Installation Guide
This document describes the configuration and installation of the Plugin Single Sign On version 1.2 component for BMC Remedy AR System. TopPositions, 2010-03-29
CONTENTS
1 INTRODUCTION
2 WHAT IS PLUGIN SINGLE SIGN ON VERSION 1.2
3 APPLICATION
4 EQUIPMENT COMPATIBILITY
5 HOW PLUGIN SSO WORKS
6 INSTALLATION AND CONFIGURATION
6.1 Windows Authentication
6.2 ClearTrust / SiteMinder
6.3 Installation
6.4 Installation Part I in the server environment (ARS Platform)
6.5 Installation Part II in the environment on the side of Mid-Tier server
6.6 Installation Part III SSO Authentication Service
6.7 Installation Part IV Plugin SSO Authentication for BMC Remedy User Tool
7 TROUBLESHOOTING
7.1 SSO AREA plugin
7.2 AREA LDAP plugin
7.3 Mid-Tier SSO Plugin
7.4 SSO Authentication Service
7.5 What's next
8 POTENTIAL ERRORS
8.1 Mid-Tier can't find the file mt-sso.jar
8.2 Mid-Tier can't find the file jespa-1.0.9.jar
8.3 Mid-Tier can't find the file with the licence
8.4 Mid-Tier can't find the configuration file mt-sso.config
8.5 Remedy SSO can't find the Domain controller
8.6 Remedy SSO can't log into Domain controller
8.7 SSO Authentication service doesn't work
1 INTRODUCTION
Every company has to deal with a very common problem: users entering an incorrect password when logging in to a system or an application. Frustrated users are unable to remember every password they are obliged to use, which leads to many avoidable mistakes. The only remedy seems to be a call to IT support and yet another new password. That helps, but not for long: changing a password does not guarantee that the new one will not be forgotten either. What is more, security policy forces users to change their passwords regularly. To remember the new phrases and numbers, users write them on sticky notes and attach them to their screens. Obviously, storing passwords this way is not safe. That is why our team of IT specialists developed Plugin SSO (Plugin Single Sign On). It gives users secure and very easy access to BMC Remedy AR System: the whole login process happens quickly and without the user's participation, so users do not have to spend hours thinking about a new password and can attend to their duties. Users' frustration and annoyance disappear together with the password problems. Everyone knows that a satisfied employee is an effective employee, and effectiveness means profit, so let us help you make a big profit. For more information, please visit our Web site: http://www.remedy-sso.com
3 APPLICATION
Plugin SSO is a very flexible solution and can be applied in various hardware and system configurations. Plugin SSO supports:
- BMC Remedy AR System versions 7.0, 7.1, 7.5 and 7.6
- Operating systems: Windows, Linux, Solaris and HP-UX
- J2EE containers: Apache Tomcat, WebLogic, WebSphere and others
- External authentication systems such as ClearTrust and SiteMinder (they pass the authenticated user name to Mid-Tier in an HTTP header)
- Web browsers: Internet Explorer and Mozilla Firefox (Mozilla Firefox requires additional Windows Authentication configuration in the browser)
- Java 1.5 and 1.6
- All variants of the NTLM protocol (NTLMv2 out of the box, see section 4)
4 EQUIPMENT COMPATIBILITY
Automatic Plugin SSO login can be used on the following operating systems (compatibility matrix of the solution):

Operating systems:
  Windows 2000, 2003, 2008
  Sun Solaris 9.x
  HP-UX 11.x
  Linux 2.6.x+
BMC Action Request System 7.0

Plugin SSO supports many typical Web security systems. Popular products:

Authentication systems:
  ClearTrust
  SiteMinder
  Quest QSJ
  HTTP Basic

Out of the box, Plugin SSO supports Windows Authentication (NTLMv2).
Plugin SSO gives access to the BMC Remedy AR System environment on the basis of the authentication that already took place when the user logged into the corporate network (Windows domain authentication). A user who is correctly logged into the Windows domain does not have to log in again to connect to BMC Remedy AR System. Plugin SSO works as a plugin installed on BMC Remedy AR System; it can support Web SSO systems or work autonomously. The component logs users into BMC Remedy AR System automatically, either through the Web browser or through the BMC Remedy User application. The following diagram shows how Plugin SSO authenticates users with the Windows Authentication protocol.
[Diagram: User authentication by Plugin SSO]

In the case of a Web browser, Plugin SSO is triggered when the user opens one of the following Mid-Tier server addresses: /arsys/home, /arsys/forms, /arsys/apps. Plugin SSO asks the user's Web browser to send the NTLM authentication header with the user's credentials, then checks whether these credentials are valid. If the user is identified by the Windows domain controller, the user gains access to BMC Remedy AR System. The following diagram shows user authentication through the Web browser.

[Diagram: User login through the Web browser]

When the BMC Remedy User application is used, Plugin SSO is triggered when the application is opened. Plugin SSO obtains a special ticket from the SSO Authentication Service. This service runs on any Windows server and issues the ticket after SSPI Negotiate (NTLM) authentication. BMC Remedy User then sends the ticket to BMC Remedy AR System, where the AREA SSO plugin verifies it with the SSO Authentication Service. Each ticket is generated for a particular user and for the computer from which the user is connecting to BMC Remedy AR System. The following diagram shows how users are authenticated through BMC Remedy User.
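What the Mid-Tier receives during the browser login described above can be seen by decoding the NTLM headers themselves. The following is an added example, not code from Plugin SSO or from the Jespa library the Mid-Tier plugin uses: it constructs sample Type 1 and Type 3 messages with dummy challenge responses (no real credentials), parses them the way a plugin must before handing the name to the domain controller, tells NTLMv1 from NTLMv2 responses by the length of the NT response, and applies the username conversion (upper/lower) from the Mid-Tier configuration. The message layout follows the public NTLM specification (MS-NLMP); the OEM code page used when the Unicode flag is absent is assumed to be cp437.

```python
"""NTLM header decoding as seen by the Mid-Tier SSO plugin.

Added example (not code from Plugin SSO or Jespa): decodes the NTLM
messages carried in WWW-Authenticate/Authorization headers during the
browser login, extracts domain, user and workstation from the Type 3
(AUTHENTICATE) message and applies the "Username conversion" setting.
Sample messages are constructed here with dummy challenge responses.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001   # strings are UTF-16LE when set


def _buf(msg, offset):
    """Read a security buffer (len, maxlen, offset) and return its bytes."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, offset)
    return msg[start:start + length]


def parse_ntlm_header(value):
    """Parse 'NTLM <base64>' (from Authorization or WWW-Authenticate).

    Returns a dict with 'type' (1, 2 or 3); Type 3 also carries domain,
    user, workstation and an 'ntlmv2' flag derived from the NT response
    length (exactly 24 bytes for NTLMv1, longer for NTLMv2 + client blob).
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM header")
    msg = base64.b64decode(token)
    if msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": msg_type}
    if msg_type == 1:                       # NEGOTIATE: browser -> Mid-Tier
        info["flags"] = struct.unpack_from("<I", msg, 12)[0]
    elif msg_type == 2:                     # CHALLENGE: Mid-Tier -> browser
        info["flags"] = struct.unpack_from("<I", msg, 20)[0]
        info["server_challenge"] = msg[24:32]
    elif msg_type == 3:                     # AUTHENTICATE: browser -> Mid-Tier
        flags = struct.unpack_from("<I", msg, 60)[0]
        # OEM code page depends on the client locale; cp437 is assumed here
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
        info["flags"] = flags
        info["domain"] = _buf(msg, 28).decode(enc)
        info["user"] = _buf(msg, 36).decode(enc)
        info["workstation"] = _buf(msg, 44).decode(enc)
        info["ntlmv2"] = len(_buf(msg, 20)) > 24
    else:
        raise ValueError("unknown NTLM message type %d" % msg_type)
    return info


def remedy_login_name(info, case="lower"):
    """Apply 'Username conversion' (upper/lower/anything else = unchanged)
    to the Type 3 user name; the 'Username' format keeps the bare name."""
    name = info["user"]
    return {"upper": name.upper(), "lower": name.lower()}.get(case, name)


def build_type1(flags=NEGOTIATE_UNICODE):
    """Construct a minimal Type 1 header value (sample data)."""
    msg = NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags) + b"\x00" * 16
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def build_type3(domain, user, workstation, nt_response, flags=NEGOTIATE_UNICODE):
    """Construct a Type 3 header value with a dummy NT response (sample data).

    Layout: 12-byte header, six security buffers (8 bytes each), 4-byte
    flags, then the payload the buffers point into (offset 64 onwards).
    """
    fields = [b"", nt_response, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    descriptors, payload = b"", b""
    for field in fields:
        descriptors += struct.pack("<HHI", len(field), len(field), 64 + len(payload))
        payload += field
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", 3) + descriptors + struct.pack("<I", flags) + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")


# Constructed sample: the final request of a browser login (dummy NTLMv2-sized response)
SAMPLE_TYPE3 = build_type3("EXAMPLE", "ABaker", "WS01", b"\x00" * 16 + b"\x01\x01" + b"\x00" * 30)

if __name__ == "__main__":
    info = parse_ntlm_header(SAMPLE_TYPE3)
    print(info["domain"], info["user"], info["workstation"], "NTLMv2" if info["ntlmv2"] else "NTLMv1")
    print("Remedy login:", remedy_login_name(info, "lower"))
```

A Type 3 message only carries the client's claimed identity and its challenge response; the identity is proven only when the Mid-Tier forwards that response to the domain controller through the NETLOGON channel of its computer account, which is why Part II requires the service account. Logging the domain, user, workstation and NTLM version from this header is also a cheap way to confirm that clients really use NTLMv2, as section 4 says the plugin does out of the box.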
6.3 Installation
The installation consists of four parts (sections 6.4 to 6.7); the first two, on the ARS server (ITSM) and in the Mid-Tier module, are obligatory. The installation pack contains three directories: mt, ars and rut. The mt directory contains the files required for the installation on the Mid-Tier server, the ars directory the files for the server environment, and the rut directory the files needed when SSO authentication is performed through BMC Remedy User.
2. Copy the area-sso.cfg (Windows) or area-sso.conf (UNIX) file to the directory that contains ar.cfg/ar.conf (e.g. c:\program files\AR Server\conf).
Checking whether AR External Authentication (AREA) is switched on

To check this:
1. Log in with the BMC Remedy User Tool.
2. Open the AR System Administration Console.
3. Open System -> General -> Server Information.
4. Open the EA tab.
5. Make sure RPC 390695 is selected.
6. Make sure Cross Reference Blank Password is checked (with this setting, users whose password field in the User form is blank are authenticated through AREA).
7. Save any changes.
The following picture presents how to configure AR External Authentication.

[Picture: configuring AR External Authentication]

You also need to make sure that AREAHUB has been installed and started. To check it, examine the ar.cfg/ar.conf file or use the BMC Remedy User Tool:
1. Log in to Remedy with an administrator account using the BMC Remedy User Tool.
2. Open the form Configuration ARDBC.
3. Find the value areahub on the list.

[Picture: searching for areahub]

If the list contains such a record, AREAHUB has been installed correctly.

[Picture: search result when areahub has been installed correctly]

If AREAHUB has not been installed, install it by adding the appropriate entries to the ar.cfg/ar.conf file:
Windows:
    Plugin: areahub.dll

Solaris/Linux:
    Plugin: areahub.so
To verify that the AREAHUB plugin works properly, restart the BMC Remedy AR System service. After the restart, the plugin log file should contain the following entry (if the log file is large, search it for the value ARSYS.AREA.HUB):
To turn on Plugin Server logging, see the chapter Turning on of the Plugin Server logging.

Copyright @ 2009 TopPositions
AREAHUB configuration for the AREA SSO plugin

To activate the AREA SSO plugin, add the following entries to the ar.cfg/ar.conf file (this configuration additionally uses LDAP-based authentication through the AREA LDAP plugin):

Plugin: areahub.dll
AREA-Hub-Plugin: areasso.dll
AREA-Hub-Plugin: arealdap.dll

AREA SSO plugin configuration in the area-sso.cfg/area-sso.conf file

Change the following entries in the area-sso.cfg/area-sso.conf file:

Parameter               Description
MidTier-Enabled         Enable this parameter if users will connect to BMC Remedy AR System through a Web browser. For example: MidTier-Enabled: Enabled
MidTier-IP              Addresses of the Mid-Tier servers that are allowed to authenticate users, separated by semicolons. Only the listed Mid-Tier servers are trusted to assert user identities, so list exactly the real Mid-Tier hosts (127.0.0.1 only when Mid-Tier runs on the AR System server itself). For example: MidTier-IP: 127.0.0.1;192.168.21.2
New-MidTier-Shared-Key  Shared key, identical to the one configured in the second part of the installation guide (Mid-Tier side). After BMC Remedy AR System is restarted, the key is stored in encoded form in area-sso.cfg/area-sso.conf. For example: New-MidTier-Shared-Key: <password>
RUT-Enabled             Enable this parameter if users will connect to BMC Remedy AR System through BMC Remedy User. For example: RUT-Enabled: Enabled
AuthService-IP          IP address of the SSO Authentication Service. Required when RUT-Enabled is set to Enabled. For example: AuthService-IP: 127.0.0.1
AuthService-Port        TCP port on which the SSO Authentication Service listens. The default is port 11000. For example: AuthService-Port: 12000
Configuration of the AREA LDAP plugin

If the BMC AREA LDAP plugin is used to keep user data in LDAP or in Active Directory, follow the instructions in this chapter. If user data is kept in the User form within AR System, go straight to the chapter Turning on of the Plugin Server logging.

After making sure that the AREAHUB plugin is properly installed, the next step is to configure, or verify, the installation and configuration of the BMC AREA LDAP plugin. Installation and configuration details can be found in the BMC AR System documentation:
- BMC Remedy Action Request System 7.0 Integrating with Plugins and Third-Party Products, page 163: http://www.bmc.com/supportu/documents/84/67/58467/58467.pdf
- BMC Remedy Action Request System 7.1.00 Integrating with Plugins and Third-Party Products, page 133: http://www.bmc.com/supportu/documents/93/94/69394/69394.pdf
- BMC Remedy Action Request System 7.5.00 Integration Guide, page 143: http://www.bmc.com/supportu/documents/53/80/95380/95380.pdf

To verify that the BMC AREA LDAP plugin configuration is correct, open the AREA LDAP Configuration form and check that the data entered in the form is correct:
Turning on of the Plugin Server logging

To verify that the Remedy SSO plugin works properly, turn on Plugin Server logging: as an authorized ARS user, open the Server Information form, go to the Log Files tab and set Plugin Log Level to All. Set it back to a lower level once troubleshooting is finished; at this level every plugin call, including user logins, is written to the log.

[Picture: configuring Plugin Server logging]
5. Copy the mt-sso.config file to the Mid-Tier\WEB-INF\classes directory.
6. Copy the mt-sso.license file to the Mid-Tier\WEB-INF\classes directory.
7. Copy the whole sso directory to the Mid-Tier\shared directory.
8. After all the above changes, restart the Mid-Tier server.
Creating a service account for NETLOGON communication

If authentication is to take place at the Windows domain controller, you need to create a service account in Active Directory. Otherwise go on to the point Configuration of the MidTier SSO plugin via http website.

To create the service account in Active Directory, use the Active Directory Users and Computers (ADUC) tool. The NETLOGON service requires the account to be of the Computer type (a regular user account will not work). We recommend entering the same value, made of letters, digits and underscores (no spaces), in the fields "Computer name" (cn) and "pre-Windows 2000 name" (sAMAccountName). The created account has its own DN, which is needed to change its password in the next step. For example, if the account is called REMEDY and the domain in which it was created is example.com, the DN of the account is CN=REMEDY,CN=Computers,DC=example,DC=com.
Changing the password of the service account

The password of the service account must be entered in the MidTier SSO plugin configuration. The password can be changed only with Microsoft tools or with the script attached to the installation pack:

    ' SetComputerPass.vbs
    ' Sets the password of a computer account given its distinguished name.
    Option Explicit
    Dim strDn, objPassword, strPassword, objComputer

    If WScript.Arguments.Count <> 1 Then
        WScript.Echo "Usage: SetComputerPass.vbs <ComputerDN>"
        WScript.Quit
    End If

    strDn = WScript.Arguments.Item(0)

    ' Read the password from the console without echoing it
    Set objPassword = CreateObject("ScriptPW.Password")
    WScript.StdOut.Write "Password:"
    strPassword = objPassword.GetPassword()

    ' Bind to the computer object over LDAP and set the new password
    Set objComputer = GetObject("LDAP://" & strDn)
    objComputer.SetPassword strPassword

    WScript.Echo
    WScript.Echo "Password set on " & strDn
    WScript.Quit

The script must be run from a workstation whose user has the rights to modify the account in Active Directory. Note that the ScriptPW.Password object it uses to read the password without echo ships with Windows XP and Windows Server 2003; on later Windows versions it is not present by default, so the script fails there unless scriptpw.dll has been registered. Treat this password as a service credential: it lets the Mid-Tier validate domain users' NTLM logons, and it is stored in the Mid-Tier configuration.

The following example changes the password of the account CN=REMEDY,CN=Computers,DC=example,DC=com:

    C:\>cscript SetComputerPass.vbs CN=REMEDY,CN=Computers,DC=example,DC=com
    Password: **********
Configuration of the MidTier SSO plugin via http website

To configure the MidTier SSO plugin:
1. Open the configuration tool in your Web browser: http://path-to-midtier/arsys/shared/sso/config.jsp
2. Log in to the administration panel with a password.
3. The default password for the administration panel is password. Change it right after the first login: the panel holds the shared key and the computer account password and is served from the same Mid-Tier as the user-facing pages.
4. Select General Settings.

The MidTier SSO configuration tool contains the following sections:

Core Configuration

Parameter              Description
Turn On/Off            Turns the MidTier SSO plugin on and off.
Shared Key             Enter the same password as the one defined on the ARS server side (SharedKey).
Log level              Log level of the MidTier SSO plugin. Possible values: Info (information about configuration), Trace (information about users logging into the system).
Username conversion    Possible values: To Upper case (changes all letters in the username to upper case, e.g. ABAKER@EXAMPLE.COM), To Lower case (changes all letters in the username to lower case, e.g. abaker@example.com).
HTTP header            If an external SSO system sends the username in a specific HTTP header, enter the name of that header here. Otherwise leave this field empty.

Windows Authentication Configuration

If user authentication is to take place at the Windows domain controller, fill in the following fields. Otherwise restart the Mid-Tier module; the installation of the Mid-Tier SSO plugin is then complete.

Parameter                  Description
Active Directory domain    Name of the domain in which users are authenticated, in full format, e.g. example.com
NTLM protocol log level    Possible values: None (no logging), Critical (critical errors), Basic (basic information), Detailed (detailed information), Debugging (all the information).
Computer Account           Name of the computer account created in the point Creating a service account for NETLOGON communication, e.g. REMEDY$@EXAMPLE.COM. The $ after the account name is required.
Computer Password          Password of the computer account modified in the point Changing the password of the service account.
User name format           Format of the user name logging into the Remedy system. Possible values: Username (only the username).
Configuration of the Remedy SSO solution by editing the file mt-sso.config

To configure the MidTier SSO plugin manually, edit the mt-sso.config file in the Midtier\WEB-INF\classes directory.

Core Configuration

Parameter                  Description
remedy.sso.status          Turns the Remedy SSO plugin on and off. Possible values: on/off
remedy.sso.username.case   Username conversion. Possible values: upper (changes all letters in the username to upper case, e.g. ABAKER@EXAMPLE.COM), lower (changes all letters in the username to lower case, e.g. abaker@example.com)
remedy.sso.http.header     If an external SSO system sends the username in a specific HTTP header, enter the name of that header here. Otherwise leave this parameter empty.
remedy.sso.new.sharedKey   The password defined on the ARS server side (SharedKey). After the Mid-Tier service is restarted, the password is hashed and saved in the configuration file in the parameter remedy.sso.sharedKey.
remedy.sso.loglevel        Remedy SSO log level. Possible values: Info (information about configuration), Trace (information about users logging into the system), Debug (debugging information), All (all the information)

Windows Authentication Configuration

Parameter                     Description
jespa.bindstr                 Name of the domain in which users are authenticated, in full format, e.g. example.com
jespa.log.level               NTLM protocol log level. Possible values: 0 (no logging), 1 (critical errors), 2 (basic information), 3 (detailed information), 4+ (all the information)
jespa.service.acctname        Name of the computer account created in the point Creating a service account for NETLOGON communication, e.g. REMEDY$@EXAMPLE.COM. The $ after the account name is required.
jespa.service.new.password    Password of the computer account modified in the point Changing the password of the service account. After the Mid-Tier service is restarted, the password is hashed and saved in the configuration file in the parameter jespa.service.password.
jespa.account.canonicalForm   Format of the user name logging into Remedy AR System. Possible values: 2 (only the username)
Save the changes and then restart the Mid-Tier application. After the restart, check that remedy.sso.new.sharedKey and jespa.service.new.password no longer hold the plaintext values and that remedy.sso.sharedKey and jespa.service.password have been written; restrict read access to mt-sso.config to the account the Mid-Tier runs under, since the file still carries these secrets. Additional Windows Authentication options can be set in this file; details are in the technical documentation of the Jespa module (Jespa Operator's Manual).
The SSO Authentication Service can be run on any Windows server that is joined to the domain.

Run Installers
1. Run setup.exe on the server where the SSO Authentication Service will be installed (logged in with an administrator account).
2. If Microsoft .NET Framework 3.5 is not present on the server, its installer runs automatically.
3. Choose Next on the first screen.
4. Accept the license by checking YES I accept the terms of the License Agreement, then click Next.
5. Choose the directory where the SSO Authentication Service will be installed, then click Next.
6. Choose SSO Authentication Service from the list and deselect (remove) SSO Authentication Plugin, then click Next.
7. Type the TCP port number the SSO Authentication Service will use (the port must not be used by any other service), then click Next. Both the user workstations (to obtain tickets) and the AR System server (to verify them, see AuthService-IP and AuthService-Port in area-sso.cfg) connect to this port, so it must be reachable from both, and from nothing else that does not need it.
8. Choose the format of the username used to log into Remedy AR System, then click Next.
   In the UserName Conversion area you can choose between: Upper (changes all letters in the username to upper case, e.g. ABAKER@EXAMPLE.COM) and Lower (changes all letters in the username to lower case, e.g. abaker@example.com).
9. Enter the location of the BMC Remedy AR System to which users will be automatically logged in. If this field is left empty, the setting will have to be configured on each user's workstation. Then choose Next.
6.7 Installation Part IV: Plugin SSO Authentication for BMC Remedy User Tool

All the files used in this part of the installation are in the rut directory. For automatic Single Sign On login in BMC Remedy User to work on the end user's workstation, install the SSO Authentication Plugin there.

Run Installers
1. Run setup.exe on the workstation where the SSO Authentication Plugin will be installed.
2. If Microsoft .NET Framework 3.5 is not present on the workstation, its installer runs automatically.
3. Choose Next on the first screen.
4. Accept the license by checking YES I accept the terms of the License Agreement, then click Next.
5. Choose the directory where the SSO Authentication Plugin will be installed, then click Next.
6. Choose SSO Authentication Plugin from the list and deselect (remove) SSO Authentication Service, then click Next.
7. Enter the location of the SSO Authentication Service through which users will be automatically logged in. Then choose Next.
11. To verify that the installation completed successfully, open the BMC Remedy User application and check that the user was automatically logged into BMC Remedy AR System.
7 TROUBLESHOOTING
If during the installation you encounter a problem that you cannot solve, take the following steps so that we can diagnose it.
mt-sso.config

Next, check that the mt-sso.config file has been installed correctly: verify that the file mt-sso.config exists in the directory Mid-Tier/WEB-INF/classes.

mt-sso.license

Then check that the mt-sso.license file has been installed correctly: verify that the file mt-sso.license exists in the directory Mid-Tier/WEB-INF/classes.

MidTier SSO Plugin Configuration

To verify that the MidTier SSO plugin has been configured correctly, open the configuration tool website http://mid-tier-hostname/arsys/shared/sso/config.jsp and, after logging in, verify that:
- a correct licence has been installed
- the Remedy SSO plugin has been turned on
- the Windows domain controller data have been entered correctly (if the controller is used for user authentication)
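The file checks above and the parameter rules from the area-sso.cfg and mt-sso.config tables earlier in this guide can be scripted. The following is an added example, not code shipped with Plugin SSO: it parses both files, flags an enabled channel without its peers, a shared key or computer password that is still in plaintext (meaning the AR System or Mid-Tier restart that encodes it has not happened), a jespa.service.acctname that is not a computer account, and missing Mid-Tier files. It assumes both files are plain "Key: value" / "key=value" lines, that the plugin jars live under WEB-INF/lib, and the sample file contents are constructed for the example.

```python
"""Deployment checks for Plugin SSO configuration files.

Added example, not code shipped with Plugin SSO. Assumptions: area-sso.cfg
and mt-sso.config are plain "Key: value" / "key=value" lines ('#' starts a
comment); the plugin jars live in WEB-INF/lib; sample contents below are
constructed for the example.
"""
import os
import tempfile

MIDTIER_FILES = [
    "WEB-INF/classes/mt-sso.config",
    "WEB-INF/classes/mt-sso.license",
    "WEB-INF/lib/mt-sso.jar",           # assumed location of the jars
    "WEB-INF/lib/jespa-1.0.9.jar",
    "shared/sso/config.jsp",
]

# area-sso.cfg as written before the AR System restart (key still plaintext);
# mt-sso.config after the Mid-Tier restart ('new' keys already replaced).
AREA_SSO_CFG = """\
MidTier-Enabled: Enabled
MidTier-IP: 192.168.21.2;192.168.21.3
New-MidTier-Shared-Key: example-shared-key
RUT-Enabled: Enabled
AuthService-IP: 192.168.21.10
AuthService-Port: 12000
"""
MT_SSO_CONFIG = """\
remedy.sso.status=on
remedy.sso.username.case=lower
remedy.sso.sharedKey=0123456789abcdef0123456789abcdef
jespa.bindstr=example.com
jespa.service.acctname=REMEDY$@EXAMPLE.COM
jespa.service.password=fedcba9876543210fedcba9876543210
"""


def parse_config(text):
    """Parse 'Key: value' or 'key=value' lines into a dict (first separator wins)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        idx = min((i for i, ch in enumerate(line) if ch in "=:"), default=-1)
        key, value = (line, "") if idx < 0 else (line[:idx], line[idx + 1:])
        props[key.strip()] = value.strip()
    return props


def check_area_sso(props):
    """Problems in area-sso.cfg: enabled channels need their peers, and the
    shared key must no longer be plaintext after the AR System restart."""
    problems = []
    if props.get("MidTier-Enabled", "").lower() == "enabled":
        if not [ip for ip in props.get("MidTier-IP", "").split(";") if ip]:
            problems.append("MidTier-IP is empty: no Mid-Tier may authenticate users")
        if props.get("New-MidTier-Shared-Key"):
            problems.append("New-MidTier-Shared-Key still in plaintext; restart AR System")
    if props.get("RUT-Enabled", "").lower() == "enabled":
        if not props.get("AuthService-IP"):
            problems.append("RUT-Enabled but AuthService-IP missing")
        if not props.get("AuthService-Port", "").isdigit():
            problems.append("AuthService-Port must be a TCP port number (default 11000)")
    return problems


def check_mt_sso(props):
    """Problems in mt-sso.config: plugin on, valid case rule, secrets hashed,
    computer account (NAME$@DOMAIN) when Windows Authentication is configured."""
    problems = []
    if props.get("remedy.sso.status", "").lower() != "on":
        problems.append("remedy.sso.status is not 'on'")
    if props.get("remedy.sso.username.case", "").lower() not in ("", "upper", "lower"):
        problems.append("remedy.sso.username.case must be upper or lower")
    secrets = [("remedy.sso.new.sharedKey", "remedy.sso.sharedKey")]
    if props.get("jespa.bindstr"):
        secrets.append(("jespa.service.new.password", "jespa.service.password"))
        if not props.get("jespa.service.acctname", "").split("@")[0].endswith("$"):
            problems.append("jespa.service.acctname must be a computer account (NAME$@DOMAIN)")
    for new_key, hashed_key in secrets:
        if props.get(new_key):
            problems.append("%s still in plaintext; restart Mid-Tier" % new_key)
        elif not props.get(hashed_key):
            problems.append("%s is missing" % hashed_key)
    return problems


def missing_midtier_files(root):
    """Return the required Mid-Tier SSO files that are absent under root."""
    return [p for p in MIDTIER_FILES if not os.path.isfile(os.path.join(root, p))]


def demo():
    """Create a throw-away Mid-Tier layout with the samples and run all checks."""
    root = tempfile.mkdtemp()
    for rel in MIDTIER_FILES:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(MT_SSO_CONFIG if rel.endswith("mt-sso.config") else "")
    return (missing_midtier_files(root),
            check_area_sso(parse_config(AREA_SSO_CFG)),
            check_mt_sso(parse_config(MT_SSO_CONFIG)))


if __name__ == "__main__":
    for label, result in zip(("missing files", "area-sso.cfg", "mt-sso.config"), demo()):
        print("%s: %s" % (label, result or "OK"))
```

Run it against the real directories by pointing missing_midtier_files at the Mid-Tier installation root and feeding the two files' contents to parse_config. The plaintext check is the one worth keeping in a routine audit: a lingering New-MidTier-Shared-Key or jespa.service.new.password value means the restart that encodes it never ran, and the secret sits readable on disk.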
8 POTENTIAL ERRORS
Below is a list of errors that may occur during installation: