Plugin Single Sign On Version 1.

2
Installation Guide
The following document describes Plugin Single Sign On version 1.2 Component configuration and installation process for BMC Remedy AR System TopPositions 2010-03-29

Plug-in Single Sign On Version 1.2

CONTENTS
1 2 3 4 5 6 6.1 6.2 6.3 6.4 6.5 6.6 6.7 7 7.1 7.2 7.3 7.4 7.5 8 8.1 8.2 8.3 8.4 8.5 8.6 8.7 INTRODUCTION ................................................................................................................... 3 WHAT IS PLUGIN SINGLE SIGN ON VERSION 1.2 ................................................................. 4 APPLICATION ....................................................................................................................... 5 EQUIPMENT COMPATIBILITY ............................................................................................... 6 HOW PLUGIN SSO WORKS................................................................................................... 7 INSTALLATION AND CONFIGURATION .............................................................................. 10 Windows Authentication ............................................................................................... 10 ClearTrust / Sitemider ................................................................................................... 10 Installation ..................................................................................................................... 10 Installation Part 1 in the server environment (ARS Platform) ....................................... 10 Installation part II in the environment on the side of Mid-Tier server ......................... 17 Installation Part III SSO Authentication Service............................................................. 22 Installation Part IV- Plugin SSO Authentication for BMC Remedy User Tool ................ 28 TROUBLESHOOTING .......................................................................................................... 33 SSO AREA plugin ............................................................................................................ 33 AREA LDAP plugin .......................................................................................................... 33 Mid-Tier SSO Plugin ....................................................................................................... 33 SSO Authentication Service ........................................................................................... 34 Whats next ................................................................................................................... 34 POTENTIAL ERRORS ........................................................................................................... 35 Mid-Tier cant find the file mt-sso.jar............................................................................ 35 Mid-Tier cant find the file jespa-1.0.9.jar ..................................................................... 35 Mid-Tier cant find the file with the licence .................................................................. 35 Mid-Tier cant find the configuration file mt-sso.config ............................................... 35 Remedy SSO cant find the Domain controller .............................................................. 36 Remedy SSO cant log into Domain controller .............................................................. 36 SSO Authentication service doesnt work ..................................................................... 36

Copyright @ 2009 TopPositions 2

Plug-in Single Sign On Version 1.2

1 INTRODUCTION
There is a very common problem each company has to deal with, that is entering an incorrect password when logging in to system or a certain application. Frustrated and unsatisfied users are unable to remember each password they are obliged to use, that leads up to many unavoidable mistakes. The only one solution seems to be IT specialists support, and the next new password. However it helps, its not a long- lasting support. The passwords change does not guarantee that the new one will not be forgotten. What is more, security policy forces users to recurrent passwords changes . Not to forget the new phrases and numbers, users write tem on the self stick note sheets and stick them onto the screens. Its obvious, that such way of storing passwords is not a safe one. That is why our team of IT specialists worked out an innovative system, that is Plugin SSO ( Plugin Single Sign On). This security method is safe and allows you to get a very easy access to BMC Remedy AR System. Plugin SSO makes the whole process of logging in very quickly and without the users participation. That is why, users do not have to think hours about a new password, but take care their duties. Plugin SSO is the best solution. All the problems will disappear as well as users frustration and annoyance. Everyone knows, that a satisfied employee is an effective employee, and effectiveness means profits. So let us help you to make a big profit. For more information, please visit our Web site : http://www.remedy-sso.com

Copyright @ 2009 TopPositions 3

Plug-in Single Sign On Version 1.2

2 WHAT IS PLUGIN SINGLE SIGN ON VERSION 1.2

Plugin SSO is a component that enables the access to the BMC Remedy AR System without the necessity of logging in. Our system uses Security Support Provider Interface(SSPI). Exerted all over the world SSPI authentication systems work on Windows and give you the highest level of information security. Plugin SSO supports joint security policy for all passwords in the company so that it makes the information stored in the BMC AR Remedy System safer. The fact that, the Plugin SSO was created and tested by the best IT security specialists makes your information unavailable for unwanted audience. Our System as the only one in the world guarantees handling of the Microsoft NT LAN Manager version. 2 (NTLMv2). Moreover, NTLMv2 is recommended and used by the best IT security specialists all over the world. NTLMv2 service is asserted by the IOPLEX component. Here you can find more information about IOPLEX: http://www.ioplex.com Plugin SSO is a product for BMC Remedy AR system and does not require any complex process of installation or configuration.

Copyright @ 2009 TopPositions 4

Plug-in Single Sign On Version 1.2

3 APPLICATION
As a very flexible solution, Plugin SSO can be applied in various equipment and system configurations. Plugin SSO supports: BMC Remedy AR System, vol. 7.0, 7.1, 7.5 and 7.6, Operating systems like Windows, Linux, Solaris and HP-UX, J2EE Containers like Apache Tomcat, Weblogic, Websphere and others, The outside authentication systems like ClearTrust and SiteMinder ( they authenticate users through Http header protocol), Internet browsers like Internet Explorer and Mozilla Firefox ( Mozilla Firefox requires Windows Authentication Configuration, Java 1.5 and 1.6, All variants of the NTLM protocol (NTLM by default).

Copyright @ 2009 TopPositions 5

Plug-in Single Sign On Version 1.2

4 EQUIPMENT COMPATIBILITY
Automatic Plugin SSO log in can be used on the following operating systems: Matrix of the solution compatybility

Operating systems
Windows 2000, 2003, 2008 BMC Action Request System 7.0 Sun Solaris 9.x HP-UX 11.x Linux 2.6.x+

7.1 (MT patch 6+)

7.5 (MT patch 1+)

Plugin SSO supports many typical WWW security systems. Popular products Authentication systems ClearTrust

SiteMinder

Quest QSJ

HTTP Basic

Plugin SSO supports Windows Authentication (NTLM v2) in Out of Box version.

Copyright @ 2009 TopPositions 6

Plug-in Single Sign On Version 1.2

5 HOW PLUGIN SSO WORKS

Plugin SSO allows to get to Remedy AR System surroundings on the basis of authorization that was made when logging into the corporate network( by Windows domain authorization). When correctly logged into the Windows domain, user doesnt have to log once again to connect with BMC Remedy AR System. Plugin SSO Works as a plugin installed on BMC Remedy AR System and is able to support WebSSO systems or work autonomously. This component logs the users with BMC Remedy AR System automatically by the Web browser of BMC Remedy User Application. The following diagram shows how Plugin SSO authorizes users system by the use of Windows Authentication Protocol.

User s authorization by Plugin SSO In case of Web browser, Plugin SSO is triggered out when user is logging into one of the following Mid Tier Server addresses: /arsys/home, /arsys/forms /arsys/apps Plugin SSO asks the user's Web browser to send the NTLM header together with the users data. Then it checks if this data is correct or not . If the user was identified by the Windows Controller, user gains the access to the BMC Remedy AR System. The following diagram shows the users authorization by the web browser

Copyright @ 2009 TopPositions 7

Plug-in Single Sign On Version 1.2

Users logging in by the Internet Browser When BMC remedy User authorization application used, Plugin SSO is being triggered when the application opened. Plugin SSO is being given a special ticket to SSO Authorization Service. This service is activated at any Windows server after SSPI Negotiate (NTLM) authorization. Then, BMC Remedy User sends the ticket to BMC AR Remedy System. Plugin AREA SSO verifies this ticket in the SSO Authorization Service. Each ticket is generated for particular user and for the computer, from which user is trying to connect to BMC Remedy AS System. The following diagram shows how BMC Remedy User authorizes users.

Copyright @ 2009 TopPositions 8

Plug-in Single Sign On Version 1.2

Users logging in by the BMC Remedy User

Copyright @ 2009 TopPositions 9

Plug-in Single Sign On Version 1.2

6 INSTALLATION AND CONFIGURATION 6.1 Windows Authentication

If you do not have an external SSO system (ClearTrust, SiteMinder, etc.) and would like MidTier to authenticate users within Windows Controller, you will need to make extra moves to install the component BMC Remedy Mid-Tier. Our solution works only if Apache Tomcat has already been started as a standalone application. We do not support the product ServletExec, as it is not presently recommended by BMC.

6.2 ClearTrust / Sitemider

After some time a session of ClearTrust and Siteminder expires. On this account length of the session must be synchronized with length of the BMC Remedy Mid-Tier module session. To prevent a situation when a user is still logged in the BMC Remedy AR system and is no longer logged in SSO module, while installing Mid-Tier the following steps must be taken: Configure ClearTrust or Siteminder to protect the paths /arsys/home, /arsys/forms oraz /arsys/apps. Adjust length of Mid-Tier session one minute shorter than the session in ClearTrust or Siteminder.

6.3 Installation
Installation consists of two parts. It involves the ARS Server (ITSM)and also the MidTier module. First two parts are obligatory. Installation pack contains 3 directories: mt ,ars and rut. The first directory contains files that are required for the installation in MidTier server. The third one contains files necessary in case of SSO authorization made by BMC Remedy User.

6.4 Installation Part 1 in the server environment (ARS Platform)

All the files necessary for this part of installation you can find in ars directory. Files copying to AR system 1. Copy areasso.dll/areasso.so file to operational directory of ARS server (It is the same directory that includes the file arserver.exe)

Copyright @ 2009 TopPositions 10

Plug-in Single Sign On Version 1.2

2. Copy area-sso.cfg/area-sso.conf file to the directory containing ar.cfg/ar.conf. (It is the same directory that includes the file ar.cfg/ar.conf. e.g.: c:\program files\AR Server\conf)

Copyright @ 2009 TopPositions 11

Plug-in Single Sign On Version 1.2

Checking whether the AR External Authentication (AREA) is switched on In order to do that you need to: Log the BMC Remedy User Tool Open AR System Administration Console Open System->General->Server Information Open the folder EA Make sure RPC 390695 is selected Make sure Cross Reference Blank Password is marked Save the potential changes.

Copyright @ 2009 TopPositions 12

Plug-in Single Sign On Version 1.2

The following picture presents how to configure AR External Authentication. You need to make sure AREAHUB has been installed and started. In order to check it you have to examine the file ar.cfg/ar.conf or use the BMC Remedy User Tool. To do it you need to: Log in Remedy into the administration account using BMC Remedy User Tool Find form Configuration ARDBC On the list find the value areahub.

The picture illustrates the way of searching for areahub When on the list there is a proper record, it means that AREA-HUB has been suitably installed.

Copyright @ 2009 TopPositions 13

Plug-in Single Sign On Version 1.2

The picture illustrates the search result on condition that the areahub has been suitably installed When AREAHUB has not been installed you will have to do it by making appropriate entries in the file ar.cfg/ar.conf:

Windows
Plugin: areahub.dll

Solaris/Linux
Plugin: areahub.so

In order to verify whether Plugin AREAHUB works properly you need to restart service BMC Remedy AR System. After having restarted the system in the log file of a plugin there should be the following entry (if the log file is large you should search in there the value ARSYS.AREA.HUB ):

In order to turn on logging of Plugin Server you need to move to the chapter entitled Turning on of the Plugin Server. Copyright @ 2009 TopPositions 14

Plug-in Single Sign On Version 1.2

AREAHUB configuration for Plugin AREA SSO usage To activate AREA SSO Plugin add the following entries to ar.cfg/ar.conf file (this configuration uses the additional authorization based on LDAP) :
Plugin: areahub.dll AREA-Hub-Plugin: areasso.dll AREA-Hub-Plugin: arealdap.dll

Configuration using the authorization pursuant to form User:

Plugin: areahub.dll AREA-Hub-Plugin: areasso.dll

AREA SSO plugin configuration in the area-sso.cfg/area-sso.conf file. You should change the following entries in the area-sso.cfg/area-sso.conf file. Parametr MidTier-Enabled Opis If the users will connect to BMC Remedy AR System by Web browser this parameter should be enabled. For ex.: MidTier-Enabled: Enabled Addresses of the Mid-Tier Servers that users will be authorized by. For ex.: MidTier-IP: 127.0.0.1;192.168.21.2 Shared key password identical, just like the one configured in the second part of installation guide. The password is going to be encoded after restarting BMC Remedy AR System in area-sso.cfg/area-sso.conf file. For ex.: New-MidTier-Shared-Key: <password> If users will connect to the BMC Remedy AR System by BMC Remedy User, this parameter should be enabled For ex.: RUT-Enabled: Enabled IP address of SSO Authentication Service For ex.: AuthService-IP: 127.0.0.1 This parameter should be enabled if RUT-Enabled is set to Enabled. TCP port on which SSO Authentication Service works. Default parameter value is 11000 port For ex.: AuthService-Port: 12000

MidTier-IP New-MidTier-SharedKey

RUT-Enabled

AuthService-IP

AuthService-Port

Configuration of the AREA LDAP plugin If the BMC AREA LDAP Plugin is used to store data about users in LDAP or in Active-Directory you will need to follow the instructions in the following chapter. In the case when the data about users is stored in the form User within AR System you will need to go straight to the chapter Turning on of the Plugin Server logging. Copyright @ 2009 TopPositions 15

Plug-in Single Sign On Version 1.2

After having made sure that plugin AREAHUB has been properly installed you will have to take another step consisting in configuring or checking whether BMC AREA LDAP Plugin has been properly installed and configured. The installation and configuration details can be found in the documents of BMC AR System: BMC Remedy Action Request System 7.0 Integrating with Plugins and Third-Party Products http://www.bmc.com/supportu/documents/84/67/58467/58467.pdf Page 163 BMC Remedy Action Request System 7.1.00 Integrating with Plugins and Third-Party Products http://www.bmc.com/supportu/documents/93/94/69394/69394.pdf Page 133 BMC Remedy Action Request System 7.5.00 Integration Guide http://www.bmc.com/supportu/documents/53/80/95380/95380.pdf Page 143 To verify if the BMC AREA LDAP plugin configuration is appropriate you should open the AREA LDAP Configuration form and check the data entered into the form is correct:

The picture illustrates a model BMC AREA LDAP plugin configuration.

Copyright @ 2009 TopPositions 16

Plug-in Single Sign On Version 1.2

Turning on of the Plugin Server logging In order to verify that Remedy SSO Plugin works properly you need to select logging into PlugIn Server from the level of the authorized ARS user in the module Server Information and in the folder Log Files you need to select All in the Plugin Log Level.

The picture illustrates the way of configuring logging of the Plugin Server.

6.5 Installation part II in the environment on the side of Mid-Tier server

All the files to be used in this part of the installation you can find in mt directory. Java SDK Environment At first you need to check if Java SDK has been installed in the Server. Installation of Java JRE is not sufficient for the correct functioning of the system. Copying and changes of the files 1. Patch the file Web.xml that can be found in the Mid-Tier server via update of the file web.xml.patch. The contents of the patch needs to be copied into the file Mid-Tier\WEB-INF \web.xml between the last entry of a type </filter> and the first one of a type <filter-mapping> 2. Copy the mt-sso.jar file to Mid-Tier\WEB-INF\lib directory 3. Copy jespa-1.0..jar file to Mid-Tier\WEB-INF\lib directory 4. Copy bcprov-jdk15-144.jar file to Mid-Tier\WEB-INF\lib directory

Copyright @ 2009 TopPositions 17

Plug-in Single Sign On Version 1.2

5. 6. 7. 8.

Copy mt-sso.config file to Mid-Tier\WEB-INF\classes directory Copy mt-sso.license file to Mid-Tier\WEB-INF\classes directory Copy the whole sso directory to Mid-Tier\shared directory After having made all the above changes you need to restart Mid-Tier server.

Creating service account for NETLOGON communication If the authorization is supposed to take place in Windows Controller, you need to create a service account in Active Directory. Otherwise you can move on to the next point Configuration of the MidTier SSO plugin via http website To create the service account in Active Directory you have to use a tool called Active Directory
Users and Computers (ADUC). NETLOGON service requires the account to be of a Computer type (A regular users account will not work.) We recommend to enter the same value using letter, digits and underlining (without spaces) in the field "Computer name" (cn) and "pre-Windows 2000 name" (sAMAccountName). The created service account should have its own DN that has to be used to change the password in the next step. E.g.: If the account has been called REMEDY and the name of the domain in which the account has been created is example.com DN for this account will equal: CN=REMEDY,CN=Computers,DC=example,DC=com.

Change of a password to the service account A password to the service account must be entered in the MidTier SSO Plugin configuration. Password change can be made only by using the Microsoft tools or with help of the script attached to the installation pack:

Copyright @ 2009 TopPositions 18

Plug-in Single Sign On Version 1.2

'SetComputerPass.vbs Option Explicit Dim strDn, objPassword, strPassword, objComputer If WScript.arguments.count <> 1 Then WScript.Echo "Usage: SetComputerPass.vbs <ComputerDN>" WScript.Quit End If strDn = WScript.arguments.item(0) Set objPassword = CreateObject("ScriptPW.Password") WScript.StdOut.Write "Password:" strPassword = objPassword.GetPassword() Set objComputer = GetObject("LDAP://" & strDn) objComputer.SetPassword strPassword WScript.Echo WScript.Echo "Password set on " & strDn WScript.Quit

The above scripts should be activated from the station that has rights to the Active Directory.
The following example demonstrates how to change the password for the account CN=REMEDY,CN=Computers,DC=example,DC=com: C:\>cscript SetComputerPass.vbs CN=REMEDY,CN=Computers,DC=example,DC=com Password: **********

Configuration of the MidTier SSO plugin via http website In order to configure MidTier SSO Plugin you need to: 1. Open the website of the configuration tool in your internet browser: http://path-to-midtier/arsys/shared/sso/config.jsp 2. Log in the administration panel by using a password. 3. The default password for the administration panel is password. 4. Select General Settings MidTier SSO configuration tool contains the following section: Core Configuration Parametr Turn On/Off Shared Key

Opis Turning on and turning off of MidTier SSO plugin In this field you should enter the same password as the one defined on the side of ARS Server (SharedKey) Log level of MidTierSSO plugin Potential values: Info information about configuration Trace information about users logging into the system Copyright @ 2009 TopPositions 19

SSO Log Level

Plug-in Single Sign On Version 1.2

Username conversion

Debug debugging information All all the information

Username conversion Possible values: To Upper case changes all the letters in the username into upper case ones: For example.: ABAKER@EXAMPLE.COM To Lower case changes all the letters in the username into lower case ones: For example.: abaker@example.com If the external SSO system sends the username in a specific HTTP header , in this field you should enter the name of this header. Otherwise this field should remain empty.

HTTP header(s) containing username

Windows Authentication Configuration When the users authorization is to take place in Windows Controller, you need to fill in the following Fields. Otherwise you need to restart Mid-Tier module. The installation of Mid-Tier SSO Plugin is completed. Parametr Active Directory domain Opis Name of the domain into which users will be authenticated must be entered in full format: For example.: example.com NTLM protocol log level Possible values: None no logging Critical critical errors Basic basic information Detailed detailed information Debbuging all the information Name of a users account created in the point: Creating service account for NETLOGON For example.: REMEDY$@EXAMPLE.COM* *It is necessary to type $ after username. Password to the users account (Computer Account) modified in the point: Change of a password to the service account Format of a user logging into Remedy system. Possible values: Username only username. Copyright @ 2009 TopPositions 20

NTLM log level

Computer Account

Computer Password

Canonical Account Name

Plug-in Single Sign On Version 1.2

For example.: abaker

Backslash username + domain name separated by a symbol \

For example.: EXAMPLE\abaker

Principal username + full domain name separated by a symbol @

For exampe.: abaker@example.com

Save the changes and then restart MidTier application.

