

BMCSSG1613E

Failed to update services information for switch to normal mode: %s

BMCSSG1614E

Failed JVM test for FIPS-140 cryptography. Please validate unlimited strength policy files and cryptojFIPS.jar have been installed into server JVM.

BMCSSG1615E

Failed JVM test for FIPS-140 cryptography with exception (%s). Please validate unlimited strength policy files and cryptojFIPS.jar have been installed into server JVM.

BMCSSG1616E

Failure converting cryptography for FIPS-140 switch (%s).

BMCSSG1617E

Failed JVM test for FIPS-140 cryptography. Please validate unlimited strength policy files and that RSA FIPS jars have been installed into server JVM.

BMCSSG1618E

Failed JVM test for FIPS-140 cryptography with exception (%s). Please validate unlimited strength policy files and RSA FIPS jars have been installed into server JVM.

BMCSSG1619E

Failed JVM test for FIPS-140 cryptography. Please validate unlimited strength policy files and that RSA FIPS jars have been installed into JVM.

BMCSSG1620E

Failed JVM test for FIPS-140 cryptography with exception (%s). Please validate unlimited strength policy files and RSA FIPS jars have been installed into JVM.

BMCSSG1621E

Failed to connect with Atrium SSO server (%s). Is server running in FIPS-140 mode?

BMCSSG1622E

Failed to switch from FIPS-140 mode.

BMCSSG1623E

Failed to switch to FIPS-140 mode.

BMCSSG1624I

Atrium SSO server is running in FIPS-140 mode.

BMCSSG1625I

Validated JVM ability for FIPS.

BMCSSG1626E

Failed to initialize cryptography (%s).

BMCSSG1627E

Failed to load LDAP configuration (%s).

BMCSSG1628E

Failed to parse LDAP configuration (%s).

BMCSSG1629E

Failed to update LDAP configuration (%s).

BMCSSG1630E

Failed to find ServletExec script file for modification (%s).

BMCSSG1631E

FIPS switch blocked due to missing server.xml.fips/server.xml.nofips and java.security.fips/java.security.nofips files not available. For information about file requirements, see Configuring an external Tomcat instance for FIPS-140.

BMCSSG1632E

Failed to parse configuration (%s).

BMCSSG1633E

Failed to extract OpenDS utilities (%s). Internal Error. Contact BMC Software, Inc.

BMCSSG1634E

Cluster configuration file specified does not exist (%s).

BMCSSG1635E

Cluster configuration file specified already exists (%s). Delete file or specify a non-existent name.

BMCSSG1636E

Cluster save-config and read-config cannot be specified during the same configuration.

BMCSSG1637E

Failed to load properties from cluster config file (%s).

BMCSSG1638E

Failed to save properties to cluster configuration file (%s).

BMCSSG1639E

LDAP Replication port must be specified when cluster file is specified.

BMCSSG1640E

Cluster save or read file must be specified when LDAP replication port is specified.

BMCSSG1641E

LDAP Replication port must be between 1 and 65535, inclusive (%s).

BMCSSG1642E

Failed to delete internal LDAP configuration template (%s). Internal Error. Contact BMC Software, Inc.

BMCSSG1643E

Failed to copy internal LDAP configuration template for clustered server. Internal Error. Contact BMC Software, Inc.

BMCSSG1644E

Failed to create directories for internal LDAP keystore (%s). Internal Error. Contact BMC Software, Inc.

BMCSSG1645E

Failed to create keystore for internal LDAP keystore (%s). Internal Error. Contact BMC Software, Inc.

BMCSSG1646E

Failed to create keystore for internal LDAP keystore (%s). Internal Error. Contact BMC Software, Inc.

BMCSSG1647E

Failed to save keystore for internal LDAP keystore (%s). Internal Error. Contact BMC Software, Inc.

BMCSSG1648E

Failed to save keystore pin for internal LDAP keystore (%s). Internal Error. Contact BMC Software, Inc.

BMCSSG1649E

Failed to format clustered OpenDS configuration template (%s). Internal Error. Contact BMC Software, Inc.

BMCSSG1650E

Failed to remove old LDAP truststore.

BMCSSG1651E

Failed to replace old LDAP truststore.

BMCSSG1652E

Failed to save LDAP truststore (%s).

BMCSSG1653E

Failed to transfer certificate (%s).

BMCSSG1654E

Failed to load LDAP truststore (%s).

BMCSSG1655E

Failed to get Keystore provider for type %s (%s).

BMCSSG1656E

Failed to get free port for internal LDAP communications (%s).

BMCSSG1657E

Failed to get LDAP keystore type (%s): %s

BMCSSG1658E

Failed to open LDAP keystore (%s).

BMCSSG1659E

LDAP keystore doesn't contain alias (%s).

BMCSSG1660E

Failed to pull certificate from LDAP keystore (%s).

BMCSSG1661E

Failed to get JVM truststore type (%s): %s

BMCSSG1662E

Failed to load JVM truststore (%s).

BMCSSG1663E

Failed to add LDAP certificate to JVM truststore (%s).

BMCSSG1664E

Failed to save JVM truststore (%s).

BMCSSG1665E

Failed to remove old JVM truststore.

BMCSSG1666E

Failed to replace old JVM truststore.

BMCSSG1667E

Invalid URL specified for Load Balancer (%s).

BMCSSG1668E

Both lb-url and lb-site-name parameters must be specified, or neither should be specified.

BMCSSG1669E

This host cannot be in the cluster because it is not in the same domain (or sub-domain) of the cookie domain (%s).

BMCSSG1670E

Failed to update OpenDS java home scripts (%s). Internal Error. Contact BMC Software, Inc.

BMCSSG1671E

Failed to create message handler for message type %s. Internal Error. Contact BMC Software, Inc.

BMCSSG1672E

Failed to build message for queue: %s

BMCSSG1673E

Failed to parse received message from queue: %s

BMCSSG1674E

Failed to access DB Meta topics for sync: %s

BMCSSG1675E

Failed to access DB Meta topics for messages: %s

BMCSSG1676E

Failed to lookup local site id: %s

BMCSSG1677E

Failed to create connection to DB: %s

BMCSSG1678E

Failed to initialized embedded Apache MQ: %s

BMCSSG1679E

Failed to access DB response topic: %s

BMCSSG1680E

Failed to access DB requests topic: %s

BMCSSG1681E

Failed to create publisher for DB Meta topic: %s

BMCSSG1682E

Failed to create subscriber for DB Meta topic: %s

BMCSSG1683E

Failed to start message queue processing: %s

BMCSSG1684E

Message type does not match type in message (%s). Internal Error. Contact BMC Software, Inc.

BMCSSG1685E

Primary key not specified before generating response.

BMCSSG1686E

Secondary key not specified before generating response.

BMCSSG1687E

Failed to use message queue URI's specified (%s), and failed to use default VM message queue.

BMCSSG1688E

Failed setting message queue implementation (%s).

BMCSSG1689E

Failed creating stand-alone site (%s).

BMCSSG1690E

Failed setting site message queue attributes (%s).

BMCSSG1691E

Failed adding single server to site (%s).

BMCSSG1692E

Failed to reform ssoadm scripts (%s).

BMCSSG1693E

Failed to remove discover from ActiveMQ configuration (%s).

BMCSSG1694E

This Atrium SSO server does not support GROUP identity search (version of server is too old). Please upgrade the Atrium SSO server.

BMCSSG1695E

Failed to get identities from search reply (%s).

BMCSSG1696E

Failed call to Atrium SSO server (%s).

BMCSSG1697I

Authentication process aborted.

BMCSSG1698E

Failed to build dialog in event thread (%s).

BMCSSG1699E

Failure during login (%s).

BMCSSG1700E

Cannot logout- context not logged in.

BMCSSG1701E

Authentication callback failed to provide credentials (%s).

BMCSSG1702E

Failed to parse session creation date/time (%s): %s

BMCSSG1703E

Invalid cluster URL specified in cluster configuration. Internal Error. Contact BMC Software. (%s)

BMCSSG1704E

Cannot convert parameters to proper encoding (%s).

BMCSSG1705E

Failed to convert authentication request into XML (%s). Internal Error. Contact BMC Software.

BMCSSG1706E

Failed to convert XML binary into UTF8 charset (%s). Internal Error. Contact BMC Software.

BMCSSG1707E

Failed to convert authentication response into Java (%s). Internal Error. Contact BMC Software.

BMCSSG1708E

No more callback requirements.

BMCSSG1709E

Authentication failure (%s): %s

BMCSSG1710E

Failed to re-initialize JEEFilter agent (%s).

BMCSSG1711E

Failed to find custom Callback class (%s): %s

BMCSSG1712E

Failed to load custom Callback class (%s): %s

BMCSSG1713E

HP-UX is not a supported JVM for Kerberos authentication.

BMCSSG1714E

Failed to get service ticket (%s).

BMCSSG1715E

Failed Kerberos login (%s).

BMCSSG1716E

Failed to create context for Kerberos login (%s).

BMCSSG1717E

Failed call to Atrium SSO server, return code: %s.

BMCSSG1718E

Failed to load Cookie Manager for JVM (%s).

BMCSSG1719E

Invalid container home specified for Atrium SSO server (%s).

BMCSSG1720E

Invalid container home specified for Atrium SSO server (%s).

BMCSSG1721E

Administrative password must be at least 8 characters in length.

BMCSSG1722E

Administrative password must be at least 8 characters in length.

BMCSSG1723E

LDAP port specified is out of range (%d), must be 1..65534.

BMCSSG1724E

LDAP port specified is out of range (%d), must be 1..65534.

BMCSSG1725E

Both lb-url and lb-site-name parameters must be specified, or neither should be specified.

BMCSSG1726E

Both lb-url and lb-site-name parameters must be specified, or neither should be specified.

BMCSSG1727E

Failed to rewrite server URL to include proper context URI.

BMCSSG1728E

Failed to rewrite server URL to include proper context URI.

BMCSSG1729E

Failed removing single server from site (%s).

BMCSSG1730E

Execution of dsreplication failed (%s).

BMCSSG1731E

Execution of dsreplication failed.

BMCSSG1732E

Failed to set OCSP server configuration (%s).

BMCSSG1733E

Failed getting local truststore (%s).

BMCSSG1734E

Failed loading local truststore.

BMCSSG1735E

Failed getting site members (%s).

BMCSSG1736E

Failed getting site members (%s).

BMCSSG1737E

Failed Agent authentication with Atrium SSO server. May need to re-integrate application with the Atrium SSO server.

BMCSSG1738E

Failed to convert LDAP port during upgrade (%s).

BMCSSG1739E

Failed to stop server (%s). Internal error. Contact BMC Software.

BMCSSG1740E

Main command line option unrecognized.

BMCSSG1741E

Invalid sub-options encountered.

BMCSSG1742E

Failed to read the input file: %s

BMCSSG1743E

IO error encountered when attempting to create the user: %s

BMCSSG1744E

Process was interrupted when attempting to create the user: %s

BMCSSG1745E

IO error encountered when attempting to federate users identities.

BMCSSG1746E

Process was interrupted when attempting to federate user identities.

BMCSSG1747E

IO error encountered when attempting to import federation data.

BMCSSG1748E

Process was interrupted when attempting to import federation data.

BMCSSG1749E

Illegal universal identifier: %s

BMCSSG1750E

Failed to write response file: %s

BMCSSG1751E

Local ID is missing or empty for line (%s): %s

BMCSSG1752E

Failed to create the temporary user ID mapping file.

BMCSSG1753E

Failed to create the temporary name ID mapping file.

BMCSSG1754E

Failed to save the temporary user ID mapping file.

BMCSSG1755E

Failed to save the name ID mapping file.

BMCSSG1756E

Failed to delete the temporary name ID mapping file.

BMCSSG1757E

Integration with Atrium SSO is failing. Please contact %s support team for help with resolving this integration problem (%s).

BMCSSG1758E

Failed to start container (%s). Internal error. Contact BMC Software.

BMCSSG1759E

Process inputs not supported in ssoadm. Internal error. Contact BMC Software.

BMCSSG1760E

Failed to initialize comm with Atrium SSO server: (%s)

BMCSSG1761E

Failed execution of command (%s) returning %s.

BMCSSG1762E

Failed execution of command (%s) returning %s.

BMCSSG1763E

Export service configuration not supported remotely. Internal error. Contact BMC Software.

BMCSSG1764E

Local certificate out of sync with remote server.

BMCSSG1765E

No certificate for remote server.

BMCSSG1766E

Local Atrium SSO certificate does not match remote server certificate. Agent may need to be re-integrated with the Atrium SSO server.

BMCSSG1767E

Failed to setup temporary truststore (%s). Internal error. Contact BMC Software.

BMCSSG1768E

Failed to configure Atrium SSO server. Internal error. Contact BMC Software.

BMCSSG1769E

Error during configuration of Atrium SSO server (%s).

BMCSSG1770E

Atrium SSO failed to update the Data Store with the federation account information (%s).

BMCSSG1771E

Invalid response received from IdP (%s).

BMCSSG1772E

Atrium SSO failed to map the attributes received from the IdP (%s).

BMCSSG1773E

Your user account on the Atrium SSO SP has expired (%s). Please contact your administrator for assistance.

BMCSSG1774E

Your user account on the Atrium SSO SP is inactive (%s). Please contact your administrator for assistance.

BMCSSG1775E

Your user account on the Atrium SSO SP is locked (%s). Please contact your administrator for assistance.

BMCSSG1776E

Failed to get Atrium SSO SP configuration for realm %s (%s).

BMCSSG1777E

Atrium SSO failed to find the federated user account specified (%s).

BMCSSG1778E

Atrium SSO failed to access session information (%s).

BMCSSG1779E

Atrium SSO failed to create a new session for federated user (%s).

BMCSSG1780E

An unexpected failure occurred while processing the SAMLv2 authentication (%s).

BMCSSG1781E

Failed to get SAMLv2 XML response: %s

BMCSSG1782E

Failed to get SAMLv2 XML request: %s

BMCSSG1783E

Failed to create site during upgrade (%s).

BMCSSG1784E

Error while trying to find server configuration name (%s).

BMCSSG1785E

Failed to find server configuration name.

BMCSSG1786E

Failed to delete site during upgrade (%s).

BMCSSG1787E

Failed to preserve SAMLv2 keystore (%s).

BMCSSG1788E

Failed to restore SAMLv2 keystore (%s).

BMCSSG1789E

Failed to parse ssoadm reply (%s). Internal error. Contact BMC Software.

BMCSSG1790E

SsoAdm state switch returned invalid reply: %s

BMCSSG1791E

Execution of dsconfig failed (%s).

BMCSSG1792E

Execution of dsconfig failed.

BMCSSG1793E

Failed to remove JMX communications (%s).

BMCSSG1794E

Failed to restrict admin connections to localhost only (%s).

BMCSSG1795E

Failed to restrict LDAP connections to localhost only (%s).

BMCSSG1796E

Login failed.

BMCSSG1797E

Failed to get token (%s).

BMCSSG1798E

Failed to get token from session (%s).

BMCSSG1799E

Insufficient privileges.

BMCSSG1800E

Failure while processing authentications for realm (%s). Internal Error. Contact BMC Software.

BMCSSG1801E

Failed to get list of user stores for realm access (%s). Internal Error. Contact BMC Software.

BMCSSG1802E

Failed to fetch COT for realm %s. Internal Error. Contact BMC Software.

BMCSSG1803E

Failed to verify if realm is Federated (%s). Internal Error. Contact BMC Software.

BMCSSG1804E

Failed to access realm attributes (%s). Internal Error. Contact BMC Software.

BMCSSG1805E

Failed to get authentication chain for realm (%s). Internal Error. Contact BMC Software.

BMCSSG1806E

Failed to convert authentication control value (%s). Internal Error. Contact BMC Software.

BMCSSG1807E

Failed to get federated information for realm (%s): %s. Internal Error. Contact BMC Software.

BMCSSG1808E

Failed to get federation information (%s). Internal Error. Contact BMC Software.

BMCSSG1809E

Failed to get user store information (%s). Internal Error. Contact BMC Software.

BMCSSG1810E

Failed to update user profile (%s).

BMCSSG1811E

Failed to get admin token (%s).

BMCSSG1812E

Failed to convert auth chain (%s).

BMCSSG1813E

Failed to save auth chain (%s).

BMCSSG1814E

Failed to remove unused datastore from realm (%s).

BMCSSG1815E

Failed to get federated entity list (%s).

BMCSSG1816E

Failed to find authentication module instance for realm (%s).

BMCSSG1817E

Failed to set authentication module attributes (%s).

BMCSSG1818E

Failed to create authentication module instance (%s).

BMCSSG1819E

Failed to create authentication module instance with unique name.

BMCSSG1820W

Unknown host name specified.

BMCSSG1821W

Host specified cannot be contacted.

BMCSSG1821E

Port must be in the range 1..65535 or not specified.


BMCSSG1822W

Could not connect to remote server on port specified.

BMCSSG1823E

Value cannot be empty.

BMCSSG1824E

Distinguished Name not valid.

BMCSSG1825E

The value must be a positive, non-zero value.

BMCSSG1826E

Invalid LDAP attribute name.

BMCSSG1827W

Unable to bind to LDAP server.

BMCSSG1828E

Failed to search for agents (%s).

BMCSSG1829E

Failed search for agent (%s).

BMCSSG1830E

Failed to get attributes for agent (%s).

BMCSSG1831W

Passwords should not be blank.

BMCSSG1832E

Invalid hostname specified.

BMCSSG1833E

Invalid URI specified.

BMCSSG1834E

Invalid URL specified.

BMCSSG1835E

Failed to update agent active status.

BMCSSG1836E

Failed to update agent attributes.

BMCSSG1837W

Agent not found (deleted?).

BMCSSG1838E

Cookie name cannot be reserved word: "expires", "domain", "path", "secure"

BMCSSG1839E

Cookie name cannot contain semi-colon, comma, white space or control characters.

BMCSSG1840W

It is recommended for best browser compatibilty that cookie name should only contain alphanumeric characters and the underscore.

BMCSSG1841E

Cookie name cannot be over 4K in length.

BMCSSG1842E

Failed to process SAML keystore (%s).

BMCSSG1843E

Failed to process SAML keystore (%s).

BMCSSG1844E

Failed to load SAML keystore (%s).

BMCSSG1845E

Failed to access SAML entity (%s).

BMCSSG1846E

Failed to get IdP entity for realm (%s).

BMCSSG1847E

Failed to get encryption lists for realm (%s).

BMCSSG1848E

Failed to commit entity changes (%s).

BMCSSG1849E

Failed to create SAMLv2 idp (%s).

BMCSSG1850E

Failed to get SAMLv2 manager (%s).

BMCSSG1851E

Failed to create realm COT (%s).


BMCSSG1852E

Failed to update IdP encryption (%s).

BMCSSG1853E

When an encryption alias is specified, an encryption algorithm must also be specified.

BMCSSG1854E

Failed to search user stores (%s).

BMCSSG1855E

Failed to get user attributes (%s).

BMCSSG1856E

Failed to get user repo (%s).

BMCSSG1857I

Successfully created IdP.

BMCSSG1858W

Failed to verify host is accessible (%s).

BMCSSG1859E

Failed to verify AR host name.

BMCSSG1860E

File specified does not exist.

BMCSSG1861W

File specified does not exist.

BMCSSG1862E

File path specified refers to a directory.

BMCSSG1863E

File is not readable.

BMCSSG1864E

File path specified refers to a file.

BMCSSG1865E

Directory specified does not exist.

BMCSSG1866W

Directory specified does not exist.

BMCSSG1867E

Failed to create remote IdP (%s).

BMCSSG1868E

Realm for new IdP was not provided.

BMCSSG1869E

Name for new IdP was not provided.

BMCSSG1870E

XML for new IdP was not provided.

BMCSSG1871E

Failed to create remote SAMLv2 idp (%s).

BMCSSG1872E

Failed to create remote SAMLv2 idp (%s).

BMCSSG1873E

Invalid protocol specified for URL- only HTTP or HTTPS permitted.

BMCSSG1874E

Invalid URL specified.

BMCSSG1875E

Failed SSL/TLS negotiations. Verify IdP server certificate is in Atrium SSO truststore.

BMCSSG1876E

Failure connecting with remote IdP (%s).

BMCSSG1877E

Failure connecting with remote IdP (%s).

BMCSSG1878W

Service Principal doesn't start with primary HTTP.

BMCSSG1879E

Service Principal doesn't contain a Realm.

BMCSSG1880E

Service Principal doesn't contain a host name.

BMCSSG1881E

Invalid Service Principal- expected HTTP/hostname.domainname@dc_domain_name.

BMCSSG1882E

No Service Prinicipals found in keytab file specified.


BMCSSG1883E

Multiple Service Prinicipals found in keytab file specified.

BMCSSG1884E

Invalid token passed (%s).

BMCSSG1885E

Administrative token required.

BMCSSG1886E

Failed to fetch realms (%s).

BMCSSG1887E

Failed to parse realms response (%s).

BMCSSG1888E

Failed to get realm from token (%s).

BMCSSG1889E

Failed to get user attributes (%s).

BMCSSG1890E

UserId already exists.

BMCSSG1891E

Failed to get users groups (%s).

BMCSSG1892E

Failed to update user active status (%s).

BMCSSG1893E

Failed to update user active status (%s).

BMCSSG1894E

Failed to create new identity (%s).

BMCSSG1895E

Failed to commit user update (%s).

BMCSSG1896E

Failed to update user password (%s).

BMCSSG1897E

Failed to get token from session (%s).

BMCSSG1898E

Failed to get token manager (%s).

BMCSSG1899E

Failed to get server list (%s).

BMCSSG1900E

Failed to get server configuration (%s).

BMCSSG1901E

Invalid session idle timeout.

BMCSSG1902E

Invalid maximum session count.

BMCSSG1903E

Invalid maximum session time.

BMCSSG1904E

Invalid session cache time.

BMCSSG1905E

Top-level domains cannot be specified for the cookie domain.

BMCSSG1906E

Invalid cookie domain specified.

BMCSSG1907E

Failed to create token for realm access (%s).

BMCSSG1908E

Failed to delete federated entity (%s).

BMCSSG1909E

Failed to update server properties (%s).

BMCSSG1910E

Failed to update server site (%s).

BMCSSG1911E

Failed to update session dynamic attributes (%s).

BMCSSG1912E

Failed to update session global attributes (%s).

BMCSSG1913E

Failed to update session global attributes (%s).


BMCSSG1914E

Failed to update amAdmin password (%s).

BMCSSG1915E

Failed to save auth chain (%s).

BMCSSG1916E

Unknown realm passed for user store access (%s).

BMCSSG1917E

Unknown user store requested (%s).

BMCSSG1918E

Failed to acquire AM authentication manager object (%s).

BMCSSG1919E

Failed to create user store (%s).

BMCSSG1920E

Failed to update user store (%s).

BMCSSG1921E

Failed to delete user store (%s).

BMCSSG1922E

Value must be 1 or greater.

BMCSSG1923E

Minimum must be greater than maximum.

BMCSSG1924E

The cache max age must be at least 1 (default 600).

BMCSSG1925E

The cache size must be at least 1 (default 10240).

BMCSSG1926W

Failed to connect with AR server (%s).

BMCSSG1927W

Failed to connect with AR server.

BMCSSG1928E

The AR pool linger time cannot be less than or equal to zero.

BMCSSG1929E

The AR pool size cannot be less than or equal to zero.

BMCSSG1930E

Failed to get SP entity for realm (%s).

BMCSSG1931E

Failed to get encryption lists for realm (%s).

BMCSSG1932E

Skew must be greater than zero.

BMCSSG1933E

Failed to create hosted SAMLv2 sp (%s).

BMCSSG1934E

Failed to get SP entity for realm (%s).

BMCSSG1935E

Failed SSL/TLS negotiations. Verify SP server certificate is in Atrium SSO truststore.

BMCSSG1936E

Failure connecting with remote SP (%s).

BMCSSG1937E

Failure connecting with remote SP (%s).

BMCSSG1938I

Successfully created SP.

BMCSSG1939E

Failed to create remote SAMLv2 SP (%s).

BMCSSG1940E

Failed to create remote SAMLv2 SP (%s).

BMCSSG1941E

Realm for new SP was not provided.

BMCSSG1942E

XML for new SP was not provided.

BMCSSG1943E

Wild card attribute mapping only valid with * for both key and value.

BMCSSG1944E

Failed to add attribute to SP (%s).


BMCSSG1945E

Failed to get HA nodes (%s).

BMCSSG1946E

The server node cannot used for the admin console cannot be deleted (%s).

BMCSSG1947E

Failed to get server site name (%s).

BMCSSG1948E

Failed to delete node from site (%s).

BMCSSG1949E

Failed to delete node (%s).

BMCSSG1950E

Only super-admin is allowed to delete nodes.

BMCSSG1951E

Failed to access internal configuration.

BMCSSG1952E

Failed to prepare for disabling replication (%s).

BMCSSG1953W

Connect to AR with guest user- admin privileges are needed for user store operation.

BMCSSG1954E

Failed to write agent certificate to PEM file (%s).

BMCSSG1955E

Failed to write agent key to PEM file (%s).

BMCSSG1956E

Failed to write Atrium SSO certificate to PEM file (%s).

BMCSSG1957E

Unknow realm specified for agent (%s).

BMCSSG1958E

Failed to load keystore (%s).

BMCSSG1959E

Failed to write certificate to PEM format (%s).

BMCSSG1960E

Failed to read PEM certificate from PEM format (%s).

BMCSSG1961E

Failed to import certificate (%s).

BMCSSG1962I

Successfully uploaded certificate.

BMCSSG1963E

Failed to convert uploaded file (%s).

BMCSSG1964E

Failed to convert DER to certificate (%s).

BMCSSG1965E

Failed to check truststore for replacements (%s).

BMCSSG1966E

Failed to load default values for user store (%s).

BMCSSG1967E

Failed to load certs from truststore (%s).

BMCSSG1968E

Failed to get group attributes (%s).

BMCSSG1969E

Failed to get group users (%s).

BMCSSG1970E

Group already exists.

BMCSSG1971E

Failed to add user (%s) to group (%s).

BMCSSG1972E

Failed to update group membership (%s).

BMCSSG1973E

Failed to set realm to use upgrade chain (%s).

BMCSSG1974E

Failed to dump realm auth properties (%s).

BMCSSG1975E

Failed to find auth type (%s).


BMCSSG1976E

Failed to dump realm ds properties (%s).

BMCSSG1977E

Failed to write realm auth properties (%s).

BMCSSG1978E

Failed to dump agent properties (%s).

BMCSSG1979E

Failed to write agent properties (%s).

BMCSSG1980E

Failed to dump realm auth properties (%s).

BMCSSG1981E

Failed to instantiate encryption (%s).

BMCSSG1982E

Failed creating upgrade chain (%s).

BMCSSG1983E

Failed to load agent properties file (%s).

BMCSSG1984E

Failed to load agent properties (%s).

BMCSSG1985E

Failed to get current auth instances (%s).

BMCSSG1986E

Failed to remove collision auth cfg (%s).

BMCSSG1987E

Failed to create realm (%s).

BMCSSG1988E

Failed to list user realms (%s).

BMCSSG1989E

Failed to delete many of the user realms.

BMCSSG1990E

Failed to delete these realms (%s).

BMCSSG1991E

Failed to create new realms web pages (%s).

BMCSSG1992E

Failed to delete new realms web pages (%s).

BMCSSG1993E

Failed to connect with internal LDAP (%s).

BMCSSG1994E

Failed to create realm container LDAP directory for realm (%s).

BMCSSG1995E

Failed to create people container in LDAP directory for realm (%s).

BMCSSG1996E

Failed to create people container in LDAP directory for realm (%s).

BMCSSG1997E

Failed to create new admin identity (%s).

BMCSSG1998E

Failed to create new search admin identity (%s).

BMCSSG1999E

Invalid demo password specified- must be at least 8 characters.

BMCSSG2000E

Failed to create demo identity (%s).

BMCSSG2001E

Failed help URL lookup (%s).

BMCSSG2002E

Root realm cannot be specified for agents.


12.3 Logon and logoff issues

Logon and logoff issues can occur (or appear to occur) in connection with URL re-directs and normal Identity Provider (IdP) behavior.

12.3.1 Automatic IdP logon behavior

With SAMLv2 authentication configurations, an automatic logon can occur after you have terminated your single sign-on (SSO) session. This behavior gives the impression that the user was not logged out. In SAMLv2 configurations, the IdP caches authentication information within the browser. This information allows the IdP to automatically re-authenticate a user without the user re-entering their credentials. The effect is that when a user logs out of a SAMLv2 system, a browser refresh can automatically log the user back into the system. For this type of system, to ensure that the user is permanently logged off the system, close all browser windows and tabs.

For example, when a user has two browser windows (or tabs) open, one with BMC Remedy Mid Tier and the other with BMC Analytics, and the user logs off of BMC Remedy Mid Tier and closes the window, the user terminates their SSO session. If the user then goes to the BMC Analytics window and refreshes the browser (for example, clicks on a link), the browser performs the action as though the user was still logged onto the system. What transpired was that a new SSO session was created automatically for the user (due to the auto-logon of the IdP).

12.3.2 URL re-direct issues

Logon and logoff issues can occur (typically with a SAMLv2 configuration) when too many URL re-directs happen between the browser and servers during logon and logoff processing.

1. Capture the HTTP traffic between the browser and servers using a capture tool such as Fiddler, ieHttpHeaders, or Live HTTP Headers.
2. Identify potential configuration changes to the reverse proxy, load balancer, or BMC Atrium Single Sign-On.
3. Modify the configuration:
   If the re-direct is from https://sample.bmc.com/arsys to https://sample.bmc.com/arsys/ (a forward-slash after arsys), check and modify the agent log on and log out URL configuration to include the forward-slash.
   If the re-direct is associated with a Reverse Proxy or Load Balancer where a protocol switch from HTTPS to HTTP occurs (for example, the browser communicates over HTTPS to the Reverse Proxy, which then communicates with the server using HTTP), configure the Reverse Proxy or Load Balancer to include the HTTP AtssoReturnLocation header with the value https://. In this case, the agent in the server uses the HTTP protocol for the return address, which causes the re-direct.
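The capture analysis in the procedure above, as an added example that is not part of the BMC documentation: it takes the (request URL, Location header) pairs a capture tool shows for each 3xx response, flags the trailing-slash and HTTPS-to-HTTP causes, and detects when the chain loops. The host sso.example.test and the sample capture are constructed.

```python
"""Classify the re-directs in a captured logon/logoff exchange.

Added example, not part of the BMC documentation. It works on the
(request URL, Location header) pairs that a capture tool such as
Fiddler or Live HTTP Headers shows for each 3xx response and flags
the two causes described above: a missing trailing slash on the
agent URL, and an HTTPS-to-HTTP protocol switch behind a reverse
proxy or load balancer. The SSO host name and capture are constructed.
"""
from urllib.parse import urlsplit

# Constructed sample capture: one (request URL, Location header) pair per
# 3xx response, in the order the browser followed them.
SSO_LOGIN = ("https://sso.example.test/atriumsso/UI/Login"
             "?goto=http%3A%2F%2Fsample.bmc.com%2Farsys%2F")
SAMPLE_CAPTURE = [
    ("https://sample.bmc.com/arsys", "https://sample.bmc.com/arsys/"),
    ("https://sample.bmc.com/arsys/", SSO_LOGIN),
    (SSO_LOGIN, "http://sample.bmc.com/arsys/"),
    ("http://sample.bmc.com/arsys/", "https://sample.bmc.com/arsys/"),
    ("https://sample.bmc.com/arsys/", SSO_LOGIN),
    (SSO_LOGIN, "http://sample.bmc.com/arsys/"),
]

# Configuration change the section above prescribes for each cause.
ACTIONS = {
    "trailing-slash":
        "Add the trailing slash to the agent log on and log out URLs.",
    "protocol-switch":
        "Send the AtssoReturnLocation header with value https:// "
        "from the reverse proxy or load balancer.",
}


def classify_hop(src, dst, https_hosts):
    """Return the cause of one re-direct from parsed URL src to dst.

    https_hosts is the set of hosts the browser has already reached over
    HTTPS in this capture; a Location pointing at one of them over plain
    HTTP is the protocol switch produced by an agent that saw HTTP behind
    the proxy.
    """
    src_host, dst_host = src.netloc.lower(), dst.netloc.lower()
    if dst.scheme == "http" and dst_host in https_hosts:
        return "protocol-switch"
    if (src_host == dst_host and src.scheme == dst.scheme
            and dst.path == src.path + "/"):
        return "trailing-slash"
    return "other"


def analyze_capture(capture):
    """Report the cause of each hop, whether the browser revisited a URL
    (a re-direct loop), and the configuration fixes to apply."""
    https_hosts = set()
    requested = set()
    findings = []
    loop = False
    for hop, (request_url, location) in enumerate(capture, 1):
        src, dst = urlsplit(request_url), urlsplit(location)
        if src.scheme == "https":
            https_hosts.add(src.netloc.lower())
        # Requesting the same scheme/host/path twice means the chain has
        # cycled back to where it started.
        key = (src.scheme, src.netloc.lower(), src.path)
        if key in requested:
            loop = True
        requested.add(key)
        findings.append((hop, classify_hop(src, dst, https_hosts)))
    actions = sorted({ACTIONS[c] for _, c in findings if c in ACTIONS})
    return {"hops": len(capture), "loop": loop,
            "findings": findings, "actions": actions}


if __name__ == "__main__":
    report = analyze_capture(SAMPLE_CAPTURE)
    for hop, cause in report["findings"]:
        print(f"hop {hop}: {cause}")
    print("re-direct loop detected" if report["loop"] else "no loop")
    for action in report["actions"]:
        print("fix:", action)
```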


12.4 Upgrading from 7.6.04 to 8.1 silent installation issue

When upgrading BMC Atrium Single Sign-On from version 7.6 to version 8.1, if version 7.6 was installed through the UI and version 8.1 was installed by a silent installation, an error occurs because of differences in the host names provided during these installs (uppercase versus lowercase). In a BMC Atrium Single Sign-On UI installation, uppercase host names are the default, for example, KBP1-DHP-F48200.synapse.com. In a BMC Atrium Single Sign-On silent installation, lowercase host names are the default, for example, kbp1-dhp-f48200.synapse.com.

Two methods are provided for upgrading BMC Atrium Single Sign-On where version 7.6 was installed using the UI and version 8.1 uses a silent installation:

Upgrading without specifying the host name (see page 319)
Upgrading by re-defining the host name (see page 319)

Different case values work correctly for the browser alone, because there is no difference between uppercase and lowercase addresses there. However, the host name value is also used in the BMC Atrium Single Sign-On administration configuration, where host names are case-sensitive. The case-sensitive difference causes an error during the upgrade.

BMC Atrium Single Sign-On version 7.6 UI installation example

BMC Atrium Single Sign-On version 8.1 silent installation example


12.4.1 Upgrading without specifying the host name

During the BMC Atrium Single Sign-On version 8.1 UI upgrade, if you do not provide values for the following parameters, the upgrade Installer fills in the values from the previous installation:

Destination Directory
Hostname
Tomcat, tomcat ports
Cookie domain

1. Delete the ATRIUMSSO_HOST_NAME property from the SSOSilentInstallOptions.txt file.
2. Run the silent installation without providing the above parameters.

12.4.2 Upgrading by re-defining the host name

Alternatively, re-define the host name in the SSOSilentInstallOptions.txt file.

1. Before running the BMC Atrium Single Sign-On version 8.1 silent installation, run the mod.bat/mod.sh command to obtain the BMC Atrium Single Sign-On server name. For example (Microsoft Windows):

\tomcat\webapps\atriumsso\WEB-INF\tools\ssoadm\atriumsso\bin\mod.bat list-servers -u amadmin -f D:\pass.txt

Where pass.txt is the file with the non-encrypted password for the BMC Atrium Single Sign-On administrator user (amadmin).

2. Edit the SSOSilentInstallOptions.txt file and modify the ATRIUM_HOST_NAME parameter to reflect only the BMC Atrium Single Sign-On server name. In the following example, KBP1-DHP-F48200.synapse.com is the correct value.

12.5 Troubleshooting AR authentication

This topic explains common errors associated with AR System authentication.

12.5.1 User has no profile in this organization

If the User Profile for the BMC Realm is set to Required instead of Dynamic or Ignored, the following error message occurs when logging into a BMC product:

User has no profile in this organization

To modify the User Profile setting

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select either Dynamic or Ignored.

12.5.2 Error saving user or group edits

An exception error occurs when you try to update user attributes or assign groups to users with information that was retrieved from the AR Server. The AR Server Data Store provides read-only access to the user and group information. The error indicates that a search base entry does not exist.

12.5.3 Error in SAML Authentication when Auto Federation is enabled

Atrium Single Sign-On fails to find the federated user account specified and creates an exception error (BMCSSG1777E) if Auto Federation is enabled and an AR user store is used.

Workaround: Delete the AR user store. For more information, see Using AR for authentication.

12.6 Troubleshooting AR System server and Mid Tier integrations

Performing the BMC Atrium Single Sign-On integration with the BMC Remedy AR System server and the BMC Remedy Mid Tier is a two-step sequence. If you have problems with BMC Atrium Single Sign-On installation and configuration, review the following information. The BMC Atrium Core solution works with other BMC Atrium solutions to facilitate the alignment of your IT organization with business priorities. BMC Atrium Core provides tight integration across management tools used in your IT environment, saving your IT organization time and money.

Manually running the SSOARIntegration utility on the AR System server (see page 321)
Manually running the SSOMidtierIntegration utility on the AR System server (see page 323)

12.6.1 Manually running the SSOARIntegration utility on the AR System server

The SSOARIntegration utility uses the following inputs in the arintegration.txt file to integrate BMC Atrium Single Sign-On and the AR System server:

[--ar-server-name=ARServerName]
[--ar-server-user=ARServerUser]
[--ar-server-password=ARServerPassword]
[--ar-server-port=ARServerPort]
[--atrium-sso-url=AtriumSSOURL]
[--admin-name=SSOAdminName]
[--admin-pwd=SSOAdminPassword]
[--truststore=truststorepath | Optional parameter]
[--truststore-password=truststorepassword | Optional parameter]
[--force= Restart AR Server automatically | Optional parameter]

If needed, you can manually run the SSOARIntegration utility on the AR System server.

1. On the computer where the AR System server is installed, navigate to the \artools\AtriumSSOIntegrationUtility directory. For example, navigate to C:\Program Files\BMC Software\ARSystem\artools\AtriumSSOIntegrationUtility.
2. Enter the following command:

java -jar SSOARIntegration.jar --ar-server-name ARServerName --ar-server-user ARServerUser --ar-server-password ARServerPassword --ar-server-port ARServerPort --atrium-sso-url AtriumSSOURL --admin-name SSOAdminName --admin-pwd SSOAdminPassword

For example:

java -jar C:\Program Files\BMC Software\ARSystem\artools\AtriumSSOIntegrationUtility\SSOARIntegration.jar --ar-server-name ARServer.labs.bmc.com --ar-server-user Demo --ar-server-password Demo --ar-server-port 0 --atrium-sso-url https://ssoServer.bmc.com:8443/atriumsso --admin-name amAdmin --admin-pwd bmcAdm1n

Tip Copy and paste this example into a text editor, and modify the values for your own environment. Then copy the final version into your command window.

3. Review the utility logs at \artools\AtriumSSOIntegrationUtility\Logs\AtriumSSOIntegrationUtility.log.

If successful, the SSOARIntegration utility performs the following actions on the AR System server:

Validates the user inputs and returns any errors.
Configures the SSO AREA plug-in with a Java plug-in entry in ar.cfg/ar.conf:

Server-Plugin-Alias: AREA AREA VW-PUN-REM-QA5J.pune-labs.bmc.com:9999

Configures the EA form for BMC Atrium Single Sign-On with the following entries in the ar.cfg file:

Use-Password-File: T
Crossref-Blank-Password: T
External-Authentication-RPC-Socket: 390695
Authentication-Chaining-Mode: 1

Verifies the BMC Atrium Single Sign-On username and password by connecting with the BMC Atrium Single Sign-On server and returns any errors.
Configures single sign-on with the following entries in the ar.cfg file:

Atrium-SSO-Location:
Atrium-SSO-Admin-User: SSOAdminName
Atrium-SSO-Admin-Password: SSOAdminPassword
Atrium-SSO-Keystore-Password: truststorepassword
Atrium-SSO-Keystore-Path: truststorepath

Restarts the AR System server.

12.6.2 Manually running the SSOMidtierIntegration utility on the AR System server

The SSOMidtierIntegration utility uses the following inputs to integrate BMC Atrium Single Sign-On and the AR System server:

[--install-mode=Install or Uninstall]
[--ar-server-name=ARServerName]
[--ar-server-user=ARServerUser]
[--ar-server-password=ARServerPassword]
[--ar-server-port=ARServerPort]
[--container-type=containertype]
[--web-app-url=MidtierURL or LoadBalancerURL]
[--container-base-dir=webserverhomedirectory]
[--jre-path=JREInstallDirectory]
[--midtier-home=MidtierHome]
[--notify-url=MidTierURL]
[--agent-realm=RealmName]
[--force SuppressAllManualInputs]
[--server-instance-name WebSphereinstancename required input for WebSphere server]
[--instance-config-directory WebSphereconfigdirectory required input for WebSphere server]
[--weblogic-domain-home BEAdomainhome required input for WebLogic web application]

Note If you are using IBM WebSphere, pass the IBM Java path as an input for the --jre-path input parameter.


Possible parameters for container-type and container-base-dir

For --container-type, specify one of the following possible values:

JBOSSV4
JBOSSV5
SERVLETEXECV5
SERVLETEXECV6
TOMCATV5
TOMCATV6
TOMCATV7
WEBSPHEREV6
WEBSPHEREV7
WEBLOGICV10

If you are using the Apache or IIS web application server, specify --container-base-dir as instead of the Apache or IIS directory, and specify the --container-type as TOMCAT instead of Apache or IIS.

Additional parameters for IBM WebSphere

For IBM WebSphere, you can set these additional parameters:

[--server-instance-name WebSphereServerInstanceName]
[--instance-config-directory WebSphereServerInstanceConfigurationDirectory]

For example:

[--server-instance-name server1]
[--instance-config-directory /AppServer/profiles/AppSrv01/config/cells/Node01Cell/nodes/Node01/servers/server1]

Additional parameters for Oracle WebLogic

For Oracle WebLogic, you can set these additional parameters:

[--weblogic-domain-home DomainHomeDirectoryForDomainWhereWebAppIsDeployed]

For example:

[--weblogic-domain-home /user_projects/domains/base_domain]


If needed, you can manually run the SSOMidtierIntegration utility on the AR System server.

1. On the computer where the AR System server is installed, navigate to the \artools\AtriumSSOIntegrationUtility directory. For example, navigate to C:\Program Files\BMC Software\ARSystem\artools\AtriumSSOIntegrationUtility.
2. Enter the following command:

java -jar SSOMidtierIntegration.jar --midtierintegration --ar-server-name ARServerName --ar-server-user ARServerUser --ar-server-password ARServerPassword --ar-server-port ARServerPort --install --container-type containertype --web-app-url MidtierURL --container-base-dir webserverhomedirectory --jre-path JREInstallDirectory --midtier-home MidtierHome

For example:

java -jar C:\Program Files\BMC Software\ARSystem\midtier\AtriumSSOIntegrationUtility\SSOMidtierIntegration.jar --midtierintegration --ar-server-name ARServer.labs.bmc.com --ar-server-user Demo --ar-server-password Demo --ar-server-port 0 --install --container-type TOMCATV6 --web-app-url http://Midtier.bmc.com:8080/arsys --container-base-dir "C:\Program Files\Apache Software Foundation\Tomcat6.0" --jre-path "C:\Program Files\Java\jre7" --midtier-home "C:\Program Files\BMC Software\ARSystem\midtier"

Tip Copy and paste this example into a text editor, and modify the values for your own environment. Then copy the final version into your command window.

3. Review the utility logs at \artools\AtriumSSOIntegrationUtility\Logs\AtriumSSOIntegrationUtility.log.
4. Review the web.xml file (located at C:\Program Files\BMC Software\ARSystem\midtier\WEB-INF) to verify that the following settings are present:

<filter>
  <filter-name>Agent</filter-name>
  <filter-class>com.bmc.atrium.sso.agents.web.SSOFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>Agent</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

5. Review the config.properties file (located at C:\Program Files\BMC Software\ARSystem\midtier\WEB-INF\classes) to verify that the following entry is present:

arsystem.authenticator=com.remedy.arsys.sso.AtriumSSOAuthenticator

The SSOMidtierIntegration utility performs the following actions on the Mid Tier:

Validates the user inputs and returns any errors.
Checks if you are installing or uninstalling.
Connects to the AR System server and fetches SSO values. If successful, performs AR System server and BMC Atrium Single Sign-On integration. Otherwise, returns an "AR-SSO integration is not done" error.
Checks if Mid Tier is running and, if so, shuts it down before running the utility.
Copies files to Mid Tier and performs other modifications to the Mid Tier.

12.7 Troubleshooting CAC authentication

If authentication fails, there are several log directories and several debug methods that you can use to resolve issues. If you discover that a certificate is not in the truststore, import the certificate into the keystore.

With the default logging level, check for errors in the normal BMC Atrium Single Sign-On log files in the log directory: \AtriumSSO\tomcat\webapps\atriumsso\WEB-INF\config\atriumsso\log
Check the Authentication file in the debug directory after setting the logging level to Message: \AtriumSSO\tomcat\webapps\atriumsso\WEB-INF\config\atriumsso\debug
Check the Authentication directory: BMC Atrium SSO \WEB-INF\config\Atrium SSO\debug\Authentication
Change the clientAuth setting in the Tomcat server.xml configuration file to True.
Turn on network debug logging.
Check the BMC Atrium Single Sign-On truststore to verify that the certificate has been imported or that the Issuer (in other words, the Signer) certificate has been imported.

The following troubleshooting topics are addressed here:

Example of a default logging level error
Example of a debug log error when a certificate is not available
Changing the clientAuth setting
Turning on network debug logging (see page 328)
Example of a client not responding with a certificate
Example of a client sending a certificate
Example of a list of certificates sent to the client
Example of URL certificate authentication not enabled
Example of OCSP certificate failure
Clock skew too great for CAC authentication (see page 331)

12.7.1 Example of a default logging level error

A sign of the certificate issue can be seen in the normal BMC Atrium Single Sign-On log files with the default logging level. The following error log comes from the amAuthentication.error file located in the following log directory: \AtriumSSO\tomcat\webapps\atriumsso\WEB-INF\config\atriumsso\log

"2011-05-26 20:00:20" "Login Failed" "Not Available" "Not Available" 172.22.33.64 INFO o=bmcrealm,ou=services,dc=opensso,dc=java,dc=net "cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net" AUTHENTICATION-200 CAC "Not Available" 172.22.33.64

12.7.2 Example of a debug log error when a certificate is not available

After debug logging is enabled, a log entry is available in the Authentication file from the debug directory: \AtriumSSO\tomcat\webapps\atriumsso\WEB-INF\config\atriumsso\debug

The CAC module logs an error when a certificate is not available for authentication. The following is a sample log error:

LOGINFAILED Error....
amAuth:05/26/2011 06:28:47:604 PM CDT: Thread[http-8443-4,5,main]
Exception : com.sun.identity.authentication.spi.AuthLoginException(1):null
com.sun.identity.authentication.spi.AuthLoginException(2):User certificate not found
com.sun.identity.authentication.spi.AuthLoginException: User certificate not found
    at com.sun.identity.authentication.modules.cert.Cert.process(Cert.java:415)
    at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:866)
    at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:965)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
.... MORE TRACE DELETED

12.7.3 Changing the clientAuth setting

The simplest approach for identifying why a CAC or certificate login failed is to change the clientAuth setting in the Tomcat server.xml configuration file to True. This change makes the certificate exchange a required value. If the Transport Layer Security (TLS) handshake fails, the browser presents an error message. For example, the following message is displayed by Firefox when the TLS handshake fails:

*Secure Connection Failed* An error occurred during a connection to SSL peer cannot verify your certificate (Error code: ssl_error_bad_cert_alert)

12.7.4 Turning on network debug logging

If a more detailed examination of the communication between the client and the server is necessary, turn on network debug logging to gather detailed information.

To turn on detailed network debug logging (see page 328)
To edit the service definition in Microsoft Windows (see page 328)
To edit the service definition in UNIX (see page 329)

To turn on detailed network debug logging

1. Stop the BMC Atrium Single Sign-On server.
2. Edit the service definition.
3. Restart the BMC Atrium Single Sign-On server.
4. Attempt to log on using either the CAC card or a client certificate.

To edit the service definition in Microsoft Windows

1. From the command prompt, change your working directory to \AtriumSSO\tomcat\bin.
2. Run the following command: tomcat6w.exe //ES//BMCAtriumSSOTomcat
3. On the Java tab, add the following Java Virtual Machine (JVM) option to the Java Options input field: -Djavax.net.debug=ssl,handshake
4. On the Logging tab, enter the file names for the stdout and stderr fields. For example, c:\stdout.txt and c:\stderr.txt.
5. Click either OK or Apply.

To edit the service definition in UNIX

1. From a shell window, change your working directory to /AtriumSSO/tomcat/bin.
2. Edit the setenv.sh shell file and add the following JVM option to the existing CATALINA_OPTS definition: -Djavax.net.debug=ssl,handshake

12.7.5 Example of a client not responding with a certificate

The following excerpt from the Transport Layer Security (TLS) debug log shows a client that does not respond with a certificate. Note that nothing is logged between the *** Certificate chain marker and the *** section terminator: the client answered the server's certificate request with an empty chain, and the server then closed the connection with a bad_certificate alert.

*** ServerHelloDone
http-8443-1, WRITE: TLSv1 Handshake, length = 1606
http-8443-1, READ: TLSv1 Handshake, length = 109
*** Certificate chain
***
http-8443-1, SEND TLSv1 ALERT: fatal, description = bad_certificate
http-8443-1, WRITE: TLSv1 Alert, length = 2
http-8443-1, called closeSocket()
http-8443-1, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain

12.7.6 Example of a client sending a certificate

The following is an example of a certificate chain when a client sends a certificate:

*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=iBMC-JBHBBK1.adprod.bmc.com, O=BMC Software, OU=AtriumSSO Server
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 1153476415046747080545705726032711211661968880193177355336120528259205179
           8701885413352651439456472027242135383823079486221876201099852580433674612
           2095506217482528174781177916973132898161752304402048808946927230955649506
           8627650608058272169958226152224835413140850196651094714261111749419276023
           57110513103177317
  public exponent: 65537
  Validity: [From: Thu May 26 17:35:59 CDT 2011,
               To: Sun May 23 17:35:59 CDT 2021]
  Issuer: CN=iBMC-JBHBBK1.adprod.bmc.com, O=BMC Software, OU=AtriumSSO Server
  SerialNumber: [    4dded5cf]

]
  Algorithm: [SHA1withRSA]
  Signature:
  0000: 65 CC 79 95 9C F3 5A 66 ...
  0010: AC 12 A6 3F A2 E8 9B 47 ...
  0020: 3A 7C 33 D3 87 4D FD 8D ...
  0030: 31 6E C9 66 AD 02 C5 9F ...
  0040: 68 2A 3B 9C 4E 50 0B 2D ...
  0050: 6E 91 6F C3 CD 6E AC 66 ...
  0060: B9 6B 96 1E 0A 90 67 05 ...
  0070: DF AD 3D 5F 1F DF 09 32 ...

]
***

12.7.7 Example of a list of certificates sent to the client

The client receives a list of acceptable certificate authorities from the server (the Cert Authorities entries in the log) and uses it to decide which certificate to respond with. This list is sent in the CertificateRequest message at the end of the server's hello reply. The client scans its truststore for a certificate that is an exact match (for example, a self-signed certificate) or for a certificate that is signed by one of these authorities. If no match is found, no certificate is sent and the login fails.

*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
*** ServerHelloDone
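As an added example (not part of the BMC documentation), the following Python script reads a trace produced with -Djavax.net.debug=ssl,handshake, as enabled in 12.7.4, and reports the signatures shown in 12.7.5 through 12.7.7: a CertificateRequest whose Cert Authorities list is empty, a client that answers it with an empty certificate chain, and the fatal alert that ends the handshake. The two sample traces are constructed to mirror the excerpts above; the CA and subject names in the second sample are placeholders.

```python
"""Triage a javax.net.debug=ssl,handshake trace for client certificate problems.

Added example, not part of the BMC documentation. It reports the three
signatures discussed in 12.7.5 to 12.7.7: a CertificateRequest with no Cert
Authorities, an empty client "*** Certificate chain", and a fatal alert.
"""
import re

# Constructed sample modelled on 12.7.5 / 12.7.7: no CA names advertised,
# the client replies with an empty chain, the server aborts the handshake.
TRACE_NO_CLIENT_CERT = """\
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
*** ServerHelloDone
http-8443-1, WRITE: TLSv1 Handshake, length = 1606
http-8443-1, READ: TLSv1 Handshake, length = 109
*** Certificate chain
***
http-8443-1, SEND TLSv1 ALERT: fatal, description = bad_certificate
http-8443-1, WRITE: TLSv1 Alert, length = 2
http-8443-1, called closeSocket()
http-8443-1, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
"""

# Constructed sample modelled on 12.7.6: one CA advertised (placeholder name)
# and a one-certificate client chain issued by it.
TRACE_WITH_CLIENT_CERT = """\
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
<CN=Example Root CA, O=Example>
*** ServerHelloDone
http-8443-1, WRITE: TLSv1 Handshake, length = 1606
http-8443-1, READ: TLSv1 Handshake, length = 1420
*** Certificate chain
chain [0] = [
[
  Subject: CN=example-client, O=Example
]
]
***
"""

ALERT_RE = re.compile(r"SEND TLSv\d(?:\.\d)? ALERT: fatal, description = (\w+)")


def parse_handshake(trace):
    """Extract CA names, client chain length and fatal alert from one trace.

    client_chain_len stays None if no chain follows ServerHelloDone (the chain
    printed before ServerHelloDone is the server's own certificate)."""
    lines = trace.splitlines()
    info = {"ca_names": [], "client_chain_len": None, "fatal_alert": None}
    after_server_hello_done = False
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line == "*** CertificateRequest":
            # Skip to "Cert Authorities:" and collect the <DN> lines under it.
            while i < len(lines) and not lines[i].startswith("Cert Authorities"):
                i += 1
            i += 1
            while i < len(lines) and lines[i].startswith("<"):
                info["ca_names"].append(lines[i].strip().strip("<>"))
                i += 1
            continue
        if line == "*** ServerHelloDone":
            after_server_hello_done = True
        elif line == "*** Certificate chain" and after_server_hello_done:
            # Count "chain [n] = [" entries up to the "***" terminator.
            count = 0
            i += 1
            while i < len(lines) and lines[i].strip() != "***":
                if lines[i].startswith("chain ["):
                    count += 1
                i += 1
            info["client_chain_len"] = count
        else:
            match = ALERT_RE.search(line)
            if match:
                info["fatal_alert"] = match.group(1)
        i += 1
    return info


def diagnose(trace):
    """Return (parsed info, list of findings) for one handshake trace."""
    info = parse_handshake(trace)
    findings = []
    if not info["ca_names"]:
        findings.append("CertificateRequest lists no Cert Authorities; check the CA certificates in cacerts.p12")
    if info["client_chain_len"] == 0:
        findings.append("client sent an empty certificate chain (no certificate matched the request)")
    if info["fatal_alert"]:
        findings.append("handshake aborted with fatal alert " + info["fatal_alert"])
    return info, findings
```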

12.7.8 Example of URL certificate authentication not enabled

If the BMC Atrium Single Sign-On WEB-INF\config\Atrium SSO\debug\Authentication directory contains the following error messages, the Common Access Card (CAC) certificate was not passed in from the client. Ensure that the certificates, or the correct certificates, were imported into the cacerts.p12 file.

amAuthCert:11/18/2009 01:17:37:922 PM CST: Thread[http-8443-6,5,main] ERROR: Certificate: cert passed in URL not enabled for this client
amAuthCert:11/18/2009 01:17:37:922 PM CST: Thread[http-8443-6,5,main] ERROR: Certificate: exiting validate with exception
com.sun.identity.authentication.spi.AuthLoginException: URL certificate authentication not enabled.
    at com.sun.identity.authentication.modules.cert.Cert.process(Cert.java:383)
    at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:866)
    at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:926)
    at sun.reflect.GeneratedMethodAccessor57.invoke(Unknown Source)
    ....


12.7.9 Example of OCSP certificate failure

If you receive the following errors, verify that you imported the Online Certificate Status Protocol (OCSP) certificates into the cacerts.p12 file:

amAuthCert:11/18/2009 02:45:58:004 PM CST: Thread[http-8443-3,5,main] ERROR: CertPath:verify failed.
amAuthCert:11/18/2009 02:45:58:004 PM CST: Thread[http-8443-3,5,main] ERROR: X509Certificate:CRL / OCSP verify failed.

12.7.10 Clock skew too great for CAC authentication

Clock skew is the maximum time difference within which a server accepts an authentication. If the clocks are too far apart, you receive a "clock skew too great" error message. The clock skew between the BMC Atrium Single Sign-On server and the OCSP server must not be more than 15 minutes; otherwise OCSP validation fails. This error indicates that the clock on one or both of the servers has the wrong time. To resolve this issue, either use a time server to synchronize the computers, or manually set the clock on one or both of the computers to the correct time.

12.8 Troubleshooting FIPS-140 conversion

If the conversion process fails:

1. From the BMC Atrium Single Sign-On administrator console, restore FIPS mode back to normal mode. For more information about restoring normal mode, see Converting from FIPS-140 to normal mode (see page 258).
2. Save the configuration change.
3. Address the cause of the failure. If any errors occurred during the conversion, they are posted after the initial BMCSSG1599I message.
4. Retry the FIPS-140 conversion after resolving the cause of the previous attempt's failure.

12.9 Troubleshooting JEE agents

The following topics provide instructions for manually removing a JEE agent from BMC Atrium Single Sign-On. These steps cover only the BMC Atrium Single Sign-On configuration; additional steps might be required for full removal.

To remove a JEE agent from BMC Atrium Single Sign-On (see page 332)
To remove a JEE agent from WebSphere (see page 332)
To remove a JEE agent from Tomcat (see page 332)
To remove a JEE agent from JBoss or WebLogic (see page 333)

12.9.1 To remove a JEE agent from BMC Atrium Single Sign-On

1. On the BMC Atrium SSO Admin Console, click Agent Details.
2. Select the agent you want to delete.
3. Click Delete.

12.9.2 To remove a JEE agent from WebSphere

1. Stop IBM WebSphere Application Server (WAS).
2. Delete /AppServer/atssoAgents.
3. Delete /AppServer/.amAgentLocator.
4. Edit \AppServer\profiles\AppSrv01\config\cells\\nodes\\servers\server1\server.xml:
   a. Navigate to process:Server > processDefinitions > jvmEntries.
   b. Remove the system property declarations from the genericJvmArguments attribute (for example, -Dcom.iplanet.services.debug.level=on).
   c. The classpath sub tag of jvmEntries contains the classpath for the JVM. Remove the BMC Atrium Single Sign-On entries from it.
5. Restart WAS.

12.9.3 To remove a JEE agent from Tomcat

1. Stop Tomcat.
2. Delete /atssoAgents.

The following steps may not be applicable, depending on the agent used by the web application:

3. Delete /.amAgentLocator.
4. Edit conf/server.xml and remove the realm definition. For example:

<Realm className="com.sun.identity.agents.tomcat.v6.AmTomcatRealm" debug="99"/>

5. Edit bin/setclasspath.sh (or catalinaHomebin/setclasspath.bat).
   a. Delete the inclusion of setAgentclasspath.sh (or setAgentclasspath.bat).
   b. Delete bin/setAgentclasspath.bat.
6. Restart Tomcat.


12.9.4 To remove a JEE agent from JBoss or WebLogic

1. Stop the relevant application server.
2. Delete /atssoAgents.
3. Restart the relevant application server.

12.10 Troubleshooting Kerberos authentication

When diagnosing Kerberos authentication failures, access the logs on the Ticket Granting Server (TGS) to identify the root causes of failures. In addition, install a utility (for example, HTTPHeaders for Internet Explorer or Live HTTP Headers for Firefox) into the browser to display the headers that are sent between the browser and the BMC Atrium Single Sign-On server. The headers help identify failure points.

The following commands are useful for troubleshooting:

klist tickets    Lists open tickets with the TGS.
klist purge      Closes tickets with the TGS.

Problems with the module configuration can be detected by turning on BMC Atrium Single Sign-On debug logging and attempting to log in by using a test URL. Log entries are generated in the debug.out log file when message level debugging is configured.

The following troubleshooting topics are addressed here:

Invalid user name for Kerberos authentication
Invalid service principal name for Kerberos authentication
Invalid keytab index number for Kerberos authentication
Invalid password for Kerberos authentication
Incorrect server name for Kerberos authentication
Browser sending NTLM instead of Kerberos (see page 336)
Browser not correctly configured for Kerberos authentication
Clock skew too great for Kerberos authentication
Chained authentication failure in Microsoft Internet Explorer (see page 338)

12.10.1 Invalid user name for Kerberos authentication

This error message indicates that the user name does not match the entry in the keytab file. Validate that the full principal name is used and that the correct service type, domain, and so on are specified.

New Service Login ...
amAuthWindowsDesktopSSO:06/24/2011 12:40:11:670 PM CDT: Thread[http-8443-2,5,main] ERROR: Service Login Error:
amAuthWindowsDesktopSSO:06/24/2011 12:40:11:670 PM CDT: Thread[http-8443-2,5,main] Stack trace:
javax.security.auth.login.LoginException: Unable to obtain password from user
    at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:789)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:654)
    ...

12.10.2 Invalid service principal name for Kerberos authentication

This error message indicates a possible failure due to a discrepancy between the service principal name in the keytab file and the actual service principal name in the TGS or Active Directory. This error can be caused by renaming the service principal in the TGS without updating the keytab file. Validate the name (it is case-sensitive) and regenerate the keytab file if the service principal name has changed.

amAuthWindowsDesktopSSO:06/28/2011 04:24:33:854 PM CDT: Thread[http-8443-1,5,main] New Service Login ...
amAuthWindowsDesktopSSO:06/28/2011 04:24:33:870 PM CDT: Thread[http-8443-1,5,main] ERROR: Service Login Error:
amAuthWindowsDesktopSSO:06/28/2011 04:24:33:870 PM CDT: Thread[http-8443-1,5,main] Stack trace:
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)


12.10.3 Invalid keytab index number for Kerberos authentication

This exception is logged when the keytab file was generated with a key version number (KVNO) different from the one specified in the ticket. The solution is to regenerate the keytab file. Be sure to specify the /kvno 0 option; this ensures that the KVNO value is compatible.

amJAAS:10/18/2011 09:35:00:435 AM PDT: Thread[http-8443-1,5,main] Exception: com.sun.identity.authentication.spi.AuthLoginException: Failed to authentication. Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))

12.10.4 Invalid password for Kerberos authentication

This error message from the Active Directory server indicates that the password in the keytab file is incorrect for the specified principal. Verify that the password is correct, and regenerate the keytab file if the password is not correct or has been changed since the file was generated.

amAuthWindowsDesktopSSO:06/24/2011 02:18:31:590 PM CDT: Thread[http-8443-1,5,main] ERROR: Service Login Error:
amAuthWindowsDesktopSSO:06/24/2011 02:18:31:590 PM CDT: Thread[http-8443-1,5,main] Stack trace:
javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)

12.10.5 Incorrect server name for Kerberos authentication

This exception indicates that the server host name specified in the module configuration is incorrect, or that the server is not accessible through the network. Validate the server name and verify that the server can be contacted through the network.

amAuth:06/24/2011 05:48:57:828 PM CDT: Thread[http-8443-2,5,main] LOGINFAILED Error....
amAuth:06/24/2011 05:48:57:828 PM CDT: Thread[http-8443-2,5,main] Exception :
com.sun.identity.authentication.spi.AuthLoginException(1):null
com.sun.identity.authentication.spi.AuthLoginException(2):Service authentication failed.
javax.security.auth.login.LoginException(3):Receive timed out
javax.security.auth.login.LoginException: Receive timed out
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:700)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)


12.10.6 Browser sending NTLM instead of Kerberos

The following entry in the debug log files indicates that the token received from the client is a Microsoft Windows NT LAN Manager (NTLM) token, not a Kerberos token as required. Verify that the BMC Atrium Single Sign-On server has been set up correctly as a service principal and that the client can successfully request a ticket for the service.

amAuthWindowsDesktopSSO:06/28/2011 06:46:14:877 PM CDT: Thread[http-8443-1,5,main] Retrieved config params from cache.
amAuthWindowsDesktopSSO:06/28/2011 06:46:14:877 PM CDT: Thread[http-8443-1,5,main] WARNING: Authentication token is NTLM.
amAuthWindowsDesktopSSO:06/28/2011 06:46:14:877 PM CDT: Thread[http-8443-1,5,main] SPNEGO token: 4e 54 4c 4d 53 53 50 00 01 00 00 00 07 82 08 a2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 02 ce 0e 00 00 00 0f

When a browser sends an NTLM token instead of a Kerberos token, the cause can be a problem obtaining a service ticket for the BMC Atrium Single Sign-On server. For example, a failed case-sensitive lookup of the principal name results in an NTLM token being sent. When debugging a client failure, enable Kerberos event logging to identify failures, and disable it again after the failure has been diagnosed. For more information about how to enable Kerberos event logging, see http://support.microsoft.com/kb/262177. The following trace of an exchange between an Internet Explorer browser and the BMC Atrium Single Sign-On server shows a successful negotiation.

GET /atriumsso/UI/Login?gx_charset=UTF-8&realm=BmcRealm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: ibmc-jbhbbk1.adprod.bmc.com:8443
Connection: Keep-Alive
Cookie: s_pers=%20s_lv%3D1270043963949%7C1364651963949%3B%20s_lv_s%3DFirst%2520Visit%7C1270045763949%3B%20s_nr%3D127004396396 s_vi=[CS]v1|25D9AA60851D2F18-60000104E00EF3FE[CE]; __utma=246752535.599385143.1270043842.1270043842.1270043842.1

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: 0
Cache-Control: private
X-DSAMEVersion: Atrium SSO 7.6.04(2011-June-28 13:47)
AM_CLIENT_TYPE: genericHTML
Set-Cookie: AMAuthCookie=AQIC5wM2LY4SfcwV3%2FNDDybcVGsdeW%2B%2BRnGC93rfcaw%2FEf8%3D%40AAJTSQACMDIAAlNLAAkxOTE4MzI0NTIAAlMxAAIwMQ% Domain=.bmc.com; Path=/
Set-Cookie: amlbcookie=01; Domain=.bmc.com; Path=/
WWW-Authenticate: Negotiate
Content-Type: text/html;charset=utf-8
Content-Length: 954
Date: Wed, 29 Jun 2011 00:09:46 GMT

GET /atriumsso/UI/Login?gx_charset=UTF-8&realm=BmcRealm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: ibmc-jbhbbk1.adprod.bmc.com:8443
Connection: Keep-Alive
Authorization: Negotiate YIIE7gYGKwYBBQUCoIIE4jCCBN6gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKw
    YBBAGCNwICCqKCBLQEggSwYIIErAYJKoZIhvcSAQICAQBuggSbMIIEl6ADAgEFoQMCAQ6iBwMFACAAAACjggO/
    YYIDuzCCA7egAwIBBaEQGw5CU01EU0wuQk1DLkNPTaIuMCygAwIBAqElMCMbBEhUVFAbG2libWMtamJoYmJrMS5h
    ZHByb2QuYm1jLmNvbaOCA2wwggNooAMCARehAwIBA6KCA1oEggNWF2cjeeJwxrbN85nRgZ6kQQ49s7I54ndjXLJD
    jdc62pRQqDDYaMn6KUBR5zPfwuvNRlL4e3n0MXtNLbUMgMGWiDBZlLVLRJg6p3tydxJC9eEiWYFu ...

12.10.7 Browser not correctly configured for Kerberos authentication

This stack trace indicates that the browser is not sending the Kerberos token. Validate that the browser is configured for Kerberos authentication with the BMC Atrium Single Sign-On server. Verify that the principals in the BMC Atrium Single Sign-On Kerberos configuration and the user account running the browser are all in the same realm. Lastly, when multiple services are running on the same host or non-standard ports are being used for HTTP and HTTPS connections, see the following Microsoft article for more information: http://support.microsoft.com/kb/908209.

amJAAS:06/24/2011 02:35:46:834 PM CDT: Thread[http-8443-2,5,main] Exception: com.sun.identity.authentication.spi.AuthLoginException: Invalid Kerberos token.
amJAAS:06/24/2011 02:35:46:834 PM CDT: Thread[http-8443-2,5,main] Set firstRequiredError to com.sun.identity.authentication.spi.AuthLoginException: Invalid Kerberos token.
amLoginModule:06/24/2011 02:35:46:834 PM CDT: Thread[http-8443-2,5,main] ABORT return.... false
amJAAS:06/24/2011 02:35:46:834 PM CDT: Thread[http-8443-2,5,main] abort ignored
amAuth:06/24/2011 02:35:46:834 PM CDT: Thread[http-8443-2,5,main] LOGINFAILED Error....
amAuth:06/24/2011 02:35:46:834 PM CDT: Thread[http-8443-2,5,main] Exception :
com.sun.identity.authentication.spi.AuthLoginException(1):null
com.sun.identity.authentication.spi.AuthLoginException(2):Invalid Kerberos token.
com.sun.identity.authentication.spi.AuthLoginException: Invalid Kerberos token.
    at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.process(WindowsDesktopSSO.java:146)
    at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:866)

12.10.8 Clock skew too great for Kerberos authentication

The time difference between the BMC Atrium Single Sign-On server and the Key Distribution Center (KDC) (or Active Directory domain controller) is too great. Normally, the time difference should be no greater than 5 minutes. Use a time server to synchronize the computers, or adjust the time manually so that the clocks are closer in sync.

Error: javax.security.auth.login.LoginException(3):Clock skew too great (37)
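As an added example (not BMC's code), the following Python helper applies the diagnostics of 12.10.1 through 12.10.8: it tells an NTLM token from a SPNEGO/Kerberos token, whether taken from the Authorization: Negotiate header of a browser trace or from the SPNEGO token bytes in the debug log, and it maps the LoginException messages quoted above to their documented causes. The sample log is constructed from the excerpts above; the token prefixes are the ones shown in 12.10.6.

```python
"""Kerberos / NTLM triage for BMC Atrium Single Sign-On debug logs.

Added example, not part of the BMC documentation. Two checks:
  * classify the token the browser sent: an NTLM token starts with the
    signature "NTLMSSP\\0" (4e 54 4c 4d 53 53 50 00, as in the 12.10.6 log),
    while a SPNEGO token carrying a Kerberos ticket is DER with the
    APPLICATION 0 tag 0x60, which is why a Kerberos "Authorization:
    Negotiate" value starts with "YII" in base64;
  * map the LoginException messages of 12.10.1 to 12.10.8 to their causes.
"""
import base64
import re

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def classify_token(token):
    """Return 'NTLM', 'SPNEGO/Kerberos' or 'unknown' for raw token bytes."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "NTLM"
    if token[:1] == b"\x60":
        return "SPNEGO/Kerberos"
    return "unknown"


def classify_negotiate_header(header_value):
    """Classify the value of an 'Authorization: Negotiate <base64>' header.

    The base64 may be truncated (as in a trace); only whole 4-character
    groups are decoded, which is enough to read the leading bytes."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header: " + scheme)
    blob = blob.strip()
    blob = blob[: len(blob) - len(blob) % 4]
    return classify_token(base64.b64decode(blob))


def classify_debug_hex(hex_bytes):
    """Classify the 'SPNEGO token:' byte listing from the debug log."""
    return classify_token(bytes.fromhex(hex_bytes.replace(" ", "")))


# (pattern found in the log, documented cause) from 12.10.1 to 12.10.8.
KERBEROS_CAUSES = (
    (r"Unable to obtain password from user",
     "12.10.1: user name does not match the keytab entry"),
    (r"Client not found in Kerberos database \(6\)",
     "12.10.2: service principal name in the keytab differs from the TGS/AD"),
    (r"Specified version of key is not available \(44\)",
     "12.10.3: keytab KVNO differs from the ticket; regenerate with /kvno 0"),
    (r"Pre-authentication information was invalid \(24\)",
     "12.10.4: keytab password is wrong for the principal"),
    (r"Receive timed out",
     "12.10.5: server host name in the module configuration is wrong or the server is unreachable"),
    (r"Authentication token is NTLM",
     "12.10.6: browser sent NTLM; check the service principal and the SPN lookup"),
    (r"Invalid Kerberos token",
     "12.10.7: browser not configured for Kerberos against this server"),
    (r"Clock skew too great \(37\)",
     "12.10.8: server and KDC clocks differ by more than the allowed skew"),
)


def explain_log(log_text):
    """Return the documented causes matched by a debug log, in log order."""
    causes = []
    for line in log_text.splitlines():
        for pattern, cause in KERBEROS_CAUSES:
            if re.search(pattern, line) and cause not in causes:
                causes.append(cause)
    return causes


# Constructed sample log built from the excerpts above.
SAMPLE_LOG = """\
amAuthWindowsDesktopSSO:06/28/2011 06:46:14:877 PM CDT: Thread[http-8443-1,5,main] WARNING: Authentication token is NTLM.
amAuthWindowsDesktopSSO:06/28/2011 04:24:33:870 PM CDT: Thread[http-8443-1,5,main] Stack trace:
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
Error: javax.security.auth.login.LoginException(3):Clock skew too great (37)
"""

# Leading bytes of the NTLM token from the 12.10.6 log, and the start of the
# Negotiate header from the successful trace in 12.10.6.
NTLM_TOKEN_HEX = "4e 54 4c 4d 53 53 50 00 01 00 00 00 07 82 08 a2"
KERBEROS_HEADER = "Negotiate YIIE7gYGKwYBBQUCoIIE4jCCBN6gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKw"

if __name__ == "__main__":
    print("debug-log token:", classify_debug_hex(NTLM_TOKEN_HEX))
    print("header token:", classify_negotiate_header(KERBEROS_HEADER))
    for cause in explain_log(SAMPLE_LOG):
        print("-", cause)
```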

12.10.9 Chained authentication failure in Microsoft Internet Explorer

When Kerberos is chained together with LDAP or AR for authentication and you enter your credentials for login in the Internet Explorer (IE) browser, the authentication fails. You can confirm the issue by removing the Kerberos module from the authentication chain: authentication works correctly when Kerberos is removed from the chain. You might be facing this issue because of an optimization feature that Microsoft has added to IE, which causes IE not to send the user-entered credentials to the BMC Atrium Single Sign-On server.

Tip: The problem can be avoided by using Mozilla Firefox or another compatible browser.

Resolution

By disabling this optimization, the credentials are sent and the user is successfully authenticated.

Steps to follow from the KB article

To resolve this issue from the client side, use Registry Editor (Regedt32.exe) to add a value to the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\

Add the following registry value:

Value Name: DisableNTLMPreAuth
Data Type: REG_DWORD
Value: 1

For more information about disabling the optimization feature, refer to the Microsoft knowledge base (KB) article "Restricting data to be posted to specific website".

Note: The KB article also discusses disabling Kerberos or Integrated Windows Authentication; ignore that part.

12.11 Troubleshooting an external LDAP user store

This topic provides information to help you correct issues that might arise when configuring an external LDAP user store.

12.11.1 No users in User tab

If there are no users in the User tab:

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. In the User Stores panel, select the LDAP user store, and click Edit.
3. Select the Search tab.
4. Verify that the Users Search Filter field value is correct for the LDAP server. Specifically, the default filter must contain a class that is part of the LDAP structure.
5. If values were specified for the People Container Container Attribute and Attribute Value, remove those values (leave those fields blank).

12.11.2 No groups in Group tab

If there are no groups in the Group tab:

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. In the User Stores panel, select the LDAP user store, and click Edit.
3. Select the Search tab.
4. Verify that the Groups Search Filter field value is correct (the selected class is used in the LDAP server).
5. Verify that the Groups Container Container Attribute and Attribute Value information are both correct. Alternatively, try blank values (no characters).

12.12 Troubleshooting SAMLv2

This section includes the following issues:

IdP metadata issues
SAMLv2 keystore issues (see page 341)
Metadata issues (see page 342)
Certificate issues

12.12.1 IdP metadata issues

When using the Atrium Single Sign-On server as an Identity Provider (IdP), the server must be able to provide its metadata to the Service Providers (SPs) that are part of the Circle of Trust. The configuration of the IdP can be verified by opening this URL in a browser:

https://sample.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp

If the Atrium Single Sign-On server is correctly configured, the server returns an XML document, which is the metadata for the IdP.

libCOT:03/03/2011 02:55:51:194 PM CST: Thread[http-18443-6,5,main] ERROR: COTManager.createCircleOfTrust: com.sun.identity.plugin.configuration.ConfigurationException: Unable to create configuration of component "LIBCOT" for realm "/BmcRealm".

This error usually indicates that the certificates from the IdP have not been stored into the truststore of the BMC Atrium Single Sign-On server that is hosting the SP.

12.12.2 SAMLv2 keystore issues

If the SAMLv2 keystore is not correctly configured, an error is displayed at the top of the page when you attempt to create a new IdP or SP. Check the Federation log file in the following location: /tomcat/webapps/atriumsso/WEB-INF/config/atriumsso/debug

The following error messages indicate that the keystore is of the wrong format. For SAMLv2, only keystores in JKS format are supported; this keystore holds the certificates and private keys used for signing and encryption:

ERROR: mapPk2Cert.JKSKeyProvider: java.io.IOException: Invalid keystore format
ERROR: mapPk2Cert.JKSKeyProvider: java.lang.NullPointerException
ERROR: mapPk2Cert.JKSKeyProvider: java.io.IOException: Keystore was tampered with, or password was incorrect

The following messages indicate that the files containing the passwords for the store or the key do not contain the correct values (the values must be encoded before being stored within the files):

libSAML:03/02/2011 12:42:23:418 PM CST: Thread[main,5,main] ERROR: JKSKeyProvider: keystore file does not exist
libSAML:03/02/2011 12:42:23:418 PM CST: Thread[main,5,main] ERROR: JKSKeyProvider: keystore password is null

The following message (displayed in the browser) indicates that the keystore file is incorrectly defined or missing:

HTTP Status 400 - Error processing AuthnRequest. Error retrieving meta data.

12.12.3 Metadata issues

An error occurs when the BMC Atrium Single Sign-On server cannot find the Identity Provider (IdP), or the request sent by the client was syntactically incorrect. In the status report, the following message is displayed:

Error processing AuthnRequest. Error retrieving meta data

At logon, the browser displays the following message:

HTTP Status 500 -

To resolve metadata issues

1. Verify that the agent URL for login has the IdP spelled correctly.
2. Verify that the IdP is defined in the BMC Atrium Single Sign-On server.

12.12.4 Certificate issues

In an exception report, the following message is displayed:

The server encountered an internal error () that prevented it from fulfilling this request.

This problem is usually caused by the HTTPS certificate or the root CA-signed certificate from the IdP or SP server. The certificate might not be stored in the BMC Atrium Single Sign-On server's truststore.


To resolve certificate issues

1. Import the appropriate certificate into the truststore: /tomcat/conf/cacerts.p12
2. Restart the BMC Atrium Single Sign-On server.

The following message indicates the exception:

javax.servlet.ServletException: AMSetupFilter.doFilter
    com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:118)

The following message indicates the root cause:

com.sun.identity.saml2.common.SAML2Exception: java.security.PrivilegedActionException: com.sun.xml.messaging.saaj.SOAPExceptionImpl: Message send failed
    com.sun.identity.saml2.profile.SPACSUtils.getResponseFromArtifact(SPACSUtils.java:382)
    com.sun.identity.saml2.profile.SPACSUtils.getResponseFromGet(SPACSUtils.java:247)
    com.sun.identity.saml2.profile.SPACSUtils.getResponse(SPACSUtils.java:161)
    org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:180)
    org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:374)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:342)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:267)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:91)

12.13 Troubleshooting redirect URLs

Multiple redirect URLs can occur when a load balancer or reverse proxy is implemented.

Modifying the load balancer (or reverse proxy) for redirect URLs (see page 343)
Using load balancer (or reverse proxy) host names for redirect URLs (see page 344)
Cookie name change for a HA node (see page 344)

12.13.1 Modifying the load balancer (or reverse proxy) for redirect URLs If a BMC product is deployed behind a load balancer (or a reverse proxy), then the load balancer (or reverse proxy) must specify a BMC Atrium Single Sign-On redirect URL for the product agent. This modification is valid for both High Availability (HA) and non-HA environments.


Specify an HTTP header with the name AtssoReturnLocation and a value of the following form, where the placeholders stand for the scheme, the load balancer (or reverse proxy) host name, and the port that clients use:

<protocol>://<host>:<port>

Note: To ensure browser compatibility, the load balancer host name must not contain underscore characters.

12.13.2 Using load balancer (or reverse proxy) host names for redirect URLs

If BMC Atrium Single Sign-On is deployed behind a load balancer (or reverse proxy), the product agent logon and logoff configuration can be modified to use the load balancer (or reverse proxy) host names instead of the real FQDN host names. In this case, the client browser is forwarded to the load balancer (or reverse proxy) host name of the BMC Atrium Single Sign-On server. This modification is valid for both HA and non-HA environments.

Log in to the BMC Atrium Single Sign-On Administrator console and edit the product agent's configuration. Use the following templates for the new logon and logoff URLs, respectively, where the placeholders stand for the scheme, the load balancer (or reverse proxy) host name, the port, and the realm name:

URL formats

Login
<protocol>://<host>:<port>/atriumsso/UI/Login?realm=<realm>

Logout
<protocol>://<host>:<port>/atriumsso/UI/Logout?realm=<realm>

12.13.3 Cookie name change for a HA node

In a BMC Atrium Single Sign-On HA environment, if a cookie name is changed for a particular BMC Atrium Single Sign-On node, restart the BMC Atrium Single Sign-On server.

Note: In some cases, a BMC Atrium Single Sign-On server restart, a browser cache purge, and a cookie cleanup do not resolve a multiple redirects error. In that case, reboot the operating system.


12.14 Session sharing in HA mode issue

In BMC Atrium Single Sign-On High Availability (HA) mode, session sharing can fail in some network environments when the default protocol (multicast) is used by Apache ActiveMQ. ActiveMQ is a third-party component used by Atrium Single Sign-On to inform all nodes in the cluster about session creation and termination events. If session sharing fails, change the configuration settings to an alternative protocol.

12.14.1 To configure point-to-point session sharing

Perform the following steps on each node in the HA cluster.

1. Navigate to the /tomcat/webapps/atriumsso/WEB-INF/classes/ directory.
2. Edit the activemq.xml file.
3. Replace the following tag:

   with:

   where:
   hostname — The host name of the current node.
   port — The port that is used for session sharing on this node.
4. Replace the following tag:

   with:

   where:
   hostname — The host name of another node in the HA cluster.
   port — The port that is used by the other node for session sharing.

Note: The hostname:port pair is the one specified in the corresponding tag on the other node.

5. Save the file.

BMC Atrium Single Sign-On 8.1

Page 345 of 389

BMC Software Confidential

Home

Note

Shutdown all the nodes in the cluster after configuring point-to-point session sharing. Do not start all the nodes at the same time. Start each node beginning from the first node only after the previous node is fully started.
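The script below is an added example, not BMC's activemq.xml: it generates the per-node point-to-point connector tags that steps 3 and 4 describe and cross-checks them against the note above (each node's outgoing reference must be another node's listener, never itself). The element names and the tcp://, multicast://default and static:(...) URI forms are standard Apache ActiveMQ syntax; the surrounding content of BMC's file is not reproduced, and the two-node page procedure is generalised to a static list of all other nodes (both assumptions). Host names and ports are constructed. Whichever form you use, the session-sharing port accepts broker connections, and the page describes no authentication on it, so restrict it at the firewall to the cluster nodes.

```python
"""Added example (not BMC code): generate and cross-check the per-node static
(point-to-point) ActiveMQ connector tags from 12.14.1. Element names and URI
forms are standard Apache ActiveMQ syntax (assumption: BMC's activemq.xml uses
the stock forms); host names and ports are constructed."""
import xml.etree.ElementTree as ET

# Default discovery as ActiveMQ ships it: any broker on the segment that
# announces itself on the multicast group joins the network (assumed form).
MULTICAST_TRANSPORT = ('<transportConnector name="openwire" uri="tcp://0.0.0.0:61616" '
                       'discoveryUri="multicast://default"/>')
MULTICAST_NETWORK = '<networkConnector uri="multicast://default"/>'


def transport_connector(hostname, port):
    """Step 3: this node listens for session events on its own host name and port."""
    return f'<transportConnector name="openwire" uri="tcp://{hostname}:{port}"/>'


def network_connector(peers):
    """Step 4: this node connects out to the other nodes' transportConnector endpoints.
    The page describes one peer; a comma-separated static list covers larger clusters."""
    uris = ",".join(f"tcp://{h}:{p}" for h, p in peers)
    return f'<networkConnector uri="static:({uris})"/>'


def node_fragments(nodes):
    """nodes: [(hostname, port), ...]. Returns {hostname: (transport_tag, network_tag)}."""
    return {host: (transport_connector(host, port),
                   network_connector([(h, p) for h, p in nodes if h != host]))
            for host, port in nodes}


def _host_port(uri):
    return uri[len("tcp://"):]


def check_fragments(frags):
    """Apply the page's note as a check: every host:port a networkConnector names must be
    another node's transportConnector, and no node may point at itself."""
    listeners = {}
    for host, (transport, _) in frags.items():
        listeners[_host_port(ET.fromstring(transport).get("uri"))] = host
    problems = []
    for host, (_, network) in frags.items():
        uri = ET.fromstring(network).get("uri")
        if not uri.startswith("static:("):
            problems.append(f"{host}: networkConnector still uses {uri!r}, not a static peer list")
            continue
        for peer in uri[len("static:("):-1].split(","):
            hp = _host_port(peer)
            if hp not in listeners:
                problems.append(f"{host}: peer {hp} is not any node's transportConnector")
            elif listeners[hp] == host:
                problems.append(f"{host}: networkConnector points at itself")
    return problems


if __name__ == "__main__":
    cluster = [("sso1.example.com", 61616), ("sso2.example.com", 61616)]   # constructed
    frags = node_fragments(cluster)
    for host, (transport, network) in frags.items():
        print(f"# {host}\n{transport}\n{network}")
    print(check_fragments(frags) or "peer references are consistent")
```

Paste each node's two tags into that node's activemq.xml in place of the multicast forms, then apply the shutdown and staggered start described in the note.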

12.15 Troubleshooting installation or upgrade issues This page has not been approved for publication.

12.16 Resolving installation issues on the Linux operating system

You may face the following issues during installation of BMC Atrium Single Sign-On on Red Hat Enterprise Linux computers. The following topics are provided: Installation failure due to missing libraries (see page 346); Installation failure due to low level of entropy (see page 346).

12.16.1 Installation failure due to missing libraries

If you are installing BMC Atrium Single Sign-On on Red Hat Enterprise Linux (RHEL) 6.x and the installer aborts suddenly, install the following 32-bit RPM packages so that the 32-bit JRE and the installer's user interface are available: glibc.i686 and libXtst.i686 (RPM package names are case sensitive).

12.16.2 Installation failure due to low level of entropy

In computing, entropy is the randomness collected by an operating system or an application for use in cryptography or other uses that require random data. This randomness is often collected from hardware sources, either existing ones such as mouse movements or specially provided randomness generators. When the entropy available to the kernel drops below a certain level, the Linux system running the BMC Atrium Single Sign-On (SSO) installer may hit the following issue.

During installation, BMC Atrium SSO logs the entropy level for maintenance purposes. For a successful installation the entropy level should be substantially higher than 150. If an installation or silent installation aborts suddenly, finishes very quickly, or takes a long time to complete, you may be facing low entropy. When the entropy level on the computer running the BMC Atrium SSO installer is less than 150, the installation fails with the following error message:

There is potential problem with performance on this computer. The level of entropy is 150 and the random data generation time is 6 milliseconds. You may run the following command as root user: 'rngd -b -r /dev/urandom -o /dev/random' or prefer to restart the computer.

Info
You can verify the level of entropy on a Linux computer with the following command: cat /proc/sys/kernel/random/entropy_avail

Workaround
To restore the level of entropy and install BMC Atrium SSO, use either of the following options:

Run the following commands as the root user. This option is preferred because it also maintains the entropy level after installation. If your server has a low entropy level, configure it to run rngd at startup:

yum install rng-tools
echo 'EXTRAOPTIONS="-i -o /dev/random -r /dev/urandom -t 10 -W 2048"' > /etc/sysconfig/rngd
chkconfig rngd on
service rngd restart

Note that -r /dev/urandom makes rngd feed the kernel's own non-blocking pool back into /dev/random. This satisfies the installer's check, but it adds no entropy the kernel did not already have and makes the entropy_avail figure meaningless as a measure of randomness. On a server that will generate keys and certificates, prefer rngd's default hardware source (/dev/hwrng, which virtio-rng provides on virtual machines) where one is available.

Restart your computer. This option is not recommended and raises the entropy level only temporarily; use it to determine whether entropy is the only cause of the installation failure.
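As an added example (not BMC code), the following pre-flight check reproduces the installer's test before you start it: it reads entropy_avail, applies the page's threshold of 150, times a small read from the random device the way the installer's message reports it, and prints the rngd line from the workaround. The margin factor and the rngd helper's default hardware source are this example's assumptions, not BMC settings. On kernels from Linux 5.6 onward /dev/random no longer blocks once seeded, so this failure mode belongs to older kernels such as the RHEL 6.x ones the page targets.

```python
"""Added example (not BMC code): pre-flight check for the low-entropy failure in
12.16.2. The threshold 150 is the installer's figure from the page; the margin
factor and the rngd defaults below are this example's assumptions."""
import time

ENTROPY_MIN = 150                      # installer threshold quoted by the page
ENTROPY_FILE = "/proc/sys/kernel/random/entropy_avail"


def parse_entropy(text):
    """entropy_avail holds a single integer: the kernel's estimate in bits."""
    return int(text.strip())


def read_entropy(path=ENTROPY_FILE):
    with open(path) as fh:
        return parse_entropy(fh.read())


def entropy_verdict(level, minimum=ENTROPY_MIN, margin=4):
    """Return (ok, message). The page wants the level 'substantially higher' than
    the minimum; 'margin' (assumption) turns that into a number: below minimum is
    a failure, below margin*minimum a warning."""
    if level < minimum:
        return False, (f"entropy_avail={level} < {minimum}: the installer aborts, finishes "
                       "too quickly or hangs; start rngd before retrying")
    if level < margin * minimum:
        return True, f"entropy_avail={level}: above {minimum} but marginal, expect slow key generation"
    return True, f"entropy_avail={level}: ok"


def time_random_read(device="/dev/urandom", nbytes=16):
    """Milliseconds for a small read, like the timing the installer logs.
    /dev/urandom never blocks; on a RHEL 6 era kernel a starved /dev/random does,
    so pass device='/dev/random' to observe the blocking the installer runs into."""
    start = time.perf_counter()
    with open(device, "rb") as fh:
        fh.read(nbytes)
    return (time.perf_counter() - start) * 1000.0


def rngd_extraoptions(source="/dev/hwrng", fill_watermark=2048, interval=10):
    """The EXTRAOPTIONS line for /etc/sysconfig/rngd in the form the page gives.
    The page's workaround passes -r /dev/urandom, which only recycles the kernel's
    own non-blocking pool into /dev/random: it satisfies the installer's check but
    adds no real entropy. The default here is rngd's own default hardware source
    (assumption: a /dev/hwrng device exists, e.g. virtio-rng on a VM)."""
    return f'EXTRAOPTIONS="-i -o /dev/random -r {source} -t {interval} -W {fill_watermark}"'


if __name__ == "__main__":
    level = read_entropy()
    ok, msg = entropy_verdict(level)
    print(msg, f"({time_random_read():.1f} ms per 16-byte urandom read)")
    if not ok:
        print("suggested /etc/sysconfig/rngd line:", rngd_extraoptions())
```

Run it as any user before launching the installer; if the verdict is a failure, enable rngd as the workaround describes and run the check again until the level stays well above 150.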

13 Known and corrected issues

The following issues pertain to this release of BMC Atrium Single Sign-On and its service packs and patches. They are divided as follows: Installation and upgrade issues; Other issues.

To see all open issues, or to see the issues corrected in a specific release, service pack, or patch, sort the table by the Corrected in column. An issue with no version number listed in that column remains open. Version numbers are given in the format MajorRelease.MinorRelease.ServicePack.Patch. For example, 8.2.04.01 is patch 1 for service pack 4 of minor release 8.2.

13.1 Installation and upgrade issues

Known and corrected issues related to installation or upgrade. Each entry gives the defect ID, the affected versions and the version in which the defect was corrected, where the table lists them.

SW00452251
Affected versions: 8.1.00.03
If you try to install BMC Atrium Single Sign-On version 8.1 on a volume where 8dot3 names are disabled, the installation fails.
Workaround: Enable 8dot3 names on the volume on which BMC Atrium Single Sign-On is installed. To enable 8dot3 naming: 1. In a command window opened with elevated privileges, run: fsutil.exe behavior set disable8dot3 0 2. Recreate the installation folders to force the generation of 8dot3 names.

SW00452338
Corrected in: 8.1.00.03
The BMC Atrium Single Sign-On upgrade fails when the default password has been changed in server.xml and the certificate stores do not point to the default locations.

SW00443582
Corrected in: 8.1.00.03
When you install BMC Atrium Single Sign-On with amadmin as the login and a password that includes special characters, authentication fails.

SW00425820
Affected versions: 8.0.00, 8.1.00
The BMC Atrium Single Sign-On installer always shows the keystore alias as "tomcat" when installing on an external Tomcat server. This is a problem if the external Tomcat server you configured for BMC Atrium Single Sign-On uses a keystore alias other than "tomcat".
Workaround: On the BMC Atrium Single Sign-On installer screen, manually change the keystore alias to the alias you set when configuring your Tomcat server.

SW00447285
Affected versions: 8.1.00
If you installed Tomcat 7 with the .exe installer, the SSO integration utility cannot stop and restart Tomcat.
Workaround: Perform one of the following: Manually stop Tomcat before you run the utility (you can ignore the exception at the end of execution: Error while starting Tomcat), or perform the integration manually.

SW00448578
Affected versions: 8.1.00
Corrected in: 8.1.00.02
The BMC Atrium Single Sign-On 8.1 documentation does not mention that before installing BMC Atrium Single Sign-On 8.1.00 or later on Red Hat Enterprise Linux 6.x, you must install the following 32-bit RPM packages: glibc.i686 and libXtst.i686. This information is now documented in the "System requirements" section of the Prerequisites for installation page (see page 42).

SW00450616
Affected versions: 8.1.00.01, 8.1.00.02, 8.1.00.03
When you upgrade the following versions of BMC Atrium Single Sign-On, user assignments to custom groups are not retained: version 8.1.00 to 8.1.00.01 or later; version 8.1.00 or 8.1.00.01 to 8.1.00.02 or later.
Workaround: Reassign users to the appropriate groups after the upgrade.

SW00448219
Corrected in: 8.1.00.02
When you upgrade BMC Atrium Single Sign-On from version 8.1.00 to version 8.1.00.02 or later, and BMC Atrium Single Sign-On is deployed in HA mode on Red Hat Enterprise Linux Server release 6.2, the upgrade fails.

SW00446188
Corrected in: 8.1.00.02
If you are installing BMC Atrium Single Sign-On on a Japanese or Chinese locale, the installer fails.

SW00443648
Corrected in: 8.1.00.02
When logging in to the BMC Atrium Single Sign-On Administration page, in certain scenarios the OpenAM page is displayed instead.

SW00447605
Corrected in: 8.1.00.02
During a fresh installation of BMC Atrium Single Sign-On a non-critical error message is displayed; it can be ignored.

SW00449708
Corrected in: 8.1.00.02
During a fresh installation of BMC Atrium Single Sign-On, if there is a space in the name of the installation folder, the installation fails.

SW00447623, SW00449894
Corrected in: 8.1.00.02, 8.1.00.03
Version 8.1.00.02 corrected defects related to BMC Atrium Single Sign-On in HA mode. These fixes include session failover, replication of the configuration, and so on.

SW00449987, SW00450188, SW00450242, SW00450296, SW00450318, SW00451056, SW00451254, SW00451490, SW00455079
Corrected in: 8.1.00.03
The signing and encryption certificates in the SAMLv2 keystore are lost during the upgrade of BMC Atrium Single Sign-On from version 8.0.00 to version 8.1.00.
Workaround: Manually preserve the SAMLv2 keystore before the upgrade and restore it afterwards. The backup contains the service provider's private signing and encryption keys, so keep it on protected storage and remove it once restored. 1. Before performing the upgrade, create a backup of the SAMLv2 keystore outside the installation directory. Note: In BMC Atrium Single Sign-On server version 8.0 the keystore is the file keystore.jks located in /tomcat/webapps/atriumsso/WEB-INF/config/atriumsso. 2. After the upgrade, rename keystore.jks to cot.jks. 3. Replace the newly installed cot.jks in the /tomcat directory with it. 4. If the keystore passwords were changed from the default value, also copy the .keypass and .storepass files to the /tomcat directory. 5. Restart the BMC Atrium Single Sign-On server. 6. Open the Admin Console and open the Local Service Provider editor to verify that the proper certificate alias has been created.

SW00455119
Affected versions: 8.1.00.03
User account federations are lost after you upgrade to BMC Atrium Single Sign-On version 8.1.00.03.
Workaround: Re-federate your account the first time you log in to BMC Atrium Single Sign-On server version 8.1.00.03.

13.2 Other issues

Known and corrected issues for areas other than installation and upgrade. Each entry gives the defect ID, the affected versions and the version in which the defect was corrected, where the table lists them.

SW00440868
Corrected in: 8.1.00.03
When one user logged out, BMC Atrium Single Sign-On logged out all users.

SW00451947
Corrected in: 8.1.00.03
When you create a new local Service Provider (SP), only the PasswordProtectedTransport check box is enabled in the Default Authentication Context list of the Local Service Provider (SP) Editor.

SW00451946
Corrected in: 8.1.00.03
The User Editor does not show the groups from an external LDAP user store for a user from that same external LDAP user store.

SW00447267
Corrected in: 8.1.00.03
The agent certificate generated for BMC Atrium Single Sign-On is valid for only 2 to 3 months, which causes issues in some environments.

SW00450560
Corrected in: 8.1.00.03
The BMC Atrium Single Sign-On agent requires some changes to support network load balancers.

SW00451673
Corrected in: 8.1.00.03
With two or more authentication chains in BMC Atrium Single Sign-On, login does not succeed without displaying the second login page.

SW00451952
Corrected in: 8.1.00.03
BMC Atrium Single Sign-On does not provide the ability to select the Default Authentication Context in the SAML Local Service Provider (SP) editor.

SW00453492
Corrected in: 8.1.00.03
In the Administrator Console of BMC Atrium Single Sign-On, the Name ID option that allows the selection of name ID formats and the ordering of those selections is missing from the Local Service Provider (SP) editor window.

SW00452001
Affected versions: 8.1.00
Corrected in: 8.1.00.02
The values of the member attributes between users and groups in external LDAP are stored incorrectly in the BMC Atrium Single Sign-On server.

SW00447654
Affected versions: 8.1.00
Corrected in: 8.1.00.01
Multi-threading issues occur while retrieving certificates from the BMC Atrium Single Sign-On server.

SW00448326
Affected versions: 8.1.00
Corrected in: 8.1.00.01
Cannot create users and groups whose names are similar to (a subset of) existing user and group names.

SW00448607
Affected versions: 8.1.00
Corrected in: 8.1.00.01
BMC Atrium Single Sign-On users cannot authenticate with BMC Atrium Orchestrator when it is integrated with BMC Atrium Single Sign-On.

SW00448553
Affected versions: 8.1.00
Corrected in: 8.1.00.02
In a BMC Atrium Single Sign-On High Availability (HA) configuration, the replication of configuration modules does not work correctly.

SW00450113
Affected versions: 8.1.00
Corrected in: 8.1.00.02
If you added the AR authentication module in the second place of the authentication chain for a realm whose user profile is set to Dynamic, users cannot log on to that realm.

SW00450144
Affected versions: 8.1.00.02
Corrected in: 8.1.00.03
In a BMC Atrium Single Sign-On High Availability (HA) configuration, when you restart an HA node and then add a new module on another HA node that is not restarted, "unknown" authentication modules are displayed in the authentication chain of the node that you restarted.

SW00450660
Affected versions: 8.1.00
Corrected in: 8.1.00.03
In a BMC Atrium Single Sign-On High Availability (HA) configuration, when you try to log on to an application that has been integrated with BMC Atrium Single Sign-On, the following error message might be displayed: User has no profile in this realm. Contact administrator
Workaround: If you could previously log on to the application successfully, restarting the BMC Atrium SSO service and logging on to the application again resolves the issue.

SW00450313
Affected versions: 8.1.00.01, 8.1.00.02
Corrected in: 8.1.00.03
In a BMC Atrium Single Sign-On High Availability (HA) configuration, when you log on to the Admin Console of two different nodes using the same browser, log out from one of the Admin Consoles, and refresh the page of the other Admin Console, you are logged on to both Admin Consoles again without entering credentials.

14 Support information This topic contains information about how to contact Customer Support and the support status for this and other releases.

14.1 Contacting Customer Support If you have problems with or questions about a BMC product, or for the latest support policies, see the Customer Support website at http://www.bmc.com/support. You can access product documents, search the Knowledge Base for help with an issue, and download products and maintenance. If you do not have access to the web and you are in the United States or Canada, contact Customer Support at 800 537 1813. Outside the United States or Canada, contact your local BMC office or agent.

14.2 Support status Based on the support policy adopted September 1, 2011, for releases from that date forward, BMC provides technical support for a product based on time rather than number of releases. The previous release-based policy applies to releases before September 1, 2011. The support status for BMC Atrium Single Sign-On is the same as the support status for BMC Atrium CMDB Suite. To view the support status for this release, see the BMC Atrium CMDB Suite Support page.


15 PDFs

Ready-made PDFs: BMC Atrium Single Sign-On Version 8.1.00.01 (snapshot date 03-21-2013, file size 3.90 MB).


16 Tracking tools

Comments dashboard (see page 353)
No Labels report (see page 363)
Technical Bulletin SW00448553 (see page 369)
Enabling multiple realms (see page 372)
Configuring multi-tenancy support
Overview steps to install and configure HA Load-Balancing environment with SSO (see page 378)
Number of pages in space (see page 383)
Installing and managing certificates in BMC Atrium SSO (see page 383)
Installing certificates after integration with other BMC products (see page 383)

16.1 Comments dashboard


Hemant Baliwala

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Tue Sep 03 05:37:24 CDT 2013

Using LDAP (Active Directory) for authentication

Abhay Chokshi

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Tue Sep 03 06:00:30 CDT 2013

Configuring BMC Atrium Single Sign-On as an SP

Abhay Chokshi

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Tue Sep 03 06:15:32 CDT 2013

Configuring BMC Atrium Single Sign-On as an SP

Abhay Chokshi

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Sun Oct 27 14:39:02 CDT 2013

Configuring BMC Atrium Single Sign-On as an SP

Abhay Chokshi

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Mon Mar 18 17:16:34 CDT 2013

Configuring Terminal Services and DEP parameters

Dixie Pine

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Tue Mar 19 23:00:40 CDT 2013

Running a health check on the BMC Atrium Single Sign-On integration

Dixie Pine

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Thu Sep 12 08:54:13 CDT 2013

Using SAMLv2 for authentication

Abhay Chokshi

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Thu Sep 12 09:45:54 CDT 2013

Using SAMLv2 for authentication

Abhay Chokshi

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Ruth Harris

BMC Atrium Single Sign-On 8.1

Page 359 of 389

BMC Software Confidential

Home

Date and time

Page

Author

Mon Mar 18

Installing BMC Atrium Single Sign-On as a High

(see page )Error:

18:15:30 CDT 2013

Availability cluster (see page 55)

com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Mon Mar 18 18:14:08 CDT

Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55)

Ruth Harris

2013

Comment

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Fri Sep 06

Installing BMC Atrium Single Sign-On as a High

Keith

(see page )Error:

09:46:03 CDT 2013

Availability cluster (see page 55)

Linehan

com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Fri Sep 06 09:55:28 CDT

Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55)

Keith Linehan

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to

2013

com.atlassian.confluence.pages.AbstractPage

Thu Sep 12

Installing BMC Atrium Single Sign-On as a High

Abhay

(see page )Error:

09:31:20 CDT 2013

Availability cluster (see page 55)

Chokshi

com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Thu Jan 24 14:56:39 CST 2013

Managing the AR System users and groups for authentication (see page 97)

Shlomi Afia

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Thu Jan 31 17:51:14 CST 2013

Managing the AR System users and groups for authentication (see page 97)

Ruth Harris

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Fri Feb 01 15:11:11 CST 2013

Managing the AR System users and groups for authentication (see page 97)

John Stamps

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Wed Jun 12 09:55:05 CDT 2013

Managing the AR System users and groups for authentication (see page 97)

Koray Kusat

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Tue Mar 19 22:58:56 CDT 2013

Configuring the BMC Atrium Single Sign-On server for AR System integration (see page 183)

Dixie Pine

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Mon Mar 18 17:53:55 CDT 2013

Configuring after installation

Dixie Pine

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Wed Mar 20 15:48:51 CDT 2013

Troubleshooting (see page 279)

Dixie Pine

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Tue Mar 19 23:24:23 CDT 2013

Navigating the interface

Dixie Pine

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Fri Jul 05 10:30:52 CDT 2013

Managing keystores with a keytool utility (see page 239)

Tetiana Pustovit

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

BMC Atrium Single Sign-On 8.1

Page 360 of 389

BMC Software Confidential

Home

Date and time

Page

Author

Comment

Mon Jul 08

Managing keystores with a keytool utility (see

Hemant

(see page )Error:

02:37:01 CDT 2013

page 239)

Baliwala

com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Mon Jul 08 04:34:41 CDT

Managing keystores with a keytool utility (see page 239)

Tetiana Pustovit

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to

2013 Wed Mar 20

com.atlassian.confluence.pages.AbstractPage Using the keytool utility (see page 241)

Dixie Pine

00:09:53 CDT 2013 Mon Jul 08 04:32:49 CDT

com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage Using the keytool utility (see page 241)

Tetiana Pustovit

2013 Mon Jul 08

(see page )Error:

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Using the keytool utility (see page 241)

04:53:55 CDT 2013

Hemant

(see page )Error:

Baliwala

com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Tue Jul 02 19:31:30 CDT 2013

Generating self-signed certificates (see page 249)

Melanie Boston

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Wed Jan 08 10:20:44 CST 2014

Resynchronizing nodes in a cluster

Milan Franzkowski

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Wed Jan 08 10:21:55 CST 2014

Resynchronizing nodes in a cluster

Milan Franzkowski

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Thu Mar 14 11:59:45 CDT 2013

Integrating BMC Atrium Orchestrator Platform (see page 209)

Deepa Bhat

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Thu Mar 14 13:16:49 CDT 2013

Integrating BMC Atrium Orchestrator Platform (see page 209)

Ruth Harris

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Thu Mar 14 22:20:17 CDT 2013

Integrating BMC Atrium Orchestrator Platform (see page 209)

Deepa Bhat

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Tue Apr 16 10:26:03 CDT 2013

Integrating BMC Atrium Orchestrator Platform (see page 209)

Melody Locke

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Tue Apr 16 23:51:49 CDT 2013

Integrating BMC Atrium Orchestrator Platform (see page 209)

Deepa Bhat

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Thu May 09 13:08:59 CDT 2013

Generating CSRs (see page 246)

Anil Premlall

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Generating CSRs (see page 246)

Anil Premlall

BMC Atrium Single Sign-On 8.1

Page 361 of 389

BMC Software Confidential

Home

Date and time

Page

Author

Comment

Thu May 09

(see page )Error:

16:09:00 CDT 2013

com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Thu Jan 09 07:05:25 CST

Generating CSRs (see page 246)

Abhay Chokshi

2014 Fri Jul 19

com.atlassian.confluence.pages.AbstractPage Configuring multi-tenancy support

Gourav Jain

03:57:27 CDT 2013 Fri Jul 19 04:18:57 CDT

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Configuring multi-tenancy support

Hemant Baliwala

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Configuring multi-tenancy support

Gourav Jain

Error: com.atlassian.confluence.pages.Comment cannot be

2013 Wed Aug 21 06:39:24 CDT 2013

cast to com.atlassian.confluence.pages.AbstractPage

Fri Sep 06 06:19:40 CDT 2013

Configuring multi-tenancy support

Shrihari Sn

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Thu Sep 12 08:48:03 CDT 2013

Configuring multi-tenancy support

Abhay Chokshi

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Thu Jan 31 17:37:33 CST 2013

Overview steps to install and configure HA Load-Balancing environment with SSO (see page 378)

Ruth Harris

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Fri Mar 15 19:48:39 CDT 2013

Technical Bulletin SW00448553 (see page 369)

Dixie Pine

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Tue Mar 19 17:14:04 CDT 2013

Integrating

Ruth Harris

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Tue Mar 19 17:10:47 CDT 2013

Integrating

Ruth Harris

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Thu Sep 05 07:41:32 CDT 2013

Integrating

Abhay Chokshi

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Wed Mar 20 16:17:09 CDT 2013

Checking the truststore for certificates

Dixie Pine

Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Mon Feb 04 13:37:00 CST 2013

Running the SSOMidtierIntegration utility on the Mid Tier (see page 92)

John Stamps

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

BMC Atrium Single Sign-On 8.1

Page 362 of 389

BMC Software Confidential

Home

Date and time

Page

Author

Comment

Wed Jul 03

Adding and removing a CA certificate (see page

Melanie

(see page )Error:

12:03:23 CDT 2013

248)

Boston

com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Thu Jul 04 04:05:55 CDT

Adding and removing a CA certificate (see page 248)

Prachi Kalyani

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to

2013

com.atlassian.confluence.pages.AbstractPage

Tue Oct 22

Troubleshooting Kerberos authentication (see

Abhay

(see page )Error:

03:19:49 CDT 2013

page 333)

Chokshi

com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Mon Jan 13 14:39:28 CST

Reconfiguring your browser (see page 138)

Anil Premlall

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to

2014 Tue Jan 14

com.atlassian.confluence.pages.AbstractPage Reconfiguring your browser (see page 138)

14:44:49 CST 2014

Abhay

(see page )Error:

Chokshi

com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Thu Jan 16 05:05:09 CST 2014

Enabling multiple realms (see page 372)

Abhay Chokshi

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Thu Jan 16 04:32:29 CST 2014

LDAP (Active Directory) Editor (see page 223)

Abhay Chokshi

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Thu Jan 16 08:13:16 CST 2014

LDAP (Active Directory) Editor (see page 223)

Abhay Chokshi

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Thu Jul 11 05:20:58 CDT 2013

Running the SSOARIntegration utility on the AR System server (see page 88)

Koray Kusat

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Thu Jul 18 08:18:33 CDT 2013

Running the SSOARIntegration utility on the AR System server (see page 88)

Hemant Baliwala

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Sat Oct 26 19:31:41 CDT 2013

Running the SSOARIntegration utility on the AR System server (see page 88)

Srivamsi Patchipulusu

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

Mon Oct 28 10:56:32 CDT 2013

Running the SSOARIntegration utility on the AR System server (see page 88)

Abhay Chokshi

(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage

16.2 Pages without labels in this space

This table contains all pages in this space that do not have labels, sorted by branch.

Parent | Page Title | Last modified by
Manually configuring mid tier for BMC Atrium Single Sign-On user authentication (see page 176) | Container types, containers, and agents | John Stamps
Troubleshooting Kerberos authentication (see page 333) | Invalid service principal name for Kerberos authentication | Gary Beason
Troubleshooting Kerberos authentication (see page 333) | Invalid keytab index number for Kerberos authentication | Gary Beason
Troubleshooting Kerberos authentication (see page 333) | Invalid password for Kerberos authentication | Gary Beason
Federating user accounts in bulk (see page 157) | Federate command results output file | Ruth Harris
Troubleshooting Kerberos authentication (see page 333) | Browser sending NTLM instead of Kerberos (see page 336) | Prachi Kalyani
Troubleshooting Kerberos authentication (see page 333) | Invalid user name for Kerberos authentication | Gary Beason
Federating user accounts in bulk (see page 157) | Create command results output file | Ruth Harris
Federating user accounts in bulk (see page 157) | Create-federate command results output file | Ruth Harris
Realm Editor | AR Editor (see page 223) | Dixie Pine
Realm Editor | LDAPv3 (Active Directory) User Store Editor (see page 225) | Prachi Kalyani
Realm Editor | AR User Store Editor | John Stamps
Realm Editor | User Editor | Ruth Harris
Realm Editor | Group Editor | Ruth Harris
Realm Editor | Local Identity Provider (IdP) Editor | Ruth Harris
Navigating the interface | HA Nodes manager (see page 234) | Dixie Pine
Realm Editor | Remote Service Provider (SP) Editor (see page 232) | Dixie Pine
Realm Editor | SecurID Editor (see page 227) | Dixie Pine
Troubleshooting CAC authentication (see page 326) | Example of a list of certificates sent to the client | Confluence Admin
Managing nodes in a cluster (see page 273) | Stopping nodes in a cluster (see page 274) | Dixie Pine
Federating user accounts in bulk (see page 157) | Import command results output file | Ruth Harris
Federating user accounts in bulk (see page 157) | Error messages for bulk federation of user accounts | Ruth Harris
Troubleshooting (see page 279) | Troubleshooting redirect URLs (see page 343) | Abhay Chokshi
Federating user accounts in bulk (see page 157) | Create-import command results output file | Ruth Harris
Troubleshooting (see page 279) | Troubleshooting installation or upgrade issues (see page 346) | Abhay Chokshi
Troubleshooting (see page 279) | Session sharing in HA mode issue (see page 345) | Abhay Chokshi
Managing nodes in a cluster (see page 273) | Starting nodes in a cluster (see page 274) | Dixie Pine
Realm Editor | Remote Identity Provider (IdP) Editor | Ruth Harris
Upgrading | Preparing to upgrade BMC Analytics for BSM | Ruth Harris
Realm Editor | Local Service Provider (SP) Editor (see page 230) | Hemant Baliwala
Troubleshooting CAC authentication (see page 326) | Example of a client not responding with a certificate | Ruth Harris
Troubleshooting CAC authentication (see page 326) | Changing the clientAuth setting | Ruth Harris
Troubleshooting CAC authentication (see page 326) | Example of a client sending a certificate | Gary Beason
Troubleshooting CAC authentication (see page 326) | Turning on network debug logging (see page 328) | Ruth Harris
Troubleshooting SAMLv2 | IdP metadata issues | Ruth Harris
Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72) | Policy file additions for external Tomcat installations (see page 75) | Prachi Kalyani
Upgrading | Upgrading HA nodes | Ruth Harris
Realm Editor | Create Service Provider (see page 229) | Ruth Harris
Realm Editor | Create Identity Provider (see page 228) | Ruth Harris
Troubleshooting CAC authentication (see page 326) | Clock skew too great for CAC authentication (see page 331) | Dixie Pine
Planning (see page 29) | Checking the compatibility matrix for system requirements and supported configurations | Abhay Chokshi
Integrating | Integrating BMC Mobility for ITSM 8.1.00 (see page 212) | Abhay Chokshi
Federating user accounts in bulk (see page 157) | Identity files for user accounts (see page 160) | Ruth Harris
Realm Editor | CAC (certificate) Editor | Ruth Harris
Troubleshooting (see page 279) | Logon and logoff issues (see page 316) | Dixie Pine
Troubleshooting Kerberos authentication (see page 333) | Clock skew too great for Kerberos authentication | Ruth Harris
Integrating BMC Real End User Experience Monitoring (see page 212) | Preparing the Console component for the BMC Atrium SSO integration (see page 212) | Abhay Chokshi
Federating user accounts in bulk (see page 157) | bulkFederation command parameters (see page 161) | Dixie Pine
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79) | Reviewing AR server external authentication settings and configuring group mapping (see page 91) |
Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55) | Installing additional nodes for an HA cluster on an external Tomcat server (see page 70) | Hemant Baliwala
Troubleshooting CAC authentication (see page 326) | Example of a debug log error when a certificate is not available | Ruth Harris
Troubleshooting SAMLv2 | Metadata issues (see page 342) | Dixie Pine
Troubleshooting (see page 279) | Troubleshooting SAMLv2 | Ruth Harris
Troubleshooting SAMLv2 | Certificate issues | Ruth Harris
Troubleshooting CAC authentication (see page 326) | Example of OCSP certificate failure | Ruth Harris
Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55) | Installing additional nodes for an HA cluster on a new Tomcat server (see page 63) | Hemant Baliwala
Troubleshooting CAC authentication (see page 326) | Example of URL certificate authentication not enabled | Dixie Pine
Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72) | Configuring an external Tomcat instance for FIPS-140 (see page 76) | Prachi Kalyani
Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55) | Installing the first node for an HA cluster on an external Tomcat server (see page 68) | Ruth Harris
Installing (see page 40) | Preparing for installation | Ruth Harris
Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 | Configuring external authentication for AR System integration (see page 170) | Dixie Pine
Troubleshooting Kerberos authentication (see page 333) | Browser not correctly configured for Kerberos authentication | Ruth Harris
Troubleshooting Kerberos authentication (see page 333) | Incorrect server name for Kerberos authentication | Gary Beason
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79) | Installing BMC Atrium Single Sign-On | Ruth Harris
Troubleshooting (see page 279) | Resolving installation issues on LINUX operating system (see page 346) | Abhay Chokshi
Integrating | Integrating BMC Real End User Experience Monitoring (see page 212) | Abhay Chokshi
Integrating BMC Real End User Experience Monitoring (see page 212) | Preparing BMC Atrium SSO server for integration (see page 212) | Abhay Chokshi
Using Kerberos for authentication (see page 132) | Generating a keytab for the service principal and mapping the Kerberos service name (see page 134) | Abhay Chokshi
Troubleshooting (see page 279) | Upgrading from 7.6.04 to 8.1 silent installation issue (see page 317) | Ruth Harris
Planning (see page 29) | End-to-end BMC Atrium Single Sign-On process | Abhay Chokshi
 | Legal notices | Ruth Harris
Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72) | JVM parameter additions for external Tomcat installations (see page 76) | Prachi Kalyani
Troubleshooting CAC authentication (see page 326) | Example of a default logging level error | Ruth Harris
Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 | Manually configuring mid tier for BMC Atrium Single Sign-On user authentication (see page 176) | Abhay Chokshi
Troubleshooting SAMLv2 | SAMLv2 keystore issues (see page 341) | Abhay Chokshi
Service packs and patches (see page 17) | Patch 3 for version 8.1.00: 8.1.00.03 (see page 17) | Prachi Kalyani
What's new (see page 12) | Documentation updates after release (see page 20) | Abhay Chokshi
Service packs and patches (see page 17) | Patch 2 for version 8.1.00: 8.1.00.02 (see page 18) | Abhay Chokshi
Navigating the interface | Server Configuration Editor (see page 237) | Abhay Chokshi
Navigating the interface | Agent manager | Melanie Boston
Navigating the interface | Realm Editor | Prachi Kalyani
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79) | Running a health check on the BMC Atrium Single Sign-On installation | John Stamps
Using SAMLv2 for authentication | Configuring BMC Atrium Single Sign-On as an IdP | Ruth Harris
Manually configuring mid tier for BMC Atrium Single Sign-On user authentication (see page 176) | Deployer commands for various JSP engines | Ruth Harris
Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 | Configuring BMC Atrium Single Sign-On for integration | Prachi Kalyani
Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 | Installing BMC Atrium Single Sign-On for AR System integration | Prachi Kalyani
Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 | Running a health check on the BMC Atrium Single Sign-On integration | Ruth Harris
Troubleshooting (see page 279) | Troubleshooting AR System server and Mid Tier integrations | Ruth Harris
Realm Editor | Kerberos Editor (see page 227) | Abhay Chokshi
Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 | Configuring the BMC Atrium Single Sign-On server for AR System integration (see page 183) | Abhay Chokshi
Using (see page 214) | Navigating the interface | Ruth Harris
Home (see page 11) | Using (see page 214) | Dixie Pine
Managing keystores with a keytool utility (see page 239) | Using the keytool utility (see page 241) | Hemant Baliwala
Managing nodes in a cluster (see page 273) | Resynchronizing nodes in a cluster | Ruth Harris
Integrating | Integrating BMC Atrium Orchestrator Platform (see page 209) | Abhay Chokshi
Tracking tools (see page 353) | Comments dashboard (see page 353) | Ruth Harris
Tracking tools (see page 353) | No Labels report (see page 363) | Ruth Harris
Tracking tools (see page 353) | Number of pages in space (see page 383) | Bruce Cane
Tracking tools (see page 353) | Installing and managing certificates in BMC Atrium SSO (see page 383) | Abhay Chokshi
Tracking tools (see page 353) | Installing certificates after integration with other BMC products (see page 383) | Abhay Chokshi
Managing keystores with a keytool utility (see page 239) | Generating and importing CA certificates | Abhay Chokshi
Managing keystores with a keytool utility (see page 239) | Checking the truststore for certificates | Ruth Harris
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79) | Running the SSOMidtierIntegration utility on the Mid Tier (see page 92) | Abhay Chokshi
Installing and managing certificates in BMC Atrium SSO (see page 383) | Finding intermediate CA (see page 383) | Abhay Chokshi
Installing and managing certificates in BMC Atrium SSO (see page 383) | Importing a certificate into cacerts.p12 (see page 383) | Abhay Chokshi
Installing and managing certificates in BMC Atrium SSO (see page 383) | Importing a certificate into keystore.p12 (see page 383) | Abhay Chokshi
Installing and managing certificates in BMC Atrium SSO (see page 383) | Importing certificate chains and intermediate certificates (see page 383) | Abhay Chokshi
Installing and managing certificates in BMC Atrium SSO (see page 383) | Installing certificates in HA load balancing environment (see page 383) | Abhay Chokshi
Installing and managing certificates in BMC Atrium SSO (see page 383) | Installing certificates on a standalone server (see page 383) | Abhay Chokshi
Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55) | Installing the first node for an HA cluster on a new Tomcat server (see page 57) | Abhay Chokshi
Troubleshooting Kerberos authentication (see page 333) | Chained authentication failure in Microsoft Internet Explorer (see page 338) | Abhay Chokshi
Using Kerberos for authentication (see page 132) | Reconfiguring your browser (see page 138) | Prachi Kalyani
Tracking tools (see page 353) | Enabling multiple realms (see page 372) | Dixie Pine
Realm Editor | LDAP (Active Directory) Editor (see page 223) | Abhay Chokshi
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79) | Running the SSOARIntegration utility on the AR System server (see page 88) | Abhay Chokshi

16.3 Technical Bulletin SW00448553

16.3.1 BMC Atrium Single Sign-On Version 8.1.00

March 14, 2013

Defect SW00448553

BMC Software is alerting users of BMC Atrium Single Sign-On version 8.1.00 to a workaround for defect SW00448553, which is associated with configuration replication in BMC Atrium Single Sign-On High Availability (HA) configurations. This technical bulletin describes how to implement the workaround. If you have any questions about the workaround, contact BMC Software Customer Support at 800 537 1813 (United States or Canada) or call your local support center.

Issue (see page 369)
Workaround procedure (see page 369)
Workaround scripts (see page 370)
Where to get the latest product information (see page 372)

16.3.2 Issue

In a BMC Atrium Single Sign-On High Availability (HA) configuration, replication of configuration modules does not work correctly.

16.3.3 Workaround procedure

When multiple nodes are used as a primary server in a BMC Atrium Single Sign-On High Availability configuration, do the following:

1. Disable replication on all of the BMC Atrium Single Sign-On servers in the HA cluster by using the dereplicate.bat script.
2. Log on to each BMC Atrium Single Sign-On server in the HA cluster and review the HA Node list in the BMC Atrium SSO Admin Console.
3. Select the BMC Atrium Single Sign-On server that lists all the nodes as the primary server. If more than one server lists all of the nodes, select any one of them as the primary server.
4. Stop all the BMC Atrium Single Sign-On servers in the HA cluster except the primary server that you selected.
5. Back up the primary server by using the backup.bat script.
6. Restore the primary server by using the restore.bat script. Run this script on all BMC Atrium Single Sign-On servers in the HA cluster.
7. Repeat steps 4 through 6 whenever you change the configuration on the primary server.

The following three scripts are used for this workaround:

dereplicate.bat: Disables replication on all servers in the HA cluster.
backup.bat: Backs up the primary server.
restore.bat: Restores the primary server.

16.3.4 Workaround scripts

dereplicate.bat script

@rem Location of the BMC Atrium SSO installation and of the embedded OpenDS tools
set ATRIUM_SSO_DIR=D:\APPS\BMC Software\AtriumSSO
set OPENDS_DIR=%ATRIUM_SSO_DIR%\tomcat\webapps\atriumsso\WEB-INF\config\opends
set DSREPLICATION_PATH=%OPENDS_DIR%\bat\dsreplication.bat
@rem Directory Manager password and the admin port of each node in the HA cluster
set PASSWORD=admin123
set HOST1=kbp1-dhp-f48202.synapse.com
set ADMIN_PORT1=40444
set REPL_PORT1=40636
set HOST2=kbp1-dhp-f48202.synapse.com
set ADMIN_PORT2=41444
set REPL_PORT2=41636
@rem Disable all replication on each node (-X trusts the server certificate, -n runs without prompting)
call "%DSREPLICATION_PATH%" disable --disableAll -h %HOST1% -p %ADMIN_PORT1% --bindDN "cn=Directory Manager" --adminPassword %PASSWORD% -X -n
call "%DSREPLICATION_PATH%" disable --disableAll -h %HOST2% -p %ADMIN_PORT2% --bindDN "cn=Directory Manager" --adminPassword %PASSWORD% -X -n

backup.bat script

set ATRIUM_SSO_DIR=D:\APPS\BMC Software\AtriumSSO
set OPENDS_DIR=%ATRIUM_SSO_DIR%\tomcat\webapps\atriumsso\WEB-INF\config\opends
set DESTINATION_EXEC_DIR=%OPENDS_DIR%\bat
@rem
@rem ******************************************************************************************
@rem Set the BACKUP_DIR to a drive that all members of the HA environment can access
@rem ******************************************************************************************
@rem
set BACKUP_DIR=\atsso_opends_clone
set SOURCE_HOST=kbp1-dhp-f48202.synapse.com
set SOURCE_ADMIN_PORT=40444
set PASSWORD=admin123
@rem the previous backup in BACKUP_DIR is removed before the new one is taken
rd "%BACKUP_DIR%" /S /Q
@rem online backup of the userRoot backend over the administration port
call "%DESTINATION_EXEC_DIR%\backup" --backendID userRoot --backupDirectory "%BACKUP_DIR%" -h %SOURCE_HOST% -p %SOURCE_ADMIN_PORT% -D "cn=directory manager" -w %PASSWORD% --hash -X

restore.bat script

set ATRIUM_SSO_DIR=D:\APPS\BMC Software\AtriumSSO
set OPENDS_DIR=%ATRIUM_SSO_DIR%\tomcat\webapps\atriumsso\WEB-INF\config\opends
set DESTINATION_EXEC_DIR=%OPENDS_DIR%\bat
@rem
@rem ******************************************************************************************
@rem Set the BACKUP_DIR to the primary server's mapped drive
@rem e.g., map the primary server location to Z:
@rem ******************************************************************************************
@rem
set BACKUP_DIR=
@rem
@rem **********************************************************
@rem Set the LOCAL_BACKUP_DIR as a folder on the current machine
@rem **********************************************************
@rem
set LOCAL_BACKUP_DIR=\atsso_opends_working_config
rd "%LOCAL_BACKUP_DIR%" /S /Q
md "%LOCAL_BACKUP_DIR%"
@rem
@rem before restoring, keep a copy of this server's current working configuration (the db folder)
@rem
cd "%LOCAL_BACKUP_DIR%" && xcopy "%OPENDS_DIR%\db" /e
@rem
@rem restore the primary server's backup into this (stopped) server's OpenDS instance
@rem
call "%DESTINATION_EXEC_DIR%\restore" --backupDirectory "%BACKUP_DIR%"

16.3.5 Where to get the latest product information To view the latest BMC product documents, see the Customer Support website at http://www.bmc.com/support. Notices, such as flashes, technical bulletins, and release notes, are available on the website. You can subscribe to proactive alerts to receive email messages when notices are issued or updated. For more information about proactive alerts, see the Customer Support website.

16.4 Enabling multiple realms

BMC Atrium Single Sign-On allows you to configure multiple realms.

Realm panel (see page 373)
To enable multiple realms (see page 374)
To create a new realm (see page 374)

The following image shows the BMC Atrium SSO Admin Console when configured for multiple realms:


16.4.1 Realm panel

For the Remedy OnDemand solution, BMC Atrium Single Sign-On allows multiple realms. In this case, the Realm panel replaces the BMC Realm panel in the BMC Atrium SSO Admin Console. The Realm panel displays each realm's name along with its user profile and status. Each realm has the same capabilities as the BmcRealm in terms of managing realm authentication, federation, user stores (AR and LDAPv3), users, and user groups.

Note
BmcRealm is the default realm and cannot be deleted.

Add launches the Create Realm Editor, which allows you to add a realm to the system.
Edit launches the Realm Editor, which allows you to manage that realm's authentication, federation, user stores (AR and LDAPv3), users, and user groups.
Delete removes the realm from the system.
Filter field displays only the realms that match your search criteria.


The following image shows a realm panel:

16.4.2 To enable multiple realms

1. Stop the BMC Atrium Single Sign-On server.
2. Edit the web.xml file of the BMC Atrium Single Sign-On web application.
3. Search for the parameter named allow.multiple.realms.
4. Change the parameter value from false to true.
5. Save and exit the file.
6. Restart the BMC Atrium Single Sign-On server. For more information about restarting the server, see Stopping and restarting the BMC Atrium Single Sign-On server (see page 279).

16.4.3 To create a new realm

1. On the Realm panel, click Add. The Create Realm Editor opens.
2. In the Realm Name field, provide a name for the new realm.
3. In the User Profile field, select a user profile.
4. Click Save.

16.5 Configuring multi-tenancy support

Writer notes (Shubhangi Apte) on April 12, 2013

Ruth Harris had documented this information on the initial page for SSO 8.1.00 Patch 2. However, when I followed up with Volodymyr Zaporozhets he said that the team will not be announcing multi-tenancy support in patch 2. The team had initially talked about disabling this feature as the plan was to deliver it to BMC Remedy OnDemand only. However, RoD later decided to wait until 8.8 for different reasons. I have removed the following content from the SSO 8.1.00 Patch 2 page and have added it under Tracking tools (in case this information is required for later releases).

16.5.1 Configuring multi-tenancy support

Patch 2 for version 8.1.00 supports multi-tenancy for Remedy OnDemand (RoD). In this deployment, BMC Atrium Single Sign-On is a shared service that runs in High Availability (HA) mode. Each customer has its own BMC Remedy Mid Tier, and each realm is mapped to the web agent of that Mid Tier. Deploying multiple realms for customers is supported through an enhanced Web Agent. To update the Web Agent without redeploying it, a script, upgrade-wa, is provided. The following diagram illustrates the deployment architecture:


The Web Agent maps the server hostname (the name the user types to reach a protected application, as sent in the HTTP Host header) to the full logon and logout URLs. The logon and logout URLs carry the information (for example, the realm name and IdP ID) that keeps the tenants separate from each other. The mapping is specified in the configuration file.

Note
When multi-tenancy support is enabled, the login and logout URLs specified in the Web Agent configuration in the BMC Atrium SSO Console are not used.

The following diagram illustrates the authentication process when the multi-tenant Web Agent is used:

Configuration file

The configuration file is a properties file that contains one record per line, in the following format:

hostname|login=URL
hostname|logout=URL

Configuration file example

pepsi.onbmc.com|login=https://sso.onbmc.com:8443/atriumsso/UI/Login?realm=/PepsiRealm
pepsi.onbmc.com|logout=https://sso.onbmc.com:8443/atriumsso/UI/Logout?realm=/PepsiRealm
coke.onbmc.com|login=https://sso.onbmc.com:8443/atriumsso/UI/Login?realm=/CokeRealm
coke.onbmc.com|logout=https://sso.onbmc.com:8443/atriumsso/UI/Logout?realm=/CokeRealm

To enable multi-tenancy support

1. Place the multitenancy.cfg.properties file (in build #24 and below, the file is named multitenancy.cfg.poperties instead) in the WebAgent configuration directory (for example, atssoAgents/).
2. Disable the FQDN check in the WebAgent configuration properties in the Atrium SSO console.


To disable multi-tenancy support

Remove the configuration file.

Note
It is not necessary to restart the container that hosts the WebAgent when enabling or disabling multi-tenancy support or when changing its configuration. The WebAgent periodically polls its configuration file. The poll interval is configured with the atsso.server.check.delay system property; the default is 2 minutes.

Web agent script

A script for updating the web agent without redeployment is provided as part of the BMC Atrium Single Sign-On 8.1.00 Patch 2 release. The script is located in the upgrade folder of webagent.zip, with both Microsoft Windows (.bat) and Linux (.sh) versions available.

Note
The upgrade folder contains a README.txt file with the following content:

You can use the upgrade-wa script to upgrade WebAgent libraries without WebAgent re-deployment.

Usage
upgrade-wa [upgrade_lib_path] webapp_path

Parameters
upgrade_lib_path: Path to the libraries that are used during the upgrade (optional)
webapp_path: Path to the web application with the deployed WebAgent (required)

Load balancer configuration

The load balancer is placed in front of the WebAgent (that is, in front of the Mid Tier), not in front of Atrium SSO. The load balancer must preserve the HTTP Host header when it forwards requests to the back-end servers, because the WebAgent selects the tenant's login and logout URLs from that header. In Apache httpd this is configured in httpd.conf:

Add or replace the ProxyPreserveHost On directive in each VirtualHost section that proxies to a Mid Tier.
Add or replace the DefaultType None directive in the global configuration.

httpd.conf

. . .
ProxyPreserveHost On
. . .

. . .
DefaultType None
. . .

Because the tenant is chosen from the client-supplied Host header and the WebAgent FQDN check is disabled for multi-tenancy, configure the load balancer to accept only the tenant host names listed in the mapping file (for Apache httpd, the ServerName and ServerAlias of each VirtualHost), so that a request with an unexpected Host value is rejected at the load balancer rather than forwarded.
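The following Python example is added here and is not BMC's WebAgent code. It parses the mapping file format described above into a host-to-URL table, resolves a request's Host header against it (the lookup that the load balancer's ProxyPreserveHost setting exists to feed), and re-reads the file when it changes, as the page says the WebAgent polls its file. The function names, the allowed_sso_hosts allow-list, the https requirement, the rule that an unknown host resolves to nothing rather than to a default realm, and the keep-last-good-mapping behaviour are this example's own assumptions; the sample file content is constructed from the tenant names on the page.

```python
# Resolve a tenant's Atrium SSO login/logout URLs from a multitenancy.cfg.properties-style file.
# Added example, not BMC WebAgent code; the validation rules below are assumptions, not BMC behaviour.
import os
import re
from urllib.parse import urlsplit

# Constructed sample using the tenant names from the page.
SAMPLE_CONFIG = """\
# tenant host -> SSO URL (constructed sample)
pepsi.onbmc.com|login=https://sso.onbmc.com:8443/atriumsso/UI/Login?realm=/PepsiRealm
pepsi.onbmc.com|logout=https://sso.onbmc.com:8443/atriumsso/UI/Logout?realm=/PepsiRealm
coke.onbmc.com|login=https://sso.onbmc.com:8443/atriumsso/UI/Login?realm=/CokeRealm
coke.onbmc.com|logout=https://sso.onbmc.com:8443/atriumsso/UI/Logout?realm=/CokeRealm
"""

# hostname|login=URL or hostname|logout=URL; the hostname may not contain '|', '#' or whitespace
_RECORD = re.compile(r"^([^|#\s]+)\|(login|logout)=(\S+)$")


class ConfigError(ValueError):
    """A malformed or unsafe mapping file."""


def parse_config(text, allowed_sso_hosts):
    """Parse mapping text into {tenant_host: {"login": url, "logout": url}}.
    allowed_sso_hosts is an assumed allow-list of hosts the URLs may point at."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RECORD.match(line)
        if m is None:
            raise ConfigError(f"line {lineno}: expected host|login=URL or host|logout=URL")
        host, kind, url = m.group(1).lower(), m.group(2), m.group(3)
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname not in allowed_sso_hosts:
            raise ConfigError(f"line {lineno}: {kind} URL must be https on an allowed SSO host")
        entry = mapping.setdefault(host, {})
        if kind in entry:
            raise ConfigError(f"line {lineno}: duplicate {kind} record for {host}")
        entry[kind] = url
    for host, entry in mapping.items():
        if set(entry) != {"login", "logout"}:
            raise ConfigError(f"{host}: both a login and a logout record are required")
    return mapping


def check_config(text, allowed_sso_hosts):
    """Return None when the text parses cleanly, otherwise the error message."""
    try:
        parse_config(text, allowed_sso_hosts)
        return None
    except ConfigError as exc:
        return str(exc)


def host_from_header(host_header):
    """Reduce an HTTP Host header to a bare lower-case hostname: no port, no trailing dot."""
    if not host_header:
        return None
    value = host_header.strip().lower()
    if value.startswith("["):                 # IPv6 literal such as [::1]:8080
        end = value.find("]")
        return value[1:end] if end > 1 else None
    return value.split(":", 1)[0].rstrip(".") or None


def resolve(mapping, host_header):
    """Return the tenant's {"login", "logout"} URLs for a request Host header, or None when
    the host is not a configured tenant; the caller must not fall back to a default realm."""
    host = host_from_header(host_header)
    return mapping.get(host) if host else None


class TenantMap:
    """Re-read the mapping file when its mtime changes (the page says the WebAgent polls it).
    A missing file means multi-tenancy is disabled, so the map becomes empty; a file that
    fails validation leaves the last good mapping in place instead of clearing it."""

    def __init__(self, path, allowed_sso_hosts):
        self.path = path
        self.allowed_sso_hosts = allowed_sso_hosts
        self._mtime = None
        self._mapping = {}

    def current(self):
        try:
            mtime = os.stat(self.path).st_mtime
        except FileNotFoundError:
            self._mtime, self._mapping = None, {}
            return self._mapping
        if mtime != self._mtime:
            with open(self.path, encoding="utf-8") as fh:
                text = fh.read()
            try:
                self._mapping = parse_config(text, self.allowed_sso_hosts)
            except ConfigError:
                pass                          # keep the last good mapping; log this in real code
            self._mtime = mtime
        return self._mapping
```

A WebAgent-style caller would construct TenantMap("atssoAgents/multitenancy.cfg.properties", {"sso.onbmc.com"}) once, call current() on each request, and redirect to resolve(...)["login"]; when resolve returns None the request should be refused, because with the FQDN check disabled the Host header is the only thing that ties a request to a tenant.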

16.6 Overview steps to install and configure HA Load-Balancing environment with SSO

This topic provides a high-level road map for installing and configuring a high-availability (HA) load-balancing server group environment with SSO. Click the links to drill down to more specific instructions.

1. Create a comprehensive list of all the computers in your environment. For example, list all your load balancers, AR System servers, Mid Tiers, SSO servers, and so on. Create a list in a text file for each server with its IP address and all accepted fully qualified names.
2. Set up your load balancers.
   a. Configure the AR System server load balancer with all your servers in the server group. Make sure that it includes all the computers on which you will install AR System servers. Otherwise, you encounter various errors when you configure the Mid Tier to use the AR System server load balancer (see page 381).
   b. Configure the Mid Tier load balancer. Make sure that it includes all the computers on which you will install Mid Tiers.
   c. Configure the SSO server load balancer. Make sure that it includes all the computers on which you will install SSO servers.
3. Install the server group.
   a. Install the first AR System server.
   b. Install the first Mid Tier.
   c. Obtain BMC Remedy license keys.
   d. Test the Mid Tier in your server group. This step is temporary, to test the installation of the first AR System server.
   e. Configure the first server to be a server group member.
   f. Test and confirm that the first server is working properly.
   g. Install the next AR System server in the server group.
   h. Configure the next server for the server group.
   i. Configure the Mid Tier to include all the AR System servers you just installed. This step is temporary, to test the installations of the remaining AR System servers.
   j. Test and confirm that the current server is working properly. Use the AR System Server Group Operation Ranking form to distribute the load between the AR System servers and the load balancer.
   k. Configure the Mid Tier to use the AR System server load balancer. Remove the first AR System server from the Mid Tier and add the name of the virtual host of the AR System server load balancer (for example, remedyssoservergroup).
   l. Log on to the Mid Tier. Make sure that the Mid Tier resolves to the AR System server load balancer. You should be able to access, for example, the BMC Remedy AR System Administration Console.
   m. Install the remaining Mid Tiers for your environment.
4. Configure the Mid Tier load balancer with all your Mid Tiers in the server group. When you log on to the Mid Tier load balancer, it should resolve to the AR System server load balancer.
5. Install the SSO servers.
   a. Install BMC Atrium Single Sign-On.
   b. Manage the AR System users and groups for authentication (see page 97).
   c. Run the SSOARIntegration utility on the AR System server (see page 88).
   d. Run the SSOMidtierIntegration utility on the Mid Tier (see page 92). You configure the SSO AREA plug-in with a Java plug-in entry, along with other External Authentication parameters.
6. Define additional SSO authentication methods.


16.8 Installing and managing certificates in BMC Atrium SSO This page has not been approved for publication.

16.8.1 Installing certificates on a standalone server This page has not been approved for publication.

16.8.2 Installing certificates in HA load balancing environment This page has not been approved for publication.

16.8.3 Importing a certificate into keystore.p12 This page has not been approved for publication.

16.8.4 Importing a certificate into cacerts.p12 This page has not been approved for publication.

16.8.5 Finding intermediate CA This page has not been approved for publication.

16.8.6 Importing certificate chains and intermediate certificates This page has not been approved for publication.

16.9 Installing certificates after integration with other BMC products This page has not been approved for publication.


Index

a adding 248 administration 263, 264, 268, 271, 273, 275 agents 263, 275, 279, 331 ar 97 architecture 20 ar system 320 authentication 97, 132, 263, 271, 320, 326, 333 authentication chains 263 authentication modules 271

b bmc analytics 199 bmc atrium sso 11, 79, 284, 331 bmc capacity optimization 207 bmc dashboards 198 bmc internal 353, 369, 378 bmc itbm 204, 205 bmc proactivenet 200 bmc remedy ar system 31, 79, 97 bulkfederation 157

c ca 248 cac 326 ca certificates 239 certificates 20, 239, 243, 246, 248, 249 ciphers 257 configuration 132, 251, 276 configuring jvm 77 console 22 conversion 251, 256 cookie domain 20

csr 246 customer support 351

d data 260 deployment 20, 31 diagnostics 279, 281 downloads 44

e errors 279, 285 external tomcat 72

f features 12 federating 157, 263 fips 251, 251, 256, 257, 258 fips 140 251, 251, 256, 257, 258 fixes 12, 17, 19

g generate csr 246 group membership 264 groups 97, 263, 268

h ha 20, 55, 112, 263, 273 high availability 20, 55, 112, 263, 273 home 11

i import 243 importing certificates 246

installation 40, 42, 48, 50, 55, 72, 79, 112 integration 198, 199, 200, 204, 205, 207 issues 12, 17, 19

j jboss 331 jee 20, 279, 331

k kerberos 132, 333 keystore 239, 240 keytool 239

l ldap 260 licensing 12 linux 117 logs 282, 284

m mid tier 31, 79 monitoring 256

n network ciphers 257 new 12, 17, 19 nodes 263, 273 normal mode 258

o openam 22


p passwords 20 patches 12, 17, 19 pdfs 352 planning 29 prerequisites 42 product agents 275

r realms 20 reference 31, 351 release notes 12 rsa api properties 284

s saml 31 self signed 249 server 77 session behavior 20, 24 session parameters 263, 276 setting http connection 78 silent 112 sso 11, 22 sso server 263, 279 starting 279 stopping 279 store 260 supported 351

t tomcat 77, 331 troubleshooting 279, 320, 326, 331, 333 truststore 239, 243

u

uninstalling 112, 117 unix 117 updates 12, 17, 19 user 260, 263 user accounts 157, 263 user groups 268 users 97, 264

v versions 351

w weblogic 331 websphere 205, 331 windows 117

© Copyright 2013 BMC Software, Inc. © Copyright 2013 BladeLogic, Inc. BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other BMC trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. All other trademarks or registered trademarks are the property of their respective owners. BladeLogic and the BladeLogic logo are the exclusive properties of BladeLogic, Inc. The BladeLogic trademark is registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other BladeLogic trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. All other trademarks or registered trademarks are the property of their respective owners. All Cisco trademarks that are referred to or displayed in the space are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All IBM trademarks that are referred to or displayed in the space are trademarks of International Business Machines Corporation in the United States, other countries, or both. IT Infrastructure Library® is a registered trade mark of the Cabinet Office. ITIL® is a registered trade mark of the Cabinet Office. Linux is the registered trademark of Linus Torvalds. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. PinkVERIFY and PinkVERIFY logo Trademark Pink Elephant. Used under license from Pink Elephant. All SAP trademarks that are referred to or displayed in the document are trademarks or registered trademarks of SAP AG in Germany and in several other countries. 
UNIX is the registered trademark of The Open Group in the US and other countries.


The information included in this documentation is the proprietary and confidential information of BMC Software, Inc., its affiliates, or licensors. Your use of this information is subject to the terms and conditions of the applicable End User License agreement for the product and to the proprietary and restricted rights notices included in the product documentation. Restricted rights legend U.S. Government Restricted Rights to Computer Software. UNPUBLISHED—RIGHTS RESERVED UNDER THE COPYRIGHT LAWS OF THE UNITED STATES. Use, duplication, or disclosure of any data and computer software by the U.S. Government is subject to restrictions, as applicable, set forth in FAR Section 52.227-14, DFARS 252.227-7013, DFARS 252.227-7014, DFARS 252.227-7015, and DFARS 252.227-7025, as amended from time to time. Contractor/Manufacturer is BMC SOFTWARE INC, 2101 CITYWEST BLVD, HOUSTON TX 77042-2827, USA. Any contract notices should be sent to this address. BMC Software Inc. 2101 CityWest Blvd, Houston TX 77042-2827, USA 713 918 8800 Customer Support: 800 537 1813 or contact your local support center
