July 17, 2016 | Author: mrinalsinha08 | Category: N/A
BMC Software Confidential
BMC Atrium Single Sign-On 8.1
Home
Date: 16-Jan-2014 15:56
URL: https://docs.bmc.com/docs/display/sso81/Home
Table of Contents

1 Featured content ____ 12
2 About BMC Atrium Single Sign-On ____ 12
3 What's new ____ 12
3.1 Version 8.1.00 ____ 14
3.1.1 Redesigned user interface ____ 15
3.1.2 Predefined authentication module ____ 15
3.1.3 New utility to simplify BMC Atrium Single Sign-On and AR System integration ____ 15
3.1.4 BMC Atrium Orchestrator Platform integration ____ 16
3.1.5 Click jacking prevention ____ 16
3.2 License entitlements ____ 16
3.3 Service packs and patches ____ 17
3.3.1 Patch 3 for version 8.1.00: 8.1.00.03 ____ 17
3.3.2 Patch 2 for version 8.1.00: 8.1.00.02 ____ 18
3.3.3 Patch 1 for version 8.1.00: 8.1.00.01 ____ 19
3.4 Documentation updates after release ____ 20
3.4.1 Added BMC Mobility integration documentation ____ 20
3.4.2 Added BMC EUEM integration documentation ____ 20
4 Key concepts ____ 20
4.1 BMC Atrium Single Sign-On architecture ____ 21
4.2 BMC Atrium Single Sign-On and OpenAM ____ 22
4.2.1 OpenAM technologies ____ 22
4.2.2 Atrium Single Sign-On user console access ____ 23
4.3 Administrator password ____ 23
4.4 Default cookie domain ____ 23
4.5 Log on and log off behavior ____ 24
4.6 Certificates ____ 25
4.6.1 Certificate Signing Request ____ 25
4.6.2 New CA certificates ____ 26
4.6.3 Related topics ____ 26
4.7 Authentication chaining ____ 26
4.7.1 Authentication chaining example ____ 27
4.8 High Availability deployment ____ 28
4.9 JEE filter-based agents ____ 29
5 Planning ____ 29
5.1 Checking the compatibility matrix for system requirements and supported configurations ____ 30
5.1.1 To access the compatibility matrixes ____ 30
5.2 End-to-end BMC Atrium Single Sign-On procedure ____ 30
5.3 BMC Atrium Single Sign-On using SAMLv2 deployment example ____ 31
5.3.1 Business value ____ 32
5.3.2 Federated authentication and SAML ____ 32
5.3.3 Deployment architecture ____ 33
5.3.4 Deployment model ____ 35
5.3.5 Deployment tasks ____ 37
5.3.6 Deployment parameters ____ 38
5.3.7 Related topics ____ 40
6 Installing ____ 40
6.1 Preparing for installation ____ 42
6.1.1 Prerequisites for installation ____ 42
6.1.2 Downloading the installation files ____ 44
6.2 Installation options ____ 48
6.3 Configuring Terminal Services and DEP parameters ____ 48
6.3.1 To update Terminal Services configuration options for Windows Server 2008 ____ 48
6.4 Installing BMC Atrium Single Sign-On as a standalone ____ 50
6.4.1 Before you begin ____ 51
6.4.2 To install BMC Atrium Single Sign-On as a standalone ____ 51
6.4.3 Where to go from here ____ 54
6.5 Installing BMC Atrium Single Sign-On as a High Availability cluster ____ 55
6.5.1 HA prerequisites ____ 56
6.5.2 HA pre-installation tasks ____ 56
6.5.3 To install BMC Atrium Single Sign-On as an HA cluster ____ 56
6.5.4 HA post-installation activities ____ 57
6.5.5 Installing the first node for an HA cluster on a new Tomcat server ____ 57
6.5.6 Installing additional nodes for an HA cluster on a new Tomcat server ____ 63
6.5.7 Installing the first node for an HA cluster on an external Tomcat server ____ 68
6.5.8 Installing additional nodes for an HA cluster on an external Tomcat server ____ 70
6.6 Installing BMC Atrium Single Sign-On on an external Tomcat server ____ 72
6.6.1 Before you begin ____ 73
6.6.2 To install BMC Atrium Single Sign-On on an external Tomcat server ____ 73
6.6.3 Where to go from here ____ 74
6.6.4 Policy file additions for external Tomcat installations ____ 75
6.6.5 JVM parameter additions for external Tomcat installations ____ 76
6.6.6 Configuring an external Tomcat instance for FIPS-140 ____ 76
6.6.7 Configuring a JVM for the Tomcat Server ____ 77
6.6.8 Setting an HTTPS connection ____ 78
6.7 Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier ____ 79
6.7.1 Installing video ____ 80
6.7.2 Overview of installation steps ____ 80
6.7.3 Related topics ____ 81
6.7.4 Installing BMC Atrium Single Sign-On ____ 81
6.7.5 Installing or upgrading AR System server ____ 84
6.7.6 Installing or upgrading BMC Remedy Mid Tier ____ 86
6.7.7 Running the SSOARIntegration utility on the AR System server ____ 88
6.7.8 Reviewing AR server external authentication settings and configuring group mapping ____ 91
6.7.9 Running the SSOMidtierIntegration utility on the Mid Tier ____ 92
6.7.10 Managing the AR System users and groups for authentication ____ 97
6.7.11 Running a health check on the BMC Atrium Single Sign-On installation ____ 109
6.8 Installing silently ____ 112
6.8.1 Running the installer in silent mode ____ 114
6.8.2 Uninstalling in silent mode ____ 114
6.8.3 Example options.txt file ____ 114
6.9 Uninstalling BMC Atrium Single Sign-On ____ 117
6.9.1 Running the uninstaller on Windows ____ 117
6.9.2 Running the uninstaller on Solaris or Linux ____ 117
6.9.3 Invocation error during uninstallation ____ 118
7 Configuring after installation ____ 119
7.1 To set up a method for authentication ____ 120
7.2 SAMLv2 authentication ____ 121
7.3 Predefined authentication module ____ 121
7.4 User Profile panel ____ 122
7.5 Authentication chaining ____ 122
7.6 Authentication chaining flags ____ 122
7.7 Where to go from here ____ 122
7.8 Using AR for authentication ____ 122
7.8.1 Before you begin ____ 123
7.8.2 To configure an AR module ____ 123
7.8.3 To configure an AR user store ____ 124
7.9 Using CAC for authentication ____ 126
7.9.1 CAC certificate usage ____ 126
7.9.2 To set up CAC to use for authentication ____ 127
7.9.3 Modify the Tomcat server ____ 127
7.9.4 Import DoD CA certificates ____ 128
7.9.5 To import certificates ____ 128
7.9.6 Set up CAC certificates ____ 129
7.9.7 If using OCSP, enable OCSP for the server ____ 131
7.9.8 Where to go from here ____ 131
7.9.9 Related topics ____ 132
7.10 Using Kerberos for authentication ____ 132
7.10.1 Configuring Kerberos video ____ 133
7.10.2 Before you begin ____ 133
7.10.3 To set up Kerberos to use for authentication ____ 133
7.10.4 Where to go from here ____ 133
7.10.5 Generating a keytab for the service principal and mapping the Kerberos service name ____ 134
7.10.6 Configuring the Kerberos module ____ 136
7.10.7 Reconfiguring your browser ____ 138
7.11 Using LDAP (Active Directory) for authentication ____ 138
7.11.1 Before you begin ____ 139
7.11.2 To set up LDAP (AD) for authentication ____ 139
7.11.3 LDAP (AD) parameters ____ 139
7.11.4 Where to go from here ____ 141
7.12 Using RSA SecurID for authentication ____ 141
7.12.1 To configure the SecurID module ____ 141
7.12.2 SecurID parameters ____ 142
7.12.3 To modify the rsa_api.properties file ____ 142
7.12.4 Where to go from here ____ 143
7.13 Using SAMLv2 for authentication ____ 143
7.13.1 Configuring SAML V2 video ____ 144
7.13.2 SAMLv2 configuration options ____ 144
7.13.3 SAMLv2 implementation ____ 144
7.13.4 Typical SAMLv2 deployment ____ 145
7.13.5 Typical SAMLv2 deployment architecture ____ 145
7.13.6 Related topics ____ 146
7.13.7 Configuring BMC Atrium Single Sign-On as an SP ____ 146
7.13.8 Configuring BMC Atrium Single Sign-On as an IdP ____ 153
7.13.9 Federating user accounts in bulk ____ 157
8 Upgrading ____ 165
8.1 To upgrade BMC Atrium Single Sign-On ____ 166
8.2 To upgrade BMC Atrium Single Sign-On in silent mode ____ 166
8.3 Preparing to upgrade BMC Analytics for BSM ____ 166
8.3.1 To remove the J2EE agent for BMC Analytics for BSM ____ 166
8.4 Upgrading HA nodes ____ 167
8.4.1 To upgrade HA nodes ____ 167
9 Integrating ____ 168
9.1 Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 ____ 169
9.1.1 Configuring external authentication for AR System integration ____ 170
9.1.2 Installing BMC Atrium Single Sign-On for AR System integration ____ 171
9.1.3 Configuring BMC Atrium Single Sign-On for integration ____ 173
9.1.4 Manually configuring mid tier for BMC Atrium Single Sign-On user authentication ____ 176
9.1.5 Configuring the BMC Atrium Single Sign-On server for AR System integration ____ 183
9.1.6 Running a health check on the BMC Atrium Single Sign-On integration ____ 195
9.2 Integrating BMC Dashboards for BSM ____ 198
9.2.1 Before you begin ____ 198
9.2.2 To integrate BMC Dashboards for BSM ____ 199
9.3 Integrating BMC Analytics for BSM ____ 199
9.3.1 Before you begin ____ 199
9.3.2 To integrate BMC Analytics for BSM ____ 200
9.4 Integrating BMC ProactiveNet ____ 200
9.4.1 Before you begin ____ 200
9.4.2 To integrate BMC ProactiveNet during installation ____ 201
9.4.3 To integrate BMC ProactiveNet after installation ____ 201
9.4.4 To define users and groups ____ 202
9.4.5 To create new users ____ 202
9.4.6 To assign users to user groups ____ 203
9.4.7 To clean up Web Agent entries when the BMC ProactiveNet Server is uninstalled ____ 203
9.5 Integrating BMC IT Business Management Suite ____ 204
9.5.1 Before you begin ____ 204
9.5.2 To integrate BMC IT Business Management Suite ____ 204
9.6 Integrating BMC ITBM and WebSphere application server ____ 205
9.6.1 Before you begin ____ 205
9.6.2 To configure the WebSphere application server to work with the BMC Atrium Single Sign-On server ____ 205
9.7 Integrating BMC Capacity Optimization ____ 207
9.7.1 Before you begin ____ 208
9.7.2 To integrate BMC Capacity Optimization ____ 208
9.8 Integrating BMC Atrium Orchestrator Platform ____ 209
9.8.1 Before you begin ____ 210
9.8.2 BMC Atrium Orchestrator Platform installation worksheet ____ 210
9.8.3 Where to go from here ____ 212
9.9 Integrating BMC Real End User Experience Monitoring ____ 212
9.9.1 Preparing BMC Atrium SSO server for integration ____ 212
9.9.2 Preparing the Console component for the BMC Atrium SSO integration ____ 212
9.10 Integrating BMC Mobility for ITSM 8.1.00 ____ 212
9.10.1 Before you begin ____ 212
9.10.2 Limitations ____ 213
9.10.3 Integrating BMC Mobility to support SAML authentication ____ 213
9.10.4 Related Topics ____ 214
10 Using ____ 214
10.1 Navigating the interface ____ 215
10.1.1 Editor options ____ 215
10.1.2 Status panel ____ 215
10.1.3 BMC Realm panel ____ 216
10.1.4 Sessions panel ____ 216
10.1.5 Realm Editor ____ 216
10.1.6 Agent manager ____ 233
10.1.7 HA Nodes manager ____ 234
10.1.8 Server Configuration Editor ____ 237
10.2 Managing keystores with a keytool utility ____ 239
10.2.1 Creating new keystores ____ 240
10.2.2 Using the keytool utility ____ 241
10.2.3 Importing a certificate into the truststore ____ 243
10.2.4 Generating and importing CA certificates ____ 245
10.2.5 Generating self-signed certificates ____ 249
10.2.6 Checking the truststore for certificates ____ 250
10.3 Configuring FIPS-140 mode ____ 251
10.3.1 Converting to FIPS-140 mode ____ 251
10.3.2 Monitoring FIPS-140 and normal mode conversions ____ 256
10.3.3 Changing FIPS-140 network ciphers ____ 257
10.3.4 Converting from FIPS-140 to normal mode ____ 258
10.4 Using an external LDAP user store ____ 260
10.4.1 To create an external LDAP user store ____ 261
10.4.2 To modify an existing external LDAP user store ____ 261
10.4.3 LDAPv3 User Store parameters ____ 261
10.4.4 General tab ____ 261
10.4.5 Search tab ____ 262
11 Administering ____ 263
11.1 Managing users ____ 264
11.1.1 To access the User page ____ 265
11.1.2 To add a new user ____ 265
11.1.3 To search for users ____ 266
11.1.4 To delete users ____ 266
11.1.5 To modify user information ____ 266
11.1.6 To enable or disable a user account ____ 266
11.1.7 To add a group membership to a user account ____ 267
11.1.8 To remove a group membership from a user account ____ 267
11.1.9 To view user sessions ____ 267
11.1.10 To terminate an active user session ____ 268
11.2 Managing user groups ____ 268
11.2.1 To access the Group page ____ 269
11.2.2 To create a new group ____ 269
11.2.3 To delete a group ____ 269
11.2.4 To assign a group membership ____ 270
11.2.5 To remove users from a group ____ 270
11.3 Managing authentication modules ____ 271
11.3.1 To manage authentication modules ____ 271
11.3.2 To create a new module ____ 271
11.3.3 To edit a module ____ 271
11.3.4 To delete a module ____ 272
11.3.5 To change the criteria for a module ____ 272
11.3.6 To reorder the modules in a chain ____ 272
11.4 Managing nodes in a cluster ____ 273
11.4.1 To modify the server configuration on a node ____ 273
11.4.2 To delete a node from the cluster ____ 273
11.4.3 Resynchronizing nodes in a cluster ____ 273
11.4.4 Starting nodes in a cluster ____ 274
11.4.5 Stopping nodes in a cluster ____ 274
11.5 Managing agents ____ 275
11.5.1 To edit an agent account ____ 275
11.5.2 To delete an agent account ____ 275
11.6 Managing the server configuration ____ 276
11.6.1 To modify the server configuration ____ 276
11.6.2 Server configuration parameters ____ 276
11.6.3 Server Configuration Editor parameters ____ 276
11.6.4 HTTP Only and HTTPS Only ____ 277
11.6.5 Session parameter defaults ____ 278
11.7 Stopping and restarting the BMC Atrium Single Sign-On server ____ 279
11.7.1 Stopping and restarting on Windows ____ 279
11.7.2 Stopping and restarting on UNIX or Linux ____ 279
12 Troubleshooting ____ 279
12.1 Collecting diagnostics ____ 281
12.1.1 To run the support utility ____ 282
12.1.2 Support utility location ____ 282
12.1.3 Log file locations ____ 282
12.1.4 Using BMC Atrium Single Sign-On for logging ____ 284
12.2 Working with error messages ____ 285
12.3 Logon and logoff issues ____ 316
12.3.1 Automatic IdP logon behavior ____ 316
12.3.2 URL re-direct issues ____ 316
12.4 Upgrading from 7.6.04 to 8.1 silent installation issue ____ 317
12.4.1 Upgrading without specifying the host name ____ 319
12.4.2 Upgrading by re-defining the host name ____ 319
12.5 Troubleshooting AR authentication ____ 320
12.5.1 User has no profile in this organization ____ 320
12.5.2 Error saving user or group edits ____ 321
12.5.3 Error in SAML Authentication when Auto Federation is enabled ____ 321
12.6 Troubleshooting AR System server and Mid Tier integrations ____ 321
12.6.1 Manually running the SSOARIntegration utility on the AR System server ____ 321
12.6.2 Manually running the SSOMidtierIntegration utility on the AR System server ____ 323
12.7 Troubleshooting CAC authentication ____ 326
12.7.1 Example of a default logging level error ____ 327
12.7.2 Example of a debug log error when a certificate is not available ____ 327
12.7.3 Changing the clientAuth setting ____ 328
12.7.4 Turning on network debug logging ____ 328
12.7.5 Example of a client not responding with a certificate ____ 329
12.7.6 Example of a client sending a certificate ____ 329
12.7.7 Example of a list of certificates sent to the client ____ 330
12.7.8 Example of URL certificate authentication not enabled ____ 330
12.7.9 Example of OCSP certificate failure ____ 331
12.7.10 Clock skew too great for CAC authentication ____ 331
12.8 Troubleshooting FIPS-140 conversion ____ 331
12.9 Troubleshooting JEE agents ____ 331
12.9.1 To remove a JEE agent from BMC Atrium Single Sign-On ____ 332
12.9.2 To remove a JEE agent from WebSphere ____ 332
12.9.3 To remove a JEE agent from Tomcat ____ 332
12.9.4 To remove a JEE agent from JBoss or WebLogic ____ 333
12.10 Troubleshooting Kerberos authentication ____ 333
12.10.1 Invalid user name for Kerberos authentication ____ 334
12.10.2 Invalid service principal name for Kerberos authentication ____ 334
12.10.3 Invalid keytab index number for Kerberos authentication ____ 335
12.10.4 Invalid password for Kerberos authentication ____ 335
12.10.5 Incorrect server name for Kerberos authentication ____ 335
12.10.6 Browser sending NTLM instead of Kerberos ____ 336
12.10.7 Browser not correctly configured for Kerberos authentication ____ 337
12.10.8 Clock skew too great for Kerberos authentication ____ 338
12.10.9 Chained authentication failure in Microsoft Internet Explorer ____ 338
12.11 Troubleshooting an external LDAP user store ____ 339
12.11.1 No users in User tab ____ 339
12.11.2 No groups in Group tab ____ 339
12.12 Troubleshooting SAMLv2 ____ 340
12.12.1 IdP metadata issues ____ 341
12.12.2 SAMLv2 keystore issues ____ 341
12.12.3 Metadata issues ____ 342
12.12.4 Certificate issues ____ 342
12.13 Troubleshooting redirect URLs ____ 343
12.13.1 Modifying the load balancer (or reverse proxy) for redirect URLs ____ 343
12.13.2 Using load balancer (or reverse proxy) host names for redirect URLs ____ 344
12.13.3 Cookie name change for a HA node ____ 344
12.14 Session sharing in HA mode issue ____ 345
12.14.1 To configure point-to-point sessions sharing ____ 345
12.15 Troubleshooting installation or upgrade issues ____ 346
12.16 Resolving installation issues on LINUX operating system ____ 346
12.16.1 Installation failure due to missing libraries ____ 346
12.16.2 Installation failure due to low level of entropy ____ 346
13 Known and corrected issues ____ 347
13.1 Installation and upgrade issues ____ 348
13.2 Other issues ____ 350
14 Support information ____ 351
14.1 Contacting Customer Support ____ 351
14.2 Support status ____ 351
15 PDFs ____ 352
16 Tracking tools ____ 353
16.1 Comments dashboard ____ 353
16.2 Pages without labels in this space ____ 363
16.3 Technical Bulletin SW00448553 ____ 369
16.3.1 BMC Atrium Single Sign-On ____ 369
16.3.2 Issue ____ 369
16.3.3 Workaround procedure ____ 369
16.3.4 Workaround scripts ____ 370
16.3.5 Where to get the latest product information ____ 372
16.4 Enabling multiple realms ____ 372
16.4.1 Realm panel ____ 373
16.4.2 To enable multiple realms ____ 374
16.4.3 To create a new realm ____ 374
16.5 Configuring multi-tenancy support ____ 374
16.5.1 Configuring multi-tenancy support ____ 375
16.6 Overview steps to install and configure HA Load-Balancing environment with SSO ____ 378
16.7 Number of pages in space ____ 383
16.8 Installing and managing certificates in BMC Atrium SSO ____ 383
16.8.1 Installing certificates on a standalone server ____ 383
16.8.2 Installing certificates in HA load balancing environment ____ 383
16.8.3 Importing a certificate into keystore.p12 ____ 383
16.8.4 Importing a certificate into cacerts.p12 ____ 383
16.8.5 Finding intermediate CA ____ 383
16.8.6 Importing certificate chains and intermediate certificates ____ 383
16.9 Installing certificates after integration with other BMC products ____ 383
17 Index ____ 384
This space contains information about the BMC Atrium Single Sign-On 8.1 release.
1 Featured content

For information about Patch 1 for 8.1.00, see Patch 1 for version 8.1.00: 8.1.00.01 (see page 19).
For information about Patch 2 for 8.1.00, see Patch 2 for version 8.1.00: 8.1.00.02 (see page 18).
For information about Patch 3 for 8.1.00, see Patch 3 for version 8.1.00: 8.1.00.03 (see page 17).
With Patch 1 for 8.1.00, BMC Atrium Orchestrator Platform version 7.7.00 integrates with BMC Atrium Single Sign-On; see Integrating BMC Atrium Orchestrator Platform (see page 209) and the BMC Atrium Orchestrator Platform online documentation.
To understand enhancements for this release, see Version 8.1.00.
To understand key concepts associated with BMC Atrium Single Sign-On, see Key concepts (see page 20).
To review a high-level end-to-end procedure, see End-to-end BMC Atrium Single Sign-On process.
To review an end-to-end deployment example for BMC Remedy AR System and the mid tier using SAMLv2 authentication, see BMC Atrium Single Sign-On using SAMLv2 deployment example (see page 31).
To review an end-to-end deployment for BMC Remedy AR System and the mid tier using AR authentication, see Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79).
2 About BMC Atrium Single Sign-On

BMC Atrium Single Sign-On is an authentication system that supports many authentication protocols and provides single sign-on and single sign-off for users of BMC products. It allows users to present credentials only once for authentication and subsequently be automatically authenticated by every BMC product that is integrated into the system. Using these authentication methods requires that you have previously installed the BMC Atrium Single Sign-On server and configured it with an authentication server such as LDAP, RSA SecurID, or others. Not only does BMC Atrium Single Sign-On support authentication with traditional systems such as LDAP or Active Directory, it also supports integration into existing single sign-on systems. BMC Atrium Single Sign-On is the central integration point with the local enterprise systems.
3 What's new

This section provides information about what is new or changed in this space, including resolved issues, documentation updates, maintenance releases, service packs, and patches. It also provides license entitlement information for the release.
Tip To stay informed of changes to this space, place a watch on this page.
The following updates have been added since the release of the space:

Date: July 5, 2013
Title: Patch 3 for version 8.1.00: 8.1.00.03 (see page 17)
Summary: Patch 3 for version 8.1.00 provides the following updates:
HTTP Only and HTTPS Only (see page 238): The Server Configuration Editor provides two new options, HTTP Only and HTTPS Only.
Security tab: The Security tab provides the following features: Login Failure Lockout and Valid Forwarding Domains.
UserId Format (see page 227): The Kerberos Editor provides a feature for modifying the UserId format.
Starting with this release, BMC Atrium Single Sign-On provides protection against clickjacking by preventing its web pages from being embedded within another frame. Clickjacking is a technique that tricks a web user into clicking a web page link, potentially revealing confidential information or handing control of the user's computer to the intruder. When the user clicks what looks like a known web page link, the user's information is revealed to the intruder.

Title: Patch 2 for version 8.1.00: 8.1.00.02 (see page 18)
Summary: Patch 2 for version 8.1.00 provides the following updates:

Title: Patch 1 for version 8.1.00: 8.1.00.01 (see page 19)
Summary: Patch 1 for version 8.1.00 provides fixes related to BMC Atrium Single Sign-On integration with BMC Atrium Orchestrator 7.7 and other BMC products.

Title: Version 8.1.00
Summary: Version 2013.02 provides the following features:
Configuring BMC Atrium SSO in FIPS-140 Mode (see page 251)
Redesigned user interface
Predefined authentication module
New utility to simplify BMC Atrium Single Sign-On and AR System integration
BMC Atrium Orchestrator Platform integration

To obtain a full space export of the BMC Atrium Single Sign-On space, see PDFs (see page 352).
Three new videos from the February 14, 2013 BMC Software Webinars 2013 – Atrium Single Sign-On (Atrium SSO) are now available in the online documentation:
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79) provides a high-level overview as well as important tips.
Using SAMLv2 for authentication describes how to configure SAMLv2.
Using Kerberos for authentication (see page 132) describes how to configure BMC Atrium SSO to leverage Kerberos.
3.1 Version 8.1.00

BMC Atrium Single Sign-On 8.1 includes the following enhancements.
Redesigned user interface (see page 15)
Predefined authentication module (see page 15)
New utility to simplify BMC Atrium Single Sign-On and AR System integration (see page 15)
BMC Atrium Orchestrator Platform integration (see page 16)
Click jacking prevention (see page 16)
Tip For information about issues corrected in this release, see Known and corrected issues.
Version 8.1.00 was released shortly after version 8.0.00, a major release that contained significantly more enhancements. If you are considering an upgrade from a version prior to 8.0.00, you might be interested in seeing the enhancements listed in the documentation for version 8.0.00.
3.1.1 Redesigned user interface

BMC Atrium Single Sign-On 8.1 has a completely redesigned user interface. This redesign affects the majority of the BMC Atrium Single Sign-On documentation. The following image shows the BMC Atrium SSO Admin Console:

3.1.2 Predefined authentication module

To help with the configuration of BMC Atrium Single Sign-On, a predefined Internal LDAP authentication module is provided. This predefined authentication module allows you to configure your system quickly. The Internal LDAP authentication module uses the internal LDAP server as an authentication source in the authentication chain and has no parameters to configure. For more information about the Internal LDAP module, see Configuring after installation.

3.1.3 New utility to simplify BMC Atrium Single Sign-On and AR System integration

BMC Remedy AR System 8.1 introduces a new utility that greatly simplifies the integration between BMC Atrium Single Sign-On and the AR System server and Mid Tier.
The Single Sign-On integration is now removed from the AR System installer. As a result, you no longer have to follow the error-prone steps if you choose to integrate BMC Atrium Single Sign-On after you have installed the AR System server and Mid Tier. You use the same utility to integrate both the AR System server and the Mid Tier, but with slightly different inputs. For more information, see Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79).
3.1.4 BMC Atrium Orchestrator Platform integration

With this release, BMC Atrium Orchestrator Platform 7.7 uses the BMC Atrium Single Sign-On 8.1.00 (Patch 1 or later) authentication system to provide single sign-on and single sign-off. For more information about BMC Atrium Orchestrator Platform 7.7, see the BMC Atrium Orchestrator Platform 7.7 online documentation. For more information about integrating BMC Atrium Orchestrator Platform 7.7 with BMC Atrium Single Sign-On, see Integrating BMC Atrium Orchestrator Platform (see page 209).

3.1.5 Click jacking prevention

With Patch 3 for version 8.1.00: 8.1.00.03 (see page 17), click jacking prevention is added.

3.2 License entitlements

This topic explains the entitlements that apply to licenses you purchase from BMC Software. For information about restrictions to those licenses, please see your Product Order Form.
Note You can download the components mentioned herein from the Electronic Product Distribution website. Use the same user name and password that you use to access the Customer Support website.
If you do not have a current license for the components you want, contact a BMC sales representative by calling 800 793 4262. If you cannot download the components, contact a sales representative and ask for a physical kit to be shipped to you. BMC Atrium Single Sign-On is certified on the configurations explicitly stated in this document. Configurations not listed might still operate properly, and so customers can choose to run in a configuration not listed as supported. Such configurations would be considered "unconfirmed". BMC will accept issues reported in unconfirmed configurations, but we reserve the right to request customer assistance in problem determination, including recreating the problem on a supported configuration. Reported defects either found to be unique to an unconfirmed configuration or not reproducible within a supported environment will be addressed at the discretion of BMC. Defects requiring time and resources beyond commercially reasonable effort might not be addressed. If a configuration is found to be incompatible with BMC Atrium Single Sign-On, support for that configuration will be specifically documented as not supported (or unsupported). Visit the Customization Policy under the Support Contacts & Policies link on the BMC support website.
3.3 Service packs and patches

This section contains information about service packs and patches for BMC Atrium Single Sign-On.
Patch 3 for version 8.1.00: 8.1.00.03 (see page 17)
Patch 2 for version 8.1.00: 8.1.00.02 (see page 18)
Patch 1 for version 8.1.00: 8.1.00.01 (see page 19)

3.3.1 Patch 3 for version 8.1.00: 8.1.00.03

This topic contains information about fixes in BMC Atrium Single Sign-On 8.1.00 Patch 3 (8.1.00.03) and provides instructions for downloading and installing the patch. It is organized as follows:
Corrected issues (see page 17)
Installing the patch (see page 17)
Note BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single Sign-On 8.1.00 Patch 1 or later.
Corrected issues To learn about issues corrected in Patch 3 (8.1.00.03), see Known and Corrected issues. Click the Corrected in column heading to sort the table by version. Patch 3 also includes the fixes from Patch 2 and Patch 1 for version 8.1.00.
Installing the patch Patch 3 for BMC Atrium Single Sign-On 8.1.00 (8.1.00.03) is a full installation. You can download the 8.1.00.03 installation files from the Licensed Products tab on the BMC Electronic Product Distribution (EPD) site and perform your normal installation. For instructions about downloading the files that you need for installation, see Downloading the installation files (see page 44).
Recommendation Back up BMC Atrium Single Sign-On before proceeding with the patch installation.
To install BMC Atrium Single Sign-On 8.1.00 Patch 3, see Installing (see page 40). To perform a silent installation, see Installing silently (see page 112). To upgrade to BMC Atrium Single Sign-On 8.1.00 Patch 3 from an earlier version (8.1.00 or 8.1.00.01 or 8.1.00.02), see Upgrading.
3.3.2 Patch 2 for version 8.1.00: 8.1.00.02

This topic contains information about fixes in BMC Atrium Single Sign-On 8.1.00 Patch 2 (8.1.00.02), and provides instructions for downloading and installing the patch. It is organized as follows:
Note BMC Atrium Single Sign-On 8.1.00 Patch 2 (8.1.00.02) has been replaced with Patch 3 (8.1.00.03) and can no longer be downloaded from the BMC Electronic Product Distribution (EPD) site. Patch 3 is a full installation and includes the fixes that were available in Patch 1 (8.1.00.01) and Patch 2 (8.1.00.02). For information about downloading and installing BMC Atrium Single Sign-On 8.1.00 Patch 3, see Patch 3 for version 8.1.00: 8.1.00.03 (see page 17).
Corrected issues (see page 18)
Installing the patch (see page 18)
Note BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single Sign-On 8.1.00 Patch 1 or later.
Corrected issues To learn about the issues corrected in Patch 2 (8.1.00.02), see Known and corrected issues. Click the Corrected in column heading to sort the table by version.
Installing the patch BMC Atrium Single Sign-On Patch 2 features are included in the BMC Atrium Single Sign-On Patch 3 installation. You can download the 8.1.00.03 installation files from the Licensed Products tab on the BMC Electronic Product Distribution (EPD) site and perform your normal installation. For instructions about downloading the files that you need for installation, see Downloading the installation files (see page 44).
Recommendation Back up BMC Atrium Single Sign-On before proceeding with the patch installation.
To install BMC Atrium Single Sign-On 8.1, see Installing (see page 40). To perform a silent installation, see Installing silently (see page 112). To upgrade to BMC Atrium Single Sign-On 8.1.00 Patch 2 from an earlier version (8.1.00 or 8.1.00.01), see Upgrading.
3.3.3 Patch 1 for version 8.1.00: 8.1.00.01

This topic contains information about fixes in BMC Atrium Single Sign-On 8.1.00 Patch 1 (8.1.00.01), and provides instructions for downloading and installing the patch.
Note BMC Atrium Single Sign-On 8.1.00 Patch 1 (8.1.00.01) has been replaced with Patch 3 (8.1.00.03) and can no longer be downloaded from the BMC Electronic Product Distribution (EPD) site. Patch 3 is a full installation and includes the fixes that were available in Patch 1 (8.1.00.01). For information about downloading and installing BMC Atrium Single Sign-On 8.1.00 Patch 3, see Patch 3 for version 8.1.00: 8.1.00.03 (see page 17).
The following topics are provided:
Corrected issues (see page 19)
Installing the patch (see page 19)
Note BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single Sign-On 8.1 Patch 1 or later.
Corrected issues To learn about the issues corrected in Patch 1 (8.1.00.01), see Known and corrected issues. Click the Corrected in column heading to sort the table by version.
Installing the patch BMC Atrium Single Sign-On Patch 1 features are included in the BMC Atrium Single Sign-On Patch 3 installation. You can download the 8.1.00.03 installation files from the Licensed Products tab on the BMC Electronic Product Distribution (EPD) site and perform your normal installation. For instructions about downloading the files that you need for installation, see Downloading the installation files (see page 44).
Recommendation Back up BMC Atrium Single Sign-On before proceeding with the patch installation.
To install BMC Atrium Single Sign-On 8.1, see Installing (see page 40). To perform a silent installation, see Installing silently (see page 112).
3.4 Documentation updates after release

This topic contains information about documentation updates for BMC Atrium Single Sign-On that are not related to urgent issues, maintenance releases, service packs, or patches. These updates are added to the documentation independent of any specific release.
Added BMC Mobility integration documentation (see page 20)
Added BMC EUEM integration documentation (see page 20)

3.4.1 Added BMC Mobility integration documentation

You can integrate BMC Atrium Single Sign-On with BMC Mobility to support Security Assertion Markup Language (SAML). The typical process for integrating BMC Atrium Single Sign-On with BMC Remedy IT Service Management (ITSM) is to install BMC Atrium Single Sign-On, install BMC Remedy ITSM, and then integrate Atrium SSO with ITSM. For more information, see Integrating BMC Mobility for ITSM 8.1.00 (see page 212).

3.4.2 Added BMC EUEM integration documentation

BMC Real End User Experience Monitoring (EUEM) uses the BMC Atrium Single Sign-On (SSO) authentication system to provide single sign-on and single sign-off. BMC Atrium Single Sign-On allows users to present credentials only once for authentication and subsequently be automatically authenticated by every BMC product that is integrated into the system. For more information, see Integrating BMC Real End User Experience Monitoring (see page 212).
4 Key concepts

For additional information, you can also refer to the following webinar conducted by BMC Support. You can also connect with other users for related discussions on the BMC Community.

Use this section to get high-level conceptual knowledge that helps you to use the BMC Atrium Single Sign-On product. The following topics provide key conceptual information about BMC Atrium Single Sign-On:
BMC Atrium Single Sign-On architecture
BMC Atrium Single Sign-On and OpenAM (see page 22)
Administrator password
Default cookie domain
Log on and log off behavior (see page 24)
Certificates
Authentication chaining
High Availability deployment
JEE filter-based agents
4.1 BMC Atrium Single Sign-On architecture

The benefit to BMC products that have BMC Atrium Single Sign-On as an authentication option is that all of the authentication protocols supported by BMC Atrium Single Sign-On are available to the product, and any new protocols added become available without any product changes. The BMC Atrium Single Sign-On server and agents provide the needed integration into these systems, so a product does not need any adjustments. The following diagram shows a high-level implementation of BMC Atrium Single Sign-On integration with BMC Dashboards for BSM, BMC Analytics for BSM, and BMC Remedy IT Service Management.
BMC Atrium Single Sign-On integration with BMC products
4.2 BMC Atrium Single Sign-On and OpenAM

BMC Atrium Single Sign-On is built on the open source project OpenAM. This project has a long history of providing authentication and authorization across many different platforms by using many authentication techniques. BMC Atrium Single Sign-On provides a simplified, turnkey system that applies OpenAM technology to BMC products. Configuration of the servers and agents is automated as much as possible, allowing for easy adoption.
OpenAM technologies (see page 22)
Atrium Single Sign-On user console access (see page 23)
4.2.1 OpenAM technologies

BMC Atrium Single Sign-On uses the subset of the technologies within the OpenAM project that BMC products require. The OpenAM technologies currently certified with BMC Atrium Single Sign-On include:
Authentication schemes: Internal, LDAP, BMC Remedy Action Request (AR) System, Active Directory, RSA SecurID, Common Access Cards (CAC), ActivIdentity-based, Kerberos, and SAMLv2
Authentication chaining
Groups
Important BMC Atrium Single Sign-On is certified on the configurations explicitly stated in this document. Reported defects either found to be unique to an unconfirmed configuration or not reproducible within a supported environment are addressed at the discretion of BMC. Visit the Customization Policy under the Support Contacts & Policies link on the BMC support website.
4.2.2 Atrium Single Sign-On user console access

The user console is accessed through the following URL, where <host> and <port> stand for the BMC Atrium Single Sign-On server's host name and HTTPS port: https://<host>:<port>/atriumsso/UI/Login?realm=BmcRealm This URL can be used to verify the authentication module configuration. You do not need to rely on an installed and configured BMC application to initiate login in order to test the configuration of authentication modules.

4.3 Administrator password

The administrator password is used to access BMC Atrium Single Sign-On through a browser. This access allows user accounts to be created and enables other authentication algorithms. The administrator password is also used to integrate application servers that have deployed the BMC Atrium Single Sign-On Web agent with BMC Atrium Single Sign-On.

4.4 Default cookie domain

The default cookie domain value is the network domain of the computer you are installing the server on. The default cookie domain specifies the most restrictive access. This value is used to control cookie visibility between servers within the domain. By removing domain elements (lowest sub-domain first), the cookie becomes visible to servers outside of the BMC Atrium Single Sign-On domain. For example, changing the domain adprod.bmc.com to bmc.com gives all of the servers within the bmc.com domain access to the cookies stored by the server in a user's browser. The danger of increasing the cookie visibility is illustrated when the value is changed to com, giving all servers in the internet com domain access to the cookie.
Note You cannot use sibling domains or cross-domains with BMC Atrium Single Sign-On. For example, installing the BMC Atrium Single Sign-On server in the remedy.com domain and the AR System server in the bmc.com domain is not supported. You must move all your computers into the same domain.
4.5 Log on and log off behavior

When using a single sign-on system, the normal authentication behavior is altered. The practice of logging on when you start a product is performed automatically when the second product is started. This happens without any user involvement. When you log off, you are logged off of all BMC Atrium Single Sign-On integrated products. If you want to continue working with other BMC products:
Quit the product instead of logging out of BMC Atrium Single Sign-On.
If the product supports application-only log off, log off the application and close the browser.

Important When quitting a product, the normal behavior is to log off and then quit. This process results in termination of all the product connections. If you want to continue working with other BMC products, quit the product that you are finished with, and only log off from the last product.
With web applications, the BMC Atrium Single Sign-On authentication status is maintained through sessions within the web browsers. When web applications share the same browser session, the authentication state with BMC Atrium Single Sign-On is shared by these applications. To use a different login ID without logging off BMC Atrium Single Sign-On, you must start a new session in the web browser. The following table summarizes how to share current sessions and how to create new sessions with the browsers supported by BMC Atrium Single Sign-On.

Session behavior in supported browsers

Browser             | Share Session                                                                                  | New Session
Firefox 4           | New tab, Ctrl-N for new window, or launch from Start menu or shortcut                          | Use Private Browsing
Internet Explorer 7 | New tab or Ctrl-N to create a new window                                                       | Launch new browser using Start menu or shortcut
Internet Explorer 8 | New tab, Ctrl-N to create a new window, or launch new browser from Start menu or short-cut     | Use New Session in File menu
Internet Explorer 9 | New tab, Ctrl-N to create a new window, or launch new browser from Start menu or short-cut     | Use New Session in File menu
When BMC products launch a new application, the applications use the process needed to ensure a shared session and a seamless experience.
4.6 Certificates

The default Tomcat server used by BMC Atrium Single Sign-On uses a keystore and a truststore for secure (HTTPS/TLS/SSL) communications. These communications occur in the following cases:
When users log in to or log out of the system, including access to the admin console
When an external LDAP server is accessed with TLS/SSL
When exchanging SAMLv2 metadata
For user authentication (CAC)
The keystore contains the information used to identify the BMC Atrium Single Sign-On server to remote servers and users. The truststore is used to hold the certificates of remote servers, users, and signing authorities that are to be trusted by the BMC Atrium Single Sign-On server. These files are stored in the following directory: /BMC Software/AtriumSSO/tomcat/conf
The initial keystore created during the installation uses a self-signed certificate. This certificate causes browsers and other programs to warn users about the insecure nature of the certificate each time the user authenticates. This certificate warning can be prevented by doing one of the following:
Permanently importing the self-signed certificate into the user's truststore.
Obtaining and importing a signed identity certificate from a trusted Certificate Authority (CA). The CA vouches for the authenticity of the server's identity when the user visits BMC Atrium Single Sign-On for authentication. In this case, the user has an established trust relationship with the CA, and this relationship is extended to BMC Atrium Single Sign-On after a digitally signed identity certificate is imported.
4.6.1 Certificate Signing Request

A CA-signed certificate is obtained by generating a Certificate Signing Request (CSR): The output from the command must be sent to the CA for a digital signature. After the signed identity certificate is returned, the next step is to import it into the keystore, where it replaces the current self-signed certificate.
The keytool utility is used to obtain a CSR, to obtain a signed certificate, and to import the signed certificate in order to replace the self-signed certificate. This tool is available with Oracle JDKs and BMC Atrium Single Sign-On.
Note When importing the newly signed certificates, you must first import the CA root certificates and intermediate certificates, if required.
4.6.2 New CA certificates

Adding another CA certificate is necessary when:
CAC authentication is used
LDAP is used with SSL/TLS
The Department of Defense (DoD) issues new CA certificates
The CA certificates used to create a signed certificate for the BMC Atrium Single Sign-On server are not already within the truststore
The keytool utility is used to import a new CA certificate into the BMC Atrium Single Sign-On truststore.

4.6.3 Related topics

Managing keystores with a keytool utility (see page 239)
Generating self-signed certificates (see page 249)

4.7 Authentication chaining

An Authentication Chain is the object used by BMC Atrium Single Sign-On for specifying how authentication is to be performed. A chain can be a single authentication module or a combination of multiple authentication modules. Chaining allows different modules to act as a single authority. In its simplest form, an authentication chain consists of only a single authentication module. A chain can also be a complex combination of multiple authentication modules joined to validate the credentials that are used to authenticate a user. Through chaining, different modules can be merged to appear as a single authority. For example, if two organizations merge to form a new, single organization, then the authentication system from each organization could be used as a module within a single chain. The effect of combining these modules into this single chain is that the users only provide credentials to a single authority. The chain can be configured to check each of the modules until the user is authenticated.
This chaining creates the perception of a merged authority despite the reality of the multiple, disparate systems that are actually employed. Authentication chains allow a combination of authentication modules to process authentication requests. One of the best uses for combining modules is to merge different authentication schemes so that they appear as a single authentication scheme. For example, when two departments have their own LDAP servers, these two servers could be put into a single chain and users would appear to validate against a single authority. The processing of the chain to determine the overall status of authentication is controlled by the criteria specified for each of the modules in the chain. The following figure illustrates authentication chaining where authentication modules are tried in an ordered sequence.
4.7.1 Authentication chaining example
The overall status is successful if all of the Required and Requisite modules pass before either the end of the chain or the first successful Sufficient module is reached. When there are no Required or Requisite modules, at least one Sufficient or Optional module must authenticate the user. See Managing authentication modules (see page 271).

For the example illustration above, in which three LDAP servers are combined into a single authority, the chain is processed as follows:

1. Check with LDAP A.
   Pass: Stop processing and accept the user.
   Fail: Proceed to the next module.
2. Check with LDAP B.
   Pass: Stop processing and accept the user.
   Fail: Proceed to the next module.
3. Check with LDAP C.
   Pass: Stop processing and accept the user.
   Fail: Stop processing and reject the user.

With this configuration, the user's credentials are first presented to the first LDAP server for authentication. If that authentication succeeds, processing stops and the user is authenticated. If the user is not found in the first LDAP server, the credentials are passed to the second LDAP server. Each server is checked in the sequence specified until either the user passes and is considered successfully authenticated, or the user fails to authenticate and is rejected.
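The chain semantics above, as an added example that is not part of the BMC documentation: a small Python model of how a chain is evaluated under the four control flags. The three LDAP servers and the AR System server are stand-ins backed by constructed in-memory user tables, not real directory connections, and the module names and users are assumptions; the evaluation rules are the ones stated in the text.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Control flags with the semantics described for the chain.
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"


@dataclass
class Module:
    name: str
    flag: str
    authenticate: Callable[[str, str], bool]  # (user, password) -> credentials accepted?


def directory(entries: Dict[str, str]) -> Callable[[str, str], bool]:
    """Stand-in for one authentication module backed by a user/password table.

    The tables below are constructed for this example; a real module would bind to an
    LDAP server or query the AR System server with the same credentials."""
    def authenticate(user: str, password: str) -> bool:
        expected = entries.get(user)
        return expected is not None and hmac.compare_digest(expected.encode(), password.encode())
    return authenticate


def evaluate_chain(chain: List[Module], user: str, password: str) -> Tuple[bool, List[str]]:
    """Run the chain for one credential pair; return (accepted, trace of modules tried)."""
    trace: List[str] = []
    required_failed = False
    has_required = any(m.flag in (REQUIRED, REQUISITE) for m in chain)
    other_passed = False
    for m in chain:
        ok = m.authenticate(user, password)
        trace.append(f"{m.name}:{'pass' if ok else 'fail'}")
        if m.flag == REQUISITE and not ok:
            return False, trace      # a Requisite failure ends processing immediately
        if m.flag == REQUIRED and not ok:
            required_failed = True   # later modules still run, but the chain can no longer pass
        if m.flag == SUFFICIENT and ok and not required_failed:
            return True, trace       # first successful Sufficient module: stop and accept
        if m.flag in (SUFFICIENT, OPTIONAL) and ok:
            other_passed = True
    if has_required:
        return not required_failed, trace
    return other_passed, trace       # no Required/Requisite: at least one Sufficient/Optional must pass


# Constructed user tables standing in for three departmental LDAP servers and the AR System server.
ldap_a = directory({"alice": "alice-pw", "dave": "dave-pw"})
ldap_b = directory({"bob": "bob-pw"})
ldap_c = directory({"carol": "carol-pw"})
ar_system = directory({"alice": "alice-pw"})

# The chain from the example: three LDAP servers, each Sufficient, tried in order.
LDAP_CHAIN = [Module("LDAP A", SUFFICIENT, ldap_a),
              Module("LDAP B", SUFFICIENT, ldap_b),
              Module("LDAP C", SUFFICIENT, ldap_c)]
# Variants showing how Required and Requisite change the outcome for dave, who exists only in LDAP A.
REQUIRED_CHAIN = [Module("AR", REQUIRED, ar_system), Module("LDAP A", SUFFICIENT, ldap_a)]
REQUISITE_CHAIN = [Module("AR", REQUISITE, ar_system), Module("LDAP A", SUFFICIENT, ldap_a)]

if __name__ == "__main__":
    for chain_name, chain, who, pw in [("LDAP_CHAIN", LDAP_CHAIN, "bob", "bob-pw"),
                                       ("LDAP_CHAIN", LDAP_CHAIN, "alice", "wrong"),
                                       ("REQUIRED_CHAIN", REQUIRED_CHAIN, "dave", "dave-pw"),
                                       ("REQUISITE_CHAIN", REQUISITE_CHAIN, "dave", "dave-pw")]:
        accepted, trace = evaluate_chain(chain, who, pw)
        print(f"{chain_name:16} {who:6} accepted={accepted} trace={trace}")
```

Two points the trace makes visible: with an all-Sufficient chain, a wrong password is forwarded to every directory in turn before the user is rejected, so each server's lockout counter sees the failed attempt; and a Required module that fails lets the rest of the chain run but cannot be rescued by a later Sufficient success, whereas a Requisite failure stops the chain on the spot.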
4.8 High Availability deployment

The following figure shows a typical deployment of BMC Atrium Single Sign-On in a High Availability (HA) environment. Two BMC Atrium Single Sign-On servers are installed to form a cluster. A load balancer in front of the cluster gives the external applications the appearance of a single server and distributes requests among the BMC Atrium Single Sign-On servers. If one server fails, the load balancer redirects requests to the remaining servers.

When operating as a cluster, BMC Atrium Single Sign-On functions as a single virtual server, so certain configuration information is shared between nodes: when one node is configured, the other nodes receive the same information. The following information is global to all nodes in the cluster:

Administrative accounts
Authentication
User profiles
Data stores
User accounts (internal LDAP)

Typical HA deployment

When configured, the BMC Atrium Single Sign-On server nodes communicate with each other through the LDAP and HTTPS ports. These ports are specified during installation. The following figure shows the communication between the nodes and the load balancer.

Communication between BMC Atrium Single Sign-On nodes and a load balancer
4.9 JEE filter-based agents

With this release of BMC Atrium Single Sign-On, a lightweight agent is available for use by BMC applications. This section describes how the configuration items apply to this newer agent. In addition to functioning as the central server, BMC Atrium Single Sign-On uses agents that are integrated into each of the BMC products. These agents perform the following functions:

Accessing authentication services
Coordinating with the server to authenticate users
Validating existing authentications

For more information about agent configuration parameters, see Agent manager.
5 Planning

The following topics provide information and instructions for planning a BMC Atrium Single Sign-On installation and configuration:

Note
All products that run on BMC Remedy AR System support BMC Atrium Single Sign-On, including AR System Mid Tier products (BMC Remedy ITSM, BMC Atrium Core, BMC Atrium CMDB, and so on), BMC Atrium Dashboards and Analytics, BMC IT Business Management Suite, BMC ProactiveNet Performance Management (version 9.0), and BMC Capacity Optimization.

Checking the compatibility matrix for system requirements and supported configurations
End-to-end BMC Atrium Single Sign-On procedure
BMC Atrium Single Sign-On using SAMLv2 deployment example (see page 31)
5.1 Checking the compatibility matrix for system requirements and supported configurations Consult the BMC Remedy and BMC Atrium product compatibility information for the 8.0 system configuration information.
5.1.1 To access the compatibility matrixes

1. Navigate to http://www.bmc.com/support/product-availability-compatibility.
2. Click BMC Solution and Product Availability and Compatibility Utility.
3. In the Product Name field, enter the product name, for example:
   BMC Atrium CMDB Enterprise Manager
   BMC Atrium CMDB Suite
4. In the Product Version field, enter the version number.
5. In the Select Component field, enter BMC Atrium Single Sign-On.
6. Review the compatibility information listed in the tabs at the bottom of the page.
Note To access the product compatibility information on the Customer Support website, you must have a Support login.
5.2 End-to-end BMC Atrium Single Sign-On procedure

This topic provides a high-level overview of what you need to do to set up and configure BMC Atrium Single Sign-On with BMC products.

1. Review the information that you need to understand before installing, such as the What's new (see page 12), Key concepts (see page 20), Planning (see page 29), and Preparing for installation topics.
2. Install BMC Atrium Single Sign-On. See Installing (see page 40) for the different installation options, such as High Availability (HA).
3. Install the other BMC products to integrate with BMC Atrium Single Sign-On.
   For information about integrating and configuring BMC Remedy AR System version 8.1, see Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79).
   For information about integrating and configuring BMC Remedy AR System version 8.0, see Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00.
   For information about other BMC product integrations, such as BMC Dashboards and Analytics for BSM, see Integrating.
4. Configure your method of authentication. See Configuring after installation. The authentication module topics are:
   Using AR for authentication
   Using SAMLv2 for authentication
   Using Kerberos for authentication (see page 132)
   Using CAC for authentication
   Using LDAP (Active Directory) for authentication
   Using RSA SecurID for authentication
5. If you implement multiple authentication methods, see Managing authentication modules (see page 271).
6. Create and manage users and user groups. See Managing users (see page 264) and Managing user groups (see page 268).
5.3 BMC Atrium Single Sign-On using SAMLv2 deployment example

This topic provides an example of how BMC Atrium Single Sign-On using Security Assertion Markup Language 2.0 (SAMLv2) can be deployed.

Business value (see page 32)
Federated authentication and SAML (see page 32)
Deployment architecture (see page 33)
Deployment model (see page 35)
Deployment tasks (see page 37)
Deployment parameters (see page 38)
Related topics (see page 40)
5.3.1 Business value

This deployment example shows how BMC Atrium Single Sign-On uses SAMLv2 authentication. Single sign-on means that you present credentials only once for authentication and are subsequently authenticated automatically by every BMC product that is integrated into the system. For example, if you are looking at a report that has links to incident or change records, you can click a link and go directly to the record without logging in again. An additional important benefit of federated authentication is that the user's logon credentials (for example, user name and password) are not exposed to the Service Provider (SP) and are not sent over the internet; authentication is performed on premise by the Identity Provider (IdP).
5.3.2 Federated authentication and SAML

SAMLv2 is an XML-based OASIS standard for exchanging user identity and security attribute information. It uses security tokens containing assertions to pass information about a principal (usually an end user) between an Identity Provider (IdP) and a web service. SAMLv2 enables federated authentication between your environment and the BMC Remedy applications. When SAMLv2 is used, the BMC Remedy infrastructure is defined as a Service Provider (SP), and the infrastructure in your environment that performs user authentication is the IdP. With SAMLv2 enabled, a user who tries to access BMC Remedy applications without having previously authenticated is redirected to your IdP. After authentication, the user is redirected back to the originally requested resource (the BMC Remedy application).
Note Although SAMLv2 supports both IdP-initiated single sign-on and SP-initiated single sign-on, SP-initiated single sign-on is essential to allow specific use cases for deep linking to specific pages and resources in the applications (for example, a notification URL that contains a link to a specific BMC Remedy ITSM form and record).
Configuration of the SAMLv2 integration is largely the exchange of SAMLv2 metadata between your environment and the BMC Remedy environment. You provide IdP metadata, which defines the URLs that you use for SAMLv2 and the certificate used to validate assertions. The BMC Remedy infrastructure provides SP metadata so that you can preregister the BMC Remedy SP in your SAMLv2 infrastructure as required. For more information about SAMLv2, see Using SAMLv2 for authentication.
5.3.3 Deployment architecture

This deployment example consists of the following components:

In the BMC environment:
BMC Remedy web applications supporting BMC Atrium Single Sign-On
BMC Atrium Single Sign-On agents, which are add-ons to any BMC Remedy web application
BMC Atrium Single Sign-On server, which serves as the SP and runs as a web application on the Apache Tomcat server

In your environment:
A browser, which you use to access the BMC Remedy applications
An authentication server responsible for authenticating your users, usually located on premise. This is the IdP component.

The SAMLv2 IdP server and the BMC Atrium Single Sign-On SP server are connected by a trust relationship (federation) so that they can honor each other's authentication information. The following sequence diagram shows the interactions between BMC Atrium Single Sign-On and the SAMLv2 components, listed in the order in which they occur.

BMC Atrium Single Sign-On and SAMLv2 components sequence diagram

The following sequence diagram illustrates the flow of events and the interaction between components for single log off (SLO):

Single log off sequence diagram
5.3.4 Deployment model The following diagram shows the components that are part of this deployment example:
A load balancer or reverse proxy is placed in front of the application servers and routes inbound connections to the appropriate target web server. Load balancers are used to distribute the workload and optimize application performance. Reverse proxies are used to distribute the workload, optimize application performance, and hide the existence and characteristics of the internal servers. One BMC Remedy Mid Tier is deployed on its own virtual machine (VM). A second BMC Remedy Mid Tier and the BMC Atrium Single Sign-On server are deployed on another VM, on two different Apache Tomcat servers. BMC Dashboards for Business Service Management and BMC Analytics for Business Service Management are deployed on two separate VMs to avoid performance issues. The browser and the SAMLv2 IdP server are deployed in your environment.
5.3.5 Deployment tasks The following table lists the main steps involved in installing and configuring the deployed BMC Products with BMC Atrium Single Sign-On with SAMLv2 authentication where BMC Atrium Single Sign-On is configured as an SP with a remote IdP.
Note Review the Deployment parameters (see page 38) list before starting the deployment tasks.
1. Install BMC Atrium Single Sign-On.
2. Install the BMC Remedy AR System server.
3. Install the BMC Remedy Mid Tier.
4. (Optional) Configure your load balancer or reverse proxy. Note: For more information, see Troubleshooting redirect URLs (see page 343).
5. Run the SSOARIntegration utility on the AR System server (see page 88).
6. Run the SSOMidtierIntegration utility on the BMC Remedy Mid Tier (see page 92).
7. Configure group mapping for the AR System and BMC Atrium Single Sign-On (see page 91).
8. Configure the BMC Atrium Single Sign-On server for AR System (see page 97). Note: Although the AR authentication module must be configured, you must delete the AR user stores when SAMLv2 is used for authentication; the AR data store is not needed for authentication in a SAMLv2 deployment.
9. Run a health check on the BMC Atrium Single Sign-On installation.
10. Configure BMC Atrium Single Sign-On to use SAMLv2 authentication, with BMC Atrium Single Sign-On as the Service Provider and a remote Identity Provider. Note: Each time a BMC product is integrated (steps 10 to 12) with the BMC Atrium Single Sign-On Service Provider, the J2EE agent configuration must be modified so that the integrated product can function in federated single sign-on.
11. (Optional) Integrate BMC Dashboards for Business Service Management (see page 198) and configure it. Note: For more information, see the BMC Dashboards for Business Service Management Installation Guide at PDFs.
12. (Optional) Integrate BMC Analytics for Business Service Management (see page 199) and configure it. Note: For more information, see Installing.
13. (Optional) Integrate BMC IT Business Management Suite (see page 204). Note: For more information, see Installing.
5.3.6 Deployment parameters

The deployment environment assumes Microsoft Windows 2008, Microsoft SQL Server 2008, newly installed Tomcat instances, and default values accepted throughout. It also assumes that BMC Remedy AR System server groups and BMC Atrium Single Sign-On high availability (HA) are not deployed. BMC Atrium Single Sign-On authentication is SAMLv2, with BMC Atrium Single Sign-On configured as a Service Provider (SP) with a remote Identity Provider (IdP).
Important BMC recommends that you install the BMC Remedy Mid Tier, BMC Remedy AR System server, and BMC Atrium Single Sign-On server on separate computers. However, if you do install more than one BMC Product on the same computer, ensure that the HTTP, HTTPS, and Shutdown port numbers are different.
The following parameters are set when deploying the following BMC products with BMC Atrium Single Sign-On authentication:

BMC Remedy AR System
BMC Remedy Mid Tier
BMC Atrium Single Sign-On
SAMLv2 authentication where BMC Atrium Single Sign-On is configured as an SP with a remote IdP
BMC Dashboards for BSM
BMC Analytics for BSM

Product install/configuration | Parameter | Description

AR System installation
  Planning spreadsheet | Complete the Planning Spreadsheet for BMC Remedy AR System 8.1.

Mid Tier installation
  Planning spreadsheet | Complete the Planning Spreadsheet for BMC Remedy AR System 8.1.

Atrium SSO installation
  FQDN of host name | The Fully Qualified Domain Name (FQDN) of the host. For example, ssoserver.bmc.com.
  HTTP, HTTPS, Shutdown port numbers | If BMC Atrium Single Sign-On is installed on the same computer as another BMC product, provide port numbers that differ from those of the other BMC product.
  Cookie domain | The name of the cookie that the agent checks for the SSO session token. It must match the cookie name in the server configuration. For example, atsso_bmc_com.
  Atrium SSO server password | The password for the BMC Atrium Single Sign-On server. Default: amadmin

AR System integration
  AR Server Name | The AR server name. For example, arsystemserver.bmc.com.
  AR Server User | The AR server user. For example, Demo.
  AR Server Password | The AR server password. For example, Demo.
  AR Server Port | The AR server port. For example, 0.
  Atrium SSO URL | URL of the BMC Atrium Single Sign-On server. For example, https://ssoserver.bmc.com:8443/atriumsso
  SSO Admin Name | The BMC Atrium Single Sign-On administrator name. Default: amadmin.
  SSO Admin Password | The BMC Atrium Single Sign-On administrator password.
  truststore | (Optional) The truststore path.
  truststore-password | (Optional) The truststore password.
  force | (Optional) If Yes, the utility does not wait for you to shut down the web server (if it is not already shut down) when the web server is something other than Tomcat or JBoss. Default: No

Mid Tier integration
  AR Server Name | The AR server name from the AR System integration. For example, arsystemserver.bmc.com.
  AR Server User | The AR server user from the AR System integration. For example, Demo.
  AR Server Password | The AR server password from the AR System integration. For example, Demo.
  AR Server Port | The AR server port from the AR System integration. For example, 0.
  Container Type | Supported container types: JBOSSV4, JBOSSV5, SERVLETEXECV5, SERVLETEXECV6, TOMCATV5, TOMCATV6, TOMCATV7, WEBSPHEREV6, WEBSPHEREV7, WEBLOGICV10
  Web App URL | The Mid Tier URL if a load balancer is not used; otherwise, the load balancer URL. Provide the server name as a fully qualified domain name and include the port in the URL. For example, http://midtierloadbalancer.bmc.com:8080/arsys
  webserverhomedirectory | The web server home directory. For example, C:\Program Files\Apache Software Foundation\Tomcat6.
  JREInstallDirectory | Path to the JRE directory. For example, C:\Program Files\Java\jre7
  MidtierHome | Mid Tier home directory. For example, C:\Program Files\BMC Software\ARSystem\midtier
  serverinstancename | The WebSphere instance name; required for the WebSphere server.
  instanceconfigdirectory | The WebSphere configuration directory; required for the WebSphere server.
  weblogicdomainhome | The WebLogic (BEA) domain home; required for the WebLogic web application.

AR System external authentication group mapping for SSO
  AR Group Name | LDAP Group Name
  Administrator | BmcAdmins

Dashboards installation
  Fully Qualified Host Name | Fully qualified host name of the BMC Atrium Single Sign-On server.
  HTTP, HTTPS, Shutdown Port Number | Port numbers used by the BMC Atrium Single Sign-On server. If BMC Atrium Single Sign-On is installed on the same computer as another BMC product, provide port numbers that differ from those of the other BMC product.
  Administrator login name and password | User name and password for the BMC Atrium Single Sign-On server administrator.

Analytics installation
  BMC Dashboards administrator Name and Password | User name and password of the BMC Dashboards for BSM administrator user. This user must exist in BMC Atrium Single Sign-On.
  Fully Qualified Host Name | Fully qualified host name of the BMC Atrium Single Sign-On server.
  HTTP, HTTPS, Shutdown Port Number | Port numbers used by the BMC Atrium Single Sign-On server. If BMC Atrium Single Sign-On is installed on the same computer as another BMC product, provide port numbers that differ from those of the other BMC product.
  Administrator login name and password | User name and password for the BMC Atrium Single Sign-On server administrator.

SAMLv2 authentication
  Remote IdP metadata file | The metadata file for the remote Identity Provider (IdP). For example, sso-idp.xml.
  BMC Remedy AR System agent Federated login URL & logout URI | The login and logout URIs are the locations to which the agent sends the user's browser when the corresponding function is needed.
  BMC Dashboards agent Federated login URL & logout URI | The login and logout URIs are the locations to which the agent sends the user's browser when the corresponding function is needed.
  BMC Analytics agent Federated login URL & logout URI | The login and logout URIs are the locations to which the agent sends the user's browser when the corresponding function is needed.
5.3.7 Related topics

Using AR for authentication
Using SAMLv2 for authentication
Agent manager
6 Installing

The BMC Atrium Single Sign-On server component is available for download from the BSM EPD site at http://webapps.bmc.com/epd, or can be found in the BMC Atrium Shared Components box. The typical method to integrate BMC Atrium Single Sign-On with BMC Remedy AR System or any other BMC product is:

1. Install BMC Atrium Single Sign-On.
2. Install BMC Remedy AR System or other BMC products.
3. Integrate with BMC Remedy AR System or other BMC products.
Important BMC recommends that you install the BMC Remedy Mid Tier, BMC Remedy AR System server, and BMC Atrium Single Sign-On server on separate computers. However, if you do install more than one BMC Product on the same computer, ensure that the HTTP, HTTPS, and Shutdown port numbers are different.
The following topics provide information and instructions for installing BMC Atrium Single Sign-On:

Preparing for installation
Installation options (see page 48)
Configuring Terminal Services and DEP parameters
Installing BMC Atrium Single Sign-On as a standalone (see page 50)
Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55)
Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72)
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79)
Installing silently (see page 112)
Uninstalling BMC Atrium Single Sign-On (see page 117)
6.1 Preparing for installation

Review or perform the following tasks before you start installing:
1. Review the Planning (see page 29) topics.
2. Review the Prerequisites for installation (see page 42) and update your environment.
3. Review the Compatibility matrix.
4. Download the installation files (see page 44).
6.1.1 Prerequisites for installation

This topic describes the prerequisites for installing BMC Atrium Single Sign-On.

Warning
If you have not met all of the requirements before you begin the installation, you might have issues with the installation. You must fulfill the requirements on this page before you begin the installation.

Limitation (see page 42)
Access and permissions (see page 43)
Disk space requirements (see page 43)
Memory requirements (see page 43)
Log file memory requirements (see page 43)
System requirements (see page 43)
Entropy level requirements (see page 44)
Firewalls (see page 44)

Limitation

Do not deploy BMC Atrium Single Sign-On on a Network File System (NFS) file system.
Access and permissions

If you are a nonroot runtime user of the BMC Atrium Single Sign-On web container instance, you must be able to write to your own home directory.
(Microsoft Windows) You must have administrator privileges.
(UNIX) You can be any user. However, root privileges are required to set up auto-startup of the services.

Disk space requirements

This section describes the storage space required for installation and for log files. Before installing BMC Atrium Single Sign-On, you must have at least the following available disk space:
(Microsoft Windows) 650 MB
(Linux) 750 MB
(Oracle Solaris) 850 MB

Memory requirements

If you are installing BMC Atrium Single Sign-On on an external Tomcat server, 1024 MB of RAM is required. For an external Tomcat 7 server with JDK 1.7, increase the memory by an additional 20%, to a minimum of 1.2 GB.

Log file memory requirements

An additional 7-10 GB of space is recommended for log file growth, depending on the number of users and the products integrating with the BMC Atrium Single Sign-On server. To manage log file storage space effectively, perform the following tasks:
Delete the debug log files periodically, especially if the debug level is set to message.
Check the .access and .error log files periodically in the logs directory.
Consider configuring log rotation to delete the oldest log files.

System requirements

If you are installing BMC Atrium Single Sign-On on Red Hat Enterprise Linux (RHEL) 6.x, you must install the following 32-bit RPM packages to make 32-bit JRE support and the installer's user interface available:
glibc.i686
libXtst.i686
Entropy level requirements

If you are installing BMC Atrium Single Sign-On on Red Hat Enterprise Linux computers and the entropy level on the server is under 150, you might experience installation issues. If an installation or silent installation aborts suddenly, finishes very quickly, or takes a long time to complete, the computer might be experiencing low entropy. To avoid these issues, perform the following tasks:

1. Verify the level of entropy in the entropy_avail file:

   cat /proc/sys/kernel/random/entropy_avail

2. If the level of entropy is less than 150, run the following rngd commands as the root user, or restart the computer. Running the commands is the preferred option because it helps maintain the entropy level after installation. If your server has a low entropy level, configure it to run these commands when the server starts up.

   yum install rng-tools
   echo 'EXTRAOPTIONS="-i -o /dev/random -r /dev/urandom -t 10 -W 2048"' >> /etc/sysconfig/rngd
   chkconfig rngd on
   service rngd restart

Note that with -r /dev/urandom, rngd feeds the blocking pool from the kernel's own nonblocking pool; this unblocks the installer but adds no new entropy, so prefer a hardware random-number source (for example, -r /dev/hwrng) where one is available.
Firewalls The ports that you selected when you installed the BMC Atrium Single Sign-On server must be accessible from the clients that are authenticated through the server. Configure the firewalls to allow access to the HTTPS port used for authentication, as well as the LDAP and Apache MQ ports in the nodes of a cluster.
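The prerequisites above that can be checked mechanically before the installer is launched, the NFS limitation, the rule that the HTTP, HTTPS and Shutdown ports must differ when products share a computer, and the RHEL entropy threshold, as an added example that is not a BMC-supplied tool: a Python preflight check. The /proc/mounts content is constructed for the offline demonstration; on a real RHEL host the function reads /proc/mounts and /proc/sys/kernel/random/entropy_avail itself. The install path, port numbers and NFS server name are assumptions.

```python
import os
from typing import List, Optional

MIN_ENTROPY = 150               # threshold the documentation gives for RHEL installs
NFS_TYPES = {"nfs", "nfs4"}     # filesystem types that violate the NFS limitation
ENTROPY_FILE = "/proc/sys/kernel/random/entropy_avail"

# Constructed /proc/mounts content for the offline demonstration (not captured from a real host).
SAMPLE_MOUNTS = """\
/dev/mapper/rhel-root / ext4 rw,relatime 0 0
nfsserver.example.com:/export/bmc /opt/bmc nfs rw,vers=3 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""


def mount_fstype(path: str, mounts_text: str) -> Optional[str]:
    """Filesystem type of the mount that holds path. The longest mount-point prefix wins, and
    a later line shadows an earlier one for the same mount point, as in /proc/mounts itself."""
    path = os.path.normpath(path)
    best_mp, best_type = None, None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mp, fstype = fields[1], fields[2]
        # "/opt/bmc" must match "/opt/bmc/atriumsso" but not "/opt/bmc-local"
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best_mp is None or len(mp) >= len(best_mp):
                best_mp, best_type = mp, fstype
    return best_type


def is_on_nfs(path: str, mounts_text: str) -> bool:
    return mount_fstype(path, mounts_text) in NFS_TYPES


def ports_distinct(*ports: int) -> bool:
    return len(set(ports)) == len(ports)


def read_entropy(entropy_file: str = ENTROPY_FILE) -> Optional[int]:
    """Current kernel entropy estimate, or None when it cannot be read (not Linux, no permission)."""
    try:
        with open(entropy_file) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def preflight(install_dir: str, http_port: int, https_port: int, shutdown_port: int,
              mounts_text: Optional[str] = None, entropy_level: Optional[int] = None) -> List[str]:
    """Return the list of prerequisite violations; an empty list means the checks passed."""
    if mounts_text is None:
        with open("/proc/mounts") as f:
            mounts_text = f.read()
    if entropy_level is None:
        entropy_level = read_entropy()
    problems = []
    if is_on_nfs(install_dir, mounts_text):
        problems.append(f"{install_dir} is on an NFS file system; do not deploy BMC Atrium Single Sign-On on NFS")
    if not ports_distinct(http_port, https_port, shutdown_port):
        problems.append("HTTP, HTTPS and Shutdown port numbers must all be different")
    if entropy_level is None:
        problems.append("could not read the kernel entropy level")
    elif entropy_level < MIN_ENTROPY:
        problems.append(f"entropy level {entropy_level} is below {MIN_ENTROPY}; install rng-tools and start rngd first")
    return problems


if __name__ == "__main__":
    # Assumed install path and the documented default-style Tomcat ports.
    for p in preflight("/opt/bmc/atriumsso", 8080, 8443, 8005, SAMPLE_MOUNTS, entropy_level=120):
        print("FAIL:", p)
```

Run it with no keyword arguments on the target RHEL host to read the live mount table and entropy pool; anything it prints is a prerequisite the installer would otherwise hit mid-run.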
6.1.2 Downloading the installation files

This topic provides instructions for downloading the files that you need for installation. The latest BMC Atrium Single Sign-On GA version on the BMC Electronic Product Distribution (EPD) website is 8.1.00.03.

Files to download (see page 44)
To download the files (see page 45)
Enabling search in the offline documentation (see page 47)
Where to go from here (see page 47)
Files to download The following table provides the product files available on the BMC EPD website for BMC Atrium Single Sign-On. You can find the installer and documentation related to BMC Atrium Single Sign-On version 8.1.00.03 on the Products tab itself.
Note
BMC Atrium Single Sign-On is provided with the ESM solution suites. On the BMC EPD website, visit the download sections for the BMC Remedy IT Service Management, BMC ProactiveNet Performance Management, BMC BladeLogic Automation, or BMC Application Management suites to obtain the latest version of BMC Atrium Single Sign-On.
You can download the latest installer files from any of the ESM solution suites on the EPD website. For example: BMC Remedy IT Service Management Suite > BMC Remedy IT Service Management Suite 8.1.00 - OperatingSystem > BMC Atrium Single Sign-On Version 8.1.00 for OperatingSystem

Hyperlink on EPD page | File name on EPD page
BMC Atrium Single Sign-On Version 8.1.00.03 - Microsoft Windows | BMCAtriumSSO8.1.00.03.windows.zip
BMC Atrium Single Sign-On Version 8.1.00.02 - Oracle Solaris | BMCAtriumSSO8.1.00.03.solaris.tar.gz
BMC Atrium Single Sign-On Version 8.1.00.02 - Linux (for AIX) | BMCAtriumSSO8.1.00.03.linux.tar.gz
BMC Atrium Single Sign-On Version 8.1.00.03 Documentation | BMCAtriumSSO_8.1_Patch3_Help.zip (This zip file contains an archived version of the online documentation for BMC Atrium Single Sign-On 8.1. For the latest and most comprehensive content, see the BMC Online Technical Documentation portal (docs.bmc.com) for this release.)
Note The installation files for BMC Atrium Single Sign-On versions 8.1.00.02 have been replaced with the installation files for version 8.1.00.03, and can no longer be downloaded from the EPD site. Patch 3 for BMC Atrium Single Sign-On 8.1.00 (8.1.00.03) is a full installation and includes the fixes that were available in Patch 1 and Patch 2 (8.1.00.01 and 8.1.00.02). You can download the Patch 3 installation files from the BMC EPD site and perform your normal installation.
To download the files

The product files that you download from the EPD website might contain some or all of the patches listed on a product's Customer Support web page. If the EPD page shows that a patch is included in a file you downloaded, you do not need to obtain that patch separately.

1. Create a directory in which to place the downloaded files.

   Note
   On Microsoft Windows computers, ensure that the directory is only one level into the directory structure. The EPD package creates a directory in the temporary directory when you extract the files, and the directory that contains the installation image should not be deeper than two levels into the directory structure.

2. Go to http://www.bmc.com/available/epd.html.
3. At the logon prompt, enter your user ID and password, and click Submit.
4. On the Export Compliance and Access Terms page, provide the required information, agree to the terms of the agreements, and click Continue.
5. If you are accessing this site for the first time, create an EPD profile to specify the languages and platforms that you want to see, per the EPD site help; otherwise, skip to step 6.
6. Verify that the correct profile is displayed for your download purpose, and select the Licensed Products tab.

   Note
   BMC Atrium Single Sign-On 8.1.00 Patch 3 (8.1.00.03) installation files are available on the Licensed Products tab.

7. Locate the solution for which you are using BMC Atrium Single Sign-On, such as BMC Remedy IT Service Management Suite, and expand its entries.

   Note
   Because BMC Atrium Single Sign-On is part of the ESM solution suites, you must visit the download sections for the BMC Remedy IT Service Management, BMC ProactiveNet Performance Management, BMC BladeLogic Automation, or BMC Application Management suites to obtain the latest version of BMC Atrium Single Sign-On. The steps in this process use BMC Remedy IT Service Management.

8. Expand the BMC Remedy IT Service Management Suite 8.1.00 directory for the appropriate platform and language.
9. Expand the BMC Atrium Single Sign-On Version 8.1.00 for OperatingSystem directory for the appropriate platform and language.
10. Select the check boxes next to the files and documents that you want to download.
11. Click Download (FTP) or Download Manager:
    Download (FTP) places the selected items in an FTP directory, and the credentials and FTP instructions are sent to you in an email message.
    Download Manager enables you to download multiple files consecutively and to resume an interrupted download if the connection drops. This method requires a one-time installation of the Akamai NetSession client program on the target computer and is usually the faster and more reliable way to transfer files. A checksum operation is used to verify file integrity automatically.
Enabling search in the offline documentation

The Offline Documentation - productName version zip file contains an archived version of the online documentation. For the latest and most comprehensive content, see the BMC Online Technical Documentation Portal. The search contains local files
To enable search in the offline documentation

Deploy the offline documentation on a web server by using one of the following methods:

If this is the first BMC offline documentation archive that you are installing on the web server, extract the zip file to the web application deployment folder of your web container (servlet container). For example, with an Apache Tomcat web server, extract the zip file to \webapps.

If at least one BMC offline documentation archive is already installed on the web server, perform the following steps:
1. Extract the zip file to your hard drive.
2. Open the extracted localhelp folder.
3. Copy only the productName version folder and the productName version.map.txt file to the localhelp folder of your web container (servlet container). For example, if you are deploying BMC Asset Management 8.1 documentation to an Apache Tomcat web server, copy the asset81 folder and the BMC Asset Management 8.1.map.txt file to \webapps\localhelp. Do not include the other folders and files.
To view the offline documentation in a browser Type the following URL: http://:/localhelp//Home.html For example: http://SanJoseTomcat:8080/localhelp/ars81/Home.html
Where to go from here Carefully review the Prerequisites for installation (see page 42) for your platform and other tasks necessary specific to the type of installation you choose. For installation instructions, see Installing (see page 40).
6.2 Installation options
This topic provides information about the various installation options for BMC Atrium Single Sign-On:

Goal: To integrate BMC Atrium Single Sign-On with Terminal Services. If you are using Terminal Services to install BMC Atrium Single Sign-On, you must configure the Terminal Services parameters prior to installation.
Reference: Configuring Terminal Services and DEP parameters

Goal: To install BMC Atrium Single Sign-On as a standalone on the provided Tomcat.
Reference: Installing BMC Atrium Single Sign-On as a standalone (see page 50)

Goal: To install BMC Atrium Single Sign-On as a high availability cluster.
Reference: Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55)

Goal: To install BMC Atrium Single Sign-On with AR System and Mid Tier. These installation instructions are for BMC Atrium Single Sign-On, AR System, and Mid Tier version 8.1 and later.
Reference: Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79)

Goal: To integrate BMC Atrium Single Sign-On with the AR System (version 8.0.00 only) after BMC Remedy AR System has been installed.
Reference: Integrating BMC Atrium Single Sign-On with AR System (Version 8.0.00 only)

Goal: To install BMC Atrium Single Sign-On on an external Tomcat server.
Reference: Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72)

Goal: To install BMC Atrium Single Sign-On on an external Tomcat server and enable FIPS-140 mode.
Reference:
1. Configuring an external Tomcat instance for FIPS-140 (see page 76)
2. Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72)
3. Configuring FIPS-140 mode (see page 251)
6.3 Configuring Terminal Services and DEP parameters If you are planning to install BMC Atrium Single Sign-On via Terminal Services (Remote Desktop Services), you must first configure Terminal Services and DEP parameters.
6.3.1 To update Terminal Services configuration options for Windows Server 2008
1. From the Windows Start menu, click Run.
2. Type gpedit.msc, then click OK.
3. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Temporary Folders.
4. Enable the settings for Do not delete temporary folders on exit and Do not use temporary folders per session.
5. (optional) Restart the computer.
6. If the settings do not take effect, complete the following steps:
   a. From the Windows Start menu, click Run.
   b. Type regedit, then click OK.
   c. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server.
   d. Update PerSessionTempDir to 0 and DeleteTempDirsOnExit to 0.
   e. (optional) Restart the computer.
To update Terminal Services configuration options for Windows Server 2003
1. From the Windows Start menu, click Run.
2. Type tscc.msc, then click OK.
3. In Server Settings, set Delete temporary folders on exit to No.
4. Set Use temporary folders per session to No.
5. (optional) Restart the computer.
6. If the settings do not take effect, complete the following steps:
   a. From the Windows Start menu, click Run.
   b. Type regedit, then click OK.
   c. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server.
   d. Update PerSessionTempDir to 0 and DeleteTempDirsOnExit to 0.
   e. (optional) Restart the computer.
To configure the DEP feature
If you are using the data execution prevention (DEP) feature in Windows, configure DEP for executable programs.

Note: If you do not configure these items before you run the installer, an installer panel appears listing the steps required to handle these issues.

1. From the Windows Start menu, click Control Panel; then double-click System.
2. Click the Advanced tab.
3. In the Performance area, click Settings.
4. On the Data Execution Prevention tab, verify whether the Turn on DEP for all programs and services except those I select option is selected. If the Turn on DEP for essential Windows programs and services only option is selected, no configuration is required.

Note: If you do not select the Turn on DEP for all programs and services except those I select option, and then perform the remaining steps in this procedure, the installer might not run correctly.

5. If the Turn on DEP for all programs and services except for those I select option is selected, click Add.
6. Browse to the executable, and then click Open. The installation program appears in the DEP program area.
7. Click Apply; then click OK.
8. (optional) Restart the computer.
6.4 Installing BMC Atrium Single Sign-On as a standalone
This topic provides instructions for performing a BMC Atrium Single Sign-On standalone installation. In this installation, a Tomcat server and JVM are installed and properly configured for use by the BMC Atrium Single Sign-On server. This installation method is the simplest and easiest to perform because all of the administrative and configuration details are handled by the installation program.

- Before you begin (see page 51)
- To install BMC Atrium Single Sign-On as a standalone (see page 51)
- Where to go from here (see page 54)
6.4.1 Before you begin
- Obtain the zipped BMC Atrium Single Sign-On files from the BMC product package via Electronic Product Download (EPD) or the BMC Atrium Single Sign-On DVD.
- If there is already an installation of BMC Atrium Single Sign-On on the target computer, the installer will not allow another installation. Uninstall the existing version.
- Prepare to run the installation program for your operating system. For example, you must update Terminal Services configuration options and configure the DEP feature if you are using Windows. For more information, see Configuring Terminal Services and DEP parameters.

Note: The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product (for example, the AR System server or the BMC Remedy Mid Tier) that integrates with BMC Atrium Single Sign-On. BMC recommends that you install BMC Atrium Single Sign-On on a different computer than the computer where you plan to install a BMC product (for example, the AR System server or the BMC Remedy Mid Tier).
6.4.2 To install BMC Atrium Single Sign-On as a standalone
1. Unzip the BMC Atrium Single Sign-On files.
2. Run the installation program. The setup executable is located in the Disk1 directory of the extracted files.
   - (Microsoft Windows) Run setup.cmd.
   - (UNIX) Run setup.sh (which automatically detects the appropriate subscript to execute).
3. In the lower right corner of the Welcome panel, click Next.
4. Review the license agreement, click I agree to the terms of license agreement, and then click Next.
5. Accept the default destination directory or browse to select a different directory, and then click Next.
6. In the Host Name Information panel, verify that the hostname presented is the Fully Qualified Domain Name (FQDN) for the host, and then click Next. Correct the value as needed.
7. Choose to install a non-clustered or clustered Atrium Single Sign-On Server, and then click Next.
   - Non-clustered Atrium Single Sign-On Server: a standalone Single Sign-On Server.
   - Clustered Atrium Single Sign-On Server: implemented as a redundant system with session failover. A clustered install requires at least two nodes. For more information, see Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55).
8. Verify that Install New Tomcat is selected, and then click Next. The Tomcat server options are:
   - Install New Tomcat (default)
   - Use External Tomcat. See Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72) to install with this option.

Note: When installing on Linux servers, you must configure the JVM for Tomcat after the installation. For more information about configuring the JVM, see Configuring a JVM for the Tomcat Server (see page 77).

9. Accept the default Tomcat HTTP port number (8080), HTTPS port number (8443), and Shutdown port number (8005), or enter different port numbers, and then click Next. If any of the port numbers are incorrect, a panel identifies the incorrect port number and requires you to return to the previous page to correct the values before proceeding with the installation.

Note: When installing on Linux servers, port selections below 1000 require the server to run as root or the use of a port forwarding mechanism.

10. Enter a cookie domain, and then click Next. The domain value of the cookie should be the network domain of BMC Atrium Single Sign-On or one of its parent domains. For more information, see Default cookie domain.

Note: The higher the level of the selected parent domain, the higher the risk of user impersonation. Top-level domains are not supported (for example, com or com.ca). You cannot use sibling domains or cross-domains with BMC Atrium Single Sign-On. For example, installing the BMC Atrium Single Sign-On server in the remedy.com domain and the AR System server in the bmc.com domain is not supported. You must move all your computers into the same domain.

11. Enter a strong administrator password (at least 8 characters long), confirm the password, and then click Next. The default SSO administrator name is amadmin.

Note: Passwords with special characters must be specified in quotes.

For more information, see Administrator password.
12. Review the installation summary and click Install.
13. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the BMC Atrium Single Sign-On URL.
   a. Navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to launch the BMC Atrium SSO Admin Console. The URL to open the BMC Atrium SSO Admin Console is: https://.:/atriumsso For example, https://ssoserver.bmc.com:8443/atriumsso
   b. When you are prompted that you are connecting to an insecure or untrusted connection, add the exception and then continue. Note: Browsers display this warning because you have not yet configured the SSO authentication as a trusted provider.
   c. Confirm that you can view the BMC Atrium SSO logon panel.
   d. Log on with the SSO administrator name (for example, amadmin) and password. The BMC Atrium SSO Admin Console appears.
14. (Optional) Create an administrative user account for BMC Products to perform search functions on the user store (for example, to list user names and emails).
   - If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BMCSearchAdmins group to the new user account.
   - If you are using an external system for authentication (such as AR System, LDAP, or Active Directory), assign the BmcSearchAdmins group to either an already existing user account or a new user account.
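The cookie domain rules from step 10 and its note (the domain must be the SSO server's network domain or one of its parents, top-level domains such as com or com.ca are not supported, sibling domains are not supported, and a wider parent domain widens the impersonation exposure) can be checked before the installer is run. The following Python is an added example written for this page, not BMC installer code; the public-suffix set is a constructed stand-in for the real Public Suffix List and all host names are made up.

```python
"""Validate a proposed BMC Atrium Single Sign-On cookie domain.

Added example, not BMC code. It applies the rules stated in the installer
notes: the cookie domain must be the SSO server's network domain or one of
its parent domains, top-level domains (for example com or com.ca) are not
supported, and every product that integrates with SSO (AR System server,
Mid Tier) must live under the same cookie domain (no sibling/cross-domain).
"""
from dataclasses import dataclass, field
from typing import Iterable, List

# Constructed stand-in for a public-suffix list. A real deployment should use
# the Mozilla Public Suffix List; these entries only cover the examples here.
PUBLIC_SUFFIXES = {"com", "net", "org", "ca", "com.ca", "co.uk", "uk"}


def _labels(name: str) -> List[str]:
    """Normalise a DNS name into lower-case labels without a leading dot."""
    return [lab for lab in name.strip().lower().strip(".").split(".") if lab]


def is_parent_or_same(domain: str, host: str) -> bool:
    """True if `host` equals `domain` or sits under it at a label boundary."""
    d, h = _labels(domain), _labels(host)
    return len(d) <= len(h) and h[len(h) - len(d):] == d


@dataclass
class CookieDomainCheck:
    ok: bool
    # Labels dropped from the SSO host name: the larger, the wider the set of
    # hosts that receive the SSO cookie, which is the impersonation risk the
    # installer note warns about.
    scope_levels: int
    problems: List[str] = field(default_factory=list)


def check_cookie_domain(sso_fqdn: str, cookie_domain: str,
                        integrated_hosts: Iterable[str] = ()) -> CookieDomainCheck:
    """Apply the installer's cookie-domain rules to one proposed value."""
    problems: List[str] = []
    cookie = ".".join(_labels(cookie_domain))

    if not cookie:
        problems.append("cookie domain is empty")
    elif cookie in PUBLIC_SUFFIXES:
        problems.append(f"{cookie!r} is a top-level/public suffix; not supported")
    elif not is_parent_or_same(cookie, sso_fqdn):
        problems.append(f"{cookie!r} is not the SSO server's domain or one of its parents")

    # Every integrated product host must be inside the cookie domain; otherwise
    # the browser never presents the SSO cookie to it (sibling/cross-domain).
    for host in integrated_hosts:
        if cookie and not is_parent_or_same(cookie, host):
            problems.append(f"{host!r} is outside cookie domain {cookie!r} (sibling/cross-domain)")

    scope = max(0, len(_labels(sso_fqdn)) - len(_labels(cookie))) if cookie else 0
    return CookieDomainCheck(ok=not problems, scope_levels=scope, problems=problems)


def narrowest_cookie_domain(sso_fqdn: str, integrated_hosts: Iterable[str]) -> str:
    """Longest common parent domain of the SSO host and all integrated hosts.

    This is the least-exposure choice: it covers every participating host
    while sending the SSO cookie to as few other hosts as possible. Returns ''
    when the hosts share only a public suffix (the sibling-domain case).
    """
    names = [_labels(sso_fqdn)] + [_labels(h) for h in integrated_hosts]
    common: List[str] = []
    for parts in zip(*(reversed(n) for n in names)):
        if len(set(parts)) != 1:
            break
        common.insert(0, parts[0])
    result = ".".join(common)
    return "" if not result or result in PUBLIC_SUFFIXES else result


if __name__ == "__main__":
    # Constructed hosts; same shape as the page's remedy.com / bmc.com example.
    print(check_cookie_domain("ssoserver.bmc.com", "bmc.com", ["arserver.bmc.com"]))
    print(check_cookie_domain("sso.remedy.com", "remedy.com", ["ar.bmc.com"]))
    print(narrowest_cookie_domain("sso.it.bmc.com", ["ar.it.bmc.com", "mt.it.bmc.com"]))
```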
6.4.3 Where to go from here
- Installing or upgrading AR System server
- To secure certificates with an external CA, see Managing keystores with a keytool utility (see page 239).
- To configure authentication, see Configuring after installation. For a specific authentication method, see the specific method. For example, for LDAP or Active Directory, see Using LDAP (Active Directory) for authentication.
6.5 Installing BMC Atrium Single Sign-On as a High Availability cluster
A BMC Atrium Single Sign-On High Availability (HA) cluster environment is implemented as a redundant system with session failover. In this model, if a node fails, the BMC Atrium Single Sign-On load is transitioned to the remaining servers with minimal interruption. When multiple BMC Atrium Single Sign-On servers are installed and configured to operate as a cluster, a system failure is absorbed by the remaining cluster nodes. The BMC best practice is to run the BMC Atrium Single Sign-On cluster behind a firewall to protect the communications channels between the nodes, such as replication, BMC Atrium Single Sign-On sessions, and administrative communications. The communications are encrypted; however, the ports must be exposed for connections from the other clustered machines.
- HA prerequisites (see page 56)
- HA pre-installation tasks (see page 56)
- To install BMC Atrium Single Sign-On as an HA cluster (see page 56)
- HA post-installation activities (see page 57)

6.5.1 HA prerequisites
BMC Atrium Single Sign-On HA requires the following:
- An installed load balancer.
- The load balancer must support HTTP traffic.
- The load balancer must be configured with HTTP session sticky mode.
- The load balancer must be configured for HTTPS communication.

Note: HTTP session sticky mode is used to ensure that the first BMC Atrium Single Sign-On server continues to be used for subsequent requests (excluding node failure).

6.5.2 HA pre-installation tasks
BMC recommends that you install the provided BMC Atrium Single Sign-On Tomcat server and Java virtual machine (JVM). Although installation onto an external (customer-provided) Tomcat server and JVM is supported, this configuration is not recommended.
Before installing the first node, the following information is needed for cluster setup:
- URL that the load balancer uses for the cluster. The load balancer uses this URL to disperse calls to the cluster nodes.
- Port number for the internal LDAP server
- Port number for the replication of the internal LDAP server
The port numbers are used by LDAP for communicating data and for replication information. The specified ports should not be used by other programs and must be accessible from every computer that is part of the cluster.
6.5.3 To install BMC Atrium Single Sign-On as an HA cluster
1. Installing the first node for an HA cluster on a new Tomcat server (see page 57) or Installing the first node for an HA cluster on an external Tomcat server (see page 68).

Note: Be sure to copy the configuration file to the additional nodes.

2. Installing additional nodes for an HA cluster on a new Tomcat server (see page 63) or Installing additional nodes for an HA cluster on an external Tomcat server (see page 70).

Note: After installing BMC Atrium Single Sign-On in HA mode, verify that the cookie name for all the nodes is the same. For more information about verifying the cookie name, see Managing nodes in a cluster (see page 273).

6.5.4 HA post-installation activities
After adding a new additional node:
- Ensure that the load balancer is configured with the new node.
- Update the Apache MQ configuration of the new node and the existing nodes (if static configuration is used).
- Restart the existing nodes sequentially.
After a cookie name is changed for a particular BMC Atrium Single Sign-On server in the HA cluster, restart the BMC Atrium Single Sign-On server.

Note: In some cases, a BMC Atrium Single Sign-On server restart, browser cache purge, and cookie cleanup do not resolve a multiple redirects error. In that case, reboot the OS.
6.5.5 Installing the first node for an HA cluster on a new Tomcat server
The following provides information and instructions for installing the first node for an HA cluster on a new Tomcat.
- Before you begin (see page 57)
- To install the first node for an HA cluster on a new Tomcat (see page 58)
- Where to go from here (see page 63)

Before you begin
- Obtain the zipped BMC Atrium Single Sign-On files from the BMC product package via Electronic Product Download (EPD) or the BMC Atrium Single Sign-On DVD.
- If there is already an installation of BMC Atrium Single Sign-On on the target computer, the installer will not allow another installation. Uninstall the existing version.
- Prepare to run the installation program for your operating system. For example, you must update Terminal Services configuration options and configure the DEP feature if you are using Windows. For more information, see Configuring Terminal Services and DEP parameters.
- You must have a network load balancer configured for creating an HA cluster.

Important: The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product (for example, the AR System server or the BMC Remedy Mid Tier) that integrates with BMC Atrium Single Sign-On. BMC recommends that you install BMC Atrium Single Sign-On on a different computer than the computer where you plan to install a BMC product (for example, the AR System server or the BMC Remedy Mid Tier).
To install the first node for an HA cluster on a new Tomcat
1. Run the installation program. The setup executable is located in the Disk1 directory of the extracted files.
   - (Microsoft Windows) Run setup.cmd
   - (UNIX) Run setup.sh
2. In the lower right corner of the Welcome panel, click Next.
3. Review the license agreement, click I agree to the terms of license agreement, and then click Next.
4. Accept the default destination directory or browse to select a different directory, and then click Next.
5. In the Host Name Information panel, verify that the hostname presented is the Fully Qualified Domain Name (FQDN) for the host, and then click Next. Correct the value as needed.
6. In the BMC Atrium SSO Server Cluster Options panel, perform the following actions:
   a. Select Clustered BMC Atrium SSO Server.
   b. Select New Cluster Installation (First node).
   c. Click Next.
7. Enter a file name and location for storing the cluster configuration information and click Next. The file can have any extension, but it is recommended that you use .cfg as the extension because the file stores cluster configuration information. For example, clusterconfig.cfg. When you enter the file name and click Next, a config file with that name is automatically created on your computer.

Important: This file is needed when subsequent nodes are added to the cluster, and it contains sensitive information that is used when installing subsequent nodes.

8. Enter the LDAP port number (8091), LDAP replication port (8092), LDAP administration port (8093), and click Next.
9. Enter the load balancer URL and click Next. For example: https://loadBalancerFQDN:port/atriumsso, such as https://BMCLoadBalancer.bmc.com:8443/atriumsso
   As you are installing BMC Atrium SSO in a cluster environment, you must use the load balancer URL mentioned in this step for integration with other products. For example, when you are integrating BMC Atrium SSO with BMC Remedy Mid Tier, you must add the load balancer URL instead of the BMC Atrium SSO server URL. For more information, see Running the SSOMidtierIntegration utility on the Mid Tier (see page 92).
10. Verify that Install New Tomcat is selected and click Next.

Note: The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates with BMC Atrium Single Sign-On. BMC recommends that BMC Atrium Single Sign-On be the only application on the Tomcat server.

11. Accept the default Tomcat server HTTP port number (8080), HTTPS port number (8443), and Shutdown port number (8005), or enter different port numbers, and click Next. If any of the port numbers are incorrect, a pop-up menu identifies the incorrect port number and allows you to modify the selection.
12. Enter a cookie domain and click Next. The domain value of the cookie should be the network domain of BMC Atrium Single Sign-On or one of its parent domains.

Important: The higher the level of the selected parent domain, the higher the risk of user impersonation. You cannot use sibling domains or cross-domains with BMC Atrium Single Sign-On. For example, installing the BMC Atrium Single Sign-On server in the remedy.com domain and the AR System server in the bmc.com domain is not supported. You must move all your computers into the same domain.

13. Enter a strong administrator password, confirm the password, and click Next. The default administrator name is amadmin.
14. Review the installation summary and click Install. After the first node has been successfully installed, additional nodes can be added to the cluster by using the file created during the first installation.
15. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the BMC Atrium Single Sign-On URL.
   a. Navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to launch the BMC Atrium SSO Admin Console. The URL to open the BMC Atrium SSO Admin Console is: https://.:/atriumsso For example: https://ssoServer.bmc.com:8443/atriumsso
   b. When you are prompted that you are connecting to an untrusted connection, add the exception and then continue.
      Note: Browsers display this warning because you have not yet configured the SSO authentication as a trusted provider.
   c. Confirm that you can view the BMC Atrium Single Sign-On login panel.
   d. Log on with the SSO administrator name (for example, amadmin) and password. The BMC Atrium SSO Admin Console appears.
16. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the SSO load balancer. For example: https://ssoloadbalancer.bmc.com:8443/atriumsso The BMC Atrium SSO login screen appears. After you log on, the SSO server appears in the HA Nodes List.
17. (Optional) Create an administrative user account for BMC Products to perform search functions on the user store (for example, to list user names and emails).
   - If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BMCSearchAdmins group to the new user account.
   - If you are using an external system for authentication (such as AR System, LDAP, or Active Directory), assign the BmcSearchAdmins group to either an already existing user account or a new user account.
Where to go from here Installing additional nodes for an HA cluster on a new Tomcat server (see page 63) or Installing additional nodes for an HA cluster on an external Tomcat server (see page 70)
6.5.6 Installing additional nodes for an HA cluster on a new Tomcat server
The following provides information and instructions for installing additional nodes for an HA cluster on a new Tomcat.
- Before you begin (see page 63)
- To install an additional node for an HA cluster on a new Tomcat (see page 63)
- Where to go from here (see page 68)

Before you begin
- Install the first node for an HA cluster on a new Tomcat server (see page 57).
- Obtain the zipped BMC Atrium Single Sign-On files from the BMC product package via Electronic Product Download (EPD) or the BMC Atrium Single Sign-On DVD for the additional nodes.
- If there is already an installation of BMC Atrium Single Sign-On on the target computer, the installer will not allow another installation. Uninstall the existing version.
- Ensure that the first node and all the additional nodes are running in the HA cluster.
- Prepare to run the installation program for your operating system. For example, you must update Terminal Services configuration options and configure the DEP feature if you are using Windows. For more information, see Configuring Terminal Services and DEP parameters.

Important: The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product (for example, the AR System server or the BMC Remedy Mid Tier) that integrates with BMC Atrium Single Sign-On. BMC recommends that you install BMC Atrium Single Sign-On on a different computer than the computer where you plan to install a BMC product (for example, the AR System server or the BMC Remedy Mid Tier).

To install an additional node for an HA cluster on a new Tomcat
During subsequent node installations, previously installed nodes must be available so that the newly added node can fully integrate into the cluster.
1. Ensure that all nodes are running and available.
2. Copy the cluster configuration file (created during the first node's installation) to the Disk1 directory of the extracted files before installing BMC Atrium Single Sign-On on the node.

Note: The installation and configuration information of the first node is used when installing additional nodes.

3. Run the installation program. Launch the setup executable located in the Disk1 directory of the extracted files.
   - (Microsoft Windows) Run setup.cmd
   - (UNIX) Run setup.sh
4. In the lower right corner of the Welcome panel, click Next.
5. Review the license agreement, click I agree to the terms of license agreement, and then click Next.
6. Accept the default destination directory or browse to select a different directory, and then click Next.
7. In the Host Name Information panel, verify that the hostname presented is the Fully Qualified Domain Name (FQDN) for the host, and then click Next. Correct the value as needed.
8. In the BMC Atrium SSO Server Cluster Options panel, perform the following actions:
   a. Select Clustered Atrium SSO Server.
   b. Select Add this node to an existing cluster.
   c. Click Next.
9. In the BMC Atrium SSO Cluster Configuration File Information panel, browse to the Disk1 directory where you copied the file, and then click Next.
10. Enter the LDAP port number (8091), LDAP replication port (8092), LDAP administration port (8093), and click Next.
11. Verify that Install New Tomcat is selected and click Next.

Note: The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates with BMC Atrium Single Sign-On. BMC recommends that BMC Atrium Single Sign-On be the only application on the Tomcat server.

12. Accept the default Tomcat server HTTP port number (8080), HTTPS port number (8443), and Shutdown port number (8005), or enter different port numbers, and click Next. If any of the port numbers are incorrect, a pop-up menu identifies the incorrect port number and allows you to modify the selection.
13. Review the installation summary and click Install. After the second node has been successfully installed, additional nodes can be added to the cluster by using the file created during the first installation.
14. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the BMC Atrium Single Sign-On URL.
   a. Navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to launch the BMC Atrium SSO Admin Console. The URL to open the BMC Atrium SSO Admin Console is: https://.:/atriumsso/atsso/console/login/Login.html For example: https://ssoServer.bmc.com:8443/atriumsso/atsso/console/login/Login.html
   b. When you are prompted that you are connecting to an untrusted connection, add the exception and then continue.
      Note: Browsers display this warning because you have not yet configured the SSO authentication as a trusted provider.
   c. Confirm that you can view the BMC Atrium Single Sign-On login panel.
   d. Log on with the SSO administrator name (for example, amadmin) and password. The BMC Atrium SSO Admin Console appears.
15. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the SSO load balancer. For example: https://ssoloadbalancer.bmc.com:8443/atriumsso The BMC Atrium SSO login screen appears. After you log on, your SSO servers appear in the HA Nodes List.
16. (Optional) Create an administrative user account for BMC Products to perform search functions on the user store (for example, to list user names and emails).
   - If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BMCSearchAdmins group to the new user account.
   - If you are using an external system for authentication (such as AR System, LDAP, or Active Directory), assign the BmcSearchAdmins group to either an already existing user account or a new user account.
Where to go from here
- To install the AR System server, see Installing or upgrading AR System server.
- To secure certificates with an external CA, see Managing keystores with a keytool utility (see page 239).
- To configure authentication, see Configuring after installation. For a specific authentication method, see the specific method. For example, for LDAP or Active Directory, see Using LDAP (Active Directory) for authentication.

6.5.7 Installing the first node for an HA cluster on an external Tomcat server
The following provides information and instructions for installing the first node for an HA cluster on an external Tomcat.
- Before you begin (see page 68)
- To install BMC Atrium Single Sign-On on the first node for an external Tomcat (see page 68)
- Where to go from here (see page 69)

Before you begin
Before installing BMC Atrium Single Sign-On on the first node for an external Tomcat, make sure you have performed the tasks in Prerequisites for installation (see page 42) and the Before you begin section in Installing BMC Atrium Single Sign-On on an external Tomcat server (see page ).

To install BMC Atrium Single Sign-On on the first node for an external Tomcat
1. Run the installation program, autorun. If autorun does not automatically launch the appropriate file, launch the setup executable located in the Disk1 directory of the extracted files. This script automatically detects the appropriate subscript to execute.
   - (Microsoft Windows) Run setup.cmd
   - (UNIX) Run setup.sh
2. Accept the default destination directory, or browse to select a different directory, and click Next.
3. Enter the hostname if the provided name is incorrect and click Next.
4. Select Clustered Atrium SSO Server.
5. Select New Cluster Installation (First node), and click Next.
6. Enter a file name and location for storing the cluster configuration information and click Next. This cluster configuration file is needed when subsequent nodes are added to the cluster.

Important: This file contains sensitive information.
7. Enter the LDAP port and LDAP replication port, and click Next.
8. Enter the load balancer URL and click Next.
9. Click Use External Tomcat and click Next.

Note: The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates with BMC Atrium Single Sign-On. BMC recommends that BMC Atrium Single Sign-On be the only application in the Tomcat server.

10. Enter the Tomcat server directory at the prompt and click Next.
11. At the Tomcat Application Server Selection panel, enter the path to the Tomcat server. After the path is entered, the installer verifies that:
   - The directory has a webapps directory that can be written to.
   - The main program, tomcat6.exe, is present (even on UNIX).
   - The server.xml file contains a Connector with port and secure defined and scheme set to https. The installer parses important information from this Connector entry and stores it.
   The installer deploys the BMC Atrium Single Sign-On web application to the Tomcat server, asking that you start or stop it when necessary.
12. Enter additional information at the prompts. Be prepared with information about:
   - JDK directory location
   - Tomcat server port
   - BMC Atrium Single Sign-On Truststore certificate location and password
   - BMC Atrium Single Sign-On Keystore password, alias, and certificate
   - BMC Atrium Single Sign-On cookie domain
   - BMC Atrium Single Sign-On administrator name and password
   (Windows) You will be asked whether your external Tomcat server is started using scripts or as a Windows service.
13. Stop the Tomcat server.
14. After installation is complete, follow the installer directions to restart the Tomcat server. The Tomcat server can now be used as the BMC Atrium Single Sign-On application server. If you make modifications to the server configuration, be sure to test each change to ensure that the BMC Atrium Single Sign-On application continues to function correctly.
15. Replace the existing certificate with a Certificate Authority (CA) signed identity certificate.
16. Verify that your BMC Atrium Single Sign-On installation was successful:
   a. Launch the administrator console.
   b. Confirm that you can view the BMC Atrium Single Sign-On login panel.
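The server.xml condition the installer checks in step 11 (a Connector with port and secure defined and scheme set to https) can be verified ahead of time, so a missing HTTPS connector is caught before the installer stops. The following Python is an added example, not the BMC installer's own check; the server.xml is a constructed sample with a placeholder keystore password, and the low-port warning reflects the earlier note that ports below 1000 require root or port forwarding on Linux.

```python
"""Pre-check a Tomcat server.xml for the HTTPS Connector that the Atrium SSO
installer looks for when deploying to an external Tomcat.

Added example (not BMC's installer). The page states the installer requires a
Connector with `port` and `secure` defined and `scheme="https"`; this script
reports every Connector against those rules. Sample data is constructed inline.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Linux reserves ports below 1024 for root; the installer note rounds this to
# "below 1000" and says such ports need root or a port-forwarding mechanism.
PRIVILEGED_PORT_LIMIT = 1024

# Constructed sample server.xml (a trimmed Tomcat 6 layout, not a real file).
# The keystore password is a deliberate placeholder.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" keystoreFile="conf/keystore.p12"
               keystorePass="REPLACE_ME"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""


@dataclass
class ConnectorReport:
    port: Optional[int]
    scheme: Optional[str]
    secure: Optional[str]
    problems: List[str] = field(default_factory=list)   # violate the installer's rule
    warnings: List[str] = field(default_factory=list)   # worth a look, not fatal

    @property
    def usable(self) -> bool:
        return not self.problems


def inspect_connectors(server_xml: str) -> List[ConnectorReport]:
    """Evaluate every <Connector> in the document against the installer's rules."""
    root = ET.fromstring(server_xml)
    reports: List[ConnectorReport] = []
    for conn in root.iter("Connector"):
        report = ConnectorReport(port=None, scheme=conn.get("scheme"),
                                 secure=conn.get("secure"))
        port_attr = conn.get("port")
        if port_attr is None:
            report.problems.append("port attribute missing")
        elif not port_attr.isdigit():
            report.problems.append(f"port {port_attr!r} is not numeric")
        else:
            report.port = int(port_attr)
            if report.port < PRIVILEGED_PORT_LIMIT:
                report.warnings.append(
                    f"port {report.port} is privileged; on Linux Tomcat must run "
                    "as root or sit behind port forwarding")
        if report.scheme != "https":
            report.problems.append("scheme is not https")
        if report.secure is None:
            report.problems.append("secure attribute missing")
        elif report.secure.lower() != "true":
            report.warnings.append("secure is defined but not true")
        # Tomcat only terminates TLS on a connector with SSLEnabled="true";
        # scheme=https alone does not make the listener speak TLS.
        if report.scheme == "https" and conn.get("SSLEnabled", "").lower() != "true":
            report.warnings.append("scheme=https without SSLEnabled=true")
        reports.append(report)
    return reports


def find_https_connector(server_xml: str) -> Optional[ConnectorReport]:
    """Return the first Connector that satisfies the installer's rule, or None."""
    for report in inspect_connectors(server_xml):
        if report.usable:
            return report
    return None


if __name__ == "__main__":
    for rep in inspect_connectors(SAMPLE_SERVER_XML):
        status = "OK " if rep.usable else "NO "
        print(status, rep.port, rep.scheme, rep.secure, rep.problems, rep.warnings)
```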
Where to go from here
Installing additional nodes for an HA cluster on a new Tomcat server (see page 63) or Installing additional nodes for an HA cluster on an external Tomcat server (see page 70)
6.5.8 Installing additional nodes for an HA cluster on an external Tomcat server
The following provides information and instructions for installing additional nodes for an HA cluster on an external Tomcat.
Before you begin (see page 70)
To install BMC Single Sign-On on additional nodes for an external Tomcat (see page 70)
Where to go from here (see page 71)
Before you begin
Before installing BMC Atrium Single Sign-On on the first node for an external Tomcat, make sure you have performed the tasks in Prerequisites for installation (see page 42) and Before you begin in Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 73).
Ensure that the first node and all the additional nodes are running in the HA cluster.
To install BMC Single Sign-On on additional nodes for an external Tomcat
During subsequent node installations, previously installed nodes must be available so that the newly added node can fully integrate into the cluster.
1. Ensure that all nodes are up and available.
2. Copy the cluster configuration file (created during the first node's installation) to the local file system prior to installing BMC Atrium Single Sign-On on the node.
3. Run the installation program, autorun. If autorun does not automatically launch the appropriate file, launch the setup executable located in the Disk1 directory of the extracted files. This script automatically detects the appropriate subscript to execute.
    (Microsoft Windows) Run setup.cmd
    (UNIX) Run setup.sh
4. Accept the default destination directory, or browse to select a different directory, and click Next.
5. Enter the host name if the provided name is incorrect and click Next.
6. Select Clustered Atrium SSO Server.
7. Select Add this node to an existing cluster.
8. Enter the location of the cluster configuration file and click Next.
9. Enter the LDAP port and LDAP replication port, and click Next.
10. Click Use External Tomcat and click Next. The Tomcat server options are:
    Install New Tomcat (default)
    Use External Tomcat
Note The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates with BMC Atrium Single Sign-On. BMC recommends that BMC Atrium Single Sign-On be the only application in the Tomcat server.
11. Enter the Tomcat server directory at the prompt and click Next.
12. At the Tomcat Application Server Selection panel, enter the path to the Tomcat server. After the path is entered, the installer verifies that:
    The directory has a webapps directory that can be written to.
    The main program, tomcat6.exe, is present (even on UNIX).
    The server.xml file contains a Connector with port and secure defined, with scheme set to https.
The installer parses important information from this Connector entry and stores it. The installer deploys the BMC Atrium Single Sign-On web application to the Tomcat server, asking that you start or stop it when necessary.
13. Enter additional information at the prompts. Be prepared with information about:
    JDK directory location
    Tomcat server port
    BMC Atrium Single Sign-On Truststore certificate location and password
    BMC Atrium Single Sign-On Keystore password, alias, and certificate
    (Windows) You will be asked whether your external Tomcat is started using scripts or as a Windows service.
14. Stop the Tomcat server.
15. After installation is complete, follow the installer directions to restart the Tomcat server. The Tomcat server can now be used as the BMC Atrium Single Sign-On application server. If you make modifications to the server configuration, be sure to test each change to ensure that the BMC Atrium Single Sign-On application continues to function correctly.
16. Replace the existing certificate with a Certificate Authority (CA) signed identity certificate.
17. Verify that your BMC Atrium Single Sign-On installation was successful:
    a. Launch the administrator console.
    b. Confirm that you can view the BMC Atrium Single Sign-On login panel.
Where to go from here
To install the AR System server, see Installing or upgrading AR System server
To secure certificates with an external CA, see Managing keystores with a keytool utility (see page 239).
To configure authentication, see Configuring after installation. For a specific authentication method, see the specific method. For example, for LDAP or Active Directory, see Using LDAP (Active Directory) for authentication.
6.6 Installing BMC Atrium Single Sign-On on an external Tomcat server
This section explains how to install BMC Atrium Single Sign-On on an external Tomcat server. This installation option allows the BMC Atrium Single Sign-On server to be installed using versions of Tomcat and Java VM that are different from those provided by the standalone installation option. Using this option allows greater flexibility in choosing the Tomcat server and Java Virtual Machine (JVM), but at the expense of adding administration of the Tomcat server and JVM. In addition, correct version selection must also be performed to avoid incompatibilities. Due to these added responsibilities, BMC recommends that this option be performed only when the default selections are not sufficient.
Before you begin (see page 73)
To install BMC Atrium Single Sign-On on an external Tomcat server (see page 73)
Where to go from here (see page 74)
6.6.1 Before you begin
Before installation, make sure you have performed the tasks in Prerequisites for installation (see page 42).
Verify that no other product or application is installed on your Tomcat server.
Note: The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates with BMC Atrium Single Sign-On. BMC recommends that BMC Atrium Single Sign-On be the only application in the Tomcat server.
Modify the external Tomcat policy file. See Policy file additions for external Tomcat installations (see page 75).
Configure the JVM that will run the Tomcat server. See Configuring a JVM for the Tomcat Server (see page 77).
Modify the Tomcat server hosting the BMC Atrium Single Sign-On application to define an HTTPS connection with an explicit truststore and explicit keystore declaration. See Setting an HTTPS connection (see page 78).
Add JVM initialization parameters to the JVM that is running the external Tomcat. See JVM parameter additions for external Tomcat installations (see page 76).
If you plan to enable FIPS, perform the tasks in Configuring an external Tomcat instance for FIPS-140 (see page 76) and the FIPS-140 preparation steps in Configuring FIPS-140 mode (see page 251).
6.6.2 To install BMC Atrium Single Sign-On on an external Tomcat server
1. If autorun does not automatically launch the appropriate file, launch the setup executable. The setup executable is located in the Disk1 directory of the extracted files:
    (Microsoft Windows) Run setup.cmd.
    (UNIX) Run setup.sh (which automatically detects the appropriate subscript to execute).
2. Accept the default destination directory or browse to select a different directory and click Next.
3. Verify that the hostname presented is the Fully Qualified Domain Name (FQDN) for the host, correct the value as needed, and click Next.
4. Click Use External Tomcat. The Tomcat server options are:
    Install New Tomcat (default)
    Use External Tomcat
5. At the prompt, enter the Tomcat directory (or use the browse button to specify the Tomcat directory) and click Next.
6. At the Tomcat Application Server Selection panel, enter the path to the Tomcat server. After clicking Next, the installer verifies that:
    The directory has a webapps directory that can be written to.
    The main program, tomcat6.exe, is present (even on UNIX).
    The server.xml file contains a Connector with port and secure defined and with scheme set to https.
The installer parses important information from this Connector entry and stores it. As the installer deploys the BMC Atrium Single Sign-On web application to the Tomcat server, it will ask that you start or stop it when necessary.
7. (Windows) You will be asked whether your external Tomcat server is started by using scripts or as a Windows service. If the Tomcat server is started as a Windows service, enter the name of this service.
8. Enter additional information at the prompts. Be prepared with information about:
    JDK directory location
    Tomcat HTTPS server port
    Tomcat truststore certificate location and password
    Tomcat keystore password, alias, and certificate
    Tomcat cookie domain
    Tomcat administrator name and password
9. Stop the Tomcat server.
10. During installation, follow the installer directions to restart the Tomcat server.
11. Verify that your BMC Atrium Single Sign-On installation was successful:
    a. Launch the BMC Atrium Single Sign-On administrator console and confirm that you can view the BMC Atrium SSO Admin Console.
The Tomcat server can now be used as the BMC Atrium Single Sign-On application server. If you make modifications to the server configuration, be sure to test each change to ensure that the BMC Atrium Single Sign-On application functions correctly.
12. (Optional) Create an administrative user account for BMC Products to perform search functions on the user data store (for example, to list user names, emails, and so on).
Note If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BMCSearchAdmins group to the new user account.
13. If you are using an external system for authentication (such as AR System, LDAP, or Active Directory), assign the BmcSearchAdmins group to either an already existing user account or a new user account.
6.6.3 Where to go from here
To install the AR System server, see Installing AR System server (with BMC Atrium Single Sign-On)
To install BMC Atrium Single Sign-On server in silent mode, see Installing silently (see page 112).
To secure certificates with an external CA, see Managing keystores with a keytool utility (see page 239).
To configure authentication, see Configuring after installation. For a specific authentication method, see the specific method. For example, for LDAP or Active Directory, see Using LDAP (Active Directory) for authentication.
6.6.4 Policy file additions for external Tomcat installations
If you plan on installing BMC Atrium Single Sign-On on an external Tomcat, the Tomcat policy file, catalina.policy, must be modified. The policy file is located at /tomcat/conf. To configure the policy file for external Tomcat installations, add the following lines to the Tomcat policy file:
//
// AtriumSSO additions for tomcat 6/7
//
grant {
    permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
    permission java.util.PropertyPermission "*", "read, write";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.util.logging.LoggingPermission "control";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission java.io.FilePermission "", "read, write, execute, delete";
    permission java.util.PropertyPermission "java.util.logging.config.class", "write";
    permission java.security.SecurityPermission "removeProvider.SUN";
    permission java.security.SecurityPermission "insertProvider.SUN";
    permission javax.security.auth.AuthPermission "doAs";
    permission java.util.PropertyPermission "java.security.krb5.realm", "write";
    permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
    permission java.util.PropertyPermission "java.security.auth.login.config", "write";
    permission java.util.PropertyPermission "user.language", "write";
    permission javax.security.auth.kerberos.ServicePermission "*", "accept";
    permission javax.net.ssl.SSLPermission "setHostnameVerifier";
    permission java.security.SecurityPermission "putProviderProperty.IAIK";
    permission java.security.SecurityPermission "removeProvider.IAIK";
    permission java.security.SecurityPermission "insertProvider.IAIK";
    permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
    permission javax.management.MBeanServerPermission "newMBeanServer";
    permission javax.management.MBeanPermission "*", "registerMBean";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission javax.security.auth.AuthPermission "getSubject";
    permission javax.management.MBeanTrustPermission "register";
    permission javax.management.MBeanPermission "*", "*";
    permission java.lang.management.ManagementPermission "monitor";
    permission javax.management.MBeanServerPermission "createMBeanServer";
    permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
    permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
    permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
    permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
    permission java.net.NetPermission "getProxySelector";
    permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
    permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
    permission javax.security.auth.AuthPermission "doAsPrivileged";
    permission javax.security.auth.AuthPermission "modifyPublicCredentials";
    permission java.security.SecurityPermission "insertProvider.XMLDSig";
    permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
    permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
    permission java.security.SecurityPermission "getProperty.ocsp.*";
};
6.6.5 JVM parameter additions for external Tomcat installations
The following initialization parameters must be specified for the JVM that is running an external Tomcat. If Tomcat is controlled via scripts, these JVM parameters can be included in a script file:
    (Microsoft Windows) setenv.bat
    (UNIX) setenv.sh
When Tomcat is installed as a Windows Service, include these values in the wrapper. When the wrapper is a supplied Apache wrapper (via Tomcat6w.exe or Tomcat7w.exe), the JVM additions are added to the Java tab.
-Dcom.sun.identity.configuration.directory=\webapps\atriumsso\WEB-INF\config
-XX:PermSize=64m
-XX:MaxPermSize=256m
-Dcom.sun.identity.session.connectionfactory.provider=com.bmc.atrium.sso.opensso.extensions.ha.ConnectionFactoryProvi
Note and are the full path and name to the truststore and keystore that were created by the user for use by the Tomcat server.
6.6.6 Configuring an external Tomcat instance for FIPS-140
The Federal Information Processing Standards (FIPS-140) are standards, for example data encoding and encryption standards, for use in computer systems by all non-military government agencies and government contractors. For information about FIPS-140, see Configuring FIPS-140 mode (see page 251).
To configure an external Tomcat instance for FIPS-140
If you plan to enable FIPS-140 and are installing to an external Tomcat server, perform these steps:
1. Configure the Tomcat server for auto-deployment of .war files.
2. Use the same keystore for both non-FIPS and FIPS versions of your server.xml file.
3. Perform the following modifications to the server.xml file for non-FIPS and FIPS versions:
    a. Duplicate the original file to create a FIPS version (named server.xml.fips) and a non-FIPS version (named server.xml.nofips).
    b. In the new FIPS version of the file, use the following ciphers attribute to force a higher level of encryption (or use your own values):
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
    c. Add the XML comment to tag the file as FIPS-140:
4. Perform the following modifications to the java.security file for non-FIPS and FIPS versions:
    a. Duplicate the original file, creating java.security.nofips and java.security.fips versions.
    b. In java.security.fips, make sure that the provider is the first one in the security providers list, with the remaining providers renumbered. For example, the following list places the JsafeJCE provider at the top of the list with a key suffix of 1, while the providers after JsafeJCE are renumbered to follow the first. The com.rsa.cryptoj.jce.kat.strategy and com.rsa.cryptoj.jce.fips140initialmode properties are placed after the security providers list. For those properties, use the exact values shown in the following example:
security.provider.1=com.rsa.jsafe.provider.JsafeJCE
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.10=sun.security.mscapi.SunMSCAPI
com.rsa.cryptoj.jce.kat.strategy=on.load
com.rsa.cryptoj.jce.fips140initialmode=FIPS140_SSL_MODE
6.6.7 Configuring a JVM for the Tomcat Server
To configure a JVM that will run the Tomcat server, perform the following steps. The location of the JVM is always determined by the administrator who configures the Tomcat server. Ensure that the JAVA_HOME and PATH environment variables are set.
To configure a JVM for the Tomcat server
1. Install the cryptography library (cryptoj.jar) in the following location:
    (Microsoft Windows) jdkDirectory\jre\lib\ext
    (UNIX) jdkDirectory/jre/lib/ext
BMC Atrium Single Sign-On uses the RSA CryptoJ library (cryptoj.jar) for cryptographic functions. The RSA CryptoJ library can be acquired from Support or through another BMC Atrium Single Sign-On installation (using Tomcat/JVM).
2. Perform the following modifications to the java.security file. Add a new line to the end of the providers' definition list, and ensure that the provider is sequentially numbered.
security.provider.x=com.rsa.jsafe.provider.JsafeJCE
x specifies the order in which the security providers will be searched. The java.security file can be found at:
    (Microsoft Windows) jdkDirectory\jre\lib\security
    (UNIX) jdkDirectory/jre/lib/security
Note The RSA provider can be the last provider in the security providers list, except when BMC Atrium Single Sign-On is running in FIPS mode. For this configuration, the RSA provider must be first, with the remaining ones renumbered.
security.provider.1=com.rsa.jsafe.provider.JsafeJCE
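As an added example (not from the BMC documentation), the following Python script performs the two java.security edits described in this section and in step 4 of the FIPS-140 procedure above: appending the JsafeJCE provider as the last provider for the non-FIPS file, and placing it first, renumbering the remaining providers and writing the two com.rsa.cryptoj properties directly after the list for java.security.fips. The java.security content embedded in it is constructed sample input.

```python
"""Insert the RSA JsafeJCE provider into a java.security providers list.

Added example, not BMC code. Implements the non-FIPS edit (JsafeJCE last)
and the FIPS-140 edit (JsafeJCE first, others renumbered, cryptoj
properties placed after the list). The sample java.security is constructed.
"""
import re

JSAFE_PROVIDER = "com.rsa.jsafe.provider.JsafeJCE"

# Properties the text says must follow the providers list in java.security.fips.
FIPS_PROPERTIES = (
    "com.rsa.cryptoj.jce.kat.strategy=on.load",
    "com.rsa.cryptoj.jce.fips140initialmode=FIPS140_SSL_MODE",
)

_PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(\S+)$")

# Constructed sample: a trimmed providers list as found in a JDK java.security.
SAMPLE_JAVA_SECURITY = """\
# java.security (constructed sample for this example)
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=sun.security.mscapi.SunMSCAPI
securerandom.source=file:/dev/urandom
"""


def parse_providers(text):
    """Return provider class names in the order given by their numeric suffix."""
    found = []
    for line in text.splitlines():
        m = _PROVIDER_RE.match(line.strip())
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return [name for _, name in sorted(found)]


def rewrite_providers(text, provider, first, trailer=()):
    """Insert `provider` into the providers list and renumber the list.

    first=False appends it after the existing providers (the non-FIPS case);
    first=True makes it security.provider.1 and shifts the others down (the
    FIPS-140 case). `trailer` lines are written directly after the list. An
    existing entry for `provider`, and any earlier copy of a trailer key, is
    removed first so the function can be re-run on its own output.
    """
    others = [p for p in parse_providers(text) if p != provider]
    ordered = [provider] + others if first else others + [provider]
    block = ["security.provider.%d=%s" % (i, p) for i, p in enumerate(ordered, 1)]
    trailer_keys = tuple(t.split("=", 1)[0] + "=" for t in trailer)
    out, emitted = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if _PROVIDER_RE.match(stripped) or stripped.startswith(trailer_keys):
            if not emitted:          # emit the rebuilt list where the old one began
                out.extend(block)
                out.extend(trailer)
                emitted = True
            continue                 # drop the old lines that were just replaced
        out.append(line)
    if not emitted:                  # no providers list at all: append one
        out.extend(block)
        out.extend(trailer)
    return "\n".join(out) + "\n"


def make_nofips_variant(text):
    """java.security.nofips: JsafeJCE appended as the last provider."""
    return rewrite_providers(text, JSAFE_PROVIDER, first=False)


def make_fips_variant(text):
    """java.security.fips: JsafeJCE first, cryptoj properties right after the list."""
    return rewrite_providers(text, JSAFE_PROVIDER, first=True, trailer=FIPS_PROPERTIES)


if __name__ == "__main__":
    print(make_fips_variant(SAMPLE_JAVA_SECURITY))
```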
For more information on configuring JVM for running the Tomcat server, see tomcat-6.0-doc and tomcat-7.0-doc.
6.6.8 Setting an HTTPS connection
To set up an HTTPS connection, the Tomcat server that hosts the BMC Atrium Single Sign-On server must be modified to define an HTTPS connection with an explicit truststore and an explicit keystore. The default Tomcat server used by BMC Atrium Single Sign-On uses a keystore and a truststore for secure (HTTPS, Transport Layer Security) communications. If the Tomcat server does not have a truststore and a keystore, new self-signed certificates must be generated using the keytool. See Managing keystores with a keytool utility (see page 239). The following XML code is an example of the HTTPS connection and is one of the supported configurations. The example uses a keystore and a truststore of type PKCS12, named keystore.p12 and cacerts.p12, with the passwords "keystore_password" and "truststore_password" respectively.
Note Switch CATALINA_HOME to the full path of the Tomcat directory. The value provided for CATALINA_HOME needs to be adjusted to the environment.
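The following Python pre-flight check is an added example, not BMC installer code. It runs the same checks the installer performs on an external Tomcat directory in the installation procedures above (a writable webapps directory, tomcat6.exe present, a Connector with port and secure defined and scheme set to https) and additionally confirms that the Connector declares the explicit keystore and truststore this section requires. The embedded server.xml is a constructed sample in the style described here (PKCS12 keystore.p12 and cacerts.p12); the bin/tomcat6.exe location, file paths and passwords are assumptions.

```python
"""Pre-flight checks for an external Tomcat before installing Atrium SSO.

Added example, not BMC code. Mirrors the installer's directory checks and
adds a check for an explicit keystore/truststore on the HTTPS Connector.
The server.xml content is constructed; paths and passwords are placeholders.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed HTTPS Connector with explicit PKCS12 keystore and truststore,
# in the style the HTTPS section describes (not BMC's own XML).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="CATALINA_HOME/conf/keystore.p12"
               keystoreType="PKCS12" keystorePass="keystore_password"
               truststoreFile="CATALINA_HOME/conf/cacerts.p12"
               truststoreType="PKCS12" truststorePass="truststore_password"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed server.xml the installer would reject: no HTTPS Connector.
SAMPLE_BAD_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""


def find_https_connector(server_xml_text):
    """Return the first Connector with port and secure defined and scheme=https.

    Returns None when no Connector satisfies all three conditions, which is
    the case the installer rejects at the Tomcat Application Server panel.
    """
    root = ET.fromstring(server_xml_text)
    for conn in root.iter("Connector"):
        if (conn.get("port") and conn.get("secure") is not None
                and conn.get("scheme") == "https"):
            return conn
    return None


def check_server_xml(server_xml_text):
    """Summarise what the installer and the HTTPS section expect in server.xml."""
    conn = find_https_connector(server_xml_text)
    if conn is None:
        return {"https_connector": False}
    return {
        "https_connector": True,
        "port": int(conn.get("port")),
        # The HTTPS section asks for an explicit keystore and truststore.
        "explicit_keystore": bool(conn.get("keystoreFile")),
        "explicit_truststore": bool(conn.get("truststoreFile")),
        "keystore_type": conn.get("keystoreType"),
    }


def check_tomcat_dir(tomcat_dir):
    """Run the directory checks the installer performs; return them as a dict."""
    webapps = os.path.join(tomcat_dir, "webapps")
    server_xml = os.path.join(tomcat_dir, "conf", "server.xml")
    result = {
        "webapps_writable": os.path.isdir(webapps) and os.access(webapps, os.W_OK),
        # The text says tomcat6.exe is required even on UNIX; bin/ is assumed.
        "tomcat6_exe": os.path.isfile(os.path.join(tomcat_dir, "bin", "tomcat6.exe")),
        "https_connector": False,
    }
    if os.path.isfile(server_xml):
        with open(server_xml, encoding="utf-8") as fh:
            result.update(check_server_xml(fh.read()))
    return result


def demo_tomcat_dir():
    """Build a throw-away Tomcat layout holding the sample server.xml and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        for sub in ("webapps", "conf", "bin"):
            os.makedirs(os.path.join(tmp, sub))
        with open(os.path.join(tmp, "bin", "tomcat6.exe"), "wb") as fh:
            fh.write(b"")  # presence is all the installer checks for
        with open(os.path.join(tmp, "conf", "server.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_SERVER_XML)
        return check_tomcat_dir(tmp)


if __name__ == "__main__":
    for key, value in demo_tomcat_dir().items():
        print("%-20s %s" % (key, value))
```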
Related topics
Creating new keystores (see page 240)
Generating self-signed certificates (see page 249)
Generating and importing CA certificates
Importing a certificate into the truststore (see page 243)
6.7 Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier
This section describes how to perform a BMC Atrium Single Sign-On installation. This topic contains the following information:
Installing video (see page 80)
Overview of installation steps (see page 80)
Related topics (see page 81)
6.7.1 Installing video Click the following BMC Atrium Single Sign-On 8.1 installation video for more information: Watch video on YouTube at http://www.youtube.com/watch?v=gmSZJnin1WM
6.7.2 Overview of installation steps
In the 8.1 release, you use a single utility — AtriumSSOIntegrationUtility — installed both with the AR System server and the BMC Remedy Mid Tier to integrate with the BMC single sign-on solution. To perform the integration, you first run the utility on the computer where the AR System server is installed, and then you run the utility a second time on the computer where the Mid Tier is installed.
BMC contributors content
For additional information, you can also refer to the following webinar conducted by BMC Support. You can also connect with other users for related discussions on the BMC Community.
Perform the following steps:
1. Installing BMC Atrium Single Sign-On
2. Installing or upgrading AR System server
3. Installing or upgrading BMC Remedy Mid Tier
4. Running the SSOARIntegration utility on the AR System server (see page 88)
5. Reviewing AR server external authentication settings and configuring group mapping (see page 91)
6. Running the SSOMidtierIntegration utility on the Mid Tier (see page 92)
7. Managing the AR System users and groups for authentication (see page 97)
8. Running a health check on the BMC Atrium Single Sign-On installation
Important BMC recommends that you install the BMC Remedy Mid Tier, BMC Remedy AR System server, and BMC Atrium Single Sign-On server on separate computers. However, if you do install more than one BMC Product on the same computer, ensure that the HTTP, HTTPS, and Shutdown port numbers are different.
Note For detailed information on installing and configuring BMC Atrium Service Context, see Setting up BMC Atrium Service Context. As a bare minimum, you must install the Web Services Registry (UDDI), which is required for BMC Atrium Service Context. The Web Services Registry is an option within the BMC Atrium Core installation program.
6.7.3 Related topics Configuring after installation
6.7.4 Installing BMC Atrium Single Sign-On
This topic provides instructions for performing a BMC Atrium Single Sign-On standalone installation. In this installation, a Tomcat server and JVM are installed and properly configured for use by the BMC Atrium Single Sign-On server. This installation method is the simplest and easiest to perform since all of the administrative and configuration details are handled by the installation program.
Before you begin (see page )
To install BMC Atrium Single Sign-On as a standalone (see page )
Where to go from here (see page )
Before you begin
Obtain the zipped BMC Atrium Single Sign-On files from the BMC product package via Electronic Product Download (EPD) or the BMC Atrium Single Sign-On DVD.
If there is already an installation of BMC Atrium Single Sign-On on the target computer, the installer will not allow another installation. Uninstall the existing version.
Prepare to run the installation program for your operating system. For example, you must update Terminal Services configuration options and configure the DEP feature if you are using Windows. For more information, see Configuring Terminal Services and DEP parameters.
Note The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product (for example, the AR System server or the BMC Remedy Mid Tier) that integrates with BMC Atrium Single Sign-On. BMC recommends that you install BMC Atrium Single Sign-On on a different computer than the computer where you plan to install a BMC product (for example, the AR System server or the BMC Remedy Mid Tier).
To install BMC Atrium Single Sign-On as a standalone
1. Unzip the BMC Atrium Single Sign-On files.
2. Run the installation program. The setup executable is located in the Disk1 directory of the extracted files.
    (Microsoft Windows) Run setup.cmd.
    (UNIX) Run setup.sh (which automatically detects the appropriate subscript to execute).
3. In the lower right corner of the Welcome panel, click Next.
4. Review the license agreement, click I agree to the terms of license agreement, and then click Next.
5. Accept the default destination directory or browse to select a different directory, and then click Next.
6. In the Host Name Information panel, verify that the hostname presented is the Fully Qualified Domain Name (FQDN) for the host, and then click Next. Correct the value as needed.
7. Choose to install a non-clustered or clustered Atrium Single Sign-On Server, and then click Next.
    Non-clustered Atrium Single Sign-On Server – Standalone Single Sign-On Server.
    Clustered Atrium Single Sign-On Server – Implemented as a redundant system with session failover. A clustered install requires at least two nodes. For more information, see Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55).
8. Verify that Install New Tomcat is selected, and then click Next. The Tomcat server options are:
    Install New Tomcat (default)
    Use External Tomcat. See Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72) to install with this option.
Note When installing on Linux servers, you must configure JVM for Tomcat after the installation. For more information about configuring JVM, see Configuring a JVM for the Tomcat Server (see page 77).
9. Accept the default Tomcat HTTP port number (8080), HTTPS port number (8443), and Shutdown port number (8005), or enter different port numbers, and then click Next. If any of the port numbers are incorrect, a panel identifies the incorrect port number and requires you to return to the previous page to correct the values before proceeding with the installation.
Note When installing on Linux servers, port selections below 1000 require the server to run as root, or use a port forwarding mechanism.
10. Enter a cookie domain, and then click Next. The domain value of the cookie should be the network domain of BMC Atrium Single Sign-On or one of its parent domains. For more information, see Default cookie domain.
Note The higher the level of the selected parent domain, the higher the risk of user impersonation. Top-level domains are not supported (for example, com or com.ca ). You cannot use sibling domains or cross-domains with BMC Atrium Single Sign-On. For example, installing the BMC Atrium Single Sign-On server in the remedy.com domain and the AR System server in the bmc.com domain is not supported. You must move all your computers into the same domain.
11. Enter a strong administrator password (at least 8 characters long), confirm the password, and then click Next. The default SSO administrator name is amadmin.
Note Passwords with special characters must be specified in quotes.
For more information, see Administrator password.
12. Review the installation summary and click Install.
13. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the BMC Atrium Single Sign-On URL.
    a. Navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to launch the BMC Atrium SSO Admin Console. The URL to open the BMC Atrium SSO Admin Console is: https://.:/atriumsso For example, https://ssoserver.bmc.com:8443/atriumsso
    b. When you are prompted that you are connecting to an insecure or untrusted connection, add the exception and then continue. Note: Browsers display this warning because you have not yet configured the SSO authentication as a trusted provider.
    c. Confirm that you can view the BMC Atrium SSO logon panel.
    d. Log on with the SSO administrator name (for example, amadmin) and password. The BMC Atrium SSO Admin Console appears.
14. (Optional) Create an administrative user account for BMC Products to perform search functions on the user store (for example, to list user names and emails).
    If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BMCSearchAdmins group to the new user account.
    If you are using an external system for authentication (such as AR System, LDAP, or Active Directory), assign the BmcSearchAdmins group to either an already existing user account or a new user account.
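As an added example (not BMC code), this Python helper encodes the cookie-domain rules from step 10 and its note: the domain must be the SSO server's network domain or one of its parent domains, top-level domains such as com or com.ca are rejected, and every integrated host (AR System server, Mid Tier) must fall inside the domain, since sibling domains are not supported. The host names and the small top-level-domain set are constructed.

```python
"""Validate a candidate BMC Atrium Single Sign-On cookie domain.

Added example, not BMC code. Encodes the rules from the installation step
and its note: network domain or a parent of it, no top-level domains, and
all integrated hosts inside the domain (no sibling domains). The
TOP_LEVEL_DOMAINS set is a constructed stand-in for a public-suffix list.
"""

# Constructed stand-in for a public-suffix list; the text names com and
# com.ca as examples of top-level domains that must not be used.
TOP_LEVEL_DOMAINS = {"com", "net", "org", "ca", "com.ca", "co.uk"}


def _labels(name):
    """Split a host or domain name into lower-case DNS labels."""
    return name.strip().lower().strip(".").split(".")


def is_within(host, domain):
    """True if host equals domain or is a subdomain of it (label-aligned)."""
    h, d = _labels(host), _labels(domain)
    return len(h) >= len(d) and h[-len(d):] == d


def validate_cookie_domain(sso_host, cookie_domain, integrated_hosts=()):
    """Return (ok, problems) for a proposed cookie domain.

    `problems` lists every violated rule so an administrator sees them all
    at once; `ok` is True only when the list is empty.
    """
    problems = []
    domain = ".".join(_labels(cookie_domain))
    if domain in TOP_LEVEL_DOMAINS or len(_labels(domain)) < 2:
        problems.append("top-level domain %r is not supported" % domain)
    if not is_within(sso_host, domain):
        problems.append("%r is not the SSO server's domain or a parent of it" % domain)
    for host in integrated_hosts:
        if not is_within(host, domain):
            problems.append("%r is outside the cookie domain (sibling domain)" % host)
    return (not problems), problems


def parent_domain_depth(sso_host, cookie_domain):
    """How many labels above the SSO host's own network domain the cookie sits.

    0 means the host's own network domain; each step up widens the set of
    hosts that receive the SSO cookie, which the note ties to a higher
    impersonation risk, so callers may warn above a threshold they choose.
    """
    host_domain = _labels(sso_host)[1:]  # drop the host label itself
    return len(host_domain) - len(_labels(cookie_domain))


if __name__ == "__main__":
    ok, problems = validate_cookie_domain(
        "ssoserver.remedy.com", "remedy.com", ["arserver.bmc.com"])
    print(ok, problems)
```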
Where to go from here
Installing or upgrading AR System server
To secure certificates with an external CA, see Managing keystores with a keytool utility (see page 239).
To configure authentication, see Configuring after installation. For a specific authentication method, see the specific method. For example, for LDAP or Active Directory, see Using LDAP (Active Directory) for authentication.
6.7.5 Installing or upgrading AR System server You must install or upgrade the AR System server to version 8.1 as part of the BMC Atrium Single Sign-On configuration.
Recommendation
When you are installing BMC Remedy AR System, BMC recommends:
    To avoid configuration problems, accept the default values displayed in the installer unless you have a valid reason to modify them.
    To reduce installation time significantly, do not install the products over the wide area network (WAN).
    Install BMC Remedy Mid Tier on a separate computer from the AR System server.
Before you begin
Install the SSO server.
Prepare to run the AR System installer for your operating system. For example, you must update Terminal Services configuration options and configure the DEP feature if you are using Windows. For more information, see Preparing the Windows environment.
Make sure that a 32-bit or 64-bit JRE is installed.
Review the planning spreadsheet for AR System installations.
To install or upgrade the BMC Remedy AR System server
1. Download the AR System installer, or navigate to the installation directory on the CD.
2. Unzip the suite installer (ARSuiteKitWindows.zip).
3. Navigate to the Disk 1 folder.
4. Start the installer. For Windows, run setup.cmd. For UNIX, log in as root and run setup.sh.
5. In the lower right corner of the Welcome panel, click Next.
6. Review the license agreement, click I agree to the terms of license agreement, and then click Next.
7. On the Products selection panel, perform the following actions:
    a. Select Install.
    b. Select AR System Server.
    c. Navigate to the directory in which you want to install the BMC Remedy AR System application. The default location is C:\Program Files\BMC Software\ARSystem.
    d. Click Next. The installer validates the system resources of your computer and displays a list of available features.
8. Create an AR System administrator user with a strong login name and password to use with Atrium Single Sign-On.
Note To correctly configure Atrium Single Sign-On, the AR System administrator user requires a password. You cannot use the default installed Demo user with no password.
9. Enter the values from the planning spreadsheet for the features that you want to install. After you have entered the required information, the installer validates your input, and then the Installation Preview panel appears, listing the product and product features that will be installed.
Note Run Sanity Check is selected by default. BMC recommends that you run the additional validation tests of your installation.
10. Click Next. The installer installs the AR System features you have selected. After post-installation cleanup, a summary of the installation appears.
11. Click View Log to review the SEVERE error messages or warnings in the product installer log. See whether errors are due to network, host, or other environment-related issues. You can view a log file of the installation: C:\Users\Administrator\AppData\Local\Temp\arsystem_install_log.txt
12. Close the log when you finish.
13. Click Done to exit the AR System installer.
Where to go from here Installing or upgrading BMC Remedy Mid Tier
Related topics For detailed information on installing the AR System, see: Completing the planning spreadsheet Performing a new installation
6.7.6 Installing or upgrading BMC Remedy Mid Tier
You must install or upgrade the BMC Remedy Mid Tier to version 8.1 as part of the BMC Atrium Single Sign-On configuration.
Recommendation
When you are installing BMC Remedy AR System, BMC recommends:
To avoid configuration problems, accept the default values displayed in the installer unless you have a valid reason to modify them.
To reduce installation time significantly, do not install the products over the wide area network (WAN).
Install BMC Remedy Mid Tier on a separate computer from the AR System server.
Do not install BMC Atrium Single Sign-On and BMC Remedy Mid Tier on the same computer. They must use different Tomcat instances: if the mid tier computer has to be restarted, BMC Atrium Single Sign-On would be down during the restart and every other application that depends on it would be unavailable.
Before you begin
Install the BMC Single Sign-On server.
Prepare to run the AR System installer for your operating system. For example, you must update Terminal Services configuration options and configure the DEP feature if you are using Windows. For more information, see Preparing the Windows environment.
Install the 32-bit or 64-bit JRE and JDK 1.6.0_23 or higher.
Set the JAVA_HOME and JRE_HOME environment variables. For Solaris, JDK7 has a different folder structure than JDK6. For example, set the JDK7 JAVA_HOME to /data1/software/jdk1.7.0_05/bin/sparcv9/.
Review the planning worksheet for AR System installations.
To install or upgrade the BMC Remedy Mid Tier
1. Download the AR System installer, or navigate to the installation directory on the CD.
2. Unzip the suite installer (ARSuiteKitWindows.zip).
3. Navigate to the Disk 1 folder.
4. Start the installer. For Windows, run setup.cmd. For UNIX, log in as root and run setup.sh.
5. In the lower right corner of the Welcome panel, click Next.
6. Review the license agreement, click I agree to the terms of license agreement, and then click Next.
7. On the Products selection panel, perform the following actions:
a. Select Install.
b. Select AR System Mid-Tier.
c. Navigate to the directory in which you want to install the BMC Remedy AR System application. The default location is C:\Program Files\BMC Software\ARSystem.
d. Click Next. The installer validates the system resources of your computer and displays a list of available features.
8. In the AR System Server List panel, perform the following actions:
a. Enter the fully-qualified domain names of the AR System servers.
b. Enter the remaining values.
c. Click Next.
9. Enter the values from the planning worksheets for the features that you want to install. After you have entered the required information, the installer validates your input, and then the Installation Preview panel appears, listing the product and product features that will be installed.
Note Run Sanity Check is selected by default. BMC recommends that you run the additional validation tests of your installation.
10. Click Next. The installer installs the AR System features you have selected. After post-installation cleanup, a summary of the installation appears.
11. Click View Log to review the SEVERE error messages or warnings in the product installer log. See whether errors are due to network, host, or other environment-related issues. You can view a log file of the installation: C:\Users\Administrator\AppData\Local\Temp\arsystem_install_log.txt
12. Close the log when you finish.
13. Click Done to exit the AR System installer.
Where to go from here Configuring the BMC Atrium Single Sign-On server for AR System (see page 86)
Related topics For detailed information on installing the AR System, see: Completing the planning spreadsheet Performing a new installation
6.7.7 Running the SSOARIntegration utility on the AR System server
Performing the Single Sign-On integration with the AR System server and the BMC Remedy Mid Tier is a two-step sequence:
1. Run the SSOARIntegration utility on the computer where the AR System server is installed (this procedure).
2. Run the SSOMidtierIntegration utility on the computer where the Mid Tier is installed (see page 92).
Before you begin Make sure that Oracle JRE 1.6.0_23 or higher is installed on the AR System server. If you have enabled the FIPS-140 mode (see page 251) in BMC Atrium SSO, you must add the -Datsso.sdk.in.fips140.mode=true parameter to the armonitor.conf file on the server where BMC Remedy AR System is installed. For the steps, see Enabling FIPS support for BMC Atrium SSO.
To run the SSOARIntegration utility to integrate Single Sign-On and the AR System server
1. On the computer where the AR System server is installed, navigate to the \artools\AtriumSSOIntegrationUtility directory. For example, navigate to C:\Program Files\BMC Software\ARSystem\artools\AtriumSSOIntegrationUtility.
2. Open the arintegration.txt file and update the parameters for your environment. For example, you can enter the supported container types such as Tomcat 6, JBOSS v4, and so on.
Tip When you are using a BMC Atrium SSO load balancer, you must add the load balancer URL in the --atrium-sso-url parameter instead of adding the server URL.
#AR Server Name, Provide the AR server name.
--ar-server-name=arsystemserver.bmc.com
#AR Server User, Provide the AR server user.
--ar-server-user=Demo
#AR Server Password, Provide the AR server password.
--ar-server-password=Demo
#AR Server Port, Provide the AR server port.
--ar-server-port=0
#Atrium SSO URL, Provide the Atrium SSO URL
#and make sure the server name is
#provided with fully qualified domain name
#and port is also provided in the URL.
--atrium-sso-url=https://ssoserver.bmc.com:8443/atriumsso
#Atrium SSO Admin Name
--admin-name=amadmin
#Atrium SSO Password
--admin-pwd=ssoadminpassword
#TrustStore Path, Path to the truststore directory.
#This is an optional parameter.
#Remove # to uncomment and use the below property.
#--truststore=truststorepath | Optional parameter.
#TrustStore Password. This is an optional parameter.
#Remove # to uncomment and use the below property.
#--truststore-password=truststorepassword | Optional parameter.
#force option, It accepts values as "Yes" or "No" where default is "No".
#If "Yes" is provided then utility will not wait
#for user to shutdown the webserver, if not shutdown already.
#This is true in case, where webserver is other than tomcat or jboss.
#Remove # to uncomment and use the below property.
#--force=
Note Blank passwords are not supported. Your AR System server user must have a password before you run this utility. Fully-qualified domain names for the AR System server and Atrium SSO URL parameters are required. The --truststore=truststorepath and --truststore-password=truststorepassword parameters are optional when integrating Single Sign-On and the AR System server. The #TrustStore Path is the local java truststore path and the value is used for providing the path of the certificate. This value is added automatically by the SSOARIntegration utility using the local java truststore. The --force=Yes or No parameter is optional. If you pass this input, you are not prompted for any manual inputs to restart the AR System server and the server is started automatically. Otherwise, you are prompted to restart the AR System server. Review the optional inputs carefully for your environment.
3. Open a command window and navigate to the \artools\AtriumSSOIntegrationUtility directory.
4. Enter the following command:
java -jar SSOARIntegration.jar --inputfile arintegration.txt
5. When prompted by the utility, restart the AR System server.
6. Review AR server external authentication settings and group mapping (see page 91) and restart the AR System server.
7. When execution is successfully completed, run the SSOMidtierIntegration utility on the Mid Tier (see page 92).
Info To troubleshoot installation failures, or for information about log files or configurations performed by the SSOMidtierIntegration utility, see Troubleshooting AR System server and Mid Tier integrations.
Where to go from here Reviewing AR server external authentication settings and configuring group mapping (see page 91) Running the SSOMidtierIntegration utility on the Mid Tier (see page 92)
6.7.8 Reviewing AR server external authentication settings and configuring group mapping
Before you can properly configure BMC Atrium Single Sign-On, you must configure group mapping for external authentication in the BMC Remedy AR System server.
Before you begin (see page 91)
To configure external authentication for AR System (see page 91)
Where to go from here (see page 92)
Before you begin Make sure that the AREA LDAP plug-in is properly configured.
To configure external authentication for AR System
1. Use a browser to log on to the AR System server (by using the mid tier). For example: http://midTier:8080/arsys
2. Open the AR System Administration Console.
3. Open the Server Information window by selecting System > General > Server Information.
4. Click the EA tab.
5. Verify the following information:
Field: Value
External Authentication Server RPC Program Number: 390695
External Authentication Server Timeout (seconds), RPC: 80
External Authentication Server Timeout (seconds), Need To Sync: 300 (default)
6. Verify that Authenticate Unregistered Users is selected.
7. Verify that Authentication Chaining Mode is set to ARS-AREA.
8. Set the Group Mapping. For example, you can map the Atrium Single Sign-On group BmcAdmins to the AR group Administrator.
9. Click OK.
Where to go from here Running the SSOMidtierIntegration utility on the Mid Tier (see page 92)
6.7.9 Running the SSOMidtierIntegration utility on the Mid Tier
After you have run the SSOARIntegration utility on the computer where the AR System server is installed, run the SSOMidtierIntegration utility on the computer where the Mid Tier is installed.
Note When BMC Remedy Mid Tier is deployed in a cluster environment, you must run the SSOMidtierIntegration utility on all the computers where the Mid Tier is installed.
This topic contains the following information: Before you begin (see page 93) To run the SSOMidtierIntegration utility to integrate Single Sign-On and the Mid Tier (see page 93) Reverse proxy URLs (see page 97)
Before you begin
Make sure that Oracle JRE 1.6.0_23 or higher is installed.
Before you begin, perform the BMC Atrium Single Sign-On and AR System server integration (see page 88).
If the Mid Tier web server is not Tomcat or JBoss, verify the Mid Tier URL before passing it as an input; you cannot verify it later when the web server is shut down.
To run the SSOMidtierIntegration utility to integrate Single Sign-On and the Mid Tier
1. On the computer where the Mid Tier is installed, navigate to the \AtriumSSOIntegrationUtility directory. For example, navigate to C:\Program Files\BMC Software\ARSystem\midtier\AtriumSSOIntegrationUtility.
2. Open the midtierintegration.txt file and update the parameters for your environment. For example, you can enter the supported container types such as Tomcat 6, JBOSS v4, and so on.
Tip When you are using a BMC Atrium SSO load balancer, you must add the load balancer URL in the --atrium-sso-url parameter instead of adding the server URL. When you are using a mid tier load balancer or reverse proxy, you must add the --web-app-url and --notify-url URLs. In this case, add the load balancer URL in the --web-app-url parameter and add the mid tier URL in the --notify-url parameter. When you are not using a mid tier load balancer, do not use the --notify-url parameter and add the mid tier URL in the --web-app-url.
# Install mode, it accepts values as "Install" or "Uninstall" and it is case insensitive.
# Provide "Install", if you want to install the agent. Provide "Uninstall", if you want to Uninstall the Agent.
--install-mode=Install
# Container Type, Type of webserver being used to host midtier
--container-type=TOMCATV6
# Supported container types include JBOSSV4, JBOSSV5, SERVLETEXECV5, SERVLETEXECV6,
# TOMCATV5, TOMCATV6, TOMCATV7, WEBSPHEREV6, WEBSPHEREV7, WEBLOGICV10
#Web App URL, Provide the midtier URL in case load balancer is not there otherwise provide the load balancer url,
# and make sure the server name is provided with fully qualified domain name
# and port is also provided in the URL.
#--web-app-url=MidtierURL or LoadBalancerURL
--web-app-url=http://midtierloadbalancer.bmc.com:8080/arsys
#Container Base Directory, Provide the webserver home directory.
--container-base-dir=C:\Program Files\Apache Software Foundation\Tomcat6.0
#JRE Path, Provide the path to the JRE home and make sure that you haven't provided till "bin".
--jre-path=C:\Program Files\Java\jre7
#Midtier Home, Midtier Home Directory
--midtier-home=C:\Program Files\BMC Software\ARSystem\midtier
#Midtier URL, Provide the midtier URL here in case load balancer is being used.
#Remove # to uncomment and use the below property.
#--notify-url=http://midtier.bmc.com:8080/arsys
#Atrium SSO URL, Provide the Atrium SSO URL and make sure the server name is
# provided with fully qualified domain name and port is also provided in the URL.
#If SSO load balancer is used, add the Atrium SSO load balancer URL instead of Atrium SSO server name.
--atrium-sso-url=https://ssoserver.bmc.com:8443/atriumsso
#Atrium SSO Admin Name
--admin-name=amadmin
#Atrium SSO Password
--admin-pwd=ssoadminpassword
#TrustStore Path, Path to the truststore directory. This is an optional parameter.
#Remove # to uncomment and use the below property.
#--truststore=truststorepath | Optional parameter.
#TrustStore Password. This is an optional parameter.
#Remove # to uncomment and use the below property.
#--truststore-password=truststorepassword | Optional parameter.
#The Atrium SSO realm that this agent will use for user authentication. Default is /BmcRealm.
#Remove # to uncomment and use the below property.
#--agent-realm=RealmName
#force option, It accepts values as "Yes" or "No" where default is "No".
#If "Yes" is provided then utility will not wait for user to shutdown the webserver, if not done already in case, webserver is other than tomcat or jboss.
#Remove # to uncomment and use the below property.
--force=
#Server Instance Name, Provide the name of Websphere instance name being used. It is required only in case Websphere being used to host the midtier.
#Remove # to uncomment and use the below property.
#--server-instance-name=WebSphere server instance name
#Instance Configuration Directory, Provide the path to the Websphere instance configuration directory. It is required only in case Websphere being used to host the midtier.
#Remove # to uncomment and use the below property.
#--instance-config-directory=WebSphere server instance configuration directory
#Weblogic Domain Name, Provide the Weblogic domain name. It is required only in case WebLogic being used to host the midtier.
#Remove # to uncomment and use the below property.
#--weblogic-domain-home=Domain Name
Note Blank passwords are not supported. Your AR System server user must have a password before you run this utility. Fully-qualified domain names for the AR System server and BMC Atrium SSO URL parameters are required. If necessary, you can run the SSOMidtierIntegration utility multiple times, for example, to install or uninstall the integration (depending on the install-mode setting in the midtierintegration.txt file). The utility checks if an agent exists from a previous installation. If an agent exists, the utility uninstalls it and then re-installs a new agent. Review the optional inputs carefully for your environment.
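The notes for both utilities state the same input rules: no blank passwords, fully qualified domain names for the AR System server and the Atrium SSO URL, an explicit port in the Atrium SSO URL, and --force limited to Yes or No. The following pre-flight checker is an added example, not part of the BMC utilities or of this documentation; it reads an arintegration.txt or midtierintegration.txt in the format shown above (one --key=value per line, # comment lines) and reports violations before the jar is run. The parameter names are those in the sample files; the sample inputs at the bottom are constructed from the documentation's example values.

```python
"""Pre-flight check for an SSOARIntegration / SSOMidtierIntegration input file.

Added example, not part of the BMC utilities. It encodes the rules the
documentation notes state: no blank passwords, fully qualified domain names
for the AR server and the Atrium SSO URL, an explicit port in the Atrium SSO
URL, and --force limited to Yes/No (empty meaning the default, No). The file
format (one '--key=value' per line, '#' comment lines) is inferred from the
sample arintegration.txt and midtierintegration.txt files.
"""
import re
from urllib.parse import urlparse

# host.domain.tld: at least one dot and an alphabetic top-level label
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

SECRET_PARAMS = ("--ar-server-password", "--admin-pwd")   # must not be blank
HOST_PARAMS = ("--ar-server-name",)                        # must be an FQDN
URL_PARAMS = ("--atrium-sso-url", "--web-app-url", "--notify-url")
PORT_REQUIRED = ("--atrium-sso-url",)   # a reverse-proxy --web-app-url may omit it


def parse_input_file(text):
    """Return {param: value} for the active (uncommented) '--key=value' lines."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith("--") or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def is_fqdn(host):
    return bool(FQDN_RE.match(host or ""))


def check_params(params):
    """Return a list of problem strings; an empty list means the file passes."""
    problems = []
    for key in SECRET_PARAMS:
        if key in params and params[key] == "":
            problems.append(f"{key}: blank passwords are not supported")
    for key in HOST_PARAMS:
        if key in params and not is_fqdn(params[key]):
            problems.append(f"{key}: {params[key]!r} is not a fully qualified domain name")
    for key in URL_PARAMS:
        if key not in params:
            continue
        url = urlparse(params[key])
        if url.scheme not in ("http", "https") or not url.hostname:
            problems.append(f"{key}: {params[key]!r} is not an http(s) URL")
            continue
        if not is_fqdn(url.hostname):
            problems.append(f"{key}: host {url.hostname!r} is not fully qualified")
        if key in PORT_REQUIRED and url.port is None:
            problems.append(f"{key}: the port must be given explicitly in the URL")
    force = params.get("--force")
    if force is not None and force not in ("", "Yes", "No"):
        problems.append(f"--force: expected Yes or No, got {force!r}")
    return problems


# Constructed sample files (values taken from the documentation's examples).
SAMPLE_OK = """\
#AR Server Name, Provide the AR server name.
--ar-server-name=arsystemserver.bmc.com
--ar-server-user=Demo
--ar-server-password=Demo
--ar-server-port=0
--atrium-sso-url=https://ssoserver.bmc.com:8443/atriumsso
--admin-name=amadmin
--admin-pwd=ssoadminpassword
#--truststore=truststorepath | Optional parameter.
"""

SAMPLE_BAD = """\
--ar-server-name=arsystemserver
--ar-server-user=Demo
--ar-server-password=
--atrium-sso-url=https://ssoserver.bmc.com/atriumsso
--admin-name=amadmin
--admin-pwd=ssoadminpassword
--force=maybe
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_params(parse_input_file(sample)) or "passes")
```

Because both input files carry the Atrium SSO administrator password (--admin-pwd) and the AR System administrator password in clear text, restrict read access to them while they exist and remove or scrub them once the utility has completed.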
3. Save your changes to midtierintegration.txt.
4. At the command prompt or shell window, navigate to the \AtriumSSOIntegrationUtility directory.
5. Enter the following jar command at the command prompt:
java -jar SSOMidtierIntegration.jar --inputfile midtierintegration.txt
6. Manually shut down the web server if you are prompted by the utility.
Note The utility automatically shuts down Tomcat and JBoss.
7. When execution is successfully completed, open the BMC Atrium SSO Admin console. The URL to open the BMC Atrium SSO Admin console is: https://.:/atriumsso For example: https://ssoServer.bmc.com:8443/atriumsso/atsso
Note To troubleshoot installation failures, or for information about log files or configurations performed by the SSOMidtierIntegration utility, see Troubleshooting AR System server and Mid Tier integrations.
8. When you are prompted that you are connecting to an insecure or untrusted connection, add the exception and then continue.
9. Under Agents List, verify that the agent was created. For example, /[email protected]:8080 should be present.
Reverse proxy URLs
Important
Before you pass the reverse proxy URL as input in the utility command, make sure that you can log on to the application using the reverse proxy URL from the Mid-Tier computer where the command is run. If the reverse proxy server and the Mid Tier are installed on the same computer, stop the reverse proxy server before you run the SSOMidtierIntegration utility with the Mid Tier. When the utility completes its operation, restart the reverse proxy server.
If you must use reverse proxy URLs to run the Mid-Tier integration with the SSOMidtierIntegration utility, the utility works with or without ports in the --web-app-url parameter.
Where to go from here
1. Configure BMC Atrium Single Sign-On for AR authentication and set up users and groups (see page 97).
Note If you do not plan to use BMC Atrium Single Sign-On AR authentication and plan to use different authentication methods, see Configuring after installation. To use and manage authentication chaining, see Managing authentication modules (see page 271). To set up and manage users and user groups, see Managing users (see page 264) and Managing user groups (see page 268).
2. Run a health check on the BMC Atrium Single Sign-On installation.
6.7.10 Managing the AR System users and groups for authentication
The Action Request (AR) authentication module allows BMC Atrium Single Sign-On to use the user accounts within a BMC Remedy AR System server for authentication. This module is normally used in conjunction with the AR Data Store to retrieve group information and other user attributes from the AR System server.
Configure the AR module for AR System (see page 98)
Configure AR user stores for AR System (see page 101)
Managing the AR System users and groups (see page 103)
When you enable authentication chaining mode, all authentication methods in the chain are attempted in the specified order until either the authentication succeeds or all the methods in the chain fail.
Note If you plan to use an authentication method other than or in addition to the AR module, see the applicable authentication method in Configuring after installation. For example, Using Kerberos for authentication (see page 132) or Using SAMLv2 for authentication.
Configure the AR module for AR System
1. On the SSO Server, navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to launch the BMC Atrium SSO Admin Console and log on.
2. Click Edit BMC Realm to open the Realm Editor.
3. Set User Profile to Dynamic.
4. On the Realm Authentication panel, click Add.
5. Click AR.
a. Enter the AR parameters (see the AR parameters table below).
b. Click Save.
6. On the Realm Authentication panel, set the process order of the authentication chain:
a. For the AR module, under Flag, select Sufficient.
b. Select the AR module.
c. Click Up so that AR is first in the list.
d. Set Internal LDAP to Optional.
Sufficient means that, with multiple authentication modules, if you are successfully authenticated with the first module, the remaining modules are skipped. But if the login fails, authentication moves to the next module in the chain. Setting AR to Sufficient and placing it as the first module in the list means that if you are authenticated with the AR System server, you are successfully authenticated by BMC Atrium Single Sign-On and you proceed to the Mid Tier.
Note With Single Sign-On, you want to trigger authentication providers in the right order. The order is: Required > Requisite > Sufficient > Optional. If you set both modules to Required, then you would need both authentications to establish the session. For more information on creating an authentication chain, see the Realm Authentication panel described in Realm Editor.
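The chain semantics above (a successful Sufficient module ends the chain, a failed one falls through, two Required modules must both succeed) are the standard JAAS control flags that OpenAM implements. The following simulator is an added example, not BMC or OpenAM code: it evaluates a chain of modules under those flags so the behaviour of "AR = Sufficient, first; Internal LDAP = Optional" can be compared with "both Required". The user stores are constructed dictionaries standing in for the AR System server and the internal LDAP server.

```python
"""Evaluate an Atrium SSO / OpenAM style authentication chain.

Added example, not BMC or OpenAM code. It models the JAAS control flags the
documentation describes (Required, Requisite, Sufficient, Optional). The user
stores are constructed dictionaries, not real AR System or LDAP accounts.
"""
import hmac
from dataclasses import dataclass
from typing import Callable


@dataclass
class Module:
    name: str
    flag: str                               # Required | Requisite | Sufficient | Optional
    authenticate: Callable[[str, str], bool]


def store_auth(accounts):
    """Build an authenticate(user, password) callback over a {user: password} dict."""
    def authenticate(user, password):
        # constant-time compare; bytes so non-ASCII passwords are accepted too
        return hmac.compare_digest(accounts.get(user, "").encode(), password.encode())
    return authenticate


def run_chain(chain, user, password):
    """Return (authenticated, names of the modules actually attempted).

    Required/Requisite must succeed: Requisite stops the chain on failure,
    Required lets it continue so later modules still run. A successful
    Sufficient module ends the chain with success unless an earlier
    Required/Requisite module already failed. Optional modules only decide
    the outcome when the chain contains no Required/Requisite module.
    """
    attempted = []
    required_failed = False
    optional_succeeded = False
    has_required = any(m.flag in ("Required", "Requisite") for m in chain)
    for m in chain:
        ok = m.authenticate(user, password)
        attempted.append(m.name)
        if m.flag in ("Required", "Requisite"):
            if not ok:
                required_failed = True
                if m.flag == "Requisite":
                    break
        elif m.flag == "Sufficient":
            if ok and not required_failed:
                return True, attempted        # remaining modules are skipped
        elif m.flag == "Optional":
            optional_succeeded = optional_succeeded or ok
        else:
            raise ValueError(f"unknown flag {m.flag!r} on module {m.name}")
    if has_required:
        return not required_failed, attempted
    return optional_succeeded, attempted


# Constructed stores: one user known only to AR, one known only to internal LDAP.
AR_ACCOUNTS = {"arsmith": "ar-pass-1"}
LDAP_ACCOUNTS = {"ldapjones": "ldap-pass-2"}


def documented_chain():
    """AR Sufficient first, Internal LDAP Optional, as the procedure configures it."""
    return [Module("AR", "Sufficient", store_auth(AR_ACCOUNTS)),
            Module("Internal LDAP", "Optional", store_auth(LDAP_ACCOUNTS))]


def both_required_chain():
    """The variant the note warns about: both modules Required."""
    return [Module("AR", "Required", store_auth(AR_ACCOUNTS)),
            Module("Internal LDAP", "Required", store_auth(LDAP_ACCOUNTS))]


if __name__ == "__main__":
    for user, pw in (("arsmith", "ar-pass-1"), ("ldapjones", "ldap-pass-2"), ("arsmith", "wrong")):
        print(user, "documented:", run_chain(documented_chain(), user, pw),
              "both required:", run_chain(both_required_chain(), user, pw))
```

The "attempted" list is what a defender should watch in practice: with AR set to Sufficient, an AR user never touches the internal LDAP module, while a user unknown to AR is passed down the chain and authenticated by LDAP alone because Optional is the only remaining flag.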
AR parameters
Parameter: Description
Server Host Name: (Required) Provide the Fully Qualified Domain Name (FQDN) for the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer).
Server Port Number: (Required) AR Server Port Number is the location where the AR System server is listening. Note: Enter a value of 0 if the AR System server is using port mapping.
Default Authentication String: This string is only used when the AR module is placed downstream in a chain from another authentication module which prompts the user only for a name and password. In this situation, the value of this parameter is used to authenticate the user by re-using the credentials provided by the user along with this authentication string.
Allow AR Guests: If enabled, allows unknown or invalid users to authenticate to the AR System server as guests.
Note When using SAML v2 for authentication, you must not use AR user stores. Although the AR authentication module must still be configured, the AR data store is not needed for authentication in a SAMLv2 deployment.
Configure AR user stores for AR System
1. On the User Stores panel, click Add.
2. Select AR User Store.
3. Enter the AR User Store parameters (see the AR User Store parameters table below).
4. Click Save.
AR User Store parameters
Section / Parameter: Description
AR Server / Name: Label for the AR user store.
AR Server / Host Name: (Required) Provide the Fully Qualified Domain Name (FQDN) for the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer). Replace the default value (sample.bmc.com) with the host name of your server (for example, yourServer.bmc.com).
AR Server / Port: (Required) Default: 0. Provide the port number where the AR Server is listening. The value of 0 is used when the AR Server is using port mapping.
Administrative Access / Name: (Required) Provide the user name of an AR Server user store account that has AR System Administrator privileges. Empty or blank passwords for this internal user are not supported with a new user store.
Administrative Access / Authentication: Provide the authentication string that is needed when the Administrator account is used to connect with the AR System server.
Administrative Access / Password and Confirm Password: Password for the AR System administrative user of the AR Server user store account (for example, admin).
Connection Pool / Linger Time (seconds): (Required) Default: 60. Linger Time is the amount of time (in milliseconds) that a connection is allowed to remain unused in the pool before being closed.
Connection Pool / Pool size: (Required) Default: 10. The Pool Size is the maximum number of connections the data store uses to service data requests for the AR System server.
Managing the AR System users and groups
BMC Atrium Single Sign-On provides basic user and group management features with the internal LDAP server. These features allow an administrator to manage users, groups, and memberships in the groups.
Note When you configure the AR User Store for the AR System, all your AR System users and groups are already listed.
From the User page, the administrator can create, delete, and manage group memberships. BMC products can use the group membership capabilities of the BMC Atrium Single Sign-On system to provide authorization and authentication of users. If a BMC product does not use the group memberships of the BMC Atrium Single Sign-On system, then that product's documentation must be consulted to determine groups to privileges mapping.
This section contains:
To access the User page
To add a new user
To access the Group page
To create a new group
To access the User page
Navigate to the following location:
1. Open the Realm Editor.
2. Click the Users tab.
New users can only be created when you are using the internal LDAP server for authentication. If an external source is used for authentication, new users must be created within that external system.
Note If special characters, such as comma ( , ), semi-colon ( ; ), or plus sign ( + ) are used in the user ID, the backslash ( \ ) must precede the special character. For example, Baldwin\,bob.
When creating a new user, each field that is marked with an asterisk is a required field.
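The backslash rule in the note above is LDAP distinguished-name escaping: the user ID becomes part of the entry's name in the internal LDAP server, so characters that have meaning in a DN must be escaped. The helper below is an added example, not BMC code. The page names comma, semicolon and plus sign; this helper applies the full RFC 4514 set (also backslash, double quote, '<', '>', a leading '#' and a leading or trailing space), which goes beyond the three characters the page lists, and includes the inverse so escaped IDs read back from the directory can be compared with the original.

```python
"""Escape a user ID for use as an LDAP distinguished-name value.

Added example, not BMC code. The documentation's rule (precede , ; + with a
backslash, e.g. Baldwin\\,bob) is the RFC 4514 DN escaping rule; this helper
applies the complete RFC 4514 character set.
"""
SPECIAL = ',;+"<>\\'          # always escaped, wherever they appear
HEX = "0123456789abcdefABCDEF"


def escape_user_id(uid):
    """Return uid with RFC 4514 special characters backslash-escaped."""
    if not uid:
        raise ValueError("user ID must not be empty")
    last = len(uid) - 1
    out = []
    for i, ch in enumerate(uid):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # '#' only matters at the start
            out.append("\\#")
        elif ch == " " and i in (0, last):  # spaces only at either end
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def unescape_user_id(escaped):
    """Inverse of escape_user_id for ASCII input (\\XX hex pairs decode to one char)."""
    out = []
    i = 0
    while i < len(escaped):
        ch = escaped[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(escaped):
            raise ValueError("dangling backslash")
        nxt = escaped[i + 1]
        if nxt in SPECIAL + " #":
            out.append(nxt)
            i += 2
        elif i + 2 < len(escaped) and escaped[i + 1] in HEX and escaped[i + 2] in HEX:
            out.append(chr(int(escaped[i + 1:i + 3], 16)))
            i += 3
        else:
            raise ValueError(f"bad escape sequence at offset {i}")
    return "".join(out)


if __name__ == "__main__":
    for raw in ("Baldwin,bob", "a+b;c", "#lead", "trail ", "plain.user"):
        print(f"{raw!r} -> {escape_user_id(raw)!r}")
```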
To add a new user 1. In the Realm Editor, click the Users tab. Current AR System users created in your AR System server are already listed.
2. Click Add to open the User Editor.
3. In the User Id field, enter a unique identifier for the new user. This value is used as the user ID when the user logs in.
4. Specify the user's status. The default is Active.
5. Add the name attributes. The name attributes (First Name, Full Name, and Last Name) can be provided to BMC products to help identify user accounts by using terms that are more user-friendly. The actual use of these attributes, though, is dependent on the BMC product. You must assign an initial password of at least 8 characters when creating the account. After the password is created, the user can log into BMC Atrium Single Sign-On and update the password and their personal information through the following URL: https://FQDNHostName:port/BMC Atrium SSO?realm=BmcRealm
6. Click the Groups tab.
7. From the list of available groups, add the user to group membership (for example, BmcAdmins).
8. Click Save.
To access the Group page BMC Atrium Single Sign-On provides predefined groups to help with the Administrator privileges that some BMC products might require. For example, the BmcSearchAdmin group provides privileges that allow a user to connect to the server to perform identity searches. Note Care should be exercised when assigning the BmcSearchAdmin group because these elevated privileges allow greater access to BMC Atrium Single Sign-On than is normally allowed.
Navigate to the following location:
1. Open the Realm Editor.
2. Click the Groups tab.
To create a new group Normally, BMC products install the groups that they need managed into BMC Atrium Single Sign-On as part of their installation. However, a situation might arise in which a group might need to be created or re-created.
1. In the Realm Editor, click the Groups tab. Current AR System groups created in your AR System server are already listed.
2. Click Add to open the Group Editor.
3. Enter a new, unique name for the group. 4. Add available users to the new group. 5. Click Save.
Related topics Using SAMLv2 for authentication Using Kerberos for authentication (see page 132) Using CAC for authentication
Using LDAP (Active Directory) for authentication Using RSA SecurID for authentication
6.7.11 Running a health check on the BMC Atrium Single Sign-On installation
After you finish all these procedures, run a health check of your integration of BMC Atrium Single Sign-On with BMC Remedy AR System.
To run a health check on the BMC Atrium Single Sign-On integration
1. Log on to the BMC Remedy Mid Tier Configuration Tool. The default path is http://:/arsys/shared/config/config.jsp. For example: http://Midtier.bmc.com:8080/arsys/shared/config/config.jsp
Tip Clear the cache on your browser if you see redirect errors.
If your integration is successful, you should see the normal Mid Tier configuration logon, not the BMC Atrium SSO logon screen.
2. In the AR Server Setting panel, verify that the list of AR System servers includes their fully-qualified domain names.
3. Log on to the AR System server. For example: http://Midtier.bmc.com:8080/arsys The request is redirected to the BMC Atrium Single Sign-On server, and the BMC Atrium SSO logon screen appears.
4. Enter the User Name and Password of an AR System user and then click Log In. If BMC Atrium Single Sign-On is properly integrated and configured, the Applications startup page appears.
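The health check above rests on two observable behaviours: the Mid Tier Configuration Tool URL must be answered by the Mid Tier itself, while the /arsys URL must redirect to the Atrium SSO server. The script below automates both checks; it is an added example, not BMC code. It follows redirects one hop at a time so the chain is visible, then classifies it against those expectations. The host names are the documentation's example hosts, and the redirect chains at the bottom are constructed so the classifier can be exercised offline.

```python
"""Automate the two Mid Tier / Atrium SSO health-check observations.

Added example, not BMC code. probe() fetches a URL without letting urllib
follow redirects, recording each hop; classify() judges the recorded chain.
Host names are the documentation's examples; the chains at the bottom are
constructed test data, not captured traffic.
"""
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse

REDIRECTS = {301, 302, 303, 307, 308}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on a 3xx instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, max_hops=5, timeout=10):
    """Return [(status, url_requested), ...] for url and each redirect hop."""
    opener = urllib.request.build_opener(NoRedirect)
    chain = []
    for _ in range(max_hops):
        try:
            with opener.open(url, timeout=timeout) as resp:
                chain.append((resp.status, url))
                return chain
        except HTTPError as err:
            chain.append((err.code, url))
            location = err.headers.get("Location")
            if err.code not in REDIRECTS or not location:
                return chain
            url = urljoin(url, location)
    chain.append((None, url))   # hop limit reached; record where we were being sent
    return chain


def classify(kind, chain, sso_host):
    """kind is 'config' or 'arsys'; return (passed, explanation)."""
    hit_sso = any(urlparse(u).hostname == sso_host for _, u in chain)
    final_status, final_url = chain[-1]
    if kind == "config":
        if hit_sso:
            return False, "Configuration Tool redirected to Atrium SSO instead of showing its own logon"
        if final_status == 200:
            return True, "Configuration Tool logon served by the Mid Tier"
        return False, f"unexpected status {final_status} at {final_url}"
    if kind == "arsys":
        if hit_sso:
            return True, f"/arsys redirected to Atrium SSO ({final_url})"
        return False, "no redirect to Atrium SSO; the Mid Tier integration is not active"
    raise ValueError(f"unknown check kind {kind!r}")


# Constructed chains shaped like probe() output, using the documentation's hosts.
SSO_HOST = "ssoserver.bmc.com"
MIDTIER = "http://midtier.bmc.com:8080"
SSO_URL = "https://ssoserver.bmc.com:8443/atriumsso"
CONFIG_OK = [(200, MIDTIER + "/arsys/shared/config/config.jsp")]
CONFIG_BAD = [(302, MIDTIER + "/arsys/shared/config/config.jsp"), (200, SSO_URL)]
ARSYS_OK = [(302, MIDTIER + "/arsys"), (302, MIDTIER + "/arsys/home"), (200, SSO_URL)]
ARSYS_BAD = [(200, MIDTIER + "/arsys")]

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # usage: health_check.py http://midtier.bmc.com:8080 ssoserver.bmc.com
        base, sso = sys.argv[1:]
        print("config:", classify("config", probe(base + "/arsys/shared/config/config.jsp"), sso))
        print("arsys: ", classify("arsys", probe(base + "/arsys"), sso))
    else:
        for kind, chain in (("config", CONFIG_OK), ("config", CONFIG_BAD),
                            ("arsys", ARSYS_OK), ("arsys", ARSYS_BAD)):
            print(kind, classify(kind, chain, SSO_HOST))
```

Run it against a live deployment by passing the Mid Tier base URL and the Atrium SSO host name; with no arguments it evaluates the constructed chains. The hop-by-hop chain is also what to read when the browser shows the redirect errors the tip mentions.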
6.8 Installing silently
In addition to using the GUI interface, the installer and uninstaller programs can be run from scripts. This topic provides examples for installing and uninstalling BMC Atrium Single Sign-On in silent mode by using the setup script from the command line.
Running the installer in silent mode (see page 114)
Uninstalling in silent mode (see page 114)
Example options.txt file (see page 114)
The following represents the general command line syntax:
BMC Atrium Single Sign-On 8.1
Page 112 of 389
BMC Software Confidential
Home
setup.sh|setup.cmd -i silent -DOPTIONS_FILE=
Note The full path to the AtriumSSO directory must be specified.
If you are configuring BMC Atrium Single Sign-On as a High Availability (HA) cluster, you must complete the HA prerequisites and HA pre-installation tasks before running the installer in silent mode on the first node and the additional nodes. Before running the installer in silent mode on an additional node, you must also complete the following tasks:
Ensure that all nodes are running and available.
Copy the configuration file (created during the first node's installation) to the Disk1 directory of the extracted files before installing BMC Atrium Single Sign-On on the node.
You must also complete the HA post-installation activities after you have run the installer in silent mode on all the nodes.
For information about the additional parameters that you must add in the SSOSilentInstallOptions.txt file, see Example options.txt file (see page 114).
6.8.1 Running the installer in silent mode
1. Open a command line window.
2. Navigate to the AtriumSSO directory. For example, on Windows, the default location is C:\SSO\AtriumSSO.
3. Create the SSOSilentInstallOptions.txt file with any environment-specific parameters. For details on the file format, see Example options.txt file (see page 114).
4. Run the setup command with the following syntax:
setup.sh|setup.cmd -i silent -DOPTIONS_FILE=SSOSilentInstallOptions.txt
5. Verify that your BMC Atrium Single Sign-On installation was successful:
a. Launch the Administrator console.
b. Confirm that you can view the BMC Atrium Single Sign-On logon panel.
Note If you install in silent mode, you must also uninstall in silent mode to uninstall the server.
6.8.2 Uninstalling in silent mode
1. Open a command-line window.
2. Navigate to the AtriumSSO directory. For example, on Windows, the default location is C:\SSO\AtriumSSO.
3. Run UninstallAtriumSSO.exe with the following syntax:
UninstallAtriumSSO.exe -i silent -DOPTIONS_FILE=SSOSilentUninstallOptions.txt
where SSOSilentUninstallOptions.txt contains:
-silent -U productAtriumSSO -U featureAtriumSSO
6.8.3 Example options.txt file The following Windows example invokes a silent installation where the administrator password is admin123.
setup.cmd -i silent -DOPTIONS_FILE=C:\SSO\AtriumSSO\SSOSilentInstallOptions.txt
You can generate the encrypted form of a new administrator password (the value used for ATRIUMSSO_SERVER_PASSWORD and ATRIUMSSO_SERVER_PASSWORD_2) with the maintenance tool:
Disk1/support/AtriumSSOMaintenanceTool.sh -silent -encrypt -encrypt -password=test -confirm_password=test
The tool prints the encrypted value, for example:
DES\:a751b8161238d05108839e457d4e2050
The DES: prefix marks a reversibly encrypted value, not a hash, and the options file may also carry keystore and truststore passwords in clear text. Restrict read access to the file while it exists and delete it once the installation has succeeded.
The SSOSilentInstallOptions.txt file contains:
-P installLocation=C:\SSO\AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_TOMCAT_SHUTDOWN_PORT=8005
-J ATRIUMSSO_TOMCAT_HTTP_PORT=8080
-J ATRIUMSSO_INSTALL_TOMCAT=true
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J ATRIUMSSO_SERVER_PASSWORD=DES\:3996ba109b2b3f035fb4200116c2339a78ecec52023308de
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:3996ba109b2b3f035fb4200116c2339a78ecec52023308de
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_HOST_NAME=atrium-sso-vm4.bmc.com
The SSOSilentInstallOptions.txt file for installing BMC Atrium Single Sign-On on an external Tomcat, specifying that the installer uses the Tomcat scripts for starting and stopping Tomcat processes, contains the following parameters:
-P installLocation=/root/bmc/AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_INSTALL_TOMCAT=false
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J ATRIUMSSO_SERVER_PASSWORD=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_HOST_NAME=vl-aus-rh55-atm-sp01.bmc.com
-J USE_EXTERNAL_SCRIPTS=true
-J CLUSTER_MODE=STANDALONE_STRING
-J ATRIUMSSO_EXISTING_TOMCAT_DIRECTORY=/root/apache-tomcat-6.0.37
-J TRUSTSTORE_LOCATION=/root/apache-tomcat-6.0.37/conf/cacerts.p12
-J TRUSTSTORE_PASSWORD=changeit
-J KEYSTORE_LOCATION=/root/apache-tomcat-6.0.37/conf/keystore.p12
-J KEYSTORE_PASSWORD=changeit
-J KEYSTORE_ALIAS=tomcat
-J JAVA_LOCATION=/usr/jdk64
-J JDK_LOCATION=/usr/jdk64
The SSOSilentInstallOptions.txt file for installing BMC Atrium Single Sign-On on an external Tomcat server, specifying that the installer uses the Windows service of the Tomcat server, contains the following parameters:
-P installLocation=/root/bmc/AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_INSTALL_TOMCAT=false
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J ATRIUMSSO_SERVER_PASSWORD=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_HOST_NAME=vl-aus-rh55-atm-sp01.bmc.com
-J USE_EXTERNAL_SCRIPTS=false
-J ATRIUMSSO_EXISTING_TOMCAT_SERVICE=Tomcat
-J CLUSTER_MODE=STANDALONE_STRING
-J ATRIUMSSO_EXISTING_TOMCAT_DIRECTORY=/root/apache-tomcat-6.0.37
-J TRUSTSTORE_LOCATION=/root/apache-tomcat-6.0.37/conf/cacerts.p12
-J TRUSTSTORE_PASSWORD=changeit
-J KEYSTORE_LOCATION=/root/apache-tomcat-6.0.37/conf/keystore.p12
-J KEYSTORE_PASSWORD=changeit
-J KEYSTORE_ALIAS=tomcat
-J JAVA_LOCATION=/usr/jdk64
-J JDK_LOCATION=/usr/jdk64
When installing BMC Atrium Single Sign-On as a High Availability (HA) cluster, the SSOSilentInstallOptions.txt file must contain some additional parameters. The SSOSilentInstallOptions.txt file for installing the first node of an HA cluster must contain the following parameters:
-P installLocation=C:\SSO\AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_INSTALL_TOMCAT=true
-J CLUSTER_MODE=FIRST_MEMBER_CLUSTER_STRING
-J MEMBER_LOCATION=/home/xuser/5162_node.dat
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J LOAD_BALANCER_URL=https://iBMC-JBHBBK1.bmc.com:443/atriumsso
-J ATRIUMSSO_LDAP_REPLICATION_PORT=8092
-J ATRIUMSSO_TOMCAT_SHUTDOWN_PORT=8005
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_TOMCAT_HTTP_PORT=8080
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J USE_EXTERNAL_SCRIPTS=false
-J ATRIUMSSO_SERVER_PASSWORD=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_HOST_NAME=rlnx-al-vm01.bmc.com
-J ATRIUMSSO_LDAP_PORT=8091
The SSOSilentInstallOptions.txt file for installing additional nodes of an HA cluster must contain the following parameters:
-P installLocation=/opt/bmc/AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_TOMCAT_SHUTDOWN_PORT=8005
-J ATRIUMSSO_TOMCAT_HTTP_PORT=8080
-J ATRIUMSSO_INSTALL_TOMCAT=true
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J CLUSTER_MODE=ADDITIONAL_MEMBER_CLUSTER_STRING
-J MEMBER_LOCATION=/tmp/SSO/5162_node.dat
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_LDAP_REPLICATION_PORT=8092
-J ATRIUMSSO_HOST_NAME=vm-rhel5-rds1276.bmc.com
-J ATRIUMSSO_LDAP_PORT=8091
-J USE_EXTERNAL_SCRIPTS=false
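The silent installer reads all of its settings from the options file, so a malformed or weakly configured file is only discovered after a failed or insecure install. The following Python script is an added example and is not part of the BMC documentation or product: it parses an SSOSilentInstallOptions.txt, checks the -P/-A/-J structure and the keys the examples above show for each CLUSTER_MODE and for an external Tomcat, and flags server passwords that are not in the DES: encrypted form or keystore passwords that still use Tomcat's default changeit. The required-key sets are inferred from this page's examples and are an assumption about what the installer enforces; the two embedded sample files are trimmed copies of the external-Tomcat and additional-node examples above.

```python
"""Audit an SSOSilentInstallOptions.txt before running setup -i silent.
Added example, not BMC code; required-key sets are inferred from the page's sample files."""
import re

FLAG_RE = re.compile(r"^-(P|A|J)\s+(\S+?)(?:=(.*))?$")

BASE_KEYS = {"ATRIUMSSO_INSTALL_TOMCAT", "ATRIUMSSO_TOMCAT_HTTPS_PORT",
             "ATRIUMSSO_COOKIE_DOMAIN", "ATRIUMSSO_HOST_NAME"}
PASSWORD_KEYS = {"ATRIUMSSO_SERVER_PASSWORD", "ATRIUMSSO_SERVER_PASSWORD_2"}
MODE_KEYS = {  # extra keys each CLUSTER_MODE needs, taken from the HA examples on this page
    "STANDALONE_STRING": set(),
    "FIRST_MEMBER_CLUSTER_STRING": {"MEMBER_LOCATION", "LOAD_BALANCER_URL", "ATRIUMSSO_LDAP_PORT",
                                    "ATRIUMSSO_LDAP_REPLICATION_PORT"},
    "ADDITIONAL_MEMBER_CLUSTER_STRING": {"MEMBER_LOCATION", "ATRIUMSSO_LDAP_PORT",
                                         "ATRIUMSSO_LDAP_REPLICATION_PORT"},
}
EXTERNAL_TOMCAT_KEYS = {"ATRIUMSSO_EXISTING_TOMCAT_DIRECTORY", "KEYSTORE_LOCATION",
                        "KEYSTORE_PASSWORD", "KEYSTORE_ALIAS",
                        "TRUSTSTORE_LOCATION", "TRUSTSTORE_PASSWORD"}

# Constructed, trimmed copies of two sample files from this page (non-essential lines dropped).
SAMPLE_EXTERNAL_TOMCAT = r"""
-P installLocation=/root/bmc/AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_INSTALL_TOMCAT=false
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J ATRIUMSSO_SERVER_PASSWORD=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_HOST_NAME=vl-aus-rh55-atm-sp01.bmc.com
-J CLUSTER_MODE=STANDALONE_STRING
-J ATRIUMSSO_EXISTING_TOMCAT_DIRECTORY=/root/apache-tomcat-6.0.37
-J TRUSTSTORE_LOCATION=/root/apache-tomcat-6.0.37/conf/cacerts.p12
-J TRUSTSTORE_PASSWORD=changeit
-J KEYSTORE_LOCATION=/root/apache-tomcat-6.0.37/conf/keystore.p12
-J KEYSTORE_PASSWORD=changeit
-J KEYSTORE_ALIAS=tomcat
"""
SAMPLE_ADDITIONAL_NODE = r"""
-P installLocation=/opt/bmc/AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_INSTALL_TOMCAT=true
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J CLUSTER_MODE=ADDITIONAL_MEMBER_CLUSTER_STRING
-J MEMBER_LOCATION=/tmp/SSO/5162_node.dat
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_LDAP_REPLICATION_PORT=8092
-J ATRIUMSSO_HOST_NAME=vm-rhel5-rds1276.bmc.com
-J ATRIUMSSO_LDAP_PORT=8091
"""


def parse_options(text):
    """Return (install_location, features, params, syntax_errors) for an options file."""
    location, features, params, errors = None, [], {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = FLAG_RE.match(line)
        if not match:
            errors.append(f"line {lineno}: not a -P/-A/-J entry: {line!r}")
            continue
        flag, name, value = match.groups()
        if flag == "P":
            location = value            # -P installLocation=...
        elif flag == "A":
            features.append(name)       # -A featureAtriumSSO
        else:
            params[name] = value or ""  # -J KEY=VALUE
    return location, features, params, errors


def audit_options(text):
    """Return findings; an empty list means the file passed every check."""
    location, features, params, findings = parse_options(text)
    if not location:
        findings.append("missing -P installLocation=...")
    if "featureAtriumSSO" not in features:
        findings.append("missing -A featureAtriumSSO")
    mode = params.get("CLUSTER_MODE", "STANDALONE_STRING")
    if mode not in MODE_KEYS:
        findings.append(f"unknown CLUSTER_MODE {mode!r}")
        mode = "STANDALONE_STRING"
    required = BASE_KEYS | MODE_KEYS[mode]
    if mode != "ADDITIONAL_MEMBER_CLUSTER_STRING":   # extra nodes take it from the .dat file
        required = required | PASSWORD_KEYS
    if params.get("ATRIUMSSO_INSTALL_TOMCAT", "true").lower() == "false":
        required = required | EXTERNAL_TOMCAT_KEYS
    for key in sorted(required - params.keys()):
        findings.append(f"missing -J {key}=...")
    # Server passwords must be AtriumSSOMaintenanceTool output, never clear text.
    for key in sorted(PASSWORD_KEYS & params.keys()):
        if not params[key].startswith(("DES:", "DES\\:")):
            findings.append(f"{key} is not in DES: encrypted form")
    if params.get("ATRIUMSSO_SERVER_PASSWORD") != params.get("ATRIUMSSO_SERVER_PASSWORD_2"):
        findings.append("ATRIUMSSO_SERVER_PASSWORD and ATRIUMSSO_SERVER_PASSWORD_2 differ")
    for key in ("KEYSTORE_PASSWORD", "TRUSTSTORE_PASSWORD"):
        if params.get(key) == "changeit":
            findings.append(f"{key} is the Tomcat default 'changeit'")
    return findings
```

Run it as `audit_options(open("SSOSilentInstallOptions.txt").read())` before invoking setup.sh; the external-Tomcat sample above produces exactly two findings, both for the default changeit keystore passwords, while the additional-node sample passes because its server password is supplied through the copied node file rather than the options file.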
6.9 Uninstalling BMC Atrium Single Sign-On
During installation, the uninstaller is installed with BMC Atrium Single Sign-On. Running the uninstaller removes BMC Atrium Single Sign-On from the system.
Running the uninstaller on Windows (see page 117)
Running the uninstaller on Solaris or Linux (see page 117)
Invocation error during uninstallation (see page 118)
6.9.1 Running the uninstaller on Windows
To uninstall BMC Atrium Single Sign-On from a Microsoft Windows platform, use the Add or Remove Programs option in the Control Panel.
1. From the Control Panel, select Add or Remove Programs.
2. Select BMC Atrium Single Sign-On in the list.
3. Click Change or Remove Programs once it is displayed. This launches the uninstaller program.
Note: Because of varying Windows system dependencies, a reboot might be required to completely uninstall BMC Atrium Single Sign-On.
6.9.2 Running the uninstaller on Solaris or Linux
To run the uninstaller on Oracle Solaris or Linux, the uninstaller must be launched from within a graphical environment, for example, from the console or through an X Window server.
1. Change the working directory to the installation directory. The following is the default directory:
$ cd /opt/SSO
2. Run the UninstallAtriumSSO script:
$ ./UninstallAtriumSSO
If the GUI environment is properly set up, the uninstaller program launches and walks the user through the steps to remove BMC Atrium Single Sign-On.
Important: Be sure to select the BMC Atrium Single Sign-On component, otherwise the uninstaller will remove the server.
3. Manually delete the BMC Atrium Single Sign-On log file artifacts. These log files are left in the file system regardless of the reboot.
6.9.3 Invocation error during uninstallation If the GUI environment is incorrectly set up, an invocation error similar to the following occurs when you run the uninstaller:
Invocation of this Java Application has caused an InvocationTargetException. This application will now exit. (LAX)
Stack Trace:
java.awt.HeadlessException: No X11 DISPLAY variable was set, but this program performed an operation which requires it.
at java.awt.GraphicsEnvironment.checkHeadless(Unknown Source)
at java.awt.Window.<init>(Unknown Source)
at java.awt.Frame.<init>(Unknown Source)
at java.awt.Frame.<init>(Unknown Source)
at javax.swing.JFrame.<init>(Unknown Source)
at com.zerog.ia.installer.LifeCycleManager.g(DashoA8113)
at com.zerog.ia.installer.LifeCycleManager.h(DashoA8113)
at com.zerog.ia.installer.LifeCycleManager.a(DashoA8113)
at com.zerog.ia.installer.Main.main(DashoA8113)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.zerog.lax.LAX.launch(DashoA8113)
at com.zerog.lax.LAX.main(DashoA8113)
This Application has Unexpectedly Quit: Invocation of this Java Application has caused an InvocationTargetException. This application will now exit. (LAX)
Set the DISPLAY variable to a reachable X server (or forward X over SSH) and rerun the uninstaller.
7 Configuring after installation When initially installed, BMC Atrium Single Sign-On is configured for immediate use. This default configuration uses the internal data store as an authentication source. This configuration is suitable for demonstrations, proof-of-concept deployments, testing, and other small deployment scenarios. However, for a large-scale system, you should configure the use of an external user repository for authentication, such as an LDAP server.
To set up a method for authentication (see page 120)
SAMLv2 authentication (see page 121)
Predefined authentication module (see page 121)
User Profile panel (see page 122)
Authentication chaining (see page 122)
Authentication chaining flags (see page 122)
Where to go from here (see page 122)
7.1 To set up a method for authentication
To set up the LDAP / Active Directory, Kerberos, Certificate / CAC, RSA SecurID, AR, and Internal LDAP authentication methods, you use the Realm Authentication panel on the BMC Realm.
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. On the Main tab (default), select a User Profile type.
Note: The User Profile applies to all authentication methods used for authentication.
3. In the Realm Authentication panel, click Add for a new authentication method and select the method. Alternatively, if you want to edit an existing module, select the module and click Edit.
4. Provide the parameters for the method and click Save.
5. Set the flag for the authentication method.
7.2 SAMLv2 authentication In BMC Atrium Single Sign-On, SAMLv2 is implemented from the Federation panel in the BMC realm.
7.3 Predefined authentication module To help with the configuration of BMC Atrium Single Sign-On, a predefined Internal LDAP authentication module is provided. This predefined authentication module allows you to quickly configure your system. The Internal LDAP authentication module uses the internal LDAP server as an authentication source in the authentication chain and does not have parameters to configure. When you select the Internal LDAP authentication module, it is added directly to the authentication chain without invoking an editor. The module can't be edited (since it does not have parameters) but it can be moved in priority and the authentication flag for it can be changed. The internal LDAP server is shown in User Stores panel with a name of embedded and type of Internal LDAP.
7.4 User Profile panel
The User Profile panel allows you to set user profile parameters. The options are Ignored, Required, or Dynamic. In the User Profile panel, select either Dynamic or Ignored.
Dynamic: Specifies that a local Single Sign-On user profile is created after a successful authentication, if it does not already exist.
Ignored: Specifies that no local Single Sign-On user profile is created or required for authentication.
Required: Specifies that a local Single Sign-On user profile with the same user ID is required for authentication to be successful.
7.5 Authentication chaining In addition, new chains can be created if a complex authentication chain is needed. For more information about authentication chains, see Managing authentication modules (see page 271). The order of authentication is changed by selecting an authentication method and clicking Up or Down.
7.6 Authentication chaining flags Each module allows you to specify the criteria for authentication processing. If you are implementing only one authentication module instance, the flag must be set to Required. The criteria categories are Required, Requisite, Sufficient, and Optional.
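The four flags follow the JAAS control-flag semantics that OpenAM, which BMC Atrium Single Sign-On is built on, inherits: Required failures are recorded but the chain continues, a Requisite failure stops the chain at once, a Sufficient success stops the chain with a positive result unless an earlier Required module already failed, and Optional results only matter when no Required or Requisite module is present. The following Python is an added example, not BMC or OpenAM code; it models a chain evaluation with those semantics so that the effect of a flag choice can be checked before it is applied to the BMC realm. The module names and outcomes in the sample chains are constructed, and the pairing of a Sufficient AR module with a Required LDAP module is an illustration, not a configuration the page prescribes.

```python
"""Model an OpenAM/JAAS authentication chain and the effect of each control flag.
Added example, not BMC or OpenAM code; module names and outcomes are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    flag: str       # "Required", "Requisite", "Sufficient" or "Optional"
    succeeds: bool  # whether this module accepts the credentials under test


def evaluate_chain(chain: List[Module]) -> Tuple[bool, List[str]]:
    """Return (authenticated, names of the modules that actually ran)."""
    required_ok = True     # cleared when a Required or Requisite module fails
    optional_hits = []
    ran = []
    for m in chain:
        ran.append(m.name)
        if m.flag == "Required":
            required_ok = required_ok and m.succeeds   # failure noted, chain continues
        elif m.flag == "Requisite":
            if not m.succeeds:
                return False, ran                        # failure stops the chain
        elif m.flag == "Sufficient":
            if m.succeeds and required_ok:
                return True, ran                         # success stops the chain
        elif m.flag == "Optional":
            optional_hits.append(m.succeeds)
        else:
            raise ValueError(f"unknown flag {m.flag!r}")
    if any(m.flag in ("Required", "Requisite") for m in chain):
        return required_ok, ran
    return any(optional_hits), ran    # only Sufficient/Optional modules: one must have passed


def ar_then_ldap(ar_ok: bool, ldap_ok: bool) -> List[Module]:
    """Constructed chain: an AR module flagged Sufficient ahead of a Required LDAP module."""
    return [Module("AR", "Sufficient", ar_ok), Module("LDAP", "Required", ldap_ok)]
```

With this chain a user known to AR System is authenticated after the first module and LDAP is never consulted, whereas a user unknown to AR System falls through to LDAP and must pass it; putting the Required LDAP module first instead would make an LDAP failure final even when the AR module would have accepted the user.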
7.7 Where to go from here
The following topics provide information and instructions associated with configuration methods used with BMC Atrium Single Sign-On:
Using AR for authentication
Using CAC for authentication
Using Kerberos for authentication (see page 132)
Using LDAP (Active Directory) for authentication
Using RSA SecurID for authentication
Using SAMLv2 for authentication
7.8 Using AR for authentication
The AR System Data Store plug-in allows group information associated with BMC Remedy AR System server users to be retrieved and provided to BMC products. The AR authentication module and the AR user store are designed to be used together because the user store provides additional information for users authenticated against the AR System server.
Note The AR user store provides read-only access to the user information stored in AR System server and read-only access to user and group lists and memberships.
Before you begin (see page 123)
To configure an AR module (see page 123)
To configure an AR user store (see page 124)
7.8.1 Before you begin
Ensure that the AR System Data Store plug-in is installed.
Ensure that you have the server location and an administrator account, since they are required to configure the AR user store.
Note User management functionality, assigning group information that is retrieved from the AR System server to users that exist in another data store (for example, the internal data store), and saving changes involving information retrieved from the AR System server are not available.
7.8.2 To configure an AR module
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. On the Main tab (default), select a User Profile type.
Note: The User Profile applies to all authentication methods used for authentication.
3. In the Realm Authentication panel, click Add for a new authentication method and select the method. Alternatively, if you want to edit an existing module, select the module and click Edit.
4. Provide the parameters for the method and click Save.
5. Set the flag for the authentication method.
Important For the AR module, the flag is set to Sufficient.
When adding or editing an AR module, the following options are available:
Save to save your modifications.
Reset to remove your modifications and stay on the editor.
Help launches a browser that provides you with online help.
Cancel to cancel and return to the launch page.
Parameters:
Server Host Name (Required): Provide the fully qualified domain name (FQDN) of the server where the AR System server is located. The full host name includes the domain name (bmc.com) and the individual name of the server (yourServer).
Server Port Number (Required): The port on which the AR System server is listening. Enter 0 if the AR System server is using port mapping.
Default Authentication String: Used only when the AR module is placed downstream in a chain from another authentication module that prompts the user only for a name and password. In that case the credentials the user supplied are reused, together with this authentication string, to authenticate the user against the AR System server.
Allow AR Guests: If enabled, allows unknown or invalid users to authenticate to the AR System server as guests. Leave this disabled unless guest access to AR System is intended, because it lets an unknown user name pass the module.
7.8.3 To configure an AR user store
Info: Note the following before you configure an AR user store. If you are using a persistent NameID element, you cannot define an AR user store; you must use a transient NameID element. Existing profiles within the embedded LDAP user store should be deleted before adding the AR user store.
1. Log on to the BMC Atrium SSO Admin Console.
2. Click Edit BMC Realm.
3. On the User Store panel, click Add to create a new AR user store. Alternatively, if you want to edit an existing AR user store, select the user store and click Edit.
4. Select AR User Store.
5. Provide the configuration parameters for the AR user store (see the parameter list below).
6. Click Save.
The AR User Store Editor is used both for editing an existing user store's parameters and for creating a new AR user store. The AR User Store Editor has the following options:
Save to save your modifications.
Reset to remove your modifications and stay on the editor.
Back to Data Stores to navigate back to the Authentication tab.
After configuration is finished, the data store is immediately available to provide group information to users who are authenticating with the AR authentication module.
AR user store parameters, by section:
AR Server Host
Name: Label for the AR user store.
Host Name (Required): Provide the fully qualified domain name (FQDN) of the server where the AR System server is located. The full host name includes the domain name (bmc.com) and the individual name of the server (yourServer). Replace the default value (sample.bmc.com) with the host name of your server (for example, yourServer.bmc.com).
Port (Required; default: 0): Provide the port number on which the AR System server is listening. The value 0 is used when the AR System server is using port mapping.
Administrative Access
Name (Required): Provide the user name of an AR System account that has AR System Administrator privileges. Empty or blank passwords for this user are not supported with a new user store.
Authentication: Provide the authentication string that is needed when the Administrator account connects to the AR System server.
Password and Confirm Password: Password for the AR System administrative account (for example, admin).
Because this account needs AR System Administrator privileges and its password is stored in the BMC Atrium Single Sign-On configuration, use a dedicated service account for the user store rather than a personal administrator account.
Connection Pool
Linger Time (seconds) (Required; default: 60): The amount of time a connection is allowed to remain unused in the pool before being closed.
Pool Size (Required; default: 10): The maximum number of connections the data store uses to service data requests for the AR System server.
For more information about common problems, see Troubleshooting AR authentication (see page 320).
7.9 Using CAC for authentication BMC Atrium Single Sign-On supports Common Access Card (CAC) authentication. Beyond the scope of this document is acquiring CACs, the Department of Defense (DoD) Certificate Authority (CA) certificates, and the installation and configuration of card readers and middleware software for these card readers. The administrator who is configuring BMC Atrium Single Sign-On for CAC authentication is assumed to be familiar with these topics.
7.9.1 CAC certificate usage
In order for CAC authentication to function, the BMC Atrium Single Sign-On server must be prepared with the signer certificates of the identity certificates that clients present to the server for authentication. The certificate for the Issuer must be imported into the BMC Atrium Single Sign-On server's truststore before the clients can send their certificates. The server sends the list of certificate authorities it trusts to the client as part of its certificate request. When a request for a client certificate is received and the user holds more than one certificate issued by a trusted authority, the user can select the certificate to use. For example, when Firefox receives a request for a client certificate and several of its certificates match the list sent by the server, a User Identification Request popup is displayed that allows the user to select a certificate.
Note For a single user test, the user's certificate (the certificate signed by the Issuer) could be imported into the truststore. However, if this method is used, then every user's certificate must be imported into the truststore.
Certificate signed by the Issuer
For example, the following certificate is signed by the Issuer (C=TX, O="BMC Software, Inc.", CN=AtriumSSO):
Owner: C=TX, O="BMC Software, Inc.", OU=AtriumSSO, CN=GoodSSO
Issuer: C=TX, O="BMC Software, Inc.", CN=AtriumSSO
Serial number: 56acad6af0be9e08
Valid from: Sun Feb 20 17:04:30 CST 2011 until: Tue Feb 19 17:04:30 CST 2013
Certificate fingerprints:
MD5: 4A:D6:7C:82:E4:2F:18:0B:8C:48:72:50:E2:56:02:5F
SHA1: 96:9E:6F:DD:A1:41:9C:F5:BD:4A:CC:9E:8B:79:41:6E:4C:A2:C9:69
Signature algorithm name: SHA1withRSA
Version: 3
Certificate for the Issuer
For example, the following certificate is the certificate for the Issuer:
Owner: C=TX, O="BMC Software, Inc.", CN=AtriumSSO
Issuer: C=TX, O="BMC Software, Inc.", CN=AtriumSSO
Serial number: 49b6786d72bb8c34
Valid from: Thu Oct 15 16:01:31 CDT 2009 until: Thu Apr 21 16:01:31 CDT 2016
Certificate fingerprints:
MD5: 81:85:78:CD:80:6A:C1:55:09:7A:FB:79:35:9F:06:5C
SHA1: 0D:2B:E2:90:ED:9E:24:39:19:B0:93:2F:15:87:3C:8D:F6:D0:03:3D
Signature algorithm name: SHA1withRSA
Version: 3
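The two printouts above are the form in which keytool -printcert (or keytool -list -v) describes a leaf certificate and its issuer, and the relation between them is exactly what has to hold before the Issuer certificate goes into cacerts.p12. The following Python is an added example, not BMC code: it parses that output, confirms that the leaf's Issuer matches the CA's Owner (so the right CA is being imported), confirms that the CA is self-signed, checks validity on a given date, and warns about SHA1withRSA, which is no longer an acceptable signature algorithm. The inputs are the two certificates printed on this page; the DN comparison is a plain string comparison, which assumes keytool printed both DNs in the same form.

```python
"""Check a leaf certificate against its issuer using `keytool -printcert` output.
Added example, not BMC code. LEAF_TEXT and CA_TEXT are the two certificates printed on this page."""
import re
from datetime import datetime

LEAF_TEXT = """Owner: C=TX, O="BMC Software, Inc.", OU=AtriumSSO, CN=GoodSSO
Issuer: C=TX, O="BMC Software, Inc.", CN=AtriumSSO
Serial number: 56acad6af0be9e08
Valid from: Sun Feb 20 17:04:30 CST 2011 until: Tue Feb 19 17:04:30 CST 2013
Certificate fingerprints:
MD5: 4A:D6:7C:82:E4:2F:18:0B:8C:48:72:50:E2:56:02:5F
SHA1: 96:9E:6F:DD:A1:41:9C:F5:BD:4A:CC:9E:8B:79:41:6E:4C:A2:C9:69
Signature algorithm name: SHA1withRSA
Version: 3
"""
CA_TEXT = """Owner: C=TX, O="BMC Software, Inc.", CN=AtriumSSO
Issuer: C=TX, O="BMC Software, Inc.", CN=AtriumSSO
Serial number: 49b6786d72bb8c34
Valid from: Thu Oct 15 16:01:31 CDT 2009 until: Thu Apr 21 16:01:31 CDT 2016
Certificate fingerprints:
MD5: 81:85:78:CD:80:6A:C1:55:09:7A:FB:79:35:9F:06:5C
SHA1: 0D:2B:E2:90:ED:9E:24:39:19:B0:93:2F:15:87:3C:8D:F6:D0:03:3D
Signature algorithm name: SHA1withRSA
Version: 3
"""

WEAK_SIG_ALGS = {"MD2withRSA", "MD5withRSA", "SHA1withRSA"}
FIELD_RE = re.compile(
    r"Owner:\s*(?P<owner>.+?)\s+Issuer:\s*(?P<issuer>.+?)\s+Serial number:\s*(?P<serial>\S+)"
    r"\s+Valid from:\s*(?P<nb>.+?)\s+until:\s*(?P<na>.+?)\s+Certificate fingerprints:"
    r".*?Signature algorithm name:\s*(?P<sig>\S+)", re.S)


def _keytool_date(text):
    """Parse "Sun Feb 20 17:04:30 CST 2011"; the zone name is dropped because
    strptime cannot portably parse it (keytool prints the JVM's local time)."""
    parts = text.split()
    del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_printcert(text):
    """Return owner, issuer, serial, not_before, not_after and sig_alg as a dict."""
    m = FIELD_RE.search(text)
    if not m:
        raise ValueError("input does not look like keytool -printcert output")
    return {"owner": m["owner"], "issuer": m["issuer"], "serial": m["serial"],
            "not_before": _keytool_date(m["nb"]), "not_after": _keytool_date(m["na"]),
            "sig_alg": m["sig"]}


def check_chain(leaf, ca, on_date):
    """Findings for a leaf/CA pair as of on_date ("YYYY-MM-DD"); an empty list means all good."""
    at = datetime.strptime(on_date, "%Y-%m-%d")
    findings = []
    if leaf["issuer"] != ca["owner"]:
        findings.append("leaf Issuer does not match CA Owner: wrong CA for the truststore")
    if ca["owner"] != ca["issuer"]:
        findings.append("CA certificate is not self-signed: import its issuer chain as well")
    for label, cert in (("leaf", leaf), ("CA", ca)):
        if not cert["not_before"] <= at <= cert["not_after"]:
            findings.append(f"{label} certificate not valid on {on_date}")
        if cert["sig_alg"] in WEAK_SIG_ALGS:
            findings.append(f"{label} certificate uses weak signature algorithm {cert['sig_alg']}")
    return findings
```

Feed it the output of `keytool -printcert -file DOD_CA19.cer` and of the user's certificate before running the import in 7.9.5; for the two sample certificates the chain itself is consistent, and the only findings on a date within both validity periods are the SHA-1 signatures.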
7.9.2 To set up CAC to use for authentication
BMC Atrium Single Sign-On supports using CACs through the ActivClient software from ActivIdentity. See the ActivClient documentation for the configuration steps needed for clients to use CACs, card readers, and browser setup.
1. Modify the Tomcat server (see page 127)
2. Import DoD CA certificates (see page 128)
3. Set up CAC certificates (see page 129)
4. If using OCSP, enable OCSP for the server (see page 131)
7.9.3 Modify the Tomcat server
Before setting up CAC authentication, the Tomcat server hosting the BMC Atrium Single Sign-On application must be configured to ask clients for certificates, and the Tomcat server's truststore must be set up with the root certificates for the CACs and the Online Certificate Status Protocol (OCSP) server.
To modify the Tomcat server
1. Stop the BMC Atrium Single Sign-On Tomcat server.
2. Edit the following file: /BMC Software/BMC Atrium SSO/tomcat/conf/server.xml
3. Search the file to find the Connector definition used to configure the server's HTTP and HTTPS communications. The tag is similar to the following:
4. Change the clientAuth attribute from "false" to "want": clientAuth="want". The clientAuth attribute makes Tomcat ask for client certificates; with "want", a client that has no certificate can still connect.
Important: Do not set the clientAuth attribute to "true" because this setting breaks certain BMC Atrium SSO-to-Agent communications.
After the change, the Connector tag is similar to the following:
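The Connector tag and its modified form did not survive extraction of this page. The following Python is an added example, not BMC code and not the product's server.xml: it contains a constructed Tomcat 6 HTTPS Connector of the kind the step describes (the attribute names are standard Tomcat connector attributes; the keystore file names and the changeit passwords are placeholders), reports the clientAuth setting of every SSL connector together with the consequence the page states for each value, and produces a copy with clientAuth="want". ElementTree discards XML comments when it re-serialises, so diff the result against the original before copying it over a real server.xml.

```python
"""Report and fix the clientAuth setting of Tomcat HTTPS connectors.
Added example, not BMC code; the Connector below is constructed with standard Tomcat 6
attributes and placeholder file names and passwords."""
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="conf/keystore.p12" keystoreType="PKCS12" keystorePass="changeit"
               truststoreFile="conf/cacerts.p12" truststoreType="PKCS12" truststorePass="changeit"
               clientAuth="false"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

VERDICTS = {  # consequences as stated in the CAC setup procedure
    "want": "ok: clients are asked for a certificate but may connect without one",
    "true": "bad: a certificate is mandatory, which breaks Atrium SSO-to-Agent connections",
    "false": "bad: client certificates are never requested, so CAC logon cannot work",
}


def _is_https(connector):
    return (connector.get("SSLEnabled", "").lower() == "true"
            or connector.get("scheme") == "https")


def check_client_auth(xml_text):
    """Return [(port, clientAuth, verdict)] for every SSL connector in server.xml."""
    root = ET.fromstring(xml_text)
    rows = []
    for conn in filter(_is_https, root.iter("Connector")):
        value = conn.get("clientAuth", "false")        # Tomcat's default is false
        verdict = VERDICTS.get(value, f"bad: unexpected clientAuth value {value!r}")
        rows.append((conn.get("port"), value, verdict))
    return rows


def set_client_auth_want(xml_text):
    """Return server.xml text with clientAuth="want" on every SSL connector.

    ElementTree drops XML comments on re-serialisation, so diff the output
    against the original before copying it over a real server.xml.
    """
    root = ET.fromstring(xml_text)
    for conn in filter(_is_https, root.iter("Connector")):
        conn.set("clientAuth", "want")
    return ET.tostring(root, encoding="unicode")
```

Running `check_client_auth(open("server.xml").read())` after the edit in step 4 should report "want" for port 8443 and nothing else; the plain HTTP connector on 8080 is ignored because it has no SSLEnabled or scheme="https" attribute.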
7.9.4 Import DoD CA certificates
The DoD CA certificates appropriate for your CACs must be imported into the BMC Atrium Single Sign-On server's truststore before using CAC for authentication. Importing the certificates allows the server to send the appropriate query to the client to return the correct certificate. Refer to the documentation from the supplier of your CACs for the location where the current root certificates can be acquired. The server's truststore (named cacerts.p12) is located in /BMC Software/BMC Atrium SSO/tomcat/conf. The following instructions use the Oracle keytool utility to import the certificate, but another tool could also be used.
7.9.5 To import certificates
1. Add the bin directory to the PATH environment variable. When BMC Atrium Single Sign-On is installed with its own Tomcat server, a JDK is installed with the server. When using this JDK, the DoD certificate can be imported into the server's truststore by using the keytool command (keytool.exe on Windows), located within the JDK's bin directory. This bin directory needs to be added to the PATH environment variable if it is not already a part of that variable.
2. To add the location, run the following command:
(UNIX) export PATH=/BMC Software/BMC Atrium SSO/jdk/bin:$PATH
(Microsoft Windows) set PATH=\BMC Software\BMC Atrium SSO\jdk\bin;%PATH%
3. Copy the DoD CA certificate file into the following directory: /BMC Software/BMC Atrium SSO/tomcat/conf
4. Use the keytool utility to import the certificate into the truststore using the following parameters:
keytool -importcert -keystore cacerts.p12 -file DOD_CA19.cer -alias DOD_CA19 -storetype PKCS12 -providername JsafeJCE
Note: In this example, the certificate file name, DOD_CA19.cer, may not be appropriate for your use.
5. Enter the password (Default: changeit).
6. Accept the certificate at the prompt, after comparing the fingerprint keytool displays with the value published by the CA's operator.
7. If SSL is used to communicate with an external LDAP server, import that server's certificate into the truststore. Use the keytool utility to import the LDAP server's certificate into the BMC Atrium Single Sign-On truststore. If the LDAP server requires a client certificate, export the BMC Atrium Single Sign-On certificate and import it into the LDAP server's truststore before enabling CAC authentication. If CA-signed certificates are used for LDAPS, import the CA certificate and any intermediate signing certificates into the truststores instead.
8. If you plan to use OCSP for authentication, import the OCSP responder certificate into the BMC Atrium Single Sign-On truststore with the alias AtssoOCSP.
9. Restart the Tomcat server.
7.9.6 Set up CAC certificates
This topic provides instructions for setting up CAC certificates to use for CAC authentication.
To set up CAC certificates
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. On the Main tab (default), select a User Profile type.
Note: The User Profile applies to all authentication methods used for authentication.
3. In the Realm Authentication panel, click Add for a new authentication method and select the method. Alternatively, if you want to edit an existing module, select the module and click Edit.
4. Provide the parameters for the method and click Save.
5. Set the flag for the authentication method.
Note You can provide parameter information for OCSP authentication, CRL authentication, or both. BMC does not recommend using the CRL approach due to the performance load experienced with the ever-increasing length of CRL lists.
CAC certificate parameters
When adding or editing a CAC certificate module, the following options are available:
Save to save your modifications.
Reset to remove your modifications and stay on the editor.
Help launches a browser that provides you with online help.
Cancel to cancel and return to the launch page.
Fields and parameters:
Name: Name for the Certificate and CAC authentication module.
Use OCSP: Select Use OCSP to use the OCSP responder. BMC recommends that you use OCSP for validation. Note: The clock skew between the BMC Atrium Single Sign-On server and the OCSP server must not be greater than 15 minutes; otherwise, certificate authentication fails. See Clock skew too great for CAC authentication (see page 331).
Certificate Field for User Profile: Select one of the options: Subject CN (Common Name attribute of the Subject DN), Subject DN (Distinguished Name), Subject UID (UID attribute of the Subject DN), Email, None, or Other.
Forwarded Certificates: When running behind a load balancer or reverse proxy, the verification of ownership of the private key is not possible through the SSL/TLS connection. Because of this restriction, the BMC Atrium Single Sign-On server requires that the fronting server be listed as a trusted host from which forwarded certificates are accepted. The fronting proxy must overwrite, never pass through, any client-supplied header of the configured name; otherwise a client that can reach the proxy could present an arbitrary certificate.
Forwarded Certificate List: The list of trusted host names that you add via the Trusted Host Name field. To delete an entry, select the trusted host name and click Remove.
Trusted Host Name: Enter the name of a host from which a forwarded certificate can be trusted.
Certificate HTTP Header Name: Enter the name of the HTTP header under which the forwarded certificate is passed.
Certificate Revocation Lists (CRL):
Use CRL: Select Use CRL to use a Certificate Revocation List (CRL). Note: BMC does not recommend using the CRL approach because of the performance load caused by the ever-increasing length of CRL lists.
LDAP Server Where Certificates are Stored: Provide the host and port for the LDAP server where the certificates are stored. The host name must be followed by a colon and the port number of the LDAP server.
LDAP Start Search DN: Enter the DN of the node at which the search within the LDAP server starts. The account used to connect to the LDAP server must have sufficient privileges to perform the search.
LDAP Server Password and Confirm LDAP Server Password: Provide and confirm the password for connecting to the LDAP server.
Check CA with CRL: When verifying a certificate, the CA certificate used to sign it can also be checked against the CRL.
Use SSL/TLS: If you are using SSL, the LDAP server certificate must be imported into the BMC Atrium Single Sign-On truststore so that the SSL connection to the LDAP server can be established.
Trusted Certificates: Browse on your desktop to upload a trusted certificates file; once uploaded, it appears in the trusted certificates list. To remove a file, select it and click Remove.
7.9.7 If using OCSP, enable OCSP for the server
If you plan to use OCSP for authentication, enable OCSP for the server.
1. Verify that the OCSP responder certificate was imported into the BMC Atrium Single Sign-On truststore.
2. On the BMC Atrium SSO Admin Console, click Edit Server Configuration.
3. In the Online Certificate Status Protocol field, select Enable OCSP and provide the server URL.
4. Click Save.
7.9.8 Where to go from here Administering (see page 263) for information about authentication, users, and groups.
7.9.9 Related topics
Troubleshooting CAC authentication (see page 326)
7.10 Using Kerberos for authentication
Kerberos is a network authentication protocol that is designed to provide strong authentication for client/server applications by using strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. This topic contains the following information:
Configuring Kerberos video (see page 133)
Before you begin (see page 133)
To set up Kerberos to use for authentication (see page 133)
Where to go from here (see page 133)
7.10.1 Configuring Kerberos video
Click the following BMC Atrium Single Sign-On 8.1 Kerberos configuration video for more information: Watch video on YouTube at http://www.youtube.com/watch?v=Deo2od9ePRg
7.10.2 Before you begin
Before using Kerberos for authentication, a service principal for the BMC Atrium Single Sign-On server must be added to the realm. This service principal is used by clients to request a service ticket when authenticating. The service principal name is based on the host name of the server running BMC Atrium Single Sign-On. To use Kerberos authentication with Active Directory (AD) installed on a Windows 2008 machine, upgrade Windows 2008 to SP2 (at least) or apply the Hotfix for Windows (KB951191). In addition, the identity used for the service principal cannot be the computer identity hosting the Atrium SSO service.
Note: Kerberos authentication cannot be used to authenticate clients from the same computer where BMC Atrium Single Sign-On is installed.
7.10.3 To set up Kerberos to use for authentication
1. Generating a keytab for the service principal and mapping the Kerberos service name (see page 134)
2. Configuring the Kerberos module
3. Reconfiguring your browser (see page 138)
For information about troubleshooting issues with Kerberos, see Troubleshooting Kerberos authentication (see page 333).
7.10.4 Where to go from here
For information about managing users, user groups, and authentication modules, see Administering (see page 263).
For information about troubleshooting issues with Kerberos, see Troubleshooting Kerberos authentication (see page 333).
7.10.5 Generating a keytab for the service principal and mapping the Kerberos service name
After the accounts for the service principals are created, a keytab file must be generated. This file contains sensitive information used by the BMC Atrium Single Sign-On servers when working with the Key Distribution Center (KDC) and Active Directory (AD). For Kerberos, the ktadd command is used to add the sensitive information to the keytab file and to map the Kerberos service name to the Active Directory identity.
Note: Anyone with read permissions to a keytab file can use all of the keys it contains. Permissions must be restricted and monitored on the keytab files that you create.
To generate a keytab file for the service principal and map the Kerberos service name
1. In the Active Directory server, run the ktpass command.
2. Map additional SPNs to the Kerberos identity using setspn.exe.
3. Copy the generated keytab file to the BMC Atrium Single Sign-On server host.
ktpass command syntax
By running the ktpass command, you generate a keytab file and create a mapping that associates the Kerberos service name with the identity in Active Directory. The values in angle brackets are placeholders:
ktpass /out <keytab file> /mapuser <user name> /princ HTTP/<host FQDN>@<AD domain> /pass <password> /ptype KRB5_NT_PRINCIPAL /Target <AD domain> /kvno 0
In this case:
<keytab file> is the name of the keytab file that you are generating.
<user name> is the user name of the identity for the Atrium SSO service.
<host FQDN> is the fully qualified domain name of the host, including the internet domain (FQDN).
<password> is the password for the principal account.
<AD domain> is the Active Directory domain name.
Note: The host name can also be modified through the hosts file. If you modified the host name through the hosts file, the browser and the system might need to be rebooted for the name change to take effect. The internet domain and the Active Directory domain are different domains. The internet domain is used to form a hierarchy of computer names for mapping a computer name to a host address. The Active Directory (AD) domain is used for grouping users for authentication purposes and maps to a Kerberos realm.
The principal name is case-sensitive. By convention:
Kerberos realms (and AD domains) are written in uppercase.
Host names are written in lowercase.
Database lookups are case-sensitive.
Important: The case-sensitivity constraint means that the principal names expressed in the mappings must be written using the same case as those returned by a domain name lookup. Active Directory is not case-sensitive, while MIT Kerberos is case-sensitive.
setspn.exe command syntax
The setspn.exe utility program allows manipulation of SPNs within Active Directory. Multiple SPNs may need to be mapped to the Atrium SSO identity, depending upon the network configuration and whether Atrium SSO is running in HA mode behind a load balancer. Refer to the Microsoft documentation for further details. To add a new SPN, use the following command syntax (angle brackets mark placeholders):
setspn.exe -S <service>/<host>[:<port>] <user name>
In this case:
<service> is always HTTP for the Atrium SSO SPN.
<host> is the fully qualified name of the host where the Atrium SSO server is running.
<port> is the port that Atrium SSO is using.
<user name> is the name of the user identity for the Atrium SSO service.
To check for duplicate SPNs, use the following command syntax:
setspn.exe -X
This command uses a lot of memory in order to scan a large Active Directory database.
ktpass and setspn.exe command example
In the following example, <host FQDN> and <AD DOMAIN> stand for the Atrium SSO server's fully qualified host name and the Active Directory domain, whose actual values are not preserved in this copy of the page:
C:\>ktpass /out ssohost.keytab /princ HTTP/<host FQDN>@<AD DOMAIN> /ptype KRB5_NT_PRINCIPAL /kvno 0 /mapuser atriumsso
This example also illustrates the best practice for the case of the components of the SPN:
HTTP - all uppercase
Host name - all lowercase
Domain name - all uppercase
In addition, note that the user name does not contain any spaces. While the example does provide the identity that the SPN is going to be mapped to, the setspn.exe command should also be executed to provide a complete mapping.
C:\>setspn.exe -A HTTP/<host FQDN>@<AD DOMAIN> atriumsso
The setspn.exe command should map the above SPN using the Fully Qualified Domain Name (FQDN) of the Atrium SSO server, and an additional SPN using just the host name. In other words, the following SPNs should be mapped:
HTTP/<host FQDN>@<AD DOMAIN>
HTTP/<host name>@<AD DOMAIN>
Important: When running in HA mode behind a load balancer, the name of the load balancer should be used instead of the Atrium SSO server name.
A delay occurs in AD when changes to identities are made. Altering the mapped SPNs can take about 15 minutes before the mappings are pushed out to the affected systems. This delay means that it will take some time after updating the identity SPNs before a login test can be performed.
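The following is an added example, not part of BMC's documentation or product: a small Python check that tests a service principal name against the case conventions described above (HTTP uppercase, host name lowercase, realm uppercase, no whitespace) and lists the SPNs that should be mapped, using the load balancer name when one is given. The host names, realm and port in the test values are constructed.

```python
"""Added example (not BMC's code): SPN convention check and expected SPN list."""
import re

# A DNS label is letters, digits and hyphens with no leading or trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def check_principal(principal: str) -> list:
    """Return the convention violations in an SPN of the form SERVICE/host[:port]@REALM.

    An empty list means the SPN follows the conventions this section describes.
    """
    problems = []
    if any(ch.isspace() for ch in principal):
        problems.append("principal contains whitespace")
    if "/" not in principal or "@" not in principal:
        problems.append("expected the form SERVICE/host[:port]@REALM")
        return problems
    service, rest = principal.split("/", 1)
    host_port, realm = rest.rsplit("@", 1)
    host, _, port = host_port.partition(":")
    if service != "HTTP":
        problems.append("service must be HTTP (uppercase)")
    if host != host.lower():
        problems.append("host name must be lowercase")
    if not _HOST_RE.match(host.lower()):
        problems.append("host name is not a valid DNS name")
    elif "." not in host:
        problems.append("host name should be the fully qualified domain name")
    if port and not port.isdigit():
        problems.append("port must be numeric")
    if not realm:
        problems.append("realm is empty")
    elif realm != realm.upper():
        problems.append("realm (AD domain) must be uppercase")
    return problems


def required_spns(server_fqdn: str, ad_domain: str, port: int = None,
                  load_balancer_fqdn: str = None) -> list:
    """Build the SPNs to map: one with the FQDN and one with the short host name.

    When a port is given, variants carrying the port are added as well. Behind a
    load balancer in HA mode the load balancer's name replaces the server's name,
    as the Important note above requires.
    """
    host = (load_balancer_fqdn or server_fqdn).strip().lower()
    realm = ad_domain.strip().upper()
    short = host.split(".", 1)[0]
    spns = []
    for name in dict.fromkeys((host, short)):  # de-duplicates if host has no dots
        spns.append(f"HTTP/{name}@{realm}")
        if port is not None:
            spns.append(f"HTTP/{name}:{port}@{realm}")
    # Self-check: every generated SPN must pass the conventions; the short-name
    # variant is intentionally not an FQDN, so that one finding is ignored.
    for spn in spns:
        bad = [p for p in check_principal(spn) if "fully qualified" not in p]
        if bad:
            raise ValueError(f"{spn}: {'; '.join(bad)}")
    return spns


if __name__ == "__main__":
    # Constructed sample values, not from any real environment.
    for spn in required_spns("ssohost.example.com", "example.com", port=8443):
        print(spn, check_principal(spn))
```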
7.10.6 Configuring the Kerberos module
This topic provides instructions for configuring the Kerberos module.
To configure the Kerberos module
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. On the Main tab (default), select a User Profile type.
Note: The User Profile applies to all authentication methods used for authentication.
3. In the Realm Authentication panel, click Add for a new authentication method and select the method. Alternatively, if you want to edit an existing module, select the module and click Edit.
4. Provide the parameters for the method and Save.
5. Set the flag for the authentication method.
Important: Restart the BMC Atrium Single Sign-On server after configuring the Kerberos module.
Kerberos configuration parameters
When adding or editing a Kerberos module, the following options are available: Save to save your modifications. Reset to remove your modifications and stay on the editor. Help launches a browser that provides you with online help. Cancel to cancel and return to the launch page.
Service Principal: The Kerberos principal that is used for authentication. The service principal is used by clients to request a service ticket when authenticating. The service principal name is based on the host name of the server running BMC Atrium Single Sign-On.
Keytab File Name: The Kerberos keytab file that is used for authentication, given as the absolute path to the keytab file. The keytab file contains the password for the service principal.
Kerberos Realm: The KDC domain name.
KDC Server: The KDC host name. You must enter the fully qualified domain name (FQDN) of the domain controller.
UserId Format: The following parameters are used:
Use Domain Name with Principal: If this check box is selected, BMC Atrium Single Sign-On automatically uses the Kerberos principal together with the domain controller's domain name during authentication.
Forced character case: Select the character case you want for the user ID. You can choose one of three options: No change, UPPERCASE, or lowercase. The UserId is displayed in the selected format in the user store.
Return UserId to User Store: If this check box is selected, user store searches use the original UserId instead of the value modified by the UserId Format parameter. For example, when you search the user store, the userid from the authentication could be atsso\abcxyz, but the value abcxyz is used to search the user store.
7.10.7 Reconfiguring your browser
This topic provides instructions for reconfiguring your browser for Kerberos.
To reconfigure Internet Explorer
Your Internet Explorer must be version 7 or greater. The following instructions are for Internet Explorer 8.
1. Navigate to Tools > Internet Options > Advanced.
2. On the Advanced tab, in the Security section, select the Enable Integrated Windows Authentication option (requires restart).
3. On the Security tab, select Local Intranet.
4. Click Custom Level.
5. In the User Authentication/Logon section, select Automatic logon only in Intranet zone.
6. Click OK.
7. Click Sites and select all of the options (default).
8. From the Sites popup, click Advanced and add the Access Manager web site to the local zone (the website might already be added). For example, sample.bmc.com.
9. Click Add.
10. Click OK for all of the pop-ups.
To reconfigure Firefox
1. Enter the following URL: about:config
2. Click I'll be careful, I promise!
3. Double-click the Preference Name: network.negotiate-auth.trusted-uris
4. Add the Fully Qualified Domain Name (FQDN) of the host, for example, sample.bmc.com.
5. Click OK.
7.11 Using LDAP (Active Directory) for authentication
BMC Atrium Single Sign-On provides support for using external Lightweight Directory Access Protocol (LDAP) servers for authentication. Support for LDAP also includes using external Active Directory (AD) servers for authentication. The Active Directory authentication must be configured for the enterprise environment.
Before you begin (see page 139)
To set up LDAP (AD) for authentication (see page 139)
LDAP (AD) parameters (see page 139)
Where to go from here (see page 141)
7.11.1 Before you begin
If you plan to enable SSL access, import the certificates and restart the Tomcat server before setting up LDAP (AD) authentication. See Managing keystores with a keytool utility (see page 239) for more information.
7.11.2 To set up LDAP (AD) for authentication
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. On the Main tab (default), select a User Profile type.
Note: The User Profile applies to all authentication methods used for authentication.
3. In the Realm Authentication panel, click Add for a new authentication method and select the method. Alternatively, if you want to edit an existing module, select the module and click Edit.
4. Provide the parameters for the method and Save.
5. Set the flag for the authentication method.
Note: If you enabled SSL Access to the LDAP Server, import the certificates and restart the Tomcat server before enabling LDAP authentication. See Managing keystores with a keytool utility (see page 239) for more information.
7.11.3 LDAP (AD) parameters
When adding or editing an LDAP module, the following options are available: Save to save your modifications. Reset to remove your modifications and stay on the editor. Help launches a browser that provides you with online help. Cancel to cancel and return to the launch page.
Primary LDAP Server
Name: (Required) Enter the host's Fully Qualified Domain Name (FQDN) for the primary LDAP server.
Port: If the LDAP server is not listening on the default port (389), specify the port number.
Use SSL: (Optional) Enable to use SSL to connect to the LDAP servers. In addition, before communications can be established, the certificates for the LDAP servers (primary and secondary) must be imported to the BMC Atrium Single Sign-On Tomcat truststore. For more information on importing certificates into the BMC Atrium Single Sign-On truststore, see Importing a certificate into the truststore (see page 243). If the remote LDAP server requires client authentication for SSL, the BMC Atrium Single Sign-On server's certificate might need to be imported into the LDAP server's truststore. Note: If you enabled SSL Access to the LDAP Server, import the certificates and restart the Tomcat server before enabling LDAP authentication. See Managing keystores with a keytool utility (see page 239) for more information.
Secondary LDAP Server
Name: The secondary LDAP server is only used when the primary server is not available. It is not used in parallel or when a user fails to authenticate with the primary server.
Port: If the secondary server is not listening on the default LDAP port, specify the port number.
Use SSL: (Optional) Enable to use SSL to connect with the LDAP servers. The same certificate import and Tomcat restart requirements described for the primary server's Use SSL parameter apply.
Set Recheck Primary Server Interval (minutes): (Optional) The amount of time that the server uses the secondary server before attempting to reconnect with the primary server.
User Account for Search
Distinguished Name, Password, Confirm Password: (Required) The DN is the login name that is used to connect to the LDAP server. The user must have privileges to perform searches on the primary and secondary LDAP servers. Enter the DN for the user, the password, and the password confirmation. For example, you can use the Distinguished Name CN=bsmuser,CN=users,DC=bsmdsl,DC=bmc,DC=com and a password of your choice.
Attributes for User Search
Attribute Name: Add attribute names using the Attribute Name parameter, or remove an attribute from the attribute list. For example, you can add CN as an attribute name for User Search.
DN to Start Search
Base DN: Enter the starting locations within the LDAP directory for performing user searches; add a base DN or remove one from the list. For each starting point, enter the login name (DN). The search DNs should be as specific as possible for performance reasons. The depth of the search that is performed can be configured. If an Object search is specified, then the DN should be the DN of the node containing the users. For example, CN=bsmuser,CN=users,DC=bsmdsl,DC=bmc,DC=com
Attribute for User Profile Name: The Base DN and the attribute for user profile name are additional search parameters. For example, you can use CN as the attribute for user profile name.
7.11.4 Where to go from here
In Administering (see page 263), see managing users, user groups, and authentication modules.
7.12 Using RSA SecurID for authentication
RSA SecurID provides a two-factor authentication scheme for user authentication. This approach uses a password that has a very short life span, typically one minute. By combining a passcode with a hardware-generated token value, users are authenticated with this short-span password. This method of authentication narrows the opportunity for exploitation by anyone who manages to eavesdrop on the Transport Layer Security (TLS) confidential communications.
Note: After authentication, the combination passcode + token is no longer valid.
To configure the SecurID module (see page 141)
SecurID parameters (see page 142)
To modify the rsa_api.properties file (see page 142)
Where to go from here (see page 143)
7.12.1 To configure the SecurID module
To use SecurID Chain for user authentication, the module must first be configured with information about the RSA Authentication Manager server. This information is contained in the sdconf.rec file. After being configured, SecurID Chain is enabled for authentication use.
1. Copy the sdconf.rec file retrieved from the RSA SecurID server to the BMC Atrium Single Sign-On server at the following location: /BMC Software/BMC Atrium SSO/tomcat/webapps/BMC Atrium SSO/WEB-INF/config/BMC Atrium SSO/auth/ace/data
2. Configure the SecurID module.
   a. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
   b. On the Main tab (default), select a User Profile type.
   Note: The User Profile applies to all authentication methods used for authentication.
   c. In the Realm Authentication panel, click Add for a new authentication method and select the method. Alternatively, if you want to edit an existing module, select the module and click Edit.
   d. Provide the parameters for the method and Save.
   e. Set the flag for the authentication method.
3. (Optional) Edit the rsa_api.properties file for additional configuration.
7.12.2 SecurID parameters
When adding or editing a SecurID module, the following options are available: Save to save your modifications. Reset to remove your modifications and stay on the editor. Help launches a browser that provides you with online help. Cancel to cancel and return to the launch page.
ACE/Server Configuration Path: Specify the full path for the new location of the sdconf.rec file. The configuration path is used to specify the location of the sdconf.rec file used to contact the RSA SecurID server.
7.12.3 To modify the rsa_api.properties file
Additional configuration of the SecurID module communications with the RSA Authentication Manager is available by editing the rsa_api.properties file.
SecurID authentication files and locations
rsa_api.properties: /BMC Software/BMC Atrium SSO/tomcat/webapps/BMC Atrium SSO/WEB-INF/config/BMC Atrium SSO/auth/ace/data. The above location is the default; however, the path is configurable in the SecurID authentication module configuration. installationDirectory is the base configuration directory specified during BMC Atrium Single Sign-On configuration.
sdconf.rec: Located in the same directory as rsa_api.properties (default), but configurable through the rsa_api.properties file.
Node Secret: Located in the same directory as rsa_api.properties (default), but configurable through the rsa_api.properties file.
sdstatus.12: Located in the same directory as rsa_api.properties (default), but configurable through the rsa_api.properties file.
Properties of primary importance (and their default values):
SDCONF_FILE (FILE)
SDCONF_LOC: //auth/ace/data/sdconf.rec
SDSTATUS_TYPE (FILE)
SDSTATUS_LOC: //auth/ace/data/sdstatus
SDNDSCRT_TYPE (FILE)
SDNDSCRT_LOC: //auth/ace/data/secured
RSA_LOG_FILE: //debug/rsa_api.log
RSA_LOG_LEVEL: INFO (other values are OFF, DEBUG, WARN, ERROR, FATAL)
RSA_DEBUG_FILE (used if RSA_ENABLE_DEBUG=YES): //debug/rsa_api_debug.log
7.12.4 Where to go from here
In Administering (see page 263), see managing users, user groups, and authentication modules.
7.13 Using SAMLv2 for authentication
Security Assertion Markup Language (SAML) is an XML-based OASIS standard for exchanging user identity and security attribute information. It uses security tokens containing assertions to pass information about a principal (usually an end user) between an identity provider (IdP) and a web service. SAMLv2 is implemented by grouping a collection of entities to form a Circle of Trust. The Circle of Trust is composed of a Service Provider (SP) and an Identity Provider (IdP). The Identity Provider authenticates the users and provides this information to the Service Provider. The Service Provider hosts services that the user accesses.
Configuring SAMLv2 video (see page )
SAMLv2 configuration options (see page 144)
SAMLv2 implementation (see page 144)
Typical SAMLv2 deployment (see page 145)
Typical SAMLv2 deployment architecture (see page 145)
Related topics (see page 146)
7.13.1 Configuring SAML V2 video
Click the following BMC Atrium Single Sign-On 8.1 SAML V2 configuration video for more information: Watch video on YouTube at http://www.youtube.com/watch?v=ZebEMQuoVhA
7.13.2 SAMLv2 configuration options
BMC Atrium Single Sign-On can be configured to perform as an SP or as an IdP. In addition, the user accounts can be federated in bulk.
Configuring BMC Atrium Single Sign-On as an SP
Configuring BMC Atrium Single Sign-On as an IdP
Federating user accounts in bulk (see page 157)
7.13.3 SAMLv2 implementation
In BMC Atrium Single Sign-On, SAMLv2 is implemented from the Federation panel in the BMC realm.
7.13.4 Typical SAMLv2 deployment
In a typical SAMLv2 deployment scenario, the BMC Atrium Single Sign-On server is configured as an SP for BMC products. The BMC Atrium Single Sign-On SP is then added to a Circle of Trust which includes an IdP. The IdP provides the authentication services for the BMC Atrium Single Sign-On system. In addition, the IdP caches authentication information within the browser. This information allows the IdP to automatically re-authenticate a user without the user re-entering their credentials. For more information about automatic logon behavior, see Logon and logoff issues (see page 316).
Note: The BMC Atrium Single Sign-On SAMLv2 implementation is limited to:
SAML 2.0 browser-based transient Federation and Federated SSO
Browser-based HTTP GET and POST binding mechanisms of the SAML 2.0 protocol
7.13.5 Typical SAMLv2 deployment architecture
The following illustration shows BMC Atrium Single Sign-On configured as an SP. BMC products are integrated with BMC Atrium Single Sign-On which, in turn, hosts the SP for the Circle of Trust. For the IdP, any SAMLv2 IdP can be used. In addition, a second BMC Atrium Single Sign-On server can be configured to host an IdP.
Figure: BMC Atrium Single Sign-On server configured as an SP
7.13.6 Related topics
Troubleshooting SAMLv2
7.13.7 Configuring BMC Atrium Single Sign-On as an SP
In a Circle of Trust, BMC Atrium Single Sign-On is normally configured as a Service Provider (SP) for BMC products. The Circle of Trust is then completed with an Identity Provider (IdP) to provide authentication for the federated single sign-on. The following topics are provided:
Verify that certificates were imported into the truststore (see page 147)
Create a local SP (see page 147)
Create a remote IdP (see page 149)
Modify the JEE agents (see page 150)
Agent Editor (see page 151)
(Optional) Federate your user accounts in bulk (see page 153)
Where to go from here (see page 153)
Verify that certificates were imported into the truststore
Before configuring BMC Atrium Single Sign-On with a Service Provider, verify that all the certificates used for network communication (Transport Layer Security) between the servers that are participating in the Circle of Trust have been imported into the truststore of BMC Atrium Single Sign-On. If you are using signed certificates, import only the root CA certificate. If you are using self-signed certificates, import the public certificates into the truststore. For more information about importing certificates, see Managing keystores with a keytool utility (see page 239) and Importing a certificate into the truststore (see page 243).
Create a local SP
If you are using a second BMC Atrium Single Sign-On server as an IdP, the certificate from that server must be exported from the /tomcat/conf/keystore.p12 file and imported into the cacerts.p12 of the BMC Atrium Single Sign-On server that is providing the SP role.
To create a local SP
1. On the BMC Atrium SSO Admin Console, click Edit BmcRealm.
2. On the Federation tab, click Add.
3. Select Local Service Provider (SP).
4. Provide the local SP information.
5. Click Save.
Local SP parameters
The Local Service Provider (SP) Editor has the following options: Save to save your modifications. Reset to remove your modifications and stay on the editor. Help launches a browser that provides you with online help. Cancel to cancel and return to the launch page.
Name: Name for the SP, or accept the provided SP name. The Name field is pre-populated with a value that reflects the expected SP name.
MetaAlias: The internally generated identifier for the entity. This value is used in the SAMLv2 login URL specified in the agents configuration.
Binding: This option determines the way in which SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and Post are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with Post.
Artifact Encoding: The encoding technique used for Assertion Artifacts. The encoding method is determined by the IdP and is usually related to the binding method. From the drop-down menu, select URI or FORM.
Sign Messages
Signing Certificate Alias: The alias specifies the certificate that will be used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the SP.
Authentication Request, Logout Request, Logout Response, Manager Name ID, Artifact Resolve, and Post Resolve: These parameters are the SAMLv2 messages that are to be signed by the SP or are expected to have been signed by the SP.
Encrypt Elements
Encryption Certificate Alias: The alias specifies the private key that will be used to encrypt the secret key used to encrypt the SAMLv2 messages.
Encryption Algorithm: The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128, or AES-256, from the drop-down menu.
Assertion, Attribute, Name ID: Specifies whether to encrypt the Assertion, Attribute, and Name ID or leave them in plain text.
Assertion Time
Not-Before Skew (seconds): In order to compensate for clock drift between remote machines, this value specifies the amount of time that a message will be considered valid when it is received before the issue time in the message.
Effective Time (seconds): Amount of time that an assertion is valid, counting from the assertion's issue time.
SOAP Basic Authentication: SOAP Basic authentication can be enabled to protect the SOAP SP endpoints. Any provider accessing these endpoints must provide these user name and password values.
Attribute Mapping: Attribute Mapping is used to take user attributes (such as email, phone number, etc.) from the external user store and map them to the attributes used within the BMC Atrium Single Sign-On system. A mapping is defined by entering the name of the SAML Attribute, selecting from the drop-down the Atrium SSO Attribute that the external attribute is going to map to, and clicking Add to put the new mapping into the table.
Auto Federation: Allows BMC Atrium Single Sign-On to use an attribute of the Assertion from the IdP to automatically create an identity within the BMC Atrium Single Sign-On system. The identity is created by bypassing the initial double login normally performed when federating a user account with SAMLv2.
Name ID Format: Defines the name identifier formats supported by the service provider. Name identifiers are a way for providers to communicate with each other regarding a user. The Name ID format list is an ordered list; the first Name ID has the highest priority in determining the Name ID format to use. If the user does not specify a Name ID to use when initiating single sign-on, the first one in this list that is supported by the remote Identity Provider is chosen. A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary and no data will be written to the user's persistent data store. Note: For linking user accounts from the SP and the IdP (Remote Identity Provider) together after logging in, the persistent nameID format must be at the top of the list.
Authentication Context: This attribute maps the SAMLv2-defined authentication context classes to the authentication level set for the user session for the service provider.
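The following is an added example, not BMC's code, that shows how the Not-Before Skew and Effective Time parameters above combine into a single acceptance window for an assertion: a message received up to Not-Before Skew seconds before its IssueInstant is accepted, and one received Effective Time seconds or more after it is rejected as expired. Timestamps in the test are constructed; the function takes both parameters in seconds, as the SP editor does.

```python
"""Added example (not BMC's code): SAMLv2 assertion validity window check."""
from datetime import datetime, timedelta, timezone


def parse_instant(value: str) -> datetime:
    """Parse a SAML timestamp such as 2014-01-16T15:56:00Z into an aware UTC datetime."""
    if value.endswith("Z"):  # older fromisoformat() versions reject the Z suffix
        value = value[:-1] + "+00:00"
    instant = datetime.fromisoformat(value)
    if instant.tzinfo is None:
        raise ValueError("SAML timestamps must carry a time zone")
    return instant.astimezone(timezone.utc)


def validity_window(issue_instant: str, not_before_skew: int, effective_time: int):
    """Return (earliest, latest); the assertion is accepted when earliest <= received < latest."""
    issued = parse_instant(issue_instant)
    return (issued - timedelta(seconds=not_before_skew),
            issued + timedelta(seconds=effective_time))


def assertion_is_valid(issue_instant: str, received_at: str,
                       not_before_skew: int, effective_time: int):
    """Check an assertion's IssueInstant against the time the SP received it.

    not_before_skew: the Not-Before Skew (seconds) tolerated for clock drift.
    effective_time: the Effective Time (seconds) the assertion stays valid.
    Returns (accepted, reason).
    """
    if not_before_skew < 0 or effective_time <= 0:
        raise ValueError("Not-Before Skew must be >= 0 and Effective Time > 0 seconds")
    earliest, latest = validity_window(issue_instant, not_before_skew, effective_time)
    received = parse_instant(received_at)
    if received < earliest:
        # How far ahead of the receiver's clock the issuer's clock appears to be.
        ahead = (earliest - received).total_seconds() + not_before_skew
        return False, (f"issued {ahead:.0f}s in the future; "
                       f"exceeds Not-Before Skew of {not_before_skew}s")
    if received >= latest:
        return False, f"expired: received {effective_time}s or more after IssueInstant"
    return True, "within validity window"


if __name__ == "__main__":
    # Constructed sample: assertion issued 15:56:00Z, received 30 s earlier by a
    # lagging SP clock, with a 60 s skew allowance and a 600 s effective time.
    print(assertion_is_valid("2014-01-16T15:56:00Z", "2014-01-16T15:55:30Z", 60, 600))
```

A skew larger than the clock synchronisation your servers actually achieve widens the replay window for the same assertion, so set it to what NTP drift justifies rather than to a value that makes failures go away.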
Create a remote IdP
1. On the BMC Atrium SSO Admin Console, click Edit BmcRealm.
2. On the Federation panel, click Add.
3. Select Remote Identity Provider (IdP).
4. Before uploading the IdP metadata, you must import a signed certificate into the cot.jks keystore used for SAMLv2 authentication. The cot.jks file is located in the /tomcat directory.
5. Create a name for the remote IdP and upload the IdP metadata on the Create Identity Provider (IdP) pop-up.
Name: Name for the remote IdP.
URL: Select URL to acquire the remote IdP metadata from the URL location. Specify the FQDN of the host, including the port and any required path information. This URL is IdP-specific. For information on the metadata URL, consult the IdP documentation. For information about providing IdP metadata from another Atrium Single Sign-On server, see Providing IdP metadata from another Atrium Single Sign-On server (see page 149).
File Upload: Select File Upload to upload a file that contains the remote IdP metadata.
Providing IdP metadata from another Atrium Single Sign-On server
When using another Atrium Single Sign-On server as an IdP, the following URL template is used to access the metadata needed by the SP (angle brackets mark placeholders):
https://<host>:<port>/atriumsso/saml2/jsp/exportmetadata.jsp?role=idp&realm=BmcRealm&entityid=<entityid>
In this case:
host is the FQDN of the BMC Atrium Single Sign-On server hosting the IdP.
port is the port used for secure communication of the BMC Atrium Single Sign-On server hosting the IdP.
entityid is the name of the IdP hosted by the BMC Atrium Single Sign-On server.
For example: https://idp.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp?role=idp&realm=BmcRealm&entityid=https://id
6. Click Save.
7. On the Federation panel, select the remote IdP.
8. Click Edit.
9. Provide the remote IdP parameters.
10. Click Save.
Remote IdP Editor parameters
The Remote Identity Provider (IdP) Editor has the following options: Save to save your modifications. Reset to remove your modifications and stay on the editor. Help launches a browser that provides you with online help. Cancel to cancel and return to the launch page.
The editor has the following fields:
Name - Name for the IdP, or accept the provided IdP name. The Name field is pre-populated with a value that reflects the expected IdP name.
Binding - This option determines the way in which SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and HTTP-POST are used when a direct connection between the IdP and the SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: an HTTP redirect or an XHTML form submitted with POST.
Sign Messages:
   Signing Certificate Alias - The alias specifies the certificate that is used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the IdP.
   Authentication Request, Logout Request, Logout Response, Manage Name ID Request, Manage Name ID Response, and Artifact Resolve - These parameters are the SAMLv2 messages that are to be signed by the IdP or are expected to have been signed by the SP.
Encrypt Elements:
   Encryption Certificate Alias - The alias specifies the private key that is used to encrypt the secret key that encrypts the SAMLv2 messages.
   Encryption Algorithm - The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128, or AES-256, from the drop-down menu.
   Name ID - Specifies whether to encrypt the Name ID or leave it in plain text.
Modify the JEE agents
As part of configuring BMC Atrium Single Sign-On to host an SP, the JEE agent configuration must be modified to work with SAMLv2 federation.
Note
Each time a BMC product is integrated with the BMC Atrium Single Sign-On SP, the configuration must be modified so that the integrating product can function in the federated SSO.
1. On the BMC Atrium SSO Admin Console, click Agent Details.
2. Select the agents associated with a BMC product integrated with this Atrium Single Sign-On server. For example, [email protected]:8443.
3. Click Edit.
   a. Delete the URLs in the login URI field.
   b. Enter the Federated login URL. For information about the login URL syntax, see Federated log in URL syntax (see page 152).
   c. Delete the URLs in the logout URI field.
   d. Enter the Federated logout URL. For information about the logout URL syntax, see Federated log out URL syntax (see page 152).
   e. Click Save.
The Agent manager provides an Agent panel that allows you to edit, delete, and search for an agent, and that shows the agent name, realm, and state. The state indicates whether the agent is running or is down. When searching for an agent, * returns all of the names; the filter applies to all columns in the agent panel, and an agent is selected for display when the filter string is found within any of these values. This feature allows you to filter the list of agents to the ones running by specifying "Running".
Agent Editor
The Agent Editor allows you to modify the configuration of an agent. By modifying the agent configuration, you can correct problems caused by environment difficulties. For example, a remote host may report its FQDN (Fully Qualified Domain Name) incorrectly, using a plain name such as machine instead of machine.bmc.com. The Agent Editor is launched when you select an agent and click Edit. The Agent Editor has the following options: Save to save your modifications. Reset to remove your modifications and stay on the editor. Help launches a browser that provides you with online help. Cancel to cancel and return to the launch page.
The editor has the following parameters:
Notification URL - The URL where the agent receives notifications from the server about session logouts. It is composed of the product's base URI with "/atsso" concatenated to the end. For example, https://sample.bmc.com/arsys/atsso
Status - Determines whether the agent is enforcing SSO authentication (active) or not (inactive).
Logging Level - The level of logging the agent performs in the product.
Redirect Limit - The number of times that the agent redirects the browser to the server for authentication before signaling an error; 0 means infinite.
Password and Confirm Password - Password used by the agent to access its configuration in the SSO server.
Cookie Name - The name of the cookie that the agent checks for the SSO session token. It should match the cookie name of the server configuration. Note: To ensure browser compatibility, the cookie name should contain only alphanumeric and underscore characters.
Login URI and Logout URI - The login and logout URIs are the locations to which the agent sends users' browsers when the specified function is needed. When an agent is federated, the login and logout URLs for the agent must be modified to interact with the IdP.
Login Probe and Logout Probe - The probe validates that the destination is accessible before sending the user to the location. If it is not, the agent tells the user that the SSO system is inaccessible. The probe should be turned off in environments where the URI cannot be contacted from the agent's environment, such as when the URI contains a host that is to be accessed through a reverse proxy.
Enable Cache - Select this option to enable the session cache. Disabling the cache has a severe performance impact.
Fully Qualified Domain Name Mapping - This FQDN mapping allows the agent to fix the URL used to access the application in order to get the browser to send cookies to the application. The SSO session is identified through cookies. When a URL is not using an FQDN host name, the browser does not know the domain of the server and therefore does not send any cookies to the server.
FQDN of Agent Host - The FQDN entered is the FQDN of the host where the agent is located. Enabling FQDN mapping causes the agent to perform the forwarding from the entered host names to the entered FQDN.
Trigger host list and Trigger Host Name - The hosts that trigger the FQDN redirect. The Trigger host list allows you to remove a host from the list. Trigger Host Name allows you to add a host to the Trigger host list.
Not Enforced URI and URI - The Not Enforced URI field allows you to remove URIs from the Not Enforced URI list. The URI field allows you to add a URI to the Not Enforced URI list.
Federated log in URL syntax
https://<host>:<port>/atriumsso/spssoinit?metaAlias=/BmcRealm/sp&idpEntityID=<entityId>
In this case:
host is the FQDN of the Atrium Single Sign-On server hosting the SP.
port is the port used for secure communication of the Atrium Single Sign-On server hosting the SP.
entityId is the name of the IdP to be used by this SP.

Federated log out URL syntax
https://<host>:<port>/atriumsso/saml2/jsp/spSingleLogoutInit.jsp?idpEntityID=<entityId>&RelayState=

General > Server Information.
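The two URL templates above, filled in and checked by an added example that is not part of the BMC documentation: the idpEntityID is itself a URL and must be percent-encoded inside the query string, and a check_agent_url helper reviews a configured Login URI or Logout URI the way an administrator would before saving the agent. Host names and entity IDs below are constructed placeholders.

```python
"""Build and sanity-check the federated login/logout URLs for a JEE agent.

Added example, not part of the BMC documentation. It fills the two templates
above and percent-encodes the idpEntityID (itself a URL) and the RelayState so
the query string stays well formed, then checks a URL the way a reviewer of the
agent's Login URI / Logout URI fields would. Host names and entity IDs below
are constructed placeholders.
"""
from typing import List
from urllib.parse import parse_qs, urlencode, urlsplit

SP_META_ALIAS = "/BmcRealm/sp"   # metaAlias of the SP hosted in BmcRealm


def federated_login_url(host: str, port: int, idp_entity_id: str) -> str:
    """https://<host>:<port>/atriumsso/spssoinit?metaAlias=/BmcRealm/sp&idpEntityID=<entityId>"""
    # safe="/" keeps the slashes readable; ':' in the entity ID is encoded as %3A
    query = urlencode({"metaAlias": SP_META_ALIAS, "idpEntityID": idp_entity_id}, safe="/")
    return f"https://{host}:{port}/atriumsso/spssoinit?{query}"


def federated_logout_url(host: str, port: int, idp_entity_id: str, relay_state: str) -> str:
    """https://<host>:<port>/atriumsso/saml2/jsp/spSingleLogoutInit.jsp?idpEntityID=<entityId>&RelayState=<url>"""
    query = urlencode({"idpEntityID": idp_entity_id, "RelayState": relay_state}, safe="/")
    return f"https://{host}:{port}/atriumsso/saml2/jsp/spSingleLogoutInit.jsp?{query}"


def query_param(url: str, name: str) -> List[str]:
    """Decoded values of one query parameter (empty list if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [])


def check_agent_url(url: str, sp_host: str, sp_port: int) -> List[str]:
    """Return the problems found in a configured login/logout URL (empty = OK).

    Checks that the URL uses HTTPS, points at the SP's own Atrium SSO host and
    port, lives under /atriumsso/, carries exactly one idpEntityID, and that
    the entity ID is itself an https URL.
    """
    problems: List[str] = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected https")
    if parts.hostname != sp_host or parts.port != sp_port:
        problems.append(f"host is {parts.netloc!r}, expected {sp_host}:{sp_port}")
    if not parts.path.startswith("/atriumsso/"):
        problems.append(f"path {parts.path!r} is not under /atriumsso/")
    entity_ids = query_param(url, "idpEntityID")
    if len(entity_ids) != 1:
        problems.append("idpEntityID is missing or repeated")
    elif urlsplit(entity_ids[0]).scheme != "https":
        problems.append(f"idpEntityID {entity_ids[0]!r} is not an https URL")
    return problems


if __name__ == "__main__":
    # constructed SP and IdP hosts
    login = federated_login_url("sso.example.test", 8443, "https://idp.example.test:8443/atriumsso")
    print(login)
    print(check_agent_url(login, "sso.example.test", 8443))
```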
2. In the AR System Administration: Server Information form, click the Atrium SSO Integration tab.
   [Figure: AR System Administration: Server Information form, Atrium SSO Integration tab]
3. Enter the BMC Atrium Single Sign-On server Location:
   Host Name - The host name of the computer where the BMC Atrium Single Sign-On server is configured. If the AR System server and the BMC Atrium Single Sign-On server are in the same domain, enter the machine name or the machine name with the domain name. Make sure that the BMC Atrium Single Sign-On host name is accessible from the machine where the AR System server is installed. If the AR System server and the BMC Atrium Single Sign-On server are in different domains, a trust relationship between these two domains must be established before configuring the BMC Atrium Single Sign-On server.
   Note
   Use the FQDN for the BMC Atrium Single Sign-On server host name, not simply the host name.
   Port number - The port on which the BMC Atrium Single Sign-On server is configured (typically 8443).
   Protocol - (optional parameter) The default value for this parameter is https. However, this field can also be set to http. For example: https://<host>:<port>/atriumsso, such as https://ssoServer.bmc.com:8443/atriumsso
4. Enter the Atrium Single Sign-On Admin User. The BMC Atrium Single Sign-On administrator name, by default, is amadmin.
5. Enter the Atrium Single Sign-On Admin Password.
6. (Optional) Enter the Atrium Single Sign-On Keystore Path. The keystore file location is where the BMC Atrium Single Sign-On keystore is saved. This path includes the keystore file name. Enter this value only if you have configured a keystore. This field is not mandatory and you can define it later.
7. (Optional) Enter the Atrium Single Sign-On Keystore Password. Enter this value only if you specify the Keystore path.
8. Click Apply.
For more information on a full single sign-on solution that includes BMC Atrium, see the Knowledge Base article KA286851. You must have a BMC customer support account to access this information.
The example is not a supported product and there is no implied support if you use it.
Where to go from here Manually configuring mid tier for BMC Atrium Single Sign-On user authentication (see page 176)
9.1.4 Manually configuring mid tier for BMC Atrium Single Sign-On user authentication
For the mid tier to communicate with the BMC Atrium Single Sign-On server for user authentication, follow the steps below to manually configure the mid tier.
Note
Perform the steps in this section only if you did not select the Configuration of Atrium Single Sign-On option during the AR System server installation or during the stand-alone installation of the mid tier. BMC recommends that you do not install BMC Atrium Single Sign-On and BMC Remedy Mid Tier on the same computer. BMC Atrium Single Sign-On and BMC Remedy Mid Tier must use different Tomcat instances, because if the mid tier computer needs to be restarted, BMC Atrium Single Sign-On will be down during the restart and all the other applications will be unavailable.
To manually configure the Mid Tier for BMC Atrium Single Sign-On user authentication
1. Go to the computer where you installed the Mid Tier.
2. Stop the mid tier service, if it is already running.
3. Copy all the jar files from the <midtier_install_dir>\webagent\dist\jee\WEB-INF\lib directory to the <midtier_install_dir>\WEB-INF\lib directory. For example, copy all the jar files from C:\Program Files\BMC Software\ARSystem\midtier\webagent\dist\jee\WEB-INF\lib to C:\Program Files\BMC Software\ARSystem\midtier\WEB-INF\lib.
4. Go to the <midtier_install_dir>\WEB-INF directory and open the web.xml file in an editor.
5. Uncomment the <filter> and <filter-mapping> tags for the Atrium Single Sign-On filter. These tags should look like the following:
   <filter>
      <filter-name>Agent</filter-name>
      <filter-class>com.bmc.atrium.sso.agents.web.SSOFilter</filter-class>
   </filter>
   <filter-mapping>
      <filter-name>Agent</filter-name>
      <url-pattern>/*</url-pattern>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>INCLUDE</dispatcher>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>ERROR</dispatcher>
   </filter-mapping>
   Make sure that you save your changes to the web.xml file.
6. Go to the <midtier_install_dir>\WEB-INF\classes directory (for example, C:\Program Files\BMC Software\ARSystem\midtier\WEB-INF\classes) and open the config.properties file in an editor.
7. Add an attribute in the config.properties file. To do this, comment out the DefaultAuthenticator line (arsystem.authenticator=com.remedy.arsys.session.DefaultAuthenticator) and add the following line for the Atrium Single Sign-On Authenticator:
   arsystem.authenticator=com.remedy.arsys.sso.AtriumSSOAuthenticator
   Make sure that you save your changes to the config.properties file.
8. Go to the computer where you installed the AR System server and open the ar.cfg (Microsoft Windows) or ar.conf (UNIX or Linux) file in an editor. The default location for Windows is C:\Program Files\BMC Software\ARSystem\Conf.
9. Add the following SSO AREA plug-in entries to the ar.cfg file:
   Plugin (UNIX): areaatriumsso.so
   Plugin (Windows): areaatriumsso.dll. For example: Plugin: areaatriumsso.dll
   Server-Plugin-Alias: ARSYS.AREA.ATRIUMSSO ARSYS.AREA.ATRIUMSSO <FQDN of AR System server name>:<PluginPort>. For example: Server-Plugin-Alias: ARSYS.AREA.ATRIUMSSO ARSYS.AREA.ATRIUMSSO arSystemServer.bmc.com:9999
   Make sure that the SSO entries are listed first; otherwise they are not used by the AR System server.
   Plugin: areaatriumsso.dll
   Plugin: ardbcconf.dll
   Plugin: reportplugin.dll
   Plugin: ServerAdmin.dll
   Server-Plugin-Alias: ARSYS.AREA.ATRIUMSSO ARSYS.AREA.ATRIUMSSO xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ARF.REGISTRY ARSYS.ARF.REGISTRY xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ARDBC.REGISTRY ARSYS.ARDBC.REGISTRY xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ARDBC.ARREPORTENGINE ARSYS.ARDBC.ARREPORTENGINE xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ARF.QUERYPARSER ARSYS.ARF.QUERYPARSER xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ALRT.WEBSERVICE ARSYS.ALRT.WEBSERVICE xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ARF.PARSEPARAMETERS ARSYS.ARF.PARSEPARAMETERS xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ARF.PUBLISHREPORT ARSYS.ARF.PUBLISHREPORT xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ARF.REPORTSCHEDULER ARSYS.ARF.REPORTSCHEDULER xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ARF.RSAKEYPAIRGENERATOR ARSYS.ARF.RSAKEYPAIRGENERATOR xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ALRT.TWITTER ARSYS.ALRT.TWITTER xyz-abc-x28-vm1.dsl.bmc.com:9999
   Server-Plugin-Alias: ARSYS.ARF.TWITTER ARSYS.ARF.TWITTER xyz-abc-x28-vm1.dsl.bmc.com:9999
10. Save your changes to the ar.cfg or ar.conf file.
11. Go back to the computer where you installed the Mid Tier.
12. Copy the cacerts file from the JDK installed location to the Tomcat conf folder. For example, copy cacerts from C:\Program Files\Java\jdk1.7.0_03\jre\lib\security to C:\Program Files\Apache Software Foundation\Tomcat6.0\conf.
13. If your Mid Tier installation does not already include the not-enforced.txt file, save the attached file to the Mid Tier folder. For example, right-click the link, and then select Save link as, saving to the C:\Program Files\BMC Software\ARSystem\midtier folder. A typical not-enforced.txt file contains the URIs listed below. URIs listed in this file are not protected by the agent. The file's contents are uploaded into the BMC Atrium Single Sign-On server to become part of the Agent configuration. When you later finish the integration, this file is no longer used or needed. If you must update the agent configuration, access Agent Details on the BMC Atrium SSO Admin Console to modify the Not Enforced URI Processing values.
   /arsys/services/*
   /arsys/WSDL/*
   /arsys/shared/config/*
   /arsys/shared/doc/*
   /arsys/shared/images/*
   /arsys/shared/timer/*
   /arsys/shared/ar_url_encoder.jsp
   /arsys/shared/error.jsp
   /arsys/shared/file_not_found.jsp
   /arsys/shared/HTTPPost.class
   /arsys/shared/login.jsp
   /arsys/shared/login_common.jsp
   /arsys/shared/view_form.jsp
   /arsys/shared/logout.jsp
   /arsys/shared/wait.jsp
   /arsys/servlet/ConfigServlet
   /arsys/servlet/GoatConfigServlet
   /arsys/plugins/*
14. Execute the deployer script to deploy the WebAgent. To do this, run the following script from the command line in the deployer directory (webagent\deployer):
   java -jar deployer.jar --install --container-type <TOMCATversion> --atrium-sso-url <AtriumSSOURL>:<port>/atriumsso --web-app-url <MidtierSSOURL>:<port>/arsys --container-base-dir <AppServerHome> --admin-name <AtriumServerAdminUsername> --admin-pwd <AtriumServerAdminPassword> --jvm-truststore "<JavaHome>\jre\lib\security\cacerts" --jvm-truststore-password <TruststorePassword> --truststore "<AppServerHome>\conf\cacerts" --truststore-password <TruststorePassword> --not-enforced-uri-file "<midTierPath>\not-enforced.txt" --web-app-logout-uri /shared/loggedout.jsp
   For example,
   java -jar deployer.jar --install --container-type tomcatv6 --atrium-sso-url https://ssoServer.bmc.com:8443/atriumsso --web-app-url http://midTierServer:8080/arsys --container-base-dir "c:\Program Files\Apache Software Foundation\Tomcat6.0" --admin-name amadmin --admin-pwd Let$in09 --jvm-truststore "c:\Program Files\Java\jdk1.7.0_03\jre\lib\security\cacerts" --jvm-truststore-password changeit --truststore "c:\Program Files\Apache Software Foundation\Tomcat6.0\conf\cacerts" --truststore-password changeit --not-enforced-uri-file "C:\Program Files\BMC Software\ARSystem\midtier\not-enforced.txt" --web-app-logout-uri /shared/loggedout.jsp
15. Make sure that the deployer script finishes execution successfully.
   Tip
   If the deployer script fails:
   a. Delete the /atssoAgents folder (for example, C:\Program Files\Apache Software Foundation\Tomcat6.0\atssoAgents).
   b. Delete the agent if it exists in Agent Details on the BMC Atrium SSO Admin Console.
   c. Re-run the deployer script after you have fixed the problem (for example, added additional parameters).
16. Start the mid tier service.
By default, this plug-in is configured to work with the native plug-in server (C plug-in). You can also use this plug-in directly with the Java plug-in server. For more information on the configuration settings, see Using the Java plug-in server for dynamic plug-in loading in the BMC Remedy AR System 8.1 online documentation.
Note
If the container is not using HTTPS, the truststore and truststore-password parameters can be omitted. For example:
   java -jar deployer.jar --install --container-type tomcatv6 --atrium-sso-url https://ssoServer.bmc.com:8443/atriumsso --web-app-url http://midTierServer:8080/arsys --container-base-dir "C:\Program Files\Apache Software Foundation\Tomcat6.0" --admin-name amAdmin --admin-pwd bmcAdm1n --jvm-truststore "C:\Program Files\Java\jre6\lib\security\cacerts" --jvm-truststore-password changeit --not-enforced-uri-file "C:\Program Files\BMC Software\ARSystem\midtier\not-enforced.txt" --web-app-logout-uri /shared/loggedout.jsp
If the --web-app-logout-uri parameter is not specified, you can specify the parameter value in Agent Details on the BMC Atrium SSO Admin Console:
1. On the BMC Atrium SSO Admin Console, click Agent Details.
2. Select the agent and click Edit.
3. In the Logout Processing section, replace the default value with /arsys/shared/loggedout.jsp.
When you are using a load balancer or reverse proxy, you must add the --web-app-url and --notify-url URLs. In this case, the --web-app-url URL must be the load balancer URL and the --notify-url must be the mid tier URL. For example:
   java -jar deployer.jar --install --container-type tomcatv6 --atrium-sso-url https://ssoServer.bmc.com:8443/atriumsso --web-app-url http://loadbalancerURL:8080/arsys --container-base-dir "C:\Program Files\Apache Software Foundation\Tomcat6.0" --admin-name amAdmin --admin-pwd bmcAdm1n --jvm-truststore "C:\Program Files\Java\jre6\lib\security\cacerts" --jvm-truststore-password changeit --not-enforced-uri-file "C:\Program Files\BMC Software\ARSystem\midtier\not-enforced.txt" --web-app-logout-uri /shared/loggedout.jsp
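Two points in the procedure above are easy to get wrong and worth checking before the deployer runs: step 9 requires the SSO AREA plug-in entries to be listed first in ar.cfg or ar.conf, and every URI in the step 13 not-enforced.txt file is served without SSO. The following added example (not BMC's code) checks both; the prefix-match rule it assumes for a trailing * and the sample configuration excerpts are constructed for the example.

```python
"""Pre-flight checks for the Mid Tier / AR System SSO integration above.

Added example, not part of the BMC documentation. It covers two points of the
procedure: step 9 (the SSO AREA plug-in must be the first Plugin and the first
Server-Plugin-Alias entry in ar.cfg or ar.conf) and step 13 (every URI in
not-enforced.txt bypasses the agent, so the list deserves a review before it
is uploaded into the agent configuration). The matching rule for '*' (prefix
match) is an assumption made here; the config excerpts are constructed.
"""
from typing import Dict, List

SSO_PLUGIN_PREFIX = "areaatriumsso"     # areaatriumsso.dll or areaatriumsso.so
SSO_ALIAS = "ARSYS.AREA.ATRIUMSSO"


def check_sso_plugin_first(ar_cfg: str) -> Dict[str, bool]:
    """Report whether the SSO plug-in leads both ordered entry lists."""
    plugins: List[str] = []
    aliases: List[str] = []
    for raw in ar_cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")   # host:port stays inside value
        key = key.strip()
        if key == "Plugin":
            plugins.append(value.strip())
        elif key == "Server-Plugin-Alias":
            tokens = value.split()             # "<alias> <alias> <host>:<port>"
            aliases.append(tokens[0] if tokens else "")
    return {
        "plugin_first": bool(plugins) and plugins[0].startswith(SSO_PLUGIN_PREFIX),
        "alias_first": bool(aliases) and aliases[0] == SSO_ALIAS,
    }


def parse_not_enforced(text: str) -> List[str]:
    """One URI pattern per non-empty line; '#' lines are treated as comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def is_not_enforced(uri: str, patterns: List[str]) -> bool:
    """True if a request for uri would pass the agent without SSO.

    Assumed rule: exact match, or prefix match when the pattern ends in '*'.
    The query string is ignored for matching.
    """
    path = uri.split("?", 1)[0]
    for pat in patterns:
        if pat.endswith("*"):
            if path.startswith(pat[:-1]):
                return True
        elif path == pat:
            return True
    return False


def unprotected(uris: List[str], patterns: List[str]) -> List[str]:
    """The subset of uris that the agent would not protect."""
    return [u for u in uris if is_not_enforced(u, patterns)]


# Constructed ar.cfg excerpts: the first has the SSO entries behind another
# plug-in (the misordering step 9 warns about), the second is correctly ordered.
BAD_AR_CFG = """\
Plugin: ardbcconf.dll
Plugin: areaatriumsso.dll
Server-Plugin-Alias: ARSYS.ARF.REGISTRY ARSYS.ARF.REGISTRY ar.example.test:9999
Server-Plugin-Alias: ARSYS.AREA.ATRIUMSSO ARSYS.AREA.ATRIUMSSO ar.example.test:9999
"""
GOOD_AR_CFG = """\
Plugin: areaatriumsso.dll
Plugin: ardbcconf.dll
Server-Plugin-Alias: ARSYS.AREA.ATRIUMSSO ARSYS.AREA.ATRIUMSSO ar.example.test:9999
Server-Plugin-Alias: ARSYS.ARF.REGISTRY ARSYS.ARF.REGISTRY ar.example.test:9999
"""

# A few entries taken from the not-enforced.txt listing in step 13.
NOT_ENFORCED_TXT = """\
/arsys/services/*
/arsys/shared/config/*
/arsys/shared/login.jsp
/arsys/plugins/*
"""

if __name__ == "__main__":
    print(check_sso_plugin_first(BAD_AR_CFG), check_sso_plugin_first(GOOD_AR_CFG))
    pats = parse_not_enforced(NOT_ENFORCED_TXT)
    print(unprotected(["/arsys/shared/config/config.jsp", "/arsys/home"], pats))
```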
For more information about containers, agents, and deployer commands, see:
Container types, containers, and agents
Deployer commands for various JSP engines
Where to go from here Configuring the BMC Atrium Single Sign-On server for AR System integration (see page 183)
Container types, containers, and agents The --container-type parameter specifies not only the type of the container in which the agent is being embedded, but also the type of web agent being used for integration. The TOMCAT and WEBSPHERE types are used exclusively for the original Web Agent. All of the remaining types ( GENERIC, TOMCATV6, and so on) are used exclusively to deploy the newer JEE Filter agent. Make sure that you use the correct type for the agent.
Container type   Agent       Container
TOMCAT           Web Agent   Apache Tomcat v6
WEBSPHERE        Web Agent   IBM WebSphere v6, IBM WebSphere v7
GENERIC          JEE Agent   Any
JBOSSV4          JEE Agent   RedHat JBoss v4
JBOSSV5          JEE Agent   RedHat JBoss v5
SERVLETEXECV5    JEE Agent   New Atlanta ServletExec AS v5
SERVLETEXECV6    JEE Agent   New Atlanta ServletExec AS v6
TOMCATV5         JEE Agent   Apache Tomcat v5
TOMCATV6         JEE Agent   Apache Tomcat v6
WEBSPHEREV6      JEE Agent   IBM WebSphere v6
WEBSPHEREV7      JEE Agent   IBM WebSphere v7
WEBLOGICV10      JEE Agent   Oracle WebLogic v10
Deployer commands for various JSP engines
The deployer command changes with the JSP engine (container). The following examples show how the deployer command changes when the following containers are used:
Apache Tomcat (see page 182)
Red Hat JBoss (see page 182)
Oracle WebLogic (see page 183)
IBM WebSphere (see page 183)
Apache Tomcat
java -jar deployer.jar --install --container-type -TOMCATversion --atrium-sso-url AtriumSSOURL<
Note Do not use tomcat for --container-type; use tomcatv6 instead.
Red Hat JBoss
"/opt/java1.5/jre/bin/java" -jar deployer.jar --install --container-type JBOSSV4 --atrium-sso-u
Oracle WebLogic
"/usr/jdk/instances/jdk1.6.0/bin/java" -jar deployer.jar --install --container-type WEBLOGICV10
IBM WebSphere
"/usr/java5/bin/java" -jar deployer.jar --uninstall --force --container-type WEBSPHEREV7 --atri
9.1.5 Configuring the BMC Atrium Single Sign-On server for AR System integration
The Action Request (AR) authentication module allows BMC Atrium Single Sign-On to use the user accounts within a BMC Remedy AR System server for authentication. This module is normally used in conjunction with the AR Data Store to retrieve group information and other user attributes from the AR System server.
Configure the AR module for AR System
Configure AR user stores for AR System
Managing the AR System users and groups
When you enable authentication chaining mode, all authentication methods in the chain are attempted in the specified order until either the authentication succeeds or all the methods in the chain fail.
Note
If you plan to use an authentication method other than or in addition to the AR module, see the applicable authentication method in Configuring after installation. For example, Using Kerberos for authentication (see page 132) or Using SAMLv2 for authentication.
Configure the AR module for AR System
1. On the SSO Server, navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to launch the BMC Atrium SSO Admin Console and log on.
2. Click Edit BMC Realm to open the Realm Editor.
3. Set User Profile to Dynamic.
4. On the Realm Authentication panel, click Add.
5. Click AR.
   a. Enter the AR parameters.
   b. Click Save.
6. On the Realm Authentication panel, set the process order of the authentication chain:
   a. For the AR module, under Flag, select Sufficient.
   b. Select the AR module.
   c. Click Up so that AR is first in the list.
   d. Set Internal LDAP to Optional.
Sufficient means that, with multiple authentication modules, if you are successfully authenticated with the first module, the remaining modules are skipped. But if the login fails, authentication moves to the next module in the chain. Setting AR to Sufficient and placing it as the first module in the list means that if you are authenticated with the AR System server, you are successfully authenticated by BMC Atrium Single Sign-On and you proceed to the Mid Tier.
Note
With Single Sign-On, you want to trigger authentication providers in the right order. The order is: Required > Requisite > Sufficient > Optional. If you set both realms to Required, then you would need both authentications to establish the session. For more information on creating an authentication chain, see the Realm Authentication panel described in Realm Editor.
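The chain flags are easier to reason about when run over concrete outcomes. This added example (not BMC's code) evaluates a chain with the JAAS-style semantics that OpenAM implements, using the page's own configuration (AR as Sufficient in first position, Internal LDAP as Optional) and the both-Required variant the note mentions; module results are a constructed dict, and no server is contacted.

```python
"""Evaluate an OpenAM-style authentication chain.

Added example, not part of the BMC documentation. It models the chain flag
semantics described above (Required, Requisite, Sufficient, Optional) for the
page's own configuration: AR set to Sufficient and placed first, Internal LDAP
set to Optional. Module outcomes are supplied as a constructed dict; no server
is contacted.
"""
from typing import Dict, List, Tuple

Chain = List[Tuple[str, str]]  # [(module name, flag), ...] in process order

# The chain the procedure above builds (step 6).
PAGE_CHAIN: Chain = [("AR", "Sufficient"), ("Internal LDAP", "Optional")]


def evaluate_chain(chain: Chain, results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Return (session established?, modules that were actually invoked).

    Flag semantics (JAAS-style, which is what OpenAM implements):
      Required   - must succeed; on failure the chain still runs to the end,
                   but the overall result is failure.
      Requisite  - must succeed; on failure the chain stops immediately.
      Sufficient - success ends the chain at once; the session is established
                   unless an earlier Required/Requisite module already failed.
                   Failure just moves on to the next module.
      Optional   - its result only matters when the chain has no Required or
                   Requisite module; then at least one Sufficient or Optional
                   module must succeed.
    """
    invoked: List[str] = []
    has_required = False
    required_failed = False
    optional_ok = False           # some Optional module succeeded

    for module, flag in chain:
        invoked.append(module)
        ok = results.get(module, False)   # an unknown module counts as failed
        flag = flag.lower()
        if flag in ("required", "requisite"):
            has_required = True
            if not ok:
                required_failed = True
                if flag == "requisite":
                    break                 # Requisite failure ends the chain now
        elif flag == "sufficient":
            if ok:
                # control returns immediately; only earlier Required/Requisite
                # modules need to have succeeded
                return (not required_failed), invoked
        elif flag == "optional":
            optional_ok = optional_ok or ok
        else:
            raise ValueError(f"unknown chain flag: {flag!r}")

    if has_required:
        return (not required_failed), invoked
    return optional_ok, invoked


if __name__ == "__main__":
    # AR accepts the credentials: LDAP is never consulted.
    print(evaluate_chain(PAGE_CHAIN, {"AR": True, "Internal LDAP": False}))
    # AR rejects them, the internal LDAP user exists: session still established.
    print(evaluate_chain(PAGE_CHAIN, {"AR": False, "Internal LDAP": True}))
```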
AR parameters
Server Host Name - (Required) Provide the Fully Qualified Domain Name (FQDN) for the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer).
Server Port Number - (Required) The AR Server port number is the port on which the AR System server is listening. Note: Enter a value of 0 if the AR System server is using port mapping.
Default Authentication String - This string is only used when the AR module is placed downstream in a chain from another authentication module that prompts the user only for a name and password. In this situation, the value of this parameter is used to authenticate the user by re-using the credentials provided by the user along with this authentication string.
Allow AR Guests - If enabled, allows unknown or invalid users to authenticate to the AR System server as guests.
Note
When using SAMLv2 for authentication, you must not use AR user stores. Although the AR authentication module should be configured, the AR data store is not needed for authentication in a SAMLv2 deployment.
Configure AR user stores for AR System
1. On the User Stores panel, click Add.
2. Select AR User Store.
3. Enter the AR User Store parameters.
4. Click Save.
AR User Store parameters
AR Server section:
   Name - Label for the AR user store.
   Host Name - (Required) Provide the Fully Qualified Domain Name (FQDN) for the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer). Replace the default value (sample.bmc.com) with the host name of your server (for example, yourServer.bmc.com).
   Port - (Required) Default: 0. Provide the port number where the AR Server is listening. The value 0 is used when the AR Server is using port mapping.
Administrative Access section:
   Name - (Required) Provide the user name of an AR Server user store account that has AR System Administrator privileges. Empty or blank passwords for this internal user are not supported with a new user store.
   Authentication - Provide the authentication string that is needed when the Administrator account is used to connect with the AR System server.
   Password and Confirm Password - Password for the AR System administrative user of the AR Server user store account (for example, admin).
Connection Pool section:
   Linger Time (seconds) - (Required) Default: 60. Linger Time is the amount of time (in milliseconds) that a connection is allowed to remain unused in the pool before being closed.
   Pool size - (Required) Default: 10. The Pool Size is the maximum number of connections the data store uses to service data requests for the AR System server.
Managing the AR System users and groups
BMC Atrium Single Sign-On provides basic user and group management features with the internal LDAP server. These features allow an administrator to manage users, groups, and group memberships.
Note
When you configure the AR User Store for the AR System, all your AR System users and groups are already listed.
From the User page, the administrator can create, delete, and manage group memberships. BMC products can use the group membership capabilities of the BMC Atrium Single Sign-On system to provide authorization and authentication of users. If a BMC product does not use the group memberships of the BMC Atrium Single Sign-On system, that product's documentation must be consulted to determine the mapping of groups to privileges.
This section covers:
To access the User page
To add a new user
To access the Group page
To create a new group

To access the User page
Navigate to the following location:
1. Open the Realm Editor.
2. Click the Users tab.
New users can only be created when you are using the internal LDAP server for authentication. If an external source is used for authentication, new users must be created within that external system.
Note
If special characters, such as a comma ( , ), semicolon ( ; ), or plus sign ( + ), are used in the user ID, a backslash ( \ ) must precede the special character. For example, Baldwin\,bob.
When creating a new user, each field that is marked with an asterisk is a required field.
To add a new user
1. In the Realm Editor, click the Users tab. Current AR System users created in your AR System server are already listed.
2. Click Add to open the User Editor.
3. In the User Id field, enter a unique identifier for the new user. This value is used as the user ID when the user logs in.
4. Specify the user's status. The default is Active.
5. Add the name attributes. The name attributes (First Name, Full Name, and Last Name) can be provided to BMC products to help identify user accounts by using terms that are more user-friendly. The actual use of these attributes, though, depends on the BMC product. You must assign an initial password of at least 8 characters when creating the account. After the password is created, the user can log in to BMC Atrium Single Sign-On and update the password and their personal information through the following URL: https://FQDNHostName:port/BMC Atrium SSO?realm=BmcRealm
6. Click the Groups tab.
7. From the list of available groups, add the user to group membership (for example, BmcAdmins).
8. Click Save.
To access the Group page
BMC Atrium Single Sign-On provides predefined groups to help with the Administrator privileges that some BMC products might require. For example, the BmcSearchAdmin group provides privileges that allow a user to connect to the server to perform identity searches.
Note
Care should be exercised when assigning the BmcSearchAdmin group, because these elevated privileges allow greater access to BMC Atrium Single Sign-On than is normally allowed.
Navigate to the following location:
1. Open the Realm Editor.
2. Click the Groups tab.

To create a new group
Normally, BMC products install the groups that they need managed into BMC Atrium Single Sign-On as part of their installation. However, a situation might arise in which a group needs to be created or re-created.
1. In the Realm Editor, click the Groups tab. Current AR System groups created in your AR System server are already listed.
2. Click Add to open the Group Editor.
3. Enter a new, unique name for the group.
4. Add available users to the new group.
5. Click Save.
Related topics Using SAMLv2 for authentication Using Kerberos for authentication (see page 132) Using CAC for authentication
Using LDAP (Active Directory) for authentication
Using RSA SecurID for authentication
Where to go from here
Running a health check on the BMC Atrium Single Sign-On integration
9.1.6 Running a health check on the BMC Atrium Single Sign-On integration
After you finish all these procedures, run a health check of your integration of BMC Atrium Single Sign-On with BMC Remedy AR System.
To run a health check on the BMC Atrium Single Sign-On integration
1. On the Mid Tier computer, log in to the BMC Remedy Mid Tier Configuration Tool. The default path is http://midTierServer.FQDN:8080/arsys/shared/config/config.jsp. For example: http://vw-pune-bmc-dv88.labs.bmc.com:8080/arsys/shared/config/config.jsp
Tip Clear the cache on your browser if you see redirect errors.
If your integration is successful (for example, by using the not_enforced.txt file during the agent deployment), you should see the normal Mid Tier configuration logon, not the BMC Atrium SSO logon screen.
2. Log on to the AR System server. For example: http://vw-pune-bmc-dv88.labs.bmc.com:8080/arsys
The request is redirected to the BMC Atrium Single Sign-On server, and the BMC Atrium SSO logon screen appears.
3. Enter the User Name and Password of an AR System user and then click Log In. Demo is the AR System default logon (without any password). If BMC Atrium Single Sign-On is properly integrated and configured, the Applications startup page appears.
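The same two checks as a script, added here as an example and not BMC's own code: it requests the two Mid Tier URLs named above with redirects disabled and classifies each answer. A healthy integration answers config.jsp directly (it is not enforced by the web agent) and redirects /arsys to the Atrium SSO server. The host names, ports and the "/atriumsso" login path prefix are assumptions for the example.

```python
"""Scripted Atrium SSO / Mid Tier health check (added example, not BMC code)."""
import ssl
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

REDIRECT_CODES = (301, 302, 303, 307, 308)

# What a healthy integration looks like for each page the procedure checks.
EXPECTED = {"config.jsp": "direct", "arsys": "sso-redirect"}


def classify(status: int, location: Optional[str], sso_host: str) -> str:
    """Classify one answer as 'direct', 'sso-redirect', 'other-redirect' or 'error-<code>'."""
    if status in REDIRECT_CODES and location:
        target = urlparse(location)
        # Assumption: the SSO login pages live under /atriumsso on the SSO host.
        if target.hostname == sso_host.lower() and target.path.startswith("/atriumsso"):
            return "sso-redirect"
        return "other-redirect"
    if 200 <= status < 300:
        return "direct"
    return f"error-{status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx answers instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, cafile: Optional[str] = None, timeout: float = 10.0) -> Tuple[int, Optional[str]]:
    """GET url without following redirects; return (status, Location header or None).

    cafile is the CA bundle that signed the SSO server certificate, so TLS
    verification stays on; None uses the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # 3xx answers land here because redirects are not followed; so do 4xx/5xx.
        return err.code, err.headers.get("Location")


def health_check(mid_tier_base: str, sso_host: str, cafile: Optional[str] = None) -> Dict[str, str]:
    """Return {'config.jsp': <class>, 'arsys': <class>} for a Mid Tier base URL."""
    base = mid_tier_base.rstrip("/")
    return {
        "config.jsp": classify(*fetch(f"{base}/arsys/shared/config/config.jsp", cafile), sso_host),
        "arsys": classify(*fetch(f"{base}/arsys", cafile), sso_host),
    }


def is_healthy(results: Dict[str, str]) -> bool:
    """True when every checked page behaves as EXPECTED."""
    return all(results.get(page) == outcome for page, outcome in EXPECTED.items())


if __name__ == "__main__":
    import sys

    # Constructed placeholders: replace with your Mid Tier URL and SSO host name.
    res = health_check("http://midtier.example.com:8080", "sso.example.com")
    for page, outcome in res.items():
        print(f"{page}: {outcome}")
    sys.exit(0 if is_healthy(res) else 1)
```

A non-zero exit means at least one page did not behave as the procedure expects, for example config.jsp being redirected to the SSO logon (see the Tip above about clearing the browser cache if the browser shows redirect errors).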
9.2 Integrating BMC Dashboards for BSM
If you plan to use BMC Atrium Single Sign-On as your method of authentication, you must install and configure the BMC Atrium Single Sign-On server before installing BMC Dashboards for Business Service Management (BSM). Also, ensure that any users that you want to use in BMC Dashboards for BSM exist in the BMC Atrium Single Sign-On server.
9.2.1 Before you begin
Install the BMC Atrium Single Sign-On server and configure it with an authentication method before installing BMC Dashboards for BSM.
Ensure that the BMC Dashboards for BSM administrator and any users that you want to use in BMC Dashboards for BSM exist in the BMC Atrium Single Sign-On server. See Managing users (see page 264) and Managing user groups (see page 268).
Note For BMC Dashboards for BSM version 7.7.00 and higher, instead of re-installing, you can run the installer again to set the BMC Atrium Single Sign-On parameters.
9.2.2 To integrate BMC Dashboards for BSM
When executing the BMC Dashboards for BSM installer, select the BMC Atrium Single Sign-On Authentication method and provide the following information (field: description):
Fully Qualified Host Name: Fully qualified host name of the BMC Atrium Single Sign-On server.
HTTPS Port Number: HTTPS port number used by the BMC Atrium Single Sign-On server.
Administrator Name and Password: User name and password for the BMC Atrium Single Sign-On server administrator.
BMC Dashboards administrator Name and Password: User name and password of the BMC Dashboards for BSM administrator user. This user must exist in BMC Atrium Single Sign-On.
9.3 Integrating BMC Analytics for BSM
If you plan to use BMC Atrium Single Sign-On as your method of authentication, you must install and configure the BMC Atrium Single Sign-On server before installing BMC Analytics for Business Service Management (BSM). Also, ensure that any users that you want to use in BMC Analytics for BSM exist in the BMC Atrium Single Sign-On server.
BMC Analytics for BSM is compatible with Apache Tomcat or Microsoft IIS. If you are using BMC Atrium Single Sign-On with BMC Analytics for BSM, only Apache Tomcat is supported. Also, when you install using BMC Atrium Single Sign-On, a new Apache Tomcat service is installed. If you plan to use BMC Analytics for BSM with Apache Tomcat, you should install a new Tomcat during the SAP BusinessObjects installation instead of using an existing Tomcat. If you have an existing Tomcat installation, provide different port numbers.
Before you begin (see page 199)
To integrate BMC Analytics for BSM (see page 200)
9.3.1 Before you begin
Install and configure the BMC Atrium Single Sign-On server before installing BMC Analytics for BSM.
Ensure that any users that you want to use in BMC Analytics for BSM exist in the BMC Atrium Single Sign-On server. See Managing users (see page 264) and Managing user groups (see page 268).
Ensure that your SAP BusinessObjects Enterprise XI host is part of the DNS domain or subdomain of the BMC Atrium Single Sign-On server host.
Ensure that BMC Analytics for BSM is installed with Apache Tomcat. A new Apache Tomcat should be installed during the SAP BusinessObjects installation instead of using an existing Tomcat. If you have an existing Tomcat installation, provide different port numbers.
Note For BMC Analytics for BSM version 7.6.06 and higher, instead of re-installing, you can run the installer again to set the BMC Atrium Single Sign-On parameters.
9.3.2 To integrate BMC Analytics for BSM
When executing the BMC Analytics for BSM installer, select BMC Atrium Single Sign-On and provide the following information (field: description):
Fully Qualified Host Name: Fully qualified host name of the BMC Atrium Single Sign-On server.
HTTPS Port Number: HTTPS port number used by the BMC Atrium Single Sign-On server.
Administrator Name: User name for the BMC Atrium Single Sign-On server administrator.
Administrator Password: Password for the BMC Atrium Single Sign-On server administrator.
9.4 Integrating BMC ProactiveNet
BMC ProactiveNet 9.0.00 uses the BMC Atrium Single Sign-On authentication system to provide single sign-on and single sign-off. BMC Atrium Single Sign-On allows users to present credentials only once for authentication and subsequently be automatically authenticated by every BMC product that is integrated into the system. Users, user groups, and privileges defined in BMC Atrium Single Sign-On are used for BMC ProactiveNet group mapping. See Managing users (see page 264) and Managing user groups (see page 268).
9.4.1 Before you begin
BMC Atrium Single Sign-On must be installed and configured before installing BMC ProactiveNet.
Ensure that the BMC ProactiveNet users and user groups are created in BMC Atrium Single Sign-On. See To define users and groups (see page 202).
Ensure that the BMC ProactiveNet users are assigned to groups. See To assign users to user groups (see page 203).
Users, user groups, and privileges defined in BMC Atrium Single Sign-On are used for BMC ProactiveNet group mapping.
Note The BMC ProactiveNet Single Sign-On feature can be integrated either during installation, or post-installation.
9.4.2 To integrate BMC ProactiveNet during installation
Note The BMC ProactiveNet Server installer prompts for information that must already be defined in BMC Atrium Single Sign-On.
1. Select Single Sign-On (SSO) - Enable and configure.
2. Provide the following information (field: description):
Atrium SSO Server Hostname Domain: Enter the fully qualified name of the BMC Atrium Single Sign-On server.
ProactiveNet Server Hostname Domain: Enter the fully qualified host name of the server where BMC ProactiveNet Server is installed. By default, this field is populated with the host name of the server on which the installer is executed.
Atrium SSO HTTPS Port: Enter the BMC Atrium Single Sign-On secure port number. The default port number is 8443.
Searcher ID: Enter the BMC Atrium Single Sign-On Searcher ID used to search all user names and groups.
Searcher Password: Enter the password of the Searcher ID user.
Atrium SSO AmAdmin Password: Enter the BMC Atrium Single Sign-On server amAdmin password.
9.4.3 To integrate BMC ProactiveNet after installation
The BMC Atrium Single Sign-On feature can be configured post-installation in one of two ways:
Using the Post Installation Configuration interface in the BMC ProactiveNet Operations Console. For more information, see the BMC ProactiveNet User Guide.
Using the pw sso commands. For more information, see the BMC ProactiveNet CLI Reference Guide.
Once BMC Atrium Single Sign-On is integrated, when you launch BMC ProactiveNet, the BMC Atrium SSO screen appears. Enter your user name and password, and BMC ProactiveNet automatically launches.
If you launch BMC ProactiveNet and try to log in as a user who is not associated with a valid user group in BMC Atrium Single Sign-On, BMC ProactiveNet displays an error stating "Invalid username/password". If you receive a message that the BMC ProactiveNet Server has restarted, you must close the browser, then re-open the browser and log back in.
9.4.4 To define users and groups
To enable single sign-on, you must first create BMC ProactiveNet users and user groups in BMC Atrium Single Sign-On. Users and user groups defined in BMC Atrium Single Sign-On are used for BMC ProactiveNet group mapping. During installation of BMC ProactiveNet, the BMC ProactiveNet Server Installer prompts for information that must already be defined in BMC Atrium Single Sign-On. Therefore, the minimum required definition in BMC Atrium Single Sign-On, before installing BMC ProactiveNet, is the following:
1. Create a Searcher user and assign the BmcSearchAdmins group.
2. Define the SSO amAdmin user and assign full access privileges. (The SSO amAdmin user is automatically created during installation of BMC Atrium Single Sign-On.)
3. Create an Administrative user group and assign the BmcAdmins group.
9.4.5 To create new users
New users can only be created when you are using the internal LDAP server for authentication. If an external source is used for authentication, new users must be created within that external system.
1. Sign on to BMC Atrium Single Sign-On.
2. Click Edit BMC Realm and select the User tab.
Note When integrating a BMC ProactiveNet Server with an external system such as SSO or LDAP for authentication, ensure that the same user name does not exist in both the external system and the BMC ProactiveNet Server. If the same user exists in both, the user group associations defined in BMC ProactiveNet will be considered.
a. Click Add.
b. In the UserId field, enter a unique identifier for the new user. This value is used as the user ID when the user logs in. If special characters, such as a comma ( , ), semicolon ( ; ), or plus sign ( + ), are used in the user ID, a backslash ( \ ) must precede the special character. For example, Baldwin\,bob.
c. Enter the user's last name and full name.
d. Enter an initial default password (which the user changes) and confirm this default password.
e. In the Status field, verify that the Active radio button is selected (default).
f. Click Save.
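A pre-flight check for a new user entry, added here as an example (not BMC's code): it applies the two rules stated in the user-creation procedures on this page, the backslash escaping of comma, semicolon and plus sign in the user ID (step b above) and the initial password of at least 8 characters (from the earlier Realm Editor procedure). It generalizes the page's Baldwin\,bob example to all three characters; the function names are my own.

```python
"""Checks for a new Atrium SSO user entry (added example, not BMC code)."""
from typing import List

SPECIAL_CHARS = ",;+"      # characters the page says must be preceded by a backslash
MIN_PASSWORD_LENGTH = 8    # stated minimum length of the initial password


def escape_user_id(user_id: str) -> str:
    """Return user_id with a backslash before each comma, semicolon or plus sign.

    An existing backslash escape is kept as-is, so the function is idempotent:
    escape_user_id('Baldwin\\,bob') returns 'Baldwin\\,bob' unchanged.
    """
    out = []
    i = 0
    while i < len(user_id):
        ch = user_id[i]
        if ch == "\\" and i + 1 < len(user_id):
            # already-escaped pair: copy both characters untouched
            out.append(ch)
            out.append(user_id[i + 1])
            i += 2
            continue
        if ch in SPECIAL_CHARS:
            out.append("\\")
        out.append(ch)
        i += 1
    return "".join(out)


def is_escaped_user_id(user_id: str) -> bool:
    """True when every special character in user_id is already escaped."""
    return escape_user_id(user_id) == user_id


def check_new_user(user_id: str, password: str) -> List[str]:
    """Return the problems found with the entry; an empty list means it passes."""
    problems = []
    if not user_id.strip():
        problems.append("user ID is empty")
    elif not is_escaped_user_id(user_id):
        problems.append(f"user ID must be entered as {escape_user_id(user_id)}")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"initial password must be at least {MIN_PASSWORD_LENGTH} characters")
    return problems


if __name__ == "__main__":
    # Constructed sample entries: one that passes and one that fails both rules.
    for uid, pwd in (("Baldwin\\,bob", "initial-pw1"), ("Baldwin,bob", "short")):
        print(uid, "->", check_new_user(uid, pwd) or "ok")
```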
9.4.6 To assign users to user groups
1. In BMC Atrium Single Sign-On, click Edit BmcRealm and select the Groups tab.
2. Select the group name and click Edit.
3. Select users from the Available Users list.
4. Click Add.
5. Alternatively, you can add all of the users by clicking Add All.
6. Click Save to save the changes. The membership change is immediately put into effect.
Note An initial password must be provided when creating the account. Once created, the user can log into BMC Atrium Single Sign-On and update the password and their personal information through the following URL:
9.4.7 To clean up Web Agent entries when the BMC ProactiveNet Server is uninstalled
The following steps are required to delete Web Agent entries on the BMC Atrium Single Sign-On Server when the BMC ProactiveNet Server is uninstalled.
Note Any changes made to a BMC Atrium Single Sign-On user will not be reflected in an active BMC ProactiveNet session. The user must log out and log back in for the changes to be in effect.
1. On the BMC Atrium Single Sign-On Console, click Edit BMC Realm.
2. Click Agents Details. A list of the Agents that are registered on the Single Sign-On server is displayed.
3. Identify the two Agents corresponding to your BMC ProactiveNet Server host. Search for the following patterns:
/@:
/admin@:
4. Mark the Agents to delete by selecting their corresponding checkboxes.
5. Click Delete.
9.5 Integrating BMC IT Business Management Suite
BMC Atrium Single Sign-On is an authentication system that supports many authentication protocols and provides single sign-on and single sign-off for users of BMC products. A user can present credentials once for authentication and subsequently be automatically authenticated by every BMC Software product that is integrated into the system.
9.5.1 Before you begin
You must install the BMC Atrium Single Sign-On server before using the BMC IT Business Management Suite installation program to set up the configuration.
9.5.2 To integrate BMC IT Business Management Suite
When installing the BMC IT Business Management Suite, select the check box to configure BMC IT Business Management Suite with the BMC Atrium Single Sign-On server. Use these options to configure BMC IT Business Management Suite to work with BMC Atrium Single Sign-On (installation parameter: value):
Atrium SSO Location: Specify the location of the BMC Atrium Single Sign-On server.
Atrium SSO Admin User: Specify the administrative user name.
Atrium SSO Admin Password: Specify the BMC Atrium Single Sign-On server administrative password.
Atrium SSO Keystore Path: Specify the location of the keystore. The default Tomcat server used by the BMC Atrium Single Sign-On server uses a keystore and a truststore for its secure (HTTPS/TLS) communications. These files are stored within the directory at /BMC Software/AtriumSSO/tomcat/conf.
Atrium SSO Keystore Password: Specify the password of the keystore.
9.6 Integrating BMC ITBM and WebSphere application server
As an option, you can configure the IBM WebSphere application server to work with the BMC Atrium Single Sign-On server. To configure the WebSphere application server to work with the BMC Atrium Single Sign-On server, you must have already installed and set up the BMC Atrium Single Sign-On server.
9.6.1 Before you begin
If you have already deployed BMC IT Business Management Suite on WebSphere, you must first undeploy the application and then configure the WebSphere application server to work with the BMC Atrium Single Sign-On server.
9.6.2 To configure the WebSphere application server to work with the BMC Atrium Single Sign-On server
1. Stop the application server.
2. Copy the certificate truststore file (cacerts) from the \java\jre\lib\security directory to the \bin directory.
3. Copy the deployment utility webagent.zip file from the BMC Atrium Single Sign-On server build to the temporary directory called
4. Run the following deployer script from the WebSphere java directory:
java -jar $\deployer.jar --install --container-type WEBSPHEREV7 --atrium-sso-url https://:/atriumsso --web-app-url http://:/itm --container-base-dir "" --instance-config-directory "" --server-instance-name "" --admin-name amadmin --admin-pwd password --jvm-truststore "\java\jre\lib\security\cacerts" --jvm-truststore-password changeit --truststore "\bin\cacerts" --truststore-password changeit
For example, you can specify the following script:
java -jar "C:\Program Files\BMC Software\ARSystem\midtier\webagent\deployer\deployer.jar" --install --container-type WEBSPHEREV7 --atrium-sso-url https://w8k-itsm-vm16.dsl.bmc.com:8443/atriumsso --web-app-url http://w28-itm-vm02.dsl.bmc.com:9080/itm/ --container-base-dir "C:\Program Files\IBM\WebSphere\AppServer" --instance-config-directory "C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\w28-itm-vm02Node01Cell\nodes\w28-itm-vm02Node01\servers\server1" --server-instance-name "server1" --admin-name amadmin --admin-pwd password --jvm-truststore "C:\Program Files\IBM\WebSphere\AppServer\java\jre\lib\security\cacerts" --jvm-truststore-password changeit --truststore "C:\Program Files\IBM\WebSphere\AppServer\bin\cacerts" --truststore-password changeit
Note When you run the script using the java command, use the WebSphere copy of the java version, not the one from the Oracle JDK.
5. Start the application server.
6. In the WebSphere application logon window, specify the User ID as itmadm and Password as itmadmin and press Enter.
7. In the left navigation pane of the Integrated Solutions console, click Servers > Server Types > WebSphere application servers.
8. In the WebSphere application servers page, click the server on which you have installed BMC IT Business Management Suite.
9. In the Application servers > server page, click Java and Process Management in the Server Infrastructure options on the right.
10. In the Java and Process Management options, click Process definition.
11. In the Process definition page, click Java Virtual Machine in the Additional Properties options.
12. In the Java Virtual Machine page, click Custom properties.
13. To specify a new property, click New.
14. In the Custom properties > New page, specify the following property and value for the custom repository (name: value):
atsso.configuration.dir: Atrium SSO agents configuration directory. For example, C:\Program Files\IBM\WebSphere\AppServer\atssoAgents
15. Click OK.
16. Click Save in the Message box at the top of the screen to commit the changes.
17. In the left navigation pane of the Integrated Solutions Console, click Security > Global security.
18. In the Global security page, click the Security Configuration Wizard button.
19. In the Specify extent of protection page, select Enable application security and click Next.
20. In the Select user repository page, select the Standalone custom registry option and click Next.
21. Add the following properties and values for the custom repository (name: value):
sso.installed: true
cacerts: C:/Program Files/IBM/WebSphere/AppServer/bin/cacerts (Note: If your folder path contains spaces, copy cacerts from \bin\cacerts to any temp directory, for example C:/bmc/.)
cacerts.password: changeit
sso.acceptAllServerCertificates: true
22. Click Next.
23. Verify the Summary page, and click Finish.
24. Click Save in the Message box at the top of the screen to commit the changes.
25. In the Global security window, click the Available realm definition list and select Standalone custom registry.
26. Click the Set as current button.
27. Click the Java Authentication and Authorization Service option.
28. In Java Authentication and Authorization Service, click System Logins.
29. In the resources list, select the WEB_INBOUND resource.
30. In the JAAS login modules table, click the com.itmsoft.security.auth.module.ITBMLoginModule option.
31. Specify the following custom properties and values (name: value):
sso.installed: true
cacerts.path: C:/Program Files/IBM/WebSphere/AppServer/bin/cacerts (Note: If your folder path contains spaces, copy cacerts from \bin\cacerts to any temp directory, for example C:/bmc/.)
cacerts.password: changeit
sso.acceptAllServerCertificates: true
32. Click Apply and OK.
33. Click Save in the Message box at the top of the screen to commit the changes.
34. Log out and restart the WebSphere server before deploying the BMC IT Business Management Suite.
35. Deploy BMC IT Business Management Suite on the WebSphere application server.
9.7 Integrating BMC Capacity Optimization
This topic provides instructions for integrating BMC Capacity Optimization with BMC Atrium Single Sign-On.
Notes
For information about compatible versions of these BMC applications, see BSM Interoperability 8.5.1.
This topic does not describe how to integrate data from BMC Atrium CMDB into BMC Capacity Optimization using Extract, Transform, and Load tasks (ETL tasks). For information about integrating data from BMC Atrium CMDB into BMC Capacity Optimization, see Integrating BMC Capacity Optimization with BMC Atrium CMDB in the BMC Capacity Optimization online documentation.
9.7.1 Before you begin
Before you can enable integration with BMC Atrium Single Sign-On, you must have BMC Atrium CMDB installed and running.
Before you can enable launching of BMC Capacity Optimization from BMC ProactiveNet when viewing a CI (device) associated with an event, you must integrate BMC ProactiveNet with BMC Atrium CMDB.
9.7.2 To integrate BMC Capacity Optimization
1. Log on to the BMC Capacity Optimization Console as a user with the administrator role.
2. Click the Administration tab.
3. In the Navigation area, expand System.
4. Click Configuration.
5. Click the BMC Environment tab.
6. At the bottom of the BMC Environment tab, click Edit.
7. In the BMC Atrium Single-Sign-On area, next to Atrium Single-Sign-On, select Enable Atrium single sign-on for authentication in BMC Capacity Optimization. BMC Atrium Single Sign-On server information boxes appear.
8. Type the following:
Atrium SSO Server Host: Type the address of the BMC Atrium Single Sign-On server host.
Atrium SSO Server Port: Type the BMC Atrium Single Sign-On server port number.
Atrium SSO Server Username: Type the user name for BMC Atrium Single Sign-On server authentication.
Atrium SSO Server Password: Type the password for BMC Atrium Single Sign-On server authentication.
Note The BMC Atrium Single Sign-On server user must be assigned an administrator role.
9. Click Execute. A utility runs that registers BMC Capacity Optimization with the BMC Atrium Single Sign-On server.
10. Click Save.
11. Close your BMC Capacity Optimization Console browser window.
12. Verify that BMC Capacity Optimization services have been restarted (see the Verifying that BMC Capacity Optimization services are running section of Verifying BMC Capacity Optimization installation).
13. Log on to the BMC Capacity Optimization Console (see Accessing the BMC Capacity Optimization console).
9.8 Integrating BMC Atrium Orchestrator Platform
BMC Atrium Orchestrator Platform 7.7 uses the BMC Atrium Single Sign-On authentication system to provide single sign-on and single sign-off. BMC Atrium Single Sign-On allows users to present credentials only once for authentication and subsequently be automatically authenticated by every BMC product that is integrated into the system. For more information about BMC Atrium Orchestrator Platform 7.7 installation and integration with BMC Atrium Single Sign-On, see the BMC Atrium Orchestrator Platform 7.7 online documentation. Users, user groups, and privileges defined in BMC Atrium Single Sign-On are used for BMC Atrium Orchestrator Platform group mapping. See Managing users (see page 264) and Managing user groups (see page 268).
Before you begin (see page 210)
BMC Atrium Orchestrator Platform installation worksheet (see page 210)
Where to go from here (see page 212)
9.8.1 Before you begin
BMC Atrium Single Sign-On version 8.1.00 Patch 1 (8.1.00.01) or later must be installed and configured before installing BMC Atrium Orchestrator Platform 7.7.
Download the installation files from the BMC EPD website.
Ensure that BMC Atrium Single Sign-On version 8.1.00 Patch 1 (8.1.00.01) or later is implemented.
Ensure that the target computer meets the minimum system requirements for your environment.
Complete the BMC Atrium Orchestrator Platform installation worksheet (see page 210).
Exit all other programs.
Log on as an administrator and have administrator rights on the computer where you will install BMC Atrium Single Sign-On.
Prepare to run the installation program for your operating system. For example, you must update Terminal Services configuration options and configure the DEP feature if you are using Windows. For more information, see Configuring terminal services on Windows 2008 and Windows 2012 computers and Configuring DEP on Windows computers.
Note The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates with BMC Atrium Single Sign-On (for example, BMC Atrium Orchestrator). BMC recommends that you install BMC Atrium Single Sign-On on a different computer from the computer where you plan to install a BMC product (for example, the AR System server or the BMC Remedy Mid Tier).
9.8.2 BMC Atrium Orchestrator Platform installation worksheet
BMC Atrium Single Sign-On is a required server component that you install first, before any other BMC Atrium Orchestrator components. Before installing BMC Atrium Single Sign-On, use this worksheet to record information specific to your system. The installation parameters in this worksheet correspond to the parameters in the GUI installation and the options file. For each panel, the worksheet lists the installation parameter with its default value and notes, followed by a Your value column for you to fill in.
Directory Selection panel
Destination Directory: Windows: C:\Program Files\BMC Software\AtriumSSO; UNIX: /opt/bmc/atriumsso
Server panel
Hostname: Fully qualified host name of the server where you install BMC Atrium Single Sign-On
BMC Atrium SSO Cluster Options panel
Non-clustered BMC Atrium SSO Server (Current Setting): Stand-alone Single Sign-On Server
Clustered BMC Atrium SSO Server: Implemented as a redundant system with session failover. A clustered installation requires at least two nodes
Tomcat Application Server Selection panel
Install New Tomcat: Install a new Tomcat server on the computer where you install BMC Atrium Single Sign-On
Use External Tomcat: Path where the external Tomcat Application Server resides
Tomcat Application Server Information panel
HTTP port number: HTTP port number used by the BMC Atrium Single Sign-On server
HTTPS port number: HTTPS port number used by the BMC Atrium Single Sign-On server
Shutdown port number: Shutdown port number used by the BMC Atrium Single Sign-On server
BMC Atrium SSO Server Information panel
Cookie Domain: Network domain of the computer on which you are installing the server
Password: Password required to log on to the BMC Atrium Single Sign-On server
Confirm Password: Confirm the password
9.8.3 Where to go from here
Create a BMC Atrium Orchestrator user account and assign the user account to a group in BMC Atrium Single Sign-On. See Managing users (see page 264) and Managing user groups (see page 268). After you create a BMC Atrium Orchestrator group and user, install the BMC Atrium Orchestrator Platform repository.
9.9 Integrating BMC Real End User Experience Monitoring This page has not been approved for publication.
9.9.1 Preparing BMC Atrium SSO server for integration This page has not been approved for publication.
9.9.2 Preparing the Console component for the BMC Atrium SSO integration This page has not been approved for publication.
9.10 Integrating BMC Mobility for ITSM 8.1.00
This topic describes how to integrate BMC Atrium Single Sign-On with BMC Mobility to support Security Assertion Markup Language (SAML). The typical process for integrating BMC Atrium Single Sign-On with BMC Remedy IT Service Management (ITSM) is to install BMC Atrium Single Sign-On, install BMC Remedy ITSM, and then integrate Atrium SSO with ITSM. The following topics are provided:
Before you begin (see page 212)
Limitations (see page 213)
Integrating BMC Mobility to support SAML authentication (see page 213)
Related Topics (see page 214)
9.10.1 Before you begin
Ensure that BMC Remedy ITSM is installed before you enable integration with BMC Atrium Single Sign-On.
Ensure that the BMC Remedy ITSM users that you want to use exist in the BMC Atrium Single Sign-On server. See Managing users (see page 264) and Managing user groups (see page 268).
9.10.2 Limitations
The mobile applications do not support pop-up windows for login. The SAML IdP in Atrium SSO must provide a login page that is compatible with the embedded WebKit browser.
The only identity provider (IdP) that BMC Mobility for ITSM supports is BMC Atrium SSO, which is also the only supported service provider (SP). Other IdPs and SPs are not supported.
9.10.3 Integrating BMC Mobility to support SAML authentication
You must use the following steps to configure BMC Mobility and BMC Atrium SSO so that BMC Mobility can use single sign-on for logging on to BMC Mobility.
To integrate Atrium SSO support in BMC Mobility Server
1. Stop the BMC Mobility server.
2. Copy all the jar files from the \webagent\dist\jee\WEB-INF\lib directory to the \WEB-INF\lib directory. For example, copy all the jar files from C:\Program Files\BMCSoftware\ARSystem\midtier\webagent\dist\jee\WEB-INF\lib to C:\Program Files\BMCSoftware\ARSystem\midtier\WEB-INF\lib.
3. Uncomment the BMC Atrium Single Sign-On filter in the web.xml file on the BMC Mobility server.
To integrate BMC Mobility in BMC Atrium SSO Console
1. Configure the Login URL for the BMC Atrium Single Sign-On server using the following steps:
a. Log on to the BMC Atrium SSO Admin Console and click Agent Details.
b. Select the /MobilityServer@FQDN:portNumber agent and click Edit.
c. In the Agent Editor, change the Login URL to be the same as the Mid Tier Agent Login URL (for example, https://serverName:portNumber/atriumsso/spssoinit?metaAlias=/BmcRealm/sp&idpEntityID=idp).
Login URL field in the Agent Editor
2. Configure the Logout URL for the BMC Atrium Single Sign-On server using the following steps:
a. In the Agent Editor, change the Logout URL to be the same as the Mid Tier Agent Logout URL (for example, https://serverName:portNumber/atriumsso/saml2/jsp/spSingleLogoutInit.jsp?idpEntityID=idp).
To enable SAML logon
1. Open the Mobility Administration: Tenant form in a browser.
2. Search for the record with Tenant ID 000000000000001.
3. Change the SAML Authentication setting to Yes.
4. Save your changes.
You must start the BMC Mobility server after making the configuration changes.
9.10.4 Related Topics
Agent manager
10 Using
The following topics provide information and instructions for using BMC Atrium Single Sign-On:
Navigating the interface
Managing keystores with a keytool utility (see page 239)
Configuring FIPS-140 mode (see page 251)
Using an external LDAP user store (see page 260)
10.1 Navigating the interface
On the BMC Atrium SSO Admin Console, you can see the overall health of the Atrium Single Sign-On server and launch into specific areas for management. The Administrator console contains four panels providing server health (Status), access to realms for management (Realm Manager), and access to current sessions for management (Sessions). In addition, the console has a top-level Help button that launches a browser that provides you with online help.
Note To access the BMC Atrium SSO Admin Console, use a Fully Qualified Domain Name (FQDN) URL.
Editor options (see page 215)
Status panel (see page 215)
BMC Realm panel (see page 216)
Sessions panel (see page 216)
10.1.1 Editor options Each editor provides the following options when adding or editing items: Save to save your modifications. Reset to remove your modifications and stay on the editor. Help launches a browser that provides you with online help. Cancel to cancel and return to the launch page.
10.1.2 Status panel
The Status panel shows the current memory usage of the server, a pie chart of active versus idle sessions, and another pie chart of the up/down status of the agents integrated with this server or cluster (that is, of the servers the agents are defined for). Edit Server Configuration launches the Server Configuration Editor (see page 237), which allows you to edit the server parameters. Agent Details launches the Agent Manager, where you can edit agents with the Agent Editor or delete agents. Agents List lists the agents on the system. HA Node Details launches the HA Nodes manager (see page 234), where you can edit nodes with the Server Configuration Editor (see page 237) or delete dead nodes. In non-HA systems, you reach the Server Configuration Editor (see page 237) by clicking Edit Server Configuration; this editor provides access to the overall operating parameters. HA Node List lists the HA nodes on the system.
10.1.3 BMC Realm panel
From the BMC Realm panel, the Edit BMC Realm button opens the Realm Editor, where the realm can be modified. The panel also shows an Authentication List and a User Store List, which display the authentication modules and user stores defined for the realm. Edit BMC Realm launches the Realm Editor, which allows you to manage realm authentication, federation, user stores (AR and LDAPv3), users, and user groups; federation and user profile status is shown there as well. Authentication List lists the authentication modules that are established for the realm. User Store List lists the user stores that are established for the realm.
10.1.4 Sessions panel
The Sessions panel allows you to view the current sessions and to invalidate any session. The Sessions table displays the following columns: UserId, Time Remaining, Max Session Time, Time Idle, Max Idle Time, and Node Name (the server on which the session is held).
10.1.5 Realm Editor
Use the tabs in the Realm Editor to set the user profile, manage the realm authentication modules, federate modules, and manage user stores, as well as manage users and user groups.
Main tab (see page 216)
User tab (see page 218)
Groups tab (see page 218)
Security tab (see page 219)
Editors available from Realm Editor (see page 221)
Main tab
The Main tab provides the following panels for specifying parameters:

User Profile panel
The User Profile panel sets how the local Single Sign-On user profile is handled. The options are Ignored, Required, or Dynamic; in practice, select either Dynamic or Ignored.
Dynamic: a local Single Sign-On user profile is created after a successful authentication if it does not already exist.
Ignored: no local Single Sign-On user profile is created or required for authentication.
Required: a local Single Sign-On user profile with the same user ID must already exist for authentication to succeed.

Realm Authentication panel
The Authentication panel allows you to create, edit, and delete authentication module instances and to establish an authentication chain. An authentication chain is a series of authentication modules through which the user must pass to authenticate. The chain can be constructed to allow complex processing of the modules. For example, you can use authentication chaining to merge multiple LDAP servers into a single authentication unit: chaining several LDAP modules together with the Sufficient flag ensures that each LDAP module is tried in turn, and if any module successfully authenticates the user, the user is identified and given an SSO session. The modules in a chain are combined according to a flag set on each module:
Required: the module must succeed. Whether it succeeds or fails, processing continues through the remaining modules of the chain.
Requisite: the module must succeed. If it succeeds, processing continues through the remaining modules; if it fails, control returns immediately to the application and the remaining modules are not evaluated.
Sufficient: the module is not required to succeed. If it succeeds, control returns immediately to the application and the remaining modules are not evaluated; if it fails, processing continues through the remaining modules.
Optional: the module is not required to succeed. Whether it succeeds or fails, processing continues through the remaining modules.
Requisite and Sufficient are the most commonly used flags, because they allow processing to stop as soon as the authentication status of the user is known. Required and Optional never stop the processing; they force every module in the chain to be evaluated. The overall authentication succeeds only if all modules flagged Required or Requisite succeed. If a module flagged Sufficient succeeds, only the Required and Requisite modules that precede it in the chain must have succeeded for the overall authentication to succeed. If no Required or Requisite modules are configured, at least one Sufficient or Optional module must succeed.

Federation panel
The Federation panel manages the membership of Local Identity Provider (IdP) and Local Service Provider (SP) entities in a Circle of Trust (COT). The name of the COT is derived from the name of the realm to allow a logical mapping onto the OpenAM abstractions. IdP and SP entities created in the realm are automatically assigned membership in the realm's single COT. This panel allows you to add, edit, and federate entities; when you add an entity, you specify its type (IdP or SP for SAMLv2 authentication).

User Stores panel
The User Stores panel allows you to manage user stores (add, delete, edit, and reorder). The User Store Manager defines external user stores from which user attributes (email address, phone numbers, and so forth) and group memberships are obtained. By default, the internal LDAPv3 data store is configured as a user store for the BmcRealm, but external LDAPv3 servers, BMC Remedy AR System servers, and even an RDBMS (with a customer-provided JDBC driver) can be used. The User Store Manager allows you to create new user stores from existing types or from templates, edit existing user stores, and delete deprecated ones. Templates are based on user store types but include initial configuration values; for example, a template can provide meaningful default values for an Active Directory user store.
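The flag semantics above are easier to trust once you can watch a chain run. The following is an added example, not BMC or OpenAM code: a small model of how Required, Requisite, Sufficient and Optional combine the results of the modules in a chain, driven by two constructed "LDAP directories" (LDAP_A, LDAP_B) and a constructed SecurID token check. The module names and credentials are assumptions for illustration; the control-flow rules are the ones the page describes.

```python
# Added example (not BMC or OpenAM code): a model of how the four control flags
# combine the modules of an authentication chain. The module names, the two
# "LDAP directories" and the SecurID check are constructed stand-ins.

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"


def evaluate_chain(chain, credentials):
    """Run a chain of (module_name, flag, check) entries.

    check(credentials) is the module's own pass/fail decision. Returns
    (overall_success, names_of_modules_consulted) so that the short-circuit
    behaviour of Requisite and Sufficient is visible to the caller.
    """
    consulted = []
    required_failed = False   # a Required failure is remembered but does not stop the chain
    optional_passed = False
    for name, flag, check in chain:
        consulted.append(name)
        ok = check(credentials)
        if flag == REQUIRED:
            required_failed = required_failed or not ok
        elif flag == REQUISITE:
            if not ok:
                return False, consulted          # stop at once; control returns to the application
        elif flag == SUFFICIENT:
            if ok:
                # stop at once; success only if no earlier Required/Requisite module failed
                return not required_failed, consulted
            # a failed Sufficient module has no effect; the chain continues
        elif flag == OPTIONAL:
            optional_passed = optional_passed or ok
        else:
            raise ValueError("unknown flag %r on module %s" % (flag, name))
    if required_failed:
        return False, consulted
    if any(f in (REQUIRED, REQUISITE) for _, f, _ in chain):
        return True, consulted                   # every Required/Requisite module succeeded
    return optional_passed, consulted            # no mandatory module: one Sufficient/Optional must pass


# Constructed directories standing in for two LDAP servers.
LDAP_A = {"alice": "pw-a"}
LDAP_B = {"bob": "pw-b"}


def ldap_module(directory):
    return lambda cred: directory.get(cred.get("user")) == cred.get("password")


# The page's own scenario: several LDAP servers merged into one authentication unit.
MERGED_LDAP_CHAIN = [
    ("ldap-a", SUFFICIENT, ldap_module(LDAP_A)),
    ("ldap-b", SUFFICIENT, ldap_module(LDAP_B)),
]

# A two-factor chain: the password must be right before the token is even looked at.
STEP_UP_CHAIN = [
    ("ldap-a", REQUISITE, ldap_module(LDAP_A)),
    ("securid", REQUIRED, lambda cred: cred.get("token") == "123456"),
]

if __name__ == "__main__":
    print(evaluate_chain(MERGED_LDAP_CHAIN, {"user": "bob", "password": "pw-b"}))
    print(evaluate_chain(STEP_UP_CHAIN, {"user": "bob", "password": "pw-b"}))
```

Note the two orderings that matter in practice: in MERGED_LDAP_CHAIN, alice is never sent to the second server because the first Sufficient module stops the chain, while bob is tried against both; in STEP_UP_CHAIN, an unknown user is rejected by the Requisite module before the token check runs, so a failed password never reveals anything about the token, whereas a correct password with a wrong token consults both modules and still fails.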
User tab
The User tab allows you to create new users, delete existing users, and edit the attributes and group memberships of those users. Select a user to edit or delete it. When searching for a user, the wildcard * returns all names. A single letter such as "m" returns all user IDs that contain "m". A short string such as "mc" returns user IDs that contain "mc" (for example, McCormick).

Groups tab
The Groups tab allows you to create new groups, delete existing groups, and edit the attributes of a group. Select a group to edit or delete it. When searching for a group, the wildcard * returns all names. A single letter such as "d" returns all group names that contain "d". A short string such as "dm" returns group names that contain "dm" (for example, admin).
Security tab The Security tab provides the following features:
Login Failure Lockout
The Login Failure Lockout feature locks an account after repeated failed logon attempts, which limits password guessing against that account. It provides the following options:
Enable Login Lockout: Select this check box to activate the lockout feature. The lockout is a memory lockout: it is held only in server memory, and it is cleared by restarting the BMC Atrium Single Sign-On server or by clearing and re-selecting Enable Login Lockout.
Lockout Duration: Sets the interval (in minutes) that a user must wait after a lockout before attempting to authenticate again. A value greater than 0 enables memory lockout and disables physical lockout; memory lockout locks the user's account in memory for the specified number of minutes, after which the account is unlocked automatically.
Number of Login Attempts Before Lockout: Sets the number of incorrect logon attempts permitted for a user, within the interval set in Lockout Duration, before the account is locked out.
To clear all user lockouts, the administrator must both disable the lockout feature and set the lockout duration to 0; whenever the feature is disabled, the duration should also be set to 0.
Note To ensure that the administrator always has the access to the server, the account lockout feature is not applicable for the amAdmin account.
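The three settings above interact (the attempt counter lives inside the Lockout Duration window, the lockout is in memory only, and amAdmin is exempt), and the following added example makes that interaction concrete. It is not BMC code: MemoryLockout is a model of the behaviour the page describes, and ManualClock, the user names and the attempt counts are constructed so that the window can be exercised without waiting.

```python
import time
from collections import defaultdict

# Added example (not BMC code): an in-memory model of the Login Failure Lockout
# settings. ManualClock and the user names are constructed so the time window
# can be exercised without real waiting.

LOCKOUT_EXEMPT = {"amAdmin"}   # per the note above, the lockout never applies to amAdmin


class ManualClock:
    """Stand-in for time.time() whose value the caller advances explicitly."""
    def __init__(self, start=1000000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class MemoryLockout:
    def __init__(self, enabled=True, duration_minutes=5, max_attempts=3, clock=time.time):
        # A duration of 0 means no memory lockout, matching "set the duration to 0" above.
        self.enabled = enabled and duration_minutes > 0
        self.window = duration_minutes * 60
        self.max_attempts = max_attempts
        self.clock = clock
        self.failures = defaultdict(list)   # user -> timestamps of failures inside the window
        self.locked_until = {}              # user -> time at which the lockout expires

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:           # duration elapsed: the account unlocks itself
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def record_failure(self, user):
        """Register a failed logon. Returns True if this failure locked the account."""
        if not self.enabled or user in LOCKOUT_EXEMPT or self.is_locked(user):
            return False
        now = self.clock()
        recent = [t for t in self.failures[user] if now - t < self.window] + [now]
        self.failures[user] = recent
        if len(recent) >= self.max_attempts:
            self.locked_until[user] = now + self.window
            return True
        return False

    def record_success(self, user):
        self.failures.pop(user, None)

    def clear_all(self):
        """What a server restart, or disabling and re-enabling the feature, does: the state lives only in memory."""
        self.failures.clear()
        self.locked_until.clear()
```

Two consequences worth checking in your own deployment follow directly from the model: failures spaced further apart than the Lockout Duration never accumulate (the window slides), and a server restart, or a failover to another HA node, forgets every lockout, so the feature slows an online guessing attack rather than stopping one that spans restarts.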
Valid Forwarding Domains
The Valid Forwarding Domains feature limits the URLs to which the BMC Atrium Single Sign-On server will redirect the browser after authentication. To enable this feature, add at least one URL to the list of Valid Forwarding Domains. An empty list means that the feature is disabled and no destination is filtered.

To add a URL to the list of valid forwarding domains
1. Enter the URL in the Trusted Domain field.
2. Click Add.
3. Restart the BMC Atrium Single Sign-On server for the change to take effect.

Note
Enter each entry as an absolute URL, including scheme, host, port and path, such as: https://sample.bmc.com:8080/test

If the destination requested after authentication is not in the Valid Forwarding Domains list, the browser is sent instead to a page with an error message and a link to log out of the BMC Atrium Single Sign-On server.
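This setting is the server's defence against open redirects: without it, a login link whose return URL points at an attacker's site would be honoured after a successful authentication. The following is an added example, not BMC code, of the kind of check the setting implies. VALID_FORWARDING_DOMAINS and the candidate URLs are constructed, and the matching rule used here (same scheme, host and port, and a path equal to or below the listed path) is this example's own reading of "absolute URL", not a statement of the product's exact algorithm. The example also shows the tricks an allow-list must reject: a user-info part before the real host, a host that merely starts with the allowed name, a protocol-relative URL, and non-HTTP schemes.

```python
from urllib.parse import urlsplit

# Added example (not BMC code): an allow-list check in the spirit of the Valid
# Forwarding Domains setting. Entries and candidate URLs are constructed; the
# matching rule is this example's own, not the product's documented algorithm.

VALID_FORWARDING_DOMAINS = [
    "https://sample.bmc.com:8080/test",
    "https://midtier.example.com:8443/arsys/",
]


def _normalize(url):
    """Return (scheme, host, port, path), or None if url is not an absolute http(s) URL."""
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme not in ("http", "https") or not parts.hostname:
            return None
        port = parts.port or (443 if scheme == "https" else 80)   # .port raises on "8080.evil.com"
    except ValueError:
        return None
    return scheme, parts.hostname, port, parts.path or "/"


def is_allowed_forward(goto, allowed=VALID_FORWARDING_DOMAINS):
    """True if goto may be used as the redirect target after authentication."""
    if not allowed:
        return True   # empty list: the feature is disabled and nothing is filtered
    target = _normalize(goto)
    if target is None:
        return False  # relative, protocol-relative, javascript: and data: targets never match
    for entry in allowed:
        base = _normalize(entry)
        if base is None:
            continue
        same_origin = target[:3] == base[:3]          # scheme, host and port must all match
        base_path = base[3].rstrip("/")               # "/test", "/arsys", or "" for a bare origin
        under_path = target[3] == base_path or target[3].startswith(base_path + "/")
        if same_origin and under_path:
            return True
    return False
```

The comparison is done on the parsed origin, never on string prefixes: "https://sample.bmc.com:8080@evil.com/test" parses to host evil.com, and "https://sample.bmc.com:8080.evil.com/test" has no valid port, so both are rejected even though each begins with an allowed entry. Keep the list non-empty on any server that accepts a return URL from the browser; an empty list turns the check off entirely.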
Editors available from Realm Editor
The following editors are used for creating and editing authentication module instances, SAML federation, and user stores.

User and Group editors
User Editor
Group Editor

Authentication module instance editors
AR Editor (see page 223)
LDAP (Active Directory) Editor (see page 223)
Kerberos Editor (see page 227)
SecurID Editor (see page 227)
CAC (certificate) Editor

Federation editors
Local Service Provider (SP) Editor (see page 230)
Create Identity Provider (see page 228)
Remote Identity Provider (IdP) Editor
Local Identity Provider (IdP) Editor
Create Service Provider (see page 229)
Remote Service Provider (SP) Editor (see page 232)

User store editors
AR User Store Editor
LDAPv3 (Active Directory) User Store Editor (see page 225)
User Editor
The User Editor allows you to provide specific information about the user and to set the user's status (Active or Inactive). Save saves your modifications. Reset removes your modifications. Help accesses the online help. Cancel cancels and returns you to the Users tab on the Realm Editor. The User Editor has two tabs: the Main tab allows you to create and edit user information, and the Groups tab allows you to assign the user to groups.
User Editor fields
Main tab
  User ID: The name of the user that you are creating or editing.
  Status: Active or Inactive.
  User information: The user's details. As a minimum, provide the full name, first name, last name, and a default password with its confirmation.
Groups tab
  Available Groups: The list of groups available on the system.
  Member Of: The list of groups of which the user is a member.
Add and Add All move groups from the Available Groups list to the Member Of list; Remove and Remove All move them back from the Member Of list to the Available Groups list.
Group Editor
The Group Editor allows you to create a group and to add users to it. You can add users individually or add all users to the members list, and you can remove users individually or remove all users from the members list. Save saves your modifications. Reset removes your modifications and keeps you on the Group Editor. Help accesses the online help. Cancel cancels and returns you to the Groups tab on the Realm Editor.
Group Editor fields
  Group Name: The name of the group that you are creating or editing.
  Available Users: The list of users available on the system. You can filter the available users by any character in their User ID; for example, if the Filter field contains "r", all users whose User ID contains "r" are displayed. If the Filter field is empty, all users are displayed.
  Members: The list of users that are members of this group.
Add and Add All move users from the Available Users list to the Members list; Remove and Remove All move them back from the Members list to the Available Users list.
AR Editor
  Server Host Name: (Required) The fully qualified domain name (FQDN) of the server where the AR System server is located. The full host name includes the individual name of the server (yourServer) and the domain name (bmc.com).
  Server Port Number: (Required) The port on which the AR System server is listening. Note: Enter 0 if the AR System server uses port mapping.
  Default Authentication String: This string is used only when the AR module is placed downstream in a chain from another authentication module that prompts the user only for a name and password. In that situation, the user is authenticated by re-using the credentials the user provided together with this authentication string.
  Allow AR Guests: If enabled, allows unknown or invalid users to authenticate to the AR System server as guests. Leave this disabled unless guest access is an explicit requirement, because it turns a failed lookup into a successful logon.

AR User Store Editor
  Name: Label for the AR user store.
AR Server Host
  Host Name: (Required) The FQDN of the server where the AR System server is located. The full host name includes the individual name of the server (yourServer) and the domain name (bmc.com). Replace the default value (sample.bmc.com) with the host name of your server (for example, yourServer.bmc.com).
  Port: (Required) Default: 0. The port on which the AR System server is listening. The value 0 is used when the AR System server uses port mapping.
Administrative Access
  Name: (Required) The user name of an AR System account that has AR System Administrator privileges. Empty or blank passwords for this account are not supported with a new user store.
  Authentication: The authentication string that is needed when the administrator account connects to the AR System server.
  Password and Confirm Password: The password of the AR System administrative user (for example, admin) named above.
Connection Pool
  Linger Time (seconds): (Required) Default: 60. The time that a connection may remain unused in the pool before it is closed.
  Pool Size: (Required) Default: 10. The maximum number of connections that the data store uses to service data requests to the AR System server.
LDAP (Active Directory) Editor
Primary LDAP Server
  Name: (Required) The FQDN of the primary LDAP server.
  Port: If the LDAP server is not listening on the default port (389), specify the port number.
  Use SSL: (Optional) Enable to use SSL to connect to the LDAP servers. Before communications can be established, the certificates for the LDAP servers (primary and secondary) must be imported into the BMC Atrium Single Sign-On Tomcat truststore; see Importing a certificate into the truststore (see page 243). If the remote LDAP server requires client authentication for SSL, the BMC Atrium Single Sign-On server's certificate might also need to be imported into the LDAP server's truststore. Note: If you enable SSL access to the LDAP server, import the certificates and restart the Tomcat server before enabling LDAP authentication. See Managing keystores with a keytool utility (see page 239).
Secondary LDAP Server
  Name: The secondary LDAP server is used only when the primary server is not available. It is not used in parallel with the primary server, nor when a user fails to authenticate against the primary server.
  Port: If the secondary server is not listening on the default LDAP port, specify the port number.
  Use SSL: (Optional) Enable to use SSL to connect to the secondary LDAP server. The same requirements apply as for the primary server: import the certificates for both LDAP servers into the BMC Atrium Single Sign-On Tomcat truststore (see Importing a certificate into the truststore (see page 243)), import the BMC Atrium Single Sign-On server's certificate into the LDAP server's truststore if client authentication is required, and restart the Tomcat server before enabling LDAP authentication.
  Set Recheck Primary Server Interval (minutes): (Optional) The time for which the server keeps using the secondary server before it attempts to reconnect to the primary server.
User Account for Search
  Distinguished Name, Password, Confirm Password: (Required) The DN is the login name used to connect to the LDAP server; this account must have privileges to perform searches on both the primary and secondary LDAP servers. Enter the DN of the account, the password, and the password confirmation. For example, the Distinguished Name CN=bsmuser,CN=users,DC=bsmdsl,DC=bmc,DC=com with a password of your choice.
Attributes for User Search
  Attribute Name: Add attribute names to, or remove them from, the attribute list. For example, add CN as an attribute name for the user search.
DN to Start Search
  Base DN: Add base DNs to, or remove them from, the list. Each base DN is a starting location within the LDAP directory for user searches. The search DNs should be as specific as possible for performance reasons. The depth of the search can be configured; if an Object search is specified, the DN should be the DN of the node containing the users. For example, CN=bsmuser,CN=users,DC=bsmdsl,DC=bmc,DC=com.
  Attribute for User Profile Name: An additional search parameter: the attribute whose value is used as the user profile name. For example, CN.
LDAPv3 (Active Directory) User Store Editor
The LDAPv3 user store uses Active Directory as the user store type. The General tab contains the parameters for the LDAP server configuration. The Search tab contains the parameters for searching user and group attributes.

General tab
LDAP Server
  Name: (Required) The FQDN of the primary LDAP server.
  Port: If the LDAP server is not listening on the default port (389), specify the port number.
  Use SSL: (Optional) Enable SSL to connect to the LDAP servers. Before enabling SSL: import the certificates for the LDAP servers (primary and secondary) into the JVM truststore and the BMC Atrium Single Sign-On Tomcat truststore (see Importing a certificate into the truststore (see page 243)); if client authentication is required, import the BMC Atrium Single Sign-On server's certificate into the LDAP server's truststore; then restart the Tomcat server. For more information about CA certificates, see Managing keystores with a keytool utility (see page 239).
User Account for Search
  Distinguished Name, Password, Confirm Password: (Required) The Distinguished Name (DN) is the login name used to connect to the LDAP server. This account must have privileges to perform searches on the primary and secondary LDAP servers. Enter the DN, the password, and the password confirmation.
Connection Pool
  Minimum Size, Maximum Size: The connection pool attributes adjust the performance of BMC Atrium Single Sign-On and the load on the LDAP server. Before modifying the default values, BMC recommends that you complete performance timings to determine appropriate values.
Attribute Mapping
  External Attribute, Atrium SSO Attribute: Attribute mapping takes user attributes (such as email address or phone number) from the external data store and maps them to the attributes used within the BMC Atrium Single Sign-On system. To define a mapping, enter the name of the External Attribute, select from the drop-down list the Atrium SSO Attribute that it maps to, and click Add to put the new mapping into the table.

Search tab
  Search Base DN: Starting location within the LDAP directory for user and group searches. The search DNs should be as specific as possible for performance reasons. The depth of the search can be configured; if an object search is specified, the DN should be the DN of the node containing the users.
  Search Timeout (seconds): Number of seconds a search runs before it times out.
  Max Search Results: Maximum number of results that are returned.
Users
  Search Attribute: User attribute on which to perform the search.
  Search Filter: The filter for user searches. If the object class in the filter is not used by the user entries on the server, searches fail. For example, (objectclass=person).
  Status Attribute: Attribute that indicates the user status. For example, userAccountControl.
  Active Value: The value of the status attribute when the account is active.
  Inactive Value: The value of the status attribute when the account is inactive.
  People Container, Container Attribute: The LDAP attribute used to distinguish the container holding the people.
  People Container, Attribute Value: The value of that LDAP attribute. If people are not within a container (relative to the group), leave these values blank.
  Attribute Name for Group: The attribute of the user that identifies the groups to which the user belongs. For example, memberOf.
Groups
  Search Attribute: The name of the attribute that holds the name of the group. This attribute value is used in searches for user groups.
  Search Filter: Validate that the LDAP Groups Search Filter is correct for the LDAP server. If the object class specified is not applicable, update the filter with the correct objectclass name. For example, (objectclass=group).
  Groups Container, Container Attribute: The LDAP attribute used to distinguish the container holding the groups.
  Groups Container, Attribute Value: The value of the LDAP Groups Container attribute. If groups are not within a container (relative to the user), leave these values blank.
  Attribute Name for User: The attribute of a group within the LDAP system that contains the names of the users that belong to the group.
Caching
  Max Age (seconds): The maximum time that a cached value continues to be used before it is refreshed from the external LDAP server.
  Cache Size (bytes): The number of bytes of memory used to hold cached search items from the external LDAP server.
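Two of the Search tab settings deserve a closer look than the table gives them: the Search Attribute value is combined with the Search Filter using input that comes from the logon form, so it must be escaped, and an Active Value / Inactive Value pair is an exact comparison against userAccountControl, which in Active Directory is a bit mask rather than a two-valued flag. The following added example, not BMC code, shows both: it builds the user filter with RFC 4515 escaping, evaluates the status both ways, and reads group names out of memberOf. SEARCH_SETTINGS, the sAMAccountName choice, the 512/514 values and the ENTRIES dictionary are constructed; the ACCOUNTDISABLE bit value (0x2) is Active Directory's.

```python
# Added example (not BMC code): the user lookup the Search tab settings describe,
# with RFC 4515 escaping of the user-supplied value, plus the account status
# check. SEARCH_SETTINGS and ENTRIES are constructed; the userAccountControl
# bit value is Active Directory's.

SEARCH_SETTINGS = {
    "user_search_attribute": "sAMAccountName",
    "user_search_filter": "(objectclass=person)",
    "status_attribute": "userAccountControl",
    "active_value": "512",      # NORMAL_ACCOUNT
    "inactive_value": "514",    # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "group_attribute": "memberOf",
}
ACCOUNTDISABLE = 0x0002         # the userAccountControl bit set on disabled accounts

# Constructed entries, shaped like the attributes a user store search returns.
ENTRIES = {
    "bsmuser": {"userAccountControl": "512",
                "memberOf": ["CN=admin,CN=Users,DC=bsmdsl,DC=bmc,DC=com"]},
    "olduser": {"userAccountControl": "514", "memberOf": []},
    "svcacct": {"userAccountControl": "66050",   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE
                "memberOf": ["CN=svc,OU=Service,DC=bsmdsl,DC=bmc,DC=com"]},
}


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves so a user ID cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_user_filter(user_id, settings=SEARCH_SETTINGS):
    """AND the configured Search Filter with the Search Attribute match for one user."""
    return "(&%s(%s=%s))" % (settings["user_search_filter"],
                            settings["user_search_attribute"],
                            escape_filter_value(user_id))


def status_by_configured_values(entry, settings=SEARCH_SETTINGS):
    """What the Active Value / Inactive Value fields express: an exact string comparison."""
    raw = entry.get(settings["status_attribute"])
    if raw == settings["active_value"]:
        return "active"
    if raw == settings["inactive_value"]:
        return "inactive"
    return "unknown"   # any other flag combination matches neither configured value


def is_account_enabled(entry, settings=SEARCH_SETTINGS):
    """The bit test that handles every userAccountControl combination."""
    raw = entry.get(settings["status_attribute"])
    return raw is not None and int(raw) & ACCOUNTDISABLE == 0


def group_names(entry, settings=SEARCH_SETTINGS):
    """Group names from the user's memberOf DNs (first RDN only; escaped commas are not handled)."""
    names = []
    for dn in entry.get(settings["group_attribute"], []):
        rdn = dn.split(",", 1)[0]
        if rdn.upper().startswith("CN="):
            names.append(rdn[3:])
    return names
```

The svcacct entry is the case to watch: its userAccountControl of 66050 is a disabled account, but it equals neither 512 nor 514, so a configuration that relies on exact values cannot classify it. Check how your user store treats the "unknown" case before depending on Inactive Value to keep disabled accounts out, and keep the escaping in place even though the user ID has already been authenticated upstream, since the Search Attribute match is still a filter built from user input.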
Kerberos Editor
  Service Principal: The Kerberos principal used for authentication. Clients use the service principal to request a service ticket when authenticating. The service principal name is based on the host name of the server running BMC Atrium Single Sign-On.
  Keytab File Name: The absolute path to the Kerberos keytab file used for authentication. The keytab file holds the service principal's long-term key (derived from its password), so restrict read access to the account that runs the BMC Atrium Single Sign-On server.
  Kerberos Realm: The KDC domain name.
  KDC Server: The KDC host name. Enter the fully qualified domain name (FQDN) of the domain controller.
  UserId Format: The following parameters are used:
    Use Domain Name with Principal: If selected, BMC Atrium Single Sign-On automatically uses the Kerberos principal together with the domain controller's domain name during authentication.
    Forced character case: Selects the character case applied to the user ID: No change, UPPERCASE, or lowercase. The UserId is presented to the user store in the selected format.
  Return UserId to User Store: If selected, user store searches use the original UserId instead of the value modified by the UserId Format parameter. For example, the UserId from the authentication could be atsso\abcxyz, while the value abcxyz is used to search the user store.

SecurID Editor
  ACE/Server Configuration Path: The full path to the sdconf.rec file. This file is used to contact the RSA SecurID server.
CAC (certificate) Editor
  Name: Name for the Certificate and CAC authentication module.
  Use OCSP: Select Use OCSP to validate certificates with an OCSP responder. BMC recommends OCSP for validation. Note: The clock skew between the BMC Atrium Single Sign-On server and the OCSP server must not exceed 15 minutes; otherwise, certificate authentication fails. See Clock skew too great for CAC authentication (see page 331).
  Certificate Field for User Profile: Select the certificate field that identifies the user profile: Subject CN (Common Name attribute of the Subject DN), Subject DN (Distinguished Name), Subject UID (UID attribute of the Subject DN), Email, None, or Other.
Forwarded Certificates
  When the server runs behind a load balancer or reverse proxy, ownership of the private key cannot be verified through the SSL/TLS connection, because that connection terminates at the fronting server. For this reason, the BMC Atrium Single Sign-On server accepts forwarded certificates only from fronting servers that are listed as trusted hosts; a certificate header arriving from any other source is not trusted.
  Forwarded Certificate List: The list of trusted host names that you add with the Trusted Host Name field. To remove a host, select the trusted host name and click Remove.
  Trusted Host Name: The name of a host from which a forwarded certificate can be trusted.
  Certificate HTTP Header Name: The name of the HTTP header in which the forwarded certificate is passed.
Certificate Revocation Lists (CRL)
  Use CRL: Select Use CRL to validate certificates against a Certificate Revocation List (CRL). Note: BMC does not recommend the CRL approach because of the performance load of ever-growing CRLs.
  LDAP Server Where Certificates are Stored: The host and port of the LDAP server where the certificates are stored, in the form host:port.
  LDAP Start Search DN: The DN of the node at which the search within the LDAP server starts. The account used to connect to the LDAP server must have sufficient privileges to perform the search.
  LDAP Server Password, Confirm LDAP Server Password: The password, and its confirmation, for connecting to the LDAP server.
  Check CA with CRL: When verifying a certificate, also check the CA certificate that signed it against the CRL.
  Use SSL/TLS: If you use SSL, the LDAP server certificate must be imported into the BMC Atrium Single Sign-On truststore so that an SSL connection to the LDAP server can be established.
  Trusted Certificates: Browse your desktop to upload a trusted certificates file; once uploaded, the file appears in the trusted certificates list. To remove a file, select it and click Remove.
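The Forwarded Certificates settings encode one decision that is easy to get wrong in a proxied deployment: a certificate that arrives in an HTTP header proves nothing by itself, because any client can add that header, so it may be believed only when the connection comes from a listed fronting server. The following added example, not BMC code, shows that decision in isolation. CAC_SETTINGS, the host names, the header name and SAMPLE_PEM are constructed, and the certificate is treated as an opaque string; in real code the selected certificate would go on to chain validation and OCSP or CRL checking.

```python
# Added example (not BMC code): the trust decision implied by the Forwarded
# Certificates settings. CAC_SETTINGS, the host names and SAMPLE_PEM are
# constructed; the certificate is an opaque string here, and revocation
# checking (OCSP/CRL) would follow this step.

CAC_SETTINGS = {
    "trusted_hosts": {"lb1.example.com", "proxy.example.com"},   # Forwarded Certificate List
    "certificate_header": "X-Client-Cert",                       # Certificate HTTP Header Name
}

SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIB(constructed placeholder)\n-----END CERTIFICATE-----"


def select_client_certificate(peer_host, tls_client_cert, headers, settings=CAC_SETTINGS):
    """Decide which certificate, if any, identifies the user.

    peer_host        the host that opened the TCP/TLS connection to this server
    tls_client_cert  certificate the peer proved possession of in the TLS handshake, or None
    headers          the request's HTTP headers (names compared case-insensitively)
    Returns (certificate_or_None, reason).
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    forwarded = lowered.get(settings["certificate_header"].lower())

    if peer_host in settings["trusted_hosts"]:
        # Behind a listed front end the TLS peer is the proxy itself, so only the
        # header can carry the user's certificate.
        if forwarded is None:
            return None, "front end %s forwarded no certificate" % peer_host
        return forwarded, "forwarded by %s" % peer_host

    if tls_client_cert is not None:
        # Direct client: private-key ownership was verified in the handshake.
        # Any forwarded-certificate header it sent is ignored.
        return tls_client_cert, "proven in the TLS handshake"

    if forwarded is not None:
        # Anyone can add this header; from an unlisted peer it is an impersonation attempt.
        return None, "rejected %s header from untrusted peer %s" % (
            settings["certificate_header"], peer_host)

    return None, "no certificate presented"
```

Keep the trusted host list to the fronting servers only, and make sure those servers strip any client-supplied copy of the header before adding their own; otherwise a client behind the proxy could supply a certificate the proxy never saw, and the server would accept it because the connection comes from a trusted host.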
Create Identity Provider Parameters
Description
Name
Name for the remote IdP.
URL
Select URL to acquire the remote IdP metadata from the URL location. Specify the FQDN of the host, including the port and any required path information. This URL is IdP-specific. For information on the metadata URL, consult the IdP documentation. For information about providing IdP metadata from another Atrium Single Sign-On server, see Providing IdP metadata from another Atrium Single Sign-On server (see page 229)
File Upload
Select File Upload to upload a file that contains the remote IdP metadata.
BMC Atrium Single Sign-On 8.1
Page 228 of 389
BMC Software Confidential
Home
Providing IdP metadata from another Atrium Single Sign-On server When using another Atrium Single Sign-On server as an IdP, the following URL template is used to access the metadata needed by the SP: https://:/atriumsso/saml2/jsp/exportmetadata.jsp?role=idp&realm=BmcRealm&entityid= In this case:
host is the FQDN of the BMC Atrium Single Sign-On server hosting the IdP. port is the port used for secure communication of the BMC Atrium Single Sign-On server hosting the IdP. entityid is the name of the IdP hosted by the BMC Atrium Single Sign-On server. For example:
https://idp.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp?role=idp&realm=BmcRealm&entityid=https://idp:1844
Create Service Provider

Name: Name for the remote SP.

URL: Select URL to acquire the remote SP metadata from the URL location. Specify the FQDN of the host, including the port and any required path information. This URL is SP-specific; for the metadata URL, consult the SP documentation. For information about providing SP metadata from another Atrium Single Sign-On server, see Providing SP metadata from another Atrium Single Sign-On server (see page 229).

File Upload: Select File Upload to upload a file that contains the remote SP metadata.
Providing SP metadata from another Atrium Single Sign-On server

For accessing SP metadata, the following URL syntax is used:

https://<host>:<port>/atriumsso/saml2/jsp/exportmetadata.jsp?role=sp&realm=BmcRealm&entityid=<entityid>

In this case:

host is the FQDN of the server hosting the SP.
port is the port used for secure communications of the server hosting the SP.
entityid is the name of the SP hosted by the server.

For example:

https://sp.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp?role=sp&realm=BmcRealm&entityid=https://sp:8443/a
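Whether the remote provider's metadata arrives from the export URL above or from File Upload, it is worth inspecting before it is imported into the Create Identity Provider or Create Service Provider dialog: the entityID should be the one you expect, the file must carry the role you are creating (IdP metadata has an IDPSSODescriptor, SP metadata an SPSSODescriptor), a signing certificate must be present so signed messages can be verified, and the endpoints should be HTTPS. The following Python is an added example written for this page, not BMC's or OpenAM's code; the entity ID, host names and endpoint paths in the sample metadata are constructed, and the certificate body is a placeholder.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}

# Role descriptor and endpoint element that each kind of metadata must carry.
ROLE_SPEC = {
    "idp": ("md:IDPSSODescriptor", "md:SingleSignOnService"),
    "sp": ("md:SPSSODescriptor", "md:AssertionConsumerService"),
}


def inspect_metadata(xml_text, expected_role, expected_entity_id=None):
    """Summarise remote SAMLv2 metadata; ok is False if anything would make the import unsafe.

    Metadata from a remote party is untrusted input: for production use parse it with
    defusedxml rather than the stdlib parser used here for portability.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return {"ok": False, "problems": ["root element is not md:EntityDescriptor"]}
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("EntityDescriptor has no entityID")
    elif expected_entity_id and entity_id != expected_entity_id:
        problems.append(f"entityID {entity_id!r} differs from expected {expected_entity_id!r}")
    role_tag, endpoint_tag = ROLE_SPEC[expected_role]
    role = root.find(role_tag, NS)
    if role is None:
        problems.append(f"no {role_tag}: this is not {expected_role.upper()} metadata")
        return {"ok": False, "entity_id": entity_id, "problems": problems}
    # A KeyDescriptor without a use attribute serves both signing and encryption.
    signing_certs = 0
    for kd in role.findall("md:KeyDescriptor", NS):
        has_cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
        if kd.get("use") in (None, "signing") and has_cert:
            signing_certs += 1
    if signing_certs == 0:
        problems.append("no signing certificate: signed messages from this provider cannot be verified")
    bindings = set()
    for ep in role.findall(endpoint_tag, NS):
        bindings.add(ep.get("Binding", "").rsplit(":", 1)[-1])
        location = ep.get("Location", "")
        if not location.startswith("https://"):
            problems.append(f"endpoint {location!r} is not HTTPS")
    if not bindings:
        problems.append(f"no {endpoint_tag} endpoint")
    return {
        "ok": not problems,
        "entity_id": entity_id,
        "role": expected_role,
        "signing_certs": signing_certs,
        "bindings": bindings,
        "problems": problems,
    }


# Constructed IdP metadata (hosts, paths and entity ID are invented; the certificate is a placeholder).
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test:8443/idp">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test:8443/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test:8443/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for role in ("idp", "sp"):
        print(role, inspect_metadata(SAMPLE_IDP_METADATA, role, "https://idp.example.test:8443/idp"))
```

The same function checks a file you are about to upload as SP metadata by passing expected_role="sp"; the sample above then fails, which is the point: IdP metadata mistakenly imported through the Create Service Provider dialog is rejected before it reaches the configuration.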
Local Identity Provider (IdP) Editor
Name: Name for the IdP, or accept the provided IdP name. The Name field is pre-populated with a value that reflects the expected IdP name.

Binding: This option determines the way in which SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and Post are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with Post.

Sign Messages
  Signing Certificate Alias: The alias specifies the certificate that is used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the IdP.
  Authentication Request, Logout Request, Logout Response, Manager Name ID Request, Manager Name ID Response, and Artifact Resolve: These parameters are the SAMLv2 messages that are to be signed by the IdP or are expected to have been signed by the SP.

Encrypt Elements
  Encryption Certificate Alias: The alias specifies the private key that is used to encrypt the secret key used to encrypt the SAMLv2 messages.
  Encryption Algorithm: The encryption algorithm used to encrypt SAMLv2 messages. Select None, 3DES, AES-128, or AES-256 from the drop-down menu.
  Name ID: Specifies whether to encrypt the Name ID or leave it in plain text.

Assertion Time
  Not-Before Skew (seconds): To compensate for clock drift between remote machines, this value specifies how long before the issue time in the message a received message is still considered valid.
  Effective Time (seconds): Amount of time that an assertion is valid, counting from the assertion's issue time.

Attribute Mapping: Attribute Mapping takes user attributes (such as email or phone number) from the external user store and maps them to the attributes used within the BMC Atrium Single Sign-On system. A mapping is defined by entering the Name In Assertion, selecting from the drop-down the Local Attribute Name that the attribute maps to, and clicking Add to put the new mapping into the table.
Local Service Provider (SP) Editor

Name: Name for the SP, or accept the provided SP name. The Name field is pre-populated with a value that reflects the expected SP name.

MetaAlias: The internally generated identifier for the entity. This value is used in the SAMLv2 login URL specified in the agent's configuration.

Binding: This option determines the way in which SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and Post are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with Post.

Artifact Encoding: The encoding technique used for Assertion Artifacts. The encoding method is determined by the IdP and is usually related to the binding method. From the drop-down menu, select URI or FORM.

Sign Messages
  Signing Certificate Alias: The alias specifies the certificate that is used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the SP.
  Authentication Request, Logout Request, Logout Response, Manager Name ID, Artifact Resolve, and Post Resolve: These parameters are the SAMLv2 messages that are to be signed by the SP or are expected to have been signed by the SP.

Encrypt Elements
  Encryption Certificate Alias: The alias specifies the private key that is used to encrypt the secret key used to encrypt the SAMLv2 messages.
  Encryption Algorithm: The encryption algorithm used to encrypt SAMLv2 messages. Select None, 3DES, AES-128, or AES-256 from the drop-down menu.
  Assertion, Attribute, Name ID: Specifies whether to encrypt the Assertion, Attribute, and Name ID or leave them in plain text.

Assertion Time
  Not-Before Skew (seconds): To compensate for clock drift between remote machines, this value specifies how long before the issue time in the message a received message is still considered valid.
  Effective Time (seconds): Amount of time that an assertion is valid, counting from the assertion's issue time.

SOAP Basic Authentication: SOAP Basic authentication can be enabled to protect the SOAP SP endpoints. Any provider accessing these endpoints must provide these user name and password values.

Attribute Mapping: Attribute Mapping takes user attributes (such as email or phone number) from the external user store and maps them to the attributes used within the BMC Atrium Single Sign-On system. A mapping is defined by entering the SAML Attribute, selecting from the drop-down the Atrium SSO Attribute that the external attribute maps to, and clicking Add to put the new mapping into the table.

Auto Federation: Allows BMC Atrium Single Sign-On to use an attribute of the Assertion from the IdP to automatically create an identity within the BMC Atrium Single Sign-On system. The identity is created by bypassing the initial double login normally performed when federating a user account with SAMLv2.

Name ID Format: Defines the name identifier formats supported by the service provider. Name identifiers are a way for providers to communicate with each other regarding a user. The Name ID format list is an ordered list: the first Name ID has the highest priority in determining the Name ID format to use. If the user does not specify a Name ID to use when initiating single sign-on, the first one in this list that is supported by the remote Identity Provider is chosen. A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary, and no data is written to the user's persistent data store. Note: For linking user accounts from the SP and the IdP (Remote Identity Provider) together after logging in, the persistent nameID format must be at the top of the list.

Authentication Context: This attribute maps the SAMLv2-defined authentication context classes to the authentication level set for the user session for the service provider.
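The two Assertion Time values in the Local IdP and Local SP editors above define a single acceptance window: a message is accepted from Not-Before Skew seconds before its issue time up to (but not including) Effective Time seconds after it. The Python below is an added illustration of that window, not code from BMC Atrium Single Sign-On; the timestamps are constructed, and the 600-second values are sample settings rather than the product defaults.

```python
from datetime import datetime, timedelta, timezone


def parse_saml_instant(text):
    """SAML IssueInstant values are UTC with a trailing Z, e.g. 2014-01-16T12:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_window(issue_instant, not_before_skew, effective_time):
    """Acceptance window for an assertion issued at issue_instant.

    not_before_skew widens the window backwards to absorb clock drift between
    the issuer and the receiver; effective_time bounds it forwards.  Both are
    seconds, as in the editor.
    """
    not_before = issue_instant - timedelta(seconds=not_before_skew)
    not_on_or_after = issue_instant + timedelta(seconds=effective_time)
    return not_before, not_on_or_after


def classify_assertion_time(issue_instant, received_at, not_before_skew, effective_time):
    """Return 'valid', 'too_early' (receiver clock behind by more than the skew) or 'expired'."""
    not_before, not_on_or_after = assertion_window(issue_instant, not_before_skew, effective_time)
    if received_at < not_before:
        return "too_early"
    if received_at >= not_on_or_after:
        return "expired"
    return "valid"


def skew_needed(issuer_clock, receiver_clock):
    """Seconds of Not-Before Skew a receiver whose clock lags the issuer needs.

    A receiver that runs ahead needs none: being ahead only shortens the
    usable part of Effective Time.
    """
    return max(0, int((issuer_clock - receiver_clock).total_seconds()))


if __name__ == "__main__":
    issued = parse_saml_instant("2014-01-16T12:00:00Z")   # constructed issue time
    for when in ("11:49:59", "11:55:00", "12:09:59", "12:10:00"):
        received = parse_saml_instant(f"2014-01-16T{when}Z")
        print(when, classify_assertion_time(issued, received, 600, 600))
```

Keeping the skew small and the effective time short limits how long a captured assertion remains replayable, which is why both values are worth reviewing rather than left at whatever was convenient during integration testing.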
Remote Identity Provider (IdP) Editor

Name: Name for the IdP, or accept the provided IdP name. The Name field is pre-populated with a value that reflects the expected IdP name.

Binding: This option determines the way in which SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and Post are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with Post.

Sign Messages
  Signing Certificate Alias: The alias specifies the certificate that is used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the IdP.
  Authentication Request, Logout Request, Logout Response, Manager Name ID Request, Manager Name ID Response, and Artifact Resolve: These parameters are the SAMLv2 messages that are to be signed by the IdP or are expected to have been signed by the SP.

Encrypt Elements
  Encryption Certificate Alias: The alias specifies the private key that is used to encrypt the secret key used to encrypt the SAMLv2 messages.
  Encryption Algorithm: The encryption algorithm used to encrypt SAMLv2 messages. Select None, 3DES, AES-128, or AES-256 from the drop-down menu.
  Name ID: Specifies whether to encrypt the Name ID or leave it in plain text.
Remote Service Provider (SP) Editor

Name: Name for the SP, or accept the provided SP name. The Name field is pre-populated with a value that reflects the expected SP name.

MetaAlias: The internally generated identifier for the entity. This value is used in the SAMLv2 login URL specified in the agent's configuration.

Binding: This option determines the way in which SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and Post are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with Post.

Artifact Encoding: The encoding technique used for Assertion Artifacts. The encoding method is determined by the IdP and is usually related to the binding method. From the drop-down menu, select URI or FORM.

Sign Messages
  Signing Certificate Alias: The alias specifies the certificate that is used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the SP.
  Authentication Request, Logout Request, Logout Response, Manager Name ID, Artifact Resolve, and Post Resolve: These parameters are the SAMLv2 messages that are to be signed by the SP or are expected to have been signed by the SP.

Encrypt Elements
  Encryption Certificate Alias: The alias specifies the private key that is used to encrypt the secret key used to encrypt the SAMLv2 messages.
  Encryption Algorithm: The encryption algorithm used to encrypt SAMLv2 messages. Select None, 3DES, AES-128, or AES-256 from the drop-down menu.
  Assertion, Attribute, Name ID: Specifies whether to encrypt the Assertion, Attribute, and Name ID or leave them in plain text.

SOAP Basic Authentication: SOAP Basic authentication can be enabled to protect the SOAP SP endpoints. Any provider accessing these endpoints must provide these user name and password values.

Attribute Mapping: Attribute Mapping takes user attributes (such as email or phone number) from the external user store and maps them to the attributes used within the BMC Atrium Single Sign-On system. A mapping is defined by entering the SAML Attribute, selecting from the drop-down the Atrium SSO Attribute that the external attribute maps to, and clicking Add to put the new mapping into the table.
10.1.6 Agent manager

The Agent manager provides an Agent panel that allows you to edit, delete, and search for an agent, and shows each agent's name, realm, and state. The state indicates whether the agent is running or is down. When searching for an agent, * returns all of the names; the search applies to all columns in the agent panel, and an agent is returned for display when the filter string is found within any of these values. This lets you filter the list to the running agents by specifying "Running".
Agent Editor

The Agent Editor allows you to modify the configuration of an agent. By modifying the agent configuration, you can correct problems caused by environment difficulties. For example, a remote host may report its FQDN (Fully Qualified Domain Name) incorrectly, using a plain name such as machine instead of machine.bmc.com. The Agent Editor is launched when you select an agent and click Edit. The Agent Editor has the following options:

Save to save your modifications.
Reset to remove your modifications and stay on the editor.
Help launches a browser that provides you with online help.
Cancel to cancel and return to the launch page.

Notification URL: The URL where the agent receives notifications from the server about session logouts. It is composed of the product's base URI with "/atsso" concatenated to the end. For example, https://sample.bmc.com/arsys/atsso

Status: Determines whether the agent is enforcing SSO authentication (active) or not (inactive).

Logging Level: The level of logging the agent performs in the product.

Redirect Limit: The number of times that the agent redirects the browser to the server for authentication before signaling an error; 0 means infinite.

Password and Confirm Password: Password used by the agent to access its configuration in the SSO server.

Cookie Name: The name of the cookie that the agent checks for the SSO session token. It should match the cookie name in the server configuration. Note: To ensure browser compatibility, the cookie name should contain only alphanumeric and underscore characters.

Login URI and Logout URI: The login and logout URIs are the locations to which the agent sends users' browsers when the specified function is needed. When an agent is federated, the login and logout URLs for the agent must be modified to interact with the IdP.

Login Probe and Logout Probe: The probe validates that the destination is accessible before sending the user to the location. If it is not, the agent tells the user that the SSO system is inaccessible. The probe should be turned off in environments where the URI cannot be contacted from the agent's environment, such as when the URI contains a host that is to be accessed through a reverse proxy.

Enable Cache: Select this option to enable the session cache. Disabling the cache has a severe performance impact.

Fully Qualified Domain Name Mapping: FQDN mapping allows the agent to fix the URL used to access the application so that the browser sends cookies to the application. The SSO session is identified through cookies. When a URL does not use an FQDN host name, the browser does not know the domain of the server and therefore does not send any cookies to the server.

FQDN of Agent Host: The FQDN of the host where the agent is located. Enabling FQDN mapping causes the agent to forward requests from the entered host names to the entered FQDN.

Trigger host list and Trigger Host Name: The hosts that trigger the FQDN redirect. The Trigger host list allows you to remove a host from the list. Trigger Host Name allows you to add a host to the Trigger host list.

Not Enforced URI and URI: The Not Enforced URI field allows you to remove URIs from the Not Enforced URI list. The URI field allows you to add a URI to the Not Enforced URI list.
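Several of the Agent Editor settings above interact on every request: a trigger host is rewritten to the agent's FQDN before anything else (otherwise the browser never sends the session cookie), a not-enforced URI is served without SSO, a request carrying the SSO cookie is allowed, and a request without one is sent to the Login URI unless the Redirect Limit has been reached. The Python below is an added model of that decision order, written for this page and not taken from the BMC agent; the host names, cookie name and login URL are constructed, it assumes Not Enforced URIs are glob patterns, and cookie presence stands in for the token validation the real agent performs against the server.

```python
from fnmatch import fnmatch
from urllib.parse import quote, urlsplit, urlunsplit


class AgentConfig:
    """The Agent Editor values this example uses; field names follow the editor."""

    def __init__(self, cookie_name, login_uri, redirect_limit=0, fqdn_mapping=False,
                 agent_fqdn=None, trigger_hosts=(), not_enforced_uris=()):
        self.cookie_name = cookie_name
        self.login_uri = login_uri
        self.redirect_limit = redirect_limit            # Redirect Limit; 0 means infinite
        self.fqdn_mapping = fqdn_mapping                # Fully Qualified Domain Name Mapping
        self.agent_fqdn = agent_fqdn                    # FQDN of Agent Host
        self.trigger_hosts = set(trigger_hosts)         # Trigger host list
        self.not_enforced_uris = tuple(not_enforced_uris)  # Not Enforced URI list (glob patterns assumed)


def agent_decision(cfg, request_url, cookies, redirect_count=0):
    """Decide what the agent does with one request.

    Returns an (action, detail) pair:
      ("redirect_fqdn", url)   host is a trigger host: rewrite to the FQDN so the browser sends cookies
      ("allow", None)          URI is not enforced, or the SSO cookie is present
      ("redirect_login", url)  no SSO cookie: send the browser to the Login URI
      ("error", message)       Redirect Limit reached without a session being established
    """
    parts = urlsplit(request_url)
    host = parts.hostname or ""
    if cfg.fqdn_mapping and cfg.agent_fqdn and host in cfg.trigger_hosts:
        netloc = cfg.agent_fqdn if parts.port is None else f"{cfg.agent_fqdn}:{parts.port}"
        return "redirect_fqdn", urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    if any(fnmatch(parts.path, pattern) for pattern in cfg.not_enforced_uris):
        return "allow", None
    if cookies.get(cfg.cookie_name):
        # The real agent validates the token with the SSO server; presence stands in for that here.
        return "allow", None
    if cfg.redirect_limit and redirect_count >= cfg.redirect_limit:
        return "error", "Redirect Limit reached: the SSO server did not establish a session"
    return "redirect_login", f"{cfg.login_uri}?goto={quote(request_url, safe='')}"


if __name__ == "__main__":
    # Constructed configuration mirroring the editor's "machine" vs "machine.bmc.com" example.
    cfg = AgentConfig(cookie_name="atsso_session",
                      login_uri="https://sso.example.test:8443/atriumsso/login",
                      redirect_limit=3, fqdn_mapping=True, agent_fqdn="machine.bmc.com",
                      trigger_hosts={"machine", "localhost"},
                      not_enforced_uris=("/arsys/health", "/arsys/static/*"))
    print(agent_decision(cfg, "http://machine/arsys/home", {}))
    print(agent_decision(cfg, "https://machine.bmc.com/arsys/home", {}))
    print(agent_decision(cfg, "https://machine.bmc.com/arsys/home", {"atsso_session": "token"}))
```

The ordering is what makes FQDN mapping effective: if the cookie check ran first, a request to the plain host name would never carry the cookie, the agent would keep redirecting to login, and the Redirect Limit would eventually turn a configuration problem into an error page.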
10.1.7 HA Nodes manager

The HA Nodes manager is launched from the Administrator Console: on the HA Pie Chart, click Expand. The HA Nodes manager provides an HA Nodes panel that allows you to edit, delete, and search for an HA node. In addition, you can click Return to Console to return to the BMC Atrium SSO Admin Console.

When searching for an HA node, * for each respective panel returns all of the names. A single letter such as m returns all names with the letter m in the host name. A short string such as mc returns names that have mc in the host name (for example, atrium-sso-vm2.bmc.com). You can sort HA Nodes by each of the columns in the panel: Host Name, Port, and Status.

When you edit a host, the Server Configuration Editor pops up. The Server Configuration Editor provides the parameters that must be updated when you install or configure the BMC Atrium Single Sign-On server. The following topics are provided: Server Configuration Editor parameters; HTTP Only and HTTPS Only.
Server Configuration Editor parameters

Cookies
  Cookie Name: The cookie name is automatically created at install time for the BMC Atrium Single Sign-On server. It is generated based upon the FQDN of the BMC Atrium Single Sign-On host.
  Cookie Domain: The default cookie domain value is the network domain of the computer on which you are installing the server. The default cookie domain specifies the most restrictive access. This value is used to control cookie visibility between servers within the domain. For more information about the default cookie domain, see Default cookie domain.
  HTTP Only: Select the HTTP Only check box to mark the BMC Atrium Single Sign-On cookie so that non-HTTP APIs such as JavaScript cannot access it. For more information about the HTTP Only parameter, see HTTP Only and HTTPS Only (see page 236).
  HTTPS Only: Select the HTTPS Only check box to mark the cookie with the Secure option, which ensures that the cookie is transmitted only over HTTPS connections from the browser to the server. For more information about the HTTPS Only parameter, see HTTP Only and HTTPS Only (see page 236).

amAdmin
  Password & Confirm Password: The password for accessing the BMC Atrium Single Sign-On server.

External URL: FQDN for the BMC Atrium Single Sign-On server.

Logging Level: Logging level options are Off, Error, Warning, or Message. Error returns the least information and Message the most.

Enable FIPS-140: Be sure to configure FIPS-140 before enabling; see Configuring FIPS-140 mode (see page 251).

Online Certificate Status Protocol: CAC can use OCSP. If CAC is using OCSP, be sure to configure CAC before enabling. If CAC isn't using OCSP, configuration is not required. To enable, provide the Server URL and select Enable OCSP.

Session
  Max Session Time: Time after which your session is logged out even when you are active. The default time is 120 minutes. The time constraints are automatically enforced when this value is selected. Note: The Max Session Time value should be more than the Idle Timeout value.
  Idle Timeout: Time after which your session is logged out if you are inactive or away. The default time is 30 minutes. The time constraints are automatically enforced when this value is selected. Note: When you have integrated BMC Atrium SSO with BMC Remedy AR System, the Idle Timeout value should be 3 minutes more than the BMC Mid Tier idle timeout value.
  Cache Time: Time after which the cache is cleared. Time constraints are automatically enforced. The default time is 3 minutes.
  Max Session Count per User: Maximum number of concurrent sessions allowed for a user. The default value is 5. Click Enable to enable Max Session Count per User. When the session limit is exceeded, select the desired behavior: the two options are Delete Oldest or Block New.
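The Session parameters above are easier to reason about as one policy: an absolute lifetime (Max Session Time), an inactivity timer that is reset by each request (Idle Timeout), a per-user cap, and a choice of what happens at the cap (Delete Oldest or Block New). The Python below is an added model written for this page, not BMC Atrium Single Sign-On code; it uses the documented defaults (120, 30 and 5) as its defaults, the user names and tokens are constructed, and the Cache Time setting is left out because it does not affect session validity.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SessionPolicy:
    """Session values from the Server Configuration Editor; defaults as documented."""
    max_session_minutes: int = 120      # Max Session Time
    idle_timeout_minutes: int = 30      # Idle Timeout
    max_sessions_per_user: int = 5      # Max Session Count per User
    on_limit: str = "delete_oldest"     # "delete_oldest" or "block_new"

    def validate(self):
        # The editor's note: Max Session Time must exceed Idle Timeout, otherwise
        # the idle timer can never fire before the absolute limit does.
        if self.max_session_minutes <= self.idle_timeout_minutes:
            raise ValueError("Max Session Time must be greater than Idle Timeout")
        if self.on_limit not in ("delete_oldest", "block_new"):
            raise ValueError("on_limit must be delete_oldest or block_new")


@dataclass
class Session:
    user: str
    token: str
    created: datetime
    last_seen: datetime


class SessionStore:
    def __init__(self, policy):
        policy.validate()
        self.policy = policy
        self.sessions = {}      # token -> Session

    def _expire(self, now):
        """Drop sessions that hit either timer; return {token: reason} for what was dropped."""
        p = self.policy
        gone = {}
        for token, s in list(self.sessions.items()):
            if now - s.created >= timedelta(minutes=p.max_session_minutes):
                gone[token] = "max_time"
            elif now - s.last_seen >= timedelta(minutes=p.idle_timeout_minutes):
                gone[token] = "idle_timeout"
        for token in gone:
            del self.sessions[token]
        return gone

    def create(self, user, token, now):
        """Open a session for user; returns False when Block New refuses it."""
        self._expire(now)
        live = sorted((s for s in self.sessions.values() if s.user == user), key=lambda s: s.created)
        if len(live) >= self.policy.max_sessions_per_user:
            if self.policy.on_limit == "block_new":
                return False
            del self.sessions[live[0].token]        # Delete Oldest
        self.sessions[token] = Session(user, token, now, now)
        return True

    def touch(self, token, now):
        """Record activity on a session; returns active, idle_timeout, max_time or unknown."""
        reason = self._expire(now).get(token)
        if reason:
            return reason
        s = self.sessions.get(token)
        if s is None:
            return "unknown"
        s.last_seen = now
        return "active"


if __name__ == "__main__":
    t0 = datetime(2014, 1, 16, 15, 56)              # constructed clock
    store = SessionStore(SessionPolicy(max_sessions_per_user=2))
    for i, token in enumerate(("t1", "t2", "t3")):
        print("create", token, store.create("alice", token, t0 + timedelta(minutes=i)))
    print("t1 after eviction:", store.touch("t1", t0 + timedelta(minutes=3)))
    print("t2 after 31 idle minutes:", store.touch("t2", t0 + timedelta(minutes=32)))
```

Delete Oldest keeps the user working at the cost of silently ending a session they may still be using elsewhere; Block New does the opposite, and is the setting that surfaces credential sharing or a leaked token as a visible login failure.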
HTTP Only and HTTPS Only

With the release of BMC Atrium Single Sign-On 8.1 Patch 3, the Server Configuration Editor provides two new options: HTTP Only and HTTPS Only. The HTTP Only parameter marks the BMC Atrium Single Sign-On cookie so that non-HTTP APIs such as JavaScript cannot access it. When you enable the HTTPS Only parameter, it marks the cookie with the Secure option, which ensures that the cookie is transmitted only over HTTPS connections from the browser to the server. The default value of these check boxes is false. When set to true, the option prevents scripts and third-party programs from accessing the cookies.
To secure BMC Atrium Single Sign-On as a stand-alone server

1. Open the Edit Server Configuration tab on the BMC Atrium Single Sign-On Admin Console.
2. Select the HTTP Only and HTTPS Only check boxes, and click Save.
3. Restart the BMC Atrium Single Sign-On server.
4. Clear all the existing cookies from the browser history.

To secure BMC Atrium Single Sign-On as a high-availability cluster

1. Open the HA Node Details tab on the BMC Atrium Single Sign-On Admin Console.
2. Select the node for which the HTTP Only and HTTPS Only options are to be enabled.
3. Select the HTTP Only and HTTPS Only check boxes for each node, and click Save.
   Note: Configuration warnings appear, saying that the HTTP Only and HTTPS Only features are out of sync for some nodes. You can ignore the warnings and click OK.
4. Restart the server.
5. Clear all the existing cookies from the browser history.

Note: A warning is displayed after the configuration change is saved when the HTTP Only, HTTPS Only, Cookie Name, or Cookie Domain setting is out of sync with other nodes. The warning message includes a list of other nodes that do not match the currently saved value.
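After the restart and cookie clean-up above, the quickest way to confirm that the change took effect is to look at the Set-Cookie header the server now sends for its session cookie and check for the HttpOnly and Secure attributes (and, on a cluster, that every node sends the same Domain). The Python below is an added checker written for this page, not a BMC utility; the two header sets are constructed to show the same server before and after the check boxes are enabled, and the cookie name atsso_session and domain bmc.com are invented stand-ins for the values in your Server Configuration Editor.

```python
import re


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value, attrs


def audit_sso_cookie(header_value, cookie_name, cookie_domain):
    """Compare the SSO cookie's attributes with the HTTP Only / HTTPS Only / Cookie Domain settings.

    Returns a list of findings (empty when the cookie is correctly marked), or None
    when the header is for some other cookie.
    """
    name, _, attrs = parse_set_cookie(header_value)
    if name != cookie_name:
        return None
    findings = []
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: HTTP Only is not in effect, scripts can read the token")
    if "secure" not in attrs:
        findings.append("Secure missing: HTTPS Only is not in effect, the token can be sent over plain HTTP")
    domain = attrs.get("domain", "")
    if domain.lstrip(".").lower() != cookie_domain.lstrip(".").lower():
        findings.append(f"Domain {domain!r} differs from the configured cookie domain {cookie_domain!r}")
    if not re.fullmatch(r"[A-Za-z0-9_]+", name):
        findings.append("cookie name uses characters outside [A-Za-z0-9_]")
    return findings


def audit_headers(header_lines, cookie_name, cookie_domain):
    """Run audit_sso_cookie over raw response header lines; None if the SSO cookie is not set."""
    for line in header_lines:
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            result = audit_sso_cookie(value.strip(), cookie_name, cookie_domain)
            if result is not None:
                return result
    return None


# Constructed response headers: the same server before and after enabling both check boxes.
BEFORE = [
    "HTTP/1.1 302 Found",
    "Set-Cookie: JSESSIONID=abc123; Path=/atriumsso",
    "Set-Cookie: atsso_session=AQIC5w...constructed; Domain=.bmc.com; Path=/",
]
AFTER = [
    "HTTP/1.1 302 Found",
    "Set-Cookie: JSESSIONID=abc123; Path=/atriumsso",
    "Set-Cookie: atsso_session=AQIC5w...constructed; Domain=.bmc.com; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(headers, "atsso_session", "bmc.com"))
```

On a high-availability cluster, run the same check against each node's address rather than only the load-balanced name: the out-of-sync warning in the note above describes exactly the situation in which one node still answers with an unmarked cookie.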
10.1.8 Server Configuration Editor

The Server Configuration Editor provides the parameters that must be updated when you install or configure the BMC Atrium Single Sign-On server. Its parameters and its HTTP Only and HTTPS Only options are the same as those described for the editor opened from the HA Nodes manager (section 10.1.7 above). The following topics are provided: Server Configuration Editor parameters (see page 237) HTTP Only and HTTPS Only (see page 238)
10.2 Managing keystores with a keytool utility

The default Tomcat server used by BMC Atrium Single Sign-On uses a keystore and a truststore for secure (HTTPS/Transport Layer Security) communications. These files are stored in the following directory: /BMC Software/AtriumSSO/tomcat/conf

For more information about using Certificate Authority (CA) certificates, see:

Creating new keystores (see page 240)
Using the keytool utility (see page 241)
Importing a certificate into the truststore (see page 243)
Generating and importing CA certificates
Generating self-signed certificates (see page 249)
Checking the truststore for certificates

The initial keystore created during the installation uses a self-signed certificate. This certificate causes browsers and other programs to warn users about the insecure nature of the certificate each time the user authenticates. The certificate warning can be prevented by doing one of the following:

Permanently importing the self-signed certificate into the user's truststore.
Obtaining and importing a signed identity certificate from a trusted CA. The CA vouches for the authenticity of the server's identity when the user visits BMC Atrium Single Sign-On for authentication. In this case, the user has an established trust relationship with the CA. This relationship is extended to BMC Atrium Single Sign-On after a digitally signed identity certificate is imported.

By default, BMC Atrium Single Sign-On is installed with a self-signed certificate. Although valid, this certificate causes warning messages when users access the server to perform authentication. The warning messages occur because the certificate is not signed by a CA.
10.2.1 Creating new keystores

The following topics provide information and instructions for creating new keystores: To create a new keystore (see page 240) Locations of keystore and truststores (see page 241) Example of creating a new keystore (see page 241)

To create a new keystore

1. From the command prompt, change your working directory to \AtriumSSO\tomcat\conf.
2. Create a new keystore by using a new password to secure the certificate:

Microsoft Windows:
keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keystore %CATALINA_HOME%\conf\keystore.p12 -validity 999 -keysize 1024 -storetype pkcs12 -storepass keystore_password -keypass keystore_password -providername JsafeJCE

UNIX:
keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keystore $CATALINA_HOME/conf/keystore.p12 -validity 999 -keysize 1024 -storetype pkcs12 -storepass keystore_password -keypass keystore_password -providername JsafeJCE

Note: Based on your requirements, you can use a keysize value of 1024 or 2048.

3. After the keystore has been created, you need to provide six parameters, which form a distinguished name for the certificate associated with the key:
CN - Common Name of the certificate owner (usually the FQDN of the host)
OU - Organizational Unit of the certificate owner
O - Organization to which the certificate owner belongs
L - Locality name of the certificate owner
ST - State or province of the certificate owner
C - Country of the certificate owner
4. Update the server.xml file with the new password for the keystore. For details, see the Tomcat documentation at http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#SSL.
Locations of keystore and truststores

With the BMC Atrium Single Sign-On default installation, the keystore and truststores are in the following locations:

Keystore: /tomcat/conf/keystore.p12
Tomcat truststore: /tomcat/conf/cacerts.p12
JVM truststore: /jvm/jre/lib/security/cacerts.p12

Example of creating a new keystore

The following is an example of how to create a new keystore:

C:\apache-tomcat-6.0.20>keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.p12 -validity 999 -keysize 1024 -storetype pkcs12 -storepass keystore_password -keypass keystore_password
Enter keystore password:
What is your first and last name?
  [Unknown]:  sample.bmc.com
What is the name of your organizational unit?
  [Unknown]:  BMC Atrium SSO
What is the name of your organization?
  [Unknown]:  BMC Software, Inc.
What is the name of your City or Locality?
  [Unknown]:  Austin
What is the name of your State or Province?
  [Unknown]:  TX
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US correct?
  [no]:  yes
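The interactive session above shows keytool quoting the organization because its value contains a comma (O="BMC Software, Inc."). When the same keystore is created from a script, the six values are passed as one string through keytool's -dname option, and any comma, plus, quote, backslash, angle bracket or semicolon inside a value must be escaped or keytool splits the name in the wrong place. The Python below is an added helper written for this page, not a BMC or JDK tool: it builds an escaped -dname string from the six parameters, parses it back for verification, and assembles (without running) the argument list for the page's genkey command; the keystore path and password are constructed placeholders, and the 2048-bit key size is the larger of the two values the note above allows.

```python
DN_SPECIALS = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape one attribute value the way RFC 4514 requires inside a -dname string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = (ch in DN_SPECIALS
                        or (ch == "#" and i == 0)
                        or (ch == " " and i in (0, last)))
        out.append("\\" + ch if needs_escape else ch)
    return "".join(out)


def build_dname(cn, ou, o, l, st, c):
    """Compose the distinguished name from the six parameters the page lists, in keytool's order."""
    if not (len(c) == 2 and c.isalpha() and c.isupper()):
        raise ValueError("C must be a two-letter upper-case country code")
    pairs = (("CN", cn), ("OU", ou), ("O", o), ("L", l), ("ST", st), ("C", c))
    return ", ".join(f"{key}={escape_rdn_value(value)}" for key, value in pairs)


def split_dname(dname):
    """Inverse of build_dname: split on unescaped commas and drop the escape characters."""
    fields, current, i = {}, [], 0
    while i < len(dname):
        ch = dname[i]
        if ch == "\\" and i + 1 < len(dname):
            current.append(dname[i + 1])
            i += 2
            continue
        if ch == ",":
            key, _, value = "".join(current).partition("=")
            fields[key.strip()] = value
            current = []
        else:
            current.append(ch)
        i += 1
    if current:
        key, _, value = "".join(current).partition("=")
        fields[key.strip()] = value
    return fields


def keytool_genkey_args(dname, keystore_path, password, keysize=2048):
    """Argument list for the page's genkey command with -dname added so it runs unattended.

    The flags mirror the command in "To create a new keystore"; -dname is keytool's own
    option for supplying the distinguished name.  Returned, not executed.
    """
    return ["keytool", "-genkey", "-alias", "tomcat", "-keyalg", "RSA", "-sigalg", "SHA1withRSA",
            "-keystore", keystore_path, "-validity", "999", "-keysize", str(keysize),
            "-storetype", "pkcs12", "-storepass", password, "-keypass", password,
            "-dname", dname]


if __name__ == "__main__":
    dn = build_dname("sample.bmc.com", "BMC Atrium SSO", "BMC Software, Inc.", "Austin", "TX", "US")
    print(dn)
    print(split_dname(dn))
    print(" ".join(keytool_genkey_args(dn, "keystore.p12", "keystore_password")))   # constructed values
```

Passing the argument list to subprocess.run (rather than joining it into a shell string) keeps the escaped commas and the store password intact; the password still appears in the process list while keytool runs, which is the same exposure the page's own command lines have.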
10.2.2 Using the keytool utility

The keytool utility is used to obtain a digitally signed identity certificate to replace the self-signed certificate. This utility is available with Oracle JDKs and BMC Atrium Single Sign-On. The keytool utility must be available within the shell command environment to generate a certificate signing request (CSR) or to import a CA-signed certificate. The following topics are provided: To verify that the keytool utility is available (see page 242) Setting up the environment (see page 242) Where to go from here (see page 243)

To verify that the keytool utility is available

1. Open a shell command window.
2. At the command prompt, invoke the keytool utility:
On Windows: Type keytool.exe, and press Enter.
On UNIX: Type keytool, and press Enter.
Note: The keytool utility from Oracle JDK Java 1.5 or 1.6 can also be used.
3. If the keytool utility is available, a help message is generated that shows the keytool options. The following is the help output relevant to generating the CSR:

-certreq     [-v] [-protected]
             [-alias <alias>] [-sigalg <sigalg>]
             [-file <csr_file>] [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

4. Proceed with generating and importing CA certificates. If the tool is not available, proceed with setting up the environment.
Setting up the environment
Before running the keytool utility, the PATH environment variable must include the directory that contains the keytool program. Add the following directory to the path:

Note
On UNIX, the keytool program is called keytool. On Windows, the program is keytool.exe.

On Windows: \BMC Software\AtriumSSO\jdk\bin
For example, set PATH=\BMC Software\AtriumSSO\jdk\bin;%PATH%

On UNIX: /BMC Software/AtriumSSO/jdk/bin
For example, PATH=/BMC Software/AtriumSSO/jdk/bin:$PATH; export PATH
Where to go from here Generating and importing CA certificates
10.2.3 Importing a certificate into the truststore
To establish secure communications with a remote server (such as a remote LDAP server), the certificate that the remote server presents, or the CA certificate that signed it, must be imported into the BMC Atrium Single Sign-On truststore. The certificate must be in printable DER format, that is, PEM (the DER bytes base64 encoded between BEGIN and END lines, file extension .pem), or in binary DER format (file extensions .cer, .crt, or .der). keytool accepts both forms.
Note For High Availability installations, the certificate must be imported on each node.
The following topics provide information and instructions for importing a certificate into the truststore: To import the certificate in Windows (see page 243) To import the certificate in UNIX (see page 244) Example of importing a new certificate to the truststore (see page 244) Example of a certificate in DER format (see page 245)
To import the certificate in Windows
1. Copy the file into the BMC Atrium Single Sign-On server's conf directory: \BMC Software\AtriumSSO\tomcat\conf
2. On the command line, change the working directory to: \BMC Software\AtriumSSO\tomcat\conf
3. Modify the environment to use the JDK that is installed with BMC Atrium Single Sign-On:
   set PATH=\jdk\bin;%PATH%
4. Run the keytool utility with the following parameters, passing the name of the file copied in step 1 to -file:

keytool -importcert -keystore %CATALINA_HOME%\conf\cacerts.p12 -trustcacerts -alias tomcat -keypass truststore_password -storepass truststore_password -file -storetype PKCS12 -providername JsafeJCE

Note
This keytool command is based on a default installation. Other values might be needed if BMC Atrium Single Sign-On was installed in an external Tomcat container or if the default truststore has been altered. The alias must also be unique within the truststore: keytool refuses to import a certificate under an alias that already exists, so when you import more than one certificate (for example, a root CA and an intermediate CA), give each its own descriptive alias rather than reusing tomcat.

5. Stop and restart the BMC Atrium Single Sign-On server.

To import the certificate in UNIX
1. Copy the file into the BMC Atrium Single Sign-On server's conf directory: /BMC Software/AtriumSSO/tomcat/conf
2. On the command line, change the working directory to: /BMC Software/AtriumSSO/tomcat/conf
3. Modify the environment to use the JDK installed with BMC Atrium Single Sign-On:
   PATH=/jdk/bin:$PATH; export PATH
4. Run the keytool utility with the following parameters, passing the name of the file copied in step 1 to -file:

keytool -importcert -keystore $CATALINA_HOME/conf/cacerts.p12 -trustcacerts -alias tomcat -keypass truststore_password -storepass truststore_password -file -storetype PKCS12 -providername JsafeJCE

Note
This keytool command is based on a default installation. Other values may be needed if BMC Atrium Single Sign-On was installed in an external Tomcat container or if the default truststore has been altered. As on Windows, use a distinct alias for each certificate you import.

5. Stop and restart the BMC Atrium Single Sign-On server.
Example of importing a new certificate to the truststore
The following is an example of how to import a certificate to the truststore:

C:\apache-tomcat-6.0.20\conf>keytool -import -keystore cacerts.p12 -trustcacerts -alias tomcat -keypass truststore_password -storepass truststore_password -file mykey.cer -storetype PKCS12 -providername JsafeJCE
Owner: CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US
Issuer: CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US
Serial number: 266df6fc
Valid from: Sat Jun 15 10:22:28 BST 2013 until: Thu Mar 10 09:22:28 GMT 2016
Certificate fingerprints:
         MD5:  43:C3:22:11:F1:5B:AD:66:73:C5:24:74:80:EF:4F:78
         SHA1: 72:05:0F:FE:25:50:F7:B8:4D:F5:E8:BA:8F:88:89:2B:96:93:BB:14
         SHA256: DA:9B:BA:85:2E:D2:45:74:3F:FB:D7:6A:D4:86:74:E8:B9:FA:9F:01:25:35:61:CA:00:D1:8C:2B:F8:F6:77:A4
         Signature algorithm name: SHA256withRSA
         Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore

Because Owner and Issuer are identical, this is a self-signed certificate, so nothing else vouches for it: before answering yes, compare the SHA256 fingerprint shown here with the fingerprint obtained on the system that exported the certificate.
Example of a certificate in DER format
The following is an example of a certificate in printable DER format, that is, a PEM file: the binary DER encoding, base64 encoded between BEGIN and END lines.

-----BEGIN CERTIFICATE-----
MIICxTCCAi4CCQCLjB2QrqlKazANBgkqhkiG9w0BAQUFADCBpjELMAkGA1UEBhMC
VVMxDjAMBgNVBAgMBVRleGFzMQ8wDQYDVQQHDAZBdXN0aW4xFTATBgNVBAoMDEJN
QyBTb2Z0d2FyZTEUMBIGA1UECwwLQXRyaXVtIENvcmUxJDAiBgNVBAMMG2libWMt
amJoYmJrMS5hZHByb2QuYm1jLmNvbTEjMCEGCSqGSIb3DQEJARYUYWRhbV9saW5l
aGFuQGJtYy5jb20wHhcNMTEwOTAxMjEyNDU4WhcNMzkwMTE3MjEyNDU4WjCBpjEL
MAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMQ8wDQYDVQQHDAZBdXN0aW4xFTAT
BgNVBAoMDEJNQyBTb2Z0d2FyZTEUMBIGA1UECwwLQXRyaXVtIENvcmUxJDAiBgNV
BAMMG2libWMtamJoYmJrMS5hZHByb2QuYm1jLmNvbTEjMCEGCSqGSIb3DQEJARYU
YWRhbV9saW5laGFuQGJtYy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
AMtRpEhBcegujENQ7ZefrlnZxmnH54oav9VNxv6nQqneJB8sQVqg1Z+zNUPzuLPF
bY2GTn/eSfXbL8RJgDnczGkL21XP8uH5NkOdBBYrcCnlV4pf+ZZxpBvmpJ1g/39L
OcEc7r2R0w8D+nST9x5w88g95cOrZV9hGy08XLt0Ep7XAgMBAAEwDQYJKoZIhvcN
AQEFBQADgYEAQUekME4Cv+cYCbccKNcUkjk4du8RZpZIM4PtXsqIxRYcjCCK3GQ2
Pr0fOTaAXR/qeL7x55r5ab6IIAmgx7zS9PsvEaFBoVhd26371cQxd7pY3ZOkEEpq
EvF8m2WKcJGE9yzFSBWvBndd4k2Vb7EOP/1ORak6LarwfSD24SKyY7M=
-----END CERTIFICATE-----
10.2.4 Generating and importing CA certificates
The following topics are provided:
Generating CSRs (see page 246)
Adding and removing a CA certificate (see page 248)

By default, BMC Atrium Single Sign-On is installed with a self-signed certificate. Although valid, this certificate causes warning messages when users access the server to perform authentication. The warning messages occur because the certificate is not signed by a CA.

To generate and import a CA signed identity certificate
1. Generate a CSR. The CSR must be sent to a CA to be digitally signed and returned. The CA signs the CSR with its private key, which vouches for the server's identity, and returns a signed identity certificate. For more information, see Generating CSRs (see page 246).
2. Import the certificates returned by the CA. The CA's root certificate and any intermediate certificates go into the BMC Atrium Single Sign-On truststore (cacerts.p12); see Importing a certificate into the truststore (see page 243). The signed identity certificate itself must be imported into the Tomcat server keystore (keystore.p12) under the alias of the key pair that produced the CSR (tomcat), where it replaces the self-signed certificate; see Importing the signed certificate (see page 248).
3. Stop and restart the Tomcat server.
Note The new CA certificate does not take effect until the Tomcat server is restarted.
4. Update all integrated application truststores with the new public key.

The following command shows how to generate a new certificate with the same algorithm and key size as the certificate generated during the installation. This certificate also includes alternative server names (a subjectAltName extension) that enable the server to be accessed through a different FQDN, which occurs when the BMC Atrium Single Sign-On server is running behind a load balancer or reverse proxy server or is accessed locally from the computer on which the server is executing. The -ext option requires the Java 7 keytool, which the JDK embedded with BMC Atrium Single Sign-On provides. Note that -sigalg SHA1withRSA only determines how the self-signed certificate written by -genkey is signed (the CA chooses the signature algorithm for the certificate it issues); because current browsers reject SHA-1 signed server certificates, prefer -sigalg SHA256withRSA if the self-signed certificate will be used directly.
keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -keystore "keystore.p12" -storepass internal4bmc -storetype pkcs12 -providername JsafeJCE -dname "CN=loadbalancer.bmc.com, OU=AtriumSSO Server, O=BMC, ST=TX, C=US" -ext "san=DNS:node1.bmc.com,DNS:node2.bmc.com"
The identity of the owner contains the FQDN of the BMC Atrium Single Sign-On server as the CN attribute of the Distinguished Name (DN).
Note The alternative server names can also be specified by the Certificate Authority (CA) when the server certificate is signed.
Generating CSRs
To obtain a CA signed certificate for BMC Atrium Single Sign-On, you need to generate a CSR.
To generate a CSR in Windows (see page 247)
To generate a CSR in UNIX (see page 247)
CSR Example (see page 247)
Importing the signed certificate (see page 248)
Where to go from here (see page 248)
To generate a CSR in Windows
1. On the command line, change the working directory to: \BMC Software\AtriumSSO\tomcat\conf
2. Modify the environment to use the JDK that is installed with BMC Atrium Single Sign-On:
   set PATH=\jdk\bin;%PATH%
3. Run the following keytool command:

keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore.p12 -storepass internal4bmc -storetype PKCS12 -providername JsafeJCE

To generate a CSR in UNIX
1. On the command line, change the working directory to: /BMC Software/AtriumSSO/tomcat/conf
2. Modify the environment to use the JDK installed with BMC Atrium Single Sign-On:
   PATH=/jdk/bin:$PATH; export PATH
3. Run the following keytool command:

keytool -certreq -alias tomcat -keyalg RSA -file certreq.csr -keystore keystore.p12 -storepass internal4bmc -storetype PKCS12 -providername JsafeJCE

Note
For both Windows and UNIX, the supplied default password for the BMC Atrium Single Sign-On Tomcat server keystore is internal4bmc. You will need to provide another password if the keystore is replaced with a locally-generated file. Because this default is published in the documentation, anyone with read access to keystore.p12 can extract the server's private key with it; change the password on production servers and update the keystorePass attribute of the https Connector in server.xml to match.
CSR Example
The command generates and saves the CSR in the certreq.csr file. The certreq.csr file is an example and has the following content:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBmDCCAQECAQAwWDEZMBcGA1UECxMQQXRyaXVtU1NPIFNlcnZlcjEVMBMGA1UEChMMQk1DIFNv
ZnR3YXJlMSQwIgYDVQQDExtpQk1DLUpCSEJCSzEuYWRwcm9kLmJtYy5jb20wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAJABuagV7e12Yu3m0LmNWEmVE4HXrdaB+uOyZFyKLZxO2e+WX3r9vc9q
al5VQSE1yME6ml53B9sWS2RWA5d8xDPW8ppQe3dqQdf3QDDzfXQ18MmZAfraSbv6Y2Tj0Oad10Uf
c8NUXYCvKNcmdHzkabaHuTOXuhfyGyzyCgFdd/jTAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQAx
oNCBNvnbYNHD02QOIXEP4eMd9HlfJjvJHtAS6SyibMEd00mq/BD5iV1TewwkmvJRn1BjmzGXNO1c
xbasQaHN9l0+HP4X6aWfRIJtq9GOj4d9Y2wb5L6SEsgnCtnvbHDsMR0AEBLPCR7nVJ4vgQsZ9xLj
EfQB8idnyyimIfoqqQ==
-----END NEW CERTIFICATE REQUEST-----
The keytool output (the contents of certreq.csr) must be sent to the CA for a digital signature.

Note
The Common Name (CN) of the certificate cannot be modified because the CN must match the host name of the server. If the names do not match, the browser issues a warning that the server is trying to impersonate another site. Current browsers check the host name against the subjectAltName extension when it is present and fall back to the CN only when it is absent, so every name that users connect with (including a load balancer FQDN) should be requested as a subjectAltName; see the -ext san example above.

Importing the signed certificate
After a CSR is signed by a CA, first import the signing root CA and any intermediate signing certificates into the truststore, following Importing a certificate into the truststore (see page 243). Then import the signed identity certificate into the Tomcat server keystore rather than the truststore: run the same keytool -importcert command, but with -keystore keystore.p12 (default password internal4bmc) and -alias tomcat, the alias of the key pair that produced the CSR. Because that alias already holds the private key, keytool treats the file as a CA reply and replaces the self-signed certificate with the signed one. keytool only accepts the reply if it can build a chain from it to a trusted root, using the certificates contained in the reply file, the trusted entries in keystore.p12 and, with -trustcacerts, the JRE cacerts file; if the import fails with an error about the chain, import the CA certificates into keystore.p12 as well, or obtain the reply from the CA as a PKCS#7 file that includes the chain.
Where to go from here Generating and importing CA certificates
Adding and removing a CA certificate
Adding another certificate is necessary when:
Common Access Card (CAC) authentication is used.
The Department of Defense (DoD) issues new CA certificates.
You are using SSL with LDAP for authentication.
By default, the BMC Atrium Single Sign-On truststore already contains the current certificates for CAC.
Adding a CA certificate To add another CA certificate see, Importing a certificate into the truststore (see page 243).
Note Replacing the self-signed certificate on the BMC Atrium Single Sign-On server invalidates the certificates that are already accepted by users. In addition, you need to install the new certificate into the truststore of all the integrated BMC applications.
Removing a CA certificate
Before removing a certificate, identify the alias of the certificate by listing the contents of the stores.

To list the contents of stores
1. To list the contents of the truststore, use the following command:

keytool -v -list -keystore cacerts.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE

2. To list the contents of the keystore, use the following command:

keytool -v -list -keystore keystore.p12 -storepass internal4bmc -storetype PKCS12 -providername JsafeJCE

To remove an existing certificate
1. To remove an existing certificate (identified by myAlias in this example) from the truststore, use the following command:

keytool -delete -alias myAlias -keystore cacerts.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE

2. To remove a certificate from the keystore, use the following command:

keytool -delete -alias myAlias -keystore keystore.p12 -storepass internal4bmc -storetype PKCS12 -providername JsafeJCE

Deleting the alias tomcat from keystore.p12 removes the server's private key together with its certificate, after which the HTTPS connector cannot start. Only delete keystore entries that the list output shows as trustedCertEntry, and back up both files before removing anything.
Where to go from here Generating and importing CA certificates
10.2.5 Generating self-signed certificates
BMC Atrium Single Sign-On is installed with a self-signed certificate. A self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. A self-signed certificate is used:
By the initial keystore created during installation of BMC Atrium Single Sign-On.
For configuring the Secure Sockets Layer (SSL) connection between the agent and the BMC Atrium Single Sign-On server.

To export the self-signed certificate
The following keytool -export command does not create a new key pair; it writes the existing self-signed certificate for the alias tomcat (the certificate only, never the private key) to a .cer file that can then be imported into the truststore of an agent, a browser, or another integrated product. To generate a new self-signed certificate and key pair, use keytool -genkey as shown in Example of creating a new keystore. Run the following command:
Microsoft Windows
keytool -export -alias tomcat -keystore %CATALINA_HOME%\conf\keystore.p12 -file %CATALINA_HOME%\conf\mykey.cer -storetype pkcs12 -storepass keystore_password -providername JsafeJCE
For example,
C:\Users\>keytool -export -alias tomcat -keystore keystore.p12 -file mykey.cer -storetype pkcs12 -storepass keystore_password -providername JsafeJCE Certificate stored in file
UNIX
keytool -export -alias tomcat -keystore $CATALINA_HOME/conf/keystore.p12 -file $CATALINA_HOME/conf/mykey.cer -storetype pkcs12 -storepass keystore_password -providername JsafeJCE
After you create a self-signed certificate, browsers and other programs issue warnings to users about an untrusted certificate each time the user authenticates, because no CA in their truststore vouches for it. You can prevent the certificate warning by importing the exported self-signed certificate into the truststore of each client (the browser's certificate store or the client JVM's truststore); for integrated BMC products, follow Importing a certificate into the truststore (see page 243).
10.2.6 Checking the truststore for certificates Check the contents of the BMC Atrium Single Sign-On truststore to verify that the certificate has been imported or that the Issuer (Signer) certificate has been imported. To perform this check, use the keytool utility to place the contents of the truststore into a text file to review the contents. The keytool utility is available in the Java Developer Kit (JDK) that is embedded with a BMC Atrium Single Sign-On installation. BMC recommends that you use this version of keytool.
To check the truststore for certificates
1. From the command prompt or shell window, change your working directory to: \AtriumSSO\tomcat\conf
2. Add the JDK bin directory to the PATH environment variable.
   (UNIX) PATH=/AtriumSSO/jdk/bin:$PATH; export PATH
   (Microsoft Windows) SET PATH=\AtriumSSO\jdk\bin;%PATH%
3. After the PATH variable is set, execute the following keytool command to place the contents into a certs.txt file:
   keytool -list -v -keystore cacerts.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE > certs.txt
4. Check the certs.txt file for the certificate. Each entry is listed under its Alias name with an Owner line and an Issuer line; for a peer certificate to validate, the certificate named in its Issuer line must itself be present as a trustedCertEntry. If the certificate is not in the truststore, import the desired certificate into the truststore.
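Step 4 leaves the review of certs.txt to the reader. The following Python script is an added example for this page (not BMC's or keytool's code): it parses the keytool -list -v layout shown in the import example earlier in this section, records which aliases are trustedCertEntry and which are PrivateKeyEntry, checks whether a given Issuer DN is itself present as a trusted entry, and flags certificates that are expired, expire within 90 days, are signed with MD2, MD5 or SHA-1, or whose issuer is missing from the store. The certs.txt content embedded in the script is constructed sample data in that layout; the alias names, DNs and dates are invented. The time-zone token in keytool's dates is deliberately dropped, because zone abbreviations are not portable to strptime and day-level expiry checks do not need them.

```python
"""Added example (not BMC's code): audit the certs.txt that the page's
"keytool -list -v ... > certs.txt" command produces, instead of reading it by eye."""
import re
from datetime import timedelta, datetime

# Constructed sample in the layout keytool -v prints (aliases, names and dates are made up).
SAMPLE_CERTS_TXT = """Keystore type: PKCS12
Keystore provider: JsafeJCE

Your keystore contains 3 entries

Alias name: ldap-ca
Entry type: trustedCertEntry

Owner: CN=Example Corp Internal CA, O=Example Corp, C=US
Issuer: CN=Example Corp Internal CA, O=Example Corp, C=US
Serial number: 1
Valid from: Wed Jan 04 09:00:00 GMT 2012 until: Sun Jan 04 09:00:00 GMT 2032
\t Signature algorithm name: SHA256withRSA
\t Version: 3

Alias name: legacy-proxy
Entry type: trustedCertEntry

Owner: CN=proxy.example.com, O=Example Corp, C=US
Issuer: CN=Example Corp Internal CA, O=Example Corp, C=US
Serial number: 2a
Valid from: Tue Mar 01 00:00:00 GMT 2011 until: Sat Dec 28 23:59:59 GMT 2013
\t Signature algorithm name: SHA1withRSA
\t Version: 3

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=sso.example.com, OU=AtriumSSO Server, O=Example Corp, C=US
Issuer: CN=Example Corp Internal CA, O=Example Corp, C=US
Serial number: 3b
Valid from: Mon Mar 11 10:00:00 GMT 2013 until: Mon Mar 10 10:00:00 GMT 2014
\t Signature algorithm name: SHA256withRSA
\t Version: 3
"""

VALID_RE = re.compile(r"Valid from: (.+) until: (.+)")
WEAK_SIG = ("MD2", "MD5", "SHA1")


def parse_keytool_date(text):
    """'Sat Jun 15 10:22:28 BST 2013' -> naive datetime; the zone token is dropped on purpose."""
    _day, mon, dom, hms, _zone, year = text.split()
    return datetime.strptime(f"{mon} {dom} {hms} {year}", "%b %d %H:%M:%S %Y")


def parse_keytool_list(text):
    """One dict per alias; for a PrivateKeyEntry the first certificate of the chain is used."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            cur = {"alias": line.split(":", 1)[1].strip()}
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Entry type:"):
            cur["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:") and "owner" not in cur:
            cur["owner"] = line[len("Owner:"):].strip()
        elif line.startswith("Issuer:") and "issuer" not in cur:
            cur["issuer"] = line[len("Issuer:"):].strip()
        elif line.startswith("Valid from:") and "not_after" not in cur:
            start, end = VALID_RE.match(line).groups()
            cur["not_before"], cur["not_after"] = parse_keytool_date(start), parse_keytool_date(end)
        elif line.startswith("Signature algorithm name:") and "sig_alg" not in cur:
            cur["sig_alg"] = line.split(":", 1)[1].strip()
    return entries


def has_trusted_issuer(entries, issuer_dn):
    """The check the page asks for: is the signer's own certificate a trusted entry?"""
    return any(e.get("type") == "trustedCertEntry" and e.get("owner") == issuer_dn for e in entries)


def audit(entries, now, warn_days=90):
    """(alias, finding) pairs for expired, soon-expiring, weakly signed or unchained entries."""
    findings = []
    for e in entries:
        if e["not_after"] < now:
            findings.append((e["alias"], "expired on " + e["not_after"].date().isoformat()))
        elif e["not_after"] - now <= timedelta(days=warn_days):
            findings.append((e["alias"], f"expires in {(e['not_after'] - now).days} days"))
        if e.get("sig_alg", "").upper().startswith(WEAK_SIG):
            findings.append((e["alias"], "signed with " + e["sig_alg"]))
        if e["issuer"] != e["owner"] and not has_trusted_issuer(entries, e["issuer"]):
            findings.append((e["alias"], "issuer not in truststore: " + e["issuer"]))
    return findings
```

To use it on a real store, read certs.txt into a string, pass it to parse_keytool_list, and call audit with datetime.now(). The same parser works on the keystore listing (keystore.p12), where the PrivateKeyEntry for tomcat is the certificate Tomcat presents to browsers.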
10.3 Configuring FIPS-140 mode The following topics provide information and instructions for configuring FIPS-140 mode: Converting to FIPS-140 mode (see page 251) Monitoring FIPS-140 and normal mode conversions (see page 256) Changing FIPS-140 network ciphers (see page 257) Converting from FIPS-140 to normal mode (see page 258)
10.3.1 Converting to FIPS-140 mode BMC recommends that you monitor the FIPS-140 mode conversion. See Monitoring FIPS-140 and normal mode conversions (see page 256).
To convert from BMC Atrium Single Sign-On to FIPS-140 mode (Click to expand) 1 Before you begin
Before you begin
When operating in FIPS-140 mode, BMC Atrium Single Sign-On blocks contact with products which are not also operating in a FIPS-140 compliant mode. Before performing the switch to FIPS-140 mode:
Perform a system backup before switching to (or from) FIPS-140 mode. An unexpected hardware or software failure during the conversion can corrupt the server configuration.
Verify that the integrated BMC products are capable of operating in a FIPS-140 compliant mode and are capable of making the reconfiguration that is required to continue operating with BMC Atrium Single Sign-On. If you plan to integrate additional products with BMC Atrium Single Sign-On after the switch to FIPS-140 mode is complete, be sure that these products can be integrated with the server. See the BMC Atrium Single Sign-On Product Availability Compatibility on the support website.
Ensure that your Internet browser is capable of supporting 256-bit Advanced Encryption Standard (AES) encryption. See Browser cipher capabilities (see page 252).
Obtain the RSA CryptoJ FIPS cryptography module. See RSA CryptoJ FIPS cryptography module (see page 252). Contact Customer Support for access to the RSA CryptoJ FIPS cryptography module. This library file must be installed into the server's Java Virtual Machine (JVM), replacing the current version, which is not certified.
Obtain unlimited strength Java policy files. BMC Atrium Single Sign-On uses Oracle JVM 1.7.0_03. The unlimited policy files for this JVM are available for download from the following URL: http://java.sun.com/javase/downloads/index.jsp.
Browser cipher capabilities When operating in FIPS-140 mode with default networking ciphers, the Internet browser must be capable of supporting 256-bit Advanced Encryption Standard (AES) encryption. Otherwise, the browser cannot connect with BMC Atrium Single Sign-On for administrator or user authentication purposes. FireFox 3+ is able to operate at this level. Internet Explorer might not be able to support 256-bit AES depending on the version. You can check your browser cipher capabilities at the following URL: http://www.fortify.net/sslcheck.html. This web site provides the encryption status of your browser.
RSA CryptoJ FIPS cryptography module
The FIPS-approved cryptography module used by BMC Atrium Single Sign-On for FIPS-140 compliance is the RSA CryptoJ library version 6.1. The following table shows the algorithms used in normal mode and FIPS-140 mode.

Purpose           | Normal                     | FIPS-140
Encryption        | DES                        | AES-256
Hash              | MD5, SHA1, SHA256, SHA512  | SHA1, SHA256, SHA512
Network protocol  | TLS 1.0                    | TLS 1.0
Network ciphers   | Any TLS                    | TLS_RSA_WITH_AES_256_CBC_SHA,
                  |                            | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
                  |                            | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
                  |                            | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,
                  |                            | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
                  |                            | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
                  |                            | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,
                  |                            | TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Random            | SHA1PRNG                   | FIPS186PRNG

Two points to keep in mind when reading this table: the DES used for encryption in normal mode is a 56-bit cipher that has been practically breakable by brute force since 1998 and whose standard (FIPS 46-3) NIST withdrew in 2005, and TLS 1.0, which both modes negotiate, has since been deprecated (RFC 8996). FIPS-140 mode therefore raises the strength of the stored-data cipher and of the TLS bulk cipher, but it does not bring the TLS protocol version up to current practice.
2 Install the unlimited strength policy files
To install the unlimited strength policy files
BMC Atrium Single Sign-On uses Oracle JVM version 1.7.0_03. By default, this JVM ships with the "strong" (limited) jurisdiction policy files, which cap the key sizes that encryption algorithms may use (for example, AES is limited to 128-bit keys). These limitations prevent BMC Atrium Single Sign-On from running in FIPS-140 mode, which requires AES-256. To overcome this limitation, the Unlimited Strength Jurisdiction Policy Files must be downloaded from Oracle and installed into the BMC Atrium Single Sign-On JVM.
Warning BMC Atrium Single Sign-On and all integrated products must be shut down before installing the unlimited strength policy files. BMC Atrium Single Sign-On cannot be in use during the conversion to FIPS-140 mode. If possible, a firewall should be employed to block all remote access to the server.
1. Shut down all BMC Atrium Single Sign-On integrated products.
2. Stop BMC Atrium Single Sign-On.
3. If you have not done so already, download the archive that contains the unlimited strength policy files from the following URL: http://java.sun.com/javase/downloads/index.jsp.
4. Extract the contents of the files.
5. Make a backup copy of the currently installed strong strength policy files (local_policy.jar and US_export_policy.jar).
6. Copy the unlimited strength policy files into the BMC Atrium Single Sign-On JVM, overwriting the two files of the same name.

JVM location
The JVM is located in the following default location:
(Microsoft Windows) C:\Program Files\BMC Software\AtriumSSO\jdk\jre\lib\security
(UNIX) /opt/bmc/AtriumSSO/jdk/jre/lib/security
If BMC Atrium Single Sign-On has been installed in a non-default location, the location of the JVM can be determined by using the following pattern:
(Windows) installationDirectory\AtriumSSO\jdk\jre\lib\security
(UNIX) installationDirectory/AtriumSSO/jdk/jre/lib/security
In this case, installationDirectory is the base directory selected during the server installation.
For BMC Atrium Single Sign-On servers using an external Tomcat server, the location of the JVM was determined by the administrator that configured the Tomcat server. Regardless of the JVM location, the following templates indicate the correct location:
(Windows) jdkDirectory\jre\lib\security
(UNIX) jdkDirectory/jre/lib/security
In this case, jdkDirectory is the base directory of the JDK used to run BMC Atrium Single Sign-On.
3 Install the cryptography library
To install the cryptography library
For cryptographic functions in normal mode, BMC Atrium Single Sign-On uses the JVM and a version of the RSA CryptoJ library that is not certified for FIPS-140 operation. When placed into FIPS-140 mode, however, the server reconfigures the JVM to use the RSA CryptoJ provider as the primary provider, and all of the server's cryptography then goes through this provider exclusively. For the server to start in FIPS-140 mode successfully, the FIPS-140 certified version of the RSA CryptoJ library must be installed into the JVM, replacing the uncertified version. The two versions of the library can be told apart by their file names: the normal mode library is cryptoj.jar, and the FIPS-140 mode libraries are cryptojce.jar, cryptojcommon.jar, and jcmFIPS.jar.
Note Contact BMC Software support for instructions on accessing the FIPS-140 version of the library.
1. Make a backup copy of the cryptoj.jar file. You might need it to restore BMC Atrium Single Sign-On to normal encryption mode.
2. Copy the FIPS-140 mode libraries (cryptojce.jar, cryptojcommon.jar, and jcmFIPS.jar) onto the file system of the computer hosting BMC Atrium Single Sign-On.
3. Copy the FIPS-140 mode libraries (cryptojce.jar, cryptojcommon.jar, and jcmFIPS.jar) to the server's JVM library directory.
4. Remove the cryptoj.jar file.
Note This is an important step to prevent a collision of the two libraries.
JVM library file location
The JVM library is located in the following default location:
(Microsoft Windows) C:\Program Files\BMC Software\AtriumSSO\jdk\jre\lib\ext
(UNIX) /opt/bmc/AtriumSSO/jdk/jre/lib/ext
If the BMC Atrium Single Sign-On server has been installed in a non-default location, determine the location of the JVM library using the following pattern:
(Windows) installationDirectory\AtriumSSO\jdk\jre\lib\ext
(UNIX) installationDirectory/AtriumSSO/jdk/jre/lib/ext
In this case, installationDirectory is the base directory selected during the server installation.
For BMC Atrium Single Sign-On servers utilizing an external Tomcat server, the location of the JVM was determined by the administrator that configured the Tomcat server. Regardless of the JVM location, the following templates indicate the correct location:
(Windows) jdkDirectory\jre\lib\ext
(UNIX) jdkDirectory/jre/lib/ext

4 Enable FIPS-140 mode
To enable FIPS-140 mode
After restarting BMC Atrium Single Sign-On with the required JVM modifications in place, the server's configuration can be updated to trigger the change of cryptography. Before performing this next step, be sure that the following JVM modifications have been performed:
Unlimited strength policy files are installed.
The cryptojce.jar, cryptojcommon.jar, and jcmFIPS.jar library files are installed in the library directory.
The cryptoj.jar library file has been removed from the library directory.
1. (Optional) Update your network ciphers if desired. See Changing FIPS-140 network ciphers (see page 257).
2. Restart BMC Atrium Single Sign-On.
3. Log on to the BMC Atrium Single Sign-On administrator console.
4. Click Edit Server Configuration.
5. Select Enable FIPS-140.
6. Click Save.
Warning After the configuration has been successfully saved, the conversion process starts. This process cannot be interrupted. Do not stop BMC Atrium Single Sign-On, log on with another Administrator console, log off the current Administrator console, or initiate any other interactions with the server.
This process takes approximately 10 to 20 seconds, depending upon the computer hardware. Be sure that the background task validation process posts a successful conversion message before proceeding to the next step.
7. Monitor the log files for the completion of the cryptography conversion. For more information on how to monitor the conversion, see Monitoring FIPS-140 and normal mode conversions (see page 256).
8. After the conversion process completes, stop and start the server.
9. Verify that the server is properly operating in FIPS-140 mode by viewing the BMC Atrium Single Sign-On log file (for example, atsso.0.log).
10. Reconfigure all integrated products to operate in FIPS-140 mode.
Note All products which were configured with BMC Atrium Single Sign-On prior to conversion to FIPS-140 mode must be reconfigured to operate in FIPS-140 compliant mode. These integrated products cannot use BMC Atrium Single Sign-On for authentication until they are synchronized with BMC Atrium Single Sign-On.
10.3.2 Monitoring FIPS-140 and normal mode conversions
The conversion task communicates through the BMC Atrium Single Sign-On log file (for example, atsso.0.log). The log file contains messages to signify the start of the conversion, any errors, and the completion of the process. See Managing BMC Atrium Single Sign-On logging (see page 284).
Conversion to FIPS-140 mode messages (see page 256)
Conversion to normal mode messages (see page 257)
Using the default installation locations as an example, the log file is located at:
(Microsoft Windows) C:\Program Files\BMC Software\AtriumSSO\tomcat\temp
(UNIX) /opt/bmc/AtriumSSO/tomcat/conf
Conversion to FIPS-140 mode messages Before starting the conversion, the background task validates that the JVM has been correctly modified and is capable of running in FIPS-140 mode. If the JVM test fails, the task logs an error message indicating the JVM inadequacies and the conversion aborts. In addition, when BMC Atrium Single Sign-On is installed on an external Tomcat server, the background task verifies that the required Tomcat server and JVM configuration files exist. When starting the conversion to FIPS-140 mode, the initial message displayed is:
BMCSSG1599I=Switching Atrium SSO server to FIPS-140 mode
When the conversion process successfully finishes, it posts this message:
BMCSSG1601I=Switch of Atrium SSO server to FIPS-140 mode completed
After saving the configuration change, the conversion process alters the encrypted data within the server. Until the process completes, BMC recommends that you monitor the security page in case the process fails.
Conversion to normal mode messages When starting the conversion from FIPS-140 mode to normal mode, the initial message displayed is:
BMCSSG1598I=Switching Atrium SSO server to normal mode (not FIPS-140 mode)
When the conversion process successfully finishes, it posts this message:
BMCSSG1600E=Switch of Atrium SSO server to normal mode completed
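Note that the documented completion message for normal mode carries an E suffix (BMCSSG1600E) while the one for FIPS-140 mode carries an I suffix (BMCSSG1601I), so a log watcher that treats every E-suffixed message as an error would misreport a successful conversion to normal mode. The following Python script is an added example for this page, not BMC's code: it classifies the conversion from the four message IDs listed above and can poll the log file until the conversion completes or fails, which is the wait the procedure asks for before restarting the server. The sample log lines are constructed; their timestamp and level prefix is illustrative, not BMC's exact log format, and the failure sample uses a placeholder ID (BMCSSG0000E) because the page does not give the ID of the JVM validation error message.

```python
"""Added example (not BMC's code): decide from atsso.0.log lines whether a FIPS-140 or
normal-mode conversion has started, completed or failed, using the message IDs documented
in the page. The sample lines are constructed; only the BMCSSG texts come from the page."""
import re
import time

START_IDS = {"BMCSSG1599I": "FIPS-140", "BMCSSG1598I": "normal"}
# The documented completion message for normal mode is BMCSSG1600E, so an "E suffix means
# error" rule would report a successful conversion as a failure; match the IDs explicitly.
DONE_IDS = {"BMCSSG1601I": "FIPS-140", "BMCSSG1600E": "normal"}
MSG_RE = re.compile(r"\b(BMCSSG\d{4}[IWE])\b")


def conversion_state(lines):
    """Return (state, mode): state is 'not started', 'running', 'completed' or 'failed'."""
    state, mode = "not started", None
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        msg_id = m.group(1)
        if msg_id in START_IDS:
            state, mode = "running", START_IDS[msg_id]
        elif state == "running" and DONE_IDS.get(msg_id) == mode:
            state = "completed"
        elif state == "running" and msg_id.endswith("E"):
            state = "failed"  # any other error-level message while the conversion is running
    return state, mode


def wait_for_conversion(log_path, timeout_s=120, poll_s=2):
    """Poll the log file until the conversion completes or fails, or the timeout passes."""
    deadline = time.monotonic() + timeout_s
    while True:
        with open(log_path, encoding="utf-8", errors="replace") as fh:
            state, mode = conversion_state(fh)
        if state in ("completed", "failed") or time.monotonic() >= deadline:
            return state, mode
        time.sleep(poll_s)


# Constructed log excerpts; the timestamp/level prefix is illustrative, not BMC's exact format.
SAMPLE_FIPS_OK = [
    "2014-01-16 15:10:02 INFO BMCSSG1599I=Switching Atrium SSO server to FIPS-140 mode",
    "2014-01-16 15:10:14 INFO BMCSSG1601I=Switch of Atrium SSO server to FIPS-140 mode completed",
]
SAMPLE_NORMAL_OK = [
    "2014-01-17 09:00:01 INFO BMCSSG1598I=Switching Atrium SSO server to normal mode (not FIPS-140 mode)",
    "2014-01-17 09:00:12 INFO BMCSSG1600E=Switch of Atrium SSO server to normal mode completed",
]
SAMPLE_FAILED = [
    "2014-01-18 11:30:00 INFO BMCSSG1599I=Switching Atrium SSO server to FIPS-140 mode",
    # Placeholder ID: the page does not give the ID of the JVM validation error message.
    "2014-01-18 11:30:01 SEVERE BMCSSG0000E=JVM is not capable of FIPS-140 operation (placeholder)",
]
```

In practice, call wait_for_conversion with the path of atsso.0.log given under Monitoring FIPS-140 and normal mode conversions right after clicking Save, and only stop and start the server once it returns "completed".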
10.3.3 Changing FIPS-140 network ciphers
The network ciphers can be updated if stronger protection for communication is desired. Although the network ciphers are independent of FIPS-140 mode, both the unlimited strength policy files and the cryptography library are required to modify the network ciphers. The following topics provide information and instructions for changing FIPS-140 network ciphers:
Default location for the server.xml file (see page 257)
To modify the server.xml file (see page 257)
Multiple ciphers example (see page 257)
Single cipher example (see page 258)
Default location for the server.xml file The ciphers that the Transport Layer Security (TLS) protocol uses can be adjusted by editing the BMC Atrium Single Sign-On server.xml file. This file is located at the following default locations: (Microsoft Windows) C:\Program Files\BMC Software\AtriumSSO\tomcat\conf (UNIX) /opt/bmc/AtriumSSO/tomcat/conf
To modify the server.xml file 1. Make a backup copy of the server.xml file. 2. Open the server.xml file in your favorite text editor. 3. Search for the Connector tag with the attribute scheme="https". 4. Modify the cipher attribute by adding or removing items.
Multiple ciphers example In the following example, the FIPS-140 version of the server.xml file has multiple ciphers:
Single cipher example
In the following example, the FIPS-140 version of the server.xml file has a single cipher (TLS_RSA_WITH_3DES_EDE_CBC_SHA). Note that this suite is not among the default FIPS-140 network ciphers listed in the RSA CryptoJ table above and uses 3DES, which is weaker than the AES-256 suites in that list; a single-cipher configuration also means that any client lacking that one suite cannot connect at all.
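As an added example that is not part of the BMC documentation or of Tomcat, the following Python script performs the check behind steps 3 and 4 in code: it finds every Connector with scheme="https" in server.xml, compares each entry of its ciphers attribute with the FIPS-140 list from the RSA CryptoJ table, warns about the single-cipher case, and can rewrite the attribute to the full FIPS-140 list. The server.xml fragment in the script is constructed in the shape of the single-cipher example; the Connector attribute names (SSLEnabled, scheme, keystoreFile, keystoreType, keystorePass, sslProtocol, ciphers) are Tomcat's own, and the keystore password shown is the default that this page documents.

```python
"""Added example (not BMC's code): check the ciphers attribute of the https Connector in
server.xml against the FIPS-140 suites listed in the RSA CryptoJ table, and rewrite it.
The server.xml fragment is constructed; the attribute names are Tomcat's own."""
import xml.etree.ElementTree as ET

# The FIPS-140 network ciphers from the table in "RSA CryptoJ FIPS cryptography module".
FIPS_CIPHERS = (
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
)

# Constructed fragment in the shape of the single-cipher example: one https Connector, 3DES only.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystore.p12" keystoreType="PKCS12" keystorePass="internal4bmc"
               sslProtocol="TLS" clientAuth="false"
               ciphers="TLS_RSA_WITH_3DES_EDE_CBC_SHA"/>
  </Service>
</Server>"""


def https_connectors(server_xml):
    """Every Connector element with scheme="https" (the tag the page tells you to search for)."""
    return [c for c in ET.fromstring(server_xml).iter("Connector") if c.get("scheme") == "https"]


def check_ciphers(server_xml, allowed=FIPS_CIPHERS):
    """Findings about the ciphers attribute; an empty list means every https Connector is clean."""
    findings = []
    for conn in https_connectors(server_xml):
        port = conn.get("port", "?")
        suites = [s.strip() for s in conn.get("ciphers", "").split(",") if s.strip()]
        if not suites:
            findings.append(f"port {port}: no ciphers attribute, the JSSE default suite list applies")
            continue
        findings.extend(f"port {port}: {s} is not in the FIPS-140 list" for s in suites if s not in allowed)
        if len(suites) == 1:
            findings.append(f"port {port}: single cipher, clients without {suites[0]} cannot connect")
    return findings


def set_ciphers(server_xml, suites=FIPS_CIPHERS):
    """Return server.xml text with the ciphers attribute of every https Connector replaced."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("scheme") == "https":
            conn.set("ciphers", ",".join(suites))
    return ET.tostring(root, encoding="unicode")
```

Run check_ciphers on the text of your server.xml before and after editing; set_ciphers returns the rewritten document, which you can write back over the backed-up original once the findings list is empty. The rewrite only touches the ciphers attribute, so the keystore settings and other Connector attributes are preserved.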
10.3.4 Converting from FIPS-140 to normal mode
Converting BMC Atrium Single Sign-On to operate in normal mode (that is, without FIPS-140 cryptography) is the same process as converting the server to FIPS-140 mode, except that the Java Virtual Machine (JVM) does not need to be modified before triggering the conversion; the original policy files and library are restored afterwards, once the conversion has completed.
Note Create a backup of the current server in case of a failure (hardware or software). If the server's configuration becomes corrupted, you can use the backup to restore the original configuration. While converting from FIPS-140 to normal mode, be sure to monitor the conversion. See Monitoring FIPS-140 and normal mode conversions (see page 256) .
To convert to normal mode
1. Shut down all integrated products. If possible, use a firewall to block external access to BMC Atrium Single Sign-On.
2. Log on to the BMC Atrium Single Sign-On administrator console.
3. On the BMC Atrium SSO Admin Console, click Edit Server Configuration.
4. De-select FIPS Mode.
5. Click Save.
Warning Once the configuration has been successfully saved, the conversion process is triggered in the background. This process cannot be interrupted. Do not stop BMC Atrium Single Sign-On, log on with another Administrator console, log off the current Administrator console, or initiate any other interactions with the server.
This process usually takes around 10 to 20 seconds, depending upon the computer hardware. 6. Ensure that a successful conversion message is posted.
Important Be sure that the background task validation process posts a successful conversion message before restoring the original encryption files and non-FIPS-140 library.
7. Restore the original encryption files and the non-FIPS-140 library.
   a. Stop the BMC Atrium Single Sign-On server.
   b. Restore the strong encryption policy files.
   c. Restore the non-FIPS library (cryptoj.jar) and remove the FIPS-140 libraries, so that the two versions do not collide.
   d. Restart BMC Atrium Single Sign-On.
   e. Verify that the server is properly operating in normal mode by viewing the BMC Atrium Single Sign-On log file (for example, atsso.0.log).
8. Reconfigure integrated products to operate in normal mode.
Note All integrated products must be reconfigured to operate in normal mode. These integrated products cannot use BMC Atrium Single Sign-On for authentication until they are synchronized with BMC Atrium Single Sign-On.
10.4 Using an external LDAP user store
This topic describes the process and options available to a BMC Atrium Single Sign-On administrator when using an external Lightweight Directory Access Protocol (LDAP) server to provide group and attribute values for authenticated users. Users and groups cannot be managed from the BMC Atrium Single Sign-On server because the LDAP server access is read-only. Configuring an external user store is primarily needed when access to group membership information is required. The LDAP authentication module can be used to retrieve user attributes without configuring an external user store. For more information, see Using LDAP (Active Directory) for authentication.
An external LDAP server is used to augment the information available to BMC products. For more information about the configuration options available with the LDAP user store, see the OpenAM documentation.
10.4.1 To create an external LDAP user store
1. Log on to the BMC Atrium SSO Admin Console.
2. Click Edit BMC Realm.
3. On the User Store panel, click Add and select LDAPv3 User Store.
4. On the General tab, provide the LDAP server configuration parameters.
5. On the Search tab, provide the user and group attributes used for searching.
6. Click Save.
10.4.2 To modify an existing external LDAP user store
1. Log on to the BMC Atrium SSO Admin Console.
2. Click Edit BMC Realm.
3. On the User Store panel, select the LDAPv3 user store and click Edit.
4. On the General tab, modify the LDAP server configuration parameters.
5. On the Search tab, modify the user and group attributes used for searching.
6. Click Save.
Note The BMC Atrium Single Sign-On server does not need to be restarted after altering the configuration. The changes take effect as soon as they are committed.
10.4.3 LDAPv3 User Store parameters The LDAPv3 user store uses Active Directory as the user store type. The General tab contains the parameters for the LDAP server configuration. The Search tab contains the parameters used to search for user and group attributes.
10.4.4 General tab
LDAP Server
  Name: (Required) The fully qualified domain name (FQDN) of the primary LDAP server.
  Port: If the LDAP server is not listening on the default port (389), specify the port number.
  Use SSL: (Optional) Enable SSL to connect to the LDAP servers. Without SSL, the bind password and the user and group data cross the network in cleartext. Before enabling SSL, the certificates for the LDAP servers (primary and secondary) must be imported into the JVM truststore and the BMC Atrium Single Sign-On Tomcat truststore; for more information, see Importing a certificate into the truststore (see page 243). If client authentication is required, the BMC Atrium Single Sign-On server's certificate might also need to be imported into the LDAP server's truststore. Then restart the Tomcat server. For more information about CA certificates, see Managing keystores with a keytool utility (see page 239).
User Account for Search
  Distinguished Name, Password, Confirm Password: (Required) The Distinguished Name (DN) of the account used to bind to the LDAP server, with its password and the password confirmation. The account must have privileges to perform searches on the primary and secondary LDAP servers. Because the server stores this password and uses it for every lookup, use a dedicated read-only account that has search rights rather than a directory administrator account.
Connection Pool
  Minimum Size, Maximum Size: The connection pool attributes adjust the performance of BMC Atrium Single Sign-On and the load on the LDAP server. Before modifying the default values, BMC recommends that you complete performance timings to determine appropriate values.
Attribute Mapping
  External Attribute, Atrium SSO Attribute: Attribute mapping takes user attributes (such as email or phone number) from the external data store and maps them to the attributes used within BMC Atrium Single Sign-On. To define a mapping, enter the name of the External Attribute, select from the drop-down list the Atrium SSO Attribute that it maps to, and click Add to put the new mapping into the table.
10.4.5 Search tab
Search Base DN: Starting location within the LDAP directory for user and group searches. For performance, make the search DN as specific as possible. The depth of the search can be configured; if an object search is specified, the DN must be the DN of the node containing the users.
Search Timeout (seconds): Number of seconds a search runs before it times out.
Max Search Results: Maximum number of results that a search returns.
Users
  Search Attribute: User attribute on which the search is performed.
  Search Filter: Filter for user searches, for example (objectclass=person). If the user entries in the server do not use the specified object class, searches fail.
  Status Attribute: Attribute that indicates the user status, for example userAccountControl.
  Active Value: Value of the status attribute when the account is active.
  Inactive Value: Value of the status attribute when the account is inactive.
Users Container
  People Container Attribute: LDAP attribute that distinguishes the container holding the people.
  Attribute Value: Value of that LDAP attribute. If people are not within a container (relative to the group), leave both values blank.
Users
  Attribute Name for Group: Attribute of the user that identifies the groups to which the user belongs, for example memberOf.
Groups
  Search Attribute: Attribute that holds the name of the group. Its value is used in searches for user groups.
  Search Filter: Validate that the LDAP Groups Search Filter is correct for the LDAP server. If the specified object class is not applicable, update the filter with the correct objectclass name, for example (objectclass=group).
Groups Container
  Container Attribute: LDAP attribute that distinguishes the container holding the groups.
  Attribute Value: Value of the LDAP Groups Container attribute. If groups are not within a container (relative to the user), leave both values blank.
Groups
  Attribute Name for User: Attribute of a group that contains the names of the users that belong to the group.
Caching
  Max Age (seconds): Maximum time a cached value is used before it is refreshed from the external LDAP server. Group membership changes, including revocations, are not visible until the cached value expires, so keep this short when group membership drives authorization.
  Cache Size (bytes): Number of bytes of memory used to hold cached search items from the external LDAP server.
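The following is an added example, not BMC code, showing how the Search tab parameters above combine into the query that runs against the directory. It builds the user search from a constructed Search Filter and Search Attribute, escapes the login name as RFC 4515 requires so that a name such as `bob)(objectclass=*)` cannot rewrite the filter, and interprets the Active Directory userAccountControl attribute. The attribute names, flag values and directory entries are constructed for illustration (512, 514 and 66048 are the documented Microsoft values for a normal account, a disabled normal account, and a normal account whose password never expires). The last point is the caveat a practitioner wants: because userAccountControl is a bit field, a literal Active Value of 512 does not match a perfectly active account that carries an extra flag, whereas testing the ACCOUNTDISABLE bit does.

```python
# Added example, not BMC code: build the user search described by the Search
# tab parameters and interpret the Active Directory status attribute.
# The settings and directory entries below are constructed for illustration.

USER_SEARCH_ATTRIBUTE = "sAMAccountName"       # "Search Attribute" on the Search tab
USER_SEARCH_FILTER = "(objectclass=person)"    # "Search Filter" on the Search tab
STATUS_ATTRIBUTE = "userAccountControl"        # "Status Attribute" on the Search tab
ACCOUNTDISABLE = 0x0002                        # documented AD flag bit for a disabled account


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without escaping, a login name such as '*' or 'bob)(objectclass=*'
    rewrites the filter instead of matching a literal user name.
    """
    escaped = []
    for ch in value:
        if ch in "*()\\\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def build_user_filter(login_name: str) -> str:
    """AND the configured object-class filter with the search-attribute match."""
    return "(&%s(%s=%s))" % (
        USER_SEARCH_FILTER, USER_SEARCH_ATTRIBUTE, escape_filter_value(login_name))


def status_by_literal(entry: dict, active_value: str, inactive_value: str):
    """What an exact Active Value / Inactive Value match yields: 'active',
    'inactive', or None when the stored value matches neither."""
    raw = entry.get(STATUS_ATTRIBUTE)
    if raw == active_value:
        return "active"
    if raw == inactive_value:
        return "inactive"
    return None


def is_account_active(entry: dict) -> bool:
    """Interpret userAccountControl as a bit field: the account is active
    when the ACCOUNTDISABLE bit is clear, whatever other bits are set."""
    raw = entry.get(STATUS_ATTRIBUTE)
    if raw is None:
        return False   # no status attribute: treat the account as inactive
    return int(raw) & ACCOUNTDISABLE == 0


# Constructed directory entries. 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT
# disabled, 66048 = NORMAL_ACCOUNT with DONT_EXPIRE_PASSWORD (0x10000).
CONSTRUCTED_ENTRIES = {
    "alice": {"sAMAccountName": "alice", "userAccountControl": "512"},
    "bob":   {"sAMAccountName": "bob",   "userAccountControl": "514"},
    "carol": {"sAMAccountName": "carol", "userAccountControl": "66048"},
}


def lookup(login_name: str):
    """Simulate the search: return (filter, active?) for a constructed entry."""
    ldap_filter = build_user_filter(login_name)
    entry = CONSTRUCTED_ENTRIES.get(login_name)
    return ldap_filter, (is_account_active(entry) if entry else False)


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "bob)(objectclass=*"):
        print(lookup(name))
```

With Active Value 512 and Inactive Value 514, `status_by_literal` returns None for carol, whose account is active but carries the password-never-expires flag; `is_account_active` reports her correctly. Check which interpretation your directory and the product's status check actually apply before relying on the Active Value and Inactive Value fields for anything security-relevant.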
11 Administering The following topics provide information and instructions for administering BMC Atrium Single Sign-On:
Managing users (see page 264)
Managing user groups (see page 268)
Managing authentication modules (see page 271)
Managing nodes in a cluster (see page 273)
Managing agents (see page 275)
Managing the server configuration (see page 276)
Stopping and restarting the BMC Atrium Single Sign-On server (see page 279)
11.1 Managing users BMC Atrium Single Sign-On provides basic user and group management features with the internal LDAP server. These features allow an administrator to manage users, groups, and memberships in the groups. From the User tab, the administrator can create, delete, and manage user account information including group memberships. From the Groups tab, the administrator can manage group memberships. BMC Atrium Single Sign-On is configured to use an internal LDAP for user authentication (default). While not recommended for large-scale deployments, the internal database can be used for small deployments, demonstrations, and other Proof-Of-Concept (POC) work. For larger deployments, BMC recommends that you use an external authentication server, such as another LDAP server.
To access the User page (see page 265)
To add a new user (see page 265)
To search for users (see page 266)
To delete users (see page 266)
To modify user information (see page 266)
To enable or disable a user account (see page 266)
To add a group membership to a user account (see page 267)
To remove a group membership from a user account (see page 267)
To view user sessions (see page 267)
To terminate an active user session (see page 268)
11.1.1 To access the User page 1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm. 2. Select the User tab. New users can only be created when you are using the internal LDAP server for authentication. If an external source is used for authentication, new users must be created within that external system.
Note If special characters, such as a comma ( , ), semicolon ( ; ), or plus sign ( + ), are used in the user ID, each special character must be preceded by a backslash ( \ ). For example, Baldwin\,bob.
When creating a new user, each field that is marked with an asterisk is a required field.
11.1.2 To add a new user
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the User tab.
3. Click New.
4. In the ID field, enter a unique identifier for the new user. This value is used as the user ID when the user logs in.
5. Enter the user's last name and full name.
6. Enter the password and confirm this password.
7. In the Status field, verify that the Active radio button is selected (default).
8. Click Save.
The name attributes (First, Full, and Last) can be provided to BMC products to help identify user accounts by using terms that are more user-friendly. Whether these attributes are actually used depends on the BMC product.
11.1.3 To search for users If the number of users in the Available list is too large to find the user that you want to modify, use the search function. The asterisk (*) returns all user accounts. Enter part of the user ID to refine the user account list. For example, the pattern, "b*", returns users starting with the letter "b" (case-insensitive) such as "bob" and "Baldwin".
11.1.4 To delete users User accounts can only be deleted if BMC Atrium Single Sign-On is using the internal LDAP server for user authentication.
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the User tab.
3. Select the check box next to each user account in the User list that should be deleted.
4. Click Delete.
5. Click Ok.
11.1.5 To modify user information
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the User tab.
3. Select the link for the user that you want to modify.
4. Click Edit.
5. Modify the user's information.
6. Click Save.
11.1.6 To enable or disable a user account The user account can be enabled or disabled by changing the user status.
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the User tab.
3. Select the user that you want to modify.
4. In the Status field, click Active to enable or Inactive to disable the user account.
Note Disabling a user account prevents the user from authenticating but preserves all of the user's attributes, such as group memberships. Group memberships are lost only when the user account is deleted, so disabling is the safer choice when access must be suspended and might later be restored.
11.1.7 To add a group membership to a user account A user is added to a group from the Group tab; the Group tab can also be accessed from the User Editor pop-up.
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the User tab.
3. Select the user that you want to modify.
4. Select the Group tab.
5. Select a group from the Available Groups list.
6. Click Add. Alternatively, click Add All to add all of the available groups to the user account.
7. Click Save.
Important Be selective when adding users to a group, such as the predefined groups, so that elevated privileges are not accidentally assigned to a user. For example, BmcSearchAdmin has privileges to perform searches and BmcAgents has privileges to read configuration information. Add All grants membership of every available group, including these, in one step.
11.1.8 To remove a group membership from a user account A user is removed from a group from the Group tab; the Group tab can also be accessed from the User Editor pop-up.
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the User tab.
3. Select the user that you want to modify.
4. Select the Group tab.
5. Select a group from the Member of list.
6. Click Remove. Alternatively, click Remove All to remove the user from all of the groups.
7. Click Save.
11.1.9 To view user sessions 1. Log on to the BMC Atrium SSO Admin Console. 2. See the Sessions panel.
Note The Sessions panel displays the sessions held in the memory of the server. In an HA cluster, a session is replicated to another node when the load balancer routes a validation request to a node other than the one the user logged on to, for example when the AR System server validates the SSO session while Mid Tier is accessed. A single session can therefore be listed more than once, which confirms that it has been replicated to the additional nodes. The sessions retrieved from the server are displayed in pages, and the Sessions table has a maximum limit, so you might not be able to view every session in memory at one time. This limit restricts only the number of sessions shown in the table, not the number of sessions the server supports. To find a session that is hidden by the limit, filter the sessions according to your requirements.
11.1.10 To terminate an active user session
1. Log on to the BMC Atrium SSO Admin Console.
2. In the Sessions panel, select the check box associated with the user session that you want to terminate.
3. Click Invalidate Session.
Important Take care not to terminate the session that is used to access the console or the sessions that are used by BMC agents. Agent sessions use the following naming convention: @: or @. Terminating these sessions will, at best, close the console the administrator is using or, at worst, prevent users from accessing the BMC products that the agent is protecting.
11.2 Managing user groups BMC products can use the group membership capabilities of the BMC Atrium Single Sign-On system for authorization of users as well as for authentication. If a BMC product uses the group memberships of the BMC Atrium Single Sign-On system, consult that product's documentation to determine how groups map to privileges.
To access the Group page (see page 269)
To create a new group (see page 269)
To delete a group (see page 269)
To assign a group membership (see page 270)
To remove users from a group (see page 270)
11.2.1 To access the Group page BMC Atrium Single Sign-On provides predefined groups to help with the Administrator privileges that some BMC products might require. For example, the BmcSearchAdmin group provides privileges that allow a user to connect to the server to perform identity searches.
Note Care should be exercised when assigning this group as these elevated privileges allow greater access to BMC Atrium Single Sign-On than is normally provided.
11.2.2 To create a new group
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the Groups tab.
3. Click Add.
4. Enter a new, unique name for the group.
5. From the Available Users list, select a user and click Add. Alternatively, click Add All to add all of the users to the group.
6. Click Save.
Normally, BMC products install the groups that they need into BMC Atrium Single Sign-On as part of their installation. However, a situation might arise in which a group needs to be created (or re-created).
11.2.3 To delete a group
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the Groups tab.
3. Select the check box for the group that you want to delete.
4. Click Delete.
If too many groups are visible within the Group list to efficiently find the groups that you want to delete, use the search function to filter out undesired groups. For example, by changing the search filter to "D", only the group IDs that start with the letter "d" (case-insensitive) are displayed.
When you delete a group, the group is removed from BMC Atrium Single Sign-On. Users that are members of the group also have their group membership removed.
Important Deleting groups that have been installed by other BMC products is not recommended. Doing so might cause the product to malfunction or block access to the product itself.
11.2.4 To assign a group membership
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the Groups tab.
3. Select a group name.
4. Select a user from the Available Users list.
5. Click Add. The user is added to the Members list. Alternatively, click Add All to add all of the users to the group.
6. Click Save.
Multiple users can be assigned to a group from the Group page. The membership change takes effect immediately.
Important Take care when adding users to a group, such as the predefined groups, so that elevated privileges are not accidentally assigned to a user. For example, BmcSearchAdmin has privileges to perform searches and BmcAgents has privileges to read configuration information.
11.2.5 To remove users from a group Users can be removed from a group from the Group page.
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the Groups tab.
3. Select the group name.
4. Select a user from the Members list and click Remove. Alternatively, click Remove All to remove all of the users from the group.
5. Click Save.
The membership change takes effect immediately.
11.3 Managing authentication modules The basic building block of authentication in BMC Atrium Single Sign-On is the authentication module. A module specifies the type of authentication (LDAP, RSA SecurID, and so on) as well as deployment-specific values such as host names and port numbers.
To manage authentication modules (see page 271)
To create a new module (see page 271)
To edit a module (see page 271)
To delete a module (see page 272)
To change the criteria for a module (see page 272)
To reorder the modules in a chain (see page 272)
11.3.1 To manage authentication modules Module instances are created, edited, and deleted from the Realm Authentication panel, which is on the Main tab of the realm. Add creates a new module instance. Edit modifies the module instance parameters. Delete removes the selected module instance. Up and Down reorder a module instance within the authentication chain.
11.3.2 To create a new module
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Click Add.
3. Select the type of the new module instance.
4. Type a unique name for the module instance. The name should consist of alphanumeric characters and a few punctuation characters such as the underscore, with no spaces, commas, or ampersands.
5. Provide the module parameters.
6. Click Save.
7. If you want to change the module configuration, edit the module. The module's configuration must be edited before it can be used within an authentication chain.
11.3.3 To edit a module
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the module instance check box.
3. Click Edit. A pop-up is launched that allows you to configure module attributes.
Note See the section on configuring that particular type of module. For example, Using LDAP (Active Directory) for authentication.
11.3.4 To delete a module
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the module instance check box.
3. Click Delete.
11.3.5 To change the criteria for a module
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. In the Flag option for the module, select a new criteria from the drop-down menu.
The criteria for a module determines how its result affects the authentication status of the chain. The criteria categories are Required, Requisite, Sufficient, and Optional.
Required: This module must authenticate the user. Regardless of pass or fail, processing of the chain continues.
Requisite: This module must authenticate the user. When authentication fails, processing of the chain aborts.
Sufficient: This module might authenticate the user. If authentication passes, processing of the chain stops; otherwise processing continues.
Optional: This module might authenticate the user. Processing continues regardless of success or failure.
The overall status is successful if all of the Required and Requisite modules pass before either the end of the chain or the first successful Sufficient module. When there are no Required or Requisite modules, at least one Sufficient or Optional module must authenticate the user.
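The following is an added example, not BMC or OpenAM code, that models the chain evaluation rules just described so that the effect of each criteria and of module order can be checked before a chain goes into production. The two modules are stand-ins that check constructed credentials; the user name, password and token values are constructed for illustration. The `misordered_chain` case shows the failure mode a practitioner should look for: placing a Sufficient password module ahead of a Required token module means a correct password alone logs the user in and the token module is never consulted.

```python
# Added example, not BMC or OpenAM code: evaluate an authentication chain with
# the Required, Requisite, Sufficient and Optional criteria described above.
# The two modules are stand-ins that check constructed credentials.

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "Required", "Requisite", "Sufficient", "Optional"

# Constructed credential stores used by the stand-in modules.
CONSTRUCTED_PASSWORDS = {"bob": "s3cret"}
CONSTRUCTED_TOKENS = {"bob": "123456"}


def ldap_module(creds):
    """Stand-in for an LDAP module: password check against the constructed store."""
    return CONSTRUCTED_PASSWORDS.get(creds.get("user")) == creds.get("password")


def securid_module(creds):
    """Stand-in for an RSA SecurID module: one-time-token check."""
    return CONSTRUCTED_TOKENS.get(creds.get("user")) == creds.get("token")


def evaluate_chain(chain, creds):
    """Walk the chain in order and return (success, trace).

    chain: list of (name, criteria, module) in chain order.
    trace: the (name, criteria, result) tuples actually consulted, so a
    caller can see which modules were skipped by a short-circuit.
    """
    trace = []
    has_strict = any(c in (REQUIRED, REQUISITE) for _, c, _ in chain)
    strict_failed = False     # a Required module failed earlier in the chain
    optional_passed = False   # a Sufficient or Optional module succeeded
    for name, criteria, module in chain:
        ok = bool(module(creds))
        trace.append((name, criteria, ok))
        if criteria == REQUISITE:
            if not ok:
                return False, trace            # abort the chain immediately
        elif criteria == REQUIRED:
            if not ok:
                strict_failed = True           # keep processing, but the chain fails
        elif criteria == SUFFICIENT:
            if ok:
                if not strict_failed:
                    return True, trace         # stop: later modules are never consulted
                optional_passed = True
        elif criteria == OPTIONAL:
            optional_passed = optional_passed or ok
        else:
            raise ValueError("unknown criteria %r" % criteria)
    if has_strict:
        return not strict_failed, trace
    return optional_passed, trace


def mfa_chain():
    """Password then token, both mandatory: a failed password aborts early."""
    return [("LDAP", REQUISITE, ldap_module), ("SecurID", REQUIRED, securid_module)]


def misordered_chain():
    """A Sufficient password module ahead of a Required token module: a correct
    password alone logs the user in and the token is never checked."""
    return [("LDAP", SUFFICIENT, ldap_module), ("SecurID", REQUIRED, securid_module)]


if __name__ == "__main__":
    creds = {"user": "bob", "password": "s3cret"}   # no token supplied
    print("mfa        :", evaluate_chain(mfa_chain(), creds))
    print("misordered :", evaluate_chain(misordered_chain(), creds))
```

Requisite is used for the password step in `mfa_chain` so that a wrong password stops the chain before the token module runs; Required would also reject the login but would still consult the token module, which matters if that module is rate-limited or billed per call.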
11.3.6 To reorder the modules in a chain
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the module instance that you want to move.
3. Click Up or Down to change the order in which the module instances are processed.
11.4 Managing nodes in a cluster Nodes in a cluster are managed by modifying the server configuration on each node or by deleting a node.
To modify the server configuration on a node (see page 273)
To delete a node from the cluster (see page 273)
The following topics provide additional information and instructions for managing nodes in a cluster:
Resynchronizing nodes in a cluster
Starting nodes in a cluster (see page 274)
Stopping nodes in a cluster (see page 274)
11.4.1 To modify the server configuration on a node
1. On the BMC Atrium SSO Admin Console, click HA Node Console.
2. Select the node that you want to modify.
3. Click Edit and modify the server parameters.
4. Click Save.
11.4.2 To delete a node from the cluster Removing a node from a cluster deletes the node permanently from the cluster. When a node cannot be brought back online, for example after a complete hardware failure, the node must be removed from the cluster configuration.
1. On the BMC Atrium SSO Admin Console, click HA Node Details.
2. Select the node that you want to remove.
3. Click Delete.
4. When prompted with "Delete selected nodes?", click OK.
11.4.3 Resynchronizing nodes in a cluster When a node is unable to join a cluster, the information within the node becomes stale and out of sync with the other nodes of the cluster. In this circumstance, the node must be brought up to date with the cluster before it can participate.
To resynchronize a node in a cluster
1. Block access at the load balancer.
2. Execute the dsreplication utility from the command line, supplying the replication administrator UID and password and the source and destination host and port for your cluster (shown here as placeholders):
dsreplication initialize -baseDN "dc=opensso,dc=java,dc=net" -adminUID <adminUID> -adminPassword <adminPassword> -hostSource <hostSource> -portSource <portSource> -hostDestination <hostDestination> -portDestination <portDestination> -n
The dsreplication utility is in the following location:
(Microsoft Windows) \tomcat\webapps\atriumsso\WEB-INF\config\opends\bat
(UNIX) /tomcat/webapps/atriumsso/WEB-INF/config/opends/bin
3. Select menu option 3.
4. Stop and start the node.
5. Restore the load balancer.
11.4.4 Starting nodes in a cluster This topic provides instructions for starting nodes in a cluster. Nodes can be started in any order.
To start a Microsoft Windows node in a cluster
1. Block access at the load balancer.
2. Start the BMC Atrium Single Sign-On server from the Windows Services Control Panel.
3. Restore the load balancer.
To start a UNIX node in a cluster
1. Block access at the load balancer.
2. Execute the following command from the command line:
startup-tomcat.sh
3. Restore the load balancer.
11.4.5 Stopping nodes in a cluster This topic provides instructions for stopping nodes in a cluster. Nodes can be stopped in any order.
To stop a Microsoft Windows node in a cluster
1. Block access at the load balancer.
2. Stop the BMC Atrium Single Sign-On server from the Windows Services Control Panel.
3. Restore the load balancer.
To stop a UNIX node in a cluster
1. Block access at the load balancer.
2. Execute the following command from the command line:
shutdown-tomcat.sh
3. Restore the load balancer.
11.5 Managing agents BMC Atrium Single Sign-On allows you to edit and delete agents from the Agent Manager. The names of the agent and of its user are derived from the host name and port of the URL of the BMC product server where the agent resides, using the following template: BMCJEE@: or @.
host is the FQDN of the host, port is the main port number, and uri is the URI of the application.
11.5.1 To edit an agent account For information about the Agent Manager and the agent parameters that can be modified, see Agent manager.
1. On the BMC Atrium SSO Admin Console, click Agent Details.
2. Select the agent that you want to edit.
3. Click Edit.
4. Modify the parameters and click Save.
11.5.2 To delete an agent account If a product has become unusable and its uninstall utility can no longer perform an orderly cleanup and de-integration from BMC Atrium Single Sign-On, you might need to perform a manual cleanup.
Note If no product within the JEE server still needs authentication, or you want to permanently block access from the JEE server, deleting the agent account terminates access by the agent. To do so, both the J2EE agent and its user must be deleted from the root realm. Deleting only the agent while its session remains valid leaves the existing session usable until it expires or is invalidated.
1. On the BMC Atrium SSO Admin Console, click Agent Details.
2. Select the J2EE agent that you want to delete.
3. Click Delete.
4. On the BMC Atrium SSO Admin Console, select the user session that has the same name as the J2EE agent (if one exists).
5. Click Invalidate Selected.
11.6 Managing the server configuration The BMC Atrium Single Sign-On server parameters that can be modified or enabled include the session settings, the cookie name and domain, the password for accessing the server, the FQDN, the logging level, FIPS-140 mode, and Online Certificate Status Protocol (OCSP) checking for CAC.
To modify the server configuration (see page 276)
Server configuration parameters (see page 276)
Server Configuration Editor parameters (see page 276)
HTTP Only and HTTPS Only (see page 277)
Session parameter defaults (see page 278)
11.6.1 To modify the server configuration
1. On the BMC Atrium SSO Admin Console, click Edit Server Configuration.
2. Modify the BMC Atrium Single Sign-On server parameters.
3. Click Save.
Committed changes take effect immediately; a server restart is not necessary.
11.6.2 Server configuration parameters The Server Configuration Editor provides the parameters that must be updated when you install or configure the BMC Atrium Single Sign-On server. The following topics are provided:
Server Configuration Editor parameters (see page 276)
HTTP Only and HTTPS Only (see page 277)
11.6.3 Server Configuration Editor parameters
Cookies
  Cookie Name: The cookie name is created automatically at install time, based on the FQDN of the BMC Atrium Single Sign-On host.
  Cookie Domain: The default cookie domain is the network domain of the computer on which the server is installed, which is the most restrictive setting. This value controls cookie visibility between servers within the domain. For more information, see Default cookie domain.
  HTTP Only: Select this check box to mark the BMC Atrium Single Sign-On cookie HttpOnly, which prevents non-HTTP APIs such as JavaScript from accessing the cookie. For more information, see HTTP Only and HTTPS Only (see page 277).
  HTTPS Only: Select this check box to mark the cookie with the Secure option, which ensures that the browser transmits the cookie to the server only over HTTPS connections. For more information, see HTTP Only and HTTPS Only (see page 277).
amAdmin
  Password, Confirm Password: The password for accessing the BMC Atrium Single Sign-On server.
External URL: FQDN for the BMC Atrium Single Sign-On server.
Logging Level: Off, Error, Warning, or Message. Error returns the least information and Message the most.
Enable FIPS-140: Configure FIPS-140 before enabling it; see Configuring FIPS-140 mode (see page 251).
Online Certificate Status Protocol: CAC can use OCSP. If CAC uses OCSP, configure CAC before enabling this option; if CAC does not use OCSP, no configuration is required. To enable, provide the Server URL and select Enable OCSP.
Session
  Max Session Time: Time after which the session is logged out even if the user is active. The default is 120 minutes. The time constraint is enforced automatically once the value is set.
  Idle Timeout: Time after which the session is logged out if the user is inactive. The default is 30 minutes. The time constraint is enforced automatically once the value is set.
  Note: The Max Session Time value must be greater than the Idle Timeout value.
  Note: When BMC Atrium SSO is integrated with BMC Remedy AR System, set the Idle Timeout value 3 minutes longer than the BMC Mid Tier idle timeout value.
  Cache Time: Time after which the cache is cleared. The default is 3 minutes. The time constraint is enforced automatically.
  Max Session Count per User: Maximum number of concurrent sessions allowed for a user. The default value is 5. Click Enable to enforce the limit, then select the behavior when the limit is exceeded: Delete Oldest or Block New.
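The following is an added example, not BMC code, that models how the Session parameters above interact: the absolute Max Session Time, the Idle Timeout that a validation refreshes, and Max Session Count per User with the Delete Oldest and Block New behaviors. Time is passed in as seconds so the model is deterministic; the user name and default values are the page's defaults, and the token format is constructed. It exists to make the consequences of the settings concrete, for instance that Delete Oldest silently ends another live session of the same user, whereas Block New refuses the new login and lets the caller report it.

```python
# Added example, not BMC code: a model of the Session parameters above
# (Max Session Time, Idle Timeout, Max Session Count per User with the
# Delete Oldest and Block New behaviours). The clock is passed in as a
# number of seconds so the model runs deterministically.

DELETE_OLDEST, BLOCK_NEW = "Delete Oldest", "Block New"


class SessionStore:
    def __init__(self, max_session_minutes=120, idle_minutes=30,
                 max_per_user=5, on_limit=DELETE_OLDEST):
        if max_session_minutes <= idle_minutes:
            raise ValueError("Max Session Time must be greater than Idle Timeout")
        if on_limit not in (DELETE_OLDEST, BLOCK_NEW):
            raise ValueError("on_limit must be Delete Oldest or Block New")
        self.max_life = max_session_minutes * 60
        self.idle = idle_minutes * 60
        self.max_per_user = max_per_user
        self.on_limit = on_limit
        self.sessions = {}        # token -> {"user", "created", "last_seen"}
        self._next_id = 0

    def _expire(self, now):
        """Drop sessions past their absolute lifetime or their idle limit."""
        for token, s in list(self.sessions.items()):
            if now - s["created"] >= self.max_life or now - s["last_seen"] >= self.idle:
                del self.sessions[token]

    def active_sessions(self, user):
        """Tokens for a user, oldest first."""
        ordered = sorted(self.sessions.items(), key=lambda kv: kv[1]["created"])
        return [token for token, s in ordered if s["user"] == user]

    def login(self, user, now):
        """Create a session; returns its token, or None when Block New refuses it."""
        self._expire(now)
        existing = self.active_sessions(user)
        if len(existing) >= self.max_per_user:
            if self.on_limit == BLOCK_NEW:
                return None
            del self.sessions[existing[0]]     # Delete Oldest ends the oldest live session
        self._next_id += 1
        token = "sess-%d" % self._next_id      # constructed token format
        self.sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token, now):
        """True when the session is still live; a validation refreshes the idle timer
        but never extends the absolute Max Session Time."""
        self._expire(now)
        s = self.sessions.get(token)
        if s is None:
            return False
        s["last_seen"] = now
        return True


if __name__ == "__main__":
    store = SessionStore()
    token = store.login("bob", now=0)
    print(store.validate(token, now=29 * 60), store.validate(token, now=65 * 60))
```

The constructor rejects a configuration in which Max Session Time does not exceed Idle Timeout, matching the note above; the real editor leaves that check to the administrator.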
11.6.4 HTTP Only and HTTPS Only With the release of BMC Atrium Single Sign-On 8.1 Patch 3, the Server Configuration Editor provides two new options: HTTP Only and HTTPS Only. The HTTP Only parameter marks the BMC Atrium Single Sign-On cookie HttpOnly, which prevents non-HTTP APIs such as JavaScript from reading the cookie, so a script injected into a page cannot steal the session token. The HTTPS Only parameter marks the cookie with the Secure option, which ensures that the browser transmits the cookie only over HTTPS connections, so the token is never sent in cleartext. The default value of both check boxes is false. Cookies issued before the options were enabled do not carry the flags, which is why the procedures below end by clearing existing cookies.
To secure BMC Atrium Single Sign-On as a stand-alone server
1. Open the Edit Server Configuration tab on the BMC Atrium Single Sign-On Admin Console.
2. Select the HTTP Only and HTTPS Only check boxes, and click Save.
3. Restart the BMC Atrium Single Sign-On server.
4. Clear all the existing cookies from the browser history.
To secure BMC Atrium Single Sign-On as a high-availability cluster
1. Open the HA Node Details tab on the BMC Atrium Single Sign-On Admin Console.
2. Select the node for which the HTTP Only and HTTPS Only options are to be enabled.
3. Select the HTTP Only and HTTPS Only check boxes for each node, and click Save.
Note: Configuration warnings appear, saying that the HTTP Only and HTTPS Only features are out of sync for some nodes. You can ignore the warnings and click OK.
4. Restart the server.
5. Clear all the existing cookies from the browser history.
Note: A warning is displayed after the configuration change is saved when the HTTP Only, HTTPS Only, Cookie Name, or Cookie Domain setting is out of sync with other nodes. The warning message includes a list of the other nodes that do not match the currently saved value.
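The two checks described above, as an added example that is not BMC's code: it parses the Set-Cookie header each node returns, confirms the SSO cookie carries the HttpOnly and Secure flags (the HTTP Only and HTTPS Only options), and reports nodes whose cookie domain or flags are out of sync with the first node, in the spirit of the console warning. The cookie name, node names and header values are constructed for illustration.

```python
"""Verify that an SSO session cookie carries the HttpOnly and Secure flags and
that every node of an HA cluster issues it with the same domain and flags.
Added example, not BMC code: node names, cookie name and headers are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed cookie name; substitute the server's configured Cookie Name.
COOKIE_NAME = "atsso_session"


@dataclass(frozen=True)
class CookieAttrs:
    name: str
    domain: Optional[str]
    http_only: bool
    secure: bool


def parse_set_cookie(header: str) -> CookieAttrs:
    """Reduce one Set-Cookie header value to the attributes that matter here.
    Attribute names are case-insensitive (RFC 6265); the cookie name is not."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain, http_only, secure = None, False, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            http_only = True
        elif key == "secure":
            secure = True
        elif key == "domain":
            # Normalise: a leading dot is ignored by modern browsers.
            domain = value.strip().lower().lstrip(".")
    return CookieAttrs(name, domain, http_only, secure)


def find_cookie(headers: List[str], cookie_name: str) -> Optional[CookieAttrs]:
    """Return the parsed cookie with the given name, or None if it was not issued."""
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name == cookie_name:
            return cookie
    return None


def check_node(headers: List[str], cookie_name: str) -> List[str]:
    """Findings for one node's response: missing cookie or missing flags."""
    cookie = find_cookie(headers, cookie_name)
    if cookie is None:
        return [f"cookie {cookie_name} not issued"]
    findings = []
    if not cookie.http_only:
        findings.append("HTTP Only missing: cookie is readable by script")
    if not cookie.secure:
        findings.append("HTTPS Only missing: cookie may be sent over plain HTTP")
    return findings


def check_cluster(nodes: Dict[str, List[str]], cookie_name: str) -> Dict[str, List[str]]:
    """Per-node findings; a node whose cookie domain or flags differ from the
    first node (taken here as the saved reference value) is flagged out of sync."""
    report = {node: check_node(headers, cookie_name) for node, headers in nodes.items()}
    parsed = {node: find_cookie(headers, cookie_name) for node, headers in nodes.items()}
    reference_node = next(iter(nodes))
    reference = parsed[reference_node]
    for node, cookie in parsed.items():
        if node == reference_node or cookie is None or reference is None:
            continue
        for attr in ("domain", "http_only", "secure"):
            if getattr(cookie, attr) != getattr(reference, attr):
                report[node].append(f"{attr} out of sync with {reference_node}")
    return report


# Constructed Set-Cookie headers as three HA nodes might return them:
# node1 is correct, node2 lacks Secure, node3 uses a different cookie domain.
SAMPLE_NODES = {
    "sso-node1": ["atsso_session=tok1; Domain=.example.com; Path=/; Secure; HttpOnly",
                  "JSESSIONID=abc1; Path=/atriumsso; Secure; HttpOnly"],
    "sso-node2": ["atsso_session=tok2; Domain=.example.com; Path=/; HttpOnly"],
    "sso-node3": ["atsso_session=tok3; Domain=.sso.example.com; Path=/; Secure; HttpOnly"],
}

if __name__ == "__main__":
    for node, findings in check_cluster(SAMPLE_NODES, COOKIE_NAME).items():
        print(node, "OK" if not findings else "; ".join(findings))
```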
11.6.5 Session parameter defaults
The session parameter defaults for the BMC Atrium Single Sign-On server are:
Max Session Time (Default: 120 minutes)
Idle Timeout (Default: 30 minutes)
Cache Time (Default: 3 minutes)
Max Session Count per User (Default: 5)
11.7 Stopping and restarting the BMC Atrium Single Sign-On server
This section describes how to stop and restart the BMC Atrium Single Sign-On server on Microsoft Windows, UNIX, and Linux.
11.7.1 Stopping and restarting on Windows
1. From the desktop of the application server host, use the Control Panel to go to the Administrator Tools' Component Services dialog box.
2. Expand the Services folder.
3. Select BMC Atrium SSO.
4. Click Stop.
5. To restart BMC Atrium Single Sign-On, click Start.
11.7.2 Stopping and restarting on UNIX or Linux
Ensure that your Java processes are stopped before restarting BMC Atrium Single Sign-On. Stop and start the UNIX or Linux services by performing the following steps:
1. Navigate to the /AtriumSSO/bin directory.
2. To shut down the services, type the following command:
shutdown-tomcat.sh
3. To start the services, type the following command:
startup-tomcat.sh
12 Troubleshooting
By default, BMC Atrium Single Sign-On supports logging on both the server and the agents. Logging is used for auditing purposes and for general debugging of connection issues. The logging system supports rotation of the agent audit log files. By default, these log files are not used or rotated because audit logging also occurs on the server. If rotation is disabled, the file system might be consumed by log files.
Note: The logging system can be modified for each component of BMC Atrium Single Sign-On.
The following topics provide information about various issues that can occur with BMC Atrium Single Sign-On:
Collecting diagnostics (see page 281)
Working with error messages (see page 285)
Logon and logoff issues (see page 316)
Upgrading from 7.6.04 to 8.1 silent installation issue (see page 317)
Troubleshooting AR authentication (see page 320)
Troubleshooting AR System server and Mid Tier integrations
Troubleshooting CAC authentication (see page 326)
Troubleshooting FIPS-140 conversion
Troubleshooting JEE agents (see page 331)
Troubleshooting Kerberos authentication (see page 333)
Troubleshooting an external LDAP user store
Troubleshooting SAMLv2
Troubleshooting redirect URLs (see page 343)
Session sharing in HA mode issue (see page 345)
Troubleshooting installation or upgrade issues (see page 346)
Resolving installation issues on LINUX operating system (see page 346)
12.1 Collecting diagnostics
BMC Atrium Single Sign-On is a distributed system and creates log files in many locations. The locations of the log files generally depend on the component of the system (server or agents). To help gather the log files and other information that is critical to providing quality support, a Java utility is available that covers many of the components. This utility requires a modern Java 6 JVM.
To run the support utility (see page 282)
Support utility location (see page 282)
Log file locations (see page 282)
Using BMC Atrium Single Sign-On for logging (see page 284)
12.1.1 To run the support utility
1. On the command line, navigate to the directory containing the jar support utility.
2. Enter the following jar command:
java -jar atssoSupport.jar
After the utility completes, all of the gathered information is stored in the atssoSupport.zip file.
12.1.2 Support utility location
The server and the web agent place the jar support utility in a predefined location. Products that use the Thick Agents for integration do not have a predefined location, but instead rely on a product-specific location.
The location within the server is: installationDirectory/tomcat/webapps/atriumsso/WEB-INF/tools
The location within the agent is: container/atssoAgents/bin
installationDirectory is the location where BMC Atrium Single Sign-On has been installed. container is the base directory of the JEE container in which the agent has been installed.
12.1.3 Log file locations
BMC Atrium Single Sign-On has two main logging directories:
installationDirectory/tomcat/webapps/atriumsso/WEB-INF/config/atriumsso/log
installationDirectory/tomcat/webapps/atriumsso/WEB-INF/config/atriumsso/debug
Of the component files in the log and debug directories, the files most commonly used to resolve BMC Atrium Single Sign-On issues are the Authentication and CoreSystem log files. These files contain the error entries about failures to communicate with the authentication modules, with the exception of RSA SecurID. RSA SecurID also uses rsa_api.log and rsa_api_debug.log for additional logging.
Additional server log file locations (see page 283)
Install program log files (see page 283)
Log directory (see page 283)
Debug directory (see page 283)
Additional server log file locations
Additional server log files are located at:
installationDirectory/tomcat/logs
installationDirectory/tomcat/temp
Install program log files
The install program log files are in the temporary file system:
/atriumsso_install_log.txt
/AtriumSSOInstalledConfiguration.xml
/AtriumSSOInstallingConfiguration.xml
Log directory
The log directory contains log files that are useful for auditing purposes. Each component of BMC Atrium Single Sign-On creates two files within this directory, one for successful entries and the other for error entries. The following components typically have files in this logging directory:
amAuthentication
amConsole
amPolicy
IDFF
WSFederation
amPolicyDelegation
amSSO
Debug directory
The debug directory contains additional log files that are geared towards problem resolution. The following BMC Atrium Single Sign-On components typically have files in this logging directory:
Authentication
CoreSystem
Entitlement
IdRepo
Session
rsa_api_debug.log
rsa_api.log
12.1.4 Using BMC Atrium Single Sign-On for logging
BMC Atrium Single Sign-On provides logging level options at the server level and at the agent level. In addition, debug logging can be enabled for RSA SecurID.
To enable logging at the server level (see page 284)
To enable logging at the agent level (see page 284)
To modify the rsa_api.properties file (see page 285)
The logging level options at both the server and agent level include:
Off — Turns off logging.
Error (default) — Returns the least amount of information. The logging level is typically kept at this default.
Message — Generates the most verbose logs but severely impacts server performance. Message level should only be used while an issue is being worked on.
Warning — Returns more information than Error, but less than Message.
Note: BMC recommends that for normal operation, you set Logging Level to either Off or Error.
To enable logging at the server level
1. On the BMC Atrium SSO Admin Console, click Edit Server Configuration.
2. In the Logging Level section, select your logging level from the drop-down menu.
3. Click Save.
4. Restart the server for the logging configuration change to take effect.
The default log file location is the following directory: installationDirectory/tomcat/webapps/atriumsso/WEB-INF/config/atriumsso/debug
To enable logging at the agent level
1. On the BMC Atrium SSO Admin Console, click Agent Details.
2. Select the agent that you want to update.
3. In the Logging Level section, select your logging level from the drop-down menu.
4. Click Save.
5. Restart the agent for the logging configuration change to take effect.
The default location for the log files generated by the agent is the temporary directory of the web container where the agent is deployed. For example, for the Tomcat server the location is the CATALINA_HOME directory, and for IBM WebSphere the location is the AppServer directory.
To modify the rsa_api.properties file
For RSA SecurID, additional debug logging is available by modifying the rsa_api.properties file.
1. Navigate to installationDirectory/tomcat/webapps/atriumsso/WEB-INF/config/atriumsso/auth/ace/data.
2. Edit the rsa_api.properties file.
3. Change the RSA_ENABLE_DEBUG property from NO to YES. Changing this property increases the volume of debugging information supplied by the RSA SecurID module.
4. Access the rsa_api_debug.log file in the debug logging directory for this information.
12.2 Working with error messages
Error number
Message
BMCSSG0000E
Undefined error message. Contact BMC Software, Inc.
BMCSSO1000E
Undefined error message. Contact BMC Software, Inc.
BMCSSO1001I
OpenSSO agent configuration override is on.
BMCSSO1002E
Cannot find config.properties in directory specified (%s)
BMCSSO1003I
BMC Atrium SSO agent is disabled.
BMCSSO1004I
No disabled user id specified, and user not already authenticated. Using user id "nobody".
BMCSSO1005E
Failed to configure logging: %s
BMCSSO1006E
Destination directory for templates does not exist: %s
BMCSSO1007E
Destination directory for templates is not a directory: %s
BMCSSO1008E
Required parameter not specified for configuration (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1009E
Failed to generated configuration for OpenSSO Agent.
BMCSSO1010E
BMC Atrium SSO security not configured.
BMCSSO1011E
BMC Atrium SSO security improperly configured. Internal error. Contact BMC Software, Inc.
BMCSSG1012E
BMC Atrium SSO security not integrated with server. Internal error. Contact BMC Software, Inc.
BMCSSO1013E
Failed internal agent configuration. Internal error. Contact BMC Software, Inc.
BMCSSO1014E
Failed internal agent configuration. Internal error. Contact BMC Software, Inc.
BMCSSO1015E
Agent configuration file (%s) already exists. Either delete agent or use replace agent.
BMCSSO1016W
Failed to get canonicalized host name.
BMCSSO1017E
Agent configuration file (%s) must be located within WEB-INF directory structure.
BMCSSO1018E
Failed agent confidentiality algorithm (%s). Contact BMC Software, Inc.
BMCSSO1019E
Failed agent confidentiality algorithm (%s). Contact BMC Software, Inc.
BMCSSO1020E
Failed agent confidentiality algorithm (%s). Contact BMC Software, Inc.
BMCSSG1021E
Cannot delete agent because configuration file specified does not exist.
BMCSSG1022E
Cannot delete agent because configuration file does not contain BMC Atrium SSO server information.
BMCSSG1023E
Error while processing deployer command (%s): %s
BMCSSG1024E
Failed to register agent with BMC Atrium SSO server (%s).
BMCSSG1025E
BMC Atrium SSO agent already registered with BMC Atrium SSO server. Must either replace or delete this agent.
BMCSSG1026E
File system location of container lib could not be identified. Specify through the property BMC Atrium SSO.container.lib.dir.
BMCSSG1027E
Failure generating or updating agent config.properties file (%s).
BMCSSG1028E
The web.xml file specified could not be found. Verify agent file system location supplied.
BMCSSG1029W
Agent configuration was disabled. Re-enabling security.
BMCSSG1030E
The web.xml file is not configured for FORM login. Please change the configuration to FORM login for BMC Atrium SSO Agent configuration.
BMCSSG1031E
Failed administrator logon: %s
BMCSSG1032E
Failed agent logon: %s
BMCSSG1033E
Failed to find agent configuration file.
BMCSSG1034E
Parsing error while processing file %s.
BMCSSG1035E
Could not access configuration template file (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1036E
Could not find configuration template file. Internal error. Contact BMC Software, Inc.
BMCSSG1037E
Failed to create container control. Internal error. Contact BMC Software, Inc.
BMCSSG1038E
Failed to create container control for unknown type(%s). Internal error. Contact BMC Software, Inc.
BMCSSG1039E
Administrative function (%s) failed. Internal error. Contact BMC Software, Inc.
BMCSSG1040E
Tomcat cookie adjustment failed. Internal error. Contact BMC Software, Inc.
BMCSSG1041E
Failed to bounce container. Internal error. Contact BMC Software, Inc.
BMCSSG1042E
Invalid hostname specified for BMC Atrium SSO URL (%s). Must use FQDN.
BMCSSG1043E
Failed to resolve configuration path (%s) to canonical.
BMCSSG1044E
Failed domain lookup of hostname supplied for BMC Atrium SSO URL.
BMCSSG1045E
Failed to find configurator template. Internal Error. Contact BMC Software, Inc.
BMCSSG1046E
Failed to load configurator template. Internal Error. Contact BMC Software, Inc.
BMCSSG1047E
Failed to load configurator template. Internal Error. Contact BMC Software, Inc.
BMCSSG1048E
Failed to execute configurator.
BMCSSG1049E
Execution of configurator failed with status code(%s).
BMCSSG1050E
Configuration of CAC was interrupted.
BMCSSG1051E
Configuration of CAC failed (%s).
BMCSSG1052E
Setup of administrative tool was interrupted.
BMCSSG1053E
Setup of administrative tool failed (%s).
BMCSSG1054E
Setup of administrative tool finished with non-zero result code (%s).
BMCSSG1055E
Invalid URL specified for BMC Atrium SSO server (%s).
BMCSSG1056E
BMC Atrium SSO configuration failed (%s).
BMCSSG1057I
Successfully configured BMC Atrium SSO server.
BMCSSG1058E
Invalid container home specified for BMC Atrium SSO server (%s).
BMCSSG1059E
Administrative password cannot be null or empty.
BMCSSG1060E
LDAP port specified is out of range (%d), must be 1..65534.
BMCSSG1061E
Failed to find executable jar file within classpath (%s).
BMCSSG1062E
Failed to connect with BMC Atrium SSO container. Container must be running with BMC Atrium SSO.war deployed before configuration.
BMCSSG1063E
Invalid URL type (%s).
BMCSSG1064E
Error connecting with BMC Atrium SSO container (%s)- is it running?
BMCSSG1065E
Failed to create temporary file for configuration (%s).
BMCSSG1066E
Failed to write to temporary file for configuration (%s).
BMCSSG1067E
Failed reconfiguration of BMC Atrium SSO server.
BMCSSG1068E
Invalid cookie domain specified (%s).
BMCSSG1069E
Failed to rewrite server URL to include proper context URI.
BMCSSG1070E
Agent password or name is empty/null. Internal error. Contact BMC Software, Inc.
BMCSSG1071E
Administrator password or name is empty/null. Internal error. Contact BMC Software, Inc.
BMCSSG1072E
Failed to create agent profile (response code: %s).
BMCSSG1073E
Configuration for agents failed (%s).
BMCSSG1074E
Configuration for agents was interrupted.
BMCSSG1075E
Failed to create cache dir.
BMCSSG1076E
Failed to create authentication context (%s). Is the BMC Atrium SSO server running?
BMCSSG1077E
Failed to begin login (%s).
BMCSSG1078E
Default BMC Atrium SSO server not specified with environment variable .
BMCSSG1079E
Badly formed URL for default BMC Atrium SSO server.
BMCSSG1080E
Failed to retrieve SSOToken (%s).
BMCSSG1081E
Failed to retrieve idle time (%s).
BMCSSG1082E
Failed to retrieve max idle time (%s).
BMCSSG1083E
Failed to retrieve max session time (%s).
BMCSSG1084E
Failed to retrieve principal (%s).
BMCSSG1085E
Failed to retrieve time left (%s).
BMCSSG1086E
Failed to logout (%s).
BMCSSG1087E
Failed to register for token events (%s).
BMCSSG1088E
Failed to get token event type (%s).
BMCSSG1089E
Failed to validate SSO token (%s).
BMCSSG1090E
Administrative password must be at least 8 characters in length.
BMCSSG1091E
Token cache too large to load (%d).
BMCSSG1092E
Failed to read fully from cache file (%s).
BMCSSG1093E
Failed to delete cache.
BMCSSG1094E
Failed to convert to XML. Internal Error. Contact BMC Software, Inc.
BMCSSG1095E
Failed to create lock on cache (%s).
BMCSSG1096E
Interrupted during create lock on cache (%s).
BMCSSG1097E
Failed to extract data from possibly corrupted cache (%s).
BMCSSG1098E
Failed to write to cache (%s).
BMCSSG1099E
Failed to write to cache (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1200E
Default BMC Atrium SSO server is not specified.
BMCSSG1201E
Default BMC Atrium SSO server URL is not specified correctly (%s).
BMCSSG1202E
Failed to retrieve SSOToken using token id. Is server certificate in truststore? (%s).
BMCSSG1203E
Login failed (%s).
BMCSSG1204E
Must authenticate a user before requesting token.
BMCSSG1205E
Failed to retrieve token (%s).
BMCSSG1206E
System callback handler is not specified.
BMCSSG1207E
Failed to load class for callback handler.
BMCSSG1208E
Failed to create an instance of the class for callback handler (%s).
BMCSSG1209E
Unknown UIHandler specified: %s
BMCSSG1210E
Failure during login (%s).
BMCSSG1211E
Failure during login (%s).
BMCSSG1212W
Please enter a value for the password.
BMCSSG1213E
Failed to logout from BMC Atrium SSO server (%s).
BMCSSG1214E
Failed to abort from BMC Atrium SSO server (%s).
BMCSSG1215E
Invalid naming URL: %s
BMCSSG1216E
Invalid BMC Atrium SSO URL specified (%s).
BMCSSG1217E
Already logged into BMC Atrium SSO server. Logout before trying to login again.
BMCSSG1218E
Context must be reset before being used for another login.
BMCSSG1219E
Failed to find userid within Principal (%s).
BMCSSG1220E
Failed to create context from token (%s).
BMCSSG1221E
Improper response received from BMC Atrium SSO server (%d).
BMCSSG1222E
Failed to connect with BMC Atrium SSO server.
BMCSSG1223E
Invalid security provider specified (%s).
BMCSSG1224E
Invalid security algorithm specified (%s).
BMCSSG1225E
Could not resolve hostname for BMC Atrium SSO server (%s).
BMCSSG1226E
Failed to access user specified keystore file (%s): %s
BMCSSG1227E
Failed to execute keytool to generate certificate.
BMCSSG1228E
Keytool finished with non-zero status code (%d).
BMCSSG1229E
Keystore password not specified.
BMCSSG1230E
Keystore password not specified.
BMCSSG1231E
Trying to use insecure communications protocol HTTP instead of HTTPS. Must use HTTPS for server URL (%s).
BMCSSG1232E
Could not find configuration utility. Has BMC Atrium SSO war file been deployed?
BMCSSG1233E
Could not connect using HTTPS and keystore specifications.
BMCSSG1234E
Failed to create TLS socket factory for HTTPS communications (%s).
BMCSSG1235E
Specified insecure HTTP protocol for BMC Atrium SSO but configuration is blocking usage.
BMCSSG1236E
Failed to initialize HTTPS protocol using keystore specified (%s).
BMCSSG1237E
Failed to initialize HTTPS protocol using certificate file specified (%s).
BMCSSG1238E
Configuration for HTTPS protocol is incomplete- a keystore or certificate is required.
BMCSSG1239E
Error while loading keystore specified for web agent deployment and configuration.
BMCSSG1240E
Error while loading server certificate specified for web agent deployment and configuration.
BMCSSG1241E
Failed to connect with BMC Atrium SSO server for HTTPS certificate download (%s).
BMCSSG1242E
Failed to retrieve certificate from BMC Atrium SSO server for HTTPS configuration.
BMCSSG1243E
Failed to write retrieved certificate to cache (%s).
BMCSSG1244E
Failed to use HTTPS certificates for agent delete (%s).
BMCSSG1245W
Specified insecure HTTP protocol for BMC Atrium SSO server (%s).
BMCSSG1246E
Failed to load users keystore (%s).
BMCSSG1247E
Failed to create keystore manager(%s).
BMCSSG1248E
Failed to add new certificate to keystore(%s).
BMCSSG1250E
Failed to lock file for keystore update (%s).
BMCSSG1251E
Failed to unlock file after keystore update (%s).
BMCSSG1252E
Login failed. Verify user credentials and try again.
BMCSSG1253E
Failed to create LDAP chain (%s).
BMCSSG1254E
Failed to load keystore (%s).
BMCSSG1255E
Invalid token specified for BMC Atrium SSO server connection.
BMCSSG1256E
Alias cannot be null. Internal error. Contact BMC Software, Inc.
BMCSSG1257E
Failed to update keystore because of failure to delete original keystore file.
BMCSSG1258E
Failed to rename new keystore to replace original keystore.
BMCSSG1259E
Failed to load keystore from file (%s).
BMCSSG1260E
Failed to read data from file (%s). Keystore has been corrupted.
BMCSSG1261E
If keystore specified, then keystore type and password must also be provided.
BMCSSG1262E
No keystore available for private keys.
BMCSSG1263E
Failed to setup trust manager (%s).
BMCSSG1264E
Failed to bounce container after configuration step (%s).
BMCSSG1265E
Authentication callback failed to provide credentials (%s).
BMCSSG1266E
BMC Atrium SSO URL is not specified through environment or system properties.
BMCSSG1267E
Invalid BMC Atrium SSO URL specified (%s).
BMCSSG1268E
A realm must be specified when connecting with BMC Atrium SSO (cannot be null).
BMCSSG1269E
A callback handler must be specified when connecting with BMC Atrium SSO (cannot be null).
BMCSSG1270E
Failed to find UID within DN (%s).
BMCSSG1271E
Empty DN provided for principal.
BMCSSG1272E
Failed to load JVM KeyStore(%s).
BMCSSG1273E
Missing store password for keystore file.
BMCSSG1274E
Malformed forwarding URL received (%s).
BMCSSG1275E
Failed to configure SecurID module (%s).
BMCSSG1276E
Failed creating ActiveDirectory chain (%s).
BMCSSG1277E
Failed adding ActiveDirectory module to ActiveDirectory chain (%s).
BMCSSG1278E
Failed creating ActiveDirectory module (%s).
BMCSSG1279E
Failed updating LDAP module (%s).
BMCSSG1280E
Failed updating AD module (%s).
BMCSSG1281E
Failed to create directory for file lock (%s).
BMCSSG1282E
Keytool finished with non-zero status code (%d).
BMCSSG1283E
Failed to execute keytool to export certificate.
BMCSSG1284E
Keytool finished with non-zero status code (%d).
BMCSSG1285E
Failed to connect with Identity REST services (%s).
BMCSSG1286E
Not connected with Identity REST services. Internal Error. Contact BMC Software, Inc.
BMCSSG1287E
Failed to fetch attributes from server (%s).
BMCSSG1288E
Failed to retrieve client host name(%s).
BMCSSG1289E
Failed to parse LDAP value (%s).
BMCSSG1290E
Failed to deserialize group file (%s).
BMCSSG1291E
Groups file (%s) does not exist.
BMCSSG1292E
Failed to upload groups to server (%s).
BMCSSG1293I
User canceled login.
BMCSSG1294E
Authentication failed for unknown reason.
BMCSSG1295E
Failed to find class (%s) in launching jar. Internal Error. Contact BMC Software, Inc.
BMCSSG1296E
Failed to parse jar file URL (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1297E
Failed to locate jar entry in jar URL (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1298E
Failed to get jar URL (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1299E
Agent zip directory (%s) not found in jar file directory (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1300E
Agent action option must be specified (install, migrate, uninstall).
BMCSSG1301E
Failed to create temporary response file (%s).
BMCSSG1302E
When truststore option is specified, the password, type and alias must also be specified.
BMCSSG1303E
Truststore specified does not exist(%s).
BMCSSG1304E
JEE container base directory specified does not exist (%s).
BMCSSG1305E
JEE container base directory specified is not a directory (%s).
BMCSSG1306E
Couldn't find websphere agent zip (%s).
BMCSSG1307E
Websphere server instance configuration directory doesn't exist (%s).
BMCSSG1308E
Couldn't create temporary server certificate file (%s).
BMCSSG1309E
Failed to load response file from input stream (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1310E
Failed to open response file source file (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1311E
Failed to load response file from string (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1312E
Failed to open response file (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1313E
Failed to write into response file (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1314E
Missing value for variable (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1315E
Failed to generate random sequence (%s).
BMCSSG1316E
Failed to create temporary file (%s).
BMCSSG1317I
Successfully finished execution.
BMCSSG1318I
Deployer execution completed.
BMCSSG1319E
Failed deployer execution.
BMCSSG1320E
Failed to load agent configuration (%s).
BMCSSG1321E
Failed to save agent configuration (%s).
BMCSSG1322I
Detected agent installation.
BMCSSG1323I
Agent installation not detected.
BMCSSG1324E
Agent installation detected, but failed to instantiate (%s).
BMCSSG1325E
Agent installation detected, but failed to instantiate (%s).
BMCSSG1326E
Failed to parse deployer options (%s).
BMCSSG1327E
Failed to access template file (%s).
BMCSSG1328E
Failed to find worker for task. Internal Error. Contact BMC Software, Inc.
BMCSSG1329E
Invalid parameter values.
BMCSSG1330E
Subscript execution failed (%s) (formerly code BMCSDG1330E).
BMCSSG1331E
Failed to create agent installation directory (%s).
BMCSSG1332E
Failed to connect with BMC Atrium SSO server (%s).
BMCSSG1333E
JEE container cannot be running during installation. Please stop the server and retry agent installation.
BMCSSG1334E
BMC Atrium SSO server (%s) cannot be contacted. It must be running during agent installation.
BMCSSG1335E
Failed to netstat for JEE container ports (%s).
BMCSSG1336E
Failed to create agent account (%s).
BMCSSG1337E
Failed to create logout url (%s).
BMCSSG1338E
Failed to create BMC Agent (%s).
BMCSSG1339E
Failed to convert agent data (%s).
BMCSSG1340E
Agent installation finished with errors (formerly code BMCSDG1340E).
BMCSSG1341E
Agent already installed and configured for URL (%s). Use "--force" option to override.
BMCSSG1342E
Unknown agent specified for URL (%s). Use "--force" option to override.
BMCSSG1343E
Failed to update BMC Agent after uninstall (%s).
BMCSSG1344E
JEE truststore specified does not exist (%s).
BMCSSG1345E
JVM truststore specified does not exist (%s).
BMCSSG1346E
JEE password must be specified when JEE truststore is specified.
BMCSSG1347E
JVM password must be specified when JVM truststore is specified.
BMCSSG1348E
Couldn't find tomcat agent zip (%s).
BMCSSG1349E
BMC Atrium SSO filter experienced internal error processing security: %s
BMCSSG1350E
BMC Atrium SSO cannot be contacted. Contact security administrator.
BMCSSG1351E
Failed to create BmcRealm (%s).
BMCSSG1352E
Failed to create temporary file for property update (%s): %s
BMCSSG1353E
Failed to open stream to new property file (%s).
BMCSSG1354E
Failed adding LDAP module to LDAP chain (%s).
BMCSSG1355E
Failed to write to new property file (%s).
BMCSSG1356E
Failed to update keystore for login(%s).
BMCSSG1357E
Failure during server certificate acceptance (%s).
BMCSSG1358E
Failure during server certificate acceptance (%s).
BMCSSG1359E
Used declined certificate from server (%s).
BMCSSG1360E
Failure checking server certificate against keystore (%s).
BMCSSG1361E
Wow, couldn't generate a unique filename for old file (%s).
BMCSSG1362E
Failed to rename old configuration file.
BMCSSG1363E
Server presented certificate unusable for server verification. CN must be hostname.
BMCSSG1364E
Failed setting auth level on in DataStore module (%s).
BMCSSG1365E
Failed to set CAC server configuration (%s).
BMCSSG1366E
Failed to create CAC module (%s).
BMCSSG1367E
Failed to set OCSP on in CAC module (%s).
BMCSSG1368E
Failed to create CAC chain (%s).
BMCSSG1369E
Failed to add CAC module to CAC chain (%s).
BMCSSG1370E
Failed to rollback to old configuration file.
BMCSSG1371E
Failed to create access to keystores (%s).
BMCSSG1372E
Failed to load MS-CAPI (%s).
BMCSSG1373E
A certificate is required for login, but none found. Is CAC card inserted?
BMCSSG1374E
Failed to prepare script for unix execution (%s).
BMCSSG1375E
Failed registering SecurID authentication module (%s).
BMCSSG1376E
Failed creating SecurID service (%s).
BMCSSG1377E
Failed to connect with BMC Atrium SSO server (%s).
BMCSSG1378E
Failed to connect with BMC Atrium SSO server (%s).
BMCSSG1379E
Failed to logout from BMC Atrium SSO server (%s).
BMCSSG1380E
Failed to commit log in with BMC Atrium SSO server (%s).
BMCSSG1381E
Failed to create SecurID module (%s).
BMCSSG1382E
Failed to create SecurID chain (%s).
BMCSSG1383E
Failed to add SecurID module to SecurID chain (%s).
BMCSSG1284E
Failed to get encoding for certificate (%s).
BMCSSG1385E
Failed to deserialize subjects file (%s).
BMCSSG1386E
Subjects file (%s) does not exist.
BMCSSG1387E
Failed to serialize subjects file (%s).
BMCSSG1388E
BMC Atrium SSO URL specified is invalid (%s).
BMCSSG1389E
File to import doesn't exist (%s).
BMCSSG1390E
Failed subject import(%s).
BMCSSG1391E
Failed subject export(%s).
BMCSSG1392E
The GET operation is not supported for this service.
BMCSSG1393E
The POST operation is not supported for this service.
BMCSSG1394E
The PUT operation is not supported for this service.
BMCSSG1395E
The DELETE operation is not supported for this service.
BMCSSG1396E
Failed to return JSON message for exception (%s).
BMCSSG1397E
Unsupported media type requested from REST services (%s).
BMCSSG1398E
Failed to convert exception to JSON object (%s).
BMCSSG1399E
Failed to add info to JSON object (%s).
BMCSSG1400E
Failed to add FIPS info to JSON object (%s).
BMCSSG1401E
Missing required parameter for REST service (%s).
BMCSSG1402E
Missing required parameters for REST service (%s).
BMCSSG1403E
Failure performing identity search (%s).
BMCSSG1404E
Failure creating JSON object for identity search (%s).
BMCSSG1405E
Invalid URI specified for remote notification (%s).
BMCSSG1406E
Failed to register for token notifications (%s).
BMCSSG1407E
Invalid tokenid passed for notifications (%s).
BMCSSG1408E
A URI must be specified for notifications.
BMCSSG1409E
At least one tokenid must be specified to register for notifications.
BMCSSG1410E
Notification URI already registered to receive notifications.
BMCSSG1411E
The URI specified is not registered for notifications (%s).
BMCSSG1412E
The URI specified was terminated due to failure to retrieve notifications in a timely manner (%s).
BMCSSG1413E
The URL specified for remote HTTP client failed to parse (%s): %s
BMCSSG1414E
Failed to create JSON message for notification (%s).
BMCSSG1415E
Received unsuccessful result code (%s) from HTTP send: %s
BMCSSG1416E
Test remote connection failed (%s).
BMCSSG1417W
Reverse remote client is not connected to receive messages (%s).
BMCSSG1418E
Invalid hostname specified for remote client (%s).
BMCSSG1419E
Failed to create TLS context (%s).
BMCSSG1420E
Failed to create reader/writers for socket notifications (%s).
BMCSSG1421E
Failed to build JSON object (%s).
BMCSSG1422E
Failed REST call to BMC Atrium SSO server (%s).
BMCSSG1423E
Internal error, no response code returned (%s).
BMCSSG1424E
Failed REST call with exception(%s): %s.
BMCSSG1425E
Internal error, no principal within session token (%s).
BMCSSG1426E
Internal error, no groups within session token (%s).
BMCSSG1427E
Internal error, no field %s within session token (%s).
BMCSSG1428E
Only agents and administrators can register for notifications on non-owner sessions.
BMCSSG1429E
Invalid URL specified (%s).
BMCSSG1430E
Failed to get BMC Atrium SSO server URL from notification (%s).
BMCSSG1431E
Failed to parse session notification from server (%s).
BMCSSG1432E
Error opening notification socket (%s).
BMCSSG1433E
Timed-out opening notification socket (%s).
BMCSSG1434E
Failed to create TLS socket (%s).
BMCSSG1435E
Failed to acquire FQDN for local host (%s).
BMCSSG1436E
Failed to compose URI for notifications (%s).
BMCSSG1437E
Failed to use reverse messenger with server (%s).
BMCSSG1438E
Failed to retrieve server version from info reply (%s).
BMCSSG1439E
Failed to retrieve server build date from info reply (%s).
BMCSSG1440E
BMC Atrium SSO server release is too old; it does not support remote notification.
BMCSSG1441E
The URI specified was not registered for notification events (%s).
BMCSSG1442E
Failed to create messenger for reverse protocol (%s).
BMCSSG1443E
Invalid client certificate presented for notification (%s).
BMCSSG1444E
Failed to create dynamic client certificate (%s).
BMCSSG1445E
Unknown user attribute specified for export (%s).
BMCSSG1446E
Failed to connect with BMC Atrium SSO internal LDAP server (%s).
BMCSSG1447E
Failed to create unload directory (%s).
BMCSSG1448E
Failure during configuration dump (%s).
BMCSSG1449E
Failure during properties dump (%s).
BMCSSG1450E
Invalid server URL specified (%s).
BMCSSG1451E
Dump directory does not exist (%s).
BMCSSG1452E
Invalid dump directory (%s).
BMCSSG1453E
Failure loading configuration (%s).
BMCSSG1454I
Successfully unloaded BMC Atrium SSO data.
BMCSSG1455I
Successfully loaded BMC Atrium SSO data.
BMCSSG1456E
Failed to unload BMC Atrium SSO data (%s).
BMCSSG1457E
Failed to load BMC Atrium SSO data (%s).
BMCSSG1458E
Failed to unload group data (%s).
BMCSSG1459E
Failed to unload user data (%s).
BMCSSG1460E
Failed to find amserver.jar for update (%s).
BMCSSG1461E
Failed to access updated amserver.jar from classpath. Internal error. Contact BMC Software, Inc.
BMCSSG1462E
Failed to write data to amserver.jar (%s).
BMCSSG1463E
Failed to open temporary file for updated jar contents (%s).
BMCSSG1464E
Failed to rename old amserver.jar to %s.
BMCSSG1465E
Failed to rename new file to amserver.jar.
BMCSSG1466E
Failed to stop SSO container (%s).
BMCSSG1467E
Failed to start SSO container (%s).
BMCSSG1468E
Failed to access LDAP config (%s).
BMCSSG1469E
Failed to save modified LDAP config (%s).
BMCSSG1470E
Failed agent confidentiality algorithm (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1471E
Failed agent confidentiality algorithm (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1472E
Failed agent confidentiality algorithm (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1473E
Failed to stop service for child process (%s).
BMCSSG1474E
Unable to access LDAP configuration (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1475E
Missing property from configuration file (%s).
BMCSSG1476E
Failed to connect agent due to unsupported callback type.
BMCSSG1477E
Failed to retrieve cookie name from server (%s).
BMCSSG1478E
Failed to access configuration file (%s).
BMCSSG1479E
Failed to load from configuration file (%s).
BMCSSG1480E
Failed to open configuration file (%s).
BMCSSG1481E
Failed to store to configuration file (%s).
BMCSSG1482E
Failed to store secret key in keystore (%s).
BMCSSG1483E
Failed to generate secret key (%s).
BMCSSG1484E
Failed to encrypt with secret key (%s).
BMCSSG1485E
Configuration directory name is not specified in system property (%s).
BMCSSG1486E
Configuration directory does not exist (%s).
BMCSSG1487E
Web application configuration directory does not exist (%s).
BMCSSG1488E
Configuration file does not exist (%s).
BMCSSG1489E
Failed to find Tomcat v6 bin directory (%s).
BMCSSG1490E
Failed to access script file for JEE Agent integration (%s).
BMCSSG1491E
Failed to find Tomcat v6 bin directory (%s).
BMCSSG1492E
Failed to access script file for JEE Agent integration (%s).
BMCSSG1493E
Agent configuration directory for webapp already exists. If the agent is not currently deployed, delete the directory and try again (%s).
BMCSSG1494E
Failed to create script file for JEE Agent integration (%s).
BMCSSG1495E
Failed to connect with BMC Atrium SSO server for token attributes (%s).
BMCSSG1496E
Incompatible message type received from BMC Atrium SSO server for token attributes (%s).
BMCSSG1497E
Failed to delete agent from BMC Atrium SSO server (%s).
BMCSSG1498E
Failed to delete agent user account from SSO server (%s).
BMCSSG1499E
Failed to decode agent password (%s).
BMCSSG1500E
Entry in keystore does not refer to secret key (%s).
BMCSSG1501E
Failed to get secret key (%s).
BMCSSG1502E
Failed to get agent token id (%s).
BMCSSG1503E
Failed to get cookie name from server (%s).
BMCSSG1504E
Failed to get FIPS mode from server reply (%s).
BMCSSG1505E
Failed to get FIPS mode from server (%s).
BMCSSG1506E
BMC Atrium SSO server is operating in FIPS mode but this agent is not in FIPS mode.
BMCSSG1507E
BMC Atrium SSO server is not operating in FIPS mode but this agent is in FIPS mode.
BMCSSG1508E
BMC Atrium SSO server is currently not available.
BMCSSG1509E
Failed to convert URL to URI (%s).
BMCSSG1510E
Failed to compose notification URL (%s).
BMCSSG1511E
Failed to access agent attribute (%s) from server (%s).
BMCSSG1512E
Exceeded redirection limit.
BMCSSG1513E
Failed to decode cookie (%s).
BMCSSG1514E
Required identity event attribute missing (%s).
BMCSSG1515E
Failed to get repository for identity listener (%s).
BMCSSG1516E
Required token event attribute missing (%s).
BMCSSG1517E
Failed to download and configure agent (%s).
BMCSSG1518E
Agent was renamed; local configuration must be updated.
BMCSSG1519E
Agent was deleted; local configuration must be updated.
BMCSSG1520E
Failed to get time from server reply (%s).
BMCSSG1521E
Failed to create TLS socket factory (%s).
BMCSSG1522E
Failed to start web receiver thread (%s).
BMCSSG1523E
Failed to find Tomcat v5 bin directory (%s).
BMCSSG1524E
Failed to access script file for JEE Agent integration (%s).
BMCSSG1525E
Failed to create script file for JEE Agent integration (%s).
BMCSSG1526E
Unable to get servlet context path. Use atsso.context.path in servlet init parameter.
BMCSSG1527E
Unknown container type specified (%s).
BMCSSG1528E
Failed to find WebSphere script. Internal error. Contact BMC Software, Inc.
BMCSSG1529E
Failed to parse command line options for WebSphere7 (%s).
BMCSSG1530E
Instance directory specified does not exist (%s).
BMCSSG1531E
Failed to load WebSphere script (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1532E
Failed to execute WebSphere script (%s).
BMCSSG1533E
WebSphere script failed.
BMCSSG1534E
Failed to store support utility program.
BMCSSG1535E
Failed to parse command line options for JBoss (%s).
BMCSSG1536E
Failed to find run.conf file (%s).
BMCSSG1537E
Failed to connect with BMC Atrium SSO server (%s). Is it running? Are the credentials correct?
BMCSSG1538E
Failed creating AR service (%s).
BMCSSG1539E
Failed to configure AR module (%s).
BMCSSG1540E
Failed creating AR module (%s).
BMCSSG1541E
Failed creating AR chain (%s).
BMCSSG1542E
Failed adding AR module to AR chain (%s).
BMCSSG1543E
Failed authentication with AR server (%s).
BMCSSG1544E
Failed to connect with AR server.
BMCSSG1545E
Unsupported type for operation with AR Server data source.
BMCSSG1546E
Failed to get groups for user (%s).
BMCSSG1547E
AR Server data source only supports group memberships.
BMCSSG1548E
AR Server host name not configured.
BMCSSG1549E
AR Server port number not configured.
BMCSSG1550E
Failed to create new agent account (%s) in BMC Atrium SSO server. Delete agent in administrator console and try again.
BMCSSG1551E
Failed adding DataStore module to AR chain (%s).
BMCSSG1552E
Data store failed to connect to AR Server using administrator account.
BMCSSG1553I
AR authentication allowed guest login but that option is blocked.
BMCSSG1554E
Failed to convert file for UNIX execution.
BMCSSG1555E
Failed to load provider for keystore type (%s).
BMCSSG1556E
Failed to load provider for truststore type (%s).
BMCSSG1557E
Failed to load keystore (%s).
BMCSSG1558E
Failed to load truststore (%s).
BMCSSG1559E
Failed to transfer public certificate to truststore (%s).
BMCSSG1560E
Failed to save truststore (%s).
BMCSSG1561E
Failed to remove old truststore.
BMCSSG1562E
Failed to replace old truststore.
BMCSSG1563E
BMC Atrium SSO server is in FIPS mode but RSA library is not FIPS compliant.
BMCSSG1564E
Failed to load specified provider class (%s): %s
BMCSSG1565E
Failed to initialize in non-FIPS mode (%s).
BMCSSG1566E
Failed to initialize socket factory for LDAP (%s).
BMCSSG1567E
Failed to create socket for LDAP (%s).
BMCSSG1568E
Failed to initialize service.
BMCSSG1569E
Invalid parameter.
BMCSSG1570E
Failed to initialize service (%s).
BMCSSG1571E
Failed to initialize to receive notifications of FIPS service changes (%s).
BMCSSG1572E
BMC Atrium SSO server FIPS configuration is out of sync with server environment.
BMCSSG1573E
Not enforced file specified doesn't exist.
BMCSSG1574E
Failed to extract agent certificate from keystore (%s).
BMCSSG1575E
Source file name for conversion cannot be null.
BMCSSG1576E
Source type for conversion cannot be null.
BMCSSG1577E
Destination type for conversion cannot be null.
BMCSSG1578E
Failed to create temporary file for conversion (%s).
BMCSSG1579E
Destination file already exists.
BMCSSG1580E
Failed to open source keystore (%s).
BMCSSG1581E
Failed to create destination keystore (%s).
BMCSSG1582E
Failed to load destination keystore (%s).
BMCSSG1583E
Failed to get item from source keystore (%s).
BMCSSG1584E
Failed to move items into destination keystore (%s).
BMCSSG1585E
Failed to save destination keystore (%s).
BMCSSG1586E
Failed to open destination keystore (%s).
BMCSSG1587E
Failed to delete old destination keystore (%s).
BMCSSG1588E
Failed to rename new destination keystore (%s).
BMCSSG1589E
Failed to capture BMC Atrium SSO server certificate (%s).
BMCSSG1590E
Unload directory doesn't exist.
BMCSSG1591E
Failed to parse Tomcat server.xml.
BMCSSG1592E
Failed to set up truststore (%s).
BMCSSG1593E
BMC Atrium SSO server is running in FIPS140 mode, but the SDK is not configured for FIPS140.
BMCSSG1594E
BMC Atrium SSO server is not running in FIPS140 mode, but the SDK is configured for FIPS140.
BMCSSG1595E
Upgrade utility failed to connect with BMC Atrium SSO Server.
BMCSSG1596E
Failed to open server defaults (%s).
BMCSSG1597E
Failed to switch FIPS-140 mode (%s).
BMCSSG1598I
Switching Atrium SSO server to normal mode (not FIPS-140 mode).
BMCSSG1599I
Switching Atrium SSO server to FIPS-140 mode.
BMCSSG1600E
Switch of Atrium SSO server to normal mode completed.
BMCSSG1601I
Switch of Atrium SSO server to FIPS-140 mode completed.
BMCSSG1602E
Failed to update bootstrap information to FIPS-140 mode (has FIPS certified jar been installed?): %s
BMCSSG1603E
Failed to update bootstrap information to normal mode: %s
BMCSSG1604E
Failed to update server configuration to FIPS-140 mode: %s
BMCSSG1605E
Failed to update JVM configuration to FIPS-140 mode: %s
BMCSSG1606E
Failed to update server configuration to normal mode: %s
BMCSSG1607E
Failed to update JVM configuration to normal mode: %s
BMCSSG1608W
Detected CryptoJ library is not FIPS-140 compliant.
BMCSSG1609E
Failed to get FIPS-140 cipher for switch: %s
BMCSSG1610E
Failed to get normal cipher for switch: %s
BMCSSG1611E
Failed to switch FIPS mode: %s
BMCSSG1612E
Failed to update services information for switch to FIPS-140 mode: %s
BMCSSG1613E
Failed to update services information for switch to normal mode: %s
BMCSSG1614E
Failed JVM test for FIPS-140 cryptography. Please validate unlimited strength policy files and cryptojFIPS.jar have been installed into server JVM.
BMCSSG1615E
Failed JVM test for FIPS-140 cryptography with exception (%s). Please validate unlimited strength policy files and cryptojFIPS.jar have been installed into server JVM.
BMCSSG1616E
Failure converting cryptography for FIPS-140 switch (%s).
BMCSSG1617E
Failed JVM test for FIPS-140 cryptography. Please validate unlimited strength policy files and that RSA FIPS jars have been installed into server JVM.
BMCSSG1618E
Failed JVM test for FIPS-140 cryptography with exception (%s). Please validate unlimited strength policy files and RSA FIPS jars have been installed into server JVM.
BMCSSG1619E
Failed JVM test for FIPS-140 cryptography. Please validate unlimited strength policy files and that RSA FIPS jars have been installed into JVM.
BMCSSG1620E
Failed JVM test for FIPS-140 cryptography with exception (%s). Please validate unlimited strength policy files and RSA FIPS jars have been installed into JVM.
BMCSSG1621E
Failed to connect with Atrium SSO server (%s). Is server running in FIPS-140 mode?
BMCSSG1622E
Failed to switch from FIPS-140 mode.
BMCSSG1623E
Failed to switch to FIPS-140 mode.
BMCSSG1624I
Atrium SSO server is running in FIPS-140 mode.
BMCSSG1625I
Validated JVM ability for FIPS.
BMCSSG1626E
Failed to initialize cryptography (%s).
BMCSSG1627E
Failed to load LDAP configuration (%s).
BMCSSG1628E
Failed to parse LDAP configuration (%s).
BMCSSG1629E
Failed to update LDAP configuration (%s).
BMCSSG1630E
Failed to find ServletExec script file for modification (%s).
BMCSSG1631E
FIPS switch blocked because the server.xml.fips/server.xml.nofips and java.security.fips/java.security.nofips files are not available. For information about file requirements, see Configuring an external Tomcat instance for FIPS-140.
BMCSSG1632E
Failed to parse configuration (%s).
BMCSSG1633E
Failed to extract OpenDS utilities (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1634E
Cluster configuration file specified does not exist (%s).
BMCSSG1635E
Cluster configuration file specified already exists (%s). Delete file or specify a non-existent name.
BMCSSG1636E
Cluster save-config and read-config cannot be specified during the same configuration.
BMCSSG1637E
Failed to load properties from cluster config file (%s).
BMCSSG1638E
Failed to save properties to cluster configuration file (%s).
BMCSSG1639E
LDAP Replication port must be specified when cluster file is specified.
BMCSSG1640E
Cluster save or read file must be specified when LDAP replication port is specified.
BMCSSG1641E
LDAP Replication port must be between 1 and 65535, inclusive (%s).
BMCSSG1642E
Failed to delete internal LDAP configuration template (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1643E
Failed to copy internal LDAP configuration template for clustered server. Internal Error. Contact BMC Software, Inc.
BMCSSG1644E
Failed to create directories for internal LDAP keystore (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1645E
Failed to create keystore for internal LDAP keystore (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1646E
Failed to create keystore for internal LDAP keystore (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1647E
Failed to save keystore for internal LDAP keystore (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1648E
Failed to save keystore pin for internal LDAP keystore (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1649E
Failed to format clustered OpenDS configuration template (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1650E
Failed to remove old LDAP truststore.
BMCSSG1651E
Failed to replace old LDAP truststore.
BMCSSG1652E
Failed to save LDAP truststore (%s).
BMCSSG1653E
Failed to transfer certificate (%s).
BMCSSG1654E
Failed to load LDAP truststore (%s).
BMCSSG1655E
Failed to get Keystore provider for type %s (%s).
BMCSSG1656E
Failed to get free port for internal LDAP communications (%s).
BMCSSG1657E
Failed to get LDAP keystore type (%s): %s
BMCSSG1658E
Failed to open LDAP keystore (%s).
BMCSSG1659E
LDAP keystore doesn't contain alias (%s).
BMCSSG1660E
Failed to pull certificate from LDAP keystore (%s).
BMCSSG1661E
Failed to get JVM truststore type (%s): %s
BMCSSG1662E
Failed to load JVM truststore (%s).
BMCSSG1663E
Failed to add LDAP certificate to JVM truststore (%s).
BMCSSG1664E
Failed to save JVM truststore (%s).
BMCSSG1665E
Failed to remove old JVM truststore.
BMCSSG1666E
Failed to replace old JVM truststore.
BMCSSG1667E
Invalid URL specified for Load Balancer (%s).
BMCSSG1668E
Both lb-url and lb-site-name parameters must be specified, or neither should be specified.
BMCSSG1669E
This host cannot be in the cluster because it is not in the same domain (or sub-domain) as the cookie domain (%s).
BMCSSG1670E
Failed to update OpenDS java home scripts (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1671E
Failed to create message handler for message type %s. Internal Error. Contact BMC Software, Inc.
BMCSSG1672E
Failed to build message for queue: %s
BMCSSG1673E
Failed to parse received message from queue: %s
BMCSSG1674E
Failed to access DB Meta topics for sync: %s
BMCSSG1675E
Failed to access DB Meta topics for messages: %s
BMCSSG1676E
Failed to lookup local site id: %s
BMCSSG1677E
Failed to create connection to DB: %s
BMCSSG1678E
Failed to initialize embedded Apache MQ: %s
BMCSSG1679E
Failed to access DB response topic: %s
BMCSSG1680E
Failed to access DB requests topic: %s
BMCSSG1681E
Failed to create publisher for DB Meta topic: %s
BMCSSG1682E
Failed to create subscriber for DB Meta topic: %s
BMCSSG1683E
Failed to start message queue processing: %s
BMCSSG1684E
Message type does not match type in message (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1685E
Primary key not specified before generating response.
BMCSSG1686E
Secondary key not specified before generating response.
BMCSSG1687E
Failed to use message queue URIs specified (%s), and failed to use default VM message queue.
BMCSSG1688E
Failed setting message queue implementation (%s).
BMCSSG1689E
Failed creating stand-alone site (%s).
BMCSSG1690E
Failed setting site message queue attributes (%s).
BMCSSG1691E
Failed adding single server to site (%s).
BMCSSG1692E
Failed to reform ssoadm scripts (%s).
BMCSSG1693E
Failed to remove discover from ActiveMQ configuration (%s).
BMCSSG1694E
This Atrium SSO server does not support GROUP identity search (version of server is too old). Please upgrade the Atrium SSO server.
BMCSSG1695E
Failed to get identities from search reply (%s).
BMCSSG1696E
Failed call to Atrium SSO server (%s).
BMCSSG1697I
Authentication process aborted.
BMCSSG1698E
Failed to build dialog in event thread (%s).
BMCSSG1699E
Failure during login (%s).
BMCSSG1700E
Cannot log out; context not logged in.
BMCSSG1701E
Authentication callback failed to provide credentials (%s).
BMCSSG1702E
Failed to parse session creation date/time (%s): %s
BMCSSG1703E
Invalid cluster URL specified in cluster configuration. Internal Error. Contact BMC Software. (%s)
BMCSSG1704E
Cannot convert parameters to proper encoding (%s).
BMCSSG1705E
Failed to convert authentication request into XML (%s). Internal Error. Contact BMC Software.
BMCSSG1706E
Failed to convert XML binary into UTF8 charset (%s). Internal Error. Contact BMC Software.
BMCSSG1707E
Failed to convert authentication response into Java (%s). Internal Error. Contact BMC Software.
BMCSSG1708E
No more callback requirements.
BMCSSG1709E
Authentication failure (%s): %s
BMCSSG1710E
Failed to re-initialize JEEFilter agent (%s).
BMCSSG1711E
Failed to find custom Callback class (%s): %s
BMCSSG1712E
Failed to load custom Callback class (%s): %s
BMCSSG1713E
HP-UX is not a supported JVM for Kerberos authentication.
BMCSSG1714E
Failed to get service ticket (%s).
BMCSSG1715E
Failed Kerberos login (%s).
BMCSSG1716E
Failed to create context for Kerberos login (%s).
BMCSSG1717E
Failed call to Atrium SSO server, return code: %s.
BMCSSG1718E
Failed to load Cookie Manager for JVM (%s).
BMCSSG1719E
Invalid container home specified for Atrium SSO server (%s).
BMCSSG1720E
Invalid container home specified for Atrium SSO server (%s).
BMCSSG1721E
Administrative password must be at least 8 characters in length.
BMCSSG1722E
Administrative password must be at least 8 characters in length.
BMCSSG1723E
LDAP port specified is out of range (%d), must be 1..65534.
BMCSSG1724E
LDAP port specified is out of range (%d), must be 1..65534.
BMCSSG1725E
Both lb-url and lb-site-name parameters must be specified, or neither should be specified.
BMCSSG1726E
Both lb-url and lb-site-name parameters must be specified, or neither should be specified.
BMCSSG1727E
Failed to rewrite server URL to include proper context URI.
BMCSSG1728E
Failed to rewrite server URL to include proper context URI.
BMCSSG1729E
Failed removing single server from site (%s).
BMCSSG1730E
Execution of dsreplication failed (%s).
BMCSSG1731E
Execution of dsreplication failed.
BMCSSG1732E
Failed to set OCSP server configuration (%s).
BMCSSG1733E
Failed getting local truststore (%s).
BMCSSG1734E
Failed loading local truststore.
BMCSSG1735E
Failed getting site members (%s).
BMCSSG1736E
Failed getting site members (%s).
BMCSSG1737E
Failed Agent authentication with Atrium SSO server. May need to re-integrate application with the Atrium SSO server.
BMCSSG1738E
Failed to convert LDAP port during upgrade (%s).
BMCSSG1739E
Failed to stop server (%s). Internal error. Contact BMC Software.
BMCSSG1740E
Main command line option unrecognized.
BMCSSG1741E
Invalid sub-options encountered.
BMCSSG1742E
Failed to read the input file: %s
BMCSSG1743E
IO error encountered when attempting to create the user: %s
BMCSSG1744E
Process was interrupted when attempting to create the user: %s
BMCSSG1745E
IO error encountered when attempting to federate user identities.
BMCSSG1746E
Process was interrupted when attempting to federate user identities.
BMCSSG1747E
IO error encountered when attempting to import federation data.
BMCSSG1748E
Process was interrupted when attempting to import federation data.
BMCSSG1749E
Illegal universal identifier: %s
BMCSSG1750E
Failed to write response file: %s
BMCSSG1751E
Local ID is missing or empty for line (%s): %s
BMCSSG1752E
Failed to create the temporary user ID mapping file.
BMCSSG1753E
Failed to create the temporary name ID mapping file.
BMCSSG1754E
Failed to save the temporary user ID mapping file.
BMCSSG1755E
Failed to save the name ID mapping file.
BMCSSG1756E
Failed to delete the temporary name ID mapping file.
BMCSSG1757E
Integration with Atrium SSO is failing. Please contact %s support team for help with resolving this integration problem (%s).
BMCSSG1758E
Failed to start container (%s). Internal error. Contact BMC Software.
BMCSSG1759E
Process inputs not supported in ssoadm. Internal error. Contact BMC Software.
BMCSSG1760E
Failed to initialize communication with Atrium SSO server: (%s)
BMCSSG1761E
Failed execution of command (%s) returning %s.
BMCSSG1762E
Failed execution of command (%s) returning %s.
BMCSSG1763E
Export service configuration not supported remotely. Internal error. Contact BMC Software.
BMCSSG1764E
Local certificate out of sync with remote server.
BMCSSG1765E
No certificate for remote server.
BMCSSG1766E
Local Atrium SSO certificate does not match remote server certificate. Agent may need to be re-integrated with the Atrium SSO server.
BMCSSG1767E
Failed to set up temporary truststore (%s). Internal error. Contact BMC Software.
BMCSSG1768E
Failed to configure Atrium SSO server. Internal error. Contact BMC Software.
BMCSSG1769E
Error during configuration of Atrium SSO server (%s).
BMCSSG1770E
Atrium SSO failed to update the Data Store with the federation account information (%s).
BMCSSG1771E
Invalid response received from IdP (%s).
BMCSSG1772E
Atrium SSO failed to map the attributes received from the IdP (%s).
BMCSSG1773E
Your user account on the Atrium SSO SP has expired (%s). Please contact your administrator for assistance.
BMCSSG1774E
Your user account on the Atrium SSO SP is inactive (%s). Please contact your administrator for assistance.
BMCSSG1775E
Your user account on the Atrium SSO SP is locked (%s). Please contact your administrator for assistance.
BMCSSG1776E
Failed to get Atrium SSO SP configuration for realm %s (%s).
BMCSSG1777E
Atrium SSO failed to find the federated user account specified (%s).
BMCSSG1778E
Atrium SSO failed to access session information (%s).
BMCSSG1779E
Atrium SSO failed to create a new session for federated user (%s).
BMCSSG1780E
An unexpected failure occurred while processing the SAMLv2 authentication (%s).
BMCSSG1781E
Failed to get SAMLv2 XML response: %s
BMCSSG1782E
Failed to get SAMLv2 XML request: %s
BMCSSG1783E
Failed to create site during upgrade (%s).
BMCSSG1784E
Error while trying to find server configuration name (%s).
BMCSSG1785E
Failed to find server configuration name.
BMCSSG1786E
Failed to delete site during upgrade (%s).
BMCSSG1787E
Failed to preserve SAMLv2 keystore (%s).
BMCSSG1788E
Failed to restore SAMLv2 keystore (%s).
BMCSSG1789E
Failed to parse ssoadm reply (%s). Internal error. Contact BMC Software.
BMCSSG1790E
SsoAdm state switch returned invalid reply: %s
BMCSSG1791E
Execution of dsconfig failed (%s).
BMCSSG1792E
Execution of dsconfig failed.
BMCSSG1793E
Failed to remove JMX communications (%s).
BMCSSG1794E
Failed to restrict admin connections to localhost only (%s).
BMCSSG1795E
Failed to restrict LDAP connections to localhost only (%s).
BMCSSG1796E
Login failed.
BMCSSG1797E
Failed to get token (%s).
BMCSSG1798E
Failed to get token from session (%s).
BMCSSG1799E
Insufficient privileges.
BMCSSG1800E
Failure while processing authentications for realm (%s). Internal Error. Contact BMC Software.
BMCSSG1801E
Failed to get list of user stores for realm access (%s). Internal Error. Contact BMC Software.
BMCSSG1802E
Failed to fetch COT for realm %s. Internal Error. Contact BMC Software.
BMCSSG1803E
Failed to verify if realm is Federated (%s). Internal Error. Contact BMC Software.
BMCSSG1804E
Failed to access realm attributes (%s). Internal Error. Contact BMC Software.
BMCSSG1805E
Failed to get authentication chain for realm (%s). Internal Error. Contact BMC Software.
BMCSSG1806E
Failed to convert authentication control value (%s). Internal Error. Contact BMC Software.
BMCSSG1807E
Failed to get federated information for realm (%s): %s. Internal Error. Contact BMC Software.
BMCSSG1808E
Failed to get federation information (%s). Internal Error. Contact BMC Software.
BMCSSG1809E
Failed to get user store information (%s). Internal Error. Contact BMC Software.
BMCSSG1810E
Failed to update user profile (%s).
BMCSSG1811E
Failed to get admin token (%s).
BMCSSG1812E
Failed to convert auth chain (%s).
BMCSSG1813E
Failed to save auth chain (%s).
BMCSSG1814E
Failed to remove unused datastore from realm (%s).
BMCSSG1815E
Failed to get federated entity list (%s).
BMCSSG1816E
Failed to find authentication module instance for realm (%s).
BMCSSG1817E
Failed to set authentication module attributes (%s).
BMCSSG1818E
Failed to create authentication module instance (%s).
BMCSSG1819E
Failed to create authentication module instance with unique name.
BMCSSG1820W
Unknown host name specified.
BMCSSG1821W
Host specified cannot be contacted.
BMCSSG1821E
Port must be in the range 1..65535 or not specified.
BMCSSG1822W
Could not connect to remote server on port specified.
BMCSSG1823E
Value cannot be empty.
BMCSSG1824E
Distinguished Name not valid.
BMCSSG1825E
The value must be a positive, non-zero value.
BMCSSG1826E
Invalid LDAP attribute name.
BMCSSG1827W
Unable to bind to LDAP server.
BMCSSG1828E
Failed to search for agents (%s).
BMCSSG1829E
Failed search for agent (%s).
BMCSSG1830E
Failed to get attributes for agent (%s).
BMCSSG1831W
Passwords should not be blank.
BMCSSG1832E
Invalid hostname specified.
BMCSSG1833E
Invalid URI specified.
BMCSSG1834E
Invalid URL specified.
BMCSSG1835E
Failed to update agent active status.
BMCSSG1836E
Failed to update agent attributes.
BMCSSG1837W
Agent not found (deleted?).
BMCSSG1838E
Cookie name cannot be reserved word: "expires", "domain", "path", "secure"
BMCSSG1839E
Cookie name cannot contain semi-colon, comma, white space or control characters.
BMCSSG1840W
It is recommended for best browser compatibility that the cookie name contain only alphanumeric characters and the underscore.
BMCSSG1841E
Cookie name cannot be over 4K in length.
BMCSSG1842E
Failed to process SAML keystore (%s).
BMCSSG1843E
Failed to process SAML keystore (%s).
BMCSSG1844E
Failed to load SAML keystore (%s).
BMCSSG1845E
Failed to access SAML entity (%s).
BMCSSG1846E
Failed to get IdP entity for realm (%s).
BMCSSG1847E
Failed to get encryption lists for realm (%s).
BMCSSG1848E
Failed to commit entity changes (%s).
BMCSSG1849E
Failed to create SAMLv2 idp (%s).
BMCSSG1850E
Failed to get SAMLv2 manager (%s).
BMCSSG1851E
Failed to create realm COT (%s).
BMCSSG1852E
Failed to update IdP encryption (%s).
BMCSSG1853E
When an encryption alias is specified, an encryption algorithm must also be specified.
BMCSSG1854E
Failed to search user stores (%s).
BMCSSG1855E
Failed to get user attributes (%s).
BMCSSG1856E
Failed to get user repo (%s).
BMCSSG1857I
Successfully created IdP.
BMCSSG1858W
Failed to verify host is accessible (%s).
BMCSSG1859E
Failed to verify AR host name.
BMCSSG1860E
File specified does not exist.
BMCSSG1861W
File specified does not exist.
BMCSSG1862E
File path specified refers to a directory.
BMCSSG1863E
File is not readable.
BMCSSG1864E
File path specified refers to a file.
BMCSSG1865E
Directory specified does not exist.
BMCSSG1866W
Directory specified does not exist.
BMCSSG1867E
Failed to create remote IdP (%s).
BMCSSG1868E
Realm for new IdP was not provided.
BMCSSG1869E
Name for new IdP was not provided.
BMCSSG1870E
XML for new IdP was not provided.
BMCSSG1871E
Failed to create remote SAMLv2 idp (%s).
BMCSSG1872E
Failed to create remote SAMLv2 idp (%s).
BMCSSG1873E
Invalid protocol specified for URL; only HTTP or HTTPS permitted.
BMCSSG1874E
Invalid URL specified.
BMCSSG1875E
Failed SSL/TLS negotiations. Verify IdP server certificate is in Atrium SSO truststore.
BMCSSG1876E
Failure connecting with remote IdP (%s).
BMCSSG1877E
Failure connecting with remote IdP (%s).
BMCSSG1878W
Service Principal doesn't start with primary HTTP.
BMCSSG1879E
Service Principal doesn't contain a Realm.
BMCSSG1880E
Service Principal doesn't contain a host name.
BMCSSG1881E
Invalid Service Principal; expected HTTP/hostname.domainname@dc_domain_name.
BMCSSG1882E
No Service Principals found in keytab file specified.
BMCSSG1883E
Multiple Service Principals found in keytab file specified.
BMCSSG1884E
Invalid token passed (%s).
BMCSSG1885E
Administrative token required.
BMCSSG1886E
Failed to fetch realms (%s).
BMCSSG1887E
Failed to parse realms response (%s).
BMCSSG1888E
Failed to get realm from token (%s).
BMCSSG1889E
Failed to get user attributes (%s).
BMCSSG1890E
UserId already exists.
BMCSSG1891E
Failed to get users groups (%s).
BMCSSG1892E
Failed to update user active status (%s).
BMCSSG1893E
Failed to update user active status (%s).
BMCSSG1894E
Failed to create new identity (%s).
BMCSSG1895E
Failed to commit user update (%s).
BMCSSG1896E
Failed to update user password (%s).
BMCSSG1897E
Failed to get token from session (%s).
BMCSSG1898E
Failed to get token manager (%s).
BMCSSG1899E
Failed to get server list (%s).
BMCSSG1900E
Failed to get server configuration (%s).
BMCSSG1901E
Invalid session idle timeout.
BMCSSG1902E
Invalid maximum session count.
BMCSSG1903E
Invalid maximum session time.
BMCSSG1904E
Invalid session cache time.
BMCSSG1905E
Top-level domains cannot be specified for the cookie domain.
BMCSSG1906E
Invalid cookie domain specified.
BMCSSG1907E
Failed to create token for realm access (%s).
BMCSSG1908E
Failed to delete federated entity (%s).
BMCSSG1909E
Failed to update server properties (%s).
BMCSSG1910E
Failed to update server site (%s).
BMCSSG1911E
Failed to update session dynamic attributes (%s).
BMCSSG1912E
Failed to update session global attributes (%s).
BMCSSG1913E
Failed to update session global attributes (%s).
BMCSSG1914E
Failed to update amAdmin password (%s).
BMCSSG1915E
Failed to save auth chain (%s).
BMCSSG1916E
Unknown realm passed for user store access (%s).
BMCSSG1917E
Unknown user store requested (%s).
BMCSSG1918E
Failed to acquire AM authentication manager object (%s).
BMCSSG1919E
Failed to create user store (%s).
BMCSSG1920E
Failed to update user store (%s).
BMCSSG1921E
Failed to delete user store (%s).
BMCSSG1922E
Value must be 1 or greater.
BMCSSG1923E
Minimum must be greater than maximum.
BMCSSG1924E
The cache max age must be at least 1 (default 600).
BMCSSG1925E
The cache size must be at least 1 (default 10240).
BMCSSG1926W
Failed to connect with AR server (%s).
BMCSSG1927W
Failed to connect with AR server.
BMCSSG1928E
The AR pool linger time cannot be less than or equal to zero.
BMCSSG1929E
The AR pool size cannot be less than or equal to zero.
BMCSSG1930E
Failed to get SP entity for realm (%s).
BMCSSG1931E
Failed to get encryption lists for realm (%s).
BMCSSG1932E
Skew must be greater than zero.
BMCSSG1933E
Failed to create hosted SAMLv2 sp (%s).
BMCSSG1934E
Failed to get SP entity for realm (%s).
BMCSSG1935E
Failed SSL/TLS negotiations. Verify SP server certificate is in Atrium SSO truststore.
BMCSSG1936E
Failure connecting with remote SP (%s).
BMCSSG1937E
Failure connecting with remote SP (%s).
BMCSSG1938I
Successfully created SP.
BMCSSG1939E
Failed to create remote SAMLv2 SP (%s).
BMCSSG1940E
Failed to create remote SAMLv2 SP (%s).
BMCSSG1941E
Realm for new SP was not provided.
BMCSSG1942E
XML for new SP was not provided.
BMCSSG1943E
Wild card attribute mapping only valid with * for both key and value.
BMCSSG1944E
Failed to add attribute to SP (%s).
BMCSSG1945E
Failed to get HA nodes (%s).
BMCSSG1946E
The server node used for the admin console cannot be deleted (%s).
BMCSSG1947E
Failed to get server site name (%s).
BMCSSG1948E
Failed to delete node from site (%s).
BMCSSG1949E
Failed to delete node (%s).
BMCSSG1950E
Only super-admin is allowed to delete nodes.
BMCSSG1951E
Failed to access internal configuration.
BMCSSG1952E
Failed to prepare for disabling replication (%s).
BMCSSG1953W
Connect to AR with guest user; admin privileges are needed for user store operation.
BMCSSG1954E
Failed to write agent certificate to PEM file (%s).
BMCSSG1955E
Failed to write agent key to PEM file (%s).
BMCSSG1956E
Failed to write Atrium SSO certificate to PEM file (%s).
BMCSSG1957E
Unknown realm specified for agent (%s).
BMCSSG1958E
Failed to load keystore (%s).
BMCSSG1959E
Failed to write certificate to PEM format (%s).
BMCSSG1960E
Failed to read PEM certificate from PEM format (%s).
BMCSSG1961E
Failed to import certificate (%s).
BMCSSG1962I
Successfully uploaded certificate.
BMCSSG1963E
Failed to convert uploaded file (%s).
BMCSSG1964E
Failed to convert DER to certificate (%s).
BMCSSG1965E
Failed to check truststore for replacements (%s).
BMCSSG1966E
Failed to load default values for user store (%s).
BMCSSG1967E
Failed to load certs from truststore (%s).
BMCSSG1968E
Failed to get group attributes (%s).
BMCSSG1969E
Failed to get group users (%s).
BMCSSG1970E
Group already exists.
BMCSSG1971E
Failed to add user (%s) to group (%s).
BMCSSG1972E
Failed to update group membership (%s).
BMCSSG1973E
Failed to set realm to use upgrade chain (%s).
BMCSSG1974E
Failed to dump realm auth properties (%s).
BMCSSG1975E
Failed to find auth type (%s).
BMCSSG1976E
Failed to dump realm ds properties (%s).
BMCSSG1977E
Failed to write realm auth properties (%s).
BMCSSG1978E
Failed to dump agent properties (%s).
BMCSSG1979E
Failed to write agent properties (%s).
BMCSSG1980E
Failed to dump realm auth properties (%s).
BMCSSG1981E
Failed to instantiate encryption (%s).
BMCSSG1982E
Failed creating upgrade chain (%s).
BMCSSG1983E
Failed to load agent properties file (%s).
BMCSSG1984E
Failed to load agent properties (%s).
BMCSSG1985E
Failed to get current auth instances (%s).
BMCSSG1986E
Failed to remove collision auth cfg (%s).
BMCSSG1987E
Failed to create realm (%s).
BMCSSG1988E
Failed to list user realms (%s).
BMCSSG1989E
Failed to delete many of the user realms.
BMCSSG1990E
Failed to delete these realms (%s).
BMCSSG1991E
Failed to create new realms web pages (%s).
BMCSSG1992E
Failed to delete new realms web pages (%s).
BMCSSG1993E
Failed to connect with internal LDAP (%s).
BMCSSG1994E
Failed to create realm container LDAP directory for realm (%s).
BMCSSG1995E
Failed to create people container in LDAP directory for realm (%s).
BMCSSG1996E
Failed to create people container in LDAP directory for realm (%s).
BMCSSG1997E
Failed to create new admin identity (%s).
BMCSSG1998E
Failed to create new search admin identity (%s).
BMCSSG1999E
Invalid demo password specified; must be at least 8 characters.
BMCSSG2000E
Failed to create demo identity (%s).
BMCSSG2001E
Failed help URL lookup (%s).
BMCSSG2002E
Root realm cannot be specified for agents.
12.3 Logon and logoff issues
Logon and logoff issues can occur (or appear to occur) in connection with URL re-directs and normal Identity Provider (IdP) behavior.
12.3.1 Automatic IdP logon behavior
With SAMLv2 authentication configurations, an automatic logon can occur after you have terminated your single sign-on (SSO) session. This behavior gives the impression that the user was not logged out. In SAMLv2 configurations, the IdP caches authentication information within the browser. This information allows the IdP to automatically re-authenticate a user without the user re-entering their credentials. The effect is that when a user logs out of a SAMLv2 system, a browser refresh can automatically log the user back into the system. For this type of system, to ensure that the user is permanently logged off the system, close all browser windows and tabs.
For example, when a user has two browser windows (or tabs) open, one with BMC Remedy Mid Tier and the other with BMC Analytics, and the user logs off of BMC Remedy Mid Tier and closes the window, the user terminates their SSO session. If the user then goes to the BMC Analytics window and refreshes the browser (for example, clicks on a link), the browser performs the action as though the user were still logged onto the system. What transpired is that a new SSO session was created automatically for the user (due to the auto-logon of the IdP).
12.3.2 URL re-direct issues
Logon and logoff issues can occur (typically with a SAMLv2 configuration) when too many URL re-directs happen between the browser and servers during logon and logoff processing.
1. Capture the HTTP traffic between the browser and servers using a capture tool such as Fiddler, ieHttpHeaders, or Live HTTP Headers.
2. Identify potential configuration changes to the reverse proxy, load balancer, or BMC Atrium Single Sign-On.
3. Modify the configuration:
If the re-direct is from https://sample.bmc.com/arsys to https://sample.bmc.com/arsys/ (a forward-slash after arsys), check and modify the agent log on and log out URL configuration to include the forward-slash.
If the re-direct is associated with a Reverse Proxy or Load Balancer where a protocol switch from HTTPS to HTTP occurs (for example, the browser communicates over HTTPS to the Reverse Proxy, which then communicates with the server over HTTP), configure the Reverse Proxy or Load Balancer to include the HTTP AtssoReturnLocation header with the value https://. In this case, the agent in the server uses the HTTP protocol for the return address, which causes the re-direct.
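The capture step above produces a chain of request/redirect pairs; the following added example (not part of the BMC documentation) walks such a chain and flags the two patterns the procedure describes, the trailing-slash redirect and the HTTPS-to-HTTP switch, plus plain loops. The capture list, the sso.example.test host and the function names are constructed for the example.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed capture (not from the document): one tuple per browser request,
# (request URL, response status, Location header or None), in the order a capture
# tool such as Fiddler would show them. The SSO host name is a placeholder.
LOGIN = "https://sso.example.test/atriumsso/UI/Login"
SAMPLE_CAPTURE = [
    ("https://sample.bmc.com/arsys", 302, "https://sample.bmc.com/arsys/"),
    ("https://sample.bmc.com/arsys/", 302, LOGIN),
    (LOGIN, 302, "http://sample.bmc.com/arsys/"),   # agent return address uses http://
    ("http://sample.bmc.com/arsys/", 302, "https://sample.bmc.com/arsys/"),
    ("https://sample.bmc.com/arsys/", 302, LOGIN),  # same URL again: the chain loops
    (LOGIN, 302, "http://sample.bmc.com/arsys/"),
    ("http://sample.bmc.com/arsys/", 200, None),
]


def analyze_redirects(hops, max_redirects=10):
    """Return findings for a redirect chain captured during logon or logoff.

    trailing_slash:   a redirect that only appends '/' to the path (agent URL config)
    scheme_downgrade: a Location that sends the browser to http:// for a host it
                      previously reached over https:// (proxy protocol switch)
    loop:             URLs requested more than once
    too_many:         more redirects than max_redirects
    """
    https_hosts = {urlsplit(u).netloc.lower() for u, _, _ in hops if urlsplit(u).scheme == "https"}
    findings = {"trailing_slash": [], "scheme_downgrade": [], "loop": [], "too_many": False}
    seen, redirects = set(), 0
    for url, status, location in hops:
        if url in seen and url not in findings["loop"]:
            findings["loop"].append(url)
        seen.add(url)
        if status not in REDIRECT_CODES or not location:
            continue
        redirects += 1
        req, loc = urlsplit(url), urlsplit(location)
        same_host = req.netloc.lower() == loc.netloc.lower()
        if same_host and loc.scheme == req.scheme and loc.path == req.path + "/":
            findings["trailing_slash"].append((url, location))
        if loc.scheme == "http" and loc.netloc.lower() in https_hosts:
            findings["scheme_downgrade"].append((url, location))
    findings["too_many"] = redirects > max_redirects
    return findings


def recommendations(findings):
    """Map findings to the configuration changes described in this section."""
    recs = []
    if findings["trailing_slash"]:
        recs.append("Add the trailing slash to the agent log on and log out URL configuration.")
    if findings["scheme_downgrade"]:
        recs.append("Configure the reverse proxy or load balancer to send the "
                    "AtssoReturnLocation header with the value https://.")
    if findings["loop"]:
        recs.append("Redirect loop between the browser and servers: check the reverse proxy, "
                    "load balancer, and BMC Atrium Single Sign-On configuration.")
    if findings["too_many"]:
        recs.append("Too many redirects during logon/logoff processing.")
    return recs


if __name__ == "__main__":
    result = analyze_redirects(SAMPLE_CAPTURE)
    for hop in result["scheme_downgrade"]:
        print("https -> http:", hop)
    for rec in recommendations(result):
        print("-", rec)
```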
12.4 Upgrading from 7.6.04 to 8.1 silent installation issue
When upgrading BMC Atrium Single Sign-On from version 7.6 to version 8.1, if version 7.6 was installed through the UI and version 8.1 is installed by a silent installation, an error occurs because of differences in the host names provided during these installs (uppercase versus lowercase).
In a BMC Atrium Single Sign-On UI installation, uppercase host names are the default, for example, KBP1-DHP-F48200.synapse.com.
In a BMC Atrium Single Sign-On silent installation, lowercase host names are the default, for example, kbp1-dhp-f48200.synapse.com.
Two methods are provided for upgrading BMC Atrium Single Sign-On where version 7.6 was installed using the UI and version 8.1 uses a silent installation:
Upgrading without specifying the host name (see page 319)
Upgrading by re-defining the host name (see page 319)
For the browser alone, the different case values work correctly because there is no difference between uppercase and lowercase addresses. However, the host name value is also used in the BMC Atrium Single Sign-On administration configuration, where host names are case-sensitive. The case-sensitive difference causes an error during the upgrade.
BMC Atrium Single Sign-On version 7.6 UI installation example
BMC Atrium Single Sign-On version 8.1 silent installation example
12.4.1 Upgrading without specifying the host name
During the BMC Atrium Single Sign-On version 8.1 UI upgrade, if you do not provide values for the following parameters, the upgrade installer fills in the values from the previous installation:
Destination Directory
Hostname
Tomcat, tomcat ports
Cookie domain
1. Delete the ATRIUMSSO_HOST_NAME property from the SSOSilentInstallOptions.txt file.
2. Run the silent installation without providing the above parameters.
12.4.2 Upgrading by re-defining the host name
Alternatively, re-define the host name in the SSOSilentInstallOptions.txt file.
1. Before running the BMC Atrium Single Sign-On version 8.1 silent installation, run the mod.bat/mod.sh command to obtain the BMC Atrium Single Sign-On server name. For example (Microsoft Windows):
\tomcat\webapps\atriumsso\WEB-INF\tools\ssoadm\atriumsso\bin\mod.bat list-servers -u amadmin -f D:\pass.txt
Where pass.txt is the file with the non-encrypted password for the BMC Atrium Single Sign-On administrator user (amadmin).
2. Edit the SSOSilentInstallOptions.txt file and modify the ATRIUM_HOST_NAME parameter to reflect only the BMC Atrium Single Sign-On server name. In the following example, KBP1-DHP-F48200.synapse.com is the correct value.
12.5 Troubleshooting AR authentication
This topic explains common errors associated with AR System authentication.
12.5.1 User has no profile in this organization
If the User Profile for the BMC Realm is set to Required instead of Dynamic or Ignored, the following error message occurs when logging into a BMC product:
User has no profile in this organization
To modify the User Profile setting
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select either Dynamic or Ignored.
12.5.2 Error saving user or group edits
An exception error occurs when you try to update user attributes or assign groups to users with information that was retrieved from the AR Server. The AR Server Data Store provides read-only access to the user and group information. The error indicates that a search base entry does not exist.
12.5.3 Error in SAML Authentication when Auto Federation is enabled
BMC Atrium Single Sign-On fails to find the specified federated user account and raises an exception error (BMCSSG1777E) if Auto Federation is enabled and an AR user store is used. Workaround: Delete the AR user store. For more information, see Using AR for authentication.
12.6 Troubleshooting AR System server and Mid Tier integrations
Performing the BMC Atrium Single Sign-On integration with the BMC Remedy AR System server and the BMC Remedy Mid Tier is a two-step sequence. If you have problems with BMC Atrium Single Sign-On installation and configuration, review the following information:
Manually running the SSOARIntegration utility on the AR System server (see page 321)
Manually running the SSOMidtierIntegration utility on the AR System server (see page 323)
12.6.1 Manually running the SSOARIntegration utility on the AR System server
The SSOARIntegration utility uses the following inputs in the arintegration.txt file to integrate BMC Atrium Single Sign-On and the AR System server:
[--ar-server-name=ARServerName]
[--ar-server-user=ARServerUser]
[--ar-server-password=ARServerPassword]
[--ar-server-port=ARServerPort]
[--atrium-sso-url=AtriumSSOURL]
[--admin-name=SSOAdminName]
[--admin-pwd=SSOAdminPassword]
[--truststore=truststorepath | Optional parameter]
[--truststore-password=truststorepassword | Optional parameter]
[--force= Restart AR Server automatically | Optional parameter]
If needed, you can manually run the SSOARIntegration utility on the AR System server.
1. On the computer where the AR System server is installed, navigate to the \artools\AtriumSSOIntegrationUtility directory. For example, navigate to C:\Program Files\BMC Software\ARSystem\artools\AtriumSSOIntegrationUtility.
2. Enter the following command:
java -jar SSOARIntegration.jar --ar-server-name ARServerName --ar-server-user ARServerUser --ar-server-password ARServerPassword --ar-server-port ARServerPort --atrium-sso-url AtriumSSOURL --admin-name SSOAdminName --admin-pwd SSOAdminPassword
For example:
java -jar "C:\Program Files\BMC Software\ARSystem\artools\AtriumSSOIntegrationUtility\SSOARIntegration.jar" --ar-server-name ARServer.labs.bmc.com --ar-server-user Demo --ar-server-password Demo --ar-server-port 0 --atrium-sso-url https://ssoServer.bmc.com:8443/atriumsso --admin-name amAdmin --admin-pwd bmcAdm1n
Tip: Copy and paste this example into a text editor, and modify the values for your own environment. Then copy the final version into your command window.
3. Review the utility logs at \artools\AtriumSSOIntegrationUtility\Logs\AtriumSSOIntegrationUtility.log.
If successful, the SSOARIntegration utility performs the following actions on the AR System server:
Validates the user inputs and returns any errors.
Configures the SSO AREA plug-in with a Java plug-in entry in ar.cfg/ar.conf:
Server-Plugin-Alias: AREA AREA VW-PUN-REM-QA5J.pune-labs.bmc.com:9999
Configures the EA form for BMC Atrium Single Sign-On with the following entries in the ar.cfg file:
Use-Password-File: T
Crossref-Blank-Password: T
External-Authentication-RPC-Socket: 390695
Authentication-Chaining-Mode: 1
Verifies the BMC Atrium Single Sign-On username and password by connecting with the BMC Atrium Single Sign-On server and returns any errors.
Configures single sign-on with the following entries in the ar.cfg file:
Atrium-SSO-Location:
Atrium-SSO-Admin-User: SSOAdminName
Atrium-SSO-Admin-Password: SSOAdminPassword
Atrium-SSO-Keystore-Password: truststorepassword
Atrium-SSO-Keystore-Path: truststorepath
Restarts the AR System server.
12.6.2 Manually running the SSOMidtierIntegration utility on the AR System server
The SSOMidtierIntegration utility uses the following inputs to integrate BMC Atrium Single Sign-On and the AR System server:
[--install-mode=Install or Uninstall]
[--ar-server-name=ARServerName]
[--ar-server-user=ARServerUser]
[--ar-server-password=ARServerPassword]
[--ar-server-port=ARServerPort]
[--container-type=containertype]
[--web-app-url=MidtierURL or LoadBalancerURL]
[--container-base-dir=webserverhomedirectory]
[--jre-path=JREInstallDirectory]
[--midtier-home=MidtierHome]
[--notify-url=MidTierURL]
[--agent-realm=RealmName]
[--force SuppressAllManualInputs]
[--server-instance-name WebSphereinstancename required input for WebSphere server]
[--instance-config-directory WebSphereconfigdirectory required input for WebSphere server]
[--weblogic-domain-home BEAdomainhome required input for WebLogic web application]
Note: If you are using IBM WebSphere, pass the IBM Java path as an input for the --jre-path input parameter.
Possible parameters for container-type and container-base-dir
For --container-type, specify one of the following possible values:
JBOSSV4
JBOSSV5
SERVLETEXECV5
SERVLETEXECV6
TOMCATV5
TOMCATV6
TOMCATV7
WEBSPHEREV6
WEBSPHEREV7
WEBLOGICV10
If you are using the Apache or IIS web application server, specify --container-base-dir as instead of the Apache or IIS directory, and specify the --container-type as TOMCAT instead of Apache or IIS.
Additional parameters for IBM WebSphere
For IBM WebSphere, you can set these additional parameters:
[--server-instance-name WebSphereServerInstanceName]
[--instance-config-directory WebSphereServerInstanceConfigurationDirectory]
For example:
[--server-instance-name server1]
[--instance-config-directory /AppServer/profiles/AppSrv01/config/cells/Node01Cell/nodes/Node01/servers/server1]
Additional parameters for Oracle WebLogic
For Oracle WebLogic, you can set these additional parameters:
[--weblogic-domain-home DomainHomeDirectoryForDomainWhereWebAppIsDeployed]
For example:
[--weblogic-domain-home /user_projects/domains/base_domain]
If needed, you can manually run the SSOMidtierIntegration utility on the AR System server.
1. On the computer where the AR System server is installed, navigate to the \artools\AtriumSSOIntegrationUtility directory. For example, navigate to C:\Program Files\BMC Software\ARSystem\artools\AtriumSSOIntegrationUtility.
2. Enter the following command:
java -jar SSOMidtierIntegration.jar --midtierintegration --ar-server-name ARServerName --ar-server-user ARServerUser --ar-server-password ARServerPassword --ar-server-port ARServerPort --install --container-type containertype --web-app-url MidtierURL --container-base-dir webserverhomedirectory --jre-path JREInstallDirectory --midtier-home MidtierHome
For example:
java -jar "C:\Program Files\BMC Software\ARSystem\midtier\AtriumSSOIntegrationUtility\SSOMidtierIntegration.jar" --midtierintegration --ar-server-name ARServer.labs.bmc.com --ar-server-user Demo --ar-server-password Demo --ar-server-port 0 --install --container-type TOMCATV6 --web-app-url http://Midtier.bmc.com:8080/arsys --container-base-dir "C:\Program Files\Apache Software Foundation\Tomcat6.0" --jre-path "C:\Program Files\Java\jre7" --midtier-home "C:\Program Files\BMC Software\ARSystem\midtier"
Tip: Copy and paste this example into a text editor, and modify the values for your own environment. Then copy the final version into your command window.
3. Review the utility logs at \artools\AtriumSSOIntegrationUtility\Logs\AtriumSSOIntegrationUtility.log.
4. Review the web.xml file (located at C:\Program Files\BMC Software\ARSystem\midtier\WEB-INF) to verify that the following settings are present:
<filter>
<filter-name>Agent</filter-name>
<filter-class>com.bmc.atrium.sso.agents.web.SSOFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>Agent</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
5. Review the config.properties file (located at C:\Program Files\BMC Software\ARSystem\midtier\WEB-INF\classes) to verify that the following entry is present:
arsystem.authenticator=com.remedy.arsys.sso.AtriumSSOAuthenticator
The SSOMidtierIntegration utility performs the following actions on the Mid Tier:
Validates the user inputs and returns any errors.
Checks if you are installing or uninstalling.
Connects to the AR System server and fetches SSO values. If successful, performs AR System server and BMC Atrium Single Sign-On integration. Otherwise, returns an "AR-SSO integration is not done" error.
Checks if Mid Tier is running and, if so, shuts it down before running the utility.
Copies files to Mid Tier and performs other modifications to the Mid Tier.
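Sections 12.6.1 and 12.6.2 each end with a list of entries the utility is expected to leave in ar.cfg, web.xml and config.properties. The following added example (not BMC code) checks all three files for those entries, so a failed or partial integration can be spotted without re-running the utility. The sample file contents are constructed from this section's examples; the password warning is this example's own check.

```python
import xml.etree.ElementTree as ET

# Entries the utilities write, taken from the lists in sections 12.6.1 and 12.6.2.
AR_CFG_EXPECTED = {
    "Use-Password-File": "T",
    "Crossref-Blank-Password": "T",
    "External-Authentication-RPC-Socket": "390695",
    "Authentication-Chaining-Mode": "1",
}
SSO_FILTER_CLASS = "com.bmc.atrium.sso.agents.web.SSOFilter"
SSO_AUTHENTICATOR = "com.remedy.arsys.sso.AtriumSSOAuthenticator"


def parse_ar_cfg(text):
    """ar.cfg is one 'Key: value' per line; keys such as Server-Plugin-Alias may repeat."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg


def check_ar_cfg(text):
    """Return (errors, warnings) for the SSOARIntegration entries in ar.cfg."""
    cfg = parse_ar_cfg(text)
    errors, warnings = [], []
    for key, want in AR_CFG_EXPECTED.items():
        if cfg.get(key) != [want]:
            errors.append(f"{key} should be {want}, found {cfg.get(key)}")
    if not any(v.startswith("AREA AREA ") for v in cfg.get("Server-Plugin-Alias", [])):
        errors.append("no Server-Plugin-Alias entry for the AREA Java plug-in")
    for key in ("Atrium-SSO-Location", "Atrium-SSO-Admin-User", "Atrium-SSO-Admin-Password"):
        if not cfg.get(key, [""])[0]:
            errors.append(f"{key} is missing or empty")
    if cfg.get("Atrium-SSO-Location", [""])[0].startswith("http://"):
        warnings.append("Atrium-SSO-Location uses http://, not https://")
    if cfg.get("Atrium-SSO-Admin-Password", [""])[0]:
        # The SSO administrator password is stored in this file, so its read access matters.
        warnings.append("Atrium-SSO-Admin-Password is stored in ar.cfg: restrict read access to the file")
    return errors, warnings


def _local(tag):
    """Strip the XML namespace so web.xml with or without xmlns parses the same."""
    return tag.rsplit("}", 1)[-1]


def check_web_xml(text):
    """Return errors if the Agent filter is not declared and mapped to /* in web.xml."""
    filters, mappings = {}, {}
    for element in ET.fromstring(text):
        fields = {_local(child.tag): (child.text or "").strip() for child in element}
        if _local(element.tag) == "filter":
            filters[fields.get("filter-name")] = fields.get("filter-class")
        elif _local(element.tag) == "filter-mapping":
            mappings.setdefault(fields.get("filter-name"), []).append(fields.get("url-pattern"))
    errors = []
    if filters.get("Agent") != SSO_FILTER_CLASS:
        errors.append(f"filter 'Agent' is not {SSO_FILTER_CLASS}")
    if "/*" not in mappings.get("Agent", []):
        errors.append("filter 'Agent' is not mapped to /*")
    return errors


def check_config_properties(text):
    """Return errors if config.properties does not select the Atrium SSO authenticator."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    found = props.get("arsystem.authenticator")
    return [] if found == SSO_AUTHENTICATOR else [f"arsystem.authenticator is {found!r}"]


# Constructed samples (not copied from an installation); values mirror this section's examples.
SAMPLE_AR_CFG = """\
Server-Plugin-Alias: AREA AREA VW-PUN-REM-QA5J.pune-labs.bmc.com:9999
Use-Password-File: T
Crossref-Blank-Password: T
External-Authentication-RPC-Socket: 390695
Authentication-Chaining-Mode: 1
Atrium-SSO-Location: https://ssoServer.bmc.com:8443/atriumsso
Atrium-SSO-Admin-User: amAdmin
Atrium-SSO-Admin-Password: bmcAdm1n
"""
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
<filter><filter-name>Agent</filter-name>
<filter-class>com.bmc.atrium.sso.agents.web.SSOFilter</filter-class></filter>
<filter-mapping><filter-name>Agent</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""
SAMPLE_PROPERTIES = "# constructed\narsystem.authenticator=com.remedy.arsys.sso.AtriumSSOAuthenticator\n"
```

Run the three check functions over the real files after the utilities finish; an empty error list from each means the entries listed above are all present.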
12.7 Troubleshooting CAC authentication
If authentication fails, there are several log directories and several debug methods that you can use to resolve issues. If you discover that a certificate is not in the truststore, import the certificate into the keystore.
With the default logging level, check for errors in the normal BMC Atrium Single Sign-On log files in the log directory: \AtriumSSO\tomcat\webapps\atriumsso\WEB-INF\config\atriumsso\log
Check the Authentication file in the debug directory after setting the logging level to Message: \AtriumSSO\tomcat\webapps\atriumsso\WEB-INF\config\atriumsso\debug
Check the Authentication directory: BMC Atrium SSO \WEB-INF\config\Atrium SSO\debug\Authentication
Change the clientAuth setting in the Tomcat server.xml configuration file to True.
Turn on network debug logging.
Check the BMC Atrium Single Sign-On truststore to verify that the certificate has been imported or that the Issuer (in other words, the Signer) certificate has been imported.
The following troubleshooting topics are addressed here:
Example of a default logging level error
Example of a debug log error when a certificate is not available
Changing the clientAuth setting
Turning on network debug logging (see page 328)
Example of a client not responding with a certificate
Example of a client sending a certificate
Example of a list of certificates sent to the client
Example of URL certificate authentication not enabled
Example of OCSP certificate failure
Clock skew too great for CAC authentication (see page 331)
12.7.1 Example of a default logging level error
A sign of the certificate issue can be seen in the normal BMC Atrium Single Sign-On log files with the default logging level. The following error log comes from the amAuthentication.error file located in the following log directory: \AtriumSSO\tomcat\webapps\atriumsso\WEB-INF\config\atriumsso\log
"2011-05-26 20:00:20" "Login Failed" "Not Available" "Not Available" 172.22.33.64 INFO o=bmcrealm,ou=services,dc=opensso,dc=java,dc=net "cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net" AUTHENTICATION-200 CAC "Not Available" 172.22.33.64
12.7.2 Example of a debug log error when a certificate is not available
After debug logging is enabled, a log entry is available in the Authentication file from the debug directory: \AtriumSSO\tomcat\webapps\atriumsso\WEB-INF\config\atriumsso\debug
The CAC module logs an error when a certificate is not available for authentication. The following is a sample log error:
LOGINFAILED Error....
amAuth:05/26/2011 06:28:47:604 PM CDT: Thread[http-8443-4,5,main] Exception :
com.sun.identity.authentication.spi.AuthLoginException(1):null
com.sun.identity.authentication.spi.AuthLoginException(2):User certificate not found
com.sun.identity.authentication.spi.AuthLoginException: User certificate not found
at com.sun.identity.authentication.modules.cert.Cert.process(Cert.java:415)
at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:866)
at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:965)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
.... MORE TRACE DELETED
12.7.3 Changing the clientAuth setting
The simplest approach for identifying why a CAC or certificate login failed is to change the clientAuth setting in the Tomcat server.xml configuration file to True. This change makes the certificate exchange a required value. If the Transport Layer Security (TLS) handshake fails, the browser presents an error message. For example, the following message is displayed by Firefox when the TLS handshake fails:
*Secure Connection Failed* An error occurred during a connection to SSL peer cannot verify your certificate (Error code: ssl_error_bad_cert_alert)
12.7.4 Turning on network debug logging
If a more detailed examination of the communication between the client and the server is necessary, turn on network debug logging to gather detailed information.
To turn on detailed network debug logging (see page 328)
To edit the service definition in Microsoft Windows (see page 328)
To edit the service definition in UNIX (see page 329)
To turn on detailed network debug logging
1. Stop the BMC Atrium Single Sign-On server.
2. Edit the service definition.
3. Restart the BMC Atrium Single Sign-On server.
4. Attempt to log on using either the CAC card or a client certificate.
To edit the service definition in Microsoft Windows
1. From the command prompt, change your working directory to \AtriumSSO\tomcat\bin.
2. Run the following command: tomcat6w.exe //ES//BMCAtriumSSOTomcat
3. On the Java tab, add the following Java Virtual Machine (JVM) option to the Java Options input field: -Djavax.net.debug=ssl,handshake
4. On the Logging tab, enter the file names for the stdout and stderr fields. For example, c:\stdout.txt and c:\stderr.txt.
5. Click either OK or Apply.
To edit the service definition in UNIX
1. From a shell window, change your working directory to /AtriumSSO/tomcat/bin.
2. Edit the setenv.sh shell file and add the JVM option to the existing CATALINA_OPTS definition: -Djavax.net.debug=ssl,handshake
12.7.5 Example of a client not responding with a certificate
The following log from the Transport Layer Security (TLS) debug logs shows an example of when the client does not respond with a certificate. In this example, there is no content between *** Certificate chain and the *** section terminator.
*** ServerHelloDone
http-8443-1, WRITE: TLSv1 Handshake, length = 1606
http-8443-1, READ: TLSv1 Handshake, length = 109
*** Certificate chain
***
http-8443-1, SEND TLSv1 ALERT: fatal, description = bad_certificate
http-8443-1, WRITE: TLSv1 Alert, length = 2
http-8443-1, called closeSocket()
http-8443-1, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
12.7.6 Example of a client sending a certificate
The following is an example of a certificate chain when a client sends a certificate:
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=iBMC-JBHBBK1.adprod.bmc.com, O=BMC Software, OU=AtriumSSO Server
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 1153476415046747080545705726032711211661968880193177355336120528259205179
8701885413352651439456472027242135383823079486221876201099852580433674612
2095506217482528174781177916973132898161752304402048808946927230955649506
8627650608058272169958226152224835413140850196651094714261111749419276023
57110513103177317
public exponent: 65537
Validity: [From: Thu May 26 17:35:59 CDT 2011,
To: Sun May 23 17:35:59 CDT 2021]
Issuer: CN=iBMC-JBHBBK1.adprod.bmc.com, O=BMC Software, OU=AtriumSSO Server
SerialNumber: [ 4dded5cf]
]
Algorithm: [SHA1withRSA]
Signature:
.... HEX DUMP DELETED
]
***
12.7.7 Example of a list of certificates sent to the client
The client receives a list of certificates from the server that the client uses when determining which certificates to respond with. This list of certificates is sent at the end of the server's hello reply. The client uses this list to scan its truststore for a certificate that is an exact match (for example, a self-signed certificate), or for a certificate that is signed by one of these certificates. If no match is found, no certificate is sent and the login fails.
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
*** ServerHelloDone
12.7.8 Example of URL certificate authentication not enabled
If the BMC Atrium Single Sign-On WEB-INF\config\Atrium SSO\debug\Authentication directory contains the following error messages, then the Common Access Card (CAC) certificate was not passed in from the client. Ensure that the certificates, or the correct certificates, were imported into the cacerts.p12 file.
amAuthCert:11/18/2009 01:17:37:922 PM CST: Thread[http-8443-6,5,main] ERROR: Certificate: cert passed in URL not enabled for this client
amAuthCert:11/18/2009 01:17:37:922 PM CST: Thread[http-8443-6,5,main] ERROR: Certificate: exiting validate with exception
com.sun.identity.authentication.spi.AuthLoginException: URL certificate authentication not enabled.
at com.sun.identity.authentication.modules.cert.Cert.process(Cert.java:383)
at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:866)
at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:926)
at sun.reflect.GeneratedMethodAccessor57.invoke(Unknown Source)
....
12.7.9 Example of OCSP certificate failure
If you receive the following errors, verify that you imported the Online Certificate Status Protocol (OCSP) certificates into the cacerts.p12 file:
amAuthCert:11/18/2009 02:45:58:004 PM CST: Thread[http-8443-3,5,main] ERROR: CertPath:verify failed.
amAuthCert:11/18/2009 02:45:58:004 PM CST: Thread[http-8443-3,5,main] ERROR: X509Certificate:CRL / OCSP verify failed.
12.7.10 Clock skew too great for CAC authentication
Clock skew is the range of time allowed for a server to accept authentication. If the clock skew is too great, you receive a "clock skew too great" error message. The clock skew between the BMC Atrium Single Sign-On server and the OCSP server must not be more than 15 minutes; otherwise, OCSP validation fails. This error indicates that the clock on one or both of the servers has the wrong time. To resolve this issue, either use a time server to synchronize the computers, or manually set the clock on one or both of the computers to the correct time.
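The log excerpts in 12.7.5 through 12.7.10 each point at a different cause. The following added example (not BMC code) runs a short triage over a TLS debug excerpt or an Authentication debug excerpt and maps what it finds to the checks named in this section; it also detects the two structural signs, an empty *** Certificate chain block and an empty Cert Authorities list, that appear before any exception is logged. The PATTERNS table, the helper names and the sample excerpts are this example's own, constructed from the samples above.

```python
import re

# Diagnoses keyed to the log excerpts in sections 12.7.2 to 12.7.10 above; the
# action text paraphrases the guidance given there. Added example, not BMC code.
PATTERNS = [
    (re.compile(r"SSLHandshakeException: null cert chain"),
     "client did not send a certificate",
     "compare the client's certificate store with the CA list in CertificateRequest"),
    (re.compile(r"ALERT: fatal, description = bad_certificate"),
     "server rejected the client certificate",
     "verify the client certificate, or its issuer, is in the Atrium SSO truststore"),
    (re.compile(r"User certificate not found"),
     "CAC module received no certificate",
     "set clientAuth to true in server.xml and enable network debug logging"),
    (re.compile(r"URL certificate authentication not enabled"),
     "certificate was not passed in from the client",
     "import the correct certificates into cacerts.p12"),
    (re.compile(r"CRL / OCSP verify failed"),
     "CRL / OCSP revocation check failed",
     "import the OCSP certificates into cacerts.p12 and check the clock skew (15 minute limit)"),
    (re.compile(r"clock skew too great", re.IGNORECASE),
     "clock skew between the Atrium SSO server and the OCSP server is too great",
     "synchronize both clocks with a time server"),
]


def _empty_after(lines, marker):
    """True when the block that `marker` introduces is empty, i.e. the text after the
    marker (same line or next non-empty line) is already the '***' terminator."""
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith(marker):
            rest = stripped[len(marker):].strip()
            if not rest:
                rest = next((l.strip() for l in lines[i + 1:] if l.strip()), "")
            return rest.startswith("***")
    return False


def triage(log_text):
    """Return an ordered, de-duplicated list of (diagnosis, action) for a log excerpt
    from the TLS debug output (javax.net.debug) or the Authentication debug file."""
    lines = log_text.splitlines()
    findings = []

    def add(diagnosis, action):
        if (diagnosis, action) not in findings:
            findings.append((diagnosis, action))

    # Structural checks first: these show up before any exception is logged.
    if _empty_after(lines, "*** Certificate chain"):
        add("client certificate chain is empty",
            "the browser found no certificate matching the server's CA list")
    if _empty_after(lines, "Cert Authorities:"):
        add("server sent an empty CA list in CertificateRequest",
            "import the issuer (signer) certificate into the Atrium SSO truststore")
    for line in lines:
        for pattern, diagnosis, action in PATTERNS:
            if pattern.search(line):
                add(diagnosis, action)
    return findings


# Constructed excerpts modelled on the samples in 12.7.5, 12.7.7, 12.7.8 and 12.7.9.
SAMPLE_TLS_LOG = """\
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
*** ServerHelloDone
http-8443-1, WRITE: TLSv1 Handshake, length = 1606
http-8443-1, READ: TLSv1 Handshake, length = 109
*** Certificate chain
***
http-8443-1, SEND TLSv1 ALERT: fatal, description = bad_certificate
http-8443-1, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
"""
SAMPLE_AUTH_LOG = """\
amAuthCert:11/18/2009 01:17:37:922 PM CST: Thread[http-8443-6,5,main] ERROR: Certificate: cert passed in URL not enabled for this client
com.sun.identity.authentication.spi.AuthLoginException: URL certificate authentication not enabled.
amAuthCert:11/18/2009 02:45:58:004 PM CST: Thread[http-8443-3,5,main] ERROR: X509Certificate:CRL / OCSP verify failed.
"""

if __name__ == "__main__":
    for diagnosis, action in triage(SAMPLE_TLS_LOG) + triage(SAMPLE_AUTH_LOG):
        print(f"{diagnosis}: {action}")
```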
12.8 Troubleshooting FIPS-140 conversion
If the conversion process fails:
1. From the BMC Atrium Single Sign-On administrator console, restore FIPS mode back to normal mode. For more information about restoring normal mode, see Converting from FIPS-140 to normal mode (see page 258).
2. Save the configuration change.
3. Address the cause of the failure. If any errors occurred during the conversion, they are posted after the initial BMCSSG1599I message.
4. Retry the FIPS-140 conversion after resolving the cause of the previous attempt's failure.
12.9 Troubleshooting JEE agents
The following topics provide instructions for manually removing a JEE agent from BMC Atrium Single Sign-On. These steps involve only the BMC Atrium Single Sign-On configuration; additional steps might be required for full removal.
To remove a JEE agent from BMC Atrium Single Sign-On (see page 332)
To remove a JEE agent from WebSphere (see page 332)
To remove a JEE agent from Tomcat (see page 332)
To remove a JEE agent from JBoss or WebLogic (see page 333)
12.9.1 To remove a JEE agent from BMC Atrium Single Sign-On
1. On the BMC Atrium SSO Admin Console, click Agent Details.
2. Select the agent you want to delete.
3. Click Delete.
12.9.2 To remove a JEE agent from WebSphere
1. Stop IBM WebSphere Application Server (WAS).
2. Delete /AppServer/atssoAgents.
3. Delete /AppServer/.amAgentLocator.
4. Edit \AppServer\profiles\AppSrv01\config\cells\\nodes\\servers\server1\server.xml:
a. Navigate to process:Server > processDefinitions > jvmEntries.
b. Remove the system property declarations (for example, -Dcom.iplanet.services.debug.level=on) from the genericJvmArguments attribute.
c. The classpath sub-tag of jvmEntries contains the classpath for the JVM. Remove the BMC Atrium Single Sign-On entries.
5. Restart WAS.
12.9.3 To remove a JEE agent from Tomcat
1. Stop Tomcat.
2. Delete /atssoAgents.
The following steps may not be applicable, depending on the agent used by the web application:
3. Delete /.amAgentLocator.
4. Edit conf/server.xml and remove the realm definition. For example:
<Realm className="com.sun.identity.agents.tomcat.v6.AmTomcatRealm" debug="99"/>
5. Edit bin/setclasspath.sh (or catalinaHome/bin/setclasspath.bat).
a. Delete the inclusion of setAgentclasspath.sh (or setAgentclasspath.bat).
b. Delete bin/setAgentclasspath.bat.
6. Restart Tomcat.
12.9.4 To remove a JEE agent from JBoss or WebLogic
1. Stop the relevant application server.
2. Delete /atssoAgents.
3. Restart the relevant application server.
12.10 Troubleshooting Kerberos authentication
When diagnosing Kerberos authentication failures, access the logs on the Ticket Granting Server (TGS) to identify the root causes of failures. In addition, install a utility program (for example, HTTPHeaders for Internet Explorer or Live HTTP Headers for Firefox) in the browser to display the headers that are sent between the browser and the BMC Atrium Single Sign-On server; headers help identify failure points.
The following commands are useful for troubleshooting:
klist tickets: lists open tickets with the TGS
klist purge: closes tickets with the TGS
Problems with the module configuration can be detected by turning on BMC Atrium Single Sign-On debug logging and attempting to log in by using a test URL. Log entries are generated in the debug.out log file when message-level debugging is configured.
The following troubleshooting topics are addressed here:
Invalid user name for Kerberos authentication
Invalid service principal name for Kerberos authentication
Invalid keytab index number for Kerberos authentication
Invalid password for Kerberos authentication
Incorrect server name for Kerberos authentication
Browser sending NTLM instead of Kerberos (see page 336)
Browser not correctly configured for Kerberos authentication
Clock skew too great for Kerberos authentication
Chained authentication failure in Microsoft Internet Explorer (see page 338)
12.10.1 Invalid user name for Kerberos authentication
This error message indicates that the user name does not match the entry in the keytab file. Validate that the full principal name is used and that the correct service type, domain, and so on are specified.
New Service Login ...
amAuthWindowsDesktopSSO:06/24/2011 12:40:11:670 PM CDT: Thread[http-8443-2,5,main] ERROR: Service Login Error:
amAuthWindowsDesktopSSO:06/24/2011 12:40:11:670 PM CDT: Thread[http-8443-2,5,main] Stack trace:
javax.security.auth.login.LoginException: Unable to obtain password from user
    at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:789)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:654)
    ...
12.10.2 Invalid service principal name for Kerberos authentication
This error message indicates a possible failure due to a discrepancy between the service principal name in the keytab file and the actual service principal name in the TGS or Active Directory. This error can be caused by renaming the service principal in the TGS without updating the keytab file. Validate the name (it is case-sensitive) and regenerate the keytab file if the service principal name has changed.
amAuthWindowsDesktopSSO:06/28/2011 04:24:33:854 PM CDT: Thread[http-8443-1,5,main] New Service Login ...
amAuthWindowsDesktopSSO:06/28/2011 04:24:33:870 PM CDT: Thread[http-8443-1,5,main] ERROR: Service Login Error:
amAuthWindowsDesktopSSO:06/28/2011 04:24:33:870 PM CDT: Thread[http-8443-1,5,main] Stack trace:
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
12.10.3 Invalid keytab index number for Kerberos authentication
This exception is generated in the logs when the keytab file was generated with a KVNO value different from the one specified in the ticket. The solution is to regenerate the keytab file. Be sure to specify the /kvno 0 option; this ensures that the KVNO value is compatible.
amJAAS:10/18/2011 09:35:00:435 AM PDT: Thread[http-8443-1,5,main] Exception: com.sun.identity.authentication.spi.AuthLoginException: Failed to authentication. Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
12.10.4 Invalid password for Kerberos authentication
This error message from the Active Directory server indicates that the password in the keytab file is incorrect for the specified principal. Verify that the password is correct, and regenerate the keytab file if the password is incorrect or has been changed since the file was generated.
amAuthWindowsDesktopSSO:06/24/2011 02:18:31:590 PM CDT: Thread[http-8443-1,5,main] ERROR: Service Login Error:
amAuthWindowsDesktopSSO:06/24/2011 02:18:31:590 PM CDT: Thread[http-8443-1,5,main] Stack trace:
javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
12.10.5 Incorrect server name for Kerberos authentication
This exception indicates that the server host name specified in the module configuration is incorrect, or that the server is not accessible through the network. Validate the server name and that the server can be contacted through the network.
amAuth:06/24/2011 05:48:57:828 PM CDT: Thread[http-8443-2,5,main] LOGINFAILED Error....
amAuth:06/24/2011 05:48:57:828 PM CDT: Thread[http-8443-2,5,main] Exception :
com.sun.identity.authentication.spi.AuthLoginException(1):null
com.sun.identity.authentication.spi.AuthLoginException(2):Service authentication failed.
javax.security.auth.login.LoginException(3):Receive timed out
javax.security.auth.login.LoginException: Receive timed out
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:700)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
12.10.6 Browser sending NTLM instead of Kerberos
The following entry in the debug log files indicates that the token received from the client is a Microsoft Windows NT LAN Manager (NTLM) token, not a Kerberos token as required. Verify that the BMC Atrium Single Sign-On server has been set up correctly as a service principal and that the client can successfully request a ticket for the service.
amAuthWindowsDesktopSSO:06/28/2011 06:46:14:877 PM CDT: Thread[http-8443-1,5,main] Retrieved config params from cache.
amAuthWindowsDesktopSSO:06/28/2011 06:46:14:877 PM CDT: Thread[http-8443-1,5,main] WARNING: Authentication token is NTLM.
amAuthWindowsDesktopSSO:06/28/2011 06:46:14:877 PM CDT: Thread[http-8443-1,5,main] SPNEGO token: 4e 54 4c 4d 53 53 50 00 01 00 00 00 07 82 08 a2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 02 ce 0e 00 00 00 0f
When a browser sends an NTLM token instead of a Kerberos token, the failure could be caused by a problem obtaining a service token for the BMC Atrium Single Sign-On server. For example, a failed case-sensitive lookup of the principal name results in an NTLM token being sent. When debugging a client failure, enable Kerberos event logging to identify failures, and disable it again after diagnosing the failure. For more information about how to enable Kerberos event logging, see http://support.microsoft.com/kb/262177. The following trace of an exchange between an Internet Explorer browser and the BMC Atrium Single Sign-On server shows a successful negotiation.
GET /atriumsso/UI/Login?gx_charset=UTF-8&realm=BmcRealm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: ibmc-jbhbbk1.adprod.bmc.com:8443
Connection: Keep-Alive
Cookie: s_pers=%20s_lv%3D1270043963949%7C1364651963949%3B%20s_lv_s%3DFirst%2520Visit%7C1270045763949%3B%20s_nr%3D127004396396 s_vi=[CS]v1|25D9AA60851D2F18-60000104E00EF3FE[CE]; __utma=246752535.599385143.1270043842.1270043842.1270043842.1

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: 0
Cache-Control: private
X-DSAMEVersion: Atrium SSO 7.6.04(2011-June-28 13:47)
AM_CLIENT_TYPE: genericHTML
Set-Cookie: AMAuthCookie=AQIC5wM2LY4SfcwV3%2FNDDybcVGsdeW%2B%2BRnGC93rfcaw%2FEf8%3D%40AAJTSQACMDIAAlNLAAkxOTE4MzI0NTIAAlMxAAIwMQ% Domain=.bmc.com; Path=/
Set-Cookie: amlbcookie=01; Domain=.bmc.com; Path=/
WWW-Authenticate: Negotiate
Content-Type: text/html;charset=utf-8
Content-Length: 954
Date: Wed, 29 Jun 2011 00:09:46 GMT

GET /atriumsso/UI/Login?gx_charset=UTF-8&realm=BmcRealm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: ibmc-jbhbbk1.adprod.bmc.com:8443
Connection: Keep-Alive
Authorization: Negotiate YIIE7gYGKwYBBQUCoIIE4jCCBN6gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKw YBBAGCNwICCqKCBLQEggSwYIIErAYJKoZIhvcSAQICAQBuggSbMIIEl6ADAgEFoQMCAQ6iBwMFACAAAACjggO/ YYIDuzCCA7egAwIBBaEQGw5CU01EU0wuQk1DLkNPTaIuMCygAwIBAqElMCMbBEhUVFAbG2libWMtamJoYmJrMS5h ZHByb2QuYm1jLmNvbaOCA2wwggNooAMCARehAwIBA6KCA1oEggNWF2cjeeJwxrbN85nRgZ6kQQ49s7I54ndjXLJD jdc62pRQqDDYaMn6KUBR5zPfwuvNRlL4e3n0MXtNLbUMgMGWiDBZlLVLRJg6p3tydxJC9eEiWYFu ...
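The NTLM-versus-Kerberos question in this section can be answered directly from the bytes the browser sent, without waiting for the module's WARNING line. The following is an added example, not code from BMC Atrium Single Sign-On or OpenAM: it classifies a token from its leading bytes (a bare NTLMSSP message starts with the ASCII string NTLMSSP followed by a zero byte, which is exactly the 4e 54 4c 4d 53 53 50 00 shown in the log above; a SPNEGO token is a GSS-API InitialContextToken starting with 0x60) and, for a SPNEGO token, lists the mechanism OIDs it offers. The hex dump and the leading part of the Authorization: Negotiate value are copied from this page; the OID table and all function names are the example's own.

```python
"""Triage of the token a browser sent to the Windows Desktop SSO module:
raw NTLM (what the WARNING above reports) or a SPNEGO token, and if SPNEGO,
which mechanisms it offers.

Added example for the debug output quoted above, not code from BMC Atrium
Single Sign-On or OpenAM.  The hex dump and the Negotiate header value are
copied from this page; everything else is an assumption of the example.
"""
from __future__ import annotations

import base64
import re

# DER encodings (tag 0x06, length, value) of the mechanism OIDs found in a
# SPNEGO NegTokenInit.  Byte values are the standard encodings of these OIDs.
MECH_OIDS = {
    bytes.fromhex("06092a864886f712010202"): "Kerberos V5 (1.2.840.113554.1.2.2)",
    bytes.fromhex("06092a864882f712010202"): "MS Kerberos (1.2.840.48018.1.2.2)",
    bytes.fromhex("060a2b06010401823702020a"): "NTLMSSP (1.3.6.1.4.1.311.2.2.10)",
}


def classify_token(raw: bytes) -> str:
    """Return "NTLM", "SPNEGO" or "unknown" from the leading bytes of a token."""
    if raw.startswith(b"NTLMSSP\x00"):
        return "NTLM"      # bare NTLMSSP message: 4e 54 4c 4d 53 53 50 00 in the log
    if raw[:1] == b"\x60":
        return "SPNEGO"    # GSS-API InitialContextToken, [APPLICATION 0]
    return "unknown"


def spnego_mechs(raw: bytes) -> list[str]:
    """Names of the mechanism OIDs present in a SPNEGO token, in token order."""
    hits = [(raw.find(oid), name) for oid, name in MECH_OIDS.items()]
    return [name for offset, name in sorted(hits) if offset >= 0]


def token_from_hex_dump(log_line: str) -> bytes:
    """Extract the bytes after "SPNEGO token:" in a debug log line."""
    m = re.search(r"SPNEGO token:\s*((?:[0-9a-fA-F]{2}\s*)+)", log_line)
    if not m:
        raise ValueError("no SPNEGO token hex dump in line")
    return bytes.fromhex(re.sub(r"\s+", "", m.group(1)))


def token_from_negotiate(header_value: str) -> bytes:
    """Decode the base64 payload of an "Authorization: Negotiate ..." value.

    Traces are often cut off mid-token, so a trailing partial base64 quartet
    is dropped; the leading bytes are enough for classification.
    """
    payload = header_value.split(None, 1)[1].strip()
    payload = payload[: len(payload) - len(payload) % 4]
    return base64.b64decode(payload)


def triage(raw: bytes) -> dict:
    """Classify a token and, for SPNEGO, list the offered mechanisms."""
    kind = classify_token(raw)
    return {"kind": kind, "mechs": spnego_mechs(raw) if kind == "SPNEGO" else []}


# Log line copied from the "Authentication token is NTLM" excerpt above.
PAGE_NTLM_LOG_LINE = (
    "amAuthWindowsDesktopSSO:06/28/2011 06:46:14:877 PM CDT: "
    "Thread[http-8443-1,5,main] SPNEGO token: 4e 54 4c 4d 53 53 50 00 01 00 00 00 "
    "07 82 08 a2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 02 ce 0e 00 00 00 0f"
)
# First 66 base64 characters of the Authorization header in the successful trace.
PAGE_NEGOTIATE_HEADER = (
    "Negotiate YIIE7gYGKwYBBQUCoIIE4jCCBN6gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKw"
)

if __name__ == "__main__":
    print(triage(token_from_hex_dump(PAGE_NTLM_LOG_LINE)))
    print(triage(token_from_negotiate(PAGE_NEGOTIATE_HEADER)))
```

Run against the two values from this page, the hex dump classifies as NTLM with no mechanisms, and the Negotiate header classifies as SPNEGO offering the Microsoft Kerberos and standard Kerberos V5 mechanisms (the NTLMSSP OID that IE also lists falls beyond the copied prefix). A SPNEGO token that offers only NTLMSSP, or a bare NTLM token, points at the service-ticket problem described above rather than at the SSO server's token handling.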
12.10.7 Browser not correctly configured for Kerberos authentication
This stack trace indicates that the browser is not sending the Kerberos token. Validate that the browser is configured for Kerberos authentication with the BMC Atrium Single Sign-On server. Verify that the principals in the BMC Atrium Single Sign-On Kerberos configuration and the user account running the browser are all in the same realm. Lastly, when multiple services are running on the same host or non-standard ports are used for HTTP and HTTPS connections, see the following Microsoft article for more information: http://support.microsoft.com/kb/908209.
amJAAS:06/24/2011 02:35:46:834 PM CDT: Thread[http-8443-2,5,main] Exception: com.sun.identity.authentication.spi.AuthLoginException: Invalid Kerberos token.
amJAAS:06/24/2011 02:35:46:834 PM CDT: Thread[http-8443-2,5,main] Set firstRequiredError to com.sun.identity.authentication.spi.AuthLoginException: Invalid Kerberos token.
amLoginModule:06/24/2011 02:35:46:834 PM CDT: Thread[http-8443-2,5,main] ABORT return.... false
amJAAS:06/24/2011 02:35:46:834 PM CDT: Thread[http-8443-2,5,main] abort ignored
amAuth:06/24/2011 02:35:46:834 PM CDT: Thread[http-8443-2,5,main] LOGINFAILED Error....
amAuth:06/24/2011 02:35:46:834 PM CDT: Thread[http-8443-2,5,main] Exception :
com.sun.identity.authentication.spi.AuthLoginException(1):null
com.sun.identity.authentication.spi.AuthLoginException(2):Invalid Kerberos token.
com.sun.identity.authentication.spi.AuthLoginException: Invalid Kerberos token.
    at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.process(WindowsDesktopSSO.java:146)
    at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:866)
12.10.8 Clock skew too great for Kerberos authentication
The time difference between the BMC Atrium Single Sign-On server and the Key Distribution Center (KDC) (or Active Directory domain controller) is too great. Normally, the time difference should be no greater than 5 minutes. Use a time server to synchronize the computers, or adjust the time manually so that they are closer in sync.
Error: javax.security.auth.login.LoginException(3):Clock skew too great (37)
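The failure signatures in sections 12.7 and 12.10 are stable strings in the debug output, so they can be matched mechanically instead of read by eye. The following is an added example, not code from BMC Atrium Single Sign-On or OpenAM: it parses the component/timestamp/thread prefix of the debug log format shown throughout this section, attaches stack-trace continuation lines to the record they belong to, and maps each known signature to the cause the documentation gives. The signature table and SAMPLE_LOG are assembled from the log excerpts quoted above; the remediation strings paraphrase the sections, and the function names are the example's own.

```python
"""Map failures in the BMC Atrium Single Sign-On debug logs to the causes
documented in sections 12.7 (certificate/OCSP) and 12.10 (Kerberos).

Added example, not product code.  The signature table is built from the log
excerpts quoted on this page, and SAMPLE_LOG is a constructed excerpt assembled
from those same lines; the remediation text paraphrases the sections above.
"""
from __future__ import annotations

import re

# "component:MM/DD/YYYY HH:MM:SS:mmm AM TZ: Thread[name] message"
LOG_RE = re.compile(
    r"^(?P<component>\w+):"
    r"(?P<timestamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3} [AP]M \w+): "
    r"Thread\[(?P<thread>[^\]]+)\] (?P<message>.*)$"
)

# (substring in the log message, documented cause).  First match wins.
SIGNATURES = [
    ("Clock skew too great",
     "clock skew: synchronise the SSO server with the KDC (max 5 min)"),
    ("Unable to obtain password from user",
     "user name does not match the keytab entry; use the full principal name"),
    ("Client not found in Kerberos database",
     "service principal name differs between keytab and TGS/AD; regenerate the keytab"),
    ("Specified version of key is not available",
     "keytab KVNO mismatch; regenerate the keytab with /kvno 0"),
    ("Pre-authentication information was invalid",
     "keytab password wrong for the principal; regenerate the keytab"),
    ("Receive timed out",
     "KDC server name wrong or unreachable; check the module configuration and network"),
    ("Authentication token is NTLM",
     "browser sent NTLM instead of Kerberos; check the SPN and service ticket lookup"),
    ("Invalid Kerberos token",
     "browser not configured for Kerberos with this server, or realm mismatch"),
    ("URL certificate authentication not enabled",
     "CAC certificate not passed in from the client; check the cacerts.p12 import"),
    ("CRL / OCSP verify failed",
     "OCSP certificates missing from cacerts.p12, or SSO/OCSP clock skew over 15 min"),
]


def parse_log(text: str) -> list[dict]:
    """Split debug output into records; unprefixed lines (stack traces) are
    appended to the message of the preceding record."""
    records: list[dict] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
        elif records and line.strip():
            records[-1]["message"] += "\n" + line.strip()
    return records


def diagnose(message: str) -> tuple[str, str] | None:
    """Return (signature, cause) for the first known signature in a message."""
    for signature, cause in SIGNATURES:
        if signature in message:
            return signature, cause
    return None


def triage_log(text: str) -> list[dict]:
    """Records with a recognised failure signature; timestamp and thread are
    kept so the matching browser request can be correlated."""
    findings = []
    for rec in parse_log(text):
        hit = diagnose(rec["message"])
        if hit:
            findings.append({**rec, "signature": hit[0], "cause": hit[1]})
    return findings


# Constructed excerpt: lines copied from the examples in 12.7 and 12.10.
SAMPLE_LOG = """\
amAuthWindowsDesktopSSO:06/28/2011 04:24:33:870 PM CDT: Thread[http-8443-1,5,main] ERROR: Service Login Error:
amAuthWindowsDesktopSSO:06/28/2011 04:24:33:870 PM CDT: Thread[http-8443-1,5,main] Stack trace:
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
amAuthWindowsDesktopSSO:06/28/2011 06:46:14:877 PM CDT: Thread[http-8443-1,5,main] WARNING: Authentication token is NTLM.
amAuthCert:11/18/2009 02:45:58:004 PM CST: Thread[http-8443-3,5,main] ERROR: X509Certificate:CRL / OCSP verify failed.
amJAAS:10/18/2011 09:35:00:435 AM PDT: Thread[http-8443-1,5,main] Exception: com.sun.identity.authentication.spi.AuthLoginException: Failed to authentication. Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['timestamp']} [{f['thread']}] {f['signature']} -> {f['cause']}")
```

Point the script at the debug.out or module debug file mentioned earlier in this section; the thread name (http-8443-1 and so on) in each finding is what lets you pair a server-side failure with the request captured by the browser header utility.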
12.10.9 Chained authentication failure in Microsoft Internet Explorer
When Kerberos is chained together with LDAP or AR for authentication and you enter your credentials to log in using the Internet Explorer (IE) browser, the authentication fails. You can detect the issue by removing the Kerberos module from the authentication chain: authentication works correctly when Kerberos is removed from the chain. You might be facing this issue because of an optimization feature that Microsoft has added to IE, which causes IE not to send the user-entered credentials to the BMC Atrium Single Sign-On server.
Tip
The problem can be avoided by using Mozilla Firefox or other compatible browsers.
Resolution
By disabling this optimization, the credentials are sent and the user is successfully authenticated.
Steps to follow from the KB article
To resolve this issue from the client side, use Registry Editor (Regedt32.exe) to add a value under the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Add the following registry value:
Value Name: DisableNTLMPreAuth
Data Type: REG_DWORD
Value: 1
For more information about disabling the optimization feature, refer to the Microsoft knowledge base (KB) article, Restricting data to be posted to specific website.
Note
The KB article also mentions disabling Kerberos or Integrated Windows Authentication; ignore that part.
12.11 Troubleshooting an external LDAP user store
This topic provides information to help you correct issues that might arise when configuring an external LDAP user store.
12.11.1 No users in User tab
If there are no users in the User tab:
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. In the User Stores panel, select the LDAP user store, and click Edit.
3. Select the Search tab.
4. Verify that the Users Search Filter field value is correct for the LDAP server. Specifically, the default filter must contain a class that is part of the LDAP structure.
5. If values were specified for the People Container Container Attribute and Attribute Value, remove those values (leave those fields blank).
12.11.2 No groups in Group tab
If there are no groups in the Group tab:
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. In the User Stores panel, select the LDAP user store, and click Edit.
3. Select the Search tab.
4. Verify that the Groups Search Filter field value is correct (the class selected is used in the LDAP server).
5. Verify that the Groups Container Container Attribute and Attribute Value information are both correct. Alternatively, try blank values (no characters).
12.12 Troubleshooting SAMLv2
This section includes the following issues:
IdP metadata issues
SAMLv2 keystore issues (see page 341)
Metadata issues (see page 342)
Certificate issues
12.12.1 IdP metadata issues
When using the Atrium Single Sign-On server as an Identity Provider (IdP), the server must be able to provide the metadata to the Service Providers (SP) that are part of the Circle of Trust. The configuration of the IdP can be verified by opening this URL in a browser:
https://sample.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp
If the Atrium Single Sign-On server is correctly configured, the server returns an XML document, which is the metadata for the IdP.
libCOT:03/03/2011 02:55:51:194 PM CST: Thread[http-18443-6,5,main] ERROR: COTManager.createCircleOfTrust: com.sun.identity.plugin.configuration.ConfigurationException: Unable to create configuration of component "LIBCOT" for realm "/BmcRealm".
This error usually indicates that the certificates from the IdP have not been stored into the truststore of the BMC Atrium Single Sign-On server that is hosting the SP.
12.12.2 SAMLv2 keystore issues
If the SAMLv2 keystore is not correctly configured, an error is displayed at the top of the page when you attempt to create a new IdP or SP. Check the Federation log file in the following location:
/tomcat/webapps/atriumsso/WEB-INF/config/atriumsso/debug
The following error messages indicate that the keystore is of the wrong format (for SAMLv2, only keystores in JKS format are supported; this keystore holds the certificates and private keys used for signing and encryption):
ERROR: mapPk2Cert.JKSKeyProvider: java.io.IOException: Invalid keystore format
ERROR: mapPk2Cert.JKSKeyProvider: java.lang.NullPointerException
ERROR: mapPk2Cert.JKSKeyProvider: java.io.IOException: Keystore was tampered with, or password was incorrect
The following messages indicate that the files containing the passwords for the store or the key do not contain the correct values (the values must be encoded before being stored within the files):
libSAML:03/02/2011 12:42:23:418 PM CST: Thread[main,5,main] ERROR: JKSKeyProvider: keystore file does not exist
libSAML:03/02/2011 12:42:23:418 PM CST: Thread[main,5,main] ERROR: JKSKeyProvider: keystore password is null
The following message (displayed in the browser) indicates that the keystore file is incorrectly defined or missing:
HTTP Status 400 - Error processing AuthnRequest. Error retrieving meta data.
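The three JKSKeyProvider failures above (wrong format, missing file, null password) can all be caught before the server is restarted. The following is an added example, not code from BMC Atrium Single Sign-On: it identifies a keystore's format from its leading bytes (a JKS file begins with the magic number 0xFEEDFEED, a JCEKS file with 0xCECECECE, and a PKCS#12 file such as cacerts.p12 is DER and begins with a 0x30 SEQUENCE tag), checks that the store file exists, and checks that the password files are present and non-empty. The file names cot.jks, .storepass and .keypass come from the upgrade workaround later on this page; the temporary directory and the constructed header bytes are the example's own.

```python
"""Pre-flight checks for the SAMLv2 keystore that the JKSKeyProvider errors
above point at: file present, JKS format (the only format Atrium SSO accepts
for SAMLv2), and non-empty password files.

Added example, not product code.  File names and the use of a temporary
directory are assumptions of the example; the sample keystores are constructed
headers, not real key material.
"""
from __future__ import annotations

import os
import tempfile

JKS_MAGIC = b"\xfe\xed\xfe\xed"      # Java's JavaKeyStore magic number
JCEKS_MAGIC = b"\xce\xce\xce\xce"    # JCEKS magic number


def keystore_format(header: bytes) -> str:
    """Identify a keystore from its first bytes."""
    if header[:4] == JKS_MAGIC:
        return "JKS"
    if header[:4] == JCEKS_MAGIC:
        return "JCEKS"
    if header[:1] == b"\x30":
        return "PKCS12 (DER)"   # ASN.1 SEQUENCE: PKCS#12 files such as cacerts.p12
    return "unknown"


def check_keystore(keystore: str, storepass: str, keypass: str) -> list[str]:
    """Return the problems found, phrased like the log messages above."""
    problems: list[str] = []
    if not os.path.isfile(keystore):
        return ["keystore file does not exist"]
    with open(keystore, "rb") as fh:
        fmt = keystore_format(fh.read(8))
    if fmt != "JKS":
        problems.append(f"Invalid keystore format ({fmt}); SAMLv2 requires JKS")
    for label, path in (("storepass", storepass), ("keypass", keypass)):
        if not os.path.isfile(path) or os.path.getsize(path) == 0:
            problems.append(f"{label} password is null ({path} missing or empty)")
    return problems


def demo() -> dict[str, list[str]]:
    """Run the checks against constructed files in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "cot.jks")
        with open(good, "wb") as fh:
            fh.write(JKS_MAGIC + b"\x00\x00\x00\x02")     # JKS header, version 2
        sp, kp = os.path.join(d, ".storepass"), os.path.join(d, ".keypass")
        for p in (sp, kp):
            with open(p, "w") as fh:
                fh.write("ENCODED-PLACEHOLDER\n")   # stands in for the encoded value
        results["good"] = check_keystore(good, sp, kp)

        bad = os.path.join(d, "cacerts.p12")
        with open(bad, "wb") as fh:
            fh.write(b"\x30\x82\x0a\x00")                # DER SEQUENCE header only
        empty = os.path.join(d, ".storepass.empty")
        open(empty, "w").close()
        results["bad"] = check_keystore(bad, empty, os.path.join(d, "missing"))

        results["missing"] = check_keystore(os.path.join(d, "none.jks"), sp, kp)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or ["ok"])
```

The "bad" scenario reproduces the common mistake of pointing the SAMLv2 configuration at the PKCS#12 truststore (cacerts.p12) instead of a JKS keystore, which is what produces the Invalid keystore format error.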
12.12.3 Metadata issues
An error occurs when the BMC Atrium Single Sign-On server cannot find the Identity Provider (IdP), or the request sent by the client was syntactically incorrect. In the status report, the following message is displayed:
Error processing AuthnRequest. Error retrieving meta data
At logon, the browser displays the following message:
HTTP Status 500 -
To resolve metadata issues
1. Verify that the agent URL for login has the IdP spelled correctly.
2. Verify that the IdP is defined in the BMC Atrium Single Sign-On server.
12.12.4 Certificate issues In an exception report, the following message displays:
The server encountered an internal error () that prevented it from fulfilling this request.
This problem is usually caused by the HTTPS certificate or the root CA-signed certificate from the IdP or SP server. The certificate might not be stored in the BMC Atrium Single Sign-On server's truststore.
To resolve certificate issues
1. Import the appropriate certificate into the truststore: /tomcat/conf/cacerts.p12
2. Restart the BMC Atrium Single Sign-On server.
The following message indicates the exception:
javax.servlet.ServletException: AMSetupFilter.doFilter
    com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:118)
The following message indicates the root cause:
com.sun.identity.saml2.common.SAML2Exception: java.security.PrivilegedActionException: com.sun.xml.messaging.saaj.SOAPExceptionImpl: Message send failed
    com.sun.identity.saml2.profile.SPACSUtils.getResponseFromArtifact(SPACSUtils.java:382)
    com.sun.identity.saml2.profile.SPACSUtils.getResponseFromGet(SPACSUtils.java:247)
    com.sun.identity.saml2.profile.SPACSUtils.getResponse(SPACSUtils.java:161)
    org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:180)
    org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:374)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:342)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:267)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:91)
12.13 Troubleshooting redirect URLs
Multiple redirect URLs can occur when a load balancer or reverse proxy is implemented.
Modifying the load balancer (or reverse proxy) for redirect URLs (see page 343)
Using load balancer (or reverse proxy) host names for redirect URLs (see page 344)
Cookie name change for a HA node (see page 344)
12.13.1 Modifying the load balancer (or reverse proxy) for redirect URLs If a BMC product is deployed behind a load balancer (or a reverse proxy), then the load balancer (or reverse proxy) must specify a BMC Atrium Single Sign-On redirect URL for the product agent. This modification is valid for both High Availability (HA) and non-HA environments.
Specify an HTTP header named AtssoReturnLocation whose value uses the following syntax:
<protocol>://<host>:<port>
Note
To ensure browser compatibility, the load balancer host name should not contain underscore characters.
12.13.2 Using load balancer (or reverse proxy) host names for redirect URLs
If BMC Atrium Single Sign-On is deployed behind a load balancer (or reverse proxy), the product agent logon and logoff configuration can be modified to use the load balancer (or reverse proxy) host names instead of the real FQDN host names. In this case, the client browser is forwarded to the load balancer (or reverse proxy) host name of the BMC Atrium Single Sign-On server. This modification is valid for both HA and non-HA environments. Log in to the BMC Atrium Single Sign-On Administrator console and edit the product agent's configuration. Use the following templates for the new logon and logoff URLs, respectively:
URL formats
Login
<protocol>://<host>:<port>/atriumsso/UI/Login?realm=<realm>
Logout
<protocol>://<host>:<port>/atriumsso/UI/Logout?realm=<realm>
12.13.3 Cookie name change for a HA node In a BMC Atrium Single Sign-on HA environment, if a cookie name is changed for a particular BMC Atrium Single Sign-On node, restart the BMC Atrium Single Sign-On server.
Note In some cases, BMC Atrium Single Sign-On server restart, browser cache purge, and cookies cleanup do not help to avoid a multiple redirects error. In that case, reboot the OS.
12.14 Session sharing in HA mode issue
In BMC Atrium Single Sign-On High Availability (HA) mode, session sharing can fail in some network environments when ApacheMQ uses its default protocol (multicast). ApacheMQ is a third-party component that BMC Atrium Single Sign-On uses to inform all nodes in the cluster about session creation and termination events. If session sharing fails, change the configuration settings to an alternative protocol.
12.14.1 To configure point-to-point session sharing
Perform the following on each node in the HA cluster.
1. Navigate to the /tomcat/webapps/atriumsso/WEB-INF/classes/ directory.
2. Edit the activemq.xml file.
3. Replace the following tag: with:
where:
hostname — The host name of the current node.
port — The port that will be used for session sharing on this node.
4. Replace the following tag: with:
where:
hostname — The host name of another node in the HA cluster.
port — The port that is used by the other node for session sharing.
Note
The hostname:port pair is the one specified on the other node in the tag.
5. Save the file.
Note
Shut down all the nodes in the cluster after configuring point-to-point session sharing. Do not start all the nodes at the same time. Start each node, beginning with the first, only after the previous node has fully started.
12.15 Troubleshooting installation or upgrade issues This page has not been approved for publication.
12.16 Resolving installation issues on the Linux operating system
You might encounter the following issues when installing BMC Atrium Single Sign-On on Red Hat Enterprise Linux computers:
Installation failure due to missing libraries (see page 346)
Installation failure due to low level of entropy (see page 346)
12.16.1 Installation failure due to missing libraries
If you are installing BMC Atrium Single Sign-On on Red Hat Enterprise Linux (RHEL) 6.x and the installer aborts suddenly, install the following 32-bit RPM packages so that 32-bit JRE support and the user interface are available to the installer:
glibc.i686
libXtst.i686
12.16.2 Installation failure due to low level of entropy
In computing, entropy is the randomness collected by an operating system or application for use in cryptography or other purposes that require random data. This randomness is often collected from hardware sources, either existing ones such as mouse movements or dedicated random number generators. When the entropy level drops below a certain level, the Linux operating system running the BMC Atrium Single Sign-On (SSO) installer can fail in the following way. During installation, BMC Atrium SSO logs the entropy level for maintenance purposes. For a successful installation of BMC Atrium SSO, the entropy level should be substantially higher than 150. If an installation or silent installation aborts suddenly, finishes very quickly, or takes a long time to complete, you may be facing low entropy issues. When the entropy level on the computer running the BMC Atrium SSO installer is less than 150, the installation fails with the following error message:
There is potential problem with performance on this computer. The level of entropy is 150 and the random data generation time is 6 milliseconds. You may run the following command as root user: 'rngd -b -r /dev/urandom -o /dev/random' or prefer to restart the computer.
Info
You can verify the level of entropy on the Linux computer with the following command:
cat /proc/sys/kernel/random/entropy_avail
Workaround
To restore the level of entropy and install BMC Atrium SSO, use either of the following options:
Run the following commands as the root user. This option is preferred because it also maintains the entropy level after installation. If your server has a low entropy level, configure it to run these commands at startup:
yum install rng-tools
echo 'EXTRAOPTIONS="-i -o /dev/random -r /dev/urandom -t 10 -W 2048"' >> /etc/sysconfig/rngd
chkconfig rngd on
service rngd restart
Restart your computer. This option is not recommended because it increases the entropy level only temporarily; use it to determine whether entropy is the only cause of the installation failure.
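Because the entropy pool fluctuates, a single reading of entropy_avail can pass while the installer still stalls moments later. The following is an added example, not part of the BMC Atrium SSO installer: it samples /proc/sys/kernel/random/entropy_avail several times, classifies the lowest reading against the 150 threshold the installer uses, parses the installer's own message to pull out the numbers, and recommends the rngd remedy from the workaround above when the pool is short. The 150 threshold, the message format and the rngd commands come from this page; the sampling interval, the "marginal" band up to twice the threshold, and all function names are the example's own assumptions.

```python
"""Entropy pre-check for a Linux host that will run the BMC Atrium Single
Sign-On installer (section 12.16.2).

Added example, not installer code.  The 150 threshold, the installer message
format and the rngd remedy come from this page; the sampling interval and the
"marginal" band are assumptions of the example.
"""
from __future__ import annotations

import re
import time
from typing import Callable

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"
MIN_ENTROPY = 150          # below this the installer fails (see above)
RNGD_REMEDY = (
    "yum install rng-tools && "
    "echo 'EXTRAOPTIONS=\"-i -o /dev/random -r /dev/urandom -t 10 -W 2048\"' "
    ">> /etc/sysconfig/rngd && chkconfig rngd on && service rngd restart"
)

# Matches the installer's failure message quoted above.
INSTALLER_MSG_RE = re.compile(
    r"The level of entropy is (\d+) and the random data generation time is (\d+) milliseconds"
)


def read_entropy_avail(path: str = ENTROPY_AVAIL) -> int:
    """Current size of the kernel entropy pool, in bits."""
    with open(path) as fh:
        return int(fh.read().strip())


def sample_entropy(count: int = 5, interval: float = 0.5,
                   reader: Callable[[], int] = read_entropy_avail) -> list[int]:
    """Take `count` readings `interval` seconds apart (the pool fluctuates)."""
    samples = []
    for i in range(count):
        samples.append(reader())
        if i < count - 1 and interval > 0:
            time.sleep(interval)
    return samples


def assess(samples: list[int], threshold: int = MIN_ENTROPY) -> dict:
    """Classify the pool from its lowest reading: "low" fails the installer,
    "marginal" (assumed band up to 2x threshold) risks slow or aborted
    installs, otherwise "ok"."""
    low = min(samples)
    if low < threshold:
        status = "low"
    elif low < 2 * threshold:
        status = "marginal"
    else:
        status = "ok"
    return {"min": low, "max": max(samples), "status": status,
            "action": None if status == "ok" else RNGD_REMEDY}


def parse_installer_message(text: str) -> dict | None:
    """Pull the entropy level and generation time out of the installer message."""
    m = INSTALLER_MSG_RE.search(text)
    if not m:
        return None
    return {"entropy": int(m.group(1)), "generation_ms": int(m.group(2))}


# Message copied from the section above.
PAGE_INSTALLER_MSG = (
    "There is potential problem with performance on this computer. The level of "
    "entropy is 150 and the random data generation time is 6 milliseconds."
)

if __name__ == "__main__":
    print(parse_installer_message(PAGE_INSTALLER_MSG))
    try:
        print(assess(sample_entropy(count=3, interval=0.2)))
    except OSError:
        print("no /proc entropy counter on this host")
```

Run it as an ordinary user before starting the installer; only the rngd remedy it prints needs root.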
13 Known and corrected issues The following issues pertain to this release of BMC Atrium Core Single Sign-On and its service packs and patches. They are divided as follows: Installation and upgrade issues (see page ) Other issues (see page )
To see all open issues, or to see the issues corrected in a specific release, service pack, or patch, sort the table by the Corrected in column. An issue with no version number listed here remains open. Version numbers are given in the format MajorRelease.MinorRelease.ServicePack.Patch. For example, 8.2.04.01 is patch 1 for service pack 4 of minor release 8.2.
13.1 Installation and upgrade issues
Known and corrected issues related to installation or upgrade
Defect ID
Description
Affected versions
SW00452251
If you try to install BMC Atrium Single Sign-On version 8.1 on a volume where 8dot3 is disabled, the installation fails.
8.1.00.03
Corrected in
Workaround: Enable 8dot3 names on the volume on which BMC Atrium Single Sign-On is installed. To enable 8dot3 naming:
1. Execute the following command in a command window with elevated privileges:
fsutil.exe behavior set disable8dot3 0
2. Recreate the installation folders to force the generation of 8dot3 names.
SW00452338
The BMC Atrium Single Sign-On upgrade fails when the default password is changed in the server.xml and if the certificate stores are not pointing to the default locations.
SW00443582
When you install BMC Atrium Single Sign-On with amadmin as login and password including special characters, the authentication fails.
SW00425820
BMC Atrium Single Sign-On installer always shows the Keystore as "tomcat" when installing on an external Tomcat server. This could be an issue if you have configured an external Tomcat server for BMC Atrium Single Sign-On installation which has a keystore alias as other than "tomcat".
8.1.00.03
8.1.00.03
8.0.00 8.1.00
Workaround: Manually change the Keystore alias in the BMC Atrium Single Sign-On installer screen to the alias you set while configuring your Tomcat server.
SW00447285
If you installed Tomcat 7 with the .exe installer, the SSO integration utility cannot stop and restart Tomcat. Workaround: Perform one of the following:
8.1.00
Manually stop Tomcat before you run the utility. You can ignore the exception at the end of execution: Error while starting Tomcat
Manually perform the integration.
SW00448578
The BMC Atrium Single Sign-On 8.1 documentation does not mention that before installing BMC Atrium Single Sign-On 8.1.00 or later on Red Hat Enterprise Linux 6.x, you must install the following 32-bit RPM packages:
8.1.00
8.1.00.02
Glibc.i686 libXtst.i686
BMC Atrium Single Sign-On 8.1
Page 348 of 389
BMC Software Confidential
Home
Defect ID
Description
Affected versions
Corrected in
This information is now documented in the "System requirements" section on the Prerequisites for installation (see page 42) page. SW00450616
When you upgrade the following versions of BMC Atrium Single Sign-On, user assignments to custom groups are not retained: Version 8.1.00 to 8.1.00.01 or later Versions 8.1.00 or 8.1.00.01 to 8.1.00.02 or later
8.1.00.01 8.1.00.02 8.1.00.03
Workaround: You must reassign users to the appropriate groups after the upgrade. SW00448219
When you upgrade BMC Atrium Single Sign-On using an upgrade path of BMC Atrium Single Sign-On version 8.1.00 to version 8.1.00.02 or later, and you have deployed BMC SSO in HA mode on Red Hat Enterprise Linux Server release 6.2 operating system, the upgrade fails.
8.1.00.02
SW00446188
If you are installing BMC Atrium Single Sign-On on a Japanese or a Chinese locale, the installer fails.
8.1.00.02
SW00443648
While logging to the BMC Atrium Single Sign-On Administration page, in certain scenarios the Open AM page gets displayed.
8.1.00.02
SW00447605
During the fresh installation of BMC Atrium Single Sign-On a non critical error message gets displayed, which can be ignored.
8.1.00.02
SW00449708
During the fresh install of BMC Atrium Single Sign-On if there is a space in the name of the installation folder, the installation fails.
8.1.00.02
SW00447623 SW00449894
Version 8.1.00.02 corrected defects related to BMC Atrium Single Sign-On in HA mode. These fixes include sessions failover, replication of the configuration, and so on.
8.1.00.03
8.1.00.02
SW00449987 SW00450188 SW00450242 SW00450296 SW00450318 SW00451056 SW00451254 SW00451490 SW00455079
The signing and encryption certificates in the SAMLv2 keystore are lost during the upgrade of BMC Atrium Single Sign-On version 8.0.00 to version 8.1.00.
8.1.00.03
Workaround: You must manually preserve the SAMLv2 keystore before the upgrade and restore it after the upgrade is done. To preserve the SAMLv2 keystore manually: 1. Create a backup of the SAMLv2 keystore outside the installation directory before performing the upgrade. Note: In BMC Atrium Single Sign-On server version 8.0 the keystore is stored in file named keystore.jks which is located at /tomcat/webapps/atriumsso/WEB-INF/config/atriumsso 2. After upgrade, rename the keystore.jks to cot.jks. 3. Replace the newly installed cot.jks located in /tomcat directory. 4. Copy the .keypass and .storepass files to the /tomcat directory, if the keystore passwords are altered from the default value. 5. Restart the BMC Atrium Single Sign-On server. 6. Open the Admin Console and edit the Local Service Provider editor to verify the proper certificate alias has been created.
BMC Atrium Single Sign-On 8.1
Page 349 of 389
BMC Software Confidential
Home
Defect ID
Description
Affected versions
SW00455119
The user account federations are lost after you upgrade to BMC Atrium Single Sign-On version 8.1.00.03.
8.1.00.03
Corrected in
Workaround: You must re-federate your account the first time you login to BMC Atrium Single Sign-On server version 8.1.00.03.
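The SAMLv2 keystore preservation workaround above (SW00449987 and related defects), scripted as an added example that is not BMC's code. It assumes, since the page does not say so, that the paths are relative to an install directory passed as an argument, that the 8.0.00 keystore lives at tomcat/webapps/atriumsso/WEB-INF/config/atriumsso/keystore.jks, that the 8.1.00 keystore is tomcat/cot.jks, and that any non-default .keypass/.storepass files sit beside the keystore they protect.

```shell
#!/bin/sh
# Added example, not BMC code: script the SW00449987 workaround so the SAMLv2
# keystore survives the 8.0.00 -> 8.1.00 upgrade. Assumptions (not stated on
# the page): paths are relative to the install directory given as an argument,
# the 8.0.00 keystore is tomcat/webapps/atriumsso/WEB-INF/config/atriumsso/
# keystore.jks, the 8.1.00 keystore is tomcat/cot.jks, and any non-default
# .keypass/.storepass files sit beside the keystore they protect.
set -u

OLD_CFG_REL="tomcat/webapps/atriumsso/WEB-INF/config/atriumsso"

# Step 1: copy keystore.jks (plus password files, if the defaults were changed)
# to a backup directory that must be OUTSIDE the install tree, and record a
# checksum so the restore can prove the bytes are unchanged.
backup_saml_keystore() {
    sso_home=$1; backup_dir=$2
    old_cfg="$sso_home/$OLD_CFG_REL"
    case "$backup_dir" in
        "$sso_home"/*) echo "backup dir must be outside $sso_home" >&2; return 1 ;;
    esac
    [ -f "$old_cfg/keystore.jks" ] || { echo "no keystore.jks in $old_cfg" >&2; return 1; }
    mkdir -p "$backup_dir"
    cp -p "$old_cfg/keystore.jks" "$backup_dir/keystore.jks"
    # Password files exist only when the defaults were changed; keep them if present.
    for f in .keypass .storepass; do
        [ -f "$old_cfg/$f" ] && cp -p "$old_cfg/$f" "$backup_dir/$f"
    done
    cksum < "$backup_dir/keystore.jks" | cut -d' ' -f1 > "$backup_dir/keystore.cksum"
}

# Steps 2-4: after the upgrade, the backup becomes cot.jks and replaces the
# freshly installed one under tomcat/; password files go beside it. The
# installer's own cot.jks is kept as cot.jks.installed so the swap is reversible.
restore_saml_keystore() {
    sso_home=$1; backup_dir=$2
    new_dir="$sso_home/tomcat"
    [ -f "$backup_dir/keystore.jks" ] || { echo "no backup in $backup_dir" >&2; return 1; }
    [ -d "$new_dir" ] || { echo "no $new_dir; is the upgrade done?" >&2; return 1; }
    [ -f "$new_dir/cot.jks" ] && cp -p "$new_dir/cot.jks" "$new_dir/cot.jks.installed"
    cp -p "$backup_dir/keystore.jks" "$new_dir/cot.jks"
    for f in .keypass .storepass; do
        [ -f "$backup_dir/$f" ] && cp -p "$backup_dir/$f" "$new_dir/$f"
    done
    # The restored file must be byte-identical to what was backed up.
    [ "$(cksum < "$new_dir/cot.jks" | cut -d' ' -f1)" = "$(cat "$backup_dir/keystore.cksum")" ]
}

# Step 6 (command-line check before opening the Admin Console): confirm the
# signing/encryption alias is present. Needs keytool on PATH; returns 0 if found.
verify_saml_alias() {
    keystore=$1; alias=$2; storepass=$3
    keytool -list -keystore "$keystore" -storepass "$storepass" -alias "$alias" >/dev/null 2>&1
}

# Usage: script.sh backup|restore <install_dir> <backup_dir>
#        script.sh verify <keystore> <alias> <storepass>
case "${1:-}" in
    backup)  backup_saml_keystore "$2" "$3" ;;
    restore) restore_saml_keystore "$2" "$3" ;;
    verify)  verify_saml_alias "$2" "$3" "$4" ;;
esac
```

Run the backup step before starting the upgrade and the restore step after it, then restart the server (step 5) and confirm the alias in the Admin Console (step 6).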
13.2 Other issues
Known and corrected issues for areas other than installation and upgrade.

SW00440868
Corrected in: 8.1.00.03
During a logout operation, if one user logged out, BMC Atrium Single Sign-On logged out all users.

SW00451947
Corrected in: 8.1.00.03
When you create a new local Service Provider (SP), only the PasswordProtectedTransport check box is enabled in the Default Authentication Context list on the Local Service Provider (SP) Editor.

SW00451946
Corrected in: 8.1.00.03
The User Editor does not show the groups from an external LDAP user store for a user from that same external LDAP user store.

SW00447267
Corrected in: 8.1.00.03
The agent certificate generated for BMC Atrium Single Sign-On is valid for only 2 to 3 months, which causes issues in some environments.

SW00450560
Corrected in: 8.1.00.03
The BMC Atrium Single Sign-On agent requires some changes to support network load balancers.

SW00451673
Corrected in: 8.1.00.03
When two or more authentication chains are configured in BMC Atrium Single Sign-On, login is not successful without displaying the second login page.

SW00451952
Corrected in: 8.1.00.03
BMC Atrium Single Sign-On does not provide the ability to select the Default Authentication Context in the SAML Local Service Provider (SP) editor.

SW00453492
Corrected in: 8.1.00.03
In the Administrator Console of BMC Atrium Single Sign-On, the Name ID option that allows the selection of name ID formats and the ordering of those selections is missing from the Local Service Provider (SP) editor window.

SW00452001
The values for member attributes between users and groups in external LDAP are stored incorrectly in the BMC Atrium Single Sign-On server.

SW00447654
Affected versions: 8.1.00
Corrected in: 8.1.00.01
Multi-threading issues occur while retrieving certificates from the BMC Atrium Single Sign-On server.

SW00448326
Affected versions: 8.1.00
Corrected in: 8.1.00.01
Cannot create users and groups whose names are similar to (a subset of) the names of existing users and groups.

SW00448607
Affected versions: 8.1.00
Corrected in: 8.1.00.01
BMC Atrium Single Sign-On users cannot authenticate with BMC Atrium Orchestrator when it is integrated with BMC Atrium Single Sign-On.

SW00448553
Affected versions: 8.1.00
Corrected in: 8.1.00.02
In a BMC Atrium Single Sign-On High Availability (HA) configuration, the replication of configuration modules does not work correctly.

SW00450113
Affected versions: 8.1.00
Corrected in: 8.1.00.02
If you added the AR authentication module in the second position of the authentication chain for a realm whose user profile was set to Dynamic, users cannot successfully log on to that realm.

SW00450144
Affected versions: 8.1.00, 8.1.00.02
Corrected in: 8.1.00.03
In a BMC Atrium Single Sign-On High Availability (HA) configuration, when you restart an HA node and then add a new module on another HA node that is not restarted, "unknown" authentication modules are displayed in the authentication chain of the HA node that you restarted.

SW00450660
Affected versions: 8.1.00.02
Corrected in: 8.1.00.03
In a BMC Atrium Single Sign-On High Availability (HA) configuration, when you try to log on to an application that has been integrated with BMC Atrium Single Sign-On, the following error message might be displayed: User has no profile in this realm. Contact administrator
Workaround: If you could previously log on to the application successfully, restarting the BMC Atrium SSO service and logging on to the application again resolves the issue.

SW00450313
Affected versions: 8.1.00, 8.1.00.01, 8.1.00.02
Corrected in: 8.1.00.03
In a BMC Atrium Single Sign-On High Availability (HA) configuration, when you log on to the Admin Console of two different nodes using the same browser, log out from one of the Admin Consoles, and refresh the page of the other Admin Console, you are logged on to both Admin Consoles again without entering credentials.
14 Support information
This topic contains information about how to contact Customer Support and the support status for this and other releases.

14.1 Contacting Customer Support
If you have problems with or questions about a BMC product, or for the latest support policies, see the Customer Support website at http://www.bmc.com/support. You can access product documents, search the Knowledge Base for help with an issue, and download products and maintenance. If you do not have access to the web and you are in the United States or Canada, contact Customer Support at 800 537 1813. Outside the United States or Canada, contact your local BMC office or agent.

14.2 Support status
Based on the support policy adopted September 1, 2011, for releases from that date forward, BMC provides technical support for a product based on time rather than number of releases. The previous release-based policy applies to releases before September 1, 2011. The support status for BMC Atrium Single Sign-On is the same as the support status for BMC Atrium CMDB Suite. To view the support status for this release, see the BMC Atrium CMDB Suite Support page.
15 PDFs
Ready-made PDFs
Snapshot: BMC Atrium Single Sign-On Version 8.1.00.01
Date: 03-21-2013
File size: 3.90 MB
16 Tracking tools
Comments dashboard (see page 353)
No Labels report (see page 363)
Technical Bulletin SW00448553 (see page 369)
Enabling multiple realms (see page 372)
Configuring multi-tenancy support
Overview steps to install and configure HA Load-Balancing environment with SSO (see page 378)
Number of pages in space (see page 383)
Installing and managing certificates in BMC Atrium SSO (see page 383)
Installing certificates after integration with other BMC products (see page 383)
16.1 Comments dashboard Date and time
Page
Author
Comment
Thu May 23
Managing the server configuration (see page 276)
Krassimir
(see page )Error:
Stoianov
com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Dixie Pine
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to
07:56:33 CDT 2013 Fri Mar 15 18:26:28 CDT
Installation options (see page 48)
2013
com.atlassian.confluence.pages.AbstractPage
Mon Sep 16
Troubleshooting Kerberos authentication (see
Keith
(see page )Error:
11:08:03 CDT 2013
page 333)
Linehan
com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Mon Aug 19 03:30:16 CDT
Installing silently (see page 112)
Hemant Baliwala
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to
2013
com.atlassian.confluence.pages.AbstractPage
Wed Mar 20 16:20:34 CDT 2013
Example of a debug log error when a certificate is not available
Dixie Pine
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Wed Mar 20 16:21:37 CDT 2013
Changing the clientAuth setting
Dixie Pine
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Wed Mar 20 16:22:39 CDT 2013
Turning on network debug logging (see page 328)
Dixie Pine
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Wed Mar 20 16:24:03 CDT 2013
Example of a client sending a certificate
Dixie Pine
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Example of a list of certificates sent to the client
Dixie Pine
BMC Atrium Single Sign-On 8.1
Page 353 of 389
BMC Software Confidential
Home
Date and time
Page
Author
Comment
Wed Mar 20
Error: com.atlassian.confluence.pages.Comment cannot be
16:25:17 CDT 2013
cast to com.atlassian.confluence.pages.AbstractPage
Wed Mar 20 16:26:53 CDT
Example of URL certificate authentication not enabled
Dixie Pine
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Example of OCSP certificate failure
Dixie Pine
Error: com.atlassian.confluence.pages.Comment cannot be
2013 Wed Mar 20 16:28:09 CDT 2013 Wed Mar 20 16:36:10 CDT
cast to com.atlassian.confluence.pages.AbstractPage
Clock skew too great for CAC authentication (see page 331)
Dixie Pine
2013 Wed Mar 20
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Troubleshooting FIPS-140 conversion
Dixie Pine
16:46:37 CDT 2013
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Wed Mar 20 16:47:58 CDT 2013
Troubleshooting JEE agents (see page 331)
Dixie Pine
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Wed Mar 20 16:19:09 CDT 2013
Example of a default logging level error
Dixie Pine
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Thu Jan 31 17:42:16 CST 2013
Reviewing AR server external authentication settings and configuring group mapping (see page 91)
Ruth Harris
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Fri Mar 15 12:13:35 CDT 2013
BMC Atrium Single Sign-On using SAMLv2 deployment example (see page 31)
Ruth Harris
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Wed Mar 20 16:54:42 CDT 2013
Clock skew too great for Kerberos authentication
Dixie Pine
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Mon Mar 18 18:02:11 CDT 2013
Integrating BMC Dashboards for BSM (see page 198)
Volker Scheithauer
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Tue Jan 29 18:08:31 CST 2013
BMC Atrium Single Sign-On using SAMLv2 deployment example (see page 31)
Ruth Harris
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Tue Sep 03 05:09:42 CDT 2013
Stopping and restarting the BMC Atrium Single Sign-On server (see page 279)
Abhay Chokshi
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Tue Sep 03 07:51:02 CDT 2013
Checking the compatibility matrix for system requirements and supported configurations
Abhay Chokshi
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
IdP metadata issues
BMC Atrium Single Sign-On 8.1
Page 354 of 389
BMC Software Confidential
Home
Date and time
Author
Comment
Fri Jul 26
Keith
Error: com.atlassian.confluence.pages.Comment cannot be
18:37:00 CDT 2013
Linehan
cast to com.atlassian.confluence.pages.AbstractPage
IdP metadata issues
Keith Linehan
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Thu Sep 05
BMC Atrium Single Sign-On using SAMLv2
Abhay
(see page )Error:
07:42:58 CDT 2013
deployment example (see page 31)
Chokshi
com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Tue Sep 03 05:09:06 CDT
Stopping and restarting the BMC Atrium Single Sign-On server (see page 279)
Abhay Chokshi
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to
Fri Jul 26 19:23:12 CDT
Page
2013
2013
com.atlassian.confluence.pages.AbstractPage
Tue Mar 19
Integrating BMC Dashboards for BSM (see page
15:47:42 CDT 2013
198)
Ruth Harris
(see page )Error:
Sun Oct 27 15:03:36 CDT 2013
BMC Atrium Single Sign-On using SAMLv2 deployment example (see page 31)
Abhay Chokshi
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Tue Jul 02 19:41:07 CDT 2013
Setting an HTTPS connection (see page 78)
Melanie Boston
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Tue Jul 02 19:51:58 CDT 2013
Configuring a JVM for the Tomcat Server (see page 77)
Melanie Boston
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Wed Mar 20 15:58:32 CDT 2013
Collecting diagnostics (see page 281)
Dixie Pine
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Fri Mar 15 12:13:14 CDT 2013
BMC Atrium Single Sign-On using SAMLv2 deployment example (see page 31)
Ruth Harris
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Mon Oct 28 07:24:34 CDT 2013
Configuring a JVM for the Tomcat Server (see page 77)
Abhay Chokshi
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Tue Sep 03 07:55:12 CDT 2013
Checking the compatibility matrix for system requirements and supported configurations
Abhay Chokshi
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Wed Nov 06 04:22:43 CST 2013
Managing the server configuration (see page 276)
Abhay Chokshi
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Wed Mar 20 16:13:37 CDT 2013
Troubleshooting CAC authentication (see page 326)
Dixie Pine
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Deepa Bhat
BMC Atrium Single Sign-On 8.1
Page 355 of 389
BMC Software Confidential
Home
Date and time
Page
Author
Tue Mar 26
Checking the compatibility matrix for system
Error: com.atlassian.confluence.pages.Comment cannot be
06:09:03 CDT 2013
requirements and supported configurations
cast to com.atlassian.confluence.pages.AbstractPage
Mon Feb 04 16:12:56 CST
Installing BMC Atrium Single Sign-On as a standalone (see page 50)
Ruth Harris
2013
Comment
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Wed Sep 04
Checking the compatibility matrix for system
Abhay
Error: com.atlassian.confluence.pages.Comment cannot be
01:02:35 CDT 2013
requirements and supported configurations
Chokshi
cast to com.atlassian.confluence.pages.AbstractPage
Thu Jan 31 17:40:57 CST
Reviewing AR server external authentication settings and configuring group mapping (see page
Ruth Harris
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to
2013
91)
Tue Jan 29
BMC Atrium Single Sign-On using SAMLv2
18:12:34 CST 2013
deployment example (see page 31)
Tue Jan 29 23:05:33 CST 2013
Installing BMC Atrium Single Sign-On as a standalone (see page 50)
Shweta Hardikar
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Thu Jan 17 18:19:34 CST 2013
Reviewing AR server external authentication settings and configuring group mapping (see page 91)
John Stamps
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Thu Aug 29 02:22:14 CDT 2013
IdP metadata issues
Ivan Pirishanchin
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Thu Jan 24 17:20:22 CST 2013
Reviewing AR server external authentication settings and configuring group mapping (see page 91)
Shlomi Afia
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Wed Oct 30 14:20:49 CDT 2013
Managing the server configuration (see page 276)
Keith Linehan
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Tue Mar 19 23:32:47 CDT 2013
HA Nodes manager (see page 234)
Dixie Pine
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Wed Mar 20 17:01:59 CDT 2013
Troubleshooting redirect URLs (see page 343)
Dixie Pine
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Wed Mar 20 17:16:50 CDT 2013
End-to-end BMC Atrium Single Sign-On process
Dixie Pine
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Mon Mar 18 17:22:19 CDT 2013
Installing BMC Atrium Single Sign-On as a standalone (see page 50)
Dixie Pine
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
BMC Atrium Single Sign-On 8.1
com.atlassian.confluence.pages.AbstractPage Ruth Harris
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Page 356 of 389
BMC Software Confidential
Home
Date and time
Page
Author
Comment
Tue Jul 16
Configuring a JVM for the Tomcat Server (see
Nicholas
(see page )Error:
12:41:29 CDT 2013
page 77)
Butler
com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Tue Sep 03 05:46:53 CDT
Prerequisites for installation (see page 42)
Abhay Chokshi
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to
2013 Tue Sep 03
com.atlassian.confluence.pages.AbstractPage Prerequisites for installation (see page 42)
05:47:54 CDT 2013 Fri Nov 15 07:41:24 CST
Prerequisites for installation (see page 42)
Abhay
(see page )Error:
Chokshi
com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Abhay Chokshi
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to
2013 Fri Nov 15
com.atlassian.confluence.pages.AbstractPage Prerequisites for installation (see page 42)
07:42:35 CST 2013
Abhay
(see page )Error:
Chokshi
com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Mon Nov 25 07:09:23 CST 2013
Prerequisites for installation (see page 42)
Abhay Chokshi
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Mon Nov 25 07:10:07 CST 2013
Prerequisites for installation (see page 42)
Abhay Chokshi
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Mon Jan 21 17:10:52 CST 2013
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79)
John Stamps
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Wed Dec 11 05:27:44 CST 2013
Managing users (see page 264)
Abhay Chokshi
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Tue Dec 10 09:57:33 CST 2013
Managing users (see page 264)
Keith Linehan
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Tue Dec 10 10:07:37 CST 2013
Managing users (see page 264)
Keith Linehan
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Tue Apr 23 08:41:21 CDT 2013
BMC Atrium Single Sign-On and OpenAM (see page 22)
Hemant Baliwala
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Wed Jul 17 09:40:26 CDT 2013
BMC Atrium Single Sign-On and OpenAM (see page 22)
Hemant Baliwala
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Mon Apr 15 13:01:06 CDT 2013
Patch 2 for version 8.1.00: 8.1.00.02 (see page 18 )
Kelly Holcomb
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
BMC Atrium Single Sign-On 8.1
Page 357 of 389
BMC Software Confidential
Home
Date and time
Page
Author
Comment
Tue Apr 16
Patch 2 for version 8.1.00: 8.1.00.02 (see page 18
Shubhangi
(see page )Error:
03:03:35 CDT 2013
)
Apte
com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Tue Feb 12 09:23:24 CST
Downloading the installation files (see page 44)
Ranganath Samudrala
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to
2013 Mon Mar 18
com.atlassian.confluence.pages.AbstractPage Downloading the installation files (see page 44)
Ruth Harris
17:47:52 CDT 2013 Mon Dec 23 06:27:34 CST
com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage Downloading the installation files (see page 44)
Abhay Chokshi
2013 Mon Mar 25
(see page )Error:
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Downloading the installation files (see page 44)
10:14:53 CDT 2013
Ranganath
(see page )Error:
Samudrala
com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Tue Mar 26 09:40:33 CDT 2013
Downloading the installation files (see page 44)
Ruth Harris
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Mon Dec 23 06:26:39 CST 2013
Downloading the installation files (see page 44)
Abhay Chokshi
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Mon Dec 23 06:25:43 CST 2013
Downloading the installation files (see page 44)
Abhay Chokshi
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Mon Dec 23 06:24:55 CST 2013
Downloading the installation files (see page 44)
Abhay Chokshi
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Thu Jun 27 10:27:48 CDT 2013
Downloading the installation files (see page 44)
Benoit Ischia
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Mon Dec 23 06:24:10 CST 2013
Downloading the installation files (see page 44)
Abhay Chokshi
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Wed Jul 24 03:09:54 CDT 2013
Downloading the installation files (see page 44)
Hemant Baliwala
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Tue Oct 01 05:57:24 CDT 2013
Downloading the installation files (see page 44)
Abhay Chokshi
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Tue Jul 02 18:58:53 CDT 2013
Server Configuration Editor (see page 237)
Melanie Boston
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Realm Editor
Dixie Pine
BMC Atrium Single Sign-On 8.1
Page 358 of 389
BMC Software Confidential
Home
Date and time
Page
Author
Comment
Tue Mar 19
Error: com.atlassian.confluence.pages.Comment cannot be
23:26:24 CDT 2013
cast to com.atlassian.confluence.pages.AbstractPage
Tue Jul 02 18:27:39 CDT
Realm Editor
Melanie Boston
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Using LDAP (Active Directory) for authentication
Boris Ioffe
Error: com.atlassian.confluence.pages.Comment cannot be
2013 Tue Jun 04 14:56:25 CDT 2013 Thu Jul 11 12:08:14 CDT
cast to com.atlassian.confluence.pages.AbstractPage
Using LDAP (Active Directory) for authentication
Keith Linehan
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Using LDAP (Active Directory) for authentication
Nick Smith
Error: com.atlassian.confluence.pages.Comment cannot be
2013 Wed Jul 17 10:04:36 CDT 2013
cast to com.atlassian.confluence.pages.AbstractPage
Thu Jul 18 07:33:25 CDT 2013
Using LDAP (Active Directory) for authentication
Hemant Baliwala
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Tue Sep 03 05:37:24 CDT 2013
Using LDAP (Active Directory) for authentication
Abhay Chokshi
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Tue Sep 03 06:00:30 CDT 2013
Configuring BMC Atrium Single Sign-On as an SP
Abhay Chokshi
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Tue Sep 03 06:15:32 CDT 2013
Configuring BMC Atrium Single Sign-On as an SP
Abhay Chokshi
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Sun Oct 27 14:39:02 CDT 2013
Configuring BMC Atrium Single Sign-On as an SP
Abhay Chokshi
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Mon Mar 18 17:16:34 CDT 2013
Configuring Terminal Services and DEP parameters
Dixie Pine
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Tue Mar 19 23:00:40 CDT 2013
Running a health check on the BMC Atrium Single Sign-On integration
Dixie Pine
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Thu Sep 12 08:54:13 CDT 2013
Using SAMLv2 for authentication
Abhay Chokshi
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Thu Sep 12 09:45:54 CDT 2013
Using SAMLv2 for authentication
Abhay Chokshi
Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Ruth Harris
BMC Atrium Single Sign-On 8.1
Page 359 of 389
BMC Software Confidential
Home
Date and time
Page
Author
Mon Mar 18
Installing BMC Atrium Single Sign-On as a High
(see page )Error:
18:15:30 CDT 2013
Availability cluster (see page 55)
com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Mon Mar 18 18:14:08 CDT
Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55)
Ruth Harris
2013
Comment
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Fri Sep 06
Installing BMC Atrium Single Sign-On as a High
Keith
(see page )Error:
09:46:03 CDT 2013
Availability cluster (see page 55)
Linehan
com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage
Fri Sep 06 09:55:28 CDT
Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55)
Keith Linehan
(see page )Error: com.atlassian.confluence.pages.Comment cannot be cast to
2013
com.atlassian.confluence.pages.AbstractPage
Date and time | Page | Author
(In every row of this dashboard the Comment column shows the same Confluence rendering error: Error: com.atlassian.confluence.pages.Comment cannot be cast to com.atlassian.confluence.pages.AbstractPage)
Thu Sep 12 09:31:20 CDT 2013 | Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55) | Abhay Chokshi
Thu Jan 24 14:56:39 CST 2013 | Managing the AR System users and groups for authentication (see page 97) | Shlomi Afia
Thu Jan 31 17:51:14 CST 2013 | Managing the AR System users and groups for authentication (see page 97) | Ruth Harris
Fri Feb 01 15:11:11 CST 2013 | Managing the AR System users and groups for authentication (see page 97) | John Stamps
Wed Jun 12 09:55:05 CDT 2013 | Managing the AR System users and groups for authentication (see page 97) | Koray Kusat
Tue Mar 19 22:58:56 CDT 2013 | Configuring the BMC Atrium Single Sign-On server for AR System integration (see page 183) | Dixie Pine
Mon Mar 18 17:53:55 CDT 2013 | Configuring after installation | Dixie Pine
Wed Mar 20 15:48:51 CDT 2013 | Troubleshooting (see page 279) | Dixie Pine
Tue Mar 19 23:24:23 CDT 2013 | Navigating the interface | Dixie Pine
Fri Jul 05 10:30:52 CDT 2013 | Managing keystores with a keytool utility (see page 239) | Tetiana Pustovit
Mon Jul 08 02:37:01 CDT 2013 | Managing keystores with a keytool utility (see page 239) | Hemant Baliwala
Mon Jul 08 04:34:41 CDT 2013 | Managing keystores with a keytool utility (see page 239) | Tetiana Pustovit
Wed Mar 20 00:09:53 CDT 2013 | Using the keytool utility (see page 241) | Dixie Pine
Mon Jul 08 04:32:49 CDT 2013 | Using the keytool utility (see page 241) | Tetiana Pustovit
Mon Jul 08 04:53:55 CDT 2013 | Using the keytool utility (see page 241) | Hemant Baliwala
Tue Jul 02 19:31:30 CDT 2013 | Generating self-signed certificates (see page 249) | Melanie Boston
Wed Jan 08 10:20:44 CST 2014 | Resynchronizing nodes in a cluster | Milan Franzkowski
Wed Jan 08 10:21:55 CST 2014 | Resynchronizing nodes in a cluster | Milan Franzkowski
Thu Mar 14 11:59:45 CDT 2013 | Integrating BMC Atrium Orchestrator Platform (see page 209) | Deepa Bhat
Thu Mar 14 13:16:49 CDT 2013 | Integrating BMC Atrium Orchestrator Platform (see page 209) | Ruth Harris
Thu Mar 14 22:20:17 CDT 2013 | Integrating BMC Atrium Orchestrator Platform (see page 209) | Deepa Bhat
Tue Apr 16 10:26:03 CDT 2013 | Integrating BMC Atrium Orchestrator Platform (see page 209) | Melody Locke
Tue Apr 16 23:51:49 CDT 2013 | Integrating BMC Atrium Orchestrator Platform (see page 209) | Deepa Bhat
Thu May 09 13:08:59 CDT 2013 | Generating CSRs (see page 246) | Anil Premlall
Thu May 09 16:09:00 CDT 2013 | Generating CSRs (see page 246) | Anil Premlall
Thu Jan 09 07:05:25 CST 2014 | Generating CSRs (see page 246) | Abhay Chokshi
Fri Jul 19 03:57:27 CDT 2013 | Configuring multi-tenancy support | Gourav Jain
Fri Jul 19 04:18:57 CDT 2013 | Configuring multi-tenancy support | Hemant Baliwala
Wed Aug 21 06:39:24 CDT 2013 | Configuring multi-tenancy support | Gourav Jain
Fri Sep 06 06:19:40 CDT 2013 | Configuring multi-tenancy support | Shrihari Sn
Thu Sep 12 08:48:03 CDT 2013 | Configuring multi-tenancy support | Abhay Chokshi
Thu Jan 31 17:37:33 CST 2013 | Overview steps to install and configure HA Load-Balancing environment with SSO (see page 378) | Ruth Harris
Fri Mar 15 19:48:39 CDT 2013 | Technical Bulletin SW00448553 (see page 369) | Dixie Pine
Tue Mar 19 17:14:04 CDT 2013 | Integrating | Ruth Harris
Tue Mar 19 17:10:47 CDT 2013 | Integrating | Ruth Harris
Thu Sep 05 07:41:32 CDT 2013 | Integrating | Abhay Chokshi
Wed Mar 20 16:17:09 CDT 2013 | Checking the truststore for certificates | Dixie Pine
Mon Feb 04 13:37:00 CST 2013 | Running the SSOMidtierIntegration utility on the Mid Tier (see page 92) | John Stamps
Wed Jul 03 12:03:23 CDT 2013 | Adding and removing a CA certificate (see page 248) | Melanie Boston
Thu Jul 04 04:05:55 CDT 2013 | Adding and removing a CA certificate (see page 248) | Prachi Kalyani
Tue Oct 22 03:19:49 CDT 2013 | Troubleshooting Kerberos authentication (see page 333) | Abhay Chokshi
Mon Jan 13 14:39:28 CST 2014 | Reconfiguring your browser (see page 138) | Anil Premlall
Tue Jan 14 14:44:49 CST 2014 | Reconfiguring your browser (see page 138) | Abhay Chokshi
Thu Jan 16 05:05:09 CST 2014 | Enabling multiple realms (see page 372) | Abhay Chokshi
Thu Jan 16 04:32:29 CST 2014 | LDAP (Active Directory) Editor (see page 223) | Abhay Chokshi
Thu Jan 16 08:13:16 CST 2014 | LDAP (Active Directory) Editor (see page 223) | Abhay Chokshi
Thu Jul 11 05:20:58 CDT 2013 | Running the SSOARIntegration utility on the AR System server (see page 88) | Koray Kusat
Thu Jul 18 08:18:33 CDT 2013 | Running the SSOARIntegration utility on the AR System server (see page 88) | Hemant Baliwala
Sat Oct 26 19:31:41 CDT 2013 | Running the SSOARIntegration utility on the AR System server (see page 88) | Srivamsi Patchipulusu
Mon Oct 28 10:56:32 CDT 2013 | Running the SSOARIntegration utility on the AR System server (see page 88) | Abhay Chokshi
16.2 Pages without labels in this space

This table contains all pages in this space that do not have labels, sorted by branch.

Parent | Page Title | Last modified by
Manually configuring mid tier for BMC Atrium Single Sign-On user authentication (see page 176) | Container types, containers, and agents | John Stamps
Troubleshooting Kerberos authentication (see page 333) | Invalid service principal name for Kerberos authentication | Gary Beason
Troubleshooting Kerberos authentication (see page 333) | Invalid keytab index number for Kerberos authentication | Gary Beason
Troubleshooting Kerberos authentication (see page 333) | Invalid password for Kerberos authentication | Gary Beason
Federating user accounts in bulk (see page 157) | Federate command results output file | Ruth Harris
Troubleshooting Kerberos authentication (see page 333) | Browser sending NTLM instead of Kerberos (see page 336) | Prachi Kalyani
Troubleshooting Kerberos authentication (see page 333) | Invalid user name for Kerberos authentication | Gary Beason
Federating user accounts in bulk (see page 157) | Create command results output file | Ruth Harris
Federating user accounts in bulk (see page 157) | Create-federate command results output file | Ruth Harris
Realm Editor | AR Editor (see page 223) | Dixie Pine
Realm Editor | LDAPv3 (Active Directory) User Store Editor (see page 225) | Prachi Kalyani
Realm Editor | AR User Store Editor | John Stamps
Realm Editor | User Editor | Ruth Harris
Realm Editor | Group Editor | Ruth Harris
Realm Editor | Local Identity Provider (IdP) Editor | Ruth Harris
Navigating the interface | HA Nodes manager (see page 234) | Dixie Pine
Realm Editor | Remote Service Provider (SP) Editor (see page 232) | Dixie Pine
Realm Editor | SecurID Editor (see page 227) | Dixie Pine
Troubleshooting CAC authentication (see page 326) | Example of a list of certificates sent to the client | Confluence Admin
Managing nodes in a cluster (see page 273) | Stopping nodes in a cluster (see page 274) | Dixie Pine
Federating user accounts in bulk (see page 157) | Import command results output file | Ruth Harris
Federating user accounts in bulk (see page 157) | Error messages for bulk federation of user accounts | Ruth Harris
Troubleshooting (see page 279) | Troubleshooting redirect URLs (see page 343) | Abhay Chokshi
Federating user accounts in bulk (see page 157) | Create-import command results output file | Ruth Harris
Troubleshooting (see page 279) | Troubleshooting installation or upgrade issues (see page 346) | Abhay Chokshi
Troubleshooting (see page 279) | Session sharing in HA mode issue (see page 345) | Abhay Chokshi
Managing nodes in a cluster (see page 273) | Starting nodes in a cluster (see page 274) | Dixie Pine
Realm Editor | Remote Identity Provider (IdP) Editor | Ruth Harris
Upgrading | Preparing to upgrade BMC Analytics for BSM | Ruth Harris
Realm Editor | Local Service Provider (SP) Editor (see page 230) | Hemant Baliwala
Troubleshooting CAC authentication (see page 326) | Example of a client not responding with a certificate | Ruth Harris
Troubleshooting CAC authentication (see page 326) | Changing the clientAuth setting | Ruth Harris
Troubleshooting CAC authentication (see page 326) | Example of a client sending a certificate | Gary Beason
Troubleshooting CAC authentication (see page 326) | Turning on network debug logging (see page 328) | Ruth Harris
Troubleshooting SAMLv2 | IdP metadata issues | Ruth Harris
Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72) | Policy file additions for external Tomcat installations (see page 75) | Prachi Kalyani
Upgrading | Upgrading HA nodes | Ruth Harris
Realm Editor | Create Service Provider (see page 229) | Ruth Harris
Realm Editor | Create Identity Provider (see page 228) | Ruth Harris
Troubleshooting CAC authentication (see page 326) | Clock skew too great for CAC authentication (see page 331) | Dixie Pine
Planning (see page 29) | Checking the compatibility matrix for system requirements and supported configurations | Abhay Chokshi
Integrating | Integrating BMC Mobility for ITSM 8.1.00 (see page 212) | Abhay Chokshi
Federating user accounts in bulk (see page 157) | Identity files for user accounts (see page 160) | Ruth Harris
Realm Editor | CAC (certificate) Editor | Ruth Harris
Troubleshooting (see page 279) | Logon and logoff issues (see page 316) | Dixie Pine
Troubleshooting Kerberos authentication (see page 333) | Clock skew too great for Kerberos authentication | Ruth Harris
Integrating BMC Real End User Experience Monitoring (see page 212) | Preparing the Console component for the BMC Atrium SSO integration (see page 212) | Abhay Chokshi
Federating user accounts in bulk (see page 157) | bulkFederation command parameters (see page 161) | Dixie Pine
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79) | Reviewing AR server external authentication settings and configuring group mapping (see page 91) |
Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55) | Installing additional nodes for an HA cluster on an external Tomcat server (see page 70) | Hemant Baliwala
Troubleshooting CAC authentication (see page 326) | Example of a debug log error when a certificate is not available | Ruth Harris
Troubleshooting SAMLv2 | Metadata issues (see page 342) | Dixie Pine
Troubleshooting (see page 279) | Troubleshooting SAMLv2 | Ruth Harris
Troubleshooting SAMLv2 | Certificate issues | Ruth Harris
Troubleshooting CAC authentication (see page 326) | Example of OCSP certificate failure | Ruth Harris
Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55) | Installing additional nodes for an HA cluster on a new Tomcat server (see page 63) | Hemant Baliwala
Troubleshooting CAC authentication (see page 326) | Example of URL certificate authentication not enabled | Dixie Pine
Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72) | Configuring an external Tomcat instance for FIPS-140 (see page 76) | Prachi Kalyani
Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55) | Installing the first node for an HA cluster on an external Tomcat server (see page 68) | Ruth Harris
Installing (see page 40) | Preparing for installation | Ruth Harris
Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 | Configuring external authentication for AR System integration (see page 170) | Dixie Pine
Troubleshooting Kerberos authentication (see page 333) | Browser not correctly configured for Kerberos authentication | Ruth Harris
Troubleshooting Kerberos authentication (see page 333) | Incorrect server name for Kerberos authentication | Gary Beason
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79) | Installing BMC Atrium Single Sign-On | Ruth Harris
Troubleshooting (see page 279) | Resolving installation issues on LINUX operating system (see page 346) | Abhay Chokshi
Integrating | Integrating BMC Real End User Experience Monitoring (see page 212) | Abhay Chokshi
Integrating BMC Real End User Experience Monitoring (see page 212) | Preparing BMC Atrium SSO server for integration (see page 212) | Abhay Chokshi
Using Kerberos for authentication (see page 132) | Generating a keytab for the service principal and mapping the Kerberos service name (see page 134) | Abhay Chokshi
Troubleshooting (see page 279) | Upgrading from 7.6.04 to 8.1 silent installation issue (see page 317) | Ruth Harris
Planning (see page 29) | End-to-end BMC Atrium Single Sign-On process | Abhay Chokshi
 | BMC Atrium Single Sign-On 8.1 | Ruth Harris
 | Legal notices | Ruth Harris
Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72) | JVM parameter additions for external Tomcat installations (see page 76) | Prachi Kalyani
Troubleshooting CAC authentication (see page 326) | Example of a default logging level error | Ruth Harris
Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 | Manually configuring mid tier for BMC Atrium Single Sign-On user authentication (see page 176) | Abhay Chokshi
Troubleshooting SAMLv2 | SAMLv2 keystore issues (see page 341) | Abhay Chokshi
Service packs and patches (see page 17) | Patch 3 for version 8.1.00: 8.1.00.03 (see page 17) | Prachi Kalyani
What's new (see page 12) | Documentation updates after release (see page 20) | Abhay Chokshi
Service packs and patches (see page 17) | Patch 2 for version 8.1.00: 8.1.00.02 (see page 18) | Abhay Chokshi
Navigating the interface | Server Configuration Editor (see page 237) | Abhay Chokshi
Navigating the interface | Agent manager | Melanie Boston
Navigating the interface | Realm Editor | Prachi Kalyani
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79) | Running a health check on the BMC Atrium Single Sign-On installation | John Stamps
Using SAMLv2 for authentication | Configuring BMC Atrium Single Sign-On as an IdP | Ruth Harris
Manually configuring mid tier for BMC Atrium Single Sign-On user authentication (see page 176) | Deployer commands for various JSP engines | Ruth Harris
Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 | Configuring BMC Atrium Single Sign-On for integration | Prachi Kalyani
Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 | Installing BMC Atrium Single Sign-On for AR System integration | Prachi Kalyani
Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 | Running a health check on the BMC Atrium Single Sign-On integration | Ruth Harris
Troubleshooting (see page 279) | Troubleshooting AR System server and Mid Tier integrations | Ruth Harris
Realm Editor | Kerberos Editor (see page 227) | Abhay Chokshi
Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 | Configuring the BMC Atrium Single Sign-On server for AR System integration (see page 183) | Abhay Chokshi
Using (see page 214) | Navigating the interface | Ruth Harris
Home (see page 11) | Using (see page 214) | Dixie Pine
Managing keystores with a keytool utility (see page 239) | Using the keytool utility (see page 241) | Hemant Baliwala
Managing nodes in a cluster (see page 273) | Resynchronizing nodes in a cluster | Ruth Harris
Integrating | Integrating BMC Atrium Orchestrator Platform (see page 209) | Abhay Chokshi
Tracking tools (see page 353) | Comments dashboard (see page 353) | Ruth Harris
Tracking tools (see page 353) | No Labels report (see page 363) | Ruth Harris
Tracking tools (see page 353) | Number of pages in space (see page 383) | Bruce Cane
Tracking tools (see page 353) | Installing and managing certificates in BMC Atrium SSO (see page 383) | Abhay Chokshi
Tracking tools (see page 353) | Installing certificates after integration with other BMC products (see page 383) | Abhay Chokshi
Managing keystores with a keytool utility (see page 239) | Generating and importing CA certificates | Abhay Chokshi
Managing keystores with a keytool utility (see page 239) | Checking the truststore for certificates | Ruth Harris
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79) | Running the SSOMidtierIntegration utility on the Mid Tier (see page 92) | Abhay Chokshi
Installing and managing certificates in BMC Atrium SSO (see page 383) | Finding intermediate CA (see page 383) | Abhay Chokshi
Installing and managing certificates in BMC Atrium SSO (see page 383) | Importing a certificate into cacerts.p12 (see page 383) | Abhay Chokshi
Installing and managing certificates in BMC Atrium SSO (see page 383) | Importing a certificate into keystore.p12 (see page 383) | Abhay Chokshi
Installing and managing certificates in BMC Atrium SSO (see page 383) | Importing certificate chains and intermediate certificates (see page 383) | Abhay Chokshi
Installing and managing certificates in BMC Atrium SSO (see page 383) | Installing certificates in HA load balancing environment (see page 383) | Abhay Chokshi
Installing and managing certificates in BMC Atrium SSO (see page 383) | Installing certificates on a standalone server (see page 383) | Abhay Chokshi
Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55) | Installing the first node for an HA cluster on a new Tomcat server (see page 57) | Abhay Chokshi
Troubleshooting Kerberos authentication (see page 333) | Chained authentication failure in Microsoft Internet Explorer (see page 338) | Abhay Chokshi
Using Kerberos for authentication (see page 132) | Reconfiguring your browser (see page 138) | Prachi Kalyani
Tracking tools (see page 353) | Enabling multiple realms (see page 372) | Dixie Pine
Realm Editor | LDAP (Active Directory) Editor (see page 223) | Abhay Chokshi
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79) | Running the SSOARIntegration utility on the AR System server (see page 88) | Abhay Chokshi
16.3 Technical Bulletin SW00448553

16.3.1 BMC Atrium Single Sign-On Version 8.1.00
March 14, 2013
Defect SW00448553

BMC Software is alerting users of BMC Atrium Single Sign-On version 8.1.00 to a workaround for defect SW00448553, which is associated with configuration replication in BMC Atrium Single Sign-On High Availability (HA) configurations. This technical bulletin describes how to implement the workaround. If you have any questions about the workaround, contact BMC Software Customer Support at 800 537 1813 (United States or Canada) or call your local support center.

Issue (see page 369)
Workaround procedure (see page 369)
Workaround scripts (see page 370)
Where to get the latest product information (see page 372)

16.3.2 Issue

In a BMC Atrium Single Sign-On High Availability (HA) configuration, replication of configuration modules does not work correctly.
16.3.3 Workaround procedure

When multiple nodes are used as a primary server in a BMC Atrium Single Sign-On High Availability configuration, do the following:
1. Disable replication on all of the BMC Atrium Single Sign-On servers in the HA cluster by using the dereplicate.bat script.
2. Log on to each BMC Atrium Single Sign-On server in the HA cluster and review the HA Node list in the BMC Atrium SSO Admin Console.
3. Select the BMC Atrium Single Sign-On server that lists all the nodes as primary server. If more than one server lists all of the nodes as primary server, select any one as the primary server.
4. Stop all the BMC Atrium Single Sign-On servers in the HA cluster except the primary server that you selected.
5. Back up the primary server by using the backup.bat script.
6. Restore the primary server by using the restore.bat script. Execute this command on all BMC Atrium Single Sign-On servers in the HA cluster.
7. Repeat steps 4 - 6 if you change the configuration on the primary server.

The following three scripts are used for this workaround:
dereplicate.bat — Disables replication on all servers in the HA cluster.
backup.bat — Backs up the primary server.
restore.bat — Restores the primary server.
16.3.4 Workaround scripts

dereplicate.bat script

    set ATRIUM_SSO_DIR=D:\APPS\BMC Software\AtriumSSO
    set OPENDS_DIR=%ATRIUM_SSO_DIR%\tomcat\webapps\atriumsso\WEB-INF\config\opends
    set DSREPLICATION_PATH=%OPENDS_DIR%\bat\dsreplication.bat
    @rem PASSWORD is the OpenDS administrator password used for the --adminPassword option
    set PASSWORD=admin123
    set HOST1=kbp1-dhp-f48202.synapse.com
    set ADMIN_PORT1=40444
    set REPL_PORT1=40636
    set HOST2=kbp1-dhp-f48202.synapse.com
    set ADMIN_PORT2=41444
    set REPL_PORT2=41636
    @rem -X trusts any server SSL certificate without checking it; -n runs without prompting
    call "%DSREPLICATION_PATH%" disable --disableAll -h %HOST1% -p %ADMIN_PORT1% --bindDN "cn=Directory Manager" --adminPassword %PASSWORD% -X -n
    call "%DSREPLICATION_PATH%" disable --disableAll -h %HOST2% -p %ADMIN_PORT2% --bindDN "cn=Directory Manager" --adminPassword %PASSWORD% -X -n

backup.bat script

    set ATRIUM_SSO_DIR=D:\APPS\BMC Software\AtriumSSO
    set OPENDS_DIR=%ATRIUM_SSO_DIR%\tomcat\webapps\atriumsso\WEB-INF\config\opends
    set DESTINATION_EXEC_DIR=%OPENDS_DIR%\bat
    @rem
    @rem ******************************************************************************************
    @rem Set the BACKUP_DIR as a commonly accessible drive among the members in the HA environment
    @rem ******************************************************************************************
    @rem
    set BACKUP_DIR=\atsso_opends_clone
    set SOURCE_HOST=kbp1-dhp-f48202.synapse.com
    set SOURCE_ADMIN_PORT=40444
    set PASSWORD=admin123
    @rem remove any previous backup, then back up the userRoot backend of the primary server
    rd "%BACKUP_DIR%" /S /Q
    call "%DESTINATION_EXEC_DIR%\backup" --backendID userRoot --backupDirectory "%BACKUP_DIR%" -h %SOURCE_HOST% -p %SOURCE_ADMIN_PORT% -D "cn=directory manager" -w %PASSWORD% --hash -X

restore.bat script

    set ATRIUM_SSO_DIR=D:\APPS\BMC Software\AtriumSSO
    set OPENDS_DIR=%ATRIUM_SSO_DIR%\tomcat\webapps\atriumsso\WEB-INF\config\opends
    set DESTINATION_EXEC_DIR=%OPENDS_DIR%\bat
    @rem
    @rem ******************************************************************************************
    @rem Set the BACKUP_DIR to the primary server's mapped drive
    @rem e.g., map the primary server location to Z:
    @rem ******************************************************************************************
    @rem
    set BACKUP_DIR=
    @rem
    @rem **********************************************************
    @rem Set the LOCAL_BACKUP_DIR as a folder on the current machine
    @rem **********************************************************
    @rem
    set LOCAL_BACKUP_DIR=\atsso_opends_working_config
    rd "%LOCAL_BACKUP_DIR%" /S /Q
    md "%LOCAL_BACKUP_DIR%"
    @rem
    @rem before restoring, make a copy of the existing configuration:
    @rem copy the current working configuration folder (the OpenDS db directory) into LOCAL_BACKUP_DIR
    @rem
    cd "%LOCAL_BACKUP_DIR%" && xcopy "%OPENDS_DIR%\db" /e
    @rem
    @rem restore the primary server's backup over the local OpenDS data
    @rem
    call "%DESTINATION_EXEC_DIR%\restore" --backupDirectory "%BACKUP_DIR%"
16.3.5 Where to get the latest product information

To view the latest BMC product documents, see the Customer Support website at http://www.bmc.com/support. Notices, such as flashes, technical bulletins, and release notes, are available on the website. You can subscribe to proactive alerts to receive email messages when notices are issued or updated. For more information about proactive alerts, see the Customer Support website.

16.4 Enabling multiple realms

BMC Atrium Single Sign-On allows you to configure multiple realms.

Realm panel (see page 373)
To enable multiple realms (see page 374)
To create a new realm (see page 374)

The following image shows the BMC Atrium SSO Admin Console when configured for multiple realms:
16.4.1 Realm panel

For the Remedy OnDemand solution, BMC Atrium Single Sign-On allows multiple realms. In this case, the Realm panel replaces the BMC Realm panel in the BMC Atrium SSO Admin Console. The Realm panel displays the realm name along with its user profile and status. Each realm has the same capability as the BmcRealm in terms of managing realm authentication, federation, user stores (AR and LDAPv3), users, and user groups.

Note
BmcRealm is the default realm and cannot be deleted.

Add launches the Create Realm Editor, which allows you to add a realm to the system.
Edit launches the Realm Editor, which allows you to manage that particular realm's authentication, federation, user stores (AR and LDAPv3), users, and user groups.
Delete removes the realm from the system.
The Filter field allows you to display specific realms based on your search criteria.
The following image shows a realm panel:
16.4.2 To enable multiple realms

1. Stop the BMC Atrium Single Sign-On server.
2. Edit the web.xml file.
3. Search for the parameter name "allow.multiple.realms".
4. Change the parameter value from false to true.
5. Save and exit the file.
6. Restart the BMC Atrium Single Sign-On server. For more information about restarting the server, see Stopping and restarting the BMC Atrium Single Sign-On server (see page 279).

16.4.3 To create a new realm

1. On the Realm panel, click Add. The Create Realm Editor pops up.
2. In the Realm Name field, provide a name for the new realm.
3. In the User Profile field, select a user profile.
4. Click Save.
16.5 Configuring multi-tenancy support

Writer notes (Shubhangi Apte) on April 12, 2013
Ruth Harris had documented this information on the initial page for SSO 8.1.00 Patch 2. However, when I followed up with Volodymyr Zaporozhets he said that the team will not be announcing multi-tenancy support in patch 2. The team had initially talked about disabling this feature as the plan was to deliver it to BMC Remedy OnDemand only. However, RoD later decided to wait until 8.8 for different reasons. I have removed the following content from the SSO 8.1.00 Patch 2 page and have added it under Tracking tools (in case this information is required for later releases).
16.5.1 Configuring multi-tenancy support

Patch 2 for version 8.1.00 supports multi-tenancy for Remedy OnDemand (RoD). Deployment uses BMC Atrium Single Sign-On as a shared service running in High Availability (HA) mode. Each customer has its own Mid Tier, and each realm is mapped to one web agent in the BMC Remedy Mid Tier. Deploying multiple realms for customers is supported through an enhanced Web Agent. To update the Web Agent without redeployment, a script, upgrade-wa, is provided. The following diagram illustrates the deployment architecture:
The Web Agent maps the server hostname (the name the user uses to access a protected application) to the full logon and logout URLs. The logon and logout URLs contain the information (for example, the realm name and IdP ID) needed to separate tenants from each other. The mapping is specified in the configuration file.

Note
When multi-tenancy support is enabled, the login and logout URLs specified for the Web Agent configuration in the BMC Atrium SSO Console are not used.

The following diagram illustrates the authentication process when the multi-tenant web agent is used:

Configuration file

The configuration file is a properties file containing one record per line, in the form hostname|login=URL or hostname|logout=URL; as in the example, each hostname has a login record and a logout record. Configuration file example:
pepsi.onbmc.com|login=https://sso.onbmc.com:8443/atriumsso/UI/Login?realm=/PepsiRealm
pepsi.onbmc.com|logout=https://sso.onbmc.com:8443/atriumsso/UI/Logout?realm=/PepsiRealm
coke.onbmc.com|login=https://sso.onbmc.com:8443/atriumsso/UI/Login?realm=/CokeRealm
coke.onbmc.com|logout=https://sso.onbmc.com:8443/atriumsso/UI/Logout?realm=/CokeRealm

To enable multi-tenancy support
1. Place the multitenancy.cfg.properties file (in build #24 and below, the file is named multitenancy.cfg.poperties) in the WebAgent configuration directory (for example, atssoAgents/).
2. Disable the FQDN check in the WebAgent configuration properties in the AtriumSSO console.
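The Host-to-URL mapping described above, as an added example in Python (it is not BMC's Web Agent code): it parses a file in the record format shown, resolves a request's Host header to the tenant's login or logout URL, and re-reads the file when it changes, the way the agent's periodic poll does. The sample configuration is constructed from the page's example. Assumptions not stated on the page: tenant keys are matched as lowercase hostnames with any port stripped from the Host header, every tenant must have both a login and a logout record, only https URLs are accepted, the poll interval is given in seconds, and an absent file is treated as multi-tenancy disabled. The lookup is an exact match on the configured hosts, so an unconfigured Host value never produces a redirect target.

```python
# Added example, not BMC's Web Agent code: parse a multitenancy.cfg.properties-style
# file, map a request's Host header to the tenant's login/logout URL, and re-read
# the file when it changes, as the agent's periodic poll does.
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample in the record format of the page's configuration file example.
SAMPLE_CONFIG = """\
# <hostname>|login=<URL> and <hostname>|logout=<URL>, one record per line
pepsi.onbmc.com|login=https://sso.onbmc.com:8443/atriumsso/UI/Login?realm=/PepsiRealm
pepsi.onbmc.com|logout=https://sso.onbmc.com:8443/atriumsso/UI/Logout?realm=/PepsiRealm
coke.onbmc.com|login=https://sso.onbmc.com:8443/atriumsso/UI/Login?realm=/CokeRealm
coke.onbmc.com|logout=https://sso.onbmc.com:8443/atriumsso/UI/Logout?realm=/CokeRealm
"""

@dataclass
class TenantUrls:
    login: Optional[str] = None
    logout: Optional[str] = None

def parse_multitenancy_config(text: str) -> Dict[str, TenantUrls]:
    """Return {hostname: TenantUrls}. Malformed or incomplete records raise
    ValueError so a bad file is noticed instead of silently mapping nobody."""
    tenants: Dict[str, TenantUrls] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, url = line.partition("=")          # <host>|<action>=<url>
        host, bar, action = key.partition("|")
        if not (sep and bar and host) or action not in ("login", "logout"):
            raise ValueError(f"line {lineno}: malformed record {raw!r}")
        if not url.startswith("https://"):           # assumption: https only
            raise ValueError(f"line {lineno}: {action} URL for {host} is not https")
        entry = tenants.setdefault(host.lower(), TenantUrls())
        setattr(entry, action, url)
    for host, entry in tenants.items():              # assumption: both URLs required
        if entry.login is None or entry.logout is None:
            raise ValueError(f"{host}: login and logout records are both required")
    return tenants

def normalize_host(host_header: str) -> str:
    """Assumption: keys are lowercase hostnames without a port, as in the page's
    example, so the Host header's port is stripped before lookup."""
    return host_header.strip().lower().split(":", 1)[0]

def resolve_url(tenants: Dict[str, TenantUrls], host_header: str, action: str) -> Optional[str]:
    """Exact lookup of the request's Host header. An unconfigured host yields None,
    so no redirect target is ever built from an unknown Host value."""
    if action not in ("login", "logout"):
        raise ValueError("action must be 'login' or 'logout'")
    entry = tenants.get(normalize_host(host_header))
    return getattr(entry, action) if entry else None

class MultitenancyConfig:
    """Polls the file at most once per check_delay seconds (the page's atsso.server.check.delay,
    default 2 minutes) and reloads it when its mtime changes; a missing file means disabled."""

    def __init__(self, path: str, check_delay: float = 120.0):
        self.path, self.check_delay = path, check_delay
        self.tenants: Dict[str, TenantUrls] = {}
        self._mtime: Optional[float] = None
        self._last_check = float("-inf")

    def refresh(self) -> bool:
        """Return True when the mapping was (re)loaded from disk."""
        now = time.monotonic()
        if now - self._last_check < self.check_delay:
            return False
        self._last_check = now
        try:
            mtime: Optional[float] = os.stat(self.path).st_mtime
        except FileNotFoundError:
            mtime = None
        if mtime == self._mtime:
            return False
        self._mtime = mtime
        if mtime is None:
            self.tenants = {}                        # file removed: multi-tenancy disabled
        else:
            with open(self.path, encoding="utf-8") as fh:
                self.tenants = parse_multitenancy_config(fh.read())
        return True

def demo_reload() -> tuple:
    """Enable, then disable by removing the file; return what each poll resolved."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "multitenancy.cfg.properties")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONFIG)
        cfg = MultitenancyConfig(path, check_delay=0.0)
        enabled = cfg.refresh()
        login = resolve_url(cfg.tenants, "PEPSI.onbmc.com:443", "login")
        os.remove(path)
        disabled = cfg.refresh()
        after = resolve_url(cfg.tenants, "pepsi.onbmc.com", "login")
    return enabled, login, disabled, after
```

Calling demo_reload() writes the sample file, resolves the Pepsi login URL, removes the file and polls again, showing that removing the configuration file is what turns multi-tenancy off without a restart. Because the load balancer in front of the Web Agent must preserve the Host header, the value looked up here is the hostname the user typed, which is why only configured hosts are ever mapped.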
To disable multi-tenancy support
Remove the configuration file.
Note: You do not need to restart the container that hosts the Web Agent when you enable or disable multi-tenancy support or change its configuration. The Web Agent polls its configuration file periodically; the poll interval is set by the atsso.server.check.delay system property and defaults to 2 minutes.
Web agent script
A script for updating the Web Agent without re-deployment is provided as part of the BMC Atrium Single Sign-On 8.1.00 Patch 2 release. The script is located in the webagent.zip/upgrade folder, with both Microsoft Windows (.bat) and Linux (.sh) versions available.
Note: The upgrade folder contains a README.txt file with the following content:
You can use the upgrade-wa script to upgrade WebAgent libraries without WebAgent re-deployment.
Usage:
upgrade-wa [upgrade_lib_path] webapp_path
Parameters:
upgrade_lib_path — path to the libraries that are used during the upgrade (optional)
webapp_path — path to the web application with the deployed WebAgent (required)
Load balancer configuration
This configuration applies to the load balancer in front of the Web Agent, not the one in front of Atrium SSO. The load balancer must preserve the HTTP Host header when it forwards requests to the back-end servers, because the multi-tenant Web Agent selects the tenant from that header; a load balancer that rewrites the header to the back end's own name breaks the mapping. In Apache httpd, configure this in httpd.conf:
- add or replace the ProxyPreserveHost On option in the relevant VirtualHost sections.
- add or replace the DefaultType None option in the global configuration.
httpd.conf
. . .
ProxyPreserveHost On
. . .
DefaultType None
. . .
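The following Python example is added here and is not BMC code. It models the two behaviours described above: resolving a tenant's login or logout URL from the Host header through a multitenancy.cfg.properties mapping (section 16.5.1), and what the Web Agent sees when the load balancer does or does not preserve the Host header. The file contents are a constructed sample in the page's record format. The hostnames, the back-end name midtier-1.internal and the parsing rules (case-insensitive host, optional :port ignored, both URLs required per tenant, https required, unknown host refused) are assumptions for the example, not documented Web Agent behaviour.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the page's record format: <host>|<login|logout>=<URL>
SAMPLE_CONFIG = """\
# multitenancy.cfg.properties (constructed sample, mirrors the page's example)
pepsi.onbmc.com|login=https://sso.onbmc.com:8443/atriumsso/UI/Login?realm=/PepsiRealm
pepsi.onbmc.com|logout=https://sso.onbmc.com:8443/atriumsso/UI/Logout?realm=/PepsiRealm
coke.onbmc.com|login=https://sso.onbmc.com:8443/atriumsso/UI/Login?realm=/CokeRealm
coke.onbmc.com|logout=https://sso.onbmc.com:8443/atriumsso/UI/Logout?realm=/CokeRealm
"""

ACTIONS = ("login", "logout")


class TenantConfigError(ValueError):
    """Malformed mapping record, or a Host that maps to no tenant."""


def parse_config(text):
    """Parse the mapping file into {host: {"login": url, "logout": url}}.

    Assumed rules (not documented Web Agent behaviour): hosts compare
    case-insensitively, every tenant needs both URLs, every URL must be
    https. A half-configured tenant therefore fails at load time, not at logon.
    """
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, bar, rest = line.partition("|")
        key, eq, url = rest.partition("=")  # the URL itself may contain '='
        host, key, url = host.strip().lower(), key.strip().lower(), url.strip()
        if not (bar and eq and host) or key not in ACTIONS:
            raise TenantConfigError(
                f"line {lineno}: expected <host>|login=<url> or <host>|logout=<url>")
        if urlsplit(url).scheme != "https":
            raise TenantConfigError(f"line {lineno}: SSO URL must use https")
        mapping.setdefault(host, {})[key] = url
    for host, urls in mapping.items():
        missing = sorted(set(ACTIONS) - set(urls))
        if missing:
            raise TenantConfigError(f"{host}: missing {missing} URL")
    return mapping


def host_from_header(host_header):
    """Normalise a Host header value: lower-case, optional :port dropped.

    IPv6 literals are not handled; tenants are keyed by DNS name.
    """
    host = host_header.strip().lower()
    name, _, port = host.rpartition(":")
    return name if name and port.isdigit() else host


def resolve(mapping, host_header, action):
    """Return the tenant's login or logout URL for the Host the user used.

    An unknown Host is refused rather than mapped to a default realm: with the
    FQDN check disabled the Host header is the only tenant selector, so any
    fallback would send one customer's users to another customer's realm.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    host = host_from_header(host_header)
    try:
        return mapping[host][action]
    except KeyError:
        raise TenantConfigError(f"no tenant configured for host {host!r}") from None


def realm_of(url):
    """Extract the realm the URL hands to Atrium SSO (for checks and logging)."""
    return parse_qs(urlsplit(url).query)["realm"][0]


def forwarded_host(client_host, backend_host, preserve_host):
    """Model the load balancer hop. With ProxyPreserveHost On the back end sees
    the client's Host; otherwise it sees its own name (assumed here to be
    backend_host) and the tenant lookup cannot succeed."""
    return client_host if preserve_host else backend_host


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(resolve(cfg, "pepsi.onbmc.com:8443", "login"))
    seen = forwarded_host("coke.onbmc.com", "midtier-1.internal", preserve_host=False)
    try:
        resolve(cfg, seen, "login")
    except TenantConfigError as err:
        print("without ProxyPreserveHost:", err)
```

Running the module prints the PepsiRealm login URL and then the refusal for the request whose Host header was rewritten by the load balancer. The refusal is the point of the example: the correct response to a Host that is not in the mapping is to reject the request, and the load balancer should only forward hostnames that the mapping file lists.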
16.6 Overview steps to install and configure HA Load-Balancing environment with SSO
This topic provides a high-level road map for installing and configuring a high-availability (HA) load-balancing server group environment with SSO. Click the links to "drill down" to more specific instructions.
1. Create a comprehensive list of all the computers in your environment. For example, list all your load balancers, AR System servers, Mid Tiers, SSO servers, and so on. Record in a text file each server, its IP address, and all accepted fully qualified names.
2. Set up your load balancers.
   a. Configure the AR System server load balancer with all the servers in the server group. Make sure that it includes every computer on which you will install an AR System server; otherwise, you encounter various errors when you configure the Mid Tier to use the AR System server load balancer (see page 381).
   b. Configure the Mid Tier load balancer. Make sure that it includes every computer on which you will install a Mid Tier.
   c. Configure the SSO server load balancer. Make sure that it includes every computer on which you will install an SSO server.
3. Install the server group.
   a. Install the first AR System server.
   b. Install the first Mid Tier.
   c. Obtain BMC Remedy license keys.
   d. Test the Mid Tier in your server group. This step is temporary, to test the installation of the first AR System server.
   e. Configure the first server to be a server group member.
   f. Test and confirm that the first server is working properly.
   g. Install the next AR System server in the server group.
   h. Configure the next server for the server group.
   i. Configure the Mid Tier to include all the AR System servers you just installed. This step is temporary, to test the installations of the remaining AR System servers.
   j. Test and confirm that the current server is working properly. Use the AR System Server Group Operation Ranking form to distribute the load between the AR System servers and the load balancer.
   k. Configure the Mid Tier to use the AR System server load balancer. Remove the first AR System server from the Mid Tier and add the virtual host name of the AR System server load balancer (for example, remedyssoservergroup).
   l. Log on to the Mid Tier. Make sure that the Mid Tier resolves to the AR System server load balancer. You should be able to access, for example, the BMC Remedy AR System Administration Console.
   m. Install the remaining Mid Tiers for your environment.
4. Configure the Mid Tier load balancer with all the Mid Tiers in the server group. When you log on to the Mid Tier load balancer, it should resolve to the AR System server load balancer.
5. Install the SSO servers.
   a. Install BMC Atrium Single Sign-On.
   b. Manage the AR System users and groups for authentication (see page 97).
   c. Run the SSOARIntegration utility on the AR System server (see page 88).
   d. Run the SSOMidtierIntegration utility on the Mid Tier (see page 92). This configures the SSO AREA plug-in with a Java plug-in entry, along with the other External Authentication parameters.
6. Define additional SSO authentication methods.
16.8 Installing and managing certificates in BMC Atrium SSO This page has not been approved for publication.
16.8.1 Installing certificates on a standalone server This page has not been approved for publication.
16.8.2 Installing certificates in HA load balancing environment This page has not been approved for publication.
16.8.3 Importing a certificate into keystore.p12 This page has not been approved for publication.
16.8.4 Importing a certificate into cacerts.p12 This page has not been approved for publication.
16.8.5 Finding intermediate CA This page has not been approved for publication.
16.8.6 Importing certificate chains and intermediate certificates This page has not been approved for publication.
16.9 Installing certificates after integration with other BMC products This page has not been approved for publication.
Index
a: adding 248; administration 263, 264, 268, 271, 273, 275; agents 263, 275, 279, 331; ar 97; architecture 20; ar system 320; authentication 97, 132, 263, 271, 320, 326, 333; authentication chains 263; authentication modules 271
b: bmc analytics 199; bmc atrium sso 11, 79, 284, 331; bmc capacity optimization 207; bmc dashboards 198; bmc internal 353, 369, 378; bmc itbm 204, 205; bmc proactivenet 200; bmc remedy ar system 31, 79, 97; bulkfederation 157
c: ca 248; cac 326; ca certificates 239; certificates 20, 239, 243, 246, 248, 249; ciphers 257; configuration 132, 251, 276; configuring jvm 77; console 22; conversion 251, 256; cookie domain 20; csr 246; customer support 351
d: data 260; deployment 20, 31; diagnostics 279, 281; downloads 44
e: errors 279, 285; external tomcat 72
f: features 12; federating 157, 263; fips 251, 256, 257, 258; fips 140 251, 256, 257, 258; fixes 12, 17, 19
g: generate csr 246; group membership 264; groups 97, 263, 268
h: ha 20, 55, 112, 263, 273; high availability 20, 55, 112, 263, 273; home 11
i: import 243; importing certificates 246; installation 40, 42, 48, 50, 55, 72, 79, 112; integration 198, 199, 200, 204, 205, 207; issues 12, 17, 19
j: jboss 331; jee 20, 279, 331
k: kerberos 132, 333; keystore 239, 240; keytool 239
l: ldap 260; licensing 12; linux 117; logs 282, 284
m: mid tier 31, 79; monitoring 256
n: network ciphers 257; new 12, 17, 19; nodes 263, 273; normal mode 258
o: openam 22
p: passwords 20; patches 12, 17, 19; pdfs 352; planning 29; prerequisites 42; product agents 275
r: realms 20; reference 31, 351; release notes 12; rsa api properties 284
s: saml 31; self signed 249; server 77; session behavior 20, 24; session parameters 263, 276; setting http connection 78; silent 112; sso 11, 22; sso server 263, 279; starting 279; stopping 279; store 260; supported 351
t: tomcat 77, 331; troubleshooting 279, 320, 326, 331, 333; truststore 239, 243
u: uninstalling 112, 117; unix 117; updates 12, 17, 19; user 260, 263; user accounts 157, 263; user groups 268; users 97, 264
v: versions 351
w: weblogic 331; websphere 205, 331; windows 117
© Copyright 2013 BMC Software, Inc. © Copyright 2013 BladeLogic, Inc. BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other BMC trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. All other trademarks or registered trademarks are the property of their respective owners. BladeLogic and the BladeLogic logo are the exclusive properties of BladeLogic, Inc. The BladeLogic trademark is registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other BladeLogic trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. All other trademarks or registered trademarks are the property of their respective owners. All Cisco trademarks that are referred to or displayed in the space are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All IBM trademarks that are referred to or displayed in the space are trademarks of International Business Machines Corporation in the United States, other countries, or both. IT Infrastructure Library® is a registered trade mark of the Cabinet Office. ITIL® is a registered trade mark of the Cabinet Office. Linux is the registered trademark of Linus Torvalds. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. PinkVERIFY and PinkVERIFY logo Trademark Pink Elephant. Used under license from Pink Elephant. All SAP trademarks that are referred to or displayed in the document are trademarks or registered trademarks of SAP AG in Germany and in several other countries. 
UNIX is the registered trademark of The Open Group in the US and other countries.
The information included in this documentation is the proprietary and confidential information of BMC Software, Inc., its affiliates, or licensors. Your use of this information is subject to the terms and conditions of the applicable End User License agreement for the product and to the proprietary and restricted rights notices included in the product documentation. Restricted rights legend U.S. Government Restricted Rights to Computer Software. UNPUBLISHED—RIGHTS RESERVED UNDER THE COPYRIGHT LAWS OF THE UNITED STATES. Use, duplication, or disclosure of any data and computer software by the U.S. Government is subject to restrictions, as applicable, set forth in FAR Section 52.227-14, DFARS 252.227-7013, DFARS 252.227-7014, DFARS 252.227-7015, and DFARS 252.227-7025, as amended from time to time. Contractor/Manufacturer is BMC SOFTWARE INC, 2101 CITYWEST BLVD, HOUSTON TX 77042-2827, USA. Any contract notices should be sent to this address. BMC Software Inc. 2101 CityWest Blvd, Houston TX 77042-2827, USA 713 918 8800 Customer Support: 800 537 1813 or contact your local support center