Configuration of the Remedy SSO solution via edition of the file mt-sso.config To configurate MidTier SSO plugin manually, you should change mt-sso.config file that you can find in the Midtier\WEB-INF\classes directory. Core Configuration Parametr remedy.sso.status

Opis Turning on and turning off of the Remedy SSO plugin. Possible values: on/off Username conversion. Possible values: upper changes all the letters in the username into upper case ones: For example.: ABAKER@EXAMPLE.COM lower changes all the letters in the username into lower case ones: For example.: abaker@example.com If the external SSO system sends the username in a specific HTTP header , in this field you should enter the name of this header. Otherwise this field should remain empty. A password that has been defined on the side of ARS server (SharedKey). After restarting Mid-Tier service the password will be hashed and saved in the configuration file within the parameter: remedy.sso.sharedKey Remedy SSO log level Possible values: Info information about configuration Trace information about users logging into system Debug debugging information All all the information

remedy.sso.username.case

remedy.sso.http.header

remedy.sso.new.sharedKey

remedy.sso.loglevel

Copyright @ 2009 TopPositions 21

Plug-in Single Sign On Version 1.2

Windows Authentication Configuration Parametr jespa.bindstr Opis Name of the domain into which users will be authenticated must be entered in full format: For example.: example.com NTML protocol log level Possible values: 0 no logging 1 critical errors 2 basic information 3 detailed information 4+ all the information Name of a users account created in the point: Creating service account for NETLOGON For example.: REMEDY$@EXAMPLE.COM* *It is necessary to type $ after username. Password to the users account (Computer Account) modified in the point: Change of a password to the service account After restarting Mid-Tier service the password should be hashed and saved in the configuration file within the parameter jespa.service.password Format of a user logging into Remedy AR System. Possible values:
2 only username.

jespa.log.level

jespa.service.acctname

jespa.service.new.password

jespa.account.canonicalForm

For example.: abaker. 3 username + domain name separated by a symbol \

For example.: EXAMPLE\abaker

4 username + full domain name separated by a symbol @ For example.: abaker@example.com

Save the changes and then restart MidTier application. In the file you can use additional options for Windows Authentication. More details can be found in technical documentation for Jespa module: Jespa Operator's Manual

6.6 Installation Part III SSO Authentication Service

All the files to be used in this part of the installation you can find in rut directory. If the automatic logging should not work on BMC Remedy User Tool application, please miss the rest part of this chapter. SSO Authentication Service is the service that is run on Windows server. It identifies users in the Windows controller by the SSPI Negotiation interface(NTLM protocol). Copyright @ 2009 TopPositions 22

Plug-in Single Sign On Version 1.2

The following service may be run on each Windows Server that is connected to the domain. Run Installers 1. Run setup.exe on the server where the SSO Authentication Service will be installed ( be logged on the administrators account). 2. If there is no Microsoft .Net Framework 3.5 on the server, its installer will install automatically. 3. Choose Next on the first screen.

4. Accept the license by choosing checkbox YES I accept the terms of the License Agreement, and then click Next.

Copyright @ 2009 TopPositions 23

Plug-in Single Sign On Version 1.2

5. Choose the directory where SSO Authentication Service will be installed, and then click Next.

6. Choose SSO Authentication Service from the list and remove SSO Authentication plugin, then click Next.

Copyright @ 2009 TopPositions 24

Plug-in Single Sign On Version 1.2

7. Type TCP port number used by the SSO Authentication Service(the port address must be unused by any others services), then click Next.

8. Choose format of a username logging into Remedy AR System, then click Next.

Copyright @ 2009 TopPositions 25

Plug-in Single Sign On Version 1.2

In Canonical Account Name you can choose between the following:

Username only username. For example.: abaker Backslash username + domain name separated by a symbol \ For example.: EXAMPLE\abaker Principal username + full domain name separated by a symbol @ For exampe.: abaker@example.com

In the UserName Conversion area you can choose between the following : Upper changes all the letters in the username into upper case ones: For exampe.: ABAKER@EXAMPLE.COM Lower changes all the letters in the username into lower case ones: For exampe.: abaker@example.com

9. Give the BMC Remedy AR System localization to which users will be automatically logged in. When the formula left empty, the configuration will be necessary on each users station. Then choose Next.

Copyright @ 2009 TopPositions 26

Plug-in Single Sign On Version 1.2

10. Continue installation by choosing Next.

11. Installation completed. Choose Finish to close installer.

Copyright @ 2009 TopPositions 27

Plug-in Single Sign On Version 1.2

6.7 Installation Part IV- Plugin SSO Authentication for BMC Remedy User
Tool
All the files to be used in this part of the installation you can find in rut directory. If you want the automatic Single Sign On logging in BMC Remedy User to work on the final users workstation, please install SSO Authentication plugin. Run Installers 1. Run setup.exe on the workstation where the SSO Authentication Plugin will be installed. 2. If there is no Microsoft .Net Framework 3.5 on the workstation, its installer will install automatically. 3. Choose Next on the first screen.

Copyright @ 2009 TopPositions 28

Plug-in Single Sign On Version 1.2

4. Accept the license by choosing checkbox YES I accept the terms of the License Agreement, and then click Next.

5. Choose the directory where SSO Authentication Plugin will be installed, and then click Next.

Copyright @ 2009 TopPositions 29

Plug-in Single Sign On Version 1.2

6. Choose SSO Authentication Plugin from the list and remove SSO Authentication Service, then click Next.

7. Give the SSO Authentication Service localization to which users will be automatically logged in. Then choose Next.

Copyright @ 2009 TopPositions 30

Plug-in Single Sign On Version 1.2

8. Continue installation by choosing Next.

9. Installation completed. Choose Finish to close installer.

Copyright @ 2009 TopPositions 31

Plug-in Single Sign On Version 1.2

11. To verify whether the installation completed successfully, open the BMC Remedy User application and check if the user was automatically logged in BMC Remedy AR System.

Copyright @ 2009 TopPositions 32

Plug-in Single Sign On Version 1.2

7 TROUBLESHOOTING
If during the installation you faced a problem that cannot be solved you should take the following steps in order to enable us to diagnose the problem.

7.1 SSO AREA plugin

In the beginning of problem diagnosis you need to verify whether SSO AREA plugin has been correctly installed and configured. Mid-Tier IP address At first you need to check whether the Mid-Tier IP address in the file area-sso.cfg/areasso.conf has been correctly configured. Shared-Key Then you need to verify if shared-key has been correctly configured. In order to do that you have to start the tool BMC Remedy User on the server on which MidTier is installed. After that you should enter your login coming from Active-Directory in the field username; the field password should be left empty. You should key shared-key, that has been previously configured during installation, in the field authentication. If you manage to log into the system that would mean SSO AREA plugin has been properly installed and configured. Otherwise you have to again set up a correct shared-key in the file area-sso.cfg/area-sso.conf.

7.2 AREA LDAP plugin

If AREA LDAP plugin is not used to authorize users in Active Directory you need to move on to the next step. Otherwise you have to start a tool BMC Remedy User. Then in the field username enter your login coming from Active-Directory; enter a domain password in the field password. If you manage to log into the system that would mean AREA LDAP plugin has been properly installed and configured. Otherwise you have to check the configuration of AREA LDAP plugin in the form AREA LDAP Configuration.

7.3 Mid-Tier SSO Plugin

If SSO AREA plugin works properly, in the next step you need to check if plugin on the side of Mid-Tier has been correctly installed. MT-SSO.jar At first you should check if the file MT-SSO.jar has been correctly installed. In order to do that you need to check if there is the file MT-SSO.jar in the directory MitTier/WEB-INF/lib.

Copyright @ 2009 TopPositions 33

Plug-in Single Sign On Version 1.2

mt-sso.config In the next step you need to check if the file mt-sso.config has been correctly installed. In order to do that you need to check if there is the file mt-sso.config in the directory Mit-Tier/WEBINF/classes. mt-sso.license Then you need to check if the file mt-sso.license has been correctly installed. In order to do that you need to check if there is the file mt-sso.license in the directory Mit-Tier/WEB-INF/classes. MidTier SSO Plugin Configuration In order to verify whether MidTier SSO plugin has been correctly configured you need to open the website of the Configuration tool: http://mid-tier hostname/arsys/shared/sso/config.jsp. Then after correct logging you need to verify if: a correct licence has been installed Remedy SSO plugin has been turned on Windows Controller data have been entered correctly (if the controller is used for users authentication)

7.4 SSO Authentication Service

If the SSO Auth Service doesnt work, check the EventLog entries ( on the Server, on which it was installed).

7.5 Whats next

If the problem continues you should forward an email to our support department including following information: file AR Server plugin log (with the Plugin-Log-Level adjusted to 100) with a users logging attempt registered by BMC Remedy User-using shared-key; files ar.cfg and area-sso.cfg from AR Server, and the file mt-sso.config from Midtier; the file web.xml from Mid-Tier server; log files from servlet engine on which Mid-Tier has been installed; version numbers of the ARS server and Mid-Tier together with patch numbers name and version number of servlet engine. EventLog entries for SSO Auth Service.

Copyright @ 2009 TopPositions 34

Plug-in Single Sign On Version 1.2

8 POTENTIAL ERRORS
Below find a list of errors that may occur during installation:

8.1 Mid-Tier cant find the file mt-sso.jar

If during installation you have forgotten to copy the file mt-sso.jar, in logs of Tomcat server there should be the following error report:
java.lang.ClassNotFoundException: remedy.sso.midtier.jespa.filters.SSOHttpFilter at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1362) at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1208) at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:207) at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:302) at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:78)

8.2 Mid-Tier cant find the file jespa-1.0.9.jar

If during installation you have forgotten to copy the file jespa-1.0.9.jar, in logs of Tomcat server there should be the following error report:
java.lang.NoClassDefFoundError: jespa/http/HttpSecurityService at java.lang.ClassLoader.defineClass1(Native Method) at java.lang.ClassLoader.defineClass(Unknown Source) at java.security.SecureClassLoader.defineClass(Unknown Source) at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1852) at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:876)

8.3 Mid-Tier cant find the file with the licence

If during installation you have forgotten to copy the file mt-sso.license, in logs of Tomcat server there should be the following error report:
15:14:51,942 Remedy Single Sign file: /mt-sso.license not found - Licence file: /mt-sso.license 15:14:51,942 Remedy Single Sign License not loaded - License not loaded 15:14:51,942 Remedy Single Sign loaded ON ERROR (lic.LicenseManager:loadLicence:?) - Licence not found ON WARN (lic.LicenseManager:validateLicense:?) -

ON ERROR (filters.SSOHttpFilter:init:?) - License not

8.4 Mid-Tier cant find the configuration file mt-sso.config

If during installation you have forgotten to copy the file mt-sso.config, in logs of Tomcat server there should be the following error report:
15:33:20,317 Remedy Single Sign ON ERROR (filters.SSOHttpFilter:init:?) - Failed to load config file!

Copyright @ 2009 TopPositions 35

Plug-in Single Sign On Version 1.2

8.5 Plugin SSO cant find the Domain controller

If during installation you have incorrectly entered the domain name in the field Active Directory domain, in logs of Tomcat server there should be the following error report:
java.net.PortUnreachableException: ICMP Port Unreachable at java.net.PlainDatagramSocketImpl.receive0(Native Method) at java.net.PlainDatagramSocketImpl.receive(Unknown Source) at java.net.DatagramSocket.receive(Unknown Source) at com.sun.jndi.dns.DnsClient.doUdpQuery(Unknown Source) at com.sun.jndi.dns.DnsClient.query(Unknown Source) at com.sun.jndi.dns.Resolver.query(Unknown Source)

8.6 Plugin SSO cant log into Domain controller

If during configuration you have incorrectly entered the name of a service account or its password, in the field Active Directory domain, in logs of Tomcat server there should be the following error report:
jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password. at jcifs.smb.SmbTransport.checkStatus(Unknown Source) at jcifs.smb.SmbTransport.send(Unknown Source) at jcifs.smb.SmbSession.sessionSetup(Unknown Source) at jcifs.smb.SmbSession.send(Unknown Source) at jcifs.smb.SmbTree.treeConnect(Unknown Source)

8.7 SSO Authentication service doesnt work

TCP Port is probably busy by the other service, Change the ports number ( SSO Auth Service
should be installed again).

Copyright @ 2009 TopPositions 36